How to provide proxy / caching function for Docker image

2025-01-19 Update From: SLTechnology News&Howtos

This article introduces the knowledge of "how to provide proxy / cache function for Docker image". Many people will encounter this dilemma in the operation of actual cases, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Required software

Sonatype Nexus OSS 3.15.0 (or later)

Docker 17.09 (or later)

I set up two Ubuntu LTS-based virtual machines, one running a Sonatype Nexus 3.14.0 Docker container (this machine is called docker-host) and the other running only Docker (called docker-client).

Please note that some network configurations may not be the same as yours (such as IP), but the method is the same. Again, note that the machine running Nexus OSS (docker-host) needs to have access to the Internet.

[update, October 2018] Please use Nexus 3.15 or later because multiple CVE vulnerabilities have been fixed between 3.14 and 3.15.

Configure Nexus OSS

We need to configure at least three things in Nexus, namely the repositories and some security settings. Do not copy this setup as-is in your company, as you may need to consider some performance aspects, such as the Blobstore configuration.

Add Docker Proxy Repository for Docker Hub

Log in to your Nexus instance using an account with administrator privileges and go to the Admin page. Click Repository-> Repositories, and then click 'Create repository'.

Select 'docker (proxy)' and start the configuration.

You need to give the proxy a unique name and make sure it is set to 'Online'.

To avoid living dangerously, we will not provide the V1 API for this repository (leave the 'Enable Docker V1 API' option unchecked), but we do allow anonymous access.

This is very important, so to emphasize it again:

Uncheck 'Force Basic Authentication'.

This allows our Docker Clients to access our Repository without providing credentials. This is the easiest way!

Enter the following information under 'Proxy':

Remote storage: https://registry-1.docker.io/

Docker Index: Use Docker Hub

All the configuration information is shown below.

Add Docker Proxy Repository for Private Repository (optional)

This section is optional, depending on how you access your private repository in Docker Cloud.

Again, give it a unique name, set it to 'Online', disable the V1 API, allow anonymous access, and enter the following information under 'Proxy':

Remote storage: https://registry-1.docker.io

Docker Index: Use proxy registry

The difference is in the Authentication section at the bottom of the page, where you need to enter a user name and password that can access the Docker Cloud private repository.

All configurations are shown below.

Add a Docker Group Repository

A group provides a single point of access for multiple repositories. Docker itself does not have this feature; when the Docker client tries to reach Docker Hub, the group is the only entry point.

When we want the group to include not only Docker Hub but also other repositories (such as private Docker Cloud repositories, Docker repositories hosted on our internal LAN, etc.), all Docker images can be retrieved through Nexus, without the client needing to know where to look for which image.

Repository Group is just a collection of Repositories, but we need Docker Client to be able to communicate with it.

Give it a unique name, set it to 'Online', disable the V1 API, and allow anonymous access.

We need to configure a Repository Connector that provides an accessible port for the contents of the Repository Group storage. I chose to use 8181 (the default port for Nexus is 8081) and only configured HTTP because I was too lazy to configure HTTPS. :)

You need to select the Docker repositories (a hosted repository, a proxy, or another group) that should be Members of this Group, and then save the configuration.

All the configurations are shown below.

Configure security settings

To ensure that anonymous permissions can properly access our repository, we need to add 'Docker Bearer Token Realm' to the Active Realms in the Nexus.

Switch to Administrator-> Security-> Realms and select the 'Docker Bearer Token Realm' from the 'Available' realms list. Click the arrow button on the right and save.

Let's get to work!

Configure Docker Client

Now that our Nexus instance has been successfully configured, we need to make sure that our Docker Client can get all Docker images from this place, not the Internet.

This requires us to configure the Docker daemon on each client so that it uses Nexus as its registry mirror. Also, because the mirror uses HTTP instead of HTTPS, we need to tell Docker that this protocol is allowed for this registry so that images can be pulled through Nexus.

As the root user, create or edit the following file: /etc/docker/daemon.json

{"insecure-registries": ["10.0.2.2:8181"], "registry-mirrors": ["http://10.0.2.2:8181"]}

It is important to note that this will be quite different from what you have configured, because I am running a virtual machine. This IP is an IP mapped by VM1 on my host to solve problems on VM2.

You can safely replace 10.0.2.2 with your own hostname or IP where necessary. Make sure to replace every occurrence.
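A check that can be run on the file before restarting Docker, as an added example that is not part of the original article: it parses daemon.json and reports malformed entries, a mismatch between the two keys, and mirrors served over plain HTTP. The function name, the finding texts and the sample strings are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def audit_daemon_config(text):
    """Return a list of findings for a daemon.json that points Docker at a mirror."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(cfg, dict):
        return ["invalid config: top level must be a JSON object"]
    findings = []
    insecure = cfg.get("insecure-registries", [])
    mirrors = cfg.get("registry-mirrors", [])
    for entry in insecure:
        # Entries are host[:port] or a CIDR range, without scheme or whitespace.
        if "://" in entry or any(ch.isspace() for ch in entry):
            findings.append(f"malformed insecure-registries entry: {entry!r}")
    if not mirrors:
        findings.append("no registry-mirrors entry: pulls bypass the proxy")
    for url in mirrors:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"malformed registry-mirrors entry: {url!r}")
            continue
        if parts.scheme == "http":
            # The article lists its HTTP mirror under both keys; report a mismatch.
            if parts.netloc not in insecure:
                findings.append(f"{parts.netloc} is not listed in insecure-registries")
            findings.append(f"{parts.netloc} is plain HTTP: pulls are unencrypted")
    return findings

# Constructed samples: the article's address and port, a space typed for the
# colon, and a hypothetical HTTPS mirror (nexus.example.internal is not a real host).
AS_IN_ARTICLE = '{"insecure-registries": ["10.0.2.2:8181"], "registry-mirrors": ["http://10.0.2.2:8181"]}'
SPACE_TYPO = '{"insecure-registries": ["10.0.2.2 8181"], "registry-mirrors": ["http://10.0.2.2:8181"]}'
HTTPS_MIRROR = '{"registry-mirrors": ["https://nexus.example.internal:8443"]}'

if __name__ == "__main__":
    for name, sample in [("as in article", AS_IN_ARTICLE), ("space typo", SPACE_TYPO),
                         ("https mirror", HTTPS_MIRROR)]:
        print(name, "->", audit_daemon_config(sample) or "no findings")
```

An empty list means the file parsed cleanly and every mirror is reached over HTTPS; the plain-HTTP finding is the one to track until the connector is moved to HTTPS.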

After saving the file, restart Docker. If successful, the output of the docker info command includes the following:

Insecure Registries:
 10.0.2.2:8181
 127.0.0.0/8
Registry Mirrors:
 http://10.0.2.2:8181/

That's done!

Now you can get the Docker image from Nexus without having to access the Internet for Docker Client.

docker pull mysql

It will be displayed in Nexus's Docker Group Repository, and you will see the cached blobs, tags, and lists.
