Self-hosting a Docker registry mirror
• Why self-host a mirror: as of 2024-07-04, I find that only Huawei Cloud's mirror still works; all the others have stopped working, and Huawei Cloud's probably won't last much longer either
• Cloudflare has also started suspending accounts, so the Cloudflare approach is no longer usable
1. Preparation
1. Get a Linux server outside mainland China (AWS, Azure or Oracle Cloud; the first two have a one-year free tier, Oracle's free tier does not expire)
2. Buy a domain (Alibaba Cloud is cheap at 7 CNY a year; some overseas registrars also offer free domains)
2. Get a TLS certificate (with acme.sh)
# Install acme.sh
curl https://get.acme.sh | sh
# Alias for convenience (the installer also adds this to your shell profile; it takes effect in new shells)
alias acme.sh=~/.acme.sh/acme.sh
# Let acme.sh keep itself up to date
acme.sh --upgrade --auto-upgrade
# The default CA is ZeroSSL, which needs an account registered before it will issue anything; switch the default to Let's Encrypt
acme.sh --set-default-ca --server letsencrypt
3. Get an API key from your DNS provider
• Tencent Cloud (DNSPod) as an example: Account Center > API Keys > DNSPod Token > Create Key
• The DNS validation in step 4 uses the dns_dp plugin, which is DNSPod's; other providers have their own plugin and variable names (Alibaba Cloud DNS is dns_ali with Ali_Key and Ali_Secret)
• This key can change every record in your zone, so keep it only on the server that runs acme.sh and use a key scoped to that one domain if the provider offers it
4. Issue the certificate
export DP_Id="<id>"   # id of the key created in step 3
export DP_Key="<key>" # key value from step 3
# One certificate covering the wildcard and the apex; replace example.com with your own domain
acme.sh --issue --dns dns_dp -d "*.example.com" -d "example.com"
5. Install the certificate
acme.sh --install-cert -d "*.example.com" -d "example.com" \
--cert-file /etc/nginx/cert.pem \
--key-file /etc/nginx/key.pem \
--fullchain-file /etc/nginx/fullchain.pem \
--reloadcmd "systemctl force-reload nginx"
# acme.sh remembers these paths and the reload command and re-runs them after every renewal, so run it as a user that can write to /etc/nginx and reload nginx (in practice root)
6. Install nginx
$ apt install nginx
$ vim /etc/nginx/sites-enabled/default
server {
    listen 443 ssl;
    server_name docker.example.com;
    # The files step 5 wrote with --install-cert
    ssl_certificate /etc/nginx/fullchain.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    ssl_session_timeout 24h;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    # TLS 1.0 and 1.1 are deprecated and no current Docker client needs them; offer 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Send the upstream hostname as SNI in the handshake to registry-1.docker.io
    proxy_ssl_server_name on;
    location / {
        proxy_pass https://registry-1.docker.io;
        proxy_set_header Host registry-1.docker.io;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        # Pass the client's bearer token through untouched so authenticated pulls keep working
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
        # Blob downloads are answered with a 307 to the upstream's blob store; follow it server-side so the client never has to reach that host itself
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 301 302 307 = @handle_redirect;
    }
    location @handle_redirect {
        # proxy_pass with a variable resolves the hostname at request time, which needs a resolver
        resolver 1.1.1.1;
        set $saved_redirect_location '$upstream_http_location';
        proxy_pass $saved_redirect_location;
    }
}
• Run nginx -t before reloading; a typo in this file takes every site on the server down
• This server block answers anyone who learns the hostname, so restrict it (allow/deny, basic auth or a rate limit) or other people will use it as a free mirror and burn the server's bandwidth
• The 401 that Docker Hub returns names auth.docker.io as the token realm, and clients go to that realm directly, not through the mirror; if a pull from the mainland fails at the token step, that is why
7. Mirroring other registries
• Add one server block per registry you want to mirror
• The wildcard certificate from step 5 already covers ghcr.example.com, so the same certificate files are reused; only server_name and the upstream in proxy_pass and Host (https://ghcr.io below) change to the registry you want to mirror
server {
    listen 443 ssl;
    server_name ghcr.example.com;
    # Covered by the wildcard certificate from step 5
    ssl_certificate /etc/nginx/fullchain.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    # Send the upstream hostname as SNI
    proxy_ssl_server_name on;
    ssl_protocols TLSv1.2 TLSv1.3;
    #error_log /home/ubuntuago/proxy_docker.log debug;
    # $blocked_agent is not defined anywhere on this page; nginx -t rejects the config with "unknown variable" until it is defined with a map directive (map $http_user_agent $blocked_agent { ... }) in the http {} context
    if ($blocked_agent) {
        return 403;
    }
    location / {
        proxy_pass https://ghcr.io;
        proxy_set_header Host ghcr.io;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 301 302 307 = @handle_redirect;
        #error_page 429 = @handle_too_many_requests;
    }
    location @handle_redirect {
        resolver 1.1.1.1;
        set $saved_redirect_location '$upstream_http_location';
        proxy_pass $saved_redirect_location;
    }
}
8. Point Docker at the mirror
$ docker pull docker.example.com/library/busybox:latest
# To avoid typing the host every time, register it as a Docker Hub mirror
$ vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://docker.example.com"
  ]
}
# No trailing comma after the array: daemon.json must be strict JSON or dockerd refuses to start
$ systemctl restart docker
# registry-mirrors only applies to Docker Hub; images from ghcr.io and other registries must name the mirror host explicitly (ghcr.example.com/owner/image)
# Confirm the daemon picked it up: docker info --format '{{.RegistryConfig.Mirrors}}'
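Before trusting the mirror, exercise it the way dockerd does: version check, token, manifest, then a blob (which is where the @handle_redirect block earns its keep). The script below is an added example, not code from the original post; docker.example.com is the placeholder host used throughout the post, library/busybox is the image pulled in step 8, and the challenge and manifest strings used to try the helpers are constructed.

```shell
#!/bin/sh
# check_mirror.sh: exercise a self-hosted registry mirror with curl only.
# Added example, not code from the original post; docker.example.com is the
# placeholder mirror host used throughout the post.
set -eu

# One field (realm, service or scope) from a Bearer challenge such as
#   Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
challenge_field() {
  printf '%s\n' "$1" | sed -n -E "s/.*[ ,]$2=\"([^\"]*)\".*/\1/p"
}

# First sha256 digest in a manifest body. For a schema2 image manifest that is
# the config blob, which is enough to test a blob download through the mirror.
first_digest() {
  printf '%s\n' "$1" | grep -o -E '"digest" *: *"sha256:[0-9a-f]{64}"' \
    | head -n 1 | sed -E 's/.*"(sha256:[0-9a-f]{64})"/\1/'
}

# Status code from a curl -D header dump (HTTP/1.1 and HTTP/2 status lines alike)
status_of() {
  printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# check_mirror MIRROR_URL [REPO] [TAG]   (needs network; returns 0 when all four steps pass)
check_mirror() {
  mirror="${1:-https://docker.example.com}"
  repo="${2:-library/busybox}"
  tag="${3:-latest}"
  auth_hdr="User-Agent: check_mirror"   # replaced by the bearer token below when one is needed

  # 1. /v2/ must answer 200 or 401; anything else means proxy_pass or the Host header is wrong.
  hdr=$(curl -sS -D - -o /dev/null "$mirror/v2/")
  echo "GET /v2/ -> $(status_of "$hdr")"
  challenge=$(printf '%s\n' "$hdr" | tr -d '\r' | sed -n -E 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *//p')

  # 2. Docker Hub answers 401 with a challenge naming auth.docker.io as the token realm.
  #    Clients talk to that realm directly, not through the mirror, so a failure here
  #    is something the mirror alone cannot fix.
  if [ -n "$challenge" ]; then
    realm=$(challenge_field "$challenge" realm)
    service=$(challenge_field "$challenge" service)
    token=$(curl -sS "$realm?service=$service&scope=repository:$repo:pull" \
      | sed -E 's/.*"token" *: *"([^"]*)".*/\1/')
    auth_hdr="Authorization: Bearer $token"
  fi

  # 3. Manifest through the mirror. Asking for a schema2 manifest yields a single
  #    image rather than a manifest list, so the first digest is the config blob.
  manifest=$(curl -sS -H "$auth_hdr" \
    -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
    "$mirror/v2/$repo/manifests/$tag")
  digest=$(first_digest "$manifest")
  if [ -z "$digest" ]; then
    echo "no digest in manifest response: $manifest" >&2
    return 1
  fi
  echo "manifest ok, config digest $digest"

  # 4. Blob download. The upstream answers 307 to its blob store; with the
  #    @handle_redirect block working the client sees 200 and no Location.
  #    A 307 here means the redirect leaked and dockerd would have to reach that host itself.
  result=$(curl -sS -H "$auth_hdr" -o /dev/null -w '%{http_code} %{redirect_url}' \
    "$mirror/v2/$repo/blobs/$digest")
  echo "blob -> $result"
  case "$result" in
    200*) return 0 ;;
    *)    return 1 ;;
  esac
}
```

Source the file and run `check_mirror https://docker.example.com library/busybox latest`; for a ghcr.io mirror pass the ghcr hostname and an owner/image repository. A 200 on step 1 with a 401 on step 3 usually means the Authorization header is being dropped; a 307 on step 4 means proxy_intercept_errors or the error_page line is missing.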
9. Using a proxy instead
• If you can pay for one, the simplest option is to give the container engine an outbound proxy directly
• Proxy settings for docker and containerd are below
# docker, method one: daemon.json (Docker Engine 23.0 and later)
$ sudo mkdir -p /etc/docker
$ sudo tee /etc/docker/daemon.json <<-EOF
{
  "proxies": {
    "http-proxy": "http://<proxy-ip>:7890",
    "https-proxy": "http://<proxy-ip>:7890",
    "no-proxy": "*.cn,127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
  }
}
EOF
# tee replaces the whole file, so merge this with any keys already there (registry-mirrors from step 8, for instance) instead of overwriting them
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
# docker, method two: a systemd drop-in, which sets the environment dockerd starts with
$ sudo mkdir -p /etc/systemd/system/docker.service.d
$ sudo tee /etc/systemd/system/docker.service.d/http-proxy.conf <<EOF
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80"
Environment="HTTPS_PROXY=https://proxy.example.com:443"
Environment="NO_PROXY=your-registry.com,10.10.10.10,*.example.com"
EOF
$ sudo systemctl daemon-reload && sudo systemctl restart docker
# containerd: the lines below edit the packaged unit in /lib/systemd/system in place, which the next package upgrade overwrites; the same three Environment lines in /etc/systemd/system/containerd.service.d/http-proxy.conf survive upgrades
$ sudo sed -i '/\[Service\]/a Environment="HTTP_PROXY=http://10.10.50.2:7890"' /lib/systemd/system/containerd.service
$ sudo sed -i '/\[Service\]/a Environment="HTTPS_PROXY=http://10.10.50.2:7890"' /lib/systemd/system/containerd.service
$ sudo sed -i '/\[Service\]/a Environment="NO_PROXY=localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"' /lib/systemd/system/containerd.service
$ sudo systemctl daemon-reload && sudo systemctl restart containerd
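The drop-in form of the docker and containerd proxy settings above, as a small script that writes the file, reads it back and applies it. This is an added example and not code from the original post; 10.10.50.2:7890 is the proxy address the post uses as a placeholder, and the bypass list is the one from the containerd lines above.

```shell
#!/bin/sh
# proxy_dropin.sh: give dockerd or containerd an egress proxy through a systemd
# drop-in instead of editing the packaged unit in /lib/systemd/system, which the
# next package upgrade would overwrite. Added example, not code from the original
# post; 10.10.50.2:7890 is the proxy address the post uses as a placeholder.
set -eu

# Bypass list: loopback, the RFC 1918 ranges and the in-cluster DNS suffixes,
# so node-local and Kubernetes service traffic never goes through the proxy.
DEFAULT_NO_PROXY='localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local'

# write_proxy_dropin UNIT PROXY_URL [NO_PROXY] [SYSTEMD_DIR]
# Writes SYSTEMD_DIR/UNIT.service.d/http-proxy.conf and prints its path.
# SYSTEMD_DIR defaults to /etc/systemd/system; pass a scratch directory to dry-run.
write_proxy_dropin() {
  unit="$1"
  proxy="$2"
  no_proxy="${3:-$DEFAULT_NO_PROXY}"
  dropin_dir="${4:-/etc/systemd/system}/$unit.service.d"
  mkdir -p "$dropin_dir"
  # Quote each assignment whole, the form systemd documents for values with
  # special characters; the same proxy serves HTTP and HTTPS upstreams.
  cat > "$dropin_dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$no_proxy"
EOF
  chmod 0644 "$dropin_dir/http-proxy.conf"
  printf '%s\n' "$dropin_dir/http-proxy.conf"
}

# dropin_value FILE NAME: read one Environment= value back from a drop-in
dropin_value() {
  sed -n -E "s/^Environment=\"$2=([^\"]*)\"\$/\1/p" "$1"
}

# apply_proxy UNIT: make systemd pick the drop-in up, then show what the daemon
# actually got. `systemctl show -p Environment` is the authoritative check; for
# docker, `docker info` also prints the values as HTTP Proxy / HTTPS Proxy / No Proxy.
apply_proxy() {
  systemctl daemon-reload
  systemctl restart "$1"
  systemctl show -p Environment "$1"
}
```

As root: `write_proxy_dropin docker http://10.10.50.2:7890 && apply_proxy docker`, and the same with `containerd`. Configure dockerd's proxy either here or in daemon.json (method one above), not in both places, so there is one source of truth when something stops resolving.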