博主简介:
云计算领域优质创作者
2022年CSDN新星计划python赛道第一名2022年CSDN原力计划优质作者
阿里云ACE认证高级工程师
阿里云开发者社区专家博主交流社区:CSDN云计算交流社区欢迎您的加入!
目录
1. 示例配置
2. 选项
1.版本信息
2.log选项
3.hooks选项
4.存储选项
5.认证选项
6.HTTP选项
7.通知选项
8.redis选项
9.健康监控选项
10.代理选项
11.验证选项
结束语
Docker Registry提供了一些样例配置,用户可以直接使用它们来进行开发或生产部署。
|
博主将以下面的示例配置来介绍如何使用配置文件来管理私有仓库。
|
代码如下: |
version: 0.1
log:
level: debug
fields:
service: registry
environment: development
hooks:
- type: mail
disabled: true
levels:
- panic
options:
smtp:
addr: mail.example.com:25
username: mailuser
password: password
insecure: true
from: [email protected]
to:
- [email protected]
storage:
delete:
enabled: true
cache:
blobdescriptor: redis
filesystem:
rootdirectory: /var/lib/registry
maintenance:
uploadpurging:
enabled: false
http:
addr: :5000
debug:
addr: localhost:5001
headers:
X-Content-Type-Options: [nosniff]
redis:
addr: localhost:6379
pool:
maxidle: 16
maxactive: 64
idletimeout: 300s
dialtimeout: 10ms
readtimeout: 10ms
writetimeout: 10ms
notifications:
endpoints:
- name: local-5003
url: http://localhost:5003/callback
headers:
Authorization: [Bearer ]
timeout: 1s
threshold: 10
backoff: 1s
disabled: true
- name: local-8083
url: http://localhost:8083/callback
timeout: 1s
threshold: 10
backoff: 1s
disabled: true
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
这些选项以yaml文件格式提供,用户可以直接进行修改,也可以添加自定义的模板段。
|
默认情况下,变量可以从环境变量中读取,例如log.level:debug可以配置为:
|
export LOG_LEVEL=debug
比较重要的选项包括版本信息、log选项、hooks选项、存储选项、认证选项、HTTP选项、通知选项、redis选项、健康监控选项、代理选项和验证选项等。下面分别介绍这些选项。
|
version:0.1
日志相关: |
log:
level: debug
formatter: text
fields:
service: registry
environment: staging
参数说明: ·level:字符串类型,标注输出调试信息的级别,包括debug、info、warn、error。
·fomatter:字符串类型,日志输出的格式,包括text、json、logstash等。
·fields:增加到日志输出消息中的键值对,可以用于过滤日志。
|
配置当仓库发生异常时,通过邮件发送日志时的参数: |
hooks:
- type: mail
levels:
- panic
options:
smtp:
addr: smtp.sendhost.com:25
username: sendername
password: password
insecure: true
from: [email protected]
to:
- [email protected]
storage选项将配置存储的引擎,默认支持包括本地文件系统、 Google云存储、AWS S3云存储和OpenStack Swift分布式存储等,如下所示:
|
storage:
filesystem:
rootdirectory: /var/lib/registry
azure:
accountname: accountname
accountkey: base64encodedaccountkey
container: containername
gcs:
bucket: bucketname
keyfile: /path/to/keyfile
rootdirectory: /gcs/object/name/prefix
s3:
accesskey: awsaccesskey
secretkey: awssecretkey
region: us-west-1
regionendpoint: http://myobjects.local
bucket: bucketname
encrypt: true
keyid: mykeyid
secure: true
v4auth: true
chunksize: 5242880
multipartcopychunksize: 33554432
multipartcopymaxconcurrency: 100
multipartcopythresholdsize: 33554432
rootdirectory: /s3/object/name/prefix
swift:
username: username
password: password
authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.
myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
tenant: tenantname
tenantid: tenantid
domain: domain name for Openstack Identity v3 API
domainid: domain id for Openstack Identity v3 API
insecureskipverify: true
region: fr
container: containername
rootdirectory: /swift/object/name/prefix
oss:
accesskeyid: accesskeyid
accesskeysecret: accesskeysecret
region: OSS region name
endpoint: optional endpoints
internal: optional internal endpoint
bucket: OSS bucket
encrypt: optional data encryption setting
secure: optional ssl setting
chunksize: optional size valye
rootdirectory: optional root directory
inmemory:
delete:
enabled: false
cache:
blobdescriptor: inmemory
maintenance:
uploadpurging:
enabled: true
age: 168h
interval: 24h
dryrun: false
redirect:
disable: false
比较重要的选项如下: ·maintenance:配置维护相关的功能,包括对孤立旧文件的清理、开启只读模式等;
·delete:是否允许删除镜像功能,默认关闭;
·cache:开启对镜像层元数据的缓存功能,默认开启;
|
对认证类型的配置,如下所示: |
auth:
silly:
realm: silly-realm
service: silly-service
token:
realm: token-realm
service: token-service
issuer: registry-token-issuer
rootcertbundle: /root/certs/bundle
htpasswd:
realm: basic-realm
path: /path/to/htpasswd
比较重要的选项如下: ·silly:仅供测试使用,只要请求头带有认证域即可,不做内容检查 ·token:基于token的用户认证,适用于生产环境,需要额外的token服务来支持;
·htpasswd:基于Apache htpasswd密码文件的权限检查。
|
跟HTTP服务相关的配置,如下所示: |
http:
addr: localhost:5000
net: tcp
prefix: /my/nested/registry/
host: https://myregistryaddress.org:5000
secret: asecretforlocaldevelopment
relativeurls: false
tls:
certificate: /path/to/x509/public
key: /path/to/x509/private
clientcas:
- /path/to/ca.pem
- /path/to/another/ca.pem
letsencrypt:
cachefile: /path/to/cache-file
email: [email protected]
debug:
addr: localhost:5001
headers:
X-Content-Type-Options: [nosniff]
http2:
disabled: false
其中的参数如下: ·addr:必选,服务监听地址;
·secret:必选,跟安全相关的随机字符串,用户可以自己定义;
·tls:证书相关的文件路径信息;
·http2:是否开启http2支持,默认关闭。
|
有事件发生时候的通知系统。 |
notifications:
endpoints:
- name: alistener
disabled: false
url: https://my.listener.com/event
headers:
timeout: 500
threshold: 5
backoff: 1000
Registry可以用Redis来缓存文件块,这里可以配置相关选项: |
redis:
addr: localhost:6379
password: asecret
db: 0
dialtimeout: 10ms
readtimeout: 10ms
writetimeout: 10ms
pool:
maxidle: 16
maxactive: 64
idletimeout: 300s
跟健康监控相关,主要是对配置服务进行检测判断系统状态,如下所示 |
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
file:
- file: /path/to/checked/file
interval: 10s
http:
- uri: http://server.to.check/must/return/200
headers:
Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
statuscode: 200
timeout: 3s
interval: 10s
threshold: 3
tcp:
- addr: redis-server.domain.com:6379
timeout: 3s
interval: 10s
threshold: 3
默认并未启用。 |
配置Registry作为一个pull代理,从远端(目前仅支持官方仓库)下拉Docker镜像,如下所示:
|
proxy:
remoteurl: https://registry-1.docker.io
username: [username]
password: [password]
之后,用户可以通过如下命令来配置Docker使用代理: |
$ docker --registry-mirror=https://myrepo.com:5000 daemon
限定来自指定地址的客户端才可以执行push操作: |
validation:
enabled: true
manifests:
urls:
allow:
- ^https?://([^/]+\.)*example\.com/
deny:
- ^https?://www\.example\.com/