Docker registry private image repository

Foreword

Environment: CentOS 7.9, Docker 20
Docker image registries generally include Docker Hub on the public network and private registries. Private registries are usually one of two kinds: Docker Registry or Harbor. The former is Docker's official private registry; it is relatively small, suits some small-business scenarios, and has no web UI. The latter, Harbor, is an open source project from VMware's China team; it has a web UI, is more user-friendly, and is widely used by enterprises. This article first covers Docker's registry. For building a Harbor registry, refer to https://blog.csdn.net/MssGuo/article/details/126210184
A good article: http://events.jianshu.io/p/de8969f17b53

The new project, Distribution (the new name for the Docker registry), replaces the registry; in practice the two mean the same thing. The image on Docker's official site is still named registry.
Two ways to install docker-distribution:

yum install docker-distribution   			# install with yum, managed by systemd
systemctl enable docker-distribution.service
systemctl start docker-distribution.service
docker run 									# install with Docker

We will use Docker to install the image registry.

Build the registry

Official documentation: https://docs.docker.com/registry/
# Pull the image
docker pull registry:latest
# Install with Docker and persist the data (note the gap left here: no username/password has been set for the registry yet)
docker run -d -p 5000:5000 --restart always --name registry  -v /opt/registry:/var/lib/registry registry:latest 

Access the registry (no username/password)

The registry has no graphical interface; access it as follows:

# Access from a browser
http://192.168.158.130:5000/v2/_catalog
{"repositories":[]}				# [] is empty because there are no images yet
# Or use curl from the Linux command line
curl -XGET http://192.168.158.130:5000/v2/_catalog
{"repositories":[]}				# [] is empty because there are no images yet

Push an image to the registry (no username/password)

# Push an image to the registry
vim /etc/docker/daemon.json								# edit the Docker config file and add the following line (as a key inside the top-level JSON object)
"insecure-registries": ["192.168.158.130:5000"]
systemctl  restart docker								# restart Docker
docker tag nginx:1.18 192.168.158.130:5000/nginx:1.18	# tag the image
docker push 192.168.158.130:5000/nginx:1.18				# push the image to the registry
curl -XGET http://192.168.158.130:5000/v2/_catalog
{"repositories":["nginx"]}

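Set a username and password for the registry

Earlier, we started the registry without setting a username and password, so anyone can push images to it, which is very unsafe. Now set a username and password. Note that the registry in this article is still served over plain HTTP (hence the insecure-registries entry), so these basic-auth credentials cross the network unencrypted.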

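# Install the httpd-tools package
yum install  httpd-tools -y
# Create the directory
mkdir -p /etc/registry/auth
touch /etc/registry/auth/passwd
# Use htpasswd to generate the credential entry and store it in /etc/registry/auth/passwd. The username is admin and the password is admin123456
htpasswd -Bbn admin admin123456 > /etc/registry/auth/passwd	
# Remove the old container and start a new one with authentication enabled
docker stop registry && docker rm registry
# The second -v mounts the auth directory into the container;
# REGISTRY_AUTH_HTPASSWD_PATH points at the passwd file.
# (Comments cannot follow a trailing backslash, so they are placed here.)
docker run -d -p 5000:5000 --restart always --name registry \
-v /opt/registry:/var/lib/registry \
-v /etc/registry/auth:/etc/registry/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd" \
 registry:latest 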
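
An added example, not code from the original article: a POSIX shell check for the htpasswd file before it is mounted at REGISTRY_AUTH_HTPASSWD_PATH. The registry's htpasswd backend only accepts bcrypt entries, and `htpasswd -B` defaults to cost 5 (the `$2y$05$` prefix); `MIN_COST`, the function names and the sample `ci`/`ops` entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an htpasswd file destined for the registry.
# MIN_COST is an assumed local policy threshold, not a registry requirement.
MIN_COST="${MIN_COST:-10}"

# Write a sample file: the article's admin entry plus two constructed entries.
write_sample() {
    cat > "$1" <<'EOF'
admin:$2y$05$XmcyIRU8D7w2jUCYHskSZ.dcwFDS0SlYP4xMUBj1QZJIvgGSPlTAq

ci:$apr1$constructed$notARealDigestValue000
ops:$2y$12$constructedSaltAndDigestPlaceholderForIllustrationOnly0
EOF
}

# Print one finding per problematic entry; return 1 if anything was found.
audit_htpasswd() {
    file="$1"
    findings=0
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -z "$user" ] && continue        # htpasswd -n emits a trailing blank line
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*)
                # bcrypt layout: $2y$<two-digit cost>$<salt and digest>
                cost=$(printf '%s' "$hash" | cut -d'$' -f3)
                cost=${cost#0}
                case "$cost" in ''|*[!0-9]*) cost=0 ;; esac   # malformed cost field
                if [ "$cost" -lt "$MIN_COST" ]; then
                    echo "WEAK_COST $user cost=$cost"
                    findings=$((findings + 1))
                fi ;;
            *)
                # Not bcrypt: the registry will not authenticate this user
                echo "NOT_BCRYPT $user"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /etc/registry/auth/passwd
if [ -n "${1:-}" ]; then audit_htpasswd "$1"; fi
```

Entries flagged WEAK_COST can be regenerated with a higher work factor by passing htpasswd's `-C` option together with `-B`.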

With username/password: access the registry

# Access from a browser
http://192.168.158.130:5000/v2/_catalog  # a dialog pops up asking for credentials: admin/admin123456
# Access from the Linux command line
[root@docker ~]# curl -XGET http://192.168.158.130:5000/v2/_catalog							# access without credentials fails
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
[root@docker ~]# curl -XGET -u admin:admin123456 http://192.168.158.130:5000/v2/_catalog	# access with username and password
{"repositories":["nginx"]}

With username/password: push an image to the registry

docker login -u admin -p admin123456 192.168.158.130:5000
docker tag coredns/coredns:latest 192.168.158.130:5000/coredns/coredns:latest
docker push 192.168.158.130:5000/coredns/coredns:latest
curl -XGET -u admin:admin123456 http://192.168.158.130:5000/v2/_catalog

Build the registry on k8s

[root@master ~]# vim deploy-registy.yaml 
---
# The content of the passwd key was generated with the command htpasswd -Bbn admin admin123456
apiVersion: v1
data:
  passwd: |+
    admin:$2y$05$XmcyIRU8D7w2jUCYHskSZ.dcwFDS0SlYP4xMUBj1QZJIvgGSPlTAq
kind: ConfigMap
metadata:
  name: registry-cm
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: registry-pvc
  labels:
    release: registry
spec:
  accessModes: 
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-storageclass
---
apiVersion: v1
kind: Service
metadata:
  name: "registry-svc"
  labels:
    release: registry
spec:
  ports:
    - name: http-registry
      port: 5000
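      nodePort: 5000				# outside the default NodePort range (30000-32767); the API server's --service-node-port-range must allow it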
      targetPort: 5000
  type: NodePort
  selector:
    release: registry
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "registry-deployment"
  labels:
    release: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      release: registry
  template:
    metadata:
      labels:
        release: registry
    spec:
      containers:
      - name: registry
        image: registry:latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /
            scheme: HTTP
            port: 5000
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            scheme: HTTP
            port: 5000
          initialDelaySeconds: 2
          periodSeconds: 10
        env:                                    # container environment variables; three are passed in
        - name: REGISTRY_AUTH
          value: htpasswd
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: "Registry Realm"
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          value: "/etc/registry/auth/passwd"
        ports:
        - containerPort: 5000
        volumeMounts:
        - name: registry-data				# persist data with the PVC
          mountPath: /var/lib/registry
        - name: registry-cm					# mount the ConfigMap into the container
          mountPath: /etc/registry/auth/passwd
          subPath: passwd
      volumes:
      - name: registry-cm
        configMap:
          name: registry-cm
          items:
            - key: passwd
              path: passwd
      - name: registry-data					# PVC
        persistentVolumeClaim:
          claimName: registry-pvc			# PVC
---

Verify that the registry is usable

vim  /etc/docker/daemon.json 						# every k8s node must be configured with the registry address
"insecure-registries": ["192.168.158.128:5000"]		# add this entry
systemctl restart docker							# restart Docker
# Log in to the registry
[root@master ~]# docker login -u admin -p admin123456 192.168.158.128:5000
Login Succeeded
# Tag the image
[root@master ~]# docker tag busybox:1.24.1 192.168.158.128:5000/busybox:1.24.1
# Push the image to the registry; it succeeds
[root@master ~]# docker push 192.168.158.128:5000/busybox:1.24.1
The push refers to repository [192.168.158.128:5000/busybox]
5f70bf18a086: Pushed 
61e469647daa: Pushed 
1.24.1: digest: sha256:458b359b8cb329f54e965bafee7b41d7557e62ba8d4c061f3dc57c7aaf9c048b size: 733

# Check the backend storage; the data has been persisted
[root@node2 ~]# ls /k8s_data/default-registry-pvc-pvc-d336e2f7-7bcc-4a79-8e3f-3ccff46c78c9/docker/registry/v2/repositories/
busybox
[root@node2 ~]# 


Origin blog.csdn.net/MssGuo/article/details/128945312