1. Dcoekr私有仓库使用
1.1 docker registry介绍
官方的Docker hub是一个用于管理公共镜像的好地方,我们可以在上面找到我们想要的镜像,也可以把我们自己的镜像推送上去。但是,有时候,我们的使用场景需要我们拥有一个私有的镜像仓库用于管理我们自己的镜像。这个可以通过开源软件Registry来达成目的。
Registry在github上有两份代码:老代码库和新代码库。老代码是采用python编写的,存在pull和push的性能问题,出到0.9.1版本之后就标志为deprecated,不再继续开发。从2.0版本开始就到在新代码库进行开发,新代码库是采用go语言编写,修改了镜像id的生成算法、registry上镜像的保存结构,大大优化了pull和push镜像的效率
1.2 部署无认证的docker registry
1.2.1 下载镜像
[root@docker01 ~]# docker pull registry:2.7.1
1.2.2 安装registry
# --restart=always: 当容器异常停止时,自动启动(重启)容器
[root@docker01 ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry:2.7.1
61c0d9792c835541eb93bc11c8ea8cd7e2bc9f706dd4af9565325f3567f1b23d
[root@docker01 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61c0d9792c83 registry:2.7.1 "/entrypoint.sh /etc…" 3 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp registry
1.2.3 上传镜像到私有仓库
# docker push上传镜像时,默认是上传到官方仓库的,如果需要上传到私有仓库,就要给镜像打上私有仓库的标签,如果是开启了登录认证的私有仓库,需要先登录,再上传。
# 上传镜像流程:打标签、登录仓库、上传
[root@docker01 ~]# docker tag alpine:latest 10.0.0.11:5000/alpine:latest
[root@docker01 ~]# docker push 10.0.0.11:5000/alpine:latest
The push refers to repository [10.0.0.11:5000/alpine]
Get https://10.0.0.11:5000/v2/: http: server gave HTTP response to HTTPS client # 这里是因为默认私有仓库走的是https协议,而我们启动仓库时,用的是http协议,所以上传失败,解决方法如下
# 更改daemon.json配置文件,添加信任
[root@docker01 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"insecure-registries": ["10.0.0.11:5000"] # 安全的私有仓库(每添加新的一行配置时,都要在上一行的末尾添加一个 , 逗号,不然重启docker会失败)
}
[root@docker01 ~]# systemctl restart docker
[root@docker01 ~]# docker push 10.0.0.11:5000/alpine:latest
The push refers to repository [10.0.0.11:5000/alpine]
ace0eda3e3be: Pushed
latest: digest: sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e size: 528
# 这里镜像就推送成功了
1.3 部署带basic认证的registry
1.3.1 安装httpd-tools吗,并进行配置
[root@docker01 ~]# yum -y install httpd-tools
[root@docker01 ~]# mkdir /opt/registry-var/auth -p
[root@docker01 ~]# htpasswd -Bbn admin 123456 >> /opt/registry-var/auth/htpasswd
[root@docker01 ~]# cat /opt/registry-var/auth/htpasswd
admin:$2y$05$wWzxWJ1ne0eD/AbupxYGAeifyOesr0yMLUQp4lAEG84biYQh.SwMi
1.3.2 启动容器
[root@docker01 ~]# docker rm -f `docker ps -a -q`
61c0d9792c83
0a0a3665c7f0
e7d55ceb545c
9abc121fa093
# -e 传输变量和变量值到容器中
[root@docker01 ~]# docker run -d -p 5000:5000 --restart=always -v /opt/registry-var/auth/:/auth/ -v /opt/myregistry:/var/lib/registry -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry:2.7.1
c7bb33e3337052c6bfe7fdbe57053298b009f5e0e38c11ef1c10a76073ae9e59
[root@docker01 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c7bb33e33370 registry:2.7.1 "/entrypoint.sh /etc…" 3 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp upbeat_jennings
1.3.3 上传(下载)镜像到容器中
[root@docker01 ~]# docker pull 10.0.0.11:5000/alpine:latest
Error response from daemon: Get http://10.0.0.11:5000/v2/alpine/manifests/latest: no basic auth credentials # 这里下载镜像失败,是因为开启了认证,需要登录才行
# 登录仓库
[root@docker01 ~]# docker login 10.0.0.11:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json. # 登录凭证文件,只要这个文件存在,就不用重复登录
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# 下载镜像
[root@docker01 ~]# docker pull 10.0.0.11:5000/alpine:latest
latest: Pulling from alpine
Digest: sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e
Status: Image is up to date for 10.0.0.11:5000/alpine:latest
10.0.0.11:5000/alpine:latest
web效果
2. Docker企业级镜像仓库Harbor使用
Registry缺点:
用户权限设置不合理,要么谁都能下载,要么谁都不不能下载。没有什么管理员和普通用户之说。
没有图形化界面。
功能太少,简单,删除镜像比较麻烦,还要手动删除。
2.1 安装Harbor私有仓库
安装要求:docker1.17以上,docker-commps1.18及以上
Github地址:https://github.com/goharbor/harbor
官方文档:https://goharbor.io/docs/2.0.0/install-config/
[root@docker01 ~]# ll -h
total 528M
-rw-r--r-- 1 root root 528M Dec 22 18:27 harbor-offline-installer-v1.8.0.tgz
# 清理环境
[root@docker01 ~]# docker rm -f `docker ps -a -q`
[root@docker01 ~]# tar zxf harbor-offline-installer-v1.8.0.tgz -C /opt/
[root@docker01 ~]# cd /opt/harbor/
[root@docker01 /opt/harbor]#
[root@docker01 /opt/harbor]# ls
harbor.v1.8.0.tar.gz # harbor镜像包 harbor.yml install.sh LICENSE prepare
[root@docker01 /opt/harbor]# docker load -i harbor.v1.8.0.tar.gz
2.1.1 安装http协议的harbor
[root@docker01 /opt/harbor]# cat harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 10.0.0.11 # 改一下这个访问地址就可以了
[root@docker01 /opt/harbor]# ./install.sh
…………省略部分输出
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://10.0.0.11.
For more details, please visit https://github.com/goharbor/harbor .
2.2 浏览器访问
2.3 上传镜像到harbor仓库
[root@docker02 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://hub-mirror.c.163.com"],
"insecure-registries": ["10.0.0.11"], # 把原来registry的5000端口去掉。因为这里使用的就是80端口,所以可以不加端口号
"hosts":["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"],
"cluster-store": "consul://10.0.0.13:8500",
"cluster-advertise": "10.0.0.12:2376"
}
[root@docker02 ~]# systemctl restart docker
[root@docker02 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
consul latest 2823bc69f80f 5 days ago 120MB
nginx latest bc9a0695f571 3 weeks ago 133MB
busybox latest d8233ab899d4 22 months ago 1.2MB
centos 6.9 adf829198a7f 2 years ago 195MB
[root@docker02 ~]# docker tag centos:6.9 10.0.0.11/library/centos:6.9
[root@docker02 ~]# docker login 10.0.0.11
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker02 ~]# docker push 10.0.0.11/library/centos:6.9
The push refers to repository [10.0.0.11/library/centos]
b5e11aae8a8e: Pushed
6.9: digest: sha256:0e59afcc4d7a07fcbd6285f79f6f377ce997ae091c10f8e3c2feb2bcda90b06c size: 529
浏览器查看
3. 配置harbor https
由于这里我没有证书,所以只讲一下如何修改配置文件
[root@docker01 /opt/harbor]# vim harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 10.0.0.11
# http related config
#http: # 注释原来的http
# port for http, default is 80. If https enabled, this port will redirect to https port
# port: 80 # 注释原来的80
# https related config
https: # 使用https
# # https port for harbor, default is 443
port: 443 # 使用443
# # The path of cert and key files for nginx
certificate: /your/certificate/path # 证书文件存放位置
private_key: /your/private/key/path # 私钥文件存放位置
# 重启服务
[root@docker01 /opt/harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up
harbor-db /entrypoint.sh postgres Up 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 80/tcp
nginx nginx -g daemon off; Up 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
# 这里可以使用 docker-compose stop all停止所有服务,然后ps -ef查看这里服务进程是否还在运行,如果还在运行,就kill掉。
# 然后 docker-compose start all,保险起见,一个服务一个服务的启动
# 如果还是不行,就入下
[root@docker01 /opt/harbor]# vim install.sh # 把下面内容注释掉,然后重新./install.sh
if [ -f harbor*.tar.gz ]
then
h2 "[Step $item]: loading Harbor images ..."; let item+=1
docker load -i ./harbor*.tar.gz
fi