This post collects more Docker notes on registries, client/daemon interaction and security. Every command was tested only on CentOS 7, but the docker commands themselves are generic; what differs between distributions is the location of the configuration files and the service-management commands.

Client and daemon
```bash
# Make the Docker daemon listen on TCP port 1234 (0.0.0.0 = every interface, not only localhost)
docker daemon -H 0.0.0.0:1234
# The default daemon startup options live in /etc/default/docker
# On systems whose services are managed by systemd, the drop-in is
# /etc/systemd/system/docker.service.d/docker.conf

# Point a client at the daemon listening on 1234 and show the version information
docker -H tcp://127.0.0.1:1234 version
```
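A listener of the form `-H 0.0.0.0:1234` with no TLS hands full control of the daemon (and therefore of the host) to anyone who can reach the port. As an added example that is not part of the original post, the POSIX sh audit below flags a daemon drop-in or command line that exposes a TCP listener without `--tlsverify`; the three sample drop-in files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: flag dockerd drop-ins/command lines
# that expose a TCP listener without --tlsverify. Sample files are constructed.

# 0 = no plaintext TCP listener in the file, 1 = plaintext TCP listener found.
check_daemon_listener() {
    f="$1"
    # -H/--host followed by tcp:// or a bare host:port; unix:// and fd:// carry no port.
    grep -Eq -- '(-H|--host)[ =]+(tcp://)?[^ ]*:[0-9]+' "$f" || return 0
    # A verified TLS listener needs both the flag and a client CA bundle.
    grep -Eq -- '--tlsverify' "$f" && grep -Eq -- '--tlscacert' "$f" && return 0
    return 1
}

# Write three constructed sample drop-ins into directory $1.
write_sample_dropins() {
    d="$1"
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H 0.0.0.0:1234\n' \
        > "$d/plain.conf"
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem\n' \
        > "$d/tls.conf"
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock\n' \
        > "$d/local.conf"
}

# Report every *.conf in directory $1; prints one OK or RISK line per file.
audit_dropins() {
    for f in "$1"/*.conf; do
        if check_daemon_listener "$f"; then
            echo "OK   $f"
        else
            echo "RISK $f: TCP listener without --tlsverify"
        fi
    done
}

tmp=$(mktemp -d)
write_sample_dropins "$tmp"
audit_dropins "$tmp"    # RISK is reported for plain.conf only
rm -rf "$tmp"
```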
Setting up a private registry
```bash
docker run -d -p 5000:5000 --restart=always --name registry registry:2.1

# Use a custom configuration file; the default is /etc/docker/registry/config.yml
docker run -d -p 5000:5000 --restart=always --name registry \
  -v /home/user/registry-conf/conf.yml:/etc/docker/registry/config.yml registry:2.1

# Use a custom storage location; the default is /var/lib/registry
docker run -d -p 5000:5000 --restart=always --name registry \
  -v /opt/dada/registry:/var/lib/registry registry:2.1

# Generate a TLS certificate (the CN/SAN must match the hostname clients use, e.g. myrepo.com)
openssl req -newkey rsa:4096 -nodes -sha256 -keyout myrepo.key -x509 -days 365 -out myrepo.crt
# The generated certificate must be installed on every Docker client host at
# /etc/docker/certs.d/myrepo.com:5000/ca.crt

# Start the registry with the certificate enabled
docker run -d -p 5000:5000 --restart=always --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/myrepo.key \
  registry:2.1

# Deploy a Docker registry with Nexus 3
docker pull sonatype/nexus3
docker run -d --name nexus --restart=always -p 5000:5000 -p 8081:8081 sonatype/nexus3
```
Managing access permissions
```bash
# Managing access permissions
# Use an nginx reverse proxy for authentication
sudo apt-get -y install nginx
```

Add the configuration below as docker-registry.conf:

```nginx
# The local registry listens on port 5000
upstream docker-registry {
    server localhost:5000;
}

# The proxy listens on port 15000
server {
    listen 15000 ssl;   # TLS is terminated here ("ssl on;" is the deprecated spelling)
    server_name private-registry-server.com;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    # SSL configuration
    ssl_certificate /etc/ssl/certs/myrepo.crt;
    ssl_certificate_key /etc/ssl/private/myrepo.key;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 600;
    client_max_body_size 0;        # no upload size limit: image layers are large
    chunked_transfer_encoding on;

    location / {
        auth_basic "Please Input username/password";
        auth_basic_user_file docker-registry-htpasswd;
        proxy_pass http://docker-registry;
    }

    location /v2/ {
        # Docker clients older than 1.6 do not speak the v2 API; reject them
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go).*$") {
            return 404;
        }
        # Every registry API request matches this longer prefix, so the
        # credentials must be required here as well or auth on / is bypassed
        auth_basic "Please Input username/password";
        auth_basic_user_file docker-registry-htpasswd;
        proxy_pass http://docker-registry;
    }
}
```

```bash
# The password file is stored at /etc/nginx/docker-registry-htpasswd
# Each line has the form username:pass; pass is not plaintext but the string produced by the crypt function.
# Install apache2-utils to get the htpasswd tool that hashes passwords with crypt
sudo apt-get install apache2-utils -y
```
Using Docker Compose
```yaml
# docker-compose.yml
registry:
  restart: always
  image: registry:2.1
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/myrepo.crt   # the key alone is rejected at startup
    REGISTRY_HTTP_TLS_KEY: /certs/myrepo.key
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm        # required by the htpasswd backend
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/docker-registry-htpasswd
  volumes:
    - /path/to/data:/var/lib/registry
    - /path/to/certs:/certs
    - /path/to/auth:/auth
```
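The nginx `auth_basic` file from the previous section may hold crypt, apr1 or sha entries, but the registry's built-in htpasswd backend used here (`REGISTRY_AUTH=htpasswd`) accepts only bcrypt entries and rejects logins for any other hash. As an added example that is not part of the original post, the POSIX sh check below validates a htpasswd file before it is mounted into the registry; the sample entries it writes are constructed dummies, not real credential hashes.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every htpasswd entry is
# bcrypt before mounting the file into the registry. Sample entries are dummies.

# Print each user whose entry is not bcrypt; return 0 only when the file is clean.
check_registry_htpasswd() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        user=${line%%:*}
        hash=${line#*:}
        # bcrypt shape: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash
        if ! printf '%s\n' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
            echo "non-bcrypt entry for user '$user' (nginx accepts it, the registry will not)"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Produce a registry-compatible entry with apache2-utils (installed above): -B = bcrypt.
new_bcrypt_entry() {
    htpasswd -Bbn "$1" "$2"
}

# Write two constructed files into directory $1: one mixed, one bcrypt-only.
write_sample_htpasswd() {
    bc='$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0'   # dummy bcrypt-shaped value
    printf 'alice:%s\nbob:$apr1$saltsalt$abcdefghijklmnopqrstuv\ncarol:ab1DEFghiJKlm\n' "$bc" \
        > "$1/mixed.htpasswd"
    printf '# registry users\nalice:%s\n' "$bc" > "$1/clean.htpasswd"
}

tmp=$(mktemp -d)
write_sample_htpasswd "$tmp"
check_registry_htpasswd "$tmp/mixed.htpasswd"   # reports bob (apr1) and carol (crypt)
check_registry_htpasswd "$tmp/clean.htpasswd" && echo "clean.htpasswd is registry-ready"
rm -rf "$tmp"
```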
Registry configuration file
For details on configuring the registry see https://blog.csdn.net/kikajack/article/details/79692156

The listing below enumerates every available option and is not a runnable configuration as-is (for example, storage names several drivers at once, while a real configuration uses exactly one).

```yaml
version: 0.1  # configuration version
log:
  accesslog:
    disabled: true
  level: debug  # debug info warn error
  formatter: text  # text json logstash
  fields:  # used to filter log entries
    service: registry
    environment: staging
  hooks:  # send mail on errors
    - type: mail
      disabled: true
      levels:
        - panic
      options:
        smtp:
          addr: mail.example.com:25
          username: mailuser
          password: password
          insecure: true
        from: sender@example.com
        to:
          - errors@example.com
loglevel: debug  # deprecated: use "log"
storage:  # storage options
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100
  azure:
    accountname: accountname
    accountkey: base64encodedaccountkey
    container: containername
  gcs:
    bucket: bucketname
    keyfile: /path/to/keyfile
    rootdirectory: /gcs/object/name/prefix
    chunksize: 5242880
  s3:
    accesskey: awsaccesskey
    secretkey: awssecretkey
    region: us-west-1
    regionendpoint: http://myobjects.local
    bucket: bucketname
    encrypt: true
    keyid: mykeyid
    secure: true
    v4auth: true
    chunksize: 5242880
    multipartcopychunksize: 33554432
    multipartcopymaxconcurrency: 100
    multipartcopythresholdsize: 33554432
    rootdirectory: /s3/object/name/prefix
  swift:
    username: username
    password: password
    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
    tenant: tenantname
    tenantid: tenantid
    domain: domain name for Openstack Identity v3 API
    domainid: domain id for Openstack Identity v3 API
    insecureskipverify: true
    region: fr
    container: containername
    rootdirectory: /swift/object/name/prefix
  oss:
    accesskeyid: accesskeyid
    accesskeysecret: accesskeysecret
    region: OSS region name
    endpoint: optional endpoints
    internal: optional internal endpoint
    bucket: OSS bucket
    encrypt: optional data encryption setting
    secure: optional ssl setting
    chunksize: optional size value
    rootdirectory: optional root directory
  inmemory:  # This driver takes no parameters
  delete:  # whether deleting images is allowed
    enabled: false
  redirect:
    disable: false
  cache:  # cache for image metadata
    blobdescriptor: redis
  maintenance:  # maintenance features
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
auth:  # authentication options
  silly:  # for testing only: any request carrying an Authorization header is accepted
    realm: silly-realm
    service: silly-service
  token:  # requires an external token service
    realm: token-realm
    service: token-service
    issuer: registry-token-issuer
    rootcertbundle: /root/certs/bundle
  htpasswd:  # access check against an Apache htpasswd password file
    realm: basic-realm
    path: /path/to/htpasswd
middleware:
  registry:
    - name: ARegistryMiddleware
      options:
        foo: bar
  repository:
    - name: ARepositoryMiddleware
      options:
        foo: bar
  storage:
    - name: cloudfront
      options:
        baseurl: https://my.cloudfronted.domain.com/
        privatekey: /path/to/pem
        keypairid: cloudfrontkeypairid
        duration: 3000s
  storage:
    - name: redirect
      options:
        baseurl: https://example.com/
reporting:
  bugsnag:
    apikey: bugsnagapikey
    releasestage: bugsnagreleasestage
    endpoint: bugsnagendpoint
  newrelic:
    licensekey: newreliclicensekey
    name: newrelicname
    verbose: true
http:  # HTTP service
  addr: localhost:5000  # listen address
  prefix: /my/nested/registry/
  host: https://myregistryaddress.org:5000
  secret: asecretforlocaldevelopment  # random string used for security-sensitive state
  relativeurls: false
  tls:  # certificate file paths
    certificate: /path/to/x509/public
    key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    letsencrypt:
      cachefile: /path/to/cache-file
      email: emailused@letsencrypt.com
  debug:
    addr: localhost:5001
  headers:
    X-Content-Type-Options: [nosniff]
  http2:  # whether HTTP/2 support is enabled
    disabled: false
notifications:
  endpoints:
    - name: alistener
      disabled: false
      url: https://my.listener.com/event
      headers: <http.Header>
      timeout: 500
      threshold: 5
      backoff: 1000
      ignoredmediatypes:
        - application/octet-stream
redis:
  addr: localhost:6379
  password: asecret
  db: 0
  dialtimeout: 10ms
  readtimeout: 10ms
  writetimeout: 10ms
  pool:
    maxidle: 16
    maxactive: 64
    idletimeout: 300s
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
  file:
    - file: /path/to/checked/file
      interval: 10s
  http:
    - uri: http://server.to.check/must/return/200
      headers:
        Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
      statuscode: 200
      timeout: 3s
      interval: 10s
      threshold: 3
  tcp:
    - addr: redis-server.domain.com:6379
      timeout: 3s
      interval: 10s
      threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
compatibility:
  schema1:
    signingkeyfile: /etc/registry/key.json
validation:
  enabled: true
  manifests:
    urls:
      allow:
        - ^https?://([^/]+\.)*example\.com/
      deny:
        - ^https?://www\.example\.com/
```
Pushing images in batch: push_images.sh
```bash
#!/bin/bash
# Usage: push_images image1 [image2...]
# Author: zhoyq@gitee
# Create: 2018-08-08

registry=127.0.0.1:5000

# Coloured output helpers: red, green, yellow, blue
echo_r(){
    [ $# -ne 1 ] && return 0
    echo -e "\033[31m$1\033[0m"
}
echo_g(){
    [ $# -ne 1 ] && return 0
    echo -e "\033[32m$1\033[0m"
}
echo_y(){
    [ $# -ne 1 ] && return 0
    echo -e "\033[33m$1\033[0m"
}
echo_b(){
    [ $# -ne 1 ] && return 0
    echo -e "\033[34m$1\033[0m"
}

usage(){
    docker images
    echo "Usage: $0 image1:tag1 [image2:tag2...]"
}

# At least one image is required (several may be given, as the usage line says)
[ $# -lt 1 ] && usage && exit

echo_b "The registry server is $registry"
for image in "$@"
do
    echo_b "Uploading $image"
    docker tag "$image" "$registry/$image"
    docker push "$registry/$image"
    docker rmi "$registry/$image"
    echo_g "Done"
done

# The script needs execute permission:
# chmod a+x push_images.sh
```
Pushing every image: push_all.sh
```bash
#!/bin/bash
# Usage: push_all
# Author: zhoyq@gitee
# Create: 2018-08-08

# Push every local image except dangling (<none>) ones, one push_images.sh call per image
for image in $(docker images | grep -v "REPOSITORY" | grep -v "<none>" | awk '{print $1":"$2}')
do
    ./push_images.sh "$image"
done
```
Security hardening and configuration
Third-party scanning tools
```bash
# Docker Bench for Security
git clone https://github.com/docker/docker-bench-security.git
# Run a quick check of the local environment
docker run -it --net host --pid host --cap-add audit_control \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security

# Clair
git clone https://github.com/coreos/clair.git
curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.2/docker-compose.yml -o $HOME/docker-compose.yml
mkdir $HOME/clair_config
curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.2/config.example.yaml -o $HOME/clair_config/config.yaml
# Edit the database address in the config file, then start the stack
docker-compose -f $HOME/docker-compose.yml up -d
```
Advanced networking
Building cross-host container networks with libnetwork
```bash
# The libnetwork cross-host solution needs a key-value store to hold the network information,
# for example Consul, Etcd or ZooKeeper.
# Start a Consul container
docker run -d -p 8500:8500 -h consul progrium/consul -server -bootstrap
# Set the Docker daemon startup options
DOCKER_OPTS="$DOCKER_OPTS --cluster-store=consul://<CONSUL_NODE>:8500 --cluster-advertise=eth0:2376"
# Restart the Docker service
# service docker restart
systemctl restart docker
# Create the overlay network
docker network create -d overlay multi
# Run a container on it
docker run -it --name=c1 --net=multi busybox
# Run a second instance on another host
docker run -it --name=c2 --net=multi busybox
# Check connectivity from c2
ping c1
```