I. Quick installation of a private Registry

1. Create the private Registry

# docker run -d -p 5000:5000 --restart=always --name MyRegistry registry

2. Configure /etc/docker/daemon.json on the client host

This example uses the local host to simulate a private Registry client that reaches the Registry server over HTTP. Note: the Docker client uses HTTPS by default, while the Registry server serves plain HTTP by default, so on the Docker client host edit the /etc/docker/daemon.json configuration file to allow the Docker client to use HTTP. An entry in insecure-registries makes the daemon accept plain HTTP (and untrusted certificates) for that host only, so keep it limited to the local test address.

{
"insecure-registries" : ["localhost:5000"]
}

After editing, reload the configuration and restart Docker.

systemctl daemon-reload
systemctl restart docker.service

3. Check the images present locally

# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kcptun v1.5 ada612b11885 23 hours ago 7.67MB
kcptun v1.4 3ab2d78d6329 23 hours ago 7.67MB

4. Re-tag the local image to be uploaded, setting the upload target

# docker image tag kcptun:v1.4 localhost:5000/kcptun
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kcptun v1.5 ada612b11885 23 hours ago 7.67MB
kcptun v1.4 3ab2d78d6329 23 hours ago 7.67MB
localhost:5000/kcptun latest 3ab2d78d6329 23 hours ago 7.67MB

5. Push the image to the kcptun repository on the private Registry

# docker push localhost:5000/kcptun
The push refers to repository [localhost:5000/kcptun]
74b93d069f25: Layer already exists
8370d322a335: Layer already exists
01fd6df81c8e: Layer already exists
latest: digest: sha256:73272f481c45ef5de2ca708df32e5167b21984568133c13f06bbb98bf2d1350b size: 945

6. Manage the images in the kcptun repository on the private Registry

6.1 List the repositories

# curl localhost:5000/v2/_catalog
{"repositories":["kcptun"]}

6.2 List the tags of an image repository

# curl localhost:5000/v2/<repository name>/tags/list
root@Renkailang-UOS:/home/renkailang# curl localhost:5000/v2/kcptun/tags/list
{"name":"kcptun","tags":["latest","v1.5"]}

7. Delete the local image:

# docker rmi localhost:5000/kcptun:latest
Untagged: localhost:5000/kcptun:latest
Untagged: localhost:5000/kcptun@sha256:73272f481c45ef5de2ca708df32e5167b21984568133c13f06bbb98bf2d1350b

8. Pull the image from the kcptun repository on the private Registry:

# docker pull localhost:5000/kcptun
Using default tag: latest
latest: Pulling from kcptun
Digest: sha256:73272f481c45ef5de2ca708df32e5167b21984568133c13f06bbb98bf2d1350b
Status: Downloaded newer image for localhost:5000/kcptun:latest
localhost:5000/kcptun:latest

# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kcptun v1.5 ada612b11885 23 hours ago 7.67MB
kcptun v1.4 3ab2d78d6329 23 hours ago 7.67MB
localhost:5000/kcptun latest 3ab2d78d6329 23 hours ago 7.67MB
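As an added example (not part of the original post), the following Python script drives the same v2 API calls as the curl commands above and verifies a tag's manifest against the digest that docker push printed. It assumes the plain HTTP registry at localhost:5000 from step 1 and a schema2 manifest, which is what the push above produced.

```python
import hashlib
import json
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

def registry_get(base_url, path, accept=None):
    """GET base_url + path; returns (headers, body bytes)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if accept:
        req.add_header("Accept", accept)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers, resp.read()

def list_repositories(base_url):
    """Same data as: curl localhost:5000/v2/_catalog"""
    return json.loads(registry_get(base_url, "/v2/_catalog")[1])["repositories"]

def list_tags(base_url, repo):
    """Same data as: curl localhost:5000/v2/<repo>/tags/list"""
    return json.loads(registry_get(base_url, f"/v2/{repo}/tags/list")[1])["tags"]

def manifest_digest(body):
    """The digest docker push prints is sha256 over the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(body).hexdigest()

def verify_manifest(body, content_digest, expected=None):
    """True when the manifest bytes hash to the Docker-Content-Digest the registry
    sent and, if given, to the digest recorded when the image was pushed."""
    computed = manifest_digest(body)
    if computed != content_digest:
        return False
    return expected is None or computed == expected

def fetch_and_verify(base_url, repo, tag, expected=None):
    """Fetch the tag's manifest and return (ok, digest)."""
    headers, body = registry_get(base_url, f"/v2/{repo}/manifests/{tag}", MANIFEST_V2)
    ok = verify_manifest(body, headers.get("Docker-Content-Digest", ""), expected)
    return ok, manifest_digest(body)

if __name__ == "__main__":
    BASE = "http://localhost:5000"  # the plain HTTP registry created in step 1
    for repo in list_repositories(BASE):
        for tag in list_tags(BASE, repo):
            ok, digest = fetch_and_verify(BASE, repo, tag)
            print(f"{repo}:{tag} {digest} {'OK' if ok else 'DIGEST MISMATCH'}")
```

Because insecure-registries turns off TLS for this host, the digest check only proves that the manifest matches a digest you recorded earlier, not who served it; pulling by localhost:5000/kcptun@sha256:... pins exactly that content.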

II. Customizing the private Registry storage location

By default, the private Registry's contents are kept in a Docker volume on the host filesystem. If you want to store them at a specific location on the host, for example a directory backed by an SSD, a SAN or an NFS mount, bind-mount that host directory onto the container's /var/lib/registry/ for better performance and more capacity.

1. Set the local volume mount point

The following example bind-mounts the host directory /data/docker/registry/ onto /var/lib/registry/.

# docker run -d -p 5000:5000 -v /data/docker/registry/:/var/lib/registry/ --restart=always --name registry registry
a259c9480e46d32ab2838c306a06b765047efdc4d03be9b92993c7bf2aa66bae
# check the container status
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a259c9480e46 registry "/entrypoint.sh /etc…" 20 seconds ago Up 19 seconds 0.0.0.0:5000->5000/tcp registry

2. Re-tag the local image to be uploaded, setting the upload target:

# docker tag kcptun:v1.3 localhost:5000/kcptun:v1.3
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kcptun v1.3 9aec3788e0b2 24 hours ago 7.67MB
localhost:5000/kcptun v1.3 9aec3788e0b2 24 hours ago 7.67MB

3. Push the image

# docker push localhost:5000/kcptun:v1.3
The push refers to repository [localhost:5000/kcptun]
74b93d069f25: Pushed
8370d322a335: Pushed
01fd6df81c8e: Pushed
v1.3: digest: sha256:8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742 size: 945

4. Inspect the /data/docker/registry/ directory on the host

# tree /data/docker/registry/
/data/docker/registry/
└── docker
    └── registry
        └── v2
            ├── blobs
            │   └── sha256
            │       ├── 52
            │       │   └── 52bbe01f5fedf895709e1b229d0c0043ba31946608bb50466d34967382be612b
            │       │       └── data
            │       ├── 5c
            │       │   └── 5cc84ad355aaa64f46ea9c7bbcc319a9d808ab15088a27209c9e70ef86e5a2aa
            │       │       └── data
            │       ├── 89
            │       │   └── 8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
            │       │       └── data
            │       ├── 9a
            │       │   └── 9aec3788e0b2d04b580a62612ccdc3ee36404055ce137b549b63efd688e6fbcc
            │       │       └── data
            │       └── d8
            │           └── d8764f8cdfdb15d11ec947f9b2746953cd74d064af01bb289b7e61045663cb14
            │               └── data
            └── repositories
                └── kcptun
                    ├── _layers
                    │   └── sha256
                    │       ├── 52bbe01f5fedf895709e1b229d0c0043ba31946608bb50466d34967382be612b
                    │       │   └── link
                    │       ├── 5cc84ad355aaa64f46ea9c7bbcc319a9d808ab15088a27209c9e70ef86e5a2aa
                    │       │   └── link
                    │       ├── 9aec3788e0b2d04b580a62612ccdc3ee36404055ce137b549b63efd688e6fbcc
                    │       │   └── link
                    │       └── d8764f8cdfdb15d11ec947f9b2746953cd74d064af01bb289b7e61045663cb14
                    │           └── link
                    ├── _manifests
                    │   ├── revisions
                    │   │   └── sha256
                    │   │       └── 8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
                    │   │           └── link
                    │   └── tags
                    │       └── v1.3
                    │           ├── current
                    │           │   └── link
                    │           └── index
                    │               └── sha256
                    │                   └── 8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
                    │                       └── link
                    └── _uploads

34 directories, 12 files
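The layout above is content-addressed: each blob sits under the first two hex characters of its own sha256, and the tag and layer link files point at those digests. As an added example (not the registry's own code), this Python audit walks that tree for one repository and tag and re-hashes every referenced blob, which catches a blob that was modified or corrupted on the bind-mounted /data/docker/registry/ directory.

```python
import hashlib
from pathlib import Path

def blob_path(root, digest):
    """Blobs are content-addressed: blobs/sha256/<first two hex chars>/<full hex>/data"""
    algo, hexdigest = digest.split(":", 1)
    return (Path(root) / "docker/registry/v2/blobs" / algo
            / hexdigest[:2] / hexdigest / "data")

def read_link(path):
    """A link file holds one digest string such as 'sha256:8985f2...'."""
    return Path(path).read_text().strip()

def tag_digest(root, repo, tag):
    """Resolve a tag to its manifest digest via _manifests/tags/<tag>/current/link."""
    return read_link(Path(root) / "docker/registry/v2/repositories" / repo
                     / "_manifests/tags" / tag / "current/link")

def layer_digests(root, repo):
    """Every layer the repository references is a directory under _layers/sha256/."""
    layers = Path(root) / "docker/registry/v2/repositories" / repo / "_layers/sha256"
    return sorted("sha256:" + p.name for p in layers.iterdir() if p.is_dir())

def verify_blob(root, digest):
    """Re-hash the blob's data file and compare with the digest it is filed under."""
    path = blob_path(root, digest)
    if not path.is_file():
        return False
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest() == digest

def audit_repo(root, repo, tag):
    """Map each digest (manifest first, then layers) to whether its blob is intact."""
    digests = [tag_digest(root, repo, tag)] + layer_digests(root, repo)
    return {d: verify_blob(root, d) for d in digests}

if __name__ == "__main__":
    import sys
    root, repo, tag = sys.argv[1:4]  # e.g. /data/docker/registry kcptun v1.3
    for digest, ok in audit_repo(root, repo, tag).items():
        print(digest, "OK" if ok else "MISSING OR TAMPERED")
```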

III. Setting up a private Registry with a TLS certificate

1. Prerequisites

• Your registry URL is https://myregistry.domain.com/
• Your DNS, routing, and firewall settings allow access to the registry's host on port 443.
• You have already obtained a certificate from a certificate authority (CA). (Note: this example uses a self-signed certificate instead.)

2. Generate a self-signed certificate and private key, and keep them in certs/ under the current directory

# mkdir -p certs
# openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-addext "subjectAltName = DNS:myregistry.domain.com" \
-x509 -days 365 -out certs/domain.crt

Note:

(1) The CN should be the domain name myregistry.domain.com.

(2) After running the command above you will be prompted for the organization details; if you make a mistake you can only rerun the command, so it is advisable to prepare the answers in a text editor first and paste them in. Example:

Country Name = CN
State or Province Name = Sichuan
Locality Name = Chengdu
Organization Name = Chengdu Westone Co., Ltd.
Common Name = myregistry.domain.com

(3) The -addext option requires OpenSSL 1.1.1 or later; on CentOS, generating a self-signed certificate this way requires upgrading OpenSSL first. This example uses the UOS (统信) operating system, whose default version is OpenSSL 1.1.1d.

3. Create the Registry with the self-signed TLS certificate and private key

docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-v /data/docker/registry/:/var/lib/registry/ \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry

4. Copy the self-signed TLS certificate to the client host with scp.

# scp -P 1026 renkailang@myregistry.domain.com:/data/docker/certs/domain.crt ./
renkailang@renkl.wicp.vip's password:
domain.crt 100% 2114 331.5KB/s 00:00

5. Add the self-signed certificate to the trusted CA list, then restart Docker for it to take effect.

Ubuntu

# cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
# update-ca-certificates

Red Hat Enterprise Linux

# cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
# update-ca-trust

Oracle Linux

# update-ca-trust enable

Windows

Open Windows Explorer, right-click the certificate, and choose Install certificate.

Then, select the following options:

  • Store location: local machine
  • Check Place all certificates in the following store
  • Click Browse, and select Trusted Root Certificate Authorities
  • Click Finish

Note: after the certificate has been added, the docker daemon must be restarted for the change to take effect.
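Before copying domain.crt into a trust store it is worth checking that its subjectAltName actually covers the registry hostname (Docker, like Go, ignores the CN for hostname matching) and that it is inside its validity period. The following is an added Python example, not from the original post; it uses only the standard ssl module and assumes a self-signed root-style certificate like the one produced in step 2.

```python
import ssl
import time

def load_cert_info(cafile):
    """Parse a PEM certificate with the ssl module. The context is created without
    the system CA store, so the only certificate returned is the one from cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    certs = ctx.get_ca_certs()  # lists CA-capable certs only; a self-signed root is one
    if not certs:
        raise ValueError(f"no CA-capable certificate in {cafile}")
    return certs[0]

def san_matches(hostname, san):
    """Match the hostname against DNS SAN entries; a '*.' wildcard covers one label."""
    host = hostname.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False

def check_registry_cert(cafile, hostname, now=None):
    """Return a list of problems; an empty list means the certificate is usable."""
    info = load_cert_info(cafile)
    now = time.time() if now is None else now
    problems = []
    if not san_matches(hostname, info.get("subjectAltName", ())):
        problems.append(f"subjectAltName does not cover {hostname}")
    if ssl.cert_time_to_seconds(info["notBefore"]) > now:
        problems.append(f"certificate not valid before {info['notBefore']}")
    if ssl.cert_time_to_seconds(info["notAfter"]) < now:
        problems.append(f"certificate expired on {info['notAfter']}")
    return problems

if __name__ == "__main__":
    import sys
    # usage: python check_cert.py certs/domain.crt myregistry.domain.com
    issues = check_registry_cert(sys.argv[1], sys.argv[2])
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```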

6. Test image push and pull

Image push:

# docker tag myregistry.domain.com/kcptun:v1.1 myregistry.domain.com/kcptun:v1.6
# docker push myregistry.domain.com/kcptun:v1.6
The push refers to repository [myregistry.domain.com/kcptun]
8370d322a335: Layer already exists
01fd6df81c8e: Layer already exists
v1.6: digest: sha256:2c970fd6897405b32f128b73215523d37a64ffb659570c9fef820b494833d421 size: 738

Image pull:

# docker pull myregistry.domain.com/kcptun:v1.3
v1.3: Pulling from kcptun
5cc84ad355aa: Already exists
d8764f8cdfdb: Already exists
52bbe01f5fed: Pull complete
Digest: sha256:8985f260ab5ee934855712711bb5689c4864383b42e1119772539fde30e1d742
Status: Downloaded newer image for myregistry.domain.com/kcptun:v1.3
myregistry.domain.com/kcptun:v1.3

Packet capture verification

[Figure: packet capture screenshot (image 基于容器配置私有Registry_d3, not included in the page text)]

References:

https://docs.docker.com/registry/deploying/#copy-an-image-from-docker-hub-to-your-registry

https://blog.csdn.net/qq_31821675/article/details/89211022