我正在运行单节点群,我正在使用traefik管理所有外部连接,我想运行一个注册表,以便我可以在registry.myhost.com上连接它
现在我可以看到的所有示例都建议将注册表创建为普通容器而不是服务,但是当我这样做时,我无法将其添加到我的traefik网络,从而使其能够在外部找到
我是否需要创建另一个内部网络并将traefik和它连接到它,如果是,那么是什么类型。或者我是否需要将注册表作为服务运行(我只在单个节点上运行,因此卷不是问题)。
对于奖励积分,有人可以给我一些关于如何将s3设置为存储后端的指示吗?
答案 0 :(得分:1)
您有两台机器:
我假设您有两个证书文件:
registry.myhost.com.crt
registry.myhost.com.key
您的服务器设置可能如下所示:
~/certs/registry.myhost.com.crt
~/certs/registry.myhost.com.key
~/docker-compose.yml
~/traefik.toml
docker-compose.yml
version: '3'
services:
frontproxy:
image: traefik
command: --api --docker --docker.swarmmode
ports:
- "80:80"
- "443:443"
volumes:
- ./certs:/etc/ssl:ro
- ./traefik.toml:/etc/traefik/traefik.toml:ro
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
docker-registry:
image: registry:2
deploy:
labels:
- traefik.port=5000 # default port exposed by the registry
- traefik.frontend.rule=Host:registry.myhost.com
- traefik.frontend.auth.basic=user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/ # user:password, see https://docs.traefik.io/configuration/backends/docker/#on-containers
traefik.toml
defaultEntryPoints = ["http", "https"]
# Redirect HTTP to HTTPS and use certificate, see https://docs.traefik.io/configuration/entrypoints/
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/registry.myhost.com.crt"
keyFile = "/etc/ssl/registry.myhost.com.key"
# Docker Swarm Mode Provider, see https://docs.traefik.io/configuration/backends/docker/#docker-swarm-mode
[docker]
endpoint = "tcp://127.0.0.1:2375"
domain = "docker.localhost"
watch = true
swarmMode = true
要部署注册表,请运行:
docker stack deploy myregistry -c ~/docker-compose.yml
如果未在与traefik相同的 docker-compose.yml 中定义您的服务,则可以使用traefik服务的(外部)网络:
version: '3'
services:
whoami:
image: emilevauge/whoami # A container that exposes an API to show its IP address
networks:
- frontproxy_default # add network of traefik service "frontproxy"
- default
deploy:
labels:
traefik.docker.network: frontproxy_default
traefik.frontend.rule: Host:whoami.myhost.com
traefik.frontend.auth.basic: user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/ # user:password, see https://docs.traefik.io/configuration/backends/docker/#on-containers
networks:
frontproxy_default:
external: true # network of traefik service "frontproxy" is defined in another stack
确保将whoami.myhost.com
的证书文件添加到 traefik.toml :
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/registry.myhost.com.crt"
keyFile = "/etc/ssl/registry.myhost.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/whoami.myhost.com.crt"
keyFile = "/etc/ssl/whoami.myhost.com.key"
或使用(单个)通配符证书*.myhost.com
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/myhost.com.crt"
keyFile = "/etc/ssl/myhost.com.key"
有关更多信息,请参见https://docs.traefik.io/configuration/entrypoints/。
将客户端计算机上的registry.myhost.com.crt
复制到Linux上的/etc/docker/certs.d/registry.myhost.com/ca.crt
或
在Mac上为~/.docker/certs.d/registry.myhost.com/ca.crt
。现在您应该可以从客户端登录了:
docker login -u user -p password registry.myhost.com
在您的客户端上运行:
docker pull hello-world:latest
docker tag hello-world:latest registry.myhost.com/hello-world:latest
docker push registry.myhost.com/hello-world:latest
现在您可以在另一台计算机上(例如在服务器上)拉取该映像:
docker pull registry.myhost.com/hello-world:latest
也不要忘记在该客户端计算机上添加registry.myhost.com.crt
。