Private Docker Registry

  1. Pull the Docker registry image
     docker pull registry:latest
  2. docker images
  3. hyunsu@kubemaster:/etc/docker/registry$ sudo mv ./config.yml ./config.yml.20201022
  4. New config.yml

    version: 0.1
    log:
      fields:
        service: registry
    storage:
      cache:
        blobdescriptor: redis
      filesystem:
        rootdirectory: /data/registry
    redis:
      addr: redis:6379
    http:
      addr: :5000
      headers:
        X-Content-Type-Options: [nosniff]
    health:
      storagedriver:
        enabled: true
        interval: 10s
        threshold: 3
  5. docker run -d -p 9002:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true  --restart=always --name JoangPrivateDocker -v /etc/docker/registry/config.yml:/etc/docker/registry/config.yml registry:2
    : The -e REGISTRY_STORAGE_DELETE_ENABLED=true option allows images to be deleted, so the DELETE command below works.
    Without it, the error {"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]} is returned.

  6. docker ps -a
  7. docker ps -l (most recent)
  8. netstat -an | grep 9002 (verify)


Using the Private Docker Registry

  1. docker build -t tomcat-meta:0.1 .
  2. docker tag tomcat-meta:0.1 web.joang.com:9002/tomcat-meta:0.1
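  3. Push to the docker registry using the docker tag (the registry is served over plain HTTP, so it must first be listed under insecure-registries)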
    cat /etc/docker/daemon.json
    {
     "insecure-registries" : ["web.joang.com:9002"]
    }
    systemctl restart docker
  4. docker push web.joang.com:9002/tomcat-meta:0.1
  5. Verify: http://web.joang.com:9002/v2/_catalog

  6. http://web.joang.com:9002/v2/tomcat-meta/tags/list


1. List repositories

 - Usage : curl -X GET <Repository URL>/v2/_catalog

http://web.joang.com:9002/v2/_catalog

2. List the tags of the repository to delete

 - Usage : curl -X GET <Repository URL>/v2/<repository name>/tags/list

http://web.joang.com:9002/v2/tomcat-meta/tags/list

3. Look up the content digest (hash) (run on the node where the registry container is running)

 - Usage : curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET <Repository URL>/v2/<repository name>/manifests/<Tag> 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}' 

Example) curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET http://192.168.0.100:9002/v2/joang-mediawiki/manifests/1 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'

--> Result: sha256:e9c342dfa34bf2c3cf58503db8bc9a1298e233fadfbd6551ecea83aca80d701a

Example) curl -XGET -v -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://registry.hoya.com/v2/ubuntu/manifests/17.04

4. Delete the manifest

 - Usage 1 : curl -X DELETE <Repository URL>/v2/<repository name>/manifests/<content digest>

Example) curl -X DELETE https://registry.hoya.com/v2/ubuntu/manifests/sha256:213e05583a7cb8756a3f998e6dd65204ddb6b4c128e2175dcdf174cdf1877459

5. Run GC (Garbage Collection): delete garbage images

 - Usage : docker exec -it registry  bin/registry garbage-collect  /etc/docker/registry/config.yml 

docker exec -it JoangPrivateDocker registry garbage-collect /etc/docker/registry/config.yml

6. Restart the registry server

docker stop registry

docker start registry

Example) Deleting files inside the registry filesystem

shell> curl -X GET https://registry.hoya.com/v2/_catalog 
{"repositories":["debian","ubuntu"]}

shell> curl -X GET https://registry.hoya.com/v2/ubuntu/tags/list 
{"name":"ubuntu","tags":["17.04","18.04"]}

shell> curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://registry.hoya.com/v2/ubuntu/manifests/17.04 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'
sha256:213e05583a7cb8756a3f998e6dd65204ddb6b4c128e2175dcdf174cdf1877459

shell> docker exec -it registry sh      => open a shell in the registry container
/ # cd /var/lib/registry/docker/registry/v2
/var/lib/registry/docker/registry/v2 # rm -rf ./repositories/ubuntu/_manifests/tags/17.04  
/var/lib/registry/docker/registry/v2 # rm -rf ./repositories/ubuntu/_manifests/revisions/sha256/<content-digest>

shell> docker exec -it registry  bin/registry garbage-collect  /etc/docker/registry/config.yml 

shell> docker stop registry 
shell> docker start registry

Deleting a repository

Example) Deleting the ubuntu repository

shell> curl -X GET https://registry.hoya.com/v2/_catalog
{"repositories":["debian","ubuntu"]}

shell> docker exec -it registry sh      => open a shell in the registry container
/ # cd /var/lib/registry/docker/registry/v2
/var/lib/registry/docker/registry/v2 # rm -rf ./repositories/ubuntu/   => delete the repository
/var/lib/registry/docker/registry/v2 # exit

shell> docker exec -it registry  bin/registry garbage-collect  /etc/docker/registry/config.yml 

shell> docker stop registry
shell> docker start registry

 

TroubleShooting

Symptom) Deleting with curl fails with the error shown below (red text)

> DELETE /v2/ubuntu/manifests/sha256:e5dd9dbb37df5b731a6688fa49f4003359f6f126958...............                                           
> User-Agent: curl/7.29.0
> Host: registry.hoya.com
> Accept: application/vnd.docker.distribution.manifest.v2+json
>
HTTP/1.1 405 Method Not Allowed
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Thu, 02 Apr 2020 03:24:55 GMT
< Content-Length: 78
<
{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}
* Connection #0 to host registry.hoya.com left intact

Cause)

If the environment variable -e REGISTRY_STORAGE_DELETE_ENABLED=true was not set when the registry was started, the DELETE method is not allowed.

Fix)

Start the registry service with the "-e REGISTRY_STORAGE_DELETE_ENABLED=true" environment variable added.

 

- TroubleShooting

Symptom) Running curl produces an error like the following

 - Debian, Ubuntu

shell> curl -X GET https://registry.hoya.com/v2/_catalog 
curl: (60) SSL certificate problem: self signed certificate in certificate chain 
More details here: https://curl.haxx.se/docs/sslcerts.html 

curl failed to verify the legitimacy of the server and therefore could not 
establish a secure connection to it. To learn more about this situation and 
how to fix it, please visit the web page mentioned above. 
shell>

 - CentOS

shell> curl -X GET https://registry.hoya.com/v2/_catalog 
curl: (60) Peer's certificate issuer has been marked as not trusted by the user. 
More details here: http://curl.haxx.se/docs/sslcerts.html 

curl performs SSL certificate verification by default, using a "bundle" 
 of Certificate Authority (CA) public keys (CA certs). If the default 
 bundle file isn't adequate, you can specify an alternate file 
 using the --cacert option. 
If this HTTPS server uses a certificate signed by a CA represented in 
 the bundle, the certificate verification probably failed due to a 
 problem with the certificate (it might be expired, or the name might 
 not match the domain name in the URL). 
If you'd like to turn off curl's verification of the certificate, use 
 the -k (or --insecure) option. 
shell>

Cause)

When the registry container serves with a private certificate, curl reports a certificate error.

Fix)

 1. Debian, Ubuntu

Place the private root CA certificate in the /usr/local/share/ca-certificates directory, then run the update-ca-certificates command.

shell> cp rootca.crt /usr/local/share/ca-certificates
shell>  update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
shell>

 2. CentOS 

Place the private root CA certificate in the /etc/pki/ca-trust/source/anchors/ directory, then run the update-ca-trust command.

shell> cp rootca.crt /etc/pki/ca-trust/source/anchors/
shell> update-ca-trust

 3. Use the -k or --insecure option with curl (this turns off certificate verification)

shell> curl -k https://www.domain.com 
OR shell> curl --insecure https://www.domain.com

 

 

 

Private image delete

  1. curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET http://192.168.56.3:9002/v2/tomcat-synapse/manifests/0.1 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'

  2. curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE http://192.168.56.3:9002/v2/tomcat-synapse/manifests/sha256:65336b7ee5a56dc2a7294c02fbb515542e5212a7ea193943160d9ecbb4ca0f62

  3. GC(Garbage Collection)
    docker exec -it JoangPrivateDocker registry garbage-collect /etc/docker/registry/config.yml
  4. Clean up images
    docker image prune -f
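
The tag-to-digest lookup and manifest DELETE from the numbered deletion procedure and from "Private image delete" above, combined into one script that validates the digest before it is used in a URL. This is an added example, not part of the original page; the function names, the simplified name checks and the sample headers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: tag -> digest -> DELETE, with
# every value validated before it is placed in a request URL.
ACCEPT='Accept: application/vnd.docker.distribution.manifest.v2+json'

# Simplified name checks (assumption: stricter than the registry's own grammar).
valid_repo() { printf '%s\n' "$1" | grep -Eqx '[a-z0-9]+([._/-][a-z0-9]+)*'; }
valid_tag()  { printf '%s\n' "$1" | grep -Eqx '[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}'; }

# Read response headers on stdin (curl -v or curl -D - format) and print the
# Docker-Content-Digest value. Header names are case-insensitive and lines end
# in CRLF, so strip the CR and accept only a well-formed sha256 digest.
extract_digest() {
    d=$(tr -d '\r' | awk '{ sub(/^< /, "") }
        tolower($1) == "docker-content-digest:" { print $2; exit }')
    printf '%s\n' "$d" | grep -Eqx 'sha256:[0-9a-f]{64}' || return 1
    printf '%s\n' "$d"
}

# Build the manifest URL for a digest; a trailing slash on the base is dropped.
manifest_url() {    # args: base repo digest
    valid_repo "$2" || return 1
    printf '%s/v2/%s/manifests/%s\n' "${1%/}" "$2" "$3"
}

# Resolve a tag to its digest and delete that manifest. The registry answers
# 202 on success; 405 means REGISTRY_STORAGE_DELETE_ENABLED=true was not set.
delete_tag() {      # args: base repo tag
    valid_repo "$2" && valid_tag "$3" || return 1
    digest=$(curl -sS -o /dev/null -D - -H "$ACCEPT" \
        "${1%/}/v2/$2/manifests/$3" | extract_digest) || return 1
    url=$(manifest_url "$1" "$2" "$digest") || return 1
    code=$(curl -sS -o /dev/null -w '%{http_code}' -X DELETE "$url")
    [ "$code" = 202 ] || { echo "DELETE failed: HTTP $code" >&2; return 1; }
    echo "deleted $2@$digest (run garbage-collect to reclaim storage)"
}

# Constructed sample: curl -v style header lines with CRLF endings.
sample_headers() {
    printf '< HTTP/1.1 200 OK\r\n'
    printf '< docker-content-digest: sha256:%064d\r\n' 0
    printf '< Content-Length: 78\r\n'
}

# With three arguments, act on a registry; otherwise parse the sample only.
if [ "$#" -eq 3 ]; then delete_tag "$@"; else sample_headers | extract_digest; fi
```

Invoked as `sh script.sh <Repository URL> <repository name> <Tag>` it performs the lookup and DELETE; garbage collection still has to be run afterwards as in the steps above.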