图1:架构示意图

1. 可拉取镜像主机配置

// 创建镜像库

$ docker run -d -p 5000:5000 --restart always --name registry registry:2.8.3

// 创建脚本

$ vim /usr/local/script/push_img.sh
#!/bin/bash

img=$1
PUSH_IMG=""

IFS='/' read -r -a PARTS <<< "$img"
PART_COUNT=${#PARTS[@]}

if [ "$PART_COUNT" -eq 2 ]; then
    echo "镜像为 Docker Hub 官网"
    PUSH_IMG=$img
elif [ "$PART_COUNT" -eq 3 ]; then
    echo "镜像为 非 Docker Hub 官网"
    PUSH_IMG="${PARTS[1]}/${PARTS[2]}"
else
    echo "字符串有 $PART_COUNT 部分,不执行任何命令。"
fi

docker pull $img
docker tag $img localhost:5000/$PUSH_IMG
docker push localhost:5000/$PUSH_IMG

// 添加执行权限

$ chmod +x /usr/local/script/push_img.sh

2. 内网主机配置

// 创建私有镜像库

$ docker run -d -p 5000:5000 --restart always -v /data2/registry:/var/lib/registry --name registry registry:2.8.3

// 创建 nginx 代理

$ docker run --name nginx -p 80:80 -p 443:443 -v /data/etc/nginx/conf.d:/etc/nginx/conf.d -v /data/nginx/www:/data/nginx/www -d  nginx:1.27.0-perl

$ cat > /data/etc/nginx/conf.d/registry.aishangwei.net.conf <<EOF
server {
    listen     80;
    server_name   registry.aishangwei.net.;
    return 301 https://$server_name$request_uri;
}
server {
        listen       443 ssl;
        server_name  registry.aishangwei.net;
        access_log  /var/log/nginx/registry-access.log main;
        error_log  /var/log/nginx/registry-error.log;
        ssl_protocols TLSv1.2;
        ssl_session_timeout  5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-   SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;
        ssl_certificate   ./conf.d/ssl/registry.aishangwei.net.pem;
        ssl_certificate_key  ./conf.d/ssl/registry.aishangwei.net.key;
        location / {
        client_max_body_size 50m;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.10.230:5000;
        }
}
EOF

// 上传证书,请自行申请证书

$ mkdir /data/etc/nginx/conf.d/ssl
## 上传证书到 ssl 目录

// 重启服务

$ docker restart nginx

// 创建脚本

$ vim /usr/local/script/pull-push-img.sh
#!/bin/bash

img=$1
PUSH_IMG=""

IFS='/' read -r -a PARTS <<< "$img"
PART_COUNT=${#PARTS[@]}

if [ "$PART_COUNT" -eq 2 ]; then
    echo "镜像为 Docker Hub 官网"
    PUSH_IMG=$img
elif [ "$PART_COUNT" -eq 3 ]; then
    echo "镜像为 非 Docker Hub 官网"
    PUSH_IMG="${PARTS[1]}/${PARTS[2]}"
else
    echo "字符串有 $PART_COUNT 部分,不执行任何命令。"
fi

ssh -i "/root/.ssh/19216810204-id_rsa" "ubuntu@43.135.69.62" "sudo /usr/local/script/push_img.sh $img"
sleep 3
docker pull 4.4.4.4:5000/$PUSH_IMG
docker tag 4.4.4.4:5000/$PUSH_IMG localhost:5000/$PUSH_IMG
docker push localhost:5000/$PUSH_IMG

4.4.4.4 为可拉取镜像主机的IP地址。

// 拉取镜像

$ chmod +x /usr/local/script/pull-push-img.sh
## 注意,如果是官方镜像,必须加 library
$ /usr/local/script/pull-push-img.sh library/registry:2.8.3
$ /usr/local/script/pull-push-img.sh calico/node:v3.27.3

3. containerd 配置

$ cat /etc/containerd/config.toml |grep -A 2 -B 5 config_path

    [plugins."io.containerd.grpc.v1.cri".image_decryption]
      key_model = "node"

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"      // 重点是这个,阿里云的默认是 /etc/containerd/cert.d

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

$ mkdir -pv /etc/containerd/certs.d/docker.io
$ cat > /etc/containerd/certs.d/docker.io/hosts.toml <<EOF
server = "https://docker.io"
[host."https://registry.aishangwei.net"]
  capabilities = ["pull", "resolve"]
EOF

$ systemctl daemon-reload
$ systemctl restart containerd

4. 测试

$ crictl pull registry:2.8.3
$ crictl pull calico/node:v3.27.3