docker registry: setting up a private image cache (pull-through) registry

Background

Docker provides an official registry image, which can be pulled from Docker Hub:

docker pull registry

But a registry pulled straight from Docker Hub gives no hint of how it is configured, so let's look at its Dockerfile in the git repository:

https://github.com/docker/distribution-library-image

From this repository we can see that the registry is configured mainly through config-example.yml.

registry configuration

version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
  hooks:
    - type: mail
      disabled: true
      levels:
        - panic
      options:
        smtp:
          addr: mail.example.com:25
          username: mailuser
          password: password
          insecure: true
        from: sender@example.com
        to:
          - errors@example.com
loglevel: debug # deprecated: use "log"
storage:
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100
  azure:
    accountname: accountname
    accountkey: base64encodedaccountkey
    container: containername
  gcs:
    bucket: bucketname
    keyfile: /path/to/keyfile
    credentials:
      type: service_account
      project_id: project_id_string
      private_key_id: private_key_id_string
      private_key: private_key_string
      client_email: client@example.com
      client_id: client_id_string
      auth_uri: http://example.com/auth_uri
      token_uri: http://example.com/token_uri
      auth_provider_x509_cert_url: http://example.com/provider_cert_url
      client_x509_cert_url: http://example.com/client_cert_url
    rootdirectory: /gcs/object/name/prefix
    chunksize: 5242880
  s3:
    accesskey: awsaccesskey
    secretkey: awssecretkey
    region: us-west-1
    regionendpoint: http://myobjects.local
    bucket: bucketname
    encrypt: true
    keyid: mykeyid
    secure: true
    v4auth: true
    chunksize: 5242880
    multipartcopychunksize: 33554432
    multipartcopymaxconcurrency: 100
    multipartcopythresholdsize: 33554432
    rootdirectory: /s3/object/name/prefix
  swift:
    username: username
    password: password
    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
    tenant: tenantname
    tenantid: tenantid
    domain: domain name for Openstack Identity v3 API
    domainid: domain id for Openstack Identity v3 API
    insecureskipverify: true
    region: fr
    container: containername
    rootdirectory: /swift/object/name/prefix
  oss:
    accesskeyid: accesskeyid
    accesskeysecret: accesskeysecret
    region: OSS region name
    endpoint: optional endpoints
    internal: optional internal endpoint
    bucket: OSS bucket
    encrypt: optional enable server-side encryption
    encryptionkeyid: optional KMS key id for encryption
    secure: optional ssl setting
    chunksize: optional size value
    rootdirectory: optional root directory
  inmemory: # This driver takes no parameters
  delete:
    enabled: false
  redirect:
    disable: false
  cache:
    blobdescriptor: redis
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
auth:
  silly:
    realm: silly-realm
    service: silly-service
  token:
    autoredirect: true
    realm: token-realm
    service: token-service
    issuer: registry-token-issuer
    rootcertbundle: /root/certs/bundle
  htpasswd:
    realm: basic-realm
    path: /path/to/htpasswd
middleware:
  registry:
    - name: ARegistryMiddleware
      options:
        foo: bar
  repository:
    - name: ARepositoryMiddleware
      options:
        foo: bar
  storage:
    - name: cloudfront
      options:
        baseurl: https://my.cloudfronted.domain.com/
        privatekey: /path/to/pem
        keypairid: cloudfrontkeypairid
        duration: 3000s
        ipfilteredby: awsregion
        awsregion: us-east-1, use-east-2
        updatefrenquency: 12h
        iprangesurl: https://ip-ranges.amazonaws.com/ip-ranges.json
  storage:
    - name: redirect
      options:
        baseurl: https://example.com/
reporting:
  bugsnag:
    apikey: bugsnagapikey
    releasestage: bugsnagreleasestage
    endpoint: bugsnagendpoint
  newrelic:
    licensekey: newreliclicensekey
    name: newrelicname
    verbose: true
http:
  addr: localhost:5000
  prefix: /my/nested/registry/
  host: https://myregistryaddress.org:5000
  secret: asecretforlocaldevelopment
  relativeurls: false
  draintimeout: 60s
  tls:
    certificate: /path/to/x509/public
    key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    letsencrypt:
      cachefile: /path/to/cache-file
      email: emailused@letsencrypt.com
      hosts: [myregistryaddress.org]
  debug:
    addr: localhost:5001
    prometheus:
      enabled: true
      path: /metrics
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
notifications:
  events:
    includereferences: true
  endpoints:
    - name: alistener
      disabled: false
      url: https://my.listener.com/event
      headers: <http.Header>
      timeout: 1s
      threshold: 10
      backoff: 1s
      ignoredmediatypes:
        - application/octet-stream
      ignore:
        mediatypes:
          - application/octet-stream
        actions:
          - pull
redis:
  addr: localhost:6379
  password: asecret
  db: 0
  dialtimeout: 10ms
  readtimeout: 10ms
  writetimeout: 10ms
  pool:
    maxidle: 16
    maxactive: 64
    idletimeout: 300s
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
  file:
    - file: /path/to/checked/file
      interval: 10s
  http:
    - uri: http://server.to.check/must/return/200
      headers:
        Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
      statuscode: 200
      timeout: 3s
      interval: 10s
      threshold: 3
  tcp:
    - addr: redis-server.domain.com:6379
      timeout: 3s
      interval: 10s
      threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
compatibility:
  schema1:
    signingkeyfile: /etc/registry/key.json
    enabled: true
validation:
  manifests:
    urls:
      allow:
        - ^https?://([^/]+\.)*example\.com/
      deny:
        - ^https?://www\.example\.com/

The parameters relevant to the proxy cache are the ones under proxy.

Setting up the docker registry

OK, now let's build a private caching registry from the original Dockerfile:

1. Edit the config-example.yml file

Since this machine is an Intel 64-bit system, use the amd64 directory and edit the config-example.yml inside it:

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io

2. Build the registry image

Build the registry image:

docker build -t docker-registry:v0.1 .

3. Run the registry container

Run the registry container:

docker run -d -p 5000:5000 --restart=always --name docker-registry \
-v /home/registry:/var/lib/registry \
docker-registry:v0.1

Alternatively, mount the configuration file directly into the container:

docker run -d -p 5000:5000 --restart=always --name docker-registry \
-v `pwd`/config-example.yml:/etc/docker/registry/config.yml \
-v /home/registry:/var/lib/registry \
docker-registry:v0.1

4. Test whether the cache works

On the test machine, point daemon.json at the mirror address:

cat > /etc/docker/daemon.json << EOF
{
"insecure-registries": ["10.10.6.111:5000"],
"registry-mirrors":["http://10.10.6.111:5000"]
}
EOF

Restart the Docker service: service docker restart

Test:

docker pull node:8.4.0-onbuild

Use docker logs to watch the registry container:

docker logs -f docker-registry

time="2019-10-31T07:48:33.210442036Z" level=info msg="Adding new scheduler entry for library/node@sha256:0485a8f7251f7823455cb5efb010ee034e7b44b13414d11080c4daae8af1acb3 with ttl=167h59m59.999996323s" go.version=go1.11.2 instance.id=154296c5-33a6-44cc-bc25-9cb74eb2fc47 service=registry version=v2.7.1 
time="2019-10-31T07:48:33.210850287Z" level=info msg="response completed" go.version=go1.11.2 http.request.host="10.10.6.111:5000" http.request.id=05a32ff6-54f1-4b70-b86e-1802959c0ff2 http.request.method=GET http.request.remoteaddr="10.10.6.19:60562" http.request.uri="/v2/library/node/manifests/8.4.0-onbuild" http.request.useragent="docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \(linux\))" http.response.contenttype="application/vnd.docker.distribution.manifest.v2+json" http.response.duration=3.632741932s http.response.status=200 http.response.written=2213
10.10.6.19 - - [31/Oct/2019:07:48:29 +0000] "GET /v2/library/node/manifests/8.4.0-onbuild HTTP/1.1" 200 2213 "" "docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \\(linux\\))"
time="2019-10-31T07:48:35.734990871Z" level=info msg="response completed" go.version=go1.11.2 http.request.host="10.10.6.111:5000" http.request.id=76e0c7e6-b6e2-4d48-8baf-bcd296996e69 http.request.method=GET http.request.remoteaddr="10.10.6.19:60564" http.request.uri="/v2/library/node/blobs/sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704" http.request.useragent="docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \(linux\))" http.response.contenttype="application/octet-stream" http.response.duration=2.522583499s http.response.status=200 http.response.written=8639
10.10.6.19 - - [31/Oct/2019:07:48:33 +0000] "GET /v2/library/node/blobs/sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704 HTTP/1.1" 200 8639 "" "docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \\(linux\\))"
time="2019-10-31T07:48:36.375234583Z" level=info msg="Adding new scheduler entry for library/node@sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704 with ttl=167h59m59.999996974s" go.version=go1.11.2 instance.id=154296c5-33a6-44cc-bc25-9cb74eb2fc47 service=registry version=v2.7.1

The log shows that caching succeeded.

PS: the first pull of an image is still fairly slow, but the second pull is immediately fast; give it a try.
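The two things worth checking after this setup are the configuration itself (the proxy.remoteurl in config-example.yml and the http:// mirror entry in daemon.json, which means traffic between the Docker host and the mirror is unencrypted) and the registry log, where every "Adding new scheduler entry" line is the proxy recording a TTL for a manifest or blob it just fetched from upstream. The script below is an added example, not code from the original post or from docker/distribution; it uses only sed/grep/tr, and its inputs are constructed inline (the daemon.json and config mirror the post, the log lines are the post's own lines trimmed of the long user-agent field).

```shell
#!/bin/sh
# Added example (not from the original post or docker/distribution):
# offline checks for a pull-through cache setup.
#   upstream_url      - the proxy.remoteurl value from a registry config.yml
#   plaintext_mirrors - registry-mirrors entries in daemon.json that use http://
#   cached_entries    - repo@digest values the proxy logged as
#                       "Adding new scheduler entry" (content fetched upstream)
# Log format assumed: docker/distribution v2.7 as shown in the post.
set -u

# Constructed sample: the post's minimal config, proxy section included.
SAMPLE_CONFIG='version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
proxy:
  remoteurl: https://registry-1.docker.io'

# Constructed sample: the post's daemon.json plus one https mirror.
SAMPLE_DAEMON_JSON='{
  "insecure-registries": ["10.10.6.111:5000"],
  "registry-mirrors": ["http://10.10.6.111:5000", "https://mirror.example.internal"]
}'

# Constructed sample: two scheduler lines and one access-log line from the post.
SAMPLE_LOG='time="2019-10-31T07:48:33.210442036Z" level=info msg="Adding new scheduler entry for library/node@sha256:0485a8f7251f7823455cb5efb010ee034e7b44b13414d11080c4daae8af1acb3 with ttl=167h59m59.999996323s" service=registry version=v2.7.1
10.10.6.19 - - [31/Oct/2019:07:48:29 +0000] "GET /v2/library/node/manifests/8.4.0-onbuild HTTP/1.1" 200 2213 "" "docker/19.03.3"
time="2019-10-31T07:48:36.375234583Z" level=info msg="Adding new scheduler entry for library/node@sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704 with ttl=167h59m59.999996974s" service=registry version=v2.7.1'

# Print the proxy.remoteurl value. $1 = path to config.yml.
upstream_url() {
    sed -n 's/^[[:space:]]*remoteurl:[[:space:]]*//p' "$1"
}

# Print each registry-mirrors URL that uses plain http://, one per line.
# Expects the "registry-mirrors" array on one line (as docker writes it).
# $1 = path to daemon.json.
plaintext_mirrors() {
    sed -n 's/.*"registry-mirrors"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" \
        | tr ',' '\n' \
        | tr -d ' "' \
        | grep '^http://' || true
}

# Print repo@digest for every upstream fetch the proxy recorded. $1 = log file.
cached_entries() {
    sed -n 's/.*Adding new scheduler entry for \([^ ]*@sha256:[0-9a-f]*\) with ttl=.*/\1/p' "$1"
}

# Number of such entries; 0 means nothing has been cached from upstream yet.
cached_count() {
    cached_entries "$1" | wc -l | tr -d ' '
}

# Demo run over the constructed samples.
main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp/config.yml"
    printf '%s\n' "$SAMPLE_DAEMON_JSON" > "$tmp/daemon.json"
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/registry.log"
    echo "upstream: $(upstream_url "$tmp/config.yml")"
    echo "plaintext mirrors:"
    plaintext_mirrors "$tmp/daemon.json"
    echo "cached entries ($(cached_count "$tmp/registry.log")):"
    cached_entries "$tmp/registry.log"
    rm -rf "$tmp"
}

main
```

Run it against a real host by pointing the functions at /etc/docker/daemon.json and at the output of docker logs docker-registry; a mirror that shows up under plaintext mirrors is one where pulls cross the network unencrypted, and a cached_count that stays at 0 after a pull means the daemon is not actually using the mirror.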
