docker私有仓库-https+nginx

一、概述

使用的是registry-2.4版本，因为在这个版本开始提供了garbage-collect，能够清理掉blobs，2.1开始提供了api的删除功能，但是只是删除的index并没有释放掉磁盘空间，所以2.4版本增加了garbage-collect。官方不建议删除blobs，但是构建上传的很老的镜像已经没有用了，所以需要定时清理。

部署：

1、搭建docker私有仓库，线上使用的话必须要保证安全，需要做认证+https

创建目录：

# mkdir -p /data/registry/ && cd /data/registry/ && mkdir auth certs

创建密码文件：

#cd /data/registry/

#docker run --entrypoint htpasswd daocloud.io/registry -Bbn huoqiu huoqiu123> auth/htpasswd

创建证书：

# openssl req -x509 -days 3650 -subj '/CN=huoqiu.oo.com/' -nodes -newkey rsa:2048 -keyout certs/registry.key -out certs/registry.crt

创建存放证书的目录：

#mkdir -p /etc/docker/certs.d/huoqiu.oo.com/

#cp /data/registry/certs/registry.crt  /etc/docker/certs.d/huoqiu.oo.com/

创建容器：

#cd /data/registry/

创建conf目录并创建config.yml文件：

#mkdir  conf

# cat config.yml

version: 0.1
log:
  fields:
    service: registry
storage:
    delete:
        enabled: true
    cache:
        blobdescriptor: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: :5000
    headers:
        X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

默认是不支持删除的，需要增加删除支持：

storage:
    delete:
        enabled: true

#cat tt.sh

#!/bin/bash

dir=$(cd `dirname $0`;pwd)
docker stop registry && docker rm registry
docker run -d -p 5000:5000 -p 443:5000 --restart=always 
--name registry 
-v $dir/auth:/auth 
-e "REGISTRY_AUTH=htpasswd" 
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on huoqiu.oo.com" 
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd 
-v $dir/certs:/certs 
-v $dir/data:/var/lib/registry 
-v $dir/conf/config.yml:/etc/docker/registry/config.yml 
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt 
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key 
daocloud.io/registry:2.4

#chmod +x tt.sh

#sh tt.sh

设置nginx代理：

首先将创建的证书copy到nginx服务器上面，

#scp  /data/registry/certs/*  nginx:/root/oo

#cat sb.conf

server {
client_max_body_size 0;
server_name huoqiu.oo.com;
listen 443;
ssl on;
ssl_certificate /root/oo/registry.crt;
ssl_certificate_key /root/oo/registry.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_redirect off;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://10.10.9.3:443;
}
}

登陆：

docker  login  huoqiu.oo.com

输入用户名、密码。此时会生成/root/.docker/config.json文件，记录认证信息。 

二、清理registry

清理老的镜像有两个步骤：

1、找到相应镜像的dgists

数据目录放到了物理机的/data/registry/data目录下面，我们要先找出要删除的dgists：

比如我们这里要删除的镜像名称是fireball/saturn,如果是其他的镜像，就去/data/registry/data/docker/registry/v2/repositories/目录下面找。

# cd /data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags

我们查找超过100天的镜像的dgists：

# find . -name link -mtime +100 | grep current|xargs grep  "sha256" | awk -F ":" '{print $3}'

然后在调用api去删除

curl   -k  -I -X DELETE  https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:dgists的值（上面那个命令查出来的结果）

参数解释：

-k，因为我们用的是https，所以这里加-k跳过检测，否则会报错

huou:histry， 是registry的用户名和密码

2、使用gc清理数据文件

docker exec -it registry  /bin/registry garbage-collect /etc/docker/registry/config.yml

为了方便使用，写了一个清理脚本：

# cat registry-clean.sh

#!/bin/bash

dir="/data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags"

cd $dir

dgists=`find . -name link -mtime +10 | grep current|xargs grep  "sha256" | awk -F ":" '{print $3}'`

for i in $dgists
do
    curl   -k  -I -X DELETE  https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:$i
done


if [ $? -eq 0 ];then
    docker exec -it registry  /bin/registry garbage-collect /etc/docker/registry/config.yml
fi

只保留最近10天的镜像.

上面的脚本只能清理特定的镜像，使用不是很灵活，下面给出一个交互式的：

#cat interaction-clean

#!/bin/bash
#docker private registry clean imag that five days ago

#repositories dir
dir="/data/registry/data/docker/registry/v2/repositories/"

a="/_manifests/tags"

#link a full addr
while getopts ":g:p:l:h:t:" opt
do
case $opt in
     g)
     dir_tag1=$dir$OPTARG
     ;;
     p)
     dir_tag2=$dir_tag1/$OPTARG
     dir_tag=$dir_tag2$a
     ;;
     l)
     dir_tag3=$dir_tag2/$OPTARG
     dir_tag=$dir_tag3$a
     ;;
     t)
     b=$OPTARG
     ;;
     ?)
     echo "if your url have three layers like: https://<url>/fireball/saturn
          $0 -g(group) -p(project) -t(time,if not set default is 5)"
     echo "if your url have three layers like: https://<url>/fireball/test/saturn
          $0 -g(group) -l  -p(project -t(time,if not set default is 5))"
     exit 1;;
   esac
done

#---------------------------------------------------------------------------------------------------------#
cd $dir_tag

#date that to find,the default is 5
tm=${b:-5}

#find all of dgists that meet the requirements
dgists=`find . -name link -mtime +$tm | grep current|xargs grep  "sha256" | awk -F ":" '{print $3}'`

#delet dgists
for i in $dgists
do
    echo $i
    curl   -k  -I -X DELETE  https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:$i
done

#delete true data,use garbage-collect
if [ $? -eq 0 ];then
    docker exec -it registry  /bin/registry garbage-collect /etc/docker/registry/config.yml
fi

Usage：

interaction-clean  -h