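Setting Up a Private Docker Registry
Dependencies
- Operating system: CentOS 7.6
Installation
Install Docker by following the referenced installation guide.
Quick setup
Start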
docker pull registry
docker run --restart=always --name registry -p 80:5000 -v /data/registry:/var/lib/registry -d registry
Test
docker tag registry localhost/registry
docker push localhost/registry
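Configuration
Create the host directories
The volumns directory holds the host files that are mapped to directories inside the container.
mkdir -p /root/volumns
Create the three directories the registry container needs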
cd /root/volumns/
mkdir -p registry/auth registry/certs registry/data
cd registry
Create the self-signed certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt -extensions v3_req
The certificate's Common Name must be set to the externally reachable IP address.
Generating a 4096 bit RSA private key
................................++
...........................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:111.111.111.111
Email Address []:
Add the certificate to the system TLS trust bundle
cat certs/domain.crt >> /etc/pki/tls/certs/ca-bundle.crt
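Configure SSL to use an IP address instead of a DNS name
Edit the openssl configuration file. The -extensions v3_req option of the openssl req command above reads these sections, so they must be in place before the certificate is generated.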
vi /etc/pki/tls/openssl.cnf
Set req_extensions to v3_req
[ req ]
req_extensions = v3_req # The extensions to add to a certificate request
Add the subjectAltName setting
[ v3_req ]
subjectAltName = @alternative_names
Add the alternative_names section
[ alternative_names ]
IP.1 = 111.111.111.111
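Added example, not part of the original post: the same v3_req and alternative_names sections placed in a private config file passed with -config, so the system openssl.cnf stays untouched, followed by a check that the resulting certificate really carries the IP SAN. The helper names, the temporary directory and the 2048-bit key (chosen only to keep the demo fast) are assumptions.

```shell
#!/bin/sh
# Added example; make_ip_cert and cert_matches_ip are hypothetical helper names.

# Write a throwaway config with the page's v3_req / alternative_names sections
# and create a self-signed certificate whose SAN is the given IP address.
make_ip_cert() {    # $1 = IP address, $2 = existing output directory
    cat > "$2/san.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
CN = $1

[ v3_req ]
subjectAltName = @alternative_names

[ alternative_names ]
IP.1 = $1
EOF
    # rsa:2048 only keeps the demo fast; the page uses rsa:4096.
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -config "$2/san.cnf" -extensions v3_req \
        -keyout "$2/domain.key" -out "$2/domain.crt" 2>/dev/null
}

# Succeeds only if the certificate is valid for the IP address (SAN check).
cert_matches_ip() { # $1 = certificate file, $2 = IP address
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 | grep -q 'does match'
}

demo_dir=$(mktemp -d)
make_ip_cert 111.111.111.111 "$demo_dir"
cert_matches_ip "$demo_dir/domain.crt" 111.111.111.111 && echo "SAN covers 111.111.111.111"
cert_matches_ip "$demo_dir/domain.crt" 10.0.0.1 || echo "SAN does not cover 10.0.0.1"
```

A client that trusts domain.crt can then connect with certificate verification enabled, which the curl -k test later on the page does not exercise.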
Create the password file
docker run --entrypoint htpasswd registry:2 -Bbn registry_user registry_passwd > auth/htpasswd
Write the YAML file
vim /root/registry.yaml
version: "3"
services:
  registry:
    image: registry:2
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - /root/volumns/registry/data:/var/lib/registry
      - /root/volumns/registry/certs:/certs
      - /root/volumns/registry/auth:/auth
    deploy:
      restart_policy:
        condition: on-failure
      replicas: 1
Run
Restart the Docker daemon on the registry host
service docker restart
Start the registry container
docker stack deploy -c /root/registry.yaml registry
After startup the log shows the following:
registry_1 | time="2019-08-03T06:31:43.752312809Z" level=info msg="redis not configured" go.version=go1.11.2 instance.id=b6ab14f6-1883-412a-9d0f-0704525ca9ba service=registry version=v2.7.1
registry_1 | time="2019-08-03T06:31:43.755152618Z" level=info msg="Starting upload purge in 49m0s" go.version=go1.11.2 instance.id=b6ab14f6-1883-412a-9d0f-0704525ca9ba service=registry version=v2.7.1
registry_1 | time="2019-08-03T06:31:43.76585622Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.11.2 instance.id=b6ab14f6-1883-412a-9d0f-0704525ca9ba service=registry version=v2.7.1
registry_1 | time="2019-08-03T06:31:43.766510778Z" level=info msg="listening on [::]:5000, tls" go.version=go1.11.2 instance.id=b6ab14f6-1883-412a-9d0f-0704525ca9ba service=registry version=v2.7.1
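The log shows the registry listening on port 5000.
Test
Test SSL
Check whether SSL is working. Note that -k skips certificate verification, so this only confirms that the server answers over TLS.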
curl -i -k -v https://111.111.111.111:5000
The output shows success
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Cache-Control: no-cache
Cache-Control: no-cache
< Date: Sat, 03 Aug 2019 08:54:31 GMT
Date: Sat, 03 Aug 2019 08:54:31 GMT
< Content-Length: 0
Content-Length: 0
Test login
Switch to Docker Hub and pull the hello-world test image
docker pull hello-world
Copy the certificate to the Docker host that holds hello-world
mkdir -p /etc/docker/certs.d/111.111.111.111:5000
cp certs/domain.crt /etc/docker/certs.d/111.111.111.111:5000/ca.crt
Log in to the new registry
docker login 111.111.111.111:5000 -u registry_user -p registry_passwd
The output shows Login Succeeded
Test push
Retag the image
docker tag hello-world 111.111.111.111:5000/hello-world
Test the push
docker push 111.111.111.111:5000/hello-world
The output shows success
The push refers to repository [111.111.111.111:5000/hello-world]
af0b15c8625b: Pushed
latest: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524
Test pull
Delete the local image
docker rmi 111.111.111.111:5000/hello-world
Test the pull
docker pull 111.111.111.111:5000/hello-world
The output shows success
Using default tag: latest
latest: Pulling from hello-world
Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Status: Downloaded newer image for 111.111.111.111:5000/hello-world:latest
111.111.111.111:5000/hello-world:latest
Managing the private registry
The localhost registry is used here as the example for the management operations
Push an image
docker push localhost/hello-world
Output
The push refers to repository [localhost/hello-world]
af0b15c8625b: Pushed
latest: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524
List the images
curl localhost/v2/_catalog
Output
{"repositories":["hello-world"]}
List an image's tags
curl localhost/v2/hello-world/tags/list
Output
{"name":"hello-world","tags":["latest"]}
Query the image's digest_hash
curl localhost/v2/hello-world/manifests/latest \
--header "Accept: application/vnd.docker.distribution.manifest.v2+json"
Output
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1510,
    "digest": "sha256:fce289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 977,
      "digest": "sha256:1b930d010525941c1d56ec53b97bd057a67ae1865eebf042686d2a2d18271ced"
    }
  ]
}
sha256:1b930d010525941c1d56ec53b97bd057a67ae1865eebf042686d2a2d18271ced is the digest_hash of latest
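Added example, not part of the original post: the manifests DELETE call later on this page takes the manifest digest (the sha256:92c7... value printed by docker push), which the registry returns in the Docker-Content-Digest response header and which is the SHA-256 of the manifest bytes, whereas the digests inside the manifest body identify the config and layer blobs. This sketch tells the two kinds of digest apart before a delete is issued. The helper names and the constructed sample header block are assumptions.

```shell
#!/bin/sh
# Added example; header_digest, body_digest and digest_role are hypothetical helpers.

# Constructed sample of the headers a HEAD request (curl -sI with the page's
# Accept header) on localhost/v2/hello-world/manifests/latest would return.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Docker-Content-Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Content-Length: 524'

# The page's manifest, re-typed compactly. These are not the exact bytes the
# registry stores, so hashing this text does not give the sha256:92c7... value.
SAMPLE_MANIFEST='{"schemaVersion":2,"config":{"digest":"sha256:fce289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e"},"layers":[{"digest":"sha256:1b930d010525941c1d56ec53b97bd057a67ae1865eebf042686d2a2d18271ced"}]}'

# Print the manifest digest from a header block on stdin (name is case-insensitive).
header_digest() {
    tr -d '\r' | awk '{ line = $0
        if (tolower(line) ~ /^docker-content-digest:/) {
            sub(/^[^:]*:[ \t]*/, "", line); print line; exit } }'
}

# Print "sha256:<hex>" for the raw manifest bytes on stdin.
body_digest() {
    printf 'sha256:%s\n' "$(sha256sum | cut -d' ' -f1)"
}

# Classify a digest against a manifest: "manifest" if it is the hash of the
# manifest itself, "blob" if it only appears inside it (config or layer).
digest_role() {    # $1 = manifest text, $2 = digest
    if [ "$(printf '%s' "$1" | body_digest)" = "$2" ]; then
        echo manifest
    elif printf '%s' "$1" | grep -qF "\"$2\""; then
        echo blob
    else
        echo unknown
    fi
}

printf '%s\n' "$SAMPLE_HEADERS" | header_digest
digest_role "$SAMPLE_MANIFEST" \
    "sha256:1b930d010525941c1d56ec53b97bd057a67ae1865eebf042686d2a2d18271ced"
```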
Enabling deletion
Check the current deletion setting
docker exec -it registry sh -c 'cat /etc/docker/registry/config.yml'
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
Enable deletion
docker exec -it registry sh -c "sed -i '/storage:/a\  delete:' /etc/docker/registry/config.yml"
docker exec -it registry sh -c "sed -i '/delete:/a\    enabled: true' /etc/docker/registry/config.yml"
Restart the registry container
docker restart registry
Delete an image
Run the deletion
curl -I -X DELETE "localhost/v2/hello-world/manifests/sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a"
Output
HTTP/1.1 202 Accepted
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 22 Aug 2019 07:20:53 GMT
Content-Length: 0
Reclaim disk space
docker exec -it registry sh -c "bin/registry garbage-collect /etc/docker/registry/config.yml"
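Copyright notice: this is an original article by lizongti, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.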