概述
上一篇博客大致描述了docker的原理与传统虚拟机的使用,以及docker基本使用,本文主要描述docker的网络管理及重点介绍docker本地(内部)registry仓库的搭建及私有registry,用来统一保存与管理企业docker镜像;
docker网络
docker网络分四种类型:
closed container:封闭式容器
open container开放式:使用宿主机所有网络接口
联盟式网络:即多个容器共享一个网络
示例:
docker run --name bbox1 -it --rm --net bridge busybox
启动httpd -f -h /data/html
再启一个容器bbox2的网络关联到bbox1
docker run --name bbox2 --rm --net container:bbox1 -it busybox
此时两台使用同个个网络地址ifconfig
wget localhost/index.html
即访问本地的index.html却是bbox1上的web内容
Bridged:桥接式 expose(DNAT)
docker 启动后默认启动了三个网络接口 docker network list
san@yongc-dong:~$ docker network list
NETWORK ID NAME DRIVER SCOPE
ba4170b93ff8 bridge bridge local
4e8802445c71 host host local
d6685aeb00d4 none null local
查看docker桥接式网络:
san@yongc-dong:~$ docker network inspect bridge
bridge:默认关联到docker0上(私有网络)
host:使用物理主机网络空间(开放式)
none:不使用网络,关闭网络功能
创建不使用网络的容器
$ docker run --name bbox1 -it --rm --net none busybox
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0
给容器绑定主机名和解析
san@yongc-dong:~$ docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm --net bridge busybox
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.16.0.188 www.san.com
173.172.17.0.3 bbox1.san.com bbox1
/ # hostname
bbox1.san.com
/ # cat /etc/resolv.conf
nameserver 172.16.0.188
容器内部端口暴露到宿主机
容器暴露端口 -p选项(四种方式,自动添加到iptables nat中)
1,随机映射成宿主机端口
docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm -p 80 busybox
$docker port bbox1
80/tcp -> 0.0.0.0:32768
此时即可访问宿主机ip:32768即可访问容器web
2,-p port:port
-p 80:80
3,-p host::port :将容器的port映射到宿主机指定ip的随机端口上
-p 172.16.0.188::80
80/tcp -> 172.16.0.188:32768
4,-p host:port:port :将容器port映射到宿主机指定ip上的port
80/tcp -> 172.16.0.188:80
注意:可同进暴露多个端口;一个容器如需要暴露多个端口可使用多个-p 进行映射
docker 网络管理
docker daemon 修改docker网络
创建docker网络 docker network create
san@yongc-dong:~$ docker network create -d bridge --subnet=172.31.0.0/16 --ip-range=172.31.0.0/16 --gateway=172.31.255.254 mybr0
86e7cdf8507e0c1721e16f29693c471bfd2db0e4c7bc7be90a3f72ab7d699450
san@yongc-dong:~$ docker network ls
NETWORK ID NAME DRIVER SCOPE
5579bb2c46f9 bridge bridge local
4e8802445c71 host host local
86e7cdf8507e mybr0 bridge local
d6685aeb00d4 none null local
网络配置文件CentOS7保存在/etc/sysconfig/docker-network中
san@yongc-dong:~$ docker run --name bbox1 --rm -it --net mybr0 busybox
eth0 Link encap:Ethernet HWaddr 02:42:AC:1F:00:01
inet addr:172.31.0.1 Bcast:172.31.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2874 (2.8 KiB) TX bytes:0 (0.0 B)
为运行中的容器添加网络
$ docker network connect bridge bbox1
查看docker网络
$ docker network ls
root@san-dong # docker network ls
ID NAME DRIVER SCOPE
37f00a3e739c bridge bridge local
1cd7af35c54a host host local
75c791849a76 none null local
查看指定网络
root@san-dong # docker network inspect 37f00a3e739c
删除网络
$docker network disconnect mybr0 bbox1
创建叠加网络
$ docker network create
搭建本地私有registry
对企业内部使用docker如果没有统一的私有registry仓库;默认是从docker.io上,网络连接问题,下载镜像那是相当的痛苦;所以为了愉快的使用docker提高工作效率;我们需要部署本地的私有registry
部署registry方式通常有两种;一种通过容器(registry)方式;一种安装服务(docker-distribution)自行部署;本文主要通过安装服务部署;
架构图:
部署环境:
客户端1:
ubuntu 16.04
docker 版本: 18.03.0-ce
hostname: san-dong
ip:172.16.0.188
需要服务:docker
registry服务器(客户端2):
centos7.x_x64
docker版本:18.04.0-ce
hostname: registry
ip: 172.16.0.4
需要服务:docker-distribution
nginx:1.12.2 (epel安装,用于做反代)
安装docker-distribution服务
[root@registry ~]# yum install docker-distribution
[root@registry ~]# rpm -ql docker-distribution
其中 配置文件/etc/docker-distribution/registry/config.yml
默认存储目录:/var/lib/registry
配置文件:
[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
fields:
service: registry
storage:
cache:
layerinfo: inmemory #存在内存当缓存
filesystem:
rootdirectory: /var/lib/registry #存放位置
http: #http协议
addr: :5000 #侦听在5000端口
启动服务
[root@registry ~]# systemctl docker-distribution
至此registry本地仓库配置完成
在客户端上推送镜像到私有registry仓库:
#客户端上(模拟开发工作主机)镜像
san@san-dong:~$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx tomcat e982d826d0f1 7 days ago 388MB
nginx v1.0 ea7ac1a661bf 7 days ago 388MB
centos v0.1.0 b30913017782 7 days ago 388MB
nginx latest b30913017782 7 days ago 388MB
busybox v0.1.1 549a7aba89bd 7 days ago 1.15MB
busybox v0.1.0 42b4837a2d1e 7 days ago 1.15MB
centos latest e934aafc2206 2 weeks ago 199MB
busybox latest 8ac48589692a 2 weeks ago 1.15MB
1、把要推的镜像打上registry标签
san@san-dong:~$ sudo docker tag centos:v0.1.0 172.16.0.4:5000/centos:latest
san@san-dong:~$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx tomcat e982d826d0f1 7 days ago 388MB
nginx v1.0 ea7ac1a661bf 7 days ago 388MB
172.16.0.4:5000/centos latest b30913017782 7 days ago 388MB
2、推送到registry
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
The push refers to repository [172.16.0.4:5000/centos]
Get https://172.16.0.4:5000/v2/: http: server gave HTTP response to HTTPS client
以上提示是需要https(默认强制https)而我们的registry用的是http;因此需要修改客户端与registry之间的认证即把默认的https修改为http;
#ubuntu16.04 (centos 7 docker version 18.04.0-ce):
san@san-dong:~$ cat /etc/docker/deamon.json
{ "insecure-registries": [ "http://172.16.0.4:5000"]}
重启docker
san@san-dong:~$ systemctl restart docker
注意这里的deamon.json文件名其实可以用其他名称,但格式必须是json格式
如果您的docker是CentOS7 且 版本是18.03-ce及之前的版本需要如下修改(没办法docker更新速度太快):
修改 /etc/sysconfig/docker
ADD_REGISTRY="--add-registry 172.16.0.4:5000"
INSECURE_REGISTRY="--insecure-registry 172.16.0.4:5000"
重启docker systemctl restart docker
再次推送镜像到registry
#成功(ubuntu 16.04)推送类似如下:
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
The push refers to repository [172.16.0.4:5000/centos]
60c2902e0aff: Pushed
214c17cfa38b: Pushed
43e653f84b79: Pushed
latest: digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8 size: 948
此时在服务器端可以在/var/lib/registry下已经 存在
[root@registry centos]# pwd
var/lib/registry/docker/registry/v2/repositories/centos
[root@registry centos]# ls
_layers _manifests _uploads
面临问题:任何人都可以访问了~ 如是企业内部使用到这里就够了;如果跨IDC或安全性要求高时则此时用nginx做反代 做认证;
基于nginx反代并做基础认证的registry私有仓库
需要安装nginx服务
安装nginx
[root@registry ~]# yum install epel-release -y
[root@registry ~]# yum install nginx -y
[root@registry ~]# yum install httpd-tools -y
###安装完先不启动
添加认证用户
[root@registry ~]# htpasswd -c -m /etc/nginx/.ngxpasswd san
修改docker-distribution侦听接口(改为127.0.0.1)
[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
....省略(和上面一致)...
http:
addr: 127.0.0.1:5000
重启docker-distribution
[root@registry ~]# systemctl restart docker-distribution
#查看
[root@registry conf.d]# netstat -ntpul |grep registry
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 2547/registry
nginx配置:
[root@registry nginx]# egrep -v '(^#|^$)' nginx.conf
....省略....
client_max_body_size 0; ##重要
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://localhost:5000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Docker Registry Service";
auth_basic_user_file "/etc/nginx/.ngxpasswd";
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
###检查nginx配置
# nginx -t
[root@registry ~]# systemctl restart nginx
[root@registry ~]# netstat -ntpul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2574/nginx: master
上传客户端上的镜像并推送到registry
先登录registry
san@san-dong:~$ sudo docker login 172.16.0.4:80 #做了反代不能用http://172.16.0.4:80
Username: san
Password:
Login Succeeded
登录成功后修改要推送镜像标签:
root@san-dong:/etc/docker# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest b30913017782 7 days ago 388MB
busybox v0.1.0 42b4837a2d1e 7 days ago 1.15MB
centos latest e934aafc2206 2 weeks ago 199MB
#对centos打标签:
root@san-dong:/etc/docker# docker tag centos:latest 172.16.0.4:80/san/centos:latest
#推送到本地仓库:
root@san-dong:/etc/docker# docker push 172.16.0.4:80/san/centos:latest
The push refers to repository [172.16.0.4:80/san/centos]
43e653f84b79: Mounted from san/nginx
latest: digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 size: 529
此时到镜像仓库中就可以查看到/var/lib/registry/下
在registry上安装docker并模拟客户端从私有registry上下载镜像
安装docker服务这里就不再详说了;可参考上一篇文章;版本是18.04-ce(更新太快,上一篇文章中版本还是18.0.3-ce)
安装完后启动docker服务并修改配置
查看docker版本
[root@registry ~]# docker --version
Docker version 18.04.0-ce, build 3d479c0
[root@registry ~]# systemctl restart docker
[root@registry ~]# cat /etc/docker/deamon.json
{ "insecure-registries": [ "http://172.16.0.4:80" ] }
登录registry(其实中本地,这里是模拟逻辑一样)
[root@registry ~]# docker login 172.16.0.4:80
Username: san
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Are you sure you want to proceed? [y/N] y
Login Succeeded
从registry中获取镜像
[root@registry ~]# docker pull 172.16.0.4:80/centos
Using default tag: latest
latest: Pulling from centos
469cfcc7a4b3: Pull complete
9710c34f15fa: Pull complete
a53634549a5e: Pull complete
Digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8
Status: Downloaded newer image for 172.16.0.4:80/centos:latest
#查看下载到本地的镜像
[root@registry ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.16.0.4:80/centos latest b30913017782 7 days ago 388MB
registry latest d1fd7d86a825 3 months ago 33.3MB
启动下载的镜像
[root@registry ~]# docker run -d -it --name centos 172.16.0.4:80/centos
e11ecaf81abbbd698cdb3d58813ccaaec297c9fab490e9d0f63a7150054f2140
[root@registry ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e11ecaf81abb 172.16.0.4:80/centos "/bin/bash" 15 seconds ago Up 13 seconds 80/tcp centos
补充:
出现如下提示:
san@san-dong:~$ sudo docker push 172.16.0.4:80/san/busybox:latest
The push refers to repository [172.16.0.4:80/san/busybox]
0314be9edf00: Preparing
no basic auth credentials
表示没有认证登录
多用户时, 用什么账号登录时打标签就用什么用户 push时也要对应;换用户登出时
san@san-dong:~$ docker login 172.16.0.4:80
别外:一般企业内部registry不需要做认证;也可以用ftp集中保存tar格式镜像用时下载 load进去;
|
QQ群⑧:
YunVN网友
发表于 2019-2-22 06:28:35
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
悔悟卡
匿名卡
显身卡