Install Docker
Only the apt-based installation is shown here; offline installation is not covered.
Clean up leftovers
If Docker came pre-installed on the system or was installed before, uninstall it completely first, then install.

```bash
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt remove $pkg; done
sudo rm -rf /var/lib/docker
sudo rm -rf /var/lib/containerd
```
Install via apt
Set up a proxy
Docker is blocked by the GFW, so reaching it requires a VPN; here the ss (Shadowsocks) service set up earlier is used.
Create apt.conf

```bash
sudo vi /etc/apt/apt.conf
```

Add the proxy configuration, with the default mirror addresses set to go DIRECT; that way, once the Docker repository is configured later, apt update can reach everything straight away.

```
Acquire::http::Proxy "http://127.0.0.1:8118";
Acquire::http::Proxy {
  archive.ubuntu.com DIRECT;
  security.ubuntu.com DIRECT;
  cn.archive.ubuntu.com DIRECT;
  mirrors.tuna.tsinghua.edu.cn DIRECT;
}
Acquire::https::Proxy "http://127.0.0.1:8118";
Acquire::https::Proxy {
  archive.ubuntu.com DIRECT;
  security.ubuntu.com DIRECT;
  cn.archive.ubuntu.com DIRECT;
  mirrors.tuna.tsinghua.edu.cn DIRECT;
}
```
Configure the repository and install
Install Docker following the official Docker documentation; the command that downloads docker.asc has been modified slightly.

```bash
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
export http_proxy=http://127.0.0.1:8118;export https_proxy=http://127.0.0.1:8118;
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o docker.asc && sudo mv docker.asc /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install containerd.io docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin
```
Follow-up
Add the current user to the docker group

```bash
sudo groupadd docker
sudo usermod -aG docker $USER
```
Deploy a registry
Configure a proxy
Because of the GFW, access to Docker Hub flakes out from time to time, so a proxy can be configured before using docker pull. This step can be skipped.
Create the config file

```bash
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf
```

Configure the proxy

```ini
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:8118"
Environment="HTTPS_PROXY=http://127.0.0.1:8118"
Environment="NO_PROXY=localhost,127.0.0.1,registry.noname.io"
```

Restart and verify the Docker daemon's environment variables

```bash
sudo systemctl daemon-reload
sudo systemctl restart docker
sudo systemctl show --property=Environment docker
```
Generate an SSL certificate
Plain HTTP would work, but pulling images for k8s later requires HTTPS; rather than fiddling with it again later, it is taken care of here once and for all.
/data/docker/ is the directory I use specifically for registry-related data, including the certs and the image data that docker push uploads later.
In the command below, the key domain name registry.noname.io must be filled in correctly.

```bash
# the output directory must exist before openssl writes into it
sudo mkdir -p /data/docker/certs
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout /data/docker/certs/noname.io.key \
  -addext "subjectAltName = DNS:registry.noname.io" \
  -x509 -days 365 -out /data/docker/certs/noname.io.crt
```

With that, the certificate needed for HTTPS is ready.
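The post says the domain name in the openssl command "must be filled in correctly" but never checks it. The script below is an added example (not code from the original post): it creates the certificate the same way, but non-interactively (the extra -subj supplies the subject so openssl does not prompt), and then verifies the three things that otherwise surface only as failed pushes and pulls: the subjectAltName names the registry host (Docker and curl match the SAN, not the CN), the key really belongs to the certificate, and the 365-day certificate is not about to expire. DIR, HOST and BITS are parameters; the post uses /data/docker/certs, registry.noname.io and 4096.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Generates the self-signed
# registry certificate and checks SAN, key/cert pairing and expiry.
set -u

# Write DIR/HOST.key and DIR/HOST.crt (365 days, SAN = DNS:HOST).
# -subj supplies the subject so openssl does not prompt for it.
make_registry_cert() {
  local dir="$1" host="$2" bits="${3:-4096}"
  mkdir -p "$dir"
  openssl req -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$dir/$host.key" \
    -subj "/CN=$host" \
    -addext "subjectAltName = DNS:$host" \
    -x509 -days 365 -out "$dir/$host.crt" 2>/dev/null
}

# Succeed only if CRT's subjectAltName lists exactly DNS:HOST. A typo here
# shows up later as "certificate is valid for X, not Y" on every pull.
cert_has_san() {
  local crt="$1" host="$2"
  openssl x509 -in "$crt" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr -d ' ' | tr ',' '\n' \
    | grep -qx "DNS:$host"
}

# Succeed only if KEY is the private key for CRT, by comparing the PEM
# public keys (the registry refuses to start when the pair does not match).
cert_matches_key() {
  local crt="$1" key="$2" a b
  a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed if CRT expires within DAYS days; openssl -checkend exits non-zero
# when the certificate will expire inside the window, so invert it.
cert_expires_within() {
  local crt="$1" days="$2"
  ! openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null
}

# Stand-alone use: bash this_script.sh /data/docker/certs registry.noname.io
if [ "$#" -ge 2 ]; then
  make_registry_cert "$1" "$2" "${3:-4096}"
  cert_has_san "$1/$2.crt" "$2" && echo "SAN ok: DNS:$2"
  cert_matches_key "$1/$2.crt" "$1/$2.key" && echo "key matches certificate"
  cert_expires_within "$1/$2.crt" 30 && echo "WARNING: certificate expires within 30 days"
fi
```

The file names follow HOST.key / HOST.crt rather than the post's noname.io.key / noname.io.crt, so adjust the docker run mounts or rename the files if you use this script for the real registry.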
Create the registry service
Note
- Mount /data/docker/certs to /data/certs inside the container
- Mount /data/docker/registry to /var/lib/registry inside the container, so the image data survives when the container is deleted and recreated later
Method 1
If all you need is a simple, working registry, just run docker run

```bash
docker run -d -p 5000:5000 --restart always --name registry \
  -v /data/docker/registry:/var/lib/registry \
  -v /data/docker/certs:/data/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/data/certs/noname.io.crt \
  -e REGISTRY_HTTP_TLS_KEY=/data/certs/noname.io.key \
  registry:2.8.3
```
Method 2
If more complex configuration is involved, such as access control, an S3 storage backend, cache settings, or proxy/mirror settings, the config-file approach is better.
Create the registry config file, based on the reference config (example YAML file); after modification it looks like this

```yaml
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  tls:
    certificate: /data/certs/noname.io.crt
    key: /data/certs/noname.io.key
```

Run docker run

```bash
docker run -d -p 5000:5000 --restart always --name registry \
  -v /data/docker/registry:/var/lib/registry \
  -v /data/docker/certs:/data/certs \
  -v /data/docker/config/config.yml:/etc/docker/registry/config.yml \
  registry:2.8.3
```
Modify system configuration
Edit hosts
Add the private registry's domain name

```
127.0.0.1 registry.noname.io
```

Edit the Docker configuration

```bash
sudo mkdir -p /etc/docker
sudo vi /etc/docker/daemon.json
```

The registry's domain name and port need to be added to insecure-registries

```json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries" : ["registry.noname.io:5000"]
}
```

Restart the service

```bash
sudo systemctl restart docker
```

To allow access from within the LAN, configure the firewall

```bash
sudo ufw allow 5000/tcp
sudo ufw reload
```
Test and verify
Query the registry API; since the registry holds no image data yet, the returned repository list is empty

```bash
curl -k https://registry.noname.io:5000/v2/_catalog | jq .
```

Push an image as a test

```bash
docker tag alpine:3.20.1 registry.noname.io:5000/alpine:3.20.1
docker push registry.noname.io:5000/alpine:3.20.1
```
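Two steps above switch verification off rather than making the certificate trusted: the "insecure-registries" entry in daemon.json tells dockerd to accept the registry without verifying its TLS certificate, and curl -k does the same on the command line. Since the certificate already carries the right SAN, the client can trust it instead. The script below is an added example (not code from the original post) that installs the certificate where dockerd looks for a registry CA, /etc/docker/certs.d/<host>:<port>/ca.crt, reports whether daemon.json still lists the registry as insecure, and queries the catalog with curl --cacert instead of -k. It assumes the post's paths and names (/data/docker/certs/noname.io.crt, registry.noname.io:5000); DOCKER_CERTS_ROOT is a hypothetical override used only so the functions can be exercised in a scratch directory, dockerd itself reads only /etc/docker/certs.d.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: trust the registry certificate
# on the client instead of disabling TLS verification.
set -u

# Directory dockerd reads per-registry CA certificates from; the override
# variable is only for testing in a scratch directory.
certs_root() { printf '%s' "${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"; }

# Install CRT as the trusted CA for HOST:PORT (root is needed for the real path).
install_registry_ca() {
  local crt="$1" host="$2" port="$3" dir
  dir="$(certs_root)/$host:$port"
  mkdir -p "$dir" && cp "$crt" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# Succeed if DAEMON_JSON still lists HOST:PORT under "insecure-registries".
# That entry should be removed once the CA is installed; otherwise the
# certificate is never actually checked.
registry_marked_insecure() {
  local host_port="$1" daemon_json="${2:-/etc/docker/daemon.json}"
  [ -r "$daemon_json" ] || return 1
  tr -d '[:space:]' < "$daemon_json" \
    | grep -q "\"insecure-registries\":\[[^]]*\"$host_port\""
}

# Catalog query with the chain and hostname verified, replacing curl -k.
# Needs the running registry, so it is not exercised offline.
registry_catalog() {
  local host="$1" port="$2"
  curl -fsS --cacert "$(certs_root)/$host:$port/ca.crt" "https://$host:$port/v2/_catalog"
}
```

Typical use on the registry host, as root: `install_registry_ca /data/docker/certs/noname.io.crt registry.noname.io 5000`, then drop the "insecure-registries" line from daemon.json (`registry_marked_insecure registry.noname.io:5000` tells you whether it is still there), restart docker, and confirm with `registry_catalog registry.noname.io 5000` that pulls and pushes now go through a verified connection. Other machines on the LAN that should use the registry need the same ca.crt under their own /etc/docker/certs.d.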
References
Install Docker Engine on Ubuntu
Distribution Registry
Private Docker registry with HTTPS and a Nginx reverse proxy using Docker Compose