The best practice of docker registry

PHP open source community 2020-11-07 19:01:03
best practice docker registry

1. understand Registry

One registry It's a storage and content delivery system , It maintains a number of named Docker Mirror image , These images come in different tagged versions .( for example : There's a mirror named hello/world, It has two tags Namely 2.0 and 2.1)

By using  docker push  and  docker pull  Command and registry Interact .( for example :docker pull

A registry is a storage and content delivery system, holding named Docker images, available in different tagged versions.
Users interact with a registry by using docker push and pull commands.

I said before. ,registry It's a storage system , It stores Docker Mirror image . that , Where is the image stored ? The store itself is delegated to the driver . The default storage driver is local posix file system , Other cloud based storage drivers are also supported , for example  Aliyun OSS

Because protecting access to managed images is critical , therefore Registry It supports TLS And basic authentication .

1.1. Understanding image naming

docker pull ubuntu  instructions docker From the official Docker Hub China Latin America takes a name of ubuntu Mirror image . This order is actually docker pull Abbreviation

docker pull myregistrydomain:port/foo/bar  instructions docker Pull to be located in myregistrydomain:port Mirror image foo/bar

1.2. Use cases

Run your own Registry Is with the CI/CD A great solution to integrate and complement systems . In a typical workflow , Commit to source version control system will trigger in CI Building on the system , If the build is successful , Push the new image to your Registry. then , come from Registry The notification of will trigger the deployment on the staging environment , Or notify other systems that a new image is available .

If you want to quickly deploy new images on a mainframe cluster , It's also an essential component .

It's also the best way to distribute images in an isolated network .


2. Deploy a registry server

# Run a local registry
docker run -d -p --restart=always --name registry registry:2

2.1. Copy an image from Docker Hub to your registry

You can start your Docker Hub Pull up a mirror image , And push it to your own Registry On . In the following example , from Docker Hub Pull up image ubuntu:16.04, And re mark it as my-ubuntu, And then push it locally registry, Last , then ubuntu:16.04 and my-ubuntu Delete .

# 1. Pull the ubuntu:16.04 image from Docker Hub
docker pull ubuntu:16.04
# 2. Tag the image as localhost:5000/my-ubuntu
# ( Be careful , When tag The first part of is the host name and port when ,push when Docker It will be interpreted as registry The location of )
docker tag ubuntu:16.04 localhost:5000/my-ubuntu
# 3. Push the image to the local registry running at localhost:5000
docker push localhost:5000/my-ubuntu
# 4. Remove the locally-cached ubuntu:16.04 and localhost:5000/my-ubuntu images, so that you can test pulling the image from your registry. This does not remove the localhost:5000/my-ubuntu image from your registry.
docker image remove ubuntu:16.04
docker image remove localhost:5000/my-ubuntu
# 5. Pull the localhost:5000/my-ubuntu image from your local registry
docker pull localhost:5000/my-ubuntu 

Stop local registry

# stop the registry
docker container stop registry
# remove the container
docker container stop registry && docker container rm -v registry


3. Basic configuration

For configuration container, You can give docker run Command specifies additional option parameters

# Automatic restart registry
# -p The value of the option , The first is the host port , The second is the container port . In the container ,registry The default listening port is 5000
docker run -d -p 5000:5000 --restart=always --name registry registry:2
# Custom storage location 
docker run -d -p 5000:5000 --restart=always --name registry -v /mnt/registry:/var/lib/registry registry:2

3.1. Run an externally accessible registry

Run a machine that is accessible only on the local host registry It's no use , In order to make your registry It can be accessed by external hosts , Must first use TLS Protect registry.

Here is a will registry An example of running as a service :

First , Get a certificate

Suppose your registry Of URL yes, Simultaneously assumed DNS, Routing and firewall settings allow access through ports 443 visit registry The host , And suppose you've gone from CA Get a certificate there .

that , Next

Create a certs Catalog

from CA Where to copy .crt and .key File to certs Catalog , Suppose you rename them to domain.crt and domain.key

restart registry, Point it to the use of TLS certificate

docker run -d
--name registry
-v "$(pwd)"/certs:/certs
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key
-p 443:443

Now? Docker The client can go through registry The Internet address of pull and push 了

docker pull ubuntu:16.04
docker tag ubuntu:16.04
docker push
docker pull

take registry Run as a service

Compared to individual containers ,swarm services It has many advantages . They use a declarative model , This means that you define the required state , and Docker Then keep the service in that state . Services provide automatic load balancing extensions , And it has the ability to control service allocation and other advantages . The service also allows you to store sensitive data secretly , for example TLS certificate .

The following example will registry Start as a single copy service , It can be on the port 80 Access the... On any cluster node on registry, And assume that you are using the same TLS certificate .

# First , preservation TLS Certificates and key As secret
docker secret create domain.crt certs/domain.crt
docker secret create domain.key certs/domain.key
# Next , Will you want to allow registry Of node Add a label 
docker node update --label-add registry=true node1
# We'll go on with the , Create a service , And authorized it to access two secret, And limit it to only when the label is registry=true Running on the node of 
docker service create
--name registry 
--secret domain.crt 
--secret domain.key 
--constraint 'node.labels.registry==true' 
--mount type=bind,src=/mnt/registry,dst=/var/lib/registry 
-e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/domain.crt
-e REGISTRY_HTTP_TLS_KEY=/run/secrets/domain.key
--publish published=443,target=443 
--replicas 1 

Now you can do it any time swarm Node 443 Access service on Port .Docker The request is sent to the node running the service .


4. file

# start-up registry
docker run -d -p 5000:5000 --name registry registry:2
# from Docker Hub Pull up image 
docker pull ubuntu
# Call the image tag
docker image tag ubuntu localhost:5000/myfirstimage
# Push it to your own registry
docker push localhost:5000/myfirstimage
# Again from your own registry Pull the mirror image 
docker pull localhost:5000/myfirstimage
# stop it registry And delete all the data 
docker container stop registry && docker container rm -v registry


本文为[PHP open source community]所创,转载请带上原文链接,感谢

  1. 【计算机网络 12(1),尚学堂马士兵Java视频教程
  2. 【程序猿历程,史上最全的Java面试题集锦在这里
  3. 【程序猿历程(1),Javaweb视频教程百度云
  4. Notes on MySQL 45 lectures (1-7)
  5. [computer network 12 (1), Shang Xuetang Ma soldier java video tutorial
  6. The most complete collection of Java interview questions in history is here
  7. [process of program ape (1), JavaWeb video tutorial, baidu cloud
  8. Notes on MySQL 45 lectures (1-7)
  9. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  10. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  11. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  12. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  13. 【递归,Java传智播客笔记
  14. [recursion, Java intelligence podcast notes
  15. [adhere to painting for 386 days] the beginning of spring of 24 solar terms
  16. K8S系列第八篇(Service、EndPoints以及高可用kubeadm部署)
  17. K8s Series Part 8 (service, endpoints and high availability kubeadm deployment)
  18. 【重识 HTML (3),350道Java面试真题分享
  19. 【重识 HTML (2),Java并发编程必会的多线程你竟然还不会
  20. 【重识 HTML (1),二本Java小菜鸟4面字节跳动被秒成渣渣
  21. [re recognize HTML (3) and share 350 real Java interview questions
  22. [re recognize HTML (2). Multithreading is a must for Java Concurrent Programming. How dare you not
  23. [re recognize HTML (1), two Java rookies' 4-sided bytes beat and become slag in seconds
  24. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  25. RPC 1: how to develop RPC framework from scratch
  26. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  27. RPC 1: how to develop RPC framework from scratch
  28. 一次性捋清楚吧,对乱糟糟的,Spring事务扩展机制
  29. 一文彻底弄懂如何选择抽象类还是接口,连续四年百度Java岗必问面试题
  30. Redis常用命令
  31. 一双拖鞋引发的血案,狂神说Java系列笔记
  32. 一、mysql基础安装
  33. 一位程序员的独白:尽管我一生坎坷,Java框架面试基础
  34. Clear it all at once. For the messy, spring transaction extension mechanism
  35. A thorough understanding of how to choose abstract classes or interfaces, baidu Java post must ask interview questions for four consecutive years
  36. Redis common commands
  37. A pair of slippers triggered the murder, crazy God said java series notes
  38. 1、 MySQL basic installation
  39. Monologue of a programmer: despite my ups and downs in my life, Java framework is the foundation of interview
  40. 【大厂面试】三面三问Spring循环依赖,请一定要把这篇看完(建议收藏)
  41. 一线互联网企业中,springboot入门项目
  42. 一篇文带你入门SSM框架Spring开发,帮你快速拿Offer
  43. 【面试资料】Java全集、微服务、大数据、数据结构与算法、机器学习知识最全总结,283页pdf
  44. 【leetcode刷题】24.数组中重复的数字——Java版
  45. 【leetcode刷题】23.对称二叉树——Java版
  46. 【leetcode刷题】22.二叉树的中序遍历——Java版
  47. 【leetcode刷题】21.三数之和——Java版
  48. 【leetcode刷题】20.最长回文子串——Java版
  49. 【leetcode刷题】19.回文链表——Java版
  50. 【leetcode刷题】18.反转链表——Java版
  51. 【leetcode刷题】17.相交链表——Java&python版
  52. 【leetcode刷题】16.环形链表——Java版
  53. 【leetcode刷题】15.汉明距离——Java版
  54. 【leetcode刷题】14.找到所有数组中消失的数字——Java版
  55. 【leetcode刷题】13.比特位计数——Java版
  56. oracle控制用户权限命令
  57. 三年Java开发,继阿里,鲁班二期Java架构师
  58. Oracle必须要启动的服务
  59. 万字长文!深入剖析HashMap,Java基础笔试题大全带答案
  60. 一问Kafka就心慌?我却凭着这份,图灵学院vip课程百度云