docker学习笔记之三：进阶实战--Registry创建镜像仓库私服

registry V2说明文档 ：https://docs.docker.com/registry/deploying/

 

【重要】registry v2安装参考资料：

http://www.open-open.com/lib/view/open1456539405281.html

 

下载registry镜像：

sudo docker pull registry

 

创建证书：

sudo mkdir -p /docker_registry_dir/certs

sudo vi /etc/hosts ：指定自定义的域名

 

1. 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
2. ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
3. 10.211.55.8 docker.registry.server

 

 

 

sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout /docker_registry_dir/certs/domain.key -x509 -days 365 -out /docker_registry_dir/certs/domain.crt

 

1. Generating a 4096 bit RSA private key
2. .................................++
3. ...++
4. writing new private key to \'/docker_registry_dir/certs/domain.key\'
5. -----
6. You are about to be asked to enter information that will be incorporated
7. into your certificate request.
8. What you are about to enter is what is called a DistinguishedName or a DN.
9. There are quite a few fields but you can leave some blank
10. For some fields there will be a default value,
11. If you enter \'.\', the field will be left blank.
12. -----
13. CountryName(2 letter code)[XX]:CN
14. State or ProvinceName(full name)[]:beijing
15. LocalityName(eg, city)[DefaultCity]:beijing
16. OrganizationName(eg, company)[DefaultCompanyLtd]:NQ
17. OrganizationalUnitName(eg, section)[]:NQ
18. CommonName(eg, your name or your server\'s hostname) []:docker.registry.server
19. Email Address []:hanqf2008@163.com

 

 

sudo mkdir -p /etc/docker/certs.d/docker.registry.server:5000

sudo cp /docker_registry_dir/certs/domain.crt /etc/docker/certs.d/docker.registry.server:5000/ca.crt

说明：因为是自己制作的证书，所以注意保存/docker_registry_dir/certs/domain.crt，其它客户端也需要将该证书拷贝到/etc/docker/certs.d/docker.registry.server:5000/ca.crt下，如果是认证过的证书，则不需要执行该步骤。

 

创建认证帐号：

sudo mkdir -p /docker_registry_dir/auth

切换到root用户：

docker run --rm --entrypoint  htpasswd  docker.io/registry:latest -Bbn admin admin >> /docker_registry_dir/auth/htpasswd ：可以创建多个帐号

 

启动registry容器：

sudo mkdir /docker_registry_dir/registryDir

 

1. sudo docker run -d -p 5000:5000--restart=always --name registry \\
2. -v /docker_registry_dir/auth:/auth \\
3. -e "REGISTRY_AUTH=htpasswd" \\
4. -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \\
5. -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \\
6. -v /docker_registry_dir/registryDir:/var/lib/registry \\
7. -v /docker_registry_dir/certs:/certs \\
8. -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \\
9. -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \\
10. docker.io/registry:latest

 

 

 

上传镜像：

sudo docker login docker.registry.server:5000

 

1. Username: admin
2. Password:
3. Email: hanqf2008@163.com
4. WARNING: login credentials saved in/root/.docker/config.json
5. LoginSucceeded

 

 

sudo docker tag docker.io/swarm:latest docker.registry.server:5000/swarm:latest

sudo dcoker push docker.registry.server:5000/swarm:latest

 

1. The push refers to a repository [docker.registry.server:5000/swarm]
2. c54d433c22fe:Pushed
3. 2fe4d825a161:Pushed
4. 249a306ce89e:Pushed
5. latest: digest: sha256:c9e1b4d4e399946c0542accf30f9a73500d6b0b075e152ed1c792214d3509d70 size:923

 

下载镜像：

如果没有登录私服，要先登录。

这里先删除docker.registry.server:5000/swarm:latest，然后重新下载

sudo docker rmi docker.registry.server:5000/swarm:latest

sudo docker pull docker.registry.server:5000/swarm:latest

1. Trying to pull repository docker.registry.server:5000/swarm ...
2. latest:Pulling from docker.registry.server:5000/swarm
3. Digest: sha256:c9e1b4d4e399946c0542accf30f9a73500d6b0b075e152ed1c792214d3509d70
4. Status:Downloaded newer image for docker.registry.server:5000/swarm:latest

 

 

 

查看仓库镜像：

sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

 

1. {"repositories":["swarm"]}

 

 

sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/swarm/tags/list

 

1. {"name":"swarm","tags":["latest"]}

 

sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/swarm/manifests/latest

 

删除仓库镜像：【目前不支持】

官方参考资料：https://docs.docker.com/registry/spec/api/

 sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

 

{"repositories":["mysql","swarm"]}

 

 

sudo curl  -X DELETE --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/mysql/manifests/latest

 

{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}

 

sudo curl  -X DELETE --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/mysql/manifests/sha256:bd446145a97e292a05e36f322ca06a82188608f7de107307e5a24ae775dc5a44

 

{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}

 

使用第三方删除工具：

参考资料：https://github.com/burnettk/delete-docker-registry-image

 

安装：

curl https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py | sudo tee /usr/local/bin/delete_docker_registry_image >/dev/null

sudo chmod a+x /usr/local/bin/delete_docker_registry_image

 

指定本地仓库的路径，这里用环境变量没有起作用，所以使用了软连接方式

sudo ln -s /docker_registry_dir/registryDir /opt/registry_data

 

删除指定tag

sudo /usr/local/bin/delete_docker_registry_image --image mysql:latest

此时：

sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

{"repositories":["mysql","swarm"]}

 

看到mysql还在，但是其下面对应的tag已经不见了：

sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/mysql/tags/list

{"name":"mysql","tags":null}

 

删除指定仓库

sudo /usr/local/bin/delete_docker_registry_image --image mysql

删除成功

sudo curl --cacert /docker_registry_dir/certs/domain.crt  --basic --user admin:admin https://docker.registry.server:5000/v2/_catalog

{"repositories":["swarm"]}

 

 

https://docs.docker.com/registry/spec/api/#deleting-an-image

 

 

Method	Path	Entity	Description
GET	/v2/	Base	Check that the endpoint implements Docker Registry API V2.
GET	/v2/<name>/tags/list	Tags	Fetch the tags under the repository identified by name.
GET	/v2/<name>/manifests/<reference>	Manifest	Fetch the manifest identified by name and reference where reference can be a tag or digest. A HEAD request can also be issued to this endpoint to obtain resource information without receiving all data.
PUT	/v2/<name>/manifests/<reference>	Manifest	Put the manifest identified by name and reference where reference can be a tag or digest.
DELETE	/v2/<name>/manifests/<reference>	Manifest	Delete the manifest identified by name and reference. Note that a manifest can only be deleted by digest.
GET	/v2/<name>/blobs/<digest>	Blob	Retrieve the blob from the registry identified by digest. A HEAD request can also be issued to this endpoint to obtain resource information without receiving all data.
DELETE	/v2/<name>/blobs/<digest>	Blob	Delete the blob identified by name and digest
POST	/v2/<name>/blobs/uploads/	Initiate Blob Upload	Initiate a resumable blob upload. If successful, an upload location will be provided to complete the upload. Optionally, if the digest parameter is present, the request body will be used to complete the upload in a single request.
GET	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Retrieve status of upload identified by uuid. The primary purpose of this endpoint is to resolve the current status of a resumable upload.
PATCH	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Upload a chunk of data for the specified upload.
PUT	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Complete the upload specified by uuid, optionally appending the body as the final chunk.
DELETE	/v2/<name>/blobs/uploads/<uuid>	Blob Upload	Cancel outstanding upload processes, releasing associated resources. If this is not called, the unfinished uploads will eventually timeout.
GET	/v2/_catalog	Catalog	Retrieve a sorted, json list of repositories available in the registry.