随笔 - 40  文章 - 0  评论 - 5  阅读 - 12857 

docker registry搭建私有镜像仓库

目录

大神实践

https://www.cnblogs.com/gcgc/p/10489385.html

推送到私有镜像仓示例

1、拉取并运行registry镜像:

拉取:docker pull registry

注:下载到的版本默认为 docker.io/registry:latest

2、运行regsitry镜像:

docker run -d -v /home/docker/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry:latest

注:

-v /home/docker/registry:/var/lib/registry,Registry服务默认会将上传的镜像保存在容器里面的/var/lib/registry目录,将主机的/home/docker/registry目录挂载到该目录,即可实现将镜像保存到主机的/home/docker/registry目录了。

-p 5000:5000,将registry服务默认的5000端口映射到宿主机的5000端口上。

—name,运行起来的容器名称为registry 。

3、拉取一个用于测试的镜像:

docker pull hello-world:latest

4、给测试镜像重新打上tag:

docker tag hello-world:latest 127.0.0.1:5000/hello-world:1.0

注:将hello-world:latest镜像打上127.0.0.1:5000/hello-world:1.0标签,此时查看镜像列表可以看到两个镜像。

docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest feb5d9fea6a5 4 months ago 13.26 kB

127.0.0.1:5000/hello-world 1.0 feb5d9fea6a5 4 months ago 13.26 kB

5、将打上tag的镜像推送到私有仓库:

docker push 127.0.0.1:5000/hello-world1.0

6、查看推送成功的镜像:

此时可以通过调用regsitry的v2接口查看镜像信息:curl http://127.0.0.1:5000/v2/_catalog

{
  "repositories": [
    "hello-world"
  ]
}

常见问题解决

问题1:解决推送过程中出现的getsocket:connection refused.
现象:

docker push 127.0.0.1:5000/registry:1.0
The push refers to repository [7.220.62.96:5000/registry]
Get https://7.220.62.96:5000/v2/: http: server gave HTTP response to HTTPS client
解决:vim /etc/docker/daemon.json
增加:

{
    "insecure-registries": [
        "7.220.62.96:5000"
    ]
}

重启docker服务:systemctl restart docker
再次推送,成功。

问题2:

registry的启动上传任务接口,不支持大写的name,否则会404。

开启外部2375访问

背景:集成了docker-java.jar第三方开源插件,封装docker命名远程执行操作,需要开启2375端口。

1、编辑docker文件:/usr/lib/systemd/system/docker.service

vim /usr/lib/systemd/system/docker.service

2、修改ExecStart行为下面内容:

ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock \

注:原始的内容如下,只需要在前面补充即可。

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash

ExecStart=/usr/bin/dockerd $OPTIONS \
                           $DOCKER_STORAGE_OPTIONS \
                           $DOCKER_NETWORK_OPTIONS \
                           $INSECURE_REGISTRY
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target

3、重新加载docker配置:

systemctl daemon-reload  // 1,加载docker守护线程
systemctl restart docker // 2,重启docker

registry启动用户认证

链接:https://mojo-zd.github.io/2018/04/12/Docker-Registry-V2认证机制,以及如何构建自己的Registy-Auth-Server/

默认情况下docker registry将会从/etc/docker/registry/config.yml读取所有的配置信息。

auth鉴权部分的配置:

auth:
  silly:
    realm: silly-realm
    service: silly-service
  token:
    realm: token-realm
    service: token-service
    issuer: registry-token-issuer
    rootcertbundle: /root/certs/bundle
  htpasswd:
    realm: basic-realm
    path: /path/to/htpasswd

注:registry默认不开启auth配置。用户可以自定义其中一种实现来完成registry的认证配置。

完整的registry配置信息如下:

version: 0.1
log:
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
  hooks:
    - type: mail
      disabled: true
      levels:
        - panic
      options:
        smtp:
          addr: mail.example.com:25
          username: mailuser
          password: password
          insecure: true
        from: sender@example.com
        to:
          - errors@example.com
loglevel: debug # deprecated: use "log"
storage:
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100
  azure:
    accountname: accountname
    accountkey: base64encodedaccountkey
    container: containername
  gcs:
    bucket: bucketname
    keyfile: /path/to/keyfile
    rootdirectory: /gcs/object/name/prefix
    chunksize: 5242880
  s3:
    accesskey: awsaccesskey
    secretkey: awssecretkey
    region: us-west-1
    regionendpoint: http://myobjects.local
    bucket: bucketname
    encrypt: true
    keyid: mykeyid
    secure: true
    v4auth: true
    chunksize: 5242880
    rootdirectory: /s3/object/name/prefix
  swift:
    username: username
    password: password
    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
    tenant: tenantname
    tenantid: tenantid
    domain: domain name for Openstack Identity v3 API
    domainid: domain id for Openstack Identity v3 API
    insecureskipverify: true
    region: fr
    container: containername
    rootdirectory: /swift/object/name/prefix
  oss:
    accesskeyid: accesskeyid
    accesskeysecret: accesskeysecret
    region: OSS region name
    endpoint: optional endpoints
    internal: optional internal endpoint
    bucket: OSS bucket
    encrypt: optional data encryption setting
    secure: optional ssl setting
    chunksize: optional size valye
    rootdirectory: optional root directory
  inmemory:  # This driver takes no parameters
  delete:
    enabled: false
  redirect:
    disable: false
  cache:
    blobdescriptor: redis
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
auth:
  silly:
    realm: silly-realm
    service: silly-service
  token:
    realm: token-realm
    service: token-service
    issuer: registry-token-issuer
    rootcertbundle: /root/certs/bundle
  htpasswd:
    realm: basic-realm
    path: /path/to/htpasswd
middleware:
  registry:
    - name: ARegistryMiddleware
      options:
        foo: bar
  repository:
    - name: ARepositoryMiddleware
      options:
        foo: bar
  storage:
    - name: cloudfront
      options:
        baseurl: https://my.cloudfronted.domain.com/
        privatekey: /path/to/pem
        keypairid: cloudfrontkeypairid
        duration: 3000s
  storage:
    - name: redirect
      options:
        baseurl: https://example.com/
reporting:
  bugsnag:
    apikey: bugsnagapikey
    releasestage: bugsnagreleasestage
    endpoint: bugsnagendpoint
  newrelic:
    licensekey: newreliclicensekey
    name: newrelicname
    verbose: true
http:
  addr: localhost:5000
  prefix: /my/nested/registry/
  host: https://myregistryaddress.org:5000
  secret: asecretforlocaldevelopment
  relativeurls: false
  tls:
    certificate: /path/to/x509/public
    key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    letsencrypt:
      cachefile: /path/to/cache-file
      email: emailused@letsencrypt.com
  debug:
    addr: localhost:5001
  headers:
    X-Content-Type-Options: [nosniff]
notifications:
  endpoints:
    - name: alistener
      disabled: false
      url: https://my.listener.com/event
      headers: <http.Header>
      timeout: 500
      threshold: 5
      backoff: 1000
redis:
  addr: localhost:6379
  password: asecret
  db: 0
  dialtimeout: 10ms
  readtimeout: 10ms
  writetimeout: 10ms
  pool:
    maxidle: 16
    maxactive: 64
    idletimeout: 300s
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
  file:
    - file: /path/to/checked/file
      interval: 10s
  http:
    - uri: http://server.to.check/must/return/200
      headers:
        Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
      statuscode: 200
      timeout: 3s
      interval: 10s
      threshold: 3
  tcp:
    - addr: redis-server.domain.com:6379
      timeout: 3s
      interval: 10s
      threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
compatibility:
  schema1:
    signingkeyfile: /etc/registry/key.json

docker登录镜像仓

#docker login
[root@HN01 ~]# docker login 7.220.62.96:5000
Username: root
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
[https://docs.docker.com/engine/reference/commandline/login/#credentials-store](https://docs.docker.com/engine/reference/commandline/login/#credentials-store)
Login Succeeded
# 查看密码保存位置及格式
[root@HN01 ~]# cat /root/.docker/config.json
{
        "auths": {
                "7.220.62.96:5000": {
                        "auth": "cm9vdDpodWF3ZWlAMTIz"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.0 (linux)"
        }
}
#docker logout
[root@HN01 ~]# docker logout 7.220.62.96:5000
Removing login credentials for 7.220.62.96:5000

注:cm9vdDpodWF3ZWlAMTIz,base64解码之后为:
root:huawei@123
即是以“用户名:密码”使用base64加密进行存储的。

注:如果是使用http请求访问,则需要在请求头中添加鉴权字段,key为:Authorization,value为:Basic cm9vdDpodWF3ZWlAMTIz。
注:使用curl命令时,可以使用下面两种方式
1、curl -H "Authorization: Basic cm9vdDpodWF3ZWlAMTIz" http://localhost:5000/v2/_catalog -v
2、curl -u root:huawei@123 http://localhost:5000/v2/_catalog -v

regsitry的垃圾回收

1、regisrty gc时会中断push服务,链接:https://blog.csdn.net/xts_huangxin/article/details/51693890

原因:gc是非事务性操作。删除前最好置为read-only,而此时registry将暂时不能提供push服务。

2、垃圾回收的方式:

docker exec registry1 registry garbage-collect /etc/docker/registry/config.yml

3、垃圾回收的耗时:

gc时间待确认,使用blobs 5.2G + repositries 28M的数据测试需要花2-3秒的扫描和清理时间

docker pull镜像

curl -k -s --header "Accept: application/vnd.docker.distribution.manifest.v2+json" https://krm.registry.com:5000/v2/docker_auth/manifests/1.0

registry默认是1.0的,如果要获取2.0的manifest,需要在请求头中增加“Accept: application/vnd.docker.distribution.manifest.v2+json”。

posted on   彦承  阅读(602)  评论(0编辑  收藏  举报
相关博文:
· 容器镜像学习笔记
· 将jar包以docker方式部署
· 8.Registry 私有镜像仓库
· Docker注册中心
· Docker仓库之Registry私有镜像仓库的搭建与使用
阅读排行:
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?
点击右上角即可分享
微信分享提示
AI FOR CODE 大赛