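Docker Private Registry Installation and Configuration (Registry v2)

Set up a private Docker registry using Docker Compose + Docker Machine.

GitHub: https://github.com/khs1994-docker/registry

Official GitHub: https://github.com/docker/distribution/releases

One approach is to use Docker Compose.

The other is to build your own image from the registry image after adding the configuration files. See GitHub for details.

Preparation

Obtain an SSL certificate and place it in the ssl folder; this is not covered in detail here.

Edit config.yml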

version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://docker.domain.com
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  tls:
    certificate: /etc/docker/registry/ssl/docker.domain.com.crt
    key: /etc/docker/registry/ssl/docker.domain.com.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

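Add login users

Replace username and password in the command below with your own user name and password. You can also add multiple users; for more information, search for htpasswd.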

# Some nginx builds may be unable to verify these hashes; in that case replace the last line with:
#     -mbn username password > auth/nginx.htpasswd
$ docker run --rm \
    --entrypoint htpasswd \
    registry \
    -Bbn username password > auth/nginx.htpasswd
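
The hash format decides who can read the file: the registry's own htpasswd auth (the auth.htpasswd block in config.yml) accepts only bcrypt entries and ignores the rest, while -m writes apr1 MD5 hashes. The following check is an added example, not part of the original article; the function name htpasswd_audit and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: report the hash scheme of every htpasswd entry and fail
# if any entry is not bcrypt. Sample entries below are constructed.

# Print "user scheme" per entry; return 1 if a non-bcrypt entry exists.
htpasswd_audit() {
    file=$1
    status=0
    # "|| [ -n "$user" ]" keeps a final line that lacks a trailing newline
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        # Skip blank lines and comment lines
        case $user in ''|'#'*) continue ;; esac
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt ;;
            '$apr1$'*)               scheme=apr1-md5 ;;
            '{SHA}'*)                scheme=sha1 ;;
            '$1$'*|'$5$'*|'$6$'*)    scheme=crypt ;;
            '')                      scheme=empty ;;
            *)                       scheme=unknown ;;
        esac
        [ "$scheme" = bcrypt ] || status=1
        printf '%s %s\n' "$user" "$scheme"
    done < "$file"
    return $status
}

# Constructed sample file: one bcrypt entry (-B) and one apr1 entry (-m).
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$2y$05$CONSTRUCTED.bcrypt.placeholder.not.a.real.hash
bob:$apr1$CONSTRUCT$md5.placeholder.not.a.real.hash
EOF
htpasswd_audit "$sample" ||
    echo "non-bcrypt entries found: the registry's htpasswd auth ignores them" >&2
rm -f "$sample"
```

Run it against auth/nginx.htpasswd before starting the registry; a non-zero exit means at least one user would be unable to log in when the registry itself performs authentication.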

Edit docker-compose.yml

version: '3'

services:
  registry:
    image: registry
#    restart: always
    ports:
      - "443:443"
      # - "5000:443"
    volumes:
      - ./:/etc/docker/registry
      - registry-data:/var/lib/registry
    # depends_on:
    #   - nginx

volumes:
  registry-data:

Start

Swarm mode

Because Docker Machine does not include Compose, Swarm mode is used here.

$ docker-machine create \
      --driver virtualbox \
      --engine-opt dns=114.114.114.114 \
      --engine-registry-mirror https://registry.docker-cn.com \
      --virtualbox-memory 2048 \
      --virtualbox-cpu-count 2 \
      registry

$ docker-machine ip registry

$ docker-machine ssh registry

$ docker swarm init --advertise-addr=192.168.99.100

$ git clone --depth=1 https://github.com/khs1994-docker/registry.git

$ cd registry

# After modifying the configuration

$ docker stack deploy -c docker-compose.yml registry

Build a custom image and run it

Prepare the required files, build the image, and run the container.

$ docker build -t username/registry .

$ docker run -dit \
    --mount src=registry-data,target=/var/lib/registry \
    -p 443:443 \
    username/registry

Docker Compose

$ docker-compose up -d

Nginx proxy configuration

https://docs.docker.com/registry/recipes/nginx/

If you use an external Nginx, set the port mapping in docker-compose.yml to 5000:443.

upstream docker-registry {
    # Change the IP
    server 127.0.0.1:5000;
}

## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}

server {
    listen 443 ssl;
    # Change the domain name
    server_name docker.domain.com;

    # SSL
    # Change the SSL paths
    ssl_certificate conf.d/ssl/docker.domain.com.crt;
    ssl_certificate_key conf.d/ssl/docker.domain.com.key;

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLSv1.1 is deprecated (RFC 8996), so only TLSv1.2 is enabled here
    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
    chunked_transfer_encoding on;

    location /v2/ {
      # Do not allow connections from docker 1.5 and earlier
      # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
      if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
        return 404;
      }

      # To add basic authentication to v2 use auth_basic setting.
      # nginx may not support bcrypt.
      auth_basic "Registry realm";
      auth_basic_user_file conf.d/auth/nginx.htpasswd;

      ## If $docker_distribution_api_version is empty, the header will not be added.
      ## See the map directive above where this variable is defined.
      add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

      proxy_pass                          http://docker-registry;
      proxy_set_header  Host              $http_host;   # required for docker client's sake
      proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
      proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_read_timeout                  900;
    }
}

Test the private registry

Edit /etc/hosts, replacing the address with the corresponding IP

127.0.0.1 docker.domain.com

View in a browser

https://docker.domain.com/v2/_catalog

Log in from the command line

$ docker login docker.domain.com
# Then enter the user name and password

Command-line operations

$ docker pull nginx:alpine
$ docker tag nginx:alpine docker.domain.com/nginx:alpine
$ docker push docker.domain.com/nginx:alpine
$ docker rmi docker.domain.com/nginx:alpine
$ docker pull docker.domain.com/nginx:alpine

Command reference

$ docker exec {docker-registry id} registry [command]

Garbage collection

https://docs.docker.com/registry/garbage-collection/

$ docker exec -it {docker-registry id} \
    bin/registry garbage-collect [--dry-run] /etc/docker/registry/config.yml
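
garbage-collect only removes blobs that no manifest references any more, so an image has to be deleted through the API (by digest, not by tag) before its space can be reclaimed. The following sketch of that step is an added example, not part of the original article; REGISTRY and the function names are assumptions, the sample headers are constructed, and single-platform schema 2 images are assumed.

```sh
#!/bin/sh
# Added example, not from the original article. REGISTRY, the function names
# and the sample headers are assumptions made for illustration.
REGISTRY=${REGISTRY:-https://docker.domain.com}
ACCEPT='Accept: application/vnd.docker.distribution.manifest.v2+json'

# Read HTTP response headers on stdin and print the Docker-Content-Digest
# value. Header names are matched case-insensitively because HTTP/2
# (enabled in config.yml above) sends them in lower case.
digest_from_headers() {
    tr -d '\r' | awk 'tolower($0) ~ /^docker-content-digest:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Resolve REPO:TAG to its manifest digest. curl prompts for the password,
# so it never appears in the process list or shell history.
tag_digest() {   # usage: tag_digest USER REPO TAG
    curl -fsS -I -u "$1" -H "$ACCEPT" \
        "$REGISTRY/v2/$2/manifests/$3" | digest_from_headers
}

# Delete a manifest by digest (requires storage.delete.enabled: true).
# The registry answers 202 Accepted; the blobs stay on disk until
# garbage-collect runs.
delete_tag() {   # usage: delete_tag USER REPO TAG
    digest=$(tag_digest "$1" "$2" "$3")
    case $digest in
        sha256:*) ;;
        *) echo "no digest returned for $2:$3" >&2; return 1 ;;
    esac
    curl -fsS -u "$1" -X DELETE "$REGISTRY/v2/$2/manifests/$digest"
}

# Constructed sample response headers, parsed offline.
printf 'HTTP/2 200\r\ndocker-content-digest: sha256:%064d\r\n\r\n' 0 |
    digest_from_headers
```

After delete_tag succeeds, run the garbage-collect command above with --dry-run first and review the list of blobs it would remove.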

Search

API reference: https://docs.docker.com/registry/spec/api/

Check the version

$ docker exec {docker-registry id} registry --version

registry github.com/docker/distribution v2.6.0

Help

$ docker exec {docker-registry id} registry help
 
