作者:刘宾, [email protected]
转载请注明出处,谢谢!
1. Registry单独配置
参考:
https://docs.docker.com/registry/
http://blog.csdn.net/ztsinghua/article/details/51496658
1.1 无TLS, 无用户认证本地启动
只能用于localhost访问,非localhost主机无法访问该registry.
启动:
docker run -d -p 5000:5000 --restart=always --name registry registry:2
验证:
docker push localhost:5000/my-ubuntu
1.2 加载本地卷
启动:
docker run -d -p 5000:5000 --restart=always --name registry -v /docker/registry/data:/var/lib/registry registry:2
1.3 TLS方式, 无用户认证启动
制作根证书和私钥,制作服务证书和私钥,用根证书签字服务证书。最后,设置客户端OS信任根证书。
-
服务器制作根证书和私钥
- 根私钥:
openssl genrsa -out devdockerCA.key 2048
- 根证书:
CN设置为MYDOMAIN
openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
-
服务器制作服务证书和私钥
- 服务私钥
openssl genrsa -out domain.key 2048
2. 服务证书签名请求
CN设置为MYDOMAIN
> openssl req -new -key domain.key -out iot-registry.csr
3. 根证书签字服务证书
如果MYDOMAIN为IP需要 -extfile
> echo subjectAltName = IP:192.168.32.28 > extfile.cnf
> openssl x509 -req -in iot-registry.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000 -extfile extfile.cnf 客户端设置OS信任服务器根证书
在Docker客户端机器上,设置
sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
sudo update-ca-certificates
/etc/ca-certificates.conf
- 客户端重启docker
sudo service docker restart
-
服务器启动registry
- mkdir certs
- 将step 2 中制作的domain.key和domain.crt拷贝到certs目录,供registry使用
- 启动registry
docker run -d --restart=always --name registry -v
pwd/certs:/certs -p 443:443 \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2验证:
docker push MYDOMAIN/my-ubuntu
1.4 TLS方式, 带用户认证启动
步骤同1.3, 修改Registry启动参数,如下:
- 创建用户文件, htpasswd
htpasswd -Bbc certs/htpasswd username1 password1
htpasswd -Bb certs/htpasswd username2 password2
- 启动registry
docker run -d --restart=always --name registry -v
pwd/certs:/certs -p 443:443 \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/certs/htpasswd \
registry:2
验证:
curl -k https://username:password@MYDOMAIN
docker login https://MYDOMAIN
user: xxx
password: xxx
Success.
docker push MYDOMAIN/my-ubuntu
docker-compose.yml
registry:
restart: always
image: registry:2
ports:
- 192.168.32.28:443:443
environment:
- REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
- REGISTRY_HTTP_TLS_KEY=/certs/domain.key
- REGISTRY_HTTP_ADDR=0.0.0.0:443
- REGISTRY_AUTH=htpasswd
- REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
- REGISTRY_AUTH_HTPASSWD_PATH=/certs/htpasswd
- REGISTRY_STORAGE_DELETE_ENABLED=true
volumes:
- /srv/docker/registry/registry:/var/lib/registry
- /home/liub/project/registry/certs:/certs
2. Nginx + Registry模式启动
参考: http://blog.csdn.net/zstack_org/article/details/53301211?locationNum=12&fps=1
2.1 无用户认证,无TLS启动
- docker-compose.yml文件, ./docker-compose.yml
nginx:
image: "nginx:1.9"
ports:
- 5043:443
links:
- registry:registry
volumes:
- ./nginx/:/etc/nginx/conf.d
registry:
image: registry:2
ports:
- 127.0.0.1:5000:5000
volumes:
- ./data:/var/lib/registry
- registry.conf文件, ./nginx/registry.conf
upstream docker-registry {
server registry:5000;
}
server {
listen 443;
server_name myregistrydomain.com;
# SSL
# ssl on;
# ssl_certificate /etc/nginx/conf.d/domain.crt;
# ssl_certificate_key /etc/nginx/conf.d/domain.key;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting plus add_header
# auth_basic "registry.localhost";
# auth_basic_user_file /etc/nginx/conf.d/registry.password;
# add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
- 启动registry
docker-compose up
验证:
curl http://localhost:5043/v2/
{}
2.2 用户登陆认证支持
- 用户创建
sudo apt-get -y install apache2-utils
htpasswd -c registry.password USERNAME1
htpasswd registry.password USERNAME2
- 修改registry.conf
打开auth_basic, auth_basic_user_file和add_header参数,如下:
upstream docker-registry {
server registry:5000;
}
server {
listen 443;
server_name myregistrydomain.com;
# SSL
# ssl on;
# ssl_certificate /etc/nginx/conf.d/domain.crt;
# ssl_certificate_key /etc/nginx/conf.d/domain.key;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting plus add_header
auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
- 启动registry
docker-compose up
验证:
curl http://localhost:5043/v2/
401 Authorization Required
401 Authorization Required
nginx/1.9.7
curl http://user:password@localhost:5043/v2/
{}
2.3 TLS方式启动
通过配置nginx使用TLS,nginx使用1.3章节中创建的证书和私钥。
- 修改registry.conf
打开ssl, ssl_certificate和ssl_certificate_key参数,如下:
upstream docker-registry {
server registry:5000;
}
server {
listen 443;
server_name myregistrydomain.com;
# SSL
ssl on;
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting plus add_header
auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
- 修改docker-compose.yml文件
开启443 HTTPS接口
nginx:
image: "nginx:1.9"
ports:
- 443:443
links:
- registry:registry
volumes:
- ./nginx/:/etc/nginx/conf.d
registry:
image: registry:2
ports:
- 127.0.0.1:5000:5000
environment:
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
volumes:
- ./data:/data
- 启动registry
443端口需要root权限。
sudo docker-compose up
验证:
curl https://USERNAME:PASSWORD@MYDOMAIN/v2/
curl: (60) SSL certificate problem: self signed certificate
curl -k https://USERNAME:PASSWORD@MYDOMAIN/v2/
{}
docker login https://MYDOMAIN
user: xxx
password: xxx
success!
docker push MYDOMAIN/hello
3. registry使用
首先需要docker login.
3.1 查询registry image列表
curl -k https://username:password@MYDOMAIN/v2/_catalog
3.2 查询image标签列表
curl -k https://username:password@MYDOMAIN/v2/image_name/tags/list
3.3 拉取image
docker pull image:tag
3.4 上传image
docker push image:tag
3.5 删除image
修改config.yml, delete enable = true.参见之前。
curl -k -X DELETE https://username:password@MYDOMAIN/v2/image_name/manifests/image 摘要
登陆到registry
registry garbage-collect /etc/docker/registry/config.yml
4. python开发包
4.1 docker操作
https://github.com/docker/docker-py
https://docker-py.readthedocs.io/en/stable/
4.2 registry操作
REST接口