内网环境下，可以使用 Docker Registry 来解决 k8s 集群的镜像拉取问题；公网情况下，自建 Docker Registry 私密性更高，比公有仓库更适合存放内部镜像（但必须同时开启 TLS 和认证，否则任何能访问该端口的人都可以拉取和推送镜像）。
如果需要 Docker Registry 开启认证功能,可以直接看配置 Docker Registry 认证
官方文档
部署
启动带认证的 Docker Registry
TLS认证
用registry代理证书
-
创建 certs 目录，将证书文件 .crt 和 .key 复制到 certs 目录（目录名要与下面 docker run 中挂载的 "$(pwd)"/certs 保持一致）；私钥文件建议设置为 600 权限，避免被其他本机用户读取。
-
启动容器
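# Pin the image to the v2 distribution major tag instead of the mutable
# "latest" so that a later re-pull cannot silently swap in a different build.
$ docker pull registry:2
# The registry terminates TLS itself. The host directory must be named "certs"
# to match the mount; it is mounted read-only because the registry only reads
# the certificate and key from it.
# NOTE(review): no REGISTRY_AUTH is set in this command, so anyone who can reach
# port 443 can pull *and push*; combine it with the htpasswd settings from the
# password-authentication section for anything beyond an isolated LAN.
$ docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs:ro \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry:2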
用nginx代理证书
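http{
    ...
    # If the upstream registry does not send Docker-Distribution-Api-Version,
    # fall back to "registry/2.0" so clients still negotiate the v2 API.
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }

    # TLS-terminating front end for the registry listening on 127.0.0.1:5000.
    server {
        listen 443 ssl;
        server_name docker.example.com www.docker.example.com;
        charset utf-8;

        # Site certificate (full chain) and private key
        ssl_certificate /www/cert/docker.example.com/docker.example.com_bundle.crt;
        ssl_certificate_key /www/cert/docker.example.com/docker.example.com.key;
        # TLS session cache size
        ssl_session_cache shared:SSL:10m;
        # TLS session timeout
        ssl_session_timeout 5m;
        # Permitted TLS protocol versions
        ssl_protocols TLSv1.2 TLSv1.3;
        # Cipher suites, in OpenSSL notation
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        proxy_ssl_session_reuse off;

        access_log /www/wwwlogs/docker.example.com/gf-app-access.log;
        error_log /www/wwwlogs/docker.example.com/gf-app-error.log;

        # Image layers are uploaded as large request bodies; nginx's default
        # body limit makes `docker push` fail with "413 Request Entity Too Large".
        # 0 disables the limit.
        client_max_body_size 0;

        location /v2/ {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }
            ## If $docker_distribution_api_version is empty, the header will not be added.
            ## See the map directive above where this variable is defined.
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
            proxy_pass http://127.0.0.1:5000;
            proxy_set_header Host $http_host; # required for docker client's sake
            proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
        }
    }

    # Plain-HTTP listener. It only redirects to HTTPS: proxying /v2/ here as
    # well would let the Basic-auth credentials and image content travel in
    # cleartext, silently bypassing the TLS setup above.
    server {
        listen 80;
        server_name docker.example.com www.docker.example.com;
        return 301 https://$host$request_uri;
    }
    ...
}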
密码认证
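$ cd /www/server/registry/registry_auth
# Create the htpasswd file with bcrypt hashes (-B), which is what the registry
# expects. -b is deliberately omitted so the password is prompted for instead of
# ending up in shell history and `ps` output. -c creates/overwrites the file:
# drop it when adding further users, or the existing entries are lost.
$ htpasswd -cB htpasswd username
# Pin the image tag instead of relying on the mutable "latest".
$ docker pull registry:2
# The registry speaks plain HTTP; nginx terminates TLS and proxies to
# 127.0.0.1:5000, so publish the port on loopback only. Publishing it on all
# interfaces (e.g. -p 9094:5000) would let clients bypass TLS and send their
# Basic-auth credentials in cleartext. The auth directory is mounted read-only
# because the registry only reads the htpasswd file.
$ docker run -p 127.0.0.1:5000:5000 \
--restart=always \
--name registry \
-v /www/server/registry/registry:/var/lib/registry \
-v /www/server/registry/registry_auth:/auth:ro \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-d registry:2
# Log in through the TLS-terminating hostname; do not pass the password with -p,
# enter it at the prompt (or pipe it via --password-stdin from a script).
$ docker login -u username docker.example.com
Password: password # enter the password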
Push镜像
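# Tag and push through the same hostname that `docker login` authenticated
# against: the saved credential is stored per registry host, so a push to a
# bare ip:port target would not carry it and would go around the TLS proxy.
docker tag centos:7 docker.example.com/centos:7
docker push docker.example.com/centos:7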
小坑
Error parsing HTTP response: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>413 Request Entity Too Large</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>413 Request Entity Too Large</h1></center>\r\n<hr><center>nginx/1.4.6 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n"
解决方法：在 nginx 配置的 server 或 location /v2/ 块中加入 client_max_body_size 0;（0 表示不限制请求体大小；镜像层上传的请求体通常远大于 nginx 的默认限制，因此推送时会被 413 拒绝）。
Pull镜像
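# Pull through the TLS hostname used for `docker login`, not a bare ip:port,
# so the request goes through nginx and carries the stored credential.
docker pull docker.example.com/image:tag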
查看私有仓库镜像
向 https://docker.example.com/v2/_catalog 发送 GET 请求，在请求头的 Authorization 字段加入 Basic 认证码（即 base64(用户名:密码)）。注意该认证码只是编码而不是加密，任何拿到它的人都能还原出密码，因此只能通过 HTTPS 发送，且不要写入日志或脚本中。
查看授权令牌
# Show the credential docker login saved for the registry. The "auth" value is
# the Basic credential itself (base64 of username:password), not a hash, so
# this file is as sensitive as the password: keep it mode 600 and out of
# images, logs and shared hosts.
$ cat "${HOME}/.docker/config.json"