Configuring a Private Registry with Containers

User submission, 2022-10-21


I. Quick installation of a private Registry

1. Create the private Registry

# docker run -d -p 5000:5000 --restart=always --name MyRegistry registry

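2. Configure /etc/docker/daemon.json on the client host

This example uses the local host to simulate the private Registry client, which accesses the Registry server. Note: because the Docker client uses HTTPS by default, edit the /etc/docker/daemon.json configuration file on the client host to allow the Docker client to use the Registry over plain HTTP:

{ "insecure-registries" : ["localhost:5000"] }

After the change, reload the configuration and restart Docker.

# systemctl daemon-reload
# systemctl restart docker.service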

3. List the images present locally

# docker images
REPOSITORY   TAG    IMAGE ID       CREATED        SIZE
kcptun       v1.5   ada612b11885   23 hours ago   7.67MB
kcptun       v1.4   3ab2d78d6329   23 hours ago   7.67MB

4. Re-tag the local image to be uploaded so that the tag names the upload target

# docker image tag kcptun:v1.4 localhost:5000/kcptun
# docker images
REPOSITORY              TAG      IMAGE ID       CREATED        SIZE
kcptun                  v1.5     ada612b11885   23 hours ago   7.67MB
kcptun                  v1.4     3ab2d78d6329   23 hours ago   7.67MB
localhost:5000/kcptun   latest   3ab2d78d6329   23 hours ago   7.67MB

5. Push the image to the kcptun repository on the private Registry

# docker push localhost:5000/kcptun
The push refers to repository [localhost:5000/kcptun]
74b93d069f25: Layer already exists
8370d322a335: Layer already exists
01fd6df81c8e: Layer already exists
latest: digest: sha256:73272f481c45ef5de2ca708df32e5167b21984568133c13f06bbb98bf2d1350b size: 945

6. Manage the images in the kcptun repository on the private Registry

6.1 List the repositories

# curl localhost:5000/v2/_catalog
{"repositories":["kcptun"]}

6.2 List the tags (versions) of an image

# curl localhost:5000/v2/<repository-name>/tags/list
root@Renkailang-UOS:/home/renkailang# curl localhost:5000/v2/kcptun/tags/list
{"name":"kcptun","tags":["latest","v1.5"]}

7. Delete the local image:

# docker rmi localhost:5000/kcptun:latest
Untagged: localhost:5000/kcptun:latest
Untagged: localhost:5000/kcptun@sha256:73272f481c45ef5de2ca708df32e5167b21984568133c13f06bbb98bf2d1350b

8. Pull the image from the kcptun repository on the private Registry:

# docker pull localhost:5000/kcptun
Using default tag: latest
latest: Pulling from kcptun
Digest: sha256:73272f481c45ef5de2ca708df32e5167b21984568133c13f06bbb98bf2d1350b
Status: Downloaded newer image for localhost:5000/kcptun:latest
localhost:5000/kcptun:latest
# docker images
REPOSITORY              TAG      IMAGE ID       CREATED        SIZE
kcptun                  v1.5     ada612b11885   23 hours ago   7.67MB
kcptun                  v1.4     3ab2d78d6329   23 hours ago   7.67MB
localhost:5000/kcptun   latest   3ab2d78d6329   23 hours ago   7.67MB

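II. Customizing the private Registry's storage location

By default, the private Registry's data is kept as a docker volume on the host filesystem. If you want to store the Registry's contents at a specific location on the host filesystem, for example on an SSD, SAN or NFS mount attached to a chosen host directory, bind-mount that directory onto /var/lib/registry/ in the container to get better performance and more capacity.

1. Set the local volume mount point

The following example bind-mounts the host directory /data/docker/registry/ onto /var/lib/registry/ in the container.

# docker run -d -p 5000:5000 -v /data/docker/registry/:/var/lib/registry/ --restart=always --name registry registry
a259c9480e46d32ab2838c306a06b765047efdc4d03be9b92993c7bf2aa66bae

Check that the container is running:

# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED          STATUS          PORTS                    NAMES
a259c9480e46   registry   "/entrypoint.sh /etc…"   20 seconds ago   Up 19 seconds   0.0.0.0:5000->5000/tcp   registry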

2. Re-tag the local image to be uploaded so that the tag names the upload target:

# docker tag kcptun:v1.3 localhost:5000/kcptun:v1.3
# docker images
REPOSITORY              TAG    IMAGE ID       CREATED        SIZE
kcptun                  v1.3   9aec3788e0b2   24 hours ago   7.67MB
localhost:5000/kcptun   v1.3   9aec3788e0b2   24 hours ago   7.67MB

3. Push the image

# docker push localhost:5000/kcptun:v1.3
The push refers to repository [localhost:5000/kcptun]
74b93d069f25: Pushed
8370d322a335: Pushed
01fd6df81c8e: Pushed
v1.3: digest: sha256:8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742 size: 945

4. Inspect the /data/docker/registry/ directory on the host

# tree /data/docker/registry/
/data/docker/registry/
└── docker
    └── registry
        └── v2
            ├── blobs
            │   └── sha256
            │       ├── 52
            │       │   └── 52bbe01f5fedf895709e1b229d0c0043ba31946608bb50466d34967382be612b
            │       │       └── data
            │       ├── 5c
            │       │   └── 5cc84ad355aaa64f46ea9c7bbcc319a9d808ab15088a27209c9e70ef86e5a2aa
            │       │       └── data
            │       ├── 89
            │       │   └── 8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
            │       │       └── data
            │       ├── 9a
            │       │   └── 9aec3788e0b2d04b580a62612ccdc3ee36404055ce137b549b63efd688e6fbcc
            │       │       └── data
            │       └── d8
            │           └── d8764f8cdfdb15d11ec947f9b2746953cd74d064af01bb289b7e61045663cb14
            │               └── data
            └── repositories
                └── kcptun
                    ├── _layers
                    │   └── sha256
                    │       ├── 52bbe01f5fedf895709e1b229d0c0043ba31946608bb50466d34967382be612b
                    │       │   └── link
                    │       ├── 5cc84ad355aaa64f46ea9c7bbcc319a9d808ab15088a27209c9e70ef86e5a2aa
                    │       │   └── link
                    │       ├── 9aec3788e0b2d04b580a62612ccdc3ee36404055ce137b549b63efd688e6fbcc
                    │       │   └── link
                    │       └── d8764f8cdfdb15d11ec947f9b2746953cd74d064af01bb289b7e61045663cb14
                    │           └── link
                    ├── _manifests
                    │   ├── revisions
                    │   │   └── sha256
                    │   │       └── 8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
                    │   │           └── link
                    │   └── tags
                    │       └── v1.3
                    │           ├── current
                    │           │   └── link
                    │           └── index
                    │               └── sha256
                    │                   └── 8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
                    │                       └── link
                    └── _uploads

34 directories, 12 files
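The tree shows the Registry's content-addressed layout: each blob is stored at blobs/sha256/<first two hex characters>/<digest>/data, and the directory name is the SHA-256 of that data file. Because the store is now an ordinary host directory, this can be checked from the host. The script below is an added example, not part of the original article; the function name verify_registry_blobs is hypothetical and sha256sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the original article).
# verify_registry_blobs ROOT
#   ROOT is the host directory bind-mounted onto /var/lib/registry/,
#   e.g. /data/docker/registry
# Prints one line per finding. Returns 0 if the store is consistent,
# 1 if there are findings, 2 if ROOT holds no blob store.
verify_registry_blobs() {
    root="$1/docker/registry/v2"
    [ -d "$root/blobs/sha256" ] || { echo "no blob store under $1" >&2; return 2; }

    problems=$(
        # 1. blobs/sha256/<xx>/<digest>/data must hash to <digest>.
        for data in "$root"/blobs/sha256/*/*/data; do
            [ -f "$data" ] || continue
            expected=$(basename "$(dirname "$data")")
            actual=$(sha256sum "$data" | cut -d' ' -f1)
            [ "$expected" = "$actual" ] || echo "MISMATCH sha256:$expected"
        done

        # 2. Each repository "link" file holds "sha256:<digest>" and should
        #    resolve to a blob. A dangling link is a finding to investigate,
        #    not proof of tampering.
        find "$root/repositories" -type f -name link 2>/dev/null |
        while IFS= read -r link; do
            digest=$(cat "$link")
            hex=${digest#sha256:}
            prefix=$(printf '%s' "$hex" | cut -c1-2)
            [ -f "$root/blobs/sha256/$prefix/$hex/data" ] ||
                echo "DANGLING $link -> $digest"
        done
    )

    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

On the host from this section it would be called as verify_registry_blobs /data/docker/registry.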

III. Setting up a private Registry with a TLS certificate

1. Prerequisites

• Your private registry has a domain name; this example uses myregistry.domain.com.
• Your DNS, routing, and firewall settings allow access to the registry's host on port 443.
• You have already obtained a certificate from a certificate authority (CA). (Note: this example uses a self-signed certificate instead.)

2. Generate a self-signed certificate and private key, and make sure they are placed under certs/ in the current directory

# mkdir -p certs
# openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -addext "subjectAltName = DNS:myregistry.domain.com" \
  -x509 -days 365 -out certs/domain.crt

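Notes:

(1) The CN must be set to the domain name myregistry.domain.com.

(2) After running the command above you are prompted for the organization details. If you make a mistake, the only option is to run the command again, so it is advisable to prepare the values in a text editor and paste them in. For example:

Country = CN
Province = Sichuan
City = Chengdu
Organization = Chengdu Westone Co., Ltd.
CN (Common Name) = myregistry.domain.com

(3) openssl must be version 1.1.1 or later to support the -addext option. If you generate the self-signed certificate on CentOS you need to upgrade openssl. This example uses UnionTech OS (UOS), whose default version is openssl 1.1.1d.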

3. Create the Registry with the self-signed TLS certificate and private key

# docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -v /data/docker/registry/:/var/lib/registry/ \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry

4. Copy the self-signed TLS certificate to the client host with scp.

# scp -P 1026 renkailang@myregistry.domain.com:/data/docker/certs/domain.crt ./
renkailang@renkl.wicp.vip's password:
domain.crt                                    100% 2114   331.5KB/s   00:00

5. Add the self-signed certificate to the trusted CA list, then restart docker for the change to take effect.

Ubuntu

# cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
# update-ca-certificates

Red Hat Enterprise Linux

# cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
# update-ca-trust

Oracle Linux

# update-ca-trust enable

Windows

Open Windows Explorer, right-click the certificate, and choose Install certificate.

Then, select the following options:

• Store location: local machine
• Check "place all certificates in the following store"
• Click Browse, and select Trusted Root Certificate Authorities
• Click Finish

Note: after adding the certificate, the docker daemon must be restarted for the change to take effect.
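On Linux, Docker also reads a per-registry CA file at /etc/docker/certs.d/<registry host[:port]>/ca.crt, which limits trust in the self-signed certificate to this one registry instead of the whole system trust store. The script below is an added example, not part of the original article: it installs the copied domain.crt that way after comparing its SHA-256 with the value computed on the registry host. The function name install_registry_ca and its optional fourth argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article).
# install_registry_ca CERT REGISTRY EXPECTED_SHA256 [CERTS_D]
#   CERT             PEM file copied from the registry host (domain.crt)
#   REGISTRY         host[:port] exactly as it appears in image names
#   EXPECTED_SHA256  output of `sha256sum domain.crt` on the registry host
#   CERTS_D          defaults to /etc/docker/certs.d (override for a dry run)
# Prints the installed path on success; returns 1 on any failed check.
install_registry_ca() {
    cert=$1 registry=$2 expected=$3 certs_d=${4:-/etc/docker/certs.d}

    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }

    # Accept only a PEM certificate. domain.key must stay on the registry
    # host, so a key file copied by mistake is rejected here.
    head -n 1 "$cert" | grep -qx -- '-----BEGIN CERTIFICATE-----' ||
        { echo "$cert is not a PEM certificate" >&2; return 1; }

    # The file about to be trusted must be byte-identical to the server's.
    actual=$(sha256sum "$cert" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] ||
        { echo "hash mismatch: got $actual" >&2; return 1; }

    # REGISTRY becomes a directory name: allow host[:port] characters only.
    case $registry in
        ''|*/*|*..*|*[!A-Za-z0-9.:-]*)
            echo "invalid registry name: $registry" >&2; return 1 ;;
    esac

    dest="$certs_d/$registry"
    mkdir -p "$dest" && install -m 0644 "$cert" "$dest/ca.crt" || return 1
    echo "$dest/ca.crt"
}
```

For the registry in this article, which listens on port 443, REGISTRY is myregistry.domain.com with no port suffix.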

6. Test pushing and pulling images

Push an image:

# docker tag myregistry.domain.com/kcptun:v1.1 myregistry.domain.com/kcptun:v1.6
# docker push myregistry.domain.com/kcptun:v1.6
The push refers to repository [myregistry.domain.com/kcptun]
8370d322a335: Layer already exists
01fd6df81c8e: Layer already exists
v1.6: digest: sha256:2c970fd6897405b32f128b73215523d37a64ffb659570c9fef820b494833d421 size: 738

Pull an image:

# docker pull myregistry.domain.com/kcptun:v1.3
v1.3: Pulling from kcptun
5cc84ad355aa: Already exists
d8764f8cdfdb: Already exists
52bbe01f5fed: Pull complete
Digest: sha256:8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
Status: Downloaded newer image for myregistry.domain.com/kcptun:v1.3
myregistry.domain.com/kcptun:v1.3

Verification by packet capture

References:

https://docs.docker.com/registry/deploying/#copy-an-image-from-docker-hub-to-your-registry

https://blog.csdn.net/qq_31821675/article/details/89211022
