最近需要在学校内网使用docker,所以有一个Registry会比较方便。网上的教程不少过时了或者操作麻烦,经过踩坑无数之后总结了两个快速部署方法。
网上方法千奇百怪,长篇大论看得心累,所以我希望三步之内解决这件事,那么开始吧。
准备工作:
安装Docker
你需要安装1.6.0以上的版本的Docker。
sudo curl -sSL https://get.docker.com/ | sh
# 设置Docker以非Root用户运行,确保安全。
sudo usermod -aG docker your-user
# 安装Compose:
curl -L https://github.com/docker/compose/releases/download/1.7.0-rc1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
获取SSL证书
如果要使用域名绑定私有仓库,必须开启SSL。
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly -d docker.zuolan.me
选择第二个,自动生成证书
生成下面文字即为成功:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
.........
.........
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
方法一、自动搭建(强烈推荐)
第一步:配置
克隆仓库。
git clone https://github.com/vmware/harbor ~/harbor
编辑配置。
vim ~/harbor/Deploy/harbor.cfg
模板如下:
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
########################################
#下面输入你的仓库网址,比如“docker.zuolan.me”。
########################################
hostname = docker.zuolan.me
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
#Email account settings for sending out password resetting emails.
#####################################
#这里的设置可以无视,只有密码找回才会用到。
#####################################
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
##The password of Harbor admin, change this before any production use.
#####################
#下面输入你的管理员密码。
#####################
harbor_admin_password = password
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth
#The url for an ldap endpoint.
#########
#可以不填。
#########
ldap_url = ldaps://ldap.zuolan.me
#The basedn template to look up a user in LDAP and verify the user's password.
################################################
#我的的域名是zuolan.me,所以这里我填dc=zuolan,dc=me。
################################################
ldap_basedn = uid=%s,ou=people,dc=zuolan,dc=me
#The password for the root user of mysql db, change this before any production use.
#####################
#下面输入你的数据库密码。
#####################
db_password = password
#Turn on or off the self-registration feature
self_registration = on
#####
第二步:配置Nginx
cd ~/Deploy/config/nginx
移动你的证书到cert/目录。
cp yourdomain.com.crt cert/
cp yourdomain.com.key cert/
备份一下原文件,使用https配置。
mv nginx.conf nginx.conf.bak && cp nginx.https.conf nginx.conf
然后vim nginx.conf,要改的地方很少,如下:
server {
listen 443 ssl;
# 下面改成你的域名
server_name docker.zuolan.me;
# SSL
# 这里证书地址如果你是letsencrypt申请的不用修改这里
ssl_certificate /etc/nginx/cert/fullchain.pem;
ssl_certificate_key /etc/nginx/cert/privkey.pem;
...
server {
listen 80;
server_name docker.zuolan.me;
rewrite ^/(.*) https://$server_name$1 permanent;
第三步:构建运行
$ cd ~/harbor/Deploy
$ ./prepare
Generated configuration file: ./config/ui/env
Generated configuration file: ./config/ui/app.conf
Generated configuration file: ./config/registry/config.yml
Generated configuration file: ./config/db/env
$ docker-compose up
没有问题的话已经运行起来了~~
第四步:测试
现在你可以通过域名pull镜像了:
docker pull ubuntu
docker tag ubuntu docker.zuolan.me/ubuntu
docker push docker.zuolan.me/ubuntu
docker pull docker.zuolan.me/ubuntu
方法二、自己搭建(不推荐小白操作)
准备工作
新建一个文件夹以便管理。
mkdir ~/docker-registry && cd $_
mkdir data nginx && mkdir nginx/certs
vim docker-compose.yml
填写下面的内容到docker-compose.yml:
nginx:
image: "tutum/nginx"
ports:
- 80:80
- 443:443
links:
- registry:registry
volumes:
- ./nginx/:/etc/nginx/conf.d
- /root/app/:/app/
registry:
image: registry:2
ports:
- 127.0.0.1:5000:5000
environment:
REGISTRY_HTTP_TLS_CERTIFICATE: /etc/nginx/conf.d/certs/fullchain.pem
REGISTRY_HTTP_TLS_KEY: /etc/nginx/conf.d/certs/privkey.pem
REGISTRY_HTTP_SECRET: yourpassword
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
volumes:
- ./data:/data
- ./nginx/:/etc/nginx/conf.d
移动证书到自定义目录:
cat /etc/letsencrypt/live/docker.zuolan.me/fullchain.pem > ~/docker-registry/nginx/certs/fullchain.pem
cat /etc/letsencrypt/live/docker.zuolan.me/privkey.pem > ~/docker-registry/nginx/certs/privkey.pem
然后配置Nginx文件即可:
vim ~/docker-registry/nginx/registry.conf
域名修改一下,复制粘贴即可。
upstream docker-registry {
server registry:5000;
}
server {
listen 443;
server_name docker.zuolan.me;
# SSL
ssl on;
ssl_certificate /etc/nginx/conf.d/certs/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/certs/privkey.pem;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting plus add_header
# auth_basic "registry.localhost";
# auth_basic_user_file /etc/nginx/conf.d/registry.password;
# add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker.zuolan.me;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
启动仓库
cd ~/docker-registry
docker-compose up
测试:
现在你可以通过域名pull镜像了:
docker pull ubuntu
docker tag ubuntu docker.zuolan.me/ubuntu
docker push docker.zuolan.me/ubuntu
docker pull docker.zuolan.me/ubuntu
