Docker container port mapping, linking containers, and registry setup (unencrypted, encrypted, encrypted with authentication)
2018-02-27 21:58
1. Container port mapping:
[root@foundation92 Desktop]# docker run -d --name web -p 8080:80 nginx   # map host port 8080 to container port 80
[root@foundation92 Desktop]# docker inspect web   # show the container details and obtain its IP address
Browser test:
Requesting the host address 172.25.254.92:8080 and the container address 172.17.0.2:80 yields the same page.
Likewise, the nat table of iptables shows the port mapping: iptables -nL -t nat
When mapping container ports in nat network mode, avoid conflicts with ports already in use on the host.
2. Linking containers:
The --link option establishes a secure connection between two containers without mapping any ports; it can connect one or more existing containers to the container being created. Its format is --link name:alias, where name is the container to link to and alias is the name this link gets.
[root@foundation92 Desktop]# docker run -d --name web1 nginx
[root@foundation92 Desktop]# docker run -it --name web2 --link web1:web3 nginx bash   # create container web2 and link web1 into it under the alias web3; web3 is not itself a container
root@891278bc09b3:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 web3 cbf7dff3dfb2 web1
172.17.0.3 891278bc09b3
root@a78b76ddc807:/# ping web3   # web3 is reachable
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.049 ms
^C--- web3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.049/0.060/0.071/0.000 ms
root@a78b76ddc807:/# ping web2
^C
root@a78b76ddc807:/# ping web1   # also reachable
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
^C--- web3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.071/0.071/0.071/0.000 ms
# this shows that web1 and web3 are the same container
When using Docker you often need to connect to another container, for example a web service that needs a database. The usual approach is to start the database container first, map its port out to the host, then configure the client container to reach it. For this scenario Docker provides the --link option instead.
3. Building a private Docker registry and configuring registry authentication:
Why build a private registry?
Image uploads and downloads on Docker Hub can be slow and depend on the available network bandwidth.
[root@foundation92 Desktop]# docker push nginx
The push refers to a repository [docker.io/library/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
unauthorized: authentication required
As shown, pushing the image fails. The cause is that the network is blocked:
[root@foundation92 Desktop]# ping docker.io
PING docker.io (34.234.103.99) 56(84) bytes of data
# Create a registry (temporary test; insecure, no authentication):
docker run -d -p 5000:5000 --name registry registry:2.3.1   # create the registry container from the registry:2.3.1 image
docker tag game2048 172.25.254.92:5000/game2048   # rename the local image game2048 to 172.25.254.92:5000/game2048
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048   # push 172.25.254.92:5000/game2048 to the local registry; this fails because only HTTPS is accepted
The push refers to a repository [172.25.254.92/game2048]
Get https://172.25.254.92/v1/_ping: dial tcp 172.25.254.92:443: getsockopt: connection refused
Temporary workaround:
vim /etc/docker/daemon.json
{
  "insecure-registries": ["172.25.254.92:5000"]
}
# the Docker daemon has to be restarted for a daemon.json change to take effect
The push now succeeds:
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048
The push refers to a repository [172.25.254.92:5000/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushing [======>                                            ] 6.742 MB/50.1 MB
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364
# Create a TLS-encrypted registry:
Create the private key and certificate:
mkdir -p /tmp/docker/certs
cd /tmp/docker
[root@foundation92 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt   # create the key and a self-signed certificate
Generating a 4096 bit RSA private key
.....++
..........++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi;an
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:mytestregistry.com
Email Address []:root@:mytestregistry.com
[root@foundation92 docker]# cd certs/
[root@foundation92 certs]# ls
domain.crt  domain.key
Create the encrypted registry:
mkdir -p /etc/docker/certs.d/mytestregistry.com
cp /tmp/docker/certs/domain.crt /etc/docker/certs.d/mytestregistry.com/ca.crt   # make the Docker client trust the self-signed certificate for this host
vim /etc/hosts
172.25.254.92 mytestregistry.com
docker run -d --restart=always --name=mytestregistry -v /tmp/docker/certs:/certs -v /opt/mytestregistry:/var/lib/registry -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1   # create the TLS registry and mount the host directory /opt/mytestregistry as the container's /var/lib/registry
docker tag game2048 mytestregistry.com/game2048   # rename the image that is to be pushed
rm /etc/docker/daemon.json   # remove the temporary insecure-registries workaround
[root@foundation92 certs]# docker push mytestregistry.com/game2048   # the push over TLS succeeds
The push refers to a repository [mytestregistry.com/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364
[root@foundation92 repositories]# cd /opt/mytestregistry/docker/registry/v2/repositories   # inspect the registry's storage directory for the uploaded image
[root@foundation92 repositories]# ls
game2048
# Pull the image from the local registry:
docker rmi mytestregistry.com/game2048   # remove the renamed local copy of game2048
Untagged: mytestregistry.com/game2048:latest
Untagged: mytestregistry.com/game2048@sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
docker rmi game2048   # remove the original game2048 image
Untagged: game2048:latest
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
docker pull mytestregistry.com/game2048   # pull game2048 (under its new name) back from the local registry
Using default tag: latest
latest: Pulling from game2048
3690ec4760f9: Pull complete
2e2d6e8f545b: Pull complete
aa8a6a9d7067: Pull complete
173507b749da: Pull complete
dc19969f59b2: Pull complete
Digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
Status: Downloaded newer image for mytestregistry.com/game2048:latest
docker tag mytestregistry.com/game2048 game2048   # tag it back to its original name, restoring the image
# Registry authentication:
cd /tmp/docker/
mkdir auth   # directory for the credential file
[root@foundation92 docker]# docker run --entrypoint htpasswd registry:2.3.1 -Bbn authtest authtestpasswd > auth/htpasswd   # create the account and its bcrypt-hashed password
[root@foundation92 docker]# cd auth/
[root@foundation92 auth]# ls
htpasswd
[root@foundation92 auth]# cat htpasswd   # inspect the credential file
authtest:$2y$05$ymWyu11dw/TG9.3xEAWWA.9YfYSQo.x6KV2DYzmg2hLvnC0eAojGa
[root@foundation92 docker]# cd /opt/
[root@foundation92 opt]# mkdir mytestregistryauth   # storage directory for the authenticated registry
# the earlier mytestregistry container must be stopped first, since both publish host port 443
[root@foundation92 auth]# docker run -d --restart=always --name=mytestregistryauth -v /tmp/docker/certs:/certs -v /opt/mytestregistryauth/:/var/lib/registry -v /tmp/docker/auth/:/auth -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1   # create the registry with TLS and authentication
244f10f6b5c9e92343a9faae3a8710070c0822b678c4bd18d1959dd9d0e68d79
[root@foundation92 auth]# docker tag nginx mytestregistry.com/nginx
[root@foundation92 auth]# docker push mytestregistry.com/nginx   # the push fails because the registry requires authentication
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
no basic auth credentials
[root@foundation92 auth]# docker login -u authtest -p authtestpasswd mytestregistry.com   # log in to the registry
Login Succeeded
[root@foundation92 auth]# docker push mytestregistry.com/nginx   # the push now succeeds
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Pushed
3f3324023e75: Pushed
f0d7d68f89e5: Pushed
917c0fc99b35: Pushed
latest: digest: sha256:32d30bd4dd97cddf9c476ea4665149577601741fedf6e91256f552b2975005f9 size: 1978
# List the images in the registry:
[root@foundation92 repositories]# cd /opt/mytestregistryauth/docker/registry/v2/repositories
[root@foundation92 repositories]# ls
nginx
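An audit of the client-side state the registry procedure above leaves behind, added here as an example and not part of the original post. For one registry host it checks that no insecure-registries override remains in daemon.json, that the self-signed CA is trusted under certs.d/<host>/ca.crt, and what docker login stored in config.json (base64 of user:password, not a hash, so that file needs the same protection as the password). The daemon.json, ca.crt and config.json are constructed in a temporary directory so the script runs offline; the host name and credentials are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a registry host's client-side
# configuration. All files below are constructed stand-ins for /etc/docker and
# ~/.docker/config.json; the host and credentials are those used in the post.

REG=mytestregistry.com
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DOCKER_ETC="$WORK/etc"          # stands in for /etc/docker
DOCKER_CFG="$WORK/config.json"  # stands in for ~/.docker/config.json

mkdir -p "$DOCKER_ETC/certs.d/$REG"
echo '{ "insecure-registries": ["172.25.254.92:5000", "mytestregistry.com"] }' > "$DOCKER_ETC/daemon.json"
echo 'constructed placeholder, not a real certificate' > "$DOCKER_ETC/certs.d/$REG/ca.crt"
AUTH=$(printf '%s' 'authtest:authtestpasswd' | base64)   # exactly what docker login writes
printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' "$REG" "$AUTH" > "$DOCKER_CFG"

# "yes" if daemon.json still lists the host (with or without a port) as insecure.
insecure_override() {
    if [ -f "$2/daemon.json" ] && grep -Eq "\"$1(:[0-9]+)?\"" "$2/daemon.json"; then
        echo yes
    else
        echo no
    fi
}

# "present" if the CA file the Docker client would use for this host exists.
ca_trusted() {
    if [ -s "$2/certs.d/$1/ca.crt" ]; then echo present; else echo missing; fi
}

# Decode the credential docker login stored for the host and print the user name.
stored_user() {
    awk -v h="\"$1\"" 'index($0, h) { f = 1 }
         f && $1 == "\"auth\":" { gsub(/"/, "", $2); print $2; exit }' "$2" \
        | base64 -d | cut -d: -f1
}

audit_registry() {
    echo "insecure_override=$(insecure_override "$1" "$2")"
    echo "ca_trusted=$(ca_trusted "$1" "$2")"
    echo "stored_user=$(stored_user "$1" "$3")"
}

audit_registry "$REG" "$DOCKER_ETC" "$DOCKER_CFG"
```

On a real host the expected result after the post's final step is insecure_override=no and ca_trusted=present; the stored_user line is a reminder that config.json holds a recoverable password.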