最近在NAS上折腾Docker 以前各种应用是用虚拟机部署的,在玩Docker后感觉这个更好。便开始了榨干NAS计划
最开始为了访问仓库是参考的这个项目:
部署好后的确解决了镜像拉取问题,但是速度感人还不稳定,时不时拉取失败。所以想本地部署个仓库把常用的好玩的镜像都拉到私有的仓库,以后要部署直接从私有仓库拉取那不起飞。
常见的Docker私有仓库有:Harbor、Portus、Docker Registry 下面使用官方的Docker Registry搭建试试
1. 下载registry镜像
[root@iZf8zd6gjqmdx9d7mygs00Z ~]# docker pull registry2. 创建registry容器
#其中本地端口和本地挂载目录根据自己实际修改
[root@iZf8zd6gjqmdx9d7mygs00Z ~]# docker run -d -p 5522:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry3. 推送镜像至仓库
#查看本地下载的镜像
root@Mario:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
cloudflare/cloudflared latest 1cf4e794afa4 7 days ago 59.6MB
privoce/vocechat-server latest 37412d70853b 8 days ago 62.5MB
halohub/halo 2.20.15 c0787117a504 12 days ago 445MB
xhofe/alist latest cebc24353a2b 5 weeks ago 180MB
phpmyadmin 5.2.2 72f5bcc2915b 6 weeks ago 570MB
baiduapp 1.0 c252cd2d44fb 7 weeks ago 660MB
btpanel/baota latest 919b4bf29592 8 weeks ago 1.69GB
ubuntu 25.04 aaaffc146c5b 2 months ago 82.1MB
mysql 8.0.35 77f16659c129 14 months ago 591MB
#给镜像打上私有仓库标签
root@Mario:~# docker tag mysql:5.7.9 10.16.1.3:5522/mysql:5.7.9
#尝试推送到私有仓库
root@Mario:~# docker push 10.16.1.3:5522/mysql:5.7.9
The push refers to repository [10.16.1.3:5522/mysql]
Get "https://10.16.1.3:5522/v2/": http: server gave HTTP response to HTTPS client这里推送会失败报错:http: server gave HTTP response to HTTPS client
因为刚才部署的仓库是http协议不被Docker信任
网上的解决办法:
# 打开要修改的文件
vi /etc/docker/daemon.json
# 添加内容:
# 需要将 10.16.1.3:5522 替换为你自己的 ip
"insecure-registries":["http://10.16.1.3:5522"]
# 重启docker
systemctl restart docker由于正式部署是通过NAS docker管理软件,也通过SSH改了 daemon.json 但是有没用。
既然Docker要求https协议那就把仓库部署成https的不就行了,从根源解决
这里参考官方文档: https://distribution.github.io/distribution/about/deploying/
还要准备SSL证书,那就用 openssl 生成一个私有证书
#创建一个目录存放证书
root@Mario:/volume2/Temp# mkdir -p cert
#在刚才创建的目录生成证书
root@Mario:/volume2/Temp# openssl req -newkey rsa:4096 -nodes -sha256 -keyout cert/ssl.key -x509 -days 365 -out cert/ssl.crt
#除了倒数第二项需要填写域名外,其它都随便填即可
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Synology Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address [product@synology.com]:
# -d 后台静默运行容器
# --restart 设置容器重启策略
# -name 容器名称
# -v 设置挂载宿主目录到容器目录
# -e REGISTRY_HTTP_ADDR 设置仓库主机地址和端口
# -e REGISTRY_HTTP_TLS_CERTIFICATE 证书路径
# -e REGISTRY_HTTP_TLS_KEY 私钥路径
# -p 映射端口到宿主机
docker run -d \
--name registry \
-v "$(pwd)"/cert:/cert \
-v /opt/data/registry:/var/lib/registry \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/data/cert/ssl.crt \
-e REGISTRY_HTTP_TLS_KEY=/data/cert/ssl.key \
-p 443:443\
--restart=always \
registry到这里以为就可以了结果又报错了
root@Mario:~# docker push 10.16.1.3:6633/mysql:5.7.9
The push refers to repository [10.16.1.3:6633/mysql]
Get "https://10.16.1.3:6633/v2/": tls: failed to verify certificate: x509: cannot validate certificate for 10.16.1.3 because it doesn't contain any IP SANs私有证书还是不认啊.................................................. 没办法还要把生成的私有证书添加信任
4. 查看仓库镜像
在浏览器访问
http://10.16.1.3:6633:5000/v2/_catalog
http://10.16.1.3:6633:5000/v2/nginx/tags/list
终端访问
wget -O- -q --user=oldboy --password=123456 http://x.x.x.x:5000/v2/_catalog
curl -XGET http://x.x.x.x:5000/v2/_catalog5. compose部署
最终在群晖通过 compose 配置部署
version: '3.3'
services:
zfile:
image: registry
container_name: registry
restart: always
ports:
- '6633:6633'
volumes:
- '/volume2/Dockers/registry/reg:/var/lib/registry'
- '/volume2/Dockers/registry/cert:/cert'
environment:
REGISTRY_HTTP_ADDR: 0.0.0.0:6633
REGISTRY_HTTP_TLS_CERTIFICATE: '/cert/harbor.crt'
REGISTRY_HTTP_TLS_KEY: '/cert/harbor.key'
networks:
- mario-default
networks:
mario-default:
external: true
评论区