1. Understanding Docker Registry
1.1 Introduction
1.2 Classification
1.3 Components of a Registry (Repository and Index)
(1) Repository
(2) Index
1.4 Pulling and pushing repository images
(1) Pull an image
docker pull <registry>[:<port>]/[<namespace>/]<name>:<tag>
(2) Push an image
docker push [OPTIONS] NAME[:TAG]
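The reference grammar above is what decides which registry a pull or push actually talks to, so it is worth seeing the client's rules written out. The following parser is an added example, not code from the original post; it applies the Docker client's defaulting rules (docker.io, the library namespace, the latest tag) and keeps the immutable digest when one is present:

```python
import re

# Added example, not code from the original post: split a Docker image
# reference <registry>[:<port>]/[<namespace>/]<name>[:<tag>][@<digest>] the
# way the Docker client does. The first path component is a registry only if
# it contains "." or ":", is exactly "localhost", or has an uppercase letter;
# otherwise the image comes from docker.io, where a bare name such as
# "busybox" lives in the "library" namespace. A missing tag means "latest"
# unless a digest pins the image.
DEFAULT_REGISTRY = "docker.io"
DEFAULT_NAMESPACE = "library"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Return registry, namespace, name, tag and digest of an image reference."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed digest: %s" % digest)
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"
                           or first != first.lower()):
        registry, parts = first, parts[1:]
    else:
        registry = DEFAULT_REGISTRY
    # Only the last component may carry ":tag"; a registry ":port" is gone by now.
    name, tag = parts[-1], None
    if ":" in name:
        name, tag = name.rsplit(":", 1)
    if tag is None and digest is None:
        tag = "latest"
    namespace = "/".join(parts[:-1]) or None
    if namespace is None and registry == DEFAULT_REGISTRY:
        namespace = DEFAULT_NAMESPACE
    if not name or not all(parts[:-1]):
        raise ValueError("empty path component in reference: %s" % ref)
    return {"registry": registry, "namespace": namespace, "name": name,
            "tag": tag, "digest": digest}


def canonical(ref):
    """Fully qualified form; the immutable digest wins over a mutable tag."""
    r = parse_reference(ref)
    path = r["name"] if r["namespace"] is None else r["namespace"] + "/" + r["name"]
    if r["digest"]:
        return "%s/%s@%s" % (r["registry"], path, r["digest"])
    return "%s/%s:%s" % (r["registry"], path, r["tag"])
```

Pinning deployments to the canonical digest form rather than a tag is what makes a later `docker pull` verifiable: the digest in the push output must match the one in the pull output.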
1.5 Well-known third-party Docker registries
2. Building a private registry with the official Distribution
2.1 About Distribution
In 2015 Docker released the Distribution project, i.e. Docker Registry 2. Compared with the old Registry, Registry 2 is implemented in Go and is substantially improved in both security and performance. Registry 2 has a brand-new REST API and is no longer compatible with the old Registry in areas such as the image storage format. To interact with Registry 2 your Docker version must be at least Docker 1.6.
For image storage, Registry 2 supports not only local disk but also many mainstream third-party storage back ends. With a distributed storage system you can build a distributed Docker Registry service.
2.2 Installing and starting the Registry
Docker's developers have also kept working on the installation and usage experience of the Registry, simplifying its configuration by providing an official Registry image and tools such as Docker Compose.
In this article we simply use Docker and the official Registry image to deploy the Registry.
2.2.1 Option 1: install with yum (downloaded directly from the extras repository)
[root@docker2 ~]# yum info docker-distribution
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
可安装的软件包
名称 :docker-distribution
架构 :x86_64
版本 :2.6.2
发布 :2.git48294d9.el7
大小 :3.5 M
源 :extras/7/x86_64
简介 : Docker toolset to pack, ship, store, and deliver content
网址 :https://github.com/docker/distribution
协议 : ASL 2.0
描述 : Docker toolset to pack, ship, store, and deliver content
[root@docker2 ~]# yum -y install docker-distribution
2.2.2 Option 2: install as a container
(1) Pull the image
[root@docker2 ~]# docker pull registry:2.6.2
2.6.2: Pulling from library/registry
d6a5679aa3cf: Pull complete
ad0eac849f8f: Pull complete
2261ba058a15: Pull complete
f296fda86f10: Pull complete
bcd4a541795b: Pull complete
Digest: sha256:5a156ff125e5a12ac7fdec2b90b7e2ae5120fa249cf62248337b6d04abc574c8
Status: Downloaded newer image for registry:2.6.2
(2) Start the Registry container
[root@docker2 ~]# docker run --name registry -p 5000:5000 -v /data/registry:/var/lib/registry -d registry:2.6.2
a43f802e737eba89879a4dc02562b38e0042db981f9bdb91782b453f0bac4119
[root@docker2 ~]# docker port registry
5000/tcp -> 0.0.0.0:5000
[root@docker2 ~]# ss -nutlp |grep 5000
tcp LISTEN 0 128 :::5000 :::* users:(("docker-proxy",pid=4901,fd=4))
[root@docker2 ~]# docker inspect -f {{."Mounts"}} registry
[{bind /data/registry /var/lib/registry true rprivate}]
Note:
2.3 Pushing to and pulling from the private registry
2.3.1 Push a local image to the private registry
(1) First tag the local image with a name that points at the private registry
[root@docker1 ~]# docker tag busybox:latest 192.168.10.102:5000/busybox:v0.1
[root@docker1 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.10.102:5000/busybox v0.1 758ec7f3a1ee 13 days ago 1.15 MB
busybox latest 758ec7f3a1ee 13 days ago 1.15 MB
(2) Try to push the image
[root@docker1 ~]# docker push 192.168.10.102:5000/busybox:v0.1
The push refers to a repository [192.168.10.102:5000/busybox]
Get https://192.168.10.102:5000/v1/_ping: http: server gave HTTP response to HTTPS client
The push fails. The reason: by default Docker only pushes to and pulls from registries over HTTPS, while the private registry we built serves plain HTTP.
(3) Edit the Docker daemon configuration and restart the service
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["192.168.10.102:5000"]
}
[root@docker1 ~]# systemctl restart docker
Note: this makes Docker treat the private registry as an Insecure Registry. Docker will then talk to it over plain HTTP (or over HTTPS without verifying the certificate), so anything on the network path can read or tamper with the image data; keep this to a lab or a trusted network.
(4) Push the image again
[root@docker1 ~]# docker push 192.168.10.102:5000/busybox:v0.1
The push refers to a repository [192.168.10.102:5000/busybox]
23bc2b70b201: Pushed
v0.1: digest: sha256:cbcde3595079b1f7a6b046e96e7547fe786d5c2c8eba678bc260161bc01b8dbe size: 527
(5) Verify on the private registry server
[root@docker2 ~]# ls /data/registry/docker/registry/v2/
blobs repositories
(6) Pull the image from the private registry: delete the local copy first, then pull
[root@docker1 ~]# docker rmi 192.168.10.102:5000/busybox:v0.1
Untagged: 192.168.10.102:5000/busybox:v0.1
Untagged: 192.168.10.102:5000/busybox@sha256:cbcde3595079b1f7a6b046e96e7547fe786d5c2c8eba678bc260161bc01b8dbe
[root@docker1 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 758ec7f3a1ee 2 weeks ago 1.15 MB
[root@docker1 ~]# docker pull 192.168.10.102:5000/busybox:v0.1
v0.1: Pulling from busybox
Digest: sha256:cbcde3595079b1f7a6b046e96e7547fe786d5c2c8eba678bc260161bc01b8dbe
Status: Downloaded newer image for 192.168.10.102:5000/busybox:v0.1
[root@docker1 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.10.102:5000/busybox v0.1 758ec7f3a1ee 2 weeks ago 1.15 MB
3. Installing and building the Harbor private registry
3.1 Getting to know Harbor
3.1.1 About Harbor
Harbor is an open-source trusted cloud-native registry project that stores, signs and scans content. Harbor is hosted by the Cloud Native Computing Foundation (CNCF).
Harbor extends the open-source Docker Distribution by adding the features users usually need, such as security, identity and management. Having the registry closer to the build and run environment improves image transfer efficiency. Harbor supports replicating images between registries and also provides advanced security features such as user management, access control and activity auditing.
Project site: https://github.com/goharbor/harbor
3.1.2 Harbor features
3.1.3 Harbor configuration parameters
(1) Parameter overview
① The configuration parameters live in the file harbor.cfg.
② harbor.cfg contains two kinds of parameters: required parameters and optional parameters.
③ Note: if you choose to set these parameters through the Portal, be sure to do so immediately after Harbor starts. In particular, you must set the required auth_mode before registering or creating any new users in Harbor. Once there are users in the system (other than the default admin user), auth_mode can no longer be changed.
④ Note that at a minimum the hostname attribute must be changed.
(2) Required parameters
(3) Optional parameters
(4) Configuring the storage back end (optional)
By default Harbor stores images on the local filesystem. In production you may want to use another storage back end instead of the local filesystem, such as S3, OpenStack Swift or Ceph. These parameters are the registry's configuration.
For example, if OpenStack Swift is used as the storage back end, the parameters might look like this:
registry_storage_provider_name = swift
registry_storage_provider_config = "username:admin,password:ADMIN_PASS,authurl:http://keystone_addr:35357/v3/aut
3.2 Prerequisites for the installation host
3.2.1 Hardware
Resource | Capacity | Description |
---|---|---|
CPU | minimum 2 CPUs | 4 CPUs preferred |
Memory | minimum 4 GB | 8 GB preferred |
Disk | minimum 40 GB | 160 GB preferred |
3.2.2 Software
Software | Version | Description |
---|---|---|
Python | 2.7 or higher | Note that you may have to install Python yourself on Linux distributions (Gentoo, Arch) that do not ship a Python interpreter by default |
Docker Engine | version 1.10 or higher | For installation instructions see: https://docs.docker.com/engine/installation/ |
Docker Compose | version 1.6.0 or higher | For installation instructions see: https://docs.docker.com/compose/install/ |
OpenSSL | latest preferred | Used to generate certificates and keys for Harbor |
3.2.3 Network ports
Port | Protocol | Description |
---|---|---|
443 | HTTPS | The Harbor portal and core API accept HTTPS requests on this port |
4443 | HTTPS | Connection to the Docker Content Trust service for Harbor; only needed when Notary is enabled |
80 | HTTP | The Harbor portal and core API accept HTTP requests on this port |
3.2.4 Add a new 50 GB disk (skip this if there is enough disk space)
(1) Find the name of the added disk
$ fdisk -l
Disk /dev/sdb: 53.7 GB, 53687091200 bytes, 104857600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
(2) Partition the disk
$ fdisk /dev/sdb
Command (m for help): m
Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Using default response p
Partition number (1-4, default 1):
First sector (2048-104857599, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-104857599, default 104857599):
Using default value 104857599
Partition 1 of type Linux and of size 50 GiB is set
Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
(3) Create a filesystem on the partition
[root@centos7-1 ~]# mkfs.ext3 /dev/sdb1
(4) Mount the disk
$ vim /etc/fstab    # make the mount persistent across reboots
/dev/sdb1 /data ext3 defaults 0 0
$ mount -a          # mount the disk
(5) Verify
[root@centos7-1 ~]# df -h /data
Filesystem Size Used Avail Use% Mounted on
/dev/sdb1 50G 52M 47G 1% /data
3.2.5 Install the Docker orchestration tool Docker Compose
Option 1: install directly with yum
[root@docker2 ~]# yum -y install docker-compose
Option 2: pick the version you need on GitHub and download it
$ curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose
$ docker-compose version
docker-compose version 1.23.2, build 1110ad01
docker-py version: 3.6.0
CPython version: 3.6.7
OpenSSL version: OpenSSL 1.1.0f 25 May 2017
3.4 Installing and building Harbor
3.4.1 Download the Harbor installation package
[root@docker2 ~]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
[root@docker2 ~]# tar -C /data/ -xvf harbor-offline-installer-v1.7.1.tgz
3.4.2 Configure the Harbor service
(1) Edit the harbor.cfg configuration file
[root@docker2 ~]# cd /data/harbor/
[root@docker2 harbor]# grep "^[^#]" harbor.cfg
_version = 1.7.0
hostname = docker2
ui_url_protocol = http
max_job_workers = 2
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = along
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password = along
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = along
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
The main parameters changed are the following:
Harbor here is deployed over HTTP, i.e. as an Insecure Registry. Docker officially recommends running a Secure Registry, i.e. with TLS as the transport. Deploying over HTTPS is of course more secure. To deploy over HTTPS, change the following items:
hostname = hub.hi-linux.com
ui_url_protocol = https
customize_crt = off
ssl_cert = /opt/certs/fullchain.cer
ssl_cert_key = /opt/certs/hub.hi-linux.com.key
Parameter explanation
If you configure HTTPS you naturally need an SSL certificate. Getting a free SSL certificate is no longer hard these days; you can use acme.sh to quickly obtain a Let's Encrypt certificate, roughly like this:
$ acme.sh --installcert \
    -d example.com -d '*.hi-linux.com' \
    --key-file /opt/certs/hub.hi-linux.com.key \
    --fullchain-file /opt/certs/fullchain.cer
(2) Define the docker-compose.yml file (optional)
docker-compose.yml is the Docker Compose orchestration file.
① Ports
ports:
  - 80:80
  - 443:443
  - 4443:4443
② Define the storage path. In production, put the container's storage volume on a disk with ample free space.
volumes:
  - /data/registry:/storage:z
3.4.3 Install and start Harbor
[root@docker2 harbor]# ./install.sh
[Step 0]: checking installation environment ...

Note: docker version: 18.03.1

Note: docker-compose version: 1.23.2

[Step 1]: loading Harbor images ...
Loaded image: goharbor/registry-photon:v2.6.2-v1.7.1
Loaded image: goharbor/harbor-migrator:v1.7.1
Loaded image: goharbor/harbor-adminserver:v1.7.1
Loaded image: goharbor/harbor-core:v1.7.1
Loaded image: goharbor/harbor-log:v1.7.1
Loaded image: goharbor/harbor-jobservice:v1.7.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.1
Loaded image: goharbor/clair-photon:v2.0.7-v1.7.1
Loaded image: goharbor/harbor-portal:v1.7.1
Loaded image: goharbor/harbor-db:v1.7.1
Loaded image: goharbor/redis-photon:v1.7.1
Loaded image: goharbor/nginx-photon:v1.7.1
Loaded image: goharbor/harbor-registryctl:v1.7.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.1
Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.7.1

[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

[Step 3]: checking existing instance of Harbor ...

[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-adminserver ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-portal ... done
Creating harbor-jobservice ... done
Creating nginx ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://docker2.
For more details, please visit https://github.com/goharbor/harbor .
3.4.4 Post-installation verification
(1) A number of ports are now listening
[root@docker2 harbor]# ss -nutlp |grep docker
tcp LISTEN 0 128 127.0.0.1:1514 *:* users:(("docker-proxy",pid=1440,fd=4))
tcp LISTEN 0 128 :::80 :::* users:(("docker-proxy",pid=2204,fd=4))
tcp LISTEN 0 128 :::443 :::* users:(("docker-proxy",pid=2192,fd=4))
tcp LISTEN 0 128 :::4443 :::* users:(("docker-proxy",pid=2181,fd=4))
(2) Harbor is in fact just a set of Docker containers
[root@docker2 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
def22a8eeb9a goharbor/nginx-photon:v1.7.1 "nginx -g 'daemon of…" 2 hours ago Up 2 hours (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
a410a38479fa goharbor/harbor-portal:v1.7.1 "nginx -g 'daemon of…" 2 hours ago Up 2 hours (healthy) 80/tcp harbor-portal
e25f87eb80db goharbor/harbor-jobservice:v1.7.1 "/harbor/start.sh" 2 hours ago Up 2 hours harbor-jobservice
2be7211535a2 goharbor/harbor-core:v1.7.1 "/harbor/start.sh" 2 hours ago Up 2 hours (healthy) harbor-core
26681dde1dec goharbor/harbor-db:v1.7.1 "/entrypoint.sh post…" 2 hours ago Up 2 hours (healthy) 5432/tcp harbor-db
80f592176896 goharbor/harbor-registryctl:v1.7.1 "/harbor/start.sh" 2 hours ago Up 2 hours (healthy) registryctl
def7f9892e46 goharbor/redis-photon:v1.7.1 "docker-entrypoint.s…" 2 hours ago Up 2 hours 6379/tcp redis
9af874368813 goharbor/registry-photon:v2.6.2-v1.7.1 "/entrypoint.sh /etc…" 2 hours ago Up 2 hours (healthy) 5000/tcp registry
0f7156ac62f7 goharbor/harbor-adminserver:v1.7.1 "/harbor/start.sh" 2 hours ago Up 2 hours (healthy) harbor-adminserver
3e45524ef1f0 goharbor/harbor-log:v1.7.1 "/bin/sh -c /usr/loc…" 2 hours ago Up 2 hours (healthy) 127.0.0.1:1514->10514/tcp harbor-log
4. Using Harbor
4.1 Basic operations in the Harbor web UI
(1) Log in through the browser at http://192.168.130.102
(2) Some simple operations after logging in to Harbor
(3) User management
Note: passwords must meet a certain complexity requirement
(4) Email configuration
(5) Create a new project
4.2 Pushing and pulling images to and from the Harbor registry
(1) Edit the Docker configuration and add the Harbor registry as another Insecure Registry
[root@docker1 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["192.168.10.102:5000", "docker2:80"]
}
[root@docker1 ~]# systemctl restart docker
Both registries go into the one "insecure-registries" array. Do not add the key a second time: a JSON object must not repeat a key, and a parser keeps only one of the duplicate values, so the other registry would silently stay HTTPS-only and the push would fail again.
(2) Tag the images to be pushed with names that point at the Harbor project
[root@docker1 ~]# docker tag busybox:latest docker2:80/demo/busybox:v0.1
[root@docker1 ~]# docker tag nginx:1.14-alpine docker2:80/demo/nginx:v0.1
[root@docker1 ~]# docker tag nginx:1.14 docker2:80/demo/nginx:v0.2
[root@docker1 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
docker2:80/demo/nginx v0.2 3f55d5bb33f3 11 days ago 109 MB
docker2:80/demo/busybox v0.1 758ec7f3a1ee 2 weeks ago 1.15 MB
docker2:80/demo/nginx v0.1 c5b6f731fbc0 2 weeks ago 17.7 MB
(3) Log in to the Harbor registry
[root@docker1 ~]# docker login docker2:80
Username: admin
Password:
Login Succeeded
(4) Push the images
[root@docker1 ~]# docker push docker2:80/demo/busybox:v0.1
The push refers to a repository [docker2:80/demo/busybox]
23bc2b70b201: Pushed
v0.1: digest: sha256:cbcde3595079b1f7a6b046e96e7547fe786d5c2c8eba678bc260161bc01b8dbe size: 527
[root@docker1 ~]# docker push docker2:80/demo/nginx    # without a tag, every tag of this image is pushed
The push refers to a repository [docker2:80/demo/nginx]
59b059d445c1: Layer already exists
0246bb21855f: Layer already exists
42acf078bf60: Layer already exists
7bff100f35cb: Layer already exists
v0.1: digest: sha256:438d8080098025e9983f253af806c1d1aa6b48be2ef1913991dab506bb3d4f72 size: 1153
6959f2c2a244: Pushed
06eb7a5682d6: Pushed
7b4e562e58dc: Pushed
v0.2: digest: sha256:1313a52e3fd1718b1c36822cefa0e51950654004dcf12b08affb3067e02c6d9c size: 948
(5) Verify in Harbor that the push succeeded
(6) Pull an image from Harbor
[root@docker1 ~]# docker rmi docker2:80/demo/busybox:v0.1
Untagged: docker2:80/demo/busybox:v0.1
Untagged: docker2:80/demo/busybox@sha256:cbcde3595079b1f7a6b046e96e7547fe786d5c2c8eba678bc260161bc01b8dbe
[root@docker1 ~]# docker image ls docker2:80/demo/busybox:v0.1
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@docker1 ~]# docker pull docker2:80/demo/busybox:v0.1
v0.1: Pulling from demo/busybox
Digest: sha256:cbcde3595079b1f7a6b046e96e7547fe786d5c2c8eba678bc260161bc01b8dbe
Status: Downloaded newer image for docker2:80/demo/busybox:v0.1
[root@docker1 ~]# docker image ls docker2:80/demo/busybox:v0.1
REPOSITORY TAG IMAGE ID CREATED SIZE
docker2:80/demo/busybox v0.1 758ec7f3a1ee 2 weeks ago 1.15 MB
(7) The Harbor web UI supports many useful operations, such as tagging images, replicating images and deleting images
4.3 Controlling the Harbor service
In the Harbor installation directory, use the docker-compose command to control Harbor.
(1) Pause the Harbor service
[root@docker2 harbor]# docker-compose pause
Pausing harbor-log ... done
Pausing harbor-adminserver ... done
Pausing registry ... done
Pausing redis ... done
Pausing registryctl ... done
Pausing harbor-db ... done
Pausing harbor-core ... done
Pausing harbor-jobservice ... done
Pausing harbor-portal ... done
Pausing nginx ... done
(2) Stop the Harbor service
[root@docker2 harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-portal ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping harbor-db ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-adminserver ... done
Stopping harbor-log ... done
[root@docker2 harbor]# ss -nutl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:22 *:*
(3) Start the Harbor service
[root@docker2 harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting adminserver ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
Source: cnblogs. Original article: http://t.cn/ES6OXhq. Copyright belongs to the original author.