Building a private Docker registry with TLS encryption, user authentication, and remote login

it  2025-03-01

Docker Hub is the official registry and is slow to reach from here. A mirror accelerator helps with speed, but when confidentiality and control over the images matter, a private registry is the more practical choice.

Creating the private registry

1. Pull the registry image (the VM needs network access for this step)

[root@server1 ~]# docker pull registry:2
[root@server1 ~]# docker images
REPOSITORY   TAG   IMAGE ID       CREATED        SIZE
registry     2     f32a97de94e1   4 months ago   25.8MB

The registry image listens on port 5000. Map that port to the host, and bind-mount a host directory as the registry storage so the pushed images persist outside the container:

[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
f0fe21e6d5f6c739ba972187b2e099eed8b28f96c7494a9690d0cb9446e95e8b
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS                    NAMES
4bdb8de8ef34   registry:2   "/entrypoint.sh /etc…"   32 seconds ago   Up 31 seconds   0.0.0.0:5000->5000/tcp   registry
[root@server1 ~]# netstat -ntlp | grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      12350/docker-proxy
[root@server1 ~]# docker load -i game2048.tar
[root@server1 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
registry     2        f32a97de94e1   5 months ago   25.8MB
registry     latest   f32a97de94e1   5 months ago   25.8MB
game2048     latest   19299002fdbe   2 years ago    55.5MB
[root@server1 ~]# docker tag game2048:latest localhost:5000/game2048    # retag game2048:latest with the address of the registry it will be pushed to
[root@server1 ~]# docker images
REPOSITORY                TAG      IMAGE ID       CREATED        SIZE
registry                  2        f32a97de94e1   5 months ago   25.8MB
registry                  latest   f32a97de94e1   5 months ago   25.8MB
game2048                  latest   19299002fdbe   2 years ago    55.5MB
localhost:5000/game2048   latest   19299002fdbe   2 years ago    55.5MB
[root@server1 ~]# docker push localhost:5000/game2048    # push the retagged image to port 5000 on this host, i.e. into the registry container
[root@server1 ~]# curl localhost:5000/v2/_catalog         # ask the registry API whether game2048 is now stored
{"repositories":["game2048"]}
[root@server1 repositories]# ls                           # the same data seen through the bind-mounted storage directory
game2048
[root@server1 repositories]# pwd
/opt/registry/docker/registry/v2/repositories

The registry built this way serves plain HTTP. Other hosts' Docker daemons will refuse to push to or pull from it unless it is explicitly listed as an insecure registry, and everything on the wire, including credentials later on, would travel unencrypted. The fix is to run the registry with TLS.

TLS encryption for the private registry

Generate a certificate

[root@server1 ~]# mkdir -p certs    # directory for the certificate and private key
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/haha.com.key -x509 -days 365 -out certs/haha.com.crt
Generating a 4096 bit RSA private key
........++
.........++
writing new private key to 'certs/haha.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:haha.com
Email Address []:root@haha.com
[root@server1 ~]# ls certs/    # certificate and key have been generated
haha.com.crt  haha.com.key
[root@server1 ~]# vim /etc/hosts    # name resolution for the registry hostname
172.25.25.1 server1 haha.com

The Common Name must be the hostname clients will use in image references (haha.com). Note that this command puts the hostname only in the CN; Docker's Go-based TLS client (Docker 20.10 and later) rejects certificates without a Subject Alternative Name, so on current versions add -addext "subjectAltName=DNS:haha.com" (OpenSSL 1.1.1 or later) to the openssl req command, or the push will fail with an x509 error even though the CA is trusted.

Build the TLS-enabled registry

docker rm -f registry    # remove the plain-HTTP registry; the name is reused below
docker run -d --restart=always --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/haha.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/haha.com.key \
  -p 443:443 registry    # run the registry with TLS on 443 and map the port
docker ps    # confirm the container is up
cd /etc/docker/
mkdir -p certs.d/haha.com    # Docker looks for registry CA certificates in /etc/docker/certs.d/<registry hostname>
cd certs.d/haha.com/
cp /root/certs/haha.com.crt ca.crt    # install the self-signed certificate as the CA the daemon trusts for haha.com
systemctl restart docker    # restart the daemon after adding the certificate

The directory name under certs.d must match the registry name exactly as it appears in image references (haha.com here; with a non-default port it would be haha.com:PORT). Because port 443 is the HTTPS default, images can be named haha.com/NAME without a port.

Verify the deployment

docker images
docker load -i ubuntu.tar    # load a test image
docker tag ubuntu:latest haha.com/ubuntu:latest    # retag it with the registry name
docker push haha.com/ubuntu    # push over TLS

Adding user authentication to the registry

1. Create the credentials and enable htpasswd authentication

[root@server1 ~]# mkdir auth    # directory for the credential file
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn admin redhat > auth/htpasswd    # use the htpasswd tool in the image to write the bcrypt entry for user admin
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$MrxBOhunWu.VfMkPr2lKG.QleK6d8CBocYD7Jv6Wt6cE62i.agJ8q
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn xixi redhat >> auth/htpasswd    # append a second user
[root@server1 ~]# docker ps    # find the running registry container
[root@server1 ~]# docker rm -f ef61c36b8c89    # remove it; otherwise starting a new container named registry fails with a name conflict
[root@server1 ~]# docker run -d --restart=always --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/haha.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/haha.com.key \
  -p 443:443 \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED          STATUS          PORTS                              NAMES
bea51c3c3c50   registry   "/entrypoint.sh /etc…"   42 seconds ago   Up 41 seconds   0.0.0.0:443->443/tcp, 5000/tcp     registry
[root@server1 ~]# docker login haha.com    # authenticate as admin; the credentials are stored for later pushes and pulls
[root@server1 ~]# docker push haha.com/ubuntu    # push succeeds while logged in
[root@server1 ~]# docker logout haha.com    # discard the stored credentials
[root@server1 ~]# docker push westos.org/nginx    # a push without credentials fails (note that the registry configured above is haha.com, not westos.org)

Three points worth knowing about this step. The registry only accepts bcrypt entries in the htpasswd file, which is why -B is passed to htpasswd. Since registry 2.7 the image no longer ships the htpasswd binary, so on a current image generate the entries with the htpasswd from the official httpd image instead, keeping the -B flag. And the registry refuses to start htpasswd authentication over plain HTTP, which is why TLS was set up first: without it the passwords would otherwise cross the network as a base64-encoded Basic header.
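Once the registry is up with TLS and htpasswd, it is worth checking from outside that it actually behaves as intended: an anonymous request to /v2/ must be answered with 401 and a Basic challenge, a wrong password must also get 401, and only the right credentials may reach /v2/_catalog. The script below is an added example, not code from the original post; it speaks the registry v2 API the same way docker login does and verifies the server certificate against the ca.crt from the certs.d step. The hostname haha.com, the admin/redhat user and the CA path are taken from the tutorial; the in-process stand-in registry at the bottom is constructed so the checks can also be exercised offline and is not a real registry.

```python
"""Post-deployment auth check for a private Docker registry (added example).

check_registry() is the real thing; _FakeRegistry/demo() are a constructed
stand-in so the script runs offline without docker or a network.
"""
import base64
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def _get(url, user=None, password=None, cafile=None, timeout=5):
    """GET url and return (status, headers, body); 401 is returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    # Verify the server certificate against our private CA (or the system store
    # when cafile is None).  Never turn verification off to "make it work".
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https") else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read()


def check_registry(base_url, user, password, cafile=None):
    """Return pass/fail results for the registry's authentication posture."""
    results = {}
    status, headers, _ = _get(f"{base_url}/v2/", cafile=cafile)
    challenge = headers.get("WWW-Authenticate", "")      # header lookup is case-insensitive
    results["anonymous_rejected"] = status == 401 and challenge.lower().startswith("basic")
    status, _, _ = _get(f"{base_url}/v2/", user, "definitely-wrong", cafile=cafile)
    results["bad_password_rejected"] = status == 401
    status, _, body = _get(f"{base_url}/v2/_catalog", user, password, cafile=cafile)
    results["login_ok"] = status == 200
    results["repositories"] = json.loads(body).get("repositories", []) if status == 200 else []
    return results


class _FakeRegistry(BaseHTTPRequestHandler):
    """Constructed stand-in for registry:2 with REGISTRY_AUTH=htpasswd (offline use).
    A real registry compares against bcrypt hashes; this stub only mimics the
    HTTP behaviour (401 + Basic challenge, JSON catalog) needed by the checks."""
    users = {"admin": "redhat"}                       # assumed test user from the tutorial
    catalog = {"repositories": ["game2048", "ubuntu"]}  # constructed sample contents

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            try:
                u, _, p = base64.b64decode(auth[6:]).decode().partition(":")
                ok = self.users.get(u) == p
            except Exception:
                ok = False
        if not ok:
            body = b'{"errors":[{"code":"UNAUTHORIZED"}]}'
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Registry Realm"')
        else:
            body = json.dumps(self.catalog).encode() if self.path == "/v2/_catalog" else b"{}"
            self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Run the checks against the in-process stand-in and return the results."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeRegistry)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_registry(f"http://127.0.0.1:{srv.server_port}", "admin", "redhat")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # Against the registry from the tutorial (assumed host, user and CA path):
    # print(check_registry("https://haha.com", "admin", "redhat",
    #                      cafile="/etc/docker/certs.d/haha.com/ca.crt"))
    print(demo())
```

Run it from a host that has the ca.crt, and every value should be True; a False in anonymous_rejected means the registry came up without REGISTRY_AUTH and is world-readable, while an ssl error on the first request points at the certificate (wrong hostname, or missing SAN) rather than at authentication.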

Connecting to the registry from a remote host

Remote login. Prerequisites: the remote host must resolve the registry hostname, and its Docker daemon must trust the registry certificate, i.e. the same /etc/docker/certs.d/haha.com/ca.crt that was installed on the registry host.

Registry host (server2; in this part of the walkthrough the registry runs on 172.25.25.2):

vim /etc/hosts
172.25.25.2 server2 haha.com
172.25.25.3 server3
scp -r /etc/docker/certs.d/ server3:/etc/docker/    # copy the trusted CA certificate to the client

Remote host (server3):

Configure the yum repository and install Docker, then:
vim /etc/hosts
172.25.25.2 server2 haha.com
172.25.25.3 server3
docker login haha.com    # authentication is enabled, so log in before pulling
docker pull haha.com/ubuntu    # pull the image

[root@server3 docker]# docker images    # confirm the image was pulled
