二丫讲梵
2024-10-18

AWS运维部署实践--使用sigma自建镜像仓库代替ECR

This article was published some time ago; its content may be out of date, so read it with discretion.

# Preface

AWS ECR has a couple of limitations for the way I want to use it, so here I set up a self-hosted image registry instead.

Additional note

Briefly, the problems are these. First, the image path supports only a single level: you cannot have a hierarchy such as image.test.com/daily/a or image.test.com/gray/a, where the first level is the environment and the second the application, which makes images easy to tell apart and manage; ECR does not support that. (You could of course encode it in the tag, which does work, but it always feels awkward.) Note that ECR repository names do accept slash-separated namespaces (for example `daily/a`), so check this limitation against your own account before ruling ECR out. Second, in my testing the repository is not created automatically on push; material online says you need a Lambda function to get that behaviour. Not worth the hassle.

For a simple use case Harbor is too heavy, so I chose the lightweight alternative sigma.

# Preparation

Notes:

  • Image: ghcr.io/go-sigma/sigma
  • Listening port: 3000
  • Storage: S3
  • Server: on a tight budget 1 vCPU / 2 GB is enough; if you can afford it, give it 2 vCPU / 4 GB.

First create an S3 bucket and an access key pair for it; I won't go into that here. Scope that key to this one bucket rather than reusing an account-wide key, since it will sit in plaintext in the registry's config file.
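The post does not say which permissions the key needs, so the following is an added example (not from the original post) that generates a least-privilege IAM policy confined to the one bucket the registry uses. The action list is the usual set a registry's S3 storage driver needs and is an assumption about sigma; the bucket and user names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: emit an IAM policy that lets the
# sigma registry use exactly one S3 bucket and nothing else in the account.
# The actions are the usual registry storage-driver set (list, get/put/delete
# objects, multipart uploads); widen it only if sigma logs AccessDenied.
set -eu

# s3_registry_policy BUCKET -> prints the policy JSON on stdout
s3_registry_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                 "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Usage (illustrative names; needs the AWS CLI and IAM rights, not run here):
#   s3_registry_policy aws3-dockerhub > sigma-s3-policy.json
#   aws iam create-user --user-name sigma-registry
#   aws iam put-user-policy --user-name sigma-registry \
#       --policy-name sigma-s3 --policy-document file://sigma-s3-policy.json
#   aws iam create-access-key --user-name sigma-registry   # -> ak/sk for config.yaml
```

The bucket-level and object-level statements are split on purpose: ListBucket must be granted on the bucket ARN itself, while the object actions only make sense on `bucket/*`, and neither statement uses a wildcard resource.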

# Deployment

The configuration directory layout is as follows:

tree
.
├── config
│   └── config.yaml
├── start.sh
└── storage

The configuration file contents:

# this file used as default config in the container.

log:
  level: debug
  proxyLevel: info

database:
  # The database type to use. Supported types are: sqlite3, mysql, postgresql
  type: sqlite3
  sqlite3:
    path: /var/lib/sigma/sigma.db
  mysql:
    host: localhost
    port: 3306
    user: sigma
    password: sigma
    dbname: sigma
  postgresql:
    host: localhost
    port: 5432
    user: sigma
    password: sigma
    dbname: sigma
    sslmode: disable

redis:
  # redis type available: none, external. Following all of redis config just use reference here.
  # none: means never use redis
  # external: means use the specific redis instance
  type: none
  url: redis://:sigma@localhost:6379/0

badger:
  # badger is used to implement lock and cache in a single-node mode.
  enabled: true
  path: /var/lib/sigma/badger/

cache:
  # the cache type available is: redis, inmemory, badger
  # please attention in multi-node mode, you should use redis
  type: badger
  inmemory:
    prefix: sigma-cache
    size: 10240
  redis:
    prefix: sigma-cache
    ttl: 72h
  badger:
    prefix: sigma-cache
    ttl: 72h

workqueue:
  # the workqueue type available: redis, kafka, database, inmemory
  type: inmemory
  redis:
    concurrency: 10
  kafka: {}
  database: {}
  inmemory:
    concurrency: 1024

locker:
  # the locker type available: redis, badger
  type: badger
  badger:
    prefix: sigma-locker
  redis:
    prefix: sigma-locker

namespace:
  # push image to registry, if namespace not exist, it will be created automatically
  autoCreate: false
  # the automatic created namespace visibility, available: public, private
  visibility: public

http:
  # endpoint can be a domain or domain with port, eg: http://sigma.test.io, https://sigma.test.io:30080, http://127.0.0.1:3000
  # this endpoint will be used to generate the token service url in auth middleware,
  # you can leave it blank and it will use http://127.0.0.1:3000 as internal domain by default,
  # because the front page need show this endpoint.
  endpoint: https://hub.eryajf.net
  # in some cases, daemon may pull image and scan it, but we don't want to pull image from public registry domain,
  # so use this internal domain to pull image from registry.
  # you can leave it blank and it will use http://127.0.0.1:3000 as internal domain by default.
  # in k8s cluster, it will be set to the distribution service which is used to pull image from registry, eg: http://registry.default.svc.cluster.local:3000
  # in docker-compose, it will be set to the registry service which is used to pull image from registry, eg: http://registry:3000
  # if http.tls.enabled is true, internalEndpoint should start with https://
  # eg: http://sigma.test.io, http://sigma.test.io:3000, https://sigma.test.io:30080
  internalEndpoint:
  # eg: http://sigma-distribution:3000
  internalDistributionEndpoint:
  tls:
    enabled: true
    # certificate and key point to the same file here: that only works if the PEM
    # bundle also contains the private key; keep that file mode 0600 on the host.
    certificate: /etc/sigma/eryajf.net_bundle.pem
    key: /etc/sigma/eryajf.net_bundle.pem

storage:
  rootdirectory: ./storage
  redirect: true
  type: s3
  filesystem:
    path: /var/lib/sigma/
  s3:
    # use an access key scoped to this one bucket, not an account-wide key
    ak: xxxxx
    sk: xxxxxxxxx
    endpoint: https://s3.ap-southeast-1.amazonaws.com
    region: ap-southeast-1
    bucket: aws3-dockerhub
    forcePathStyle: true
  cos:
    ak: sigma
    sk: sigma-sigma
    endpoint: https://hack-1251887554.cos.na-toronto.myqcloud.com
  oss:
    ak: sigma
    sk: sigma-sigma
    endpoint: http://127.0.0.1:9000
    forcePathStyle: true

# Notice: the tag never update after the first pulled from remote registry, unless you delete the image and pull again.
proxy:
  enabled: false
  endpoint: https://registry-1.docker.io
  tlsVerify: true
  username: ""
  password: ""

# daemon task config
daemon:
  builder:
    enabled: false
    image: sigma-builder:latest
    type: docker
    docker:
      sock:
      network: sigma
    kubernetes:
      kubeconfig:
      namespace: default
    podman:
      uri: unix:///run/podman/podman.sock

auth:
  anonymous:
    # anonymous access is disabled if auth.anonymous.enabled is set to false;
    # while it is enabled, anyone who can reach port 443 can pull public images
    enabled: true
  admin:
    username: sigma
    # sample default; change it right after the first login
    password: Admin@123
  token:
    realm: ""
    service: ""
  jwt:
    ttl: 6h
    refreshTtl: 72h
    # generate the key with: openssl genrsa 4096 | base64
    privateKey: "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"
  oauth2:
    github:
      # github login is disabled if auth.oauth2.github.enabled is set to false
      enabled: false
      # sample values; replace with your own OAuth app's credentials and never commit real ones
      clientId: "e5f9fa9e372dfac66aed"
      clientSecret: "49ab83f4d0665f8579516f7a3f2f753a6a57189b"

The start script:

$ cat start.sh
# The Docker socket is only needed when daemon.builder is enabled with type docker;
# it gives the container root-equivalent control of the host, so drop the mount otherwise.
# The image tag is unpinned (latest); pin a release tag or digest for reproducible upgrades.
docker run -itd --name sigma -v /data/sigma/config:/etc/sigma \
  -v /data/sigma/storage:/var/lib/sigma \
  -v /var/run/docker.sock:/var/run/docker.sock -p 443:3000 \
  ghcr.io/go-sigma/sigma

Once it is up, point hub.eryajf.net at this server (the container publishes port 443) and open it in a browser.

The default username and password are sigma / Admin@123; change the password immediately, before anything else is pointed at the registry.
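As an added example that is not part of the original post or of sigma itself: a small POSIX shell audit of the settings in config.yaml above that matter once the registry is exposed on port 443, plus a generator for the docker run command that mounts the Docker socket only when daemon.builder actually needs it. yaml_get is a hypothetical helper that handles only sigma's two-space-indented `key: value` layout, and the two embedded configs are constructed samples (the first mirrors the post's settings, the second a hardened variant).

```shell
#!/bin/sh
# Added example, not from the original post or from sigma: audit the settings in
# config.yaml that matter once the registry is exposed, and derive the docker run
# command so the Docker socket is mounted only when the builder actually needs it.
set -eu

# yaml_get FILE DOTTED.PATH -> prints the scalar at that path, "" if absent.
# Hypothetical helper: handles only sigma's 2-space-indented "key: value" layout.
yaml_get() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      match($0, /^ */); depth = int(RLENGTH / 2)
      line = substr($0, RLENGTH + 1)
      sub(/[ \t]+#.*$/, "", line)                   # drop trailing comments
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/^"/, "", val); sub(/"$/, "", val)        # strip surrounding quotes
      path[depth] = key
      full = path[0]; for (i = 1; i <= depth; i++) full = full "." path[i]
      if (full == want) { print val; exit }
    }' "$1"
}

# audit_sigma_config FILE -> one WARN line per risky setting; always returns 0
audit_sigma_config() {
  f="$1"
  [ "$(yaml_get "$f" auth.anonymous.enabled)" = "true" ] &&
    echo "WARN auth.anonymous.enabled=true: anyone reaching the port can pull public images"
  [ "$(yaml_get "$f" auth.admin.password)" = "Admin@123" ] &&
    echo "WARN auth.admin.password is the sample default: change it before exposing port 443"
  [ "$(yaml_get "$f" http.tls.enabled)" = "true" ] ||
    echo "WARN http.tls.enabled=false: docker login would send credentials in clear text"
  [ "$(yaml_get "$f" http.tls.key)" != "$(yaml_get "$f" http.tls.certificate)" ] ||
    echo "WARN http.tls.key equals http.tls.certificate: confirm the bundle holds the private key and is mode 0600"
  [ "$(yaml_get "$f" namespace.autoCreate)" = "true" ] &&
    [ "$(yaml_get "$f" namespace.visibility)" = "public" ] &&
    echo "WARN namespaces auto-created on push are public: a mistyped image name publishes it"
  return 0
}

# sigma_run_cmd FILE -> docker run line; /var/run/docker.sock (root-equivalent on
# the host) is only mounted when daemon.builder is enabled with type docker.
sigma_run_cmd() {
  f="$1"; sock=""
  if [ "$(yaml_get "$f" daemon.builder.enabled)" = "true" ] &&
     [ "$(yaml_get "$f" daemon.builder.type)" = "docker" ]; then
    sock="-v /var/run/docker.sock:/var/run/docker.sock "
  fi
  printf 'docker run -d --restart unless-stopped --name sigma -v /data/sigma/config:/etc/sigma -v /data/sigma/storage:/var/lib/sigma %s-p 443:3000 ghcr.io/go-sigma/sigma\n' "$sock"
}

# Constructed samples: WEAK mirrors the post's settings, SAFE is a hardened variant.
WEAK=$(mktemp); SAFE=$(mktemp)
cat >"$WEAK" <<'EOF'
namespace:
  autoCreate: false
  visibility: public
http:
  endpoint: https://hub.eryajf.net
  tls:
    enabled: true
    certificate: /etc/sigma/eryajf.net_bundle.pem
    key: /etc/sigma/eryajf.net_bundle.pem
auth:
  anonymous:
    # anonymous will disabled if auth.anonymous.enabled set false
    enabled: true
  admin:
    username: sigma
    password: Admin@123
EOF
cat >"$SAFE" <<'EOF'
namespace:
  autoCreate: false
  visibility: private
http:
  tls:
    enabled: true
    certificate: /etc/sigma/eryajf.net_bundle.pem
    key: /etc/sigma/eryajf.net.key
daemon:
  builder:
    enabled: false
    type: docker
auth:
  anonymous:
    enabled: false
  admin:
    username: sigma
    password: "use-a-long-random-secret"
EOF

audit_sigma_config "$WEAK"   # three WARN lines for the post's settings
audit_sigma_config "$SAFE"   # no output
sigma_run_cmd "$SAFE"        # no docker.sock mount, since the builder is off
```

Run it against the real /data/sigma/config/config.yaml before exposing the host; the checks are deliberately conservative (the key/certificate check fires whenever both paths are identical, which is fine with a combined PEM but deserves a look), and the generated run line drops `-it` and adds a restart policy, which is what a long-running service on a single box usually wants.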

# Verification

$ docker pull redis:7
$ docker tag redis:7 hub.eryajf.net/library/redis:7
$ docker login hub.eryajf.net -u sigma
$ docker push hub.eryajf.net/library/redis:7

After the push succeeds, look in the S3 bucket: the image data has been stored there.

This component is lightweight and does the job; it has been running stably in my production environment for half a year now. Very good, and worth recommending.

Last updated: 2024/10/19, 10:36:50