docker registry:设置私有的镜像缓存仓库

背景介绍

docker 提供了官方的 registry 仓库镜像,可以通过docker hub进行拉取:

# Pull the official registry image from Docker Hub. No tag is given, so this
# resolves to `registry:latest`; for a reproducible, auditable deployment pin a
# version tag or, better, the image digest.
docker pull registry

但是直接拉取的 registry 镜像我们并不知道该如何配置,可以先看看它的 Dockerfile 所在的 git 仓库地址:

https://github.com/docker/distribution-library-image

通过这个仓库可以知道,registry 主要是通过 config-example.yml 来配置的(容器内路径为 /etc/docker/registry/config.yml)。

registry 的完整配置示例

version: 0.1  # configuration file format version (not the registry release)
# Logging. The mail hook e-mails panic-level records over SMTP and carries a
# plaintext password in this file; `insecure: true` presumably relaxes transport
# security for the SMTP connection (confirm in the distribution docs), so keep
# it false outside isolated test setups.
log:
  accesslog:
    disabled: true
  level: debug  # verbose; lower it in production
  formatter: text
  fields:
    service: registry
    environment: staging
  hooks:
    - type: mail
      disabled: true
      levels:
        - panic
      options:
        smtp:
          addr: mail.example.com:25
          username: mailuser
          password: password  # secret stored in clear text in the config file
          insecure: true  # see header note: do not enable in production
        from: sender@example.com
        to:
          - errors@example.com
loglevel: debug # deprecated: use "log" (kept only for old configs; drop it when `log.level` is set)
# Storage backend. NOTE(review): this is the upstream reference listing and
# shows every driver side by side; a real config is expected to configure a
# single backend — confirm against the distribution docs. Every driver stanza
# embeds long-lived credentials in clear text, so this file must be protected
# (restrictive permissions, kept out of version control) or the values must be
# supplied from a secret store.
storage:
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100
  azure:
    accountname: accountname
    accountkey: base64encodedaccountkey  # storage account key (secret)
    container: containername
  gcs:
    bucket: bucketname
    keyfile: /path/to/keyfile
    credentials:  # inline service-account key, alternative to keyfile
      type: service_account
      project_id: project_id_string
      private_key_id: private_key_id_string
      private_key: private_key_string  # secret
      client_email: client@example.com
      client_id: client_id_string
      # placeholder URLs; never point these at plain http in a real deployment
      auth_uri: http://example.com/auth_uri
      token_uri: http://example.com/token_uri
      auth_provider_x509_cert_url: http://example.com/provider_cert_url
      client_x509_cert_url: http://example.com/client_cert_url
    rootdirectory: /gcs/object/name/prefix
    chunksize: 5242880
  s3:
    accesskey: awsaccesskey  # static key; prefer role-based credentials where the platform offers them
    secretkey: awssecretkey  # secret
    region: us-west-1
    regionendpoint: http://myobjects.local  # plain-http placeholder; use an https endpoint for real data
    bucket: bucketname
    encrypt: true  # server-side encryption (assumed from the key name)
    keyid: mykeyid  # presumably the KMS key for that encryption
    secure: true  # presumably TLS to the S3 endpoint
    v4auth: true  # presumably AWS signature v4
    chunksize: 5242880
    multipartcopychunksize: 33554432
    multipartcopymaxconcurrency: 100
    multipartcopythresholdsize: 33554432
    rootdirectory: /s3/object/name/prefix
  swift:
    username: username
    password: password  # secret
    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
    tenant: tenantname
    tenantid: tenantid
    domain: domain name for Openstack Identity v3 API
    domainid: domain id for Openstack Identity v3 API
    insecureskipverify: true  # skips TLS certificate verification towards Swift, which allows MITM; keep false in production
    region: fr
    container: containername
    rootdirectory: /swift/object/name/prefix
  oss:
    accesskeyid: accesskeyid
    accesskeysecret: accesskeysecret  # secret
    region: OSS region name
    endpoint: optional endpoints
    internal: optional internal endpoint
    bucket: OSS bucket
    encrypt: optional enable server-side encryption
    encryptionkeyid: optional KMS key id for encryption
    secure: optional ssl setting
    chunksize: optional size valye  # (sic) upstream placeholder text
    rootdirectory: optional root directory
  inmemory:  # This driver takes no parameters; contents live in process memory only — testing use
  delete:
    enabled: false  # deletion through the API stays disabled
  redirect:
    disable: false  # presumably lets clients be redirected straight to the backend for blobs
  cache:
    blobdescriptor: redis  # needs the top-level `redis` section
  maintenance:
    uploadpurging:
      enabled: true  # purge abandoned uploads
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
# Authentication. NOTE(review): the three backends are listed together only as
# a reference; a deployment picks one. With no `auth` section at all the
# registry is anonymous for everyone who can reach the port.
auth:
  silly:  # per upstream docs a development-only backend that merely checks that an Authorization header is present — never use in production
    realm: silly-realm
    service: silly-service
  token:  # bearer tokens issued by an external authorization server
    autoredirect: true
    realm: token-realm
    service: token-service
    issuer: registry-token-issuer
    rootcertbundle: /root/certs/bundle  # certificates used to verify token signatures
  htpasswd:  # HTTP Basic auth against an htpasswd file
    realm: basic-realm
    path: /path/to/htpasswd  # Basic sends the credential on every request; only meaningful behind TLS (http.tls)
# Middleware hooks. NOTE(review): the `storage:` key appears twice under
# `middleware` in this listing; YAML forbids duplicate keys and most parsers
# silently keep the last one, so only one of the two storage middlewares would
# be loaded — keep a single `storage:` list.
middleware:
  registry:
    - name: ARegistryMiddleware
      options:
        foo: bar
  repository:
    - name: ARepositoryMiddleware
      options:
        foo: bar
  storage:
    - name: cloudfront  # presumably serves blobs through signed CloudFront URLs
      options:
        baseurl: https://my.cloudfronted.domain.com/
        privatekey: /path/to/pem  # signing key (secret)
        keypairid: cloudfrontkeypairid
        duration: 3000s  # presumably the signed-URL lifetime
        ipfilteredby: awsregion
        awsregion: us-east-1, use-east-2  # NOTE(review): "use-east-2" looks like a typo for us-east-2, copied from the upstream example
        updatefrenquency: 12h  # NOTE(review): spelling copied from the upstream example — verify the option name against the middleware source
        iprangesurl: https://ip-ranges.amazonaws.com/ip-ranges.json
  storage:
    - name: redirect
      options:
        baseurl: https://example.com/
# Error/telemetry reporting to third-party services. Both keys are secrets in
# clear text, and error reports leave the host.
reporting:
  bugsnag:
    apikey: bugsnagapikey  # secret
    releasestage: bugsnagreleasestage
    endpoint: bugsnagendpoint
  newrelic:
    licensekey: newreliclicensekey  # secret
    name: newrelicname
    verbose: true
# HTTP listener.
http:
  addr: localhost:5000  # loopback only; use :5000 or <ip>:5000 to serve other hosts
  prefix: /my/nested/registry/
  host: https://myregistryaddress.org:5000  # externally reachable URL used when the registry generates URLs for clients
  secret: asecretforlocaldevelopment  # signs state handed to clients; the value literally says "local development" — use a long random value per deployment, identical on every replica behind one load balancer
  relativeurls: false
  draintimeout: 60s
  tls:  # without this stanza the registry speaks plaintext and clients need insecure-registries
    certificate: /path/to/x509/public
    key: /path/to/x509/private  # private key; readable by the registry user only
    clientcas:  # presumably the CA bundle for verifying client certificates (mutual TLS)
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    letsencrypt:  # alternative to certificate/key: obtain a certificate automatically
      cachefile: /path/to/cache-file  # agent cache; presumably contains the obtained key, protect it like `key`
      email: emailused@letsencrypt.com
      hosts: [myregistryaddress.org]
  debug:
    addr: localhost:5001  # debug/metrics listener; treat as unauthenticated — keep on loopback or firewall it
    prometheus:
      enabled: true
      path: /metrics
  headers:
    X-Content-Type-Options: [nosniff]  # added to every response
  http2:
    disabled: false
# Webhook notifications for registry events.
notifications:
  events:
    includereferences: true
  endpoints:
    - name: alistener
      disabled: false
      url: https://my.listener.com/event  # keep https: payloads describe repositories and digests in use
      headers: <http.Header>  # placeholder for a header map; any token used to authenticate to the listener ends up here in clear text
      timeout: 1s
      threshold: 10
      backoff: 1s
      ignoredmediatypes:
        - application/octet-stream
      ignore:
        mediatypes:
          - application/octet-stream
        actions:
          - pull
# Redis backing the blob-descriptor cache (storage.cache.blobdescriptor: redis).
redis:
  addr: localhost:6379  # plain TCP; keep redis on a trusted network segment
  password: asecret  # secret in clear text in this file
  db: 0
  dialtimeout: 10ms
  readtimeout: 10ms
  writetimeout: 10ms
  pool:
    maxidle: 16
    maxactive: 64
    idletimeout: 300s
# Health checks (storage driver, files, HTTP endpoints, TCP endpoints).
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3  # presumably consecutive failures before the check reports unhealthy
  file:
    - file: /path/to/checked/file
      interval: 10s
  http:
    - uri: http://server.to.check/must/return/200
      headers:
        Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]  # a Basic credential in clear text; base64 is encoding, not protection, and here it is sent over plain http
      statuscode: 200
      timeout: 3s
      interval: 10s
      threshold: 3
  tcp:
    - addr: redis-server.domain.com:6379
      timeout: 3s
      interval: 10s
      threshold: 3
# Pull-through cache: misses are fetched from `remoteurl` and stored locally.
proxy:
  remoteurl: https://registry-1.docker.io  # Docker Hub; keep https so upstream content arrives over an authenticated channel
  # NOTE(review): `[username]` / `[password]` are YAML flow sequences, not
  # strings — the upstream example means them as placeholders. Write plain
  # scalars, or omit both for anonymous access. When set, the cache pulls
  # private images with this account and, per upstream docs, serves them to
  # anyone who can reach the cache, so the cache itself then needs auth + TLS.
  username: [username]
  password: [password]
# Legacy (schema1) manifest support.
compatibility:
  schema1:
    signingkeyfile: /etc/registry/key.json  # presumably the key used to sign schema1 manifests; secret
    enabled: true  # schema1 is a deprecated manifest format; leave disabled unless old clients need it
# Manifest validation: regexes restricting which URLs may appear inside
# manifests (presumably external layer URLs).
validation:
  manifests:
    urls:
      allow:
        - ^https?://([^/]+\.)*example\.com/  # example.com and any subdomain, http or https
      deny:
        - ^https?://www\.example\.com/  # www is carved back out — confirm deny takes precedence over allow

和 pull-through cache(镜像缓存)相关的配置段是 `proxy`:`remoteurl` 指定上游仓库地址;`username`/`password` 是访问上游仓库用的凭证,会以明文保存在配置文件里,不需要时应省略。

搭建 docker registry

okay,下面我们通过原始dockerfile构建一个缓存私有仓库:

1.修改 config-example.yml 文件

由于本机是 Intel 的 64 位系统,因此选择仓库里的 amd64 目录,修改其中的 config-example.yml(注意这份配置没有开启 TLS 和认证,仅适合受信任的内网测试):

# Minimal pull-through cache configuration used in this walkthrough.
# NOTE(review): there is no `http.tls` and no `auth` section — the registry
# listens in plaintext and unauthenticated on every interface, which is why the
# clients below need `insecure-registries`. Acceptable only on a trusted LAN.
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory  # descriptor cache kept in process memory instead of redis
  filesystem:
    rootdirectory: /var/lib/registry  # bind-mounted from the host in the `docker run` commands below
http:
  addr: :5000  # no host part -> binds all interfaces
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io  # upstream (Docker Hub) that cache misses are fetched from; no credentials, anonymous pulls only

2.构建registry镜像

构建registry镜像:

# Build the registry image from the Dockerfile in the current directory (the
# amd64 directory of the cloned distribution-library-image repo, holding the
# modified config-example.yml). Review the Dockerfile before building: it
# determines which registry binary and default config end up in the image.
docker build -t docker-registry:v0.1 .

3.运行registry容器

运行registry容器:

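# Run the cache registry. The original first line ended in "\ " (backslash
# followed by a space): that escapes the space rather than the newline, so the
# shell ran `docker run ... --name docker-registry` on its own and then tried
# to execute `-v ...` as a separate command. The continuation must be a bare
# "\" at end of line.
# -p 5000:5000 publishes the port on every host interface with no TLS or auth
# in front of it; restrict it with a host IP (-p <lan-ip>:5000:5000) or a
# firewall. /home/registry on the host holds the cached layers (the config's
# storage.filesystem.rootdirectory).
docker run -d -p 5000:5000 --restart=always --name docker-registry \
  -v /home/registry:/var/lib/registry \
  docker-registry:v0.1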

或者可以直接将配置文件挂载进去:

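# Same as above, but also mounts the config file from the current directory
# over the image's default config. The mount is read-only (:ro) so a
# compromised registry process cannot rewrite its own configuration; $(pwd)
# replaces the legacy backtick substitution and the path is quoted in case it
# contains spaces.
docker run -d -p 5000:5000 --restart=always --name docker-registry \
  -v "$(pwd)/config-example.yml:/etc/docker/registry/config.yml:ro" \
  -v /home/registry:/var/lib/registry \
  docker-registry:v0.1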

4.测试缓存是否生效

在测试机的 /etc/docker/daemon.json 中把镜像加速地址指向缓存仓库(因为缓存仓库只提供 HTTP,这里必须同时把它加入 insecure-registries;生产环境应给 registry 配置 TLS 而不是这样做):

# Point the test host's Docker daemon at the cache (10.10.6.111 is the host
# running the registry container). This overwrites any existing daemon.json.
# "registry-mirrors" makes Docker Hub pulls try the cache first;
# "insecure-registries" is needed because the cache speaks plain HTTP.
# NOTE(review): that setting disables TLS for this host:port, so anyone able
# to interpose between client and cache can hand the client a substituted
# manifest for a tag. Acceptable only on a trusted LAN; otherwise give the
# registry a certificate (http.tls) and drop insecure-registries.
cat > /etc/docker/daemon.json << EOF 
{
"insecure-registries": ["10.10.6.111:5000"],
"registry-mirrors":["http://10.10.6.111:5000"]
}
EOF

重启 docker 服务使配置生效:`service docker restart`

测试:

# Pull an image from Docker Hub through the mirror; the first pull still has to
# be fetched from upstream by the cache, later pulls are served locally.
docker pull node:8.4.0-onbuild

用docker logs 查看 registry 容器:

# Follow the registry container's log to confirm the pull went through the cache.
docker logs -f docker-registry

time="2019-10-31T07:48:33.210442036Z" level=info msg="Adding new scheduler entry for library/node@sha256:0485a8f7251f7823455cb5efb010ee034e7b44b13414d11080c4daae8af1acb3 with ttl=167h59m59.999996323s" go.version=go1.11.2 instance.id=154296c5-33a6-44cc-bc25-9cb74eb2fc47 service=registry version=v2.7.1 
time="2019-10-31T07:48:33.210850287Z" level=info msg="response completed" go.version=go1.11.2 http.request.host="10.10.6.111:5000" http.request.id=05a32ff6-54f1-4b70-b86e-1802959c0ff2 http.request.method=GET http.request.remoteaddr="10.10.6.19:60562" http.request.uri="/v2/library/node/manifests/8.4.0-onbuild" http.request.useragent="docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \(linux\))" http.response.contenttype="application/vnd.docker.distribution.manifest.v2+json" http.response.duration=3.632741932s http.response.status=200 http.response.written=2213
10.10.6.19 - - [31/Oct/2019:07:48:29 +0000] "GET /v2/library/node/manifests/8.4.0-onbuild HTTP/1.1" 200 2213 "" "docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \\(linux\\))"
time="2019-10-31T07:48:35.734990871Z" level=info msg="response completed" go.version=go1.11.2 http.request.host="10.10.6.111:5000" http.request.id=76e0c7e6-b6e2-4d48-8baf-bcd296996e69 http.request.method=GET http.request.remoteaddr="10.10.6.19:60564" http.request.uri="/v2/library/node/blobs/sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704" http.request.useragent="docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \(linux\))" http.response.contenttype="application/octet-stream" http.response.duration=2.522583499s http.response.status=200 http.response.written=8639
10.10.6.19 - - [31/Oct/2019:07:48:33 +0000] "GET /v2/library/node/blobs/sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704 HTTP/1.1" 200 8639 "" "docker/19.03.3 go/go1.12.10 git-commit/a872fc2f86 kernel/3.10.0-1062.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.3 \\(linux\\))"
time="2019-10-31T07:48:36.375234583Z" level=info msg="Adding new scheduler entry for library/node@sha256:d24de6795fb1d44f2ecd12ab0768fefb45c3a31674824961512f71fbf234a704 with ttl=167h59m59.999996974s" go.version=go1.11.2 instance.id=154296c5-33a6-44cc-bc25-9cb74eb2fc47 service=registry version=v2.7.1

从日志可以看出镜像确实经过缓存仓库拉取成功了:来自 10.10.6.19 的 manifest 和 blob 请求都返回 200,而 `Adding new scheduler entry ... ttl=167h59m...` 表示对应内容已写入缓存并设置了约 168 小时(7 天)的过期时间~

PS: 镜像第一次拉取仍需由缓存仓库从上游下载,所以比较慢;第二次拉取直接命中本地缓存,速度立刻飞起~大家可以试试
