
About Docker: how to set up a proxy image registry

Background:

I wonder whether anyone else has run into this awkward situation: while setting up Kubernetes you need to pull a number of images. Images from Docker Hub are fine, since accelerator mirrors exist for those. But what about k8s.gcr.io and quay.io? It so happened that while setting up kubeadm 1.25 and installing cilium with helm, things went badly: the downloads simply would not move. In the Docker era I could import images directly, but in the containerd era importing is still more of a hassle, isn't it? A search turned up the three articles below, which I borrowed from:
References: 搭建 Docker 镜像仓库代理 (Setting up a Docker image registry proxy)
搭建容器仓库的镜像服务器 (gcr, ghcr, quay, k8s-gcr) (Setting up a mirror server for container registries)
真◉彻底解决 gcr、quay、DockerHub 镜像下载难题! (Really, thoroughly solving the gcr, quay and DockerHub image download problem!)

Setting up the image proxy registry

Among them, the article 真◉彻底解决 gcr、quay、DockerHub 镜像下载难题! by 米开朗基杨 sets up a k3s cluster and is fairly comprehensive, but I only have a single server abroad, and a lightweight one at that... That article also starts by downloading images and then uploading them to a domestic harbor registry... So here I will go with the approach from 搭建 Docker 镜像仓库代理 (Setting up a Docker image registry proxy) instead!

Prerequisites

A server located abroad
Four domain names and their SSL certificates

Install Docker

Note: my server is a lightweight server running Ubuntu (I had actually installed docker on it some time ago...)

apt-get update
apt-get upgrade
apt-get install docker*

If you are on CentOS, refer to:

yum update
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce

Configure Docker

  1. Set Docker's log format to json, with a log file size of 100M and at most 3 log files kept;
  2. Set Docker's private registry and the official image accelerator address;
  3. Set Docker's data directory to /data/docker;
  4. Set Docker's Storage Driver to overlay2.

The daemon.json keys are `insecure-registries` and `registry-mirrors`, both arrays; dockerd refuses to start when it finds an unknown key in this file.

    [root@dqzboy ~]# mkdir /etc/docker
    [root@dqzboy ~]# cat << EOF > /etc/docker/daemon.json
    {
      "log-driver": "json-file",
      "log-opts": {
        "max-size": "100m",
        "max-file": "3"
      },
      "insecure-registries": ["hub.dqzboy.com"],
      "registry-mirrors": ["https://a7ye1cuu.mirror.aliyuncs.com"],
      "data-root": "/data/docker",
      "exec-opts": ["native.cgroupdriver=systemd"],
      "storage-driver": "overlay2",
      "storage-opts": ["overlay2.override_kernel_check=true"]
    }
    EOF

Start Docker

    systemctl enable docker && systemctl start docker

Install Docker Compose

Pick whichever version you like; I did not install the newest one, since for me it is enough that it runs.

    curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
    ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
    docker-compose --version

Start the image registry proxy

git clone the registry-proxy repository with its configuration files

     git clone https://github.com/findsec-cn/registry-proxy.git
     cd registry-proxy

Customize the configuration files

  1. Place the domain's certificate in the cert directory and name the certificate files after the server name used in that directory;
  2. server.crt is the SSL certificate file and server.key is the SSL private key.
  3. Note: the certificate must be issued for the corresponding domain, otherwise pulling images will fail with an x509 error.
  4. Edit the nginx.conf file and replace the domain in it with your own (xxx.com).

Modifying docker-compose.yaml

First I modify docker-compose.yaml. The original GitHub project only proxies gcr.io and k8s.gcr.io; what I mainly need is a proxy for the quay.io registry. Other registries can be proxied the same way!

    version: '2'
    services:
      local:
        container_name: reg-local
        image: findsec/registry-proxy:latest
        restart: always
        environment:
          - DELETE_ENABLED=true
        volumes:
          - ~/data/registry:/var/lib/registry
        ports:
          - 5000:5000
        networks:
          - registry-net
      quay:
        container_name: reg-quay
        image: findsec/registry-proxy:latest
        restart: always
        environment:
          - PROXY_REMOTE_URL=https://quay.io
        volumes:
          - ~/data/registry:/var/lib/registry
        networks:
          - registry-net
      gcr:
        container_name: reg-gcr
        image: findsec/registry-proxy:latest
        restart: always
        environment:
          - PROXY_REMOTE_URL=https://gcr.io
        volumes:
          - ~/data/registry:/var/lib/registry
        networks:
          - registry-net
      k8s-gcr:
        container_name: reg-k8s-gcr
        image: findsec/registry-proxy:latest
        restart: always
        environment:
          - PROXY_REMOTE_URL=https://k8s.gcr.io
        volumes:
          - ~/data/registry:/var/lib/registry
        networks:
          - registry-net
      ui:
        container_name: reg-ui
        image: findsec/registry-ui:latest
        restart: always
        links:
          - local:reg-local
        environment:
          - REGISTRY_TITLE=My Private Docker Registry
          - REGISTRY_URL=http://reg-local:5000
          - DELETE_IMAGES=true
        networks:
          - registry-net
      nginx:
        container_name: reg-nginx
        image: nginx:alpine
        restart: always
        ports:
          - 80:80
          - 443:443
        links:
          - ui:reg-ui
          - gcr:reg-gcr
          - quay:reg-quay
          - k8s-gcr:reg-k8s-gcr
        volumes:
          - ./nginx.conf:/etc/nginx/conf.d/default.conf
          - ./cert:/etc/nginx/ssl
        networks:
          - registry-net

    networks:
      registry-net:

Following the same pattern, generate a quay service from the gcr service in the repository's yaml file.

In the nginx service's links, add the quay entry as well.

Replace the domain in nginx.conf:

    sed -i 's/xxx.com/zhangpeng.com/g' nginx.conf

Then add the server block for the quay domain.

The final configuration file looks like this:

    server {
        listen       80;
        listen       443 ssl;

        server_name  hub.zhangpeng.com;

        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        send_timeout          600;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        location / {
            proxy_pass   http://reg-ui:80;

            proxy_buffering off;
            proxy_request_buffering off;
        }
    }
    server {
        listen       80;
        listen       443 ssl;

        server_name  gcr.zhangpeng.com;

        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        send_timeout          600;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        location / {
            proxy_pass   http://reg-gcr:5000;

            proxy_buffering off;
            proxy_request_buffering off;
        }
    }
    server {
        listen       80;
        listen       443 ssl;

        server_name  k8s-gcr.zhangpeng.com;

        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        send_timeout          600;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        location / {
            proxy_pass   http://reg-k8s-gcr:5000;

            proxy_buffering off;
            proxy_request_buffering off;
        }
    }
    server {
        listen       80;
        listen       443 ssl;

        server_name  quay.zhangpeng.com;

        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        send_timeout          600;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        location / {
            proxy_pass   http://reg-quay:5000;

            proxy_buffering off;
            proxy_request_buffering off;
        }
    }

SSL certificate

Be sure to upload the SSL certificate into the cert directory.

Alternatively, you can edit docker-compose.yaml and change the mount path in the nginx service's volumes,

or change the ssl_certificate and ssl_certificate_key file names in nginx.conf.
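Before starting the stack it is worth confirming that the certificate really covers all four server_names, because a mismatch only shows up later as the x509 error mentioned above. The script below is an added example, not part of the original post or the registry-proxy project; it assumes nginx.conf and cert/server.crt in the current directory and an openssl new enough for `x509 -ext` (1.1.1 or later).

```shell
# Pre-flight check: every server_name in nginx.conf must be covered by the
# certificate in cert/server.crt, or clients fail with the x509 error above.
set -eu

# Print every server_name value in an nginx config, one per line.
server_names() {
    awk '$1 == "server_name" { for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); print $i } }' "$1"
}

# Does one SAN entry cover a hostname? A wildcard "*.example.com" matches
# exactly one extra label, as TLS clients require (not "a.b.example.com").
san_covers() {
    name=$1; san=$2
    case "$san" in
        \*.*)
            suffix=${san#\*.}; first=${name%%.*}; rest=${name#*.}
            [ -n "$first" ] && [ "$first" != "$name" ] && [ "$rest" = "$suffix" ]
            ;;
        *)  [ "$name" = "$san" ] ;;
    esac
}

# 0 when any SAN in the argument list covers the hostname, 1 otherwise.
covered_by() {
    host=$1; shift
    for s in "$@"; do
        san_covers "$host" "$s" && return 0
    done
    return 1
}

# DNS entries of the certificate's subjectAltName (needs openssl >= 1.1.1).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Report each server_name as ok or MISSING; exit status 1 if any is missing.
main() {
    conf=${1:-nginx.conf}; crt=${2:-cert/server.crt}
    sans=$(cert_sans "$crt"); rc=0
    for n in $(server_names "$conf"); do
        if covered_by "$n" $sans; then echo "ok      $n"
        else echo "MISSING $n"; rc=1; fi
    done
    return $rc
}
if [ -n "${1-}" ]; then main "$@"; fi
```

Run it as `sh check-cert.sh nginx.conf cert/server.crt` from the registry-proxy directory; a wildcard certificate for `*.zhangpeng.com` covers all four names here, while a certificate issued only for hub.zhangpeng.com is reported as MISSING for the other three.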

Start the image registry proxy

    docker-compose up -d
    docker-compose logs -f

You may see errors about an incorrect certificate configuration; haha, sort those out yourself...

DNS resolution

My domains are hosted at dnspod.

Using the image registry proxy

My local working environment is Rocky 8.5 with podman installed, so I test with podman:

    ### the image we want to pull
    [root@zhangpeng ~]# podman pull k8s.gcr.io/pause:3.6
    ### pull it through the registry proxy instead:
    [root@zhangpeng ~]# podman pull k8s-gcr.zhangpeng.com/pause:3.6

Open hub.zhangpeng.com and you can see that the image we pulled has been cached.

Next, a few things that can be taken further:

Image cleanup

The cache cannot be kept forever, so what happens when the disk fills up? The dumbest approach is a crontab entry (the schedule's asterisks were eaten by the markdown rendering; given the surviving `/2`, a wipe every two minutes is the assumed reading):

    */2 * * * * /usr/bin/rm -rf /var/lib/registry/* &>/dev/null
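A less destructive alternative to wiping the cache on a timer is to clean only when the filesystem holding it is nearly full. This is an added example, not from the original post: it works on the host path from docker-compose.yaml (~/data/registry, since /var/lib/registry in the cron line above is the path inside the container), assumes the standard Distribution storage layout docker/registry/v2 under that directory, and the 85% threshold is an arbitrary choice.

```shell
# Clean the proxy cache only when the filesystem holding it is nearly full,
# instead of wiping it on a fixed schedule. Paths and threshold are assumptions.
set -eu

REGISTRY_DIR=${REGISTRY_DIR:-${HOME:-/root}/data/registry}  # host side of ~/data/registry:/var/lib/registry
THRESHOLD=${THRESHOLD:-85}                                   # percent in use that triggers a cleanup
DRY_RUN=${DRY_RUN:-0}

# Use% column of one POSIX "df -P" data line, as a bare integer.
parse_df_pct() {
    printf '%s\n' "$1" | awk '{ sub(/%/, "", $5); print $5 }'
}

# Percentage in use of the filesystem that holds DIR.
disk_use_pct() {
    parse_df_pct "$(df -P "$1" | sed -n '2p')"
}

# 0 (true) when usage USE has reached THRESHOLD.
should_clean() {
    [ "$1" -ge "$2" ]
}

# Drop the cached repositories and blobs (Distribution layout docker/registry/v2
# under the data directory); the proxies refetch on the next pull. The data
# directory itself, which docker-compose mounts, is left in place.
clean_cache() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry run: would remove $1/docker/registry/v2"
    else
        rm -rf "$1/docker/registry/v2"
    fi
}

main() {
    use=$(disk_use_pct "$REGISTRY_DIR")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if should_clean "$use" "$THRESHOLD"; then
        echo "$stamp usage ${use}% >= ${THRESHOLD}%, cleaning $REGISTRY_DIR"
        clean_cache "$REGISTRY_DIR"
    else
        echo "$stamp usage ${use}% < ${THRESHOLD}%, nothing to do"
    fi
}
# Schedule as e.g. "*/30 * * * * /path/to/registry-cleanup.sh run" from cron.
if [ "${1-}" = run ]; then main; fi
```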

## Authentication against freeloaders
What if the server's image proxy gets freeloaded by others? The simplest fix is to set up htpasswd:

      apt-get install apache2-utils


    htpasswd -c passwd zhangpeng

Then edit nginx.conf. For the demo I only changed the k8s-gcr server block; the others work the same way:

    server {
        listen 80;
        listen 443 ssl;

        server_name k8s-gcr.zhangpeng.com;

        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        auth_basic "Please enter your username and password"; # prompt shown when authenticating
        auth_basic_user_file /etc/nginx/passwd; # credentials file
        location / {
            proxy_pass   http://reg-k8s-gcr:5000;

            proxy_buffering off;
            proxy_request_buffering off;
        }
    }

Restart the docker-compose services (note: run this from the registry-proxy directory):

    docker-compose down
    docker-compose up -d

Local test: using the pause image again, and yes, it now reports an authentication failure:

    podman pull k8s-gcr.zhangpeng.com/pause:3.5


    podman login k8s-gcr.zhangpeng.com
    podman pull k8s-gcr.zhangpeng.com/pause:3.5

As the figure showed, the pull now succeeds.
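Two things that are easy to get wrong with this setup are the hash scheme in the passwd file (htpasswd writes apr1 MD5 by default; `-B` gives bcrypt, while `-p`, `-d` and `-s` give plaintext, crypt and SHA1) and forgetting to mount the file at the path auth_basic_user_file names. The script below is an added example, not part of the original post or the registry-proxy project; the mount line `./passwd:/etc/nginx/passwd` it looks for is an assumption about how the file gets added to docker-compose.yaml.

```shell
# Checks on the htpasswd file behind auth_basic_user_file, to run before
# docker-compose up. File names are those used above; the mount line is an assumption.
set -eu

# Hash scheme of one "user:hash" line. htpasswd -c writes apr1 (MD5) by default,
# -B bcrypt; -p (plaintext), -d (crypt) and -s (SHA1) should not be accepted.
hash_scheme() {
    hash=${1#*:}
    case "$hash" in
        '$2y$'*|'$2b$'*|'$2a$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1 ;;
        '{SHA}'*)                echo sha1 ;;
        '')                      echo empty ;;
        *)                       echo plain-or-crypt ;;
    esac
}

# 0 when every non-empty line uses bcrypt or apr1; otherwise names the offenders and returns 1.
check_htpasswd() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        case "$(hash_scheme "$line")" in
            bcrypt|apr1) ;;
            *) echo "weak or invalid hash for user '$user'"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# nginx only sees the file if docker-compose.yaml mounts it at the path that
# auth_basic_user_file names (/etc/nginx/passwd in the config above).
compose_mounts_passwd() {
    grep -Eq '^[[:space:]]*-[[:space:]]*\./passwd:/etc/nginx/passwd' "$1"
}

main() {
    check_htpasswd "${1:-passwd}"
    compose_mounts_passwd "${2:-docker-compose.yaml}" \
        || { echo "docker-compose.yaml does not mount ./passwd into nginx"; return 1; }
    echo "htpasswd checks passed"
}
if [ -n "${1-}" ]; then main "$@"; fi
```

auth_basic only guards requests that pass through nginx: the `local` service in docker-compose.yaml also publishes 5000:5000 on the host, so bind that to 127.0.0.1 or drop the mapping if that registry should not be reachable without credentials.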
## Anything else? For the container runtime side of the configuration, refer to 米开朗基杨's article: [https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10](https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10)