  • Docker, Part 7 (Private Registry)

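    I. Types of Docker Registry

    A Registry stores docker images, including the image layer structure and metadata. Users can build their own Registry or use the official docker hub.

    • Sponsor Registry: a third-party Registry for use by customers and the docker community

    • Mirror Registry: a third-party Registry for use by customers only

    • Vendor Registry: a Registry provided by a vendor that publishes Docker images

    • Private Registry: a Registry provided by a private entity, behind a firewall and additional security layers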

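    II. Docker Distribution

    docker distribution is the private registry software package that docker provides. It can also run in a container, so docker hub carries an image for it. However, docker distribution has no web UI: it does not support browsing or searching images on the web the way docker hub does, nor building images automatically from a Dockerfile as docker hub does. To get these features, use harbor.

    1. Ways to install docker distribution

    • Pull the docker distribution image from Docker Hub and run it in a container. Because a container's data is deleted once the container stops, we also have to give it a storage volume and use a network file system to persist the image data held in the registry

    • Install with yum: the docker distribution package is in the Extras yum repository and can be installed directly

    2. Installing docker distribution with yum

    2.1. Installation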

    [root@centos7-node2 ~]# yum info docker-distribution
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: centos.ustc.edu.cn
     * extras: mirror.bit.edu.cn
     * updates: mirror.bit.edu.cn
    Installed Packages
    Name        : docker-distribution
    Arch        : x86_64
    Version     : 2.6.2
    Release     : 2.git48294d9.el7
    Size        : 12 M
    Repo        : installed
    From repo   : extras
    Summary     : Docker toolset to pack, ship, store, and deliver content
    URL         : https://github.com/docker/distribution
    License     : ASL 2.0
    Description : Docker toolset to pack, ship, store, and deliver content
    
    [root@centos7-node2 ~]# yum install docker-distribution
    
    [root@centos7-node2 ~]# rpm -ql docker-distribution
    /etc/docker-distribution/registry/config.yml
    /usr/bin/registry
    /usr/lib/systemd/system/docker-distribution.service
    /usr/share/doc/docker-distribution-2.6.2
    /usr/share/doc/docker-distribution-2.6.2/AUTHORS
    /usr/share/doc/docker-distribution-2.6.2/CONTRIBUTING.md
    /usr/share/doc/docker-distribution-2.6.2/LICENSE
    /usr/share/doc/docker-distribution-2.6.2/MAINTAINERS
    /usr/share/doc/docker-distribution-2.6.2/README.md
    /var/lib/registry
    
    [root@centos7-node2 ~]# service docker-distribution start
    Redirecting to /bin/systemctl start docker-distribution.service
    [root@centos7-node2 ~]# netstat -tlunp |grep 5000
    tcp6       0      0 :::5000                 :::*                    LISTEN      2912/registry
     

    2.2. Configuration

    The default configuration file is sufficient; change it as your needs require.

    [root@centos7-node2 ~]# vim /etc/docker-distribution/registry/config.yml
    version: 0.1
    log:
      fields:
        service: registry
    storage:
        cache:
            layerinfo: inmemory
        filesystem:
            rootdirectory: /var/lib/registry
    http:
        addr: :5000
     

    3. Building an image and uploading it to docker-distribution

    3.1. Build and upload the image

    [root@bogon ~]# docker tag httpd:1.1 centos7-node2.local:5000/httpd:1.1
    [root@bogon ~]# docker image ls
    REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
    centos7-node2.local:5000/httpd   1.1                 bbffcf779dd4        2 weeks ago         264MB
    httpd                            1.1                 bbffcf779dd4        2 weeks ago         264MB
    nginx                            stable              ecc98fc2f376        5 weeks ago         109MB
    
    [root@bogon ~]# docker pull centos7-node2.local:5000/httpd:1.1
    Error response from daemon: Get https://centos7-node2.local:5000/v2/: dial tcp 192.168.31.187:5000: connect: no route to host
    
    [root@bogon ~]# vim /etc/docker/daemon.json
    "insecure-registries": ["centos7-node2.local:5000"]
    [root@bogon ~]# service docker restart
    Redirecting to /bin/systemctl restart docker.service
    
    [root@bogon ~]# docker push centos7-node2.local:5000/httpd:1.1
    The push refers to repository [centos7-node2.local:5000/httpd]
    ddcb568d3d1e: Pushed 
    da6517724f67: Pushed 
    1.1: digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5 size: 741
     

    # The docker client talks to a Registry over HTTPS by default. If the private registry uses HTTP, the docker client configuration file has to be changed.
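
Added example (not part of the original post): an `insecure-registries` entry lets the client skip certificate verification and fall back to plain HTTP for that host, so it is worth auditing for that setting and for a registry `config.yml` with no TLS or authentication. The hardened sample's certificate and htpasswd paths are assumptions, and both checks are line-based rather than full JSON/YAML parsers.

```shell
#!/bin/sh
# Added example, not from the original post: flag plaintext-registry settings.

# Print each host listed under "insecure-registries" in a daemon.json.
# Assumes the array is written on one line, as in the snippet above.
insecure_registries() {
    grep -o '"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*]' "$1" |
        sed 's/^[^[]*\[//; s/]$//' | tr ',' '\n' |
        sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//; /^$/d'
}

# Print "no-tls" if config.yml has no tls: block under http:, and "no-auth"
# if it has no top-level auth: block.
registry_findings() {
    awk '
        /^[^ \t#]/ { section = $1 }                  # top-level key, e.g. "http:"
        section == "http:" && /^[ \t]+tls:/ { tls = 1 }
        /^auth:/ { auth = 1 }
        END { if (!tls) print "no-tls"; if (!auth) print "no-auth" }' "$1"
}

# Constructed sample files: the page's settings, then a hardened variant whose
# certificate and htpasswd paths are assumptions.
demo_dir=$(mktemp -d)
printf '{ "insecure-registries": ["centos7-node2.local:5000"] }\n' > "$demo_dir/daemon.json"
cat > "$demo_dir/weak.yml" <<'EOF'
version: 0.1
storage:
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: :5000
EOF
cat > "$demo_dir/hardened.yml" <<'EOF'
version: 0.1
http:
    addr: :5000
    tls:
        certificate: /etc/docker-distribution/certs/registry.crt
        key: /etc/docker-distribution/certs/registry.key
auth:
    htpasswd:
        realm: registry
        path: /etc/docker-distribution/htpasswd
EOF
echo "insecure registries: $(insecure_registries "$demo_dir/daemon.json")"
echo "weak.yml:     $(registry_findings "$demo_dir/weak.yml" | tr '\n' ' ')"
echo "hardened.yml: $(registry_findings "$demo_dir/hardened.yml" | tr '\n' ' ')"
```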

    3.2. Verify on the docker distribution host

    [root@centos7-node2 ~]# ll /var/lib/registry/docker/registry/v2/repositories/httpd/_layers/sha256/
    total 0
    drwxr-xr-x. 2 root root 18 Nov 20 17:15 bbffcf779dd42e070d52a4661dcd3eaba2bed898bed8bbfe41768506f063ad32
    drwxr-xr-x. 2 root root 18 Nov 20 17:15 f06537d9e799fdeca094e95d56295b96359d188988b5d78353f716de5856b5b1
    drwxr-xr-x. 2 root root 18 Nov 20 17:15 f9f73d801f0558b085ffa505240a065319269c4cefbe9c2e60103d58761edfa8
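
Added example (not part of the original post): the directory names in the listing above are content digests, so the store can be checked by re-hashing its blobs and resolving each layer link. It assumes the filesystem storage driver layout given in the comments and runs against a constructed sample store with one tampered blob and one missing blob.

```shell
#!/bin/sh
# Added example, not from the original post. Filesystem-driver layout assumed:
#   <root>/docker/registry/v2/blobs/sha256/<first 2 hex>/<digest>/data
#   <root>/docker/registry/v2/repositories/<name>/_layers/sha256/<digest>/link

# Re-hash every blob; print "MISMATCH <expected> <actual>" for each bad one.
verify_blobs() {
    for data in "$1"/docker/registry/v2/blobs/sha256/*/*/data; do
        [ -f "$data" ] || continue
        expected=$(basename "$(dirname "$data")")
        actual=$(sha256sum "$data" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || echo "MISMATCH $expected $actual"
    done
}

# A link file holds "sha256:<digest>"; print "MISSING <digest>" when the blob
# it names is not in the store.
missing_layers() {
    v2=$1/docker/registry/v2
    find "$v2/repositories" -path '*/_layers/sha256/*/link' 2>/dev/null |
    while read -r link; do
        hex=$(sed 's/^sha256://' "$link")
        prefix=$(printf '%s' "$hex" | cut -c1-2)
        [ -f "$v2/blobs/sha256/$prefix/$hex/data" ] || echo "MISSING $hex"
    done
}

# Constructed sample store: write content as a blob, link it into repo "httpd".
put_layer() {
    hex=$(printf '%s' "$2" | sha256sum | cut -d' ' -f1)
    blob=$1/docker/registry/v2/blobs/sha256/$(printf '%s' "$hex" | cut -c1-2)/$hex
    link=$1/docker/registry/v2/repositories/httpd/_layers/sha256/$hex
    mkdir -p "$blob" "$link"
    printf '%s' "$2" > "$blob/data"
    printf 'sha256:%s' "$hex" > "$link/link"
    echo "$hex"
}

store=$(mktemp -d)
good=$(put_layer "$store" "layer-one")
bad=$(put_layer "$store" "layer-two")
gone=$(put_layer "$store" "layer-three")
printf 'tampered' > "$store/docker/registry/v2/blobs/sha256/$(printf '%s' "$bad" | cut -c1-2)/$bad/data"
rm -r "$store/docker/registry/v2/blobs/sha256/$(printf '%s' "$gone" | cut -c1-2)/$gone"
verify_blobs "$store"
missing_layers "$store"
```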
     

    3.3. Delete the image on the docker client and pull it again

    [root@bogon ~]# docker image rm centos7-node2.local:5000/httpd:1.1
    Untagged: centos7-node2.local:5000/httpd:1.1
    Untagged: centos7-node2.local:5000/httpd@sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5
    [root@bogon ~]# 
    [root@bogon ~]# docker image ls
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    httpd               1.1                 bbffcf779dd4        2 weeks ago         264MB
    nginx               stable              ecc98fc2f376        5 weeks ago         109MB
    
    
    [root@bogon ~]# docker pull centos7-node2.local:5000/httpd:1.1
    1.1: Pulling from httpd
    Digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5
    Status: Downloaded newer image for centos7-node2.local:5000/httpd:1.1
    [root@bogon ~]# docker image ls
    REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
    centos7-node2.local:5000/httpd   1.1                 bbffcf779dd4        2 weeks ago         264MB
    httpd                            1.1                 bbffcf779dd4        2 weeks ago         264MB
    nginx                            stable              ecc98fc2f376        5 weeks ago         109MB
     

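    III. What is harbor

    The CNCF (Cloud Native Computing Foundation), founded jointly by Google, IBM and Microsoft, is a third-party organization dedicated to maintaining projects such as k8s. The projects it maintains include k8s and prometheus, as well as the recently joined harbor project (private registry server software). harbor is now an enterprise-grade registry application. It is a secondary development by VMware on top of docker distribution that adds many extra components, including a web UI. We can therefore use harbor to build a complete local private registry.

    Project Harbor is an open source trusted cloud native Registry project that stores, signs, and scans content.

    Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management.

    Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.

    1. Features of harbor

    • Multi-tenancy: many users can register on a single harbor and manage their own repositories

    • Security and risk analysis

    • Audit logging

    • Role-based access control

    • Replication between multiple harbor instances

    • An extensible API and a graphical UI

    • Internationalized; currently supports English and Chinese

    2. Installing harbor

    To simplify installation, the harbor project ships harbor as an application that runs in containers. Because harbor depends on several storage systems such as mysql and redis, multiple containers have to work together. Deploying and using VMware's harbor therefore requires docker's single-host orchestration tool, compose.

    Download: https://github.com/goharbor/harbor/releases

    Installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md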

    [root@centos7-node2 src]# wget  
    [root@centos7-node2 src]# tar -zxvf harbor-offline-installer-v1.5.4.tgz -C /usr/local/
    [root@centos7-node2 src]# cd /usr/local/harbor/
    [root@centos7-node2 harbor]# sed -i 's/hostname = reg.mydomain.com/hostname = centos7-node2.local/g' ./harbor.cfg
    [root@centos7-node2 harbor]# yum install docker-compose
    [root@centos7-node2 harbor]# yum install epel-release
    [root@centos7-node2 harbor]# yum install docker-compose
    [root@centos7-node2 harbor]# ./install.sh
    
    ✔ ----Harbor has been installed and started successfully.----
    
    Now you should be able to visit the admin portal at http://centos7-node2.local. 
    For more details, please visit https://github.com/vmware/harbor .
    
    
    [root@centos7-node2 harbor]# docker container ls -a
    CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                             PORTS                                                              NAMES
    2ecc079867c6        vmware/nginx-photon:v1.5.4             "nginx -g 'daemon of…"   14 seconds ago      Up 12 seconds (health: starting)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
    a1b51d6d296a        vmware/harbor-jobservice:v1.5.4        "/harbor/start.sh"       14 seconds ago      Up 12 seconds                                                                                         harbor-jobservice
    0ffb3f2a442e        vmware/harbor-ui:v1.5.4                "/harbor/start.sh"       16 seconds ago      Up 14 seconds (health: starting)                                                                      harbor-ui
    1c5e3590ac25        vmware/registry-photon:v2.6.2-v1.5.4   "/entrypoint.sh serv…"   19 seconds ago      Up 16 seconds (health: starting)   5000/tcp                                                           registry
    fd09682ac89a        vmware/harbor-adminserver:v1.5.4       "/harbor/start.sh"       19 seconds ago      Up 16 seconds (health: starting)                                                                      harbor-adminserver
    054710b41aa2        vmware/harbor-db:v1.5.4                "/usr/local/bin/dock…"   19 seconds ago      Up 16 seconds (health: starting)   3306/tcp                                                           harbor-db
    c03daf7e3bb1        vmware/redis-photon:v1.5.4             "docker-entrypoint.s…"   19 seconds ago      Up 17 seconds                      6379/tcp                                                           redis
    b1fcf0c916a1        vmware/harbor-log:v1.5.4               "/bin/sh -c /usr/loc…"   22 seconds ago      Up 18 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log
    [root@centos7-node2 harbor]#
     

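    After a successful installation, harbor starts 8 containers.

    Note: harbor's networking uses NAT, so the firewall service must be running; otherwise the installation will fail.

    The web UI after a successful installation: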

    image.png

    3. Using the harbor web UI

    3.1. Create a new project

    image.png

    3.2. Click the newly created project; it does not contain any images yet

    image.png

    3.3. Build images with the docker client and upload them

    [root@bogon ~]# docker tag centos7-node2.local:5000/httpd:1.1 centos7-node2.local/development/httpd:1.2
    [root@bogon ~]# docker tag centos7-node2.local:5000/httpd:1.1 centos7-node2.local/development/httpd:1.3
    [root@bogon ~]# docker tag centos7-node2.local:5000/httpd:1.1 centos7-node2.local/development/httpd:1.4
    [root@bogon ~]# docker login centos7-node2.local
    Username: gouyacai
    Password: 
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    
    [root@bogon ~]# docker push centos7-node2.local/development/httpd:1.2
    The push refers to repository [centos7-node2.local/development/httpd]
    ddcb568d3d1e: Pushed 
    da6517724f67: Pushed 
    1.2: digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5 size: 741
    [root@bogon ~]# docker push centos7-node2.local/development/httpd:1.3
    The push refers to repository [centos7-node2.local/development/httpd]
    ddcb568d3d1e: Layer already exists 
    da6517724f67: Layer already exists 
    1.3: digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5 size: 741
    [root@bogon ~]# docker push centos7-node2.local/development/httpd:1.4
    The push refers to repository [centos7-node2.local/development/httpd]
    ddcb568d3d1e: Layer already exists 
    da6517724f67: Layer already exists 
    1.4: digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5 size: 741
     

    image.png

    3.4. Pull images from harbor to the docker client

    [root@bogon ~]# docker image rm centos7-node2.local/development/httpd:1.2
    Untagged: centos7-node2.local/development/httpd:1.2
    [root@bogon ~]# docker image rm centos7-node2.local/development/httpd:1.3
    Untagged: centos7-node2.local/development/httpd:1.3
    [root@bogon ~]# docker image rm centos7-node2.local/development/httpd:1.4
    Untagged: centos7-node2.local/development/httpd:1.4
    Untagged: centos7-node2.local/development/httpd@sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5
    [root@bogon ~]# 
    [root@bogon ~]# docker image ls
    REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
    centos7-node2.local:5000/httpd   1.1                 bbffcf779dd4        2 weeks ago         264MB
    httpd                            1.1                 bbffcf779dd4        2 weeks ago         264MB
    nginx                            stable              ecc98fc2f376        5 weeks ago         109MB
    centos                           6.6                 4e1ad2ce7f78        5 weeks ago         203MB
    redis                            4-alpine            05097a3a0549        6 weeks ago         30MB
    
    [root@bogon ~]# docker pull centos7-node2.local/development/httpd:1.2
    1.2: Pulling from development/httpd
    Digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5
    Status: Downloaded newer image for centos7-node2.local/development/httpd:1.2
    
    [root@bogon ~]# docker pull centos7-node2.local/development/httpd:1.3
    1.3: Pulling from development/httpd
    Digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5
    Status: Downloaded newer image for centos7-node2.local/development/httpd:1.3
    
    [root@bogon ~]# docker pull centos7-node2.local/development/httpd:1.4
    1.4: Pulling from development/httpd
    Digest: sha256:e40c5748459eb28eb7cb39eb35f863abcd6b1aa1f341f1f8e999a27537d34bb5
    Status: Downloaded newer image for centos7-node2.local/development/httpd:1.4
    
    [root@bogon ~]# docker image ls
    REPOSITORY                              TAG                 IMAGE ID            CREATED             SIZE
    httpd                                   1.1                 bbffcf779dd4        2 weeks ago         264MB
    centos7-node2.local/development/httpd   1.2                 bbffcf779dd4        2 weeks ago         264MB
    centos7-node2.local/development/httpd   1.3                 bbffcf779dd4        2 weeks ago         264MB
    centos7-node2.local/development/httpd   1.4                 bbffcf779dd4        2 weeks ago         264MB

     

     
  • Original article: https://www.cnblogs.com/baomaggie/p/11622765.html