registry docker-compose 部署
部署目錄
$ ll
drwxr-xr-x 2 root root 60 Aug 9 18:49 config
-rwxr-x--- 1 root root 7970401 Aug 9 18:49 docker-compose
-rw-r----- 1 root root 311 Aug 9 18:49 docker-compose.yml
-rw------- 1 root root 35680768 Aug 9 18:49 image-registry-2.6.2.tar
-rw-r----- 1 root root 677 Aug 9 18:49 README.md
$
$ cat README.md
前置要求
- node機器配置DNS: 域名hub.cloud.pub指向registry所在機器。
- Docker安裝:確保registry所在機器的docker已經安裝。
- 盤符掛載:掛載到registry所在機器的/Docker目錄。
- 鏡像文件放置:將image.tar解壓到上述掛載目錄。
解壓後的v2文件夾拷貝至 /Docker/registry/docker/registry
安裝步驟
- 解壓registry_chongqing.tar.gz。
- docker load -i registry_chongqing/registry.tar
- cp registry_chongqing/docker-compose /usr/local/bin/
- docker-compose up -d (在 docker-compose.yml 所在目錄下執行)
- (可選)如果盤符掛載不是/Docker,修改registry_chongqing/docker-compose.yml第10行":"左邊部分爲相應目錄。
$ cat docker-compose.yml
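version: '2'
services:
  registry:
    ports:
      - 80:80    # host 80 -> container 80; config.yml enables TLS on :80, so this port speaks HTTPS too
      - 443:80   # host 443 -> the same TLS listener (matches http.host https://hub.cloud.pub)
    image: registry:2.6.2
    restart: always
    volumes:
      - /Docker/registry:/var/lib/registry   # line 10: edit the left-hand side if the data disk is mounted elsewhere
      - ./config/:/etc/registry/:ro          # config.yml, domain.crt and domain.key are only read, so mount read-only
    environment:
      - GODEBUG=netdns=cgo   # make the Go runtime use the cgo (libc) DNS resolver
    command:
      ["serve", "/etc/registry/config.yml"]
# NOTE(review): if clients only ever use https://hub.cloud.pub (port 443), the
# 80:80 mapping can be dropped to reduce the exposed surface.
# The nesting above is restored from the Compose v2 schema; the listing as
# published had lost its indentation.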
cat config/config.yml
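# Docker Registry (distribution) configuration, mounted at /etc/registry/config.yml.
# Nesting restored from the registry configuration schema; the published
# listing had lost its indentation.
# NOTE(review): there is no `auth:` section, so every client that can reach the
# listener may pull and push, and, because storage.delete is enabled, delete images.
version: 0.1
log:
  level: debug            # verbose; NOTE(review): consider a quieter level once the deployment is verified
  formatter: json
  fields:
    service: registry
  accesslog:
    disabled: true        # no access log is written, so pulls/pushes/deletes leave no request-level trail
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry   # /Docker/registry on the host, per the compose volume
  maintenance:
    uploadpurging:
      enabled: false      # orphaned upload data is not purged automatically
  delete:
    enabled: true         # blobs and manifests can be deleted through the API
http:
  addr: :80               # TLS is configured below, so this listener serves HTTPS on port 80
  host: https://hub.cloud.pub
  secret: placeholder     # replace with a random value; it signs state handed to clients
  debug:
    addr: :5001           # debug listener; docker-compose.yml does not publish this port
  tls:
    certificate: /etc/registry/domain.crt
    key: /etc/registry/domain.key   # private key: keep the host-side ./config directory owner-only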
cat domain.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
cat domain.crt
-----BEGIN CERTIFICATE-----
MIIFhzCCA2+gAwIBAgIJAILSreXM0r8hMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
Q29tcGFueSBMdGQxFjAUBgNVBAMMDWh1Yi5jbG91ZC5wdWIwHhcNMTcxMTA4MDc1
NjA0WhcNMjcxMTA2MDc1NjA0WjBaMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVm
YXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRYwFAYDVQQD
DA1odWIuY2xvdWQucHViMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
wZqcDfVmHH4SNcHxEsWQV0wSONpe6pSM6/cBYhErLJe8fVXH8DM/YlgNO0bHyb5O
RlYLESGSUIe4K27AIVWuD/N9vHXVyWkv0/EeTuW8qP7yA8FHLvygDvMl6rkhe6h8
wst1Zd6Al4PaFFs5M/P/+RwlydkNBBtcSbzoJAVkUIpiogVJ/vE70v/kVit3dTi2
Z243JE/bvEFZSX0NeMQP4n5znTYO8OAYqpHlGSxZMz+FimannVlyxqYzUV/0ZmoZ
1n96247/vFlMGduNGa1nGmfWZMNUy5D/1Oad+JY4ucGAaHLde/uFOrENvt5xZU75
O1L+eWrLA4h43ddHR8UiOwAJH5vZlx5zIiOARiAkHN9lHj6SPAIz10hb6C2qqhMh
jz8uf2OIm9ESO3yB86JX2p+DLf8mR66sPYV5J+fXMh7pePU3FXCHMIw7Bwr6q4Dn
LvrDpLBA3eBCETdRHu8xaTS5QfsmaTQkgJmE99DRuT+SWkUvMcQFmJti3m3HyB+X
mD+vOD/QFKdzPDwX+8r493ARKbLu5Cbh/uIuCRk43nZhYFI0/FhonbMpkhgbpFzn
Ws4xh2T7DfTC8krWr6GT1efcsD7Gc0HEX7xz5b2IkdQ2TT0oiTJ+1Fo+zNDDZVCW
Hj3ihv8kW1J8iFJgkplbqp5ARf4HtwQCJeZFhuaaFY0CAwEAAaNQME4wHQYDVR0O
BBYEFP+szb509E4cH8H2RRoh4eNMwl15MB8GA1UdIwQYMBaAFP+szb509E4cH8H2
RRoh4eNMwl15MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAExI5ek8
5VWZG7JbrXFRSCxfynj7OH6ZZOEZUZtVDv9RURUbKzSb6cqcm+/0bnhTtk1dVRRc
iXLwls7rLVGEGQjswVNFbX064bp+IJL31q3Ga2VAYUMnd+Fq7Ggp4wNuWN2Ke1rc
lWr8ViKwKWAxnrQmuDQAmDgEch3I0509gkcZElRSoh/pfTjN97GeTkkQyQsB94Ni
rDhv/lFxDB9Tt2IbmR/ihlBcaxBCUHx1GUBQNUKKQFnCYUtGYS0pCrZUJnpGwmYr
TgCOgRWjq/ZWxSDeP2WLaJpVl96ZS+rnCO74XYKBtA487trzmLPzj1TFTbYS1rjl
lYmOoGlVd7v7V8/E12DcXGVjCKRrGguhbHfNSna9mOieol7f8HQCJk59p47OS3k/
qbYWmfU8Hauvgm6jRWXsR9UMGqo/8zadxhdLOKvyHSo9aM/1DiF29mxS+/1poB9H
k9PbRQy3aIAE+/kuIOjezGh/p45qrSfN0bYwtoA8ahqG4VcxMbYyg7+99F+Lo96V
KpsoFY6C1VLsIlY6GA59BFA8AjUPeDvsICdlyWgkPYXKFo81s5+101J4ZjBGIGjo
+pRx7+WEpXV7Js2a5/Qs2QQ4SG37SeYBaRfFAJLpe5Q0pkVIPJNwjHrDgONP61Si
qMRrW2+TWgALHKl2tCS1PdrQpxOHlJ1L8Wrz
-----END CERTIFICATE-----
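證書生成方式參考(上面的 domain.crt 是自簽名證書:簽發者與主體相同,CN=hub.cloud.pub,且不含 SAN 擴展,客戶端需要顯式信任該證書;較新版本的 Docker/Go 客戶端不再接受只有 CN 的證書,重新簽發時應在 CSR 的 hosts 中寫入域名)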
$ cat install_registry.sh
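#!/bin/bash
# install_registry.sh - generate TLS material and an htpasswd file for the
# in-cluster registry, append them to the manifest as the "tls" ConfigMap and
# (re)create the resources in docker-registry-internal.yaml.
#
# Needs cfssl, cfssljson, htpasswd and kubectl on PATH; ca-csr.json,
# ca-config.json, docker-csr.json and docker-registry-internal.yaml.template
# in the working directory; write access to /etc/pki/tls/certs/ca-bundle.crt.
set -euo pipefail

# The key, the htpasswd file and the rendered manifest are created owner-only.
umask 077

namespace="kube-system"
account="caas"
# Single quotes are required: inside double quotes "$3" is expanded as the
# third positional parameter, which silently changes the password.
# Sample credential from the write-up; replace it before real use.
password='Pacc$3@1'

#######################################
# Print a file on one line, every newline replaced by the four characters
# \r\n, so the value can sit inside a double-quoted YAML scalar.
# Arguments: $1 - file to flatten
# Outputs:   flattened content on stdout
#######################################
flatten_file() {
  # Inside $( ) the sed script is taken literally; the backtick form needs
  # the backslashes doubled (\\\\r\\\\n) to reach sed as \\r\\n.
  sed ':a;N;$!ba;s/\n/\\r\\n/g' -- "$1"
}

# Generate the certificates. The Kubernetes self-signed CA can be used as
# ca.pem/ca-key.pem instead, in which case the -initca step can be skipped.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=docker docker-csr.json | cfssljson -bare docker

# Generate the password file (bcrypt). The password is fed on stdin (-i)
# rather than with -b, so it never shows up in the process argument list.
printf '%s\n' "$password" | htpasswd -Bic authfile "$account"

# Flatten the files for the ConfigMap. The htpasswd hash is not echoed:
# a bcrypt hash in terminal scrollback or CI logs can be attacked offline.
domainkey=$(flatten_file docker-key.pem)
domaincrt=$(flatten_file docker.pem)
htpasswd=$(flatten_file authfile)

# Trust the CA on this host. No `cd` here: ca.pem is in the working directory
# (cfssljson wrote it there) and the template below is resolved relative to
# the same directory.
# NOTE(review): every run appends another copy of the CA to the bundle.
cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt

cp -i docker-registry-internal.yaml.template docker-registry-internal.yaml

# Append the ConfigMap that carries the TLS pair and the htpasswd entry.
# The leading --- keeps it a separate YAML document from the template content.
# NOTE(review): ConfigMap data is readable by anything allowed to read
# configmaps in the namespace; domain.key and htpasswd belong in a Secret,
# which presumably needs a matching change in the template (not visible here).
cat >> docker-registry-internal.yaml <<EOF
---
apiVersion: v1
kind: ConfigMap
data:
  domain.crt: "$domaincrt"
  domain.key: "$domainkey"
  htpasswd: "$htpasswd"
metadata:
  name: tls
  namespace: $namespace
EOF

# Remove a previous deployment; --ignore-not-found keeps a first-time install
# from failing (and from blocking in the wait loop) when nothing exists yet.
kubectl delete -f docker-registry-internal.yaml --ignore-not-found

# Wait until no registry pod is listed any more before creating the new one.
# grep runs without -q so kubectl is never cut off mid-output under pipefail.
# NOTE(review): this matches any pod line in the namespace containing "registry".
while kubectl get pod -n "$namespace" | grep registry; do
  sleep 3
done

kubectl create -f docker-registry-internal.yaml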