docker学习笔记之三：进阶实战--Registry创建镜像仓库私服

师向文

2023-12-01

registry V2说明文档 ：https://docs.docker.com/registry/deploying/

【重要】registry v2安装参考资料：

http://www.open-open.com/lib/view/open1456539405281.html

下载registry镜像：

sudo docker pull registry

创建证书：

sudo mkdir -p /docker_registry_dir/certs

sudo vi /etc/hosts ：指定自定义的域名

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.211.55.8 docker.registry.server

sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout /docker_registry_dir/certs/domain.key -x509 -days 365 -out /docker_registry_dir/certs/domain.crt

Generating a 4096 bit RSA private key
.................................++
...++
writing new private key to \'/docker_registry_dir/certs/domain.key\'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a DistinguishedName or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter \'.\', the field will be left blank.
-----
CountryName(2 letter code)[XX]:CN
State or ProvinceName(full name)[]:beijing
LocalityName(eg, city)[DefaultCity]:beijing
OrganizationName(eg, company)[DefaultCompanyLtd]:NQ
OrganizationalUnitName(eg, section)[]:NQ
CommonName(eg, your name or your server\'s hostname) []:docker.registry.server
Email Address []:hanqf2008@163.com

sudo mkdir -p /etc/docker/certs.d/docker.registry.server:5000

sudo cp /docker_registry_dir/certs/domain.crt /etc/docker/certs.d/docker.registry.server:5000/ca.crt

说明：因为是自己制作的证书，所以注意保存/docker_registry_dir/certs/domain.crt，其它客户端也需要将该证书拷贝到/etc/docker/certs.d/docker.registry.server:5000/ca.crt下，如果是认证过的证书，则不需要执行该步骤。

创建认证帐号：

sudo mkdir -p /docker_registry_dir/auth

切换到root用户：

docker run --rm --entrypoint htpasswd docker.io/registry:latest -Bbn admin admin >> /docker_registry_dir/auth/htpasswd ：可以创建多个帐号

启动registry容器：

sudo mkdir /docker_registry_dir/registryDir

sudo docker run -d -p 5000:5000--restart=always --name registry \\
-v /docker_registry_dir/auth:/auth \\
-e "REGISTRY_AUTH=htpasswd" \\
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \\
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \\
-v /docker_registry_dir/registryDir:/var/lib/registry \\
-v /docker_registry_dir/certs:/certs \\
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \\
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \\
docker.io/registry:latest

上传镜像：

sudo docker login docker.registry.server:5000

Username: admin
Password:
Email: hanqf2008@163.com
WARNING: login credentials saved in/root/.docker/config.json
LoginSucceeded

sudo docker tag docker.io/swarm:latest docker.registry.server:5000/swarm:latest

sudo dcoker push docker.registry.server:5000/swarm:latest

The push refers to a repository [docker.registry.server:5000/swarm]
c54d433c22fe:Pushed
2fe4d825a161:Pushed
249a306ce89e:Pushed
latest: digest: sha256:c9e1b4d4e399946c0542accf30f9a73500d6b0b075e152ed1c792214d3509d70 size:923

下载镜像：

如果没有登录私服，要先登录。

这里先删除 docker.registry.server:5000/swarm:latest，然后重新下载

sudo docker rmi docker.registry.server:5000/swarm:latest

sudo docker pull docker.registry.server:5000/swarm:latest

Trying to pull repository docker.registry.server:5000/swarm ...
latest:Pulling from docker.registry.server:5000/swarm
Digest: sha256:c9e1b4d4e399946c0542accf30f9a73500d6b0b075e152ed1c792214d3509d70
Status:Downloaded newer image for docker.registry.server:5000/swarm:latest

查看仓库镜像：

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

{"repositories":["swarm"]}

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/swarm/tags/list

{"name":"swarm","tags":["latest"]}

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/swarm/manifests/latest

删除仓库镜像：【目前不支持】

官方参考资料：https://docs.docker.com/registry/spec/api/

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

{"repositories":["mysql","swarm"]}

sudo curl -X DELETE --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/mysql/manifests/latest

{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}

sudo curl -X DELETE --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/mysql/manifests/sha256:bd446145a97e292a05e36f322ca06a82188608f7de107307e5a24ae775dc5a44

{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}

使用第三方删除工具：

参考资料： https://github.com/burnettk/delete-docker-registry-image

安装：

curl https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py | sudo tee /usr/local/bin/delete_docker_registry_image >/dev/null

sudo chmod a+x /usr/local/bin/delete_docker_registry_image

指定本地仓库的路径，这里用环境变量没有起作用，所以使用了软连接方式

sudo ln -s /docker_registry_dir/registryDir /opt/registry_data

删除指定tag

sudo /usr/local/bin/delete_docker_registry_image --image mysql:latest

此时：

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

{"repositories":["mysql","swarm"]}

看到mysql还在，但是其下面对应的tag已经不见了：

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/mysql/tags/list

{"name":"mysql","tags":null}

删除指定仓库

sudo /usr/local/bin/delete_docker_registry_image --image mysql

删除成功

sudo curl --cacert /docker_registry_dir/certs/domain.crt --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

{"repositories":["swarm"]}

https://docs.docker.com/registry/spec/api/#deleting-an-image

Method	Path	Entity	Description
GET	/v2/	Base	Check that the endpoint implements Docker Registry API V2.
GET	/v2/<name>/tags/list	Tags	Fetch the tags under the repository identified by name.
GET	/v2/<name>/manifests/<reference>	Manifest	Fetch the manifest identified by name and reference where reference can be a tag or digest. A HEAD request can also be issued to this endpoint to obtain resource information without receiving all data.
PUT	/v2/<name>/manifests/<reference>	Manifest	Put the manifest identified by name and reference where reference can be a tag or digest.
DELETE	/v2/<name>/manifests/<reference>	Manifest	Delete the manifest identified by name and reference. Note that a manifest can only be deleted by digest.
GET	/v2/<name>/blobs/<digest>	Blob	Retrieve the blob from the registry identified by digest. A HEAD request can also be issued to this endpoint to obtain resource information without receiving all data.
DELETE	/v2/<name>/blobs/<digest>	Blob	Delete the blob identified by name and digest
POST	/v2/<name>/blobs/uploads/	Initiate Blob Upload	Initiate a resumable blob upload. If successful, an upload location will be provided to complete the upload. Optionally, if the digest parameter is present, the request body will be used to complete the upload in a single request.
GET	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Retrieve status of upload identified by uuid. The primary purpose of this endpoint is to resolve the current status of a resumable upload.
PATCH	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Upload a chunk of data for the specified upload.
PUT	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Complete the upload specified by uuid, optionally appending the body as the final chunk.
DELETE	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Cancel outstanding upload processes, releasing associated resources. If this is not called, the unfinished uploads will eventually timeout.
GET	/v2/_catalog	Catalog	Retrieve a sorted, json list of repositories available in the registry.

docker学习笔记之三：进阶实战--Registry创建镜像仓库私服

相关阅读

相关文章

相关问答

相关文档