Docker#
使用#
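# Stop Docker's socket unit before reconfiguring; with only the service stopped,
# socket activation could bring the daemon back on the next client connection.
# (sudo added for consistency with the other commands in this block.)
sudo systemctl stop docker.socket
## Configure the daemon: route pulls through the mirror.
sudo tee /etc/docker/daemon.json > /dev/null <<'EOF'
{
"registry-mirrors": ["https://hub.kingye.me"]
}
EOF
# NOTE(review): a mirror sits between this host and the upstream registry, so
# tag-to-digest resolution is trusted to it; pull by digest (image@sha256:...)
# when provenance matters.
# daemon-reload only re-reads systemd unit files; harmless here, not needed for daemon.json.
sudo systemctl daemon-reload
sudo systemctl restart docker
# NOTE(review): the /etc/hosts pin for ghcr.io that follows bypasses DNS; the
# CDN address can change, so remove the entry if pulls start failing (TLS
# validation of the hostname still applies).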
echo "207.246.111.213 ghcr.io" | sudo tee -a /etc/hosts
安装#
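# Add Docker's official GPG key:
sudo apt update
sudo apt install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
# -f: fail on HTTP errors instead of saving an error page as the key file.
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Show the key's fingerprint so it can be compared with the one published in
# Docker's install docs before any package from this repository is trusted.
command -v gpg >/dev/null && gpg --show-keys /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
# The codename is resolved once here; the heredoc below is deliberately
# unquoted so ${codename} expands.
codename="$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")"
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: ${codename}
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
EOF
sudo apt update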
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
安装指定版本 docker#
# Print every docker-ce build the configured apt repository offers; the version
# column is the value to copy into VERSION_STRING below.
apt-cache madison docker-ce | awk '{ print $3 }'
# Sample output (jammy):
# 5:20.10.16~3-0~ubuntu-jammy
# 5:20.10.15~3-0~ubuntu-jammy
# 5:20.10.14~3-0~ubuntu-jammy
# 5:20.10.13~3-0~ubuntu-jammy
# Exact package version to pin; must match one of the strings listed above.
VERSION_STRING="5:20.10.13~3-0~ubuntu-jammy"
sudo apt-get install docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING containerd.io docker-compose-plugin
设置镜像源#
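# Write the daemon config via sudo tee (consistent with the earlier blocks);
# a plain '>' redirect is not elevated by sudo.
sudo tee /etc/docker/daemon.json > /dev/null <<'EOF'
{
"data-root": "/home/docker",
"registry-mirrors": [
"https://hub.kingye.me"
],
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Soft": 1048576,
"Hard": 1048576
}
}
}
EOF
# NOTE(review): changing data-root does not move existing images or containers;
# the previous /var/lib/docker tree is left behind and must be migrated or
# removed by hand.
sudo systemctl restart docker
# containerd keeps its own state directory; edit its config (needs root).
sudo vim /etc/containerd/config.toml
# change the root path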
root = "/home/containerd"
docker compose#
安装#
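# docker compose version
mkdir -p ~/.docker/cli-plugins/
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "binary" (which the chmod below would then make executable);
# --proto '=https' refuses any non-https URL.
curl -fSL --proto '=https' "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o ~/.docker/cli-plugins/docker-compose
# NOTE(review): "latest" is unpinned; for a reproducible install pin a release
# tag and compare the download against the checksum published with that release.
chmod +x ~/.docker/cli-plugins/docker-compose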
docker compose version
docker --privileged#
docker run --privileged=true 和 docker run --privileged 是完全等价的
Setting privileged should modify:
- capabilities: removing any capability restrictions
- devices: the host devices will be visible
- seccomp: removing restrictions on allowed syscalls
- apparmor/selinux: policies aren’t applied
- cgroups: I don’t believe the container is limited within a cgroup
参考:
- Difference between --privileged and --cap-add=all in docker - https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
docker proxy#
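# ubuntu && debian
apt -y install curl
# Run from a network with direct access to GitHub.
# NOTE(review): this pipes a remote script straight into bash as root. Download
# it first, read it, and only then run it (same for get.acme.sh below).
bash -c "$(curl -fsSL https://raw.githubusercontent.com/dqzboy/Docker-Proxy/main/install/DockerProxy_Install.sh)"
# In the installer menu, choose to install all registries.
# Install the ACME client (-f: do not pipe an HTTP error page into sh).
curl -fsSL https://get.acme.sh | sh
# The alias is only for interactive use; aliases do not expand in scripts, so the
# commands below use the full path instead.
alias acme.sh=~/.acme.sh/acme.sh
acme_sh=~/.acme.sh/acme.sh
# Let acme.sh keep itself updated.
"$acme_sh" --upgrade --auto-upgrade
# The default CA is ZeroSSL, which requires account registration before issuing;
# switch to Let's Encrypt.
"$acme_sh" --set-default-ca --server letsencrypt
# Cloudflare API token for DNS-01 validation. Read it from the terminal instead
# of writing it on the command line so it does not end up in shell history or
# in `ps` output of other users.
read -rsp 'CF_Token: ' CF_Token; echo
export CF_Token
export CF_Account_ID=""
"$acme_sh" --set-accountemail "[email protected]"
"$acme_sh" --issue --dns dns_cf -d "*.kingye.me" -d "kingye.me"
sudo mkdir -p /ssl
# NOTE(review): acme.sh runs without sudo here, so this assumes the current shell
# is root; otherwise /ssl must be writable by the acme.sh user first.
"$acme_sh" --install-cert -d "*.kingye.me" \
  --key-file /ssl/wildcard.kingye.me.key \
  --fullchain-file /ssl/wildcard.kingye.me.crt \
  --reloadcmd "systemctl reload nginx"
# Private key readable by root only; the chain is public.
sudo chmod 600 /ssl/wildcard.kingye.me.key
sudo chmod 644 /ssl/wildcard.kingye.me.crt
# Confirm the certificate really carries the wildcard SAN.
openssl x509 -in /ssl/wildcard.kingye.me.crt -noout -text | grep -A1 "Subject Alternative Name"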
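sudo mkdir -p /etc/nginx/snippets
# Shared proxy settings for every registry vhost. client_max_body_size 0 lifts
# nginx's request-body limit so large image layers are not rejected; request
# and response buffering are off so blobs stream through instead of being
# spooled to disk first.
sudo tee /etc/nginx/snippets/registry_proxy_common.conf > /dev/null <<'EOF'
client_max_body_size 0;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_buffering off;
proxy_request_buffering off;
EOF
# One TLS vhost per upstream registry, all terminating on the wildcard cert and
# forwarding to the local registry-proxy ports. Written with sudo tee (like the
# snippet above) because a plain '>' redirect is not elevated by sudo.
# NOTE(review): the ui. and regui. vhosts expose management UIs with no access
# control in this config; restrict them (auth_basic, an allow/deny list, or a
# VPN-only listener) before exposing the host publicly.
sudo tee /etc/nginx/conf.d/docker-proxy-registries.conf > /dev/null <<'EOF'
# Docker Hub (docker.io)
server {
listen 443 ssl http2;
server_name hub.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:51000;
}
}
# GHCR (ghcr.io)
server {
listen 443 ssl http2;
server_name ghcr.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:52000;
}
}
# GCR (gcr.io)
server {
listen 443 ssl http2;
server_name gcr.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:53000;
}
}
# k8s.gcr.io (legacy)
server {
listen 443 ssl http2;
server_name k8sgcr.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:54000;
}
}
# registry.k8s.io
server {
listen 443 ssl http2;
server_name k8s.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:55000;
}
}
# Quay (quay.io)
server {
listen 443 ssl http2;
server_name quay.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:56000;
}
}
# MCR (mcr.microsoft.com)
server {
listen 443 ssl http2;
server_name mcr.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:57000;
}
}
# Elastic (docker.elastic.co)
server {
listen 443 ssl http2;
server_name elastic.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:58000;
}
}
# NVCR (nvcr.io)
server {
listen 443 ssl http2;
server_name nvcr.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
include /etc/nginx/snippets/registry_proxy_common.conf;
location / {
proxy_pass http://127.0.0.1:59000;
}
}
# HubCMD-UI (management UI)
server {
listen 443 ssl http2;
server_name ui.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
location / {
proxy_pass http://127.0.0.1:30080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
# Optional: registry-ui (port 50000)
server {
listen 443 ssl http2;
server_name regui.kingye.me;
ssl_certificate /ssl/wildcard.kingye.me.crt;
ssl_certificate_key /ssl/wildcard.kingye.me.key;
location / {
proxy_pass http://127.0.0.1:50000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
EOF
# Validate the config before restarting; a syntax error would otherwise take
# nginx down instead of leaving the running instance in place.
sudo nginx -t && sudo systemctl restart nginx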
# 1) On the host, set the cache TTL in the proxy config to 1m
#    (rewrites only the value after "ttl:", keeping the line's indentation).
sed -E -i 's#^([[:space:]]*ttl:)[[:space:]]*.*#\1 1m#' /data/registry-proxy/registry-hub.yml
# 2) Confirm the host file was changed
grep -n -- 'ttl:' /data/registry-proxy/registry-hub.yml
# 3) Restart the container so the new config is read
docker restart reg-docker-hub
# 4) Confirm again from inside the container
docker exec -it reg-docker-hub grep -n 'ttl:' /etc/distribution/config.yml
docker exec -it reg-docker-hub sh -c 'ls -l /var/lib/registry && cat /etc/distribution/config.yml'