摘要:默認(rèn)運(yùn)行獲取鏡像時(shí)��,其倉(cāng)庫(kù)地址為��,執(zhí)行有完整鏡像名稱格式為���。由于主機(jī)沒法訪問外網(wǎng),則報(bào)錯(cuò)退出����。
默認(rèn)運(yùn)行docker pull獲取鏡像時(shí),其倉(cāng)庫(kù)地址為docker.io���,執(zhí)行docker info有:
% docker info
...
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Registries: docker.io (secure)
完整鏡像名稱格式為//:�����。
鏡像提供了完整主機(jī)名稱��,則docker從此鏡像庫(kù)下載鏡像����,如從quay.io鏡像庫(kù)的coreos項(xiàng)目下載etcd:latest鏡像:
% docker pull quay.io/coreos/etcd
若省略了hostname��,則默認(rèn)從docker.io下載鏡像,而若省略project����,其會(huì)補(bǔ)充project為library:
% docker pull library/debian
Using default tag: latest
Trying to pull repository docker.io/library/debian
% docker pull debian # 未明確指定project,從docker.io下載時(shí)默認(rèn)補(bǔ)充library/
Using default tag: latest
Trying to pull repository docker.io/library/debian
若沒有提供hostname���,則下載鏡像順序從Registries列表獲取���,但默認(rèn)只有docker.io,可調(diào)整順序���,如:
% vi /etc/sysconfig/docker
ADD_REGISTRY="--add-registry okd-lr.zyl.io:5000 --add-registry quay.io"
INSECURE_REGISTRY="--insecure-registry okd-lr.zyl.io:5000" # 鏡像庫(kù)若是非TLS��,則必須添加此參數(shù)
此時(shí)docker info顯示如下:
Registry: https://okd-lr.zyl.io:5000/v1/ # 這里沒啥用
Experimental: false
Insecure Registries:
okd-lr.zyl.io:5000 # 非安全鏡像庫(kù)
127.0.0.0/8
Live Restore Enabled: false # 由ADD_REGISTRY添加了2個(gè)鏡像庫(kù)
Registries: okd-lr.zyl.io:5000 (insecure), quay.io (secure), docker.io (secure)
若此時(shí)下載鏡像��,則順序遍歷Registries列出的鏡像庫(kù):
% docker pull etcd
Using default tag: latest
Trying to pull repository okd-lr.zyl.io:5000/etcd ...
Trying to pull repository quay.io/etcd ...
Trying to pull repository docker.io/library/etcd ...
Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 134.194.18.2:53: read udp 134.194.18.3:45004->134.194.18.2:53: i/o timeout
如上所示�����,docker順序遍歷了3個(gè)鏡像庫(kù)��,而在前兩個(gè)鏡像庫(kù)沒找到后���,從docker.io鏡像庫(kù)查找�����,此時(shí)其會(huì)添加library項(xiàng)目�,而其他的鏡像庫(kù)地址不會(huì)添加���。由于主機(jī)沒法訪問外網(wǎng),則報(bào)錯(cuò)退出�。
若okd-lr.zyl.io:5000私有鏡像庫(kù)配置為docker.io的mirror,如配置了REGISTRY_PROXY_REMOTEURL:
% cat /etc/systemd/system/local-registry.service
[Unit]
Description=Local Docker Mirror registry cache
Requires=docker.service
After=docker.service
# HTTP_PROXY��、HTTPS_PROXY替換為實(shí)際代理
# NO_PROXY配置不走代理的IP地址����,如示例192.168.10.x為宿主機(jī)IP地址
[Service]
ExecStartPre=-/usr/bin/docker rm -f local-registry
ExecStart=/usr/bin/docker run --name %p
-v /data/local-registry:/var/lib/registry
-e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
-e REGISTRY_PROXY_REMOTEURL=https://registry.docker-cn.com
-e HTTP_PROXY=http://:
-e HTTPS_PROXY=http://:
-e NO_PROXY="localhost,127.0.0.1,.cluster.local,.svc,.zyl.io,172.30.0.1,192.168.10.3,192.168.10.4"
-p 5000:5000 registry
ExecStop=-/usr/bin/docker stop -t 2 %p
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
此時(shí)配置--registry-mirror,如:
vi /etc/sysconfig/docker
OPTIONS="--registry-mirror=http://okd-lr.zyl.io:5000 --selinux-enabled --log-driver=journald --signature-verification=false"
ADD_REGISTRY="--add-registry okd-lr.zyl.io:5000 --add-registry quay.io"
INSECURE_REGISTRY="--insecure-registry okd-lr.zyl.io:5000"
此時(shí)執(zhí)行docker pull debian下載鏡像����,有:
搜索okd-lr.zyl.io:5000/debian,若上面有則返回��,否則搜索下一個(gè)鏡像庫(kù)�����;
搜索quay.io/debian,若成功則返回���,否則繼續(xù)搜索���;
搜索docker.io/library/debian,因配置了registry-mirror�����,其將從此代理鏡像庫(kù)獲取鏡像�,若代理鏡像庫(kù)中有,則直接返回����,否則其先抓取鏡像后再返回;
注意:
registry-mirror只會(huì)代理docker.io默認(rèn)鏡像庫(kù)的鏡像��,其他鏡像庫(kù)不會(huì)代理�;
mirror鏡像庫(kù)支持的代理操作,即push/pull均會(huì)代理到docker.io上��;
mirror鏡像庫(kù)若是非TLS配置�����,若要通過此mirror push到docker.io,需配置INSECURE_REGISTRY����;
文章版權(quán)歸作者所有,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為����,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/27937.html
