k8s镜像源-docker registry
镜像地址
阿里云ingress
registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1
kafka
wurstmeister/kafka:latest
Push到本地仓库
easzlab.io.local:5000
# 拉取镜像
docker pull docker.elastic.co/elasticsearch/elasticsearch:8.11.3
# 给镜像打标签
docker tag docker.elastic.co/elasticsearch/elasticsearch:8.11.3 easzlab.io.local:5000/elasticsearch/elasticsearch:8.11.3
# 推送镜像到本地仓库
docker push easzlab.io.local:5000/elasticsearch/elasticsearch:8.11.3
# 确保你的本地仓库运行在 http://localhost:5000
# 注:这样启动的 registry:2 默认没有 TLS 也没有认证,-p 5000:5000 会监听所有网卡;
# 只在本机使用时可以改为 -p 127.0.0.1:5000:5000
docker run -d -p 5000:5000 --name registry registry:2
curl http://easzlab.io.local:5000/v2/_catalog
# find /etc -type f -exec grep -l "https://docker.nju.edu.cn" {} +
/etc/containerd/config.toml
/etc/kubeasz/ezdown
/etc/kubeasz/down/kubeasz_3.6.2.tar
/etc/kubeasz/roles/docker/templates/daemon.json.j2
/etc/kubeasz/roles/containerd/templates/config.toml.j2
cp /etc/containerd/config.toml /etc/containerd/config.toml.back
"https://hub.uuuadc.top",
(上面这一行应是加入 endpoint 列表的第三方镜像加速地址;标签最终解析到哪个镜像由加速站决定,关键镜像建议按 digest 拉取,即 <镜像>@sha256:<digest>。)
root@node-1:~# kubectl -n ns-elastic delete pod log-pilot5-fflbt
pod "log-pilot5-wq6qx" deleted
root@node-1:~# kubectl -n ns-elastic get pod -o wide
kubectl -n ns-elastic describe pod log-pilot5-ttg6r
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 34s default-scheduler Successfully assigned ns-elastic/log-pilot5-ccrlv to 10.0.1.201
Normal Pulled 33s (x2 over 34s) kubelet Container image "williamguozi/log-pilot-filebeat:containerd" already present on machine
Warning Failed 33s (x2 over 34s) kubelet Error: couldn't find key kafka_username in ConfigMap ns-elastic/log-pilot5-configuration
Warning Evicted 30s kubelet The node was low on resource: memory. Threshold quantity: 300Mi, available: 244856Ki.
k8s安装
# grep -rn "nju.edu" .
./kubeasz/tools/imgutils:94: HUB="docker.nju.edu.cn"
./kubeasz/tools/imgutils:102: HUB="gcr.nju.edu.cn"
./kubeasz/tools/imgutils:106: HUB="docker.nju.edu.cn"
./kubeasz/tools/imgutils:116: HUB="quay.nju.edu.cn"
./kubeasz/tools/imgutils:118: HUB="gcr.nju.edu.cn"
./kubeasz/ezdown:198: "https://docker.nju.edu.cn/",
./kubeasz/roles/containerd/templates/config.toml.j2:153: endpoint = ["https://docker.nju.edu.cn/", "https://kuamavit.mirror.aliyuncs.com"]
./kubeasz/roles/containerd/templates/config.toml.j2:155: endpoint = ["https://gcr.nju.edu.cn"]
./kubeasz/roles/containerd/templates/config.toml.j2:157: endpoint = ["https://gcr.nju.edu.cn/google-containers/"]
./kubeasz/roles/containerd/templates/config.toml.j2:159: endpoint = ["https://quay.nju.edu.cn"]
./kubeasz/roles/containerd/templates/config.toml.j2:161: endpoint = ["https://ghcr.nju.edu.cn"]
./kubeasz/roles/containerd/templates/config.toml.j2:163: endpoint = ["https://ngc.nju.edu.cn"]
./kubeasz/roles/docker/templates/daemon.json.j2:6: "https://docker.nju.edu.cn/",
./ezdown:198: "https://docker.nju.edu.cn/",
# grep -rn "nju.edu" .
./kubeasz/tools/imgutils:94: HUB="docker.nju.edu.cn"
./kubeasz/tools/imgutils:106: HUB="docker.nju.edu.cn"
./kubeasz/ezdown:198: "https://docker.nju.edu.cn/",
./kubeasz/roles/containerd/templates/config.toml.j2:153: endpoint = ["https://docker.nju.edu.cn/", "https://kuamavit.mirror.aliyuncs.com"]
./kubeasz/roles/docker/templates/daemon.json.j2:6: "https://docker.nju.edu.cn/",
./ezdown:198: "https://docker.nju.edu.cn/",
systemctl restart docker
docker info
api v2
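echo -n "用户名:密码" | base64
# echo -n "admin:admin" | base64
YWRtaW46YWRtaW4=
注意:Base64 只是编码而不是加密,从 Authorization: Basic 头可以直接还原出用户名和密码;下面的请求都走 http://,凭据在网络上是明文传输的(-k 只对 HTTPS 有效,对 http:// 地址不起作用)。
获得docker registry API版本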
# curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" http://easzlab.io.local:5000/v2 -k -IL
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Location: /v2/
Date: Mon, 01 Jul 2024 12:49:28 GMT
Content-Length: 39
HTTP/1.1 200 OK
Content-Length: 2
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Mon, 01 Jul 2024 12:49:28 GMT
获得当前仓库中的镜像
/v2/_catalog
# curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Accept: application/json" http://easzlab.io.local:5000/v2/_catalog
{
"repositories": [
"acs/aliyun-ingress-controller",
"bogeit/kafka",
"brancz/kube-rbac-proxy",
"calico/cni",
"calico/kube-controllers",
"calico/node",
"cloudnativelabs/kube-router",
"coredns/coredns",
"easzlab/k8s-dns-node-cache",
"easzlab/metrics-server",
"easzlab/pause",
"eck/eck-operator",
"elastic/filebeat",
"elasticsearch/elasticsearch",
"fabxc/prometheus_demo_service",
"falcosecurity/falco-driver-loader",
"falcosecurity/falco-no-driver",
"falcosecurity/falcoctl",
"falcosecurity/falcosidekick",
"falcosecurity/falcosidekick-ui",
"grafana/grafana",
"jimmidyson/configmap-reload",
"kibana/kibana",
"kube-state-metrics/kube-state-metrics",
"kubernetesui/dashboard",
"kubernetesui/metrics-scraper",
"prometheus/alertmanager",
"prometheus/blackbox-exporter",
"prometheus/node-exporter",
"prometheus/prometheus",
"prometheus-adapter/prometheus-adapter",
"prometheus-operator/prometheus-config-reloader",
"prometheus-operator/prometheus-operator",
"redis/redis-stack",
"registry.aliyuncs.com/acs/kube-eventer",
"williamguozi/log-pilot-filebeat"
]
}
获得镜像标签
/v2/<name>/tags/list
name为镜像名
# curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Accept: */*" http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/tags/list
{
"name": "falcosecurity/falco-driver-loader",
"tags": [
"0.36.2",
"latest"
]
}
获得一个镜像的Manifest(显示)
Docker镜像清单(manifest)是每个镜像的一个内部组件,用于记录镜像的层次结构和配置信息
# curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/manifests/0.36.2
{
"schemaVersion": 1,
"name": "falcosecurity/falco-driver-loader",
"tag": "0.36.2",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:26d5993e766296c2adda85d78be84d7f2491ac34ab2a82cce4ac6da14ebfde6f"
}
],
"history": [
{
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"VERSION_BUCKET=deb\",\"FALCO_VERSION=0.38.1\",\"HOST_ROOT=/host\",\"HOME=/root\"],\"Entrypoint\":[\"/docker-entrypoint.sh\"],\"Labels\":{\"maintainer\":\"cncf-falco-dev@lists.cncf.io\",\"org.opencontainers.image.source\":\"https://github.com/falcosecurity/falco\",\"usage\":\"docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE\"},\"ArgsEscaped\":true},\"created\":\"2024-06-19T08:51:39.02125067Z\",\"id\":\"e84f715cf78d7d1132e44ede8f3e99688f8f8ce45316efdcc5dbce7850311d7c\",\"os\":\"linux\",\"parent\":\"37211f0754b0614d716682a8e745a6d9f1430087f9bc5c37e5a1d9e1f0ad6051\",\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"37211f0754b0614d716682a8e745a6d9f1430087f9bc5c37e5a1d9e1f0ad6051\",\"parent\":\"7712cdd221b0e904b8761d6695e7cc5b3eda77210e1e8fd33cce0da5c5c57a5a\",\"comment\":\"buildkit.dockerfile.v0\",\"created\":\"2024-06-19T08:51:39.02125067Z\",\"container_config\":{\"Cmd\":[\"COPY ./docker-entrypoint.sh / # buildkit\"]}}"
}
],
"signatures": [
{
"header": {
"jwk": {
"crv": "P-256",
"kid": "46RJ:GRB6:M7X4:653W:4HAN:YUNB:H22R:O3A7:7Q6Y:GKHP:3BM3:5V2H",
"kty": "EC",
"x": "L8b8gfMioQfPOft_KwZor62-jFWoQ8Y4EVg1ycH1nuQ",
"y": "AQHcCUxkW_SGMXj_aYbuQRGNY8xT5HRT1s51lkaKeyA"
},
"alg": "ES256"
},
"signature": "NAVJQQguFLDfph6ML_s4YmLYpq5AVFCnaXm5ZfowQm4XuT1AUMcp4P5UqkfF35IwuleTAPj36C7bCCL5ITSe_g",
"protected": "eyJmb3JtYXRMZW5ndGgiOjE1NjYwLCJmb3JtYXRUYWlsIjoiQ24wIiwidGltZSI6IjIwMjQtMDctMDFUMTM6MDA6NTdaIn0"
}
]
}
或者(加上 v2 的 Accept 头,并用 -I 只取响应头;删除镜像时要使用这样取得的 Docker-Content-Digest):
# curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Basic YWRtaW46YWRtaW4=" -I -X GET http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/manifests/0.36.2
HTTP/1.1 200 OK
Content-Length: 1994
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:24dbe2cdbb82efa1222d97ac0ea32b58133cb9ccb763e603ea4a416769537f20
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:24dbe2cdbb82efa1222d97ac0ea32b58133cb9ccb763e603ea4a416769537f20"
X-Content-Type-Options: nosniff
Date: Mon, 01 Jul 2024 13:10:42 GMT
删除镜像
Digest摘要
通过上面的方式,我们可以获得镜像的digest。例如上面的 falcosecurity/falco-driver-loader:0.36.2 镜像的digest为:
Docker-Content-Digest: sha256:24dbe2cdbb82efa1222d97ac0ea32b58133cb9ccb763e603ea4a416769537f20
因此,我们可以用如下的命令来删除:
# curl -I -X DELETE http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/manifests/sha256:24dbe2cdbb82efa1222d97ac0ea32b58133cb9ccb763e603ea4a416769537f20 -H "Authorization: Basic YWRtaW46YWRtaW4="
//或者如下命令
# curl -X DELETE -H "Authorization: Basic YWRtaW46YWRtaW4=" http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/manifests/latest -I
HTTP/1.1 405 Method Not Allowed
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Mon, 01 Jul 2024 13:19:58 GMT
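Content-Length: 78
(405 表示仓库当前不允许这次删除:按 registry API 说明,未启用删除或仓库是 pull-through 缓存时会返回 405;按标签而不是 digest 删除在 registry 2.x 上通常也是同样的结果。启用删除的配置见文末的 config.yml。)
# curl -I -XDELETE -u admin:admin \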
http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/manifests/sha256:24dbe2cdbb82efa1222d97ac0ea32b58133cb9ccb763e603ea4a416769537f20
HTTP/1.1 202 Accepted
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Mon, 01 Jul 2024 13:52:55 GMT
Content-Length: 0
# curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Accept: */*" http://easzlab.io.local:5000/v2/falcosecurity/falco-no-driver/tags/list
{"name":"falcosecurity/falco-no-driver","tags":["latest"]}
# curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Basic YWRtaW46YWRtaW4=" -I -X GET http://easzlab.io.local:5000/v2/falcosecurity/falco-no-driver/manifests/latest
HTTP/1.1 200 OK
Content-Length: 952
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:fbd170fdb6b77f3f23d5564886cf551a66a309cbe3493a346bcb5ab8c1c2621e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:fbd170fdb6b77f3f23d5564886cf551a66a309cbe3493a346bcb5ab8c1c2621e"
X-Content-Type-Options: nosniff
Date: Mon, 01 Jul 2024 14:43:36 GMT
curl -I -XDELETE -u admin:admin \
http://easzlab.io.local:5000/v2/falcosecurity/falco-no-driver/manifests/sha256:fbd170fdb6b77f3f23d5564886cf551a66a309cbe3493a346bcb5ab8c1c2621e
curl -X DELETE -u admin:admin http://easzlab.io.local:5000/v2/falcosecurity/falco-driver-loader/tags/list
curl -X DELETE -H "Authorization: Basic YWRtaW46YWRtaW4=" http://easzlab.io.local:5000/v2/falcosecurity/falco-no-driver/manifests/latest -I
# docker exec -it local_registry /bin/sh
/ # vi /etc/docker/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true # 这一行是关键
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

即在 storage 下增加:
  delete:
    enabled: true
启用删除后,任何能通过认证访问该 API 的客户端都可以删除 manifest。删除 manifest 只是去掉引用,磁盘空间要在容器内执行 registry garbage-collect /etc/docker/registry/config.yml 之后才会回收。
重启
docker restart local_registry