registry pull-through cache

This acts as a pull-through cache for Docker Hub. After starting up the container, use nginx to reverse proxy the 127.0.0.1:5000 port, and make sure there is SSL on the server block.

Nginx Example

    # Redirect plain HTTP to HTTPS
    server {
        listen 80;
        server_name registry-mirror.nova.moe;
        return 301 https://$host$request_uri;
    }

    # TLS endpoint in front of the registry container on port 5000
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name registry-mirror.nova.moe;

        location / {
            # Pass the original host, client address and scheme to the registry
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://localhost:5000/;
        }

        ssl_certificate /etc/nginx/ssl/xxx.crt;
        ssl_certificate_key /etc/nginx/ssl/xxx.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
        ssl_session_tickets off;
    }

Usage

Temporary Usage

    docker pull registry-mirror.nova.moe/pingcap/tidb:v4.0.5
    docker image tag registry-mirror.nova.moe/pingcap/tidb:v4.0.5 pingcap/tidb:v4.0.5

Persistent Usage

Edit Docker's systemd startup script (use systemctl status docker to locate the .service file; on Ubuntu it's at /usr/lib/systemd/system/docker.service) and add --registry-mirror=https://registry-mirror.nova.moe, as in the example below:

    ...
    [Service]
    Type=notify
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    ExecStart=/usr/bin/dockerd --registry-mirror=https://registry-mirror.nova.moe -H fd:// --containerd=/run/containerd/containerd.sock
    ExecReload=/bin/kill -s HUP $MAINPID
    ...
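
The same persistent setting can be applied without editing the packaged unit file, which a package upgrade may overwrite. This is an added example, not part of the original page: it goes one step beyond the edit above by generating a systemd drop-in from the existing ExecStart line, and it refuses any mirror that is not a plain https://host[:port]. The function name make_mirror_dropin and the sample unit are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a systemd drop-in that adds --registry-mirror to dockerd.

# make_mirror_dropin UNIT_FILE MIRROR_URL  (hypothetical helper name)
# Prints the drop-in on stdout. Exit status 1: mirror rejected,
# 2: no dockerd ExecStart line found in UNIT_FILE.
make_mirror_dropin() (
    unit_file=$1; mirror=$2
    # The mirror ends up on dockerd's command line, so accept only https://
    # followed by host[:port]; no paths, spaces or extra flags.
    case $mirror in
        https://*) host=${mirror#https://}; host=${host%/} ;;
        *) exit 1 ;;
    esac
    case $host in
        ''|*[!A-Za-z0-9.:-]*) exit 1 ;;
    esac
    # Reuse the packaged ExecStart so the other dockerd flags are preserved.
    exec_line=$(grep -m1 -E '^ExecStart=.*dockerd' "$unit_file") || exit 2
    cmd=${exec_line#ExecStart=}
    # Drop any mirror flag already present so repeated runs give the same result.
    cmd=$(printf '%s\n' "$cmd" | sed -E 's/ --registry-mirror=[^ ]+//g')
    bin=${cmd%% *}       # dockerd path
    rest=${cmd#"$bin"}   # remaining flags, with their leading space
    # An empty ExecStart= clears the packaged command before the new one is set.
    printf '[Service]\nExecStart=\nExecStart=%s --registry-mirror=https://%s%s\n' \
        "$bin" "$host" "$rest"
)

# Constructed sample unit with the same ExecStart shape as the example above.
sample_unit=$(mktemp)
cat > "$sample_unit" <<'EOF'
[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
EOF

make_mirror_dropin "$sample_unit" https://registry-mirror.nova.moe
```

Save the output as a .conf file under /etc/systemd/system/docker.service.d/ (the file name is up to you), then run systemctl daemon-reload and restart docker.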