Home > Backend Development > PHP Tutorial > How to build a private docker registry on Ubuntu14.04

How to build a private docker registry on Ubuntu14.04

WBOY
Release: 2016-08-08 09:28:00
Original
1091 people have browsed it

How to set up a private docker registry on Ubuntu14.04

Original address: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu -14-04

Author: Nik van der Ploeg

Translator: Chen Zhengwen (awenchen)

Introduction

Docker is a powerful tool for deploying servers. docker.io provides users with a free service to upload image resources to the official registry. However, the registry is open to everyone. Maybe you are not willing to do this for a non-open source project.

This article will guide you on how to set up a private docker registry and ensure its security. At the end of this tutorial, you will have hands-on experience uploading a homemade docker image to a private registry and safely pulling it down on a different machine.

This tutorial does not cover how to containerize application services, but is intended to guide you to create a registry to store the service resources you want to deploy. If you want an introductory tutorial on docker, maybe this can help you.

Based on single registry and single client mode of Ubuntu14.04 system, this tutorial has been tested and may still work on other Debian-based distributions.

Docker Concepts

If you have not been exposed to docker before, it will take you a few minutes to become familiar with the key concepts of docker. If you are already familiar with docker and just want to know how to build a private registry, then you can go directly to the next section.

For a novice on how to use docker, you might as well try the excellent docker notes here.

The core of docker is to separate applications and application dependencies from the operating system. In order to achieve the above purpose, docker uses container and mirroring mechanisms. A docker image is basically a template for a file system. When you run a docker image through the docker run command, an instance of the file system is activated and runs in the docker container on the system. By default, the container cannot touch the file system of the original image and the host on which Docker itself is running. This is a self-contained environment.

Any changes made to the container will be saved within the container itself and will not affect the original image. If you want to keep these changes, you can save the container as an image through the docker commit command. This means that you can derive a new container from an existing container without any impact on the original container (or image). If you are familiar with git, then you will find the process very familiar: create a new branch from any container (here, branch means the image in docker). Running the image is similar to performing a git checkout operation.

To further describe it, running a private docker registry is like running a private git warehouse for docker images.

Step 1 - Install the necessary software

On the docker registry server, a user with sudo permissions should be created (and on the client machine too, if possible).

docker registry software is a pythonapplication, so in order to run it, you need to install the pythondevelopment environment and necessary libraries:

<code>sudo apt-get update

sudo apt-get -y install build-essential python-dev libevent-dev python-pip liblzma-dev
</code>
Copy after login

Step 2 - Install and configure docker registry

In order to install For the latest stable docker registry release (0.7.3 at the time of writing, 0.9.1 at the time of translation), we will use pythonpackage management toolpip:

<code>sudo pip install docker-registry
</code>
Copy after login

docker-registryRequires configuration document.

By default, pip places this configuration file in a fairly out-of-the-way place, depending on where python is installed on your system. So, in order to find that path, we will try to run registry to see the relevant output:

<code>gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application
</code>
Copy after login
Copy after login

Since the configuration file is not in the correct location, the above attempt will fail with an error message containing FileNotFoundError , as shown below [In some versions, the following information is not output, translator's note]:

<code>FileNotFoundError: Heads-up! File is missing: /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/config.yml
</code>
Copy after login

registry contains a sample configuration file on the same path, the file is named config_sample.yml, so , we can locate the sample configuration file through the pathname given above.

Copy the path information from the error message (in this case /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/config.yml) and then, Remove the config.yml part so that we can switch to this path.

<code>cd /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/
</code>
Copy after login

Copy the contents of the config_sample.yml file to config.yml:

<code>sudo cp config_sample.yml config.yml
</code>
Copy after login

By default, the data files of docker are stored in the /tmp folder, but in many classes In Linux system, the folder is cleared when the system is restarted, which is not what we want. So, we create a permanent folder to store the data:

<code>sudo mkdir /var/docker-registry
</code>
Copy after login

Okay, now we configure the config.yml file and change the reference to the folder /tmp to /var/docker-registry . First, start by finding the line near the beginning of the file headed by sqlalchemy_index_database:

<code>sqlalchemy_index_database:
_env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db
</code>
Copy after login

and change it to point /var/docker-registry like this:

<code>sqlalchemy_index_database:
_env:SQLALCHEMY_INDEX_DATABASE:sqlite:////var/docker-registry/docker-registry.db
</code>
Copy after login

向下一点,到local:部分,重复上述操作,更改如下内容:

<code>local: &local
storage: local
storage_path: _env:STORAGE_PATH:/tmp/registry
</code>
Copy after login

为:

<code>local: &local
storage: local
storage_path: _env:STORAGE_PATH:/var/docker-registry/registry
</code>
Copy after login

样例配置文件中的其他默认值均无需修改。一目十行即可。然而,如果你想要做一些复杂的配置,诸如采用扩展存储装置来存储docker数据,那么该文件正具有此功能。当然,这已超出本教程的范围,你可以查看docker-registry文档以获取更多的帮助。

既然配置文件已置于正确的位置,那么再一次尝试来测试docker registry服务器:

<code>gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application
</code>
Copy after login
Copy after login

你会看到如下的输出:

<code>2014-07-27 07:12:24 [29344] [INFO] Starting gunicorn 18.0
2014-07-27 07:12:24 [29344] [INFO] Listening at: http://0.0.0.0:5000 (29344)
2014-07-27 07:12:24 [29344] [INFO] Using worker: gevent
2014-07-27 07:12:24 [29349] [INFO] Booting worker with pid: 29349
2014-07-27 07:12:24,807 DEBUG: Will return docker-registry.drivers.file.Storage
</code>
Copy after login

棒极了!现在我们已经拥有一个运行着的docker registry。下面执行Ctrl+C终止该程序。

到目前为止,docker registry并不是那么有用。它并不会自行启动除非我们执行上述gunicorn命令。另外,docker registry不没有引入任何的内置的认证机制,因此,其当前状态下是不安全并且对外部完全开放的。

第三步——以服务的形式启动docker registry

通过创建Upstart脚本,设置docker registry在系统的启动程序中开始运行。

首先,创建日志文件目录:

<code>sudo mkdir -p /var/log/docker-registry
</code>
Copy after login

然后,用一款你拿手的文本编辑器来创建Upstart脚本:

<code>sudo nano /etc/init/docker-registry.conf
</code>
Copy after login

将如下内容写入上述脚本中:

<code>description "Docker Registry"

start on runlevel [2345]
stop on runlevel [016]

respawn
respawn limit 10 5

script
    exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b localhost:5000 -w 8 docker_registry.wsgi:application
end script
</code>
Copy after login

更多关于Upstart脚本的内容,请阅读该教程。

此时,执行如下命令:

<code>sudo service docker-registry start
</code>
Copy after login

将看到下面的输出:

<code>docker-registry start/running, process 25303
</code>
Copy after login

当然,你也可以通过运行下面的命令查看server.log日志文件,验证docker-registry服务是否正在运行:

<code>tail /var/log/docker-registry/server.log
</code>
Copy after login

如果一切正常的话,你会看到像之前执行gunicorn命令时输出的文本信息。

既然docker-registry服务器已在后台运行,那么下面我们来配置Nginx,以使registry更加安全。

第四步——通过Nginx来保障docker registry的安全性

为了避免任何人都能登陆我们的docker registy服务器,首先要做的就是建立认证机制。

下面安装Nginxapache2-utils包(通过该包,可以轻松创建Nginx能够读取的权限文件)。

<code>sudo apt-get -y install nginx apache2-utils
</code>
Copy after login

现在来创建docker用户。

通过下面的命令来创建第一个用户:

<code>sudo htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME
</code>
Copy after login

当跳出命令行时,轻给出该用户的密码。

如果将来想添加更多的用户,只需要在去除可选参数c的前提下,重新运行上述命令:

<code>sudo htpasswd /etc/nginx/docker-registry.htpasswd USERNAME_2
</code>
Copy after login

现在,我们拥有了一个创建用户的文件dokcer-registry.htpasswd,以及可用的docker registry服务器。如果你想了解你的用户的话你可以随意查看该文件(如果想收回权限的话可以删除掉该用户)。

下面,我们需要告诉Nginx去利用权限文件,并且将请求转发给docker registry

那么,我们来创建一个Nginx的配置文件。创建一个新的docker-registry文件,必要时可能需要输入执行sudo命令的密码:

<code>sudo nano /etc/nginx/sites-available/docker-registry
</code>
Copy after login
Copy after login

将如下内容添加到该文件中。注释也包含在其中。更多关于Nginx虚拟主机配置文件的内容,可查阅该教程。

<code># For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
    server localhost:5000;
}

server {
    listen 8080;
    server_name my.docker.registry.com;

    # ssl on;
    # ssl_certificate /etc/ssl/certs/docker-registry;
    # ssl_certificate_key /etc/ssl/private/docker-registry;

    proxy_set_header Host       $http_host;   # required for Docker client sake
    proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        # let Nginx know about our auth file
        auth_basic              "Restricted";
        auth_basic_user_file    docker-registry.htpasswd;

        proxy_pass http://docker-registry;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }  
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}
</code>
Copy after login

对该文件建立链接,这样Nginx就可以使用该配置文件:

<code>sudo ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
</code>
Copy after login

然后,重启Nginx以激活虚拟主机配置:

<code>sudo service nginx restart
</code>
Copy after login
Copy after login

让我们确保每一环节都准确无误。Nginx服务器监听端口8080,而初始的docker-registry服务器监听本地端口5000。

我们可以通过curl命令来测试整个环节的准确性:

<code>curl localhost:5000
</code>
Copy after login

你应当看到下述输出:

<code>"docker-registry server (dev) (v0.8.1)"
</code>
Copy after login
Copy after login

不错,docker-registry正在运行。现在检查Nginx是否工作:

<code>curl localhost:8080
</code>
Copy after login

这次,你将得到HTML格式的无权限访问的消息:

<code><html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
</code>
Copy after login

同样的,也可以通过远端的机器运行上述两个测试命令来验证端口是否正确设置,不过需要将localhost更改为主机的IP地址。

Upstart配置文件中,我们设置docker-registry仅仅监听来自localhost的请求,这意味着外网将无法通过端口5000来访问docker-registry。另一方面,Nginx监听来自端口8080的请求,并且对外网开放。如果并非如此,你需要调整你的防火墙权限设置。

好了,权限设置已建立起来。那么,现在我们尝试使用先前创建的某个用户名来登陆Nginx

<code>curl USERNAME:PASSWORD@localhost:8080
</code>
Copy after login

如果正确运行,你将看到如下信息:

<code>"docker-registry server (dev) (0.8.1)"
</code>
Copy after login

第五步——建立SSL

到目前为止,我们已经搭建起了registry服务,并且运行在Nginx后面,通过HTTP基础认证机制连接二者。然而,由于连接是未加密的,所以该服务仍然是不安全的。也许你已经主要到了先前创建的Nginx配置文件中被注释掉的关于SSL的部分。

激活SSL。首先,打开Nginx文件以备编辑:

<code>sudo nano /etc/nginx/sites-available/docker-registry
</code>
Copy after login
Copy after login

找到下述内容:

<code>server {
    listen 8080;
    server_name my.docker.registry.com;

    # ssl on;
    # ssl_certificate /etc/ssl/certs/docker-registry;
    # ssl_certificate_key /etc/ssl/private/docker-registry;
</code>
Copy after login

删除SSL行首的#。如果你的服务器有自己的域名的话,将server_name更改为你的域名。完成后应当如下所示:

<code>server {
    listen 8080;
    server_name yourdomain.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/docker-registry;
    ssl_certificate_key /etc/ssl/private/docker-registry;
</code>
Copy after login

保存该文件。现在,Nginx已经被配置使用SSL,下面将会分别从/etc/ssl/certs/docker-registry/etc/ssl/private/docker-registry文件中搜索SSL证书和秘钥。

如果你已经拥有了一个SSL证书或者正准备去购买一个的话,你仅需要将证书和秘钥拷贝到上述所列的路径下(ssl_certificatessl_certficate_key

也可以免费获得一个签名SSL证书。

或者,使用一个自签名的SSL证书。由于docker当前不允许使用自签名的SSL证书,这将带来加倍的复杂度,因为我们必须去搭建系统来充当我们已具有签名权限的证书。

建立签名证书

首先,创建存放证书的目录并进入该目录:

<code>mkdir ~/certs
cd ~/certs
</code>
Copy after login

生成一个新的根秘钥:

<code>openssl genrsa -out devdockerCA.key 2048
</code>
Copy after login

生成一个根证书(跳入命令行时可输入任何内容):

<code>openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
</code>
Copy after login

然后,为服务器生成一个秘钥(稍后会将该文件拷贝到/etc/ssl/private/docker-registryNginx使用):

<code>openssl genrsa -out dev-docker-registry.com.key 2048
</code>
Copy after login

现在,我们必须生成证书签名请求。

在输入下面的OpenSSL命令后,将会跳入命令行模式,需要你输入一些问题的答案。对于前面的一些问题,可随意编辑,但是当要求你键入“Common Name”时,确保输入的是你的服务器的域名。

<code>openssl req -new -key dev-docker-registry.com.key -out dev-docker-registry.com.csr
</code>
Copy after login

例如,你的docker-registry将以www.ilovedocker.com为域名运行,然后你的输入应当如下所示:

<code>Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.ilovedocker.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>
Copy after login

切勿输入挑战码。然后,我们需要对证书的请求进行签名:

<code>openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out dev-docker-registry.com.crt -days 10000
</code>
Copy after login

既然我们已生成了所需的证书文件,下面就将它们拷贝到正确的位置。

首先,将证书和秘钥拷贝到Nginx预期的路径:

<code>sudo cp dev-docker-registry.com.crt /etc/ssl/certs/docker-registry
sudo cp dev-docker-registry.com.key /etc/ssl/private/docker-registry
</code>
Copy after login

由于生成的这些证书并没有得到任何一个著名的证书认证机构(例如,VeriSign)验证,我们需要告诉那些即将连接该docker-registry的客户机,该证书是合法的。我们本地做出上述认证,以便可以在docker-registry服务器上使用docker

<code>sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
sudo update-ca-certificates 
</code>
Copy after login

你可能必须在每一台想要连接该docker-registry的主机上执行上述操作。否则,你将得到SSL错误并且无法取得连接,这些步骤将在客户端测试小节中再次出现。

SSL测试

重启Nginx以重新载入配置文件和SSL秘钥:

<code>sudo service nginx restart
</code>
Copy after login
Copy after login

再次执行curl测试(仅此次使用https)以验证SSL正确工作。必须记住的是,为了让SSL能够正确运行,你必须使用在创建SSL证书的之前,在Common Name域输入的域名。

<code>curl https://USERNAME:PASSWORD@YOUR-DOMAIN:8080
</code>
Copy after login

例如,若用户名和密码分别为niktest,并且SSL证书是为域名www.ilovedocker.com,那么,你将输入如下的命令:

<code>curl https://nik:test@www.ilovedocker.com:8080
</code>
Copy after login

如果一切顺利的话,你会看到熟悉的内容:

<code>"docker-registry server (dev) (v0.8.1)"
</code>
Copy after login
Copy after login

否则,重新检查建立SSL的相关步骤,以及Nginx配置文件,以确保一切正常。

到目前为止,我们已经建立了运行在Nginx服务器后面的docker regsitry,而Nginx通过SSL可以提供权限认证和加密。

第六步——通过其他主机访问docker registry

为了能够访问docker registry,首先要将先前创建的SSL证书添加到新的主机中。该证书文件位于~/certs/devdockerCA.crt。可以选择直接将其复制到新的机器中,或者根据以下说明来进行拷贝粘贴:

registry服务器上,查看证书:

<code>cat ~/certs/devdockerCA.crt
</code>
Copy after login

可得到类似如下的输出:

<code>-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJANiXy7fHSPrmMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTQwOTIxMDYwODE2WhcNNDIwMjA2MDYwODE2WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuK4kNFaY3k/0RdKRK1XLj9+IrpR7WW5lrNaFB0OIiItHV9FjyuSWK2mj
ObR1IWJNrVSqWvfZ/CLGay6Lp9DJvBbpT68dhuS5xbVw3bs3ghB24TntDYhHMAc8
GWor/ZQTzjccHUd1SJxt5mGXalNHUharkLd8mv4fAb7Mh/7AFP32W4X+scPE2bVH
OJ1qH8ACo7pSVl1Ohcri6sMp01GoELyykpXu5azhuCnfXLRyuOvQb7llV5WyKhq+
SjcE3c2C+hCCC5g6IzRcMEg336Ktn5su+kK6c0hoD0PR/W0PtwgH4XlNdpVFqMST
vthEG+Hv6xVGGH+nTszN7F9ugVMxewIDAQABo1AwTjAdBgNVHQ4EFgQULek+WVyK
dJk3JIHoI4iVi0FPtdwwHwYDVR0jBBgwFoAULek+WVyKdJk3JIHoI4iVi0FPtdww
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkignESZcgr4dBmVZqDwh
YsrKeWSkj+5p9eW5hCHJ5Eg2X8oGTgItuLaLfyFWPS3MYWWMzggxgKMOQM+9o3+k
oH5sUmraNzI3TmAtkqd/8isXzBUV661BbSV0obAgF/ul5v3Tl5uBbCXObC+NUikM
O0C3fDmmeK799AM/hP5CTDehNaFXABGoVRMSlGYe8hZqap/Jm6AaKThV4g6n4F7M
u5wYtI9YDMsxeVW6OP9ZfvpGZW/n/88MSFjMlBjFfFsorfRd6P5WADhdfA6CBECG
LP83r7/MhqO06EOpsv4n2CJ3yoyqIr1L1+6C7Erl2em/jfOb/24y63dj/ATytt2H
6g==
-----END CERTIFICATE-----
</code>
Copy after login

拷贝该输出到粘贴板,并且连接到客户机。

在客户机上,创建证书目录:

<code>sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
</code>
Copy after login

打开证书文件以备编辑:

<code>nano /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt
</code>
Copy after login

粘贴证书内容[已在粘贴板上,译者注]。

通过查看给文件来验证证书已保存到客户机上:

<code>cat /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt
</code>
Copy after login

如果一切顺利的话,你会看到和之前一样的输出文本:

<code>-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJANiXy7fHSPrmMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
...
...
LP83r7/MhqO06EOpsv4n2CJ3yoyqIr1L1+6C7Erl2em/jfOb/24y63dj/ATytt2H
6g==
-----END CERTIFICATE-----
</code>
Copy after login

现在,更新证书:

<code>sudo update-ca-certificates
</code>
Copy after login

会得到形如下文的输出(主要这里的”1 added”)

<code>Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
</code>
Copy after login

如果你到现在还没有安装docker在这台客户机上的,马上安装吧。

Ubuntu的大多数版本中,你仅需下面这几个命令就能够快速安装最新版的docker。如果你的是其他的发布或者遇到了一些难题,那么你可以查看docker安装指南,以寻其他出路。

添加仓库秘钥:

<code>sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9;
</code>
Copy after login

创建一个文件来罗列docker仓库:

<code>sudo nano /etc/apt/sources.list.d/docker.list
</code>
Copy after login

将以下内容添加到该文件中:

<code>deb https://get.docker.io/ubuntu docker main
</code>
Copy after login

更新包列表:

<code>sudo apt-get update
</code>
Copy after login

安装docker

<code>sudo apt-get install -y --force-yes lxc-docker
</code>
Copy after login

为了使docker能更快的工作起来,将当前用户加入到docker组中,并且重开一个新的命令行模式:

<code>sudo gpasswd -a ${USER} docker
sudo su -l $USER #(必要时需键入密码)
</code>
Copy after login

重启docker以确保其重新载入系统的CA证书。

<code>sudo service docker restart
</code>
Copy after login

此时,你应当能够从该客户机登陆docker registry服务器:

<code>docker login https://YOUR-HOSTNAME:8080
</code>
Copy after login

注意,此时应当使用https://以及端口8080。输入先前设置的用户名和密码(邮件地址可随意输入)。这时,你应当看到Login Succeeded的成功登陆消息。

此时,docker registry以构建并运行起来。让我们来做个测试的镜像推送到registry上。

第七步——发布到docker registry

在客户机上,创建一个小的、空的镜像,然后推送到registry上。

<code>docker run -t -i ubuntu /bin/bash
</code>
Copy after login

在完成下载之后,你就进入docker命令行模式。对该文件系统做一些小的改变:

<code>touch /SUCCESS
</code>
Copy after login

docker容器中退出:

<code>exit
</code>
Copy after login

将所做的更改提交:

<code>docker commit $(docker ps -lq) test-image
</code>
Copy after login

如果此时执行docker images命令,你会在镜像列表里,看到已经拥有了一个新的test-image镜像。

<code># docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
test-image          latest              1f3ce8008165        9 seconds ago       192.7 MB
ubuntu              trusty              ba5877dc9bec        11 days ago         192.7 MB
</code>
Copy after login

此时,该镜像只存在于本地。那么我们将其推送到新建的registry上。

首先,从docker登陆registry。注意,你要用https://以及8080端口:

<code>docker login https://<YOUR-DOMAIN>:8080
</code>
Copy after login
Copy after login

输入已设置的用户名和密码:

<code>Username: USERNAME
Password: PASSWORD
Email: 
Account created. Please see the documentation of the registry http://localhost:5000/v1/ for instructions how to activate it.
</code>
Copy after login

docker有一个非同寻常的机制来明确将镜像推送的哪里的registry。必须将镜像打上私有registry路径标签才能实现将其推送上去。那么我们将该镜像打上我们私有registry的标签:

<code>docker tag test-image YOUR-DOMAIN:8080/test-image
</code>
Copy after login

注意,先给出镜像的本地名称,然后给出想要将其打成的标签。该标签上不包含https://,仅有域名,端口和镜像名字。

现在可以将镜像推送到registry上了。此时,仅使用标签名:

<code>docker push <YOUR-DOMAIN>:8080/test-image
</code>
Copy after login

该过程会花费一些时间将镜像上传到registry上。你也会看到包含Image successfully pushed输出消息。

第八步——从docker registry拉去镜像

为了确保一切运行正常,让我们回到初始的服务器上(安装docker regsitry的机器上),将从客户机推送上来的镜像拉去下来。你也可以从第三方的服务器上来测试这一步。

如果在即将测试拉去的服务器上还没有安装docker,回到第六步去参看安装说明(如果是第三方的服务器,那么参看SSL说明一节)。

使用之前创建的用户名和密码登陆:

<code>docker login https://<YOUR-DOMAIN>:8080
</code>
Copy after login
Copy after login

现在来拉去镜像。仅需要使用打标签的镜像的名字,包括域名,端口号以及镜像名(而没有https://):

<code>docker pull <YOUR-DOMAIN>:8080/test-image
</code>
Copy after login

docker会执行一些下载任务并回退会命令行模式。如果你在这个新的机器上运行该镜像的话,你会看到之前创建的SUCCESS文件:

<code>docker run -t -i <YOUR-DOMAIN>:8080/test-image /bin/bash
</code>
Copy after login

罗列文件:

<code>ls
</code>
Copy after login

你会看到我们之前创建的SUCCESS文件:

<code>SUCCESS  bin  boot  dev  etc  home  lib  lib64  media   mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
</code>
Copy after login

恭喜你!你已经使用私有的docker registry实现了推送和拉去镜像。Happy Docker-ing!

以上就介绍了如何在Ubuntu14.04上搭建私有docker registry,包括了方面的内容,希望对PHP教程有兴趣的朋友有所帮助。

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template