Docker Registry
A registry is the place where image files are stored centrally. The registry and the registry server (Registry) are sometimes confused and not strictly distinguished. In practice a registry server usually holds multiple repositories, each repository contains multiple images, and each image carries a different tag.
A Docker Registry can contain multiple repositories (Repository); each repository can contain multiple tags (Tag), and each tag corresponds to one image.
Registries are divided into public and private registries.
Once a user has built their own image, they can upload it to a public or private repository with the push command, so that the next time the image is needed on another machine they only have to pull it from the registry.
1. Building a private registry
Download the registry image:
docker pull registry
After the download, start a container from this image:
[root@host ~]# docker run -d -p 5000:5000 --name registry registry:2.3.1
Check that the port is now listening.
List the images present:
[root@host ~]# docker images
Tag the image as localhost:5000/game2048 with docker tag. The format is:
docker tag IMAGE[:TAG] [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]
[root@host ~]# docker tag game2048 localhost:5000/game2048    # add the registry tag to the existing image
[root@host ~]# docker images
Upload the tagged image with docker push:
[root@host ~]# docker push localhost:5000/game2048
List the images in the registry with curl:
[root@host ~]# curl 127.0.0.1:5000/v2/_catalog
{"repositories":["game2048"]}
Seeing {"repositories":["game2048"]} confirms that the image was uploaded successfully.
Delete the local copy of the image before trying to download it from the private registry:
[root@host ~]# docker rmi localhost:5000/game2048
Pull the image:
[root@host ~]# docker pull localhost:5000/game2048
[root@host ~]# docker image ls
If you do not want to use 127.0.0.1:5000 as the registry address, for example because other hosts on the same network segment should also be able to push images to the private registry, you will have to use an intranet address such as 192.168.122.1:5000 as the registry address, and you will find that the push no longer succeeds.
This is because by default Docker refuses to push images to a registry that is not served over HTTPS. We can either lift this restriction through the Docker configuration option, or follow the next section to configure a private registry that can be reached over HTTPS.
Uploading the image again
The error occurs because the client uses HTTPS while the Docker registry does not provide an HTTPS service. One way to handle this is to make the client's requests to the address "192.168.1.100:5000" use HTTP instead.
Many articles address this issue by modifying Docker's configuration file "/etc/sysconfig/docker" and restarting Docker. However, Docker version 1.12.3 does not have this file; creating it as described online, filling in the suggested content and restarting Docker had no effect, and the same error was still reported.
Workaround:
Create a file named "daemon.json" under the "/etc/docker/" directory and write into it:
{"insecure-registries": ["192.168.122.1:5000"]}
Save and exit, then restart Docker.
Edit the daemon file and write in the local IP and port:
[root@host docker]# vim daemon.json
Restart the service and start the registry container again by hand.
Upload again:
[root@host docker]# docker push 192.168.122.1:5000/nginx
Then stop and delete the container.
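As an added example (not from the original post), the shell check below reads a daemon.json and reports how the Docker daemon will treat a given registry address: loopback addresses such as localhost:5000 are treated as insecure by default, which is why the first push worked without any configuration, while an entry under "insecure-registries" disables certificate checks for that one host and should be kept to exactly that address. The daemon.json path is a parameter and a sample file is constructed inline.

```shell
#!/bin/sh
# Added example, not the post's own commands: decide how the Docker daemon
# contacts a registry address, given a daemon.json. Docker treats 127.0.0.0/8
# and localhost as insecure by default; any address listed under
# "insecure-registries" is used over HTTP or unverified HTTPS; everything
# else must present a certificate the host trusts.

# Constructed sample daemon.json, matching the workaround above.
SAMPLE_DAEMON_JSON="$(mktemp)"
cat > "$SAMPLE_DAEMON_JSON" <<'EOF'
{"insecure-registries": ["192.168.122.1:5000"]}
EOF

# registry_mode ADDRESS [DAEMON_JSON]
# Prints: loopback-insecure | insecure-registries | https-required
registry_mode() {
    addr="$1"
    conf="${2:-/etc/docker/daemon.json}"
    host="${addr%%:*}"                      # drop the :port suffix
    case "$host" in
        localhost|127.*) echo "loopback-insecure"; return 0 ;;
    esac
    # Dependency-free check (no jq): flatten the file and look for the
    # exact quoted address inside the insecure-registries array.
    if [ -r "$conf" ] && tr -d ' \n\t' < "$conf" \
            | grep -q "\"insecure-registries\":\[[^]]*\"$addr\""; then
        echo "insecure-registries"
    else
        echo "https-required"
    fi
}

# list_insecure_registries [DAEMON_JSON]
# Prints every address for which certificate checks are disabled, one per
# line, so the scope of the exception can be reviewed.
list_insecure_registries() {
    conf="${1:-/etc/docker/daemon.json}"
    [ -r "$conf" ] || return 0
    tr -d ' \n\t' < "$conf" \
        | grep -o '"insecure-registries":\[[^]]*\]' \
        | grep -o '"[^"]*"' \
        | grep -v '"insecure-registries"' \
        | tr -d '"'
}

# Usage on the running host:
#   registry_mode 192.168.122.1:5000
#   list_insecure_registries
```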
2. Generating a self-signed certificate
Generate a self-signed certificate on the server host; first create a folder to hold the certificate:
[root@host docker]# pwd
/tmp/docker
[root@host docker]# mkdir certs
[root@host docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
................................................................................++
................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:cara
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:mycara.com
Email Address []:<email address>
The certs folder now contains the two generated files.
Run a registry container:
[root@host docker]# docker run -d \
> --restart=always \
> --name registry \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -p 443:443 \
> registry:2.3.1
As shown below, the container starts and the port is open.
The domain name must resolve, so add it to the hosts file:
[root@host docker]# vim /etc/hosts
Configuring the client
I did the experiment on one server, so it is configured on a single host.
If your server acts as the Docker registry and the client uploads or pulls images from another host, the following steps should be performed on the client:
Create the directory and copy the server-generated .crt into /etc/docker/certs.d/mycara.com/ on the client:
[root@host certs]# mkdir -p /etc/docker/certs.d/mycara.com/
[root@host certs]# cp domain.crt /etc/docker/certs.d/mycara.com/
Tag and upload the image:
[root@host certs]# docker tag game2048 mycara.com/game2048
[root@host certs]# docker push mycara.com/game2048
Pull the image:
[root@host certs]# docker pull mycara.com/game2048
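The following is an added example (not the post's own commands) that produces the same kind of self-signed certificate non-interactively and checks the two things the client side depends on: the certificate's name must match the name used in docker pull mycara.com/..., and Docker clients built with Go 1.15 or later ignore the CN and require that name as a subjectAltName. It assumes OpenSSL 1.1.1 or newer (for -addext); the registry name and output directory are parameters.

```shell
#!/bin/sh
# Added example, not the post's own commands. Generates a self-signed
# certificate for the registry name without the interactive prompts and
# adds a subjectAltName, which newer Docker clients require (the CN alone,
# as in the interactive run above, is ignored by Go 1.15+ TLS clients).
# Requires OpenSSL 1.1.1+ for -addext. 2048-bit key here for speed; the
# post uses 4096.

# make_registry_cert NAME OUTDIR -> writes OUTDIR/domain.key and domain.crt
make_registry_cert() {
    name="$1"; outdir="$2"
    mkdir -p "$outdir"
    # -nodes leaves the private key unencrypted so the registry container
    # can load it; compensate by creating the files readable only by the
    # owner (umask inside a subshell so the caller's umask is untouched).
    ( umask 077 && openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -keyout "$outdir/domain.key" -out "$outdir/domain.crt" \
        -subj "/C=CN/ST=shaanxi/L=xi'an/O=cara/OU=linux/CN=$name" \
        -addext "subjectAltName=DNS:$name" >/dev/null 2>&1 )
}

# cert_cn CRT -> prints the subject CN
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_san CRT NAME -> exit 0 if NAME is present as a DNS SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private KEY -> exit 0 if no group/other permission bits are set
key_is_private() {
    mode="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")"
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Usage on the registry host, mirroring the post's layout:
#   make_registry_cert mycara.com /tmp/docker/certs
#   cert_cn /tmp/docker/certs/domain.crt
#   cert_has_san /tmp/docker/certs/domain.crt mycara.com && echo "SAN ok"
```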
Delete the original registry container before doing the following experiment.
3. Authentication for the private registry
Create a file that holds the account and password:
[root@host docker]# mkdir auth    # create the directory
[root@host docker]# ls
auth certs
[root@host docker]# docker run \
> --entrypoint htpasswd \
> registry:2.3.1 -Bbn admin cara > auth/htpasswd
[root@host docker]# cd auth/
[root@host auth]# ls
htpasswd
[root@host auth]# cat htpasswd
admin:$2y$05$lib4ztanf0kcspw0irl2zoqo9zth5xpoypdjrh/vtcilfx3hgu0p.
Restart the container with authentication enabled:
[root@host opt]# docker run -d --restart=always --name registryauth \
  -v /tmp/docker/certs:/certs \
  -v /opt/registryauth:/var/lib/registry \
  -v /tmp/docker/auth:/auth \
  -e REGISTRY_AUTH=htpasswd \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 registry:2.3.1
9b12ab89f5a4c0434bad1b09e7bbde24c7c6a3d02a94d928719e85ff41c15339
Now when the client pulls or pushes again it gets an error and cannot submit; it has to log in to the private registry first.
[root@host opt]# docker tag nginx mycara.com/nginx
[root@host opt]# docker login -u admin -p cara mycara.com
Login Succeeded
[root@host opt]# cd
[root@host ~]# cd .docker/
[root@host .docker]# ls
config.json
[root@host .docker]# cat config.json
{
    "auths": {
        "mycara.com": {
            "auth": "YWRtaW46Y2FyYQ=="
        }
    }
}
The upload succeeds:
[root@host .docker]# docker push mycara.com/nginx
The push refers to a repository [mycara.com/nginx]
5f70bf18a086: Pushed
3f3324023e75: Pushed
f0d7d68f89e5: Pushed
917c0fc99b35: Pushed
latest: digest: sha256:e59bbe13ca0c309644d9bca972c1b660c170fbdee7ff81eda9ff966b86f14e63 size: 1978
[root@host .docker]# cd /opt/registryauth/docker/registry/v2/repositories/
[root@host repositories]# ls
nginx
Sign out:
[root@host opt]# docker logout mycara.com
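As an added example (not the post's own commands), the shell helpers below show what docker login actually wrote to config.json: the auth value is only base64 of user:password, so the registry password is recoverable by anyone who can read the file. A sample config.json matching the login above is constructed inline, and the config path is a parameter.

```shell
#!/bin/sh
# Added example, not the post's own commands. "docker login" stores the
# registry credentials in ~/.docker/config.json as base64("user:password"),
# which is encoding, not encryption: the file must be protected like the
# password itself. (Passing -p on the command line, as above, also leaves
# the password in the shell history.)

# Constructed sample config.json matching the login above (admin / cara).
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
{
    "auths": {
        "mycara.com": {
            "auth": "YWRtaW46Y2FyYQ=="
        }
    }
}
EOF

# decode_auth AUTH_VALUE -> prints "user:password"
decode_auth() {
    printf '%s' "$1" | base64 -d
}

# stored_credentials [CONFIG]
# Prints "registry user password_length=N" per entry: enough to audit which
# accounts a host holds without echoing the secret itself.
stored_credentials() {
    conf="${1:-$HOME/.docker/config.json}"
    [ -r "$conf" ] || return 1
    tr -d ' \n\t' < "$conf" \
        | grep -o '"[^"]*":{"auth":"[^"]*"' \
        | sed 's/^"\([^"]*\)":{"auth":"\([^"]*\)"$/\1 \2/' \
        | while read -r registry b64; do
            plain="$(decode_auth "$b64")"
            user="${plain%%:*}"
            pass="${plain#*:}"
            printf '%s %s password_length=%s\n' "$registry" "$user" "${#pass}"
        done
}

# config_is_private [CONFIG] -> exit 0 if only the owner can read the file
config_is_private() {
    conf="${1:-$HOME/.docker/config.json}"
    mode="$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")"
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}
```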