Docker Image Registries (Harbor)

I. Introduction

1. Image repositories

An image repository stores Docker images.
A Docker registry provides the image repository service.
One Docker registry can contain many image repositories.
Repositories are either public or private.

Two ways to build a private registry: Registry and Harbor.

2. Drawbacks of using the official registry

It needs an internet connection, and uploads and downloads are slow.
Images pushed to Docker Hub can be accessed by anyone; private repositories are available, but not for free.
For security reasons many organisations do not allow images to be stored outside their own network.

II. The registry repository

System       IP             Hostname   Role
CentOS 7.4   192.168.2.17   Docker1    Docker, registry, harbor
CentOS 7.4   192.168.2.1    Docker2    Docker

1. Start the registry container

Docker officially provides an image, registry, for building a private repository: pull the image, run the container with port 5000 exposed, and it is ready to use.

   -p: the registry listens on port 5000 by default; map it to local port 5000
   -v: mount the local directory /data/registry at /var/lib/registry inside the container
[root@Docker1 ~]# docker run -d -p 5000:5000 -v /data/registry:/var/lib/registry  registry:2                       

[root@Docker1 ~]# docker ps            
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS                                       NAMES
dba2d52fda19   registry:2   "/entrypoint.sh /etc…"   13 seconds ago   Up 12 seconds   0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   busy_bouman

Open 192.168.2.17:5000/v2 in a browser to check that the registry is up.

[Figure 1]

2. Push an image


[root@Docker1 ~]# docker tag nginx:latest 192.168.2.17:5000/librar/nginx:latest          

[root@Docker1 ~]# docker images                 
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
registry                         2         9c97225e83c8   3 weeks ago   24.2MB
192.168.2.17:5000/librar/nginx   latest    c316d5a335a5   5 weeks ago   142MB
nginx                            latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker1 ~]# vim /etc/docker/daemon.json     # configure docker
{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.2.17:5000"]
}

Save and exit.

[root@Docker1 ~]# systemctl restart docker               

[root@Docker1 ~]# docker ps -a             
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS                      PORTS     NAMES
dba2d52fda19   registry:2   "/entrypoint.sh /etc…"   18 minutes ago   Exited (2) 35 seconds ago             busy_bouman
[root@Docker1 ~]# docker start dba2d52fda19               
dba2d52fda19

[root@Docker1 ~]# docker push 192.168.2.17:5000/librar/nginx:latest           
The push refers to repository [192.168.2.17:5000/librar/nginx]
762b147902c0: Pushed 
235e04e3592a: Pushed 
6173b6fa63db: Pushed 
9a94c4a55fe4: Pushed 
9a3a6af98e18: Pushed 
7d0ebbe3f5d2: Pushed 
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570

Open the registry in the browser to see the image we pushed.

[Figure 2]

We can also pull it back to the local host.


[root@Docker1 ~]# docker rmi 192.168.2.17:5000/librar/nginx:latest       
Untagged: 192.168.2.17:5000/librar/nginx:latest
Untagged: 192.168.2.17:5000/librar/nginx@sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
[root@Docker1 ~]# docker images          
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
registry     2         9c97225e83c8   3 weeks ago   24.2MB
nginx        latest    c316d5a335a5   5 weeks ago   142MB
————————————————————————————————————————————
[root@Docker1 ~]# docker pull 192.168.2.17:5000/librar/nginx:latest              
latest: Pulling from librar/nginx
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17:5000/librar/nginx:latest
192.168.2.17:5000/librar/nginx:latest
————————————————————————————————————————————
[root@Docker1 ~]# docker images          
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
registry                         2         9c97225e83c8   3 weeks ago   24.2MB
192.168.2.17:5000/librar/nginx   latest    c316d5a335a5   5 weeks ago   142MB
nginx                            latest    c316d5a335a5   5 weeks ago   142MB

Pull and push on Docker2 (installation of Docker omitted).


[root@Docker2 ~]# vim /etc/docker/daemon.json     # configure docker
{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.2.17:5000"]
}

Save and exit.

[root@Docker2 ~]# systemctl restart docker              

[root@Docker2 ~]# docker pull 192.168.2.17:5000/librar/nginx:latest                     
latest: Pulling from librar/nginx
5eb5b503b376: Pull complete 
1ae07ab881bd: Pull complete 
78091884b7be: Pull complete 
091c283c6a66: Pull complete 
55de5851019b: Pull complete 
b559bad762be: Pull complete 
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17:5000/librar/nginx:latest
192.168.2.17:5000/librar/nginx:latest

[root@Docker2 ~]# docker images              # now pulled to the local host
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
192.168.2.17:5000/librar/nginx   latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker2 ~]# docker tag 192.168.2.17:5000/librar/nginx:latest 192.168.2.17:5000/librar/nginx2:latest              
[root@Docker2 ~]# docker push 192.168.2.17:5000/librar/nginx2:latest                 
The push refers to repository [192.168.2.17:5000/librar/nginx2]
762b147902c0: Mounted from librar/nginx 
235e04e3592a: Mounted from librar/nginx 
6173b6fa63db: Mounted from librar/nginx 
9a94c4a55fe4: Mounted from librar/nginx 
9a3a6af98e18: Mounted from librar/nginx 
7d0ebbe3f5d2: Mounted from librar/nginx 
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570

We can see that it has been uploaded.

[Figure 3]

III. Setting up a Harbor private registry

1. About Harbor

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with features that enterprises need, such as security, identity and management. As an enterprise-grade private registry server, Harbor offers better performance and security, and makes it more efficient to move images between build and runtime environments through the registry. Harbor supports replicating images across multiple registry nodes; all images stay in the private registry, so data and intellectual property remain under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.

Harbor official website: Harbor (goharbor.io)
Harbor source code: GitHub - goharbor/harbor: An open source trusted cloud native registry project that stores, signs, and scans content.

2. Harbor architecture

[Figure 4: Harbor architecture]

3. The six Harbor modules

Proxy: Harbor's registry, UI, token service and the other components all sit behind a reverse proxy. The proxy forwards requests from browsers and Docker clients to the backend services.

Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, on every push/pull request the Registry requires the client to obtain a valid token from the token service.

Core services: the core functionality of Harbor, mainly the following three services:

UI: acts as the Registry webhook receiver and helps users manage images through a graphical user interface
1) Webhook: a mechanism configured in the registry; whenever an image in the registry changes, the Harbor webhook endpoint is notified. Harbor uses webhooks to update logs and to start replication jobs
2) Token service: issues a token for each push/pull request according to the user's role in the project. If a request carries no token, the registry redirects it to the token service
3) Database: stores project metadata, user data, role data, replication policies and image metadata

Job services: mainly used for image replication; local images can be synchronised to a remote Harbor instance
Log collector: collects the logs of the other modules in one place

4. How Harbor works
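Added example (not from the original post): a small shell script that checks a push through the registry's own v2 API, listing repositories and tags and comparing the digest that `docker push` printed with the Docker-Content-Digest header the registry returns for the manifest. The REGISTRY variable, the verify_push helper and the embedded push output and header block are assumptions or constructed samples, not part of the original.

```shell
#!/bin/sh
# Added example (not from the original post): check a push against the registry's
# own v2 API instead of trusting the client-side output alone.
# Assumed: a plain registry:2 as started above, reachable over HTTP at $REGISTRY.

# Extract the manifest digest that `docker push` prints on its final line.
push_digest() {   # push_digest <docker push output>
    printf '%s\n' "$1" | sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Extract the Docker-Content-Digest header from a block of HTTP response headers.
header_digest() {   # header_digest <response headers>
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Dd]ocker-[Cc]ontent-[Dd]igest: *//p' | head -n 1
}

# Return 0 when both digests are present and identical, 1 otherwise.
same_digest() {   # same_digest <expected> <actual>
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# --- Constructed sample data (the push output shown above plus a made-up header
# block) so the parsers can be exercised offline. ---
SAMPLE_PUSH_OUTPUT='The push refers to repository [192.168.2.17:5000/librar/nginx]
762b147902c0: Pushed
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570'

SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Docker-Distribution-Api-Version: registry/2.0'

# Live check: list the catalog and tags, then compare the pushed digest with the
# digest the registry reports for the manifest (HEAD request, same media type
# the client pushed, since the digest depends on the manifest format).
verify_push() {   # verify_push <registry host:port> <repository> <tag> <docker push output>
    reg=$1; repo=$2; tag=$3; expected=$(push_digest "$4")
    echo "catalog: $(curl -fsS "http://$reg/v2/_catalog")"
    echo "tags:    $(curl -fsS "http://$reg/v2/$repo/tags/list")"
    hdrs=$(curl -fsS -I -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
                 "http://$reg/v2/$repo/manifests/$tag")
    actual=$(header_digest "$hdrs")
    if same_digest "$expected" "$actual"; then
        echo "OK: registry holds $repo:$tag with digest $actual"
    else
        echo "MISMATCH: pushed=$expected registry=$actual" >&2
        return 1
    fi
}

# Only talk to a registry when REGISTRY is set; otherwise the file just defines helpers.
if [ -n "${REGISTRY:-}" ]; then
    verify_push "$REGISTRY" "${1:?repository}" "${2:?tag}" "${3:?docker push output}"
fi
```

Offline, `sh verify_push.sh` only defines the helpers; against the registry started above, `REGISTRY=192.168.2.17:5000 sh verify_push.sh librar/nginx latest "$(docker push 192.168.2.17:5000/librar/nginx:latest 2>&1)"` prints the catalog, the tag list and whether the digest matches. A mismatch means either the tag no longer points at the manifest that was pushed or the manifest was requested in a different format than the client sent. Note also that a registry container started without --restart=always stays down after `systemctl restart docker`, as happened above, so start it again before running the check.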

Docker Login

[Figure 5: Docker login flow]

1) First, the login request is received by the Proxy container and, according to the preset matching rules, forwarded to the backend Registry container.
2) The Registry parses the request. Because token-based authentication is configured, it looks for a token; finding none, it returns error code 401 together with the URL of the token service.
3) On receiving the error, the Docker client sends a request to the token service address instead, combining and encoding the username and password according to the HTTP Basic Authentication specification and placing them in the request header.
4) That request likewise reaches the Proxy container first and is forwarded to the ui/token container, which accepts it, decodes the header and obtains the username and password.
5) The ui/token container compares the username and password against the database (with LDAP authentication it calls the LDAP service to verify them). On success it returns a success status code, generates a token with its key and sends it to the Docker client.

Docker push

[Figure 6: Docker push flow]

1) As before, the client first talks to the Registry, which returns the URL of the token service.
2) The Docker client contacts the token service and states that it wants a token for a push image operation.
3) The token service queries the database to check whether the current user has permission for that operation. If so, it encodes the image information and the push operation, signs it with the private key, generates the token and returns it to the Docker client.
4) The Docker client contacts the Registry again, this time with the token in the request header. The Registry verifies the token with the public key, and once it checks out the push can begin.

5. Installing Harbor
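Added example (not from the original post or from Harbor's own code): the login and push handshake described above, driven by hand with curl so that each step is visible. The challenge is parsed into the token-service URL, the Basic credentials are exchanged for a bearer token, and the token's claims (which repository and actions it grants) are decoded. The HARBOR/HARBOR_USER/HARBOR_PASS variables, the realm and service values in the sample challenge, and the sample claims are assumptions or constructed samples; real values come from Harbor's own 401 response.

```shell
#!/bin/sh
# Added example (not from the original post or from Harbor): the token handshake
# described above, one step at a time with curl.
# Assumed: Harbor reachable over plain HTTP at $HARBOR (as configured above).
# The realm/service/scope values and the sample token below are constructed.

# Pull one parameter (realm, service, scope) out of a WWW-Authenticate value.
auth_param() {   # auth_param <name> <header value>
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Build the token-service URL the Docker client calls after the 401 (step 3 of login).
token_url() {   # token_url <WWW-Authenticate value>
    realm=$(auth_param realm "$1")
    service=$(auth_param service "$1")
    scope=$(auth_param scope "$1")
    printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# base64url helpers: JWT segments use - and _ and carry no = padding.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base64 -d
}

# Decode the claims segment of a token: subject, repository and granted actions.
# The third segment is the signature; only the Registry, holding the public key,
# can tell whether it is genuine, so this script does not try.
jwt_payload() {   # jwt_payload <token>
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Step 1: hit the registry endpoint unauthenticated and keep the challenge header.
registry_challenge() {   # registry_challenge <harbor host>
    curl -sS -D - -o /dev/null "http://$1/v2/" | tr -d '\r' | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *//p'
}

# Step 2: present Basic credentials at the realm URL and receive the token JSON.
fetch_token() {   # fetch_token <user> <WWW-Authenticate value>; password taken from $HARBOR_PASS
    curl -fsS -u "$1:$HARBOR_PASS" "$(token_url "$2")"
}

# --- Constructed samples for offline use ---
SAMPLE_CHALLENGE='Bearer realm="http://192.168.2.17/service/token",service="harbor-registry",scope="repository:library/nginx2:pull,push"'
SAMPLE_CLAIMS='{"iss":"harbor-token-issuer","sub":"admin","access":[{"type":"repository","name":"library/nginx2","actions":["pull","push"]}]}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_CLAIMS").signature-placeholder"

# Live run only when HARBOR is set; otherwise the file just defines helpers.
if [ -n "${HARBOR:-}" ]; then
    challenge=$(registry_challenge "$HARBOR")
    echo "challenge: $challenge"
    echo "token url: $(token_url "$challenge")"
    token=$(fetch_token "${HARBOR_USER:-admin}" "$challenge" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p')
    echo "claims:    $(jwt_payload "$token")"
fi
```

Against a live Harbor, `HARBOR=192.168.2.17 HARBOR_PASS=... sh token_flow.sh` prints the challenge, the derived token URL and the claims of the token that comes back. The challenge from /v2/ carries no scope, which is the login case; the challenge a push receives at the manifest endpoint adds a scope naming the repository and the push/pull actions, and that scope is what the token service checks against the user's role before signing (step 3 of the push flow). Decoding the claims shows what a token grants, but a token is only trustworthy after the Registry has checked its signature with the public key.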


[root@Docker1 ~]# ls harbor-offline-installer-v1.10.4.tgz             
harbor-offline-installer-v1.10.4.tgz

[root@Docker1 ~]# tar xf harbor-offline-installer-v1.10.4.tgz -C /usr/local/                         

Edit the Harbor configuration file


[root@Docker1 ~]# vi /usr/local/harbor/harbor.yml                    
..
hostname: 192.168.2.17        # change to this host's IP

# http related config
http:                          # keep http enabled; port: 80 below must stay nested under it
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:                                       # comment out https
  # https port for harbor, default is 443
  #port: 443                                  # commented out
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path        # commented out
  #private_key: /your/private/key/path        # commented out
.....
...

Save and exit.

Install docker-compose: download the docker-compose binary into /usr/bin and make it executable.


[root@Docker1 ~]# cd /usr/bin/                
[root@Docker1 bin]# chmod a+x docker-compose              

Start Harbor


[root@Docker1 bin]# cd /usr/local/harbor/            
[root@Docker1 harbor]# sh install.sh            

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.12

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.23.2

[Step 2]: loading Harbor images ...
.........................
.......
..

[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating registry      ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating registryctl   ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

Start and stop commands


docker-compose up -d            start Harbor
docker-compose stop             stop Harbor

Open 192.168.2.17 in a browser.   Username: admin   Password: Harbor12345   (note the capital H in the password)

[Figure 7]

[Figure 8]

6. Pushing an image from Docker2 to Docker1

Edit the Docker configuration file


[root@Docker2 ~]# vim /etc/docker/daemon.json                  

{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.2.17"]
}

Save and exit.

[root@Docker2 ~]# systemctl restart docker               

[root@Docker2 ~]# docker login -u admin -p Harbor12345 192.168.2.17          # log in to Harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@Docker2 ~]# docker tag nginx2:latest 192.168.2.17/library/nginx2:latest              
[root@Docker2 ~]# docker images                
REPOSITORY                    TAG       IMAGE ID       CREATED       SIZE
nginx2                        latest    c316d5a335a5   5 weeks ago   142MB
192.168.2.17/library/nginx2   latest    c316d5a335a5   5 weeks ago   142MB
——————————
[root@Docker2 ~]# docker push 192.168.2.17/library/nginx2:latest                   
The push refers to repository [192.168.2.17/library/nginx2]
762b147902c0: Pushed 
235e04e3592a: Pushed 
6173b6fa63db: Pushed 
9a94c4a55fe4: Pushed 
9a3a6af98e18: Pushed 
7d0ebbe3f5d2: Pushed 
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570

Check the upload result

[Figure 9]

[Figure 10]

The upload succeeded; next, pull it back.


[root@Docker2 ~]# docker rmi 192.168.2.17/library/nginx2:latest                       
Untagged: 192.168.2.17/library/nginx2:latest
Untagged: 192.168.2.17/library/nginx2@sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
[root@Docker2 ~]# docker images                        
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
nginx2       latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker2 ~]# docker pull 192.168.2.17/library/nginx2:latest             
latest: Pulling from library/nginx2
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17/library/nginx2:latest
192.168.2.17/library/nginx2:latest


[root@Docker2 ~]# docker images                
REPOSITORY                    TAG       IMAGE ID       CREATED       SIZE
nginx2                        latest    c316d5a335a5   5 weeks ago   142MB
192.168.2.17/library/nginx2   latest    c316d5a335a5   5 weeks ago   142MB
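Added example (not from the original post): the same login done with --password-stdin, as the warning printed by `docker login` above recommends, plus a check of what the login leaves behind in ~/.docker/config.json, which that warning says holds the password unencrypted. The harbor_login and audit helpers, the two config.json samples and the `pass` credential helper name are assumptions or constructed samples, not taken from the original.

```shell
#!/bin/sh
# Added example (not from the original post): log in to Harbor without the
# password on the command line, and audit ~/.docker/config.json afterwards.
# Assumed: Harbor at 192.168.2.17 as above; the config.json samples are constructed.

# Read the password from stdin so it never appears in shell history or `ps` output.
harbor_login() {   # printf '%s' "$HARBOR_PASS" | harbor_login <registry> <user>
    docker login --password-stdin -u "$2" "$1"
}

# Count registries whose credentials sit inline as base64 "auth" values.
inline_auth_count() {   # inline_auth_count <config.json contents>
    printf '%s\n' "$1" | grep -c '"auth":' || true
}

# Report the configured credential helper; empty when none is set.
creds_store() {   # creds_store <config.json contents>
    printf '%s\n' "$1" | sed -n 's/.*"credsStore": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Registry names that carry an inline "auth" entry, one per line (pretty-printed JSON assumed).
inline_auth_registries() {   # inline_auth_registries <config.json contents>
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*"[^"]+":[[:space:]]*[{]/ { name=$0; sub(/^[[:space:]]*"/, "", name); sub(/".*/, "", name) }
        /"auth":/ && name != "auths" { print name }'
}

# 0 when no inline credentials are stored, 1 when some are (and lists them).
audit_docker_config() {   # audit_docker_config <config.json contents>
    n=$(inline_auth_count "$1")
    helper=$(creds_store "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n login(s) stored inline (base64, not encrypted) in config.json:"
        inline_auth_registries "$1" | sed 's/^/  - /'
        return 1
    fi
    echo "OK: no inline credentials; credential helper: ${helper:-none configured}"
    return 0
}

# --- Constructed samples: what `docker login` writes without a helper, and with one ---
SAMPLE_CONFIG_WEAK='{
  "auths": {
    "192.168.2.17": {
      "auth": "BASE64_PLACEHOLDER_1"
    },
    "https://index.docker.io/v1/": {
      "auth": "BASE64_PLACEHOLDER_2"
    }
  }
}'
SAMPLE_CONFIG_HARDENED='{
  "auths": {
    "192.168.2.17": {}
  },
  "credsStore": "pass"
}'

# Audit the real file when it exists; the samples above are for offline use.
if [ -f "${DOCKER_CONFIG:-$HOME/.docker}/config.json" ]; then
    audit_docker_config "$(cat "${DOCKER_CONFIG:-$HOME/.docker}/config.json")"
fi
```

`printf '%s' "$HARBOR_PASS" | harbor_login 192.168.2.17 admin` performs the same login as above without the password touching the command line; `audit_docker_config "$(cat ~/.docker/config.json)"` then reports every registry whose credentials are still stored inline. Configuring a credential helper (credsStore), as the warning itself suggests, is what removes them from the file.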

You can also create a new user and use it for pushing and pulling.
