Podman[1]是一种无守护进程的开源Linux原生工具,旨在使用开放容器倡议(OCI)容器和容器映像轻松查找、运行、构建、共享和部署应用程序。主要由RedHat改进驱动。了解有关Podman的更多信息:?Podman下一代Linux容器工具[2]?Podman入门指南[3]1.安装Podman和httpd-toolsregistry/mkdir-p/opt/registry/{auth,certs,data}Auth子目录存储htpasswd用于身份验证的文件。?Certs子目录存储存储库使用的证书验证。?Data目录存储存储在仓库中的实际图像。如果想单独挂载磁盘存储数据,可以使用parted命令sudoparted-s-aoptimal--/dev/sdbmklabelgptsudoparted-s-aoptimal--/dev/sdbmkpartprimary0%100%sudoparted-s--/dev/sdbalign-checkoptimal1sudopvcreate/dev/sdb1sudovgcreatevg0/dev/sdb1sudolvcreate-nregistry-l+100%FREEvg0sudomkfs.xfs/dev/vg0/registryecho"/dev/vg0/registry/opt/registry/dataxfs默认值00"|sudotee-a/etc/fstab安装验证$sudomount-a$df-hT/opt/registry/dataFilesystemTypeSizeUsedAvailUse%Mountedon/dev/mapper/vg0-registryxfs200G1.5G199G1%/opt/registry/data3.生成访问仓库的凭证3.1htpasswd用户名和密码认证由一个简单的htpasswd文件和一个SSL密钥对提供htpasswd将在this/opt/registry/auth/中创建一个名为Bcrypthtpasswd的文件directoryhtpasswd-bBc/opt/registry/auth/htpasswdregistryuserregistryuserpassword?b通过命令提供密码。?B使用Bcrypt来加密和存储密码。?c创建文件。?用户名为registryuser。?密码是registryuserpassword。请参阅文件$tac/opt/registry/auth/htpasswdregistryuser:$2y$05$XciI1wfzkUETe7XazJfc/uftBnMQfYOV1jOnbV/QOXw/SXhmLsApK3.2TLS密钥对是使用由可信机构(内部或外部)签名的密钥和证书创建的,或者只是自签名证书、存储库通过TLS进行保护。要使用自签名证书:cat<ssl.conf[req]prompt=nodistinguished_name=req_subjx509_extensions=x509_ext[req_subj]CN=Localhost[x509_ext]subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid,issuerbasicConstraints=CA:truesubject_natename]DNS.1=localhostIP.1=192.168.10.80EOFopensslreq-configssl.conf-new-x509-nodes-sha256-days365-newkeyrsa:4096-keyout/opt/registry/certs/domain.key-out/opt/registry/certs/domain.crtopensslx509-informPEM-in/opt/registry/certs/domain.crt-out/opt/registry/certs/domain.cert?reqOpenSSL生成并处理证书请求。?-newkeyOpenSSL创建一个新的私钥和匹配的证书请求。?rsa:4096OpenSSL生成一个4096位的RSA密钥。?-nodesOpenSSL私钥没有密码要求。私钥不会被加密。?-sha256OpenSSL使用sha256来签署请求。?-keyoutOpenSSL存储新密钥的名称和位置。?-x509OpenSSL生成自签名证书。?-daysOpenSSL密钥对有效的天数。?-outOpenSSL存储证书的位置。为证书输入适当的选项。CN=值是您的主机的主机名。主机的主机名应该可由DNS或/etc/hosts文件解析。$ll/opt/registry/certs/total12-rw-r--r--1rootroot1842Nov2120:01domain.cert-rw-r--r--1rootroot1842Nov2120:01domain.crt-rw--------1rootroot3272Nov2120:01domain.key将服务器证书、密钥和CA文件复制到podman证书文件夹中。您必须首先创建适当的文件夹mkdir-p/etc/containers/certs.d/192.168.10.80\:5000/cp-r/opt/registry/certs/*/etc/containers/certs.d/192.168.10.80\:5000/注意:如果存储库未使用TLS保护,则可能必须在存储库配置文件中将/etc/containers/registries.conf设置为不安全。该证书还必须受到您的主机和客户端的信任:cp/opt/registry/certs/domain.crt/etc/pki/ca-trust/source/anchors/update-ca-trusttrustlist|grep-i"<主机名>"4。启动容器$podmanimagesREPOSITORYTAGIMAGEIDCREATEDSIZEdocker.io/library/registrylatest81c944c2288b9daysago24.7MBpodmanrun--namemyregistry\-p5000:5000\-v/opt/registry/data:/var/lib/registry:z\-v/opt/registry/auth:/auth:z\-e"REGISTRY_AUTH=htpasswd"\-e"REGISTRY_AUTH_HTPASSWD_REALM=注册表领域"\-eREGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd\-v/opt/registry/certs:/certs:z\-e"REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt"\-e"REGISTRY_HTTP_TLS_KEY=/certs/domain.key"\-eREGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true\-d\docker.io/的详细信息library/registry:latest选项是:?--namemyregistry将容器命名为myregistry。?-p5000:5000将容器中的端口5000公开为主机上的端口5000。?-v/opt/registry/data:/var/lib/registry:z在主机/var/lib/registry上挂载/opt/registry/data,就像在具有正确SELinux上下文的容器中一样?-v/opt/registry/auth:/auth:z/opt/registry/auth安装在主机上,就像/auth在具有正确SELinux上下文的容器中一样。?-vopt/registry/certs:/certs:z在主机上安装/opt/registry/certs,就像在具有正确SELinux上下文的容器中一样。/certs-e"REGISTRY_AUTH=htpasswd"使用bcrypt加密htpasswd文件以进行身份??验证。由容器的REGISTRY_AUTH_HTPASSWD_PATH环境变量设置的文件位置。?-e"REGISTRY_AUTH_HTPASSWD_REALM=RegistryRealm"指定htpasswd。?-eREGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd在容器中用bcrypt加密/auth/htpasswd文件。?-e"REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt"设置证书文件的路径。?-e"REGISTRY_HTTP_TLS_KEY=/certs/domain.key"设置私钥路径。?-eREGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true为schema1清单提供向后兼容性。?-ddocker.io/library/registry:latest是一个允许存储和分发图像的注册表应用程序。注意:如果主机上运行了防火墙,则需要允许暴露的端口(5000)。firewall-cmd--add-port=5000/tcp--zone=internal--permanentfirewall-cmd--add-port=5000/tcp--zone=public--permanentfirewall-cmd--reloadorclosesystemctlstopfirewalld直接&&systemctldisablefirewalldsetenforce05.测试5.1登录dockerlogin-uregistryuser-pregistryuserpassword192.168.10.80:5000登录成功!5.2API访问$curl-k-u"registryuser:registryuserpassword"https://192.168.10.80:5000/v_catalog{"repositories":[]}?更多API访问策略请参考这里[4]5.3图片storagePullalpine:latestimagefromthepublic$podmanpullalpine:latestResolved"alpine"作为别名(/etc/containers/registries.conf.d/000-shortnames.conf)Tryingtopulldocker.io/library/alpine:最新...正在获取图像源签名复制blobca7dd9ec2225[----------------------------------]0.0b/0.0b复制配置bfe296a525完成将清单写入图像目标存储签名bfe296a525011f7eb76075d688c681ca4feaad5afe3b142b36e30f1a171dc99a标记podmantag1.192.la8601test1.laalpine:latest推入存储podmanpush192.168.10.80:5000/alpine:latest5.4查询镜像信息,查看是否入库$curl-k-u"registryuser:registryuserpassword"https://192.168.10.80:5000/v2/_catalog{"repositories":["alpine"]}查看图片标签$curl-k-u"registryuser:registryuserpassword"https://192.168.10.80:5000/v2/alpine/tags/list{"name":"alpine","tags":["latest"]}查看镜像清单$curl-k-u"registryuser:registryuserpassword"https://192.168.10.80:5000/v2/alpine/manifests/latest{"schemaVersion":1,"name":"alpine","tag":"latest","architecture":"amd64","fsLayers":[{"blobSum":"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"},{"blobSum":"sha256:60f8044dac9f779802600470f375c7ca7a8f7ad50e05b0ceb9e3b336fa5e7ad3"}],"history":[{"v1Compatibility":"{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"用户\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"附加标准错误\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"Image\":\"sha256:18f412e359de0426344f4fe1151796e2d9dc121b01d737e953f043a10464d0b7\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"容器\":\"3cd2ce612b9119be9673860022420eee020f0a6d44e9072ca25196f4f0a4613d\",\"container_config\":{\"主机名\":\"3cd2ce612b91\",\"域名\":\"\",\"用户\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"环境\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop)\",\"CMD[\\\"/bin/sh\\\"]\"],\"图像\":\"sha256:18f412e359de0426344f4fe1151796e2d9dc121b01d737e953f043a10464d0b7\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"创建特德\":\"2022-11-12T04:19:23.199716539Z\",\"docker_version\":\"20.10.12\",\"id\":\"260323e12fa2abcb1ff61576931037c6f8538afeb5ff82fa256670a20b3\",\"bos6b",\"id\":\"260323e12fa2abcb1ff61576931037c6f8538afeb5ff82fa256670a20b384"bos6b":\"linux\",\"parent\":\"faa2cddd53c99ad978614b839a2a20a47f143a4d6ecb86bda576dfb3124c0cad\",\"throwaway\":true}"},{"v1Compatibility":"{\"id\":\"faa2cddd53c99ad978614b839a2a20a47f143a4d6ecb86bda576dfb3124c0cad\",\“创建\”:\“2022-11-12T04:19:23.05154209Z\”,\“容器配置\”:{\“Cmd\”:[\”/bin/sh-c#(nop)添加文件:ceeb6e8632fafc657116cbf3afbd522185a16963230b57881073eda2在/\"]}}"}],"signatures":[{"header":{"jwk":{"crv":"P-256","kid":"5BQE:5CXW:TWNN:OFV7:ZPNY:ARAG:ZJ7K:Z5GI:ZVQ3:SZYQ:2M3J:D7YG”,“kty”:“EC”,“x”:“-JvBdARI6NPMx8g6d1zyPzmSkkZ8rKIcxdz2BEonpzU”,“y”:“4OlY36zLCvLHXzMrb4w8W2TZSJdVc5”,“ijWY9D”即,ESKM0Y9D},"signature":"ZL0HFyuq9G9cYsBzZZqMlwGK3aQMJHFKeQ2Dh8XByzGKtfoJCJ5kQY0W3yynzb3Mj9WYrzeabZwey-dZIHt_7Q","protected":"eyJmb3JtYXRMZW5ndGgiOjIwODgsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMi0xMS0yMVQxMjoyNjowM1oifQ"}]}参考:Howtoimplementasimplepersonal/privateLinuxcontainerimageregistryforinternaluse[5]dockerregistry仓库私搭并配置证书[6]参考链接[1]Podman:https://podman.io/[2]Podman下一代Linux容器工具:https://blog.csdn.net/xixihahalelehehe/article/details/125618884[3]Podman入门指南:https://blog.csdn.net/xixihahalelehehe/article/details/121611523[4]更多API接入攻略请参考这里:https://ghostwritten.blog.csdn.net/article/details/105926147[5]如何实现一个简单的个人/私有Linux容器镜像注册中心供内部使用:https://www.redhat.com/sysadmin/simple-container-registry[6]dockerregistrywarehouseprivate构建和配置证书:https://ghostwritten.blog.csdn.net/article/details/105926147
