1、环境准备
###关闭firewalld
shell>systemctl disable firewalld
shell>systemctl stop firewalld
##开启IP转发
shell>echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
shell>sudo sysctl -p
2、简单本地部署
shell>docker run -d --name registry \
-e REGISTRY_STORAGE_DELETE_ENABLED=true \
-p 5000:5000 \
--restart unless-stopped \
-v /data/app/registry:/var/lib/registry \
-v /etc/localtime:/etc/localtime \
registry:latest
3、如何上传至registry
3.1 拉取镜像(或用Dockerfile自行构建镜像)
shell>docker pull ubuntu:16.04
3.2 修改镜像tag
shell>docker tag ubuntu:16.04 localhost:5000/my-ubuntu
3.3 推送至registry[因为此时registry还没有配置证书和密码认证,所以不需要docker login]
shell>docker push localhost:5000/my-ubuntu
3.4 此时我们删除本地镜像(以便下一步验证能从registry重新拉取)
#####查看镜像
shell>docker images
shell>docker rmi [###镜像ID###]
shell>docker images
3.5 从registry拉取镜像
shell>docker pull localhost:5000/my-ubuntu
如何删除registry镜像
格式:DELETE /v2/<name>/manifests/<reference>
<name>:镜像名称
<reference>:镜像manifest对应的sha256值
查看sha256值的方法:
shell>docker ps
shell>docker exec -it [###containerid###] bash
shell>cat /var/lib/registry/docker/registry/v2/repositories/my-ubuntu/_manifests/tags/latest/current/link
########sha256:a3785f78ab8547ae2710c89e627783cfa7ee7824d3468cae6835c9f4eae23ff7#########
参考这篇文章(查看镜像是否存在):https://segmentfault.com/a/1190000024454194
删除manifest后,检查容器里的存储文件是否真的被删除
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
91e62de7b0de registry "/entrypoint.sh /etc…" 2 hours ago Up 2 minutes 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry
[root@master ~]#
[root@master ~]#
[root@master ~]# docker exec -it 91e62de7b0de sh
/ # du -sch /var/lib/registry
44.4M /var/lib/registry
44.4M total
============说明删除manifest后blob文件并没有被真正删除,仍占用磁盘空间,需要执行垃圾回收
在容器内执行以下命令进行垃圾回收(garbage-collect),回收已无manifest引用的blob
/ # registry garbage-collect /etc/docker/registry/config.yml
my-ubuntu
0 blobs marked, 6 blobs and 0 manifests eligible for deletion
blob eligible for deletion: sha256:b6f50765242581c887ff1acc2511fa2d885c52d8fb3ac8c4bba131fd86567f2e
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/b6/b6f50765242581c887ff1acc2511fa2d885c52d8fb3ac8c4bba131fd86567f2e go.version=go1.11.2 instance.id=c3ea175d-5d25-4cc0-8142-ce9508be998f service=registry
blob eligible for deletion: sha256:da8ef40b9ecabc2679fe2419957220c0272a965c5cf7e0269fa1aeeb8c56f2e1
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/da/da8ef40b9ecabc2679fe2419957220c0272a965c5cf7e0269fa1aeeb8c56f2e1 go.version=go1.11.2 instance.id=c3ea175d-5d25-4cc0-8142-ce9508be998f service=registry
blob eligible for deletion: sha256:fb15d46c38dcd1ea0b1990006c3366ecd10c79d374f341687eb2cb23a2c8672e
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/fb/fb15d46c38dcd1ea0b1990006c3366ecd10c79d374f341687eb2cb23a2c8672e go.version=go1.11.2 instance.id=c3ea175d-5d25-4cc0-8142-ce9508be998f service=registry
blob eligible for deletion: sha256:58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/58/58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50 go.version=go1.11.2 instance.id=c3ea175d-5d25-4cc0-8142-ce9508be998f service=registry
blob eligible for deletion: sha256:a3785f78ab8547ae2710c89e627783cfa7ee7824d3468cae6835c9f4eae23ff7
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/a3/a3785f78ab8547ae2710c89e627783cfa7ee7824d3468cae6835c9f4eae23ff7 go.version=go1.11.2 instance.id=c3ea175d-5d25-4cc0-8142-ce9508be998f service=registry
blob eligible for deletion: sha256:b51569e7c50720acf6860327847fe342a1afbe148d24c529fb81df105e3eed01
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/b5/b51569e7c50720acf6860327847fe342a1afbe148d24c529fb81df105e3eed01 go.version=go1.11.2 instance.id=c3ea175d-5d25-4cc0-8142-ce9508be998f service=registry
/ # du -sch /var/lib/registry
24.0K /var/lib/registry
24.0K total
4、如何部署证书和密码
4.1 生成ssl证书
shell>yum -y install openssl
shell>mkdir -p /data/app/registry/auth/certs
shell>vim /etc/pki/tls/openssl.cnf
####在其中的[ v3_ca ]部分添加subjectAltName选项(填写IP或DNS名称,必须与客户端访问registry时使用的地址一致):
subjectAltName = IP:192.168.8.61
#subjectAltName = DNS:myregistry.domain.com
shell>openssl req -subj "/C=CN/ST=GuangDong/L=ShenZhen/CN=Registry/O=Company/CN=test.io/" \
-newkey rsa:4096 -nodes -sha256 -keyout /data/app/registry/certs/domain.key \
-x509 -days 365 -out /data/app/registry/certs/domain.crt
#####使docker守护进程信任我们的自签名证书,解决x509错误(注意证书路径要与上面openssl -out的输出路径以及下面-v挂载的路径保持一致)
shell>cp /data/app/registry/auth/certs/domain.crt /etc/docker/certs.d/192.168.8.61/
4.2 上传镜像
shell>docker pull centos
shell>docker tag centos 192.168.8.61/centos
5、密码访问
使用htpasswd创建密码文件(-B为bcrypt加密;注意密码会明文出现在命令行和shell历史中,正式环境建议去掉-b改为交互式输入)
shell>mkdir -p /data/app/registry/auth
shell>docker run \
--entrypoint htpasswd \
httpd:2 -Bbn testuser testpassword > /data/app/registry/auth/htpasswd
启动带TLS和密码认证的registry(若前面已启动过名为registry的容器,需先停止并删除,否则容器名冲突)
shell>docker run -d \
--restart=always \
--name registry \
-v /data/app/registry/certs/:/certs \
-v /data/app/registry/lib/:/var/lib/registry \
-v /data/app/registry/auth/:/auth \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-p 443:443 \
registry
shell>docker login 192.168.8.61
###输入上面htpasswd创建的用户名和密码(testuser/testpassword)
shell>docker push 192.168.8.61/centos
6、客户端登录
设置客户端信任服务端
###方法一:证书信任
shell>scp 192.168.8.61:/etc/docker/certs.d/192.168.8.61/domain.crt /etc/docker/certs.d/192.168.8.61/
###方法二:跳过证书校验,在/etc/docker/daemon.json中配置insecure-registries(docker不再校验服务端证书,仅建议在测试环境使用)
shell>vim /etc/docker/daemon.json
#####添加以下配置(地址填写registry的访问地址),修改后需重启docker服务使其生效
"insecure-registries":["192.168.61.238"]
上传镜像
shell>docker pull centos
shell>docker tag centos 192.168.8.61/centos