Docker private repository deployment

0 Requirements

  • Running a private Docker repository avoids the network problems that can occur during development and production.

  • Deploy the private repository with Docker Registry and use Docker Auth for authentication.

  • Consider the following scenarios: publishing an image requires authentication, but pulling one does not; different environments require different access policies. The registry's built-in simple HTTP (htpasswd) authentication is hard to extend, whereas docker_auth provides a token-based Docker Registry authentication implementation that covers these real-world needs better:

    • Third-party user authentication is supported
    • Varied ACL policy configurations are supported
    • Configuration and deployment are easy to get started with

This article has been verified by the author. If you run into mistakes while following it, please point them out in the comments section.

1 Docker installation

1.1 Remove old Docker installation traces

If this is the first installation, skip this step.

sudo apt-get remove docker docker-engine docker.io containerd runc

sudo apt-get purge docker-ce docker-ce-cli containerd.io
sudo rm -rf /var/lib/docker

1.2 Installing Docker

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# add the current user to the docker group so docker can be run without sudo
sudo usermod -aG docker $USER

For other installation methods, see Install Docker Engine on Ubuntu.

1.3 Docker configuration

  • Configure the Alibaba Cloud registry mirror

    sudo tee /etc/docker/daemon.json << eof
    {
      "registry-mirrors": ["https://jioksect.mirror.aliyuncs.com"]
    }
    eof
    sudo systemctl daemon-reload
    sudo systemctl restart docker

2 Docker Auth installation and deployment

mkdir -p /opt/docker_auth/config /opt/docker_auth/log && touch /opt/docker_auth/config/auth_config.yml

cat > /opt/docker_auth/config/auth_config.yml <<'eof'
server:
  addr: ":5001"
  certificate: "/root/cert.pem"
  key: "/root/cert.key"
token:
  issuer: "Auth Service"
  expiration: 900
users:
  "root":
    password: "${passwd}"
  "": {}
acl:
  - match: {account: "root"}
    actions: ["*"]
  - match: {account: ""}  # anonymous users can only pull images
    actions: ["pull"]
eof
  1. Generating ${passwd}
    1. Generate the user's password hash with: htpasswd -nB root
      1. The password you type when htpasswd -nB root prompts for it is the root user's password for docker login; the bcrypt hash printed after "root:" is the value to put in ${passwd}
  2. For more configuration options, see the Docker_auth configuration example
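To sanity-check the ACL above before deploying it, here is an added example (not part of docker_auth or the original article) that models docker_auth's evaluation rule: entries are tried in order, the first whose `match` fits the request decides, and only the requested actions that the entry allows are granted ("*" allows everything). The repository name and the extra user are constructed for the check.

```python
"""Offline model of the auth_config.yml ACL from the article (added example)."""
from fnmatch import fnmatch
from typing import Iterable

# Constructed copy of the ACL in auth_config.yml; "" is the anonymous account.
ACL = [
    {"match": {"account": "root"}, "actions": ["*"]},
    {"match": {"account": ""}, "actions": ["pull"]},
]


def _entry_matches(match: dict, account: str, repo: str) -> bool:
    """Every key in `match` must fit; `name` is a glob over the repository path."""
    for key, pattern in match.items():
        if key == "account" and account != pattern:
            return False
        if key == "name" and not fnmatch(repo, pattern):
            return False
    return True


def granted_actions(acl, account: str, repo: str, requested: Iterable[str]) -> list:
    """First matching entry wins; no matching entry means nothing is granted."""
    requested = list(requested)
    for entry in acl:
        if _entry_matches(entry["match"], account, repo):
            allowed = entry["actions"]
            if "*" in allowed:
                return requested
            return [a for a in requested if a in allowed]
    return []


def check_policy(acl) -> dict:
    """What the roles from the article can do on a constructed repository name."""
    repo = "myname/myapp"
    return {
        "root_push": "push" in granted_actions(acl, "root", repo, ["pull", "push"]),
        "anon_pull": "pull" in granted_actions(acl, "", repo, ["pull"]),
        "anon_push": "push" in granted_actions(acl, "", repo, ["pull", "push"]),
        # a user that exists in `users` but has no ACL entry gets nothing
        "other_user_pull": "pull" in granted_actions(acl, "alice", repo, ["pull"]),
    }


if __name__ == "__main__":
    for name, ok in check_policy(ACL).items():
        print(f"{name}: {ok}")
```

The last entry shows why a catch-all entry (for example `match: {account: "/.+/"}`) is needed as soon as more users than root are defined; without it, every additional user is denied.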

Deploying the container

docker run -d \
  --name=docker_auth \
  -p ${port}:5001 \
  --restart=always \
  -v /opt/docker_auth/config:/config:ro \
  -v /root/cert.pem:/root/cert.pem:ro \
  -v /root/cert.key:/root/cert.key:ro \
  -v /opt/docker_auth/log:/logs \
  cesanta/docker_auth:1.6.0 --v=2 --alsologtostderr /config/auth_config.yml
  • Note: if the private registry is to be offered as a public service, the Docker Auth service port must also be reachable from the public network (FRP can be used to expose it), because docker login sends a token request to Docker Auth.
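The request mentioned above is the Bearer token handshake of the Docker Registry v2 protocol: the registry answers an unauthenticated GET /v2/ with a `WWW-Authenticate: Bearer realm=...` challenge whose realm is the `${docker_auth_url}/auth` endpoint, and the client must obtain a token from that realm before retrying. The following added example (not from the article or docker_auth) parses such a challenge and builds the token request; the challenge value and the host auth.example.com are constructed, and only fetch_token() talks to the network.

```python
"""The docker_auth token handshake behind `docker login` / `docker pull` (added example)."""
import base64
import json
import re
import urllib.parse
import urllib.request

# Constructed example of the header a token-protected registry returns on GET /v2/.
SAMPLE_CHALLENGE = ('Bearer realm="https://auth.example.com:5001/auth",'
                    'service="Docker registry",scope="repository:myname/myapp:pull,push"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Split a `WWW-Authenticate: Bearer ...` value into its realm/service/scope parts."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: " + scheme)
    return dict(_PARAM.findall(params))


def token_url(challenge: dict) -> str:
    """The GET the client sends to docker_auth; realm is ${docker_auth_url}/auth."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def fetch_token(url: str, user: str = "", password: str = "") -> str:
    """Live step: anonymous for pull-only scopes, HTTP Basic for a user such as root.

    docker_auth evaluates the ACL and answers {"token": "<JWT>", ...}; the client then
    repeats the registry request with `Authorization: Bearer <token>`.
    """
    req = urllib.request.Request(url)
    if user:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


if __name__ == "__main__":
    challenge = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print(token_url(challenge))
```

If Docker Auth is unreachable from the client, this is the step that fails, even though the registry itself answered; the same applies to the realm having to carry the certificate's domain name rather than an IP address.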

3 Docker Registry image installation and container configuration

3.1 Pull the Docker Registry image

docker pull registry:2.7.0
mkdir -p /opt/docker_registry/config /opt/docker_registry/data && touch /opt/docker_registry/config/config.yml

3.2 Setting the Configuration File

cat > /opt/docker_registry/config/config.yml <<'eof'
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  token:
    autoredirect: true
    realm: ${docker_auth_url}/auth
    service: Docker registry
    issuer: Auth Service
    rootcertbundle: /root/cert.pem
http:
  addr: :5000
  tls:
    certificate: /root/cert.pem
    key: /root/cert.key
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
eof
  • ${docker_auth_url} is the public address of the Docker Auth service.

    • If Docker Auth uses the same certificate as the Nginx front end of the Docker Registry, ${docker_auth_url} must use the domain name from the certificate rather than the public IP address; otherwise docker login fails with a certificate signature error.
  • Docker Auth serves HTTPS by default, so ${docker_auth_url} must use the https scheme.

  • Certificates can be obtained free of charge from Aliyun.

3.3 Starting the Service

docker run -d \
  -p ${port}:5000 \
  --restart=always \
  --name=registry \
  -v /opt/docker_registry/config/:/etc/docker/registry/ \
  -v /opt/docker_registry/data:/var/lib/registry \
  -v /root/cert.pem:/root/cert.pem:ro \
  -v /root/cert.key:/root/cert.key:ro \
  registry:2.3
  • The Docker Registry service can likewise be exposed with FRP.

3.4 Using Nginx to Provide HTTPS Services

cat >> /opt/nginx/dockerRegistry.conf <<'eof'
server {
    listen 443 ssl;
    server_name ${host_name};
    ssl_certificate /etc/nginx/ssl/registry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-cert.key;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # the intranet registry is exposed with FRP
        proxy_pass https://${host_name};
    }
}
eof
  • Deploy the Nginx service in a Docker container.

  • The certificate used by the HTTPS service in Nginx can be the same one used by the Docker Auth service.

  • Add client_max_body_size 0; to the http block of nginx.conf; otherwise pushing a large image fails with a Request Entity Too Large error.

4 (Optional) Deploy the Docker private repository service in one step with docker-compose

cat >> /opt/docker_registry/registry.yaml <<'eof'
version: '3.7'
services:
  auth:
    image: cesanta/docker_auth:1.6.0
    volumes:
      - /opt/docker_auth/config:/config:ro
      - /opt/docker_auth/log:/logs
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    container_name: docker_auth
    restart: always
    command: --v=2 --alsologtostderr /config/auth_config.yml
    ports:
      - ${auth_port}:5001
  docker_registry:
    image: registry:2.3
    container_name: registry
    depends_on:
      - auth
    ports:
      - ${registry_port}:5000
    volumes:
      - /opt/docker_registry/config:/etc/docker/registry
      - /opt/docker_registry/data:/var/lib/registry
      - /opt/docker_auth/ssl/registry-cert.pem:/root/cert.pem:ro
      - /opt/docker_auth/ssl/registry-cert.key:/root/cert.key:ro
    restart: always
eof

cd /opt/docker_registry && docker-compose -f registry.yaml up -d

5 Using the Docker private repository service

5.1 Enabling HTTP access to the private repository

vim /etc/docker/daemon.json

Add the following node to the JSON structure:

{
  "insecure-registries": ["${registry_hostname}:${port}"]
}

Restart the Docker service:

systemctl daemon-reload
systemctl restart docker

5.2 Trying out the private repository service

5.2.1 Pushing an Image

  1. Log in to your private repository

docker login ${registry_hostname}:${port}

  2. Tag the image with a name that includes the registry host (without it, the push goes to DockerHub by default)

docker tag [OPTIONS] IMAGE[:TAG] [REGISTRYHOST/][USERNAME/]NAME[:TAG]

Example: docker tag myapp:v1 localhost:8080/myname/myapp:v1

  3. Push the image

docker push [OPTIONS] NAME[:TAG]

Example: docker push localhost:8080/myname/myapp:v1

  4. If you are using the DockerHub repository service instead:
    1. docker login --username username
    2. docker tag my-image username/my-repo
    3. docker push username/my-repo

5.2.2 Pulling an image

docker pull [OPTIONS] NAME[:TAG]

7 TODO

  • Use Keycloak for user authentication
    • Manage Docker-Registry auth with Keycloak
    • Docker Authentication with Keycloak