如何在Docker中将私有注册表与docker swarm和traefik一起使用 [英] How to use a private registry with docker swarm and traefik in docker
问题描述
我正在运行一个单节点群集,正在使用traefik管理所有外部连接,并且我想运行一个注册表,以便可以在Registry.myhost.com上连接到它
I am running a single node swarm, I am using traefik to manage all my external connections, and I want to run a registry such that I can connect to it at registry.myhost.com
现在我看到的所有示例都建议将注册表创建为普通容器而不是服务,但是,当我这样做时,我无法将其添加到我的traefik网络中,因此无法在外部找到它
Now all the examples I can see suggest creating a registry as a normal container rather than a service, however when I do this, I do not have the ability to add it to my traefik network and thus enable it to be found externally.
我是否需要创建另一个内部网络并将traefik和它都连接到它,如果是,是什么类型的.还是我需要将注册表作为服务运行(我仅在单个节点上,因此卷不成问题).
Do I need to create another internal network and connect both traefik and it to it, and if so, what type. Or do I need to run the registry as a service (I'm only on a single node so volume shouldnt be much of an issue).
关于奖励积分,谁能给我一些关于如何将s3设置为存储后端的建议吗?
And for bonus points, can anyone give me some pointers on how to set it up with s3 as a storage backend?
推荐答案
概述
您有两台机器:
Overview
You have two machines:
- 服务器:您的(单个)Docker Swarm管理器节点,该节点运行traefik和其他Docker容器(如注册表).
- 客户端:应该能够连接到注册表并将Docker映像推送到其中的另一台计算机.
- Server: Your (single) Docker Swarm manager node that runs traefik and other Docker containers like the registry.
- Client: Another machine that should be able to connect to the registry and push Docker images to it.
我假设您有两个证书文件:
I assume you have two certificate files:
-
registry.myhost.com.crt
-
registry.myhost.com.key
registry.myhost.com.crt
registry.myhost.com.key
您的服务器设置可能如下所示:
Your server setup might look like this:
~/certs/registry.myhost.com.crt
~/certs/registry.myhost.com.key
~/docker-compose.yml
~/traefik.toml
docker-compose.yml
version: '3'
services:
frontproxy:
image: traefik
command: --api --docker --docker.swarmmode
ports:
- "80:80"
- "443:443"
volumes:
- ./certs:/etc/ssl:ro
- ./traefik.toml:/etc/traefik/traefik.toml:ro
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
docker-registry:
image: registry:2
deploy:
labels:
- traefik.port=5000 # default port exposed by the registry
- traefik.frontend.rule=Host:registry.myhost.com
- traefik.frontend.auth.basic=user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/ # user:password, see https://docs.traefik.io/configuration/backends/docker/#on-containers
traefik.toml
defaultEntryPoints = ["http", "https"]
# Redirect HTTP to HTTPS and use certificate, see https://docs.traefik.io/configuration/entrypoints/
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/registry.myhost.com.crt"
keyFile = "/etc/ssl/registry.myhost.com.key"
# Docker Swarm Mode Provider, see https://docs.traefik.io/configuration/backends/docker/#docker-swarm-mode
[docker]
endpoint = "tcp://127.0.0.1:2375"
domain = "docker.localhost"
watch = true
swarmMode = true
要部署注册表,请运行:
To deploy your registry run:
docker stack deploy myregistry -c ~/docker-compose.yml
添加另一个堆栈
如果您的服务未在与traefik相同的 docker-compose.yml 中定义,则可以使用traefik服务的(外部)网络:
Add Another Stack
If your service is not defined in the same docker-compose.yml as traefik you can use the (external) network of the traefik service:
version: '3'
services:
whoami:
image: emilevauge/whoami # A container that exposes an API to show its IP address
networks:
- frontproxy_default # add network of traefik service "frontproxy"
- default
deploy:
labels:
traefik.docker.network: frontproxy_default
traefik.frontend.rule: Host:whoami.myhost.com
traefik.frontend.auth.basic: user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/ # user:password, see https://docs.traefik.io/configuration/backends/docker/#on-containers
networks:
frontproxy_default:
external: true # network of traefik service "frontproxy" is defined in another stack
确保将whoami.myhost.com
的证书文件添加到 traefik.toml :
Make sure you add the certificate files of whoami.myhost.com
to traefik.toml:
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/registry.myhost.com.crt"
keyFile = "/etc/ssl/registry.myhost.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/whoami.myhost.com.crt"
keyFile = "/etc/ssl/whoami.myhost.com.key"
或使用(单个)通配符证书*.myhost.com
or use a (single) wildcard certificate *.myhost.com
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/myhost.com.crt"
keyFile = "/etc/ssl/myhost.com.key"
请参阅 https://docs.traefik.io/configuration/entrypoints/进一步的信息.
将客户端计算机上的registry.myhost.com.crt
复制到Linux上的/etc/docker/certs.d/registry.myhost.com/ca.crt
或
在Mac上为~/.docker/certs.d/registry.myhost.com/ca.crt
.现在您应该可以从客户端登录了:
Copy registry.myhost.com.crt
on your client machine to /etc/docker/certs.d/registry.myhost.com/ca.crt
on Linux or
~/.docker/certs.d/registry.myhost.com/ca.crt
on Mac. Now you should be able to login from the client:
docker login -u user -p password registry.myhost.com
复制一个从Docker Hub镜像到您的注册表
在您的客户端上运行:
Copy an image from Docker Hub to your registry
On your client run:
docker pull hello-world:latest
docker tag hello-world:latest registry.myhost.com/hello-world:latest
docker push registry.myhost.com/hello-world:latest
现在您可以将该图像拉到另一台机器上(例如在服务器上):
Now you can pull this image on another machine (for example on the server):
docker pull registry.myhost.com/hello-world:latest
也不要忘记在该客户端计算机上添加registry.myhost.com.crt
.
Don't forget to add registry.myhost.com.crt
on that client machine, too.
这篇关于如何在Docker中将私有注册表与docker swarm和traefik一起使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!