docker容器端口映射，容器间关联，仓库搭建（不加密，加密，加密认证）

一，容器端口映射：

[root@foundation92 Desktop]# docker run -d --name web -p 8080:80 nginx   #将本机的8080端口映射到容器的80端口
[root@foundation92 Desktop]# docker inspect web   #查看容器信息，获取容器IP

浏览器测试：





可以看见使用本机：172.25.254.92:8080和使用容器：172.17.0.2:80访问可以看见同样的效果。

同样：可以查看iptables的nat表看见端口映射的情况：iptables -nL -t nat

在nat网络模式下进行容器端口映射的时候要防止和本机的端口冲突

二，容器间互联：

--link 参数可以在不映射端口的前提下为两个容器间建立安全连接, --link 参数可以连接一个或多个容器到将要创建的容器。
--link 参数的格式为 --link name:alias，其中 name 是要链接的容器的名称，alias 是这个连接的别名

[root@foundation92 Desktop]# docker run -d --name web1 nginx
root@foundation92 Desktop]# docker run -it --name web2 --link web1:web3 nginx bash  #新建容器web2，并将web1连接到web2，取名为web3，但是web3本身不是容器
root@891278bc09b3:/# cat /etc/hosts
127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2  web3 cbf7dff3dfb2 web1
172.17.0.3  891278bc09b3
root@a78b76ddc807:/# ping web3      #pingweb3可以ping通
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.049 ms
^C--- web3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.049/0.060/0.071/0.000 ms
root@a78b76ddc807:/# ping web2
^C
root@a78b76ddc807:/# ping web1  #可以ping通
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
^C--- web3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.071/0.071/0.071/0.000 ms

#说明web1和web3时同一个容器

在使用Docker的时候，经常可能需要连接到其他的容器，比如：web服务需要连接数据库。按照往常的做法，需要先启动数据库的容器，映射出端口来，然后配置好客户端的容器，再去访问。其实针对这种场景，Docker提供了--link 参数来满足

三，docker私有仓库的搭建并配置仓库认证：

为什么还要搭建私有仓库？

dockerhub上镜像的上传和下载速度可能会有影响，而且依赖与网络带宽。

[root@foundation92 Desktop]# docker push nginx
The push refers to a repository [docker.io/library/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
unauthorized: authentication required
可以看见上传镜像受阻。
原因是网络受阻：
[root@foundation92 Desktop]# ping docker.io
PING docker.io (**34.234.103.99**) 56(84) bytes of data

#创建仓库（临时测试（不安全，未添加认证））：

docker run -d -p 5000:5000 --name registry registry:2.3.1    #用仓库镜像registry:2.3.1创建仓库registry
docker tag game2048 172.25.254.92:5000/game2048  #将本地镜像game2048修改名字为172.25.254.92:5000/game2048
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048  #上传172.25.254.92:5000/game2048镜像到本地仓库，发现报错，只支持HTTPS上传
The push refers to a repository [172.25.254.92/game2048]
Get https://172.25.254.92/v1/_ping: dial tcp 172.25.254.92:443: getsockopt: connection refused

临时解决方案：
vim /etc/docker/daemon.json
{
"insecure-registries": ["172.25.254.92:5000"]
}

再次上传成功：
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048
The push refers to a repository [172.25.254.92:5000/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushing [======>
4000
] 6.742 MB/50.1 MB
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364

#创建加密的仓库：

创建公钥和私钥：
mkdir /tmp/docker/certs
cd /tmp/docker

root@foundation92 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt  #创建密钥
Generating a 4096 bit RSA private key
.....++
................................................................................................................................................................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi;an
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:mytestregistry.com
Email Address []:root@:mytestregistry.com

[root@foundation92 docker]# cd certs/
[root@foundation92 certs]# ls
domain.crt  domain.key

创建加密仓库：
mkdir -p /etc/docker/certs.d/mytestregistry.com
cp /tmp/docker/domain.crt /etc/docker/certs.d/mytestregistry.com/ca.crt
vim /etc/hosts
172.25.254.92   mytestregistry.com

docker run -d  --restart=always  --name=mytestregistry  -v /tmp/docker/certs:/certs -v /opt/mytestregistry:/var/lib/registry  -e REGISTRY_HTTP_ADDR=0.0.0.0:443  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key  -p 443:443 registry:2.3.1  #创建加密仓库,并将本地仓库/opt/mytestregistry映射到容器的/var/lib/registry目录

docker tag game2048 mytestregistry.com/game2048  #将所需要上传的镜像重新命名

mv /etc/docker/daemon.json       #移除解决临时上传的文件

root@foundation92 certs]# docker push mytestregistry.com/game2048  #可以看出成功完成加密上传。
The push refers to a repository [mytestregistry.com/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364

[root@foundation92 repositories]# cd /opt/mytestregistry/docker/registry/v2/repositories          #进入本地仓库目录查看上传的镜像
[root@foundation92 repositories]# ls
game2048

#从本地仓库中获取镜像：
docker rmi mytestregistry.com/game2048       #删除本第改名的game2048镜像

Untagged: mytestregistry.com/game2048:latest
Untagged: mytestregistry.com/game2048@sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5

docker rmi game2048  #删除原本的game2048镜像

Untagged: game2048:latest
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36

docker pull mytestregistry.com/game2048    #从本地仓库中下载上传的game2048（修改过镜像名称）jingx
Using default tag: latest
latest: Pulling from game2048
3690ec4760f9: Pull complete
2e2d6e8f545b: Pull complete
aa8a6a9d7067: Pull complete
173507b749da: Pull complete
dc19969f59b2: Pull complete
Digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
Status: Downloaded newer image for mytestregistry.com/game2048:latest

docker tag mytestregistry.com/game2048 game2048  #重新改回镜像名称，恢复镜像
#仓库认证：
cd /tmp/docker/
mkdir auth             #创建存放认证帐号密码文件的目录
[root@foundation92 docker]# docker run --entrypoint htpasswd registry:2.3.1 -Bbn authtest authtestpasswd > auth/htpasswd   #创建认证的帐号和密码
[root@foundation92 docker]# cd auth/
[root@foundation92 auth]# ls
htpasswd
[root@foundation92 auth]# cat htpasswd   #查看存放认证帐号和密码的文件
authtest:$2y$05$ymWyu11dw/TG9.3xEAWWA.9YfYSQo.x6KV2DYzmg2hLvnC0eAojGa
[root@foundation92 docker]# cd /opt/
[root@foundation92 opt]# mkdir mytestregistryauth  #创建认证仓库的本地目录
[root@foundation92 auth]# docker run -d  --restart=always  --name=mytestregistryauth  -v /tmp/docker/certs:/certs  -v /opt/mytestregistryauth/:/var/lib/registry -v /tmp/docker/auth/:/auth -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key  -p 443:443  registry:2.3.1    #创建加密和认证仓库
244f10f6b5c9e92343a9faae3a8710070c0822b678c4bd18d1959dd9d0e68d79
[root@foundation92 auth]# docker tag nginx mytestregistry.com/nginx
[root@foundation92 auth]# docker push mytestregistry.com/nginx  #上传镜像，上传不成功，是因为仓库需要认证
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
no basic auth credentials
[root@foundation92 auth]# docker login -u authtest -p authtestpasswd mytestregistry.com   #登陆仓库
Login Succeeded
[root@foundation92 auth]# docker push mytestregistry.com/nginx  #成功上传镜像
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Pushed
3f3324023e75: Pushed
f0d7d68f89e5: Pushed
917c0fc99b35: Pushed
latest: digest: sha256:32d30bd4dd97cddf9c476ea4665149577601741fedf6e91256f552b2975005f9 size: 1978

#查看仓库的镜像：
[root@foundation92 repositories]# cd /opt/mytestregistryauth/docker/registry/v2/repositories
[root@foundation92 repositories]# ls
nginx