====== Manage a Private Registry with Docker Registry ======
Docker Registry is a server that stores Docker images. It exposes an API through which clients push and pull images. The server can also be configured to synchronize images with other registry servers.
**You should use the Registry to**:
* Keep tight control over where your images are stored;
* Fully own your image distribution pipeline;
* Integrate storage
===== Installing Docker Registry =====
FIXME The Docker Registry installation will be done on the //dca-registry// VM - [[wiki:docker:infra_docker_dca|KVM DCA Infrastructure with Terraform]]
**Start Docker Registry on port 5000**:
<code bash>
docker container run -d -p 5000:5000 --restart=always --name registry registry:2
</code>
**Test Docker Registry**:
<code bash>
docker image pull busybox:latest
latest: Pulling from library/busybox
a46fbb00284b: Pull complete
Digest: sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
</code>
**Tag the Busybox image for the Registry**:
<code bash>
docker image tag busybox:latest localhost:5000/busybox
</code>
**Push the image to the local Registry server**:
<code bash>
docker image push localhost:5000/busybox
Using default tag: latest
The push refers to repository [localhost:5000/busybox]
58f32e9504c8: Pushed
latest: digest: sha256:ff0b2bbabd0147f23a4b4b499175a2aadf4b775285ea4cfdeb7b30fa3af4bdb8 size: 527
</code>
**Check that the image is stored on the server**:
<code bash>
docker image ls
REPOSITORY               TAG       IMAGE ID       CREATED         SIZE
busybox                  latest    27a71e19c956   10 days ago     4.27MB
localhost:5000/busybox   latest    27a71e19c956   10 days ago     4.27MB
registry                 2         75ef5b734af4   12 months ago   25.4MB
</code>
**Remove the local image**:
<code bash>
docker image rm busybox:latest
Untagged: busybox:latest
Untagged: busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83
</code>
**And to test, run a container using the image from the Docker Registry**:
<code bash>
docker container run -dit --name busybox localhost:5000/busybox
821618b29e23630a3a85d955083e6a17e108ce0930152c04c5e1ea3dcf2912b0
docker container ls
CONTAINER ID   IMAGE                    COMMAND                  CREATED          STATUS          PORTS                                       NAMES
821618b29e23   localhost:5000/busybox   "sh"                     21 seconds ago   Up 20 seconds                                               busybox
a09921d6b689   registry:2               "/entrypoint.sh /etc…"   7 minutes ago    Up 7 minutes    0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   registry
docker container rm -f busybox
busybox
</code>
==== Configure certificates and basic authentication ====
**Create the certs folder to store the certificate and key files**:
<code bash>
sudo mkdir /opt/certs
</code>
**Install the openssl packages**:
<code bash>
sudo dnf install openssl openssl-devel
</code>
**Generate the self-signed certificate and key**:
<code bash>
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/certs/registry.key -out /opt/certs/registry.crt -subj "/CN=registry/O=DCA/OU=Docker" -addext "subjectAltName = DNS:registry"
</code>
**Create the auth folder to store the htpasswd authentication file**:
<code bash>
sudo mkdir /opt/auth
</code>
**Install the httpd-tools package and generate the htpasswd file containing the username and password**:
<code bash>
sudo dnf install httpd-tools
sudo bash -c 'htpasswd -Bbn dca docker > /opt/auth/htpasswd'
</code>
**Create the folder where we will store the images on our registry server**:
<code bash>
sudo mkdir /opt/data
</code>
**Start the Docker Registry server with the certificate, the authentication setup and a local folder to store Docker images**:
<code bash>
docker container rm -f registry
registry
sudo docker container run -d --restart=always --name registry \
  -v /opt/data:/var/lib/registry -v /opt/auth:/auth -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /opt/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key -p 5000:5000 registry:2
803ab18d0f773cb6f4a086583e8c72512c0dc2e229b6447e7c9b38e559d4c61e
docker ps
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS                                       NAMES
803ab18d0f77   registry:2   "/entrypoint.sh /etc…"   24 seconds ago   Up 23 seconds   0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   registry
</code>
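The registry's htpasswd backend only accepts bcrypt entries, so a file produced with plain `htpasswd` (MD5) or hand-edited with another hash type silently locks that user out. The following script is an added example, not part of the original page, that validates the file before the container is started: every line must be `user:` followed by a 60-character bcrypt hash, and the cost must reach a minimum that is an assumed local policy value (`htpasswd -B` defaults to cost 5 unless `-C` is given). The sample hashes used in the test are constructed strings of the right shape, not real password hashes. Note also that the `-b` flag used on this page puts the password on the command line, where it lands in shell history; running `htpasswd -Bn dca` without `-b` prompts for it instead.

```shell
#!/bin/sh
# Added example (not from the original page): validate a Docker Registry
# htpasswd file. The registry accepts bcrypt entries only; MD5 ("$apr1$"),
# SHA ("{SHA}") or crypt entries make that user fail to log in.
# Usage: check_htpasswd /opt/auth/htpasswd

# Minimum bcrypt cost considered acceptable. Assumption: a local policy value,
# not a registry requirement. htpasswd -B uses cost 5 unless -C is given.
MIN_BCRYPT_COST=10

check_htpasswd() {
    file=$1
    status=0
    lineno=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$line" ] && continue
        user=${line%%:*}
        hash=${line#*:}
        # bcrypt layout: $2a$/$2b$/$2y$, two-digit cost, $, then 22-char salt
        # and 31-char digest from the bcrypt base64 alphabet (53 chars total).
        if ! printf '%s\n' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
            echo "line $lineno: user '$user' is not bcrypt; the registry will reject it" >&2
            status=1
            continue
        fi
        cost=$(printf '%s\n' "$hash" | cut -d'$' -f3)
        if [ "$cost" -lt "$MIN_BCRYPT_COST" ]; then
            echo "line $lineno: user '$user' has bcrypt cost $cost (< $MIN_BCRYPT_COST)" >&2
            status=1
        fi
    done < "$file"
    return $status
}

# When run as a script, check the file given as the first argument.
if [ -n "${1:-}" ]; then
    check_htpasswd "$1"
fi
```

Run it as `sh check_htpasswd.sh /opt/auth/htpasswd` before starting the registry container; a non-zero exit means at least one entry would be rejected or is weaker than the chosen policy.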
==== Configure client access ====
Add an entry to ''/etc/hosts'' on every instance, pointing the hostname ''registry'' at the internal IP of the ''dca-registry'' instance.
<code bash>
sudo vim /etc/hosts +$
10.4.5.13 registry
</code>
**Create the subfolder ''/etc/docker/certs.d/registry:5000'' on the instances**:
<code bash>
sudo mkdir -p /etc/docker/certs.d/registry:5000
</code>
**Copy the certificate file from the dca-registry machine**:
<code bash>
scp registry:/opt/certs/registry.crt .
</code>
**On the instances, move the ''registry.crt'' file into ''/etc/docker/certs.d/registry:5000'', renaming it to ca.crt**:
<code bash>
sudo mv registry.crt /etc/docker/certs.d/registry\:5000/ca.crt
</code>
**Log in to the Docker Registry server**:
<code bash>
docker login -u dca registry:5000
Password:
WARNING! Your password will be stored unencrypted in /home/gean/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
</code>
==== Push images to Docker Registry ====
<code bash>
docker image tag httpd:latest registry:5000/httpd:latest
docker image push registry:5000/httpd:latest
The push refers to repository [registry:5000/httpd]
85d0eb049481: Pushed
53a350bcb78a: Pushed
db9328cd0153: Pushed
5f70bf18a086: Pushed
3bbc250aae52: Pushed
8d853c8add5d: Pushed
latest: digest: sha256:f432c26db81bdb6eb2c60c61d5d607615398f2e983eaaaff87ade6bbb2fec875 size: 1572
</code>
**Confirm the images are present on the Docker Registry server with the following command**:
<code bash>
curl -ik --user dca:docker https://registry:5000/v2/_catalog
HTTP/2 200
content-type: application/json; charset=utf-8
docker-distribution-api-version: registry/2.0
x-content-type-options: nosniff
content-length: 27
date: Mon, 07 Oct 2024 14:47:16 GMT
{"repositories":["httpd"]}
</code>
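The `curl -ik` call above proves the catalog is reachable with credentials, but `-k` skips TLS verification, and a 200 with credentials says nothing about whether the registry also answers without them. The script below is an added example, not part of the original page, that turns the same request into a two-sided check: it verifies the server certificate against the `ca.crt` the clients already trust (no `-k`), requests the catalog once anonymously and once with credentials, and only passes when the anonymous request is refused with 401 and the authenticated one succeeds with 200. The registry address, the CA path derived from it, and the `REGISTRY_USER`/`REGISTRY_PASS` environment variables are assumptions of this example; `judge_auth` is kept separate from the network calls so the decision logic can be tested without a live server.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the private registry
# enforces authentication and that TLS is verified through the client CA file.
# Assumed values: REGISTRY host:port, CA file at the certs.d path the page uses,
# credentials in the REGISTRY_USER / REGISTRY_PASS environment variables.
REGISTRY=${REGISTRY:-registry:5000}
CACERT=${CACERT:-/etc/docker/certs.d/$REGISTRY/ca.crt}

# Print the HTTP status code for a GET of $1, with optional "user:pass" in $2.
# The server certificate is checked against $CACERT only; -k is never used.
# curl prints 000 when no HTTP response was obtained (refused, bad cert, ...).
registry_http_code() {
    url=$1
    creds=$2
    if [ -n "$creds" ]; then
        curl -s -o /dev/null -w '%{http_code}' --cacert "$CACERT" --user "$creds" "$url"
    else
        curl -s -o /dev/null -w '%{http_code}' --cacert "$CACERT" "$url"
    fi
}

# Decide whether the (anonymous, authenticated) status pair is what a correctly
# configured private registry returns: 401 without credentials, 200 with them.
# Pure function: no network, so it can be exercised without a live registry.
judge_auth() {
    anon=$1
    auth=$2
    if [ "$anon" != "401" ]; then
        echo "anonymous request got $anon, expected 401: authentication is not enforced" >&2
        return 1
    fi
    if [ "$auth" != "200" ]; then
        echo "authenticated request got $auth, expected 200: credentials, CA or TLS setup is wrong" >&2
        return 1
    fi
    return 0
}

# Live check against the registry's catalog endpoint, the same one the page queries.
check_registry() {
    catalog="https://$REGISTRY/v2/_catalog"
    anon=$(registry_http_code "$catalog")
    auth=$(registry_http_code "$catalog" "${REGISTRY_USER:-}:${REGISTRY_PASS:-}")
    judge_auth "$anon" "$auth"
}

# Run the live check only when invoked with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    check_registry
fi
```

Usage on a client instance: `REGISTRY_USER=dca REGISTRY_PASS=docker sh registry_auth_check.sh run`. A `000` for the authenticated request with a `401` for the anonymous one cannot happen in practice; `000` on both means the TLS handshake failed, which is exactly the case `-k` would have hidden.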
FIXME The Docker images are stored on the docker-registry instance, in the folder ''/opt/data/docker/registry/v2/repositories/''.