Docker: Creating a Local Image Registry
Docker installation: https://www.cnblogs.com/jhxxb/p/11410816.html
1. Installing the registry service
Creating an SSL certificate
https://docs.docker.com/engine/security/protect-access
https://docs.docker.com/registry/insecure/#use-self-signed-certificates
Normally a certificate is only valid for the domain name in it. To make it valid for access by IP address as well, add a subjectAltName entry to openssl.cnf before generating the certificate (the path below is the RHEL/CentOS one; on Debian/Ubuntu it is /etc/ssl/openssl.cnf). Docker and other Go-based clients check the SAN list, not the Common Name, so list every name and IP the registry will be reached by, for example subjectAltName = DNS:myregistry.domain.com,IP:10.74.2.71. On OpenSSL 1.1.1 or newer you can instead pass -addext "subjectAltName=DNS:myregistry.domain.com,IP:10.74.2.71" to openssl req and leave openssl.cnf untouched.
# In the [ v3_ca ] section, add a subjectAltName option
sudo vim /etc/pki/tls/openssl.cnf

[ v3_ca ]
subjectAltName = IP:10.74.2.71

# Generate the certificate; use the registry domain name as the Common Name
mkdir -p certs
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:myregistry.domain.com
Email Address []:

# Fix the SELinux label on the directory, then install the certificate on every
# Docker client host that will pull from the registry. The directory name under
# /etc/docker/certs.d must be exactly the host:port used in image references.
sudo chcon -Rt svirt_sandbox_file_t ./certs
sudo mkdir -p /etc/docker/certs.d/10.74.2.71:5000/
sudo cp ./certs/domain.crt /etc/docker/certs.d/10.74.2.71:5000/ca.crt
Creating accounts
https://docs.docker.com/registry/configuration/#auth
https://docs.docker.com/registry/deploying/#native-basic-auth
In Linux, > overwrites the target file and >> appends to it; either of the two commands below writes a username/password entry. Keep the -B flag: the registry's htpasswd backend only accepts bcrypt entries and ignores any other hash type, so an MD5 or SHA entry simply fails at docker login. The first command pins registry:2.6.2 because later registry images no longer ship the htpasswd binary; httpd:2 is the image the current Docker docs use. Passing the password on the command line leaves it in shell history, so treat this as a test-only shortcut.
docker run --rm --entrypoint htpasswd registry:2.6.2 -Bbn user pass >> /opt/registry/auth/htpasswd
docker run --rm --entrypoint htpasswd httpd:2 -Bbn user pass >> /opt/registry/auth/htpasswd
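The two mistakes this step invites are an entry that is not bcrypt (the registry ignores it, and the login just fails) and a duplicate user left behind by appending with >> instead of overwriting. The following lint script is an added example in Python; it is not part of the original post or of the registry project. The sample file contents are constructed for the example and the hashes are not real credentials.

```python
import re
import sys

# The registry's htpasswd backend only understands bcrypt entries ($2a$/$2b$/$2y$);
# MD5 ($apr1$), SHA ({SHA}) or crypt entries are silently ignored at docker login.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample file for this example (the hashes are not real credentials).
SAMPLE_HTPASSWD = """\
alice:$2y$05$MoBkIfn5Q34XnkgNFFqhZuc5dfbrKzQIvRAcMcn6YA8pcrSlS0ZCa
bob:$apr1$q3Q4ZTwb$oZ8nC6ERq9ZyY0fwuQ8KU1
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
alice:$2y$05$MoBkIfn5Q34XnkgNFFqhZuc5dfbrKzQIvRAcMcn6YA8pcrSlS0ZCa
dave:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
"""


def lint_htpasswd(text):
    """Return (usable_users, problems); each problem is (line number, message)."""
    users, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user:
            problems.append((lineno, "malformed line, expected user:hash"))
        elif not BCRYPT_RE.match(hashed):
            problems.append((lineno, f"{user}: not a bcrypt hash, the registry will ignore it"))
        elif user in users:
            problems.append((lineno, f"{user}: duplicate entry (file appended with >> ?)"))
        else:
            users.append(user)
    return users, problems


if __name__ == "__main__":
    # Usage: python3 lint_htpasswd.py /opt/registry/auth/htpasswd (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    users, problems = lint_htpasswd(text)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print("usable users:", users)
```

Run it against /opt/registry/auth/htpasswd after every edit; only the users it reports as usable will be able to docker login.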
Creating the image registry
docker run -d --name registry \
  --restart=always --privileged=true \
  -v /opt/registry/data:/var/lib/registry \
  -e REGISTRY_STORAGE_DELETE_ENABLED=true \
  -v /opt/registry/auth:/auth \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM=basic-realm \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /opt/registry/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 5000:5000 \
  registry
-v /opt/registry/data:/var/lib/registry: custom path where the image data is stored
-e REGISTRY_STORAGE_DELETE_ENABLED=true: enables deleting images (manifests and blobs) through the API
-v /opt/registry/auth:/auth: path of the htpasswd file used to verify the username/password at docker login
-v /opt/registry/certs:/certs: path of the TLS certificate and key the registry serves; copy the certs directory generated above to /opt/registry/certs (or adjust the mount). Clients verify this certificate against the ca.crt installed under /etc/docker/certs.d.
Two cautions: --privileged=true is not needed by the registry and gives the container access to all host devices, so leave it out; and -p 5000:5000 publishes the registry on every host interface, which is why TLS and htpasswd auth are configured before it is exposed.
Editing the configuration
https://github.com/Joxit/docker-registry-ui#using-cors
https://github.com/distribution/distribution/blob/main/docs/configuration.md
docker exec -it registry vi /etc/docker/registry/config.yml

version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

docker restart registry

The auth and TLS settings do not need to appear in this file: the REGISTRY_* environment variables passed to docker run override the file. Two things to keep in mind: edits made inside the container are lost when the container is recreated, so keep a copy of config.yml on the host and mount it over /etc/docker/registry/config.yml instead; and Access-Control-Allow-Origin: ['*'] together with DELETE lets any web page the browser visits talk to the registry API, so restrict the origin to the address of the UI from section 3 once it is running.
2. Basic usage
Disabling HTTPS verification for docker login (only if the registry has no TLS configured): edit the Docker daemon config file /etc/docker/daemon.json and add "insecure-registries": ["10.74.2.71:5000"]. With this setting the daemon falls back to plain HTTP (or accepts an unverifiable certificate) for that registry, so htpasswd credentials can cross the network in clear text; it is a testing shortcut, not a substitute for installing ca.crt under /etc/docker/certs.d as shown in section 1.
https://docs.docker.com/registry/deploying/#considerations-for-air-gapped-registries
{
  "registry-mirrors": ["https://82m9ar63.mirror.aliyuncs.com", "https://hub-mirror.c.163.com"],
  "insecure-registries": ["10.74.2.71:5000"]
}
Restart the service
systemctl daemon-reload && systemctl restart docker
Commands
https://docs.docker.com/registry/#basic-commands
# log in / log out (-p on the command line lands in shell history;
# --password-stdin reads the password from stdin instead)
docker login 10.74.2.71:5000 -u user -p pass
docker logout 10.74.2.71:5000
# copy an image under a new name (to test the push in the next step);
# the host:port in the tag must be the registry you logged in to
docker tag 28dzdaf856cb 11.71.91.51:5000/openjdk:alpine
# push the image to the local registry
docker push 11.71.91.51:5000/openjdk:alpine
# pull the image from the local registry
docker pull 11.71.91.51:5000/openjdk:alpine
Deleting (through the API or the UI) only removes the manifest/tag reference; the layer blobs stay on disk until garbage collection is run by hand
https://docs.docker.com/registry/garbage-collection/#run-garbage-collection
docker exec -it registry sh
registry garbage-collect /etc/docker/registry/config.yml
du -sch /var/lib/registry

Per the Docker docs, run garbage collection with the registry stopped or in read-only mode, because a push that lands during the run can leave the store inconsistent. registry garbage-collect --dry-run lists what would be removed without deleting anything.
API
https://github.com/distribution/distribution/blob/main/docs/spec/api.md
# list the repositories in the local registry
curl http://11.71.91.51:5000/v2/_catalog
# list the tags of a repository in the local registry
curl http://11.71.91.51:5000/v2/openjdk/tags/list

These plain http:// calls only work against a registry without TLS. With TLS and htpasswd configured as in section 1, use https://, pass -u user:pass, and point curl at the self-signed certificate with --cacert (the ca.crt installed under /etc/docker/certs.d, or /opt/registry/certs/domain.crt on the server) instead of turning verification off with -k.
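The catalog and tags calls above are the first two steps of the delete flow that the DELETE_IMAGES option of the UI and the garbage-collection step rely on: resolve a tag to its manifest digest and DELETE by that digest. The following client is an added example in Python, not code from the original post or from the distribution project. It uses only the v2 API paths documented in the spec link above, the registry address and user/pass from this page, and a constructed in-memory stand-in (fake_registry, not a real server) so it runs offline; urllib_send is the real transport, taking the ca.crt path from section 1 so TLS is verified rather than skipped. Two details it demonstrates that the curl one-liners do not: /v2/_catalog is paged and must be followed through the Link header, and the manifest request needs the schema2 Accept header or the returned digest is not the one a DELETE will find.

```python
import base64
import json
import re
import ssl
import urllib.request
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlsplit

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def urllib_send(cafile=None):
    """Real transport; cafile = the registry's self-signed ca.crt, so TLS is verified."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers):
        try:
            with urllib.request.urlopen(urllib.request.Request(url, method=method, headers=headers), context=ctx) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except HTTPError as err:  # urllib raises on 401/404; surface the status instead
            return err.code, dict(err.headers), err.read()
    return send


class RegistryClient:
    def __init__(self, base_url, send, user=None, password=None):
        self.base, self.send, self.auth = base_url.rstrip("/"), send, {}
        if user is not None:  # htpasswd auth is plain HTTP Basic on every request
            cred = base64.b64encode(f"{user}:{password}".encode()).decode()
            self.auth["Authorization"] = "Basic " + cred

    def _call(self, method, path, accept=None, want=200):
        headers = dict(self.auth, **({"Accept": accept} if accept else {}))
        status, hdrs, body = self.send(method, self.base + path, headers)
        if status != want:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return {k.lower(): v for k, v in hdrs.items()}, body

    def repositories(self, page_size=100):
        repos, path = [], f"/v2/_catalog?n={page_size}"
        while path:  # /v2/_catalog is paged: follow Link: <...>; rel="next"
            hdrs, body = self._call("GET", path)
            repos += json.loads(body)["repositories"]
            nxt = re.search(r'<([^>]+)>;\s*rel="next"', hdrs.get("link", ""))
            path = nxt.group(1) if nxt else None
        return repos

    def tags(self, repo):  # "tags": null once every tag of a repo is deleted
        return json.loads(self._call("GET", f"/v2/{repo}/tags/list")[1])["tags"] or []

    def digest(self, repo, tag):
        """Tag -> digest; without the Accept header a schema1 digest may come back and DELETE 404s."""
        hdrs, _ = self._call("GET", f"/v2/{repo}/manifests/{tag}", MANIFEST_V2)
        return hdrs["docker-content-digest"]

    def purge_tag(self, repo, tag):
        """DELETE by digest (needs storage.delete.enabled, 202 on success); blobs wait for garbage-collect."""
        digest = self.digest(repo, tag)
        self._call("DELETE", f"/v2/{repo}/manifests/{digest}", want=202)
        return digest


SAMPLE_STATE = {  # constructed sample data for the offline demo: repo -> {tag: digest}
    "openjdk": {"alpine": "sha256:" + "a" * 64, "slim": "sha256:" + "b" * 64},
    "nginx": {"latest": "sha256:" + "c" * 64}, "redis": {"7": "sha256:" + "d" * 64},
}


def fake_registry(state, user="user", password="pass"):
    """Offline stand-in for the registry (not a real server); deletes mutate `state`."""
    expected = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method, url, headers):
        if headers.get("Authorization") != expected:
            return 401, {"WWW-Authenticate": 'Basic realm="basic-realm"'}, b""
        url, hdrs = urlsplit(url), {}
        if url.path == "/v2/_catalog":
            q = parse_qs(url.query)
            n, last = int(q.get("n", ["100"])[0]), q.get("last", [""])[0]
            names = [r for r in sorted(state) if r > last][:n]
            if names and names[-1] < max(state):
                hdrs["Link"] = f'</v2/_catalog?n={n}&last={names[-1]}>; rel="next"'
            return 200, hdrs, json.dumps({"repositories": names}).encode()
        m = re.fullmatch(r"/v2/(.+)/tags/list", url.path)
        if m and m.group(1) in state:
            body = {"name": m.group(1), "tags": sorted(state[m.group(1)]) or None}
            return 200, hdrs, json.dumps(body).encode()
        m = re.fullmatch(r"/v2/(.+)/manifests/([^/]+)", url.path)
        tags, ref = (state.get(m.group(1), {}), m.group(2)) if m else ({}, None)
        if method == "GET" and ref in tags:  # schema1 digest differs from the schema2 one
            v2 = headers.get("Accept") == MANIFEST_V2
            return 200, {"Docker-Content-Digest": tags[ref] if v2 else "sha256:" + "0" * 64}, b"{}"
        if method == "DELETE" and ref in tags.values():
            for tag in [t for t, d in tags.items() if d == ref]:
                del tags[tag]
            return 202, hdrs, b""
        return 404, hdrs, b""
    return send


if __name__ == "__main__":  # offline demo; for the real registry pass urllib_send("/etc/docker/certs.d/10.74.2.71:5000/ca.crt")
    client = RegistryClient("https://10.74.2.71:5000", fake_registry(SAMPLE_STATE), "user", "pass")
    print(client.repositories(page_size=2), client.purge_tag("openjdk", "alpine"), client.tags("openjdk"))
```

After purge_tag succeeds the tag disappears from tags/list, but the space is only reclaimed by the registry garbage-collect step above; a script that deletes many tags should therefore finish with that step, with the registry stopped or read-only.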
3. Third-party web UI
https://hub.docker.com/r/joxit/docker-registry-ui
Option reference: https://github.com/Joxit/docker-registry-ui#available-options
If the UI itself should also be served over HTTPS: https://github.com/Joxit/docker-registry-ui/tree/main/examples/issue-20
Do not use 127.0.0.1: inside the container it refers to the container itself, not to the host. With REGISTRY_URL the browser calls the registry API directly, which is why the CORS headers from the configuration step are needed; replacing REGISTRY_URL with NGINX_PROXY_PASS_URL makes the UI's own Nginx proxy the registry requests instead, so no cross-origin problem arises and the registry's Access-Control-Allow-Origin can stay restricted.
docker run -d --name registry-ui \
  --restart=always \
  -e DELETE_IMAGES=true \
  -e SINGLE_REGISTRY=true \
  -e PULL_URL=10.74.2.71:5000 \
  -e REGISTRY_URL=https://10.74.2.71:5000 \
  -p 5001:80 \
  joxit/docker-registry-ui
When SINGLE_REGISTRY is set to false (the default), the interface shows a menu that lets the user change the registry URL dynamically.
Browse to port 5001 on the server.
https://hub.docker.com/_/registry
https://docs.docker.com/registry
https://www.cnblogs.com/wswind/p/11854854.html
https://blog.csdn.net/xts_huangxin/article/details/51693890
https://www.cnblogs.com/Dapeng-W/p/docker-registry_htpasswd.html
https://blog.csdn.net/weixin_46380571/article/details/108771308