Background
DockerHub provides many official images, and we can upload images to it and download images from it, but:
- Because of network limitations, uploading and downloading images is slow.
- The images used in production contain a lot of private information, which outsiders could easily obtain if the images were placed on DockerHub.
To solve these problems, the official registry image can be used to build a local private image repository. Building a private Docker repository on the intranet means that only intranet users can download the images, and uploads and downloads are also faster.
Advantages
- External access can be restricted
- Uploads and downloads are fast and are not limited by Internet bandwidth
- Repository authentication is supported
Environment
- Host 10.0.95.63 (a PC temporarily used as the private image repository server), KFDockerRegistry
- Port 5566 is used
Notes
Uploading:
- Log in to the private repository with `docker login 10.0.95.63:5566`, then enter the username and password.
- The name of the image to be uploaded must be prefixed with the private repository identifier `10.0.95.63:5566`, for example `10.0.95.63:5566/nginx:latest`.
- Log out after uploading with `docker logout`.
Downloading:
- The name of the image to be downloaded must be prefixed with the private repository identifier `10.0.95.63:5566`, for example `10.0.95.63:5566/nginx:latest`.
Set up a private repository
- Pull the private repository (registry) image:
```shell
docker pull registry
```
- Modify the Docker configuration file. Edit /etc/docker/daemon.json (vi /etc/docker/daemon.json) and add the following content so that Docker trusts the private repository address (every Docker client that needs to access the private repository must have this configuration):
```json
{ "insecure-registries": [ "10.0.95.63:5566" ] }
```
Without it, errors like the following may occur:
```
x509: cannot validate certificate for 10.0.95.63 because it doesn't contain any IP SANs
Get https://10.0.95.63:5566/v2/: http: server gave HTTP response to HTTPS client
```
- Reload the configuration and restart the Docker service:
```shell
sudo systemctl daemon-reload
sudo systemctl restart docker
```
- After the restart completes, run the private repository container:
```shell
docker run -id -p 5566:5000 --name registry -v /media/mes/file2/docker_registry:/var/lib/registry registry
```
Where:
- -d: run the container in the background.
- --name: the container name.
- -p: port mapping; host port 5566 is mapped to container port 5000.
- -v: mounts the host directory /media/mes/file2/docker_registry onto the container's /var/lib/registry, so the stored images live on the host.
- Open http://10.0.95.63:5566/v2/_catalog in a browser; if it displays {"repositories":[]}, the repository has been set up successfully.
- Push an image to the private repository. First tag the image with the tag command:
```shell
docker tag nginx:latest 10.0.95.63:5566/nginx:latest
```
Then push it to the private repository with the push command:
```shell
docker push 10.0.95.63:5566/nginx:latest
```
Then open http://10.0.95.63:5566/v2/_catalog in the browser again to see the result.
You can also see the uploaded image data in the mounted directory.
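Two things the notes and the daemon.json step above leave implicit are why the image name must carry the `10.0.95.63:5566` prefix (Docker's naming rule decides the push target) and how to add the address to an existing /etc/docker/daemon.json without discarding the settings already in it. The following is an added example, not code from the original post; the address follows the post and the helper functions are hypothetical.

```python
"""Added example (not from the original post): which registry an image name
resolves to, and a safe edit of /etc/docker/daemon.json. The address
10.0.95.63:5566 follows the post; the helper functions are hypothetical."""
import json


def registry_of(image_ref):
    """Docker's naming rule: the part before the first '/' is a registry only if
    it contains '.' or ':' or is 'localhost'. Anything else (nginx:latest,
    library/nginx) is pushed to Docker Hub, not to the private repository."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def load_config(daemon_json_text):
    """Parse daemon.json, treating a missing or empty file as an empty config."""
    return json.loads(daemon_json_text) if daemon_json_text.strip() else {}


def add_insecure_registry(daemon_json_text, registry):
    """Merge registry into 'insecure-registries' while keeping every other key
    (log-driver, registry-mirrors, ...); overwriting the file would drop them."""
    host, _, port = registry.partition(":")
    if not host or (port and not port.isdigit()):
        raise ValueError(f"bad registry address: {registry!r}")
    config = load_config(daemon_json_text)
    entries = config.setdefault("insecure-registries", [])
    if registry not in entries:  # idempotent: running it twice adds nothing
        entries.append(registry)
    return json.dumps(config, indent=2) + "\n"


def push_destination(image_ref, daemon_json_text):
    """Where `docker push image_ref` goes, and whether this daemon has been told
    to skip TLS verification for that registry (only needed before TLS is set up)."""
    reg = registry_of(image_ref)
    insecure = load_config(daemon_json_text).get("insecure-registries", [])
    return {"registry": reg, "insecure_allowed": reg in insecure}
```

Note that an entry in insecure-registries disables certificate checking for that address on every client that carries it, so it is a stop-gap until the certificate setup below is in place.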
Configure private repository authentication
To improve the security of the private repository, set up a security certificate and password authentication.
- Create a directory for the certificate:
```shell
sudo mkdir -p /usr/local/registry/certs
```
- Generate a certificate:
```shell
sudo openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt
```
Where:
- openssl req: creates certificate signing requests and, with -x509, self-signed certificates.
- -newkey: creates a new private key together with the request.
- rsa:2048: the new RSA private key is 2048 bits long.
- -nodes: does not encrypt the private key.
- -sha256: uses SHA-256 as the signature digest.
- -keyout: the name and location of the private key file.
- -x509: outputs a self-signed certificate instead of a signing request.
- -days: the certificate validity period in days.
- -out: the name and location of the output file (here the self-signed certificate, because -x509 is given).
- Generate the authentication password file:
```shell
# Create the directory for the password file
sudo mkdir -p /usr/local/registry/auth
# Install httpd to get the htpasswd tool; Apache2 is chosen here
sudo apt-get install apache2
# Create a user and password (the redirection runs as the calling user, hence the chmod)
sudo chmod -R 777 /usr/local/registry/auth
sudo htpasswd -Bbn root mes_2020 > /usr/local/registry/auth/htpasswd
```
(The htpasswd file must be written under /usr/local/registry/auth, the directory created above and mounted as /auth in the next step.)
- Run the private repository container:
```shell
docker run -id --name registry -p 5566:5000 \
  -v /mydata/docker_registry:/var/lib/registry \
  -v /usr/local/registry/certs:/certs \
  -v /usr/local/registry/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry
```
- Pushing 10.0.95.63:5566/nginx:latest to the private repository now fails with the prompt: no basic auth credentials.
- Log in and upload. Log in to the private repository with the docker login command:
```shell
docker login 10.0.95.63:5566
```
Then push the image to the private repository:
```shell
docker push 10.0.95.63:5566/nginx:latest
```
- Log out of the account:
```shell
docker logout 10.0.95.63:5566
```
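After the container above is running, it is worth confirming that the registry really refuses anonymous requests and accepts the htpasswd user rather than relying on the "no basic auth credentials" message alone. The following probe is an added example, not code from the original post; the address, realm and credentials follow the post, and the `fetch` parameter is injectable so the checks can be exercised without a live registry.

```python
"""Added example (not from the original post): probe the registry after the
TLS + htpasswd setup. Addresses and credentials follow the post; `fetch` is a
hypothetical hook so the logic can run against canned responses."""
import base64
import json
import ssl
import urllib.error
import urllib.request


def _http_fetch(url, headers, ca_file):
    """Default transport: GET url over TLS, trusting only ca_file (domain.crt).
    A 401 is returned as data rather than raised, since its headers are inspected."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def probe_registry(base, user, password, ca_file=None, fetch=_http_fetch):
    """Collect findings about auth enforcement on a registry v2 endpoint."""
    findings = {"uses_tls": base.startswith("https://")}
    status, hdrs, _ = fetch(base + "/v2/", {}, ca_file)
    challenge = {k.lower(): v for k, v in hdrs.items()}.get("www-authenticate", "")
    findings["anon_rejected"] = status == 401
    findings["basic_challenge"] = challenge.lower().startswith("basic ")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, _, body = fetch(base + "/v2/_catalog", {"Authorization": "Basic " + token}, ca_file)
    findings["auth_accepted"] = status == 200
    try:
        findings["repositories"] = json.loads(body or b"{}").get("repositories", [])
    except (ValueError, AttributeError):
        findings["repositories"] = []
    return findings


def problems(findings):
    """Translate findings into the misconfigurations a defender should fix."""
    msgs = []
    if not findings["uses_tls"]:
        msgs.append("plain HTTP: credentials and images travel unencrypted")
    if not findings["anon_rejected"]:
        msgs.append("anonymous /v2/ access allowed: REGISTRY_AUTH not in effect")
    if not findings["basic_challenge"]:
        msgs.append("no Basic WWW-Authenticate challenge: docker login cannot negotiate")
    if not findings["auth_accepted"]:
        msgs.append("htpasswd user rejected: check REGISTRY_AUTH_HTPASSWD_PATH and the /auth mount")
    return msgs
```

Run it as `problems(probe_registry("https://10.0.95.63:5566", "root", "mes_2020", ca_file="/usr/local/registry/certs/domain.crt"))`; an empty list means the setup behaves as intended. If urlopen raises an SSL verification error instead, the certificate does not match the address it is served on (the IP SAN error quoted earlier), which is the same check docker performs once the address is no longer listed under insecure-registries.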