  Docker private registry: HTTPS + nginx

    I. Overview

    We use registry 2.4, because this version introduced garbage-collect, which can actually clean up blobs. The delete API has existed since 2.1, but it only removes the index entry and does not free any disk space, which is why 2.4 added garbage-collect. The official documentation does not recommend deleting blobs, but very old images that were built and pushed are no longer of any use, so they need to be cleaned up regularly.

    Deployment:

    1. Build the private Docker registry. For production use it must be secured, which means authentication plus HTTPS.

    Create the directories:

    # mkdir -p /data/registry/ && cd /data/registry/ && mkdir auth certs

    Create the password file (htpasswd with bcrypt hashes):

    #cd /data/registry/

    #docker run --entrypoint htpasswd daocloud.io/registry -Bbn huoqiu huoqiu123 > auth/htpasswd

    Create the (self-signed) certificate:

    # openssl req -x509 -days 3650 -subj '/CN=huoqiu.oo.com/' -nodes -newkey rsa:2048 -keyout certs/registry.key -out certs/registry.crt

    Create the directory where the Docker daemon looks for this registry's certificate:

    #mkdir -p /etc/docker/certs.d/huoqiu.oo.com/

    #cp /data/registry/certs/registry.crt  /etc/docker/certs.d/huoqiu.oo.com/

    Create the container:

    #cd /data/registry/

    Create the conf directory and the config.yml file inside it:

    #mkdir  conf

    # cat conf/config.yml

    version: 0.1
    log:
      fields:
        service: registry
    storage:
      delete:
        enabled: true
      cache:
        blobdescriptor: inmemory
      filesystem:
        rootdirectory: /var/lib/registry
    http:
      addr: :5000
      headers:
        X-Content-Type-Options: [nosniff]
    health:
      storagedriver:
        enabled: true
        interval: 10s
        threshold: 3

    Deletion is disabled by default; the API delete used later only works with this section enabled:

    storage:
      delete:
        enabled: true

    #cat tt.sh

    #!/bin/bash

    # auth, certs, data and conf live next to this script
    dir=$(cd "$(dirname "$0")"; pwd)
    # remove any previous registry container before recreating it
    docker stop registry && docker rm registry
    docker run -d -p 5000:5000 -p 443:5000 --restart=always \
        --name registry \
        -v "$dir/auth":/auth \
        -e "REGISTRY_AUTH=htpasswd" \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on huoqiu.oo.com" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -v "$dir/certs":/certs \
        -v "$dir/data":/var/lib/registry \
        -v "$dir/conf/config.yml":/etc/docker/registry/config.yml \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
        daocloud.io/registry:2.4

    #chmod +x tt.sh

    #sh tt.sh

    Set up the nginx proxy:

    First copy the certificate created above to the nginx server:

    #scp  /data/registry/certs/*  nginx:/root/oo

    #cat sb.conf

    server {
        client_max_body_size 0;   # image layers can be large; do not cap the upload size
        server_name huoqiu.oo.com;
        listen 443;
        ssl on;
        ssl_certificate /root/oo/registry.crt;
        ssl_certificate_key /root/oo/registry.key;
        ssl_session_timeout 5m;
        # TLS 1.2 only: SSLv2 and SSLv3 are broken and must not be offered
        ssl_protocols TLSv1.2;
        #ssl_ciphers HIGH:!aNULL:!MD5;
        # RC4, 3DES and MD5-based suites removed from the original list
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://10.10.9.3:443;
        }
    }

    Log in:

    docker  login  huoqiu.oo.com

    Enter the username and password. This creates /root/.docker/config.json, which records the authentication information.

    II. Cleaning up the registry

    Cleaning up old images takes two steps:

    1. Find the digests of the images in question

    The data directory is on the physical host under /data/registry/data; first we have to find the digests to delete:

    For example, the image to delete here is named fireball/saturn; for any other image, look under /data/registry/data/docker/registry/v2/repositories/.

    # cd /data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags

    Find the digests of images older than 100 days. Each tags/<tag>/current/link file contains sha256:<hex>, so the third colon-separated field of grep's output is the digest:

    # find . -name link -mtime +100 | grep current|xargs grep  "sha256" | awk -F ":" '{print $3}'

    Then call the API to delete it:

    curl -k -I -X DELETE https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:<digest value from the command above>

    Parameter explanation:

    -k: because we use HTTPS, -k is added to skip the certificate check, otherwise curl reports an error

    huou:histry is the registry username and password

    2. Use gc to clean up the data files

    docker exec -it registry  /bin/registry garbage-collect /etc/docker/registry/config.yml

    For convenience, here is a cleanup script:

    # cat registry-clean.sh

    #!/bin/bash

    # tags directory of the one repository this script cleans
    dir="/data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags"

    cd "$dir" || exit 1

    # digests of tags that have not been pushed for more than 10 days
    dgists=`find . -name link -mtime +10 | grep current|xargs -r grep  "sha256" | awk -F ":" '{print $3}'`

    # delete each manifest through the API; -f makes curl fail on an HTTP error status
    rc=0
    for i in $dgists
    do
        curl -k -f -sS -I -X DELETE https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:$i || rc=1
    done

    # reclaim disk space only if every delete succeeded ($? after the loop would only reflect the last curl)
    if [ $rc -eq 0 ];then
        docker exec -it registry  /bin/registry garbage-collect /etc/docker/registry/config.yml
    fi

    This keeps only the images from the last 10 days.

    The script above can only clean one specific image, which is not very flexible; below is an interactive version:

    #cat interaction-clean

    #!/bin/bash
    # docker private registry: delete image tags older than N days (default 5), then garbage-collect

    #repositories dir
    dir="/data/registry/data/docker/registry/v2/repositories/"

    a="/_manifests/tags"

    #link a full addr; $repo collects the same path for the API call
    #(the original hard-coded fireball/saturn there regardless of -g/-p/-l)
    while getopts ":g:p:l:h:t:" opt
    do
    case $opt in
         g)
         dir_tag1=$dir$OPTARG
         repo=$OPTARG
         ;;
         p)
         dir_tag2=$dir_tag1/$OPTARG
         dir_tag=$dir_tag2$a
         repo=$repo/$OPTARG
         ;;
         l)
         dir_tag3=$dir_tag2/$OPTARG
         dir_tag=$dir_tag3$a
         repo=$repo/$OPTARG
         ;;
         t)
         b=$OPTARG
         ;;
         ?)
         echo "if your url has two layers like: https://<url>/fireball/saturn
              $0 -g <group> -p <project> -t <days, default 5>"
         echo "if your url has three layers like: https://<url>/fireball/test/saturn
              $0 -g <group> -p <subgroup> -l <project> -t <days, default 5>"
         exit 1;;
       esac
    done

    #---------------------------------------------------------------------------------------------------------#
    #without a repository, 'cd ""' would land in $HOME and the find below would scan it
    if [ -z "$dir_tag" ] || [ ! -d "$dir_tag" ]; then
        echo "tags directory not found: '$dir_tag'" >&2
        exit 1
    fi
    cd "$dir_tag" || exit 1

    #age in days to look for, the default is 5
    tm=${b:-5}

    #find all of the digests that meet the requirements
    dgists=`find . -name link -mtime +$tm | grep current|xargs -r grep  "sha256" | awk -F ":" '{print $3}'`

    #delete the manifests; -f makes curl fail on an HTTP error status, rc remembers any failure
    rc=0
    for i in $dgists
    do
        echo $i
        curl -k -f -sS -I -X DELETE https://huou:histry@localhost:5000/v2/$repo/manifests/sha256:$i || rc=1
    done

    #delete the real data with garbage-collect, only if every API delete succeeded
    if [ $rc -eq 0 ];then
        docker exec -it registry  /bin/registry garbage-collect /etc/docker/registry/config.yml
    fi

    Usage (prints the option summary):

    interaction-clean  -h
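    The scripts above select digests from tag link files older than N days and delete the manifests by digest. Because the registry deletes a manifest by digest, every tag still pointing at it disappears as well, so a fresh tag such as "latest" that shares a manifest with an old tag would be lost. The following is an added example, not code from the original post, that keeps only digests no recent tag references; it assumes the post's on-disk layout and takes credentials from the hypothetical REGISTRY_USER / REGISTRY_PASS variables instead of the URL.

```shell
#!/bin/bash
# Added example: pick only manifest digests that are safe to delete.
# Assumed layout (as the post shows): <repo>/_manifests/tags/<tag>/current/link
# holding "sha256:<hex>". REGISTRY_USER / REGISTRY_PASS are assumed, not from the post.

# digests of tag link files not updated for more than $2 days (the post's find expression)
old_digests() {   # $1 = tags dir, $2 = days
    find "$1" -path '*/current/link' -mtime +"$2" -exec cut -d: -f2 {} \; | sort -u
}

# digests of tag link files at most $2 days old: these manifests must survive
kept_digests() {  # $1 = tags dir, $2 = days
    find "$1" -path '*/current/link' ! -mtime +"$2" -exec cut -d: -f2 {} \; | sort -u
}

# old minus kept: kept digests are printed twice so 'uniq -u' drops them together with
# their old copy, leaving only digests that no recent tag references
stale_digests() { # $1 = tags dir, $2 = days
    { old_digests "$1" "$2"; kept_digests "$1" "$2"; kept_digests "$1" "$2"; } | sort | uniq -u
}

# delete one manifest through the API; $1 = host:port, $2 = repo (e.g. fireball/saturn), $3 = hex
# -f turns an HTTP error status into a non-zero exit so a caller can skip garbage-collect on failure
# (-k because the post's certificate is self-signed)
delete_manifest() {
    curl -k -sS -f -o /dev/null -u "$REGISTRY_USER:$REGISTRY_PASS" \
        -X DELETE "https://$1/v2/$2/manifests/sha256:$3"
}

# constructed sample tree for a dry run: two tags aged to 2017 and one fresh "latest" tag
# that shares its digest with v2; prints the tags directory
make_sample_repo() { # $1 = scratch dir
    local tags="$1/fireball/saturn/_manifests/tags" tag
    for tag in v1 v2 latest; do mkdir -p "$tags/$tag/current"; done
    echo "sha256:aaaa1111" > "$tags/v1/current/link"       # only an old tag -> stale
    echo "sha256:bbbb2222" > "$tags/v2/current/link"       # shared with latest -> keep
    echo "sha256:bbbb2222" > "$tags/latest/current/link"
    touch -t 201701010000 "$tags/v1/current/link" "$tags/v2/current/link"
    echo "$tags"
}
```

    On the sample tree old_digests lists aaaa1111 and bbbb2222 (the post's selection, which would also remove "latest"), while stale_digests lists only aaaa1111. Run garbage-collect afterwards with the registry stopped or in read-only mode, as the registry documentation requires, since a push during collection can be corrupted.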

    Original article: https://www.cnblogs.com/cuishuai/p/9107069.html