@Tmacy 2020-06-04T06:06:50.000000Z 字数 3067 阅读 854

Docker Registry

docker

build

https://github.com/docker/distribution/blob/master/BUILDING.md

Config

https://docs.docker.com/registry/configuration

Deploy a registry server

https://docs.docker.com/registry/deploying/#copy-an-image-from-docker-hub-to-your-registry

Test an insecure registry

https://docs.docker.com/registry/insecure/

启动registry

将下面配置文件放在一个目录下:docker -t registry build .即可生成容器仓库镜像。

Dockerfile

FROM deepin/minibase:v0.1
COPY /config-dev.yml /etc/docker/registry/config.yml
COPY /bin/registry /bin/registry
VOLUME ["/var/lib/registry"]
EXPOSE 5000
ENTRYPOINT ["registry"]
CMD ["serve", "/etc/docker/registry/config.yml"]

config-dev.yml

version: 0.1
log:
  level: info
  fields:
    service: registry
    environment: development
storage:
    delete:
      enabled: true
    cache:
        blobdescriptor: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
    maintenance:
        uploadpurging:
            enabled: false
http:
    addr: :5000
    debug:
        addr: :5001
        prometheus:
            enabled: true
            path: /metrics
    headers:
        X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

启动容器仓库

启动仓库前，先创建容器仓库目录/opt/docker_registry，启动容器时会映射此目录到仓库主目录里

docker run --name registry -d \
       -v /opt/docker_registry:/var/lib/registry  \
       -p 5000:5000 \
       deepin/registry:v0.1

推送镜像

创建localhost本地的image

docker tag deepin/minibase:v0.1 localhost:5000/minibase:v0.1

推送到本地仓库

docker push localhost:5000/minibase:v0.1

如果不推送localhost，使用ip地址取代，需要配置https服务。

测试

curl localhost:5000/v2/_catalog

如果返回刚才上传的镜像名称，表示已经可以用。

{"repositories":["minibase"]}

配置https

生成自认证

mkdir -p certs && openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/test.key -x509 -days 365 -out certs/test.crt

配置仓库域名（可选）

cat /etc/hosts
127.0.0.1   localhost
127.0.1.1   sw6a
10.2.3.118  dockerhub.deepin.io

使用nginx配置https代理服务

安装

aptitude install nginx

配置

cat /etc/nginx/sites-available/default

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dockerhub.deepin.io;
    ssl_certificate /etc/ssl/certs/test.pem;
    ssl_certificate_key /etc/ssl/certs/test.key;
    ssl_session_timeout 10m;    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256::ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    location / {
            proxy_pass http://127.0.0.1:5000;
            proxy_read_timeout      900;
            proxy_connect_timeout   300;
            proxy_redirect          off;
            proxy_set_header    Host                $http_host;
     		proxy_set_header    X-Real-IP           $remote_addr;
            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

启动容器仓库配置证书

docker run --name registry -d \
    -v /etc/ssl/certs:/certs \
    -v /opt/docker_registry:/var/lib/registry  \
    -e "REGISTRY_HTTP_TLS_KEY=/certs/test.pem" \
    -e "REGISTRY_HTTP_TLS_KEY=/certs/test.key" \
    -p 5000:5000 \
    deepin/registry:v0.1

测试链接

systemctl start nginx
curl -k https://dockerhub.deepin.io/v2/_catalog

如果正常返回json数据，表示正常。

客户端配置

docker的仓库需要登录，可以配置客户端上传下载
拷贝test.crt到/etc/docker/certs.d/dockerhub.deepin.io/test.crt中，如果没有此路径需要手动创建。

docker login dockerhub.deepin.io后输入用户名密码，返回下面输出表示登录成功

Login Succeeded

上传image：

需要先命名一个镜像为仓库地址的镜像，例如下面：

docker tag deepin/minibase:v0.1 dockhub.deepin.io/minibase:v0.1

之后利用push来上传

docker push dockhub.deepin.io/minibase:v0.1

上传完成后输入下面命令

curl -k https://dockerhub.deepin.io/v2/_catalog

得到：

{"repositories":["minibase"]}

问题

一般是认证问题，需要检查dockerd进程是否增加--insecure-registry 选项
配置其为你的域名或者IP地址

nginx 配置

默认配置上传有限制，会出现上传失败的情况。
增加http中的配置

http{
client_max_body_size 2G;
}