use (distribution)[https://distribution.github.io/distribution/about/configuration/#proxy] build registry mirror
+-------------------+ +-------------------+ +-------------------+
| Docker Client | | Docker Mirror | | Docker Hub |
| (docker pull) | | (Registry) | | (Upstream) |
+-------------------+ +-------------------+ +-------------------+
| | |
| 1. pull alpine:latest | |
|-------------------------->| |
| | |
| | 2. check local cache |
| |<------------------------->|
| | |
| | 3. cache miss, upstream |
| |-------------------------->|
| | |
| | 4. pull upstream & cache |
| |<------------------------->|
| | |
| 5. return to the client | |
|<--------------------------| |
| | |
| 6. finish image pull | |
| | |
+-------------------+ +-------------------+ +-------------------+
step 1.
use generate-sign.sh generate certs:
$ ./generae-sign.sh mirror.domain.cc 192.168.10.12move generated files to certs folder.
step2. start serivces by docker compose
$ docker compose up -dpls check the output log, make sure 'Registry configured as a proxy cache to xxx' is ready
step 3. (on the machine who will pull images)
3.1 upload crt file,
$ mkdir -p /etc/docker/certs.d/mirror.domain.cc/
# upload mirror.domain.cc.crt to ca.crt3.2 config daemon mirror in /etc/docker/daemon.json
"registry-mirrors":["https://mirror.domain.cc"]
notes:
-
should pull without registry domain
eg: our-private-registry.domain.cc/foo/bar:latest
pull with
docker pull foo/bar:latest, this will passthrough via mirror and cached after pulled from upstream private registry. -
the service only mirror, can not used as a private registry.
other:
- cat generated certs file
$ openssl x509 -text -noout -in ca.crt