Setting up a private Docker registry

A simple private registry

docker run -d -p 5000:5000 --name registry registry:2

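After this one command, the private registry is up and running.

# List the images in the private registry
http://127.0.0.1:5000/v2/_catalog
# List the tags of the image named registry
http://127.0.0.1:5000/v2/registry/tags/list

Replace 127.0.0.1 with the server's IP or domain name to access the registry remotely from other hosts.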

# push
docker pull ubuntu
docker image tag ubuntu localhost:5000/myfirstimage
docker push localhost:5000/myfirstimage
# pull 
docker pull localhost:5000/myfirstimage

Private registry

Test environment: Ubuntu 16.04, two servers

Edit /etc/hosts

192.168.207.122 rthh.com rt.com

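Generate a self-signed certificate

# Create a directory to hold the certificate
mkdir -p certs
# Generate the certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/rt.com.key -x509 -days 365 -out certs/rt.com.crt
# Note: when filling in the fields, Common Name must match your domain name

Two files are generated in the certs directory

Start the registry container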

docker run -d -p 5000:5000 --restart=always --name registry_https -v `pwd`/certs:/home/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/rt.com.crt -e REGISTRY_HTTP_TLS_KEY=/home/certs/rt.com.key registry:2

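Trust the certificate on the client

Once the container is running, querying the registry's images directly with the command fails

curl https://rt.com:5000/v2/_catalog

The error: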

# curl https://rt.com:5000/v2/_catalog
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

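The certificate has to be trusted on the client. There are many ways to do this online; only the method that worked in practice on Ubuntu 16.04 is recorded here.
Put rt.com.crt into the /usr/local/share/ca-certificates directory

omnisky@omnisky:/usr/local/share/ca-certificates$ ls
rt.com.crt  rthh.com.crt

Run update-ca-certificates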

# update-ca-certificates 
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:rt.com.pem
done.
done.

The query now works, and it shows that the registry holds no images

curl https://rt.com:5000/v2/_catalog
{"repositories":[]}

push pull

The docker service must be restarted first

service docker restart
docker tag tensorflow/tensorflow:2.0.0a0-gpu-py3-jupyter rt.com:5000/tensorflow:2.0.0a0-gpu-py3-jupyter
docker push rt.com:5000/tensorflow:2.0.0a0-gpu-py3-jupyter
# First delete the local tensorflow images, including tensorflow/tensorflow:2.0.0a0-gpu-py3-jupyter
docker pull rt.com:5000/tensorflow:2.0.0a0-gpu-py3-jupyter
# curl https://rt.com:5000/v2/_catalog
{"repositories":["tensorflow","test"]}
# curl https://rt.com:5000/v2/tensorflow/tags/list
{"name":"tensorflow","tags":["2.0.0a0-gpu-py3-jupyter"]}

A directory can be mounted to store the registry's images

docker run -d -p 5000:5000 --restart=always --name registry_https -v `pwd`/certs:/home/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/rt.com.crt -e REGISTRY_HTTP_TLS_KEY=/home/certs/rt.com.key \
 -v /mnt/registry:/var/lib/registry registry:2
root@master:/mnt/registry/docker/registry/v2/repositories/tensorflow# ls
_layers  _manifests  _uploads

Docker login authentication

Replace testuser and testpassword with your own

# The auth directory must exist before the redirect below can write into it
mkdir -p auth
# If the registry:2 image you pull no longer includes htpasswd, run the same command with the httpd:2 image instead
docker run \
--entrypoint htpasswd \
registry:2 -Bbn testuser testpassword > auth/htpasswd
docker run -d -p 5000:5000 --restart=always --name registry_https -v "$(pwd)"/auth:/auth \
 -e "REGISTRY_AUTH=htpasswd" \
 -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
 -v `pwd`/certs:/home/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/rt.com.crt -e REGISTRY_HTTP_TLS_KEY=/home/certs/rt.com.key \
 -v /mnt/registry:/var/lib/registry registry:2

docker login rt.com:5000
Enter the username and password
Get the registry's information with curl

# curl -u user:passwd https://rt.com:5000/v2/_catalog
{"repositories":["tensorflow","test"]}
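
An audit of the auth/htpasswd file created in the login authentication step, as an added example that is not part of the original post: the registry's htpasswd backend accepts only bcrypt entries, and htpasswd -B writes them with cost 5 unless -C is given. The function name audit_htpasswd, the MIN_COST threshold of 10 and the sample entries are assumptions constructed for illustration.

```python
import re

# bcrypt as written by `htpasswd -B`: $2y$<cost>$ followed by 53 salt+hash chars
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed local policy threshold, not a registry requirement


def audit_htpasswd(text, min_cost=MIN_COST):
    """Return a list of (line_no, user, problem) for an htpasswd file body."""
    findings, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            findings.append((no, user, "malformed entry"))
            continue
        if user in seen:
            findings.append((no, user, "duplicate user"))
        seen.add(user)
        m = BCRYPT.match(digest)
        if m is None:
            # the registry's htpasswd backend only accepts bcrypt entries
            findings.append((no, user, "not bcrypt"))
        elif int(m.group(1)) < min_cost:
            cost = int(m.group(1))
            findings.append((no, user, "bcrypt cost %d below %d" % (cost, min_cost)))
    return findings


# Constructed sample: placeholder digests, not real password hashes.
SAMPLE = "\n".join([
    "testuser:$2y$05$" + "a" * 53,     # htpasswd -B default cost (5)
    "ci:$2y$12$" + "b" * 53,           # cost raised with -C 12
    "old:$apr1$abcdefgh$" + "c" * 22,  # MD5 entry from plain htpasswd
    "testuser:$2y$12$" + "d" * 53,     # same user name a second time
    "nocolon",                         # no user:digest separator
])

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

Adding -C 12 to the htpasswd flags on the page (for example -B -C 12 -bn) raises the bcrypt cost of newly written entries.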