Docker Private Registries
Posted by 礁之
1. Setting up a Registry with Docker
- Docker itself publishes an image called registry for running a private registry. Pull the image, run the container and publish port 5000, and the registry is ready to use.
- Steps:
[root@docker ~]# docker pull registry:2 #pull the image
2: Pulling from library/registry
ddad3d7c1e96: Pull complete
6eda6749503f: Pull complete
363ab70c2143: Pull complete
5b94580856e6: Pull complete
12008541203a: Pull complete
Digest: sha256:aba2bfe9f0cff1ac0618ec4a54bfefb2e685bbac67c8ebaf3b6405929b3e616f
Status: Downloaded newer image for registry:2
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4cdc5dd7eaad 2 weeks ago 133MB
registry 2 1fd8e1b0bb7e 3 months ago 26.2MB
[root@docker ~]# docker run -d -v /opt/registry:/var/lib/registry -p 5000:5000 --name myregistry registry:2
731047396a0a9f7fa6896f770a1e86a72f8183ab273842107eed8b46742226fb #create the container, bind-mount the storage directory and publish the port
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
731047396a0a registry:2 "/entrypoint.sh /etc…" 8 seconds ago Up 8 seconds 0.0.0.0:5000->5000/tcp myregistry
#By default the Registry service stores uploaded images under /var/lib/registry inside the container; bind-mounting the host's /opt/registry onto that path keeps the images in /opt/registry on the host. Note that -p 5000:5000 publishes the port on every interface and registry:2 ships with no authentication and no TLS, so anyone who can reach port 5000 can push and pull; bind it to 127.0.0.1:5000:5000 or put it behind an authenticating TLS proxy before exposing it beyond a lab.
Open http://192.168.100.202:5000/v2/ in a browser; an HTTP 200 response with an empty JSON object ({}) means the registry is running.
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4cdc5dd7eaad 2 weeks ago 133MB
registry 2 1fd8e1b0bb7e 3 months ago 26.2MB
[root@docker ~]# docker tag registry:2 localhost:5000/cangku:lastest #the image must first be retagged as registry-host:port/name:tag (the tag here is misspelled "lastest"; the registry accepts any tag string, so the transcript uses it as typed)
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4cdc5dd7eaad 2 weeks ago 133MB
registry 2 1fd8e1b0bb7e 3 months ago 26.2MB
localhost:5000/cangku lastest 1fd8e1b0bb7e 3 months ago 26.2MB
[root@docker ~]# docker push localhost:5000/cangku:lastest
The push refers to repository [localhost:5000/cangku]
7b9a3910f3c3: Pushed
3764c3e89288: Pushed
b4592cba0628: Pushed
de9819405bcf: Pushed
9a5d14f9f550: Pushed
lastest: digest: sha256:42043edfae481178f07aa077fa872fcc242e276d302f4ac2026d9d2eb65b955f size: 1363
[root@docker ~]# docker tag nginx:latest localhost:5000/nginx:latest #push the nginx image the same way
[root@docker ~]# docker push localhost:5000/nginx:latest
The push refers to repository [localhost:5000/nginx]
9d1af766c818: Pushed
d97733c0a3b6: Pushed
c553c6ba5f13: Pushed
48b4a40de359: Pushed
ace9ed9bcfaf: Pushed
764055ebc9a7: Pushed
latest: digest: sha256:1c70a669bbf07f9862f269162d776c35144b116938d1becb4e4676270cff8f75 size: 1570
#Browse to http://192.168.100.202:5000/v2/_catalog and the new repositories are listed
#Pull the images from the registry on a second Docker host
#Install and start Docker (omitted)
[root@Centos7 ~]# hostnamectl set-hostname test
[root@Centos7 ~]# su
[root@test ~]# docker images #there are no local images yet
REPOSITORY TAG IMAGE ID CREATED SIZE
#The daemon.json on both Docker hosts must be changed
[root@test ~]# vim /etc/docker/daemon.json #the Docker daemon refuses plain HTTP (and untrusted certificates) for any registry other than localhost, so the registry must be listed under insecure-registries
{
  "registry-mirrors": ["https://w4uieobw.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.100.202:5000"]
}
#Note the comma separating the two keys. insecure-registries takes the registry server's IP and port. Listing a host here makes the daemon accept plain HTTP and skip certificate verification for that host, so keep the entry to the exact host:port (never a whole subnet) and remove it once the registry has a certificate you trust.
#Save and exit
[root@Centos7 ~]# systemctl restart docker
#Push an image from the test host
[root@test ~]# ll
total 138524
-rw-------. 1 root root 1264 Jan 12 2021 anaconda-ks.cfg
drwxr-xr-x 3 root root 4096 Jul 28 21:47 docker
-rw-r--r-- 1 root root 141838848 Jul 28 21:47 httpd
[root@test ~]# docker load -i httpd
764055ebc9a7: Loading layer [==================================================>] 72.53MB/72.53MB
9fbbeddcc4e4: Loading layer [==================================================>] 3.072kB/3.072kB
61172cb5065c: Loading layer [==================================================>] 7.483MB/7.483MB
9262f7dd1498: Loading layer [==================================================>] 61.79MB/61.79MB
239871c4cac5: Loading layer [==================================================>] 3.584kB/3.584kB
Loaded image: httpd:latest
[root@test ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest bd29370f84ea 2 weeks ago 138MB
[root@test ~]# docker tag httpd:latest 192.168.100.202:5000/httpd:latest
[root@test ~]# docker push 192.168.100.202:5000/httpd:latest #retag with the registry address and push, as before
The push refers to repository [192.168.100.202:5000/httpd]
239871c4cac5: Pushed
9262f7dd1498: Pushed
61172cb5065c: Pushed
9fbbeddcc4e4: Pushed
764055ebc9a7: Pushed
latest: digest: sha256:51dabee6ad1cca2ae3a80e974224f30e7121dab1da9edf62e11179f8c652b09e size: 1366
Pushed to the registry successfully!
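The browser checks above (/v2/ and /v2/_catalog) are the Registry HTTP API v2 that registry:2 exposes. The following script is an added example, not part of the original article and not code shipped with registry:2: it queries the same API from the shell and, more usefully, confirms that the digest `docker push` printed is the digest the registry now serves, which gives you an immutable host/repo@sha256:... reference to pin instead of a mutable tag. The registry URL argument, the use of curl, and the helper names (image_ref_parts, push_digest_from_output, verify_pushed_image) are this example's own assumptions; it assumes the unauthenticated registry:2 set up above.

```sh
#!/bin/sh
# Added example, not part of the original article: check a registry:2 instance
# through the Registry HTTP API v2 and confirm that the digest `docker push`
# printed is what the registry serves. Assumptions (not in the original): the
# registry URL is passed in (e.g. http://192.168.100.202:5000), curl is
# installed on the client, and no auth is configured (plain registry:2).
set -eu

# Split an image reference into "host repo tag". A first path component that
# contains '.' or ':' or equals "localhost" is a registry host (the rule Docker
# itself applies); otherwise the reference belongs to docker.io.
image_ref_parts() {
    ref="$1"
    case "$ref" in
        */*)
            first="${ref%%/*}"
            case "$first" in
                *.*|*:*|localhost) host="$first"; rest="${ref#*/}" ;;
                *) host="docker.io"; rest="$ref" ;;
            esac ;;
        *)  host="docker.io"; rest="$ref" ;;
    esac
    case "$rest" in
        *:*) repo="${rest%:*}"; tag="${rest##*:}" ;;
        *)   repo="$rest";      tag="latest" ;;
    esac
    printf '%s %s %s\n' "$host" "$repo" "$tag"
}

# Extract the manifest digest from the last line of `docker push` output,
# e.g. "latest: digest: sha256:51da... size: 1366".
push_digest_from_output() {
    sed -n 's/^.*: digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9]*$/\1/p' | head -n 1
}

# GET /v2/_catalog and /v2/<repo>/tags/list: the JSON the browser shows, from the shell.
registry_catalog() { curl -sSf "$1/v2/_catalog"; }
registry_tags()    { curl -sSf "$1/v2/$2/tags/list"; }

# Ask for the schema-2 manifest and read the Docker-Content-Digest header.
# Without the Accept header an older registry may serve a schema-1 manifest,
# whose digest differs from the one printed by `docker push`.
registry_manifest_digest() {
    curl -sSf -o /dev/null -D - \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "$1/v2/$2/manifests/$3" \
    | tr -d '\r' | awk 'tolower($1) == "docker-content-digest:" { print $2 }'
}

# Compare the digest from the push transcript with what the registry serves.
# Prints the immutable reference to pin (host/repo@sha256:...) on success.
verify_pushed_image() {
    url="$1"; ref="$2"; expected="$3"
    set -- $(image_ref_parts "$ref")
    host="$1"; repo="$2"; tag="$3"
    served=$(registry_manifest_digest "$url" "$repo" "$tag")
    if [ "$served" != "$expected" ]; then
        echo "digest mismatch for $ref: pushed $expected, registry serves $served" >&2
        return 1
    fi
    printf '%s/%s@%s\n' "$host" "$repo" "$served"
}

# Usage against the registry started in this article:
#   registry_catalog http://192.168.100.202:5000
#   registry_tags    http://192.168.100.202:5000 httpd
#   docker push 192.168.100.202:5000/httpd:latest | push_digest_from_output
#   verify_pushed_image http://192.168.100.202:5000 192.168.100.202:5000/httpd:latest \
#       sha256:51dabee6ad1cca2ae3a80e974224f30e7121dab1da9edf62e11179f8c652b09e
```

The reference that verify_pushed_image prints can be used directly with docker pull; a pull by digest fails if anyone re-tags or replaces the image behind the tag, which a pull by tag would silently accept.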
2. Setting up Harbor with Docker
(1) Harbor in brief
- Harbor is an open-source project from VMware: https://github.com/vmware/harbor (the project now lives under the CNCF at https://github.com/goharbor/harbor)
- Harbor lets users stand up an enterprise-grade registry service quickly. It provides a management web UI, role-based access control, remote image replication, AD/LDAP integration and audit logging, the features enterprise users need, and it ships with native Chinese localisation. Since its release the project has gained over 3300 stars and 900 forks on GitHub.
- Harbor's strengths
- Role-based access control
Users and image repositories are organised by "project": one user can hold different permissions on several repositories within the same namespace (project)
- Graphical user interface
Users can browse and search the registry and manage projects and namespaces from a browser
- Audit management
Every operation against the registry is recorded and can be traced back, which supports audit management
- Internationalisation
Localised in English and Chinese, with more languages possible
- RESTful API:
Gives administrators more control over Harbor and makes integration with other management software easier.
- Image replication
Policy-based replication of Docker images between data centres and between environments, with a friendly management UI, which greatly simplifies image management in real operations.
- Vulnerability scanning
An integrated scanner adds vulnerability scanning of stored images. The original integration was Clair, CoreOS's open-source container vulnerability scanner, one of the few open-source scanners at the time; Harbor 2.2 removed the built-in Clair scanner, and Harbor 2.x (including the v2.3.1 installed below) ships Trivy instead, which is why goharbor/trivy-adapter-photon appears in the image list later in this article.
- Notary signing
Notary signs Docker images so that their integrity can be verified on push, on pull and in transit, which stops tampered images and unauthorised image updates from being accepted and run. Signing complements TLS: TLS protects the connection, while a signature lets the client check the content regardless of where it came from.
(2) Setting up Harbor
- Installing Harbor
******(1) Install and start Docker (omitted)
#It is best to change the configuration file on both Docker hosts up front
[root@Centos7 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://w4uieobw.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.100.202"]
}
#insecure-registries: the registry address; an entry with no port matches the default port (80 for HTTP). For the HTTPS setup later in this article the clients must use the hostname (www.rzy.com) rather than the IP, and once the CA certificate is installed under /etc/docker/certs.d/ the insecure-registries entry is no longer needed and should be dropped.
#Save and exit
[root@Centos7 harbor]# systemctl restart docker
******(2) Upload the Harbor tarball, unpack and install it
[root@Centos7 ~]# ll
total 775232
-rw-------. 1 root root 1264 Jan 12 2021 anaconda-ks.cfg
drwxr-xr-x 3 root root 4096 Jul 28 21:46 docker
-rw-r--r-- 1 root root 629571428 Jul 29 02:50 harbor-offline-installer-v2.3.1.tgz
-rw-r--r-- 1 root root 137441280 Jul 28 21:47 nginx
-rw-r--r-- 1 root root 26815488 Jul 28 21:46 registry
[root@Centos7 ~]# tar xf harbor-offline-installer-v2.3.1.tgz -C /usr/local/
******(3) Upload docker-compose; Harbor's install.sh script needs the compose command
[root@Centos7 ~]# cd /usr/bin/
[root@Centos7 bin]# ll | grep docker-compose
-rw-r--r-- 1 root root 11748168 Jul 29 02:54 docker-compose
[root@Centos7 bin]# chmod a+x docker-compose
#Both the installer tarball and the docker-compose binary run as root; verify each against the checksum or signature published with its release before unpacking or marking it executable.
#Like the plain registry, Harbor distinguishes HTTP from HTTPS for pushes and pulls
- Setting up Harbor over HTTP
******(1) Edit the configuration file
[root@Centos7 ~]# vim /usr/local/harbor/harbor.yml.tmpl #the author edits the template and then copies it to harbor.yml; it is cleaner to copy harbor.yml.tmpl to harbor.yml first and edit the copy, since install.sh and prepare read harbor.yml and the template then stays untouched
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.100.202 #set the host address

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80 #port 80, so the browser reaches Harbor on port 80

# https related config
#https: #comment out the whole https block
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

...... (rest unchanged)
#Save and exit
[root@Centos7 harbor]# ./prepare #after the first install, run this from /usr/local/harbor whenever harbor.yml changes, then restart Harbor (docker-compose down, then docker-compose up -d) so the regenerated config is picked up
******(2) Start Harbor
[root@Centos7 bin]# cd /usr/local/harbor/
[root@Centos7 harbor]# cp harbor.yml.tmpl harbor.yml
[root@Centos7 harbor]# sh install.sh
#Use /usr/local/harbor/install.sh for the first install; afterwards start Harbor with "docker-compose up -d" and stop it with "docker-compose stop", both run from /usr/local/harbor
[root@Centos7 harbor]# echo $?
0
[root@Centos7 harbor]# ps aux | grep docker-compose #this does not show whether Harbor is running: docker-compose exits once the containers are up, so the only match is the grep itself; use docker-compose ps or docker ps (below) instead
root 17466 0.0 0.0 112676 988 pts/0 R+ 02:59 0:00 grep --color=auto docker-compose
[root@Centos7 harbor]# docker images #many images were loaded automatically from the offline installer
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.3.1 719fd825651e 9 days ago 81MB
goharbor/chartmuseum-photon v2.3.1 3aba4510af16 9 days ago 178MB
goharbor/redis-photon v2.3.1 4a0d49a4ece0 9 days ago 191MB
goharbor/trivy-adapter-photon v2.3.1 a285847f857a 9 days ago 164MB
goharbor/notary-server-photon v2.3.1 87a2dbfd122e 9 days ago 110MB
goharbor/notary-signer-photon v2.3.1 7e29ff33ec85 9 days ago 107MB
goharbor/harbor-registryctl v2.3.1 91e798004920 9 days ago 132MB
goharbor/registry-photon v2.3.1 972ce19b1882 9 days ago 81.2MB
goharbor/nginx-photon v2.3.1 3b3ede1db494 9 days ago 44.3MB
goharbor/harbor-log v2.3.1 40a54594fe22 9 days ago 194MB
goharbor/harbor-jobservice v2.3.1 d6e174ae0a00 9 days ago 171MB
goharbor/harbor-core v2.3.1 f05acc3947d6 9 days ago 158MB
goharbor/harbor-portal v2.3.1 4a15c5622fda 9 days ago 57.6MB
goharbor/harbor-db v2.3.1 b16a9c81ef03 9 days ago 263MB
goharbor/prepare v2.3.1 4ce629d59c20 9 days ago 288MB
nginx latest 4cdc5dd7eaad 3 weeks ago 133MB
localhost:5000/nginx latest 4cdc5dd7eaad 3 weeks ago 133MB
registry 2 1fd8e1b0bb7e 3 months ago 26.2MB
localhost:5000/cangku lastest 1fd8e1b0bb7e 3 months ago 26.2MB
[root@Centos7 harbor]# docker ps #the containers were created automatically
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
26a93947a33b goharbor/harbor-jobservice:v2.3.1 "/harbor/entrypoint.…" 38 seconds ago Up 36 seconds (healthy) harbor-jobservice
78446210fa0f goharbor/nginx-photon:v2.3.1 "nginx -g 'daemon of…" 38 seconds ago Up 36 seconds (healthy) 0.0.0.0:80->8080/tcp nginx
c0960ed77baa goharbor/harbor-core:v2.3.1 "/harbor/entrypoint.…" 39 seconds ago Up 38 seconds (healthy) harbor-core
96cbc954ba82 goharbor/harbor-registryctl:v2.3.1 "/home/harbor/start.…" 40 seconds ago Up 38 seconds (healthy) registryctl
b13ff2d09aff goharbor/registry-photon:v2.3.1 "/home/harbor/entryp…" 40 seconds ago Up 38 seconds (healthy) registry
f74c86c3f2af goharbor/harbor-portal:v2.3.1 "nginx -g 'daemon of…" 40 seconds ago Up 38 seconds (healthy) harbor-portal
bff785ec0b21 goharbor/harbor-db:v2.3.1 "/docker-entrypoint.…" 40 seconds ago Up 39 seconds (healthy) harbor-db
53169511a567 goharbor/redis-photon:v2.3.1 "redis-server /etc/r…" 41 seconds ago Up 39 seconds (healthy) redis
1a18a7fc38a3 goharbor/harbor-log:v2.3.1 "/bin/sh -c /usr/loc…" 41 seconds ago Up 40 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log
Browse to 192.168.100.202 on port 80 (Harbor fronts everything with nginx). The default login is user admin, password Harbor12345. Change it straight away: set harbor_admin_password in harbor.yml before the first install, or change it in the UI after the first login, because the default is public and this instance is reachable over plain HTTP.
******(3) Push an image from the other Docker host to the registry host; Docker must be installed and running there, and remember to edit its daemon.json
[root@test ~]# ll
total 138524
-rw-------. 1 root root 1264 Jan 12 2021 anaconda-ks.cfg
drwxr-xr-x 3 root root 4096 Jul 29 03:52 docker
-rw-r--r-- 1 root root 141838848 Jul 29 03:59 httpd
[root@test ~]# docker load -i httpd
764055ebc9a7: Loading layer [==================================================>] 72.53MB/72.53MB
9fbbeddcc4e4: Loading layer [==================================================>] 3.072kB/3.072kB
61172cb5065c: Loading layer [==================================================>] 7.483MB/7.483MB
9262f7dd1498: Loading layer [==================================================>] 61.79MB/61.79MB
239871c4cac5: Loading layer [==================================================>] 3.584kB/3.584kB
Loaded image: httpd:latest
[root@test ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest bd29370f84ea 2 weeks ago 138MB
[root@test ~]# docker tag httpd:latest 192.168.100.202/library/httpd:latest #rename the image as registry-address/project-name/image
[root@test ~]# docker push 192.168.100.202/library/httpd:latest #the push is refused
The push refers to repository [192.168.100.202/library/httpd]
239871c4cac5: Preparing
9262f7dd1498: Preparing
61172cb5065c: Preparing
9fbbeddcc4e4: Preparing
764055ebc9a7: Preparing
unauthorized: unauthorized to access repository: library/httpd, action: push: unauthorized to access repository: library/httpd, action: push
[root@test ~]# docker login -u admin -p Harbor12345 192.168.100.202 #you must log in before pushing (the library project is public by default, so pulls work anonymously, but every push needs an authenticated user with a push role on the project). Passing -p on the command line leaves the password in shell history and process listings, which is what the warnings below are about; prefer --password-stdin and a credential helper
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@test ~]# docker push 192.168.100.202/library/httpd:latest #push again; it succeeds
The push refers to repository [192.168.100.202/library/httpd]
239871c4cac5: Pushed
9262f7dd1498: Pushed
61172cb5065c: Pushed
9fbbeddcc4e4: Pushed
764055ebc9a7: Pushed
latest: digest: sha256:51dabee6ad1cca2ae3a80e974224f30e7121dab1da9edf62e11179f8c652b09e size: 1366
Check in the browser: the push succeeded
******(4) Pull the image from the registry with Docker
[root@test ~]# docker rmi httpd:latest
Untagged: httpd:latest
[root@test ~]# docker rmi 192.168.100.202/library/httpd:latest
Untagged: 192.168.100.202/library/httpd:latest
Untagged: 192.168.100.202/library/httpd@sha256:51dabee6ad1cca2ae3a80e974224f30e7121dab1da9edf62e11179f8c652b09e
Deleted: sha256:bd29370f84eac6a9fa5373f8ed702f66820e784e5f680b62670af9f851017c96
Deleted: sha256:91fe878e1dedb23768919989d6123dc6cf22bda8f052b891876f71b92bf38803
Deleted: sha256:764b68edcbc2938e3d53f4977145d094fcc321aed11d2a254740966b826dd30c
Deleted: sha256:356e3acf71a1a4ccc94a250fa7e6351f7b1691b7dc0ee48be96c97709cd1b7b8
Deleted: sha256:43c41c92588e603f75963bab3a334a02109a6381002f784223bdeec5f46ba7a3
Deleted: sha256:764055ebc9a7a290b64d17cf9ea550f1099c202d83795aa967428ebdf335c9f7
[root@test ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@test ~]# docker pull 192.168.100.202/library/httpd:latest #pull the image
latest: Pulling from library/httpd
b4d181a07f80: Pull complete
4b72f5187e6e: Pull complete
12b2c44d04b2: Pull complete
35c238b46d30: Pull complete
1adcec05f52b: Pull complete
Digest: sha256:51dabee6ad1cca2ae3a80e974224f30e7121dab1da9edf62e11179f8c652b09e
Status: Downloaded newer image for 192.168.100.202/library/httpd:latest
[root@test ~]# docker images #downloaded successfully!
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.100.202/library/httpd latest bd29370f84ea 2 weeks ago 138MB
That completes setting up and testing Harbor over HTTP!
- Setting up Harbor over HTTPS
******(1) Generate the CA private key
[root@Centos7 ~]# mkdir /CA
[root@Centos7 ~]# cd /CA/
[root@Centos7 CA]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................++
................................++
e is 65537 (0x10001)
******(2) Generate the CA certificate
[root@Centos7 CA]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.rzy.com" \
-key ca.key \
-out ca.crt
******(3) Generate the server (domain) private key
[root@Centos7 CA]# openssl genrsa -out www.rzy.com.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................................................................++
...........................................................................................................................................++
e is 65537 (0x10001)
******(4) Generate the certificate signing request (CSR)
[root@Centos7 CA]# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.rzy.com" \
-key www.rzy.com.key \
-out www.rzy.com.csr
******(5) Create an x509 v3 extension file (the subjectAltName entry is required: Docker's Go TLS client, like browsers, matches the hostname against the SAN and ignores the CN)
[root@Centos7 CA]# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.rzy.com
EOF
******(6) Use the v3.ext file to issue the certificate for the Harbor host
[root@Centos7 CA]# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in www.rzy.com.csr \
-out www.rzy.com.crt
Signature ok #signing succeeded
subject=/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.rzy.com
Getting CA Private Key
******(7) Provide the certificate to Harbor and Docker
[root@Centos7 CA]# mkdir -p /data/cert/
[root@Centos7 CA]# cp www.rzy.com.crt www.rzy.com.key /data/cert/
******(8) Convert the certificate for the Docker client
Convert www.rzy.com.crt to www.rzy.com.cert for Docker.
The Docker daemon treats a .crt file in certs.d as a CA certificate and a .cert file as a client certificate.
[root@Centos7 CA]# openssl x509 -inform PEM -in www.rzy.com.crt -out www.rzy.com.cert
******(9) Copy the server certificate
Copy the server certificate, key and CA file into the Docker certificate directory on the Harbor host; the directory must be created first. This layout follows the Harbor documentation. Strictly, the Docker client only needs ca.crt in /etc/docker/certs.d/www.rzy.com/ to trust the registry; the .cert/.key pair is only consulted for client-certificate (mutual TLS) authentication, which Harbor does not use by default, so the server's private key does not have to be copied here, and on every other client host only ca.crt should be installed. Keep www.rzy.com.key and ca.key readable by root only.
[root@Centos7 CA]# mkdir -p /etc/docker/certs.d/www.rzy.com/
[root@Centos7 CA]# cp www.rzy.com.cert /etc/docker/certs.d/www.rzy.com/
[root@Centos7 CA]# cp www.rzy.com.key /etc/docker/certs.d/www.rzy.com/
[root@Centos7 CA]# cp ca.crt /etc/docker/certs.d/www.rzy.com/
******(10) Edit harbor.yml
[root@Centos7 CA]# vim /usr/local/harbor/harbor.yml
......
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: www.rzy.com #must match the certificate's SAN; the Harbor host and every client must resolve www.rzy.com to 192.168.100.202 (in a lab, via /etc/hosts)

# http related config
#http: #comment out the http options
  # port for http, default is 80. If https enabled, this port will redirect to https port
  #port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The pa