我的书签
添加书签
移除书签18.4 配置Registry
Docker Registry提供了一些样例配置,用户可以直接使用它们来进行开发或生产部署。
笔者将以下面的示例配置来介绍如何使用配置文件来管理私有仓库。
18.4.1 示例配置
代码如下:
- version: 0.1
- log:
- level: debug
- fields:
- service: registry
- environment: development
- hooks:
- - type: mail
- disabled: true
- levels:
- - panic
- options:
- smtp:
- addr: mail.example.com:25
- username: mailuser
- password: password
- insecure: true
- from: sender@example.com
- to:
- - errors@example.com
- storage:
- delete:
- enabled: true
- cache:
- blobdescriptor: redis
- filesystem:
- rootdirectory: /var/lib/registry
- maintenance:
- uploadpurging:
- enabled: false
- http:
- addr: :5000
- debug:
- addr: localhost:5001
- headers:
- X-Content-Type-Options: [nosniff]
- redis:
- addr: localhost:6379
- pool:
- maxidle: 16
- maxactive: 64
- idletimeout: 300s
- dialtimeout: 10ms
- readtimeout: 10ms
- writetimeout: 10ms
- notifications:
- endpoints:
- - name: local-5003
- url: http://localhost:5003/callback
- headers:
- Authorization: [Bearer <an example token>]
- timeout: 1s
- threshold: 10
- backoff: 1s
- disabled: true
- - name: local-8083
- url: http://localhost:8083/callback
- timeout: 1s
- threshold: 10
- backoff: 1s
- disabled: true
- health:
- storagedriver:
- enabled: true
- interval: 10s
- threshold: 3
18.4.2 选项
这些选项以yaml文件格式提供,用户可以直接进行修改,也可以添加自定义的模板段。
默认情况下,变量可以从环境变量中读取,例如log.level:debug可以配置为:
- export LOG_LEVEL=debug
比较重要的选项包括版本信息、log选项、hooks选项、存储选项、认证选项、HTTP选项、通知选项、redis选项、健康监控选项、代理选项和验证选项等。下面分别介绍这些选项。
1.版本信息
- version:0.1
2.log选项
日志相关:
- log:
- level: debug
- formatter: text
- fields:
- service: registry
- environment: staging
参数说明:
·level:字符串类型,标注输出调试信息的级别,包括debug、info、warn、error。
·fomatter:字符串类型,日志输出的格式,包括text、json、logstash等。
·fields:增加到日志输出消息中的键值对,可以用于过滤日志。
3.hooks选项
配置当仓库发生异常时,通过邮件发送日志时的参数:
- hooks:
- - type: mail
- levels:
- - panic
- options:
- smtp:
- addr: smtp.sendhost.com:25
- username: sendername
- password: password
- insecure: true
- from: name@sendhost.com
- to:
- - name@receivehost.com
4.存储选项
storage选项将配置存储的引擎,默认支持包括本地文件系统、Google云存储、AWS S3云存储和OpenStack Swift分布式存储等,如下所示:
- storage:
- filesystem:
- rootdirectory: /var/lib/registry
- azure:
- accountname: accountname
- accountkey: base64encodedaccountkey
- container: containername
- gcs:
- bucket: bucketname
- keyfile: /path/to/keyfile
- rootdirectory: /gcs/object/name/prefix
- s3:
- accesskey: awsaccesskey
- secretkey: awssecretkey
- region: us-west-1
- regionendpoint: http://myobjects.local
- bucket: bucketname
- encrypt: true
- keyid: mykeyid
- secure: true
- v4auth: true
- chunksize: 5242880
- multipartcopychunksize: 33554432
- multipartcopymaxconcurrency: 100
- multipartcopythresholdsize: 33554432
- rootdirectory: /s3/object/name/prefix
- swift:
- username: username
- password: password
- authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.
- myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
- tenant: tenantname
- tenantid: tenantid
- domain: domain name for Openstack Identity v3 API
- domainid: domain id for Openstack Identity v3 API
- insecureskipverify: true
- region: fr
- container: containername
- rootdirectory: /swift/object/name/prefix
- oss:
- accesskeyid: accesskeyid
- accesskeysecret: accesskeysecret
- region: OSS region name
- endpoint: optional endpoints
- internal: optional internal endpoint
- bucket: OSS bucket
- encrypt: optional data encryption setting
- secure: optional ssl setting
- chunksize: optional size valye
- rootdirectory: optional root directory
- inmemory:
- delete:
- enabled: false
- cache:
- blobdescriptor: inmemory
- maintenance:
- uploadpurging:
- enabled: true
- age: 168h
- interval: 24h
- dryrun: false
- redirect:
- disable: false
比较重要的选项如下:
·maintenance:配置维护相关的功能,包括对孤立旧文件的清理、开启只读模式等;
·delete:是否允许删除镜像功能,默认关闭;
·cache:开启对镜像层元数据的缓存功能,默认开启;
5.认证选项
对认证类型的配置,如下所示:
- auth:
- silly:
- realm: silly-realm
- service: silly-service
- token:
- realm: token-realm
- service: token-service
- issuer: registry-token-issuer
- rootcertbundle: /root/certs/bundle
- htpasswd:
- realm: basic-realm
- path: /path/to/htpasswd
比较重要的选项如下:
·silly:仅供测试使用,只要请求头带有认证域即可,不做内容检查;
·token:基于token的用户认证,适用于生产环境,需要额外的token服务来支持;
·htpasswd:基于Apache htpasswd密码文件的权限检查。
6.HTTP选项
跟HTTP服务相关的配置,如下所示:
- http:
- addr: localhost:5000
- net: tcp
- prefix: /my/nested/registry/
- host: https://myregistryaddress.org:5000
- secret: asecretforlocaldevelopment
- relativeurls: false
- tls:
- certificate: /path/to/x509/public
- key: /path/to/x509/private
- clientcas:
- - /path/to/ca.pem
- - /path/to/another/ca.pem
- letsencrypt:
- cachefile: /path/to/cache-file
- email: emailused@letsencrypt.com
- debug:
- addr: localhost:5001
- headers:
- X-Content-Type-Options: [nosniff]
- http2:
- disabled: false
其中的参数如下:
·addr:必选,服务监听地址;
·secret:必选,跟安全相关的随机字符串,用户可以自己定义;
·tls:证书相关的文件路径信息;
·http2:是否开启http2支持,默认关闭。
7.通知选项
有事件发生时候的通知系统。
- notifications:
- endpoints:
- - name: alistener
- disabled: false
- url: https://my.listener.com/event
- headers: <http.Header>
- timeout: 500
- threshold: 5
- backoff: 1000
8.redis选项
Registry可以用Redis来缓存文件块,这里可以配置相关选项:
- redis:
- addr: localhost:6379
- password: asecret
- db: 0
- dialtimeout: 10ms
- readtimeout: 10ms
- writetimeout: 10ms
- pool:
- maxidle: 16
- maxactive: 64
- idletimeout: 300s
9.健康监控选项
跟健康监控相关,主要是对配置服务进行检测判断系统状态,如下所示:
- health:
- storagedriver:
- enabled: true
- interval: 10s
- threshold: 3
- file:
- - file: /path/to/checked/file
- interval: 10s
- http:
- - uri: http://server.to.check/must/return/200
- headers:
- Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
- statuscode: 200
- timeout: 3s
- interval: 10s
- threshold: 3
- tcp:
- - addr: redis-server.domain.com:6379
- timeout: 3s
- interval: 10s
- threshold: 3
默认并未启用。
10.代理选项
配置Registry作为一个pull代理,从远端(目前仅支持官方仓库)下拉Docker镜像,如下所示:
- proxy:
- remoteurl: https://registry-1.docker.io
- username: [username]
- password: [password]
之后,用户可以通过如下命令来配置Docker使用代理:
- $ docker --registry-mirror=https://myrepo.com:5000 daemon
11.验证选项
限定来自指定地址的客户端才可以执行push操作:
- validation:
- enabled: true
- manifests:
- urls:
- allow:
- - ^https?://([^/]+\.)*example\.com/
- deny:
- - ^https?://www\.example\.com/
