提供常见docker镜像 #276
另外,skopeo 是 Go 写的,可以方便地用 socks5 代理,配置为:
不过有个问题是,怎么界定哪些是常见镜像呢……
和我们界定哪些软件/系统源需要镜像一样。
这是个问题
可以投票,某人想要某个image,在这里创建一个issue,超过50人点赞就认为是常见的。
近期 Docker Hub 会开始限制 docker pull 的频率,而很多常见镜像都有许多版本,例如说 Debian 的官方 Docker 镜像就有 6 个架构的几十个不同版本,Docker Hub 的这个限制很可能使得我们无法及时同步所有的镜像。
https://github.com/docker-library/official-images 对于 Docker Hub 来说,可以优先同步 Official images。
我今天试了一下,如果 sync 目标设置为 dir,下载得到的文件也不能直接用于 registry,并且不支持断点续传(如果文件夹存在,就会直接退出),所以只能通过 sync 到 registry 来做同步。
这个建议做成一个分布式的工具软件,
感谢大佬提供的思路。 以下是按照思路所做的实现
服务启动配置
version: "3"
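services:
  # Pull-through cache in front of Docker Hub. It has no authentication of its
  # own, so it must only be reachable through nginx-proxy, which enforces the
  # GET/HEAD + /v2/library/ allow-list.
  docker-registry:
    image: registry:2
    container_name: registry-01
    restart: always
    ports:
      # Bound to loopback only: a plain "5001:5000" mapping would expose the
      # registry on every host interface and let clients bypass the nginx
      # method/URI allow-list entirely. Keep this for local debugging, or drop
      # the whole "ports:" entry if it is not needed.
      - "127.0.0.1:5001:5000"
    # Reachable as docker-registry:5000 on the compose network (used by nginx).
    expose:
      - "5000"
    volumes:
      - /data/tls:/tls
      # - /data/data-box/docker-registry:/data  # data directory
    environment:
      - REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
      # Upstream credentials, if required. Prefer an env_file or a secret store
      # over writing them into this committed file.
      # - REGISTRY_PROXY_USERNAME=username
      # - REGISTRY_PROXY_PASSWORD=password
      - REGISTRY_HTTP_TLS_CERTIFICATE=/tls/wildcard.xiaoshuogeng.com.fullchain.pem
      - REGISTRY_HTTP_TLS_KEY=/tls/wildcard.xiaoshuogeng.com.key.pem
      # Storage root inside the container. While the /data volume above stays
      # commented out, the cached layers live in the container filesystem and
      # are lost when the container is recreated.
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data

  # Public entry point: host port 5000 -> nginx TLS listener on 443.
  # nginx applies the allow-list and forwards to docker-registry:5000.
  nginx-proxy:
    image: nginx:alpine
    container_name: nginx-proxy-docker-registry
    restart: always
    depends_on:
      - docker-registry
    ports:
      - "5000:443"
    volumes:
      - /data/tls:/tls
      - ./default.conf:/etc/nginx/conf.d/default.conf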
nginx 配置信息
# 只允许docker-library/official-images通过,其他允许的自己添加路径
# Path allow-list for the registry API: $allow_uri_flag is 1 for
# /v2/library/... (Docker Hub official images) and 0 for anything else.
# Add one "~^/v2/<repo>/" 1; line per extra repository that should be allowed.
# Note: the bare /v2/ endpoint is not matched by this map.
map $uri $allow_uri_flag {
    default 0;
    "~^/v2/library/" 1;
}
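# Read-only, path-restricted front end for the registry container.
server {
    listen 443 ssl http2;
    server_name docker.xiaoshuogeng.com;
    charset utf-8;

    ssl_certificate /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Response hardening headers. Only HSTS carries "always"; the others are
    # attached to 2xx/3xx responses only (nginx add_header default), so the
    # 403/405 replies below do not get them.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer";

    # Pull-only: image pulls need just GET and HEAD, every other method is
    # rejected before it reaches the registry.
    if ( $request_method !~ "^(GET|HEAD)$" ) {
        return 405 '{"status":"405","result":"请求方法不允许","message":"405"}';
    }

    # $allow_uri_flag is set by the map above (only /v2/library/... is 1).
    # The bare /v2/ version-check endpoint therefore gets 403 as well;
    # NOTE(review): confirm the clients in use tolerate that.
    if ( $allow_uri_flag != 1 ) {
        return 403 '{"status":"403","result":"请求URI不允许","message":"403"}';
    }

    location / {
        # Upstream is the registry container on the compose network. nginx does
        # not verify the upstream certificate unless proxy_ssl_verify is turned
        # on; acceptable here only because the hop stays inside that network.
        proxy_pass https://docker-registry:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Forward range headers so partial / resumed blob downloads keep working.
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
    }
}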
# Catch-all HTTPS server for any name other than docker.xiaoshuogeng.com.
server {
    server_name _;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Refuse the TLS handshake itself for unknown or missing server names
    # (requires an nginx build that supports ssl_reject_handshake); 444 closes
    # the connection without a response for anything that still gets through.
    ssl_reject_handshake on;
    return 444;
}
# Plain-HTTP catch-all: no redirect to HTTPS, the connection is simply closed.
server {
    server_name _;
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}
配置文档也写到这里了:
由于 gcr, quay 等上游链接很有问题,目前也取消了反代。我觉得可以换个方式,对于一些常见镜像,在本地镜像一份。镜像的工具可以使用 skopeo https://github.com/containers/skopeo/blob/master/docs/skopeo-sync.1.md
具体是:
我本地的一个的 skopeo sync 的配置文件:
然后同步脚本: