
Docker registry: a private image repository

Tags: Docker, images, repository, registry
Posted 2023-09-27 14:23:43

Installing Docker: https://www.cnblogs.com/jhxxb/p/11410816.html


1. Installing the registry service

Create an SSL certificate

https://docs.docker.com/engine/security/protect-access

https://docs.docker.com/registry/insecure/#use-self-signed-certificates

By default the certificate is only valid for the domain name in its Common Name. To make it valid for access by IP address as well, the openssl.cnf configuration file has to be edited.

# In the [ v3_ca ] section, add a subjectAltName entry for the registry's IP
sudo mkdir -p /etc/pki/tls
sudo vim /etc/pki/tls/openssl.cnf

[ v3_ca ]
subjectAltName = IP:10.74.2.71

# Generate the certificate; use the registry's domain name as the Common Name
mkdir -p certs
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:myregistry.domain.com
Email Address []:

# Set the SELinux file context, then install the certificate into the Docker client's certs.d directory
sudo chcon -Rt svirt_sandbox_file_t ./certs
sudo mkdir -p /etc/docker/certs.d/10.74.2.71:5000/
sudo cp ./certs/domain.crt /etc/docker/certs.d/10.74.2.71:5000/ca.crt


Create an account

https://docs.docker.com/registry/configuration/#auth

https://docs.docker.com/registry/deploying/#native-basic-auth

In Linux, > overwrites the target file's contents and >> appends to it. Either of the two container images below can generate a username/password entry.

sudo mkdir -p /opt/registry/auth
docker run --rm --entrypoint htpasswd registry:2.6.2 -Bbn user pass >> /opt/registry/auth/htpasswd
docker run --rm --entrypoint htpasswd httpd:2 -Bbn user pass >> /opt/registry/auth/htpasswd


Create the image registry

docker run -d --name registry \
--restart=always --privileged=true \
-v /opt/registry/data:/var/lib/registry \
-e REGISTRY_STORAGE_DELETE_ENABLED=true \
-v /opt/registry/auth:/auth \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=basic-realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 5000:5000 \
registry

-v /opt/registry/data:/var/lib/registry: custom path where the images are stored

-e REGISTRY_STORAGE_DELETE_ENABLED=true: enable image deletion

-v /opt/registry/auth:/auth: path to the auth file, used to check the username and password on docker login

-v /opt/registry/certs:/certs: path to the SSL certificate files, used for HTTPS verification on docker login

Edit the configuration

https://github.com/Joxit/docker-registry-ui#using-cors

https://github.com/distribution/distribution/blob/main/docs/configuration.md

docker exec -it registry vi /etc/docker/registry/config.yml


version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3


docker restart registry


2. Basic usage

To skip HTTPS verification on docker login (when the registry has no SSL configured), edit the Docker configuration file /etc/docker/daemon.json and add "insecure-registries": ["10.74.2.71:5000"]

https://docs.docker.com/registry/deploying/#considerations-for-air-gapped-registries

{
  "registry-mirrors": ["https://82m9ar63.mirror.aliyuncs.com", "https://hub-mirror.c.163.com"],
  "insecure-registries": ["10.74.2.71:5000"]
}

Restart the service

systemctl daemon-reload && systemctl restart docker
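The two ways this page gives the Docker client trust in the registry are a CA file under /etc/docker/certs.d/<host:port>/ca.crt (the daemon verifies the registry's certificate against it) and an "insecure-registries" entry in /etc/docker/daemon.json (the daemon ignores certificate errors and falls back to plain HTTP). The script below is an added example, not code from the original page: it classifies which of the two applies to a registry, edits daemon.json without clobbering the existing registry-mirrors key, and walks the page's registry 10.74.2.71:5000 through both setups in a scratch directory. The state names, the `demo` helper and the scratch paths are the example's own assumptions; the mirror URL and the certs.d layout come from the page.

```python
"""How dockerd will trust a private registry, from its two trust sources.

Added example, not from the original page. It models the page's two setups: a CA
installed at /etc/docker/certs.d/<host:port>/ca.crt (the daemon verifies the
registry's TLS certificate against it) and an "insecure-registries" entry in
/etc/docker/daemon.json (the daemon ignores certificate errors and may fall back
to plain HTTP). Paths are parameters so the demo can run in a scratch directory.
"""
import json
import os
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"
CERTS_D = "/etc/docker/certs.d"


def load_daemon_json(path=DAEMON_JSON):
    """Return the daemon config as a dict; a missing file simply means no overrides."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def registry_trust(registry, daemon_json=DAEMON_JSON, certs_d=CERTS_D):
    """Classify how dockerd treats TLS for `registry` (given as "host:port").

    Follows the daemon's documented order: HTTPS verified first; with an insecure
    entry a bad certificate is ignored and HTTP is tried as a last resort.
    """
    cfg = load_daemon_json(daemon_json)
    insecure = registry in cfg.get("insecure-registries", [])
    has_ca = os.path.isfile(os.path.join(certs_d, registry, "ca.crt"))
    if has_ca and not insecure:
        return "verified"                # certificate checked against the installed CA
    if has_ca and insecure:
        return "verified-with-fallback"  # CA used, but a bad cert or plain HTTP is tolerated
    if insecure:
        return "unverified"              # any certificate accepted; HTTP allowed
    return "untrusted"                   # docker login fails: unknown certificate authority


def add_insecure_registry(registry, daemon_json=DAEMON_JSON):
    """Add `registry` to insecure-registries without touching other keys (such as
    registry-mirrors) and without duplicating it. Returns the new config; dockerd
    must be restarted for it to take effect."""
    cfg = load_daemon_json(daemon_json)
    entries = cfg.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    tmp = daemon_json + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(cfg, f, indent=2)
        f.write("\n")
    os.replace(tmp, daemon_json)  # atomic swap: dockerd never sees a half-written file
    return cfg


def demo(root=None):
    """Walk the page's registry 10.74.2.71:5000 through both setups in a scratch dir.

    Returns (list of trust states after each step, final daemon.json contents).
    """
    if root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    registry = "10.74.2.71:5000"
    daemon_json = os.path.join(root, "daemon.json")
    certs_d = os.path.join(root, "certs.d")
    # constructed starting point: only a mirror entry, as in the page's daemon.json
    with open(daemon_json, "w", encoding="utf-8") as f:
        json.dump({"registry-mirrors": ["https://hub-mirror.c.163.com"]}, f)
    states = [registry_trust(registry, daemon_json, certs_d)]
    # step 1: install the CA the way the page does (domain.crt -> certs.d/<host:port>/ca.crt)
    os.makedirs(os.path.join(certs_d, registry))
    with open(os.path.join(certs_d, registry, "ca.crt"), "w", encoding="utf-8") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
    states.append(registry_trust(registry, daemon_json, certs_d))
    # step 2: also add the insecure entry, twice, to show the edit is idempotent
    add_insecure_registry(registry, daemon_json)
    cfg = add_insecure_registry(registry, daemon_json)
    states.append(registry_trust(registry, daemon_json, certs_d))
    return states, cfg


if __name__ == "__main__":
    print(demo())
```

Run as root against the real paths only `registry_trust` is read-only; `add_insecure_registry` rewrites daemon.json and, as the page says, takes effect after `systemctl restart docker`. Once ca.crt is installed, the insecure entry is no longer needed for this registry.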

Commands

https://docs.docker.com/registry/#basic-commands

# Log in and log out
docker login 10.74.2.71:5000 -u user -p pass
docker logout 10.74.2.71:5000

# Copy an image under a new name (used to test the push in the next step)
docker tag 28dzdaf856cb 11.71.91.51:5000/openjdk:alpine

# Push the image to the local registry
docker push 11.71.91.51:5000/openjdk:alpine

# Pull the image from the local registry
docker pull 11.71.91.51:5000/openjdk:alpine

Deleting an image does not actually remove its files from disk; they have to be cleaned up manually with garbage collection

https://docs.docker.com/registry/garbage-collection/#run-garbage-collection

docker exec -it registry sh
registry garbage-collect /etc/docker/registry/config.yml
du -sch /var/lib/registry

API

https://github.com/distribution/distribution/blob/main/docs/spec/api.md

# List the repositories in the local registry
curl http://11.71.91.51:5000/v2/_catalog

# List the tags of a repository in the local registry
curl http://11.71.91.51:5000/v2/openjdk/tags/list
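The curl calls above cover the two read endpoints; the deletion the previous section mentions goes through the same API, but only by manifest digest, and only when the registry was started with REGISTRY_STORAGE_DELETE_ENABLED=true. The client below is an added example, not code from the original page or the distribution project: it sends the basic-auth header the htpasswd setup requires, pins TLS to the self-signed domain.crt instead of the system CA store, resolves a tag to its digest with a HEAD request, and deletes the manifest. The `fake_opener`, `SAMPLE_DIGEST`, `run_demo` and the canned replies are constructed so the exchange can be run offline; the registry address and the user/pass credentials are the page's.

```python
"""Minimal client for the Docker Registry v2 API (added example, not from the page).

Assumes the page's registry at https://10.74.2.71:5000 with htpasswd basic auth and
its self-signed certs/domain.crt as CA, plus the page's sample credentials user/pass.
The HTTP opener is injectable, so the delete flow below runs offline against
constructed replies. Needs Python 3.9+ (HTTPError.status).
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

# Without this Accept header the registry serves a converted schema1 manifest whose
# digest does not match the stored one, and the later DELETE by digest would 404.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


class RegistryClient:
    def __init__(self, base_url, user, password, ca_file=None, opener=None):
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = f"Basic {creds}"
        if opener is None:
            # Trust only the registry's own CA (the ca.crt installed under certs.d),
            # so the self-signed certificate is verified rather than ignored.
            ctx = ssl.create_default_context(cafile=ca_file)
            opener = urllib.request.build_opener(
                urllib.request.HTTPSHandler(context=ctx)).open
        self._open = opener

    def _request(self, method, path, accept=None):
        req = urllib.request.Request(self.base_url + path, method=method)
        req.add_header("Authorization", self.auth)
        if accept:
            req.add_header("Accept", accept)
        try:
            resp = self._open(req)
        except urllib.error.HTTPError as err:  # the real opener raises on 4xx/5xx
            resp = err
        if resp.status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {resp.status}")
        return resp

    def catalog(self):
        return json.loads(self._request("GET", "/v2/_catalog").read())["repositories"]

    def tags(self, repo):
        return json.loads(self._request("GET", f"/v2/{repo}/tags/list").read())["tags"] or []

    def digest(self, repo, tag):
        # HEAD returns the manifest digest in a header without transferring the body.
        resp = self._request("HEAD", f"/v2/{repo}/manifests/{tag}", accept=MANIFEST_V2)
        return resp.getheader("Docker-Content-Digest")

    def delete_tag(self, repo, tag):
        # The API deletes by digest only, and only with REGISTRY_STORAGE_DELETE_ENABLED=true.
        # This unlinks the manifest; layer blobs stay on disk until `registry garbage-collect`.
        dgst = self.digest(repo, tag)
        self._request("DELETE", f"/v2/{repo}/manifests/{dgst}")
        return dgst


# ---- constructed stand-in for the registry so the flow can be run offline ----
SAMPLE_DIGEST = "sha256:" + "ab" * 32  # constructed placeholder, not a real digest


class _Reply:
    def __init__(self, status, body=b"", headers=None):
        self.status, self._body, self._headers = status, body, headers or {}

    def read(self):
        return self._body

    def getheader(self, name, default=None):
        return {k.lower(): v for k, v in self._headers.items()}.get(name.lower(), default)


def fake_opener(req):
    """Canned replies; like htpasswd auth, anything without valid credentials gets 401."""
    if req.get_header("Authorization") != "Basic " + base64.b64encode(b"user:pass").decode():
        return _Reply(401, b'{"errors":[{"code":"UNAUTHORIZED"}]}')
    method, path = req.get_method(), req.full_url.split(":5000", 1)[1]
    if method == "GET" and path == "/v2/_catalog":
        return _Reply(200, json.dumps({"repositories": ["openjdk"]}).encode())
    if method == "GET" and path == "/v2/openjdk/tags/list":
        return _Reply(200, json.dumps({"name": "openjdk", "tags": ["alpine"]}).encode())
    if method == "HEAD" and path == "/v2/openjdk/manifests/alpine":
        if req.get_header("Accept") != MANIFEST_V2:
            return _Reply(404)  # models the digest mismatch when schema2 is not requested
        return _Reply(200, headers={"Docker-Content-Digest": SAMPLE_DIGEST})
    if method == "DELETE" and path == f"/v2/openjdk/manifests/{SAMPLE_DIGEST}":
        return _Reply(202)
    return _Reply(404)


def run_demo(opener=fake_opener):
    """List the catalog and tags, resolve openjdk:alpine to its digest, then delete it."""
    client = RegistryClient("https://10.74.2.71:5000", "user", "pass", opener=opener)
    return {
        "repos": client.catalog(),
        "tags": client.tags("openjdk"),
        "deleted": client.delete_tag("openjdk", "alpine"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Against the real registry, construct the client with `ca_file="certs/domain.crt"` and no `opener`; after the DELETE returns 202 the tag disappears from `/v2/openjdk/tags/list`, but `du -sch /var/lib/registry` only shrinks after the garbage-collect step from the previous section.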


3. Third-party web UI

https://hub.docker.com/r/joxit/docker-registry-ui

Option reference: https://github.com/Joxit/docker-registry-ui#available-options

If the UI itself should also be served over HTTPS: https://github.com/Joxit/docker-registry-ui/tree/main/examples/issue-20

Do not use 127.0.0.1: inside the container it refers to the container itself, not the host. Replacing REGISTRY_URL with NGINX_PROXY_PASS_URL makes the UI reach the registry through its built-in Nginx proxy, which avoids cross-origin problems.

docker run -d --name registry-ui \
--restart=always \
-e DELETE_IMAGES=true \
-e SINGLE_REGISTRY=true \
-e PULL_URL=10.74.2.71:5000 \
-e REGISTRY_URL=https://10.74.2.71:5000 \
-p 5001:80 \
joxit/docker-registry-ui

When SINGLE_REGISTRY is set to false (the default), the UI shows a menu that lets you change the Docker registry URL dynamically.

Open port 5001 on the server in a browser.
