如何在Docker中将私有注册表与docker swarm和traefik一起使用 [英] How to use a private registry with docker swarm and traefik in docker

问题描述

我正在运行一个单节点群集，正在使用traefik管理所有外部连接，并且我想运行一个注册表，以便可以在Registry.myhost.com上连接到它

I am running a single node swarm, I am using traefik to manage all my external connections, and I want to run a registry such that I can connect to it at registry.myhost.com

现在我看到的所有示例都建议将注册表创建为普通容器而不是服务，但是，当我这样做时，我无法将其添加到我的traefik网络中，因此无法在外部找到它

Now all the examples I can see suggest creating a registry as a normal container rather than a service, however when I do this, I do not have the ability to add it to my traefik network and thus enable it to be found externally.

我是否需要创建另一个内部网络并将traefik和它都连接到它，如果是，是什么类型的.还是我需要将注册表作为服务运行(我仅在单个节点上，因此卷不成问题).

Do I need to create another internal network and connect both traefik and it to it, and if so, what type. Or do I need to run the registry as a service (I'm only on a single node so volume shouldnt be much of an issue).

关于奖励积分，谁能给我一些关于如何将s3设置为存储后端的建议吗?

And for bonus points, can anyone give me some pointers on how to set it up with s3 as a storage backend?

推荐答案

概述

您有两台机器:

Overview

You have two machines:

• 服务器:您的(单个)Docker Swarm管理器节点，该节点运行traefik和其他Docker容器(如注册表).
• 客户端:应该能够连接到注册表并将Docker映像推送到其中的另一台计算机.

• Server: Your (single) Docker Swarm manager node that runs traefik and other Docker containers like the registry.
• Client: Another machine that should be able to connect to the registry and push Docker images to it.

我假设您有两个证书文件:

I assume you have two certificate files:

• registry.myhost.com.crt
• registry.myhost.com.key

• registry.myhost.com.crt
• registry.myhost.com.key

您的服务器设置可能如下所示:

Your server setup might look like this:

~/certs/registry.myhost.com.crt
~/certs/registry.myhost.com.key
~/docker-compose.yml
~/traefik.toml

docker-compose.yml

version: '3'

services:
  frontproxy:
    image: traefik
    command: --api --docker --docker.swarmmode
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/etc/ssl:ro
      - ./traefik.toml:/etc/traefik/traefik.toml:ro
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
  docker-registry:
    image: registry:2
    deploy:
      labels:
        - traefik.port=5000 # default port exposed by the registry
        - traefik.frontend.rule=Host:registry.myhost.com
        - traefik.frontend.auth.basic=user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/ # user:password, see https://docs.traefik.io/configuration/backends/docker/#on-containers

traefik.toml

defaultEntryPoints = ["http", "https"]

# Redirect HTTP to HTTPS and use certificate, see https://docs.traefik.io/configuration/entrypoints/
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/registry.myhost.com.crt"
      keyFile = "/etc/ssl/registry.myhost.com.key"

# Docker Swarm Mode Provider, see https://docs.traefik.io/configuration/backends/docker/#docker-swarm-mode
[docker]
endpoint = "tcp://127.0.0.1:2375"
domain = "docker.localhost"
watch = true
swarmMode = true

要部署注册表，请运行:

To deploy your registry run:

docker stack deploy myregistry -c ~/docker-compose.yml

添加另一个堆栈

如果您的服务未在与traefik相同的 docker-compose.yml 中定义，则可以使用traefik服务的(外部)网络:

Add Another Stack

If your service is not defined in the same docker-compose.yml as traefik you can use the (external) network of the traefik service:

version: '3'
services:
  whoami:
    image: emilevauge/whoami # A container that exposes an API to show its IP address
    networks:
      - frontproxy_default # add network of traefik service "frontproxy"
      - default
    deploy:
      labels:
        traefik.docker.network: frontproxy_default
        traefik.frontend.rule: Host:whoami.myhost.com
        traefik.frontend.auth.basic: user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/ # user:password, see https://docs.traefik.io/configuration/backends/docker/#on-containers
networks:
  frontproxy_default:
    external: true # network of traefik service "frontproxy" is defined in another stack

确保将whoami.myhost.com的证书文件添加到 traefik.toml :

Make sure you add the certificate files of whoami.myhost.com to traefik.toml:

      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/registry.myhost.com.crt"
      keyFile = "/etc/ssl/registry.myhost.com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/whoami.myhost.com.crt"
      keyFile = "/etc/ssl/whoami.myhost.com.key"

或使用(单个)通配符证书*.myhost.com

or use a (single) wildcard certificate *.myhost.com

      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/myhost.com.crt"
      keyFile = "/etc/ssl/myhost.com.key"

请参阅 https://docs.traefik.io/configuration/entrypoints/进一步的信息.

将客户端计算机上的registry.myhost.com.crt复制到Linux上的/etc/docker/certs.d/registry.myhost.com/ca.crt或 在Mac上为~/.docker/certs.d/registry.myhost.com/ca.crt.现在您应该可以从客户端登录了:

Copy registry.myhost.com.crt on your client machine to /etc/docker/certs.d/registry.myhost.com/ca.crt on Linux or ~/.docker/certs.d/registry.myhost.com/ca.crt on Mac. Now you should be able to login from the client:

docker login -u user -p password registry.myhost.com

复制一个从Docker Hub镜像到您的注册表

在您的客户端上运行:

Copy an image from Docker Hub to your registry

On your client run:

docker pull hello-world:latest
docker tag hello-world:latest registry.myhost.com/hello-world:latest
docker push registry.myhost.com/hello-world:latest

现在您可以将该图像拉到另一台机器上(例如在服务器上):

Now you can pull this image on another machine (for example on the server):

docker pull registry.myhost.com/hello-world:latest

也不要忘记在该客户端计算机上添加registry.myhost.com.crt.

Don't forget to add registry.myhost.com.crt on that client machine, too.

这篇关于如何在Docker中将私有注册表与docker swarm和traefik一起使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！