[Docker-Basic (7)] Configuring a Container Image Registry

mini_world 2020. 9. 28. 17:17

This post uses two hosts.
One is the Master Node, which acts as the Registry server, and the other is the Worker Node, which pulls images from and pushes images to the Registry.

I built this setup on AWS EC2 :)

1. Setting Up a Docker Registry

1-1) Master Node: Checking the Configuration

Of the two hosts, first check the configuration of the Master node :)
Start with the hostname. (You can change the hostname with the command # hostnamectl set-hostname <new name>.)

[root@docker-master /]# hostnamectl
   Static hostname: docker-master.test.dom
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 3d5c05376530a2eb49e3e90576f83c5b
           Boot ID: 6e41fcc8e6b84010806c700415ff349c
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-1062.12.1.el7.x86_64
      Architecture: x86-64

Check the host's IP address.

[root@docker-master /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:86:58:3f:58:7c brd ff:ff:ff:ff:ff:ff
    inet 172.31.6.114/20 brd 172.31.15.255 scope global dynamic ens5
       valid_lft 2884sec preferred_lft 2884sec
    inet6 fe80::86:58ff:fe3f:587c/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:23:65:ae:a6 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

Check /etc/hosts, the file that maps hostnames to IP addresses!

[root@docker-master /]# vi /etc/hosts

[root@docker-master /]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.31.6.114 docker-master.test.dom
127.31.3.201 docker-worker.test.dom

Test connectivity between the hosts with ping.

[root@docker-master centos]# ping -c3 docker-worker.test.dom

PING docker-worker.test.dom (127.31.3.201) 56(84) bytes of data.
64 bytes from docker-worker.test.dom (127.31.3.201): icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from docker-worker.test.dom (127.31.3.201): icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from docker-worker.test.dom (127.31.3.201): icmp_seq=3 ttl=64 time=0.038 ms

--- docker-worker.test.dom ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.028/0.035/0.040/0.007 ms

 

1-2) Worker Node: Checking the Configuration

Next, check the configuration of the second host, the Worker node :)
Start with the hostname. (You can change the hostname with the command # hostnamectl set-hostname <new name>.)

[root@docker-worker /]# hostnamectl
   Static hostname: docker-worker.test.dom
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 3d5c05376530a2eb49e3e90576f83c5b
           Boot ID: 1a791934c0e447128740450f9e9f731e
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-1062.12.1.el7.x86_64
      Architecture: x86-64

Check the host's IP address.

[root@docker-worker /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:c2:72:d9:ee:7c brd ff:ff:ff:ff:ff:ff
    inet 172.31.3.201/20 brd 172.31.15.255 scope global dynamic ens5
       valid_lft 2471sec preferred_lft 2471sec
    inet6 fe80::c2:72ff:fed9:ee7c/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:6e:fa:50:8e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:6eff:fefa:508e/64 scope link
       valid_lft forever preferred_lft forever

Check /etc/hosts, the file that maps hostnames to IP addresses!

[root@docker-worker /]# vi /etc/hosts

[root@docker-worker /]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.31.6.114 docker-master.test.dom
127.31.3.201 docker-worker.test.dom

Test connectivity between the hosts with ping.

[root@docker-worker /]# ping -c3 docker-master.test.dom

PING docker-master.test.dom (172.31.6.114) 56(84) bytes of data.
64 bytes from docker-master.test.dom (172.31.6.114): icmp_seq=1 ttl=64 time=0.170 ms
64 bytes from docker-master.test.dom (172.31.6.114): icmp_seq=2 ttl=64 time=0.133 ms
64 bytes from docker-master.test.dom (172.31.6.114): icmp_seq=3 ttl=64 time=0.134 ms

--- docker-master.test.dom ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.133/0.145/0.170/0.022 ms

 

1-3) Master Node: Setting Up the Private Registry

This time we set up a Private Registry on the Master host.
Let's run a container named registry! :)

[root@docker-master /]# docker run -d -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for registry:2
d941526862ea2e603743a83b0a80228a64ed5797af75446c5af3598b2e554b38

The container list shows that the Registry container is up and running.

[root@docker-master /]# docker container ls -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
d941526862ea        registry:2          "/entrypoint.sh /etc…"   8 seconds ago       Up 7 seconds        0.0.0.0:5000->5000/tcp   registry

 

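1-4) Worker Node: Using the Private Registry

We are going to modify the Docker daemon configuration a little. :)

By default, the docker command pulls images over HTTPS.
However, the Registry we just created on the Master host has no SSL configured, so it can only speak HTTP.

If you try to use the Private Repository on the Master host without the setting below, you will run into an error :)
In other words, you need the insecure setting below to allow HTTP communication.

Now, edit /etc/docker/daemon.json!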

[root@docker-worker /]# cat /etc/docker/daemon.json

{
    "insecure-registries": ["docker-master.test.dom:5000"]
}

Restart the docker daemon so that the new daemon setting takes effect.

[root@docker-worker /]# systemctl restart docker

Check the status to make sure the daemon is healthy :)

[root@docker-worker /]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since 화 2020-09-29 00:56:51 UTC; 3s ago
     Docs: https://docs.docker.com
 Main PID: 11589 (dockerd)
    Tasks: 10
   Memory: 43.4M
   CGroup: /system.slice/docker.service
           └─11589 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.690900672Z" level=info msg="ccR...grpc
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.690917992Z" level=info msg="Cli...grpc
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.699194401Z" level=info msg="[gr...ay2"
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.704697067Z" level=info msg="Loa...rt."
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.828753543Z" level=info msg="Def...ess"
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.865544811Z" level=info msg="Loa...ne."
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.882722824Z" level=info msg="Doc...3.13
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.882802675Z" level=info msg="Dae...ion"
 9월 29 00:56:51 docker-worker.test.dom systemd[1]: Started Docker Application Container Engine.
 9월 29 00:56:51 docker-worker.test.dom dockerd[11589]: time="2020-09-29T00:56:51.901919765Z" level=info msg="API...ock"
Hint: Some lines were ellipsized, use -l to show in full.

Now pull (download) the httpd image, tag it, and push it to the Private Registry on the master node.

[root@docker-worker /]# docker pull httpd:latest
latest: Pulling from library/httpd
d121f8d1c412: Already exists
9cd35c2006cf: Pull complete
b6b9dec6e0f8: Pull complete
fc3f9b55fcc2: Pull complete
802357647f64: Pull complete
Digest: sha256:5ce7c20e45b407607f30b8f8ba435671c2ff80440d12645527be670eb8ce1961
Status: Downloaded newer image for httpd:latest
docker.io/library/httpd:latest

Check the image.

[root@docker-worker /]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
httpd               latest              417af7dc28bc        13 days ago         138MB

Change the tag of the httpd image.

docker tag <options> <image name>:<tag> <registry address or username>/<image name>:<tag>

The repository has changed to docker-master.test.dom:5000/httpd!

[root@docker-worker /]# docker tag httpd docker-master.test.dom:5000/httpd
[root@docker-worker /]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
httpd                               latest              417af7dc28bc        13 days ago         138MB
docker-master.test.dom:5000/httpd   latest              417af7dc28bc        13 days ago         138MB

Push this image to the Master Private Registry with the push command.

[root@docker-worker /]# docker push docker-master.test.dom:5000/httpd
The push refers to repository [docker-master.test.dom:5000/httpd]
9f3f3dd7b0c2: Pushed
51eabf53c0c9: Pushed
6ce7826117a0: Pushed
d37da03a9458: Pushed
07cab4339852: Pushed
latest: digest: sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db size: 1366

Before testing the Registry, delete all local images to start from a clean state.
That way nothing gets confusing :)

[root@docker-worker /]# docker rmi -f $(docker images -q)
Untagged: docker-master.test.dom:5000/httpd:latest
Untagged: docker-master.test.dom:5000/httpd@sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db
Untagged: httpd:latest
Untagged: httpd@sha256:5ce7c20e45b407607f30b8f8ba435671c2ff80440d12645527be670eb8ce1961
Deleted: sha256:417af7dc28bc66aa2cc4af18cbfa934cc55f46721b101beac68b9f5c33d7fcb2
Deleted: sha256:2929da9174351249481441a39d499183fa7bb416fbfc2dfc36cdcfca001ace81
Deleted: sha256:46fba7aa125a55a717a218e2750c991bbf4d9e7bb66c56bacde76338a5b38f16
Deleted: sha256:a8151056fecd4987dd3fcde6579e8d34b72c1e39dfd5ac63209cffa0b0befb08
Deleted: sha256:97635989e45ed57deef09cd09be52d008a073f2e1e045a1ba91956fbc2db2961

All the images have been removed.

[root@docker-worker /]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

Now download the httpd image again with the docker pull command!
The difference from the first time is that the image name is prefixed with the specific repository to pull from.

[root@docker-worker /]# docker pull docker-master.test.dom:5000/httpd
Using default tag: latest
latest: Pulling from httpd
d121f8d1c412: Already exists
9cd35c2006cf: Pull complete
b6b9dec6e0f8: Pull complete
fc3f9b55fcc2: Pull complete
802357647f64: Pull complete
Digest: sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db
Status: Downloaded newer image for docker-master.test.dom:5000/httpd:latest
docker-master.test.dom:5000/httpd:latest

Check the docker images.

[root@docker-worker /]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
docker-master.test.dom:5000/httpd   latest              417af7dc28bc        13 days ago         138MB

 

1-5) Master Node: Checking the Actual Storage Path & Deleting the Registry Container

Check where on the Master node the images are stored.

[root@docker-master /]# ls -al /var/lib/registry/docker/registry/v2/repositories/httpd/_layers/sha256/
합계 4
drwxr-xr-x. 8 root root 4096  9월 29 01:08 .
drwxr-xr-x. 3 root root   20  9월 29 01:08 ..
drwxr-xr-x. 2 root root   18  9월 29 01:08 417af7dc28bc66aa2cc4af18cbfa934cc55f46721b101beac68b9f5c33d7fcb2
drwxr-xr-x. 2 root root   18  9월 29 01:08 802357647f642714e7ed35c6c28be6f1e8e3591764bc588f752cec6e13fb304b
drwxr-xr-x. 2 root root   18  9월 29 01:08 9cd35c2006cf02c3040a3d4b7feed7e0c53d77a8318a97d632929194b0352e67
drwxr-xr-x. 2 root root   18  9월 29 01:08 b6b9dec6e0f83ec34ba156463e1156deef38009e6f19b663864805527339bd0f
drwxr-xr-x. 2 root root   18  9월 29 01:08 d121f8d1c4128ebc1e95e5bfad90a0189b84eadbbb2fbaad20cbb26d20b2c8a2
drwxr-xr-x. 2 root root   18  9월 29 01:08 fc3f9b55fcc21c05be1d8ef3a6cf5a15967138bd8e4511195b8d36b80f9f0f5e

Now delete the Registry container.

[root@docker-master /]# docker rm -f $(docker ps -aq)
b4e345ad93cf

2. Applying an SSL Certificate to the Docker Registry

2-1) Master Node: Generating the Certificate

This time we build a Private Registry that supports SSL.

First, generate the certificate. To do so, move to /etc/pki/tls/certs and check the file list.

[root@docker-master /]# cd /etc/pki/tls/certs/

[root@docker-master certs]# ls -al
합계 12
drwxr-xr-x. 2 root root  117  2월 29  2020 .
drwxr-xr-x. 5 root root   81  2월 29  2020 ..
-rw-r--r--. 1 root root 2516  8월  9  2019 Makefile
lrwxrwxrwx. 1 root root   49  2월 29  2020 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55  2월 29  2020 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610  8월  9  2019 make-dummy-cert
-rwxr-xr-x. 1 root root  829  8월  9  2019 renew-dummy-cert

Now generate the RSA key file and check the generated file. (master.key)

[root@docker-master certs]# openssl genrsa -out master.key 2048

Generating RSA private key, 2048 bit long modulus
............................................................................................................................................+++
.+++
e is 65537 (0x10001)

[root@docker-master certs]# ls -al
합계 16
drwxr-xr-x. 2 root root  135  9월 29 01:14 .
drwxr-xr-x. 5 root root   81  2월 29  2020 ..
-rw-r--r--. 1 root root 2516  8월  9  2019 Makefile
lrwxrwxrwx. 1 root root   49  2월 29  2020 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55  2월 29  2020 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610  8월  9  2019 make-dummy-cert
-rw-r--r--. 1 root root 1675  9월 29 01:14 master.key
-rwxr-xr-x. 1 root root  829  8월  9  2019 renew-dummy-cert

 

Next, create the CSR (certificate signing request) and check the file list. (master.csr)

[root@docker-master certs]# openssl req -new -key master.key -out master.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:seoul
Locality Name (eg, city) [Default City]:seoul
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:docker-master.test.dom
Email Address []:test@email.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@docker-master certs]# ls -al
합계 20
drwxr-xr-x. 2 root root  153  9월 29 01:17 .
drwxr-xr-x. 5 root root   81  2월 29  2020 ..
-rw-r--r--. 1 root root 2516  8월  9  2019 Makefile
lrwxrwxrwx. 1 root root   49  2월 29  2020 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55  2월 29  2020 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610  8월  9  2019 make-dummy-cert
-rw-r--r--. 1 root root 1054  9월 29 01:17 master.csr
-rw-r--r--. 1 root root 1675  9월 29 01:14 master.key
-rwxr-xr-x. 1 root root  829  8월  9  2019 renew-dummy-cert

Now create the actual certificate.
master.crt has been generated!

[root@docker-master certs]# openssl x509 -req -days 90 -in master.csr -signkey master.key -out master.crt
Signature ok
subject=/C=KR/ST=seoul/L=seoul/O=test/OU=test/CN=docker-master.test.dom/emailAddress=test@email.com
Getting Private key

[root@docker-master certs]# ls -al
합계 24
drwxr-xr-x. 2 root root  171  9월 29 01:19 .
drwxr-xr-x. 5 root root   81  2월 29  2020 ..
-rw-r--r--. 1 root root 2516  8월  9  2019 Makefile
lrwxrwxrwx. 1 root root   49  2월 29  2020 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55  2월 29  2020 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610  8월  9  2019 make-dummy-cert
-rw-r--r--. 1 root root 1302  9월 29 01:19 master.crt
-rw-r--r--. 1 root root 1054  9월 29 01:17 master.csr
-rw-r--r--. 1 root root 1675  9월 29 01:14 master.key
-rwxr-xr-x. 1 root root  829  8월  9  2019 renew-dummy-cert

 

Copy the certificate files into the docker path so they can be used, and restart the docker daemon.

[root@docker-master certs]# mkdir /etc/docker/certs.d
[root@docker-master certs]# cp master.* /etc/docker/certs.d/
[root@docker-master certs]# cp master.crt /etc/pki/ca-trust/source/anchors/
[root@docker-master certs]# update-ca-trust
[root@docker-master certs]# systemctl restart docker

 

2-2) Master Node: Creating the SSL Registry

Run the container.

[root@docker-master /]# docker run -d -p 5000:5000 \
--restart=always --name registry \
-v /var/lib/registry:/var/lib/registry \
-v /etc/docker/certs.d:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/master.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/master.key registry:2

39facd6dabadcdfafae07efde3a620f1b0a4995a1668b68ef91c5de1839f4e3a

Check the container list. The Registry container is running fine :)

[root@docker-master /]# docker container ls
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
39facd6dabad        registry:2          "/entrypoint.sh /etc…"   11 seconds ago      Up 10 seconds       0.0.0.0:5000->5000/tcp   registry

 

2-3) Worker Node: Testing

Now let's test from the Worker Node!
Let's use the SSL Private Registry created on the Master Node!

First we tag the image; the format is as follows.

docker tag <options> <image name>:<tag> <registry address or username>/<image name>:<tag>

Add the new docker tag :)

[root@docker-worker /]# docker tag docker-master.test.dom:5000/httpd:latest docker-master.test.dom:5000/httpd:sslversion

Checking the docker images shows that the tag has changed as set above.

[root@docker-worker /]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
docker-master.test.dom:5000/httpd   latest              417af7dc28bc        13 days ago         138MB
docker-master.test.dom:5000/httpd   sslversion          417af7dc28bc        13 days ago         138MB

Now push the image!

[root@docker-worker /]# docker push docker-master.test.dom:5000/httpd:sslversion
The push refers to repository [docker-master.test.dom:5000/httpd]
9f3f3dd7b0c2: Pushed
51eabf53c0c9: Pushed
6ce7826117a0: Pushed
d37da03a9458: Pushed
07cab4339852: Pushed
sslversion: digest: sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db size: 1366

Now that the image has been pushed to the registry on the Master node, it is time to pull it again. Before that, check the images on the worker node and delete them all.
If the docker images command shows nothing, you are good to go!!

[root@docker-worker /]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
docker-master.test.dom:5000/httpd   latest              417af7dc28bc        13 days ago         138MB
docker-master.test.dom:5000/httpd   sslversion          417af7dc28bc        13 days ago         138MB

[root@docker-worker /]# docker rmi -f $(docker images -q)
Untagged: docker-master.test.dom:5000/httpd:latest
Untagged: docker-master.test.dom:5000/httpd:sslversion
Untagged: docker-master.test.dom:5000/httpd@sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db
Deleted: sha256:417af7dc28bc66aa2cc4af18cbfa934cc55f46721b101beac68b9f5c33d7fcb2
Deleted: sha256:2929da9174351249481441a39d499183fa7bb416fbfc2dfc36cdcfca001ace81
Deleted: sha256:46fba7aa125a55a717a218e2750c991bbf4d9e7bb66c56bacde76338a5b38f16
Deleted: sha256:a8151056fecd4987dd3fcde6579e8d34b72c1e39dfd5ac63209cffa0b0befb08
Deleted: sha256:97635989e45ed57deef09cd09be52d008a073f2e1e045a1ba91956fbc2db2961

[root@docker-worker /]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

Pull the docker image and check that it is fetched correctly :)
It is fetched just fine!!

[root@docker-worker /]# docker pull docker-master.test.dom:5000/httpd:sslversion
sslversion: Pulling from httpd
d121f8d1c412: Already exists
9cd35c2006cf: Pull complete
b6b9dec6e0f8: Pull complete
fc3f9b55fcc2: Pull complete
802357647f64: Pull complete
Digest: sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db
Status: Downloaded newer image for docker-master.test.dom:5000/httpd:sslversion
docker-master.test.dom:5000/httpd:sslversion

[root@docker-worker /]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
docker-master.test.dom:5000/httpd   sslversion          417af7dc28bc        13 days ago         138MB

 

2-4) Master Node: Deleting the Registry Container

Now that the test is complete, delete the container :)
Delete the container on the Master node.

[root@docker-master /]# docker rm -f $(docker ps -aq)
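39facd6dabad

3. Applying an SSL Certificate + User Authentication to the Docker Registry

So far we have created and used a Docker image repository on the Master node and applied an SSL certificate so that HTTPS can be used.
Finally, we enable user authentication as well :)

3-1) Master Node: Configuring User Authentication

For user authentication we use httpd-tools, which is provided by httpd :)
First, install it.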

[root@docker-master /]# yum install httpd-tools

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: d36uatko69830t.cloudfront.net
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
base                                                                                                                  | 3.6 kB  00:00:00
docker-ce-stable                                                                                                      | 3.5 kB  00:00:00
extras                                                                                                                | 2.9 kB  00:00:00
updates                                                                                                               | 2.9 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-93.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-93.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-93.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================
 Package                           Arch                         Version                                     Repository                  Size
=============================================================================================================================================
Installing:
 httpd-tools                       x86_64                       2.4.6-93.el7.centos                         base                        92 k
Installing for dependencies:
 apr                               x86_64                       1.4.8-5.el7                                 base                       103 k
 apr-util                          x86_64                       1.5.2-6.el7                                 base                        92 k

Transaction Summary
=============================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 288 k
Installed size: 584 k
Is this ok [y/d/N]: y
Downloading packages:
(1/3): apr-1.4.8-5.el7.x86_64.rpm                                                                                     | 103 kB  00:00:00
(2/3): apr-util-1.5.2-6.el7.x86_64.rpm                                                                                |  92 kB  00:00:00
(3/3): httpd-tools-2.4.6-93.el7.centos.x86_64.rpm                                                                     |  92 kB  00:00:00
---------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                        3.1 MB/s | 288 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                                                                                    1/3
  Installing : apr-util-1.5.2-6.el7.x86_64                                                                                               2/3
  Installing : httpd-tools-2.4.6-93.el7.centos.x86_64                                                                                    3/3
  Verifying  : apr-1.4.8-5.el7.x86_64                                                                                                    1/3
  Verifying  : httpd-tools-2.4.6-93.el7.centos.x86_64                                                                                    2/3
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                                               3/3

Installed:
  httpd-tools.x86_64 0:2.4.6-93.el7.centos

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7                                           apr-util.x86_64 0:1.5.2-6.el7

Complete!

Add a user with the htpasswd command.
We will use this user for a login test shortly, so take care not to forget the account name and password.

[root@docker-master /]# htpasswd -Bc /etc/docker/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin

 

3-2) Master Node: Creating a Registry with SSL + Authentication

Create a Registry container with SSL and user authentication added.

[root@docker-master /]# docker run -d -p 5000:5000 --restart=always --name registry \
-v /var/lib/registry:/var/lib/registry \
-v /etc/docker/certs.d:/certs \
-v /etc/docker:/auth \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/master.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/master.key \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/.htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" registry:2

Check that it is working properly :)
It works! Now move on to the next step and test it.

[root@docker-master /]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                    NAMES
2bf8c98f110d        registry:2          "/entrypoint.sh /etc…"   About a minute ago   Up About a minute   0.0.0.0:5000->5000/tcp   registry

 

3-3) Worker Node: Testing!

First, log in with the docker login <registry> command.
If you try to use the registry without logging in, you get an error :) That is expected.
Log in as the admin user created above.

[root@docker-worker /]# docker login docker-master.test.dom:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Before testing, delete all images on the Worker node.

[root@docker-worker /]# docker rmi -f $(docker images -q)
Untagged: docker-master.test.dom:5000/httpd:sslversion
Untagged: docker-master.test.dom:5000/httpd@sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db
Deleted: sha256:417af7dc28bc66aa2cc4af18cbfa934cc55f46721b101beac68b9f5c33d7fcb2
Deleted: sha256:2929da9174351249481441a39d499183fa7bb416fbfc2dfc36cdcfca001ace81
Deleted: sha256:46fba7aa125a55a717a218e2750c991bbf4d9e7bb66c56bacde76338a5b38f16
Deleted: sha256:a8151056fecd4987dd3fcde6579e8d34b72c1e39dfd5ac63209cffa0b0befb08
Deleted: sha256:97635989e45ed57deef09cd09be52d008a073f2e1e045a1ba91956fbc2db2961

The container image downloads correctly from the registry with SSL and user authentication added :)

[root@docker-worker /]# docker pull docker-master.test.dom:5000/httpd:sslversion
sslversion: Pulling from httpd
d121f8d1c412: Already exists
9cd35c2006cf: Pull complete
b6b9dec6e0f8: Pull complete
fc3f9b55fcc2: Pull complete
802357647f64: Pull complete
Digest: sha256:ee876fb8588d58d25eb95840c5d81d211f0ebf238c7c10cbaea10861f6a027db
Status: Downloaded newer image for docker-master.test.dom:5000/httpd:sslversion
docker-master.test.dom:5000/httpd:sslversion
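
A successful docker push or pull does not by itself show that TLS is in use: for a host listed in insecure-registries, Docker falls back to plain HTTP when HTTPS is unavailable. The Python check below is an added example, not part of the original post; run from the Worker node, it asks the registry's /v2/ endpoint which transport it answers on and whether it demands credentials, which covers the tests in 2-3 and 3-3. The function names, the result codes and the idea of passing master.crt as the CA file are assumptions of this example.

```python
"""Probe a Docker Registry v2 endpoint: transport (HTTPS/HTTP) and auth challenge.

Added example; probe_registry/findings and the result codes are this example's names.
"""
import http.client
import ssl
import sys

NET_ERRORS = (OSError, http.client.HTTPException)


def _get_v2(conn):
    """GET /v2/ (the registry API base) and return (status, WWW-Authenticate)."""
    try:
        conn.request("GET", "/v2/")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate") or ""
    finally:
        conn.close()


def probe_registry(host, port, cafile=None, timeout=5.0):
    """Return transport, certificate trust, HTTP status and auth scheme of a registry.

    cafile: PEM file to trust (e.g. a copy of the self-signed master.crt);
    None means the system trust store.
    """
    result = {"transport": "unreachable", "cert_trusted": None,
              "status": None, "auth": "unknown"}
    strict = ssl.create_default_context(cafile=cafile)
    try:
        # 1) HTTPS with full verification (chain + hostname), as a strict client would.
        reply = _get_v2(http.client.HTTPSConnection(
            host, port, timeout=timeout, context=strict))
        result.update(transport="https", cert_trusted=True)
    except ssl.SSLCertVerificationError:
        # 2) TLS is on but the certificate is not trusted: retry without
        #    verification only to read the auth posture, and record the failure.
        lax = ssl.create_default_context()
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        try:
            reply = _get_v2(http.client.HTTPSConnection(
                host, port, timeout=timeout, context=lax))
        except NET_ERRORS:
            return result
        result.update(transport="https", cert_trusted=False)
    except NET_ERRORS:
        # 3) No TLS handshake at all: check whether the port speaks plain HTTP.
        try:
            reply = _get_v2(http.client.HTTPConnection(host, port, timeout=timeout))
        except NET_ERRORS:
            return result
        result["transport"] = "http"

    status, challenge = reply
    result["status"] = status
    scheme = challenge.split(" ", 1)[0].lower()
    if status == 401 and scheme in ("basic", "bearer"):
        result["auth"] = scheme      # credentials are required
    elif status == 200:
        result["auth"] = "none"      # anonymous clients are accepted
    return result


def findings(result):
    """Translate a probe result into short finding codes (empty list = as intended)."""
    if result["transport"] == "unreachable":
        return ["unreachable"]
    out = []
    if result["transport"] == "http":
        out.append("plaintext-http")
    elif result["cert_trusted"] is False:
        out.append("untrusted-cert")
    if result["auth"] == "none":
        out.append("anonymous-access")
    return out


if __name__ == "__main__":
    # Usage: python3 probe.py <host> <port> [ca.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    res = probe_registry(host, port, cafile)
    print(res, findings(res))
```

For the registry from section 3, the intended result is transport "https", cert_trusted True when master.crt is passed as the CA file, and auth "basic"; an empty findings list confirms that.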

 

Success!

Great work 😁