docker
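How to download images from DockerHub locally
How to install Docker on openEuler
1. Get the installation package from https://download.docker.com/linux/static/stable/aarch64/ (mind the architecture: this link is for arm)
This walkthrough uses 19.03.5: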
https://download.docker.com/linux/static/stable/aarch64/docker-19.03.5.tgz
2. Install (upload the archive downloaded in the previous step to the node):
# Extract
tar xvpf docker-19.03.5.tgz
# Copy the binaries
cp -p docker/* /usr/bin
# Create the service unit (the quoted 'EOF' keeps the shell from expanding $MAINPID while writing the file)
cat >/usr/lib/systemd/system/docker.service <<'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
[Service]
Type=notify
EnvironmentFile=-/run/flannel/docker
WorkingDirectory=/usr/local/bin
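# -H tcp://0.0.0.0:4243 serves the Docker API on every interface without TLS or
# authentication, and anyone who can reach that port controls the host as root.
# Keep only the unix socket, bind to 127.0.0.1, or add --tlsverify with certificates.
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock --selinux-enabled=false --log-opt max-size=1g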
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
# Reload and restart for the change to take effect
systemctl daemon-reload && systemctl restart docker
3. Test:
[root@doublenet-master-iulob gandalf]# docker version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:22:27 2019
OS/Arch: linux/arm64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:28:58 2019
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: v1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc3
GitCommit: 96b6fe042960db9b65af87b7806955051c19772b
docker-init:
Version: 0.18.0
GitCommit: fec3683
Docker image naming rules
1. Image name: [a-z0-9]+(?:[._-][a-z0-9]+)*, length 1-256.
The rules for a repository name are as follows:
1) A repository name is broken up into path components. A component of a repository name must be at least one lowercase, alpha-numeric characters, optionally separated by periods, dashes or underscores. More strictly, it must match the regular expression [a-z0-9]+(?:[._-][a-z0-9]+)*.
2) If a repository name has two or more path components, they must be separated by a forward slash (“/”).
3) The total length of a repository name, including slashes, must be less than 256 characters.
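2. Image tag: (I have not found an official validation rule so far; the current version of FC uses the image-name rule with uppercase letters added, that is:)
[a-zA-Z0-9]+(?:[._-][a-zA-Z0-9]+)*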
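The rules above as a validator for untrusted image references, as an added example that is not part of the original notes. It uses the two regular expressions quoted above (the tag rule is the FC one reported here, not an official Docker rule); the function names are hypothetical and a registry host prefix such as 127.0.0.1:5001/ is out of scope.

```python
import re

# Path-component rule quoted above for repository names.
COMPONENT_RE = re.compile(r"[a-z0-9]+(?:[._-][a-z0-9]+)*")
# Tag rule the page reports FC using (name rule plus uppercase letters).
TAG_RE = re.compile(r"[a-zA-Z0-9]+(?:[._-][a-zA-Z0-9]+)*")
MAX_NAME_LEN = 255  # "less than 256 characters", slashes included


def check_repository(name):
    """Return the list of rule violations for a repository name ([] means valid)."""
    if not name:
        return ["repository name is empty"]
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters, limit is {MAX_NAME_LEN}")
    for position, component in enumerate(name.split("/"), start=1):
        if component == "":
            problems.append(f"component {position} is empty (leading, trailing or doubled '/')")
        elif not COMPONENT_RE.fullmatch(component):
            problems.append(f"component {position} {component!r} breaks the component rule")
    return problems


def check_reference(reference):
    """Validate 'repository[:tag]' (no registry host) and return all violations."""
    name, sep, tag = reference.partition(":")
    problems = check_repository(name)
    if sep and not TAG_RE.fullmatch(tag):
        problems.append(f"tag {tag!r} breaks the tag rule")
    return problems


# Constructed sample inputs, not taken from the page.
SAMPLES = [
    "library/nginx:1.0",   # valid
    "Library/nginx",       # uppercase is not allowed in the name
    "library//nginx",      # empty path component
    "my__app",             # two separators in a row
    "nginx:v1.0-RC1",      # uppercase is allowed in the tag
    "nginx:-rc",           # tag starts with a separator
]

if __name__ == "__main__":
    for sample in SAMPLES:
        issues = check_reference(sample)
        print(f"{sample:20} {'OK' if not issues else '; '.join(issues)}")
```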
Docker dangling images
1. What is a dangling image (docker
2. List dangling images:
docker images -f dangling=true
Example:
C:\Users\s00574212>docker images -f dangling=true
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox <none> 7cfbbec8963d 3 weeks ago 4.86MB
3. Remove dangling images:
docker image prune # asks for confirmation; enter y
Example:
[root@docker dangling]# docker image prune
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:5677308707382034cc80e3ce4ca3e8a8b19548f1de0b89f1318649d15837a86d
Total reclaimed space: 0B
[root@docker dangling]#
docker manifest multi arch
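1. Enable experimental features (docker manifest is an experimental feature, so the experimental switch must be turned on);
otherwise the following error is reported: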
docker manifest create is only supported on a Docker cli with experimental cli features enabled
Step 1:
$vim /etc/docker/daemon.json
{
"experimental": true
}
Step 2, in either of two ways:
1) Temporary:
export DOCKER_CLI_EXPERIMENTAL=enabled
2) Permanent:
$vim ~/.docker/config.json
{
"experimental": "enabled"
}
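Step 3:
Restart docker: systemctl daemon-reload && systemctl restart docker
2. Procedure:
1. List the two nginx images in the local image store (imported from outside and loaded manually; at this point they exist only in the local image store):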
[root@HN01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx amd64 080ed0ed8312 8 days ago 142MB
nginx arm64 f71a4866129b 8 days ago 135MB
2. Tag the two images and push them to the local remote registry
[root@HN01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:5001/nginx amd64 080ed0ed8312 8 days ago 142MB
127.0.0.1:5001/nginx arm64 f71a4866129b 8 days ago 135MB
3. Create the manifest list
[root@HN01 ~]# docker manifest create --insecure 127.0.0.1:5001/nginx:1.0 127.0.0.1:5001/nginx:amd64 127.0.0.1:5001/nginx:arm64
Created manifest list 127.0.0.1:5001/nginx:1.0
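Notes:
1) Address A -> 127.0.0.1:5001/nginx:1.0 is the manifest list address, that is, the single image address that unifies the architectures.
2) Address B -> 127.0.0.1:5001/nginx:amd64 and address C -> 127.0.0.1:5001/nginx:arm64 are image addresses that already exist in the local remote registry.
3) The --insecure option is mainly there to cope with a local remote registry that has no HTTPS certificate; it is best to add it (very important: without it the command fails. The registry I started locally is plain HTTP with no certificate; with HTTPS and a certificate this problem should not occur). With --insecure the client accepts plain HTTP or an unverified certificate, so the manifests it reads are not protected in transit.
4) If address A already exists, or A=B or A=C, in other words you do not want to create a new manifest list address but reuse an existing image address, use this command: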
$docker manifest create --insecure --amend 127.0.0.1:5001/nginx:arm64 127.0.0.1:5001/nginx:amd64
With the --amend option, this command adds the amd64 architecture information to the arm64 one.
3.1. Annotate the manifest list
# $ docker manifest annotate [OPTIONS] MANIFEST_LIST MANIFEST
$ docker manifest annotate 127.0.0.1:5001/nginx:1.0 127.0.0.1:5001/nginx:amd64 --arch amd64
$ docker manifest annotate 127.0.0.1:5001/nginx:1.0 127.0.0.1:5001/nginx:arm64 --arch arm64
4. Push the manifest list
[root@HN01 ~]# docker manifest push 127.0.0.1:5001/nginx:1.0
sha256:f23a8d452a44913317da82811ec7a06d3c476d47fb93800d67efd7ac7ca8b838
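(Note: push sometimes fails with the error below, I do not know why; you can try sending a PUT request with Postman to push the manifest, which achieves the same result)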
failed to configure transport: error pinging v2 registry: Get https://7.220.62.96:5001/v2/: http: server gave HTTP response to HTTPS client
5. Inspect the pushed manifest
[root@HN01 ~]# docker manifest inspect 127.0.0.1:5001/nginx:1.0
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1570,
"digest": "sha256:bfb112db4075460ec042ce13e0b9c3ebd982f93ae0be155496d050bb70006750",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1570,
"digest": "sha256:3be40d1de9db30fdd9004193c2b3af9d31e4a09f43b88f52f1f67860f7db4cb2",
"platform": {
"architecture": "arm64",
"os": "linux",
"variant": "v8"
}
}
]
}
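Note: the digest field in manifests above
6. Delete all images from the local image store, then pull the nginx image matching this machine's architecture and OS from the local remote registry: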
[root@HN01 ~]# docker pull 127.0.0.1:5001/nginx:1.0
1.0: Pulling from nginx
f1f26f570256: Pull complete
7f7f30930c6b: Pull complete
2836b727df80: Pull complete
e1eeb0f1c06b: Pull complete
86b2457cc2b0: Pull complete
9862f2ee2e8c: Pull complete
Digest: sha256:f23a8d452a44913317da82811ec7a06d3c476d47fb93800d67efd7ac7ca8b838
Status: Downloaded newer image for 127.0.0.1:5001/nginx:1.0
[root@HN01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:5001/nginx 1.0 080ed0ed8312 8 days ago 142MB
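Note: the pull succeeded and the image ID is 080ed0ed8312; the earlier data shows this is the amd64 image, as expected, so the test passed.
7. The other two images can still be pulled directly from the local remote registry; the result: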
[root@HN01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:5001/nginx 1.0 080ed0ed8312 8 days ago 142MB
127.0.0.1:5001/nginx amd64 080ed0ed8312 8 days ago 142MB
127.0.0.1:5001/nginx arm64 f71a4866129b 8 days ago 135MB
registry latest b8604a3fe854 16 months ago 26.2MB
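3. Registry HTTP request steps:
In one sentence: the REST endpoints are the same ready-made ones; you first upload the images for the different architectures, then create and push a manifest.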
#docker manifest create --insecure 127.0.0.1:5001/registry:1.0 127.0.0.1:5001/registry:amd64 127.0.0.1:5001/registry:arm64
1. Call the v2 endpoint:
GET http://127.0.0.1:5001/v2/
2. Get the manifest metadata of registry:amd64:
GET http://127.0.0.1:5001/v2/registry/manifests/amd64
3. Get the config of registry:amd64:
GET http://127.0.0.1:5001/v2/registry/blobs/sha256:b8604a3fe8543c9e6afc29550de05b36cd162a97aa9b2833864ea8a5be11f3e2
4. Call the v2 endpoint:
GET http://127.0.0.1:5001/v2/
5. Get the manifest metadata of registry:arm64:
GET http://127.0.0.1:5001/v2/registry/manifests/arm64
6. Get the config of registry:arm64:
GET http://127.0.0.1:5001/v2/registry/blobs/sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412
#docker manifest push 127.0.0.1:5001/registry:1.0
1. Call the v2 endpoint:
GET http://127.0.0.1:5001/v2/
2. Push the manifest metadata:
PUT http://127.0.0.1:5001/v2/registry/manifests/1.0
Content-Type:application/vnd.docker.distribution.manifest.list.v2+json
Body:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1363,
"digest": "sha256:36cb5b157911061fb610d8884dc09e0b0300a767a350563cbfd88b4b85324ce4",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 525,
"digest": "sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4",
"platform": {
"architecture": "amd64",
"os": "linux"
}
}
]
}
Status: 201 Created
Response headers:
Docker-Content-Digest: sha256:57492e4c7cebd7529c273ef142a6a4cb47da0ff3275bb287f1716e49ae53db29
Docker-Distribution-Api-Version: registry/2.0
Location:http://127.0.0.1:5001/v2/registry/manifests/sha256:57492e4c7cebd7529c273ef142a6a4cb47da0ff3275bb287f1716e49ae53db29
#docker pull 127.0.0.1:5001/registry:1.0
1. Call the v2 endpoint:
GET http://127.0.0.1:5001/v2/
Note that the response body here contains the metadata of the 127.0.0.1:5001/registry:1.0 image
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1363,
"digest": "sha256:36cb5b157911061fb610d8884dc09e0b0300a767a350563cbfd88b4b85324ce4",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 525,
"digest": "sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4",
"platform": {
"architecture": "amd64",
"os": "linux"
}
}
]
}
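After receiving this, the client iterates over the manifests field, filters for the entry that matches its own architecture and OS, and then issues the download requests.
2. Get the manifest metadata: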
GET http://10.169.62.89:5001/v2/registry/manifests/sha256:36cb5b157911061fb610d8884dc09e0b0300a767a350563cbfd88b4b85324ce4
Response body:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 3112,
"digest": "sha256:b8604a3fe8543c9e6afc29550de05b36cd162a97aa9b2833864ea8a5be11f3e2"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 2817409,
"digest": "sha256:79e9f2f55bf5465a02ee6a6170e66005b20c7aa6b115af6fcd04fad706ea651a"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 299640,
"digest": "sha256:0d96da54f60b86a4d869d44b44cfca69d71c4776b81d361bc057d6666ec0d878"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 6823927,
"digest": "sha256:5b27040df4a23c90c3837d926f633fb327fb3af9ac4fa5d5bc3520ad578acb10"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 398,
"digest": "sha256:e2ead8259a04d39492c25c9548078200c5ec429f628dcf7b7535137954cc2df0"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 214,
"digest": "sha256:3790aef225b922bc97aaba099fe762f7b115aec55a0083824b548a6a1e610719"
}
]
}
3. Pull the layers one by one; the config blob is fetched first:
GET http://10.169.62.89:5001/v2/registry/blobs/sha256:b8604a3fe8543c9e6afc29550de05b36cd162a97aa9b2833864ea8a5be11f3e2
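Then come the other layers. Note that some layers are shared between images, so not every layer is necessarily pulled: layers that already exist in the local store are skipped, and if all of them exist this third step is not needed. (Whether a layer exists is decided locally, without contacting the remote registry.)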
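The selection step of the pull flow above, followed by the check that makes fetching by digest trustworthy, as an added example that is not part of the original notes: pick the manifests[] entry for a platform, then confirm the fetched manifest bytes match the size and sha256 digest the list recorded. The manifests are constructed, the `blobs` dict stands in for GET /v2/<name>/manifests/<digest>, and all function names are hypothetical.

```python
import hashlib
import hmac
import json

LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
IMAGE_TYPE = "application/vnd.docker.distribution.manifest.v2+json"


def digest_of(body):
    """Registry digest: sha256 over the exact bytes the registry serves."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def select_platform(manifest_list, os_name, arch):
    """Return the first manifests[] entry whose platform matches os/arch."""
    if manifest_list.get("mediaType") != LIST_TYPE:
        raise ValueError("not a manifest list")
    for entry in manifest_list.get("manifests", []):
        platform = entry.get("platform", {})
        if platform.get("os") == os_name and platform.get("architecture") == arch:
            return entry
    raise LookupError(f"no manifest for {os_name}/{arch}")


def duplicate_platforms(manifest_list):
    """Platforms listed more than once, like the two amd64 entries in the PUT body above."""
    seen, dupes = set(), []
    for entry in manifest_list.get("manifests", []):
        p = entry.get("platform", {})
        key = (p.get("os"), p.get("architecture"), p.get("variant"))
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def fetch_verified(blobs, entry):
    """Fetch the manifest named by entry["digest"]; reject it on size or digest mismatch."""
    body = blobs[entry["digest"]]
    if len(body) != entry["size"]:
        raise ValueError("size mismatch for " + entry["digest"])
    if not hmac.compare_digest(digest_of(body), entry["digest"]):
        raise ValueError("digest mismatch for " + entry["digest"])
    return json.loads(body)


def image_manifest(label):
    """Constructed stand-in for an image manifest, serialized to bytes."""
    doc = {"schemaVersion": 2, "mediaType": IMAGE_TYPE,
           "layers": [], "annotations": {"constructed-for": label}}
    return json.dumps(doc, sort_keys=True).encode("utf-8")


def descriptor(body, os_name, arch, variant=None):
    """Build one manifests[] entry for the given manifest bytes."""
    platform = {"architecture": arch, "os": os_name}
    if variant:
        platform["variant"] = variant
    return {"mediaType": IMAGE_TYPE, "size": len(body),
            "digest": digest_of(body), "platform": platform}


def build_sample():
    """Constructed data: two image manifests and the list that indexes them."""
    amd64, arm64 = image_manifest("amd64"), image_manifest("arm64")
    blobs = {digest_of(amd64): amd64, digest_of(arm64): arm64}
    manifest_list = {
        "schemaVersion": 2,
        "mediaType": LIST_TYPE,
        "manifests": [descriptor(amd64, "linux", "amd64"),
                      descriptor(arm64, "linux", "arm64", "v8")],
    }
    return manifest_list, blobs


if __name__ == "__main__":
    manifest_list, blobs = build_sample()
    entry = select_platform(manifest_list, "linux", "arm64")
    print(entry["digest"], fetch_verified(blobs, entry)["annotations"])
```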
4. Other commands:
docker manifest annotate Add additional information to a local image manifest
docker manifest create Create a local manifest list for annotating and pushing to a registry
docker manifest inspect Display an image manifest, or manifest list
docker manifest push Push a manifest list to a repository
docker manifest rm Delete one or more manifest lists from local storage
Example: add extra arch information, with the value arm, to the 127.0.0.1:5001/nginx:arm64 image
docker manifest annotate 127.0.0.1:5001/nginx:1.0 127.0.0.1:5001/nginx:arm64 --arch arm
127.0.0.1:5001/library/nginx amd64 080ed0ed8312
127.0.0.1:5001/library/nginx arm64 f71a4866129b
File contents:
080ed0ed8312: holds the original config.json; it is also the IMAGE ID shown by the docker images command.
754b702434e0: holds the original manifest.json
Under /root/xxx/docker/registry/v2/repositories/library, the tree command shows this structure:
── nginx
├── _layers
│ └── sha256
│ ├── 080ed0ed8312deca92e9a769b518cdfa20f5278359bd156f3469dd8fa532db6b
│ │ └── link
│ ├── 25ce04aa22b4a1001cf9cc09e6ff038cf5b61cefc0679bcc2ee84ca2f5050dda
│ │ └── link
│ ├── 3804935bde6232033371fe05e57419a2708f4d771ed7ce3bf83f2821db9ecbd0
│ │ └── link
│ ├── 3af14c9a24c941c626553628cf1942dcd94d40729777f2fcfbcd3b8a3dfccdd6
│ │ └── link
│ ├── 4d0bf5b5e17b1bf57a06893ca4cdb58189efcf348b817d33850aa04ab403e4f1
│ │ └── link
│ ├── 748eb15c313c9805c2d084e182f69fc7dc2271e29ebe43809617131112f6d561
│ │ └── link
│ ├── 95457f8a16fd7d0e872c8ccd8ffa84b79b8aa56a39ca5a84bf54c1fab9bac712
│ │ └── link
│ ├── 9c603f82aa71812742cd6204e08c92fbf5138873c609a55537b5729bb07cb563
│ │ └── link
│ ├── a0b795906dc1f8bb47568da6335c0b5e5049aefc9b0bf3bfe6a9a90e55e8ca36
│ │ └── link
│ ├── af29ec691175380d67613953dfb815a47cbcdc5a10221ab1047668cda2efc9ee
│ │ └── link
│ ├── c05840a11ed9714c3d386161962a7108d0c74c7f09c39949f46934ca3b90341e
│ │ └── link
│ ├── f71a4866129b6332cfd0dddb38f2fec26a5a125ebb0adde99fbaa4cb87149ead
│ │ └── link
│ ├── f7ec7b6b86f3cc0d3ca9318079b4fbe3d5073fa7421495e9e0b11588f59247e7
│ │ └── link
│ └── ff4557f62768fd99a55c9596bcc2ade44045c47a089a898a14d73b50a306c74d
│ └── link
├── _manifests
│ ├── revisions
│ │ └── sha256
│ │ ├── 754b702434e0aedf41c6c8a27843e3b0ae3d37a98ab6c4e8799d349b931bea77
│ │ │ └── link
│ │ └── db6e539b7caadb2e3a48d5ef132633db5f82ae0d2acfd9f329dac84c0afb449d
│ │ └── link
│ └── tags
│ ├── amd64
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ └── db6e539b7caadb2e3a48d5ef132633db5f82ae0d2acfd9f329dac84c0afb449d
│ │ └── link
│ └── arm64
│ ├── current
│ │ └── link
│ └── index
│ └── sha256
│ └── 754b702434e0aedf41c6c8a27843e3b0ae3d37a98ab6c4e8799d349b931bea77
│ └── link
└── _uploads
After creating the manifest list by hand (not yet pushed), inspect it with docker manifest inspect:
[root@HN01 data]# docker manifest create --insecure 127.0.0.1:5001/library/nginx:1.0 127.0.0.1:5001/library/nginx:amd64 127.0.0.1:5001/library/nginx:arm64
Created manifest list 127.0.0.1:5001/library/nginx:1.0
[root@HN01 data]#
[root@HN01 data]#
[root@HN01 data]# docker manifest inspect 127.0.0.1:5001/library/nginx:1.0
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1238,
"digest": "sha256:db6e539b7caadb2e3a48d5ef132633db5f82ae0d2acfd9f329dac84c0afb449d",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1238,
"digest": "sha256:754b702434e0aedf41c6c8a27843e3b0ae3d37a98ab6c4e8799d349b931bea77",
"platform": {
"architecture": "arm64",
"os": "linux",
"variant": "v8"
}
}
]
}
Note: manifests[0].digest here is the hash of the manifest of 127.0.0.1:5001/library/nginx:amd64, size is the size of the manifest file under the blob directory, and the architecture, os and variant fields all come from the config file of the 127.0.0.1:5001/library/nginx:amd64 image.
After pushing the manifest list:
[root@HN01]# docker manifest push 127.0.0.1:5001/library/nginx:1.0
sha256:d06690ad6d8f5e2359d36d049fd2b7b3a6415ec63e70b339369e0bdf8e7f91b0
This amounts to just adding a 1.0 manifest entry under tags
│ └── tags
│ ├── 1.0
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ └── d06690ad6d8f5e2359d36d049fd2b7b3a6415ec63e70b339369e0bdf8e7f91b0
│ │ └── link
│ ├── amd64
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ └── db6e539b7caadb2e3a48d5ef132633db5f82ae0d2acfd9f329dac84c0afb449d
│ │ └── link
│ └── arm64
│ ├── current
│ │ └── link
│ └── index
│ └── sha256
│ └── 754b702434e0aedf41c6c8a27843e3b0ae3d37a98ab6c4e8799d349b931bea77
│ └── link
Calling the manifest GET endpoint with the digest as the reference returns the details of the multi-arch image:
GET http://7.220.62.96:5001/v2/library/nginx/manifests/sha256:d06690ad6d8f5e2359d36d049fd2b7b3a6415ec63e70b339369e0bdf8e7f91b0
Accept: application/vnd.docker.distribution.manifest.v2+json
This returns the following:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1238,
"digest": "sha256:db6e539b7caadb2e3a48d5ef132633db5f82ae0d2acfd9f329dac84c0afb449d",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1238,
"digest": "sha256:754b702434e0aedf41c6c8a27843e3b0ae3d37a98ab6c4e8799d349b931bea77",
"platform": {
"architecture": "arm64",
"os": "linux",
"variant": "v8"
}
}
]
}
Response Header:
Content-Type:application/vnd.docker.distribution.manifest.list.v2+json
Docker-Content-Digest:sha256:d06690ad6d8f5e2359d36d049fd2b7b3a6415ec63e70b339369e0bdf8e7f91b0
Content-Length:772
Errors:
1. unsupported manifest media type and no default available: application/vnd.docker.distribution.manifest.v1+prettyjws
[root@doublenet-master-iulob gandalf]# docker manifest create 110.1.28.12:7443/library/nginx:2.0 110.1.28.12:7443/library/nginx:arm64 110.1.28.12:7443/library/nginx:amd64
unsupported manifest media type and no default available: application/vnd.docker.distribution.manifest.v1+prettyjws
This was with docker 18.09.0. (The latest version, 24.0.4, gives the same error.)
Docker Desktop configuration
1. Configure a local proxy:
docker desktop -> settings -> Resources -> PROXIES -> Web Server(HTTP) + Secure Web Server(HTTPS)
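http://<domain account>:<password>@proxyhk.huawei.com:8080 (version 4.3.2)
http://proxyhk.huawei.com:8080 (version 4.17.0)
Note: in version 4.17.0 the domain account and password are cleared automatically when you click Save, I do not know why, and pulling images then fails, for example: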
C:\Users\s00574212>docker pull hello-world
Using default tag: latest
[2023-04-06T03:33:36.904409200Z][docker-credential-desktop][W] Windows version might not be up-to-date: The system cannot find the file specified.
Error response from daemon: Get "https://registry-1.docker.io/v2/": writing response to registry-1.docker.io:443: connecting to 172.18.100.92:8080: dial tcp 172.18.100.92:8080: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.
ping proxyhk.huawei.com
C:\Users\s00574212>ping proxyhk.huawei.com
正在 Ping proxyhk.huawei.com.web3.hwgslb.com [172.18.100.92] 具有 32 字节的数据
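This shows that Docker Desktop is denied permission when accessing the proxy. How to fix it is unclear; switch to an older version?
The registry-mirrors setting under Docker Engine needs to be emptied so that images are pulled from the default official registry.
curl commands for accessing a registry
1. Log in with an Authorization header: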
curl -H "Authorization: Basic cm9vdDpodWF3ZWlAMTIz" http://localhost:5000/v2 -v
2. Log in with a user name and password:
curl -u root:huawei@123 http://localhost:5000/v2 -v
Example:
1. User name: shenjl; password: weihua@123
2. Join the user name and password with a colon into string A: shenjl:weihua@123
3. Base64-encode string A to get string B: c2hlbmpsOndlaWh1YUAxMjM=
4. Address of the third-party registry, C: https://51.32.18.77:7443
5. Substitute B and C into: curl -H "Authorization: Basic <B>" <C>/v2/ -v
Example:
curl -H "Authorization: Basic c2hlbmpsOndlaWh1YUAxMjM=" https://51.32.18.77:7443/v2/ -v
6. If the call in the previous step succeeds with status code 200 and a response body of {}, the login succeeded.
curl -H "Authorization: Basic c2hlbmpsOndlaWh1YUAxMjM=" https://51.32.18.77:7443/v2/_catalog -v
URLs for accessing a registry with Postman
Docker restart commands
Note: after changing docker's configuration files, restart the process for the change to take effect.
# docker
systemctl daemon-reload
systemctl restart docker.service
Common docker commands
docker pull
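1. Purpose: pull an image.
2. Syntax: docker pull [OPTIONS] NAME[:TAG|@DIGEST]
3. Examples:
docker pull nginx # pull nginx from the default registry, latest tag by default
docker pull nginx:1.0 # pull nginx from the default registry, tag 1.0
docker pull 51.32.18.120:7443/library/nginx:1.0 # pull nginx from the given registry, tag 1.0
docker pull --platform=amd64 nginx:1.0 # request the amd64 architecture
docker pull -a nginx # pull all tags
docker pull nginx@sha256:b7d7a3945c3689bff125769372bd0ac99d4980719a463108038d5d9d7084dcda # pull the given digest
docker pull nginx:1.0@sha256:b7d7a3945c3689bff125769372bd0ac99d4980719a463108038d5d9d7084dcda # pull the given digest
Note: images pulled by digest as above have no tag in the local image store and are shown as <none>.
Note: when images with the same repository name and the same tag but different content exist, a specific one can be pulled by giving its digest; otherwise the most recently pushed one, which overwrote the tag, is pulled.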
docker tag
1. Purpose: tag an existing image.
2. Syntax: docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
3. Examples:
docker tag nginx:1.0 nginx:2.0 # based on nginx 1.0, add a new tag 2.0; the two tags have the same imageDigest
docker tag nginx nginx:2.0 # based on nginx latest, add a new tag 2.0; the two tags have the same imageDigest
docker login
1. Logging in to an HTTPS Harbor registry fails with x509: certificate signed by unknown authority
[root@HN01 ~]# docker login -u admin -p weihua@123 7.220.62.96:4443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://7.220.62.96:4443/v2/: x509: certificate signed by unknown authority
Fix: save ca.crt to the path below
/etc/docker/certs.d/7.220.62.96:4443/ca.crt
where 7.220.62.96:4443 is the registry address
Docker configuration files
1. Path: /etc/docker/daemon.json
registry-mirrors: # array; each entry needs a scheme (unlike isula), otherwise the daemon fails with: failed to start daemon: invalid mirror: "51.32.17.130:7443" is not a valid URI
{
"registry-mirrors":[
"https://51.32.17.130:7443"
]
}
insecure-registries: # array; docker tries HTTPS first and falls back to HTTP if that fails.
If HTTPS is available but the certificate is invalid, ignore the error about the certificate.
If HTTPS is not available, fall back to HTTP.
2. Docker's credentials file: /root/.docker/config.json
[root@HN01 .docker]# cat config.json
{
"auths": {
"10.169.62.89:5001": {
"auth": "YWRtaW46d2VpaHVhQDEyMw=="
},
"127.0.0.1:5000": {
"auth": "cm9vdDpodWF3ZWlAMTIz"
},
"7.220.62.96:5000": {
"auth": "cm9vdDpodWF3ZWlAMTIz"
},
"7.220.62.96:5005": {
"auth": "cm9vdDpodWF3ZWlAMTIz"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.0 (linux)"
},
"experimental": "enabled"
}
Note: running docker logout 7.220.62.96:5005 removes the corresponding entry from the config.json file above
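The `auth` values in config.json are the same base64("user:password") string built in the curl walkthrough above, so the file is equivalent to a stored password. The added example below (not part of the original notes) rebuilds that header and reviews a credentials file for inline credentials and loose file permissions; the sample config and registry names are constructed, the function names are hypothetical, and `credsStore`/`credHelpers` are the Docker CLI settings for external credential helpers.

```python
import base64
import binascii
import json
import stat


def basic_header(user, password):
    """Steps 2-3 of the curl walkthrough: "Basic " + base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_auth(value):
    """Return (user, password) if value is base64 of user:password, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def audit_config(config_text, file_mode=None):
    """Return (target, kind, detail) findings for a config.json / auth.json document."""
    config = json.loads(config_text)
    findings = []
    if file_mode is not None and stat.S_IMODE(file_mode) & 0o077:
        findings.append(("file", "loose-permissions", oct(stat.S_IMODE(file_mode))))
    auths = config.get("auths", {})
    for registry in sorted(auths):
        value = auths[registry].get("auth")
        if value is None:
            continue  # entry without an inline auth value
        creds = decode_auth(value)
        if creds is None:
            findings.append((registry, "opaque-auth", "not base64 of user:password"))
        else:
            # Report the user only; the password is never printed.
            findings.append((registry, "inline-basic", "user=" + creds[0]))
    inline = any(kind == "inline-basic" for _, kind, _ in findings)
    if inline and not (config.get("credsStore") or config.get("credHelpers")):
        findings.append(("file", "no-credential-helper", "credsStore/credHelpers not set"))
    return findings


def sample_config():
    """Constructed credentials file; none of these values come from the page."""
    return json.dumps({
        "auths": {
            "registry.example:5000": {
                "auth": base64.b64encode(b"alice:constructed-secret").decode("ascii")
            },
            # Decodes to a hex-looking string without a colon, like the isula auths.json values.
            "isula.example:7443": {
                "auth": base64.b64encode(b"0000000200000001ABCDEF").decode("ascii")
            },
            "helper.example": {},
        }
    })


if __name__ == "__main__":
    # 0o100644 is a regular file readable by group and others (constructed mode).
    for finding in audit_config(sample_config(), file_mode=0o100644):
        print(finding)
```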
docker save: exporting images with different suffixes
1. tar (default):
docker save <image>:<tag> -o /xxx_dir/xxx_name.tar
2. tar.gz:
# Export the image and save it compressed:
docker save <image>:<tag> | gzip > /xxx_dir/xxx_name.tar.gz
# Restore the image file
gunzip -c /xxx_dir/xxx_name.tar.gz | docker load
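Quickly deleting all docker containers
1. Delete all containers; this works when every container is already stopped:
docker rm $(docker ps -aq) # -q: quiet mode, print only container IDs.
2. Stop and delete all containers, if you do not want to stop them one by one:
docker stop $(docker ps -q) && docker rm $(docker ps -aq)
3. Delete all images; make sure no image is in use:
docker rmi -f $(docker images -qa) # -q: quiet mode, print only image IDs.
4. Delete all images whose tag is none: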
docker rmi $(docker images -f "dangling=true" -q)
Docker file organization structure
/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx # tree
.
├── _layers
│ └── sha256
│ ├── 080ed0ed8312deca92e9a769b518cdfa20f5278359bd156f3469dd8fa532db6b
│ │ └── link
│ ├── 0ed5ae6eff71083dc1d5a2f96cb7dfbf2b8bae00c5bdaa51801b339ed1c74132
│ │ └── link
│ ├── 1f2e49eb7fad1d23992cd1b12b4e474a0eab02180607669190fae2fff11e002d
│ │ └── link
│ ├── 2ef0e55c2efc4704cbf06538e2712bed5b42dac7e612c9e2171603307ce403e0
│ │ └── link
│ ├── 4d12160cd24e0ed72716aff832e81e5c5ced3c89bb092c97ebf99876dd9b6b1a
│ │ └── link
│ ├── 4ecc17102fe86f7fb76274c5ef3d05f3bb42a584652d9b6a1e101a8db750ae69
│ │ └── link
│ ├── 65c0f28e542218041d83b367bca3bd730faa0000ce90cb871af50beefe004bba
│ │ └── link
│ ├── 6f261895b0297065c1e3b91453a9f4fb37b91235bba02a71e241715dd9204b33
│ │ └── link
│ ├── 7b9a682f912461bb9667583f06835ae7172b5fc244ead83d375df4ebc1e7fdd2
│ │ └── link
│ ├── 811f3caa888b1ee5310e2135cfd3fe36b42e233fe0d76d9798ebd324621238b9
│ │ └── link
│ ├── 86fa88bbfb867d867df7a225105615d79e95f6d62d1250be877d99318ffab27c
│ │ └── link
│ ├── 8c8ee3407f3623fe51674138bba540c279b1bb4fea49fc8fd1306a235abab027
│ │ └── link
│ ├── 9bf4fc579eaa72564c27534cf799d106db752dbaadcc1a668288b5f7141947f2
│ │ └── link
│ ├── a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
│ │ └── link
│ ├── ca0963c4743907a54a066b92476aa74af5519da43f30c2840a8a170db12097ed
│ │ └── link
│ ├── e2bcc14dbbeedea44072a7e6876c8980413e90fc1a5eda744a3abf7fe03255ca
│ │ └── link
│ ├── f71a4866129b6332cfd0dddb38f2fec26a5a125ebb0adde99fbaa4cb87149ead
│ │ └── link
│ └── feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412
│ └── link
├── _manifests
│ ├── revisions
│ │ └── sha256
│ │ ├── 28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7a
│ │ │ └── link
│ │ ├── 7f1b8416a3abaf76840af573c44263667f34e5a4885f5c480464e1da3b01f4a0
│ │ │ └── link
│ │ ├── 89f40c947313d60d446ba4a9fea35a8ba8f9c99288258747b0720d883e5c348d
│ │ │ └── link
│ │ └── 95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5
│ │ └── link
│ └── tags
│ ├── 2.0
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ └── 89f40c947313d60d446ba4a9fea35a8ba8f9c99288258747b0720d883e5c348d
│ │ └── link
│ ├── amd64
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ ├── 28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7a
│ │ │ └── link
│ │ └── 95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5
│ │ └── link
│ ├── arm64
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ └── 7f1b8416a3abaf76840af573c44263667f34e5a4885f5c480464e1da3b01f4a0
│ │ └── link
│ └── normalpush
│ ├── current
│ │ └── link
│ └── index
│ └── sha256
│ └── 7f1b8416a3abaf76840af573c44263667f34e5a4885f5c480464e1da3b01f4a0
│ └── link
└── _uploads
50 directories, 31 files
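Conclusions:
1. Each tag under tags contains two subdirectories, current and index, which handle the case where the tag is the same but the actual content differs; each push overwrites with the latest. Taking the amd64 tag above as an example, there are two revisions with the same tag but different content: 28* was pushed later and overrides the original, that is, current holds the latest link. docker pull xxx/shenjl2/nginx:amd64 now returns the revision uploaded last, but the original one can still be fetched like this: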
docker pull xxx/shenjl2/nginx:amd64@sha256:95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 # tree
.
├── current
│ └── link
└── index
└── sha256
└── 95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5
└── link
4 directories, 2 files
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 # cat current/link
sha256:95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 # cat index/sha256/95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5/link
sha256:95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 # tree
.
├── current
│ └── link
└── index
└── sha256
├── 28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7a
│ └── link
└── 95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5
└── link
5 directories, 3 files
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 # cat index/sha256/28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7a/link
sha256:28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7aVRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
VRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 # cat current/link
sha256:28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7aVRM01:/opt/krm/registry/docker/registry/v2/repositories/shenjl2/nginx/_manifests/tags/amd64 #
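The current/index layout above can be read back to find tags that were pushed more than once with different content, which is the case where pulling by tag and pulling by digest give different images. This is an added example, not part of the original notes: it rebuilds part of the tags directory from the listing in a temporary directory (digests copied from the listing, function names hypothetical) and reports the superseded revisions per tag.

```python
import os
import tempfile

# Digests copied from the tree listing above.
OLD_AMD64 = "95e8d2787de93054db7726a2604ff77ce1e4f0861a74b7eed6f571edc130c0c5"
NEW_AMD64 = "28a1207f180f1062559d6140e60de73b3ef1bb1e013fe84d7b183597cc134c7a"
ARM64 = "7f1b8416a3abaf76840af573c44263667f34e5a4885f5c480464e1da3b01f4a0"


def read_link(path):
    """A link file holds one digest with no trailing newline (see the cat output above)."""
    with open(path, encoding="ascii") as handle:
        return handle.read().strip()


def tag_history(repo_dir):
    """Map each tag to its current digest and the older digests still listed in index/."""
    tags_dir = os.path.join(repo_dir, "_manifests", "tags")
    report = {}
    for tag in sorted(os.listdir(tags_dir)):
        current = read_link(os.path.join(tags_dir, tag, "current", "link"))
        index_dir = os.path.join(tags_dir, tag, "index")
        seen = []
        for algorithm in sorted(os.listdir(index_dir)):
            algo_dir = os.path.join(index_dir, algorithm)
            for entry in sorted(os.listdir(algo_dir)):
                seen.append(read_link(os.path.join(algo_dir, entry, "link")))
        report[tag] = {
            "current": current,
            "superseded": [digest for digest in seen if digest != current],
        }
    return report


def overwritten_tags(report):
    """Tags whose index holds revisions other than the current one."""
    return sorted(tag for tag, info in report.items() if info["superseded"])


def write_link(path, digest):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as handle:
        handle.write(digest)  # no trailing newline, as in the registry's files


def build_sample_repo(root):
    """Recreate part of the _manifests/tags listing above under root (constructed copy)."""
    pushes = [("amd64", OLD_AMD64), ("amd64", NEW_AMD64),
              ("arm64", ARM64), ("normalpush", ARM64)]
    for tag, hexdigest in pushes:
        tag_dir = os.path.join(root, "_manifests", "tags", tag)
        digest = "sha256:" + hexdigest
        write_link(os.path.join(tag_dir, "index", "sha256", hexdigest, "link"), digest)
        write_link(os.path.join(tag_dir, "current", "link"), digest)  # last push wins
    return root


def sample_report():
    """Build the sample layout in a temporary directory and analyse it."""
    with tempfile.TemporaryDirectory() as root:
        return tag_history(build_sample_repo(root))


if __name__ == "__main__":
    report = sample_report()
    for tag in overwritten_tags(report):
        print(tag, "current", report[tag]["current"])
        for digest in report[tag]["superseded"]:
            print("  still pullable by digest:", digest)
```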
isula
isula restart commands
Note: after changing isula's configuration files, restart the process for the change to take effect.
# isula
systemctl daemon-reload
systemctl restart isulad.service
Common isula commands
1. Check the installation: isula version
2. Log in to / log out of a local registry:
Login: isula login -u username registryAddress, for example: isula login -u admin 51.32.18.113:7443
Logout: isula logout registryAddress, for example: isula logout -u 51.32.18.113:7443
[root@fasfasfasf-fasfasf-folhz isula]# isula login -u admin 51.32.18.113:7443
Password: Login Succeeded
[root@fasfasfasf-fasfasf-folhz isula]# cat /root/.isulad/auths.json
{
"auths": {
"51.32.18.113:7443": {
"auth": "MDAwMDAwMDIwMDAwMDAwMTY4OUQwOTg1QkEwQkI0QUMwNTA1Q0Y0MTRDRjg3RTQ3MDIyMzBCQjYxMTZDOEZDRDZDRTdEQUZFMjVGMDA5NzcwMDAwMDAwMjAwMDAyODAwQzNENkU2Njc3RkNDOUZCQzYxOUNDMTZEMEY5REY5QTdBNjI4MDcyNkIwQzU4Q0U5Njg4NDZBQ0JCM0UxQzMzMjAwMDAwMDA0NDUwODNERjI0OEEzRTI0ODM0QTEyQThEQjM1RDMzNkZDNUU0MDNENzQwMjU1N0VCM0RFNDlDMzcyRkI0N0U2NkM1RjA3MzYxQjc4Mjc5RTQ2REY4MkFEQzVCQjdFMjA5RUY1REE5OEUxM0IwRTUzMTU4RTkxQjNCRTQxMzc0Q0E="
}
}
}
[root@fasfasfasf-fasfasf-folhz isula]# isula logout -u 51.32.18.113:7443
Logout Succeeded
[root@fasfasfasf-fasfasf-folhz isula]# cat /root/.isulad/auths.json
{
"auths":{}
}
[root@nic-many-master-azbii .isulad]# isula pull 51.32.18.120:7443/shenjl/shenjl/busybox:latest
Image "51.32.18.120:7443/shenjl/shenjl/busybox:latest" pulling
Failed to pull image 51.32.18.120:7443/shenjl/shenjl/busybox:latest with error: registry response invalid status code 401
3. List local images: isula images
4. Load an image archive into the local image store: isula load -i /home/gandalf/docker_auth_2.0.tar
5. Tag an image in the local image store: isula tag busybox:1.0 51.32.18.113:7443/library/busybox:1.0
6. Pull an image from another registry: isula pull 51.32.18.113:7443/library/busybox:1.0
Note: isula has no push command.
isula configuration files
1. isulad configuration file: /etc/isulad/daemon.json
{
"group": "isula",
"default-runtime": "lcr",
"graph": "/opt/k8s/cri/isulad",
"state": "/var/run/isulad",
"engine": "lcr",
"log-level": "ERROR",
"pidfile": "/var/run/isulad.pid",
"log-opts": {
"log-file-mode": "0600",
"log-path": "/var/lib/isulad",
"max-file": "1",
"max-size": "30KB"
},
"log-driver": "stdout",
"container-log": {
"driver": "json-file"
},
"hook-spec": "/etc/default/isulad/hooks/default.json",
"start-timeout": "2m",
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
],
"registry-mirrors": [
"51.32.18.113:7443"
],
"pod-sandbox-image": "registry.simbaos.com/pause:3.5",
"native.umask": "secure",
"network-plugin": "cni",
"cni-bin-dir": "/opt/cni/bin",
"cni-conf-dir": "/etc/cni/net.d",
"image-layer-check": false,
"use-decrypted-key": true,
"insecure-skip-verify-enforce": false
}
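2. isula credentials file: /root/.isulad/auths.json
This file records isula's login information; after one successful login there is no need to log in again, and the third-party registry can be accessed directly.
[root@fasfasfasf-fasfasf-folhz isulad]# cat /root/.isulad/auths.json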
{
"auths": {
"51.32.18.113:7443": {
"auth": "MDAwMDAwMDIwMDAwMDAwMTQ2RjcxNjE2N0EwRDk3MjhCMERFNjY0QkQyRTdGMjZFREUxMTkyMTVBQ0EzNjYwQTcxOUFENEQ2NTc4NjE1MkYwMDAwMDAwMjAwMDAyODAwM0RBQzEzQkY1NUJFOTJBQTkwMUM0OTQ5NjNFQkQ4NEI5OTI1MzQyQjRDMjU4NDZCMDI1NUMyODI0MzZDMjVFNTAwMDAwMDA0RTZGNTcxMDk0QkEyQjAyMzkxREFBRUQ2NjFFNzVBRUQ4NENCRDE0NzgxNEE4NTk1ODVFOUY5OUQ3M0U1RUExNjk3MERCOTU0RTg3MEY4QjMwRTc1MjQ3MTA0NjBGRTMwNEMwNzk3QkI2N0VBN0QyRg=="
}
}
}
isula-build
isula-build restart commands
Note: after changing isula-build's configuration files, restart the process for the change to take effect.
# isula-build
systemctl daemon-reload
systemctl restart isula-build.service
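Installing the isula-build tool
Note: the nodes of a created cluster have only isula installed by default, not isula-build; to push images, install the isula-build tool manually.
Note: isula and isula-build are not the same thing; in fact the two have little to do with each other (grudge.jpg)
Note: isulad is the container engine, isula is its companion client tool, and isula-build is the container image build tool from isula, mainly so that the images it builds can run on docker.
One-line install: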
rpm -ivh isula-build-0.9.5-6.oe1.x86_64.rpm && systemctl start isula-build && isula-build version
One-line uninstall:
rpm -qa | grep isula-build && rpm -e $(rpm -qa | grep isula-build)
1. Download the isula-build package, for example: isula-build-0.9.5-6.oe1.x86_64.rpm
2. Copy the file to the server, for example: /home/gandalf/isula-build-0.9.5-6.oe1.x86_64.rpm
3. Install it as root: rpm -ivh isula-build-0.9.5-6.oe1.x86_64.rpm
[root@test-master-piovk gandalf]# rpm -ivh isula-build-0.9.5-6.oe1.x86_64.rpm
warning: isula-build-0.9.5-6.oe1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b25e7f66: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:isula-build-0.9.5-6.oe1 ################################# [100%]
4. Verify the installation: isula-build version
[root@test-master-piovk gandalf]# isula-build version
Client:
Version: 0.9.5-6
Go Version: go1.15.7
Git Commit: b82408f
Built: Tue Mar 30 11:08:00 2021
OS/Arch: linux/amd64
invalid socket path: unix:///var/run/isula_build.sock
5. If step 4 fails with invalid socket path: unix:///var/run/isula_build.sock, run systemctl start isula-build manually, because isula-build is not started by default after installation.
[root@test-master-piovk gandalf]# systemctl start isula-build
[root@test-master-piovk gandalf]# isula-build version
Client:
Version: 0.9.5-6
Go Version: go1.15.7
Git Commit: b82408f
Built: Tue Mar 30 11:08:00 2021
OS/Arch: linux/amd64
Server:
Version: 0.9.5-6
Go Version: go1.15.7
Git Commit: b82408f
Built: Tue Mar 30 11:08:00 2021
OS/Arch: linux/amd64
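Notes:
1) The login state of isula-build and isula is separate: being logged in with the latter does not mean the former is logged in.
2) The local image stores of isula-build and isula are separate: their images commands return different results.
Common isula-build commands
0. Restart the isula-build service:
systemctl daemon-reload && systemctl restart isula-build
1. Check that it is installed: isula-build version
2. Log in to the local image registry: isula-build login -u admin 51.32.18.113:7443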
[root@fasfasfasf-fasfasf-folhz gandalf]# isula-build login -u admin 51.32.18.113:7443
Password:
Login Succeeded
[root@fasfasfasf-fasfasf-folhz gandalf]#
3. List the local images: isula-build ctr-img images
4. Load an image archive into the local image store: isula-build ctr-img load -i /home/gandalf/docker_auth_2.0.tar
5. Tag an image in the local image store: isula-build ctr-img tag busybox:1.0 51.32.18.113:7443/library/busybox:1.0
6. Push an image to another registry: isula-build ctr-img push 51.32.18.113:7443/library/busybox:1.0
isula-build configuration files
Root directory: /etc/isula-build
[root@fasfasfasf-fasfasf-fcvej gandalf]# ll /etc/isula-build
total 32
-rw------- 1 root root 85 Apr 17 17:13 auth.json // login credentials file
-rw------- 1 root root 1056 Apr 17 17:25 configuration.toml // main isula-builder configuration file; sets the isula-builder log level, persistent and runtime directories, OCI runtime, etc.
-r--r--r-- 1 root root 459 Apr 17 17:26 isula-build.pub
-rw------- 1 root root 94 Mar 30 2021 policy.json // image pull/push policy file
-rw------- 1 root root 5488 Mar 30 2021 registries.toml // configuration file for the individual image registries
-rw------- 1 root root 6222 Mar 30 2021 storage.toml // local persistent storage configuration file, including the configuration of the storage driver in use.
1. isula-build's image registry configuration file: /etc/isula-build/registries.toml
[registries.insecure]
registries = ["51.32.12.106:5000"] # Registries that do not use TLS when pulling images or uses self-signed certificates.
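insecure = true # the setting above alone is not enough; find this line, remove the leading comment marker and change the value to true
2. isula-build's credentials file: /etc/isula-build/auth.json
This file records isula-build's login information. After one successful login there is no need to log in again; the third-party image registry can then be accessed directly.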
[root@fasfasfasf-fasfasf-folhz isula-build]# cat auth.json
{
"auths": {
"51.32.18.113:7443": {
"auth": "YWRtaW46d2VpaHVhQDEyMw=="
}
}
}
[root@fasfasfasf-fasfasf-folhz isula-build]# pwd
/etc/isula-build
[root@fasfasfasf-fasfasf-folhz isula-build]#
Note: base64-decoded, this is admin:weihua@123, which shows that isula-build's credentials are stored in plaintext.
3. isula-build's main configuration file: /etc/isula-build/configuration.toml
###############################################################################
# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
# isula-build licensed under the Mulan PSL v2.
# You can use this software according to the terms and conditions of the Mulan PSL v2.
# You may obtain a copy of Mulan PSL v2 at:
# http://license.coscl.org.cn/MulanPSL2
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v2 for more details.
# Author: iSula Team
# Create: 2020-1-20
# Description: This is config file for isula-build
################################################################################
debug = false # whether to enable debug logging
loglevel = "" # log level
group = "isula"
# Temporary storage location
run_root = "/var/run/isula-build/" # root directory for runtime data
# Primary Read/Write location of isula-build
data_root = "/var/lib/isula-build/" # local persistent data directory
# Default "runc" found in $PATH
runtime = ""
experimental = true # Indicates whether to enable experimental features.
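The point made about auth.json in item 2 above, as an added example (not part of the original notes or of isula-build): a Python audit that reports which registries have a base64-recoverable user:password entry and whether the file is accessible beyond its owner, without ever printing a password. The sample file, the registry names and the function names classify_auth and audit_auth_file are constructed for illustration.

```python
import base64
import binascii
import json
import stat

# Constructed sample in the layout of /etc/isula-build/auth.json; registries and
# credentials are made up. The second value is base64 but not user:password.
SAMPLE_AUTH_JSON = json.dumps({
    "auths": {
        "registry.example.internal:7443": {
            "auth": base64.b64encode(b"builder:example-password").decode()
        },
        "registry2.example.internal:7443": {
            "auth": base64.b64encode(b"0000000200000001A1B2C3D4").decode()
        },
    }
})


def classify_auth(value):
    """Return ("basic", username) if value is base64 of user:password, else ("opaque", None)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("opaque", None)
    user, sep, password = decoded.partition(":")
    if sep and user and password:
        return ("basic", user)
    return ("opaque", None)


def audit_auth_file(text, mode):
    """Audit auth.json content and its st_mode; findings name registry and user only."""
    findings = []
    perms = stat.S_IMODE(mode)
    if perms & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %04o grants group/other access" % perms)
    for registry, entry in sorted(json.loads(text).get("auths", {}).items()):
        kind, user = classify_auth(entry.get("auth", ""))
        if kind == "basic":
            findings.append("%s: recoverable password stored for user %r" % (registry, user))
    return findings


if __name__ == "__main__":
    for line in audit_auth_file(SAMPLE_AUTH_JSON, 0o100644):
        print(line)
```

On a real node, pass the file's text together with os.stat(path).st_mode; any registry reported here should use an account limited to the push or pull rights the node needs.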
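Enabling manifest list in isula-build
Note: manifest is an experimental feature; to use it, the experimental option must be enabled on both the client and the server. See the client overview and service configuration chapters for how.
Method 1: temporary, export a temporary variable (works)
export ISULABUILD_CLI_EXPERIMENTAL=enabled
Method 2: permanent, edit isula-build's main configuration file (does not work; not sure what else is missing)
vim /etc/isula-build/configuration.toml
# add the following line
experimental = true # Indicates whether to enable experimental features.
# restart isula-build
systemctl daemon-reload && systemctl restart isula-build
# verify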
[root@fasfasfasf-fasfasf-fcvej isula-build]# isula-build info
General:
MemTotal: 7708155904
MemFree: 255885312
SwapTotal: 0
SwapFree: 0
OCI Runtime: runc
DataRoot: /var/lib/isula-build/
RunRoot: /var/run/isula-build/
Builders: 0
Goroutines: 11
Experimental: true // look here
Store:
Storage Driver: overlay
Backing Filesystem: extfs
Registry:
Search Registries:
Insecure Registries:
Steps:
1. isula-build manifest create 51.32.17.130:7443/shenjl1/busybox:1.0 51.32.17.130:7443/shenjl1/busybox:amd64 51.32.17.130:7443/shenjl1/busybox:arm64
>3f26aa36a10cb06b443c8bb8597cad4595fda5e0f3477cc063b4b534c7da600a
2. isula-build manifest inspect 51.32.17.130:7443/shenjl2/nginx:1.0
>
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1238,
"digest": "sha256:ac676386fd60b9aa2454feb5ec8b7addb2e4d183095891bee2739e7ad8a9f681",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1238,
"digest": "sha256:212674a7bd7f500330233e849c2d74d6504267c9b4c6228368a1df9e5e55fe7a",
"platform": {
"architecture": "arm64",
"os": "linux"
}
}
]
}
3. isula-build manifest push 51.32.17.130:7443/shenjl2/nginx:1.0 51.32.17.130:7443/shenjl2/nginx:2.0
Note: this differs from docker: you specify the name and version of the local image, and the name and version of the remote image.
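A check to run on the manifest inspect output of step 2 before the push in step 3, as an added example (not part of the original notes or of isula-build): it confirms that the list covers every required platform with exactly one well-formed sha256 digest, and builds a digest-pinned reference in the usual registry form repo@sha256:.... The sample list, its digests, the repository name and the function names are constructed; the sample is deliberately wrong (two amd64 entries, no arm64).

```python
import json
import re

LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
IMAGE_TYPE = "application/vnd.docker.distribution.manifest.v2+json"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample in the shape printed by `isula-build manifest inspect`.
SAMPLE_MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": LIST_TYPE,
    "manifests": [
        {"mediaType": IMAGE_TYPE, "size": 1238, "digest": "sha256:" + "a" * 64,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": IMAGE_TYPE, "size": 1238, "digest": "sha256:" + "b" * 64,
         "platform": {"architecture": "amd64", "os": "linux"}},
    ],
})


def check_manifest_list(text, required):
    """Return (platform -> digest map, list of problems) for a manifest list."""
    doc = json.loads(text)
    problems, by_platform = [], {}
    if doc.get("mediaType") != LIST_TYPE:
        problems.append("not a manifest list: %r" % doc.get("mediaType"))
    for m in doc.get("manifests", []):
        plat = m.get("platform", {})
        key = "%s/%s" % (plat.get("os"), plat.get("architecture"))
        digest = m.get("digest", "")
        if not DIGEST_RE.fullmatch(digest):
            problems.append("%s: malformed digest %r" % (key, digest))
        elif key in by_platform and by_platform[key] != digest:
            problems.append("%s: listed twice with different digests" % key)
        else:
            by_platform[key] = digest
    for key in required:
        if key not in by_platform:
            problems.append("%s: missing from the list" % key)
    return by_platform, problems


def pinned_reference(repo, by_platform, platform):
    """Build a digest-pinned reference (repo@sha256:...) for one platform."""
    return "%s@%s" % (repo, by_platform[platform])


if __name__ == "__main__":
    print(check_manifest_list(SAMPLE_MANIFEST_LIST, ["linux/amd64", "linux/arm64"])[1])
```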
Q: isula's daemon.json configuration file
Location: /etc/isulad/daemon.json
{
"group": "isula",
"default-runtime": "lcr",
"graph": "/opt/k8s/cri/isulad",
"state": "/var/run/isulad",
"engine": "lcr",
"log-level": "ERROR",
"pidfile": "/var/run/isulad.pid",
"log-opts": {
"log-file-mode": "0600",
"log-path": "/var/lib/isulad",
"max-file": "1",
"max-size": "30KB"
},
"log-driver": "stdout",
"container-log": {
"driver": "json-file"
},
"hook-spec": "/etc/default/isulad/hooks/default.json",
"start-timeout": "2m",
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
],
"registry-mirrors": [
"51.32.18.113:7443"
],
"insecure-registries": [
"51.32.18.114:32500"
],
"pod-sandbox-image": "registry.simbaos.com/pause:3.5",
"native.umask": "secure",
"network-plugin": "cni",
"cni-bin-dir": "/opt/cni/bin",
"cni-conf-dir": "/etc/cni/net.d",
"image-layer-check": false,
"use-decrypted-key": true,
"insecure-skip-verify-enforce": false
}
From: https://www.cnblogs.com/selonsy/p/17554539.html