Docker Registry

Docker 私有库

为什么需要:

  • 严格控制图像的存储位置
  • 完全拥有您的图像分发管道
  • 将图像存储和分发紧密集成到您的内部开发工作流程中

基本命令

# 1. 启动
docker run -d -p 5000:5000 --restart=always --name registry registry:2
# 关闭并删除容器
# docker stop registry
# docker rm registry

# 2. 查看registry当前仓库的镜像
curl http://10.10.1.45:5000/v2/_catalog

# 3. 添加tag
docker tag nginx:1.19.4 localhost:5000/my-nginx

# 4. 推送到本地仓库
docker push localhost:5000/my-nginx

# 5. 删除本地缓存
docker image remove nginx:1.19.4
docker image remove localhost:5000/my-nginx

# 6. 本地仓库拉取
docker pull localhost:5000/my-nginx

运行一个外部可访问的仓库

这些示例假设如下:

  • 您的注册表 URL 是https://registry.vechainteam.com/.
  • 您的 DNS、路由和防火墙设置允许在端口 443 上访问注册表的主机。
  • 您已经从证书颁发机构 (CA) 获得了证书。

服务端启动

安装OpenSSL 1.1.1+, upgrade guide

# /usr/local/lib
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
tar -zxvf openssl-1.1.1k.tar.gz
cd openssl-1.1.1k
./config
make
make clean
make test
make install
# 备注:如果出现问题:error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
# 安装库:sudo yum install openssl11-libs
# OpenSSL 1.1.1k  25 Mar 2021 (Library: OpenSSL 1.1.1g FIPS  21 Apr 2020)
openssl version

生成自签名的ca证书,在minikube目录下, guide

mkdir -p certs

# 生成证书 - DNS:IP
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -subj '/C=CN/ST=BeiJing/L=ChaoYang/O=V/OU=Blockchain/CN=DockerRegistry' \
  -addext "subjectAltName=DNS:10.10.1.66" \
  -x509 -days 365 -out certs/domain.crt

# 生成证书 - DNS:域名
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -subj '/C=CN/ST=BeiJing/L=ChaoYang/O=V/OU=Blockchain/CN=DockerRegistry' \
  -addext "subjectAltName=DNS:myregistry.vechain.com" \
  -x509 -days 365 -out certs/domain.crt



# 查看证书
openssl x509 -in certs/domain.crt -text -noout

启动仓库

docker stop registry
docker rm registry
docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 5000:5000 \
  registry:2

指示每个 Docker 守护进程信任该证书

# 在操作系统级别信任证书,注意,证书名字必须是myregistryvechain.com.crt
\cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistryvechain.com.crt
update-ca-trust
systemctl restart docker

客户端推送及拉取

# 1. 推送镜像到仓库
# 本地推送 - 域名
docker tag localhost:5000/my-nginx myregistry.vechain.com:5000/my-nginx
docker push myregistry.vechain.com:5000/my-nginx
# 其他主机推送 - 域名(注意:需要配置系统级信任证书)
docker tag bdms-scheduler:1.0.0 myregistry.vechain.com:5000/bdms-scheduler
docker push myregistry.vechain.com:5000/bdms-scheduler

# 2. 查看registry当前仓库的镜像
curl https://myregistry.vechain.com:5000/v2/_catalog
curl https://myregistry.vechain.com:5000/v2/my-nginx/tags/list

# 3. 从仓库拉取镜像
docker pull myregistry.vechain.com:5000/my-nginx
docker pull myregistry.vechain.com:5000/bdms-scheduler

其他

证书格式转换

# crt 转 pem
openssl x509 -outform PEM -in $CERT_ADDRESS/ca.crt -out /home/rabbit/.docker/ca.pem
openssl x509 -outform PEM -in $CERT_ADDRESS/server.crt -out /home/rabbit/.docker/cert.pem

# ecdsa pricate key 转 pem
openssl ec -in $CERT_ADDRESS/server.key -out /home/rabbit/.docker/key.pem

你可能感兴趣的:(Docker Registry)