distribution镜像仓库代理缓存

本文在《学习distribution》之后，梳理一份基础的用于代理远端仓库的基础配置。

配置需求

• 镜像地址在远端
• 定期清理缓存
• 优先没有任何中间件服务
• 需要健康检查
• 需要暴露prometheus指标
• 优先外部正式的HTTPS证书

配置明细

version:0.1
log:
  level: debug
  fields:
    service: registry
    environment: development
storage:
  filesystem:
    rootdirectory: /opt/registry
  delete:
    enabled: true    
  cache:
    blobdescriptor: inmemory
    blobdescriptorsize: 10000
    # 如果用外部redis，inmemory -> redis ，删除blobdescriptorsize
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false  
    readonly:
      enabled: false    
# 如果用外部redis      
# redis:
#   addr: redis—ip:redis-port
#   password: pw
#   pool:
#     maxidle: 16
#     maxactive: 64
#     idletimeout: 300s
#   dialtimeout: 10ms
#   readtimeout: 10ms
#   writetimeout: 10ms  
proxy:
  remoteurl: https://registry-1.docker.io
  username: username
  password: password    
  ttl: 48h  
http:
  addr: 80
  host: http://mirror-registry-1.docker.io
  secret: mirror-registry-1.docker.io
  debug:
    addr: 5001
    prometheus:
        enabled: true
        path: /metrics  
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3    
# 需要配置用户认证，否则容器运行时需要配置忽略权限验证
# auth:
#   htpasswd:
#     realm: basic-realm
#     path: /opt/htpasswd

htpaasswd配置密钥

mkdir /opt/auth/htpasswd
docker run \
  --entrypoint htpasswd \
  httpd:2 -Bbn testuser testpassword > /opt/auth/htpasswd

运行服务

docker

docker run -itd -p 80:80 -p 5001:5001 \
 --restart=always --name registry \
 -v /opt/registry:/opt/registry \
 -v /opt/auth/htpasswd:/opt/auth/htpasswd \
 -v /opt/docker/registry/config.yml:/etc/docker/registry/config.yml \
 registry:2 

docker compose

registry:
  restart: always
  image: registry:2
  ports:
    - 80:80
    - 5001:5001
  volumes:
    - /opt/auth/htpasswd:/opt/auth/htpasswd
    - /opt/registry:/opt/registry
    - /opt/docker/registry/config.yml:/etc/docker/registry/config.yml

docker compose up -d

垃圾清理

清理过程中会阻碍上传镜像，理论上作为代理仓库不会有上传情况

docker exec registry /bin/registry garbage-collect /etc/docker/registry/config.yml

指定清理镜像

该步骤需要调用registry的http API
参考链接：
https://distribution.github.io/distribution/spec/api/#deleting-a-layer
https://www.yoyoask.com/?p=2843

镜像加速配置

containerd

# /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
          [plugins."io.containerd.grpc.v1.cri".registry.configs."mirror-registry-1".auth]
            username = "testuser"
            password = "testpassword"

# /etc/containerd/certs.d/mirror-registry-1/hosts.toml
server = "https://registry-1.docker.io"

[host."https://mirror-registry-1.docker.io"]
  capabilities = ["pull", "resolve"]
  skip_verify = true

systemctl restart containerd