
How to build a private Docker image registry and configure authentication

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01

Many newcomers are not clear about how to build a private Docker image registry and add authentication to it. This article explains the process in detail.

DockerHub provides many official images and images uploaded by individuals. We can download images provided by organizations or individuals, or upload our own local images, but there are disadvantages:

For network reasons, downloading and uploading images from DockerHub may be slow.

The Docker images used in production may contain our code, configuration information and so on, which we do not want outsiders to obtain; they should only be downloadable by developers on the intranet.

To solve these problems, Docker officially provides an image called registry for building local private repositories. A private Docker registry built on the internal network lets users on that network download and upload very quickly, without being affected by external bandwidth and similar factors. At the same time, people outside the private network cannot download our images, and the private registry also supports authentication.

Pull the private registry image

Pull the private registry image.

docker pull registry

Modify configuration

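Modify the daemon.json file.

vi /etc/docker/daemon.json

Add the following so that Docker trusts the private registry address, then save and exit. This setting allows Docker to talk to that address over plain HTTP or with a certificate it cannot verify.

{"insecure-registries": ["192.168.10.10:5000"]}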

Reload the configuration and restart the Docker service.

# reload the configuration file of a service
sudo systemctl daemon-reload
# restart docker
sudo systemctl restart docker

Create a private registry container

Create a private registry container.

docker run -di --name registry -p 5000:5000 -v /mydata/docker_registry:/var/lib/registry registry

-d: the container runs in the background

--name: name the created container

-p: indicates the port mapping. The former is the host port, and the latter is the mapped port in the container. You can use multiple -p options for multiple port mappings

-v: mount the container's /var/lib/registry directory on the host's /mydata/docker_registry directory

Open a browser and go to http://192.168.10.10:5000/v2/_catalog. Seeing {"repositories": []} indicates that the private registry has been built successfully and is empty.

Push the image to the private registry

First tag the image: docker tag local-image:tagname new-repo:tagname.

Then push the image to the private registry: docker push new-repo:tagname.

docker tag hello-world:latest 192.168.10.10:5000/test-hello-world:1.0.0
docker push 192.168.10.10:5000/test-hello-world:1.0.0

Open a browser and go to http://192.168.10.10:5000/v2/_catalog to see the uploaded images in the private registry.

Since we mounted the directory, we can also view them on the host in the /mydata/docker_registry/docker/registry/v2/repositories directory.

Configure private registry authentication

The private registry is now set up, and it needs a security certificate to protect it and prevent unexpected things from happening. Therefore, build a self-signed certificate on the Docker host that runs the private registry.

Create a directory to store the certificate.

mkdir -p /usr/local/registry/certs

Command to generate a self-signed certificate.

openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt

openssl req: create certificate signature request and other functions

-newkey: create CSR certificate signature file and RSA private key file

rsa:2048: specifies that the length of the created RSA private key is 2048

-nodes: do not encrypt the private key

-sha256: use the SHA256 algorithm

-keyout: the name and location of the private key file created

-x509: self-issued certificate format

-days: certificate validity period

-out: specify the CSR output file name and location

Generate a self-signed certificate

First generate the self-signed certificate with openssl. After running the command you need to enter some certificate information. The most important part is: Common Name (eg, your name or your server's hostname) []: 192.168.10.10, where the address of the private registry is entered.

[root@localhost ~]# openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt
Generating a 2048 bit RSA private key
...+++
.+++
writing new private key to '/usr/local/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:mrhelloworld
Organizational Unit Name (eg, section) []:mrhelloworld
Common Name (eg, your name or your server's hostname) []:192.168.10.10
Email Address []:mrhelloworld@126.com

Generate the authentication password file

# create a directory to store the authentication password file
mkdir -p /usr/local/registry/auth
# if the htpasswd command is not available, install httpd
yum install -y httpd
# create the user and password
htpasswd -Bbn root 1234 > /usr/local/registry/auth/htpasswd

htpasswd is the tool for Apache HTTP basic authentication files. The htpasswd command generates the user and password file. The -B option stores the password as a bcrypt hash, which is the format the registry expects.
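Current Docker clients match a registry certificate against its subjectAltName rather than the Common Name, and "insecure-registries" switches certificate verification off for that address. The script below is an added example, not part of the original article: it issues the same kind of self-signed certificate with an IP SAN and installs it as a per-registry CA under /etc/docker/certs.d. The function names are illustrative, and openssl on the PATH is assumed.

```shell
# Added example: self-signed registry certificate with an IP subjectAltName,
# trusted per registry instead of listing the address in "insecure-registries".

# make_registry_cert IP OUTDIR -> writes OUTDIR/domain.key and OUTDIR/domain.crt
make_registry_cert() {
  ip=$1; out=$2
  mkdir -p "$out"
  cnf=$(mktemp)
  # Non-interactive request config; the SAN entry is what clients verify
  cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $ip
[v3]
subjectAltName = IP:$ip
EOF
  # umask 077 keeps the unencrypted (-nodes) key readable by its owner only
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cnf" \
      -keyout "$out/domain.key" -out "$out/domain.crt" 2>/dev/null
  ) || { rm -f "$cnf"; return 1; }
  rm -f "$cnf"
}

# cert_covers_ip CRT IP -> exit 0 only if the certificate's SAN lists exactly IP
cert_covers_ip() {
  openssl x509 -in "$1" -noout -text | grep -Fqw "IP Address:$2"
}

# install_trust CRT HOST:PORT [CERTS_D] -> copies CRT to CERTS_D/HOST:PORT/ca.crt,
# the per-registry CA location the Docker daemon reads (default /etc/docker/certs.d).
# Refuses a certificate whose SAN does not cover the registry address.
install_trust() {
  dest="${3:-/etc/docker/certs.d}/$2"
  cert_covers_ip "$1" "${2%%:*}" || {
    echo "certificate SAN does not cover ${2%%:*}" >&2
    return 1
  }
  mkdir -p "$dest" && cp "$1" "$dest/ca.crt"
}
```

Once install_trust has succeeded on a client (for example `install_trust /usr/local/registry/certs/domain.crt 192.168.10.10:5000`, run as root), the address can be removed from insecure-registries in daemon.json and Docker restarted.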

Create a private registry container

docker run -di --name registry -p 5000:5000 \
  -v /mydata/docker_registry:/var/lib/registry \
  -v /usr/local/registry/certs:/certs \
  -v /usr/local/registry/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry

Failed to push the image to the private registry

First tag the image: docker tag local-image:tagname new-repo:tagname.

Then push the image to the private registry: docker push new-repo:tagname.

docker tag hello-world:latest 192.168.10.10:5000/test-hello-world:1.0.0
docker push 192.168.10.10:5000/test-hello-world:1.0.0

Pushing the image directly is certain to fail with the error no basic auth credentials, because we have not logged in yet.

Log in to the account

Use the docker login command and enter the account and password to log in to the private registry.

Successfully push the image to the private registry

Push the image again; this time the push succeeds.

Log out of the account

Use the docker logout command to log out of the account.

[root@localhost ~]# docker logout 192.168.10.10
Removing login credentials for 192.168.10.10

A private image registry can also be built with Harbor. Harbor is an enterprise-level Docker Registry management project open-sourced by VMware, which includes rights management (RBAC), LDAP, log audit, a management interface, self-registration, image replication, Chinese support and other functions.
