
Docker 私有倉庫安裝配置 (Registry v2)

使用 Docker Compose + Docker machine 配置一個 Docker 私有倉庫。

GitHub:https://github.com/khs1994-docker/registry

官方 GitHub:https://github.com/docker/distribution/releases

一種是使用 Docker Compose

一種是基於 registry 映象 ,新增配置檔案之後構建自己的映象。具體檢視 GitHub

準備

申請 SSL 證書,並將憑證與私鑰放到 ssl 資料夾(私鑰請限制檔案權限,且不要提交到 Git 倉庫),這裡不進行詳細說明。

編輯 config.yml

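# Registry v2 configuration (reference: https://docs.docker.com/registry/configuration/).
version: 0.1
log:
  accesslog:
    # Keep the access log enabled: it is the only per-request audit trail
    # (who pushed/pulled which repository) once the registry is exposed.
    disabled: false
  # "debug" is verbose and may include request details in the log;
  # lower it to "info" outside of staging.
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    # Enables DELETE of manifests/blobs through the API. The htpasswd
    # backend below only authenticates: every listed user gets the same
    # push/pull/delete rights, there is no per-user authorization here.
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    # Per the registry docs this backend only accepts bcrypt entries,
    # i.e. the file must be generated with "htpasswd -B" (see below).
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://docker.domain.com
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  # TLS is terminated by the registry itself. When an external nginx
  # terminates TLS instead, remove this tls block, otherwise the
  # "proxy_pass http://" in the nginx recipe would talk plaintext to a
  # TLS-only port.
  tls:
    certificate: /etc/docker/registry/ssl/docker.domain.com.crt
    key: /etc/docker/registry/ssl/docker.domain.com.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3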

新增登陸使用者

將以下命令中的 username password 替換為使用者名稱與密碼;也可以新增多個使用者(再次執行並改用 >> 追加),更多內容請搜尋 htpasswd。注意:Registry 本身只接受 bcrypt(-B)格式的密碼,MD5(-m)格式只能用於由 Nginx 做認證的情況。

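# Create the htpasswd file read by config.yml (auth.htpasswd.path) and by
# nginx (auth_basic_user_file). Replace username/password; run it again
# with ">>" instead of ">" to append further users.
#
# -B (bcrypt) is the only format the registry itself accepts. If nginx
# does the authentication and its crypt() cannot read bcrypt entries, use
# MD5 instead:
#   -mbn username password > auth/nginx.htpasswd
#
# Security note: -b takes the password from the command line, so it lands
# in the shell history and is visible in `ps` while the command runs.
# Drop -b (and add -it to docker run) to be prompted interactively.
# NOTE(review): recent registry images may no longer bundle htpasswd; the
# httpd:2 image ships the same tool if this step fails.
$ docker run --rm \
    --entrypoint htpasswd \
    registry \
    -Bbn username password > auth/nginx.htpasswd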

編輯 docker-compose.yml

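version: '3'

services:
  registry:
    # Pin the tag: a bare "registry" resolves to :latest and can change
    # underneath you; pin to a digest for a fully reproducible deployment.
    image: registry:2
    # restart: always
    ports:
      # The registry terminates TLS itself (config.yml http.tls), so it is
      # published directly on 443.
      - "443:443"
      # Behind an external nginx publish on 5000 instead (see the nginx
      # section below):
      # - "5000:443"
    volumes:
      # Holds config.yml, auth/ and ssl/ (including the private key). The
      # registry only reads them, so mount read-only.
      - ./:/etc/docker/registry:ro
      - registry-data:/var/lib/registry
    # A bare "depends_on:" whose only entry is commented out parses as
    # null, which Compose is likely to reject; re-enable the key together
    # with an nginx service.
    # depends_on:
    #   - nginx

volumes:
  registry-data: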

啟動

Swarm mode

由於 Docker Machine 不包含 Compose,這裡使用 Swarm mode

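# Create a VirtualBox-backed Docker host named "registry".
$ docker-machine create \
      --driver virtualbox \
      --engine-opt dns=114.114.114.114 \
      --engine-registry-mirror https://registry.docker-cn.com \
      --virtualbox-memory 2048 \
      --virtualbox-cpu-count 2 \
      registry

# Note the machine's IP: it is needed for --advertise-addr below and for
# the /etc/hosts entry in the test section.
$ docker-machine ip registry

$ docker-machine ssh registry

# Use the address printed by "docker-machine ip registry"; 192.168.99.100
# is only the usual VirtualBox default and may differ on your host.
$ docker swarm init --advertise-addr=192.168.99.100

$ git clone --depth=1 https://github.com/khs1994-docker/registry.git

$ cd registry

# Edit config.yml / docker-compose.yml and drop the certificate and the
# htpasswd file into ssl/ and auth/ first, then deploy the stack.

$ docker stack deploy -c docker-compose.yml registry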

自定義映象並執行

配置好所需檔案,構建映象,執行容器

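# Build the "custom image" variant: the repo's Dockerfile adds the config
# files on top of the registry image. Because auth/ and ssl/ (the private
# key) end up inside the image, never push this image to a public registry.
$ docker build -t username/registry .

# Run it with a named volume for the image data.
$ docker run -dit \
    --mount src=registry-data,target=/var/lib/registry \
    -p 443:443 \
    username/registry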

Docker Compose

# Compose variant; needs docker-compose on the host (Docker Machine VMs
# do not ship it, which is why the Swarm mode section exists).
$ docker-compose up -d

Nginx 代理配置

https://docs.docker.com/registry/recipes/nginx/

若使用外部 Nginx,在 docker-compose.yml 將埠配置為 5000:443,並同時移除 config.yml 中的 http.tls 區段(改由 Nginx 終止 TLS);否則下面的 proxy_pass http:// 會連到一個只接受 TLS 的埠。若想保留 Registry 端的 TLS,則需把 proxy_pass 改為 https:// 並設定 proxy_ssl_* 驗證上游憑證。

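upstream docker-registry {
    # Point at the published registry port ("5000:443" in docker-compose.yml).
    # NOTE(review): with the http.tls section left in config.yml the container
    # speaks TLS on that port, so the plain "proxy_pass http://" below would
    # fail the handshake. When nginx terminates TLS, remove tls from
    # config.yml; otherwise change proxy_pass to https:// and configure
    # proxy_ssl_trusted_certificate / proxy_ssl_verify.
    server 127.0.0.1:5000;
}

  ## Set a variable to help us decide if we need to add the
  ## 'Docker-Distribution-Api-Version' header.
  ## The registry always sets this header.
  ## In the case of nginx performing auth, the header will be unset
  ## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}

server {
    listen 443 ssl;
    # Replace with the registry hostname (must match config.yml http.host).
    server_name docker.domain.com;

    # SSL
    # Adjust the paths; the key file must not be world-readable.
    ssl_certificate conf.d/ssl/docker.domain.com.crt;
    ssl_certificate_key conf.d/ssl/docker.domain.com.key;

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # (TLSv1.3 needs nginx >= 1.13 built against OpenSSL 1.1.1; drop it on
    # older builds rather than re-adding TLSv1.1.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
    chunked_transfer_encoding on;

    location /v2/ {
      # Do not allow connections from docker 1.5 and earlier
      # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
      if ($http_user_agent ~ "^(docker/1.(3|4|5(?!.[0-9]-dev))|Go ).*$" ) {
        return 404;
      }

      # Basic authentication for the whole v2 API (including /v2/_catalog).
      # nginx's auth_basic relies on the system crypt(), which on many builds
      # cannot read bcrypt ($2y$) entries - hence the MD5 (-m) alternative in
      # the htpasswd step. When nginx authenticates, leave auth.htpasswd out
      # of config.yml: the Authorization header is forwarded upstream and the
      # registry would re-check it against its own bcrypt-only file.
      auth_basic "Registry realm";
      auth_basic_user_file conf.d/auth/nginx.htpasswd;

      ## If $docker_distribution_api_version is empty, the header will not be added.
      ## See the map directive above where this variable is defined.
      add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

      proxy_pass                          http://docker-registry;
      proxy_set_header  Host              $http_host;   # required for docker client's sake
      proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
      proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_read_timeout                  900;
    }
}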

測試私有倉庫功能

修改 /etc/hosts,將 127.0.0.1 替換為對應 IP(Docker Machine 方式即 docker-machine ip registry 的輸出)

127.0.0.1 docker.domain.com

網頁檢視

https://docker.domain.com/v2/_catalog

命令列登入

$ docker login docker.domain.com
# then enter the username and password from auth/nginx.htpasswd
# NOTE(review): by default the client keeps the login base64-encoded in
# ~/.docker/config.json; configure a credential helper on shared hosts.

命令列操作

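$ docker pull nginx:alpine
# Tag the image that was actually pulled (nginx:alpine, not nginx:latest)
# with the private registry's hostname used everywhere else on this page.
$ docker tag nginx:alpine docker.domain.com/nginx:alpine
$ docker push docker.domain.com/nginx:alpine
# Remove the local copy (rmi, not rm: rm targets containers), then pull
# it back from the private registry to verify the round trip.
$ docker rmi docker.domain.com/nginx:alpine
$ docker pull docker.domain.com/nginx:alpine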

命令參考

# Generic form: run any registry subcommand inside the running container;
# {docker-registry id} is the container ID or name from "docker ps".
$ docker exec {docker-registry id} registry [command]

垃圾回收

https://docs.docker.com/registry/garbage-collection/

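# Garbage collection must not run concurrently with pushes: stop the
# registry or enable storage.maintenance.readonly in config.yml first
# (see the linked docs), and check the output of --dry-run before the
# real run.
$ docker exec -it {docker-registry id} \
    bin/registry garbage-collect [--dry-run] /etc/docker/registry/config.yml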

搜尋

參考 API:https://docs.docker.com/registry/spec/api/

檢視版本

# Print the registry version (sample output on the next line).
$ docker exec {docker-registry id} registry --version

registry github.com/docker/distribution v2.6.0

幫助資訊

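# Same placeholder as the other commands above: the container ID or name.
$ docker exec {docker-registry id} registry help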