[docker] Setting up a private registry

Importing and exporting images is a hassle, and sharing images eats up a large share of my working time.

I set up a local registry in two variants: one without username/password authentication and one with it.

References:

https://docs.docker.com/registry/#requirements
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
https://docs.docker.com/registry/deploying/#restricting-access

I need a registry, not authentication

node1 (192.168.14.132) - the Docker registry host

docker run -d -p 5000:5000 -v /data/docker/registy:/var/lib/registry  registry:2

node2 (192.168.14.133) - the client that pushes images to the registry

$ cat /etc/docker/daemon.json 
{
    "insecure-registries" : ["192.168.14.132:5000"]
}

$ systemctl restart docker

$ docker info
...
Experimental: false
Insecure Registries:
 192.168.14.132:5000  # there it is
 127.0.0.0/8
...

docker tag centos 192.168.14.132:5000/maotai/centos
docker push 192.168.14.132:5000/maotai/centos
[root@node1 repositories]# tree -L 1 ./maotai
./maotai # one directory per user name
├── busybox
└── centos

Tagging deserves some care: put the owner's name in the tag so images are easy to tell apart.

Inspecting

List the images in the registry:

GET /v2/_catalog

List an image's tags:

GET /v2/huayong/busybox/tags/list

I need a registry with username/password authentication

This is a bit more involved: Docker refuses to send the username and password in plaintext during authentication, so HTTPS is the only option.

# certs/ and auth/ sit side by side under /data/registry so the bind mounts below resolve
mkdir -p /data/registry/{certs,auth}
cd /data/registry/certs
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout domain.key -out domain.crt -subj "/CN=reg.maotai.com"
cd /data/registry
## create testuser/testpassword
docker run \
  --entrypoint htpasswd \
  registry:2 -Bbn testuser testpassword > auth/htpasswd

cd /data/registry
docker run -d \
  -p 5000:5000 \
  --restart=always \
  -v /data/docker/registy:/var/lib/registry \
  -v /etc/localtime:/etc/localtime \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

The client needs the same daemon.json configuration as before.
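Added example, not from the original post: a client-side script for node2 that trusts the registry's self-signed domain.crt by copying it to /etc/docker/certs.d/<host>/ca.crt, so dockerd actually verifies the TLS connection, rather than listing the TLS registry under insecure-registries (an entry there makes dockerd ignore certificate errors and fall back to plain HTTP, which defeats the point of the htpasswd setup). It also warns when the host is still present in daemon.json's insecure-registries. REGISTRY_HOST, DAEMON_JSON, CERTS_D and the --run flag are assumptions; reg.maotai.com and domain.crt come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): make node2 trust the
# registry certificate and detect the weaker insecure-registries setting.
REGISTRY_HOST="${REGISTRY_HOST:-reg.maotai.com:5000}"   # must match the cert subject
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"

# Path where dockerd looks for a CA certificate for a given registry host.
client_ca_path() {
    echo "$CERTS_D/$1/ca.crt"
}

# Return 0 if daemon.json lists the host under insecure-registries, 1 otherwise.
# Whitespace is stripped first so the check does not depend on formatting.
listed_as_insecure() {
    file="$1"; host="$2"
    [ -f "$file" ] || return 1
    tr -d ' \n' < "$file" | grep -q "\"insecure-registries\":\[[^]]*\"$host\""
}

# Install domain.crt as the trusted CA for the registry and warn if the
# daemon is still configured to skip verification for it.
trust_registry_cert() {
    crt="$1"
    dest=$(client_ca_path "$REGISTRY_HOST")
    mkdir -p "$(dirname "$dest")"
    cp "$crt" "$dest"
    if listed_as_insecure "$DAEMON_JSON" "$REGISTRY_HOST"; then
        echo "warning: $REGISTRY_HOST is in insecure-registries in $DAEMON_JSON;" \
             "remove it so the certificate is verified" >&2
    fi
}

# Usage (as root on node2, after copying domain.crt over from node1):
#   sh client-trust.sh --run /path/to/domain.crt
#   docker login reg.maotai.com:5000
#   docker tag centos reg.maotai.com:5000/maotai/centos
#   docker push reg.maotai.com:5000/maotai/centos
if [ "${1:-}" = "--run" ]; then
    trust_registry_cert "$2"
fi
```

Because the certificate was issued for reg.maotai.com, clients have to address the registry by that name (via DNS or /etc/hosts), not by 192.168.14.132. Docker daemons built with Go 1.15 or later also ignore the Common Name and require a subjectAltName, so a certificate generated exactly as above needs a SAN added (for example OpenSSL's `-addext "subjectAltName=DNS:reg.maotai.com"`) before current versions will accept it.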

posted @ 2017-11-13 17:32  _毛台