
Building a private (cross-region) Docker image registry on OSS

Our company currently uses Alibaba Cloud's Container Service, but the image registry has no deployment in Hong Kong, so our Hong Kong cluster pulls images slowly. To speed up repeated pulls, we decided to set up a mirror:

```text
repo(hangzhou) -- repo mirror(hongkong) -- user
                          |
                         oss
```

As shown above, built images are stored in the Hangzhou registry:

  • First pull: the mirror relays the image and stores a copy in OSS
  • Subsequent pulls: served directly from OSS

1. Configuration

We use nginx as a reverse proxy with its authentication module enabled; the registry itself is the registry 2.x image provided by Docker.

Compose template:

```yaml
registry:
  restart: always
  image: "registry:2.6"
  # ports:
  #   - 5000:5000
  # keep the port closed so only authenticated accounts can log in
  environment:
    - REGISTRY_STORAGE=oss
    - REGISTRY_STORAGE_OSS_ACCESSKEYID={AK}
    - REGISTRY_STORAGE_OSS_ACCESSKEYSECRET={SK}
    - REGISTRY_STORAGE_OSS_REGION=oss-cn-hongkong
    - REGISTRY_STORAGE_OSS_BUCKET={BUCKET}
    - REGISTRY_STORAGE_OSS_INTERNAL=false
    - REGISTRY_STORAGE_OSS_SECURE=false
    - REGISTRY_PROXY_REMOTEURL=https://registry.cn-hangzhou.aliyuncs.com
    - REGISTRY_PROXY_USERNAME={USERNAME}
    - REGISTRY_PROXY_PASSWORD={PASSWORD}

nginx:
  image: "nginx:1.9"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - ./ext:/etc/nginx/conf.d
    - ./ext/nginx.conf:/etc/nginx/nginx.conf:ro
```

Generate the password file:

```console
$ htpasswd -bn testuser testpassword > ext/nginx.htpasswd
testuser:$apr1$SO5gw8Pp$Q1ILVkpcYzURmvt.G3/xy0
```

Copy the certificates:

```console
cp ~/ssl/insta360.com/insta360.com.chained.crt ext/insta360.com.crt
cp ~/ssl/insta360.com/insta360.com.key ext/insta360.com.key
```

nginx configuration:

```nginx
events {
    worker_connections 1024;
}

http {

    upstream docker-registry {
        server registry:5000;
    }

    ## Set a variable to help us decide if we need to add the
    ## Docker-Distribution-Api-Version header.
    ## The registry always sets this header.
    ## In the case of nginx performing auth, the header will be unset
    ## since nginx is auth-ing before proxying.
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }

    server {
        listen 443 ssl;
        server_name registry-cn-hk.insta360.com;

        # SSL
        ssl_certificate /etc/nginx/conf.d/insta360.com.crt;
        ssl_certificate_key /etc/nginx/conf.d/insta360.com.key;

        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
        chunked_transfer_encoding on;

        location /v2/ {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }

            # To add basic authentication to v2 use auth_basic setting.
            auth_basic "Registry realm";
            auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

            ## If $docker_distribution_api_version is empty, the header will not be added.
            ## See the map directive above where this variable is defined.
            add_header Docker-Distribution-Api-Version $docker_distribution_api_version always;

            proxy_pass http://docker-registry;
            proxy_set_header Host $http_host;                         # required for docker client's sake
            proxy_set_header X-Real-IP $remote_addr;                  # pass on real client's IP
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
        }
    }
}
```

I was lazy and just copied the docs from the Docker website and changed the domain; adjust it yourself as needed.
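The security of this setup rests on a few settings in the two files above: the registry container must not publish its own port (otherwise port 5000 is reachable without nginx's basic auth), `REGISTRY_STORAGE_OSS_SECURE=false` makes the registry talk to OSS over plain HTTP, the upstream registry URL should stay `https://`, secrets should stay as placeholders filled in at deploy time, and `ssl_protocols` should not keep deprecated versions such as TLSv1.1. The following is an added example, not code from the post or from Docker: a small Python policy check that parses a compose template and an nginx excerpt modelled on the ones above and reports those conditions. The compose parser is a minimal hand-written one for the v1 layout shown, not a general YAML parser, and both sample inputs are constructed for the example.

```python
import re

# Constructed sample (not the post's file verbatim): a v1 compose layout
# modelled on the registry/nginx template above, placeholders kept as-is.
COMPOSE_SAMPLE = """\
registry:
  restart: always
  image: "registry:2.6"
  # ports:
  #   - 5000:5000
  environment:
    - REGISTRY_STORAGE=oss
    - REGISTRY_STORAGE_OSS_ACCESSKEYID={AK}
    - REGISTRY_STORAGE_OSS_ACCESSKEYSECRET={SK}
    - REGISTRY_STORAGE_OSS_REGION=oss-cn-hongkong
    - REGISTRY_STORAGE_OSS_BUCKET={BUCKET}
    - REGISTRY_STORAGE_OSS_INTERNAL=false
    - REGISTRY_STORAGE_OSS_SECURE=false
    - REGISTRY_PROXY_REMOTEURL=https://registry.cn-hangzhou.aliyuncs.com
    - REGISTRY_PROXY_USERNAME={USERNAME}
    - REGISTRY_PROXY_PASSWORD={PASSWORD}

nginx:
  image: "nginx:1.9"
  ports:
    - 443:443
  links:
    - registry:registry
"""

# Constructed excerpt of the nginx server block, reduced to the directives checked.
NGINX_SAMPLE = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
    location /v2/ {
        if ($http_user_agent ~ "^Go .*$") {
            return 404;
        }
        auth_basic "Registry realm";
        auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
        proxy_pass http://docker-registry;
    }
}
"""

PLACEHOLDER = re.compile(r"^\{[A-Z_]+\}$")   # e.g. {AK}, {SK}, {PASSWORD}


def parse_compose(text):
    """Minimal parser for the v1 layout above: top-level service names, one level
    of scalar keys, and '- item' lists. Comments are dropped first, so the
    commented-out 'ports:' lines do not count as a published port."""
    services, service, key = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if indent == 0 and body.endswith(":"):
            service, key = body[:-1], None
            services[service] = {}
        elif body.startswith("- ") and key is not None:
            services[service].setdefault(key, []).append(body[2:].strip())
        elif ":" in body:
            k, _, v = body.partition(":")
            key = k.strip()
            if v.strip():
                services[service][key] = v.strip().strip('"')
    return services


def block_body(conf, header):
    """Text between the braces of the first block opened by `header`,
    honouring nested blocks such as the if() inside location /v2/."""
    start = conf.find(header)
    if start < 0:
        return None
    i, depth = conf.index("{", start), 0
    for j in range(i, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[i + 1:j]
    return None


def check_compose(services):
    findings, reg = [], services.get("registry", {})
    env = dict(item.partition("=")[::2] for item in reg.get("environment", []))
    if reg.get("ports"):
        findings.append("registry publishes ports %s: reachable without nginx auth"
                        % ", ".join(reg["ports"]))
    if env.get("REGISTRY_STORAGE_OSS_SECURE", "").lower() == "false":
        findings.append("REGISTRY_STORAGE_OSS_SECURE=false: OSS traffic over plain HTTP")
    remote = env.get("REGISTRY_PROXY_REMOTEURL", "")
    if remote and not remote.startswith("https://"):
        findings.append("REGISTRY_PROXY_REMOTEURL is not https: %s" % remote)
    for k in ("REGISTRY_STORAGE_OSS_ACCESSKEYSECRET", "REGISTRY_PROXY_PASSWORD"):
        if env.get(k) and not PLACEHOLDER.match(env[k]):
            findings.append("%s holds a literal secret in the compose file" % k)
    return findings


def check_nginx(conf):
    findings = []
    m = re.search(r"ssl_protocols\s+([^;]+);", conf)
    if m:
        weak = [p for p in m.group(1).split() if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if weak:
            findings.append("ssl_protocols still enables %s" % " ".join(weak))
    body = block_body(conf, "location /v2/")
    if body is None:
        findings.append("no 'location /v2/' block: registry API is not proxied")
    elif not (re.search(r"\bauth_basic\s+", body) and "auth_basic_user_file" in body):
        findings.append("location /v2/ proxies the registry without auth_basic")
    return findings


def audit(compose_text, nginx_text):
    """All findings for one compose file plus one nginx config, as strings."""
    return check_compose(parse_compose(compose_text)) + check_nginx(nginx_text)


if __name__ == "__main__":
    for finding in audit(COMPOSE_SAMPLE, NGINX_SAMPLE):
        print("FINDING:", finding)
```

Run against the samples it reports two findings, `REGISTRY_STORAGE_OSS_SECURE=false` and `TLSv1.1`; uncommenting the `ports:` lines of the registry service adds a third, which is the one that would silently bypass the whole nginx authentication layer.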

Directory layout:

```console
$ tree
.
├── ext
│   ├── insta360.com.crt
│   ├── insta360.com.key
│   ├── nginx.conf
│   └── nginx.htpasswd
└── docker-compose.yml

1 directory, 5 files
```

2. Running

```console
$ docker-compose up -d
```

With that, the mirror is set up. Remember to log in before using it, like this:

```console
$ docker login registry-cn-hk.insta360.com
Username:
Password:
```

Now pull the images from your Hangzhou registry directly through the mirror; apart from the domain name, everything is the same~

3. Other

  • Docker Registry: Authenticate proxy with nginx
  • Docker Registry: Configuration
  • 基於OSS搭建跨區域部署的分散式Docker鏡像倉庫 (Building a cross-region distributed Docker image registry on OSS), Alibaba Cloud Yunqi Community blog

I looked at Alibaba's solution, but for our Global services, for well-known reasons and because of differences in the regions where services go live, OSS cross-region replication cannot be used effectively. The current solution moderately improves the speed of repeated pulls inside the cluster and greatly shortens the time an image update takes to propagate.

