Docker private registry deployment

JJLAAA 2021-02-23 17:59:00

0 Requirements

  • Building a private Docker registry avoids the network problems that can occur when pulling images during development and in production.
  • Deploy the private registry with Docker Registry and use Docker Auth for authentication.
  • Consider the usage scenarios: publishing images generally requires authentication, pulling images does not, and different environments need different access policies. Plain HTTP authentication has limited extensibility; docker_auth provides a token-based implementation of Docker registry authentication that supports real-world scenarios better:

    • Third-party user authentication is supported
    • ACL policy configuration is supported
    • Configuration and deployment are easy to get started with

This article has been verified by the author himself; if readers run into mistakes in practice, you are welcome to say so in the comment area.

1 Docker installation

1.1 Remove traces of old Docker installations

If this is the first installation, you can skip this step.

sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get purge docker-ce docker-ce-cli containerd.io
sudo rm -rf /var/lib/docker

1.2 Install Docker

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker "$USER"   # let the current user run docker without sudo (re-login required)

For more installation methods, refer to Install Docker Engine on Ubuntu.

1.3 Docker configuration

  • Configure the Aliyun registry mirror

    sudo tee /etc/docker/daemon.json << eof
    {
    "registry-mirrors": ["https://jioksect.mirror.aliyuncs.com"]
    }
    eof
    sudo systemctl daemon-reload
    sudo systemctl restart docker

2 Docker Auth installation and deployment

mkdir -p /opt/docker_auth/config /opt/docker_auth/log && touch /opt/docker_auth/config/auth_config.yml
echo '
server:
  addr: ":5001"
  certificate: "/root/cert.pem"
  key: "/root/cert.key"
token:
  issuer: "Auth Service"
  expiration: 900
users:
  "root":
    password: "${passwd}"
  "": {}
acl:
  - match: {account: "root"}
    actions: ["*"]
  - match: {account: ""}  # Anonymous users can only pull images
    actions: ["pull"]' > /opt/docker_auth/config/auth_config.yml
  1. Generating ${passwd}

     • Generate the user password hash with: htpasswd -nB root
     • The password entered when running htpasswd -nB root is the root user's password that will later be entered at docker login. The command prints root:<bcrypt hash>; only the hash part after root: goes into the password field.
  2. For more configuration options, see: docker_auth Configuration example
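To see exactly what the two ACL entries above grant, here is an added Python example (not code from the article or from docker_auth itself) that transcribes the users and acl sections of auth_config.yml into Python data and evaluates requests the way docker_auth does: entries are tried in order, the first match wins, "*" grants every requested action, any other list grants only the intersection with the requested actions, and no match is a denial. It also goes one step beyond the article with a constructed stricter ACL that restricts anonymous pulls to a public/ namespace and lets each account push only under its own name. The matcher is a simplified version (glob patterns and the ${account} placeholder only); the account alice, the repository names and the password placeholders are constructed.

```python
"""Evaluate requests against the users/acl sections of auth_config.yml the
way docker_auth does: entries are tried in order, the first match wins,
"*" grants every requested action, any other list grants the intersection
of requested and listed actions, and no match means access is denied.

Added example; not code from the article or from docker_auth itself. The
matcher is a simplified version of docker_auth's (glob patterns and the
${account} placeholder only; regex matches and ip/labels are not handled).
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Transcribed from the auth_config.yml above. The bcrypt hash stays a
# placeholder here; a real value comes from `htpasswd -nB root`.
USERS = {
    "root": {"password": "${passwd}"},
    "": {},  # the empty account name enables anonymous access
}
ACL = [
    {"match": {"account": "root"}, "actions": ["*"]},
    {"match": {"account": ""}, "actions": ["pull"]},  # anonymous: pull only
]

# Constructed, stricter variant that the article does not use: anonymous
# users may only pull repositories under public/, and any other account may
# push only into a namespace named after itself.
STRICT_USERS = {**USERS, "alice": {"password": "${alice_passwd}"}}
STRICT_ACL = [
    {"match": {"account": "root"}, "actions": ["*"]},
    {"match": {"account": "", "type": "repository", "name": "public/*"},
     "actions": ["pull"]},
    {"match": {"type": "repository", "name": "${account}/*"},
     "actions": ["push", "pull"]},
]


def _field_matches(pattern: str, value: str, account: str) -> bool:
    """Glob match with docker_auth's ${account} substitution."""
    return fnmatchcase(value, pattern.replace("${account}", account))


def entry_matches(entry: dict, request: Dict[str, str]) -> bool:
    """Every key in the entry's match block must match the request."""
    for field, pattern in entry["match"].items():
        if field not in request:
            return False
        if not _field_matches(pattern, request[field], request["account"]):
            return False
    return True


def authorize(account: str, repo_type: str, name: str, requested: List[str],
              acl=ACL, users=USERS) -> Optional[List[str]]:
    """Return the granted actions, or None when the request is denied.

    Password verification (bcrypt) is left out; only account existence is
    checked, which is what decides whether anonymous access is possible.
    """
    if account not in users:
        return None
    request = {"account": account, "type": repo_type, "name": name}
    for entry in acl:
        if entry_matches(entry, request):
            allowed = entry["actions"]
            if allowed == ["*"]:
                return list(requested)
            return [a for a in requested if a in allowed]
    return None


if __name__ == "__main__":
    for who, acts in [("root", ["push", "pull"]), ("", ["push", "pull"]),
                      ("alice", ["pull"])]:
        print(repr(who), "requests", acts, "on team/app ->",
              authorize(who, "repository", "team/app", acts))
```

The third case shows why the anonymous entry matters: with the article's ACL an unauthenticated push request is not rejected outright, it is issued a token that simply lacks the push action, and the registry then refuses the upload.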

Deploy the container

docker run -d \
--name=docker_auth \
-p ${port}:5001 \
--restart=always \
-v /opt/docker_auth/config:/config:ro \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
-v /opt/docker_auth/log:/logs \
cesanta/docker_auth:1.6.0 --v=2 --alsologtostderr /config/auth_config.yml
  • Note: if the Docker image service is to be offered as a public network service, the Docker Auth service port must also be exposed to the public network (frp can be used to expose it), because running docker login sends the authentication request to Docker Auth.
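As an added example (not code from the article, the registry or docker_auth), the following Python walks through the exchange behind that note with constructed messages: the registry's 401 challenge built from the realm and service settings, the token request the client then sends to docker_auth, the claims in the returned token, and the checks the registry performs before serving the request. The host name auth.example.com, the repository team/app and the timestamps are constructed; the token's signature is a placeholder and is only there to show the layout.

```python
"""The token exchange behind `docker login` / `docker pull` against a
registry that delegates authentication to docker_auth (bearer token auth).

Added example with constructed messages; not code from the article, the
registry or docker_auth. Host names, repository names and timestamps
are made up.
"""
import base64
import json
import re
from urllib.parse import urlencode

# Step 1: the registry answers the first request with 401 and a challenge
# built from auth.token.realm and auth.token.service in config.yml.
# Constructed sample header (the realm host is made up):
CHALLENGE = (
    'Bearer realm="https://auth.example.com:5001/auth",'
    'service="Docker registry",scope="repository:team/app:pull,push"'
)


def parse_bearer_challenge(header: str) -> dict:
    """Parse 'Bearer k="v",k="v"'. Values may themselves contain commas
    (the scope above does), so split on the quoted pairs, not on commas."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


# Step 2: the client sends service and scope to the realm (docker_auth),
# with the user's credentials in a Basic Authorization header. This is
# why docker_auth's port must be reachable from wherever `docker login`
# runs.
def token_request_url(challenge: dict) -> str:
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)


# Step 3: docker_auth checks the password and the ACL, then returns a JWT
# whose `access` claim lists the actions it actually granted.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(claims: dict) -> str:
    """Token with the layout docker_auth returns. The signature segment here
    is a constructed placeholder: a real token is signed with the key from
    auth_config.yml and the registry verifies it against rootcertbundle,
    so a token like this one would be rejected by a real registry."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"signature-placeholder")])


def token_claims(token: str) -> dict:
    """Decode the claims (payload) segment; no signature check here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed claims as docker_auth would issue them for the two accounts
# in auth_config.yml (issuer "Auth Service", 900 s lifetime).
ROOT_CLAIMS = {"iss": "Auth Service", "sub": "root", "aud": "Docker registry",
               "nbf": 1000, "exp": 1900,
               "access": [{"type": "repository", "name": "team/app",
                           "actions": ["pull", "push"]}]}
ANON_CLAIMS = {"iss": "Auth Service", "sub": "", "aud": "Docker registry",
               "nbf": 1000, "exp": 1900,
               "access": [{"type": "repository", "name": "team/app",
                           "actions": ["pull"]}]}  # the ACL stripped "push"


# Step 4: the registry accepts the token only if it was issued for this
# service by the configured issuer, is inside its validity window, and
# grants the requested action on the requested repository.
def registry_authorizes(claims: dict, service: str, issuer: str,
                        repo: str, action: str, now: int) -> bool:
    if claims.get("iss") != issuer or claims.get("aud") != service:
        return False
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False
    for grant in claims.get("access", []):
        if (grant.get("type") == "repository" and grant.get("name") == repo
                and action in grant.get("actions", [])):
            return True
    return False


if __name__ == "__main__":
    ch = parse_bearer_challenge(CHALLENGE)
    print("token request:", token_request_url(ch))
    for label, claims in (("root", ROOT_CLAIMS), ("anonymous", ANON_CLAIMS)):
        tok = sample_token(claims)
        for action in ("pull", "push"):
            ok = registry_authorizes(token_claims(tok), "Docker registry",
                                     "Auth Service", "team/app", action, now=1500)
            print(f"{label}: {action} on team/app ->", "allowed" if ok else "denied")
```

Step 4 is also why the issuer strings in auth_config.yml (token.issuer) and config.yml (auth.token.issuer) must be identical, and why the registry needs Docker Auth's certificate as rootcertbundle: a token whose issuer, audience or signature does not line up is refused even though docker_auth issued it.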

3 Docker Registry image installation and container configuration

3.1 Pull the Docker Registry image

docker pull registry:2.7.0
mkdir -p /opt/docker_registry/config /opt/docker_registry/data && touch /opt/docker_registry/config/config.yml

3.2 Set up the configuration file

echo 'version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  token:
    autoredirect: true
    realm: ${docker_auth_url}/auth
    service: Docker registry
    issuer: Auth Service
    rootcertbundle: /root/cert.pem
http:
  addr: :5000
  tls:
    certificate: /root/cert.pem
    key: /root/cert.key
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3' > /opt/docker_registry/config/config.yml
  • ${docker_auth_url} is the public address of the Docker Auth service.

    • Note that if Docker Auth uses the same certificate as Docker Registry and Nginx, ${docker_auth_url} must use the domain name in the certificate rather than the public IP; otherwise docker login fails with a signature error.
  • Docker Auth serves HTTPS by default, so ${docker_auth_url} should use the HTTPS scheme.
  • Certificates can be applied for free of charge from Aliyun.

3.3 Start the service

docker run -d \
-p ${port}:5000 \
--restart=always \
--name=registry \
-v /opt/docker_registry/config/:/etc/docker/registry/ \
-v /opt/docker_registry/data:/var/lib/registry \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
registry:2.7.0
  • frp can be used to expose the Docker Registry service.

3.4 Use Nginx to provide the HTTPS service

echo 'server {
    listen 443 ssl;
    server_name ${host_name};
    # SSL certificate file location (common certificate formats: crt/pem)
    ssl_certificate /etc/nginx/ssl/registry-cert.pem;
    # SSL certificate key location
    ssl_certificate_key /etc/nginx/ssl/registry-cert.key;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    # Image layers are uploaded as large requests; the default 1m body limit would reject them
    client_max_body_size 0;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # Upstream registry from section 3.3; frp can be used to expose an intranet service
        proxy_pass https://${registry_hostname}:${port};
    }
}' >> /opt/nginx/dockerRegistry.conf
  • Nginx can be deployed as a Docker container.
  • The HTTPS certificate used by the Nginx service can be the same certificate set used by the Docker Auth service.
  • TLSv1 and TLSv1.1 are deprecated; unless legacy clients require them, restrict ssl_protocols to TLSv1.2 and later.

4 (Optional) Deploy the Docker private registry services in one step with docker-compose

echo 'version: "3.7"
services:
  auth:
    image: cesanta/docker_auth:1.6.0
    volumes:
      - /opt/docker_auth/config:/config:ro
      - /opt/docker_auth/log:/logs
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    container_name: docker_auth
    restart: always
    command: --v=2 --alsologtostderr /config/auth_config.yml
    ports:
      - "${auth_port}:5001"
  docker_registry:
    image: registry:2.7.0
    container_name: registry
    depends_on:
      - auth
    ports:
      - "${registry_port}:5000"
    volumes:
      - /opt/docker_registry/config:/etc/docker/registry
      - /opt/docker_registry/data:/var/lib/registry
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    restart: always' >> /opt/docker_registry/registry.yaml
cd /opt/docker_registry && docker-compose -f registry.yaml up -d

5 Use the Docker private registry service

5.1 Enable access to the private registry over HTTP

vim /etc/docker/daemon.json

Add the following node to the JSON structure. This is only needed when the Docker daemon cannot validate the registry's TLS certificate (plain HTTP or a self-signed certificate); with a trusted certificate, as set up in section 3.4, this step can be skipped.

{
  "insecure-registries": ["${registry_hostname}:${port}"]
}

Restart the Docker service:

systemctl daemon-reload
systemctl restart docker

5.2 Try out the private registry service

5.2.1 Push an image

docker login ${registry_hostname}:${port}

6 Reference links

7 TODO

Copyright notice
This article was created by [JJLAAA]; when reposting, please include the original link. Thanks.
https://javamana.com/2021/02/20210223175807465R.html
