拉取镜像
docker pull registry:2.6.2
生成账号密码文件,这里采用htpasswd方式认证
docker run --rm --entrypoint htpasswd registry:2.6.2 -Bbn admin 123456 > /data/k8s/registry/auth/htpasswd
备注:该账号密码是在登录私库和访问api接口的时候也需要,上述就是生成一个带账号为admin,密码为123456的加密htpasswd文件
配置文件
cat <<EOF > /data/k8s/registry/config/config.yml
version: 0.1
log:
fields:
service: registry
storage:
filesystem:
rootdirectory: /var/lib/registry
maxthreads: 100
delete:
enabled: true
redirect:
disable: true
cache:
blobdescriptor: inmemory
maintenance:
uploadpurging:
enabled: true
age: 168h
interval: 24h
dryrun: false
auth:
htpasswd:
realm: basic-realm
path: /auth/htpasswd
http:
addr: 5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
EOF
备注:上述配置采用的是本地文件存储镜像文件的方式,你也可以换成其他存储方式,比如s3、oss、azure、gcs、swift等
启动服务
docker run --name="docker-registry" \
--restart always\
-p 5000:5000 \
-v /data/docker-registry/config/config.yml:/etc/docker/registry/config.yml \
-v /data/docker-registry/auth/htpasswd:/auth/htpasswd \
-v /data/docker-registry/imgdata:/var/lib/registry
-d registry:2.6.2
配置docker不验证私有仓库安全配置,如果不配置这个需要配置证书(在每一台需要使用私有仓库的机器都要配置)
cat <<EOF > /etc/docker/daemon.json
{
"insecure-registries" : [
"192.168.0.10:5000"
]
}
EOF
systemctl restart docker
备注:
192.168.0.10:5000是你registry所在主机的IP地址和端口号,修改docker配置后重启docker服务,让配置生效
登录docker-registry(Username: admin Password:123456),然后就可以push或者pull目录了
docker login -u admin -p 123456 192.168.0.10:5000
浏览器访问如下网址,输入账号密码可以看到基础信息
http://192.168.0.10:5000/v2/_catalog
docker-registry的api文档
https://docs.docker.com/registry/spec/api/
给镜像打标签
docker tag redis localhost:5000/redis:latest
推动镜像到镜像仓库
docker push localhost:5000/redis:latest
拉取镜像私有镜像仓库里面的镜像
docker pull localhost:5000/redis:latest
含所有可配置项(config.yml)
version: 0.1 log: accesslog: disabled: true level: debug formatter: text fields: service: registry environment: staging hooks: - type: mail disabled: true levels: - panic options: smtp: addr: mail.example.com:25 username: mailuser password: password insecure: true from: [email protected] to: - [email protected] loglevel: debug # deprecated: use "log" storage: filesystem: rootdirectory: /var/lib/registry maxthreads: 100 azure: accountname: accountname accountkey: base64encodedaccountkey container: containername gcs: bucket: bucketname keyfile: /path/to/keyfile rootdirectory: /gcs/object/name/prefix chunksize: 5242880 s3: accesskey: awsaccesskey secretkey: awssecretkey region: us-west-1 regionendpoint: http://myobjects.local bucket: bucketname encrypt: true keyid: mykeyid secure: true v4auth: true chunksize: 5242880 multipartcopychunksize: 33554432 multipartcopymaxconcurrency: 100 multipartcopythresholdsize: 33554432 rootdirectory: /s3/object/name/prefix swift: username: username password: password authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth tenant: tenantname tenantid: tenantid domain: domain name for Openstack Identity v3 API domainid: domain id for Openstack Identity v3 API insecureskipverify: true region: fr container: containername rootdirectory: /swift/object/name/prefix oss: accesskeyid: accesskeyid accesskeysecret: accesskeysecret region: OSS region name endpoint: optional endpoints internal: optional internal endpoint bucket: OSS bucket encrypt: optional data encryption setting secure: optional ssl setting chunksize: optional size valye rootdirectory: optional root directory inmemory: # This driver takes no parameters delete: enabled: false redirect: disable: false cache: blobdescriptor: redis maintenance: uploadpurging: enabled: true age: 168h interval: 24h dryrun: false readonly: enabled: false auth: silly: realm: silly-realm service: silly-service token: realm: token-realm service: token-service issuer: registry-token-issuer rootcertbundle: /root/certs/bundle htpasswd: realm: basic-realm path: /path/to/htpasswd middleware: registry: - name: ARegistryMiddleware options: foo: bar repository: - name: ARepositoryMiddleware options: foo: bar storage: - name: cloudfront options: baseurl: https://my.cloudfronted.domain.com/ privatekey: /path/to/pem keypairid: cloudfrontkeypairid duration: 3000s storage: - name: redirect options: baseurl: https://example.com/ reporting: bugsnag: apikey: bugsnagapikey releasestage: bugsnagreleasestage endpoint: bugsnagendpoint newrelic: licensekey: newreliclicensekey name: newrelicname verbose: true http: addr: localhost:5000 prefix: /my/nested/registry/ host: https://myregistryaddress.org:5000 secret: asecretforlocaldevelopment relativeurls: false tls: certificate: /path/to/x509/public key: /path/to/x509/private clientcas: - /path/to/ca.pem - /path/to/another/ca.pem letsencrypt: cachefile: /path/to/cache-file email: [email protected] debug: addr: localhost:5001 headers: X-Content-Type-Options: [nosniff] http2: disabled: false notifications: endpoints: - name: alistener disabled: false url: https://my.listener.com/event headers: <http.Header> timeout: 500 threshold: 5 backoff: 1000 ignoredmediatypes: - application/octet-stream redis: addr: localhost:6379 password: asecret db: 0 dialtimeout: 10ms readtimeout: 10ms writetimeout: 10ms pool: maxidle: 16 maxactive: 64 idletimeout: 300s health: storagedriver: enabled: true interval: 10s threshold: 3 file: - file: /path/to/checked/file interval: 10s http: - uri: http://server.to.check/must/return/200 headers: Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==] statuscode: 200 timeout: 3s interval: 10s threshold: 3 tcp: - addr: redis-server.domain.com:6379 timeout: 3s interval: 10s threshold: 3 proxy: remoteurl: https://registry-1.docker.io username: [username] password: [password] compatibility: schema1: signingkeyfile: /etc/registry/key.json validation: enabled: true manifests: urls: allow: - ^https?://([^/]+\.)*example\.com/ deny: - ^https?://www\.example\.com/
后端s3存储配置(config.yml)
version: 0.1 log: fields: service: registry storage: s3: accesskey: 3AAPGH64L44PXBPE5FJC secretkey: 7n0ogaXFeDt9nTqQR2GyArIcKDIU9nhdsXMAMfj4 region: us-east-1 regionendpoint: http://192.168.0.10:7480 bucket: docker-registry secure: true v4auth: true chunksize: 5242880 multipartcopychunksize: 33554432 multipartcopymaxconcurrency: 100 multipartcopythresholdsize: 33554432 rootdirectory: /images redirect: disable: true cache: blobdescriptor: inmemory maintenance: uploadpurging: enabled: true age: 168h interval: 24h dryrun: false http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 3