docker網絡管理與本地私有Registry創建部署
上一篇博客大致描述了docker的原理與傳統虛擬機的使用,以及docker基本使用,本文主要描述docker的網絡管理及重點介紹docker本地(內部)registry倉庫的搭建及私有registry,用來統一保存與管理企業docker鏡像;
docker網絡
docker網絡分四種類型:
closed container:封閉式容器
open container開放式:使用宿主機所有網絡接口
聯盟式網絡:即多個容器共享一個網絡
示例:
docker run --name bbox1 -it --rm --net bridge busybox 啟動httpd -f -h /data/html 再啟一個容器bbox2的網絡關聯到bbox1 docker run --name bbox2 --rm --net container:bbox1 -it busybox 此時兩臺使用同個個網絡地址ifconfig wget localhost/index.html 即訪問本地的index.html卻是bbox1上的web內容
Bridged:橋接式 expose(DNAT)
docker 啟動後默認啟動了三個網絡接口 docker network list
san@yongc-dong:~$ docker network list NETWORK ID NAME DRIVER SCOPE ba4170b93ff8 bridge bridge local 4e8802445c71 host host local d6685aeb00d4 none null local
查看docker橋接式網絡:
san@yongc-dong:~$ docker network inspect bridge
bridge:默認關聯到docker0上(私有網絡)
host:使用物理主機網絡空間(開放式)
none:不使用網絡,關閉網絡功能創建不使用網絡的容器
$ docker run --name bbox1 -it --rm --net none busybox / # ifconfig lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:0 (0.0 B) TX bytes:0 (0.0
給容器綁定主機名和解析
san@yongc-dong:~$ docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm --net bridge busybox
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.16.0.188 www.san.com
173.172.17.0.3 bbox1.san.com bbox1
/ # hostname
bbox1.san.com
/ # cat /etc/resolv.conf
nameserver 172.16.0.188容器內部端口暴露到宿主機
容器暴露端口 -p選項(四種方式,自動添加到iptables nat中)
1,隨機映射成宿主機端口
docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm -p 80 busybox
$docker port bbox1
80/tcp -> 0.0.0.0:32768
此時即可訪問宿主機ip:32768即可訪問容器web
2,-p port:port
-p 80:80
3,-p host::port :將容器的port映射到宿主機指定ip的隨機端口上
-p 172.16.0.188::80
80/tcp -> 172.16.0.188:32768
4,-p host:port:port :將容器port映射到宿主機指定ip上的port
80/tcp -> 172.16.0.188:80註意:可同進暴露多個端口;一個容器如需要暴露多個端口可使用多個-p 進行映射
docker 網絡管理
docker daemon 修改docker網絡
創建docker網絡 docker network create
san@yongc-dong:~$ docker network create -d bridge --subnet=172.31.0.0/16 --ip-range=172.31.0.0/16 --gateway=172.31.255.254 mybr0
86e7cdf8507e0c1721e16f29693c471bfd2db0e4c7bc7be90a3f72ab7d699450
san@yongc-dong:~$ docker network ls
NETWORK ID NAME DRIVER SCOPE
5579bb2c46f9 bridge bridge local
4e8802445c71 host host local
86e7cdf8507e mybr0 bridge local
d6685aeb00d4 none null local 網絡配置文件CentOS7保存在/etc/sysconfig/docker-network中
san@yongc-dong:~$ docker run --name bbox1 --rm -it --net mybr0 busybox
eth0 Link encap:Ethernet HWaddr 02:42:AC:1F:00:01
inet addr:172.31.0.1 Bcast:172.31.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2874 (2.8 KiB) TX bytes:0 (0.0 B)為運行中的容器添加網絡$ docker network connect bridge bbox1
查看docker網絡
$ docker network ls
root@san-dong # docker network ls
ID NAME DRIVER SCOPE
37f00a3e739c bridge bridge local
1cd7af35c54a host host local
75c791849a76 none null local查看指定網絡 root@san-dong # docker network inspect 37f00a3e739c
刪除網絡$docker network disconnect mybr0 bbox1
創建疊加網絡$ docker network create
搭建本地私有registry
對企業內部使用docker如果沒有統一的私有registry倉庫;默認是從docker.io上,網絡連接問題,下載鏡像那是相當的痛苦;所以為了愉快的使用docker提高工作效率;我們需要部署本地的私有registry
部署registry方式通常有兩種;一種通過容器(registry)方式;一種安裝服務(docker-distribution)自行部署;本文主要通過安裝服務部署;
架構圖:
部署環境:
客戶端1:
ubuntu 16.04
docker 版本: 18.03.0-ce
hostname: san-dong
ip:172.16.0.188
需要服務:docker
registry服務器(客戶端2):
centos7.x_x64
docker版本:18.04.0-ce
hostname: registry
ip: 172.16.0.4
需要服務:docker-distribution
nginx:1.12.2 (epel安裝,用於做反代)
安裝docker-distribution服務
[root@registry ~]# yum install docker-distribution
[root@registry ~]# rpm -ql docker-distribution
其中 配置文件/etc/docker-distribution/registry/config.yml
默認存儲目錄:/var/lib/registry配置文件:
[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
fields:
service: registry
storage:
cache:
layerinfo: inmemory #存在內存當緩存
filesystem:
rootdirectory: /var/lib/registry #存放位置
http: #http協議
addr: :5000 #偵聽在5000端口啟動服務[root@registry ~]# systemctl docker-distribution
至此registry本地倉庫配置完成
在客戶端上推送鏡像到私有registry倉庫:
#客戶端上(模擬開發工作主機)鏡像
san@san-dong:~$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx tomcat e982d826d0f1 7 days ago 388MB
nginx v1.0 ea7ac1a661bf 7 days ago 388MB
centos v0.1.0 b30913017782 7 days ago 388MB
nginx latest b30913017782 7 days ago 388MB
busybox v0.1.1 549a7aba89bd 7 days ago 1.15MB
busybox v0.1.0 42b4837a2d1e 7 days ago 1.15MB
centos latest e934aafc2206 2 weeks ago 199MB
busybox latest 8ac48589692a 2 weeks ago 1.15MB
1、把要推的鏡像打上registry標簽
san@san-dong:~$ sudo docker tag centos:v0.1.0 172.16.0.4:5000/centos:latest
san@san-dong:~$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx tomcat e982d826d0f1 7 days ago 388MB
nginx v1.0 ea7ac1a661bf 7 days ago 388MB
172.16.0.4:5000/centos latest b30913017782 7 days ago 388MB2、推送到registry
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
The push refers to repository [172.16.0.4:5000/centos]
Get https://172.16.0.4:5000/v2/: http: server gave HTTP response to HTTPS client
以上提示是需要https(默認強制https)而我們的registry用的是http;因此需要修改客戶端與registry之間的認證即把默認的https修改為http;
#ubuntu16.04 (centos 7 docker version 18.04.0-ce):
san@san-dong:~$ cat /etc/docker/deamon.json
{ "insecure-registries": [ "http://172.16.0.4:5000"]}
重啟docker
san@san-dong:~$ systemctl restart docker註意這裏的deamon.json文件名其實可以用其他名稱,但格式必須是json格式
如果您的docker是CentOS7 且 版本是18.03-ce及之前的版本需要如下修改(沒辦法docker更新速度太快):
修改 /etc/sysconfig/docker
ADD_REGISTRY="--add-registry 172.16.0.4:5000"
INSECURE_REGISTRY="--insecure-registry 172.16.0.4:5000"
重啟docker systemctl restart docker
再次推送鏡像到registry
#成功(ubuntu 16.04)推送類似如下:
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
The push refers to repository [172.16.0.4:5000/centos]
60c2902e0aff: Pushed
214c17cfa38b: Pushed
43e653f84b79: Pushed
latest: digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8 size: 948此時在服務器端可以在/var/lib/registry下已經 存在
[root@registry centos]# pwd
var/lib/registry/docker/registry/v2/repositories/centos
[root@registry centos]# ls
_layers _manifests _uploads
面臨問題:任何人都可以訪問了~ 如是企業內部使用到這裏就夠了;如果跨IDC或安全性要求高時則此時用nginx做反代 做認證;
基於nginx反代並做基礎認證的registry私有倉庫
需要安裝nginx服務
安裝nginx
[root@registry ~]# yum install epel-release -y
[root@registry ~]# yum install nginx -y
[root@registry ~]# yum install httpd-tools -y
###安裝完先不啟動添加認證用戶
[root@registry ~]# htpasswd -c -m /etc/nginx/.ngxpasswd san
修改docker-distribution偵聽接口(改為127.0.0.1)
[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
....省略(和上面一致)...
http:
addr: 127.0.0.1:5000
重啟docker-distribution
[root@registry ~]# systemctl restart docker-distribution
#查看
[root@registry conf.d]# netstat -ntpul |grep registry
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 2547/registrynginx配置:
[root@registry nginx]# egrep -v ‘(^#|^$)‘ nginx.conf
....省略....
client_max_body_size 0; ##重要
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://localhost:5000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Docker Registry Service";
auth_basic_user_file "/etc/nginx/.ngxpasswd";
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
###檢查nginx配置
# nginx -t
[root@registry ~]# systemctl restart nginx
[root@registry ~]# netstat -ntpul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2574/nginx: master上傳客戶端上的鏡像並推送到registry
先登錄registry
san@san-dong:~$ sudo docker login 172.16.0.4:80 #做了反代不能用http://172.16.0.4:80
Username: san
Password:
Login Succeeded登錄成功後修改要推送鏡像標簽:
root@san-dong:/etc/docker# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest b30913017782 7 days ago 388MB
busybox v0.1.0 42b4837a2d1e 7 days ago 1.15MB
centos latest e934aafc2206 2 weeks ago 199MB
#對centos打標簽:
root@san-dong:/etc/docker# docker tag centos:latest 172.16.0.4:80/san/centos:latest
#推送到本地倉庫:
root@san-dong:/etc/docker# docker push 172.16.0.4:80/san/centos:latest
The push refers to repository [172.16.0.4:80/san/centos]
43e653f84b79: Mounted from san/nginx
latest: digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 size: 529
此時到鏡像倉庫中就可以查看到/var/lib/registry/下
在registry上安裝docker並模擬客戶端從私有registry上下載鏡像
安裝docker服務這裏就不再詳說了;可參考上一篇文章;版本是18.04-ce(更新太快,上一篇文章中版本還是18.0.3-ce)
安裝完後啟動docker服務並修改配置
查看docker版本
[root@registry ~]# docker --version
Docker version 18.04.0-ce, build 3d479c0
[root@registry ~]# systemctl restart docker
[root@registry ~]# cat /etc/docker/deamon.json
{ "insecure-registries": [ "http://172.16.0.4:80" ] }登錄registry(其實中本地,這裏是模擬邏輯一樣)
[root@registry ~]# docker login 172.16.0.4:80
Username: san
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Are you sure you want to proceed? [y/N] y
Login Succeeded從registry中獲取鏡像
[root@registry ~]# docker pull 172.16.0.4:80/centos
Using default tag: latest
latest: Pulling from centos
469cfcc7a4b3: Pull complete
9710c34f15fa: Pull complete
a53634549a5e: Pull complete
Digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8
Status: Downloaded newer image for 172.16.0.4:80/centos:latest
#查看下載到本地的鏡像
[root@registry ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.16.0.4:80/centos latest b30913017782 7 days ago 388MB
registry latest d1fd7d86a825 3 months ago 33.3MB
啟動下載的鏡像
[root@registry ~]# docker run -d -it --name centos 172.16.0.4:80/centos
e11ecaf81abbbd698cdb3d58813ccaaec297c9fab490e9d0f63a7150054f2140
[root@registry ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e11ecaf81abb 172.16.0.4:80/centos "/bin/bash" 15 seconds ago Up 13 seconds 80/tcp centos補充:
出現如下提示:
san@san-dong:~$ sudo docker push 172.16.0.4:80/san/busybox:latest
The push refers to repository [172.16.0.4:80/san/busybox]
0314be9edf00: Preparing
no basic auth credentials表示沒有認證登錄
多用戶時, 用什麽賬號登錄時打標簽就用什麽用戶 push時也要對應;換用戶登出時san@san-dong:~$ docker login 172.16.0.4:80
別外:一般企業內部registry不需要做認證;也可以用ftp集中保存tar格式鏡像用時下載 load進去;
docker網絡管理與本地私有Registry創建部署