参考:http://book.itmuch.com/3%20%E4%BD%BF%E7%94%A8Docker%E6%9E%84%E5%BB%BA%E5%BE%AE%E6%9C%8D%E5%8A%A1/3.5%20Docker%E7%A7%81%E6%9C%89%E4%BB%93%E5%BA%93%E7%9A%84%E6%90%AD%E5%BB%BA%E4%B8%8E%E4%BD%BF%E7%94%A8.html
https://www.cnblogs.com/zhaojiankai/p/7813969.html

部署Registry仓库(废)

docker使用国内镜像进行加速

常用站点(注意:以下部分镜像站可能已停止服务,使用前请先确认可用;优先选用 https:// 地址——经明文 http 镜像源按 tag 拉取时,返回的 manifest 没有传输层保护,存在被中间人篡改的可能)

https://registry.docker-cn.com
http://hub-mirror.c.163.com
https://3laho3y3.mirror.aliyuncs.com
http://f1361db2.m.daocloud.io
https://mirror.ccs.tencentyun.com
http://mirrors.ustc.edu.cn/

编辑文件/etc/docker/daemon.json
insecure-registries 指定允许以明文 http(或 https 但不校验证书)访问的私有仓库 ip:port。发往这类仓库的账号密码没有传输层保护,因此只应填写回环地址(如下面的 127.0.0.1:5000)或确实可信的内网主机;仓库启用 TLS 并把证书放到 /etc/docker/certs.d/ 之后(见下文),应把对应条目从这里删掉。registry-mirrors 为拉取加速镜像源,优先使用 https:// 地址。

{
"registry-mirrors": ["https://registry.docker-cn.com","http://hub-mirror.c.163.com","https://docker.mirrors.ustc.edu.cn"],
"insecure-registries": ["127.0.0.1:5000"]
}

重启docker daemon

# Restart the daemon so the edited /etc/docker/daemon.json is read.
# NOTE(review): unless live-restore is configured this also restarts every running container;
# schedule it accordingly.
systemctl restart docker.service

下载registry镜像

# Fetch the registry server image from Docker Hub (through the mirrors configured above, if any).
# NOTE(review): a bare image name resolves to the :latest tag; for a reproducible deployment pin a
# tag or a digest (registry:2@sha256:...) and use that same reference in the `docker run` commands.
docker pull registry:latest

创建数据卷

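# One-time setup of the host directories that are bind-mounted into the registry container:
#   docker-registry       -> /var/lib/registry (image blobs and manifests)
#   docker-registry-auth  -> /auth (the htpasswd credential file)
sudo mkdir -p /opt/docker-registry/docker-registry /opt/docker-registry/docker-registry-auth
# The auth directory will hold password hashes; keep it unreadable for other local users.
sudo chmod 700 /opt/docker-registry/docker-registry-auth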

# Teardown ONLY: this wipes every stored image blob and the htpasswd file. It is not part of the
# setup sequence; run it only when rebuilding the registry from scratch.
sudo rm -rf -- /opt/docker-registry/docker-registry /opt/docker-registry/docker-registry-auth

生成SSL证书

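# Generate a self-signed TLS certificate for the registry.
# The CN/SAN must be the exact name Docker clients dial (registry.docker.com here), i.e. the name
# used in /etc/hosts, in /etc/docker/certs.d/<name>:5000 and in `docker login` below.
# NOTE(review): the original request carried the name only in the CN; recent Docker releases
# (Go TLS) will typically reject a certificate that has no matching subjectAltName, so the SAN
# is added explicitly. -addext needs OpenSSL >= 1.1.1.
# NOTE(review): the notes also had a 10-year (-days 3650, rsa:2048) variant with an undefined
# ${dir}; a long-lived self-signed cert is a liability if the key leaks — keep validity short
# and re-issue, and fix the duplicate CN that variant contained.
REGISTRY_HOST=registry.docker.com
sudo mkdir -p /opt/registry/certs/
# The target directory is root-owned (created with sudo), so openssl needs sudo to write there.
sudo openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
  -subj "/C=CN/ST=FuJian/L=FuZhou/O=Company/CN=${REGISTRY_HOST}" \
  -addext "subjectAltName=DNS:${REGISTRY_HOST}" \
  -keyout /opt/registry/certs/registry-test.key \
  -out /opt/registry/certs/registry-test.crt
# The private key is what proves the registry's identity; only root should be able to read it.
sudo chmod 600 /opt/registry/certs/registry-test.key

# Interactive equivalent (prompts shown when -subj is omitted); only Common Name matters:
#Country Name (2 letter code) [XX]:CN
#State or Province Name (full name) []:FuJian
#Locality Name (eg, city) [Default City]:FuZhou
#Organization Name (eg, company) [Default Company Ltd]:dasu
#Organizational Unit Name (eg, section) []:edu
#Common Name (eg, your name or your server's hostname) []:registry.docker.com
#Email Address []:1368299513@qq.com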

在每一个 docker 客户端宿主机上配置 /etc/hosts,使其能把域名 "registry.docker.com" 解析到仓库所在主机的 IP(只有在仓库所在主机本身上才能写 127.0.0.1,其他客户端要写仓库主机的局域网地址,例如本文的 192.168.221.128)。然后在 /etc/docker/certs.d/ 下创建与该域名和端口一致的目录,用于存放要信任的证书(这里的域名是假的,只靠 hosts 解析)。把自签证书放进 certs.d 后,客户端就不再需要把该仓库加入 insecure-registries。

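# On EVERY Docker client host: make the registry name resolvable and trust its self-signed cert.
# NOTE(review): 127.0.0.1 only works on the registry host itself; on any other client the entry
# must be the registry host's LAN address (192.168.221.128 in these notes).
REGISTRY_HOST=registry.docker.com
REGISTRY_IP=127.0.0.1        # replace with the registry's real IP on remote clients
# Append only if the name is not already present, so re-running does not duplicate the entry.
grep -qF "${REGISTRY_HOST}" /etc/hosts \
  || printf '%s %s\n' "${REGISTRY_IP}" "${REGISTRY_HOST}" | sudo tee -a /etc/hosts >/dev/null

# Docker trusts a per-registry CA placed at /etc/docker/certs.d/<host>:<port>/ca.crt.
# Pinning the self-signed cert here is what lets clients stay out of "insecure-registries".
sudo mkdir -p "/etc/docker/certs.d/${REGISTRY_HOST}:5000"

# Copy the certificate (never the .key) to each client host; no daemon restart is needed.
# (Unquoted, the original's "\:" was reduced to ":" by the shell, so the path is the same.)
scp -p /opt/registry/certs/registry-test.crt "root@192.168.221.128:/etc/docker/certs.d/${REGISTRY_HOST}:5000/ca.crt"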

创建用户授权文件

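# Create the htpasswd file with one user (bcrypt hash via -B; the registry expects bcrypt).
# Run as root (the original notes do too), since the auth directory is root-owned.
# NOTE(review): the original passed the password on the command line (-Bbn user pass), which
# exposes it in `ps`, shell history and the docker daemon's logs/audit trail. `-i` makes htpasswd
# read it from stdin instead; `--rm` replaces the named temp container + `docker rm` dance.
# NOTE(review): newer registry images may no longer ship the htpasswd binary; if the entrypoint
# is missing, run the same arguments against the httpd:2 image (`--entrypoint htpasswd httpd:2`).
REGISTRY_USER=wyy
# Example in the notes used 123456; prompt so the secret never lands in the notes or argv.
read -rs -p "Password for ${REGISTRY_USER}: " REGISTRY_PASSWORD; echo
# '>>' appends, so running this twice adds a duplicate entry; use '>' to start the file over.
printf '%s\n' "${REGISTRY_PASSWORD}" \
  | docker run -i --rm --entrypoint htpasswd registry -Bin "${REGISTRY_USER}" \
  | sudo tee -a /opt/docker-registry/docker-registry-auth/htpasswd >/dev/null
unset REGISTRY_PASSWORD
# The hashes are still worth protecting from offline cracking by other local users.
sudo chmod 600 /opt/docker-registry/docker-registry-auth/htpasswd

# Show the resulting entry (user:$2y$...).
sudo cat /opt/docker-registry/docker-registry-auth/htpasswd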

运行容器

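# Variant 1: plain HTTP (no TLS). A browser opening /v2/ is prompted for the htpasswd credentials.
# NOTE(review): htpasswd is HTTP Basic auth, so without TLS the username and password cross the
# wire in the clear; the Docker client will only talk plain HTTP to a host listed in
# insecure-registries. Bind the published port to loopback so nothing off-box can reach it —
# this matches "insecure-registries": ["127.0.0.1:5000"] in daemon.json. Never publish this
# variant on a LAN interface.
# REGISTRY_STORAGE_DELETE_ENABLED=true lets any authenticated user delete manifests (needed for
# the curl DELETE further down). The auth mount is read-only; the registry only reads it.
sudo docker run -d -p 127.0.0.1:5000:5000 --restart=always --name my-registry \
  -v /opt/docker-registry/docker-registry-auth:/auth:ro \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "REGISTRY_STORAGE_DELETE_ENABLED=true" \
  -v /opt/docker-registry/docker-registry:/var/lib/registry/ \
  registry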

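# Variant 2: TLS (preferred). Same htpasswd settings, plus the cert/key generated under
# /opt/registry/certs. A browser opening /v2/ is prompted for the htpasswd credentials.
# Clients must dial the registry as registry.docker.com (the cert's name) and trust
# registry-test.crt via /etc/docker/certs.d/registry.docker.com:5000/ca.crt.
# Both the credential and the certificate directories are mounted read-only: the registry only
# needs to read them, and a read-only mount keeps a compromised container from rewriting them.
# REGISTRY_STORAGE_DELETE_ENABLED=true lets any authenticated user delete manifests.
sudo docker run -d -p 5000:5000 --restart=always --name my-registry \
  -v /opt/docker-registry/docker-registry-auth:/auth:ro \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "REGISTRY_STORAGE_DELETE_ENABLED=true" \
  -v /opt/docker-registry/docker-registry:/var/lib/registry/ \
  -v /opt/registry/certs:/certs:ro \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-test.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry-test.key \
  registry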


# NOTE(review): the commented-out --privileged=true is not needed by the registry and would hand
# the container every host capability; leave it off.
# To drive the registry from a config file instead of -e variables, add:
#   -v ${dir}/config.yml:/etc/docker/registry/config.yml
# Tear the container down (stop, then remove; a second run of `docker run` needs the name free).
sudo docker container stop my-registry
sudo docker container rm my-registry

# Open a shell inside the running container for troubleshooting.
sudo docker exec -i -t my-registry sh

仓库配置文件

https://docs.docker.com/registry/configuration/

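# Registry configuration (indentation restored; the notes had the YAML flattened to column 0,
# which does not parse as the intended structure). Per the configuration docs linked above,
# REGISTRY_<SECTION>_<KEY> environment variables override these values, so the auth/TLS
# settings given with -e still apply when this file is mounted at /etc/docker/registry/config.yml.
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  # Required for manifest DELETE (same effect as REGISTRY_STORAGE_DELETE_ENABLED=true).
  delete:
    enabled: true
http:
  # Listens on all interfaces inside the container; host exposure is decided by `docker run -p`.
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3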

登录docker registry

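# Log in with the user created in the htpasswd step.
# NOTE(review): `-p 123456` puts the password in argv (visible in `ps` and shell history).
# Omit -p to be prompted, or pipe it in with `--password-stdin` from a secret store.
# Because of sudo, the credentials are stored (base64, not encrypted) in root's
# ~/.docker/config.json unless a credential helper is configured.
sudo docker login -u wyy registry.docker.com:5000
# Remove the stored credentials when done.
sudo docker logout registry.docker.com:5000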

验证是否运行成功

打开浏览器,访问下面的链接

# 启用 TLS 后必须用 https 访问,并带上对外发布的 5000 端口;浏览器会弹出 htpasswd 账号密码的输入框
https://registry.docker.com:5000/v2/_catalog

返回{"repositories":[]}说明正常

推送镜像到私有仓库

# A push is refused as unauthorized until `docker login` has succeeded against this registry.
# Re-tag a local image under the private registry's name: the host:port prefix is what selects
# the push target. (The notes use the locally present `registry` image as the payload.)
docker image tag registry:latest registry.docker.com:5000/nginx:latest
docker image push registry.docker.com:5000/nginx:latest

私有仓库拉取镜像到本地

# Pull the image back from the private registry; the client must either trust its certificate
# (certs.d) or have the registry listed under insecure-registries.
docker image pull registry.docker.com:5000/nginx:latest

私有仓库操作

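# Registry HTTP API v2 queries against the TLS registry.
# NOTE(review): --insecure switches off certificate checking, which throws away the TLS setup
# above; pin the self-signed cert with --cacert instead. `--user wyy:123456` leaves the password
# in `ps` and shell history; put `machine registry.docker.com login wyy password ...` in ~/.netrc
# (mode 600) and use --netrc, or pass only `--user wyy` and let curl prompt.
# The {image_name}/{image_tag} placeholders are shell variables here, so curl's brace-globbing
# never sees them.
REGISTRY=https://registry.docker.com:5000
CA=/opt/registry/certs/registry-test.crt
IMAGE_NAME=nginx
IMAGE_TAG=latest

# List repositories.
curl -s --cacert "${CA}" --netrc "${REGISTRY}/v2/_catalog"
# List the tags of one repository.
curl -s --cacert "${CA}" --netrc "${REGISTRY}/v2/${IMAGE_NAME}/tags/list"

# Deletion is by manifest digest, not by tag. Request the v2 manifest schema, otherwise the digest
# returned may be that of a converted manifest and the DELETE will not match.
# (-I already sends HEAD; the original's extra -X HEAD was redundant.)
DIGEST=$(curl -s --cacert "${CA}" --netrc -I \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  "${REGISTRY}/v2/${IMAGE_NAME}/manifests/${IMAGE_TAG}" \
  | awk 'tolower($1) == "docker-content-digest:" { print $2 }' | tr -d '\r')
# e.g. sha256:6832be243d5328ab03b34a794f14de591b492833f2ef1bc7267bd69c73253dcb
printf '%s\n' "${DIGEST}"

# Requires REGISTRY_STORAGE_DELETE_ENABLED=true on the registry; any authenticated htpasswd user
# can do this, so treat the credential accordingly.
curl --cacert "${CA}" --netrc -X DELETE "${REGISTRY}/v2/${IMAGE_NAME}/manifests/${DIGEST}"

# After the DELETE the repository still shows up in _catalog and its tag list turns to null, and
# pulls fail: only the manifest/tag reference is gone, the layer blobs stay on disk until garbage
# collection. To make the repository name itself disappear, remove its directory under
#   /var/lib/registry/docker/registry/v2/repositories/<image_name>
# inside the registry container (or the bind-mounted host path).

# Reclaim disk: garbage-collect blobs no manifest references any more.
# NOTE(review): run this with the registry stopped or switched to read-only mode
# (storage.maintenance.readonly in the config) — a push racing the collector can lose layers.
# The original used a placeholder container name ("name"); it is my-registry here.
docker exec my-registry bin/registry garbage-collect /etc/docker/registry/config.yml
# Where the blobs live inside the container:
#   /var/lib/registry/docker/registry/v2/blobs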

部署registry web

https://github.com/jc21/docker-registry-ui

https://www.github.com/squidnyan/docker-registry-ui

harbor

安装docker-registry-frontend

https://hub.docker.com/r/konradkleine/docker-registry-frontend/

# Variant 1 (registry without TLS): the UI reaches the registry through the legacy --link alias
# (container-to-container, so it works even if the registry port is bound to loopback on the host).
# ENV_MODE_BROWSE_ONLY=true is meant to hide delete actions in the UI; it is not an access
# control — the registry's own auth still decides what a caller may do.
# Port 443 is published but nothing listens there unless ENV_USE_SSL is set (see the TLS variant).
sudo docker run -d \
  --name registry-frontend \
  --restart always \
  --link my-registry \
  -p 8089:80 \
  -p 8443:443 \
  -e ENV_DOCKER_REGISTRY_HOST=my-registry \
  -e ENV_DOCKER_REGISTRY_PORT=5000 \
  -e ENV_MODE_BROWSE_ONLY=true \
  konradkleine/docker-registry-frontend:latest

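# Variant 2 (registry with TLS at 192.168.221.128). The frontend is pointed at the registry by
# name and serves HTTPS itself on 443. The certs.d mount presumably lets it trust the
# self-signed registry cert — confirm against the image's documentation.
# NOTE(review): the registry's own certificate AND private key are reused for the frontend's
# HTTPS. The browser reaches the frontend under a name other than the cert's CN/SAN
# (registry.docker.com), so it will warn anyway; issue a separate cert for the UI and do not
# hand the registry's private key to a second service.
# All mounts are read-only (:ro) — the frontend only reads them. `-d` is added so the shell is
# not left attached to the container (the no-TLS variant above already detaches).
sudo docker run -d \
  --name registry-frontend \
  --restart always \
  --add-host registry.docker.com:192.168.221.128 \
  -p 443:443 \
  -e ENV_USE_SSL=yes \
  -e ENV_DOCKER_REGISTRY_HOST=registry.docker.com \
  -e ENV_DOCKER_REGISTRY_PORT=5000 \
  -e ENV_DOCKER_REGISTRY_USE_SSL=1 \
  -e ENV_REGISTRY_PROXY_PORT=5000 \
  -e ENV_REGISTRY_PROXY_FQDN=registry.docker.com \
  -e ENV_DEFAULT_REPOSITORIES_PER_PAGE=50 \
  -v /opt/registry/certs/registry-test.crt:/etc/apache2/server.crt:ro \
  -v /opt/registry/certs/registry-test.key:/etc/apache2/server.key:ro \
  -v /etc/docker/certs.d:/etc/docker/certs.d:ro \
  konradkleine/docker-registry-frontend:latest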

# The three ENV_* settings the notes repeated here are the TLS-proxy options already used above:
#   ENV_DOCKER_REGISTRY_USE_SSL=1  ENV_REGISTRY_PROXY_FQDN=registry.docker.com  ENV_REGISTRY_PROXY_PORT=5000

# Shell into the running frontend for troubleshooting.
sudo docker exec -i -t registry-frontend bash

# Tear the frontend down (stop, then remove).
sudo docker container stop registry-frontend
sudo docker container rm registry-frontend

# The next two lines belong INSIDE the container shell opened above, not on the host (on the host
# they would edit the host's Apache config, if any): set a ServerName — presumably to silence
# Apache's "could not determine FQDN" warning — and restart Apache so it is picked up.
printf 'ServerName 127.0.0.1:80\n' >> /etc/apache2/apache2.conf
/etc/init.d/apache2 restart

浏览器访问 localhost:8089,输入仓库的 htpasswd 账号密码即可访问(8089 是明文 HTTP,账号密码会经前端以 Basic Auth 转发,只在可信主机或回环地址上使用)

安装docker-registry-web

https://hub.docker.com/r/hyper/docker-registry-web/

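# my-registry is the registry container's name; the UI reaches the registry at http://<registry>:5000/v2
# REGISTRY_BASIC_AUTH is base64("user:password"), sent by the UI as HTTP Basic auth.
# NOTE(review): `echo "wyy:123456" | base64` also encodes echo's trailing newline, giving
# d3l5OjEyMzQ1Ngo= (= "wyy:123456\n"); whether the UI tolerates that stray byte is not verified.
# Encode without the newline:
REGISTRY_BASIC_AUTH=$(printf '%s' "wyy:123456" | base64)   # d3l5OjEyMzQ1Ng==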

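# Variant 1: registry reachable over plain HTTP on the docker bridge network.
# NOTE(review): 172.17.0.2 is whatever bridge address the registry container received; it may
# change across restarts. A user-defined network plus the container name (my-registry) is stable.
# REGISTRY_READONLY=true keeps the UI from issuing deletes. The token is base64("wyy:123456")
# without a trailing newline. $(pwd) is quoted so a working directory with spaces still works.
sudo docker run -d --restart=always \
  -p 8088:8080 \
  --name registry-web \
  --add-host registry.docker.com:172.17.0.2 \
  -e REGISTRY_URL=http://172.17.0.2:5000/v2 \
  -e REGISTRY_NAME=127.0.0.1:5000 \
  -e REGISTRY_BASIC_AUTH="d3l5OjEyMzQ1Ng==" \
  -e REGISTRY_READONLY=true \
  -v "$(pwd)/db:/data" \
  hyper/docker-registry-web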

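# Variant 2: registry over TLS, with delete allowed from the UI (REGISTRY_READONLY=false).
# NOTE(review): REGISTRY_TRUST_ANY_SSL=true disables certificate verification toward the registry,
# so the certs.d mount buys nothing; if the image can consume a CA bundle, point it at
# registry-test.crt and set this to false.
# NOTE(review): /conf/auth.key is the registry's TLS private key reused as a token-signing key.
# Generate a dedicated key for that. The registry above is configured for htpasswd, not token
# auth, so what REGISTRY_AUTH_ENABLED achieves here is unclear from these notes — confirm
# against the image's documentation.
# Mounts the UI only reads are :ro; $(pwd) is quoted. Token is base64("wyy:123456") w/o newline.
sudo docker run -d --restart=always \
  -p 8088:8080 \
  --name registry-web \
  --add-host registry.docker.com:192.168.221.128 \
  -e REGISTRY_URL=https://registry.docker.com:5000/v2 \
  -e REGISTRY_NAME=127.0.0.1:5000 \
  -e REGISTRY_BASIC_AUTH="d3l5OjEyMzQ1Ng==" \
  -e REGISTRY_READONLY=false \
  -e REGISTRY_TRUST_ANY_SSL=true \
  -e REGISTRY_AUTH_ENABLED=true \
  -v /etc/docker/certs.d:/etc/docker/certs.d:ro \
  -v "$(pwd)/registry-web.yml:/conf/config.yml:ro" \
  -v /opt/registry/certs/registry-test.key:/conf/auth.key:ro \
  -v "$(pwd)/db:/data" \
  hyper/docker-registry-web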

# Shell into the running UI container for troubleshooting.
sudo docker exec -i -t registry-web bash

# Tear the UI container down (stop, then remove).
sudo docker container stop registry-web
sudo docker container rm registry-web

conf/registry-web.yml

admin/admin(此处记录的是 Web 界面的登录账号;若这是镜像自带的默认账号,部署后应立即修改,不要以默认口令对外暴露 8088 端口)

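# docker-registry-web configuration (indentation restored: the notes had it flattened; `auth`
# nests under `registry`, matching the upstream example these comments come from).
registry:
  # Docker registry url
  # NOTE(review): this is the registry container's bridge IP, which may change across restarts.
  url: '172.17.0.2:5000/v2'
  # web registry context path
  # empty string for root context, /app to make web registry accessible on http://host/app
  # context_path: ''
  # Trust any SSL certificate when connecting to registry
  # NOTE(review): disables certificate verification; acceptable only for a loopback/lab registry.
  trust_any_ssl: true
  # base64 encoded "user:password" for basic authentication.
  # NOTE(review): encode with `printf '%s' 'wyy:123456' | base64`; the echo-based value in the
  # notes (d3l5OjEyMzQ1Ngo=) carried a trailing newline.
  basic_auth: 'd3l5OjEyMzQ1Ng=='
  # To allow image delete, should be false
  readonly: false
  # Docker registry fqdn
  name: 'localhost:5000'
  # Authentication settings
  auth:
    # Enable authentication
    enabled: true
    # Allow registry anonymous access
    # allow_anonymous: true # not implemented
    # Token issuer
    # should equal auth.token.issuer of the docker registry
    issuer: 'wyy'
    # Private key for token signing
    # certificate used on auth.token.rootcertbundle should be signed by this key
    # NOTE(review): the notes mount the registry's TLS key here; use a dedicated signing key.
    key: /conf/auth.key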

浏览器访问localhost:8088