1. Understanding the Registry
A registry is a storage and content delivery system that holds named Docker images, each available in different tagged versions (for example, an image named hello/world with two tags, 2.0 and 2.1).
Users interact with a registry through the docker push and docker pull commands (for example: docker pull registry-1.docker.io/hello/world:2.1).
As said above, a registry is a storage system for Docker images. So where are the images actually stored? Storage itself is delegated to a driver. The default storage driver is the local POSIX filesystem; other, cloud-based storage drivers are also supported, for example Aliyun OSS.
Because protecting access to the hosted images is critical, the registry supports TLS and basic authentication.
1.1. Understanding image naming
docker pull ubuntu instructs Docker to pull an image named ubuntu from the official Docker Hub. This command is shorthand for docker pull docker.io/library/ubuntu.
docker pull myregistrydomain:port/foo/bar instructs Docker to pull the image foo/bar from the registry located at myregistrydomain:port.
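To make the naming rules above concrete, here is a small added shell function (not part of the original post) that normalizes an image reference the way the Docker client does: a bare name means docker.io/library/name, a first path component containing a dot or a port colon (or equal to localhost) is the registry, and a missing tag means latest. The references it is exercised on are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: resolve an image reference
# into "registry repository tag" following the rules of section 1.1.

# A first path component is a registry host only if it looks like one:
# it contains a dot (a domain) or a colon (a port), or it is "localhost".
is_registry_host() {
    case "$1" in
        *.*|*:*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

normalize_ref() {
    ref="$1"
    registry="docker.io"
    rest="$ref"
    first="${ref%%/*}"
    # Only split off a registry when the reference has a "/" at all;
    # "ubuntu:16.04" has a colon but no slash, so the colon is a tag.
    if [ "$first" != "$ref" ] && is_registry_host "$first"; then
        registry="$first"
        rest="${ref#*/}"
    fi
    # The port colon (if any) has been removed with the registry above,
    # so any remaining colon separates repository and tag.
    case "$rest" in
        *:*) tag="${rest##*:}"; repo="${rest%:*}" ;;
        *)   tag="latest";      repo="$rest" ;;
    esac
    # Single-segment Docker Hub names live under the "library" namespace,
    # which is why "ubuntu" expands to docker.io/library/ubuntu.
    if [ "$registry" = "docker.io" ] && [ "${repo#*/}" = "$repo" ]; then
        repo="library/$repo"
    fi
    printf '%s %s %s\n' "$registry" "$repo" "$tag"
}

# Demonstration on the references that appear in this post.
for r in ubuntu ubuntu:16.04 hello/world:2.1 \
         registry-1.docker.io/hello/world:2.1 localhost:5000/my-ubuntu; do
    normalize_ref "$r"
done
```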
1.2. Use cases
Running your own registry is a great solution for integrating with and complementing your CI/CD system. In a typical workflow, a commit to your source version control system triggers a build on your CI system, which, if the build succeeds, pushes a new image to your registry. A notification from the registry then triggers a deployment on a staging environment, or notifies other systems that a new image is available.
It is also an essential component if you want to quickly deploy a new image over a large cluster of machines.
It is also the best way to distribute images inside an isolated network.
2. Deploy a registry server
# Run a local registry (the -p option needs host:container ports; the registry listens on 5000 inside the container)
docker run -d -p 5000:5000 --restart=always --name registry registry:2
2.1. Copy an image from Docker Hub to your registry
You can pull an image from Docker Hub and push it to your own registry. In the following example, the ubuntu:16.04 image is pulled from Docker Hub, re-tagged as my-ubuntu, and pushed to the local registry; finally, both ubuntu:16.04 and my-ubuntu are removed locally.
# 1. Pull the ubuntu:16.04 image from Docker Hub
docker pull ubuntu:16.04
# 2. Tag the image as localhost:5000/my-ubuntu
#    (Note: when the first part of the tag is a hostname and port, Docker interprets it as the registry location when pushing)
docker tag ubuntu:16.04 localhost:5000/my-ubuntu
# 3. Push the image to the local registry running at localhost:5000
docker push localhost:5000/my-ubuntu
# 4. Remove the locally-cached ubuntu:16.04 and localhost:5000/my-ubuntu images, so that you can test pulling the image from your registry.
#    This does not remove the localhost:5000/my-ubuntu image from your registry.
docker image remove ubuntu:16.04
docker image remove localhost:5000/my-ubuntu
# 5. Pull the localhost:5000/my-ubuntu image from your local registry
docker pull localhost:5000/my-ubuntu
Stop the local registry
# stop the registry
docker container stop registry
# stop and remove the container (-v also removes its anonymous volumes)
docker container stop registry && docker container rm -v registry
3. Basic configuration
To configure the container, you can pass additional options to the docker run command.
# Automatically restart the registry
# In the value of the -p option, the first number is the host port and the second is the container port. Inside the container, the registry listens on port 5000 by default.
docker run -d -p 5000:5000 --restart=always --name registry registry:2
# Custom storage location
docker run -d -p 5000:5000 --restart=always --name registry -v /mnt/registry:/var/lib/registry registry:2
3.1. Run an externally accessible registry
A registry that is only reachable on localhost is of little use. To make your registry accessible to external hosts, you must first secure it with TLS.
The following example first sets up TLS and then runs the registry as a service:
First, get a certificate
Suppose your registry's URL is https://myregistry.domain.com/, that your DNS, routing and firewall settings allow access to the registry host on port 443, and that you have already obtained a certificate from a CA.
Then:
Create a certs directory
Copy the .crt and .key files from the CA into the certs directory; suppose you rename them to domain.crt and domain.key
Restart the registry, pointing it at the TLS certificate
docker run -d --restart=always --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 registry:2
Now Docker clients can pull and push through the registry's public address:
docker pull ubuntu:16.04
docker tag ubuntu:16.04 myregistry.domain.com/my-ubuntu
docker push myregistry.domain.com/my-ubuntu
docker pull myregistry.domain.com/my-ubuntu
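Before starting the registry with REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY, it is worth checking that the files in certs/ actually fit together, since a mismatched key, an expired certificate, or a certificate issued for a different name all surface later as opaque x509 errors on docker push. The following added shell function (not part of the original post) performs those three checks with openssl; it assumes the file names domain.crt and domain.key and the hostname myregistry.domain.com used above, all passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks on the
# certificate and key before running the registry with TLS.
# Usage: check_registry_tls certs/domain.crt certs/domain.key myregistry.domain.com
# Returns 0 when all checks pass, 1 otherwise, and prints the reason.
check_registry_tls() {
    crt="$1"; key="$2"; host="$3"

    # 1. The private key must belong to the certificate: compare the
    #    public key embedded in each (both printed as PEM by openssl).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate $crt"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key $key"; return 1; }
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not match"; return 1
    fi

    # 2. The certificate must not be expired or about to expire
    #    (-checkend takes seconds; 86400 = one day of headroom).
    if ! openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null; then
        echo "certificate is expired or expires within 24 h"; return 1
    fi

    # 3. The certificate must be valid for the name clients will dial;
    #    -checkhost prints "does match" or "does NOT match".
    if ! openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
            | grep -q "does match"; then
        echo "certificate is not valid for host $host"; return 1
    fi

    echo "ok: $crt and $key are usable for https://$host/"
    return 0
}
```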
Run the registry as a service
Compared with standalone containers, swarm services have many advantages. They use a declarative model, meaning you define the desired state and Docker keeps the service in that state. Services provide automatic load balancing and scaling, let you control where the service is placed, and have other benefits. Services also let you store sensitive data, such as TLS certificates, as secrets.
The following example starts the registry as a single-replica service, accessible on port 80 on any swarm node, and assumes you are using the same TLS certificates as above.
# First, store the TLS certificate and key as secrets
docker secret create domain.crt certs/domain.crt
docker secret create domain.key certs/domain.key
# Next, add a label to the node on which you want the registry to be allowed to run
docker node update --label-add registry=true node1
# Then create the service, grant it access to the two secrets, and constrain it to run only on nodes labelled registry=true
docker service create --name registry \
  --secret domain.crt \
  --secret domain.key \
  --constraint 'node.labels.registry==true' \
  --mount type=bind,src=/mnt/registry,dst=/var/lib/registry \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/run/secrets/domain.key \
  --publish published=443,target=443 \
  --replicas 1 \
  registry:2
You can now access the service on port 443 of any swarm node. Docker routes the request to the node that is running the service.
# Start the registry
docker run -d -p 5000:5000 --name registry registry:2
# Pull an image from Docker Hub
docker pull ubuntu
# Tag the image
docker image tag ubuntu localhost:5000/myfirstimage
# Push it to your own registry
docker push localhost:5000/myfirstimage
# Pull the image back from your own registry
docker pull localhost:5000/myfirstimage
# Stop the registry and delete all its data
docker container stop registry && docker container rm -v registry