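I recently needed to use Docker on my school's internal network, so having a Registry is convenient. Many of the tutorials online are outdated or cumbersome, so after hitting countless pitfalls I have summarized two quick deployment methods.
The methods online are all over the place and the long write-ups are tiring to read, so I wanted to get this done in three steps or fewer. Let's begin.
Preparation:
Install Docker
You need Docker version 1.6.0 or later.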
sudo curl -sSL https://get.docker.com/ | sh
# Let Docker be run as a non-root user, for safety (note: docker group membership is itself root-equivalent on the host).
sudo usermod -aG docker your-user
# Install Compose:
curl -L https://github.com/docker/compose/releases/download/1.7.0-rc1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
Obtain an SSL certificate
If you want to bind a domain name to the private registry, SSL must be enabled.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly -d docker.zuolan.me
Choose the second option to generate the certificate automatically.
Output like the following means it succeeded:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
.........
.........
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Method 1: Automated setup (strongly recommended)
Step 1: Configuration
Clone the repository.
git clone https://github.com/vmware/harbor ~/harbor
Edit the configuration.
vim ~/harbor/Deploy/harbor.cfg
The template is as follows:
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
########################################
#Enter your registry hostname below, e.g. "docker.zuolan.me".
########################################
hostname = docker.zuolan.me
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
#Email account settings for sending out password resetting emails.
#####################################
#The settings here can be ignored; they are only used for password recovery.
#####################################
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
##The password of Harbor admin, change this before any production use.
#####################
#Enter your admin password below.
#####################
harbor_admin_password = password
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth
#The url for an ldap endpoint.
#########
#Can be left blank.
#########
ldap_url = ldaps://ldap.zuolan.me
#The basedn template to look up a user in LDAP and verify the user's password.
################################################
#My domain is zuolan.me, so I put dc=zuolan,dc=me here.
################################################
ldap_basedn = uid=%s,ou=people,dc=zuolan,dc=me
#The password for the root user of mysql db, change this before any production use.
#####################
#Enter your database password below.
#####################
db_password = password
#Turn on or off the self-registration feature
self_registration = on
#####
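A pre-flight check for the template above, run before ./prepare. This is an added example, not part of Harbor or of the original post; the function name, the placeholder list and the 12-character minimum are assumptions chosen for illustration.

```python
import configparser

# Constructed sample: the security-relevant keys from the template above.
SAMPLE_CFG = """\
## Configuration file of Harbor
hostname = docker.zuolan.me
ui_url_protocol = https
harbor_admin_password = password
auth_mode = db_auth
ldap_url = ldaps://ldap.zuolan.me
ldap_basedn = uid=%s,ou=people,dc=zuolan,dc=me
db_password = password
self_registration = on
"""

PLACEHOLDERS = {"", "password", "abc", "yourpassword"}  # values shown on this page
MIN_SECRET_LEN = 12  # assumed policy threshold, not a Harbor rule


def audit_harbor_cfg(text):
    """Return (key, finding) pairs for risky settings in harbor.cfg text."""
    # harbor.cfg has no section header, so one is prepended; interpolation
    # is disabled because ldap_basedn contains a literal "%s".
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[configuration]\n" + text)
    cfg = cp["configuration"]
    findings = []
    if cfg.get("hostname", "").lower() in {"localhost", "127.0.0.1"}:
        findings.append(("hostname", "external clients cannot reach this address"))
    if cfg.get("ui_url_protocol", "http").lower() != "https":
        findings.append(("ui_url_protocol", "UI and token service served without TLS"))
    for key in ("harbor_admin_password", "db_password"):
        value = cfg.get(key, "")
        if value in PLACEHOLDERS:
            findings.append((key, "template placeholder still in place"))
        elif len(value) < MIN_SECRET_LEN:
            findings.append((key, "shorter than %d characters" % MIN_SECRET_LEN))
    if (cfg.get("auth_mode", "db_auth") == "ldap_auth"
            and cfg.get("ldap_url", "").lower().startswith("ldap://")):
        findings.append(("ldap_url", "LDAP bind travels unencrypted"))
    if cfg.get("self_registration", "off").lower() == "on":
        findings.append(("self_registration", "anyone who reaches the UI can sign up"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_harbor_cfg(SAMPLE_CFG):
        print("%-22s %s" % (key, finding))
```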
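Step 2: Configure Nginx
cd ~/harbor/Deploy/config/nginx
Move your certificate into the cert/ directory.
cp yourdomain.com.crt cert/
cp yourdomain.com.key cert/
Back up the original file and use the https configuration.
mv nginx.conf nginx.conf.bak && cp nginx.https.conf nginx.conf
Then run vim nginx.conf; there is very little to change, as follows: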
server {
    listen 443 ssl;
    # Change this to your domain name
    server_name docker.zuolan.me;
    # SSL
    # If your certificate was issued by letsencrypt, the paths here need no change
    ssl_certificate /etc/nginx/cert/fullchain.pem;
    ssl_certificate_key /etc/nginx/cert/privkey.pem;
...
server {
    listen 80;
    server_name docker.zuolan.me;
    # keep the "/" between the host name and the captured path
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
Step 3: Build and run
$ cd ~/harbor/Deploy
$ ./prepare
Generated configuration file: ./config/ui/env
Generated configuration file: ./config/ui/app.conf
Generated configuration file: ./config/registry/config.yml
Generated configuration file: ./config/db/env
$ docker-compose up
If nothing went wrong, it is now up and running.
Step 4: Test
You can now pull images via the domain name:
docker pull ubuntu
docker tag ubuntu docker.zuolan.me/ubuntu
docker push docker.zuolan.me/ubuntu
docker pull docker.zuolan.me/ubuntu
Method 2: Manual setup (not recommended for beginners)
Preparation
Create a new folder to keep things organized.
mkdir ~/docker-registry && cd $_
mkdir data nginx && mkdir nginx/certs
vim docker-compose.yml
Put the following content into docker-compose.yml:
nginx:
  image: "tutum/nginx"
  ports:
    - 80:80
    - 443:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d
    - /root/app/:/app/
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /etc/nginx/conf.d/certs/fullchain.pem
    REGISTRY_HTTP_TLS_KEY: /etc/nginx/conf.d/certs/privkey.pem
    REGISTRY_HTTP_SECRET: yourpassword
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
    - ./nginx/:/etc/nginx/conf.d
Move the certificates to the custom directory:
cat /etc/letsencrypt/live/docker.zuolan.me/fullchain.pem > ~/docker-registry/nginx/certs/fullchain.pem
cat /etc/letsencrypt/live/docker.zuolan.me/privkey.pem > ~/docker-registry/nginx/certs/privkey.pem
Then configure the Nginx file:
vim ~/docker-registry/nginx/registry.conf
Change the domain name, then copy and paste.
upstream docker-registry {
    server registry:5000;
}
server {
    listen 443;
    server_name docker.zuolan.me;
    # SSL
    ssl on;
    ssl_certificate /etc/nginx/conf.d/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/conf.d/certs/privkey.pem;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;
    location /v2/ {
        # Do not allow connections from docker 1.5 and earlier
        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }
        # To add basic authentication to v2 use auth_basic setting plus add_header
        # auth_basic "registry.localhost";
        # auth_basic_user_file /etc/nginx/conf.d/registry.password;
        # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
        # registry:2 serves TLS itself (REGISTRY_HTTP_TLS_* in docker-compose.yml),
        # so proxy over https to the upstream defined above
        proxy_pass https://docker-registry;
        proxy_set_header Host $http_host; # required for docker client's sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}
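What the User-Agent test in location /v2/ above actually turns away, shown by running the same pattern over sample headers. This is an added example, not part of the original post; the User-Agent strings are constructed and the function names are hypothetical.

```python
import re

# The pattern from the `if ($http_user_agent ~ ...)` line, unchanged.
# nginx's `~` is a case-sensitive PCRE match; Python's re behaves the same here.
OLD_CLIENT = re.compile(r"^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$")

# Constructed User-Agent strings (not captured from real traffic).
SAMPLE_AGENTS = [
    "docker/1.4.1 go/go1.3.3 kernel/3.13.0 os/linux arch/amd64",
    "docker/1.5.0 go/go1.4.1 kernel/3.16.0 os/linux arch/amd64",
    "docker/1.5.0-dev go/go1.4.2 kernel/3.16.0 os/linux arch/amd64",
    "docker/1.6.0 go/go1.4.2 kernel/3.19.0 os/linux arch/amd64",
    "docker/1.10.3 go/go1.5.3 kernel/4.2.0 os/linux arch/amd64",
    "Go 1.1 package http",  # what pre-1.6.0 clients sent on ping
    "curl/7.47.0",
    "",                     # header missing: $http_user_agent is empty
]


def location_v2_action(user_agent):
    """Return what the location block does with a request from this client."""
    return "return 404" if OLD_CLIENT.search(user_agent) else "proxy_pass"


def classify(agents):
    """Map each User-Agent string to the action nginx would take."""
    return {ua: location_v2_action(ua) for ua in agents}


if __name__ == "__main__":
    for ua, action in classify(SAMPLE_AGENTS).items():
        print("%-11s <- %r" % (action, ua))
```

The User-Agent header is supplied by the client, so this block only turns away old clients; restricting who can push or pull is the job of the commented-out auth_basic settings.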
Start the registry
cd ~/docker-registry
docker-compose up
Test:
You can now pull images via the domain name:
docker pull ubuntu
docker tag ubuntu docker.zuolan.me/ubuntu
docker push docker.zuolan.me/ubuntu
docker pull docker.zuolan.me/ubuntu