部署docker-registry私有仓库

部署docker-registry私有仓库

创建文件夹

  sudo mkdir -p /var/docker-data/{registry,certs,auth}
  ​
  sudo openssl req -subj '/C=CN/ST=GD/L=GZ/CN=192.192.49.87'
    -newkey rsa:4096 -nodes -sha256 -keyout /var/docker-data/certs/domain.key 
    -x509 -days 365 -out /var/docker-data/certs/domain.crt
    
  sudo mkdir -p /etc/docker/certs.d/192.192.49.87
  sudo cp /var/docker-data/certs/domain.crt /etc/docker/certs.d/192.192.49.87/ca.crt
  ​
  #可能需要OS级信任
  sudo cp /etc/dockercerts/domain.crt /etc/pki/ca-trust/source/anchors/192.192.49.87.crt
  sudo update-ca-trust
  ​
  docker container stop registry && docker container rm -v registry

启动

  docker run -d 
    --restart=always 
    --name registry 
    -v /var/docker-data/certs:/certs 
    -v /var/docker-data/auth:/auth 
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt 
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key 
    -e REGISTRY_STORAGE_DELETE_ENABLED="true" 
    -p 443:443 
    registry:2

查看镜像

  curl -X GET --insecure  https://192.192.49.87/v2/_catalog

客户端配置

  sudo mkdir -p /etc/docker/certs.d/192.192.49.87
  sudo cp /var/docker-data/certs/domain.crt /etc/docker/certs.d/192.192.49.87/ca.crt
  ​
  #可能需要OS级信任
  sudo cp /etc/dockercerts/domain.crt /etc/pki/ca-trust/source/anchors/192.192.49.87.crt
  sudo update-ca-trust
  ​
  #测试
  sudo docker pull busybox
  sudo docker tag busybox 192.192.49.87/busybox
  sudo docker push 192.192.49.87/busybox
  ​

删除仓库镜像

  #先查找镜像的Docker-Content-Digest
  curl -v -k -H "Accept: application/vnd.docker.distribution.manifest.v2+json" 
  -X GET  https://192.192.49.87/v2/busybox/manifests/latest 2>&1 | 
  grep 'Docker-Content-Digest'| awk '{print ($3)}'
  ​
  #再删除元数据
  #允许删除 -e REGISTRY_STORAGE_DELETE_ENABLED="true"
  curl-v -k -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE  https://192.192.49.87/v2/busybox/manifests/<Docker-Content-Digest的值>
  ​
  #容器内执行garbage-collect垃圾回收，清磁盘
  docker exec -it registry  /bin/registry 
  garbage-collect  /etc/docker/registry/config.yml

接入认证

  #用户admin，密码niot1234
  docker run --entrypoint htpasswd registry:2 -Bbn admin niot1234 > /var/docker-data/auth/htpasswd
  ​
  docker container stop registry
  docker rm registry
  ​
  #重启容器
  docker run -d 
    --restart=always 
    --name registry 
    -v /var/docker-data/certs:/certs 
    -v /var/docker-data/auth:/auth 
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt 
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key 
    -e REGISTRY_STORAGE_DELETE_ENABLED="true" 
    -e "REGISTRY_AUTH=htpasswd" 
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" 
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd 
    -p 443:443 
    registry:2

docker-compose 配置

安装

  sudo curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  ​
  sudo chmod +x /usr/local/bin/docker-compose
  ​
  sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
  docker-compose --version

创建docker-registry-compose.yml

  registry:
    restart: always
    image: registry:2
    ports:
      - 443:443
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:443
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
  #    REGISTRY_AUTH: htpasswd
  #    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
  #    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - /var/docker-data/registry:/var/lib/registry
      - /var/docker-data/certs:/certs
      - /var/docker-data/auth:/auth

启动

  sudo docker-compose -f docker-registry-compose.yml up -d

END