Docker Registry私有仓库搭建

部署registry

准备一个registry.mydocker.com 的证书

对私有registry取名registry.mydocker.com

目录规划

仓库数据目录：/data/docker/registry/registry/ --> /var/lib/registry/

SSL证书目录：/data/docker/registry/ssl/ --> /etc/docker/registry/ssl/

密码文件目录：/data/docker/registry/auth/ --> /etc/docker/registry/auth/

启动registry容器

[root@Docker_Machine_192.168.31.130 ~]# docker run -d \
 -v /data/docker/registry/registry/:/var/lib/registry/ \
 -v /data/docker/registry/ssl/:/etc/docker/registry/ssl/ \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/registry/ssl/registry.mydocker.com.crt \
 -e REGISTRY_HTTP_TLS_KEY=/etc/docker/registry/ssl/registry.mydocker.com.key \
 --restart=always \
 --name registry.mydocker.com \
 --hostname registry.mydocker.com \
 registry
 [root@Docker_Machine_192.168.31.130 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
9215e587ea8e        registry            "/entrypoint.sh /etc…"   About an hour ago   Up 20 minutes       5000/tcp            registry.mydocker.com

配置ngx

server {
        listen 127.0.0.1:443 ssl;
        server_name registry.mydocker.com;
        index index.html index.htm index.php;
        root /data/web/webclose/;

        include ssl_registry.mydocker.com.conf;
        include deny_file.conf;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
        chunked_transfer_encoding on;

        location / {
           # Do not allow connections from docker 1.5 and earlier
           # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
           if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
               return 404;
           }
           proxy_pass         https://172.17.0.2:5000;
           proxy_set_header   Host   $host;
           expires off;
           proxy_redirect     off;
           proxy_set_header   X-Real-IP        $remote_addr;
           proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
           proxy_set_header  X-Forwarded-Proto $scheme;
        }
        access_log /data/logs/$host.log access;
}

常用手段

push

push 镜像前，需要tag在push

[root@Docker_Machine_192.168.31.130 ~]# docker tag me/percona-server-5.7.23.24   registry.mydocker.com/mysql/percona-server-5.7.23.24
[root@Docker_Machine_192.168.31.130 ~]# docker push registry.mydocker.com/mysql/percona-server-5.7.23.24
The push refers to repository [registry.mydocker.com/mysql/percona-server-5.7.23.24]
7705ebebf110: Pushed
158db895cdd8: Pushed
bcc97fbfc9e1: Pushed
latest: digest: sha256:a081a3396473904e67fd438b555576a41296057eeddf8af5f6cb2c93cc68064c size: 955

pull

[root@Docker_Machine_192.168.31.130 ~]# docker pull registry.mydocker.com/mysql/percona-server-5.7.23.24
Using default tag: latest
latest: Pulling from mysql/percona-server-5.7.23.24
Digest: sha256:a081a3396473904e67fd438b555576a41296057eeddf8af5f6cb2c93cc68064c
Status: Downloaded newer image for registry.mydocker.com/mysql/percona-server-5.7.23.24:latest
[root@Docker_Machine_192.168.31.130 ~]# docker images
REPOSITORY                                           TAG                 IMAGE ID            CREATED             SIZE
me/percona-server-5.7.23.24                          latest              5af5b8e6c4c8        2 months ago        775MB
registry.mydocker.com/mysql/percona-server-5.7.23.24   latest              5af5b8e6c4c8        2 months ago        775MB

垃圾回收

registry garbage-collect /etc/docker/registry/config.yml

[root@Docker_Machine_192.168.31.130 ~]# docker exec -it registry.mydocker.com sh
/ # registry garbage-collect /etc/docker/registry/config.yml
mysql/percona-server-5.7.23.24
mysql/percona-server-5.7.23.24: marking manifest sha256:a081a3396473904e67fd438b555576a41296057eeddf8af5f6cb2c93cc68064c
mysql/percona-server-5.7.23.24: marking blob sha256:5af5b8e6c4c84ed6945cd7a563b9128d8c0aa2107e2882aff6a5a27ef4c9b623
mysql/percona-server-5.7.23.24: marking blob sha256:7dc0dca2b1516961d6b3200564049db0a6e0410b370bb2189e2efae0d368616f
mysql/percona-server-5.7.23.24: marking blob sha256:554337fab389bc00d82df4a8deb7719c4f8898f458980d54ecc6b7edb65eb67f
mysql/percona-server-5.7.23.24: marking blob sha256:06fcba1e485b285ac7f3a5b54f6105b1e19504fc24b456252a0dcba8bd208adc

5 blobs marked, 0 blobs eligible for deletion

使用api

查看镜像 GET /v2/_catalog

[root@Docker_Machine_192.168.31.130 ~]# curl https://registry.mydocker.com/v2/_catalog
{"repositories":["mysql/percona-server-5.7.23.24"]}

删除镜像

DELETE /v2/<name>/manifests/<reference>

name:镜像名称

reference: 镜像对应sha256值

[root@Docker_Machine_192.168.31.130 ~]# curl -X DELETE  https://registry.mydocker.com/v2/percona-server-5.7.23.24/manifests/sha256:a081a3396473904e67fd438b555576a41296057eeddf8af5f6cb2c93cc68064c
{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}

这种情况是私有仓库不支持删除操作，需要在配置文件config.yml中增加delete:enabled:true字段

具体参考https://docs.docker.com/registry/spec/api/

Authentication的加持

创建账号密码

cd /data/dokcer/registry/auth
#registry 密码文件
docker run --rm --entrypoint htpasswd registry -Bbn  reguser  regpasswd > registry_htpasswd
#ngx密码文件
echo "reguser:`openssl passwd -crypt regpasswd 2> /dev/null`" > registry_ngxpasswd

启动registry容器

docker run -d \
 -v /data/docker/registry/registry/:/var/lib/registry/ \
 -v /data/docker/registry/ssl/:/etc/docker/registry/ssl/ \
 -v /data/docker/registry/auth/:/etc/docker/registry/auth/ \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/registry/ssl/registry.mydocker.com.crt \
 -e REGISTRY_HTTP_TLS_KEY=/etc/docker/registry/ssl/registry.mydocker.com.key \
 -e REGISTRY_AUTH=htpasswd \
 -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/etc/docker/registry/auth/registry_htpasswd \
 --restart=always  \
 --name registry.mydocker.com \
 --hostname registry.mydocker.com \
 registry

配置ngx

map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}

server {
        listen 127.0.0.1:443 ssl;
        server_name registry.mydocker.com;
        index index.html index.htm index.php;
        root /data/web/webclose/;

        include ssl_registry.mydocker.com.conf;
        include deny_file.conf;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
        chunked_transfer_encoding on;

        location / {
           # Do not allow connections from docker 1.5 and earlier
           # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
           if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
               return 404;
           }

           # To add basic authentication to v2 use auth_basic setting.
           auth_basic "Registry realm";
           auth_basic_user_file /data/docker/registry/auth/registry_ngxpasswd;

           ## If $docker_distribution_api_version is empty, the header is not added.
           ## See the map directive above where this variable is defined.
           add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

           proxy_pass         https://172.17.0.2:5000;
           expires off;
           proxy_set_header   Host              $host;
           proxy_set_header   X-Real-IP         $remote_addr;
           proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
           proxy_set_header   X-Forwarded-Proto $scheme;
        }
        access_log /data/logs/$host.log access;
}

使用api

curl -XGET -u reguser:regpasswd https://registry.mydocker.com/v2/_catalog

登录registry

配置认证后，使用 pull push 镜像时需要登陆registry

[root@Docker_Machine_192.168.31.130 ~]# docker login -u=reguser -p=regpasswd registry.mydocker.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@Docker_Machine_192.168.31.130 ~]# docker logout registry.mydocker.com
Removing login credentials for registry.mydocker.com

登录后就可以正常pull push等操作了。