程式扎記: [ Doc ] Docker Registry - Deploying a registry server

標籤

2015年9月6日 星期日

[ Doc ] Docker Registry - Deploying a registry server

Source From Here 
Preface 
You need to install Docker version 1.6.0 or newer. 

Running on localhost 
Start your registry: 
# docker run -d -p 5000:5000 --restart=always --name registry registry:2

You can now use it with docker. Get any image from the hub and tag it to point to your registry: 
# docker pull ubuntu && docker tag ubuntu localhost:5000/ubuntu
# docker images | grep localhost
localhost:5000/ubuntu latest 91e54dfb1179 2 weeks ago 188.4 MB

… then push it to your registry: 
# docker push localhost:5000/ubuntu
The push refers to a repository [localhost:5000/ubuntu] (len: 1)
91e54dfb1179: Image successfully pushed
d74508fb6632: Image successfully pushed
...
latest: digest: sha256:0bf3461984f2fb18d237995e81faa657aff260a52a795367e6725f0617f7a56c size: 7719

… then pull it back from your registry: 
# docker images | grep localhost
localhost:5000/ubuntu latest 91e54dfb1179 2 weeks ago 188.4 MB
# docker rmi -f 91e54dfb1179 // Remove local image
Untagged: localhost:5000/ubuntu:latest
Untagged: ubuntu:latest

# docker pull localhost:5000/ubuntu // Pull from local registry
Using default tag: latest
latest: Pulling from ubuntu
d3a1f33e8a5a: Already exists
c22013c84729: Already exists
d74508fb6632: Already exists
91e54dfb1179: Already exists
Digest: sha256:0bf3461984f2fb18d237995e81faa657aff260a52a795367e6725f0617f7a56c
Status: Downloaded newer image for localhost:5000/ubuntu:latest

# docker images | grep localhost:5000/ubuntu | wc -l // Make sure pull success
1

To stop your registry, you would: 
# docker stop registry && docker rm -v registry

Storage 
By default, your registry data is persisted as a docker volume on the host filesystem. Properly understanding volumes is essential if you want to stick with a local filesystem storage. Specifically, you might want to point your volume location to a specific place in order to more easily access your registry data
// --restart: Restart policy to apply when a container exits
// -v, --volume=[]: Bind mount a volume
// -p, --publish=[]: Publish a container's port(s) to the host

# docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/data:/var/lib/registry \
registry:2

Alternatives 
You should usually consider using another storage backend instead of the local filesystem. Use the storage configuration options to configure an alternate storage backend. Using one of these will allow you to more easily scale your registry, and leverage your storage redundancy and availability features. 

Running a domain registry 
While running on localhost has its uses, most people want their registry to be more widely available. To do so, the Docker engine requires you to secure it using TLS, which is conceptually very similar to configuring your web server with SSL. 

Get a certificate 
Assuming that you own the domain myregistrydomain.com, and that its DNS record points to the host where you are running your registry, you first need to get a certificate from a CA. Move and/or rename your crt file to: certs/domain.crt - and your key file to: certs/domain.key. 

Make sure you stopped your registry from the previous steps, then start your registry again with TLS enabled: 
# docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2

You should now be able to access your registry from another docker host: 
# docker pull ubuntu
# docker tag ubuntu myregistrydomain.com:5000/ubuntu
# docker push myregistrydomain.com:5000/ubuntu
# docker pull myregistrydomain.com:5000/ubuntu

Gotcha 
A certificate issuer may supply you with an intermediate certificate. In this case, you must combine your certificate with the intermediate’s to form a certificate bundle. You can do this using the cat command: 
# cat server.crt intermediate-certificates.pem > certs/domain.crt

Alternatives 
While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions here

Restricting access 
Except for registries running on secure local networks, registries should always implement access restrictions. 

Native basic auth 
The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers’ basic authentication mechanism). :warning: You cannot use authentication with an insecure registry. You have to configure TLS first for this to work. 

First create a password file with one entry for the user “testuser”, with password “testpassword”: 
# mkdir auth
# docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd
# cat auth/htpasswd
testuser:$2y$05$nhrxs/qBMVuUo0MvwOfvAuZAIzzbpulQyqGEHXmeAfp6ih5B9VVLu

Make sure you stopped your registry from the previous step, then start it again: 
# docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2

You should now be able to: 
# docker login myregistrydomain.com:5000

And then push and pull images as an authenticated user. 

Alternatives 
1. You may want to leverage more advanced basic auth implementations through a proxy design, in front of the registry. You will find an example of such design in the nginx proxy documentation

2. Alternatively, the Registry also supports delegated authentication, redirecting users to a specific, trusted token server. That approach requires significantly more investment, and only make sense if you want to fully configure ACLs and more control over the Registry integration into your global authorization and authentication systems. 

You will find background information here, and configuration information here. Beware that you will have to implement your own authentication service for this to work. 

Managing with Compose 
As your registry configuration grows more complex, dealing with it can quickly become tedious. It’s highly recommended to use Docker Compose to facilitate operating your registry. Here is a simple docker-compose.yml example that condenses everything explained so far: 
  1. registry:  
  2.   restart: always  
  3.   image: registry:2  
  4.   ports:  
  5.     - 5000:5000  
  6.   environment:  
  7.     REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt  
  8.     REGISTRY_HTTP_TLS_KEY: /certs/domain.key  
  9.     REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry  
  10.     REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd  
  11.     REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm  
  12.   volumes:  
  13.     - /path/data:/var/lib/registry  
  14.     - /path/certs:/certs  
  15.     - /path/auth:/auth  
:warning: replace /path by whatever directory that holds your certs and auth folder from above. You can then start your registry with a simple 
# docker-compose up -d

Next 
You will find more specific and advanced informations in the following sections: 
Configuration reference 
Working with notifications 
Registry API 
Storage driver model

沒有留言:

張貼留言

網誌存檔

關於我自己

我的相片
Where there is a will, there is a way!