Building a private Docker registry avoids the network problems that can arise during development and production.
Deploy a private repository with Docker Registry and use Docker Auth for authentication.

Consider the usage scenario: pushing images usually requires authentication, pulling them does not, and different environments need different access policies. Plain HTTP basic auth is limited in what it can express; docker_auth provides a token-based authentication implementation for the Docker registry that supports these real-world scenarios much better.
This article was verified by the author personally; if readers run into errors while following it, please point them out in the comments.
If this is a first-time installation, this step (removing old Docker packages) can be skipped:
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get purge docker-ce docker-ce-cli containerd.io
sudo rm -rf /var/lib/docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# add the current user to the docker group so docker can be run without sudo
sudo usermod -aG docker "$USER"
For other installation methods see Install Docker Engine on Ubuntu.

Configure the Alibaba Cloud registry mirror:
sudo tee /etc/docker/daemon.json << 'EOF'
{
  "registry-mirrors": ["https://jioksect.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
mkdir -p /opt/docker_auth/config /opt/docker_auth/log && touch /opt/docker_auth/config/auth_config.yml
cat > /opt/docker_auth/config/auth_config.yml << 'EOF'
server:
  addr: ":5001"
  certificate: "/root/cert.pem"
  key: "/root/cert.key"
token:
  issuer: "Auth Service"
  expiration: 900
users:
  "root":
    password: "${passwd}"
  "": {}
acl:
  - match: {account: "root"}
    actions: ["*"]
  - match: {account: ""}  # anonymous users may only pull images
    actions: ["pull"]
EOF
${passwd} is generated with:
htpasswd -nB root
The password you type when this command asks for it is the root user password that will later be entered at docker login.

Deploy the container:
docker run -d \
--name=docker_auth \
-p ${port}:5001 \
--restart=always \
-v /opt/docker_auth/config:/config:ro \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
-v /opt/docker_auth/log:/logs \
cesanta/docker_auth:1.6.0 --v=2 --alsologtostderr /config/auth_config.yml
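As an added example (not code from the post or from the docker_auth project), a small Python model of how docker_auth applies the acl above to a token request: the registry forwards the client's scope, the first ACL entry whose account matches wins, and anonymous callers are left with pull only. Password verification against the bcrypt hash is omitted; the account names and scopes below are constructed.

```python
from typing import Dict, List, Optional

# Constructed copy of the users/acl sections of auth_config.yml above;
# "" is docker_auth's anonymous account and the bcrypt hash is a placeholder.
USERS: Dict[str, dict] = {"root": {"password": "<bcrypt hash from htpasswd -nB>"}, "": {}}
ACL: List[dict] = [
    {"match": {"account": "root"}, "actions": ["*"]},
    {"match": {"account": ""}, "actions": ["pull"]},  # anonymous users may only pull
]


def parse_scope(scope: str) -> dict:
    """Split a registry scope such as 'repository:myname/myapp:push,pull'
    into its type, repository name and requested actions."""
    rtype, _, rest = scope.partition(":")
    name, _, actions = rest.rpartition(":")
    if not (rtype and name and actions):
        raise ValueError(f"malformed scope: {scope!r}")
    return {"type": rtype, "name": name, "actions": actions.split(",")}


def authenticate(account: Optional[str], users: Dict[str, dict] = USERS) -> Optional[str]:
    """Return the account name if it is configured, mapping no account to anonymous ('').
    Checking the password against the bcrypt hash is left out of this model."""
    acct = account or ""
    return acct if acct in users else None


def authorize(account: str, requested: List[str], acl: List[dict] = ACL) -> List[str]:
    """First matching ACL entry wins; '*' grants every requested action,
    otherwise only the requested actions that the entry allows are granted."""
    for entry in acl:
        if entry["match"].get("account") == account:
            allowed = entry["actions"]
            return list(requested) if "*" in allowed else [a for a in requested if a in allowed]
    return []  # no entry matched: the token carries no access


def token_access(account: Optional[str], scope: str) -> Optional[dict]:
    """Model of the registry's GET /auth?service=...&scope=... call to docker_auth.
    None means the request is rejected (401); otherwise the token's 'access' claim."""
    acct = authenticate(account)
    if acct is None:
        return None
    s = parse_scope(scope)
    return {"type": s["type"], "name": s["name"], "actions": authorize(acct, s["actions"])}
```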
When the docker login command is run, the client sends an authentication request to Docker Auth.

Pull the registry image:
docker pull registry:2.7.0
mkdir -p /opt/docker_registry/config /opt/docker_registry/data && touch /opt/docker_registry/config/config.yml
cat > /opt/docker_registry/config/config.yml << 'EOF'
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  token:
    autoredirect: true
    realm: ${docker_auth_url}/auth
    service: Docker registry
    issuer: Auth Service
    rootcertbundle: /root/cert.pem
http:
  addr: :5000
  tls:
    certificate: /root/cert.pem
    key: /root/cert.key
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF
${docker_auth_url} must be the public address of the Docker Auth service, otherwise docker login reports a signature error. Docker Auth serves HTTPS by default, so ${docker_auth_url} should use the https:// scheme.
The certificate can be requested for free from Alibaba Cloud.
docker run -d \
-p ${port}:5000 \
--restart=always \
--name=registry \
-v /opt/docker_registry/config/:/etc/docker/registry/ \
-v /opt/docker_registry/data:/var/lib/registry \
-v /root/cert.pem:/root/cert.pem:ro \
-v /root/cert.key:/root/cert.key:ro \
registry:2.3
cat >> /opt/nginx/dockerRegistry.conf << 'EOF'
server {
    listen 443 ssl;
    server_name ${host_name};
    # location of the SSL certificate (common formats: crt/pem)
    ssl_certificate /etc/nginx/ssl/registry-cert.pem;
    # location of the SSL certificate key
    ssl_certificate_key /etc/nginx/ssl/registry-cert.key;
    ssl_session_timeout 10m;
    # TLSv1 and TLSv1.1 are deprecated; drop them if all your clients support TLSv1.2
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # X-Forwarded-For must carry the client address chain, not the Host value
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # an internal service can be exposed here with frp
        proxy_pass https://${host_name};
    }
}
EOF
Nginx itself can simply be deployed as a Docker container.
The certificate used by the Nginx HTTPS service can be the same one used by the Docker Auth service.
Note: add client_max_body_size 0; to the http block of nginx.conf, otherwise pushing a large image fails with a "Request Entity too large" error.
cat >> /opt/docker_registry/registry.yaml << 'EOF'
version: "3.7"
services:
  auth:
    image: cesanta/docker_auth:1.6.0
    volumes:
      - /opt/docker_auth/config:/config:ro
      - /opt/docker_auth/log:/logs
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    container_name: docker_auth
    restart: always
    command: --v=2 --alsologtostderr /config/auth_config.yml
    ports:
      - ${auth_port}:5001
  docker_registry:
    image: registry:2.3
    container_name: registry
    depends_on:
      - auth
    ports:
      - ${registry_port}:5000
    volumes:
      - /opt/docker_registry/config:/etc/docker/registry
      - /opt/docker_registry/data:/var/lib/registry
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    restart: always
EOF
cd /opt/docker_registry && docker-compose -f registry.yaml up -d
On the client, edit the Docker daemon configuration:
vim /etc/docker/daemon.json
Add the following key to the JSON structure:
{
  "insecure-registries": ["${registry_hostname}:${port}"]
}
Note that insecure-registries makes the client skip certificate verification for that host; if the registry presents a certificate the client already trusts, the entry is not needed.
Restart the Docker service:
systemctl daemon-reload
systemctl restart docker
Log in to the private registry:
docker login ${registry_hostname}:${port}

Tag and push an image (repository names must be lowercase):
docker tag [OPTIONS] IMAGE[:TAG] [REGISTRYHOST/][USERNAME/]NAME[:TAG]
e.g. docker tag myapp:v1 localhost:8080/myname/myapp:v1
docker push [OPTIONS] NAME[:TAG]
e.g. docker push localhost:8080/myname/myapp:v1

The same flow against Docker Hub:
docker login --username username
docker tag my-image username/my-repo
docker push username/my-repo

Pull an image:
docker pull [OPTIONS] NAME[:TAG]