@zhsj 存在用户上传的数据，感觉有些安全风险
link. ustclug/discussions#53

可考虑只读，能pull image即可

@gaoyifan 这可以用docker registry（现在镜像docker hub那个）来镜像吗？

@zhsj 估计不行，gcr.io是私有镜像
应该是Google自己造了一种格式。原先是兼容docker的，然而后来全换成了私有格式。

@gaoyifan 应该可以，docker可以直接pull gcr 上的 image。当然只要网络允许。

@NickCao 我搭建了一个测试站，试试能用吗？ http://gcr.rrr.rs/

@gaoyifan
Error response from daemon: Get https://gcr.rrr.rs/v1/_ping: x509: certificate is valid for any.ustclug.org, ustclug.org, *.ustclug.org, not gcr.rrr.rs

@NickCao 唔.... docker默认用https访问啊....
试试这个：gcr-test.ustclug.org

@gaoyifan 似乎可用了

Accepted.
Try gcr.mirrors.ustc.edu.cn like

docker pull gcr.mirrors.ustc.edu.cn/google_containers/echoserver:1.4

Same mirror method like docker hub :)

@zhsj How about providing a url of sub-directory style, i.e. mirrors.ustc.edu.cn/gcr/... ?

@knight42 docker doesn't support. Maybe I configure wrong..

@knight42
You can never use docker pull mirrors.ustc.edu.cn/gcr/google_containers/echoserver as @zhsj said before.
Subpath is only supported by --registry-mirror flag at this time.

got it.

BTW, it occurs to me that we already have a reverse proxy server: proxy.ustclug.org.
Could we just rewrite the url? e.g.
rewrite /gcr(/.*) $scheme://gcr.proxy.ustclug.org$1 permanent;

@knight42 docker registry is more than a reverse proxy though

@wkjun 似乎不是公开镜像？

$ docker pull gcr.io/google_containers/kubernetes-dashboard-amd64:1.7.1                                                   
Pulling repository gcr.io/google_containers/kubernetes-dashboard-amd64
unauthorized: authentication required

sorry , tag 缺少了个v docker pull gcr.mirrors.ustc.edu.cn/google_containers/kubernetes-dashboard-amd64:v1.7.1
现在正常，O(∩_∩)O谢谢：

docker pull gcr.mirrors.ustc.edu.cn/google_containers/kubernetes-dashboard-amd64:v1.7.1
v1.7.1: Pulling from google_containers/kubernetes-dashboard-amd64
fb18e0636263: Downloading [=========================>                         ]  20.91MB/41.71MB

经测试，docker 的 registry 工具可以镜像gcr.
registry proxy配置段

proxy:
  #remoteurl: https://registry-1.docker.io
  remoteurl: https://gcr.io

测试结果如下: (这是自己的vps，带宽有限，请大家测试的时候悠着点流量)

$ sudo docker pull registry.u17.io/google_containers/kubernetes-dashboard-amd64:v1.7.1
v1.7.1: Pulling from google_containers/kubernetes-dashboard-amd64
fb18e0636263: Pull complete 
Digest: sha256:327cfef378e88ffbc327f98dd24adacf6c9363c042db78e922d050f2bdcf6f78
Status: Downloaded newer image for registry.u17.io/google_containers/kubernetes-dashboard-amd64:v1.7.1
$ sudo docker pull registry.u17.io/google_containers/kubedns-amd64:1.9
1.9: Pulling from google_containers/kubedns-amd64
8ddc19f16526: Pull complete 
a3ed95caeb02: Pull complete 
acc68ed00435: Pull complete 
Digest: sha256:3d3d67f519300af646e00adcf860b2f380d35ed4364e550d74002dadace20ead
Status: Downloaded newer image for registry.u17.io/google_containers/kubedns-amd64:1.9

@gaoyifan , can I use gcr.mirrors.ustc.edu.cn as a simple registry mirror, set "registry-mirrors": ["https://gcr.mirrors.ustc.edu.cn"] in deamon.json ?

It looks it doesn't work this way.

@gaoyifan Can add k8s.gcr.io mirror?

@khs1994 k8s.gcr.io -> gcr.io/google_containers

some mirror seems not working:

~ % docker pull gcr.mirrors.ustc.edu.cn/kaniko-project/executor
Using default tag: latest
Error response from daemon: Get https://gcr.mirrors.ustc.edu.cn/v2/: net/http: TLS handshake timeout
 ~ % curl https://gcr.mirrors.ustc.edu.cn/v2/
{}% 

curl works means the network is not the problem

docker pull gcr.mirrors.ustc.edu.cn/kubernetes-helm/tiller:v2.9.1

Error response from daemon: received unexpected HTTP status: 504 Gateway Time-out

is gcr.mirrors.ustc.edu.cn still usable?

docker pull gcr.mirrors.ustc.edu.cn/kubernetes-helm/tiller:v2.16.8
Trying to pull repository gcr.mirrors.ustc.edu.cn/kubernetes-helm/tiller ...
received unexpected HTTP status: 504 Gateway Time-out

gcr.mirrors.ustc.edu.cn 返回403

gcr.mirrors.ustc.edu.cn 返回403

见 https://mirrors.ustc.edu.cn/help/dockerhub.html。我们正在考虑使用 #276 中的方案构建 registry，但是在此之前科大校外用户需要考虑使用其他替代方案（例如阿里云提供的公开镜像服务）。