
docker網絡管理與本地私有Registry創建部署

docker網絡分類 docker網絡管理 docker Registry部署 docker Registry htt

概述

上一篇博客大致描述了docker的原理與傳統虛擬機的使用,以及docker基本使用,本文主要描述docker的網絡管理及重點介紹docker本地(內部)registry倉庫的搭建及私有registry,用來統一保存與管理企業docker鏡像;

docker網絡

docker網絡分四種類型:
closed container:封閉式容器
open container開放式:使用宿主機所有網絡接口
聯盟式網絡:即多個容器共享一個網絡
示例:

docker run --name bbox1 -it --rm --net bridge busybox
啟動httpd -f -h /data/html         
再啟一個容器bbox2的網絡關聯到bbox1
docker run --name bbox2 --rm --net container:bbox1 -it busybox
此時兩個容器使用同一個網絡地址(可在容器內用ifconfig查看)
wget localhost/index.html   
即訪問本地的index.html卻是bbox1上的web內容

Bridged:橋接式 expose(DNAT)
docker 啟動後默認啟動了三個網絡接口 docker network list

san@yongc-dong:~$ docker network list
NETWORK ID          NAME                DRIVER              SCOPE
ba4170b93ff8        bridge              bridge              local
4e8802445c71        host                host                local
d6685aeb00d4        none                null                local

查看docker橋接式網絡:

san@yongc-dong:~$ docker network inspect bridge
bridge:默認關聯到docker0上(私有網絡)
host:使用物理主機網絡空間(開放式)
none:不使用網絡,關閉網絡功能

創建不使用網絡的容器

 $ docker run --name bbox1 -it --rm --net none busybox
/ # ifconfig
lo        Link encap:Local Loopback  
inet addr:127.0.0.1  Mask:255.0.0.0
UP LOOPBACK RUNNING  MTU:65536  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1 
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 

給容器綁定主機名和解析

san@yongc-dong:~$ docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm --net bridge busybox
/ # cat /etc/hosts 
127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
 ff00::0    ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.16.0.188    www.san.com
173.172.17.0.3  bbox1.san.com bbox1
/ # hostname
bbox1.san.com
/ # cat /etc/resolv.conf 
nameserver 172.16.0.188

容器內部端口暴露到宿主機
容器暴露端口 -p選項(四種方式,自動添加到iptables nat中)

1,隨機映射成宿主機端口
  docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm -p 80 busybox
 $docker port bbox1
  80/tcp -> 0.0.0.0:32768
  此時即可訪問宿主機ip:32768即可訪問容器web
 2,-p port:port
   -p 80:80
 3,-p host::port      :將容器的port映射到宿主機指定ip的隨機端口上
  -p 172.16.0.188::80
   80/tcp -> 172.16.0.188:32768
 4,-p host:port:port   :將容器port映射到宿主機指定ip上的port
   80/tcp -> 172.16.0.188:80

註意:可同時暴露多個端口;一個容器如需要暴露多個端口可使用多個-p 進行映射
docker 網絡管理
docker daemon 修改docker網絡
創建docker網絡 docker network create

san@yongc-dong:~$ docker network create -d bridge --subnet=172.31.0.0/16 --ip-range=172.31.0.0/16 --gateway=172.31.255.254 mybr0
86e7cdf8507e0c1721e16f29693c471bfd2db0e4c7bc7be90a3f72ab7d699450
san@yongc-dong:~$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
5579bb2c46f9        bridge              bridge              local
4e8802445c71        host                host                local
86e7cdf8507e        mybr0               bridge              local
d6685aeb00d4        none                null                local         

網絡配置文件CentOS7保存在/etc/sysconfig/docker-network中

san@yongc-dong:~$ docker run --name bbox1 --rm -it --net mybr0 busybox
eth0      Link encap:Ethernet  HWaddr 02:42:AC:1F:00:01  
inet addr:172.31.0.1  Bcast:172.31.255.255  Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0 
RX bytes:2874 (2.8 KiB)  TX bytes:0 (0.0 B)

為運行中的容器添加網絡
$ docker network connect bridge bbox1
查看docker網絡

$ docker network ls
root@san-dong # docker network ls
ID          NAME                DRIVER              SCOPE
37f00a3e739c        bridge              bridge              local
1cd7af35c54a        host                host                local
75c791849a76        none                null                local

查看指定網絡
root@san-dong # docker network inspect 37f00a3e739c

將容器從指定網絡斷開
$docker network disconnect mybr0 bbox1

創建疊加網絡
$ docker network create

搭建本地私有registry

對企業內部使用docker如果沒有統一的私有registry倉庫;默認是從docker.io上,網絡連接問題,下載鏡像那是相當的痛苦;所以為了愉快的使用docker提高工作效率;我們需要部署本地的私有registry
部署registry方式通常有兩種;一種通過容器(registry)方式;一種安裝服務(docker-distribution)自行部署;本文主要通過安裝服務部署;
架構圖:
部署環境:
客戶端1:
ubuntu 16.04
docker 版本: 18.03.0-ce
hostname: san-dong
ip:172.16.0.188
需要服務:docker
registry服務器(客戶端2):
centos7.x_x64
docker版本:18.04.0-ce
hostname: registry
ip: 172.16.0.4
需要服務:docker-distribution
nginx:1.12.2 (epel安裝,用於做反代)

安裝docker-distribution服務

[root@registry ~]# yum install docker-distribution
[root@registry ~]# rpm -ql docker-distribution
其中 配置文件/etc/docker-distribution/registry/config.yml
默認存儲目錄:/var/lib/registry

配置文件:

[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
                version: 0.1
                log:
                fields:
                    service: registry
                storage:
                    cache:
                        layerinfo: inmemory     #存在內存當緩存
                    filesystem:
                        rootdirectory: /var/lib/registry    #存放位置

                http:                  #http協議
                    addr: :5000          #偵聽在5000端口

啟動服務
[root@registry ~]# systemctl start docker-distribution
至此registry本地倉庫配置完成

在客戶端上推送鏡像到私有registry倉庫:

#客戶端上(模擬開發工作主機)鏡像
san@san-dong:~$ sudo docker images
                REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
                nginx               tomcat              e982d826d0f1        7 days ago          388MB
                nginx               v1.0                ea7ac1a661bf        7 days ago          388MB
                centos              v0.1.0              b30913017782        7 days ago          388MB
                nginx               latest              b30913017782        7 days ago          388MB
                busybox             v0.1.1              549a7aba89bd        7 days ago          1.15MB
                busybox             v0.1.0              42b4837a2d1e        7 days ago          1.15MB
                centos              latest              e934aafc2206        2 weeks ago         199MB
                busybox             latest              8ac48589692a        2 weeks ago         1.15MB

1、把要推的鏡像打上registry標簽

san@san-dong:~$ sudo docker tag centos:v0.1.0  172.16.0.4:5000/centos:latest
san@san-dong:~$ sudo docker images
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
nginx                    tomcat              e982d826d0f1        7 days ago          388MB
nginx                    v1.0                ea7ac1a661bf        7 days ago          388MB
172.16.0.4:5000/centos   latest              b30913017782        7 days ago          388MB

2、推送到registry

 san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
 The push refers to repository [172.16.0.4:5000/centos]
 Get https://172.16.0.4:5000/v2/: http: server gave HTTP response to HTTPS client

以上提示表示客戶端默認強制使用https,而我們的registry只提供http;因此需要在客戶端把該registry列為insecure-registry,允許以http方式訪問;

#ubuntu16.04 (centos 7 docker version 18.04.0-ce):
san@san-dong:~$  cat /etc/docker/daemon.json
 { "insecure-registries": [ "http://172.16.0.4:5000"]}
 重啟docker 
 san@san-dong:~$  systemctl restart docker

註意這裏的daemon.json文件名其實可以用其他名稱,但格式必須是json格式
如果您的docker是CentOS7 且 版本是18.03-ce及之前的版本需要如下修改(沒辦法docker更新速度太快):
修改 /etc/sysconfig/docker
ADD_REGISTRY="--add-registry 172.16.0.4:5000"
INSECURE_REGISTRY="--insecure-registry 172.16.0.4:5000"
重啟docker systemctl restart docker
再次推送鏡像到registry

 #成功(ubuntu 16.04)推送類似如下:
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos 
The push refers to repository [172.16.0.4:5000/centos]
60c2902e0aff: Pushed 
214c17cfa38b: Pushed 
43e653f84b79: Pushed 
latest: digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8 size: 948

此時在服務器端可以在/var/lib/registry下已經 存在
[root@registry centos]# pwd
/var/lib/registry/docker/registry/v2/repositories/centos
[root@registry centos]# ls
_layers _manifests _uploads

面臨問題:任何人都可以訪問了~ 如是企業內部使用到這裏就夠了;如果跨IDC或安全性要求高時則此時用nginx做反代 做認證;需要注意的是下文的反代仍偵聽在80端口的明文http上,基礎認證的帳號密碼會以明文傳輸,跨IDC時應在nginx上啟用TLS;

基於nginx反代並做基礎認證的registry私有倉庫

需要安裝nginx服務
安裝nginx

[root@registry ~]# yum install epel-release -y
[root@registry ~]# yum install nginx -y
[root@registry ~]# yum install httpd-tools -y
###安裝完先不啟動

添加認證用戶

[root@registry ~]#  htpasswd -c -m /etc/nginx/.ngxpasswd san

修改docker-distribution偵聽接口(改為127.0.0.1)

[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
....省略(和上面一致)...
 http:
        addr: 127.0.0.1:5000

重啟docker-distribution
[root@registry ~]# systemctl restart docker-distribution
#查看
[root@registry conf.d]# netstat -ntpul |grep registry
 tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      2547/registry

nginx配置:

 [root@registry nginx]# egrep -v '(^#|^$)' nginx.conf
        ....省略....
            client_max_body_size 0;   ##重要
            server {
                listen       80 default_server;
                listen       [::]:80 default_server;
                server_name  _;
                root         /usr/share/nginx/html;
                # Load configuration files for the default server block.
                include /etc/nginx/default.d/*.conf;
                location / {
                    proxy_pass  http://localhost:5000;
                    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
                    proxy_redirect off;
                    proxy_buffering off;
                    proxy_set_header        Host            $host;
                    proxy_set_header        X-Real-IP       $remote_addr;
                    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                    auth_basic "Docker Registry Service";
                    auth_basic_user_file "/etc/nginx/.ngxpasswd";
                }
                error_page 404 /404.html;
                    location = /40x.html {
                }
                error_page 500 502 503 504 /50x.html;
                    location = /50x.html {
                    }
                }
            }

###檢查nginx配置
# nginx -t
 [root@registry ~]# systemctl restart nginx
 [root@registry ~]# netstat -ntpul 
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 0.0.0.0:80            0.0.0.0:*               LISTEN      2574/nginx: master

上傳客戶端上的鏡像並推送到registry
先登錄registry

san@san-dong:~$ sudo docker login 172.16.0.4:80    #做了反代不能用http://172.16.0.4:80
 Username: san
 Password: 
  Login Succeeded

登錄成功後修改要推送鏡像標簽:

root@san-dong:/etc/docker# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE      
nginx                     latest              b30913017782        7 days ago          388MB        
busybox                   v0.1.0              42b4837a2d1e        7 days ago          1.15MB
centos                    latest              e934aafc2206        2 weeks ago         199MB
#對centos打標簽:
root@san-dong:/etc/docker# docker tag centos:latest  172.16.0.4:80/san/centos:latest
#推送到本地倉庫:
root@san-dong:/etc/docker# docker push 172.16.0.4:80/san/centos:latest
The push refers to repository [172.16.0.4:80/san/centos]
43e653f84b79: Mounted from san/nginx 
 latest: digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 size: 529

此時到鏡像倉庫中就可以查看到/var/lib/registry/下

在registry上安裝docker並模擬客戶端從私有registry上下載鏡像
安裝docker服務這裏就不再詳說了;可參考上一篇文章;版本是18.04-ce(更新太快,上一篇文章中版本還是18.0.3-ce)

安裝完後啟動docker服務並修改配置

查看docker版本
[root@registry ~]#  docker --version
Docker version 18.04.0-ce, build 3d479c0
[root@registry ~]# systemctl restart docker
[root@registry ~]# cat /etc/docker/daemon.json
        { "insecure-registries": [ "http://172.16.0.4:80" ] }

登錄registry(其實就是本地,這裏只是模擬,邏輯一樣)

[root@registry ~]# docker login 172.16.0.4:80
Username: san
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 Are you sure you want to proceed? [y/N] y
 Login Succeeded

從registry中獲取鏡像

[root@registry ~]# docker pull 172.16.0.4:80/centos
        Using default tag: latest
        latest: Pulling from centos
        469cfcc7a4b3: Pull complete 
        9710c34f15fa: Pull complete 
        a53634549a5e: Pull complete 
        Digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8
        Status: Downloaded newer image for 172.16.0.4:80/centos:latest
#查看下載到本地的鏡像
[root@registry ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
172.16.0.4:80/centos   latest              b30913017782        7 days ago          388MB
 registry               latest              d1fd7d86a825        3 months ago        33.3MB

啟動下載的鏡像

[root@registry ~]# docker run -d -it  --name centos 172.16.0.4:80/centos
e11ecaf81abbbd698cdb3d58813ccaaec297c9fab490e9d0f63a7150054f2140

[root@registry ~]# docker ps
CONTAINER ID        IMAGE                  COMMAND             CREATED             STATUS              PORTS               NAMES
e11ecaf81abb        172.16.0.4:80/centos   "/bin/bash"         15 seconds ago      Up 13 seconds       80/tcp              centos

補充:

出現如下提示:

san@san-dong:~$ sudo docker push 172.16.0.4:80/san/busybox:latest
The push refers to repository [172.16.0.4:80/san/busybox]
 0314be9edf00: Preparing 
 no basic auth credentials

表示沒有認證登錄
多用戶時,用什麽賬號登錄,打標簽和push時就要用對應的用戶名;換用戶時需先登出再重新登錄:
san@san-dong:~$ docker login 172.16.0.4:80
另外:一般企業內部registry不需要做認證;也可以用ftp集中保存tar格式鏡像,用時下載後load進去;
