【DevOps】基于Nexus3部署Docker内网私有代理仓库docker proxy

nexus3权限配置

请参照上面的流程图，按照以下步骤进行检查：

1. 确认 Docker Bearer Token Realm 已激活

   • 路径：Nexus 控制台 → Security → Realms
   • 检查：确保 Docker Bearer Token Realm 出现在右侧的 Active 栏中。这是实现Docker仓库认证的关键安全模块，即使勾选了“Allow anonymous docker pull”，如果此项未激活，匿名访问也会失败。

2. 检查匿名用户访问权限

   • 路径：Nexus 控制台 → Security → Anonymous Access
   • 检查：确保选择了 Allow anonymous users to access the server。这样，未登录的客户端才被允许与仓库交互。

3. 特别注意Podman客户端的差异

   • 你已经在使用 --tls-verify=false 来绕过HTTPS验证，这是正确的。因为Nexus仓库默认使用HTTP，而Podman对安全性的要求可能比Docker更严格。

创建docker(proxy)仓库

Name: docker-proxy

Repository Connectors:

​ HTTP: 8090

​ 勾选：Allow anonymous docker pull ( Docker Bearer Token Realm required )

​ 勾选：Allow clients to use the V1 API to interact with this repository

Proxy

​ Remote Storage：https://docker.1ms.run

​ Docker Index: Use proxy registry(specified above)

客户端使用(HTTP协议)

podman客户端

[root@10-2-0-4 ~]# podman pull --tls-verify=false 10.2.0.100:8090/library/nginx:latest
Trying to pull 10.2.0.100:8090/library/nginx:latest...
Getting image source signatures
Copying blob 8da8ed3552af done
Copying blob b459da543435 done
Copying blob 5d8ea9f4c626 done
Copying blob 58d144c4badd done
Copying blob 54e822d8ee0c done
Copying blob 250b90fb2b9a done
Copying blob 8c7716127147 done
Copying config 07ccdb7838 done
Writing manifest to image destination
Storing signatures
07ccdb7838758e758a4d52a9761636c385125a327355c0c94a6acff9babff938

Docker客户端

配置/etc/docker/daemon.json

参考以下registry-mirrors、insecure-registries两项配置。

{"exec-opts": ["native.cgroupdriver=systemd"],"registry-mirrors": ["http://10.2.0.100:8090"],"insecure-registries": ["http://10.2.0.100:8090"],"max-concurrent-downloads": 10,"log-driver": "json-file","log-level": "warn","log-opts": {"max-size": "10m","max-file": "3"},"data-root": "/var/lib/docker"
}

重启

 systemctl restart docker

查看dockerinfo

[root@10-2-0-4 ~]# docker info
Containers: 0Running: 0Paused: 0Stopped: 0
Images: 1
Server Version: 18.09.0
Storage Driver: overlay2Backing Filesystem: extfsSupports d_type: trueNative Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Hugetlb Pagesize: 2MB, 2MB (default is 2MB)
Plugins:Volume: localNetwork: bridge host macvlan null overlayLog: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 871075eb7cc979944ba2d987719cb534bbb87e5c
runc version: N/A
init version: N/A (expected: )
Security Options:seccompProfile: default
Kernel Version: 5.10.0-216.0.0.115.oe2203sp4.x86_64
Operating System: openEuler 22.03 (LTS-SP4)
OSType: linux
Architecture: x86_64
CPUs: 20
Total Memory: 14.8GiB
Name: 10-2-0-4
ID: 4DKE:4SMB:KYOE:DA4F:7QCU:CBK5:FL7D:WJFC:BIIA:EVBG:ZGI2:GQWR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:10.2.0.100:8090127.0.0.0/8
Registry Mirrors:http://10.2.0.100:8090/
Live Restore Enabled: true

拉取镜像

[root@10-2-0-4 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
8c7716127147: Pull complete
250b90fb2b9a: Pull complete
5d8ea9f4c626: Pull complete
58d144c4badd: Pull complete
b459da543435: Pull complete
8da8ed3552af: Pull complete
54e822d8ee0c: Pull complete
Digest: sha256:3b7732505933ca591ce4a6d860cb713ad96a3176b82f7979a8dfa9973486a0d6
Status: Downloaded newer image for nginx:latest