Docker private registry: HTTPS + nginx

1. Overview

We use registry 2.4, because starting from this version garbage-collect is provided, which can clean up blobs. The API has offered a delete operation since 2.1, but it only deletes the index and does not free disk space, so 2.4 added garbage-collect. Officially, deleting blobs is not recommended, but very old images that were built and pushed are no longer useful, so they need to be cleaned up regularly.

Deployment:

1) Set up the Docker private registry. For production use it must be secured, so authentication + HTTPS is required.

Create the directories:

# mkdir -p /data/registry/ && cd /data/registry/ && mkdir auth certs

Create the password file:

# cd /data/registry/

# docker run --entrypoint htpasswd daocloud.io/registry -Bbn huoqiu huoqiu123 > auth/htpasswd

 

Create the certificate:

# openssl req -x509 -days 3650 -subj '/CN=huoqiu.oo.com/' -nodes -newkey rsa:2048 -keyout certs/registry.key -out certs/registry.crt

Create the directory where the Docker daemon looks for the registry certificate:

#mkdir -p /etc/docker/certs.d/huoqiu.oo.com/

#cp /data/registry/certs/registry.crt  /etc/docker/certs.d/huoqiu.oo.com/

 

Create the container:

# cd /data/registry/

Create the conf directory and the config.yml file inside it:

# mkdir conf

# cat conf/config.yml

version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

Deletion is not supported by default; delete support has to be enabled explicitly (the storage.delete block in the config above):

storage:
  delete:
    enabled: true

# cat tt.sh

#!/bin/bash
# (Re)create the registry container; auth, certs, data and conf are taken
# from the directory this script lives in.

dir=$(cd "$(dirname "$0")" && pwd)
docker stop registry && docker rm registry
docker run -d -p 5000:5000 -p 443:5000 --restart=always \
    --name registry \
    -v "$dir/auth:/auth" \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on huoqiu.oo.com" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -v "$dir/certs:/certs" \
    -v "$dir/data:/var/lib/registry" \
    -v "$dir/conf/config.yml:/etc/docker/registry/config.yml" \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
    daocloud.io/registry:2.4

 

#chmod +x tt.sh

#sh tt.sh

 

Set up the nginx proxy:

First copy the created certificate and key to the nginx server:

# scp /data/registry/certs/* nginx:/root/oo

# cat sb.conf

server {
    listen 443 ssl;
    server_name huoqiu.oo.com;
    # image layers can be large; do not cap the upload size
    client_max_body_size 0;

    ssl_certificate /root/oo/registry.crt;
    ssl_certificate_key /root/oo/registry.key;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 and the RC4, 3DES and MD5 suites are broken; offer TLS 1.2 only
    ssl_protocols TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES256-SHA;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # the registry container itself terminates TLS on 443 (see tt.sh)
        proxy_pass https://10.10.9.3:443;
    }
}

 

Log in:

docker login huoqiu.oo.com

Enter the username and password. This creates /root/.docker/config.json, which records the credentials.

 

2. Cleaning the registry

Cleaning old images takes two steps:

1) Find the digests of the images concerned

The data directory is mounted at /data/registry/data on the host; first find the digests to delete:

For example, the image to delete here is fireball/saturn; for other images, look under /data/registry/data/docker/registry/v2/repositories/.

# cd /data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags

Find the digests of tags older than 100 days:

# find . -name link -mtime +100 | grep current | xargs grep "sha256" | awk -F ":" '{print $3}'

Then call the API to delete them:

curl -k -I -X DELETE https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:<digest printed by the command above>

Parameter explanation:

-k: because we use HTTPS with the self-signed certificate, -k skips certificate verification; otherwise curl reports an error

huou:histry: the registry username and password

 

2) Use gc to clean the data files

docker exec -it registry /bin/registry garbage-collect /etc/docker/registry/config.yml
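As an added example (not the post's own script), the following shell code builds a constructed copy of the registry's tag layout in a temporary directory and computes which digests are safe to delete, handling the case the plain find | grep | awk pipeline misses: a digest that an old tag shares with a fresh tag such as latest. The repository name, tag names, digests and registry URL are constructed sample values.

```shell
#!/bin/bash
# Added example (not from the original post). Builds a constructed registry tag
# layout in a temp dir and finds the digests that can be deleted: those used only
# by tags older than N days. DELETE on a manifest digest affects every tag that
# points at it, so a digest shared with a fresh tag (e.g. "latest") is kept.

# tag_digests <repositories_root> <repo> [find tests...] -> lines "tag hex"
tag_digests() {
    local root=$1 repo=$2 tags link tag
    shift 2
    tags="$root/$repo/_manifests/tags"
    [ -d "$tags" ] || return 1
    # only each tag's current/link; revision and index link files are skipped
    find "$tags" -path '*/current/link' "$@" | sort | while read -r link; do
        tag=$(basename "$(dirname "$(dirname "$link")")")
        # the link file holds "sha256:<hex>"; keep the hex part
        printf '%s %s\n' "$tag" "$(cut -d: -f2 "$link")"
    done
}

# stale_digests <root> <repo> <days> -> hex digests that no fresh tag still uses
stale_digests() {
    { tag_digests "$1" "$2" -mtime +"$3" | sed 's/^/old /'
      tag_digests "$1" "$2" ! -mtime +"$3" | sed 's/^/new /'
    } | awk '$1 == "new" { keep[$3] = 1 } $1 == "old" { old[$3] = 1 }
             END { for (d in old) if (!(d in keep)) print d }' | sort
}

# delete_plan <root> <repo> <days> <registry_url> -> one DELETE line per digest (printed, not sent)
delete_plan() {
    stale_digests "$1" "$2" "$3" | while read -r d; do
        echo "DELETE $4/v2/$2/manifests/sha256:$d"
    done
}

# Constructed sample tree: v1 and v2 are old, latest is fresh and shares v2's digest.
make_sample_registry() {
    local tags="$1/fireball/saturn/_manifests/tags" t
    for t in v1 v2 latest; do mkdir -p "$tags/$t/current"; done
    printf 'sha256:%064d' 1 > "$tags/v1/current/link"
    printf 'sha256:%064d' 2 > "$tags/v2/current/link"
    printf 'sha256:%064d' 2 > "$tags/latest/current/link"
    touch -t 201601010000 "$tags/v1/current/link" "$tags/v2/current/link"
}

if [ "${1:-}" = "--demo" ]; then   # "--demo" prints the plan for the sample tree
    root=$(mktemp -d) && make_sample_registry "$root"
    delete_plan "$root" fireball/saturn 100 https://huoqiu.oo.com && rm -rf "$root"
fi
```

On the sample tree the plan lists only v1's digest: v2 is old, but its digest is still referenced by latest, so deleting it would have removed latest as well.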

 

For convenience, here is a cleanup script:

# cat registry-clean.sh

#!/bin/bash
# Delete fireball/saturn tags not pushed for more than 10 days, then garbage-collect.

dir="/data/registry/data/docker/registry/v2/repositories/fireball/saturn/_manifests/tags"

cd "$dir" || exit 1

# digests of tags whose current/link is older than 10 days
digests=$(find . -name link -mtime +10 | grep current | xargs grep "sha256" | awk -F ":" '{print $3}')

for i in $digests
do
    curl -k -I -X DELETE "https://huou:histry@localhost:5000/v2/fireball/saturn/manifests/sha256:$i"
done

# only the manifests are gone so far; garbage-collect frees the blobs
# (the registry docs require it to run with the registry stopped or in read-only mode)
if [ $? -eq 0 ];then
    docker exec -it registry /bin/registry garbage-collect /etc/docker/registry/config.yml
fi

 

This keeps only the images from the last 10 days.

 

The script above can only clean one specific image, which is not very flexible; below is an interactive one:

# cat interaction-clean

 

#!/bin/bash
# Docker private registry: delete image tags older than N days (default 5),
# then run garbage-collect to free the blobs.

# repositories dir
dir="/data/registry/data/docker/registry/v2/repositories/"

a="/_manifests/tags"

usage() {
    echo "two-layer repository, e.g. https://<url>/fireball/saturn:"
    echo "    $0 -g <group> -p <project> [-t <days, default 5>]"
    echo "three-layer repository, e.g. https://<url>/fireball/test/saturn:"
    echo "    $0 -g <group> -p <project> -l <subproject> [-t <days, default 5>]"
    exit 1
}

# collect the path components; -h takes no argument
while getopts ":g:p:l:t:h" opt
do
    case $opt in
        g) group=$OPTARG ;;
        p) project=$OPTARG ;;
        l) sub=$OPTARG ;;
        t) b=$OPTARG ;;
        h|*) usage ;;
    esac
done

# build the repository name once and use it for both the path and the API URL
[ -z "$group" ] || [ -z "$project" ] && usage
repo="$group/$project"
[ -n "$sub" ] && repo="$repo/$sub"
dir_tag="$dir$repo$a"

#---------------------------------------------------------------------------------------------------------#
cd "$dir_tag" || { echo "no such repository: $repo"; exit 1; }

# age in days to look for; the default is 5
tm=${b:-5}

# find all digests that meet the requirements
digests=$(find . -name link -mtime +"$tm" | grep current | xargs grep "sha256" | awk -F ":" '{print $3}')

# delete the manifests through the API
for i in $digests
do
    echo "$i"
    curl -k -I -X DELETE "https://huou:histry@localhost:5000/v2/$repo/manifests/sha256:$i"
done

# delete the real data with garbage-collect
if [ $? -eq 0 ];then
    docker exec -it registry /bin/registry garbage-collect /etc/docker/registry/config.yml
fi

 

Usage:

interaction-clean -h
