一、服务端
registry docker部署
创建私服过程
官方地址:
github地址 https://hub.docker.com/_/registry
拉取最后2.x.x最后一个版本
$ docker run -d -p 5000:5000 --restart always --name registry registry:2
运行2.7.1版本
$ docker run -d -p 5000:5000 --restart always --name registry registry:2.7.1
挂载目录
$ docker run -d -p 5000:5000 --restart always --name registry -v /data/registry:/var/lib/registry registry:2.7.1
harbor安装
https://mp.csdn.net/mdeditor/86716304#
Docker镜像仓库Harbor主从镜像同步 https://blog.csdn.net/hiyun9/article/details/79655385
harbor github地址 https://github.com/goharbor/harbor
其他例子
docker run -d -p 5000:5000 --restart=always --name fcsp_registry2.3.1 -v /data/registry_500G/registry/tmp/registry:/tmp/registry -v /data/registry_500G/registry/lib/registry:/var/lib/registry -v /data/registry_500G/registry/config.yml:/etc/docker/registry/config.yml 192.168.14.172:10000/registry:2.7.1
例子2
docker run -d -p 5080:5000 -v /data/registry_500G/registry_release/tmp/registry:/tmp/registry -v /data/registry_500G/registry_release/lib/registry:/var/lib/registry --restart always --name fcsp_registry_release5080 192.168.14.172:10000/registry:2.7.1
二、客户端设置
如下为官方客户端配置私服的参数说明
Insecure registries
Docker considers a private registry either secure or insecure. In the rest of this section, registry is used for private registry, and myregistry:5000 is a placeholder example for a private registry.
A secure registry uses TLS and a copy of its CA certificate is placed on the Docker host at /etc/docker/certs.d/myregistry:5000/ca.crt. An insecure registry is either not using TLS (i.e., listening on plain text HTTP), or is using TLS with a CA certificate not known by the Docker daemon. The latter can happen when the certificate was not found under /etc/docker/certs.d/myregistry:5000/, or if the certificate verification failed (i.e., wrong CA).
By default, Docker assumes all, but local (see local registries below), registries are secure. Communicating with an insecure registry is not possible if Docker assumes that registry is secure. In order to communicate with an insecure registry, the Docker daemon requires --insecure-registry in one of the following two forms:
--insecure-registry myregistry:5000 tells the Docker daemon that myregistry:5000 should be considered insecure.
--insecure-registry 10.1.0.0/16 tells the Docker daemon that all registries whose domain resolve to an IP address is part of the subnet described by the CIDR syntax, should be considered insecure.
The flag can be used multiple times to allow multiple registries to be marked as insecure.
If an insecure registry is not marked as insecure, docker pull, docker push, and docker search will result in an error message prompting the user to either secure or pass the --insecure-registry flag to the Docker daemon as described above.
Local registries, whose IP address falls in the 127.0.0.0/8 range, are automatically marked as insecure as of Docker 1.3.2. It is not recommended to rely on this, as it may change in the future.
Enabling --insecure-registry, i.e., allowing un-encrypted and/or untrusted communication, can be useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system’s list of trusted CAs instead of enabling --insecure-registry.
配置指定私服
# 单台
--insecure-registry myregistry:5000
# 多台
--insecure-registry myregistry:5000 --insecure-registry myregistry1:5000 --insecure-registry 192.168.1.110:5000
配置ip段使用http方式
--insecure-registry 10.1.0.0/16 --insecure-registry 192.168.14.0/24 --insecure-registry 192.168.0.0/16
docker 1.12.x
配置 文件中 /usr/lib/systemd/system/docker.service
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS
配置对应的私服
docker 1.17
在”/etc/docker/“目录下,创建”daemon.json“文件。在文件中写入:
{ "insecure-registries":["192.168.1.100:5000"] }
#多个
{ "insecure-registries":["192.168.1.100:5000", "192.168.1.101:5000"] }
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
