图1:架构示意图
1. 可拉取镜像主机配置
// 创建镜像库
$ docker run -d -p 5000:5000 --restart always --name registry registry:2.8.3
// 创建脚本
$ vim /usr/local/script/push_img.sh
#!/bin/bash
img=$1
PUSH_IMG=""
IFS='/' read -r -a PARTS <<< "$img"
PART_COUNT=${#PARTS[@]}
if [ "$PART_COUNT" -eq 2 ]; then
echo "镜像为 Docker Hub 官网"
PUSH_IMG=$img
elif [ "$PART_COUNT" -eq 3 ]; then
echo "镜像为 非 Docker Hub 官网"
PUSH_IMG="${PARTS[1]}/${PARTS[2]}"
else
echo "字符串有 $PART_COUNT 部分,不执行任何命令。"
fi
docker pull $img
docker tag $img localhost:5000/$PUSH_IMG
docker push localhost:5000/$PUSH_IMG
// 添加执行权限
$ chmod +x /usr/local/script/push_img.sh
2. 内网主机配置
// 创建私有镜像库
$ docker run -d -p 5000:5000 --restart always -v /data2/registry:/var/lib/registry --name registry registry:2.8.3
// 创建 nginx 代理
$ docker run --name nginx -p 80:80 -p 443:443 -v /data/etc/nginx/conf.d:/etc/nginx/conf.d -v /data/nginx/www:/data/nginx/www -d nginx:1.27.0-perl
$ cat > /data/etc/nginx/conf.d/registry.aishangwei.net.conf <<EOF
server {
listen 80;
server_name registry.aishangwei.net.;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name registry.aishangwei.net;
access_log /var/log/nginx/registry-access.log main;
error_log /var/log/nginx/registry-error.log;
ssl_protocols TLSv1.2;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM- SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;
ssl_certificate ./conf.d/ssl/registry.aishangwei.net.pem;
ssl_certificate_key ./conf.d/ssl/registry.aishangwei.net.key;
location / {
client_max_body_size 50m;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.10.230:5000;
}
}
EOF
// 上传证书,请自行申请证书
$ mkdir /data/etc/nginx/conf.d/ssl
## 上传证书到 ssl 目录
// 重启服务
$ docker restart nginx
// 创建脚本
$ vim /usr/local/script/pull-push-img.sh
#!/bin/bash
img=$1
PUSH_IMG=""
IFS='/' read -r -a PARTS <<< "$img"
PART_COUNT=${#PARTS[@]}
if [ "$PART_COUNT" -eq 2 ]; then
echo "镜像为 Docker Hub 官网"
PUSH_IMG=$img
elif [ "$PART_COUNT" -eq 3 ]; then
echo "镜像为 非 Docker Hub 官网"
PUSH_IMG="${PARTS[1]}/${PARTS[2]}"
else
echo "字符串有 $PART_COUNT 部分,不执行任何命令。"
fi
ssh -i "/root/.ssh/19216810204-id_rsa" "ubuntu@43.135.69.62" "sudo /usr/local/script/push_img.sh $img"
sleep 3
docker pull 4.4.4.4:5000/$PUSH_IMG
docker tag 4.4.4.4:5000/$PUSH_IMG localhost:5000/$PUSH_IMG
docker push localhost:5000/$PUSH_IMG
4.4.4.4 为可拉取镜像主机的IP地址。
// 拉取镜像
$ chmod +x /usr/local/script/pull-push-img.sh
## 注意,如果是官方镜像,必须加 library
$ /usr/local/script/pull-push-img.sh library/registry:2.8.3
$ /usr/local/script/pull-push-img.sh calico/node:v3.27.3
3. containerd 配置
$ cat /etc/containerd/config.toml |grep -A 2 -B 5 config_path
[plugins."io.containerd.grpc.v1.cri".image_decryption]
key_model = "node"
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d" // 重点是这个,阿里云的默认是 /etc/containerd/cert.d
[plugins."io.containerd.grpc.v1.cri".registry.auths]
$ mkdir -pv /etc/containerd/certs.d/docker.io
$ cat > /etc/containerd/certs.d/docker.io/hosts.toml <<EOF
server = "https://docker.io"
[host."https://registry.aishangwei.net"]
capabilities = ["pull", "resolve"]
EOF
$ systemctl daemon-reload
$ systemctl restart containerd
4. 测试
$ crictl pull registry:2.8.3
$ crictl pull calico/node:v3.27.3