Version: 2020.01

Last updated: 2020/02/18 15:06

DOF201 - Storing Docker Images

This unit contains one LAB:

  • LAB #1 - Installing a Private Registry.

LAB #1 - Installing a Private Registry

Preparation

Create a directory named myDocker:

root@debian9:~/mongodb# mkdir ~/myDocker
root@debian9:~/mongodb# cd ~/myDocker
root@debian9:~/myDocker# 

Create the file myEntrypoint.sh:

root@debian9:~/myDocker# vi myEntrypoint.sh
root@debian9:~/myDocker# cat myEntrypoint.sh 
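#!/bin/bash
# Refuse to start when the sleep interval is not set.
if [ -z "$myVariable" ]; then
	echo "La variable myVariable doit être renseignée"
	# return works when the script is sourced; exit covers execution as the container entrypoint
	return 1 2>/dev/null || exit 1
fi

# Print the first argument with a timestamp every $myVariable seconds.
while true;
do
	echo "$1" \($(date +%H:%M:%S)\);
	sleep "$myVariable";
done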

Test this script:

root@debian9:~/myDocker# myVariable=3 . ./myEntrypoint.sh salut
salut (20:04:39)
salut (20:04:42)
salut (20:04:45)
salut (20:04:48)
salut (20:04:51)
^C
root@debian9:~/myDocker# 

Make this script executable:

root@debian9:~/myDocker# chmod u+x myEntrypoint.sh 

Now create the Dockerfile in the ~/myDocker directory:

root@debian9:~/myDocker# vi Dockerfile
root@debian9:~/myDocker# cat Dockerfile
FROM centos:latest
MAINTAINER i2tch "infos@i2tch.eu"
COPY myEntrypoint.sh /entrypoint.sh
ENV myVariable 3
ENTRYPOINT ["/entrypoint.sh"]
CMD ["mycommand"]

Now build the image:

root@debian9:~/myDocker# docker build -t i2tch/mydocker .
Sending build context to Docker daemon  3.072kB
Step 1/6 : FROM centos:latest
 ---> 9f38484d220f
Step 2/6 : MAINTAINER i2tch "infos@i2tch.eu"
 ---> Running in 02c700ed04da
Removing intermediate container 02c700ed04da
 ---> 4274107d52e2
Step 3/6 : COPY myEntrypoint.sh /entrypoint.sh
 ---> 7a3923372768
Step 4/6 : ENV myVariable 3
 ---> Running in 3288bf6291ad
Removing intermediate container 3288bf6291ad
 ---> 3edb630c1511
Step 5/6 : ENTRYPOINT ["/entrypoint.sh"]
 ---> Running in 8dcba2c41520
Removing intermediate container 8dcba2c41520
 ---> 11962052539c
Step 6/6 : CMD ["mycommand"]
 ---> Running in f891fbcfaad0
Removing intermediate container f891fbcfaad0
 ---> 7925ba23abb2
Successfully built 7925ba23abb2
Successfully tagged i2tch/mydocker:latest

Installing a Local Registry

To install a private registry, use a public image from Docker:

root@debian9:~/bestp# cd ..
root@debian9:~# docker run -d --name registry -p 88:5000 registry:2.0
Unable to find image 'registry:2.0' locally
2.0: Pulling from library/registry
4d2e9ae40c41: Pull complete 
a3ed95caeb02: Pull complete 
7c8152785df5: Pull complete 
8b04aafd7cd8: Pull complete 
c97c75d2d42e: Pull complete 
4b3ef98bba76: Pull complete 
edee0288d356: Pull complete 
ea2a9399d365: Pull complete 
ddf532273b60: Pull complete 
e9e91aa1843e: Pull complete 
6144b0ffbb4c: Pull complete 
Digest: sha256:3cac1869696e4ff3435bbc30391749ac373f7471736dbb48dfa9bfde08c4efd2
Status: Downloaded newer image for registry:2.0
c4c7cad999cdd77df78a21897bd11c4742a094c1c76a2134fbe4a4d2d92bff0e

Now use lynx from a terminal on your host machine to check that the registry is running:

root@debian9:~# lynx --dump http://localhost:88/v2
{}root@debian9:~# 

Important - Note that the server's response is {}, that is, an empty JSON object.

Retag the image i2tch/mydocker so that it points to the new registry:

root@debian9:~# docker tag i2tch/mydocker localhost:88/mydocker

Important - Note that the tag i2tch/mydocker hides the name of the default registry, which is the public Docker Hub registry.

Push your image localhost:88/mydocker to this new registry:

root@debian9:~# docker push localhost:88/mydocker
The push refers to a repository [localhost:88/mydocker]
873a8ac77d4d: Pushed 
b362758f4793: Pushed 
latest: digest: sha256:30866da81d92d2a1015b869c596ddd6e188f33894c41d8effa2161e5c2862b1f size: 5531

Now confirm that the image is present in the registry:

root@debian9:~# lynx --dump http://localhost:88/v2/mydocker/tags/list
{"name":"mydocker","tags":["latest"]}
root@debian9:~# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
testcache               latest              c3b03bddaaad        18 minutes ago      120MB
<none>                  <none>              1df8c3603628        23 minutes ago      120MB
i2tch/mydocker          latest              c37edbd43993        45 minutes ago      193MB
localhost:88/mydocker   latest              c37edbd43993        45 minutes ago      193MB
i2tch/mongodb2          latest              65e81f78c0f5        12 hours ago        240MB
i2tch/mongodb1          latest              2de862819e94        12 hours ago        240MB
i2tch/mongodb           latest              01c4aa152be2        12 hours ago        1.04GB
ubuntu                  latest              ccc7a11d65b1        3 weeks ago         120MB
centos                  latest              328edcd84f1b        4 weeks ago         193MB
nginx                   latest              b8efb18f159b        6 weeks ago         107MB
debian                  wheezy-slim         884ca0b949e5        6 weeks ago         46.9MB
hello-world             latest              1815c82652c0        2 months ago        1.84kB
registry                2.0                 3bccd459597f        2 years ago         549MB

Creating a Dedicated Registry Server

Currently, the private registry created above is not reachable from the local network because it is referenced as localhost. A dedicated server therefore needs to be set up.

Shut down your Debian_9 virtual machine. Create the NAT network NatNetwork:

File > Preferences > Network > + button > OK

Set the network adapter of the Debian_9 virtual machine to “NatNetwork”.

Create a clone of the virtual machine named Registry, reinitialising the MAC address of the clone.

Create the port forwarding rules in VirtualBox's NatNetwork NAT network:

File > Preferences > Network > NatNetwork > Port Forwarding

Name       Protocol   Host IP     Host Port   Guest IP    Guest Port
Debian_9   TCP        127.0.0.1   2022        10.0.2.15   22
Registry   TCP        127.0.0.1   4022        10.0.2.4    22

Start both virtual machines.

Change the hostname of the clone, then log out and log back in over ssh:

root@debian9:~# nmcli general hostname registry
root@debian9:~# hostname
registry

Edit the file /etc/hosts:

root@registry:~# vi /etc/hosts
root@registry:~# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	debian9.i2tch.loc   	debian9
10.0.2.4	myregistry.i2tch.loc    myregistry
10.0.2.15   debian9.i2tch.loc       debian9

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now create a self-signed certificate with openssl:

root@registry:~# cd / && mkdir certs && openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
............................................................++
.......................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:VAR
Locality Name (eg, city) []:Toulon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:I2TCH LTD
Organizational Unit Name (eg, section) []:TRAINING
Common Name (e.g. server FQDN or YOUR name) []:myregistry
Email Address []:
root@debian9:/# ls certs/
domain.crt  domain.key

Remove the registry container:

root@registry:/# docker rm registry
registry

Create a container in secure mode with TLS from the registry image:

root@registry:/# docker run -d -p 5000:5000 --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2.0
943c01b67cf3f461270a55ac3d9df6622cc9d74e5f272e17153183ff29ee5932
root@debian9:/# 

root@registry:/# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                        PORTS                    NAMES
943c01b67cf3        registry:2.0        "registry cmd/regi..."   31 seconds ago      Up 24 seconds                 0.0.0.0:5000->5000/tcp   registry
ea239635e141        testcache           "more /tmp/moment"       40 minutes ago      Exited (0) 40 minutes ago                              test1
21b0490a93dd        i2tch/mydocker      "/entrypoint.sh my..."   About an hour ago   Exited (137) 18 minutes ago                            myDocker
b9773e4aa06d        i2tch/mongodb2      "docker-entrypoint..."   2 hours ago         Exited (0) 18 minutes ago                              mongo2
bdb4bc0f81de        i2tch/mongodb1      "docker-entrypoint..."   12 hours ago        Created                       27017/tcp                mongo1
f5b45072b831        i2tch/mongodb       "bash"                   13 hours ago        Exited (137) 18 minutes ago                            mongo
9731a48f126a        nginx               "nginx -g 'daemon ..."   13 hours ago        Exited (0) 18 minutes ago                              cocky_gates
eacd70596e23        nginx               "nginx -g 'daemon ..."   13 hours ago        Exited (0) 13 hours ago                                adoring_yonath
cffb4456e9c4        ubuntu              "/bin/bash"              14 hours ago        Exited (0) 14 hours ago                                i2tch
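
The certificate created above carries the registry name only in the Common Name field, whereas recent Docker clients match the name against subjectAltName and reject a certificate that names the host only in the Common Name. The following is an added example, not part of the original lab: it issues the same kind of self-signed certificate with subjectAltName entries and checks it before it is mounted into the container. The function names are illustrative, and OpenSSL 1.1.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab; function names are illustrative.
# Requires OpenSSL 1.1.1 or later (req -addext, x509 -ext).

# make_registry_cert DIR HOST [IP]
# Writes DIR/domain.key and DIR/domain.crt: self-signed, RSA 4096, 365 days as
# in the lab, with HOST (and optionally IP) recorded as subjectAltName entries.
make_registry_cert() {
    local dir=$1 host=$2 ip=${3:-} san
    san="DNS:${host}"
    if [ -n "$ip" ]; then san="${san},IP:${ip}"; fi
    mkdir -p "$dir" || return 1
    (
        umask 077    # the private key is created readable by its owner only
        openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
            -subj "/CN=${host}" -addext "subjectAltName=${san}" \
            -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/domain.crt"
}

# cert_names_host CRT HOST
# True only if HOST is listed as a DNS subjectAltName; a Common Name match
# alone does not count.
cert_names_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# cert_valid_for CRT SECONDS
# True if CRT will still be valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_matches_cert CRT KEY
# True if KEY is the private key belonging to CRT (public keys are compared).
key_matches_cert() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Typical use on the registry host:
#   make_registry_cert /certs myregistry 10.0.2.4 &&
#   cert_names_host /certs/domain.crt myregistry &&
#   key_matches_cert /certs/domain.crt /certs/domain.key
```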

Configuring the Client

Remove the registry container:

root@debian9:~# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
c4c7cad999cd        registry:2.0        "registry cmd/regi..."   4 hours ago         Exited (2) 4 hours ago                         registry
ea239635e141        testcache           "more /tmp/moment"       4 hours ago         Exited (0) 4 hours ago                         test1
21b0490a93dd        i2tch/mydocker      "/entrypoint.sh my..."   4 hours ago         Exited (137) 4 hours ago                       myDocker
b9773e4aa06d        i2tch/mongodb2      "docker-entrypoint..."   5 hours ago         Exited (0) 4 hours ago                         mongo2
bdb4bc0f81de        i2tch/mongodb1      "docker-entrypoint..."   16 hours ago        Created                    27017/tcp           mongo1
f5b45072b831        i2tch/mongodb       "bash"                   16 hours ago        Exited (137) 4 hours ago                       mongo
9731a48f126a        nginx               "nginx -g 'daemon ..."   16 hours ago        Exited (0) 4 hours ago                         cocky_gates
eacd70596e23        nginx               "nginx -g 'daemon ..."   17 hours ago        Exited (0) 17 hours ago                        adoring_yonath
cffb4456e9c4        ubuntu              "/bin/bash"              17 hours ago        Exited (0) 17 hours ago                        i2tch
root@debian9:~# docker rm registry
registry
root@debian9:~# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
ea239635e141        testcache           "more /tmp/moment"       4 hours ago         Exited (0) 4 hours ago                         test1
21b0490a93dd        i2tch/mydocker      "/entrypoint.sh my..."   4 hours ago         Exited (137) 4 hours ago                       myDocker
b9773e4aa06d        i2tch/mongodb2      "docker-entrypoint..."   5 hours ago         Exited (0) 4 hours ago                         mongo2
bdb4bc0f81de        i2tch/mongodb1      "docker-entrypoint..."   16 hours ago        Created                    27017/tcp           mongo1
f5b45072b831        i2tch/mongodb       "bash"                   16 hours ago        Exited (137) 4 hours ago                       mongo
9731a48f126a        nginx               "nginx -g 'daemon ..."   16 hours ago        Exited (0) 4 hours ago                         cocky_gates
eacd70596e23        nginx               "nginx -g 'daemon ..."   17 hours ago        Exited (0) 17 hours ago                        adoring_yonath
cffb4456e9c4        ubuntu              "/bin/bash"              17 hours ago        Exited (0) 17 hours ago                        i2tch

as well as the registry image:

root@debian9:~# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
testcache               latest              c3b03bddaaad        4 hours ago         120MB
<none>                  <none>              1df8c3603628        4 hours ago         120MB
i2tch/mydocker          latest              c37edbd43993        5 hours ago         193MB
localhost:88/mydocker   latest              c37edbd43993        5 hours ago         193MB
<none>                  <none>              d6b51963df8d        5 hours ago         193MB
i2tch/mongodb2          latest              65e81f78c0f5        16 hours ago        240MB
i2tch/mongodb1          latest              2de862819e94        16 hours ago        240MB
i2tch/mongodb           latest              01c4aa152be2        16 hours ago        1.04GB
ubuntu                  latest              ccc7a11d65b1        3 weeks ago         120MB
centos                  latest              328edcd84f1b        4 weeks ago         193MB
nginx                   latest              b8efb18f159b        6 weeks ago         107MB
debian                  wheezy-slim         884ca0b949e5        6 weeks ago         46.9MB
hello-world             latest              1815c82652c0        2 months ago        1.84kB
registry                2.0                 3bccd459597f        2 years ago         549MB

root@debian9:~# docker rmi registry:2.0
Untagged: registry:2.0
Untagged: registry@sha256:3cac1869696e4ff3435bbc30391749ac373f7471736dbb48dfa9bfde08c4efd2

root@debian9:~# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
testcache               latest              c3b03bddaaad        4 hours ago         120MB
<none>                  <none>              1df8c3603628        4 hours ago         120MB
i2tch/mydocker          latest              c37edbd43993        5 hours ago         193MB
localhost:88/mydocker   latest              c37edbd43993        5 hours ago         193MB
<none>                  <none>              d6b51963df8d        5 hours ago         193MB
i2tch/mongodb2          latest              65e81f78c0f5        16 hours ago        240MB
i2tch/mongodb1          latest              2de862819e94        16 hours ago        240MB
i2tch/mongodb           latest              01c4aa152be2        16 hours ago        1.04GB
ubuntu                  latest              ccc7a11d65b1        3 weeks ago         120MB
centos                  latest              328edcd84f1b        4 weeks ago         193MB
nginx                   latest              b8efb18f159b        6 weeks ago         107MB
debian                  wheezy-slim         884ca0b949e5        6 weeks ago         46.9MB
hello-world             latest              1815c82652c0        2 months ago        1.84kB

Retag the image i2tch/mydocker so that it points to the registry server:

root@debian9:~# docker tag i2tch/mydocker myregistry:5000/mydocker
root@debian9:~# docker images
REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
testcache                  latest              c3b03bddaaad        4 hours ago         120MB
<none>                     <none>              1df8c3603628        4 hours ago         120MB
i2tch/mydocker             latest              c37edbd43993        5 hours ago         193MB
localhost:88/mydocker      latest              c37edbd43993        5 hours ago         193MB
myregistry:5000/mydocker   latest              c37edbd43993        5 hours ago         193MB
<none>                     <none>              d6b51963df8d        5 hours ago         193MB
i2tch/mongodb2             latest              65e81f78c0f5        16 hours ago        240MB
i2tch/mongodb1             latest              2de862819e94        16 hours ago        240MB
i2tch/mongodb              latest              01c4aa152be2        16 hours ago        1.04GB
ubuntu                     latest              ccc7a11d65b1        3 weeks ago         120MB
centos                     latest              328edcd84f1b        4 weeks ago         193MB
nginx                      latest              b8efb18f159b        6 weeks ago         107MB
debian                     wheezy-slim         884ca0b949e5        6 weeks ago         46.9MB
hello-world                latest              1815c82652c0        2 months ago        1.84kB

Edit the file /etc/hosts so that the name myregistry points to 10.0.2.4:

root@debian9:~# vi /etc/hosts
root@debian9:~# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	debian9.i2tch.loc   	debian9
10.0.2.4	myregistry.i2tch.loc    myregistry
10.0.2.15   debian9.i2tch.loc       debian9

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

From the registry virtual machine, send a copy of the file /certs/domain.crt to the /tmp directory of the Debian_9 virtual machine, renaming it ca.crt:

root@registry:~# scp /certs/domain.crt trainee@10.0.2.15:/tmp/ca.crt
The authenticity of host '10.0.2.15 (10.0.2.15)' can't be established.
ECDSA key fingerprint is 79:00:60:0e:2b:71:5e:cb:1a:08:45:e8:ab:45:b8:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.15' (ECDSA) to the list of known hosts.
trainee@10.0.2.15's password: 
domain.crt                                                                                                                            100% 2017     2.0KB/s   00:00  

In the Debian_9 virtual machine, move the file /tmp/ca.crt to the directory /etc/docker/certs.d/myregistry:5000/:

root@debian9:~# mkdir -p /etc/docker/certs.d/myregistry:5000
root@debian9:~# mv /tmp/ca.crt /etc/docker/certs.d/myregistry:5000/

Test the registry's response:

root@debian9:~# curl http://myregistry:5000/v2/


Finally, push the image to the registry:

root@debian9:~# docker push myregistry:5000/mydocker
The push refers to a repository [myregistry:5000/mydocker]
873a8ac77d4d: Pushed 
b362758f4793: Pushed 
latest: digest: sha256:30866da81d92d2a1015b869c596ddd6e188f33894c41d8effa2161e5c2862b1f size: 5531
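
In the client configuration above, the certificate that Docker will trust for myregistry:5000 passes through /tmp, a directory any local user can write to. The following is an added example, not part of the original lab: it checks the received file against a SHA-256 value taken on the registry host with sha256sum /certs/domain.crt before installing it as ca.crt. The function name install_registry_ca and the overridable DOCKER_CERTS_DIR variable are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab; names are illustrative.
# DOCKER_CERTS_DIR can be overridden for a dry run outside /etc.
DOCKER_CERTS_DIR=${DOCKER_CERTS_DIR:-/etc/docker/certs.d}

# install_registry_ca SRC REGISTRY EXPECTED_SHA256
#   SRC              certificate as received (for example /tmp/ca.crt)
#   REGISTRY         host:port exactly as used in image names (myregistry:5000)
#   EXPECTED_SHA256  hash of /certs/domain.crt computed on the registry host
#                    and obtained over a channel you trust
# Returns 0 installed, 2 bad arguments, 3 not exactly one PEM certificate,
#         4 checksum mismatch, 5 copy or install failure.
install_registry_ca() {
    local src=$1 registry=$2 expected=$3 work rc=0
    # Regular file only: refuse a symlink planted in a shared directory.
    [ -f "$src" ] && [ ! -L "$src" ] || return 2
    # The registry name becomes a directory name: no slashes, no leading dot.
    case $registry in ""|.*|*[!A-Za-z0-9.:-]*) return 2 ;; esac

    work=$(mktemp) || return 5
    # Check and install the same private copy, so the file cannot be swapped
    # between verification and installation.
    cp -- "$src" "$work" || rc=5

    # Every extra PEM block in ca.crt would be an extra trust anchor.
    if [ "$rc" = 0 ] &&
       [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$work")" != 1 ]; then
        rc=3
    fi
    if [ "$rc" = 0 ] &&
       [ "$(sha256sum "$work" | cut -d' ' -f1)" != \
         "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        rc=4
    fi
    if [ "$rc" = 0 ]; then
        mkdir -p "$DOCKER_CERTS_DIR/$registry" &&
            install -m 0644 "$work" "$DOCKER_CERTS_DIR/$registry/ca.crt" || rc=5
    fi
    rm -f "$work"
    return "$rc"
}

# Typical use on the client, with the hash read from the registry host:
#   install_registry_ca /tmp/ca.crt myregistry:5000 <sha256 from registry host>
```

Because the registry container now serves TLS on port 5000, the registry API can then be queried with certificate verification using curl --cacert /etc/docker/certs.d/myregistry:5000/ca.crt https://myregistry:5000/v2/.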

Copyright © 2020 Hugh NORRIS