We use the server1 virtual machine for the experiment. To give it internet access, configure NAT on the physical host:
```
[root@rhel7host ~]# iptables -t nat -I POSTROUTING -s 172.25.254.0/24 -j MASQUERADE^C
[root@rhel7host ~]# iptables -t nat -nL
Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  all  --  172.25.254.0/24      0.0.0.0/0
[root@server1 ~]# ping baidu.com    # server1 can now reach the internet
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=46 time=28.4 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=46 time=28.7 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=46 time=28.7 ms
```
```
[root@server1 ~]# docker login    ## log in
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: ^C
[root@server1 ~]# docker tag busybox:latest cay718/busybox:latest    ## tag it
# the tag must use the form <username>/<image>; only official images omit the prefix
[root@server1 ~]# docker images
REPOSITORY               TAG      IMAGE ID       CREATED         SIZE
cay718/busybox           latest   59788edf1f3e   19 months ago   1.15MB    ## our image
busybox                  latest   59788edf1f3e   19 months ago   1.15MB
gcr.io/distroless/base   latest   9a255d5fe262   50 years ago    16.8MB
[root@server1 ~]# docker search busybox    ## finds all the busybox images in the community
NAME                     DESCRIPTION                                 STARS   OFFICIAL   AUTOMATED
busybox                  Busybox base image.                         1901    [OK]
progrium/busybox                                                     71                 [OK]
...
ggtools/busybox-ubuntu   Busybox ubuntu version with extra goodies   0                  [OK]
trollin/busybox                                                      0
[root@server1 ~]# docker push cay718/busybox:latest
# this pushes the image straight to the repository under our account, because we logged in above
```
We can then log in to the Docker Hub web interface to check it.
All the images we have pulled so far come from abroad, because Docker's official registry is hosted overseas, so `docker pull` is slow. We can use the image accelerator (registry mirror) that Aliyun provides: log in to Aliyun (register an account, or sign in with Alipay or Taobao) and find the image accelerator page.
It generates an accelerator address:
It first tells you to create the /etc/docker directory:
```
[root@server1 ~]# ls /etc/docker/
key.json    # we already have this directory
# then it tells you to edit daemon.json
[root@server1 ~]# cd /etc/docker/
[root@server1 docker]# vim daemon.json
{
  "registry-mirrors": ["https://f7behxow.mirror.aliyuncs.com"]
}
[root@server1 docker]# systemctl daemon-reload
[root@server1 docker]# systemctl restart docker
```
After that, pulls are fast because we now go through the Aliyun mirror.
```
[root@server1 docker]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
afb6ec6fdc1c: Pull complete
b90c53a0b692: Pull complete
11fa52a0fdc0: Pull complete
Digest: sha256:30dfa439718a17baafefadf16c5e7c9d0a1cde97b4fd84f63b69e13513be7097
Status: Downloaded newer image for nginx:latest    ## very fast, though that cannot be shown here
```
Advantages of using a private registry:
A private registry runs the registry image.
```
## download registry
[root@server1 docker]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
486039affc0a: Pull complete
ba51a3b098e6: Pull complete
8bb4c43d6c8e: Pull complete
6f5f453e5f2d: Pull complete
42bc10b72f42: Pull complete
Digest: sha256:7d081088e4bfd632a88e3f3bcd9e007ef44a796fddfe3261407a3f9f04abe1e7
Status: Downloaded newer image for registry:latest
[root@server1 docker]# docker images
registry   latest   708bc6af7e5e   4 months ago   25.8MB
[root@server1 docker]# docker history registry:latest    # view the build history
IMAGE          CREATED        CREATED BY                                      SIZE     COMMENT
708bc6af7e5e   4 months ago   /bin/sh -c #(nop)  CMD ["/etc/docker/registr…   0B
<missing>      4 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint.…   0B
<missing>      4 months ago   /bin/sh -c #(nop) COPY file:507caa54f88c1f38…   155B
<missing>      4 months ago   /bin/sh -c #(nop)  EXPOSE 5000                  0B       # port 5000 is exposed
<missing>      4 months ago   /bin/sh -c #(nop)  VOLUME [/var/lib/registry]   0B       # data directory
<missing>      4 months ago   /bin/sh -c #(nop) COPY file:4544cc1555469403…   295B
<missing>      4 months ago   /bin/sh -c #(nop) COPY file:21256ff7df5369f7…   20.1MB
<missing>      4 months ago   /bin/sh -c set -ex     && apk add --no-cache…   1.28MB
<missing>      4 months ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
<missing>      4 months ago   /bin/sh -c #(nop) ADD file:e38375b009a2e2c9b…   4.41MB
[root@server1 docker]# docker run -d -p 5000:5000 --name registry registry    # run it
e1be7cfce770c1474e6c7ad590194e77c7b38625b111dc93075cc3e196c930bf
[root@server1 docker]# docker volume ls    # local docker data volumes
DRIVER   VOLUME NAME
local    79cd4dfd7a1065b487fdfd36c77ba31ad152eb1165080e07f8952470cef40621    # the registry's
local    91f0897dbeda40ac75f20603dccb0459920191144c77eea663cccde1307b7f1d    # from before
[root@server1 docker]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp   0      0      0.0.0.0:22      0.0.0.0:*         LISTEN   3012/sshd
tcp   0      0      127.0.0.1:25    0.0.0.0:*         LISTEN   3120/master
tcp6  0      0      :::5000         :::*              LISTEN   4972/docker-proxy    ## port 5000 is open
```
Now we push an image to the registry.
```
[root@server1 docker]# docker tag nginx:latest localhost:5000/nginx:lastest    # tag it
[root@server1 docker]# docker push localhost:5000/nginx    # push
The push refers to repository [localhost:5000/nginx]
6c7de695ede3: Pushed
2f4accd375d9: Pushed
ffc9b21953f4: Pushed
lastest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
# it is stored under:
[root@server1 repositories]# pwd
/var/lib/docker/volumes/79cd4dfd7a1065b487fdfd36c77ba31ad152eb1165080e07f8952470cef40621/_data/docker/registry/v2/repositories
[root@server1 repositories]# ls
nginx
# we can also check it this way:
[root@server1 repositories]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}    # nginx
```
Working this way from the command line is inconvenient, and remote connections must use TLS encryption, so we now set up TLS.
```
[root@server1 ~]# mkdir -p certs    # directory for the certificate
[root@server1 ~]# openssl req \     # generate the certificate and key
>   -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
>   -x509 -days 365 -out certs/westos.org.crt
......
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:Westos
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org    # enter the certificate details
[root@server1 ~]# ls
busybox.tar  containerd.io-1.2.5-3.1.el7.x86_64.rpm  distroless      docker                              docker-ce-cli-18.09.6-3.el7.x86_64.rpm  nginx.tar     ubuntu.tar
certs        container-selinux-2.21-1.el7.noarch.rpm  distroless.tar  docker-ce-18.09.6-3.el7.x86_64.rpm  game2048.tar                            rhel7.tar
[root@server1 ~]# ls certs/
westos.org.crt  westos.org.key    ## the certificate and key files are generated
[root@server1 ~]# docker rm -f registry    # remove this container and start registry again with TLS
[root@server1 ~]# docker run -d \
>   --restart=always \                                        # start the container at boot
>   --name registry \                                         # container name
>   -v "$(pwd)"/certs:/certs \                                # mount the certificate directory
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \                       # -e sets the container's runtime parameters
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \  # the certificate
>   -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \          # the key
>   -p 443:443 \                                              # port mapping
>   registry                                                  # image
2775257a5127111ca9f188304a7c938b76875c841e9c5a861eac8c842bd96676
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                            NAMES
2775257a5127   registry   "/entrypoint.sh /etc…"   7 seconds ago   Up 6 seconds   0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp   0      0      0.0.0.0:22      0.0.0.0:*         LISTEN   3012/sshd
tcp   0      0      127.0.0.1:25    0.0.0.0:*         LISTEN   3120/master
tcp6  0      0      :::22           :::*              LISTEN   3012/sshd
tcp6  0      0      ::1:25          :::*              LISTEN   3120/master
tcp6  0      0      :::443          :::*              LISTEN   5381/docker-proxy    ## the encrypted port is open
[root@server1 ~]# vim /etc/hosts    # add name resolution, because we used the name westos.org above
172.25.254.1 server1 westos.org
# then make every docker daemon trust this certificate
[root@server1 ~]# mkdir -p /etc/docker/certs.d/westos.org
[root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/westos.org/
[root@server1 ~]# cd /etc/docker/certs.d/westos.org/
[root@server1 westos.org]# mv westos.org.crt ca.crt
[root@server1 westos.org]# ls
ca.crt    # renamed to ca.crt
```
Push the image:
```
[root@server1 westos.org]# docker tag nginx:latest westos.org/nginx:latest    # works because of the resolution we added; otherwise the name is not recognised
[root@server1 westos.org]# docker images
REPOSITORY             TAG       IMAGE ID       CREATED      SIZE
localhost:5000/nginx   lastest   9beeba249f3e   8 days ago   127MB
westos.org/nginx       latest    9beeba249f3e   8 days ago   127MB    # created successfully
[root@server1 repositories]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
6c7de695ede3: Pushed
2f4accd375d9: Pushed
ffc9b21953f4: Pushed
latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
[root@server1 repositories]# netstat -tnlp
tcp6  0  0  :::443  :::*  LISTEN  5381/docker-proxy
```
Only port 443 is open, so this push went over port 443 with TLS encryption.
```
[root@server1 ~]# mkdir auth    # directory for user authentication
[root@server1 ~]# docker run \
>   --entrypoint htpasswd \
>   registry -Bbn admin westos > auth/htpasswd
[root@server1 ~]# docker ps -a
CONTAINER ID   IMAGE      COMMAND                  CREATED          STATUS                     PORTS                            NAMES
9207ef348e06   registry   "htpasswd -Bbn admin…"   7 seconds ago    Exited (0) 6 seconds ago                                    clever_proskuriakova
2775257a5127   registry   "/entrypoint.sh /etc…"   34 minutes ago   Up 34 minutes              0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 ~]# docker rm -f clever_proskuriakova    # remove it once it has run
clever_proskuriakova
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$cBCyZDWgWoU8rnmvOCU7rO2XTCvVP6kIJ6fdeOV2l5Di8Gyg6hG1i    ## the user and password hash we need
# we can append another user as well
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn cay caoaoyuan >> auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$cBCyZDWgWoU8rnmvOCU7rO2XTCvVP6kIJ6fdeOV2l5Di8Gyg6hG1i
cay:$2y$05$nBO8Or64HGWvRQhYgEYnouWZ4NAeQxOTaKuMwIVJdGwvCMuIUXTKu
```
Restart the registry:
```
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker run -d \
>   --restart=always \
>   --name registry \
>   -v "$(pwd)"/certs:/certs \
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
>   -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
>   -p 443:443 \
>   -v "$(pwd)"/auth:/auth \                                  # mount the authentication directory
>   -e "REGISTRY_AUTH=htpasswd" \                             # authentication method
>   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
>   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \           # path to the htpasswd file
>   registry
```
Test:
```
[root@server1 ~]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
6c7de695ede3: Preparing
2f4accd375d9: Preparing
ffc9b21953f4: Preparing
no basic auth credentials    # no user credentials, so the push is refused
[root@server1 ~]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 ~]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
6c7de695ede3: Pushed
2f4accd375d9: Pushed    # after logging in the push works
ffc9b21953f4: Pushed
latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
```
Both users can log in successfully.
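As an added check that is not part of the original post: the registry's htpasswd backend only accepts bcrypt entries like the ones `htpasswd -Bbn` wrote above, so this Python script validates an htpasswd file before it is mounted into the container. The two good entries are the page's own; the MD5 line and the duplicate are constructed, and `min_cost` is a hypothetical policy knob, not a registry setting.

```python
import re
from typing import List, NamedTuple

# Docker's registry (distribution) htpasswd backend accepts bcrypt hashes only,
# which is why the page creates entries with `htpasswd -Bbn`.  Entries produced
# by a plain `htpasswd -c` (MD5 "$apr1$...") or crypt() can never log in.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

class Entry(NamedTuple):
    user: str
    ok: bool
    reason: str

def check_htpasswd(text: str, min_cost: int = 5) -> List[Entry]:
    """Check every entry of a file meant for REGISTRY_AUTH_HTPASSWD_PATH.
    min_cost is a hypothetical policy knob; `htpasswd -B` defaults to cost 5."""
    results: List[Entry] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        user, sep, hashed = line.partition(":")
        if not sep or not user:
            results.append(Entry(line, False, f"line {lineno}: malformed entry"))
            continue
        if user in seen:                  # a second entry for a user is a mistake
            results.append(Entry(user, False, "duplicate user"))
            continue
        seen.add(user)
        m = BCRYPT_RE.match(hashed)
        if not m:
            results.append(Entry(user, False, "not bcrypt; the registry will reject it"))
            continue
        cost = int(m.group(1))
        ok = cost >= min_cost
        results.append(Entry(user, ok, f"bcrypt cost {cost}" + ("" if ok else f" < {min_cost}")))
    return results

def usable(text: str) -> bool:
    """True when the file has at least one entry and every entry passes."""
    entries = check_htpasswd(text)
    return bool(entries) and all(e.ok for e in entries)

# Constructed sample: the two entries from the page, then an MD5 entry as a
# plain `htpasswd -c` would write it (hash value made up) and a duplicated user.
SAMPLE = """\
admin:$2y$05$cBCyZDWgWoU8rnmvOCU7rO2XTCvVP6kIJ6fdeOV2l5Di8Gyg6hG1i
cay:$2y$05$nBO8Or64HGWvRQhYgEYnouWZ4NAeQxOTaKuMwIVJdGwvCMuIUXTKu
legacy:$apr1$saltsalt$abcdefghijklmnopqrstuv
admin:$2y$05$cBCyZDWgWoU8rnmvOCU7rO2XTCvVP6kIJ6fdeOV2l5Di8Gyg6hG1i
"""

if __name__ == "__main__":
    for e in check_htpasswd(SAMPLE):
        print(f"{'OK ' if e.ok else 'BAD'} {e.user}: {e.reason}")
```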
How the registry works:
It has three roles: the Docker index, the registry and the client.
The index handles user authentication and indexing; the registry is the image store; the client is the Docker client.
`docker pull` issues a request; the index authenticates it, looks up the address of the requested image and returns it to the client.
The client then downloads the image from the registry. The registry first goes to the index server to validate the token: the index issues a token (check value) for the image, the registry then asks the index whether this token matches the token of the image the user wants to download, and if they match the image is served.
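To see the authentication exchange described above from the client side, here is an added Python example (not part of the original post) that talks to the page's registry over the v2 API: it requests `/v2/_catalog`, parses the `WWW-Authenticate` challenge that `REGISTRY_AUTH=htpasswd` produces (`Basic realm="Registry Realm"`), and retries with Basic credentials while verifying the server against the self-signed ca.crt. Host name, user, password and certificate path are the ones used on this page; the `Bearer` case in the comments is how a token-auth registry answers instead.

```python
import base64
import json
import re
import ssl
import urllib.error
import urllib.request

# With REGISTRY_AUTH=htpasswd the registry from the page answers an anonymous
# request with:      401  WWW-Authenticate: Basic realm="Registry Realm"
# (the realm is REGISTRY_AUTH_HTPASSWD_REALM).  A token-auth registry answers:
#                    401  WWW-Authenticate: Bearer realm="https://...",service="...",scope="..."
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_challenge(header: str):
    """Return (scheme, {param: value}) for a WWW-Authenticate header value."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme, dict(_PARAM_RE.findall(rest))

def basic_header(user: str, password: str) -> str:
    """Build the Authorization value the client sends back for a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def fetch_catalog(base_url: str, user: str, password: str, cafile: str):
    """GET /v2/_catalog: unauthenticated first, then again with credentials
    if (and only if) the registry answers 401 with a Basic challenge."""
    # Trust only the registry's self-signed certificate (the ca.crt the page
    # installs under /etc/docker/certs.d/westos.org/), not the system CA store.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"{base_url}/v2/_catalog")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)            # registry running without auth
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        scheme, params = parse_challenge(err.headers.get("WWW-Authenticate", ""))
        if scheme != "Basic":
            raise RuntimeError(f"unsupported challenge: {scheme} {params}")
    req.add_header("Authorization", basic_header(user, password))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)                # e.g. {"repositories": ["nginx"]}

if __name__ == "__main__":
    # Assumes the deployment from the page: registry on https://westos.org:443,
    # ca.crt installed locally, and the admin user created with htpasswd.
    print(fetch_catalog("https://westos.org", "admin", "westos",
                        "/etc/docker/certs.d/westos.org/ca.crt"))
```

The certificate generated on this page carries only a Common Name; Docker builds compiled with Go 1.15 or later reject such certificates, so when reproducing the setup add a subjectAltName to the openssl command (`-addext "subjectAltName=DNS:westos.org"` with OpenSSL 1.1.1 or newer).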
Start the server2 host to test a remote connection.
```
# first add local name resolution:
[root@server2 ~]# vim /etc/hosts
172.25.254.1 server1 westos.org
# then copy the certificate from server1 to server2; the remote connection needs it for verification
[root@server1 ~]# scp -r /etc/docker/certs.d server2:/etc/docker/
[root@server2 certs.d]# ls
westos.org
[root@server2 certs.d]# cd westos.org/
[root@server2 westos.org]# ls
ca.crt
[root@server2 westos.org]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded    # logged in
[root@server2 westos.org]# docker pull westos.org/nginx    # the image can be pulled
Using default tag: latest
latest: Pulling from nginx
afb6ec6fdc1c: Pull complete
b90c53a0b692: Pull complete
11fa52a0fdc0: Pull complete
Digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b
Status: Downloaded newer image for westos.org/nginx:latest
[root@server2 westos.org]# docker images
REPOSITORY         TAG      IMAGE ID       CREATED      SIZE
westos.org/nginx   latest   9beeba249f3e   9 days ago   127MB
[root@server2 westos.org]# docker run -d --name nginx -p 80:80 westos.org/nginx
21d271bdfc9cde7c5ed6279a2093e4e9d7fe74e4caf365c7da4b9091e34301f6
[root@server2 westos.org]# docker ps    # running normally
CONTAINER ID   IMAGE              COMMAND                  CREATED         STATUS         PORTS                NAMES
21d271bdfc9c   westos.org/nginx   "nginx -g 'daemon of…"   3 seconds ago   Up 2 seconds   0.0.0.0:80->80/tcp   nginx
[root@server2 westos.org]# curl localhost    # and it is reachable
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
```