美文网首页云计算我爱编程程序员
如何搭建私有容器库 Registry

如何搭建私有容器库 Registry

作者: 橄榄树下的托马斯 | 来源:发表于2018-05-28 16:40 被阅读19次

作者:刘宾, thomas_liub@hotmail.com
转载请注明出处,谢谢!


1. Registry单独配置

参考:
https://docs.docker.com/registry/
http://blog.csdn.net/ztsinghua/article/details/51496658

1.1 无TLS, 无用户认证本地启动

只能用于localhost访问,非localhost主机无法访问该registry.

启动:

docker run -d -p 5000:5000 --restart=always --name registry registry:2

验证:

docker push localhost:5000/my-ubuntu

1.2 加载本地卷

启动:

docker run -d -p 5000:5000 --restart=always --name registry -v /docker/registry/data:/var/lib/registry registry:2

1.3 TLS方式, 无用户认证启动

制作根证书和私钥,制作服务证书和私钥,用根证书签字服务证书。最后,设置客户端OS信任根证书。

  1. 服务器制作根证书和私钥

    1. 根私钥:

    openssl genrsa -out devdockerCA.key 2048

    1. 根证书:
      CN设置为MYDOMAIN

    openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt

  2. 服务器制作服务证书和私钥

    1. 服务私钥

    openssl genrsa -out domain.key 2048
    2. 服务证书签名请求
    CN设置为MYDOMAIN
    > openssl req -new -key domain.key -out iot-registry.csr
    3. 根证书签字服务证书
    如果MYDOMAIN为IP需要 -extfile
    > echo subjectAltName = IP:192.168.32.28 > extfile.cnf
    > openssl x509 -req -in iot-registry.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000 -extfile extfile.cnf

  3. 客户端设置OS信任服务器根证书
    在Docker客户端机器上,设置

sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
sudo update-ca-certificates
/etc/ca-certificates.conf

  1. 客户端重启docker

sudo service docker restart

  1. 服务器启动registry

    1. mkdir certs
    2. 将step 2 中制作的domain.key和domain.crt拷贝到certs目录,供registry使用
    3. 启动registry

    docker run -d --restart=always --name registry -v pwd/certs:/certs -p 443:443 \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2

    验证:

    docker push MYDOMAIN/my-ubuntu

1.4 TLS方式, 带用户认证启动

步骤同1.3, 修改Registry启动参数,如下:

  1. 创建用户文件, htpasswd

htpasswd -Bbc certs/htpasswd username1 password1
htpasswd -Bb certs/htpasswd username2 password2

  1. 启动registry

docker run -d --restart=always --name registry -v pwd/certs:/certs -p 443:443 \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/certs/htpasswd \
registry:2

验证:

curl -k https://username:password@MYDOMAIN
docker login https://MYDOMAIN
user: xxx
password: xxx
Success.
docker push MYDOMAIN/my-ubuntu

docker-compose.yml

registry:
  restart: always
  image: registry:2
  ports:
    - 192.168.32.28:443:443
  environment:
    - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
    - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
    - REGISTRY_HTTP_ADDR=0.0.0.0:443
    - REGISTRY_AUTH=htpasswd
    - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
    - REGISTRY_AUTH_HTPASSWD_PATH=/certs/htpasswd
    - REGISTRY_STORAGE_DELETE_ENABLED=true
  volumes:
    - /srv/docker/registry/registry:/var/lib/registry
    - /home/liub/project/registry/certs:/certs

2. Nginx + Registry模式启动

参考: http://blog.csdn.net/zstack_org/article/details/53301211?locationNum=12&fps=1

2.1 无用户认证,无TLS启动

  1. docker-compose.yml文件, ./docker-compose.yml
nginx:
  image: "nginx:1.9"
  ports:
    - 5043:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  volumes:
    - ./data:/var/lib/registry
  1. registry.conf文件, ./nginx/registry.conf
upstream docker-registry {
  server registry:5000;
}
server {
  listen 443;
  server_name myregistrydomain.com;
  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)  
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    # auth_basic "registry.localhost";
    # auth_basic_user_file /etc/nginx/conf.d/registry.password;
    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
  1. 启动registry

docker-compose up

验证:

curl http://localhost:5043/v2/
{}

2.2 用户登陆认证支持

  1. 用户创建

sudo apt-get -y install apache2-utils
htpasswd -c registry.password USERNAME1
htpasswd registry.password USERNAME2

  1. 修改registry.conf
    打开auth_basic, auth_basic_user_file和add_header参数,如下:
upstream docker-registry {
  server registry:5000;
}
server {
  listen 443;
  server_name myregistrydomain.com;
  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    auth_basic "registry.localhost";
    auth_basic_user_file /etc/nginx/conf.d/registry.password;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
  1. 启动registry

docker-compose up

验证:

curl http://localhost:5043/v2/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>


<center>nginx/1.9.7</center>
</body>
</html>
curl http://user:password@localhost:5043/v2/
{}

2.3 TLS方式启动

通过配置nginx使用TLS,nginx使用1.3章节中创建的证书和私钥。

  1. 修改registry.conf
    打开ssl, ssl_certificate和ssl_certificate_key参数,如下:
upstream docker-registry {
  server registry:5000;
}
server {
  listen 443;
  server_name myregistrydomain.com;

  # SSL
  ssl on;
  ssl_certificate /etc/nginx/conf.d/domain.crt;
  ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;
  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    auth_basic "registry.localhost";
    auth_basic_user_file /etc/nginx/conf.d/registry.password;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
  1. 修改docker-compose.yml文件
    开启443 HTTPS接口
nginx:
  image: "nginx:1.9"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
  1. 启动registry
    443端口需要root权限。

sudo docker-compose up

验证:

curl https://USERNAME:PASSWORD@MYDOMAIN/v2/
curl: (60) SSL certificate problem: self signed certificate
curl -k https://USERNAME:PASSWORD@MYDOMAIN/v2/
{}
docker login https://MYDOMAIN
user: xxx
password: xxx
success!
docker push MYDOMAIN/hello

3. registry使用

首先需要docker login.

3.1 查询registry image列表

curl -k https://username:password@MYDOMAIN/v2/_catalog

3.2 查询image标签列表

curl -k https://username:password@MYDOMAIN/v2/image_name/tags/list

3.3 拉取image

docker pull image:tag

3.4 上传image

docker push image:tag

3.5 删除image

修改config.yml, delete enable = true.参见之前。

curl -k -X DELETE https://username:password@MYDOMAIN/v2/image_name/manifests/image 摘要
登陆到registry
registry garbage-collect /etc/docker/registry/config.yml

4. python开发包

4.1 docker操作

https://github.com/docker/docker-py
https://docker-py.readthedocs.io/en/stable/

4.2 registry操作

REST接口

相关文章

网友评论

    本文标题:如何搭建私有容器库 Registry

    本文链接:https://www.haomeiwen.com/subject/byvgjftx.html