Docker private registry deployment

JJLAAA 2021-02-23 17:58:34
docker deployment registry private



0 Requirements

  • Running a private Docker registry avoids the network problems that can arise during development and in production;
  • The registry itself is Docker Registry, with Docker Auth (cesanta/docker_auth) providing authentication
  • Usage scenario: pushing an image normally requires authentication while pulling does not, and different environments need different access policies. Plain HTTP basic authentication is hard to extend; docker_auth implements token-based authentication for Docker Registry and fits real scenarios better:

    • supports third-party user authentication
    • supports fairly rich ACL policy configuration
    • is easy to configure and deploy

This article has been verified by the author personally; if readers run into errors while following it, please point them out in the comments

1. Docker installation

1.1 Remove traces of an old Docker installation

Skip this step on a first-time installation. Note that the last command deletes every image, container and volume on the host.

sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get purge docker-ce docker-ce-cli containerd.io
sudo rm -rf /var/lib/docker

1.2 Install Docker

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER

Read get-docker.sh before running it: it is downloaded from the Internet and executed as root. $USER is the account that will run docker commands; log out and back in for the group change to take effect. Membership in the docker group is equivalent to root on the host, so grant it only to accounts you would also give sudo.

For other installation methods see Install Docker Engine on Ubuntu

1.3 Docker configuration

  • Configure the Aliyun registry mirror

    sudo tee /etc/docker/daemon.json << eof
    {
      "registry-mirrors": ["https://jioksect.mirror.aliyuncs.com"]
    }
    eof
    sudo systemctl daemon-reload
    sudo systemctl restart docker

    tee overwrites any existing daemon.json. Section 5.1 adds another key to the same file later, so keep it a single valid JSON object; dockerd refuses to start on a malformed daemon.json.

2 Docker Auth installation and deployment

mkdir -p /opt/docker_auth/config /opt/docker_auth/log && touch /opt/docker_auth/config/auth_config.yml
echo '
server:
  addr: ":5001"
  certificate: "/root/cert.pem"
  key: "/root/cert.key"
token:
  issuer: "Auth Service"
  expiration: 900
users:
  "root":
    password: "${passwd}"
  "": {}
acl:
  - match: {account: "root"}
    actions: ["*"]
  - match: {account: ""} # anonymous users may only pull images
    actions: ["pull"]' > /opt/docker_auth/config/auth_config.yml
  1. How to generate ${passwd}

    1. Generate the password hash with: htpasswd -nB root

      1. The password entered at the htpasswd -nB root prompt is the root password used for docker login. The command prints root:$2y$05$... ; only the bcrypt hash after the colon goes into the password field, since docker_auth stores bcrypt hashes, not plaintext passwords.
  2. For more configuration options see: docker_auth configuration examples

部署容器

docker run -d \
--name=docker_auth \
-p ${port}:5001 \
--restart=always \
-v /opt/docker_auth/config:/config:ro \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
-v /opt/docker_auth/log:/logs \
cesanta/docker_auth:1.6.0 --v=2 --alsologtostderr /config/auth_config.yml
  • Note: if the registry is to be a public service, Docker Auth's port must be exposed to the Internet as well (frp can be used for this), because docker login sends the authentication request to Docker Auth, not to the registry
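What the ACL above actually grants is easiest to see by evaluating it. The following is an added example for this page, not part of the original post and not docker_auth's own code: it models docker_auth's first-match rule (entries in acl are tried in order, the first entry whose match fits the requesting account decides, the token carries only the requested actions that entry allows, and a request matching no entry is denied). The repository names and the account "alice" are constructed.

```python
"""Model of the ACL evaluation docker_auth applies to auth_config.yml above.

Added example; not part of the original post and not docker_auth's code.
Anonymous users are the empty account "". Scope strings are the ones the
Docker client sends, e.g. "repository:team/app:pull,push".
"""
from fnmatch import fnmatchcase

# Same two rules as the acl: section of auth_config.yml in section 2.
ACL = [
    {"match": {"account": "root"}, "actions": ["*"]},
    {"match": {"account": ""}, "actions": ["pull"]},   # anonymous: pull only
]


def parse_scope(scope):
    """'repository:team/app:pull,push' -> ('repository', 'team/app', ['pull', 'push'])."""
    parts = scope.split(":", 2)
    if len(parts) != 3:
        raise ValueError("malformed scope: " + scope)
    typ, name, actions = parts
    return typ, name, [a for a in actions.split(",") if a]


def entry_matches(match, account, typ, name):
    """Every key present in `match` must fit; docker_auth compares them as globs,
    so {"name": "team/*"} would restrict an entry to one namespace."""
    request = {"account": account, "type": typ, "name": name}
    return all(fnmatchcase(request.get(key, ""), pattern) for key, pattern in match.items())


def authorize(account, scope, acl=ACL):
    """Actions granted to `account` for one scope; [] means the registry will
    answer 401 for that operation. Unknown accounts never match an entry
    (in real docker_auth they already fail authentication before the ACL)."""
    typ, name, requested = parse_scope(scope)
    for entry in acl:
        if entry_matches(entry["match"], account, typ, name):
            allowed = entry["actions"]
            if "*" in allowed:
                return requested
            return [a for a in requested if a in allowed]
    return []


def token_access(account, scopes, acl=ACL):
    """The `access` claim of the token docker_auth would issue for several
    scopes at once (docker push asks for pull,push in one request)."""
    access = []
    for scope in scopes:
        typ, name, _ = parse_scope(scope)
        granted = authorize(account, scope, acl)
        if granted:
            access.append({"type": typ, "name": name, "actions": granted})
    return access


if __name__ == "__main__":
    for account in ("", "root", "alice"):
        print(repr(account), token_access(account,
              ["repository:team/app:pull,push", "registry:catalog:*"]))
```

Running it shows the consequence of the two rules: an anonymous push request is cut down to pull, anonymous access to the catalog (registry:catalog:*) gets nothing, and only root keeps every action. Adding a match on name is how per-namespace policies for different environments are expressed.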

3 Docker Registry image installation and container configuration

3.1 Pull the Docker Registry image

docker pull registry:2.7.0
mkdir -p /opt/docker_registry/config /opt/docker_registry/data && touch /opt/docker_registry/config/config.yml

3.2 Write the configuration file

echo 'version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  token:
    autoredirect: false # when true the registry ignores realm and sends clients to https://<registry host>/auth/token, where nothing listens
    realm: ${docker_auth_url}/auth
    service: Docker registry
    issuer: Auth Service
    rootcertbundle: /root/cert.pem
http:
  addr: :5000
  tls:
    certificate: /root/cert.pem
    key: /root/cert.key
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3' > /opt/docker_registry/config/config.yml
  • ${docker_auth_url} is the public address of the Docker Auth service

    • If Docker Auth uses the same certificate as the Docker Registry Nginx, ${docker_auth_url} must be the domain name the certificate was issued for, not the public IP; otherwise docker login fails with a signature/certificate error because the certificate is not valid for the IP
  • Docker Auth serves HTTPS by default, so ${docker_auth_url} must use the https scheme
  • issuer must be exactly the issuer string in auth_config.yml ("Auth Service"), and rootcertbundle must be the certificate Docker Auth signs tokens with (here the same cert.pem mounted into both containers); if either differs, the registry rejects every token
  • A certificate can be obtained free of charge from Aliyun

3.3 Start the service

docker run -d \
-p ${port}:5000 \
--restart=always \
--name=registry \
-v /opt/docker_registry/config/:/etc/docker/registry/ \
-v /opt/docker_registry/data:/var/lib/registry \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
registry:2.7.0
  • The tag must be the one pulled in 3.1; the registry can be exposed with frp as well

3.4 Use Nginx to provide the HTTPS service

echo 'server {
listen 443 ssl;
server_name ${host_name};
# ssl certificate location (common certificate formats: crt/pem)
ssl_certificate /etc/nginx/ssl/registry-cert.pem;
# ssl certificate key location
ssl_certificate_key /etc/nginx/ssl/registry-cert.key;
ssl_session_timeout 10m;
# TLS 1.0/1.1 and CBC suites left out; AEAD ECDHE suites only
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# image layers are large; the 1m default request body limit breaks docker push
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# the registry backend, e.g. an intranet service exposed with frp;
# it must not be ${host_name} itself, or requests loop back into this server block
proxy_pass https://${registry_upstream};
}
}' >> /opt/nginx/dockerRegistry.conf
  • Deploy the Nginx service as a Docker container
  • The certificate Nginx uses for HTTPS can be the same one used by the Docker Auth service
  • Nginx does not verify the upstream certificate on proxy_pass https:// unless proxy_ssl_verify is enabled, so keep the Nginx-to-registry hop on a trusted network or enable that verification

4 (Optional) Deploy the private registry with docker-compose in one step

echo 'version: "3.7"
services:
  auth:
    image: cesanta/docker_auth:1.6.0
    volumes:
      - /opt/docker_auth/config:/config:ro
      - /opt/docker_auth/log:/logs
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    container_name: docker_auth
    restart: always
    command: --v=2 --alsologtostderr /config/auth_config.yml
    ports:
      - "${auth_port}:5001"
  docker_registry:
    image: registry:2.7.0
    container_name: registry
    depends_on:
      - auth
    ports:
      - "${registry_port}:5000"
    volumes:
      - /opt/docker_registry/config:/etc/docker/registry
      - /opt/docker_registry/data:/var/lib/registry
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    restart: always' >> /opt/docker_registry/registry.yaml
cd /opt/docker_registry && docker-compose -f registry.yaml up -d
  • version must be a quoted string and port mappings are quoted so YAML does not parse them as numbers; docker-compose rejects the file otherwise
  • The host paths differ from sections 2 and 3: here the certificate and key are expected under /opt/docker_auth/ssl/

5 Using the private registry service

5.1 Enable HTTP access to the private registry

Listing a host under insecure-registries makes dockerd accept it over plain HTTP and skip certificate verification over HTTPS, so it belongs only on test hosts with a self-signed certificate. With the CA-issued certificate from section 3.2 this step is not needed at all, and for a self-signed certificate the better option is to place the CA certificate at /etc/docker/certs.d/${registry_hostname}:${port}/ca.crt, which keeps verification on.

vim /etc/docker/daemon.json

Add the following key to the JSON object (keep the registry-mirrors key from section 1.3; the file must remain one valid JSON object)

{
  "insecure-registries": ["${registry_hostname}:${port}"]
}

Restart the Docker service

systemctl daemon-reload
systemctl restart docker
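The two ways of making the daemon accept the registry, side by side, as an added example for this page (not part of the original post): merge_insecure_registry edits daemon.json without clobbering the registry-mirrors entry from section 1.3, which is what this step asks for; trust_registry_ca is the alternative that keeps TLS verification on by installing the CA certificate under /etc/docker/certs.d/<host>:<port>/ca.crt. The registry host name registry.example.com:5000 and the PEM text are constructed, and the certs.d root is a parameter so demo() can run in a temporary directory.

```python
"""daemon.json merge vs. certs.d trust for a private registry.

Added example; not part of the original post. Constructed inputs live in demo().
"""
import json
import os
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"
CERTS_D = "/etc/docker/certs.d"


def merge_insecure_registry(daemon_json_text, registry):
    """Return daemon.json text with `registry` (host[:port], no scheme) added to
    insecure-registries. Existing keys are kept; duplicates are not added."""
    if "://" in registry:
        # dockerd expects host[:port] or a CIDR here, not a URL
        raise ValueError("insecure-registries entries must not contain a scheme: " + registry)
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    entries = cfg.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return json.dumps(cfg, indent=2) + "\n"


def trust_registry_ca(registry, ca_pem_text, certs_root=CERTS_D):
    """Install the CA that signed the registry certificate so dockerd verifies
    the chain instead of skipping it. Returns the path written."""
    if "-----BEGIN CERTIFICATE-----" not in ca_pem_text:
        raise ValueError("expected a PEM certificate")
    target_dir = os.path.join(certs_root, registry)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, "ca.crt")
    with open(path, "w") as f:
        f.write(ca_pem_text)
    return path


def write_daemon_json(text, path=DAEMON_JSON):
    """Atomic replace: a crash must never leave a half-written daemon.json,
    which would stop dockerd from starting after the restart."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def demo():
    """Exercise both helpers on constructed input inside a temporary directory."""
    existing = '{"registry-mirrors": ["https://jioksect.mirror.aliyuncs.com"]}'
    merged = json.loads(merge_insecure_registry(existing, "registry.example.com:5000"))
    try:
        merge_insecure_registry(existing, "https://registry.example.com:5000")
        rejected = False
    except ValueError:
        rejected = True
    fake_ca = ("-----BEGIN CERTIFICATE-----\n"
               "constructed placeholder, not a real certificate\n"
               "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as root:
        ca_path = trust_registry_ca("registry.example.com:5000", fake_ca, certs_root=root)
        rel_path = os.path.relpath(ca_path, root)
        written = os.path.isfile(ca_path)
    return merged, rejected, rel_path, written


if __name__ == "__main__":
    merged, rejected, rel_path, written = demo()
    print(json.dumps(merged, indent=2))
    print("scheme rejected:", rejected, "| certs.d file:", rel_path, "written:", written)
```

To apply the insecure-registries route for real, pass the current file contents through merge_insecure_registry and hand the result to write_daemon_json as root, then restart dockerd as above; the certs.d route needs no restart, which is one more reason to prefer it.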

5.2 Try the private registry

5.2.1 Push an image

docker login ${registry_hostname}:${port}
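Under the hood, docker login performs the exchange that ties sections 2 and 3 together: the registry answers GET /v2/ with 401 and a WWW-Authenticate: Bearer challenge carrying the realm from config.yml, the client fetches a token from that realm (this is the request that has to reach Docker Auth), and replays it as a Bearer token. The following is an added example for this page, not part of the original post and not the Docker client's code; it is useful for debugging 401s and the signature error mentioned in 3.2. parse_challenge, token_url and token_claims run offline on a constructed challenge and a constructed unsigned token; login() talks to the real hosts and takes the registry address and credentials as command-line placeholders.

```python
"""The challenge/token exchange behind `docker login`.

Added example; not part of the original post and not Docker's client code.
"""
import base64
import json
import re
import sys
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """'Bearer realm="https://auth.example/auth",service="Docker registry",scope="..."'
    -> {'realm': ..., 'service': ..., 'scope': ...}. A Basic challenge means the
    registry is not configured for token auth."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("registry did not ask for token auth: " + header)
    return dict(_PARAM.findall(params))


def token_url(challenge):
    """URL the client fetches the token from: realm?service=...&scope=...
    The realm is whatever config.yml says, so a wrong ${docker_auth_url} shows up here first."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(token):
    """Header and payload of a JWT, decoded WITHOUT checking the signature.
    This is for inspecting what docker_auth granted (iss, aud, access); the
    registry is the party that verifies the signature against rootcertbundle."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def granted_actions(claims, repository):
    """Actions the token grants on one repository; [] means the registry answers 401."""
    for entry in claims.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repository:
            return entry.get("actions", [])
    return []


def login(registry, user, password):
    """Reproduce docker login: probe /v2/, follow the challenge, fetch a token."""
    try:
        urlopen(Request("https://" + registry + "/v2/"))
    except HTTPError as err:
        if err.code != 401:
            raise
        challenge = parse_challenge(err.headers["WWW-Authenticate"])
    else:
        raise RuntimeError("registry answered /v2/ without a challenge; token auth is not active")
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(token_url(challenge), headers={"Authorization": "Basic " + basic})
    with urlopen(req) as resp:
        return json.load(resp)["token"]


def constructed_token():
    """Unsigned token with the claims docker_auth issues to the anonymous user
    under the ACL of section 2 (pull only); constructed for the offline demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"typ": "JWT", "alg": "ES256", "kid": "constructed"}
    payload = {"iss": "Auth Service", "aud": "Docker registry", "sub": "",
               "access": [{"type": "repository", "name": "team/app", "actions": ["pull"]}]}
    return enc(header) + "." + enc(payload) + ".AAAA"


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # e.g. python3 login_flow.py registry.example.com:443 root 'secret'
        _, claims = token_claims(login(*sys.argv[1:4]))
        print(json.dumps(claims["access"], indent=2))
    else:
        _, claims = token_claims(constructed_token())
        print("anonymous may", granted_actions(claims, "team/app"), "on team/app")
```

When a real login fails, compare the decoded iss and aud with the issuer and service in config.yml, and check that the realm in the challenge is the https domain name the certificate was issued for; those are the three mismatches behind most "unauthorized" and signature errors in this setup.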

6 Reference links

7 TODO

Copyright notice
This article was written by [JJLAAA]; please include the original link when reposting, thanks
https://segmentfault.com/a/1190000039264241
