私有registry及证书配置
以静态pod运行资源清单
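---
# Static Pod running a TLS + htpasswd protected Docker registry on node01.
# Credentials (/opt/auth) and the TLS key (/opt/certs) come from the node's
# disk and are mounted read-only; only the image store is writable.
apiVersion: v1
kind: Pod
metadata:
  labels:
    component: registry
  name: registry
  namespace: default
spec:
  # Pinned to one node: every volume below is a hostPath, so the registry's
  # data, htpasswd file and certificates live on node01's filesystem.
  nodeName: node01
  containers:
    - env:
        - name: REGISTRY_AUTH
          value: htpasswd
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: Registry Realm
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          # Absolute path inside the /auth mount. The previous relative value
          # `auth/htpasswd` depended on the container's working directory;
          # this matches the `docker run` form used elsewhere in this document.
          value: /auth/htpasswd
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:443"
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /certs/fullchain.cer
        - name: REGISTRY_HTTP_TLS_KEY
          value: /certs/registry.huoyancredit.com.key
      name: registry
      # No tag means `latest`; consider pinning a tag or digest for
      # reproducible upgrades.
      image: registry
      imagePullPolicy: IfNotPresent
      ports:
        - containerPort: 443
          # Exposed directly on the node's port 443.
          hostPort: 443
      volumeMounts:
        - name: self-registry-mirrors
          mountPath: /var/lib/registry
          readOnly: false
        # htpasswd file and TLS material never need to be written by the
        # registry process, so both mounts are read-only.
        - name: auth
          mountPath: /auth
          readOnly: true
        - name: certs
          mountPath: /certs
          readOnly: true
  hostNetwork: false
  volumes:
    - name: self-registry-mirrors
      hostPath:
        path: /data
        type: DirectoryOrCreate
    - name: auth
      hostPath:
        path: /opt/auth
        # `Directory` (not DirectoryOrCreate): fail the pod if the auth dir
        # is missing rather than start with an empty, unusable auth mount.
        type: Directory
    - name: certs
      hostPath:
        path: /opt/certs
        type: Directory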
以docker container运行
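# Variant 1: htpasswd-protected registry on :443 (registry.huoyancredit.com).
# The auth and cert mounts are read-only (:ro), matching the readOnly: true
# mounts of the static Pod manifest above; the registry only reads them.
docker run -d --restart=always \
  -v /opt/auth/:/auth:ro \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /opt/certs/:/certs:ro \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.huoyancredit.com.key \
  -p 443:443 registry

# Variant 2: mirrors.huoyancredit.com, certificate taken from acme.sh output.
# No REGISTRY_AUTH_* variables are set here, so this registry accepts
# unauthenticated push and pull from anyone who can reach :443 -- copy the
# htpasswd variables from variant 1 unless anonymous access is intended.
# The acme.sh directory contains the private key, so it is mounted read-only.
docker run -d --restart=always \
  -v /registry:/var/lib/registry \
  -v /root/.acme.sh/mirrors.huoyancredit.com:/certs:ro \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
  -e REGISTRY_HTTP_TLS_KEY=/certs/mirrors.huoyancredit.com.key \
  -p 443:443 registry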
私有仓库web
# Web UI (hyper/docker-registry-web) for the mirrors registry, served on :8080.
# REGISTRY_URL must point at the registry's /v2 endpoint; REGISTRY_NAME is the
# display name used by the UI.
docker run -itd \
  -p 8080:8080 \
  --name registry-web \
  -e REGISTRY_URL=https://mirrors.huoyancredit.com/v2 \
  -e REGISTRY_NAME=local \
  hyper/docker-registry-web
文档:
https://blog.csdn.net/snipercai/article/details/78589368
https://github.com/mkuchin/docker-registry-web

Do not use "registry" as the registry container name; it will break the REGISTRY_NAME environment variable.

docker run -d -p 5000:5000 --name registry-srv registry:2
docker run -it -p 8080:8080 --name registry-web --link registry-srv -e REGISTRY_URL=http://registry-srv:5000/v2 -e REGISTRY_NAME=localhost:5000 hyper/docker-registry-web

Connecting to a docker registry with basic authentication and a self-signed certificate:

docker run -it -p 8080:8080 --name registry-web --link registry-srv \
  -e REGISTRY_URL=https://registry-srv:5000/v2 \
  -e REGISTRY_TRUST_ANY_SSL=true \
  -e REGISTRY_BASIC_AUTH="YWRtaW46Y2hhbmdlbWU=" \
  -e REGISTRY_NAME=localhost:5000 hyper/docker-registry-web

No authentication, with config file

Create configuration file config.yml. Any property in this config may be overridden with an environment variable; for example, the property registry.auth.enabled will become REGISTRY_AUTH_ENABLED.

registry:
  # Docker registry url
  url: http://registry-srv:5000/v2
  # Docker registry fqdn
  name: localhost:5000
  # To allow image delete, should be false
  readonly: false
  auth:
    # Disable authentication
    enabled: false

Run with docker:

docker run -p 5000:5000 --name registry-srv -d registry:2
docker run -it -p 8080:8080 --name registry-web --link registry-srv -v $(pwd)/config.yml:/conf/config.yml:ro hyper/docker-registry-web

With authentication enabled

Generate private key and certificate:

mkdir conf
openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=localhost" \
  -nodes -x509 -keyout conf/auth.key -out conf/auth.cert

Create registry config conf/registry-srv.yml:

version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000
auth:
  token:
    # external url to docker-web authentication endpoint
    realm: http://localhost:8080/api/auth
    # should be same as registry.name of registry-web
    service: localhost:5000
    # should be same as registry.auth.issuer of registry-web
    issuer: 'my issuer'
    # path to auth certificate
    rootcertbundle: /etc/docker/registry/auth.cert

Start docker registry:

docker run -v $(pwd)/conf/registry-srv.yml:/etc/docker/registry/config.yml:ro \
  -v $(pwd)/conf/auth.cert:/etc/docker/registry/auth.cert:ro -p 5000:5000 --name registry-srv -d registry:2

Create configuration file conf/registry-web.yml:

registry:
  # Docker registry url
  url: http://registry-srv:5000/v2
  # Docker registry fqdn
  name: localhost:5000
  # To allow image delete, should be false
  readonly: false
  auth:
    # Enable authentication
    enabled: true
    # Token issuer
    # should equal auth.token.issuer of docker registry
    issuer: 'my issuer'
    # Private key for token signing
    # the certificate used in auth.token.rootcertbundle should be signed by this key
    key: /conf/auth.key

Start registry-web:

docker run -v $(pwd)/conf/registry-web.yml:/conf/config.yml:ro \
  -v $(pwd)/conf/auth.key:/conf/auth.key -v $(pwd)/db:/data \
  -it -p 8080:8080 --link registry-srv --name registry-web hyper/docker-registry-web

The Web UI will be available on http://localhost:8080 with the default admin user/password admin/admin.

Deleting images from the repository only deletes the metadata. 添加delete并restart container:

cat /etc/docker/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3