tanger
Published 2024-06-17

docker-registry Deployment in Practice


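  1. docker-registry: the open-source container registry service (container repository) published officially by Docker

  2. docker-registry-browser: a third-party web front end for the container registry

docker-registry is deployed here at the latest version, 3.x, whose image query API supports pagination.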

Deploying distribution-docker

Create the directories

mkdir -p auth lib 

Use Apache's htpasswd to create the encrypted credentials file

htpasswd -Bbn admin admin > $PWD/auth/htpasswd

Write the registry configuration file (config.yml)

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  tag:
    concurrencylimit: 8
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
auth:
  htpasswd:
    realm: basic-realm
    path: /auth/htpasswd
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://docker.io
  username:
  password:

Write the docker-compose file

version: "3.8"
services:
  registry:
    restart: always
    image: distribution/distribution:edge
    ports:
      - 5000:5000
    environment:
#      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
#      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: basic-realm
    volumes:
      - $PWD/data:/var/lib/registry
#      - /path/certs:/certs
      - $PWD/config.yml:/etc/distribution/config.yml
      - $PWD/auth:/auth

  docker-registry-browser:
    restart: always
    image: klausmeyer/docker-registry-browser:latest
    environment:
      # Note: The value for SECRET_KEY_BASE can be generated via "openssl rand -hex 64"
      - SECRET_KEY_BASE=611fdd40d0b03f79c6ac816c4e4784693c833b39c2c3d84e28fc0703f0c65a76b7ba95c166f6bf3e974d60551a7a97d3b52a152224c967eac894fcb2f3b79376
      - DOCKER_REGISTRY_URL=http://registry:5000
      - ENABLE_DELETE_IMAGES=true
      - PUBLIC_REGISTRY_URL=localhost:5000
    ports:
      - 8085:8080

Start the services

docker-compose up -d

Open localhost:8085


P.S. docker-registry API: https://github.com/distribution/distribution/blob/main/docs/content/spec/api.md

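Garbage collection

After an image is deleted through the API, a command has to be run inside the container before the disk space is actually released. After running the garbage-collection command, the container must be restarted before the same tag can be pushed again; otherwise the push is reported as successful but the image cannot actually be used. My guess is that this is related to caching.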

registry garbage-collect /etc/distribution/config.yml --delete-untagged=true
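
The delete, garbage-collect and restart sequence described above, written as one script. This is an added example, not part of the original post: it assumes the `registry` service name and the `/etc/distribution/config.yml` mount from the compose file above, and the `REGISTRY_*` environment variables and helper function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): delete one tag through the
# registry API, run garbage collection, then restart the registry container.
# Assumed: REGISTRY_URL / REGISTRY_USER / REGISTRY_PASS env vars and helper names.
set -eu

REGISTRY_URL="${REGISTRY_URL:-http://localhost:5000}"  # port published in the compose file
REGISTRY_CONFIG=/etc/distribution/config.yml           # config path mounted in the compose file
ACCEPT='Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json'

# curl wrapper: credentials are passed as a config on stdin, not in argv
# (arguments are visible to other users in the process list).
reg_curl() {
  printf 'user = "%s:%s"\n' "$REGISTRY_USER" "$REGISTRY_PASS" | curl -fsS -K - "$@"
}

# Read raw HTTP response headers on stdin, print the Docker-Content-Digest value.
digest_from_headers() {
  tr -d '\r' | awk -F': ' 'tolower($1) == "docker-content-digest" { print $2; exit }'
}

# Accept only a well-formed sha256 digest before it is used in a DELETE URL.
is_sha256_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# delete_and_collect <repository> <tag>
delete_and_collect() {
  digest=$(reg_curl -I -H "$ACCEPT" "$REGISTRY_URL/v2/$1/manifests/$2" | digest_from_headers)
  is_sha256_digest "$digest" || { echo "could not resolve $1:$2 to a digest" >&2; return 1; }
  # The manifest is deleted by digest; its blobs stay on disk until garbage collection.
  reg_curl -X DELETE "$REGISTRY_URL/v2/$1/manifests/$digest"
  docker-compose exec -T registry registry garbage-collect "$REGISTRY_CONFIG" --delete-untagged=true
  # Restart so that the same tag can be pushed again (the behaviour described above).
  docker-compose restart registry
}

# Run only when called with exactly two arguments: <repository> <tag>
if [ "$#" -eq 2 ]; then
  delete_and_collect "$1" "$2"
fi
```

Run it from the directory that holds the compose file, with the credentials created by htpasswd exported as `REGISTRY_USER` and `REGISTRY_PASS`.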

External proxy

Proxy https://registry-1.docker.io

On the external VPS, write a compose.yml file

version: "3.8"
services:
  registry:
    restart: always
    image: distribution/distribution:edge
    ports:
      - 5001:5000
    environment:
      REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io

Then simply start it.

Modify the Docker configuration file

{
  "registry-mirrors" : [
    "https://vps域名"
  ]
}

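The proxy and the registry need to be kept separate: one instance cannot act as both a private registry and a proxy registry.

The mirror cache feature has to compare versions against the official image registry in real time, so when a private image is pushed to this registry with docker push, it cannot be compared against the official registry, and the upload keeps showing Retrying and never completes.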

