Docker私有仓库部署
- 构建Docker私有仓库可避免开发生产时可能产生的网络问题
- 使用Docker Registry私有仓库部署,使用Docker Auth做身份验证
Docker安装
清除旧Docker安装痕迹
- 如果是第一次安装,可以略过此步骤
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get purge docker-ce docker-ce-cli containerd.io
sudo rm -rf /var/lib/docker安装Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker- 更多安装方法参考Install Docker Engine on Ubuntu
Docker 配置
sudo tee /etc/docker/daemon.json << eof
{
"registry-mirrors": ["https://jioksect.mirror.aliyuncs.com"]
}
eof
sudo systemctl daemon-reload
sudo systemctl restart docker- 首先配置阿里云镜像加速器以加速公共镜像拉取速度,随后搭建好私有镜像仓库后,可使用同样的方法将镜像源更新为私有仓库地址
Docker Auth部署
配置文件
- 这里以最简单的用户列表 + ACL的形式描述用户认证和权限控制的配置,在实际开发中更多的会用到Docker Auth提供的Google用户认证、GitHub用户认证、OIDC认证等等功能,具体可参考Docker Auth示例配置
mkdir -p /opt/docker_auth/config /opt/docker_auth/log && touch /opt/docker_auth/config/auth_config.yml
echo '
server:
addr: ":5001"
certificate: "/root/cert.pem"
key: "/root/cert.key"
token:
issuer: "Auth Service"
expiration: 900
users:
"root":
password: "${passwd}"
"": {} # 允许匿名访问
acl:
- match: {account: "root"}
actions: ["*"]
- match: {account: ""} # 匿名用户只能拉取镜像
actions: ["pull"]' > /opt/docker_auth/config/auth_config.yml${passwd}生成方式:htpasswd -nB roothtpasswd -nB root执行时要求输入的密码就是docker login时输入的root用户密码
certificate与key两个属性中指定的证书可以申请阿里云的免费证书,或者直接使用
letsencrypt- 证书签发的域名时Docker Auth提供用户认证服务的域名
- issuer属性中的名称务必与下边Docker Registry部署配置文件中的issuer属性值保持一致
容器部署
docker run -d \
--name=docker_auth \
-p ${port}:5001 \
--restart=always \
-v /opt/docker_auth/config:/config:ro \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
-v /opt/docker_auth/log:/logs \
cesanta/docker_auth --v=2 --alsologtostderr /config/auth_config.yml- 这里需要注意的是,Docker Registry服务需要通过内网或者公网与Docker Auth服务取得联系
Docker Registry部署
配置文件
docker pull registry
mkdir -p /opt/docker_registry/config /opt/docker_registry/data && touch /opt/docker_registry/config/config.yml
echo 'version: 0.1
log:
fields:
service: registry
storage:
delete:
enabled: true
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
auth:
token:
autoredirect: true
realm: ${docker_auth_url}/auth
service: Docker registry
issuer: Auth Service
rootcertbundle: /root/cert.pem
http:
addr: :5000
tls:
certificate: /root/cert.pem
key: /root/cert.key
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3' > /opt/docker_registry/config/config.yml${docker_auth_url}即为可访问的Docker Auth服务的地址(以https://开头的域名)- 更详细的配置参考 Docker Registry Review
容器部署
docker run -d \
-p ${port}:5000 \
--restart=always \
--name=registry \
-v /opt/docker_registry/config/:/etc/docker/registry/ \
-v /opt/docker_registry/data:/var/lib/registry \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
registry使用Nginx提供HTTPS服务
mkdir -p /opt/nginx/ && mkdir -p /opt/nginx/ssl
echo 'server {
listen 443 ssl;
server_name ${host_name};
#ssl证书文件位置(常见证书文件格式为:crt/pem)
ssl_certificate /etc/nginx/ssl/registry-cert.pem;
#ssl证书key位置
ssl_certificate_key /etc/nginx/ssl/registry-cert.key;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://${host_name};
}
}' >> /opt/nginx/dockerRegistry.conf${host_name}即Docker Registry对外提供服务的域名- 证书可以从阿里云免费申请,绑定到对应的${host_name}域名即可,并放置到
/opt/nginx/ssl目录下 - 使用Docker 容器部署Nginx服务即可,关于使用Docker部署Nginx此处不再赘述,可以参考下边的使用Docker Compose部署的部分
使用Docker Compose部署Docker私有仓库服务
echo 'version: '3.7'
services:
auth:
image: cesanta/docker_auth
volumes:
- /opt/docker_auth/config:/config:ro
- /opt/docker_auth/log:/logs
- /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
- /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
container_name: docker_auth
restart: always
command: --v=2 --alsologtostderr /config/auth_config.yml
ports:
- ${auth_port}:5001
docker_registry:
image: registry
container_name: registry
depends_on:
- auth
ports:
- ${registry_port}:5000
volumes:
- /opt/docker_registry/config:/etc/docker/registry
- /opt/docker_registry/data:/var/lib/registry
- /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
- /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
restart: always' >> /opt/docker_registry/registry.yaml
nginx:
image: nginx
container_name: docker_registry_nginx
restart: always
ports:
- 443:443
volumes:
- /opt/nginx/conf:/etc/nginx/conf.d/
- /opt/nginx/ssl/:/etc/nginx/ssl/
cd /opt/docker_registry && docker-compose -f registry.yaml up -d使用Docker私有仓库服务
开启HTTP形式访问私有仓库
- 在
/etc/docker/daemon.json中添加如下配置项
{
"insecure-registries":
[ "${registry_hostname}:${port}"]
}- 重启Docker服务
systemctl daemon-reload
systemctl restart docker尝试使用私有仓库服务
推送镜像
- 登录到自己的私有仓库:
docker login ${registry_hostname}:${port} 为镜像打上正确的tag(若不打合适的tag的话,会默认提交到DockerHub中):
docker tag [OPTIONS] IMAGE[:TAG] [REGISTRY_HOST/][USERNAME/]NAME[:TAG]- eg:
docker tag myApp:v1 localhost:8080/myname/myApp:v1
- eg:
推送镜像:
docker push [OPTIONS] IMAGE_NAME[:TAG]- eg:
docker push localhost:8080/myname/myApp:v1
- eg:
如果使用的是官方DockerHub仓库的服务的话:
docker login --username usernamedocker tag my-image username/my-repodocker push username/my-repo
拉取镜像
docker pull [OPTIONS] NAME[:TAG]
参考链接
- Docker Auth示例配置
- Docker Registry Review
- docker local registry exec htpasswd executable file not found in $PATH
- Private registry push fail: server gave HTTP response to HTTPS client
- Docker私有仓库
- Docker push and pull using separate credentials
- Docker Registry v2 + Token Auth Server (Registry v2 认证)实例
- Docker私有仓库Registry及Auth-server认证搭建
- Configuring a registry
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。