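Docker Hub hosts all of the resources for Docker and its components. It provides:

  • Docker image hosting
  • User authentication
  • Automated image builds and workflow tools such as build triggers and web hooks
  • Integration with GitHub and BitBucket

However, in some scenarios we need a private repository to manage our own images, and Registry can be used for that. As one of Docker's core components, Registry is responsible for storing and distributing image content; the client's docker pull and push commands interact with the registry directly.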

Environment:
  Docker 17.12.0-ce-rc4
  CentOS 7.3

Deploy Docker

# yum remove docker docker-common docker-selinux docker-engine -y
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum-config-manager --enable docker-ce-edge
# yum-config-manager --enable docker-ce-test
# yum install docker-ce -y

Create a self-signed certificate

# mkdir -p conf
# openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=localhost" -nodes -x509 -keyout conf/auth.key -out conf/auth.cert

Configuration file for the registry container

# Needed when starting the registry container
# cat registry-srv.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
auth:
  token:
    # external url to docker-web authentication endpoint
    realm: http://registry-web:8080/api/auth
    # should be same as registry.name of registry-web
    service: registry-srv:5000
    # should be same as registry.auth.issuer of registry-web
    issuer: 'my issuer'
    # path to auth certificate
    rootcertbundle: /etc/docker/registry/auth.cert
#

Configuration file for the registry-web container

# Needed when starting the registry-web container
# cat registry-web.yml
registry:
  # Docker registry url
  url: http://registry-srv:5000/v2
  # Docker registry fqdn
  name: registry-srv:5000
  # To allow image delete, should be false
  readonly: false
  auth:
    # Enable authentication
    enabled: true
    # Token issuer
    # should equals to auth.token.issuer of docker registry
    issuer: 'my issuer'
    # Private key for token signing
    # certificate used on auth.token.rootcertbundle should signed by this key
    key: /conf/auth.key
#
# tree docker-registry-web/
docker-registry-web/
└── conf
    ├── auth.cert
    ├── auth.key
    ├── registry-srv.yml
    └── registry-web.yml
1 directory, 4 files
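
The comments in the two configuration files name the settings that have to agree (issuer, service/name, signing key and certificate). A small lint for that follows, as an added example that is not part of the original post or of either project; the function names section_value and lint_registry_conf are hypothetical, and it assumes the one-key-per-line layout of the files shown here:

```sh
#!/bin/sh
# Added example (not from the original post): check the cross-file settings
# that the config comments say must match.
# section_value FILE SECTION KEY: value of the first "KEY:" after "SECTION:".
section_value() {
    awk -v s="$2" -v k="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }                    # ignore comment lines
        line == (s ":") { in_s = 1; next }      # section header found
        in_s && index(line, k ":") == 1 {
            v = substr(line, length(k) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1" | tr -d "\"'"
}

# lint_registry_conf DIR: print findings; exit status is the number of FAILs.
lint_registry_conf() {
    srv="$1/registry-srv.yml"; web="$1/registry-web.yml"; fails=0
    a=$(section_value "$srv" token issuer); b=$(section_value "$web" auth issuer)
    [ -n "$a" ] && [ "$a" = "$b" ] ||
        { echo "FAIL issuer: registry '$a' vs registry-web '$b'"; fails=$((fails + 1)); }
    a=$(section_value "$srv" token service); b=$(section_value "$web" registry name)
    [ -n "$a" ] && [ "$a" = "$b" ] ||
        { echo "FAIL auth.token.service '$a' vs registry.name '$b'"; fails=$((fails + 1)); }
    case $(section_value "$srv" token realm) in
        https://*) ;;
        *) echo "WARN realm is not https: login credentials and tokens travel in clear text" ;;
    esac
    # The certificate in rootcertbundle must carry the public key of the signing key.
    if command -v openssl >/dev/null 2>&1 && [ -f "$1/auth.key" ] && [ -f "$1/auth.cert" ]; then
        k=$(openssl pkey -in "$1/auth.key" -pubout 2>/dev/null)
        c=$(openssl x509 -in "$1/auth.cert" -noout -pubkey 2>/dev/null)
        [ -n "$k" ] && [ "$k" = "$c" ] ||
            { echo "FAIL auth.cert does not match auth.key"; fails=$((fails + 1)); }
    fi
    return "$fails"
}

# Constructed sample: the values from this page, written to a scratch directory.
demo=$(mktemp -d)
printf '%s\n' 'auth:' '  token:' '    realm: http://registry-web:8080/api/auth' \
    '    service: registry-srv:5000' "    issuer: 'my issuer'" > "$demo/registry-srv.yml"
printf '%s\n' 'registry:' '  name: registry-srv:5000' '  auth:' \
    "    issuer: 'my issuer'" > "$demo/registry-web.yml"
lint_registry_conf "$demo" && echo "OK: issuer and service agree"
rm -rf "$demo"
```

On the host used in this article it would be called as lint_registry_conf /root/docker-registry-web/conf; with auth.key and auth.cert present and openssl installed, it also compares the key pair.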

Start the registry

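# /root/docker-registry-web/conf must contain the four files listed above (auth.cert, auth.key, registry-srv.yml, registry-web.yml); see above for their contents
# If the configuration files use a domain name, the CONTAINER NAME given when creating the container should match the configuration files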
docker run -v /root/docker-registry-web/conf/registry-srv.yml:/etc/docker/registry/config.yml:ro -v /root/docker-registry-web/conf/auth.cert:/etc/docker/registry/auth.cert:ro -v /data:/var/lib/registry/ -p 5000:5000 --restart=always --name registry-srv -d registry:2.6.2

Start registry-web

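# /root/docker-registry-web/conf must contain the four files listed above (auth.cert, auth.key, registry-srv.yml, registry-web.yml); see above for their contents
# If the configuration files use a domain name, the CONTAINER NAME given when creating the container should match the configuration files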
docker run -d -v /root/docker-registry-web/conf/registry-web.yml:/conf/config.yml:ro -v /root/docker-registry-web/conf/auth.key:/conf/auth.key -v /root/docker-registry-web/db:/data -it -p 8080:8080 --link registry-srv --restart=always --name registry-web hyper/docker-registry-web
# docker images
REPOSITORY                            TAG      IMAGE ID       CREATED         SIZE
docker.io/registry                    2.6.2    177391bcf802   2 weeks ago     33.26 MB
docker.io/hyper/docker-registry-web   latest   0db5683824d8   14 months ago   598.6 MB
#
# docker ps -a
CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS          PORTS                    NAMES
1b4c0efd8465   hyper/docker-registry-web   "start.sh"               58 minutes ago   Up 58 minutes   0.0.0.0:8080->8080/tcp   registry-web
2d475b4d0603   registry:2.6.2              "/entrypoint.sh /etc/"   58 minutes ago   Up 17 minutes   0.0.0.0:5000->5000/tcp   registry-srv
#

hosts file resolution

# tail -2 /etc/hosts
192.168.1.61 registry-srv
192.168.1.61 registry-web

Skip HTTPS verification

Question: what if the following error is reported?

# docker login http://registry-srv:5000
Username (admin): admin
Password:
Error response from daemon: Get https://registry-srv:5000/v2/: http: server gave HTTP response to HTTPS client

Answer:

# For Docker 1.12.6, change it here
# grep -iv '^#' /etc/sysconfig/docker | grep -iv '^$'
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry registry-srv:5000'
if [ -z "${DOCKER_CERT_PATH}" ]; then
    DOCKER_CERT_PATH=/etc/docker
fi

# For Docker 17.12.0-ce-rc4, change it here
# cat /etc/docker/daemon.json
{ "insecure-registries":["registry-srv:5000"] }
#
# systemctl restart docker

Push an image to the Docker registry

Question: in Docker 17.12.0-ce-rc4, what if the following error is reported after a successful login?

# docker push registry-srv:5000/mysql:5.6
The push refers to a repository [registry-srv:5000/mysql]
67ab9337620e: Preparing
388e5e8563d4: Preparing
000529f48f17: Preparing
07d0b57bb93e: Preparing
d59453e8d7bb: Waiting
19aa284e9bf3: Waiting
889744378e18: Waiting
ae12d30e1dfc: Waiting
4bcdffd70da2: Waiting
unauthorized: authentication required
#

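Answer: log in to registry-web and grant permissions to the currently logged-in user.
[Image: Registry_Permissions]
[Image: Registry_Roles]
Then log in again with docker login http://registry-srv:5000 and the push will succeed.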

# docker login registry-srv:5000
Username (admin): admin
Password:
Login Succeeded
# docker tag docker.io/mysql:5.6 registry-srv:5000/mysql:5.6
# docker images
REPOSITORY                TAG   IMAGE ID       CREATED      SIZE
registry-srv:5000/mysql   5.6   1c7972822e0c   8 days ago   299 MB
# docker push registry-srv:5000/mysql:5.6
The push refers to a repository [registry-srv:5000/mysql]
67ab9337620e: Pushed
388e5e8563d4: Pushed
000529f48f17: Pushed
07d0b57bb93e: Pushed
324a3796c59a: Pushed
d59453e8d7bb: Pushed
19aa284e9bf3: Pushed
889744378e18: Pushed
ae12d30e1dfc: Pushed
4bcdffd70da2: Pushed
5.6: digest: sha256:92cd157a4d73a00a56993bce76d467ae170a86b264d24536648834d7f7501cdd size: 2409
#
# ls /data/
docker
# du -sh /data/
101M /data/
#

Pull an image from the Docker registry

# docker pull registry-srv:5000/mysql:5.6
Trying to pull repository registry-srv:5000/mysql ...
Get http://registry-srv:5000/v2/mysql/manifests/5.6: unauthorized: authentication required
# docker login registry-srv:5000 -uadmin -padmin
Login Succeeded
# docker pull registry-srv:5000/mysql:5.6
Trying to pull repository registry-srv:5000/mysql ...
5.6: Pulling from registry-srv:5000/mysql
f49cf87b52c1: Pull complete
78032de49d65: Pull complete
837546b20bc4: Pull complete
9b8316af6cc6: Pull complete
28dd7bab809d: Pull complete
8b95be8b8d36: Pull complete
67ee8c6f60b5: Pull complete
74616d0d8b72: Pull complete
9b7ad7dfbf08: Pull complete
60b597896d30: Pull complete
Digest: sha256:92cd157a4d73a00a56993bce76d467ae170a86b264d24536648834d7f7501cdd
#
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry-srv:5000/mysql 5.6 1c7972822e0c 8 days ago 299 MB

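Delete images from the Docker registry

Version 2.4 addressed this problem by adding a garbage-collection command that deletes unreferenced layer data. The procedure is as follows:

  • When starting the registry, add the delete=true option under storage in the configuration file to allow image deletion
    # For the complete configuration file, see registry-srv.yml
    storage:
      delete:
        enabled: true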

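First perform the delete operation in registry-web
[Image: register_del]
[Image: register_del]

At this point the data has not been completely deleted; garbage collection must be run.
Command: registry garbage-collect config.yml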

# Before garbage collection
# du -sh *
101M docker
#

# docker exec -it registry-srv registry garbage-collect /etc/docker/registry/config.yml
mysql
0 blobs marked, 13 blobs eligible for deletion
#
# After garbage collection
# du -sh *
204K docker
#

Note: after running garbage collection, registry-srv must be restarted; otherwise, pushing the same image again will fail.

# docker restart registry-srv

Screenshots

[Image: register_login]
[Image: register_repositories]
[Image: register_tags]
[Image: register_image]

References:
https://hub.docker.com/r/library/registry/
https://github.com/mkuchin/docker-registry-web
https://hub.docker.com/r/hyper/docker-registry-web/
http://www.widuu.com/chinese_docker/index.html

Attachment:
docker-registry-web.tar.gz


This article comes from "Jack Wang Blog": http://www.yfshare.vip/2017/12/20/自建docker私有仓库-Registry/