作者：刘宾， thomas_liub@hotmail.com
转载请注明出处，谢谢！

1. Registry单独配置

参考：
https://docs.docker.com/registry/
http://blog.csdn.net/ztsinghua/article/details/51496658

1.1 无TLS, 无用户认证本地启动

只能用于localhost访问，非localhost主机无法访问该registry.

启动：

docker run -d -p 5000:5000 --restart=always --name registry registry:2

验证：

docker push localhost:5000/my-ubuntu

1.2 加载本地卷

启动：

docker run -d -p 5000:5000 --restart=always --name registry -v /docker/registry/data:/var/lib/registry registry:2

1.3 TLS方式， 无用户认证启动

制作根证书和私钥，制作服务证书和私钥，用根证书签字服务证书。最后，设置客户端OS信任根证书。

1. 服务器制作根证书和私钥

   1. 根私钥：

   openssl genrsa -out devdockerCA.key 2048

   2. 根证书：
      CN设置为MYDOMAIN

   openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt

2. 服务器制作服务证书和私钥

   1. 服务私钥

   openssl genrsa -out domain.key 2048
   2. 服务证书签名请求
   CN设置为MYDOMAIN
   > openssl req -new -key domain.key -out iot-registry.csr
   3. 根证书签字服务证书
   如果MYDOMAIN为IP需要 -extfile
   > echo subjectAltName = IP:192.168.32.28 > extfile.cnf
   > openssl x509 -req -in iot-registry.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000 -extfile extfile.cnf

3. 客户端设置OS信任服务器根证书
   在Docker客户端机器上，设置

sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
sudo update-ca-certificates
/etc/ca-certificates.conf

4. 客户端重启docker

sudo service docker restart

5. 服务器启动registry

   1. mkdir certs
   2. 将step 2 中制作的domain.key和domain.crt拷贝到certs目录，供registry使用
   3. 启动registry

   docker run -d --restart=always --name registry -v pwd/certs:/certs -p 443:443 \
   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
   registry:2

   验证：

   docker push MYDOMAIN/my-ubuntu

1.4 TLS方式， 带用户认证启动

步骤同1.3， 修改Registry启动参数，如下：

1. 创建用户文件, htpasswd

htpasswd -Bbc certs/htpasswd username1 password1
htpasswd -Bb certs/htpasswd username2 password2

2. 启动registry

docker run -d --restart=always --name registry -v pwd/certs:/certs -p 443:443 \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/certs/htpasswd \
registry:2

验证：

curl -k https://username:password@MYDOMAIN
docker login https://MYDOMAIN
user: xxx
password: xxx
Success.
docker push MYDOMAIN/my-ubuntu

docker-compose.yml

registry:
  restart: always
  image: registry:2
  ports:
    - 192.168.32.28:443:443
  environment:
    - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
    - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
    - REGISTRY_HTTP_ADDR=0.0.0.0:443
    - REGISTRY_AUTH=htpasswd
    - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
    - REGISTRY_AUTH_HTPASSWD_PATH=/certs/htpasswd
    - REGISTRY_STORAGE_DELETE_ENABLED=true
  volumes:
    - /srv/docker/registry/registry:/var/lib/registry
    - /home/liub/project/registry/certs:/certs

2. Nginx + Registry模式启动

参考: http://blog.csdn.net/zstack_org/article/details/53301211?locationNum=12&fps=1

2.1 无用户认证，无TLS启动

1. docker-compose.yml文件, ./docker-compose.yml

nginx:
  image: "nginx:1.9"
  ports:
    - 5043:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  volumes:
    - ./data:/var/lib/registry

2. registry.conf文件, ./nginx/registry.conf

upstream docker-registry {
  server registry:5000;
}
server {
  listen 443;
  server_name myregistrydomain.com;
  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)  
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    # auth_basic "registry.localhost";
    # auth_basic_user_file /etc/nginx/conf.d/registry.password;
    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}

3. 启动registry

docker-compose up

验证：

curl http://localhost:5043/v2/
{}

2.2 用户登陆认证支持

1. 用户创建

sudo apt-get -y install apache2-utils
htpasswd -c registry.password USERNAME1
htpasswd registry.password USERNAME2

2. 修改registry.conf
   打开auth_basic， auth_basic_user_file和add_header参数，如下：

upstream docker-registry {
  server registry:5000;
}
server {
  listen 443;
  server_name myregistrydomain.com;
  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    auth_basic "registry.localhost";
    auth_basic_user_file /etc/nginx/conf.d/registry.password;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}

3. 启动registry

docker-compose up

验证：

curl http://localhost:5043/v2/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>

---

<center>nginx/1.9.7</center>
</body>
</html>
curl http://user:password@localhost:5043/v2/
{}

2.3 TLS方式启动

通过配置nginx使用TLS，nginx使用1.3章节中创建的证书和私钥。

1. 修改registry.conf
   打开ssl， ssl_certificate和ssl_certificate_key参数，如下：

upstream docker-registry {
  server registry:5000;
}
server {
  listen 443;
  server_name myregistrydomain.com;

  # SSL
  ssl on;
  ssl_certificate /etc/nginx/conf.d/domain.crt;
  ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;
  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    auth_basic "registry.localhost";
    auth_basic_user_file /etc/nginx/conf.d/registry.password;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}

2. 修改docker-compose.yml文件
   开启443 HTTPS接口

nginx:
  image: "nginx:1.9"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data

2. 启动registry
   443端口需要root权限。

sudo docker-compose up

验证：

curl https://USERNAME:PASSWORD@MYDOMAIN/v2/
curl: (60) SSL certificate problem: self signed certificate
curl -k https://USERNAME:PASSWORD@MYDOMAIN/v2/
{}
docker login https://MYDOMAIN
user: xxx
password: xxx
success!
docker push MYDOMAIN/hello

3. registry使用

首先需要docker login.

3.1 查询registry image列表

curl -k https://username:password@MYDOMAIN/v2/_catalog

3.2 查询image标签列表

curl -k https://username:password@MYDOMAIN/v2/image_name/tags/list

3.3 拉取image

docker pull image:tag

3.4 上传image

docker push image:tag

3.5 删除image

修改config.yml, delete enable = true.参见之前。

curl -k -X DELETE https://username:password@MYDOMAIN/v2/image_name/manifests/image 摘要
登陆到registry
registry garbage-collect /etc/docker/registry/config.yml

4. python开发包

4.1 docker操作

https://github.com/docker/docker-py
https://docker-py.readthedocs.io/en/stable/

4.2 registry操作

REST接口