I. Overview
We use registry 2.4, because that is the first version that ships garbage-collect, which actually removes unreferenced blobs. The delete API has existed since 2.1, but it only removes the manifest/tag index entries and does not free any disk space, which is why 2.4 added garbage-collect. Deleting blobs is not something the official docs recommend, but images built and pushed long ago are no longer useful, so they need to be cleaned up on a schedule.
Deployment:
1. Set up the private Docker registry. For production use it must be secured, which means authentication plus HTTPS.
Create the directories:
# mkdir -p /data/registry/ && cd /data/registry/ && mkdir auth certs
Create the password file (the htpasswd binary shipped in the registry image; -B selects bcrypt, which is the only hash the registry's htpasswd backend accepts):
# cd /data/registry/
# docker run --entrypoint htpasswd daocloud.io/registry -Bbn huoqiu huoqiu123 > auth/htpasswd
Create the certificate (self-signed, valid for 10 years; note that this puts the hostname only in the CN, and recent Docker clients require it in the subjectAltName extension as well):
# openssl req -x509 -days 3650 -subj '/CN=huoqiu.oo.com/' -nodes -newkey rsa:2048 -keyout certs/registry.key -out certs/registry.crt
Create the directory where the Docker client looks for the registry's CA certificate and copy the certificate there (repeat this on every host that will push to or pull from the registry; the private key stays on the registry host):
# mkdir -p /etc/docker/certs.d/huoqiu.oo.com/
# cp /data/registry/certs/registry.crt /etc/docker/certs.d/huoqiu.oo.com/
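The openssl command above yields a CN-only certificate. As an added example (not part of the original post), here is a shell script that generates the same self-signed certificate with a subjectAltName, which Docker clients built with Go 1.15 or later require because they ignore the Common Name, and that checks the result before it is copied to /etc/docker/certs.d/. The hostname and file names are the post's; the function names are this example's, and it assumes OpenSSL 1.1.1 or later (for -addext) and GNU stat.

```shell
#!/bin/bash
# Added example, not from the original post: self-signed registry certificate with a
# SAN entry, plus the checks worth running before distributing it to Docker clients.
# Assumes OpenSSL >= 1.1.1 (-addext) and GNU coreutils (stat -c).

# make_registry_cert <hostname> <outdir>: writes <outdir>/registry.key and registry.crt
make_registry_cert() {
    local host=$1 outdir=$2
    mkdir -p "$outdir"
    # -addext puts the hostname into subjectAltName; the CN alone is no longer enough
    openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/registry.key" -out "$outdir/registry.crt" 2>/dev/null || return 1
    # only the registry (and the nginx proxy) need the key; clients only get the .crt
    chmod 600 "$outdir/registry.key"
}

# cert_has_san <crt> <hostname>: succeeds if <hostname> appears in the SAN extension
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key <crt> <key>: succeeds if both carry the same public key
# (catches a .crt and .key that were copied from different runs)
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo on a temporary directory (the real run would use /data/registry/certs):
demo_dir=$(mktemp -d)
make_registry_cert huoqiu.oo.com "$demo_dir/certs" \
    && cert_has_san "$demo_dir/certs/registry.crt" huoqiu.oo.com \
    && cert_matches_key "$demo_dir/certs/registry.crt" "$demo_dir/certs/registry.key" \
    && echo "certificate OK: SAN present and key matches"
rm -rf "$demo_dir"
```

After generating the files into /data/registry/certs, only registry.crt is copied to /etc/docker/certs.d/huoqiu.oo.com/ on the clients; if cert_has_san fails, docker login will be rejected with a legacy Common Name error on current clients.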
Create the container:
# cd /data/registry/
Create the conf directory and the config.yml file:
# mkdir conf
# cat conf/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
Deletion is disabled by default; the following section of config.yml enables it (without it the DELETE calls in part II return 405):
storage:
  delete:
    enabled: true
# cat tt.sh
#!/bin/bash
# (re)create the registry container from the directory this script lives in
dir=$(cd "$(dirname "$0")" && pwd)
docker stop registry && docker rm registry
docker run -d -p 5000:5000 -p 443:5000 --restart=always --name registry \
  -v $dir/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on huoqiu.oo.com" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v $dir/certs:/certs \
  -v $dir/data:/var/lib/registry \
  -v $dir/conf/config.yml:/etc/docker/registry/config.yml \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
  daocloud.io/registry:2.4
# chmod +x tt.sh
# sh tt.sh
Set up the nginx proxy:
First copy the certificate and key to the nginx server (the key is needed there because nginx terminates TLS):
# scp /data/registry/certs/* nginx:/root/oo
# cat sb.conf
server {
    client_max_body_size 0;          # image layers are large; do not cap upload size
    server_name huoqiu.oo.com;
    listen 443 ssl;
    ssl_certificate /root/oo/registry.crt;
    ssl_certificate_key /root/oo/registry.key;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 and the RC4, 3DES and MD5 cipher suites are broken; offer only TLS 1.2 with AEAD suites
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # the registry uses this to build its Location URLs
        proxy_pass https://10.10.9.3:443;
    }
}
10.10.9.3:443 is the registry container published by tt.sh. Note that nginx does not verify the upstream certificate by default (proxy_ssl_verify is off); that is acceptable when the proxy and the registry share a trusted network, otherwise enable proxy_ssl_verify and point proxy_ssl_trusted_certificate at registry.crt.
Log in:
# docker login huoqiu.oo.com
Enter the username and password. Docker then writes /root/.docker/config.json with the credentials. The auth value in that file is only base64(username:password), not encrypted, so protect the file like any other secret.
II. Cleaning the registry
Cleaning up old images takes two steps:
1. Find the digests of the manifests to delete
The data directory is mounted at /data/registry/data on the host, so we first find the digests to delete there:
The image in this example is fireball/saturn; for other images, look under /data/registry/data/docker/registry/v2/repositories/.
# cd /data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags
Find the digests of tags older than 100 days. Each tag's current/link file holds the manifest digest as sha256:<hex>, and its mtime is the time the tag was last pushed (not the image build time). Be aware that a manifest delete removes every tag pointing at that digest, so a digest shared with a fresh tag, for example a retagged latest, would be lost as well.
# find . -name link -mtime +100 | grep current|xargs grep "sha256" | awk -F ":" '{print $3}'
Then call the API to delete the manifest (a successful delete returns 202 Accepted):
curl -k -I -X DELETE https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:<digest from the command above>
Parameters:
-k: the registry speaks HTTPS with our self-signed certificate, so -k skips verification; otherwise curl fails. Passing --cacert /data/registry/certs/registry.crt instead verifies the certificate properly.
huou:histry: the registry username and password (the htpasswd entry created at deployment). Credentials in the URL end up in the shell history and in process listings; curl -u with a .netrc file avoids that.
2. Run garbage-collect to remove the data files
docker exec -it registry /bin/registry garbage-collect /etc/docker/registry/config.yml
garbage-collect is not safe against concurrent pushes: a blob that is being uploaded but not yet referenced by a manifest can be removed. Run it with the registry stopped or switched to read-only mode (storage.maintenance.readonly.enabled: true in config.yml, then restart), and only while no pushes are in progress.
For convenience, here is a cleanup script:
# cat registry-clean.sh
#!/bin/bash
dir="/data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags"
cd "$dir" || exit 1
# digests of tags whose link file is older than 10 days
digests=$(find . -name link -mtime +10 | grep current | xargs grep "sha256" | awk -F ":" '{print $3}')
failed=0
for i in $digests
do
    # -f: an HTTP error (401, 404, ...) counts as a failure instead of being ignored
    curl -k -fsS -o /dev/null -X DELETE https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:$i || failed=1
done
# only reclaim blob storage if every delete succeeded (checking $? after the loop
# would only reflect the last iteration)
if [ $failed -eq 0 ]; then
    docker exec -it registry /bin/registry garbage-collect /etc/docker/registry/config.yml
fi
This keeps only the last 10 days of images.
The script above can only clean one specific image, which is inflexible, so here is a parameterized version:
# cat interaction-clean
#!/bin/bash
# docker private registry: delete tags older than N days (default 5), then run garbage-collect
# repositories dir
dir="/data/registry/data/docker/registry/v2/repositories/"
a="/_manifests/tags"
# registry credentials (the htpasswd user created at deployment)
user="huou"; pass="histry"
usage() {
    echo "if your image path has two components, like https://<url>/fireball/saturn:"
    echo "    $0 -g <group> -p <project> [-t <days, default 5>]"
    echo "if it has three components, like https://<url>/fireball/test/saturn:"
    echo "    $0 -g <group> -p <subgroup> -l <project> [-t <days, default 5>]"
    exit 1
}
# build the repository path (and from it the tags dir) from the options, in the order given
while getopts ":g:p:l:t:h" opt
do
    case $opt in
        g) repo=$OPTARG ;;
        p) repo=$repo/$OPTARG ;;
        l) repo=$repo/$OPTARG ;;
        t) b=$OPTARG ;;
        h|*) usage ;;
    esac
done
[ -n "$repo" ] || usage
dir_tag=$dir$repo$a
cd "$dir_tag" || exit 1
# age threshold in days, default 5
tm=${b:-5}
# find all digests that meet the requirements
digests=$(find . -name link -mtime +$tm | grep current | xargs grep "sha256" | awk -F ":" '{print $3}')
# delete the manifests; the repository in the URL must be the one whose tags dir was searched
failed=0
for i in $digests
do
    echo $i
    curl -k -fsS -o /dev/null -X DELETE https://$user:$pass@localhost:5000/v2/$repo/manifests/sha256:$i || failed=1
done
# delete the real data with garbage-collect, only if every delete succeeded
if [ $failed -eq 0 ]; then
    docker exec -it registry /bin/registry garbage-collect /etc/docker/registry/config.yml
fi
Usage:
# interaction-clean -h
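Both scripts above select digests with find -mtime alone, which, as noted in step 1, also deletes manifests that a fresh tag still points at. The following script is an added example (not part of the original post) that generalizes the selection: a digest is deleted only when no tag newer than the cutoff still references it, credentials are passed with curl -u rather than in the URL, the self-signed certificate is verified with --cacert instead of -k, and DRY_RUN=1 prints the delete commands for review instead of running them. The storage layout is the registry filesystem driver's real layout; the registry URL, user, password and CA path are assumptions taken from the post's setup, and the fixture tree with fake digests is constructed for the demo.

```shell
#!/bin/bash
# Added example, not part of the original post: choose the manifest digests that are
# safe to delete. DELETE /v2/<repo>/manifests/sha256:<digest> removes that manifest for
# ALL tags pointing at it, so a digest still referenced by a fresh tag must be kept.
#
# Assumed on-disk layout (the registry filesystem driver's real layout):
#   <root>/docker/registry/v2/repositories/<repo>/_manifests/tags/<tag>/current/link
# holding "sha256:<hex>" with no trailing newline. URL, user, password and CA path
# below are assumptions based on the post's deployment.

REGISTRY_URL=${REGISTRY_URL:-https://localhost:5000}
REGISTRY_USER=${REGISTRY_USER:-huou}
REGISTRY_PASS=${REGISTRY_PASS:-histry}
CA_CERT=${CA_CERT:-/data/registry/certs/registry.crt}   # verify the cert instead of curl -k

# digests_of <tags_dir> [find predicates...]: unique digests of the matching tags
digests_of() {
    local tags_dir=$1; shift
    # awk 1 re-emits each record with a newline, so link files without one do not run together
    find "$tags_dir" -path '*/current/link' "$@" -exec awk 1 {} \; \
        | sed 's/^sha256://' | sort -u
}

# stale_digests <tags_dir> <days>: digests referenced only by tags older than <days>
stale_digests() {
    local tags_dir=$1 days=$2 d fresh
    fresh=$(digests_of "$tags_dir" '!' -mtime +"$days")
    for d in $(digests_of "$tags_dir" -mtime +"$days"); do
        printf '%s\n' "$fresh" | grep -qx "$d" || echo "$d"
    done
}

# cleanup_repo <root> <repo> <days>: delete the stale manifests of <repo>
cleanup_repo() {
    local root=$1 repo=$2 days=$3 d
    local tags_dir="$root/docker/registry/v2/repositories/$repo/_manifests/tags"
    for d in $(stale_digests "$tags_dir" "$days"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "curl --cacert $CA_CERT -u $REGISTRY_USER:**** -X DELETE $REGISTRY_URL/v2/$repo/manifests/sha256:$d"
        else
            # -f: a 401/404 counts as a failure instead of being ignored; -u keeps the
            # password out of the URL (and so out of shell history and ps output)
            curl --cacert "$CA_CERT" -fsS -o /dev/null -u "$REGISTRY_USER:$REGISTRY_PASS" \
                -X DELETE "$REGISTRY_URL/v2/$repo/manifests/sha256:$d" \
                || echo "delete failed: $d" >&2
        fi
    done
}

# make_fixture <root>: a constructed registry tree (fake digests, no image data) for a dry run
make_fixture() {
    local root=$1 t
    local tags="$root/docker/registry/v2/repositories/fireball/saturn/_manifests/tags"
    for t in v1 v2 latest v3; do mkdir -p "$tags/$t/current"; done
    printf 'sha256:aaaa' > "$tags/v1/current/link"      # old tag, unique digest: delete
    printf 'sha256:bbbb' > "$tags/v2/current/link"      # old tag ...
    printf 'sha256:bbbb' > "$tags/latest/current/link"  # ... shared with the fresh `latest`: keep
    printf 'sha256:cccc' > "$tags/v3/current/link"      # fresh tag: keep
    touch -d "@$(( $(date +%s) - 200*86400 ))" "$tags/v1/current/link" "$tags/v2/current/link"
}

# Dry run against the constructed tree; only sha256:aaaa should be listed.
demo=$(mktemp -d)
make_fixture "$demo"
DRY_RUN=1 cleanup_repo "$demo" fireball/saturn 100
rm -rf "$demo"
```

For a real run, call cleanup_repo /data/registry/data fireball/saturn 100 on the registry host, and run garbage-collect afterwards with the registry stopped or in read-only mode as described in step 2.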