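Following "Learning distribution", this post puts together a basic configuration for proxying a remote registry.
Requirements
- The image source is a remote registry
- Cached data is cleaned up periodically
- Preferably no middleware services
- Health checks are required
- Prometheus metrics must be exposed
- Preferably an official HTTPS certificate issued by an external CA
Configuration details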
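```yaml
version: 0.1
log:
  level: debug
  fields:
    service: registry
    environment: development
storage:
  filesystem:
    rootdirectory: /opt/registry
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
    blobdescriptorsize: 10000
    # With an external redis: change inmemory -> redis and remove blobdescriptorsize
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
# With an external redis
# redis:
#   addr: redis-ip:redis-port
#   password: pw
#   pool:
#     maxidle: 16
#     maxactive: 64
#     idletimeout: 300s
#   dialtimeout: 10ms
#   readtimeout: 10ms
#   writetimeout: 10ms
proxy:
  remoteurl: https://registry-1.docker.io
  # Upstream account: private images it can read become reachable through
  # the mirror, so enable the auth block at the end of this file.
  username: username
  password: password
  ttl: 48h
http:
  addr: :80   # listen address in host:port form, all interfaces
  host: http://mirror-registry-1.docker.io
  # Signs state handed to clients; use a long random value outside of testing.
  secret: mirror-registry-1.docker.io
  debug:
    addr: :5001   # debug listener: health and metrics endpoints
    prometheus:
      enabled: true
      path: /metrics
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
# Configure user authentication here; otherwise the container runtime
# has to be set up to skip authentication.
# auth:
#   htpasswd:
#     realm: basic-realm
#     path: /opt/auth/htpasswd   # same path as the volume mounted into the container
```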
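Configuring htpasswd credentials
```shell
# Create the parent directory only; htpasswd itself is the file written below
mkdir -p /opt/auth
docker run \
  --entrypoint htpasswd \
  httpd:2 -Bbn testuser testpassword > /opt/auth/htpasswd
```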
Running the service
docker
```shell
docker run -itd -p 80:80 -p 5001:5001 \
  --restart=always --name registry \
  -v /opt/registry:/opt/registry \
  -v /opt/auth/htpasswd:/opt/auth/htpasswd \
  -v /opt/docker/registry/config.yml:/etc/docker/registry/config.yml \
  registry:2
```
docker compose
```yaml
# Compose v2 (docker compose) expects services under the top-level services key
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 80:80
      - 5001:5001
    volumes:
      - /opt/auth/htpasswd:/opt/auth/htpasswd
      - /opt/registry:/opt/registry
      - /opt/docker/registry/config.yml:/etc/docker/registry/config.yml
```
```shell
docker compose up -d
```
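A smoke test for the service started above, as an added example that is not part of the original post. It assumes the auth block in config.yml has been enabled and reuses the sample host, debug port and test account from this page; `http_code`, `check` and `audit_mirror` are illustrative names.

```shell
#!/bin/sh
# Added example, not from the original post: smoke-test the running mirror.
# Assumed values: the sample host, debug port and test account from this page.
MIRROR=${MIRROR:-http://mirror-registry-1.docker.io}
DEBUG_URL=${DEBUG_URL:-http://mirror-registry-1.docker.io:5001}
REG_AUTH=${REG_AUTH:-testuser:testpassword}

# http_code URL [curl options...]: print only the HTTP status code.
# curl prints 000 when the connection itself fails.
http_code() {
  url=$1; shift
  curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$@" "$url" || true
}

# check NAME WANT GOT: report one result, return non-zero on mismatch.
check() {
  if [ "$2" = "$3" ]; then
    echo "PASS $1 ($3)"
  else
    echo "FAIL $1: want $2, got $3"
    return 1
  fi
}

audit_mirror() {
  rc=0
  # The proxy section holds upstream credentials, so anonymous API access
  # must be refused once the auth.htpasswd block is enabled.
  check "anonymous /v2/ is rejected" 401 "$(http_code "$MIRROR/v2/")" || rc=1
  check "htpasswd account is accepted" 200 \
    "$(http_code "$MIRROR/v2/" -u "$REG_AUTH")" || rc=1
  # Both endpoints below are served by the http.debug listener (port 5001).
  check "storage driver health" 200 "$(http_code "$DEBUG_URL/debug/health")" || rc=1
  check "prometheus metrics" 200 "$(http_code "$DEBUG_URL/metrics")" || rc=1
  return "$rc"
}

# Run the audit only when invoked as: sh audit-mirror.sh run
if [ "${1:-}" = "run" ]; then
  audit_mirror
fi
```

A `FAIL` on the first check with `got 200` means the mirror answers anonymous clients, which is the state to fix before upstream credentials are put in the proxy section.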
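Garbage collection
Garbage collection blocks image uploads while it runs; in theory, a proxy registry receives no uploads.
```shell
docker exec registry /bin/registry garbage-collect /etc/docker/registry/config.yml
```
Deleting a specific image
This step requires calling the registry's HTTP API.
Reference links:
https://distribution.github.io/distribution/spec/api/#deleting-a-layer
https://www.yoyoask.com/?p=2843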
Registry mirror configuration
containerd
```toml
# /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."mirror-registry-1".auth]
      # htpasswd account created earlier; stored here in plain text
      username = "testuser"
      password = "testpassword"
```
```toml
# /etc/containerd/certs.d/mirror-registry-1/hosts.toml
server = "https://registry-1.docker.io"
[host."https://mirror-registry-1.docker.io"]
  capabilities = ["pull", "resolve"]
  # Disables TLS certificate verification for this host; remove it once the
  # mirror serves a certificate from a trusted CA
  skip_verify = true
```
```shell
systemctl restart containerd
```
From: https://www.cnblogs.com/yulinor/p/18188705