* 参考
https://docs.docker.com/registry/deploying/
https://docs.docker.com/engine/security/certificates/
https://www.jianshu.com/p/267350c1ab2f
1. 准备
. dns解析: hub.example.com -> 192.168.10.32
. docker服务安装 [略],详细方法点击 -> docker服务安装方法
2. 证书
. 使用自签名证书即可,SAN (subjectAltName): *.example.com,127.0.0.1,192.168.10.32
. SSL证书生成 [略],详细方法点击 -> SSL证书生成方法
. 建立目录 mkdir -p /data/auth ,将生成的私钥 domain.key 和证书 domain.crt 复制到此目录
3. 认证
建立docker用户,写入 .htpasswd 文件
# docker run --rm --entrypoint htpasswd httpd:2 -Bbn docker docker > /data/auth/.htpasswd
4. 部署
# mkdir -p /data/compose/registry /data/{registry,registry-data,registry-ui}
# cat > /data/compose/registry/docker-compose.yml << EOF
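version: "3"

services:
  # Private registry, TLS + htpasswd auth, reachable on host port 5000.
  registry:
    image: registry:2
    container_name: registry
    restart: always
    ports:
      - "5000:5000"
    volumes:
      # /data/auth holds domain.key, domain.crt and .htpasswd; the registry only reads them.
      - /data/auth/:/certs:ro
      # Image data. storage.filesystem.rootdirectory in registry.yml must be this
      # container path (/var/lib/registry), otherwise pushed layers land on the
      # container's ephemeral layer and are lost on recreate.
      - /data/registry-data:/var/lib/registry
      - /data/registry/registry.yml:/etc/docker/registry/config.yml:ro
    environment:
      # http/auth settings are given here rather than in registry.yml; values that
      # could be re-typed by the YAML parser (booleans, host:port) are quoted.
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Docker Registry Realm"
      REGISTRY_AUTH_HTPASSWD_PATH: /certs/.htpasswd
      REGISTRY_STORAGE_DELETE_ENABLED: "true"

  # Web UI; listens on all interfaces on port 8000 with no auth of its own in this setup.
  registry-ui:
    image: quiq/docker-registry-ui
    container_name: registry-ui
    restart: always
    ports:
      - "8000:8000"
    environment:
      TZ: Asia/Shanghai
    volumes:
      - /data/registry/registry-ui.yml:/opt/config.yml:ro
      # Replaces the container's CA bundle with the self-signed cert so that
      # verify_tls in registry-ui.yml can succeed against the registry.
      - /data/auth/domain.crt:/etc/ssl/certs/ca-certificates.crt:ro
      # - /data/auth/.htpasswd:/run/secrets/htpasswd
      # Event database (event_database_location in registry-ui.yml is relative to /opt).
      - /data/registry-ui:/opt/data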
EOF
# cat > /data/registry/registry.yml << EOF
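version: 0.1
log:
  fields:
    service: registry
# http.addr, http.tls and auth are supplied through REGISTRY_* environment
# variables in docker-compose.yml, so they are not repeated here.
storage:
  delete:
    # Allows DELETE of manifests/blobs (also set via REGISTRY_STORAGE_DELETE_ENABLED).
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    # Must match the container path that docker-compose binds /data/registry-data to.
    # The previous value (/var/lib/registry-data) was not a mounted path, so image
    # data would have been lost whenever the container was recreated.
    rootdirectory: /var/lib/registry
notifications:
  endpoints:
    - name: docker-registry-ui
      # Plain HTTP on the LAN: the bearer token below is sent to the UI in clear text.
      url: http://192.168.10.32:8000/api/events
      headers:
        # Shared secret; must equal event_listener_token in registry-ui.yml.
        # Replace this sample value with a randomly generated one in both files.
        Authorization: ["Bearer abcdefghijklmnopqrstuvwxyz1234567890"]
      timeout: 1s
      threshold: 5
      backoff: 10s
      ignoredmediatypes:
        - application/octet-stream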
EOF
# cat > /data/registry/registry-ui.yml << EOF
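listen_addr: 0.0.0.0:8000
base_path: /
# The registry is addressed by IP, so the self-signed certificate must carry
# 192.168.10.32 in its SAN (see step 2) for verify_tls to succeed.
registry_url: https://192.168.10.32:5000
verify_tls: true
# Credentials the UI presents to the registry. They must be an entry in
# /data/auth/.htpasswd; step 3 creates docker / docker, so admin / admin
# would be rejected by the registry.
registry_username: docker
registry_password: docker
# Shared secret; must equal the Authorization bearer value in registry.yml.
# Replace this sample value with a randomly generated one in both files.
event_listener_token: "abcdefghijklmnopqrstuvwxyz1234567890"
event_retention_days: 7
event_database_driver: sqlite3
# Relative to /opt, which docker-compose binds to /data/registry-ui.
event_database_location: data/registry_events.db
event_deletion_enabled: true
cache_refresh_interval: 10
# With anyone_can_delete and an empty admins list, anyone who can reach port 8000
# may delete tags; nothing in these files places authentication in front of the UI.
anyone_can_delete: true
admins: []
debug: true
purge_tags_keep_days: 90
purge_tags_keep_count: 2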
EOF
# cd /data/compose/registry && docker compose up -d
5. 服务端测试
# curl -sk -u docker:docker https://192.168.10.32/v2/_catalog |python3 -m json.tool
{
"repositories": [
"alpine"
]
}
# curl -sk -u docker:docker https://hub.example.com/v2/_catalog |python3 -m json.tool
{
"repositories": [
"alpine"
]
}
console: http://192.168.10.32:8000
6. 客户端添加根证书
docker服务安装 [略]
# mkdir -p /etc/docker/certs.d/hub.example.com
# echo -n | openssl s_client -showcerts -connect hub.example.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/hub.example.com/ca.crt
7. 客户端测试
# docker login -u docker -p docker hub.example.com
# docker pull hub.example.com/alpine:3.18
# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
hub.example.com/alpine 3.18 7e01a0d0a1dc 2 weeks ago 7.34MB