Docker 私有仓库

1. Registry

官方私有仓库，优点：简单；缺点：部署无法进行复杂的管理操作

1.1 镜像

docker pull registry:2.7.1
docker pull joxit/docker-registry-ui:latest   # 非必须，简单的界面

1.2 配置

mkdir -p /etc/docker/registry

cat > /etc/docker/registry/config.yml <<EOF
version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['http://192.168.80.200']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization', 'Accept']
    Access-Control-Max-Age: [1728000]
    Access-Control-Allow-Credentials: [true]
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
  http2:
    disabled: false
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF

1.3 启动

cat > docker-compose.yaml <<EOF
version: '2.0'
services:
  registry:
    image: registry:2.7.1
    ports:
      - 5000:5000
    volumes:
      - /opt/registry:/var/lib/registry
      - /etc/docker/registry/config.yml:/etc/docker/registry/config.yml
  ui:
    image: joxit/docker-registry-ui:latest
    ports:
      - 80:80
    environment:
      - REGISTRY_TITLE=My Private Docker Registry
      - REGISTRY_URL=http://192.168.80.200:5000
      - SINGLE_REGISTRY=true
    depends_on:
      - registry
EOF

docker-compose up -d

1.4 镜像推送

$ docker tag nginx 192.168.80.200:5000/nginx:latest

$ docker push 192.168.80.200:5000/nginx:latest
The push refers to repository [192.168.80.200:5000/nginx]
Get "https://192.168.80.200:5000/v2/": http: server gave HTTP response to HTTPS client

# 开启非安全认证
$ vi /etc/docker/daemon.json
{
  "insecure-registries" : [ "192.168.80.250:5000" ]
}

$ systemctl restart docker

1.5 登录界面

http://192.168.80.200

1.6 Restful API

参考：https://docs.docker.com/registry/spec/api/#detail

# API Version Check
$ curl 192.168.80.200:5000/v2/
{}

# Listing Repositories
$ curl 192.168.80.200:5000/v2/_catalog
{"repositories":["nginx"]}

# Listing Image Tags
$ curl 192.168.80.200:5000/v2/nginx/tags/list
{"name":"nginx","tags":["latest"]}

# Fetch the manifest by tag
$ curl 192.168.80.200:5000/v2/nginx/manifests/latest

# 获取镜像的digest
$ curl -I 192.168.80.200:5000/v2/nginx/manifests/latest -H 'Accept: application/vnd.docker.distribution.manifest.v2+json'
...
Docker-Content-Digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3

# Deleting an Image by digest, not supported by tag (只是删除了相关的tag，但文件实体并未删除)
$ curl -X DELETE 192.168.80.200:5000/v2/nginx/manifests/sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3

# 清理磁盘，是否已被删除的 blob 数据
$ docker exec -it docker-registry bin/registry garbage-collect /etc/docker/registry/config.yml

2. Harbor

VMware 出品，优点：大而全；缺点：过于庞大，安装很多组件，如redis， nginx，较耗资源

2.1 生成证书

mkdir -p /etc/harbor/pki && cd $_

# CA
openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
    -x509 -days 365 -out ca.crt \
    -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=XTWL/OU=IT/CN=test"
    
# 签名
openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout harbor.key \
    -out harbor.csr \
    -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=XTWL/OU=IT/CN=192.168.80.201"
    
# 生成证书
echo 'subjectAltName = IP:192.168.80.201' > extfile.cnf
openssl x509 -req -days 365 -in harbor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor.crt

2.2 安装包

mkdir -p ~/harbor && cd $_
wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz
tar xzvf harbor-offline-installer-v2.4.1.tgz

2.3 配置

cd harbor
cp harbor.yml.tmpl harbor.yml

vi harbor.yml
hostname: 192.168.80.201
http:
  port: 8080
https:
  port: 443
  certificate: /etc/harbor/pki/harbor.crt
  private_key: /etc/harbor/pki/harbor.key

harbor_admin_password: Harbor12345
data_volume: /data
location: /var/log/harbor

2.4 安装

./install.sh
...
[Step 5]: starting Harbor ...
[+] Running 10/10
 ⠿ Network harbor_harbor        Created    0.2s
 ⠿ Container harbor-log         Started    1.6s
 ⠿ Container registryctl        Started    3.7s
 ⠿ Container registry           Started    3.0s
 ⠿ Container redis              Started    3.3s
 ⠿ Container harbor-portal      Started    3.7s
 ⠿ Container harbor-db          Started    3.6s
 ⠿ Container harbor-core        Started    4.8s
 ⠿ Container harbor-jobservice  Started    6.2s
 ⠿ Container nginx              Started    6.5s
✔ ----Harbor has been installed and started successfully.----

2.5 Docker 配置

dockerd 进程会将.crt文件标记为CA证书，.cert文件为客户端证书，所以需要先进行转换

cd /etc/harbor/pki
openssl x509 -inform PEM -in harbor.crt -out harbor.cert

mkdir -p /etc/docker/certs.d/192.168.80.201
cp harbor.cert /etc/docker/certs.d/192.168.80.201
cp harbor.key /etc/docker/certs.d/192.168.80.201
cp ca.crt /etc/docker/certs.d/192.168.80.201

systemctl restart docker

2.6 镜像推送

# 先登录
$ docker login https://192.168.80.201
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# 推送镜像
$ docker tag busybox:latest 192.168.80.201/library/busybox:latest
$ docker push 192.168.80.201/library/busybox:latest
The push refers to repository [192.168.80.201/library/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527

2.7 登录界面

https://192.168.80.201 admin/Harbor12345

3. nexus3

可作为 docker , maven , yum, apt, PyPI，npm, go proxy 等私有仓库或代理。

3.1 安装

$ mkdir -p /opt/nexus3 && chown -R 200 /opt/nexus3
$ docker run -d --name nexus3 --restart=always -p 8081:8081 -v /opt/nexus3:/nexus-data sonatype/nexus3
    
$ docker logs -f nexus3
...
Started Sonatype Nexus OSS 3.37.3-02

3.2 登录

# 获取密码
$ docker exec nexus3 cat /nexus-data/admin.password
ac686e08-008c-4f60-aaf3-17a7bea079a1

# 登录并修改密码
http://192.168.80.200:8081  admin/ac686e08-008c-4f60-aaf3-17a7bea079a1

# 按向导修改密码，并开启匿名登录
admin/admin123

3.3 创建仓库

创建一个私有仓库的方法： Repository->Repositories 点击右边菜单 Create repository 选择 docker (hosted)

• Name: 仓库的名称
• HTTP: 仓库单独的访问端口（例如：8082）
• Hosted -> Deplioyment policy: 请选择 Allow redeploy 否则无法上传 Docker 镜像。

3.4 添加访问权限

菜单 Security->Realms 把 Docker Bearer Token Realm 移到右边的框中保存。

添加用户规则：菜单 Security->Roles->Create role 在 Privlleges 选项搜索 docker 把相应的规则移动到右边的框中然后保存。

添加用户：菜单 Security->Users->Create local user 在 Roles 选项中选中刚才创建的规则移动到右边的窗口保存。

3.5 开放端口

# docker 配置
$ vi /etc/docker/daemon.json 
{
  "insecure-registries" : [ "192.168.80.200:8082" ]
}
$ systemctl restart docker

# 服务IP
$ docker inspect nexus3 | grep -w IPAddress
"IPAddress": "172.17.0.2",

$ iptables -t nat -vnL
Chain POSTROUTING (policy ACCEPT 327 packets, 17060 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-f2446e4164ee  172.20.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:8081

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-f2446e4164ee *       0.0.0.0/0            0.0.0.0/0
  326 16984 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081 to:172.17.0.2:8081

# 新增
iptables -t nat -A  DOCKER -p tcp --dport 8082 -j DNAT --to-destination 172.17.0.2:8082
iptables -t nat -A  DOCKER -p tcp ! -i docker0 --dport 8082 -j DNAT --to-destination 172.17.0.2:8082

# 端口列表
$ iptables -t nat -vnL DOCKER --line-number
Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  br-f2446e4164ee *       0.0.0.0/0            0.0.0.0/0
3       25  1300 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081 to:172.17.0.2:8081
4        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082 to:172.17.0.2:8082

# 删除 (需要时)
iptables -t nat -D DOCKER 4

3.6 镜像管理

# 登录仓库
$ docker login http://192.168.80.200:8082
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

# 上传镜像
$ docker tag busybox:latest 192.168.80.200:8082/repository/xtwl/busybox:latest
$ docker push 192.168.80.200:8082/repository/xtwl/busybox:latest
The push refers to repository [192.168.80.200:8082/repository/xtwl/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527