docker---私有仓库搭建
HTTP
部署
shell
# Start a plaintext (HTTP) registry from the official image. Image data lives in
# /var/lib/registry inside the container; the bind mount keeps it on the host at
# /opt/data/registry (any other host path works just as well).
# NOTE(review): this listens on every interface with no TLS and no
# authentication, so anyone who can reach port 5000 can push and pull images.
# Keep it on a trusted network / behind a firewall, or use the HTTPS deployment
# described later in this page.
docker run --detach \
  --publish 5000:5000 \
  --restart=always \
  --name registry \
  --volume /opt/data/registry:/var/lib/registry \
  registry:2
- 使用官方的
registry
镜像来启动私有仓库。默认情况下,仓库会被创建在容器的/var/lib/registry
目录下。你可以通过-v
参数来将镜像文件存放在本地的指定路径,当然你也可以选择其它本地路径,上面的只是一个示例。
使用
-
配置非HTTPS方式推送镜像
# Point the Docker daemon at two pull-through mirrors and let it talk to the
# private registry over plain HTTP.
# NOTE(review): "insecure-registries" disables TLS (and certificate checking)
# for that address, so image layers and manifests can be read or altered by
# anyone on the network path. Use it only on a trusted LAN or for testing.
# NOTE(review): this overwrites any existing /etc/docker/daemon.json — merge the
# keys by hand if the host already has one.
cat <<'EOF' | tee /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ],
  "insecure-registries": [
    "your_ip_addr:5000"
  ]
}
EOF
systemctl daemon-reload
systemctl restart docker
-
push and pull
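# Retag a local image for the private registry, push it, then pull it back.
# $image and $registry_host_address must be set beforehand; the :? checks abort
# with a message instead of silently producing a tag like ":5000/" when one of
# them is empty. Expansions are quoted so odd characters cannot split the args.
: "${image:?image name (e.g. alpine:3.19) is required}"
: "${registry_host_address:?registry host or IP is required}"
docker tag "$image" "${registry_host_address}:5000/${image}"
docker push "${registry_host_address}:5000/${image}"
docker pull "${registry_host_address}:5000/${image}"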
-
check images
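# List the repositories the registry knows about (plain HTTP, matching the
# deployment above). `-f` makes curl exit non-zero on an HTTP 4xx/5xx reply
# instead of printing the error page as if it were a result; `-sS` drops the
# progress meter but still shows errors.
curl -fsS http://your_ip_address:5000/v2/_catalog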
HTTPS
部署
-
registry_name
# Hostname the registry will be reached by. It must match the certificate
# CN/SAN generated below and the /etc/hosts entry added later. Exported so the
# `sudo -E` invocations can see it.
registry_name=registry.domain.local
export registry_name
-
生成证书
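# Generate a self-signed certificate for the registry hostname.
# - CN and subjectAltName both carry the name: modern TLS clients (Docker's Go
#   stack included) only match on the SAN.
# - `-addext` needs OpenSSL 1.1.1 or newer; on older releases put the SAN in a
#   config file instead.
# - `-nodes` writes the private key unencrypted, so tighten its permissions
#   immediately. 0600 assumes the registry process runs as root (the stock
#   registry:2 image presumably does — verify if you run it as another user).
# `sudo -E` keeps $registry_name in the environment; abort if it is unset so we
# do not mint a certificate with an empty CN/SAN.
: "${registry_name:?set registry_name first}"
sudo -E mkdir -p /opt/registry/certs/
sudo -E openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout /opt/registry/certs/domain.key \
  -subj "/CN=${registry_name}" \
  -addext "subjectAltName = DNS:${registry_name}" \
  -x509 -days 365 -out /opt/registry/certs/domain.crt
sudo chmod 600 /opt/registry/certs/domain.key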
-
deploy registry
# Run the registry with TLS on port 443, using the certificate and key generated
# above (mounted read-only would also work; the image only reads them).
# NOTE(review): TLS protects the transport only — this registry still has no
# authentication, so anyone who can reach port 443 can push and pull. Add
# authentication (the registry supports htpasswd and token auth) or restrict
# access at the network level before exposing it beyond a trusted network.
docker run --detach \
  --restart=always \
  --name registry \
  --volume /opt/registry/certs:/certs \
  --env REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  --env REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  --env REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  --publish 443:443 \
  registry:2
-
add certificate to host trust chain
-
任何需要访问registry的主机都需要配置
-
cat /etc/os-release
-
case "ubuntu"|"debian"
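# Debian/Ubuntu: install the registry certificate as a trusted CA on this host.
# Assumes domain.crt has been copied from the registry host to the same path.
# The target file name comes from $registry_name, so abort if it is unset rather
# than creating "/usr/local/share/ca-certificates/.crt".
: "${registry_name:?set registry_name first}"
sudo cp /opt/registry/certs/domain.crt "/usr/local/share/ca-certificates/${registry_name}.crt"
sudo update-ca-certificates
# dockerd loads the system roots when it starts; restart it so pushes and pulls
# actually see the new CA.
sudo systemctl restart docker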
-
case "centos"|"fedora"|"alinux"
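# CentOS/Fedora/Alinux: install the registry certificate as a trusted CA.
# Assumes domain.crt has been copied from the registry host to the same path.
# Only the anchors directory is written: appending to the extracted
# ca-bundle.trust.crt by hand does not survive the next update-ca-trust (which
# regenerates it), and a `sudo cat ... >> file` redirect runs as the calling
# user, not under sudo, so it fails with "permission denied" anyway.
sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# dockerd loads the system roots when it starts; restart it so pushes and pulls
# actually see the new CA.
sudo systemctl restart docker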
-
case "rhel"
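# RHEL: install the registry certificate as a trusted CA on this host.
# https://access.redhat.com/solutions/3220561
# Assumes domain.crt has been copied from the registry host to the same path.
sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
# Confirm the certificate now validates against the regenerated bundle.
# (`openssl x509 -text` on the bundle only prints its first certificate, so it
# does not tell you whether the new anchor was picked up.)
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt /opt/registry/certs/domain.crt
# dockerd loads the system roots when it starts; restart it so pushes and pulls
# actually see the new CA.
sudo systemctl restart docker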
-
case others: add the registry certificate to the host's trust store manually, then restart the Docker daemon so it picks up the new CA.
-
-
Append an /etc/hosts entry so the registry name resolves to the registry's IP address
任何需要访问registry的主机都需要配置
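# Map the registry name to its IP address in /etc/hosts on this host.
# $registry_ip must be the REGISTRY's address: `hostname -I` only gives the
# right answer when this runs on the registry host itself, so on a client set
# registry_ip explicitly before running this. The grep keeps reruns from
# appending duplicate lines.
: "${registry_name:?set registry_name first}"
registry_ip=${registry_ip:-$(hostname -I | awk '{print $1}')}
: "${registry_ip:?could not determine the registry IP; set registry_ip}"
if ! grep -qF -- "$registry_ip $registry_name" /etc/hosts; then
  printf '%s %s\n' "$registry_ip" "$registry_name" | sudo tee -a /etc/hosts
fi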
-
Verify that the registry service works
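# Check that the registry answers over HTTPS with the name and CA set up above.
# The registry name is added to no_proxy so an HTTP proxy (which knows nothing
# about the private name) is bypassed.
# `-f` makes curl exit non-zero on an HTTP 4xx/5xx reply — without it curl
# returns success even for a 500 — and `-sS` hides the progress meter but still
# prints errors. Do NOT add `-k` here: a TLS failure means the trust-store step
# above did not work on this host. If authentication is added later, /v2/ will
# answer 401 and this check will need credentials.
export no_proxy=$no_proxy,$registry_name
if ! curl -fsS "https://${registry_name}/v2/_catalog"; then
  if ! nc -zv "$registry_name" 443; then
    echo "ERROR: failed to connect to 443 port "
  fi
  echo "ERROR: registry service is not ready"
  exit 1
fi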
使用
push and pull
shell
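# Retag, push and pull over HTTPS. $registry_address is the registry hostname
# (presumably the same value as $registry_name set earlier, e.g.
# registry.domain.local; port 443 needs no suffix). Abort early instead of
# producing a tag like "/alpine" when a variable is empty.
: "${image:?image name is required}"
: "${registry_address:?registry address is required}"
docker tag "$image" "${registry_address}/${image}"
docker push "${registry_address}/${image}"
docker pull "${registry_address}/${image}"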
注意: 只有在 Docker 守护进程无法校验仓库证书时(纯 HTTP 部署,或自签名证书尚未加入主机信任链)才需要把仓库加入 insecure-registries,否则 push 会因证书校验失败而报错;按上面的步骤把证书加入信任链并重启 docker 之后,push 和 pull 都不再需要该设置。insecure-registries 会关闭对该地址的 TLS 校验,不要在生产环境长期保留。
注意
镜像拉取
shell
# Fetch registry:2 through a Huawei Cloud mirror of Docker Hub, then give it the
# Docker Hub name so the `registry:2` reference used above resolves locally.
# NOTE(review): the retag hides where the image really came from; before
# relying on it, compare its digest with the one Docker Hub publishes for
# registry:2 (supply-chain check), and prefer pulling by digest if possible.
mirror_image=swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/registry:2
docker pull "$mirror_image"
docker tag "$mirror_image" docker.io/registry:2