如何搭建代理镜像仓库

背景:

不知道各位有没有我这种尴尬:kubernetes搭建过程中需要拉取到一些镜像,比如: dockerhub的镜像,这个还好。毕竟有加速器。but k8s.gcr.io,quay.io.这些怎么搞?正巧搭建kubeadm 1.25,helm安装cilium的时候悲摧了。下载不动怎么搞?docker时代的时候我还可以直接导入,但是containerd时代了 导入了还是要麻烦一些阿?搜索引擎搜了一下,找到下面三个文章,借鉴一下!
参照:搭建Docker镜像仓库代理
搭建容器仓库的镜像服务器(gcr, ghcr, quay, k8s-gcr)
真◉彻底解决 gcr、quay、DockerHub 镜像下载难题!

搭建镜像代理仓库

其中米开朗基杨大佬写的真◉彻底解决 gcr、quay、DockerHub 镜像下载难题!搭建一个k3s集群搞比较全国,但是我国外服务器就一台,还是轻量级的服务器....开始就是下载镜像然后上传到国内harbor仓库的......这里就用搭建Docker镜像仓库代理的方式去操作了!

前提条件

服务器在国外
四个域名 以及ssl证书

安装Docker

注意:我这台服务器为轻量服务器,ubuntu操作系统(docker我之前其实早安装了......)

apt-get update
apt-get upgrade
apt-get install docker*

如果是centos 请参照:

yum update
 
yum install -y yum-utils device-mapper-persistent-data lvm2
 
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce

配置Docker

  1. 设置 Docker 的日志格式为 json,日志文件大小为 100M,最多保存 3 个日志;
  2. 设置 Docker 镜像私有仓库和官方镜像加速地址;
  3. 设置 Docker 的数据目录到 /data/docker;
  4. 设置 Docker 的 Storage Driver 为 overlay2。

    [root@dqzboy ~]# mkdir /etc/docker
    [root@dqzboy ~]# cat << EOF > /etc/docker/daemon.json
    {
      "log-driver": "json-file",
     "log-opts": {
       "max-size": "100m",
       "max-file": "3"
     },
      "insecure-registry": [
     "hub.dqzboy.com"
      ],
      "registry-mirror": "https://a7ye1cuu.mirror.aliyuncs.com",
      "data-root": "/data/docker",
      "exec-opts": ["native.cgroupdriver=systemd"],
      "storage-driver": "overlay2",
      "storage-opts": [
     "overlay2.override_kernel_check=true"
      ]
    }
    EOF

    启动 Docker

    systemctl enable docker && systemctl start docker

    安装 Docker Compose

    看版本吧,我没有安装什么最新的 ,毕竟能跑起来就可以对我来说

    curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
    ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
    docker-compose --version

    image.png
    启动镜像仓库代理

    git clone 相关registry-proxy仓库配置文件

     git clone https://github.com/findsec-cn/registry-proxy.git
     cd registry-proxy

    自定义修改配置文件

  5. 将域名的证书放置到 cert 目录下,并把证书文件名称命名为该目录下的server名称;
  6. 其中 server.crt 为 ssl 证书文件, server.key 为 ssl 私钥。
  7. 注意:证书一定要是对应域名的,不然进行下载镜像会提示x509
  8. 修改 nginx.conf 配置文件,将配置文件中的域名替换成自己的域名(xxx.com)

    docker-compose.yaml修改

    我这里先修改以下docker-compose.yaml,原github项目只代理了gcr.io,k8s.gcr.io,恩我这里主要是使用代理quay.io仓库,如果代理其他仓库可类似方法!

    version: '2'
    services:
      local:
     container_name: reg-local
     image: findsec/registry-proxy:latest
     restart: always
     environment:
       - DELETE_ENABLED=true
     volumes:
       - ~/data/registry:/var/lib/registry
     ports:
       - 5000:5000
     networks:
       - registry-net
      quay:
     container_name: reg-quay
     image: findsec/registry-proxy:latest
     restart: always
     environment:
       - PROXY_REMOTE_URL=https://quay.io
     volumes:
       - ~/data/registry:/var/lib/registry
     networks:
       - registry-net
      gcr:
     container_name: reg-gcr
     image: findsec/registry-proxy:latest
     restart: always
     environment:
       - PROXY_REMOTE_URL=https://gcr.io
     volumes:
       - ~/data/registry:/var/lib/registry
     networks:
       - registry-net
      k8s-gcr:
     container_name: reg-k8s-gcr
     image: findsec/registry-proxy:latest
     restart: always
     environment:
       - PROXY_REMOTE_URL=https://k8s.gcr.io
     volumes:
       - ~/data/registry:/var/lib/registry
     networks:
       - registry-net
      ui:
     container_name: reg-ui
     image: findsec/registry-ui:latest
     restart: always
     links:
       - local:reg-local
     environment:
       - REGISTRY_TITLE=My Private Docker Registry
       - REGISTRY_URL=http://reg-local:5000
       - DELETE_IMAGES=true
     networks:
       - registry-net
      nginx:
     container_name: reg-nginx
     image: nginx:alpine
     restart: always
     ports:
       - 80:80
       - 443:443
     links:
       - ui:reg-ui
       - gcr:reg-gcr
       - quay:reg-quay
       - k8s-gcr:reg-k8s-gcr
        
     volumes:
       - ./nginx.conf:/etc/nginx/conf.d/default.conf
       - ./cert:/etc/nginx/ssl
     networks:
       - registry-net
    
    networks:
      registry-net:

    依着葫芦画瓢。根据仓库中yaml文件中gcr配置 生成一个quay的配置:
    如何搭建代理镜像仓库_第1张图片
    nginx相关配置中link也添加上quay配置:
    如何搭建代理镜像仓库_第2张图片

    修改nginx.conf中域名:
     sed -i 's/xxx.com/zhangpeng.com/g' nginx.conf

    image.png
    添加quay域名相关配置:
    如何搭建代理镜像仓库_第3张图片
    最终配置文件如下:

    server {
     listen       80;
     listen       443 ssl;
    
     server_name  hub.zhangpeng.com;
    
     proxy_connect_timeout 600;
     proxy_send_timeout    600;
     proxy_read_timeout    600;
     send_timeout          600;
    
     ssl_certificate /etc/nginx/ssl/server.crt;
     ssl_certificate_key /etc/nginx/ssl/server.key;
    
     location / {
         proxy_pass   http://reg-ui:80;
    
         proxy_buffering off;
         proxy_request_buffering off;
     }
    }
    server {
     listen       80;
     listen       443 ssl;
    
     server_name  gcr.zhangpeng.com;
    
     proxy_connect_timeout 600;
     proxy_send_timeout    600;
     proxy_read_timeout    600;
     send_timeout          600;
    
     ssl_certificate /etc/nginx/ssl/server.crt;
     ssl_certificate_key /etc/nginx/ssl/server.key;
    
     location / {
         proxy_pass   http://reg-gcr:5000;
    
         proxy_buffering off;
         proxy_request_buffering off;
     }
    }
    server {
     listen       80;
     listen       443 ssl;
    
     server_name  k8s-gcr.zhangpeng.com;
    
     proxy_connect_timeout 600;
     proxy_send_timeout    600;
     proxy_read_timeout    600;
     send_timeout          600;
    
     ssl_certificate /etc/nginx/ssl/server.crt;
     ssl_certificate_key /etc/nginx/ssl/server.key;
    
     location / {
         proxy_pass   http://reg-k8s-gcr:5000;
    
         proxy_buffering off;
         proxy_request_buffering off;
     }
    }
    server {
     listen       80;
     listen       443 ssl;
    
     server_name  quay.zhangpeng.com;
    
     proxy_connect_timeout 600;
     proxy_send_timeout    600;
     proxy_read_timeout    600;
     send_timeout          600;
    
     ssl_certificate /etc/nginx/ssl/server.crt;
     ssl_certificate_key /etc/nginx/ssl/server.key;
    
     location / {
         proxy_pass   http://reg-quay:5000;
    
         proxy_buffering off;
         proxy_request_buffering off;
     }
    }
    ssl证书

    一定记得要上传ssl证书到cert目录下:
    image.png
    当然了你也可以修改docker-compose.yaml.修改nginx中volumes中挂载路径
    如何搭建代理镜像仓库_第4张图片
    也可以修改nginx.conf文件中ssl_certificate ssl_certificate_key 文件名:
    如何搭建代理镜像仓库_第5张图片

    启动镜像仓库代理

    docker-compose up -d
    docker-compose logs -f

    可能会出现证书配置不对的报错,哈哈哈自己解决以下.....

    解析域名

    我的域名用的dnspod
    如何搭建代理镜像仓库_第6张图片

    使用镜像仓库代理

    本地工作环境为rocky 8.5安装了podman 使用podman进行测试:

    ###要下载镜像
    [root@zhangpeng ~]# podman pull k8s.gcr.io/pause:3.6
    ###通过镜像仓库代理方式下载:
    [root@zhangpeng ~]# podman pull k8s-gcr.zhangpeng.com/pause:3.6
    

    image.png
    访问hub.zhangpeng.com。可以看到我们下载的镜像被缓存了
    如何搭建代理镜像仓库_第7张图片

    接下来可以进阶的:

    image的清理

    不能一直缓存吧,空间写满了怎么办,最苯的方法写一个crontab:

    • /2 /usr/bin/rm -rf /var/lib/registry/ &>/dev/null

      ## 防白嫖认证
      服务器镜像代理被白嫖怎么办?最简单的搞一个htpasswd搞一下:

      apt-get install apache2-utils

    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663215731715-0400026f-de42-4e02-bb84-ee07e2582eb8.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=613&id=u6ea56dcf&margin=%5Bobject%20Object%5D&name=image.png&originHeight=552&originWidth=1558&originalType=binary&ratio=1&rotation=0&showTitle=false&size=165037&status=done&style=none&taskId=u12cbfe81-8e65-42f1-a55c-7ef08d1fc0f&title=&width=1731.1111569698958)

    htpasswd -c passwd zhangpeng

    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663216091653-bca81c8d-5e5a-40cc-bbce-ffcc40ab5288.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=362&id=u19bf4674&margin=%5Bobject%20Object%5D&name=image.png&originHeight=326&originWidth=1030&originalType=binary&ratio=1&rotation=0&showTitle=false&size=75803&status=done&style=none&taskId=u5b34d78f-ceaa-4093-9f8a-ba43c839947&title=&width=1144.4444747618695)
    然后修改nginx.conf文件,我这里为了演示只修改了k8s-gcr这一个的相关配置,其他的都如此就可以:

    server {
    listen 80;
    listen 443 ssl;

    server_name k8s-gcr.zhangpeng.com;

    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    auth_basic "请输入用户和密码"; # 验证时的提示信息
    auth_basic_user_file /etc/nginx/passwd; # 认证文件
    location / {

     proxy_pass   http://reg-k8s-gcr:5000;
    
     proxy_buffering off;
     proxy_request_buffering off;

    }
    }

    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663223421666-9b74a6d3-6550-4c75-b61f-9559c071f32b.png#clientId=u0c01e561-4da7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=452&id=ub4a6ba27&margin=%5Bobject%20Object%5D&name=image.png&originHeight=407&originWidth=784&originalType=binary&ratio=1&rotation=0&showTitle=false&size=62319&status=done&style=none&taskId=u35803e53-44c0-4f33-807c-abc0f4aa46b&title=&width=871.1111341876755)
    重启docker-compose服务:
    注:当前registry目录下

    docker-compose down
    docker-compose up -d

    本地测试:
    还拿pause镜像为例,恩显示认证失败了

    podman pull k8s-gcr.zhangpeng.com/pause:3.5

    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663216471176-42b0a7cb-ab51-4d3e-9684-8454658ba38c.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=87&id=u5cf5f600&margin=%5Bobject%20Object%5D&name=image.png&originHeight=78&originWidth=1515&originalType=binary&ratio=1&rotation=0&showTitle=false&size=23494&status=done&style=none&taskId=ud8147e18-4bee-4668-b5dc-647e6d21077&title=&width=1683.3333779264392)

    podman login k8s-gcr.zhangpeng.com
    podman pull k8s-gcr.zhangpeng.com/pause:3.5

    如下图,pull成功:
    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663216534534-88291b53-a02d-478b-ac06-5836315f2e17.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=327&id=ude8b7067&margin=%5Bobject%20Object%5D&name=image.png&originHeight=294&originWidth=1639&originalType=binary&ratio=1&rotation=0&showTitle=false&size=70759&status=done&style=none&taskId=u3cb41aab-9547-497c-8ed7-6b3934e724e&title=&width=1821.1111593540816)
    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663223726340-5a5d7c8c-4e8a-4765-9ada-f3402cb8966c.png#clientId=u0c01e561-4da7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=794&id=u898d4747&margin=%5Bobject%20Object%5D&name=image.png&originHeight=715&originWidth=1620&originalType=binary&ratio=1&rotation=0&showTitle=false&size=88829&status=done&style=none&taskId=u87b13877-eb9d-4338-8e5a-ba0d4e9b8a1&title=&width=1800.0000476837172)
    ## 其他的?
    容器运行时配置的配置,参照米开朗基杨大佬:
    [https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10](https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10)
    ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663224003069-1475caa7-1633-4422-b21d-b7e0aeca9dbf.png#clientId=u0c01e561-4da7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=513&id=u1c52a7ec&margin=%5Bobject%20Object%5D&name=image.png&originHeight=462&originWidth=1011&originalType=binary&ratio=1&rotation=0&showTitle=false&size=107943&status=done&style=none&taskId=ud60903dd-3662-432f-af03-30ff64dbf2d&title=&width=1123.333363091505)

你可能感兴趣的:(如何搭建代理镜像仓库)