Docker#
使用#
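# Stop docker. The socket unit is stopped too: with socket activation a
# stopped docker.service is presumably re-started by the next client connect.
sudo systemctl stop docker.socket
## Configure a pull-through mirror for Docker Hub
# NOTE(review): a registry mirror is part of the image supply chain. A by-tag
# pull trusts whatever the mirror resolves the tag to; pin images by digest
# (image@sha256:...) or verify signatures for anything that matters. dockerd
# falls back to Docker Hub itself when the mirror is unreachable.
sudo tee /etc/docker/daemon.json > /dev/null <<'EOF'
{
  "registry-mirrors": ["https://hub.kingye.me"]
}
EOF
# dockerd refuses to start on malformed daemon.json, so check the syntax before
# restarting (python3 is present on stock Ubuntu; no extra package needed).
python3 -m json.tool /etc/docker/daemon.json > /dev/null || echo "daemon.json is not valid JSON; fix it before restarting docker" >&2
sudo systemctl daemon-reload
sudo systemctl restart docker
# Note on the /etc/hosts line that follows: it pins ghcr.io to a fixed IP. The
# client still validates ghcr.io's TLS certificate (unless the registry is
# marked insecure), so a wrong or stale IP fails the pull rather than silently
# serving something else — but the pin needs manual upkeep when the IP changes.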
echo "207.246.111.213 ghcr.io" | sudo tee -a /etc/hosts
安装#
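# Add Docker's official GPG key:
sudo apt update
# gnupg supplies the gpg binary used for the fingerprint check below.
sudo apt install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# HTTPS only proves the key was served by download.docker.com. Before apt
# trusts it for every package from this repo, compare the printed fingerprint
# with the one Docker publishes in its install docs:
#   9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
gpg --show-keys --with-fingerprint /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources. The heredoc is intentionally unquoted so
# the Ubuntu codename is expanded from /etc/os-release on this host.
sudo tee /etc/apt/sources.list.d/docker.sources > /dev/null <<EOF
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
EOF
sudo apt update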
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
安装指定版本 docker#
# Pick an explicit package version instead of whatever "docker-ce" resolves to.
# List the versions the configured repository offers (third column of madison):
apt-cache madison docker-ce | awk '{ print $3 }'
# Example output on jammy:
#   5:20.10.16~3-0~ubuntu-jammy
#   5:20.10.15~3-0~ubuntu-jammy
#   5:20.10.14~3-0~ubuntu-jammy
#   5:20.10.13~3-0~ubuntu-jammy
# Quoted for clarity; the value is reused on the install line that follows.
VERSION_STRING="5:20.10.13~3-0~ubuntu-jammy"
sudo apt-get install docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING containerd.io docker-compose-plugin
设置镜像源#
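# Configure several public pull-through mirrors for Docker Hub. The daemon
# tries them in order and falls back to Docker Hub itself when none answers.
# NOTE(review): every mirror listed here is a third party sitting between this
# host and Docker Hub; a by-tag pull trusts what the mirror resolves the tag to.
# Pin images by digest (image@sha256:...) or verify signatures for anything
# that matters, and drop mirrors you no longer trust.
# "debug": true makes dockerd log verbosely; turn it off once the mirror setup
# is confirmed working.
# Written through sudo so the snippet also works from a non-root shell (the
# original redirect only succeeded as root).
sudo tee /etc/docker/daemon.json > /dev/null <<'EOF'
{
  "experimental": false,
  "debug": true,
  "registry-mirrors": [
    "https://docker.1panel.live",
    "https://hub.rat.dev",
    "https://docker.anyhub.us.kg",
    "https://docker.chenby.cn",
    "https://dockerhub.jobcher.com",
    "https://docker.awsl9527.cn",
    "https://docker.m.daocloud.io"
  ]
}
EOF
# Malformed JSON here keeps dockerd from starting on the next restart.
python3 -m json.tool /etc/docker/daemon.json > /dev/null || echo "daemon.json is not valid JSON; fix it before restarting docker" >&2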
systemctl restart docker
docker compose#
安装#
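# Install the compose CLI plugin for the current user (~/.docker/cli-plugins).
# COMPOSE_VERSION: a release tag such as v2.29.7. Defaults to the floating
# "latest" release, which is convenient but not reproducible.
install_compose_plugin() {
  local version="${COMPOSE_VERSION:-latest}"
  local asset base tmp
  asset="docker-compose-$(uname -s)-$(uname -m)"
  if [ "$version" = latest ]; then
    base="https://github.com/docker/compose/releases/latest/download"
  else
    base="https://github.com/docker/compose/releases/download/${version}"
  fi
  tmp="$(mktemp -d)" || return 1
  # -f: a 404 or rate-limit page must fail the download instead of being saved
  # as the "binary" and marked executable (the original curl -SL lacked -f).
  curl -fsSL "${base}/${asset}" -o "${tmp}/${asset}" || { rm -rf -- "$tmp"; return 1; }
  curl -fsSL "${base}/checksums.txt" -o "${tmp}/checksums.txt" || { rm -rf -- "$tmp"; return 1; }
  # checksums.txt ships with each compose release. It comes from the same origin
  # as the binary, so this catches truncated or mismatched downloads, not a
  # compromised release; --ignore-missing checks only the asset fetched above
  # and fails if that asset is not listed at all.
  if ! (cd "$tmp" && sha256sum --check --ignore-missing checksums.txt); then
    echo "docker-compose checksum verification failed" >&2
    rm -rf -- "$tmp"
    return 1
  fi
  mkdir -p ~/.docker/cli-plugins/
  install -m 0755 "${tmp}/${asset}" ~/.docker/cli-plugins/docker-compose
  rm -rf -- "$tmp"
}
install_compose_plugin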
docker compose version
docker --privileged#
docker run --privileged=true 和 docker run --privileged 是完全等价的
Setting privileged should modify:
- capabilities: removing any capability restrictions
- devices: the host devices will be visible
- seccomp: removing restrictions on allowed syscalls
- apparmor/selinux: policies aren’t applied
- cgroups: resource limits (--memory, --cpus, ...) still apply; what --privileged lifts is the device cgroup restriction — the container can reach all host devices — not the resource cgroups
参考:
- Difference between `--privileged` and `--cap-add=all` in docker
- https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
docker proxy#
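# ubuntu && debian
apt -y install curl
# Intended for hosts with unrestricted internet access (the author's "国外环境").
# NOTE(review): the original piped the "main" branch of a third-party repo
# straight into a root shell. Fetch the installer to disk, read it, then run
# it; pinning the URL to a tag or commit instead of "main" makes the install
# reproducible and reviewable.
installer="$(mktemp)"
curl -fsSL https://raw.githubusercontent.com/dqzboy/Docker-Proxy/main/install/DockerProxy_Install.sh -o "$installer"
"${PAGER:-less}" "$installer"
bash "$installer"
rm -f -- "$installer"
# At the installer's prompt choose "install all registries": the nginx vhosts
# below expect the proxies on 127.0.0.1:51000-59000 and the UIs on 30080/50000.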
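# Issue a wildcard certificate for the proxy hostnames with acme.sh (DNS-01 via
# the Cloudflare plugin). Run this section as root: acme.sh writes into /ssl,
# which is created with sudo below, and its --reloadcmd runs from acme.sh's
# renewal cron job; the original's mix of sudo and non-sudo commands only
# works when the whole section already runs as root.
# dns_cf reads its API credentials from the environment, e.g.
#   export CF_Token="..." CF_Account_ID="..."
# Use a token scoped to DNS:Edit on this zone only; acme.sh persists it in its
# account config under ~/.acme.sh, so that directory must stay private.
# The contact address was an obfuscated placeholder in the original; supply it.
ACME_EMAIL="${ACME_EMAIL:?set ACME_EMAIL to the ACME account contact address}"
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --set-accountemail "$ACME_EMAIL"
~/.acme.sh/acme.sh --issue --dns dns_cf -d "*.kingye.me" -d "kingye.me"
sudo mkdir -p /ssl
~/.acme.sh/acme.sh --install-cert -d "*.kingye.me" \
  --key-file /ssl/wildcard.kingye.me.key \
  --fullchain-file /ssl/wildcard.kingye.me.crt \
  --reloadcmd "systemctl reload nginx"
# Private key readable by root only; the certificate chain is public anyway.
sudo chmod 600 /ssl/wildcard.kingye.me.key
sudo chmod 644 /ssl/wildcard.kingye.me.crt
# Confirm the SAN list covers both the wildcard and the apex name.
openssl x509 -in /ssl/wildcard.kingye.me.crt -noout -ext subjectAltName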
# Shared proxy settings included by every registry vhost, kept in one snippet
# so all server blocks carry identical headers and buffering behaviour.
sudo mkdir -p /etc/nginx/snippets
# client_max_body_size 0 disables the request-body limit (image layers can be
# large); buffering is off so layers stream through instead of being spooled.
# X-Forwarded-Proto is fixed to https because these vhosts only listen on 443.
cat <<'EOF' | sudo tee /etc/nginx/snippets/registry_proxy_common.conf > /dev/null
client_max_body_size 0;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_buffering off;
proxy_request_buffering off;
EOF
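# Publish each local registry proxy (expected on 127.0.0.1:51000-59000) and the
# two UIs as TLS virtual hosts. One generator replaces nine hand-copied server
# blocks, so a policy change (TLS versions, headers) lands in every vhost.
NGINX_CONF=/etc/nginx/conf.d/docker-proxy-registries.conf
# Optional CIDR allowed to reach the management UIs; everyone else gets 403.
# Left empty, the UIs stay reachable from anywhere, as in the original config.
ADMIN_CIDR="${ADMIN_CIDR:-}"

# registry_vhost SUBDOMAIN PORT LABEL: print one server {} block that fronts
# the registry proxy on 127.0.0.1:PORT as SUBDOMAIN.kingye.me.
# ssl_protocols is set explicitly because older nginx builds still enable
# TLSv1/TLSv1.1 by default.
# NOTE(review): these vhosts are open pull-through proxies; anyone who can
# reach them can pull through this host, spending its bandwidth and the
# upstream registries' rate limits. Add allow/deny or auth if that is not
# intended.
registry_vhost() {
  cat <<EOF
# ${3}
server {
    listen 443 ssl http2;
    server_name ${1}.kingye.me;
    ssl_certificate /ssl/wildcard.kingye.me.crt;
    ssl_certificate_key /ssl/wildcard.kingye.me.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    include /etc/nginx/snippets/registry_proxy_common.conf;
    location / {
        proxy_pass http://127.0.0.1:${2};
    }
}
EOF
}

# ui_vhost SUBDOMAIN PORT LABEL: same, for a web UI; honours ADMIN_CIDR.
# NOTE(review): unless the UI enforces its own login, it is exposed to the
# internet with no access control at this layer — set ADMIN_CIDR.
ui_vhost() {
  local acl=""
  if [ -n "$ADMIN_CIDR" ]; then
    printf -v acl '        allow %s;\n        deny all;\n' "$ADMIN_CIDR"
  fi
  # nginx variables are escaped because this heredoc expands shell variables.
  cat <<EOF
# ${3}
server {
    listen 443 ssl http2;
    server_name ${1}.kingye.me;
    ssl_certificate /ssl/wildcard.kingye.me.crt;
    ssl_certificate_key /ssl/wildcard.kingye.me.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
${acl}        proxy_pass http://127.0.0.1:${2};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

{
  registry_vhost hub     51000 "Docker Hub (docker.io)"
  registry_vhost ghcr    52000 "GHCR (ghcr.io)"
  registry_vhost gcr     53000 "GCR (gcr.io)"
  registry_vhost k8sgcr  54000 "k8s.gcr.io (legacy)"
  registry_vhost k8s     55000 "registry.k8s.io"
  registry_vhost quay    56000 "Quay (quay.io)"
  registry_vhost mcr     57000 "MCR (mcr.microsoft.com)"
  registry_vhost elastic 58000 "Elastic (docker.elastic.co)"
  registry_vhost nvcr    59000 "NVCR (nvcr.io)"
  ui_vhost ui    30080 "HubCMD-UI (management UI)"
  ui_vhost regui 50000 "Optional: registry-ui (port 50000)"
} | sudo tee "$NGINX_CONF" > /dev/null
# Validate before applying: a typo would otherwise take down every site on this
# nginx. reload (not restart) keeps in-flight pulls alive.
sudo nginx -t && sudo systemctl reload nginx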