我的環境相關設置如下
環境:centos7
IP地址:10.211.55.30
dockere版本:1.10.3
鏡像倉庫:v2
首先在10.211.55.30機器上下載registry鏡像
也可以進行鏡像導入的方法進行離線的安裝��?���?梢匀ノ业木W盤中下載:https://pan.baidu.com/s/1jHZlz2u
然后進入Docker中進行導入
$ docker load -i registry.tar
下載完之后我們通過該鏡像啟動一個容器
$ docker run -d -p 5000:5000 registry
默認情況下��,會將倉庫存放于容器內的/tmp/registry目錄下�,這樣如果容器被刪除,則存放于容器中的鏡像也會丟失����,所以我們一般情況下會指定本地一個目錄掛載到容器內的/tmp/registry下����,我將/opt/data/registry目錄掛載到/tmp/registry目錄下,如果你本地沒有這個目錄需要新創建��,同時需要給/opt/data/registry目錄擴大權限
chmod +777 /opt/data/registry
此處有坑:默認情況下是在容器內的/tmp/registry目錄下��,但是我的容器鏡像是存放在容器中的/var/lib/registry 這個位置����。
我是搭建完畢之后����,上傳一個鏡像之后然后使用 find / -name ***查到的位置
[root@server01 ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry 55c60589cb0e2d094d5371c4dd650127cfeae1b361477d50cfe48552e6308830
可以看到我們啟動了一個容器����,地址為:10.211.55.30:5000����。
測試
接下來我們就要操作把一個本地鏡像push到私有倉庫中����。首先在10.211.55.30機器下pull一個比較小的鏡像來測試(此處使用的是busybox)
$ sudo docker pull busybox
接下來修改一下該鏡像的tag��,鏡像的格式為 鏡像倉庫IP:端口/鏡像名稱
$ sudo docker tag busybox 10.211.55.30:5000/busybox
接下來把打了tag的鏡像上傳到私有倉庫��。
$ sudo docker push 10.211.55.30:5000/busybox
可以看到push失敗����,具體錯誤如下:
復制代碼 代碼如下:
2015/01/05 11:01:17 Error: Invalid registry endpoint https://192.168.112.136:5000/v1/: Get https://192.168.112.136:5000/v1/_ping: dial tcp 192.168.112.136:5000: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 192.168.112.136:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.112.136:5000/ca.crt
因為Docker從1.3.X之后����,與docker registry交互默認使用的是https��,然而此處搭建的私有倉庫只提供http服務��,所以當與私有倉庫交互時就會報上面的錯誤��。為了解決這個問題需要在啟動docker server時增加啟動參數為默認使用http訪問�。修改docker啟動配置文件(此處是修改10.211.55.30機器的配置)centos7下配置文件地址為:/usr/lib/systemd/system/docker.service��,在其中增加–insecure-registry 10.211.55.30:5000如下所示:
[Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com After=network.target rhel-push-plugin.socket Wants=docker-storage-setup.service [Service] Type=notify NotifyAccess=all EnvironmentFile=-/etc/sysconfig/docker EnvironmentFile=-/etc/sysconfig/docker-storage EnvironmentFile=-/etc/sysconfig/docker-network Environment=GOTRACEBACK=crash ExecStart=/usr/bin/docker-current daemon / --exec-opt native.cgroupdriver=systemd / --insecure-registry=10.211.55.30:5000 / $OPTIONS / $DOCKER_STORAGE_OPTIONS / $DOCKER_NETWORK_OPTIONS / $ADD_REGISTRY / $BLOCK_REGISTRY / $INSECURE_REGISTRY LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity TimeoutStartSec=0 MountFlags=slave Restart=on-abnormal [Install] WantedBy=multi-user.target
修改完之后����,重啟Docker服務。
重啟完之后我們再次運行推送命令�,把本地鏡像推送到私有服務器上。
$ sudo docker push 10.211.55.30:5000/busybox
可以看到鏡像已經push到私有倉庫中去了����。
進行到這一步的時候也不一定能夠成功�,使用journalctl -f 可以查看日志信息,通過日志信息可以查看到如下信息����,關注標紅的部分,顯示的是SELinux 的問題�,我的處理方法是直接關閉SELinux
Jan 27 16:08:16 server01 docker-current[15241]: time="2017-01-27T08:08:16Z" level=error msg="response completed with error" err.code="blob unknown" err.detail=sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729 err.message="blob unknown to registry" go.version=go1.7.3 http.request.host="10.211.55.30:5000" http.request.id=a2dbff10-2937-4e9e-94f3-16275739ad61 http.request.method=HEAD http.request.remoteaddr="10.211.55.30:48256" http.request.uri="/v2/centos_20170127/blobs/sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729" http.request.useragent="docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.4262ms http.response.status=404 http.response.written=157 instance.id=f9f97de9-15bc-41e3-9ec3-f1033e57a77e vars.digest="sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729" vars.name="centos_20170127" version=v2.6.0 Jan 27 16:08:16 server01 docker-current[15241]: 10.211.55.30 - - [27/Jan/2017:08:08:16 +0000] "HEAD /v2/centos_20170127/blobs/sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729 HTTP/1.1" 404 157 "" "docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64" Jan 27 16:08:16 server01 docker-current[15241]: time="2017-01-27T08:08:16Z" level=error msg="response completed with error" err.code=unknown err.detail="filesystem: mkdir /var/lib/registry/docker: permission denied" err.message="unknown error" go.version=go1.7.3 http.request.host="10.211.55.30:5000" http.request.id=158612a0-39f5-41f5-9985-c80db7da911f http.request.method=POST http.request.remoteaddr="10.211.55.30:48258" http.request.uri="/v2/centos_20170127/blobs/uploads/" http.request.useragent="docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.671997ms http.response.status=500 http.response.written=164 instance.id=f9f97de9-15bc-41e3-9ec3-f1033e57a77e vars.name="centos_20170127" version=v2.6.0 Jan 27 16:08:16 server01 docker-current[15241]: 10.211.55.30 - - [27/Jan/2017:08:08:16 +0000] "POST /v2/centos_20170127/blobs/uploads/ HTTP/1.1" 500 164 "" "docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64" Jan 27 16:08:16 server01 docker-current[15241]: time="2017-01-27T16:08:16.115997771+08:00" level=error msg="Upload failed, retrying: Received unexpected HTTP status: 500 Internal Server Error" Jan 27 16:08:16 server01 setroubleshoot[5771]: failed to retrieve rpm info for /opt/data/registry Jan 27 16:08:16 server01 setroubleshoot[5771]: SELinux is preventing /bin/registry from write access on the directory /opt/data/registry. For complete SELinux messages. run sealert -l 748743d8-dd8a-4482-9771-94a403bccf18 Jan 27 16:08:16 server01 python[5771]: <strong>SELinux is preventing /bin/registry from write access on the directory /opt/data/registry.</strong> ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow registry to have write access on the registry directory Then you need to change the label on /opt/data/registry Do # semanage fcontext -a -t FILE_TYPE '/opt/data/registry' where FILE_TYPE is one of the following: cgroup_t, docker_var_lib_t, svirt_home_t, svirt_sandbox_file_t, virt_home_t. Then execute: restorecon -v '/opt/data/registry' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that registry should be allowed write access on the registry directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep registry /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
關閉方法如下
查看SELinux狀態:
1、/usr/sbin/sestatus -v ##如果SELinux status參數為enabled即為開啟狀態 SELinux status: enabled 2�、getenforce ##也可以用這個命令檢查
關閉SELinux:
1、臨時關閉(不用重啟機器):
setenforce 0 ##設置SELinux 成為permissive模式 setenforce 1 設置SELinux 成為enforcing模式
2����、修改配置文件需要重啟機器:
修改/etc/selinux/config 文件
將SELINUX=enforcing改為SELINUX=disabled
重啟機器即可
接下來我們刪除本地鏡像�,然后從私有倉庫中pull下來該鏡像。
$ sudo docker pull 10.211.55.30:5000/busybox
到此就搭建好了Docker私有倉庫����。上面搭建的倉庫是不需要認證的。
管理倉庫中的鏡像
查詢
在Private Registry2中查看或檢索Repository或images�, 將不能用docker search,會報下邊的錯誤
$ docker search 10.211.55.30:5000/busybox/ Error response from daemon: Unexpected status code 404
但通過v2版本的API�,我們可以實現相同目的,必須按照IP:port/v2/_catalog格式:
[root@server01 ~]# curl http://10.211.55.30:5000/v2/_catalog {"repositories":["centos"]} [root@server01 ~]# curl http://10.211.55.30:5000/v2/centos/tags/list {"name":"centos","tags":["latest"]} 拉取鏡像如下
[root@server01 ~]# docker pull 10.211.55.30:5000/centos Using default tag: latest Trying to pull repository 10.211.55.30:5000/centos ... latest: Pulling from 10.211.55.30:5000/centos Digest: sha256:7dfffa13a2addc317ac3bdfbddbd4604ea629decea19c271481e5c45245b7612 Status: Downloaded newer image for 10.211.55.30:5000/centos:latest
以上就是本文的全部內容�,希望對大家的學習有所幫助����,也希望大家多多支持VEVB武林網��。
