由于墙的存在,很多镜像下载不下来,不得已得靠梯子,但是又很不稳定,又不想每个月花钱,无奈。。。只好搞一个私有仓库临时暂存,避免重置VM后镜像又丢失。既然要搞docker仓库,当然首选是harbor,可怜博主这边没资源跑这个,只能用docker官方自带的registry,虽然没有健全的管理功能,但足够轻量,适合私人使用
registry部署
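# Create the host directory that persists the image layers (-p: no error if it already exists).
[root@VM-8-17-centos ~]# mkdir -p /data/registry
# Publish the registry on loopback only. The registry container has no authentication
# or TLS of its own; with "-p 5000:5000" Docker listens on every interface, so port 5000
# would be reachable without the basic auth and TLS that nginx adds in front of it.
# nginx proxies to 127.0.0.1:5000, so a loopback binding is all it needs.
[root@VM-8-17-centos ~]# docker run -d -p 127.0.0.1:5000:5000 --restart=always -v /data/registry:/var/lib/registry --name registry registry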
使用nginx代理
此处使用nginx有两个功能:
- 提供ssl
- 提供basic认证
创建basic认证文件
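# Install httpd-tools, which provides the htpasswd command.
yum install httpd-tools -y
# Create the basic-auth file with user "test". Without -b, htpasswd prompts for the
# password, so it is not recorded in shell history or visible in the process list.
# Pick a strong, unique password: this account guards push and pull access to the registry.
htpasswd -c registry.htpasswd test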
准备ssl证书
# An Alibaba Cloud free certificate is used here; readers may create their own private certificate instead (omitted).
[root@VM-8-17-centos ~]# ll /www/server/panel/vhost/cert/
total 20
-rw-r--r-- 1 root root 4140 Sep 25 16:19 nginx.zip
-rw-r--r-- 1 root root 47 Sep 25 16:29 registry.htpasswd
-rw-r--r-- 1 root root 1675 Sep 25 16:19 registry.xadocker.cn.key
-rw-r--r-- 1 root root 3818 Sep 25 16:19 registry.xadocker.cn.pem
# NOTE(review): the listing shows the TLS private key (.key) and registry.htpasswd with
# mode -rw-r--r--, i.e. readable by every local user. Restrict the key to root
# (e.g. chmod 600); the htpasswd file only needs to be readable by root and the
# nginx worker user. nginx.zip presumably holds the same key material; confirm and
# remove it once unpacked.
nginx代理配置
[root@VM-8-17-centos ~]# cat /www/server/panel/vhost/nginx/registry.xadocekr.cn.conf
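# Backend: the local registry container. It has no authentication of its own,
# so it should be reachable only through this proxy (loopback address).
upstream registry {
    server 127.0.0.1:5000;
}

# TLS-terminating, basic-auth-protected front end for the registry.
server {
    listen 443 ssl;
    server_name registry.xadocker.cn;

    ssl_certificate /www/server/panel/vhost/cert/registry.xadocker.cn.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/registry.xadocker.cn.key;

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLS 1.1 is deprecated (RFC 8996) and is no longer offered; TLS 1.3 takes
    # effect only when nginx is built against an OpenSSL version that supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # 0 disables the request-body size limit so large image layers can be pushed.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {
        # Every request must pass basic auth before it is proxied to the registry.
        auth_basic "Registry realm";
        #auth_basic_user_file /root/registry/nginx/nginx.htpasswd;
        auth_basic_user_file /www/server/panel/vhost/cert/registry.htpasswd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass http://registry;
        proxy_set_header Host $http_host; # required for docker client's sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The credentials are checked here by nginx and are not forwarded to the backend.
        proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
        proxy_read_timeout 900;
        # proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        # proxy_set_header X-Forwarded-Proto "https";
        # proxy_set_header X-Forwarded-Protocol "https";
    }
}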
# 校验nginx配置语法
[root@VM-8-17-centos ~]# nginx -t
nginx: the configuration file /www/server/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /www/server/nginx/conf/nginx.conf test is successful
[root@VM-8-17-centos ~]# nginx -s reload
docker客户端测试
# 配置登录信息
[root@k8s-master ~]# docker login registry.xadocker.cn
Username: test
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-master ~]# docker pull nginx:1.14.2
1.14.2: Pulling from library/nginx
Digest: sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d
Status: Image is up to date for nginx:1.14.2
docker.io/library/nginx:1.14.2
# 测试上传
[root@k8s-master ~]# docker tag nginx:1.14.2 registry.xadocker.cn/nginx:1.14.2
[root@k8s-master ~]# docker push registry.xadocker.cn/nginx:1.14.2
The push refers to repository [registry.xadocker.cn/nginx]
82ae01d5004e: Layer already exists
b8f18c3b860b: Layer already exists
5dacd731af1b: Layer already exists
1.14.2: digest: sha256:706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078 size: 948