Overview
This article gives a concrete way to set up a private Docker registry using the docker registry image together with nginx.
Creating and configuring
docker compose
The registry container is run with docker compose, configured as follows:
# cat docker-compose.yml
services:
  registry:
    image: registry:2
    ports:
      # bind to loopback only, so the registry is reachable just through nginx
      - "127.0.0.1:6565:5000"
    restart: always
    volumes:
      - /usr/local/docker_registry:/var/lib/registry
The external port is 6565, so we now have a registry running at 127.0.0.1:6565. As it stands the registry is open to anyone, so we still need to add HTTPS and a password. The registry itself does support SSL and a password file, and both could be configured in this compose file, but this host runs more than one HTTPS service, so we won't use the registry's own HTTPS support here. Instead we use an nginx virtual host / reverse proxy and let nginx handle HTTPS and the password.
nginx configuration
Using nginx's virtual host feature, for our domain registry.happyfire.com, the configuration file is:
:/etc/nginx/conf.d# cat docker.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;  # ssl is set per listen socket, so the IPv6 listener needs it too
    # the SSL certificate and private key for registry.happyfire.com go here
    ssl_certificate /etc/ssl/certs/happyfire.com_bundle.pem;
    ssl_certificate_key /etc/ssl/private/happyfire.com.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    server_name registry.happyfire.com;  # domain name used by the private registry
    # disable any limits to avoid HTTP 413 for large image upload
    client_max_body_size 0;
    chunked_transfer_encoding on;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
    # Config for 0-RTT in TLSv1.3
    ssl_early_data on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000";
    location /
    {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/auth/htpasswd.txt;  # location of the password file
        proxy_redirect off;
        proxy_read_timeout 1200s;
        proxy_pass http://127.0.0.1:6565;  # address and port of the locally running registry
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        # Config for 0-RTT in TLSv1.3
        proxy_set_header Early-Data $ssl_early_data;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://127.0.0.1:6565;
    }
    location /v2/_ping {
        auth_basic off;
        proxy_pass http://127.0.0.1:6565;
    }
    location /_catalog {
        auth_basic off;
        proxy_pass http://127.0.0.1:6565;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name registry.happyfire.com;
    return 301 https://registry.happyfire.com$request_uri;
}
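Because `auth_basic off` applies per location block and nginx picks the longest matching prefix, it is worth checking which registry API paths actually bypass the password. The following is an added example, not code from the original post: it transcribes the four location blocks of docker.conf above into a table and resolves constructed sample request paths the way nginx does for plain prefix locations.

```python
from typing import List, NamedTuple


class Location(NamedTuple):
    prefix: str          # the prefix given to the location directive
    auth_required: bool  # False where the block sets auth_basic off


# The four location blocks of docker.conf above, transcribed by hand.
LOCATIONS = [
    Location("/", True),
    Location("/_ping", False),
    Location("/v2/_ping", False),
    Location("/_catalog", False),
]


def resolve(path: str, locations: List[Location] = LOCATIONS) -> Location:
    """Pick the location block nginx would use for a request path.

    docker.conf only uses plain prefix locations (no '=', '^~' or regex
    forms), and for those nginx selects the longest matching prefix.
    """
    matches = [loc for loc in locations if path.startswith(loc.prefix)]
    if not matches:
        raise ValueError(f"no location matches {path!r}")
    return max(matches, key=lambda loc: len(loc.prefix))


def unauthenticated(paths: List[str], locations: List[Location] = LOCATIONS) -> List[str]:
    """Return the subset of paths that nginx serves without asking for a password."""
    return [p for p in paths if not resolve(p, locations).auth_required]


# Constructed sample: registry v2 API paths a reviewer would want to classify.
SAMPLE_PATHS = [
    "/v2/",                           # version check; what `docker login` requests first
    "/v2/_catalog",                   # repository listing
    "/v2/my_image/tags/list",
    "/v2/my_image/manifests/latest",
    "/v2/_ping",
    "/_catalog",                      # not under /v2/, so not a registry API endpoint
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        loc = resolve(p)
        state = "on" if loc.auth_required else "off"
        print(f"{p:32} -> location {loc.prefix!r:13} auth_basic {state}")
```

Note that `/v2/_catalog` still falls under `location /` and keeps its password: the `location /_catalog` block only affects paths starting with `/_catalog`, which the registry API does not use.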
Setting the password with htpasswd
First, make sure htpasswd is installed.
# which htpasswd
/usr/bin/htpasswd
If it is not, on Ubuntu it can be installed with:
sudo apt install apache2-utils
According to the nginx configuration above, the password file lives in /etc/nginx/auth; create that directory first if it does not exist. Then, inside that directory, run htpasswd:
/etc/nginx/auth# htpasswd -Bc htpasswd.txt docker
New password:
This specifies the username docker and prompts for a password, producing the password file htpasswd.txt. The file holds only a hash of the password (bcrypt, selected by -B), not the password itself, so remember your username and password.
Pushing an image
docker image tag my_image:latest registry.happyfire.com/my_image
docker push registry.happyfire.com/my_image
Pulling an image
docker login
Check which registries you are logged in to. Note that the auth value below is just the base64-encoded username:password, not a hash, so this file must be protected.
sudo cat /root/.docker/config.json
{
  "auths": {
    "registry.happyfire.com": {
      "auth": "xxxxa2VxxxdtxxxxZGxxxxF5dXA="
    }
  }
}
docker pull
sudo docker pull registry.happyfire.com/my_image