[docker] Setting up a private registry
Importing and exporting images by hand is tedious, and sharing images eats up a large part of the working day.
So I set up a local registry, in two variants: one without username/password authentication and one with it.
References:
https://docs.docker.com/registry/#requirements
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
https://docs.docker.com/registry/deploying/#restricting-access
I need a registry and I don't need authentication
node1 (192.168.14.132): runs the registry
docker run -d -p 5000:5000 -v /data/docker/registy:/var/lib/registry registry:2
node2 (192.168.14.133): the client that pushes images to the registry
The registry above speaks plain HTTP, so the client daemon has to be told to allow that for this one address. Be aware of what that means: insecure-registries turns off both TLS and certificate checking for the listed host, so anyone on the network path can read or alter what is pushed and pulled. That is acceptable on a trusted LAN and nowhere else.
$ cat /etc/docker/daemon.json
{
  "insecure-registries" : ["192.168.14.132:5000"]
}
$ systemctl restart docker
$ docker info
...
Experimental: false
Insecure Registries:
192.168.14.132:5000   # our entry shows up here
127.0.0.0/8
...
docker tag centos 192.168.14.132:5000/maotai/centos
docker push 192.168.14.132:5000/maotai/centos
[root@node1 repositories]# tree -L 1 ./maotai   # on node1 this is /data/docker/registy/docker/registry/v2/repositories, i.e. inside the mounted volume
./maotai   # one directory per namespace, i.e. per person
├── busybox
└── centos
Choose tags deliberately: put the owner's name in the first path segment of the tag, so everyone's images land in their own namespace and are easy to tell apart.
Viewing
List the repositories in the registry:
GET /v2/_catalog
List the tags of one image (the first path segment is the namespace used in the tag):
GET /v2/huayong/busybox/tags/list
I need a registry with username/password authentication
This takes a little more work: Docker will not send Basic-auth credentials over plain HTTP, so the registry has to serve HTTPS.
mkdir -p /data/registry/{certs,auth}
cd /data/registry/certs
## Self-signed server certificate. Current Go-based clients, the docker daemon included, ignore the CN
## and match the host name against the subjectAltName, so the SAN must be the name you will push to
## (-addext needs OpenSSL 1.1.1 or newer).
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout domain.key -out domain.crt \
  -subj "/CN=reg.maotai.com" -addext "subjectAltName=DNS:reg.maotai.com"
cd /data/registry
## Create user testuser with password testpassword. -B produces a bcrypt hash, the only password
## format the registry accepts. registry:2 images from 2.7 on no longer ship htpasswd, so take it
## from the httpd image instead (older registry:2 tags work with --entrypoint htpasswd registry:2).
docker run --rm \
  --entrypoint htpasswd \
  httpd:2 -Bbn testuser testpassword > auth/htpasswd
## Both bind mounts are relative to /data/registry: ./auth/htpasswd and ./certs/domain.{crt,key}
## must exist at the paths the REGISTRY_* variables point to inside the container.
docker run -d \
  -p 5000:5000 \
  --restart=always \
  -v /data/docker/registy:/var/lib/registry \
  -v /etc/localtime:/etc/localtime:ro \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
The client needs configuring as well. The quick way is the same daemon.json entry as before, listing reg.maotai.com:5000 under insecure-registries, which makes the daemon accept the self-signed certificate without checking it. The better way is to keep verification and install the certificate on the client as /etc/docker/certs.d/reg.maotai.com:5000/ca.crt (a copy of domain.crt); no daemon.json change is needed then. Either way reg.maotai.com has to resolve to 192.168.14.132 (for example via /etc/hosts), and the client must docker login reg.maotai.com:5000 before it can push or pull.
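The two API calls from the Viewing section and the credential exchange that the htpasswd setup produces, shown end to end in a small Python client. This is an added example, not code from the original post or from the registry project. It talks to the registry through urllib with HTTP Basic auth and, for the self-signed setup, verifies TLS against domain.crt instead of disabling verification. Because the example has to run offline, a FakeRegistry class stands in for registry:2; it is an assumption made for the demo, answers only /v2/_catalog and /v2/<name>/tags/list, and compares credentials to a constant where the real registry checks the bcrypt hashes in the htpasswd file. The repository list is constructed; testuser/testpassword and the maotai/* names come from the post. Pointing inventory() at the real registry (https://reg.maotai.com:5000, auth=("testuser", "testpassword"), cafile="/data/registry/certs/domain.crt") needs no other change.

```python
"""Docker Registry v2 client for the post's two manual steps: listing
repositories and tags, and the htpasswd Basic-auth exchange (401 challenge,
retry with an Authorization header).  Added example, not code from the post
or the registry project.  FakeRegistry is an assumed offline stand-in, not
the real registry; testuser/testpassword and maotai/* are the post's names."""
import base64
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Registry Realm"  # REGISTRY_AUTH_HTPASSWD_REALM in the post
FAKE_CREDS = ("testuser", "testpassword")
FAKE_REPOS = {"maotai/busybox": ["latest"], "maotai/centos": ["7", "latest"]}  # constructed


def basic_header(user, password):
    """Authorization value a client sends after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(value):
    """base64 is encoding, not encryption: on plain HTTP anyone on the path gets
    the password back like this, which is why the registry insists on TLS."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class FakeRegistry(BaseHTTPRequestHandler):
    """Fakes /v2/_catalog and /v2/<name>/tags/list behind Basic auth, as
    REGISTRY_AUTH=htpasswd does.  Credentials are compared to a constant here;
    the real registry checks the bcrypt hashes in the htpasswd file."""

    def log_message(self, *args):
        pass

    def _json(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        auth = self.headers.get("Authorization")
        name = self.path[4:-10] if self.path.endswith("/tags/list") else None
        if auth is None or decode_basic_header(auth) != FAKE_CREDS:
            self.send_response(401)  # what docker/curl get without credentials
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/v2/_catalog":
            self._json(200, {"repositories": sorted(FAKE_REPOS)})
        elif name in FAKE_REPOS:
            self._json(200, {"name": name, "tags": FAKE_REPOS[name]})
        else:
            self._json(404, {"errors": [{"code": "NAME_UNKNOWN"}]})


def registry_get(base_url, path, auth=None, cafile=None):
    """GET one API path.  For the self-signed setup pass domain.crt as cafile so
    TLS is verified against it instead of being switched off."""
    req = urllib.request.Request(base_url + path)
    if auth:
        req.add_header("Authorization", basic_header(*auth))
    ctx = ssl.create_default_context(cafile=cafile) if base_url.startswith("https") else None
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def probe_challenge(base_url, auth=None, cafile=None):
    """WWW-Authenticate value for missing or wrong credentials; None if accepted."""
    try:
        registry_get(base_url, "/v2/_catalog", auth, cafile)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return err.headers.get("WWW-Authenticate")
        raise
    return None


def inventory(base_url, auth=None, cafile=None):
    """{repository: [tags]}: GET /v2/_catalog, then /v2/<name>/tags/list for each."""
    repos = registry_get(base_url, "/v2/_catalog", auth, cafile)["repositories"]
    return {n: registry_get(base_url, f"/v2/{n}/tags/list", auth, cafile)["tags"] for n in repos}


def start_fake_registry():
    """Serve FakeRegistry on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Run the whole exchange against FakeRegistry and return what was observed."""
    srv, url = start_fake_registry()
    try:
        return {"challenge": probe_challenge(url),
                "wrong_password": probe_challenge(url, ("testuser", "wrong")),
                "accepted": probe_challenge(url, FAKE_CREDS),
                "inventory": inventory(url, FAKE_CREDS)}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("plain HTTP would leak:", decode_basic_header(basic_header(*FAKE_CREDS)))
```

decode_basic_header() is the whole reason the second setup is HTTPS-only: the Authorization header the client sends after the 401 is base64, not encryption, so against the plain-HTTP registry from the first section any host on the path could read the password straight back out of the request.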