An image repository stores Docker images.
A Docker registry provides the image repository service.
One Docker registry can contain multiple image repositories.
Repositories are divided into public and private image repositories.
Two ways to set up a private repository: Registry and Harbor.
Requires an Internet connection, and upload and download speeds are slow.
Images uploaded to Docker Hub can be accessed by anyone; private repositories are available, but not for free.
For security reasons many organizations do not allow images to be placed on the public Internet.
System | IP | Hostname | Role |
CentOS 7.4 | 192.168.2.17 | Docker1 | Docker, registry, harbor |
CentOS 7.4 | 192.168.2.1 | Docker2 | Docker |
Docker officially provides an image for setting up a private repository, registry. Simply pull the image, run the container and expose port 5000, and it is ready to use.
-p: the default port is 5000; map it to local port 5000
-v: mount the local directory /data/registry into the container at /var/lib/registry
[root@Docker1 ~]# docker run -d -p 5000:5000 -v /data/registry:/var/lib/registry registry:2
[root@Docker1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dba2d52fda19 registry:2 "/entrypoint.sh /etc…" 13 seconds ago Up 12 seconds 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp busy_bouman
You can check it at 192.168.2.17:5000/v2
[root@Docker1 ~]# docker tag nginx:latest 192.168.2.17:5000/librar/nginx:latest
[root@Docker1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 9c97225e83c8 3 weeks ago 24.2MB
192.168.2.17:5000/librar/nginx latest c316d5a335a5 5 weeks ago 142MB
nginx latest c316d5a335a5 5 weeks ago 142MB
[root@Docker1 ~]# vim /etc/docker/daemon.json # configure docker
{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.2.17:5000"]
}
Save. Note in the output below that the registry container exited when the daemon was restarted, because it was run without a restart policy, so it has to be started again.
[root@Docker1 ~]# systemctl restart docker
[root@Docker1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dba2d52fda19 registry:2 "/entrypoint.sh /etc…" 18 minutes ago Exited (2) 35 seconds ago busy_bouman
[root@Docker1 ~]# docker start dba2d52fda19
dba2d52fda19
[root@Docker1 ~]# docker push 192.168.2.17:5000/librar/nginx:latest
The push refers to repository [192.168.2.17:5000/librar/nginx]
762b147902c0: Pushed
235e04e3592a: Pushed
6173b6fa63db: Pushed
9a94c4a55fe4: Pushed
9a3a6af98e18: Pushed
7d0ebbe3f5d2: Pushed
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570
You can visit the registry to see the image we pushed.
We can also pull it back to the local host.
[root@Docker1 ~]# docker rmi 192.168.2.17:5000/librar/nginx:latest
Untagged: 192.168.2.17:5000/librar/nginx:latest
Untagged: 192.168.2.17:5000/librar/nginx@sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
[root@Docker1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 9c97225e83c8 3 weeks ago 24.2MB
nginx latest c316d5a335a5 5 weeks ago 142MB
————————————————————————————————————————————
[root@Docker1 ~]# docker pull 192.168.2.17:5000/librar/nginx:latest
latest: Pulling from librar/nginx
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17:5000/librar/nginx:latest
192.168.2.17:5000/librar/nginx:latest
————————————————————————————————————————————
[root@Docker1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 9c97225e83c8 3 weeks ago 24.2MB
192.168.2.17:5000/librar/nginx latest c316d5a335a5 5 weeks ago 142MB
nginx latest c316d5a335a5 5 weeks ago 142MB
Pull and push on Docker2 (Docker installation omitted).
[root@Docker2 ~]# vim /etc/docker/daemon.json # configure docker
{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.2.17:5000"]
}
Save.
[root@Docker2 ~]# systemctl restart docker
[root@Docker2 ~]# docker pull 192.168.2.17:5000/librar/nginx:latest
latest: Pulling from librar/nginx
5eb5b503b376: Pull complete
1ae07ab881bd: Pull complete
78091884b7be: Pull complete
091c283c6a66: Pull complete
55de5851019b: Pull complete
b559bad762be: Pull complete
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17:5000/librar/nginx:latest
192.168.2.17:5000/librar/nginx:latest
[root@Docker2 ~]# docker images # now pulled to the local host
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.2.17:5000/librar/nginx latest c316d5a335a5 5 weeks ago 142MB
[root@Docker2 ~]# docker tag 192.168.2.17:5000/librar/nginx:latest 192.168.2.17:5000/librar/nginx2:latest
[root@Docker2 ~]# docker push 192.168.2.17:5000/librar/nginx2:latest
The push refers to repository [192.168.2.17:5000/librar/nginx2]
762b147902c0: Mounted from librar/nginx
235e04e3592a: Mounted from librar/nginx
6173b6fa63db: Mounted from librar/nginx
9a94c4a55fe4: Mounted from librar/nginx
9a3a6af98e18: Mounted from librar/nginx
7d0ebbe3f5d2: Mounted from librar/nginx
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570
You can see it has been uploaded.
Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features enterprises need, such as security, identity and management. As an enterprise private Registry server, Harbor offers better performance and security, and makes transferring images between the Registry and build and run environments more efficient. Harbor supports replication of image resources across multiple Registry nodes; all images are kept in the private Registry, ensuring that data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Harbor official website: Harbor
Harbor source code: GitHub - goharbor/harbor: An open source trusted cloud native registry project that stores, signs, and scans content.
Proxy: Harbor's registry, UI, token service and other components all sit behind a reverse proxy. The proxy forwards requests from browsers and Docker clients to the backend services.
Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, on every push/pull request the Registry requires the client to obtain a valid token from the token service.
Core services: Harbor's core functionality, consisting mainly of the following three services:
UI: acts as the Registry webhook and helps users manage images through a graphical user interface.
1) A webhook is a mechanism configured in the registry: when an image in the registry changes, the registry notifies Harbor's webhook endpoint. Harbor uses webhooks to update logs, initialize replication jobs, and so on.
2) The token service issues a token for each push/pull request according to the user's role in the project. If a request does not carry a token, the registry redirects it to the token service.
3) The database stores project metadata, user data, role data, replication policies and image metadata.
Job services: mainly used for image replication; local images can be replicated to a remote Harbor instance.
Log collector: collects the logs of the other modules in one place.
Docker login
1) First, the login request is received by the Proxy container and, according to the preconfigured matching rules, forwarded to the backend Registry container.
2) The Registry parses the request. Because token-based authentication is configured, it looks for a token; finding none, it returns error code 401 together with the URL of the token service.
3) On receiving the error, the Docker client sends a request to the token service URL instead, combining and encoding the username and password according to the HTTP Basic Authentication specification and placing them in the request header.
4) This request likewise arrives first at the Proxy container and is forwarded to the ui/token container, which accepts it, decodes the header and obtains the username and password.
5) Having obtained the username and password, the ui/token container queries the database to verify them (with LDAP authentication it calls the LDAP service to validate instead). On success it returns a success status code and uses its key to generate a token, which it sends back to the Docker client.
Docker push
1) As before, the client first talks to the Registry, which returns the URL of the token service.
2) The Docker client talks to the token service, stating that it wants a token for a push image operation.
3) The token service queries the database to verify that the current user has permission for that operation. If so, it encodes the image information and the push operation, signs it with its private key, generates the token and returns it to the Docker client.
4) The Docker client contacts the Registry again, this time with the token in the request header. The Registry uses the public key to decode and verify it; on success, the push can begin.
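The login and push flows above, modelled end to end in Python as an added example (not Harbor's code): an HMAC stands in for Harbor's RSA-signed token, and the realm, service name, users and project roles are constructed. The point it shows is that the registry grants the push only if the signature checks out and the push action was actually granted for that repository.

```python
import base64, hashlib, hmac, json, re, time
# Constructed sample of the 401 challenge from step 1 (realm and service name are assumptions).
CHALLENGE = ('Bearer realm="http://192.168.2.17/service/token",'
             'service="harbor-registry",scope="repository:library/nginx2:pull,push"')
# Constructed users and project roles; real Harbor reads these from its database (step 3).
USERS = {"admin": "Harbor12345", "guest": "guest-pw"}
ROLES = {("library", "admin"): {"pull", "push"}, ("library", "guest"): {"pull"}}
SIGNING_KEY = b"constructed-demo-key"  # HMAC stand-in for Harbor's RSA private key

def parse_challenge(header):
    """Docker client: split the Bearer challenge into realm/service/scope."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def basic_auth_header(user, password):
    """Step 3 of the login flow: user:password, base64-encoded, as HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(auth_header, scope):
    """Token service: check credentials, grant only the actions the role allows, sign."""
    scheme, _, cred = auth_header.partition(" ")
    user, _, pw = base64.b64decode(cred).decode().partition(":")
    if scheme != "Basic" or USERS.get(user) != pw:
        return None  # token service answers 401
    typ, name, actions = scope.split(":")
    allowed = ROLES.get((name.split("/")[0], user), set())
    claims = {"sub": user, "exp": int(time.time()) + 1800, "access": [
        {"type": typ, "name": name, "actions": [a for a in actions.split(",") if a in allowed]}]}
    body = b64url(json.dumps(claims).encode())
    return body + "." + hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def registry_authorize(token, repo, action):
    """Registry (step 4 of the push flow): verify signature, expiry, then the access claim."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        return False
    return any(a["name"] == repo and action in a["actions"] for a in claims["access"])

def push_flow(user, password, action="push"):
    """Whole exchange: challenge -> Basic-auth token request -> registry decision."""
    ch = parse_challenge(CHALLENGE)
    token = issue_token(basic_auth_header(user, password), ch["scope"])
    return token is not None and registry_authorize(token, ch["scope"].split(":")[1], action)
```

A guest with only the pull role still receives a token, but its access claim lacks push, so the registry refuses the upload; a forged or tampered token fails the signature check before its claims are even read.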
[root@Docker1 ~]# ls harbor-offline-installer-v1.10.4.tgz
harbor-offline-installer-v1.10.4.tgz
[root@Docker1 ~]# tar xf harbor-offline-installer-v1.10.4.tgz -C /usr/local/
Edit Harbor's configuration file
[root@Docker1 ~]# vi /usr/local/harbor/harbor.yml
..
hostname: 192.168.2.17   # change to the local IP

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:   # comment out https
  # https port for harbor, default is 443
  #port: 443   # commented out
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path   # commented out
  #private_key: /your/private/key/path   # commented out
...
Save.
Install docker-compose: download the docker-compose binary into /usr/bin and make it executable.
[root@Docker1 ~]# cd /usr/bin/
[root@Docker1 bin]# chmod a+x docker-compose
Start Harbor
[root@Docker1 bin]# cd /usr/local/harbor/
[root@Docker1 harbor]# sh install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.23.2
[Step 2]: loading Harbor images ...
.........................
.......
..
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registry ... done
Creating redis ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
Start and stop commands
docker-compose up -d    start Harbor
docker-compose stop     stop Harbor
Access: 192.168.2.17, username: admin, password: Harbor12345 (note that the H in the password is upper case)
Edit the Docker configuration file
[root@Docker2 ~]# vim /etc/docker/daemon.json
{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.2.17"]
}
保存
[root@Docker2 ~]# systemctl restart docker
[root@Docker2 ~]# docker login -u admin -p Harbor12345 192.168.2.17 # log in to Harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@Docker2 ~]# docker tag nginx2:latest 192.168.2.17/library/nginx2:latest
[root@Docker2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx2 latest c316d5a335a5 5 weeks ago 142MB
192.168.2.17/library/nginx2 latest c316d5a335a5 5 weeks ago 142MB
——————————
[root@Docker2 ~]# docker push 192.168.2.17/library/nginx2:latest
The push refers to repository [192.168.2.17/library/nginx2]
762b147902c0: Pushed
235e04e3592a: Pushed
6173b6fa63db: Pushed
9a94c4a55fe4: Pushed
9a3a6af98e18: Pushed
7d0ebbe3f5d2: Pushed
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570
Check the upload result.
The upload succeeded; next, pull it back down.
[root@Docker2 ~]# docker rmi 192.168.2.17/library/nginx2:latest
Untagged: 192.168.2.17/library/nginx2:latest
Untagged: 192.168.2.17/library/nginx2@sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
[root@Docker2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx2 latest c316d5a335a5 5 weeks ago 142MB
[root@Docker2 ~]# docker pull 192.168.2.17/library/nginx2:latest
latest: Pulling from library/nginx2
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17/library/nginx2:latest
192.168.2.17/library/nginx2:latest
[root@Docker2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx2 latest c316d5a335a5 5 weeks ago 142MB
192.168.2.17/library/nginx2 latest c316d5a335a5 5 weeks ago 142MB
You can also create a new user to push and pull with.