| 知乎專欄 | 多維度架構 | 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者” |
登錄
$ sudo docker login Username: netkiller Password: Email: netkiller@msn.com Login Succeeded
搭建私有倉庫只需兩步
docker pull registry docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry --name registry registry
操作演示
neo@ubuntu:~$ docker pull registry Using default tag: latest latest: Pulling from library/registry 169185f82c45: Pull complete 046e2d030894: Pull complete 188836fddeeb: Pull complete 832744537747: Pull complete 7ceea07e80be: Pull complete Digest: sha256:870474507964d8e7d8c3b53bcfa738e3356d2747a42adad26d0d81ef4479eb1b Status: Downloaded newer image for registry:latest neo@ubuntu:~$ docker run -d -p 5000:5000 -v /opt/registry:/tmp/registry registry 38a6d3b5e18e378b7765fa00374426db3a06c64f4b9219a1f85dc42a6a66ef28 neo@ubuntu:~$ docker ps | grep registry 38a6d3b5e18e registry "/entrypoint.sh /etc…" 35 seconds ago Up 33 seconds 0.0.0.0:5000->5000/tcp
設置允許http協議訪問,有兩種方式,一種是修改 /etc/docker/daemon.json並添加 “insecure-registries” 項
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"insecure-registries": ["127.0.0.1:5000"]
}
另一種方式是修改 /etc/default/docker 中加入下面內容
neo@ubuntu:~$ sudo vim /etc/default/docker DOCKER_OPTS="--insecure-registry 0.0.0.0:5000"
修改 /lib/systemd/system/docker.service
# 加入 EnvironmentFile=/etc/default/docker # 尾部加入 $DOCKER_OPTS ExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTS
完整的例子
neo@ubuntu:~$ sudo vim /lib/systemd/system/docker.service [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com After=network-online.target docker.socket firewalld.service Wants=network-online.target Requires=docker.socket [Service] Type=notify # the default is not to use systemd for cgroups because the delegate issues still # exists and systemd currently does not support the cgroup feature set required EnvironmentFile=/etc/default/docker # for containers run by docker ExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID LimitNOFILE=1048576 # Having non-zero Limit*s causes performance problems due to accounting overhead # in the kernel. We recommend using cgroups to do container-local accounting. LimitNPROC=infinity LimitCORE=infinity # Uncomment TasksMax if your systemd version supports it. # Only systemd 226 and above support this version. TasksMax=infinity TimeoutStartSec=0 # set delegate yes so that systemd does not reset the cgroups of docker containers Delegate=yes # kill only the docker process, not all processes in the cgroup KillMode=process # restart the docker process if it exits prematurely Restart=on-failure StartLimitBurst=3 StartLimitInterval=60s [Install] WantedBy=multi-user.target
重啟 Docker
neo@ubuntu:~$ sudo systemctl daemon-reload neo@ubuntu:~$ sudo systemctl restart docker neo@ubuntu:~$ ps ax | grep docker 19548 ? Ssl 0:00 /usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --insecure-registry 0.0.0.0:5000
驗證 5000 連接埠可以訪問
neo@ubuntu:~$ curl -XGET http://localhost:5000/v2/_catalog
{"repositories":[]}
本地鏡像推送到遠程私有倉庫
docker pull busybox docker tag busybox docker.netkiller.cn:5000/busybox docker push docker.netkiller.cn:5000/busybox
操作演示
[root@localhost ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
697743189b6d: Pull complete
Digest: sha256:061ca9704a714ee3e8b80523ec720c64f6209ad3f97c0ff7cb9ec7d19f15149f
Status: Downloaded newer image for busybox:latest
[root@localhost ~]# docker tag busybox docker.netkiller.cn:5000/busybox
[root@localhost ~]# docker push docker.netkiller.cn:5000/busybox
The push refers to repository [docker.netkiller.cn:5000/busybox]
adab5d09ba79: Pushed
latest: digest: sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e size: 527
查看遠程私有倉庫
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/_catalog
{"repositories":["busybox"]}
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
從私有倉庫拉鏡像
docker pull docker.netkiller.cn:5000/busybox
如果我們想要查詢私有倉庫中的所有鏡像,使用docker search命令:
docker search registry_ipaddr:5000/
如果要查詢倉庫中指定賬戶下的鏡像,則使用如下命令:
docker search registry_ipaddr:5000/account/
操作演示
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/_catalog
{"repositories":["busybox"]}
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
/etc/docker/registry/config.yml
cat config.yml
version: 0.1
log:
fields:
service: registry
storage:
delete:
enabled: true
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
創建密碼檔案
docker run --entrypoint htpasswd registry -Bbn testuser testpassword > auth/htpasswd
啟動 docker
docker run -d -p 5000:5000 --restart=always --name docker-hub \ -v /opt/registry:/var/lib/registry \ -v /opt/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ registry
登錄
docker login -u testuser -p testpassword docker.netkiller.cn:5000
退出
docker logout docker.netkiller.cn:5000
查看倉庫 http://registry:5000/v2/_catalog
curl -XGET http://registry:5000/v2/_catalog
查看鏡像
curl -XGET http://registry:5000/v2/image_name/tags/list
刪除鏡像
DELETE /v2/<name>/manifests/<reference> name:鏡像名稱 reference: 鏡像對應sha256值
處理器測試
curl -I -X DELETE http://registry:5000/v2/netkiller/manifests/sha256:6a67ba482a8dd4f8143ac96b1dcffa5e45af95b8d3e37aeba72401a5afd7ab8e
Harbor 是 Vmware 公司開源的 企業級的 Docker Registry 管理項目,它提供 Dcoker Registry 管理 WebUI,可基于角色訪問控制, AD/LDAP 整合,日誌審核等功能,完全的支持中文。