Docker - Setup a secure private

Author: 红薯爱帅 | Published 2021-01-09 11:10 | Read 0 times

1. Setup a private docker registry

1.1. Setup Server

  • Init environment
mkdir /u/devops/docker_repo
cd /u/devops/docker_repo
mkdir certs auth registry
  • Generate a 2048-bit RSA private key and a self-signed certificate

When prompted, set the Common Name to the registry's domain name, e.g. myrepo.com. Recent Docker releases no longer fall back to the Common Name and also need the name as a subjectAltName; with OpenSSL 1.1.1 or later it can be added with -addext "subjectAltName=DNS:myrepo.com".

openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/myrepo.com.key -x509 -days 365 -out certs/myrepo.com.crt
  • Create the htpasswd file (-B selects bcrypt, the only hash the registry accepts)
htpasswd -Bbn test 123123 > ./auth/htpasswd
  • Create ./docker-compose.yml
version: "2.3"
services:
  my-repo:
    container_name: my-repo
    restart: always
    image: registry:2.7
    ports:
      - 5443:443
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:443
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.com.crt
      - REGISTRY_HTTP_TLS_KEY=/certs/myrepo.com.key
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
    volumes:
      - ./registry:/var/lib/registry
      - ./certs:/certs
      - ./auth:/auth
  • Start the service
docker-compose up -d

1.2. Setup Node

1.2.1. Prepare the environment and log in to the registry

  • Create the docker TLS certificate directory
cd /etc/docker && sudo mkdir -p certs.d/myrepo.com:5443
  • Copy ./certs/myrepo.com.crt to node:/etc/docker/certs.d/myrepo.com:5443/ca.crt

  • Append a hosts entry

echo "10.10.72.189 myrepo.com" >> /etc/hosts
  • Log in to the registry
docker login myrepo.com:5443 -u test -p 123123

1.2.2. pull images from private registry

docker pull myrepo.com:5443/project/mongo:4.2.0
docker pull myrepo.com:5443/project/redis:5.0

1.2.3. Ansible playbook for #1.2.1 and #1.2.2

  • Sets up all nodes and logs them in to the registry in one batch
ansible-playbook playbook-setup-node.yml -e "remotehost=wave1"
  • playbook-setup-node.yml
# ansible-playbook playbook-setup-node.yml -e "remotehost=wave1"

- hosts: "{{ remotehost }}"
  gather_facts: False
  vars:
    repo_host: "myrepo.com:5443"
  tasks:
    - name: Add mappings to /etc/hosts
      blockinfile:
        path: /etc/hosts
        block: |
          {{ item.ip }} {{ item.name }}
        marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.name }}"
      loop:
        - { name: myrepo.com, ip: 10.10.72.189 }
      become: yes

    - name: Create docker certs folder
      file:
        path: "/etc/docker/certs.d/{{repo_host}}"
        state: directory
        mode: '0755'
      become: yes

    - name: Copy ca.crt to docker daemon config path
      copy:
        src: /u/devops/docker_repo/certs/myrepo.com.crt
        dest: "/etc/docker/certs.d/{{repo_host}}/ca.crt"
        mode: 0644
      become: yes

    - name: Login docker registry and pull some images
      shell: |
        docker login {{repo_host}} -u test -p 123123
        docker pull {{repo_host}}/project/mongo:4.2.0
        docker pull {{repo_host}}/project/redis:5.0

2. Common operations and conventions

2.1. List the images in the private registry and all their tags

$ curl -u 'test:123123' localhost:5443/v2/_catalog
{"repositories":["redis","ubuntu"]}
$ curl -u 'test:123123' localhost:5443/v2/redis/tags/list
{"name":"redis","tags":["5.0"]}
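The two curl calls above each make a single request. The registry's v2 API caps /v2/_catalog at n entries per response, so a complete inventory has to page through it with last=<last name seen>. The following script, added here as an example rather than code from the original post, does that and then fetches the tag list for every repository. The real transport verifies TLS against the self-signed myrepo.com.crt from section 1.1 and sends the test:123123 basic-auth credentials; the canned responses at the bottom are constructed so the example also runs offline.

```python
"""Inventory a Docker Registry v2 over its HTTP API, following /v2/_catalog
pagination instead of trusting a single page. Added example; host, user,
password and the canned responses are taken from or constructed around the
post's setup (myrepo.com:5443, test/123123)."""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def _basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_get_json(url, user, password, cafile=None):
    """Real transport: GET url with basic auth, verify the server certificate
    against cafile (the registry's own myrepo.com.crt), return parsed JSON."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=_basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def list_repositories(base_url, fetch, page_size=100):
    """Walk /v2/_catalog. The registry returns at most page_size names per
    call (it also sends a Link header); we stop at the first short page and
    otherwise ask again from the last name we saw."""
    repos, last = [], None
    while True:
        params = {"n": page_size}
        if last:
            params["last"] = last
        page = fetch(f"{base_url}/v2/_catalog?{urlencode(params)}")
        batch = page.get("repositories", [])
        repos.extend(batch)
        if len(batch) < page_size:
            return repos
        last = batch[-1]


def list_tags(base_url, repo, fetch):
    """/v2/<name>/tags/list answers "tags": null for an empty repository."""
    page = fetch(f"{base_url}/v2/{repo}/tags/list")
    return page.get("tags") or []


def inventory(base_url, fetch, page_size=100):
    """Return {repository: [tags]} for everything the registry holds."""
    return {r: list_tags(base_url, r, fetch)
            for r in list_repositories(base_url, fetch, page_size)}


# Constructed responses standing in for myrepo.com:5443 (page size 2).
FAKE_RESPONSES = {
    "/v2/_catalog?n=2": {"repositories": ["project/mongo", "project/redis"]},
    "/v2/_catalog?n=2&last=project%2Fredis": {"repositories": ["ubuntu"]},
    "/v2/project/mongo/tags/list": {"name": "project/mongo", "tags": ["4.2.0"]},
    "/v2/project/redis/tags/list": {"name": "project/redis", "tags": ["5.0"]},
    "/v2/ubuntu/tags/list": {"name": "ubuntu", "tags": None},
}

REGISTRY = "https://myrepo.com:5443"


def fake_fetch(url):
    """Offline transport: look the request path up in FAKE_RESPONSES."""
    return FAKE_RESPONSES[url.split(REGISTRY, 1)[1]]


if __name__ == "__main__":
    # Offline run against the constructed responses.
    print(inventory(REGISTRY, fake_fetch, page_size=2))
    # Against the registry from the post, run from /u/devops/docker_repo:
    # fetch = lambda u: http_get_json(u, "test", "123123", cafile="certs/myrepo.com.crt")
    # print(inventory(REGISTRY, fetch))
```

Passing the transport in as a function keeps the paging logic testable without a registry; swap fake_fetch for the http_get_json lambda to run it against myrepo.com:5443.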

2.2. Image naming convention

  • Recommended: <registry-host>/<project-name>/<image-name>:<image-tag>
  • For example:
myrepo.com:5443/project-a/service-xxx:0.12.0
myrepo.com:5443/project-b/prom/prometheus:v2.23.0
myrepo.com:5443/project-b/nginx:1.19.5
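A convention only helps if something checks it. The script below, added as an example and not part of the original post, parses an image reference the way Docker does (the first path element is a registry only if it contains "." or ":" or is "localhost"; the tag is the part after the last ":" that follows the last "/") and reports how a reference departs from the <registry-host>/<project-name>/<image-name>:<image-tag> form. Requiring the host to be myrepo.com:5443 and the tag to be explicit is this example's reading of the convention; the component and tag grammars are Docker's.

```python
"""Check image references against the post's naming convention
<registry-host>/<project-name>/<image-name>:<image-tag>.
Added example, not from the original post. REGISTRY_HOST is the post's
registry; treating a missing tag as a violation is this example's rule."""
import re
from dataclasses import dataclass
from typing import Optional

# Docker's reference grammar: path components are lowercase alphanumerics
# joined by '.', '_', '__' or one or more '-'; tags are up to 128 word chars.
_COMPONENT = re.compile(r"^[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*$")
_TAG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
REGISTRY_HOST = "myrepo.com:5443"


@dataclass
class ImageRef:
    registry: str
    project: str
    image: str          # may itself contain '/', e.g. prom/prometheus
    tag: Optional[str]


def parse_image_ref(ref):
    """Split ref into registry, project, image and tag, raising ValueError
    when it cannot fit the convention at all."""
    if "@" in ref:
        raise ValueError("digest references are outside the convention")
    name, tag = ref, None
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:                      # a ':' after the last '/' starts the tag
        name, tag = ref[:colon], ref[colon + 1:]
    parts = name.split("/")
    first = parts[0]
    if not ("." in first or ":" in first or first == "localhost"):
        raise ValueError(f"{ref!r} names no registry host (Docker Hub would be implied)")
    if len(parts) < 3:
        raise ValueError(f"{ref!r} has no project segment")
    return ImageRef(first, parts[1], "/".join(parts[2:]), tag)


def check_convention(ref, registry=REGISTRY_HOST):
    """Return a list of violations; an empty list means the reference complies."""
    try:
        r = parse_image_ref(ref)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if r.registry != registry:
        problems.append(f"registry {r.registry!r} is not {registry!r}")
    for comp in [r.project, *r.image.split("/")]:
        if not _COMPONENT.match(comp):
            problems.append(f"invalid path component {comp!r}")
    if r.tag is None:
        problems.append("no explicit tag (docker would assume 'latest')")
    elif not _TAG.match(r.tag):
        problems.append(f"invalid tag {r.tag!r}")
    return problems


if __name__ == "__main__":
    # The post's three examples plus a few constructed offenders.
    for candidate in [
        "myrepo.com:5443/project-a/service-xxx:0.12.0",
        "myrepo.com:5443/project-b/prom/prometheus:v2.23.0",
        "myrepo.com:5443/project-b/nginx:1.19.5",
        "redis:5.0",
        "myrepo.com:5443/ubuntu:20.04",
        "myrepo.com:5443/project-a/Service:1",
    ]:
        print(candidate, "->", check_convention(candidate) or "ok")
```

Run it over the output of docker images or over a compose file's image: lines to find references that would silently resolve to Docker Hub or to an untagged "latest".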

3. Summary

  • Access by domain name makes the service less exposed and is the prerequisite for adding a TLS certificate
  • With a TLS certificate, nodes log in over HTTPS without configuring insecure-registries, so the docker daemon on each node need not be restarted, reducing the impact on running services
  • Basic auth further improves the registry's security

Article link: https://www.haomeiwen.com/subject/enhcaktx.html