Deploying a private docker-registry
Published: 2019-06-28


Create directories

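sudo mkdir -p /var/docker-data/{registry,certs,auth}

# Self-signed certificate for the registry address.
# Docker clients verify an IP address against the certificate's subjectAltName;
# with OpenSSL 1.1.1 or later, add: -addext 'subjectAltName = IP:192.192.49.87'
sudo openssl req -subj '/C=CN/ST=GD/L=GZ/CN=192.192.49.87' \
  -newkey rsa:4096 -nodes -sha256 -keyout /var/docker-data/certs/domain.key \
  -x509 -days 365 -out /var/docker-data/certs/domain.crt

sudo mkdir -p /etc/docker/certs.d/192.192.49.87
sudo cp /var/docker-data/certs/domain.crt /etc/docker/certs.d/192.192.49.87/ca.crt

# OS-level trust may also be needed
sudo cp /var/docker-data/certs/domain.crt /etc/pki/ca-trust/source/anchors/192.192.49.87.crt
sudo update-ca-trust

# Stop and remove any existing registry container
docker container stop registry && docker container rm -v registry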

Start

docker run -d \
  --restart=always \
  --name registry \
  -v /var/docker-data/certs:/certs \
  -v /var/docker-data/auth:/auth \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -e REGISTRY_STORAGE_DELETE_ENABLED="true" \
  -p 443:443 \
  registry:2

List images

curl -X GET --insecure  https://192.192.49.87/v2/_catalog

Client configuration

sudo mkdir -p /etc/docker/certs.d/192.192.49.87
sudo cp /var/docker-data/certs/domain.crt /etc/docker/certs.d/192.192.49.87/ca.crt

# OS-level trust may also be needed
sudo cp /var/docker-data/certs/domain.crt /etc/pki/ca-trust/source/anchors/192.192.49.87.crt
sudo update-ca-trust

# Test
sudo docker pull busybox
sudo docker tag busybox 192.192.49.87/busybox
sudo docker push 192.192.49.87/busybox

Delete an image from the registry

# First look up the image's Docker-Content-Digest
curl -v -k -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  -X GET https://192.192.49.87/v2/busybox/manifests/latest 2>&1 | \
  grep 'Docker-Content-Digest' | awk '{print ($3)}'

# Then delete the metadata (append the digest printed above to the URL)
# Deletion must be allowed: -e REGISTRY_STORAGE_DELETE_ENABLED="true"
curl -v -k -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  -X DELETE https://192.192.49.87/v2/busybox/manifests/

# Run garbage-collect inside the container to reclaim disk space
docker exec -it registry /bin/registry \
  garbage-collect /etc/docker/registry/config.yml
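
An added example (not part of the original post) of the same two-step delete: it verifies TLS with the CA certificate from the client step instead of -k, and refuses to send the DELETE unless the registry returned a well-formed digest. REGISTRY, CACERT, REGISTRY_USER and REGISTRY_PASS are names assumed for this example; the credentials only matter once htpasswd authentication is enabled.

```shell
#!/bin/sh
# Added example: delete a tag's manifest by digest without disabling TLS checks.
# Assumed names (not from the post): REGISTRY, CACERT, REGISTRY_USER, REGISTRY_PASS.
REGISTRY="${REGISTRY:-192.192.49.87}"
CACERT="${CACERT:-/etc/docker/certs.d/192.192.49.87/ca.crt}"
ACCEPT='Accept: application/vnd.docker.distribution.manifest.v2+json'

# Read HTTP response headers on stdin and print the Docker-Content-Digest value.
# The header name is matched case-insensitively and the trailing CR is stripped.
# Returns non-zero unless the value looks like sha256:<64 hex characters>.
extract_digest() {
  digest=$(tr -d '\r' |
    awk 'tolower($1) == "docker-content-digest:" { print $2; exit }')
  printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  printf '%s\n' "$digest"
}

# delete_tag REPO TAG: resolve the tag to its digest, then DELETE that manifest.
delete_tag() {
  repo=$1
  tag=$2
  # HEAD request: only the headers are needed to learn the digest.
  digest=$(curl -fsS -I --cacert "$CACERT" \
      -u "$REGISTRY_USER:$REGISTRY_PASS" -H "$ACCEPT" \
      "https://$REGISTRY/v2/$repo/manifests/$tag" | extract_digest) || {
    echo "no valid digest for $repo:$tag, nothing deleted" >&2
    return 1
  }
  curl -fsS --cacert "$CACERT" -u "$REGISTRY_USER:$REGISTRY_PASS" \
      -X DELETE "https://$REGISTRY/v2/$repo/manifests/$digest" &&
    echo "deleted $repo@$digest"
}

# Runs only when called with arguments, e.g.: sh delete-tag.sh busybox latest
if [ "$#" -ge 2 ]; then
  delete_tag "$1" "$2"
fi
```

Garbage collection inside the container is still needed afterwards to free the disk space.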

Enable authentication

# User admin, password niot1234
docker run --entrypoint htpasswd registry:2 -Bbn admin niot1234 > /var/docker-data/auth/htpasswd

docker container stop registry
docker rm registry

# Restart the container
docker run -d \
  --restart=always \
  --name registry \
  -v /var/docker-data/certs:/certs \
  -v /var/docker-data/auth:/auth \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -e REGISTRY_STORAGE_DELETE_ENABLED="true" \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -p 443:443 \
  registry:2

docker-compose configuration

Install

sudo curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

sudo chmod +x /usr/local/bin/docker-compose

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version

Create docker-registry-compose.yml

registry:
  restart: always
  image: registry:2
  ports:
    - 443:443
  environment:
    REGISTRY_HTTP_ADDR: 0.0.0.0:443
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    # REGISTRY_AUTH: htpasswd
    # REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    # REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /var/docker-data/registry:/var/lib/registry
    - /var/docker-data/certs:/certs
    - /var/docker-data/auth:/auth

Start

sudo docker-compose -f docker-registry-compose.yml up -d

END

Reposted from: https://www.cnblogs.com/fatt/p/10320400.html
