Background

Docker Hub provides many official images, and we can upload images to it and download images from it, but:

  • Because of network limitations, uploading and downloading images is slow.

  • Images used in production contain a great deal of private information; if they are placed on Docker Hub, outsiders can easily get at them.

To solve both problems, the official registry image can be used to build a local private image registry. A private Docker registry on the intranet lets only intranet personnel download the images, and upload and download speeds are faster as well.

Advantages

  • External access can be restricted
  • Uploads and downloads are fast and not limited by Internet bandwidth
  • Registry authentication is supported

Environment

  • 10.0.95.63 host (a PC temporarily serving as the private image registry server), KFDockerRegistry

  • Port 5566

Notes

Upload:

  • Log in to the private registry with docker login 10.0.95.63:5566, then enter the username and password.
  • The name of the image to be uploaded must be prefixed with the private registry address 10.0.95.63:5566, for example 10.0.95.63:5566/nginx:latest.
  • Log out after uploading: docker logout.

Download:

  • The name of the image to be downloaded must be prefixed with the private registry address 10.0.95.63:5566, for example 10.0.95.63:5566/nginx:latest.

Set up a private registry

  1. Pull the registry image

    docker pull registry

  2. Modify the Docker configuration

    Edit /etc/docker/daemon.json (vi /etc/docker/daemon.json) and add the following so that Docker trusts the private registry address. Every Docker client that needs to access the private registry must have this configuration:

    {
        "insecure-registries": ["10.0.95.63:5566"]
    }

    Without it, errors like the following occur:

    X509: cannot validate certificate for 10.0.95.63 because it does not contain any IP SANs
    Get https://10.0.95.63:5566/v2/: http: server gave HTTP response to HTTPS client
  3. Reload the configuration and restart the Docker service

    sudo systemctl daemon-reload
    sudo systemctl restart docker

  4. After the restart completes, run the private registry container

    docker run -id -p 5566:5000 --name registry -v /media/mes/file2/docker_registry:/var/lib/registry registry

    Where:

    -d: run the container in the background (-i keeps stdin open and is not needed for the registry).

    --name: the container name.

    -p: port mapping. Host port 5566 is mapped to port 5000 in the container.

    -v: mount the host directory /media/mes/file2/docker_registry at /var/lib/registry in the container, which is where the registry stores its image data.

  5. Open http://10.0.95.63:5566/v2/_catalog in a browser. If it shows {"repositories":[]}, the registry is up.

  6. Push an image to the private registry

    Tag the image with the tag command:

    docker tag nginx:latest 10.0.95.63:5566/nginx:latest

    Then push it to the private registry with the push command:

    docker push 10.0.95.63:5566/nginx:latest

    Reload http://10.0.95.63:5566/v2/_catalog in the browser; the pushed image now appears in the list.

    The uploaded image data can also be seen in the mounted host directory.
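The client-side part of the procedure above (trusting the registry in daemon.json, tagging with the registry prefix, pushing, and confirming the push through /v2/_catalog) as one script. This is an added example, not code from the original post: the registry address 10.0.95.63:5566, the daemon.json path and the catalog URL come from the page; the function names and the RUN_PUSH switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): client-side helpers for the
# plain-HTTP private registry set up above. REGISTRY defaults to the page's
# address; the daemon.json path and RUN_PUSH switch are this example's choices.
set -e

REGISTRY="${REGISTRY:-10.0.95.63:5566}"

# registry_trusted FILE REGISTRY -> 0 if FILE lists REGISTRY under
# "insecure-registries". Whitespace is stripped first so the JSON layout does
# not matter; no jq needed.
registry_trusted() {
    [ -r "$1" ] || return 1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    tr -d ' \t\r\n' < "$1" \
        | grep -q "\"insecure-registries\":\[[^]]*\"$esc\"[^]]*]"
}

# qualified_name IMAGE -> IMAGE with the registry prefix the page requires
# (10.0.95.63:5566/nginx:latest); left unchanged if already prefixed.
qualified_name() {
    case "$1" in
        "$REGISTRY"/*) printf '%s\n' "$1" ;;
        *)             printf '%s/%s\n' "$REGISTRY" "$1" ;;
    esac
}

# catalog_has_repo JSON REPO -> 0 if a /v2/_catalog body such as
# {"repositories":["nginx"]} lists REPO. Exact match: "nginx" does not
# match "nginx-proxy".
catalog_has_repo() {
    printf '%s' "$1" | tr -d ' \t\r\n' \
        | grep -q "\"repositories\":\[[^]]*\"$2\"[^]]*]"
}

# push_image IMAGE -> tag, push, then verify the repository appears in the
# catalog. Fails early if this client's daemon.json does not trust the registry.
push_image() {
    registry_trusted /etc/docker/daemon.json "$REGISTRY" \
        || { echo "add \"$REGISTRY\" to insecure-registries in /etc/docker/daemon.json first" >&2; return 1; }
    target=$(qualified_name "$1")
    docker tag "$1" "$target"
    docker push "$target"
    repo=${target#"$REGISTRY"/}; repo=${repo%%:*}      # nginx:latest -> nginx
    body=$(curl -sS "http://$REGISTRY/v2/_catalog")
    catalog_has_repo "$body" "$repo" \
        || { echo "$repo missing from catalog: $body" >&2; return 1; }
    echo "$target pushed and listed in the catalog"
}

# Runs only when explicitly asked, e.g.:  RUN_PUSH=1 sh push.sh nginx:latest
if [ "${RUN_PUSH:-0}" = 1 ]; then
    push_image "${1:-nginx:latest}"
fi
```

The catalog check is the scripted form of the browser check in step 5 and step 6: a push that completed without error but whose repository is absent from the catalog usually means the tag pointed at a different registry than intended.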

Configure private registry authentication

To improve the security of the private registry, enable TLS with a certificate and add password authentication.

  1. Create the certificate directory

    sudo mkdir -p /usr/local/registry/certs

  2. Generate a certificate

    sudo openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt

    Where:

    openssl req: creates certificate signing requests and, with -x509, self-signed certificates;

    -newkey: generates a new private key along with the request or certificate;

    rsa:2048: the new key is a 2048-bit RSA key;

    -nodes: do not encrypt the private key;

    -sha256: sign with SHA-256;

    -keyout: name and location of the private key file to create;

    -x509: output a self-signed certificate instead of a CSR;

    -days: validity period of the certificate in days;

    -out: name and location of the certificate output file.

  3. Generate the authentication password file

    # Create a directory for the password file
    sudo mkdir -p /usr/local/registry/auth
    # Install httpd; Apache2 is chosen here (htpasswd comes from the apache2-utils package it pulls in)
    sudo apt-get install apache2
    # Create a user and password. -B selects bcrypt, the only hash format the registry accepts.
    # The directory is made world-writable because the redirect below runs as the invoking
    # user, not under sudo; the registry itself only needs read access to the file.
    sudo chmod -R 777 /usr/local/registry/auth
    sudo htpasswd -Bbn root mes_2020 > /usr/local/registry/auth/htpasswd
  4. Run the private repository container

    docker run -id --name registry -p 5566:5000 \
       -v /mydata/docker_registry:/var/lib/registry \
       -v /usr/local/registry/certs:/certs \
       -v /usr/local/registry/auth:/auth \
       -e "REGISTRY_AUTH=htpasswd" \
       -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
       -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
       -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
       -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
       registry
  5. Pushing 10.0.95.63:5566/nginx:latest now fails with the message: no basic auth credentials

  6. Log in and upload

    Log in to the private registry with the docker login command:

    docker login 10.0.95.63:5566

    Then push the image to the private registry:

    docker push 10.0.95.63:5566/nginx:latest

  7. Log out

    docker logout 10.0.95.63:5566
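The openssl command in step 2 prompts for the subject interactively and produces a certificate without a subjectAltName, so a Docker client validating TLS against the bare IP still reports the "does not contain any IP SANs" error from the first section and only succeeds because the insecure-registries entry makes it fall back to unverified TLS. The script below is an added example, not code from the original post: it generates the certificate with an IP SAN, installs it as a per-registry CA on a client (after which the insecure-registries entry can be dropped), validates the htpasswd file from step 3, tightens its permissions, and wraps the login/push/logout sequence of steps 6 and 7. Assumed rather than taken from the page: OpenSSL 1.1.1 or newer (for -addext), the function names, the REGISTRY_USER and REGISTRY_PASSWORD variables, and the RUN_PUSH switch.

```shell
#!/bin/sh
# Added example (not from the original post): hardening helpers for the
# authenticated registry. Paths and the 10.0.95.63:5566 address follow the
# page; everything else here is this example's own choice.
set -e

# make_registry_cert DIR IP [DAYS] -> DIR/domain.key + DIR/domain.crt, self-signed,
# with SAN IP:<IP> so TLS clients can validate a connection to the bare address.
make_registry_cert() {
    dir="$1"; ip="$2"; days="${3:-365}"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days "$days" \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
    chmod 600 "$dir/domain.key"          # private key stays owner-only
}

# cert_has_ip_san CRT IP -> 0 if the SAN extension lists exactly IP
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -Eq "IP Address:$2(,|\$)"
}

# install_client_ca CRT HOST:PORT [ROOT] -> copy CRT where dockerd looks for
# per-registry CAs (ROOT/etc/docker/certs.d/HOST:PORT/ca.crt; ROOT is only for
# testing, the real path needs root). With this in place the client no longer
# needs the "insecure-registries" entry.
install_client_ca() {
    dest="${3:-}/etc/docker/certs.d/$2"
    mkdir -p "$dest" && cp "$1" "$dest/ca.crt"
}

# check_htpasswd FILE -> 0 if every line is user:$2[aby]$cost$hash (bcrypt).
# The registry ignores entries in any other hash format, so a file made with
# plain `htpasswd -n` (MD5) yields logins that always fail.
check_htpasswd() {
    [ -s "$1" ] || { echo "$1 missing or empty" >&2; return 1; }
    if grep -Evq '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' "$1"; then
        echo "non-bcrypt or malformed line in $1" >&2; return 1
    fi
}

# lock_down FILE -> owner-only access instead of the chmod -R 777 above; the
# registry process runs as root inside the container and can still read it.
lock_down() {
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

# push_authenticated TARGET -> login (password from $REGISTRY_PASSWORD via
# stdin, so it never appears in the process list), push, and always log out.
push_authenticated() {
    reg=${1%%/*}                      # 10.0.95.63:5566/nginx:latest -> 10.0.95.63:5566
    printf '%s' "$REGISTRY_PASSWORD" | docker login "$reg" -u "$REGISTRY_USER" --password-stdin
    trap 'docker logout "$reg"' EXIT  # runs even if the push fails
    docker push "$1"
}

# Runs only when explicitly asked, e.g.:
#   REGISTRY_USER=root REGISTRY_PASSWORD=... RUN_PUSH=1 sh auth-push.sh 10.0.95.63:5566/nginx:latest
if [ "${RUN_PUSH:-0}" = 1 ]; then
    push_authenticated "${1:-10.0.95.63:5566/nginx:latest}"
fi
```

Run check_htpasswd and lock_down once right after step 3, before the container from step 4 mounts the file; run make_registry_cert in place of the step 2 command when the registry is reached by IP, and install_client_ca on every client that should verify the certificate rather than skip verification.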

Reference Documents:

  • Building and authenticating a private Docker image registry