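The official Docker repository provided by Docker has unstable connectivity from within China, so you can set up your own private registry.
The private registry can use the registry 2 image provided by Docker directly; a Docker runtime environment must be set up first.
The server hosting the images and the test server both run CentOS 7.3 with Docker 17.09.0-ce.
The local machine uses Docker 18.03.0-ce-mac60.
1. Download the registry image on the server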
docker pull registry
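2. Configure the certificate on the server
Change into the /etc/docker directory and generate the certificate
mkdir -p certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Enter the basic information when prompted. Note: the Common Name must be set to the domain name; this example uses docker.registry.server
Create the directory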
mkdir -p /etc/docker/certs.d/docker.registry.server:5000
Copy the certificate into that directory
cp certs/domain.crt /etc/docker/certs.d/docker.registry.server:5000/ca.crt
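The certificate from step 2 carries the host name only in the Common Name; Docker versions built with Go 1.15 or later ignore that field and match the subjectAltName instead. The following added example (not part of the original post) generates the same kind of self-signed certificate non-interactively with a subjectAltName and checks that the name is present. The function names, the temporary config file and the optional key-size argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# gen_registry_cert HOST [OUTDIR] [BITS]
#   writes OUTDIR/domain.key and OUTDIR/domain.crt (defaults: certs, 4096).
gen_registry_cert() {
    host=$1
    outdir=${2:-certs}
    bits=${3:-4096}
    [ -n "$host" ] || { echo "usage: gen_registry_cert HOST [OUTDIR] [BITS]" >&2; return 2; }
    mkdir -p "$outdir" || return 1
    cfg=$(mktemp) || return 1
    # A config file is used instead of -addext so this also runs on OpenSSL 1.0.x.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
    # umask 077 in a subshell keeps the private key readable by its owner only.
    if ( umask 077 && openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
            -config "$cfg" -keyout "$outdir/domain.key" -out "$outdir/domain.crt" ) 2>/dev/null
    then
        chmod 644 "$outdir/domain.crt"   # the certificate itself is public
        rc=0
    else
        rc=1
    fi
    rm -f "$cfg"
    return $rc
}

# cert_has_san CRT HOST
#   succeeds only if HOST is listed as a DNS entry in the subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}
```

Run `gen_registry_cert docker.registry.server` from /etc/docker in place of the interactive openssl command, then `cert_has_san certs/domain.crt docker.registry.server` before copying the certificate to clients.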
3. Configure the hosts file on the server
Edit the hosts file: vim /etc/hosts
10.26.98.81 docker.registry.server
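4. Configure the password on the server
mkdir auth && docker run --entrypoint htpasswd registry -Bbn [username] [password] > auth/htpasswd
5. Start the registry on the server with the certificate and password
Change into the /etc/docker directory
Create the storage directory: mkdir registryDir
Start the container (`pwd` expands to the current path)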
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/registryDir:/var/lib/registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry
6. Check the container
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                    NAMES
8ba12615dde8   registry   "/entrypoint.sh /e..."   8 seconds ago   Up 8 seconds   0.0.0.0:5000->5000/tcp   registry
7. Test pushing an image from the server itself
docker tag tutum/ntpd localhost:5000/tutum/ntpd
docker push localhost:5000/tutum/ntpd
8. Log in to the registry from a client
8.1 Configure the hosts file
59.110.14.120 docker.registry.server
8.2 Configure the public certificate: copy the server's crt file to the following path on the client
/etc/docker/certs.d/docker.registry.server:5000/ca.crt
8.3 Log in
docker login docker.registry.server:5000
Enter the username and password; the prompt shows Login Succeeded
8.4 Push
docker tag hello-world docker.registry.server:5000/hello-world
docker push docker.registry.server:5000/hello-world
9. View the repositories in the private registry
https://59.110.14.120:5000/v2/_catalog
Log in with the username and password; the result is as follows
{
"repositories": [
"hello-world"
]
}
Common login errors
1. The registry was run without a certificate
The push refers to a repository [59.110.14.120:5000/hello-world]
Get https://59.110.14.120:5000/v2/: http: server gave HTTP response to HTTPS client
2. The certificate is not configured on the client
Error response from daemon: Get https://docker.registry.server:5000/v2/: x509: certificate signed by unknown authority
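Configure the certificate as described in section 8.2 above
Note: after installing Docker CE on a Mac there is no /etc/docker folder, so the certificate must be configured manually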
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain domain.crt
After configuring, restart Docker
http://container-solutions.com/adding-self-signed-registry-certs-docker-mac/
3. The Mac with the Docker client installed reports an error related to the proxy settings:
Error response from daemon: Get https://docker.registry.server:5000/v2/: proxyconnect tcp: dial tcp 192.168.65.1:58701: getsockopt: connection refused
References
https://blog.csdn.net/xiaojiang0829/article/details/50605534
http://hanqunfeng.iteye.com/blog/2331644
https://docs.docker.com/registry/deploying/
https://docs.docker.com/registry/spec/api/