# Private Docker Registry Private Docker Registry 1. Docker registry Images 가져오기``` docker pull registry:latest ``` 2. docker images 3. hyunsu@kubemaster:/etc/docker/registry$ sudo mv ./config.yml ./config.yml.20201022 4. config ``` version: 0.1 log: fields: service: registry storage: cache: blobdescriptor: redis filesystem: rootdirectory: /data/registry redis: addr: redis:6379 http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 3 ``` 5. docker run -d -p 9002:5000 -e REGISTRY\_STORAGE\_DELETE\_ENABLED=true --restart=always --name [JoangPrivateDocker](http://web.joang.com:9000/jcook/JoangPrivateDocker) -v /home/hyunsu/config.yml:/home/hyunsu/config.yml registry:2 : -e REGISTRY\_STORAGE\_DELETE\_ENABLED=true 옵션은 이미지를 삭제를 할 수 있다는 의미로 아래 DELETE 명령이 동작한다. 안하면 {"errors":\[{"code":"UNSUPPORTED","message":"The operation is unsupported."}\]} 오류가 발생 6. docker ps -a 7. docker ps -l (최근) 8. netstat -an | grep 9002 (확인) --- Private Docker 사용 1. docker build -t tomcat-meta:0.1 . 2. docker tag tomcat-meta:0.1 web.joang.com:9002/tomcat-meta:0.1 3. docker tag를 이용하여 docker registry에 push``` cat /etc/docker/daemon.json { "insecure-registries" : ["192.168.0.130:9002"] } ``` systemctl restart docker 4. docker push web.joang.com:9002/tomcat-meta:0.1 5. 확인 [http://192.168.0.100:9002/v2/\_catalog](http://192.168.0.100:9002/v2/_catalog) 6. [http://192.168.0.100:9002/v2/meta-meta/tags/list](http://192.168.0.100:9002/v2/meta-meta/tags/list) 주의 : 기본적으로 https를 사용해야 하는데 https를 쓰는 걍우 push 에서 오류가 난다. The push refers to repository \[192.168.0.100:9002/tomcat-meta-batch\] Get https://192.168.0.100:9002/v2/: http: server gave HTTP response to HTTPS client The push refers to repository \[192.168.0.100:9002/tomcat-meta-batch\] Get https://192.168.0.100:9002/v2/: http: server gave HTTP response to HTTPS client \---> 따라서 보안을 http접근을 하용 해야 한다. sudo vi /etc/docker/daemon.json 를 아래와 같이 수정 ```dart { "insecure-registries" : ["web.joang.com:9002"] } ``` IP로 하니까 오류 발생 !!!!! **127.0.1.1 web.joang.com 추가 !** ```dart 127.0.0.1 localhost 127.0.1.1 kubemaster 127.0.1.1 web.joang.com # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ``` 20231003 오류 발생 \[Docker\] private registry http: server gave HTTP response to HTTPS client 해결 방법 - 상기한 sudo vi /etc/docker/daemon.json 조치 - /etc/containerd/config.toml에 아래 내용 추가 ```yaml ... ... [plugins."io.containerd.grpc.v1.cri".registry] config_path = "" [plugins."io.containerd.grpc.v1.cri".registry.auths] [plugins."io.containerd.grpc.v1.cri".registry.configs] [plugins."io.containerd.grpc.v1.cri".registry.configs."web.joang.com:9002".tls] insecure_skip_verify = true [plugins."io.containerd.grpc.v1.cri".registry.headers] [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = ["https://registry-1.docker.io"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."web.joang.com:9002"] endpoint = ["http://web.joang.com:9002"] ... ``` - 작업 순서 hyunsu@2-kworker1:/etc/containerd$ sudo vi /etc/hosts : 192.168.0.130 reg.joang.com hyunsu@2-kworker1:/etc/containerd$ sudo vi /etc/containerd/config.toml hyunsu@2-kworker1:/etc/containerd$ sudo vi /etc/docker/daemon.json hyunsu@2-kworker1:/etc/containerd$ sudo systemctl restart containerd hyunsu@2-kworker1:/etc/containerd$ sudo systemctl restart docker - yaml에서 이미지 full 시 아래와 같이 표시 --- #### **1.** 리포지토리 조회 \- Usage : curl -X GET <Repository URL/v2/\_catalog> [http://web.joang.com:9002/v2/\_catalog](http://web.joang.com:9002/v2/_catalog) #### **2.** 삭제할 리포지토리의 Tag 조회 \- Usage : curl -X GET <Repository URL/v2/<repository 이름>/tag/list [http://web.joang.com:9002/v2/tomcat-meta/tags/list](http://web.joang.com:9002/v2/tomcat-meta/tags/list) #### **3.** content digest(hash) 조회(registry 컨테이너가 작동중인 노드에서 실행) \- Usage : curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET <Repository URL>/v2/**<Repository 이름>**/manifests/**<Tag>** 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}' 예) curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET http://192.168.0.100:9002/v2/joang-mediawiki/manifests/1 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}' \--> 결과 sha256:e9c342dfa34bf2c3cf58503db8bc9a1298e233fadfbd6551ecea83aca80d701a 예) curl -XGET -v -H "Accept: application/vnd.docker.distribution.manifest.v2+json" [https://registry.hoya.com/v2/ubuntu/manifests/17.04](https://registry.hoya.com/v2/ubuntu/manifests/17.04) #### **4.** manifest 삭제 \- Usage 1 : curl -X DELETE <Repository URL>/v2/**<Repository 이름>**/manifests/<content digest> 예) curl -X DELETE [https://registry.hoya.com/v2/ubuntu/manifests/sha256:213e05583a7cb8756a3f998e6dd65204ddb6b4c128e2175dcdf174cdf1877459](https://registry.hoya.com/v2/ubuntu/manifests/sha256:213e05583a7cb8756a3f998e6dd65204ddb6b4c128e2175dcdf174cdf1877459) #### **5.** GC(Garbage Collection) 실행 : Garbage 이미지 삭제 \- Usage : docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml docker exec -it JoangPrivateDocker registry garbage-collect /etc/docker/registry/config.yml #### **6.** 레지스트리 서버 재시작 docker stop registry docker start registry #### 예) Registry 파일시스템내에서 파일 삭제 ```bash shell> curl -X GET https://registry.hoya.com/v2/_catalog {"repositories":["debian","ubuntu"]} shell> curl -X GET https://registry.hoya.com/v2/ubuntu/tags/list {"name":"ubuntu","tags":["17.04","18.04"]} shell> curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://registry.hoya.com/v2/ubuntu/manifests/17.04 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}' sha256:213e05583a7cb8756a3f998e6dd65204ddb6b4c128e2175dcdf174cdf1877459 shell> docker exec -it registry sh => registry container에 shell로 접속 / # cd /var/lib/registry/docker/registry/v2 /var/lib/registry/docker/registry/v2 # rm -rf ./repositories/ubuntu/_manifests/tags/17.04 /var/lib/registry/docker/registry/v2 # rm -rf ./repositories/ubuntu/_manifests/revisions/sha256/ shell> docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml shell> docker stop registry shell> docker start registry ``` #### 리포지토리 삭제 예시) ubuntu 리파지토리 삭제 ```bash shell> curl -X GET https://registry.hoya.com/v2/_catalog {"repositories":["debian","ubuntu"]} shell> docker exec -it registry sh => registry container에 shell로 접속 / # cd /var/lib/registry/docker/registry/v2 /var/lib/registry/docker/registry/v2 # rm -rf ./repositories/ubuntu/ => 레파지토리 삭제 /var/lib/registry/docker/registry/v2 # exit shell> docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml shell> docker stop registry shell> docker start registry ``` #### **TroubleShooting** **증상 )** curl 명령어를 이용하여 삭제시 아래(붉은 글씨) 와 오류가 발생할 경우

> DELETE /v2/ubuntu/manifests/sha256:e5dd9dbb37df5b731a6688fa49f4003359f6f126958............... > User-Agent: curl/7.29.0 > Host: registry.hoya.com > Accept: application/vnd.docker.distribution.manifest.v2+json > < **HTTP/1.1 405 Method Not Allowed** < Content-Type: application/json; charset=utf-8 < Docker-Distribution-Api-Version: registry/2.0 < X-Content-Type-Options: nosniff < Date: Thu, 02 Apr 2020 03:24:55 GMT < Content-Length: 78 < **{"errors":\[{"code":"UNSUPPORTED","message":"The operation is unsupported."}\]}** \* Connection #0 to host registry.hoya.com left intact

**원인)** registry 시작시 환경변수 -e REGISTRY\_STORAGE\_DELETE\_ENABLED=true 를 지정하지 않았을 경우 DELETE 메소드가 허용되지 않는다. **조치)** Registry 시작시 "-e REGISTRY\_STORAGE\_DELETE\_ENABLED=true" 환경변수를 추가해서 서비스를 시작한다. **- TroubleShooting** **증상)** curl 명령어 실행시 아래와 같은 오류 발생 \- 데비안, 우분투

shell> curl -X GET https://registry.hoya.com/v2/\_catalog curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. shell>

\- CentOS

shell> curl -X GET https://registry.hoya.com/v2/\_catalog curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. shell>

**원인)** registry 컨터이너가 사설 인증서를 사용해서 서비스를 할경우 curl 에서 인증서 오류 발생 **조치)** **1.** 데비안, 우분투 /usr/local/share/ca-certificates 디렉토리에 사설 rootca 인증서를 등록후 update-ca-certificates 명령어 실행

shell> cp rootca.crt /usr/local/share/ca-certificates shell> update-ca-certificates Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done. shell>

**2.** CentOS /etc/pki/ca-trust/source/anchors/ 디렉토리에 사설 rootca 인증서를 등록후 update-ca-trust명령어 실행

shell> cp rootca.crt /etc/pki/ca-trust/source/anchors/ shell> update-ca-trust

3. curl 명령어에 **-k** 또는 **--inscure** 옵션 사용

shell> curl -k https://www.domain.com *OR* shell> curl --insecure https://www.domain.com

Private image delete 1. curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET [http://192.168.56.3:9002/v2/tomcat-synapse/manifests/0.1](http://192.168.56.3:9002/v2/tomcat-synapse/manifests/0.1) 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}' 2. curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE [http://192.168.56.3:9002/v2/tomcat-synapse/manifests/sha256:65336b7ee5a56dc2a7294c02fbb515542e5212a7ea193943160d9ecbb4ca0f62](http://192.168.56.3:9002/v2/tomcat-synapse/manifests/sha256:65336b7ee5a56dc2a7294c02fbb515542e5212a7ea193943160d9ecbb4ca0f62) 3. GC(Garbage Collection)``` docker exec -it JoangPrivateDocker registry garbage-collect /etc/docker/registry/config.yml ``` 4. Image 정리``` docker image prune -f ```