自建Docker加速镜像服务

博主： Yang2635
发布时间：2024 年 06 月 12 日
965 次浏览
暂无评论
24300字数
分类：教程 Linux

AI 摘要（由 ChatGPT 总结生成）：

文章介绍了在国内提供镜像站和镜像加速服务被禁止的情况下，如何自建Docker镜像加速服务。全文详细描述了搭建流程，包括准备环境、安装Docker和Nginx、配置镜像仓库和Nginx反代等步骤。此外，还提供了如何通过修改Docker配置来使用新的Registry地址，并介绍了如何通过UI查看缓存的镜像。这为需要绕过官方限制的开发者提供了一种解决方案。

前言

因截止到 2024 年 06 月 07 日，国内已要求所有提供镜像站和镜像加速服务的机构停止其服务。这对国内一众开发者及安全从业者造成了相当的困扰，正好自己这几天晚上折腾了一下镜像站的部署，故简单水个文。

搭建流程

本文借鉴了另一位博主浅时光的教程，同时本文也同样适用内网自建，方便大家使用。

有的文章是使用 CloudFlare Works 搭建的，但 CloudFlare 在当下的国内环境下不知道啥时候会出幺蛾子，故本文不讨论使用 CloudFlare Works 方式部署。

操作流程

拥有一台国外未被墙的主机。国内主机也可，但需会使用科学上网工具（此需自行解决，本文不提供相应教程）。
一个域名，国外主机、内网自建不需备案，国内公网主机部署且对外提供则需备案。
部署 Nginx，用于配置域名和 SSL 证书来反代 Registry 容器服务。
部署 Docker 和 Docker Compose。

基础环境安装

添加 Docker YUM 源：

[root@localhost ~]# yum update
[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@localhost ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

安装 Docker ：

#可以查看所有仓库中所有docker版本，并选择特定版本安装
[root@localhost ~]# yum list docker-ce --showduplicates | sort -r
[root@localhost ~]# yum install -y docker-ce

启动 Docker ：

[root@localhost ~]# systemctl enable docker && systemctl start docker

部署镜像仓库代理

下文涉及浅时光博主的 GitHub 项目：Docker-Proxy
下述文件皆存放于 /var/registry-proxy 目录中，若需指定其它目录请自行创建并使用。

创建账号密码【可选】：

[root@localhost ~]# mkdir -p /var/registry-proxy &&  cd $_
[root@localhost registry-proxy]# mkdir auth && mkdir -p registry/data
[root@localhost registry-proxy]# docker run --entrypoint htpasswd httpd:2 -Bbn TEST TESTPASSWD > auth/htpasswd

添加 docker-compose.yml 文件：

下述配置若需使用密码，则请将 volumes 处的 ./auth:/auth 注释取消。
若内网、国内主机部署，请自行部署好科学上网代理，并将 environment 处的 HTTP_PROXY、HTTPS_PROXY、NO_PROXY 注释取消，并配置其正确的代理地址。

services:
  ## docker hub
  docker-hub:
    container_name: reg-docker-hub
    image: registry:latest
    restart: always
    #environment:
      #HTTP_PROXY: "http://172.17.0.1:7890"
      #HTTPS_PROXY: "http://172.17.0.1:7890"
      #NO_PROXY: "localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*"
    volumes:
      - ./registry/data:/var/lib/registry
      - ./docker-hub.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 51000:5000
    networks:
      - registry-net

  ## ghcr.io
  ghcr:
    container_name: reg-ghcr
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: "http://172.17.0.1:7890"
      #HTTPS_PROXY: "http://172.17.0.1:7890"
      #NO_PROXY: "localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*"
    volumes:
      - ./registry/data:/var/lib/registry
      - ./ghcr.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 52000:5000
    networks:
      - registry-net

  ## gcr.io
  gcr:
    container_name: reg-gcr
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: "http://172.17.0.1:7890"
      #HTTPS_PROXY: "http://172.17.0.1:7890"
      #NO_PROXY: "localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*"
    volumes:
      - ./registry/data:/var/lib/registry
      - ./gcr.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 53000:5000
    networks:
      - registry-net

  ## k8s.gcr.io
  k8s-gcr:
    container_name: reg-k8s-gcr
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: "http://172.17.0.1:7890"
      #HTTPS_PROXY: "http://172.17.0.1:7890"
      #NO_PROXY: "localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*"
    volumes:
      - ./registry/data:/var/lib/registry
      - ./k8s-ghcr.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 54000:5000
    networks:
      - registry-net

  ## quay.io
  quay:
    container_name: reg-quay
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: "http://172.17.0.1:7890"
      #HTTPS_PROXY: "http://172.17.0.1:7890"
      #NO_PROXY: "localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*"
    volumes:
      - ./registry/data:/var/lib/registry
      - ./quay.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 55000:5000
    networks:
      - registry-net
      
  ## UI
  registry-ui:
    container_name: registry-ui
    image: dqzboy/docker-registry-ui:latest
    restart: always
    ports:
      - 50000:8080
    environment:
      - DOCKER_REGISTRY_URL=http://reg-docker-hub:5000
      # [必须]使用 openssl rand -hex 16 生成唯一值
      - SECRET_KEY_BASE=4de431e51588e2050648ba63e3084fff
      # 启用Image TAG 的删除按钮
      - ENABLE_DELETE_IMAGES=true
      - NO_SSL_VERIFICATION=true
    networks:
      - registry-net

networks:
  registry-net:

添加 config.yml 文件：

注意：每个容器挂载对应的 config.yml ，这里名称与上面 docker-compose.yml 文件内定义的挂载名称保持一致；下面只是其中一个示例配置，其他的配置也一样，只需要更改 remoteurl 代理的地址即可。也可从 GitHub 项目内自行下载对应文件放入同目录下。

version: 0.1
log:
  fields:
    service: registry
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory   
    blobdescriptorsize: 10000
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']
    Access-Control-Max-Age: [1728000]
    Access-Control-Allow-Credentials: [true]
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
#auth:
#  htpasswd:
#    realm: basic-realm
#    path: /auth/htpasswd
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

proxy:
  remoteurl: https://registry-1.docker.io
  username: 
  password:

启动容器服务：

[root@localhost registry-proxy]# ls
docker-compose.yaml  docker-hub.yml  gcr.yml  ghcr.yml  k8s-ghcr.yml  quay.yml  registry
[root@localhost registry-proxy]# docker compose up -d
[+] Running 7/7
 ✔ Network registry-docker_registry-net  Created                                                                                                                                   0.1s 
 ✔ Container reg-gcr                     Started                                                                                                                                   1.5s 
 ✔ Container reg-k8s-gcr                 Started                                                                                                                                   1.4s 
 ✔ Container reg-docker-hub              Started                                                                                                                                   1.4s 
 ✔ Container registry-ui                 Started                                                                                                                                   1.5s 
 ✔ Container reg-ghcr                    Started                                                                                                                                   1.5s 
 ✔ Container reg-quay                    Started                                                                                                                                   1.5s 
[root@localhost registry-proxy]#
# 检查启动容器状态
[root@localhost registry-proxy]# docker ps

配置 Nginx 反代：

此处需自备对应域名的 SSL 证书（最好申请一张通配符证书），并建议使用 acme.sh 等工具自动化管理申请部署证书。
实际配置时请将下述的 example.com 换成自己的域名，以及自行修改证书的路径和 WEB 存放日志的路径。

[root@localhost ~]# cd /etc/nginx/conf.d/
[root@localhost conf.d]# vim reverse_registry-proxy.conf
## Google Container Registry (gcr.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        ##  填写绑定证书的域名（下同）
        server_name gcr.example.com;

        # SSL配置，证书文件名称（填写你证书存放的路径和名称，下同）
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        error_page 497  https://$host$request_uri;

        location / {
                proxy_pass http://localhost:53000;
                proxy_redirect off;

                proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;

                send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

        # . files
        location ~ /\.(?!well-known) {
                deny all;
        }

        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type "text/plain; charset=UTF-8";
                return 200 "User-Agent: *\nDisallow: /";
        }

        access_log /xxx/gcr-access.log;
        error_log /xxx/gcr-error.log;
}

# hub mirror
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name hub.example.com;

        #SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        ssl_buffer_size 8k;

        error_page 497  https://$host$request_uri;

        location / {
                proxy_pass http://localhost:51000;
                proxy_redirect off;
                proxy_buffering off;

                proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header        X-Nginx-Proxy           true;

                send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

        # . files
        location ~ /\.(?!well-known) {
                deny all;
        }
        
        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type "text/plain; charset=UTF-8";
                return 200 "User-Agent: *\nDisallow: /";
        }

        access_log /xxx/hub-access.log;
        error_log /xxx/hub-error.log;
}

## GitHub Container Registry (ghcr.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name ghcr.example.com;

        #SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        
        error_page 497  https://$host$request_uri;

        location / {
                proxy_pass http://localhost:52000;
                proxy_redirect off;
                proxy_buffering off;

                proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header        X-Nginx-Proxy           true;

                send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

        # . files
        location ~ /\.(?!well-known) {
                deny all;
        }

        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type "text/plain; charset=UTF-8";
                return 200 "User-Agent: *\nDisallow: /";
        }

        access_log /xxx/ghcr-access.log;
        error_log /xxx/ghcr-error.log;
}

## Kubernetes Container Registry (k8s.gcr.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name k8s-gcr.example.com;

        #SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        error_page 497  https://$host$request_uri;

        location / {
                proxy_pass http://localhost:54000;
                proxy_redirect off;
                proxy_buffering off;

                proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header        X-Nginx-Proxy           true;

                send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

        # . files
        location ~ /\.(?!well-known) {
                deny all;
        }

        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type "text/plain; charset=UTF-8";
                return 200 "User-Agent: *\nDisallow: /";
        }

        access_log /xxx/k8s_gcr-access.log;
        error_log /xxx/k8s_gcr-error.log;
}

## Quay Container Registry (quay.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name quay.example.com;

        #SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        error_page 497  https://$host$request_uri;

        location / {
                proxy_pass http://localhost:55000;
                proxy_redirect off;
                proxy_buffering off;

                proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header        X-Nginx-Proxy           true;

                send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

        # . files
        location ~ /\.(?!well-known) {
                deny all;
        }

        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type "text/plain; charset=UTF-8";
                return 200 "User-Agent: *\nDisallow: /";
        }

        access_log /xxx/quay-access.log;
        error_log /xxx/quay-error.log;
}

## Hub UI
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name ui.example.com;

        #SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        
        error_page 497  https://$host$request_uri;

        location / {
                proxy_pass http://localhost:50000;
                proxy_redirect off;
                proxy_buffering off;

                proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header        X-Nginx-Proxy           true;

                send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

        # . files
        location ~ /\.(?!well-known) {
                deny all;
        }

        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type "text/plain; charset=UTF-8";
                return 200 "User-Agent: *\nDisallow: /";
        }

        access_log /xxx/images-access.log;
        error_log /xxx/images-error.log;
}

# 重载Nginx配置
[root@localhost ~]#  nginx -t
[root@localhost ~]#  nginx -s reload

解析域名：

将我们在 Nginx 配置的域名，在 DNS 服务商商进行解析，解析到部署镜像代理仓库的服务器上（若部署用于内网使用，则 DNS 服务商处可直接解析内网地址，也无需备案；也或内网的 DNS 服务器手动指定下地址的解析）；
通过访问 UI 地址可以查看镜像仓库缓存的镜像；
通过使用对应的代理域名即可来下载之前无法下载的镜像。

上述流程完成后，即可使用自建的 Registry 地址替换官方的 Registry 地址拉取镜像，示例如下：

# docker hub Registry
## 源：nginx:latest
## 替换
docker pull hub.example.com/library/nginx:latest

# K8s Registry
## 源：gcr.io/google-containers/pause:3.1
## 替换：
docker pull gcr.example.com/google-containers/pause:3.1

镜像成功拉取后，访问 UI 页面就可以看到上面下载的镜像已经被缓存了：

接下来修改 Docker 的 daemon.json 配置，配置自建的 Registry-proxy 地址，然后重启 Docker 即可，后续拉取镜像即可直接拉取：

[root@localhost registry-proxy]# vim /etc/docker/daemon.json 
{ 
  "registry-mirrors" : 
    [ 
      "https://hub.example.com"
    ] 
}
[root@localhost registry-proxy]# systemctl restart docker

镜像仓库映射

前缀替换的 Registry 参考：

源站	替换为	平台
docker.io	hub.example.com	Docker hub
gcr.io	gcr.example.com	Google Container Registry
ghcr.io	ghcr.example.com	GitHub Container Registry
k8s.gcr.io	k8s-gcr.example.com	Kubernetes Container Registry
quay.io	quay.example.com	Quay Container Registry

参考

自建Docker镜像加速服务：加速与优化镜像管理

Docker-Proxy

End

本文标题：自建Docker加速镜像服务

本文链接：https://www.isisy.com/1548.html

除非另有说明，本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议。

声明：转载请注明文章来源。

如果觉得我的文章对你有用，请随意赞赏

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款。

评论 *

私密评论

名称 *

🎲

邮箱 *

地址

jt
该评论仅登录用户及评论双方可见
www
真正需要隐藏的是 /dns-query 路径
玖珈
我编译出了so文件，python3.12.1的版本，使用的是a...
爱好者博客
能否分享一下python转换脚本
JIeJaitt
大佬，像那种网页上登陆才能查看的会员文档，或者是那种要关注公众...

今日已经过去小时

这周已经过去天

本月已经过去天

今年已经过去个月

自建Docker加速镜像服务

Yang2635 • 2024 年 06 月 12 日

<div class="aisummary"><strong>AI 摘要（由 ChatGPT 总结生成）：</br></strong><div class="indented-text">文章介绍了在国内提供镜像站和镜像加速服务被禁止的情况下，如何自建Docker镜像加速服务。全文详细描述了搭建流程，包括准备环境、安装Docker和Nginx、配置镜像仓库和Nginx反代等步骤。此外，还提供了如何通过修改Docker配置来使用新的Registry地址，并介绍了如何通过UI查看缓存的镜像。这为需要绕过官方限制的开发者提供了一种解决方案。</div></div><h2>前言</h2><p>因截止到 2024 年 06 月 07 日，国内已要求所有提供镜像站和镜像加速服务的机构停止其服务。这对国内一众开发者及安全从业者造成了相当的困扰，正好自己这几天晚上折腾了一下镜像站的部署，故简单水个文。</p><h2>搭建流程</h2><p>本文借鉴了另一位博主浅时光的教程，同时本文也同样适用内网自建，方便大家使用。</p><blockquote>有的文章是使用 CloudFlare Works 搭建的，但 CloudFlare 在当下的国内环境下不知道啥时候会出幺蛾子，故本文不讨论使用 CloudFlare Works 方式部署。</blockquote><h3>操作流程</h3><ul><li>拥有一台国外未被墙的主机。国内主机也可，但需会使用科学上网工具（此需自行解决，本文不提供相应教程）。</li><li>一个域名，国外主机、内网自建不需备案，国内公网主机部署且对外提供则需备案。</li><li>部署 Nginx，用于配置域名和 SSL 证书来反代 Registry 容器服务。</li><li>部署 Docker 和 Docker Compose。</li></ul><h3>基础环境安装</h3><ol><li>添加 Docker YUM 源：</li></ol><pre><code class="lang-bash">[root@localhost ~]# yum update
[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@localhost ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo</code></pre><ol start="2"><li>安装 Docker ：</li></ol><pre><code class="lang-bash">#可以查看所有仓库中所有docker版本，并选择特定版本安装
[root@localhost ~]# yum list docker-ce --showduplicates | sort -r
[root@localhost ~]# yum install -y docker-ce</code></pre><ol start="3"><li>启动 Docker ：</li></ol><pre><code class="lang-bash">[root@localhost ~]# systemctl enable docker &amp;&amp; systemctl start docker</code></pre><h3>部署镜像仓库代理</h3><blockquote><p>下文涉及浅时光博主的 GitHub 项目：<span class="external-link"><a class="no-external-link" href="https://github.com/dqzboy/Docker-Proxy" target="_blank"><i data-feather="external-link"></i>Docker-Proxy</a></span></p><p>下述文件皆存放于 <code>/var/registry-proxy</code> 目录中，若需指定其它目录请自行创建并使用。</p></blockquote><ol><li>创建账号密码【可选】：</li></ol><pre><code class="lang-bash">[root@localhost ~]# mkdir -p /var/registry-proxy &amp;&amp;  cd $_
[root@localhost registry-proxy]# mkdir auth &amp;&amp; mkdir -p registry/data
[root@localhost registry-proxy]# docker run --entrypoint htpasswd httpd:2 -Bbn TEST TESTPASSWD &gt; auth/htpasswd</code></pre><ol start="2"><li>添加 <code>docker-compose.yml</code> 文件：</li></ol><blockquote><ul><li>下述配置若需使用密码，则请将 <code>volumes</code> 处的 <code>./auth:/auth</code> 注释取消。</li><li>若内网、国内主机部署，请自行部署好科学上网代理，并将 <code>environment</code> 处的 <code>HTTP_PROXY</code>、<code>HTTPS_PROXY</code>、<code>NO_PROXY</code> 注释取消，并配置其正确的代理地址。</li></ul></blockquote><pre><code class="lang-yaml">services:
  ## docker hub
  docker-hub:
    container_name: reg-docker-hub
    image: registry:latest
    restart: always
    #environment:
      #HTTP_PROXY: &quot;http://172.17.0.1:7890&quot;
      #HTTPS_PROXY: &quot;http://172.17.0.1:7890&quot;
      #NO_PROXY: &quot;localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*&quot;
    volumes:
      - ./registry/data:/var/lib/registry
      - ./docker-hub.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 51000:5000
    networks:
      - registry-net

## ghcr.io
  ghcr:
    container_name: reg-ghcr
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: &quot;http://172.17.0.1:7890&quot;
      #HTTPS_PROXY: &quot;http://172.17.0.1:7890&quot;
      #NO_PROXY: &quot;localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*&quot;
    volumes:
      - ./registry/data:/var/lib/registry
      - ./ghcr.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 52000:5000
    networks:
      - registry-net

## gcr.io
  gcr:
    container_name: reg-gcr
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: &quot;http://172.17.0.1:7890&quot;
      #HTTPS_PROXY: &quot;http://172.17.0.1:7890&quot;
      #NO_PROXY: &quot;localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*&quot;
    volumes:
      - ./registry/data:/var/lib/registry
      - ./gcr.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 53000:5000
    networks:
      - registry-net

## k8s.gcr.io
  k8s-gcr:
    container_name: reg-k8s-gcr
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: &quot;http://172.17.0.1:7890&quot;
      #HTTPS_PROXY: &quot;http://172.17.0.1:7890&quot;
      #NO_PROXY: &quot;localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*&quot;
    volumes:
      - ./registry/data:/var/lib/registry
      - ./k8s-ghcr.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 54000:5000
    networks:
      - registry-net

## quay.io
  quay:
    container_name: reg-quay
    image: registry:latest
    restart: always
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      #HTTP_PROXY: &quot;http://172.17.0.1:7890&quot;
      #HTTPS_PROXY: &quot;http://172.17.0.1:7890&quot;
      #NO_PROXY: &quot;localhost,127.*,10.*,172.16.*,172.17.*,172.18.*,172.19.*,172.20.*,172.21.*,172.22.*,172.23.*,172.24.*,172.25.*,172.26.*,172.27.*,172.28.*,172.29.*,172.30.*,172.31.*,192.168.*&quot;
    volumes:
      - ./registry/data:/var/lib/registry
      - ./quay.yml:/etc/docker/registry/config.yml
      #- ./auth:/auth
    ports:
      - 55000:5000
    networks:
      - registry-net
      
  ## UI
  registry-ui:
    container_name: registry-ui
    image: dqzboy/docker-registry-ui:latest
    restart: always
    ports:
      - 50000:8080
    environment:
      - DOCKER_REGISTRY_URL=http://reg-docker-hub:5000
      # [必须]使用 openssl rand -hex 16 生成唯一值
      - SECRET_KEY_BASE=4de431e51588e2050648ba63e3084fff
      # 启用Image TAG 的删除按钮
      - ENABLE_DELETE_IMAGES=true
      - NO_SSL_VERIFICATION=true
    networks:
      - registry-net

networks:
  registry-net:</code></pre><ol start="3"><li>添加 <code>config.yml</code> 文件：</li></ol><blockquote><strong>注意：</strong>每个容器挂载对应的 <code>config.yml</code> ，这里名称与上面 <code>docker-compose.yml</code> 文件内定义的挂载名称保持一致；下面只是其中一个示例配置，其他的配置也一样，只需要更改 <code>remoteurl</code> 代理的地址即可。也可从 GitHub 项目内自行下载对应文件放入同目录下。</blockquote><pre><code class="lang-yaml">version: 0.1
log:
  fields:
    service: registry
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory   
    blobdescriptorsize: 10000
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']
    Access-Control-Max-Age: [1728000]
    Access-Control-Allow-Credentials: [true]
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
#auth:
#  htpasswd:
#    realm: basic-realm
#    path: /auth/htpasswd
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

proxy:
  remoteurl: https://registry-1.docker.io
  username: 
  password: </code></pre><ol start="4"><li>启动容器服务：</li></ol><pre><code class="lang-bash">[root@localhost registry-proxy]# ls
docker-compose.yaml  docker-hub.yml  gcr.yml  ghcr.yml  k8s-ghcr.yml  quay.yml  registry
[root@localhost registry-proxy]# docker compose up -d
[+] Running 7/7
 ✔ Network registry-docker_registry-net  Created                                                                                                                                   0.1s 
 ✔ Container reg-gcr                     Started                                                                                                                                   1.5s 
 ✔ Container reg-k8s-gcr                 Started                                                                                                                                   1.4s 
 ✔ Container reg-docker-hub              Started                                                                                                                                   1.4s 
 ✔ Container registry-ui                 Started                                                                                                                                   1.5s 
 ✔ Container reg-ghcr                    Started                                                                                                                                   1.5s 
 ✔ Container reg-quay                    Started                                                                                                                                   1.5s 
[root@localhost registry-proxy]#
# 检查启动容器状态
[root@localhost registry-proxy]# docker ps</code></pre><ol start="5"><li>配置 Nginx 反代：</li></ol><blockquote><p>此处需自备对应域名的 SSL 证书（最好申请一张通配符证书），并建议使用 acme.sh 等工具自动化管理申请部署证书。</p><p>实际配置时请将下述的 <code>example.com</code> 换成自己的域名，以及自行修改证书的路径和 WEB 存放日志的路径。</p></blockquote><pre><code class="lang-bash">[root@localhost ~]# cd /etc/nginx/conf.d/
[root@localhost conf.d]# vim reverse_registry-proxy.conf
## Google Container Registry (gcr.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        ##  填写绑定证书的域名（下同）
        server_name gcr.example.com;

# SSL配置，证书文件名称（填写你证书存放的路径和名称，下同）
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384::!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

error_page 497  https://$host$request_uri;

location / {
                proxy_pass http://localhost:53000;
                proxy_redirect off;

proxy_ssl_server_name on;
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Proto       $scheme;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;

send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

# . files
        location ~ /\.(?!well-known) {
                deny all;
        }

# robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type &quot;text/plain; charset=UTF-8&quot;;
                return 200 &quot;User-Agent: *\nDisallow: /&quot;;
        }

access_log /xxx/gcr-access.log;
        error_log /xxx/gcr-error.log;
}

# hub mirror
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name hub.example.com;

#SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

error_page 497  https://$host$request_uri;

location / {
                proxy_pass http://localhost:51000;
                proxy_redirect off;
                proxy_buffering off;

send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

# . files
        location ~ /\.(?!well-known) {
                deny all;
        }
        
        # robots.txt
        location = /robots.txt {
                default_type text/html;
                add_header Content-Type &quot;text/plain; charset=UTF-8&quot;;
                return 200 &quot;User-Agent: *\nDisallow: /&quot;;
        }

access_log /xxx/hub-access.log;
        error_log /xxx/hub-error.log;
}

## GitHub Container Registry (ghcr.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name ghcr.example.com;

#SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

location / {
                proxy_pass http://localhost:52000;
                proxy_redirect off;
                proxy_buffering off;

send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

# . files
        location ~ /\.(?!well-known) {
                deny all;
        }

access_log /xxx/ghcr-access.log;
        error_log /xxx/ghcr-error.log;
}

## Kubernetes Container Registry (k8s.gcr.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name k8s-gcr.example.com;

#SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

error_page 497  https://$host$request_uri;

location / {
                proxy_pass http://localhost:54000;
                proxy_redirect off;
                proxy_buffering off;

send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

# . files
        location ~ /\.(?!well-known) {
                deny all;
        }

access_log /xxx/k8s_gcr-access.log;
        error_log /xxx/k8s_gcr-error.log;
}

## Quay Container Registry (quay.io)
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name quay.example.com;

#SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

error_page 497  https://$host$request_uri;

location / {
                proxy_pass http://localhost:55000;
                proxy_redirect off;
                proxy_buffering off;

send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

# . files
        location ~ /\.(?!well-known) {
                deny all;
        }

access_log /xxx/quay-access.log;
        error_log /xxx/quay-error.log;
}

## Hub UI
server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name ui.example.com;

#SSL配置
        # RSA Cert
        ssl_certificate /xxx/fullchain.pem;
        ssl_certificate_key /xxx/privkey.pem;

location / {
                proxy_pass http://localhost:50000;
                proxy_redirect off;
                proxy_buffering off;

send_timeout 600;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
        }

# . files
        location ~ /\.(?!well-known) {
                deny all;
        }

access_log /xxx/images-access.log;
        error_log /xxx/images-error.log;
}

# 重载Nginx配置
[root@localhost ~]#  nginx -t
[root@localhost ~]#  nginx -s reload</code></pre><ol start="6"><li>解析域名：</li></ol><ul><li>将我们在 Nginx 配置的域名，在 DNS 服务商商进行解析，解析到部署镜像代理仓库的服务器上（若部署用于内网使用，则 DNS 服务商处可直接解析内网地址，也无需备案；也或内网的 DNS 服务器手动指定下地址的解析）；</li><li>通过访问 UI 地址可以查看镜像仓库缓存的镜像；</li><li>通过使用对应的代理域名即可来下载之前无法下载的镜像。</li></ul><ol start="7"><li>上述流程完成后，即可使用自建的 Registry 地址替换官方的 Registry 地址拉取镜像，示例如下：</li></ol><pre><code class="lang-bash"># docker hub Registry
## 源：nginx:latest
## 替换
docker pull hub.example.com/library/nginx:latest

# K8s Registry
## 源：gcr.io/google-containers/pause:3.1
## 替换：
docker pull gcr.example.com/google-containers/pause:3.1</code></pre><p>镜像成功拉取后，访问 UI 页面就可以看到上面下载的镜像已经被缓存了：</p><p><img src="https://image.isisy.com/images/2024/06/12/image-20240612204206270.png" alt="image-20240612204206270.png" border="0" style="zoom:50%;"  style=""></p><ol start="8"><li>接下来修改 Docker 的 <code>daemon.json</code> 配置，配置自建的 <code>Registry-proxy</code> 地址，然后重启 Docker 即可，后续拉取镜像即可直接拉取：</li></ol><pre><code class="lang-bash">[root@localhost registry-proxy]# vim /etc/docker/daemon.json 
{ 
  &quot;registry-mirrors&quot; : 
    [ 
      &quot;https://hub.example.com&quot;
    ] 
}
[root@localhost registry-proxy]# systemctl restart docker</code></pre><h2>镜像仓库映射</h2><p>前缀替换的 Registry 参考：</p><table><thead><tr><th align="center">源站</th><th align="center">替换为</th><th align="center">平台</th></tr></thead><tbody><tr><td align="center">docker.io</td><td align="center"><strong>hub.example.com</strong></td><td align="center">Docker hub</td></tr><tr><td align="center">gcr.io</td><td align="center"><strong>gcr.example.com</strong></td><td align="center">Google Container Registry</td></tr><tr><td align="center">ghcr.io</td><td align="center"><strong>ghcr.example.com</strong></td><td align="center">GitHub Container Registry</td></tr><tr><td align="center">k8s.gcr.io</td><td align="center"><strong>k8s-gcr.example.com</strong></td><td align="center">Kubernetes Container Registry</td></tr><tr><td align="center">quay.io</td><td align="center"><strong>quay.example.com</strong></td><td align="center">Quay Container Registry</td></tr></tbody></table><h2>参考</h2><p><span class="external-link"><a class="no-external-link" href="https://www.dqzboy.com/8709.html" target="_blank"><i data-feather="external-link"></i>自建Docker镜像加速服务：加速与优化镜像管理</a></span></p><p><span class="external-link"><a class="no-external-link" href="https://github.com/dqzboy/Docker-Proxy" target="_blank"><i data-feather="external-link"></i>Docker-Proxy</a></span></p>

自建Docker加速镜像服务

前言

搭建流程

操作流程

基础环境安装

部署镜像仓库代理

镜像仓库映射

参考

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款。

UnblockNeteaseMusic——一键解锁网易云灰色音乐

CentOS内核版本升级

Magisk-FRPC 食用

何谓BL锁？

Kms激活你的Windows和Office

神奇的Magisk

2023 陇剑杯-IR_WP

SQL注入之二次注入

微信闪退的BUG：一张畸形二维码

记一次蜜罐捕获的“安全”样本文件分析

自建Docker加速镜像服务

前言

搭建流程

操作流程

基础环境安装

部署镜像仓库代理

镜像仓库映射

参考

发表评论 取消回复 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款。

自建Docker加速镜像服务

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款。