
Private registry deployment

The official registry image is a bare image repository: it is driven entirely from the command line and ships with no web UI.

  • server: 172.16.1.28

  • client: 172.16.1.27

Deploying registry-server

Bash
# Pull the latest official image
docker pull registry:3
# Create local storage for the registry
mkdir -p /opt/registry/data && cd /opt/registry
# Start the container. As started here it has neither TLS nor authentication:
# anyone who can reach 172.16.1.28:5000 can push and pull
docker run -d \
--restart=always \
--name registry \
-p 5000:5000 \
-v /opt/registry/data:/var/lib/registry \
registry:3

# Test after startup
$ curl http://172.16.1.28:5000/v2/_catalog
{"repositories":[]}

Docker talks to registries over HTTPS by default and refuses this plain-HTTP registry, so each client has to list it under insecure-registries. Be clear about what that setting does: for that host the daemon ignores certificate errors and falls back to unencrypted HTTP, so credentials and image layers cross the network in the clear and anyone on the path can serve tampered images. Keep this to an isolated lab network; for anything else, put a certificate on the registry instead of marking it insecure.

Bash
# client: edit the daemon configuration. daemon.json is strict JSON, no comments and no
# trailing commas, or dockerd will refuse to start after the restart below
$ cat /etc/docker/daemon.json 
{
  "registry-mirrors": [
    "https://docker.1ms.run",
    "https://docker.xuanyuan.me",
    "https://docker.m.daocloud.io",
    "https://docker.1panel.live",
    "https://hub.rat.dev"
  ],
  "insecure-registries": ["172.16.1.28:5000"]
}
# "insecure-registries" is the entry that allows the private registry over plain HTTP

# Restart the client's docker service. daemon-reload only re-reads systemd unit files;
# it is the dockerd restart that picks up daemon.json
systemctl daemon-reload && systemctl restart docker
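dockerd will not start on a daemon.json that is not strict JSON, and the usual cause is a comment pasted inside the file, exactly like the one in the listing above. The script below is an added example, not code from the original page or from Docker, that rejects such a file before the restart and writes a clean one. It assumes jq or python3 is installed on the client (used only as a JSON parser); the temporary files, the registry address and the mirror are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: check /etc/docker/daemon.json before restarting dockerd.
# Assumes jq or python3 is available (used only to parse JSON). Paths below are constructed for the demo.

# json_parses FILE -> 0 if FILE is valid JSON, 1 if not, 2 if no parser is available
json_parses() {
  if command -v jq >/dev/null 2>&1; then
    jq . "$1" >/dev/null 2>&1
  elif command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" >/dev/null 2>&1
  else
    echo "neither jq nor python3 found: cannot parse $1" >&2
    return 2
  fi
}

# check_daemon_json FILE -> 0 only if FILE exists, contains no comment, and parses as JSON
check_daemon_json() {
  local file="$1"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  # JSON has no comment syntax. A '#' or '//' at the start of a line, or right after a closing
  # bracket/brace, is almost always a comment pasted from a tutorial. This is a heuristic: the
  # "//" inside URL string values is not matched because nothing closes before it.
  if grep -nE '^[[:space:]]*(#|//)|[]}][[:space:]]*(#|//)' "$file" >&2; then
    echo "$file: comments are not allowed in daemon.json" >&2
    return 1
  fi
  json_parses "$file" || { echo "$file: not valid JSON" >&2; return 1; }
  return 0
}

# write_daemon_json FILE REGISTRY [MIRROR...] -> writes a strict-JSON daemon.json that allows
# REGISTRY over plain HTTP and, optionally, lists pull-through mirrors
write_daemon_json() {
  local file="$1" registry="$2" mirrors="" m
  shift 2
  for m in "$@"; do
    mirrors="${mirrors:+$mirrors, }\"$m\""
  done
  {
    echo '{'
    [ -n "$mirrors" ] && echo "  \"registry-mirrors\": [$mirrors],"
    echo "  \"insecure-registries\": [\"$registry\"]"
    echo '}'
  } > "$file"
}

# Demo on constructed files. Real use: check_daemon_json /etc/docker/daemon.json && systemctl restart docker
demo_dir=$(mktemp -d)
write_daemon_json "$demo_dir/good.json" 172.16.1.28:5000 https://docker.1ms.run
# The page's file with its inline comment, as it would be pasted
printf '{\n  "insecure-registries": ["172.16.1.28:5000"]    #add private registry\n}\n' > "$demo_dir/bad.json"
for f in good bad; do
  if check_daemon_json "$demo_dir/$f.json"; then
    echo "$f.json: OK, safe to restart docker"
  else
    echo "$f.json: REJECTED, fix it before restarting docker"
  fi
done
```

Run the check against the real file and chain the restart behind it, so a broken edit never takes the daemon down on a host you may only reach through a container.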

Push

Bash
# Try pushing an image: the tag has to carry the registry's host:port prefix first
$ docker tag alpine:latest 172.16.1.28:5000/myalpine:v1
# Push it
$ docker push 172.16.1.28:5000/myalpine:v1
# List the registry's repositories
$ curl 172.16.1.28:5000/v2/_catalog
{"repositories":["myalpine"]}

Pull

Bash
# Remove the local copy first, then pull it back from the registry
docker rmi 172.16.1.28:5000/myalpine:v1
docker pull 172.16.1.28:5000/myalpine:v1
# Pulling by the digest printed at push time (172.16.1.28:5000/myalpine@sha256:...) instead of by tag
# makes the client verify the manifest against that digest, which is the only integrity check you get
# over a plain-HTTP registry

Configuring authentication (hardening)

Bash
# Create the directories
$ mkdir -p /opt/registry/{data,auth} && cd /opt/registry
# Use htpasswd to generate an HTTP basic-auth password file
$ yum install httpd-tools    # rpm-based distributions
$ apt install apache2-utils    # apt-based distributions
# Generate the password file. The registry's htpasswd backend accepts bcrypt only, so -B is mandatory here
$ htpasswd -Bbn admin admin123456 > /opt/registry/auth/passwd
# -B  hash the password with bcrypt (add -C 12 to raise the cost above the default of 5)
# -b  take the password from the command line; it lands in shell history, omit -b to be prompted instead
# -n  print the entry to stdout instead of updating a file
$ cat auth/passwd 
admin:$2y$05$ik.3rAt3ZFRzclXVADctAeZ.YO/LXuNBKJHXQHdzkPVfzdB853nVC
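```bash
#!/usr/bin/env bash
# Added example, not code from the original page or from the registry project: verify that the
# htpasswd file holds only bcrypt entries before mounting it. The registry accepts no other hash
# format, so an entry made with the htpasswd default (MD5/apr1, no -B) or with -s (SHA-1) makes
# every login for that user fail. The admin entry below is the one generated above; the "ci"
# entry with an apr1 hash and the temporary files are constructed for the demo.

# bcrypt_cost ENTRY -> prints the cost factor of a "user:$2y$NN$..." entry as a number
bcrypt_cost() {
  local hash="${1#*:}"
  echo $((10#${hash:4:2}))
}

# valid_htpasswd_entry ENTRY -> 0 if "user:<bcrypt hash>", 1 otherwise
valid_htpasswd_entry() {
  local entry="$1" user hash
  user="${entry%%:*}"
  hash="${entry#*:}"
  [ -n "$user" ] && [ "$user" != "$entry" ] || return 1   # needs a "user:" prefix
  # bcrypt: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 hash chars from the bcrypt alphabet
  local re='^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
  [[ "$hash" =~ $re ]]
}

# check_htpasswd_file FILE -> 0 if every non-blank, non-comment line is a bcrypt entry
# (lines starting with '#' are comments for the registry as well)
check_htpasswd_file() {
  local file="$1" line n=0 bad=0 cost
  [ -s "$file" ] || { echo "$file: empty or missing" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    if valid_htpasswd_entry "$line"; then
      cost=$(bcrypt_cost "$line")
      if [ "$cost" -lt 10 ]; then
        echo "$file:$n: ${line%%:*}: bcrypt cost $cost is low; regenerate with htpasswd -B -C 12" >&2
      fi
    else
      echo "$file:$n: ${line%%:*}: not a bcrypt entry; the registry will fail every login for this user" >&2
      bad=$((bad + 1))
    fi
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Demo on constructed files. Real use: check_htpasswd_file /opt/registry/auth/passwd
demo_dir=$(mktemp -d)
# the admin entry generated on this page (bcrypt, cost 5)
printf '%s\n' 'admin:$2y$05$ik.3rAt3ZFRzclXVADctAeZ.YO/LXuNBKJHXQHdzkPVfzdB853nVC' > "$demo_dir/passwd.ok"
# same file plus a constructed MD5/apr1 entry, the kind "htpasswd -bn" produces without -B
cp "$demo_dir/passwd.ok" "$demo_dir/passwd.mixed"
printf '%s\n' 'ci:$apr1$x7gqZk1d$C3hdMj1Ew8oQhTbnFm9Ye.' >> "$demo_dir/passwd.mixed"
for f in passwd.ok passwd.mixed; do
  if check_htpasswd_file "$demo_dir/$f"; then
    echo "$f: OK"
  else
    echo "$f: REJECTED"
  fi
done
```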

# Start it from a compose file. Stop the earlier "registry" container first: it still holds port 5000
$ docker rm -f registry
$ vim docker-compose.yml
services:
  registry-server:
    image: registry:3
    restart: always
    volumes:
      - /opt/registry/data:/var/lib/registry
      - /opt/registry/auth:/etc/registry/auth
    environment:
      - REGISTRY_STORAGE_DELETE_ENABLED=true    # allows DELETE of manifests/blobs through the API; htpasswd auth has no per-user rights, so every valid user can delete
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=basic-realm
      - REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd
    container_name: registry-server
    ports:
      - 5000:5000
$ docker compose up -d

# A browser now prompts for the account and password. This is HTTP basic auth over plain HTTP:
# the password is only base64-encoded on the wire, so it stops casual access, not anyone sniffing the network
http://172.16.1.28:5000/v2/_catalog
# docker client test
$ docker push 172.16.1.28:5000/myalpine:v1
The push refers to repository [172.16.1.28:5000/myalpine]
418dccb7d85a: Preparing 
no basic auth credentials    # the registry now demands authentication

# Log in; the credential is stored under the user's home directory in .docker/config.json
$ docker login 172.16.1.28:5000
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# Take a look: "auth" is just base64("admin:admin123456"), neither a hash nor encrypted,
# which is what the warning above is about. Treat this file like a password
$ cat /root/.docker/config.json 
{
    "auths": {
        "172.16.1.28:5000": {
            "auth": "YWRtaW46YWRtaW4xMjM0NTY="
        }
    }
}
# The push now succeeds. "Mounted from myalpine": the layer already exists in the other
# repository on this registry, so it is cross-mounted rather than uploaded again
$ docker push 172.16.1.28:5000/alpine:v1
The push refers to repository [172.16.1.28:5000/alpine]
418dccb7d85a: Mounted from myalpine 
v1: digest: sha256:7b9b6a044d921dfcaea2a843ff19d725948590352198f93cb878fd2c19d7ba3c size: 527
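The "auth" value that docker login wrote deserves a closer look: it is base64("admin:admin123456") and nothing more, and it is exactly the string the client puts in the Authorization: Basic header on every request (over plain HTTP here, so it is readable on the wire as well as on disk). The script below is an added example, not code from the original page or from Docker: it decodes that value, lists every inline credential in a config.json, and checks whether a credential helper has been configured instead. The config file, the second registry (registry.example.internal:5000, user deploy) and the temporary directory are constructed for the demo; base64 -d assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: inspect what "docker login" stored in config.json.
# Assumes GNU coreutils (base64 -d). The config below is constructed for the demo.

# decode_docker_auth B64 -> prints "user:password" (the "auth" field is base64, not encryption)
decode_docker_auth() {
  printf '%s' "$1" | base64 -d
}

# basic_auth_header B64 -> the header the client sends with each request once the registry has
# answered 401 with 'WWW-Authenticate: Basic realm="basic-realm"'
basic_auth_header() {
  printf 'Authorization: Basic %s' "$1"
}

# inline_auths FILE -> one "<registry> <user>" line per inline credential; the password is decoded
# but deliberately not printed. Walks the one-key-per-line layout docker writes, so it needs no jq;
# treat it as a heuristic for hand-edited files.
inline_auths() {
  local file="$1" line registry="" b64 q='"'
  while IFS= read -r line; do
    case "$line" in
      *'": {'*)            # "<registry>": {   (the outer "auths": { key matches too, harmlessly)
        registry="${line#*$q}"
        registry="${registry%%$q*}"
        ;;
      *'"auth":'*)         # "auth": "<base64>"
        b64="${line#*${q}auth${q}:}"
        b64="${b64#*$q}"
        b64="${b64%%$q*}"
        printf '%s %s\n' "$registry" "$(decode_docker_auth "$b64" | cut -d: -f1)"
        ;;
    esac
  done < "$file"
  return 0
}

# uses_credential_helper FILE -> 0 if config.json delegates storage to a helper (credsStore or
# credHelpers), which is the fix docker's warning points at; inline "auth" entries should then be gone
uses_credential_helper() {
  grep -qE '"(credsStore|credHelpers)"' "$1"
}

# Demo on a constructed config.json: the page's entry plus a second, made-up registry
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.json" <<'EOF'
{
    "auths": {
        "172.16.1.28:5000": {
            "auth": "YWRtaW46YWRtaW4xMjM0NTY="
        },
        "registry.example.internal:5000": {
            "auth": "ZGVwbG95OnMzY3JldA=="
        }
    }
}
EOF
echo "decoded: $(decode_docker_auth 'YWRtaW46YWRtaW4xMjM0NTY=')"
echo "on the wire: $(basic_auth_header 'YWRtaW46YWRtaW4xMjM0NTY=')"
echo "inline credentials in $demo_dir/config.json:"
inline_auths "$demo_dir/config.json"
if uses_credential_helper "$demo_dir/config.json"; then
  echo "credential helper configured"
else
  echo "no credential helper: every password above is recoverable from the file"
fi
```

docker logout 172.16.1.28:5000 removes the entry, and pointing credsStore at an installed docker-credential-* helper (pass, secretservice, osxkeychain) keeps the password out of the file; neither changes the fact that over plain HTTP the same base64 string is visible to anyone on the path, which is the argument for TLS on the registry rather than insecure-registries on the clients.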