Configuring an nginx reverse proxy for a private Docker registry

2017-04-25 20:11:13
Preparation

Generate a certificate; note that it must match the domain name you use.

Deploying the registry
  • Get the image

    docker search registry
    docker pull registry
    # If the image cannot be pulled, add a registry mirror
    /usr/bin/dockerd --registry-mirror=https://docker.mirrors.ustc.edu.cn
  • Start a container

    # The registry uses the same certificate as nginx
    docker run -d -v /opt/registry:/var/lib/registry -p 5000:5000 -v /usr/local/nginx/conf:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.top.com.cn.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry.top.com.cn.key --restart=always --name registry registry

    Open http://192.168.1.106:5000/v2 in a browser and check that the page loads normally.

  • Configure nginx

    upstream my_docker_registry {
        server 192.168.1.106:5000;
    }

    ## START registry.top.com.cn ##
    server {
        server_name registry.top.com.cn;

        listen 80;
        listen 443 ssl;

        # Use the private registry's SSL certificate
        ssl_certificate /usr/local/nginx/conf/registry.top.com.cn.crt;
        ssl_certificate_key /usr/local/nginx/conf/registry.top.com.cn.key;
        access_log logs/registry.access.log main;
        error_log logs/registry.error.log;

        root /usr/local/webapps;
        index index.html;
        client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
        location / {
            proxy_pass https://my_docker_registry;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Docker-Distribution-Api-Version registry/2.0;
        }
    }
Verification
docker pull hello-world
docker tag hello-world registry.top.com.cn/hello-world
docker push registry.top.com.cn/hello-world

# The registry service we started is not a secure, trusted one, so we need to
# add /usr/bin/dockerd --insecure-registry=registry.top.com.cn
systemctl daemon-reload
systemctl restart docker

# Push again
docker push registry.top.com.cn/hello-world

Open http://registry.top.com.cn/v2/_catalog in a browser; you should see
{"repositories":["hello-world"]}
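
Added example (not part of the original post): one way to generate the certificate from the Preparation step so that it matches the domain, check that the key and certificate are a pair, and have the Docker daemon trust it for registry.top.com.cn rather than passing --insecure-registry, which turns off certificate verification for that registry. The function names, the RSA-2048 key, the 365-day lifetime and the optional CERTS_D argument are assumptions; /etc/docker/certs.d/<host>/ca.crt is where Docker looks for a per-registry CA certificate.

```shell
#!/bin/sh
# Added example. Function names, RSA-2048 and the 365-day lifetime are assumptions.

# Create a self-signed key/cert pair for DOMAIN in OUT_DIR. The domain goes in
# subjectAltName as well as CN. Needs OpenSSL 1.1.1+ for -addext.
make_registry_cert() {   # usage: make_registry_cert DOMAIN OUT_DIR
    mkdir -p "$2" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null || return 1
    chmod 600 "$2/$1.key"
}

# Succeed only if the certificate in CRT is valid for the host name DOMAIN.
cert_matches_domain() {  # usage: cert_matches_domain CRT DOMAIN
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeed only if KEY is the private key belonging to CRT; nginx and the
# registry container both load this pair.
key_matches_cert() {     # usage: key_matches_cert CRT KEY
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Install CRT as the CA the docker daemon trusts for DOMAIN only.
# CERTS_D defaults to /etc/docker/certs.d (writing there needs root).
trust_registry_cert() {  # usage: trust_registry_cert CRT DOMAIN [CERTS_D]
    certs_d=${3:-/etc/docker/certs.d}
    cert_matches_domain "$1" "$2" || { echo "certificate is not valid for $2" >&2; return 1; }
    mkdir -p "$certs_d/$2" && cp "$1" "$certs_d/$2/ca.crt"
}

# Typical use on the hosts from this page:
#   make_registry_cert registry.top.com.cn /usr/local/nginx/conf
#   key_matches_cert /usr/local/nginx/conf/registry.top.com.cn.crt \
#                    /usr/local/nginx/conf/registry.top.com.cn.key
#   trust_registry_cert /usr/local/nginx/conf/registry.top.com.cn.crt registry.top.com.cn
```

Run trust_registry_cert on every host that pushes to or pulls from the registry; once the certificate is trusted there, the --insecure-registry flag is not needed on that host.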
