Setting up a private Docker registry

Quick setup of a private registry

docker run -d -p 5000:5000 --name registry registry:2

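With that single command the private registry is up and running.

# List the images (repositories) in the private registry
http://127.0.0.1:5000/v2/_catalog
# List the tags of the image named registry
http://127.0.0.1:5000/v2/registry/tags/list

Replace 127.0.0.1 with the host's IP address or domain name to access the registry remotely from other hosts. Note that this instance serves plain HTTP with no authentication; the sections below add TLS and login.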

# push
docker pull ubuntu
docker image tag ubuntu localhost:5000/myfirstimage
docker push localhost:5000/myfirstimage
# pull 
docker pull localhost:5000/myfirstimage

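Private registry

Test environment: Ubuntu 16.04, two servers

Edit /etc/hosts

192.168.207.122 rthh.com rt.com

Generate a self-signed certificate

# Create a directory to hold the certificate
mkdir -p certs
# Generate the certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/rt.com.key -x509 -days 365 -out certs/rt.com.crt
# Note: when filling in the prompts, the Common Name must match your domain name

Two files are generated in the certs directory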
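
The step above depends on typing the right Common Name at the prompt. The following is an added example, not part of the original post: it generates the same kind of certificate non-interactively, also writes the name into subjectAltName (current Go-based clients, Docker included, match on SAN and no longer fall back to CN), and checks the certificate against the hostname before the registry is started. The function names make_registry_cert and cert_matches_host are chosen for this example.

```shell
#!/bin/sh
# Added example: non-interactive version of the certificate step.
# Function names are hypothetical helpers, not part of Docker or OpenSSL.

# make_registry_cert DIR HOST [BITS]
# Writes DIR/HOST.key and DIR/HOST.crt (self-signed, valid 365 days),
# with both the CN and the subjectAltName set to HOST.
make_registry_cert() {
    dir=$1
    host=$2
    bits=${3:-4096}          # same key size as the post unless overridden
    mkdir -p "$dir" || return 1
    (
        umask 077            # the private key must not be readable by others
        # -addext needs OpenSSL 1.1.1 or newer
        openssl req -newkey "rsa:$bits" -nodes -sha256 -x509 -days 365 \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.crt"
    ) || return 1
    # The certificate is public; only the key stays restricted.
    chmod 644 "$dir/$host.crt"
}

# cert_matches_host CRT HOST
# Succeeds only if the certificate is valid for HOST. openssl prints
# "does match" or "does NOT match" and exits 0 in both cases, so the
# result has to be read from the output.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q "does match certificate"
}

# Typical use before starting the registry container:
#   make_registry_cert certs rt.com &&
#   cert_matches_host certs/rt.com.crt rt.com && echo "certificate OK"
```

A certificate issued for rt.com does not cover the rthh.com alias from /etc/hosts; each name a client uses needs its own certificate or its own SAN entry.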


Start the private registry container

docker run -d -p 5000:5000 --restart=always --name registry_https -v `pwd`/certs:/home/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/rt.com.crt -e REGISTRY_HTTP_TLS_KEY=/home/certs/rt.com.key registry:2

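Trust the certificate on the client

Once the container is running, querying the registry's images directly with the following command fails

curl https://rt.com:5000/v2/_catalog

The error: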

# curl https://rt.com:5000/v2/_catalog
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

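The certificate has to be trusted on the client. There are many ways to do this described online; only the one that worked in practice on Ubuntu 16.04 is recorded here.
Copy rt.com.crt into the /usr/local/share/ca-certificates directory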

omnisky@omnisky:/usr/local/share/ca-certificates$ ls
rt.com.crt  rthh.com.crt

Run update-ca-certificates

# update-ca-certificates 
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:rt.com.pem
done.
done.

The query now works, and the registry contains no images yet

curl https://rt.com:5000/v2/_catalog
{"repositories":[]}

Push and pull

The docker service must be restarted first

service docker restart
docker tag tensorflow/tensorflow:2.0.0a0-gpu-py3-jupyter rt.com:5000/tensorflow:2.0.0a0-gpu-py3-jupyter
docker push rt.com:5000/tensorflow:2.0.0a0-gpu-py3-jupyter
# First delete the local tensorflow images, including tensorflow/tensorflow:2.0.0a0-gpu-py3-jupyter
docker pull rt.com:5000/tensorflow:2.0.0a0-gpu-py3-jupyter
# curl https://rt.com:5000/v2/_catalog
{"repositories":["tensorflow","test"]}
# curl https://rt.com:5000/v2/tensorflow/tags/list
{"name":"tensorflow","tags":["2.0.0a0-gpu-py3-jupyter"]}

A host directory can be mounted to store the registry's images

docker run -d -p 5000:5000 --restart=always --name registry_https \
 -v `pwd`/certs:/home/certs \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/rt.com.crt \
 -e REGISTRY_HTTP_TLS_KEY=/home/certs/rt.com.key \
 -v /mnt/registry:/var/lib/registry registry:2
root@master:/mnt/registry/docker/registry/v2/repositories/tensorflow# ls
_layers  _manifests  _uploads

Docker login authentication

Replace testuser and testpassword with your own values

# Create the directory that will hold the htpasswd file
mkdir -p auth
docker run \
--entrypoint htpasswd \
registry:2 -Bbn testuser testpassword > auth/htpasswd
docker run -d -p 5000:5000 --restart=always --name registry_https \
 -v "$(pwd)"/auth:/auth \
 -e "REGISTRY_AUTH=htpasswd" \
 -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
 -v `pwd`/certs:/home/certs \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/rt.com.crt \
 -e REGISTRY_HTTP_TLS_KEY=/home/certs/rt.com.key \
 -v /mnt/registry:/var/lib/registry registry:2

docker login rt.com:5000
Enter the username and password when prompted

Fetch the registry information with curl

# curl -u user:passwd https://rt.com:5000/v2/_catalog
{"repositories":["tensorflow","test"]}