自建Docker镜像加速服务

2024-08-07 13:46:33 浏览数 (1)

自建 Docker 镜像加速服务

准备工作

安装 Docker 和 docker-compose;

购买一台国外的云服务器,用来部署 Docker 仓库代理服务;

准备一个域名,申请一个免费的 SSL 证书;

安装 Nginx,反向代理到 Docker 仓库代理服务上

创建密码(可选:下文的 registry-hub.yml 没有配置 auth 段,仅挂载 htpasswd 文件并不会启用认证)

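# Create the working tree; auth/ holds the htpasswd file that
# docker-compose.yml mounts into the registry container.
mkdir -p /data/registry-proxy/auth
cd /data/registry-proxy
# Read the password without echo so it never appears in shell history,
# in the process list, or in the stored arguments of a leftover container.
read -rs -p 'Registry password: ' REGISTRY_PASSWORD && echo
# -B: bcrypt, -n: print the entry to stdout, -i: read the password from stdin.
# 用户名 is the username placeholder. --rm discards the helper container.
printf '%s\n' "$REGISTRY_PASSWORD" \
  | docker run --rm -i --entrypoint htpasswd httpd:2 -Bni 用户名 > auth/htpasswd
unset REGISTRY_PASSWORD
# Keep the credential file private to its owner
# (loosen only if the registry process runs under a different UID).
chmod 600 auth/htpasswd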

创建 docker-compose.yml 文件

vim /data/registry-proxy/docker-compose.yml

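version: "3"
services:
  # Docker Hub pull-through cache (registry running with a `proxy` section).
  dockerhub:
    container_name: reg-docker-hub
    # NOTE(review): `latest` is a moving tag; pin a specific version or
    # digest so a redeploy cannot silently pull a different image.
    image: registry:latest
    restart: always
    volumes:
      - ./registry/data:/var/lib/registry
      # The container only reads its config and credentials: mount read-only.
      - ./registry-hub.yml:/etc/docker/registry/config.yml:ro
      # Optional. Has no effect unless the registry config enables an
      # `auth: htpasswd` section that points at /auth/htpasswd.
      - ./auth/htpasswd:/auth/htpasswd:ro
    ports:
      # Loopback only: the Nginx vhost on this host is the public entry point.
      # Publishing on all interfaces would expose the registry over plain
      # HTTP and bypass the TLS termination done by Nginx.
      - "127.0.0.1:51000:5000"
    networks:
      - registry-net

  # Web UI for browsing the cached images.
  registry-ui:
    container_name: registry-ui
    # NOTE(review): third-party image on a moving tag; pin a version or digest.
    image: dqzboy/docker-registry-ui:latest
    environment:
      - DOCKER_REGISTRY_URL=http://reg-docker-hub:5000
      # [Required] Must be unique per deployment; never reuse a value copied
      # from a tutorial. Generate one with `openssl rand -hex 16` and put it
      # in the `.env` file next to this compose file (kept out of version
      # control). Compose refuses to start while the variable is unset.
      - "SECRET_KEY_BASE=${SECRET_KEY_BASE:?generate with openssl rand -hex 16}"
      # Enables the delete button for image tags. Anyone who can reach the UI
      # can then delete cached images, so restrict access to the UI vhost.
      - ENABLE_DELETE_IMAGES=true
      # Turns off TLS certificate verification for the UI's registry
      # connection. NOTE(review): the URL above is plain http://, so this
      # presumably changes nothing here; do not carry it over to an
      # https:// registry.
      - NO_SSL_VERIFICATION=true
    restart: always
    ports:
      # Loopback only, for the same reason as the registry port above.
      - "127.0.0.1:50000:8080"
    networks:
      - registry-net

networks:
  registry-net: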

创建 Dockerhub config.yml 文件

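# Edit the registry configuration that docker-compose.yml mounts as
# /etc/docker/registry/config.yml.
vim /data/registry-proxy/registry-hub.yml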

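version: 0.1
log:
  fields:
    service: registry
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  # Deletion is enabled and this file configures no `auth` section, so every
  # client that can reach port 5000 may delete cached content. Keep the port
  # off the public network or restrict HTTP methods at the reverse proxy.
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
    blobdescriptorsize: 10000
  maintenance:
    # Periodically purge abandoned uploads older than `age`.
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
http:
  addr: ':5000'
  headers:
    X-Content-Type-Options: [nosniff]
    # CORS: a wildcard origin together with Allow-Credentials is rejected by
    # browsers and is broader than needed, so only the UI origin is named.
    # NOTE(review): these headers only matter if a browser-side client calls
    # the registry directly; adjust the origin to wherever the UI is served.
    Access-Control-Allow-Origin: ['https://ui.chenji.org.cn']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']
    Access-Control-Max-Age: ['1728000']
    Access-Control-Allow-Credentials: ['true']
    Access-Control-Expose-Headers: ['Docker-Content-Digest']

# Optional basic authentication backed by the mounted htpasswd file.
# NOTE(review): confirm that clients using this host as a registry mirror
# can present credentials before enabling it.
# auth:
#   htpasswd:
#     realm: basic-realm
#     path: /auth/htpasswd

health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

proxy:
  remoteurl: https://registry-1.docker.io
  # Empty means anonymous access to the upstream. If an account is used,
  # inject the credentials at deploy time instead of committing them here.
  username: ""
  password: ""
  # Left unset; presumably the registry falls back to its built-in default.
  ttl: null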

启动容器

# Run from /data/registry-proxy, the directory that holds docker-compose.yml.
docker-compose up -d

配置 Nginx

vim /etc/nginx/conf.d/registry-hub.conf

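# registry-ui
# Port 80 only redirects, so the UI session is never served over plain HTTP.
server {
    listen       80;
    server_name  ui.chenji.org.cn;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl;
    server_name  ui.chenji.org.cn;

    # NOTE(review): the certificate files are named for hub.chenji.org.cn;
    # confirm the certificate also covers ui.chenji.org.cn.
    ssl_certificate /etc/nginx/ssl/hub.chenji.org.cn.pem;
    ssl_certificate_key /etc/nginx/ssl/hub.chenji.org.cn.key;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_buffer_size 8k;

    proxy_connect_timeout 600;
    proxy_send_timeout    600;
    proxy_read_timeout    600;
    send_timeout          600;

    location / {
        # The UI is started with image deletion enabled and nothing in this
        # vhost authenticates visitors. Restrict who may reach it, e.g.:
        #   allow <ADMIN_IP_PLACEHOLDER>;
        #   deny  all;
        # or protect it with auth_basic.

        # 127.0.0.1 rather than localhost: the upstream is an IPv4 loopback port.
        proxy_pass   http://127.0.0.1:50000;
        proxy_set_header  Host $host;
        proxy_set_header  Origin $scheme://$host;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Forwarded-Ssl on; # Optional
        proxy_set_header  X-Forwarded-Port $server_port;
        proxy_set_header  X-Forwarded-Host $host;
    }
}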

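## docker hub
# Port 80 only redirects; clients are configured with the https:// mirror URL.
server {
    listen       80;
    server_name  hub.chenji.org.cn;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl;
    server_name  hub.chenji.org.cn;

    ssl_certificate /etc/nginx/ssl/hub.chenji.org.cn.pem;
    ssl_certificate_key /etc/nginx/ssl/hub.chenji.org.cn.key;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_buffer_size 8k;

    proxy_connect_timeout 600;
    proxy_send_timeout    600;
    proxy_read_timeout    600;
    send_timeout          600;

    location / {
        # A pull-through mirror only has to answer reads. The registry behind
        # this vhost has deletion enabled and no authentication, so every
        # other method is refused at the edge.
        limit_except GET HEAD {
            deny all;
        }

        # 127.0.0.1 rather than localhost: the upstream is an IPv4 loopback port.
        proxy_pass   http://127.0.0.1:51000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Nginx-Proxy true;
        # Stream image layers straight through instead of buffering them.
        proxy_buffering off;
        proxy_redirect off;
    }
}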

修改客户端本地的镜像仓库代理

vim /etc/docker/daemon.json

{
    "registry-mirrors": [ "https://hub.chenji.org.cn" ],
    "log-opts": {
      "max-size": "100m",
      "max-file": "5"
    }
}
