搭建私有仓库
为什么需要私有仓库
- 安全性:镜像存储在内部网络,不经过公网
- 速度:局域网传输,拉取速度快
- 控制:管理谁可以推送和拉取镜像
- 合规:满足数据本地化要求
- 成本:避免 Docker Hub 的拉取限制
搭建简易私有仓库
使用 Docker Registry 镜像
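# One-command start — for local testing only (no TLS, no authentication).
# Bind to the loopback address: with 0.0.0.0 (the bare "-p 5000:5000") anyone on
# the network can push to and pull from this registry anonymously. For access from
# other hosts, use the TLS + htpasswd setup in the sections below.
# Image data persists in the host directory bind-mounted at /var/lib/registry.
docker run -d \
  -p 127.0.0.1:5000:5000 \
  --name registry \
  -v /var/lib/registry:/var/lib/registry \
  registry:2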
验证仓库
# Push test: re-tag a public image under the local registry prefix and push it.
src_image=nginx:alpine
local_image=localhost:5000/nginx:alpine
docker pull "$src_image"
docker tag "$src_image" "$local_image"
docker push "$local_image"
# Pull test: the image now comes back from the private registry.
docker pull "$local_image"
# List repositories and tags through the Registry v2 HTTP API.
curl http://localhost:5000/v2/_catalog
# {"repositories":["nginx"]}
curl http://localhost:5000/v2/nginx/tags/list
# {"name":"nginx","tags":["alpine"]}
生产级私有仓库
带 TLS 证书的 Registry
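# 1. Generate a self-signed certificate.
#    Docker's Go TLS client no longer falls back to the Common Name, so the
#    certificate needs a subjectAltName for the registry host; -addext requires
#    OpenSSL 1.1.1 or newer.
registry_host=myregistry.example.com
mkdir -p certs
openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout certs/domain.key \
  -x509 -days 365 \
  -out certs/domain.crt \
  -subj "/CN=${registry_host}" \
  -addext "subjectAltName=DNS:${registry_host}"
chmod 600 certs/domain.key   # private key: owner read/write only
# 2. Start the registry with TLS.
#    registry:2 listens on :5000 by default; set REGISTRY_HTTP_ADDR so the
#    container actually listens on 443 behind the "-p 443:443" mapping.
#    Remove an earlier container of the same name first (docker rm -f registry).
docker run -d \
  -p 443:443 \
  --name registry \
  -v "$PWD/certs:/certs" \
  -v "$PWD/registry-data:/var/lib/registry" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
# 3. Make the Docker client trust the self-signed certificate.
#    The certs.d directory name must match the host:port used in image references.
mkdir -p "/etc/docker/certs.d/${registry_host}:443"
cp certs/domain.crt "/etc/docker/certs.d/${registry_host}:443/ca.crt"
systemctl restart docker
# 4. Tag and push
docker tag nginx:alpine "${registry_host}:443/nginx:alpine"
docker push "${registry_host}:443/nginx:alpine"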
带认证的 Registry
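# 1. Create the htpasswd file (bcrypt hashes via -B).
#    Read the password from stdin (htpasswd -i) instead of passing it on the
#    command line (-b), so it does not end up in shell history or `ps` output.
mkdir -p auth
read -rsp 'Password for registry user admin: ' registry_password; printf '\n'
printf '%s' "$registry_password" \
  | docker run --rm -i httpd:alpine htpasswd -nBi admin > auth/htpasswd
chmod 600 auth/htpasswd
# 2. Start the registry with authentication and TLS (default listen port :5000,
#    which matches the "-p 5000:5000" mapping). Remove an earlier container of
#    the same name first (docker rm -f registry).
docker run -d \
  -p 5000:5000 \
  --name registry \
  -v "$PWD/auth:/auth" \
  -v "$PWD/registry-data:/var/lib/registry" \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -v "$PWD/certs:/certs" \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
# 3. Trust the self-signed certificate for this host:port. Docker keys the
#    certs.d directory by host:port, so the ":443" entry from the previous
#    section does not cover ":5000".
mkdir -p /etc/docker/certs.d/myregistry.example.com:5000
cp certs/domain.crt /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
# 4. Log in (the interactive prompt keeps the password out of argv) and push
docker login myregistry.example.com:5000
# Username: admin
# Password: <the password entered in step 1>
docker tag nginx:alpine myregistry.example.com:5000/nginx:alpine
docker push myregistry.example.com:5000/nginx:alpine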
Docker Compose 部署 Registry
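version: "3.8"
services:
  registry:
    image: registry:2
    restart: always
    ports:
      - "443:443"
    volumes:
      - registry-data:/var/lib/registry
      - ./certs:/certs:ro   # TLS cert/key, read-only inside the container
      - ./auth:/auth:ro     # htpasswd file, read-only inside the container
    environment:
      # registry:2 listens on :5000 by default; bind 443 so the port mapping
      # above actually reaches the service.
      REGISTRY_HTTP_ADDR: 0.0.0.0:443
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      # Allow DELETE on manifests/blobs so garbage-collect can reclaim space.
      REGISTRY_STORAGE_DELETE_ENABLED: "true"
    logging:
      driver: json-file
      options:
        max-size: "10m"   # rotate container logs instead of growing unbounded
        max-file: "3"
volumes:
  registry-data: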
Registry 配置详解
完整配置
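version: 0.1
log:
  # debug logs every request; consider "info" for production to keep logs lean
  level: debug
  fields:
    service: registry
storage:
  delete:
    enabled: true   # required for DELETE requests and garbage collection
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :443
  host: https://myregistry.example.com
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
auth:
  htpasswd:
    realm: basic-realm
    path: /auth/htpasswd
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3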
使用 Harbor 搭建企业级仓库
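# 1. Download the offline installer
wget https://github.com/goharbor/harbor/releases/download/v2.8.0/harbor-offline-installer-v2.8.0.tgz
#    Verify the tarball before unpacking it: Harbor publishes a detached GPG
#    signature next to each release asset (same URL with a ".asc" suffix).
#    Import the Harbor release key, then:
# gpg --verify harbor-offline-installer-v2.8.0.tgz.asc harbor-offline-installer-v2.8.0.tgz
# 2. Unpack and create the config from the template
tar xzf harbor-offline-installer-v2.8.0.tgz
cd harbor || exit 1   # do not run the following steps in the wrong directory
cp harbor.yml.tmpl harbor.yml
# 3. Edit harbor.yml
# hostname: harbor.example.com
# certificate: /data/cert/server.crt
# private_key: /data/cert/server.key
# harbor_admin_password: admin123   # set your own value before installing; it is only the initial password
# 4. Install
./install.sh
# 5. Access
# https://harbor.example.com
# log in → create a project → push images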
Harbor 推送镜像
# Log in to Harbor (interactive prompt)
harbor_host=harbor.example.com
docker login "$harbor_host"
# Username: admin
# Password: admin123
# Tag under the "library" project and push
target="${harbor_host}/library/nginx:1.24"
docker tag nginx:alpine "$target"
docker push "$target"
仓库监控和维护
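# Liveness / API check. An auth-enabled registry answers /v2/ with 401, which
# still shows the service is up; use https:// for a TLS registry.
curl http://localhost:5000/v2/
curl http://localhost:5000/v2/_catalog
# Storage usage — the path of the bind mount the registry was started with
# (adjust if you used $PWD/registry-data or a named volume).
du -sh /var/lib/registry/
# Garbage collection: reclaim space from deleted manifests/blobs.
# Run it with the registry stopped or in read-only mode; collecting while
# pushes are in flight can remove blobs a new manifest still references.
docker exec registry /bin/registry garbage-collect /etc/docker/registry/config.yml
# View recent logs. This does not clean anything; log rotation is handled by the
# logging driver (json-file max-size / max-file).
docker logs --tail 100 registry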
常见问题
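# Problem: pushing to a plain-HTTP (non-TLS) registry fails
# Fix: let the daemon treat that registry as insecure. Use this only for a
# lab/LAN registry — traffic to it is then neither authenticated nor encrypted.
# daemon.json must remain one JSON document: appending with ">>" to an existing
# file corrupts it and the daemon will not start, so merge instead of append.
daemon_json=/etc/docker/daemon.json
if [[ -s "$daemon_json" ]]; then
  command -v jq >/dev/null \
    || { printf 'jq not found: add "insecure-registries" to %s by hand\n' "$daemon_json" >&2; exit 1; }
  tmp=$(mktemp) || exit 1
  jq '."insecure-registries" = ((."insecure-registries" // []) + ["192.168.1.100:5000"] | unique)' \
    "$daemon_json" > "$tmp" && mv -- "$tmp" "$daemon_json"
else
  printf '%s\n' '{ "insecure-registries": ["192.168.1.100:5000"] }' > "$daemon_json"
fi
systemctl restart docker
# Problem: storage is full
# Fix: delete unneeded manifests, then garbage-collect (registry stopped or read-only)
docker exec registry /bin/registry garbage-collect /etc/docker/registry/config.yml
# Problem: authentication fails
# Fix: regenerate the admin entry. -i reads the password from stdin so it stays
# out of shell history and `ps`. Note that ">" rewrites the whole file, dropping
# any other users; to update one entry in place use
# `htpasswd -Bi auth/htpasswd admin` instead. The same command also works via
# `docker run --rm -i httpd:alpine htpasswd -nBi admin` if htpasswd is not installed.
read -rsp 'New password for admin: ' new_password; printf '\n'
printf '%s' "$new_password" | htpasswd -nBi admin > auth/htpasswd
# If the new password is not picked up, restart the registry container.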
搭建私有仓库是管理自建镜像、保障分发安全和提高部署速度的基础工作。