While working on GitLab CI recently I needed the Windows Server Core Docker image. That image is huge, and once modified it is practically impossible to re-upload to Docker Hub, so I tried standing up a Docker registry locally.
In the simplest case a single command starts a local registry:
docker run -d -p 5000:5000 --name registry registry:2
But that only lets you reach images as localhost:5000/myimage. The Docker client insists on HTTPS for any registry that is not on loopback (unless the host is explicitly listed under insecure-registries in the daemon configuration), so the rest of this post covers setting up TLS quickly, plus a simple cache optimisation.
Preparing the Nginx configuration
Create a directory, cd into it, and run the following to obtain nginx's default configuration files:
docker run --name tmp-nginx-container -d nginx:1.23
docker cp tmp-nginx-container:/etc/nginx/ ./nginx
docker rm -f tmp-nginx-container
Add nginx/docker-registry.conf (the proxy settings shared by every location below):
proxy_pass http://docker-registry;
proxy_set_header Host $http_host;            # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr;     # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# nginx performs Basic auth itself, so the credentials are not forwarded to the registry
# (see https://github.com/docker/docker-registry/issues/170). Remove this line if you
# later switch to the registry's own token authentication, which needs the header.
proxy_set_header Authorization "";
proxy_read_timeout 900;                      # large layer uploads take a while
Then add nginx/conf.d/registry.conf. Two things to watch in it: the auth_basic lines are commented out, so as written the registry accepts pushes and pulls from anyone who can reach port 443 (uncomment them and create nginx/docker-registry.htpasswd before exposing it); and no ssl_protocols or ssl_ciphers are set, so nginx's built-in defaults decide which TLS versions are accepted (pin TLSv1.2 and TLSv1.3 if you want that under your control):
upstream docker-registry {
    server app:5000;
}
server {
    # "ssl on;" is deprecated and was removed in nginx 1.25; enable TLS on the listen directive instead
    listen 5000 ssl;
    server_name domain1.com;   # must match the certificate below
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;
    location / {
        # Uncomment both lines (and create nginx/docker-registry.htpasswd) before exposing
        # the registry; with them commented out anyone who can reach port 443 can push and pull.
        # auth_basic "Docker Registry";
        # auth_basic_user_file docker-registry.htpasswd;
        include docker-registry.conf;
    }
    # The /v1/ locations below are left over from the legacy v1 API. registry:2 serves
    # everything under /v2/, so they are never hit and can be dropped.
    location /v1/_ping {
        auth_basic off;
        include docker-registry.conf;
    }
    location /v1/users {
        auth_basic off;
        include docker-registry.conf;
    }
}
Preparing the Cloudflare token
On the Cloudflare API tokens page create an API token. A token scoped to Zone / DNS / Edit on just the zone being validated is enough, since certbot only needs to create the _acme-challenge TXT record; there is no reason to hand it broader rights. Put the resulting string into ./certbot/cloudflare.ini (the path the compose file below mounts) and keep the file readable only by your user (certbot warns about world-readable credential files):
dns_cloudflare_api_token =
Preparing the docker compose configuration
In the same directory, write docker-compose.yml:
version: '2'
services:
  certbot:
    image: certbot/dns-cloudflare
    volumes:
      - ./certbot/certs:/etc/letsencrypt
      - ./certbot/cloudflare.ini:/cloudflare.ini
    # Runs once and exits. --force-renewal requests a fresh certificate on every
    # "compose up"; drop it for routine restarts to stay within Let's Encrypt's
    # duplicate-certificate rate limit.
    command: >-
      certonly --dns-cloudflare
      --dns-cloudflare-credentials /cloudflare.ini
      --dns-cloudflare-propagation-seconds 15
      --email [email protected]
      --agree-tos --no-eff-email
      --force-renewal
      -d domain1.com
  app:
    image: registry:2.6.2
    environment:
      # Used to sign upload state handed to clients; use a long random value, not a guessable word.
      REGISTRY_HTTP_SECRET: my-docker-registry
      REGISTRY_REDIS_ADDR: cache:6379
      REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR: redis   # cache blob metadata in Redis
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data/registry
    volumes:
      - registry-data:/data/registry
  cache:
    image: redis:4.0
  web:
    image: nginx:1.23
    ports:
      - 443:5000
    # nginx cannot start until the certbot service has written the certificate files;
    # restart: always makes it retry until they exist.
    restart: "always"
    volumes:
      - ./nginx:/etc/nginx
      - ./certbot/certs:/etc/letsencrypt
networks: {}
volumes:
  registry-data: null
Run docker compose up -d to start the registry in the background. Only the web service is reachable from outside; app and cache stay on the compose network. The certbot service exits once it has obtained the certificate, and nginx comes up on its next restart after the files appear.
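Once the stack is up it is worth checking from outside what the registry actually exposes. The following Python script is an added example (not part of the original post or the registry project): it connects with certificate and hostname verification on, reports how long the certificate has left, and interprets the reply to GET /v2/, the request the Docker client uses to detect a Distribution API registry. A 200 means anyone who can reach the host can pull and push (which is what the commented-out auth_basic lines give you); a 401 with a WWW-Authenticate challenge means authentication gates access. REGISTRY_HOST defaults to the post's placeholder domain1.com; the User-Agent string and the 14-day expiry warning threshold are my choices.

```python
"""Added example (not from the post or the registry project): check what a
TLS-fronted registry exposes. Host and port are the post's placeholders."""
import http.client
import ssl
import time

REGISTRY_HOST = "domain1.com"   # placeholder from the post; replace with your registry
REGISTRY_PORT = 443


def cert_days_remaining(not_after, now_ts):
    """Whole days left before a certificate's notAfter value (the string format
    returned by SSLSocket.getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'),
    measured from the POSIX timestamp now_ts."""
    expires = ssl.cert_time_to_seconds(not_after)
    return int((expires - now_ts) // 86400)


def classify_v2(status, www_authenticate):
    """Interpret the reply to GET /v2/:
      200            -> "open": no credentials needed to pull or push
      401 + header   -> "auth-required:<scheme>": basic (nginx) or bearer (token auth)
      anything else  -> "unexpected:<status>", not behaving like a registry."""
    if status == 200:
        return "open"
    if status == 401 and www_authenticate:
        scheme = www_authenticate.split(None, 1)[0].lower()
        return "auth-required:" + scheme
    return "unexpected:%d" % status


def probe(host=REGISTRY_HOST, port=REGISTRY_PORT):
    """Connect with full chain and hostname verification and summarise the endpoint."""
    ctx = ssl.create_default_context()   # system CA store, hostname check enabled
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ctx)
    try:
        conn.request("GET", "/v2/", headers={"User-Agent": "registry-check/1"})
        resp = conn.getresponse()
        resp.read()
        cert = conn.sock.getpeercert()   # parsed dict of the verified leaf certificate
        return {
            "api_version": resp.getheader("Docker-Distribution-Api-Version"),
            "cert_subject_alt_names": [v for _, v in cert.get("subjectAltName", ())],
            "cert_days_left": cert_days_remaining(cert["notAfter"], time.time()),
            "access": classify_v2(resp.status, resp.getheader("WWW-Authenticate")),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    summary = probe()
    for key, value in summary.items():
        print("%-24s %s" % (key, value))
    if summary["access"] == "open":
        print("WARNING: /v2/ answered 200 with no challenge; anyone reaching this host can push.")
    if summary["cert_days_left"] < 14:
        print("WARNING: certificate expires in %d days" % summary["cert_days_left"])
```

Run it as python3 check_registry.py after the stack is up. A registry:2 behind the nginx above answers with Docker-Distribution-Api-Version: registry/2.0; if the script reports access as "open", the auth_basic lines are still commented out.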
Pushing and pulling images
Tag the image with the registry's host name and push or pull as usual; the host in the tag is what tells the client which registry to talk to:
docker pull ubuntu
docker image tag ubuntu domain1.com/myfirstimage
docker push domain1.com/myfirstimage
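Why the tag decides where the push goes: the Docker client treats the first path component of a reference as a registry host only if it contains a "." or ":", is exactly "localhost", or contains uppercase letters; otherwise the reference goes to docker.io, with "library/" prepended for single-name images such as ubuntu. The following Python functions are an added example (not the post's code and not Docker's own implementation) that reproduce that normalization and go beyond the post's single tag to cover ports, tags and digests; they also encode the plain-HTTP rule from the introduction, where only loopback hosts are exempt from HTTPS by default. All inputs below are constructed.

```python
"""Added example: how the Docker client normalizes an image reference and
decides which registry to contact. Follows the rules of docker/distribution's
reference package; not the post's code."""
from ipaddress import ip_address

DEFAULT_DOMAIN = "docker.io"
LEGACY_DEFAULT_DOMAIN = "index.docker.io"
OFFICIAL_REPO = "library"


def split_domain(name):
    """Return (registry_host, repository_path) for a reference without tag or digest."""
    i = name.find("/")
    first = name[:i] if i != -1 else ""
    # The first component is a host only if it looks like one: it contains '.' or ':',
    # is 'localhost', or has uppercase letters (repository names must be lowercase).
    looks_like_host = i != -1 and (
        "." in first or ":" in first or first == "localhost" or first.lower() != first
    )
    if looks_like_host:
        domain, remainder = first, name[i + 1:]
    else:
        domain, remainder = DEFAULT_DOMAIN, name
    if domain == LEGACY_DEFAULT_DOMAIN:
        domain = DEFAULT_DOMAIN
    if domain == DEFAULT_DOMAIN and "/" not in remainder:
        remainder = OFFICIAL_REPO + "/" + remainder   # 'ubuntu' -> 'library/ubuntu'
    return domain, remainder


def parse_reference(ref):
    """Return (registry_host, repository, tag, digest). The tag defaults to
    'latest' only when the reference carries no digest."""
    name, digest = (ref.split("@", 1) + [None])[:2]
    tag = None
    last_colon = name.rfind(":")
    # A ':' introduces a tag only after the last '/'; before it, it separates a port.
    if last_colon != -1 and last_colon > name.rfind("/"):
        name, tag = name[:last_colon], name[last_colon + 1:]
    domain, path = split_domain(name)
    if tag is None and digest is None:
        tag = "latest"
    return domain, path, tag, digest


def plain_http_allowed(domain):
    """The daemon only falls back to plain HTTP for loopback registries
    (localhost / 127.0.0.0/8); anything else needs HTTPS unless it is listed
    under insecure-registries in daemon.json."""
    host, _, port = domain.rpartition(":")
    if not host or not port.isdigit():   # no port present
        host = domain
    host = host.strip("[]")              # bracketed IPv6 literal
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                   # a DNS name, not an address
        return False


if __name__ == "__main__":
    for ref in ("ubuntu", "domain1.com/myfirstimage", "localhost:5000/myimage:1.0",
                "myuser/app@sha256:0123"):
        domain, path, tag, digest = parse_reference(ref)
        print("%-32s -> %s  %s  tag=%s digest=%s  plain_http=%s"
              % (ref, domain, path, tag, digest, plain_http_allowed(domain)))
```

The second case is the post's own tag: domain1.com contains a dot, so it becomes the registry host and the push goes to https://domain1.com, which is why the TLS setup above is needed, whereas localhost:5000/myimage from the introduction works without it.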
References
https://docs.docker.com/registry/
https://gist.github.com/sergiks/4c1ccddc097e61e6fe5e45c53072a944