Docker private registry (a quick study) and quickly setting up a simple Harbor registry with docker-compose

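Docker Registry types

  • A registry stores Docker images, including their layer structure and metadata
  • Users can run their own registry or use the official Docker Hub
  • Types
    • Sponsor Registry: a third-party registry for customers and the Docker community
    • Mirror Registry: a third-party registry for customers only
    • Vendor Registry: a registry provided by the vendor that publishes the Docker images
    • Private Registry: a registry provided by a private entity, behind a firewall and additional security layers

Docker registry access uses HTTPS by default

docker-distribution: Docker's official registry image; pull it and run it as a container

It can also be installed directly on the host: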

[root@docker1 ~]# yum install docker-distribution.x86_64
[root@docker1 ~]# rpm -ql docker-distribution 
/etc/docker-distribution/registry/config.yml
/usr/bin/registry
/usr/lib/systemd/system/docker-distribution.service
/usr/share/doc/docker-distribution-2.6.2
/usr/share/doc/docker-distribution-2.6.2/AUTHORS
/usr/share/doc/docker-distribution-2.6.2/CONTRIBUTING.md
/usr/share/doc/docker-distribution-2.6.2/LICENSE
/usr/share/doc/docker-distribution-2.6.2/MAINTAINERS
/usr/share/doc/docker-distribution-2.6.2/README.md
/var/lib/registry

View the default configuration file:

[root@docker1 ~]# cat /etc/docker-distribution/registry/config.yml 
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: :5000

Start docker-distribution

[root@docker1 ~]# systemctl start docker-distribution
[root@docker1 ~]# ss -ltunp | grep :5000
tcp    LISTEN     0      128      :::5000                 :::*                   users:(("registry",pid=36076,fd=3))

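Now push an image from the docker2 machine to the registry on docker1. The image must be tagged with the registry address first, because by default an image name refers to the top-level repositories on Docker Hub

On docker2, resolve docker1's IP address in /etc/hosts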

[root@docker2 ~]# docker images | head -2
REPOSITORY                                        TAG                 IMAGE ID            CREATED             SIZE
docker1:5000/httpd                                v0.2                a83a2c1ac8b3        2 days ago          1.15MB
[root@docker2 ~]# tail -1 /etc/hosts
192.168.2.163	docker1

Push the image with docker push

This fails: the Docker client speaks HTTPS but the server answered with HTTP. docker push uses HTTPS by default, while the registry on docker1 serves plain HTTP

[root@docker2 ~]# docker push docker1:5000/httpd:v0.2 
The push refers to repository [docker1:5000/httpd]
Get https://docker1:5000/v2/: http: server gave HTTP response to HTTPS client

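Edit the Docker client's configuration file to tell it to use insecure HTTP for this registry; after that the push succeeds. Traffic to a registry listed under insecure-registries is neither encrypted nor authenticated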

[root@docker2 ~]# vim /etc/docker/daemon.json 
[root@docker2 ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://7f28zkr3.mirror.aliyuncs.com"],
  "insecure-registries":["docker1:5000"]
}
[root@docker2 ~]# systemctl restart docker
[root@docker2 ~]# 
[root@docker2 ~]# docker push docker1:5000/httpd:v0.2 
The push refers to repository [docker1:5000/httpd]
c8afcb5503d3: Pushed 
23bc2b70b201: Pushed 
v0.2: digest: sha256:7bc2e3c0bca86a692501522ff7adf637c1fcda87fca23a754e7db68f00c80f54 size: 734

Uploaded images are stored under /var/lib/registry/; you can look for yourself, images are stored layer by layer

[root@docker1 ~]# cd /var/lib/registry/docker/registry/v2/repositories/httpd/
[root@docker1 httpd]# ls
_layers  _manifests  _uploads
[root@docker1 httpd]# ls _layers/sha256/
0d92fe152d7718e782cdae0ef465c5891492fdf7420a637e8c46057df21ecd83/ b4a6e23922ddc3d105fee9afff80151a13fe058143351a8e9294286575f2f37e/
a83a2c1ac8b323164e6143d302ee9c9d2e380956181390c67d38b5454ba4883c/ 
[root@docker1 httpd]# ls _layers/sha256/0d92fe152d7718e782cdae0ef465c5891492fdf7420a637e8c46057df21ecd83/
link
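
An integrity check over the storage layout shown above, as an added example that is not part of the original post. It assumes the standard registry v2 filesystem layout, in which blob content lives under blobs/sha256/<first two hex characters>/<digest>/data and each repository holds only link files; add_layer is a hypothetical helper that builds constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"[0-9a-f]{64}")

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large layers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_registry(root):
    """Check a registry v2 filesystem store; return sorted (problem, path) tuples."""
    v2 = Path(root) / "docker" / "registry" / "v2"
    blobs = v2 / "blobs" / "sha256"
    problems = []
    # Blobs are content-addressed: blobs/sha256/<first two hex chars>/<digest>/data
    for data in blobs.glob("*/*/data"):
        if sha256_file(data) != data.parent.name:
            problems.append(("digest-mismatch", data.relative_to(v2).as_posix()))
    # A repository holds no layer data, only "link" files containing "sha256:<digest>"
    for link in (v2 / "repositories").rglob("link"):
        rel = link.relative_to(v2).as_posix()
        algo, _, digest = link.read_text().strip().partition(":")
        if algo != "sha256" or not HEX64.fullmatch(digest):
            problems.append(("bad-link", rel))
            continue
        # In _layers/sha256/<digest>/link the directory name repeats the digest
        if link.parent.parent.name == "sha256" and link.parent.name != digest:
            problems.append(("link-name-mismatch", rel))
        if not (blobs / digest[:2] / digest / "data").is_file():
            problems.append(("dangling-link", rel))
    return sorted(problems)

def add_layer(root, repo, content, corrupt=False, store_blob=True):
    """Write one constructed layer blob plus its repository link; return the digest."""
    v2 = Path(root) / "docker" / "registry" / "v2"
    digest = hashlib.sha256(content).hexdigest()
    if store_blob:
        blob_dir = v2 / "blobs" / "sha256" / digest[:2] / digest
        blob_dir.mkdir(parents=True)
        # corrupt=True simulates a blob modified on disk after it was pushed
        (blob_dir / "data").write_bytes(content + (b"!" if corrupt else b""))
    link_dir = v2 / "repositories" / repo / "_layers" / "sha256" / digest
    link_dir.mkdir(parents=True)
    (link_dir / "link").write_text("sha256:" + digest)
    return digest

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        add_layer(tmp, "httpd", b"constructed layer A")
        add_layer(tmp, "httpd", b"constructed layer B", corrupt=True)
        add_layer(tmp, "httpd", b"constructed layer C", store_blob=False)
        for problem, path in verify_registry(tmp):
            print(problem, path)
```

On a real host, pass /var/lib/registry as root; an empty result means every stored blob still matches its digest and every link resolves.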

Try pulling this image on the docker1 machine; its Docker configuration file must also be changed to use insecure HTTP

[root@docker1 httpd]# vim /etc/docker/daemon.json 
[root@docker1 httpd]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://7f28zkr3.mirror.aliyuncs.com"],
  "bip":"10.0.0.1/16",
  "hosts":["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"],
  "insecure-registries":["docker1:5000"]
}
[root@docker1 httpd]# systemctl restart docker
[root@docker1 httpd]# docker pull docker1:5000/httpd:v0.2
v0.2: Pulling from httpd
Digest: sha256:7bc2e3c0bca86a692501522ff7adf637c1fcda87fca23a754e7db68f00c80f54
Status: Downloaded newer image for docker1:5000/httpd:v0.2
[root@docker1 httpd]# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
docker1:5000/httpd   v0.2                a83a2c1ac8b3        2 days ago          1.15MB
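
A check for the daemon.json settings used above, as an added example that is not part of the original post. It flags registries listed under insecure-registries, a Docker API bound to TCP without tlsverify, and files that are invalid JSON or repeat a key; the sample inputs are constructed from the configuration values shown in this post, and the severity labels are this example's own.

```python
import json

class DuplicateKey(ValueError):
    """Raised when a JSON object repeats a key."""

def _reject_duplicates(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKey(key)
        obj[key] = value
    return obj

def audit_daemon_json(text):
    """Return (severity, message) findings for the text of a daemon.json file."""
    try:
        cfg = json.loads(text, object_pairs_hook=_reject_duplicates)
    except DuplicateKey as exc:
        return [("error", f"key {exc} appears twice; most parsers keep only the last value")]
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON at line {exc.lineno}: {exc.msg}")]
    if not isinstance(cfg, dict):
        return [("error", "top level of daemon.json must be an object")]
    findings = []
    for registry in cfg.get("insecure-registries", []):
        findings.append(("warn", f"{registry}: plain HTTP or unverified TLS accepted"))
    tls_verified = cfg.get("tlsverify") is True
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://") or tls_verified:
            continue
        addr = host[len("tcp://"):]
        loopback = addr.startswith(("127.", "localhost", "[::1]"))
        severity = "warn" if loopback else "high"
        findings.append((severity, f"{host}: Docker API over TCP without tlsverify"))
    for mirror in cfg.get("registry-mirrors", []):
        if mirror.startswith("http://"):
            findings.append(("warn", f"{mirror}: mirror fetched over plain HTTP"))
    return findings

# Constructed samples built from the daemon.json values shown in this post.
DOCKER1_CONFIG = """{
  "registry-mirrors": ["https://7f28zkr3.mirror.aliyuncs.com"],
  "bip":"10.0.0.1/16",
  "hosts":["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"],
  "insecure-registries":["docker1:5000"]
}"""
MISSING_COMMA = """{
  "insecure-registries":["docker1:5000"]
  "insecure-registries":["harbor.uscwifi.cn"]
}"""
# Same file with the comma restored: valid JSON, but the key is now repeated.
REPEATED_KEY = MISSING_COMMA.replace('"]\n  "', '"],\n  "')

if __name__ == "__main__":
    for name in ("DOCKER1_CONFIG", "MISSING_COMMA", "REPEATED_KEY"):
        print(name, audit_daemon_json(globals()[name]))
```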

Harbor

GitHub home page: https://docs.docker.com/compose/compose-file/

Installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md

Automated builds, webhooks, a polished UI, and image search in the web UI just like Docker Hub

Built on top of docker registry

Project Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.

  • Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security and management.
  • Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.

Features

  • Multi-tenant content signing and validation
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently English and Chinese)

docker compose

Reference: https://docs.docker.com/compose/compose-file/

Docker's single-host orchestration tool:

Offline installation of Harbor with compose

Download and unpack the package:

[root@docker1 ~]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.0.tgz
[root@docker1 ~]# tar xf harbor-offline-installer-v1.7.0.tgz -C /usr/local
[root@docker1 ~]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
[root@docker1 ~]# 

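docker-compose.yaml is the docker-compose configuration file; the defaults are fine

Edit the Harbor configuration file

It sets the hostname, the Harbor login name and password, and whether to use HTTPS. Harbor 1.7 uses PostgreSQL as its database and also uses Redis

hostname = harbor.uscwifi.cn
max_job_workers = 10    # number of workers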
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
log_rotate_count = 50
log_rotate_size = 200M
email_server = smtp.mydomain.com
harbor_admin_password = Harbor12345
db_host = postgresql
db_password = root123
#The port of Harbor database host
db_port = 5432
db_user = postgres
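
A pre-install check for harbor.cfg, as an added example that is not part of the original post or of Harbor itself. It reports the two template passwords that appear in the configuration above when they are left unchanged, a password key that is missing (for instance because it was misspelled), and an HTTP-only setup; ui_url_protocol is the harbor.cfg key that selects http or https and is treated as http when absent, which is an assumption of this example, and both sample files are constructed.

```python
import re

# Defaults shipped in Harbor's harbor.cfg template; both appear in the post's config.
PUBLISHED_DEFAULTS = {"harbor_admin_password": "Harbor12345", "db_password": "root123"}

def parse_harbor_cfg(text):
    """Parse 'key = value' lines, dropping '#' comments (full-line or after whitespace)."""
    cfg = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit_harbor_cfg(text):
    """Return (key, problem) findings for the text of a harbor.cfg file."""
    cfg = parse_harbor_cfg(text)
    findings = []
    for key, default in PUBLISHED_DEFAULTS.items():
        if key not in cfg:
            findings.append((key, "not set (misspelled key?)"))
        elif cfg[key] == default:
            findings.append((key, "published default password still in use"))
    # Assumption of this example: a missing ui_url_protocol is treated as http.
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append(("ui_url_protocol", "portal and docker login run over plain HTTP"))
    else:
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append((key, "required when ui_url_protocol = https"))
    return findings

# Constructed sample: template passwords, one misspelled key, HTTP only.
WEAK_CFG = """
hostname = harbor.example.test
ui_url_protocol = http
harbor_admin_password = Harbor12345
b_password = root123    # misspelled, so db_password is never set
#The port of Harbor database host
db_port = 5432
"""

# Constructed sample: HTTPS with certificate paths and non-default passwords.
HARDENED_CFG = """
hostname = harbor.example.test
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
harbor_admin_password = constructed-admin-secret
db_password = constructed-db-secret
"""

if __name__ == "__main__":
    for key, problem in audit_harbor_cfg(WEAK_CFG):
        print(f"{key}: {problem}")
    print("hardened findings:", audit_harbor_cfg(HARDENED_CFG))
```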

Start the Harbor installation

[root@docker1 harbor]# yum install epel-release.noarch -y
[root@docker1 harbor]# yum install docker-compose -y
[root@docker1 harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 18.06.1

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
93e951af0370: Loading layer [==================================================>]  32.92MB/32.92MB
b07c3b7617d1: Loading layer [==================================================>]  8.955MB/8.955MB
8a648a517967: Loading layer [==================================================>]   15.6MB/15.6MB
779c814058b2: Loading layer [==================================================>]  17.41kB/17.41kB
9e20a0be79e4: Loading layer [==================================================>]   15.6MB/15.6MB
Loaded image: goharbor/harbor-adminserver:v1.7.0
4297ec306d6c: Loading layer [==================================================>]  8.955MB/8.955MB
a12cde073f45: Loading layer [==================================================>]   22.8MB/22.8MB
0c1bffe1be38: Loading layer [==================================================>]  3.072kB/3.072kB
fed6dbfa94fa: Loading layer [==================================================>]  7.465MB/7.465MB
d6eb3348ffbe: Loading layer [==================================================>]  30.26MB/30.26MB
Loaded image: goharbor/harbor-registryctl:v1.7.0
c13145c62cf8: Loading layer [==================================================>]  64.84MB/64.84MB
4c99c8ba2cde: Loading layer [==================================================>]  3.072kB/3.072kB
44a1362c9b8e: Loading layer [==================================================>]   59.9kB/59.9kB
8ce0285d24fc: Loading layer [==================================================>]  61.95kB/61.95kB
Loaded image: goharbor/redis-photon:v1.7.0
d4fcd72d2acd: Loading layer [==================================================>]   8.96MB/8.96MB
b08aeb2eb53f: Loading layer [==================================================>]  35.08MB/35.08MB
ae47b31c410d: Loading layer [==================================================>]  2.048kB/2.048kB
e441c5110655: Loading layer [==================================================>]  3.072kB/3.072kB
2fd30180e5e5: Loading layer [==================================================>]  35.08MB/35.08MB
Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.7.0
136482b2f6f3: Loading layer [==================================================>]   3.39MB/3.39MB
039eae17292e: Loading layer [==================================================>]  4.716MB/4.716MB
dc5eee7908d6: Loading layer [==================================================>]  3.584kB/3.584kB
Loaded image: goharbor/harbor-portal:v1.7.0
0e74496c6950: Loading layer [==================================================>]  8.955MB/8.955MB
15c9a151202f: Loading layer [==================================================>]  21.51MB/21.51MB
953c969e39ad: Loading layer [==================================================>]  21.51MB/21.51MB
Loaded image: goharbor/harbor-jobservice:v1.7.0
eb5a3a0dbc61: Loading layer [==================================================>]   3.39MB/3.39MB
Loaded image: goharbor/nginx-photon:v1.7.0
bc23790eef84: Loading layer [==================================================>]  63.31MB/63.31MB
5ca06da9ad20: Loading layer [==================================================>]  40.57MB/40.57MB
4f32f5a7c4c9: Loading layer [==================================================>]  6.656kB/6.656kB
37ae4614bffc: Loading layer [==================================================>]  2.048kB/2.048kB
36f46ea7b71d: Loading layer [==================================================>]   7.68kB/7.68kB
99bf27d6d0cc: Loading layer [==================================================>]   2.56kB/2.56kB
13e21e5fbfc6: Loading layer [==================================================>]   2.56kB/2.56kB
35d4106fa26d: Loading layer [==================================================>]   2.56kB/2.56kB
Loaded image: goharbor/harbor-db:v1.7.0
3ebe32b61098: Loading layer [==================================================>]  8.954MB/8.954MB
8667645d95c3: Loading layer [==================================================>]  13.43MB/13.43MB
cade3b441a2a: Loading layer [==================================================>]   17.3MB/17.3MB
9fb1d77ff057: Loading layer [==================================================>]  11.26kB/11.26kB
25a21beb926b: Loading layer [==================================================>]  3.072kB/3.072kB
ba2ec726786e: Loading layer [==================================================>]  30.72MB/30.72MB
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.0
5090c10b14d0: Loading layer [==================================================>]  12.11MB/12.11MB
4b1d5b0385f5: Loading layer [==================================================>]   17.3MB/17.3MB
f9f418bec695: Loading layer [==================================================>]  11.26kB/11.26kB
da1e63f4a31b: Loading layer [==================================================>]  3.072kB/3.072kB
3f8b984303e8: Loading layer [==================================================>]  29.41MB/29.41MB
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.0
31675abcf456: Loading layer [==================================================>]    113MB/113MB
5094a1326364: Loading layer [==================================================>]  11.46MB/11.46MB
b324c0e7a2d3: Loading layer [==================================================>]  2.048kB/2.048kB
a16d9ae02855: Loading layer [==================================================>]  48.13kB/48.13kB
a8362a2377a9: Loading layer [==================================================>]  3.072kB/3.072kB
8dd4465b785e: Loading layer [==================================================>]  11.51MB/11.51MB
Loaded image: goharbor/clair-photon:v2.0.7-v1.7.0
4de51055f30c: Loading layer [==================================================>]  133.2MB/133.2MB
a3dbf62e8962: Loading layer [==================================================>]    684MB/684MB
042663fd852c: Loading layer [==================================================>]   7.68kB/7.68kB
a8704e62e5a5: Loading layer [==================================================>]    212kB/212kB
Loaded image: goharbor/harbor-migrator:v1.7.0
d071182f0989: Loading layer [==================================================>]  8.955MB/8.955MB
f3612283b0e7: Loading layer [==================================================>]  27.24MB/27.24MB
36eb37ad53c8: Loading layer [==================================================>]  5.632kB/5.632kB
ab115d85bed7: Loading layer [==================================================>]  27.24MB/27.24MB
Loaded image: goharbor/harbor-core:v1.7.0
4b0f921bbad9: Loading layer [==================================================>]  50.39MB/50.39MB
b7135566a59e: Loading layer [==================================================>]  3.584kB/3.584kB
c396d105f9d0: Loading layer [==================================================>]  3.072kB/3.072kB
e13ef0c2ab14: Loading layer [==================================================>]  4.096kB/4.096kB
fd02ffa15f0c: Loading layer [==================================================>]  3.584kB/3.584kB
c7a5e5579a32: Loading layer [==================================================>]  10.24kB/10.24kB
Loaded image: goharbor/harbor-log:v1.7.0
1a6785975e13: Loading layer [==================================================>]  8.955MB/8.955MB
7211858db3fc: Loading layer [==================================================>]  3.072kB/3.072kB
bd91fc754ebc: Loading layer [==================================================>]   2.56kB/2.56kB
cdafbc058a04: Loading layer [==================================================>]   2.56kB/2.56kB
3fa42220b2aa: Loading layer [==================================================>]  2.048kB/2.048kB
044cc5016d5f: Loading layer [==================================================>]   22.8MB/22.8MB
1fc77ba8533d: Loading layer [==================================================>]   22.8MB/22.8MB
Loaded image: goharbor/registry-photon:v2.6.2-v1.7.0


[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Creating harbor-log ... done
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...
Creating harbor-adminserver ... done
Creating harbor-core ... done
[Step 4]: starting Harbor ...
Creating harbor-portal ... done
Creating nginx ... done
Creating registry ... 
Creating harbor-adminserver ... 
Creating harbor-db ... 
Creating registryctl ... 
Creating redis ... 
Creating harbor-core ... 
Creating harbor-portal ... 
Creating harbor-jobservice ... 
Creating nginx ... 

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://harbor.uscwifi.cn. 
For more details, please visit https://github.com/goharbor/harbor .

Access the Harbor web UI by IP address

[Image 1]

After logging in, it looks like this:

[Image 2]

Create a user:

[Image 3]

Repository management:

[Image 4]

Replication management:

[Image 5]

Configuration management:

[Image 6]

As the uscwifi user, create a repository to push images to:

[Image 7]

Push an image to Harbor

First edit the Docker configuration file to allow HTTP, then log in to the registry, tag the image, and push

[root@docker1 ~]# vim /etc/docker/daemon.json 
[root@docker1 ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://7f28zkr3.mirror.aliyuncs.com"],
  "bip":"10.0.0.1/16",
  "hosts":["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"],
  "insecure-registries":["docker1:5000","harbor.uscwifi.cn"]
}
[root@docker1 ~]# systemctl restart docker
offline_token=true&service=harbor-registry: dial tcp: lookup harbor.uscwifi.cn on 192.168.183.2:53: no such host
[root@docker1 harbor]# vim /etc/hosts
[root@docker1 harbor]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 harbor.uscwifi.cn
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@docker1 harbor]# docker login harbor.uscwifi.cn
Username: uscwifi
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@docker1 harbor]# docker push harbor.uscwifi.cn/web/myweb:v0.1-7
The push refers to repository [harbor.uscwifi.cn/web/myweb]
52f1f723f5b6: Pushed 
ff40bd797a08: Pushed 
b090ec92960a: Pushed 
cf1f565e7522: Pushed 
23bc2b70b201: Pushed 
v0.1-7: digest: sha256:311afc783dae27b1a2d569d308f46f4c61f1f190e70e726a26d1301bdb41d120 size: 1360

Check in the web UI:

[Image 8]

To stop and start Harbor, use docker compose, run from the harbor directory (the docker-compose.yml file is in this directory)

[root@docker1 ~]# docker-compose start
ERROR: 
        Can't find a suitable configuration file in this directory or any
        parent. Are you in the right directory?

        Supported filenames: docker-compose.yml, docker-compose.yaml
        
[root@docker1 ~]# cd /usr/local/harbor/
[root@docker1 harbor]# docker-compose start
Starting log         ... done
Starting postgresql  ... done
Starting registry    ... done
Starting registryctl ... done
Starting redis       ... done
Starting adminserver ... done
Starting core        ... done
Starting portal      ... done
Starting proxy       ... done
Starting jobservice  ... done
[root@docker1 harbor]# docker-compose pause 
Pausing harbor-log         ... done
Pausing registry           ... done
Pausing harbor-adminserver ... done
Pausing registryctl        ... done
Pausing harbor-db          ... done
Pausing redis              ... done
Pausing harbor-core        ... done
Pausing harbor-jobservice  ... done
Pausing harbor-portal      ... done
Pausing nginx              ... done
[root@docker1 harbor]# docker-compose unpause 
Unpausing nginx              ... done
Unpausing harbor-portal      ... done
Unpausing harbor-jobservice  ... done
Unpausing harbor-core        ... done
Unpausing redis              ... done
Unpausing harbor-db          ... done
Unpausing registryctl        ... done
Unpausing harbor-adminserver ... done
Unpausing registry           ... done
Unpausing harbor-log         ... done

docker-compose help

[root@docker1 harbor]# docker-compose --help
Define and run multi-container applications with Docker.

Usage:
  docker-compose [-f ...] [options] [COMMAND] [ARGS...]
  docker-compose -h|--help

Options:
  -f, --file FILE             Specify an alternate compose file (default: docker-compose.yml)
  -p, --project-name NAME     Specify an alternate project name (default: directory name)
  --verbose                   Show more output
  --no-ansi                   Do not print ANSI control characters
  -v, --version               Print version and exit
  -H, --host HOST             Daemon socket to connect to

  --tls                       Use TLS; implied by --tlsverify
  --tlscacert CA_PATH         Trust certs signed only by this CA
  --tlscert CLIENT_CERT_PATH  Path to TLS certificate file
  --tlskey TLS_KEY_PATH       Path to TLS key file
  --tlsverify                 Use TLS and verify the remote
  --skip-hostname-check       Don't check the daemon's hostname against the name specified
                              in the client certificate (for example if your docker host
                              is an IP address)
  --project-directory PATH    Specify an alternate working directory
                              (default: the path of the Compose file)

Commands:
  build              Build or rebuild services
  bundle             Generate a Docker bundle from the Compose file
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove containers, networks, images, and volumes
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show the Docker-Compose version information