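[docker] Setting up a private registry

Importing and exporting images is tedious, and sharing images takes up a large part of my working time.

I set up a local registry in two variants: one without username/password authentication and one with it.

References: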

https://docs.docker.com/registry/#requirements
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
https://docs.docker.com/registry/deploying/#restricting-access

I need a registry, and I don't need authentication

node1 (192.168.14.132) - acts as the docker registry

docker run -d -p 5000:5000 -v /data/docker/registy:/var/lib/registry  registry:2

node2 (192.168.14.133) - acts as the client that pushes images to the registry

$ cat /etc/docker/daemon.json 
{
    "insecure-registries" : ["192.168.14.132:5000"]
}
$ systemctl restart docker

$ docker info
...
Experimental: false
Insecure Registries:
 192.168.14.132:5000  # this entry is now listed
 127.0.0.0/8
...
docker tag centos 192.168.14.132:5000/maotai/centos
docker push  192.168.14.132:5000/maotai/centos
[root@node1 repositories]# tree -L 1 ./maotai
./maotai # organized by user name
├── busybox
└── centos

Tagging takes some care: put the owner's name in the tag so the images are easy to tell apart.

Viewing centos

List the images in the registry:

GET /v2/_catalog

List the tags of an image:

GET /v2/huayong/busybox/tags/list

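I need a registry with username/password authentication

This is a bit more work: docker requires that the username and password are not sent in clear text during authentication, so HTTPS is the only option.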

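mkdir /data/registry/auth/{certs,auth} -p
cd /data/registry/auth/certs
# The certificate below carries only a CN. Recent Docker releases ignore the CN and require a
# subjectAltName; with OpenSSL 1.1.1+ also pass: -addext "subjectAltName=DNS:reg.maotai.com"
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout domain.key -out domain.crt -subj "/CN=reg.maotai.com"
cd /data/registry/auth
## create testuser/testpassword
## (if your registry:2 image does not ship htpasswd, the httpd:2 image provides it)
docker run \
  --entrypoint htpasswd \
  registry:2 -Bbn testuser testpassword > auth/htpasswd

# stay in /data/registry/auth so that `pwd`/auth and `pwd`/certs below
# resolve to the directories created above
cd /data/registry/auth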
docker run -d \
  -p 5000:5000 \
  --restart=always \
  -v /data/docker/registy:/var/lib/registry \
  -v /etc/localtime:/etc/localtime \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

The client likewise needs daemon.json configured.
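
An added example (not from the original post): a Python check that reads a client's daemon.json and reports what each insecure-registries entry exempts, since for those registries Docker skips certificate validation and may fall back to plain HTTP. The function names, the severity labels and the extra sample entries are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample: the client entry from this page plus extra entries
# (CIDR range, hostname, loopback) added to exercise every branch.
SAMPLE_DAEMON_JSON = """
{
    "insecure-registries": ["192.168.14.132:5000", "10.0.0.0/8",
                            "reg.maotai.com:5000", "127.0.0.1:5000"]
}
"""

def classify(entry):
    """Return (severity, reason) for one insecure-registries entry.
    The severity labels are this example's own convention."""
    if "/" in entry:  # CIDR form: every registry in the range is exempt
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return ("review", "neither a CIDR range nor host[:port]")
        if net.is_loopback:
            return ("info", "loopback range")
        return ("high", f"{net.num_addresses} addresses exempt from TLS verification")
    if entry.startswith("["):        # bracketed IPv6 literal, optional port
        host = entry[1:entry.find("]")]
    elif entry.count(":") == 1:      # host:port
        host = entry.rsplit(":", 1)[0]
    else:
        host = entry
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ("medium", "hostname: the exempt endpoint depends on name resolution")
    if addr.is_loopback:
        return ("info", "loopback address")
    if addr.is_private:
        return ("medium", "single private address without TLS verification")
    return ("high", "public address without TLS verification")

def audit(daemon_json_text):
    """List (entry, severity, reason) for each insecure registry configured."""
    config = json.loads(daemon_json_text)
    return [(e, *classify(e)) for e in config.get("insecure-registries", [])]

if __name__ == "__main__":
    for entry, severity, reason in audit(SAMPLE_DAEMON_JSON):
        print(f"{severity:7} {entry:22} {reason}")
```

To check a real host, pass the contents of /etc/docker/daemon.json to audit() instead of the sample.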
