This document discusses deploying a private Docker registry using Docker registry. It provides instructions on installing Docker registry using both Python and Go versions, configuring it as a service, setting up authentication and SSL, connecting Docker hosts to the registry, and running the Docker registry frontend tool.

1. 青云虚机部署私有Docker Registry
Felix.Liang

2. 软件安装包
Docker公司提供的docker-registry有两个版本：python版本和go版本
Python版本在0.9.1版本后已不再更新，实现了docker-registry的V0和V1版本
API，Github地址为https://github.com/docker/docker-registry
Go版本实现了docker-registry的V2版本API，最新版本为2.0.1，只能用于
docker 1.6+，Github地址为https://github.com/docker/distribution
基于docker-registry API构建的第三方UI工具：docker-registry-ui和docker-
registry-frontend
Python版本 + docker-registry-frontend

3. Docker Registry安装
软件包安装(Ubuntu 14.04)
# sudo apt-get update
# sudo apt-get install -y build-essential python-dev libevent-dev python-pip liblzma-dev
# sudo apt-get install swig
# sudo apt-get install libssl-dev
# sudo pip install docker-registry
修改配置文件
# cd /usr/local/lib/python2.7/dist-packages/config/
# cp config_sample.yml config.yml
修改镜像存储目录，默认配置在/tmp目录下
local: &local
<<: *common
storage: local
storage_path: _env:STORAGE_PATH:/var/lib/docker-registry/registry
修改数据库文件存储目录，默认配置在/tmp目录下
sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////var/lib/docker-registry/docker-
registry.db

4. Docker Registry安装
封装docker registry为服务
# sudo mkdir -p /var/log/docker-registry
# touch /etc/init/docker-registry.conf
配置Upstart脚本
description "Docker Registry"
start on runlevel [2345]
stop on runlevel [016]
respawn
respawn limit 10 5
script
exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-
registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b localhost:5000 -w
8 docker_registry.wsgi:application
end script
启动docker registry
# sudo service docker-registry start
docker-registry start/running, process 25303

5. Authentication & SSL
安装配置nginx
# sudo apt-get -y install nginx apache2-utils
创建docker用户，设置密码
# sudo htpasswd -c /etc/nginx/docker-registry.htpasswd felix.liang
New password: 123456
Re-type new password:123456
Adding password for user felix.liang
生成自签名SSL证书
# mkdir ~/certs && cd ~/certs
# openssl genrsa -out devdockerCA.key 2048
# openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt (直接输入回车即可)
# openssl genrsa -out dev-docker-registry.com.key 2048
# openssl req -new -key dev-docker-registry.com.key -out dev-docker-registry.com.csr (Common Name需设置)
Common Name (e.g. server FQDN or YOUR name) []: registry.22gi5d.gd1.qingcloud.com (建议使用青云内部域名别名)
# openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial
-out dev-docker-registry.com.crt -days 10000
# sudo cp dev-docker-registry.com.crt /etc/ssl/certs/docker-registry
# sudo cp dev-docker-registry.com.key /etc/ssl/private/docker-registry

6. upstream docker-registry {
server localhost:5000;
}
server {
listen 8080;
server_name registry.22gi5d.gd1.qingcloud.com ;
ssl on;
ssl_certificate /etc/ssl/certs/docker-registry;
ssl_certificate_key /etc/ssl/private/docker-registry;
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
chunked_transfer_encoding on;
location / {
auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http://docker-registry;
}
location /_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}
创建nginx配置文件/etc/nginx/sites-available/
docker-registry
# sudo ln -s /etc/nginx/sites-available/docker-
registry /etc/nginx/sites-enabled/docker-registry
# sudo service nginx restart
需要通过青云console创建防火墙规则打开8080端口，
否则docker无法连接registry

7. Docker连接Registry
更新docker主机的证书
# sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
# sudo touch /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt
将registry主机上生成的devdockerCA.crt中证书内容拷贝到docker主机的证书中
# sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
# sudo service docker restart
连接registry
# docker login registry.22gi5d.gd1.qingcloud.com:8080
Username: felix.liang
Password: 123456
Email:
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

8. Docker连接Registry
从docker主机上传镜像到registry
从公共registry下载mysql镜像
# sudo docker pull mysql:5.5
# sudo docker tag mysql:5.5 registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5
# sudo docker push registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5
从registry下载镜像到docker主机
清空本地所有镜像，然后从registry查询和下载镜像
# sudo docker search registry.22gi5d.gd1.qingcloud.com:8080/mysql
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
library/mysql
# sudo docker pull registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5
…
Status: Downloaded newer image for registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5

9. 运行Registry前端工具
直接以容器方式启动docker-registry-frontend
# sudo docker run -d -e ENV_DOCKER_REGISTRY_HOST=registry.22gi5d.gd1.qingcloud.com -e
ENV_DOCKER_REGISTRY_PORT=8080 -e ENV_DOCKER_REGISTRY_USE_SSL=1 -p 8090:80 konradkleine/docker-
registry-frontend
查看容器是否启动成功
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
NAMES
d953be033dfd konradkleine/docker-registry-frontend "/bin/sh -c $START_S 14 seconds ago Up 13
seconds 443/tcp, 0.0.0.0:8090->80/tcp condescending_leakey

10. 运行Registry前端工具

11. 运行Registry前端工具

12. 运行Registry前端工具

13. 运行Registry前端工具