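Docker Hub official site: https://hub.docker.com/
Docker officially maintains a public registry, Docker Hub, and most needs can be met by pulling images directly from it. If pulling images from Docker Hub is slow, you can configure a registry mirror (accelerator); most cloud vendors in China provide one, and the configuration is simple.
Images are the foundation of Docker. We can pull images from the official public registry on Docker Hub, or set up a private registry of our own.
I won't say much about the public registry: register an account and log in. The focus here is private registries.
I have summarized 3 ways to get a private registry.
You can register a Docker account for free at https://cloud.docker.com.
Run the docker login command and enter your username and password interactively to log in to Docker Hub from the command line.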
[root@docker03 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: hbhdlzs
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Log in
docker login
# Retag (rename) the image
# Push the image to Docker Hub
[root@docker01 ~]# docker tag mycentos:nginx hbhdlzs/mycentos:centos7
[root@docker01 ~]# docker push hbhdlzs/mycentos:centos7
The push refers to repository [docker.io/hbhdlzs/mycentos]
3da9897ebbf4: Pushing 136.2MB/153.6MB
edf3aa290fb3: Pushing 148.6MB/203.3MB
Wait for the upload to finish.
You can log out with docker logout.
[root@docker03 ~]# docker logout
Removing login credentials for https://index.docker.io/v1/
docker-registry is the official tool for building a private image registry.
registry comes in a v1 and a v2 version. v1 is written in Python and v2 is written in Go; v2 is comparatively faster and simpler.
# docker pull registry:2
docker run -itd --name registry --restart=always -p 5000:5000 -v /registry:/var/lib/registry registry:2
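Edit the docker.service unit file
# Add a line like this
# Docker pulls images from Docker Hub by default, so the IP and port of the private registry must be declared locally. This is needed because Docker by default does not allow pushing images over a non-HTTPS connection; if you skip this step, you get an HTTPS error.
Upload an image to the private registry
# Retag the image, then upload it to the private registry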
[root@docker01 ~]# docker tag dhcp:dhcpd 172.16.46.111:5000/dhcpd:lzs
[root@docker01 ~]# docker pull 172.16.46.111:5000/dhcpd:lzs
Error response from daemon: manifest for 172.16.46.111:5000/dhcpd:lzs not found
[root@docker01 ~]# docker push 172.16.46.111:5000/dhcpd:lzs
The push refers to repository [172.16.46.111:5000/dhcpd]
8d3d1c857813: Pushed
37ee4253c76e: Pushed
b57c79f4a9f3: Pushed
d60e01b37e74: Pushed
e45cfbc98a50: Pushed
762d8e1a6054: Pushed
lzs: digest: sha256:fdc7ff6f265249a104f32f1d7aed0aedaf2f2fc62ea10eebf596e2af3b670477 size: 1569
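A dockerhost node that uses this private registry also needs the following line added to its configuration file, declaring that this is an insecure connection:
--insecure-registry 172.16.46.111:5000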
[root@docker03 ~]# docker pull 172.16.46.111:5000/dhcpd:lzs
lzs: Pulling from dhcpd
898c46f3b1a1: Pull complete
63366dfa0a50: Pull complete
041d4cd74a92: Pull complete
6e1bee0f8701: Pull complete
114483241095: Pull complete
ef446bdcb1f0: Pull complete
Digest: sha256:fdc7ff6f265249a104f32f1d7aed0aedaf2f2fc62ea10eebf596e2af3b670477
Status: Downloaded newer image for 172.16.46.111:5000/dhcpd:lzs
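What is Harbor, and why use it?
Harbor is an open-source solution for building an enterprise-grade private Docker image registry. It is a higher-level wrapper around Docker Registry. Besides a friendly web UI, role and user permission management, and auditing of user operations, it also integrates a repository for K8s add-ons: Helm downloads, manages, and installs K8s add-ons as charts, and chartmuseum provides the repository that stores the chart data. [Note: Helm is the K8s equivalent of yum]
It also integrates two open-source security components, Notary and Clair. Notary is similar to a private CA, and Clair is a container security scanner: it obtains the latest vulnerability information from the CVE databases provided by the major vendors and scans the containers users upload for known vulnerabilities. These two security features matter a great deal for an enterprise private registry.
Download the docker-compose tool, which is mainly used to manage Docker containers together
# Download docker-compose from GitHub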
curl -L https://github.com/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
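# Make docker-compose executable
chmod +x /usr/local/bin/docker-compose
# Install the dependencies; they are normally already installed along with Docker
yum -y install yum-utils device-mapper-persistent-data lvm2
# Download the Harbor offline installer
#wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.4.tgz
## The site is hosted abroad, so the download is slow and may fail; import the Harbor offline installer package and extract it to /usr/local/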
tar -zxf harbor-offline-installer-v1.7.4.tgz -C /usr/local/
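Edit the configuration file; only the hostname needs to change
Installation and execution may differ on newer versions (Harbor 2.x)
You can look through earlier blog posts for detailed installation documentation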
[root@docker01 ~]# grep -Ev '^$|^#' /usr/local/harbor/harbor.cfg
_version = 1.7.0
hostname = 172.16.46.111 # change this address
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
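// hostname sets the access address; an IP or a domain name can be used, but it must not be 127.0.0.1 or localhost
hostname = 192.168.1.100
// Access protocol; the default is http, and https can also be set. If https is set, nginx ssl must be set to on
ui_url_protocol = http
// Maximum number of connections
max_job_workers = 10
// Whether to generate certificates
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
// Log rotation options
log_rotate_count = 50
// Log rotation size; can be given in KB, MB, or GB
log_rotate_size = 200M
// Whether to access through a proxy
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
// Mail settings, used when sending password-reset mail
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin [email protected]
email_ssl = false
email_insecure = false
// After Harbor starts, the UI login password of the administrator admin; the default is Harbor12345
harbor_admin_password = Harbor12345
// Authentication mode; several are supported, such as LDAP, local storage, and database authentication. The default is db_auth, MySQL authentication
auth_mode = db_auth
// Whether to enable self-registration
self_registration = on
// Token validity period; the default is 30 minutes
token_expiration = 30
// Controls who may create projects; the default is everyone (all users), and it can also be set to adminonly (administrators only)
project_creation_restriction = everyone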
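The settings walked through above can be checked mechanically. The following Python script is an added example, not part of the original article or of Harbor; it parses a harbor.cfg and flags the values from this article's configuration that leave the registry exposed. The rule set and the names parse_cfg and audit are this example's own assumptions.

```python
# Added example: audit a Harbor 1.x harbor.cfg for settings that weaken the registry.
# SAMPLE_CFG is constructed from the values shown in this article.
SAMPLE_CFG = """\
hostname = 172.16.46.111 # change this address
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
"""

# key -> (risky value, why it matters). The rule set is this example's assumption.
RULES = {
    "ui_url_protocol": ("http", "logins and image layers travel in cleartext; use https"),
    "harbor_admin_password": ("Harbor12345", "published default admin password; change it"),
    "self_registration": ("on", "anyone who can reach the UI can create an account"),
    "project_creation_restriction": ("everyone", "any user can create projects; use adminonly"),
}


def parse_cfg(text):
    """Parse 'key = value' lines, skipping blanks and '#' or '//' comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Drop a trailing inline note such as 'hostname = x # note'; a '#' that is
        # not preceded by a space is kept, because it may be part of a password.
        settings[key.strip()] = value.split(" #", 1)[0].strip()
    return settings


def audit(text):
    """Return a sorted list of (key, value, reason) for every risky setting found."""
    settings = parse_cfg(text)
    findings = []
    for key, (bad, reason) in RULES.items():
        if settings.get(key) == bad:
            findings.append((key, settings[key], reason))
    return sorted(findings)


if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_CFG):
        print(f"[WARN] {key} = {value}: {reason}")
```
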
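After editing the configuration file, run ./install.sh in the current directory; Harbor will then start downloading the images it depends on according to the docker-compose.yml in the current directory.
PS: The web UI uses port 80, so make sure port 80 on the host is free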
[root@docker01 harbor]# ./install.sh
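Controlling Harbor with docker-compose
Start Harbor: docker-compose start
Stop Harbor: docker-compose stop
Restart Harbor: docker-compose restart
PS: When using the docker-compose tool, you must be in the same directory as docker-compose.yml or in a subdirectory of it
Once the screen above shows every step as done, Harbor has basically finished downloading
Let's try accessing the Harbor UI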
[root@docker01 harbor]# grep '12345' /usr/local/harbor/harbor.cfg
harbor_admin_password = Harbor12345
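The default account and password are shown in the harbor.cfg configuration file
Default account: admin
Default password: Harbor12345
As with registry, the Docker configuration must be changed to add the insecure-registry declaration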
[root@docker01 harbor]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 172.16.46.111
[root@docker01 harbor]# systemctl daemon-reload
[root@docker01 harbor]# systemctl restart docker
To push or pull images, you must log in as a user
[root@docker01 ~]# docker login -u admin -p Harbor12345 172.16.46.111
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
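The two warnings printed by docker login above are about where the password ends up. The following Python script is an added example, not part of the original article; it reads a Docker client config.json and reports which registry logins are stored as base64 that anyone who can read the file can decode. The sample file contents and the password in it are constructed for illustration.

```python
import base64
import json

# Constructed sample of /root/.docker/config.json after the logins in this article.
# The password is a made-up placeholder, not a real credential.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "172.16.46.111": {"auth": base64.b64encode(b"admin:example-password").decode()},
        "registry.cn-hangzhou.aliyuncs.com": {},
        "https://index.docker.io/v1/": {},
    },
    "credHelpers": {"registry.cn-hangzhou.aliyuncs.com": "secretservice"},
})


def audit_docker_config(text):
    """Return {registry: finding} describing how each login is stored."""
    cfg = json.loads(text)
    global_store = cfg.get("credsStore")      # one helper for every registry
    helpers = cfg.get("credHelpers", {})      # per-registry helpers
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if blob:
            # 'auth' is base64("user:password"): encoding, not encryption.
            # Only the user name is extracted; the password is never printed.
            user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
            report[registry] = f"EXPOSED: password for '{user}' is base64 in the file"
        elif registry in helpers or global_store:
            report[registry] = "ok: stored via credential helper"
        else:
            report[registry] = "ok: no stored secret"
    return report


if __name__ == "__main__":
    for registry, finding in audit_docker_config(SAMPLE_CONFIG).items():
        print(f"{registry}: {finding}")
```
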
Test uploading an image
[root@docker01 ~]# docker tag httpd:latest 172.16.46.111/myhttpd/httpd:v1
[root@docker01 ~]# docker push 172.16.46.111/myhttpd/httpd:v1
The push refers to repository [172.16.46.111/myhttpd/httpd]
5d727ac94391: Pushed
4cfc2b1d3e90: Pushed
484fa8d4774f: Pushed
ca9ad7f0ab91: Pushed
13cb14c2acd3: Mounted from lzs/nginx
v1: digest: sha256:ad116b4faf32a576572c1501e3c83ecae52ed3ba161de2f50a89d24b796bd3eb size: 1367
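As mentioned above, if other dockerhosts also need this image, they too must modify the configuration file and then log in before they can pull the private image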
--insecure-registry 172.16.46.111
systemctl daemon-reload
systemctl restart docker
[root@docker03 ~]# docker login -u admin -p Harbor12345 172.16.46.111
[root@docker03 ~]# docker pull 172.16.46.111/myhttpd/httpd:v1
v1: Pulling from myhttpd/httpd
8559a31e96f4: Already exists
bd517d441028: Pull complete
f67007e59c3c: Pull complete
83c578481926: Pull complete
f3cbcb88690d: Pull complete
Digest: sha256:ad116b4faf32a576572c1501e3c83ecae52ed3ba161de2f50a89d24b796bd3eb
Status: Downloaded newer image for 172.16.46.111/myhttpd/httpd:v1
[root@docker03 ~]# docker run -itd --name dc02 -p8081:80 172.16.46.111/myhttpd/httpd:v1
5bcbd59a1e4f662b4f8959ea87af796569bd85815d3d3ec1594546a37723b9e5
[root@docker03 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5bcbd59a1e4f 172.16.46.111/myhttpd/httpd:v1 "httpd-foreground" 4 seconds ago Up 2 seconds 0.0.0.0:8081->80/tcp dc02
67c22d175dfb 172.16.46.111/lzs/nginx:v1 "/docker-entrypoint.…" 7 minutes ago Up 7 minutes 0.0.0.0:8080->80/tcp dc01
[root@docker03 ~]#
[root@docker03 ~]#
[root@docker03 ~]# curl -I 172.16.46.113:8081
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2020 13:48:27 GMT
Server: Apache/2.4.43 (Unix)
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html
Log out
[root@master ~]# docker logout 172.16.46.111
Removing login credentials for 172.16.46.111
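I suggest treating this Alibaba Cloud registry as a personal edition; if you put a company image there, your boss would probably go crazy. Whatever makes you happy.
Log in to your Alibaba Cloud account
https://promotion.aliyun.com/ntms/act/kubernetes.html
Create a namespace
With a namespace, we can create our image repository
At this point, the image repository on Alibaba Cloud has been created
Just follow the steps below; it is simple and convenient.
# Log in to Alibaba Cloud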
[root@docker03 ~]# docker login --username=八十万小学生总教头 registry.cn-hangzhou.aliyuncs.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Tag the image and upload it
[root@docker03 ~]# docker tag 0901fa9da894 registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1
[root@docker03 ~]# docker push registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1
The push refers to repository [registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx]
2808ec4a8ea7: Pushed
4856db5e4f59: Pushed
7ef35766ef7d: Pushed
0e32546a8af0: Pushed
13cb14c2acd3: Mounted from lzs1226/mycentos
v1: digest: sha256:8ff4598873f588ca9d2bf1be51bdb117ec8f56cdfd5a81b5bb0224a61565aa49 size: 1362
# The upload is now complete
# Log in
docker login --username=八十万小学生总教头 registry.cn-hangzhou.aliyuncs.com
# Pull the image
docker pull registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1
[root@docker03 ~]# docker pull registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1
v1: Pulling from 2020-07/mynginx
8559a31e96f4: Pull complete
1cf27aa8120b: Pull complete
67d252a8c1e1: Pull complete
9c2b660fcff6: Pull complete
4584011f2cd1: Pull complete
Digest: sha256:8ff4598873f588ca9d2bf1be51bdb117ec8f56cdfd5a81b5bb0224a61565aa49
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1
Run a container to test
[root@docker03 ~]# docker run -itd --name dc01 -P registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1
51d01e0a9501eecb5274bbf68a6f78034859d03d493dfb37b7593b8edb0474db
[root@docker03 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
51d01e0a9501 registry.cn-hangzhou.aliyuncs.com/2020-07/mynginx:v1 "/docker-entrypoint.…" 7 seconds ago Up 6 seconds 0.0.0.0:32768->80/tcp dc01
[root@docker03 ~]#
That's the end of the article!