[Notes 4] docker-compose and Harbor

docker-compose

1. Overview

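Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YML file to configure all the services your application needs. Then, with a single command, you create and start every service from that YML configuration.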

2. Usage

  • Install
curl -L https://github.com/docker/compose/releases/download/v2.15.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
  • Grant execute permission
chmod +x /usr/local/bin/docker-compose
  • Check the version
docker-compose version
  • Create the deployment file
cat > wordpress.yml <<EOF
version: "3"
services:
   mysql:
     image: mysql:5.6
     ports:
       - "3306:3306"
     environment:
       - "MYSQL_ROOT_PASSWORD=123456"
       - "MYSQL_PASSWORD=123456"
       - "MYSQL_USER=tom"
       - "MYSQL_DATABASE=wordpress"
   wordpress:
     image: wordpress
     ports:
       - "80:80"
     environment:
       - "WORDPRESS_DB_NAME=wordpress"
       - "WORDPRESS_DB_USER=tom"
       - "WORDPRESS_DB_PASSWORD=123456"
       - "WORDPRESS_DB_HOST=mysql"
EOF
  • Deploy the application
docker-compose -f wordpress.yml up -d
  • Start the application
docker-compose -f wordpress.yml start
  • Stop the application
docker-compose -f wordpress.yml stop 
  • Remove the application
docker-compose -f wordpress.yml down
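
A small audit of the deployment file above, added here as an example and not part of the original post: it flags the literal passwords, the MySQL port published on every host interface, and the untagged wordpress image. The function name `audit_compose` and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE is a constructed copy of
# the service definitions in wordpress.yml above.
SAMPLE='services:
   mysql:
     image: mysql:5.6
     ports:
       - "3306:3306"
     environment:
       - "MYSQL_ROOT_PASSWORD=123456"
       - "MYSQL_PASSWORD=123456"
       - "MYSQL_USER=tom"
   wordpress:
     image: wordpress
     ports:
       - "80:80"
     environment:
       - "WORDPRESS_DB_USER=tom"
       - "WORDPRESS_DB_PASSWORD=123456"'

# Reads Compose YAML on stdin (list-style environment entries, as on this
# page) and prints one finding per line.
audit_compose() {
  awk '
    # image reference without a tag resolves to a moving "latest"
    /^ *image:/ && $2 !~ /:/ { print "UNPINNED_IMAGE " $2 }

    # KEY=value where KEY looks like a secret and value is a literal,
    # not a ${VARIABLE} reference; *_FILE keys point at a secret file
    match($0, /[A-Z_]*(PASSWORD|SECRET|TOKEN)[A-Z_]*=[^$"]+/) {
      key = substr($0, RSTART, RLENGTH); sub(/=.*/, "", key)
      if (key !~ /_FILE$/) print "INLINE_SECRET " key
    }

    # database port published on every host interface (no 127.0.0.1: prefix)
    /^ *- *"?(3306|5432|6379|27017):[0-9]+"? *$/ {
      gsub(/[ "-]/, ""); print "DB_PORT_PUBLISHED " $0
    }
  '
}

printf '%s\n' "$SAMPLE" | audit_compose
```

WordPress reaches the database by its service name (`WORDPRESS_DB_HOST=mysql`) over the Compose network, so the `3306:3306` mapping is only needed when something outside Compose must connect. Passwords can be supplied as `${VARIABLE}` references or secret files instead of literals in the YML.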

Harbor

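Harbor is an open-source Docker image management project from VMware. Its features include access control, log auditing, self-registration, and image replication.
Official website: https://goharbor.io/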

Creating certificates

You can follow the official guide to create a self-signed certificate.

  • Generate the CA certificate
mkdir -p /opt/harbor/cert && cd /opt/harbor/cert

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.129.131" \
 -key ca.key \
 -out ca.crt
  • Generate the server certificate
openssl genrsa -out 192.168.129.131.key 4096

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.129.131" \
    -key 192.168.129.131.key \
    -out 192.168.129.131.csr
    
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

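[alt_names]
# The registry is addressed by IP, so the SAN must be an IP entry (an IP address is not matched against DNS entries)
IP.1=192.168.129.131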
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 192.168.129.131.csr \
    -out 192.168.129.131.crt
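
The check a client performs on this certificate, reproduced with a throwaway CA (added example, not from the original post): the server certificate must chain to ca.crt and must list the registry address as an IP SAN entry, because an IP address is matched against IP entries and not DNS entries. The function names, the 2048-bit keys and the one-day lifetime are choices made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA and server
# certificate the same way as above, then run the chain + address check.
REGISTRY_IP=192.168.129.131   # address used throughout this page

make_cert() {   # $1 = work dir, $2 = SAN line placed under [alt_names]
  ( cd "$1" || exit 1
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=demo-ca" \
      -key ca.key -out ca.crt
    openssl genrsa -out srv.key 2048 2>/dev/null
    openssl req -new -sha512 -subj "/CN=$REGISTRY_IP" -key srv.key -out srv.csr
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
      'subjectAltName=@alt_names' '' '[alt_names]' "$2" > v3.ext
    openssl x509 -req -sha512 -days 1 -extfile v3.ext \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -in srv.csr -out srv.crt 2>/dev/null
  )
}

# True only if srv.crt chains to ca.crt AND is valid for REGISTRY_IP.
cert_valid_for_ip() {   # $1 = work dir
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$REGISTRY_IP" "$1/srv.crt" \
    2>/dev/null | grep -q ': OK$'
}

check_san() {   # $1 = SAN line; prints "accepted", "rejected" or "error"
  d=$(mktemp -d) && make_cert "$d" "$1" || { rm -rf "$d"; echo error; return; }
  if cert_valid_for_ip "$d"; then echo accepted; else echo rejected; fi
  rm -rf "$d"
}

echo "DNS.1=$REGISTRY_IP -> $(check_san "DNS.1=$REGISTRY_IP")"
echo "IP.1=$REGISTRY_IP  -> $(check_san "IP.1=$REGISTRY_IP")"
```

The same `openssl verify -CAfile ca.crt -verify_ip 192.168.129.131 192.168.129.131.crt` command can be run against the real files in /opt/harbor/cert before installing Harbor.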

Installation steps

  • Download the installer

Download the Harbor installer from this link: https://github.com/goharbor/harbor/releases

wget https://github.com/goharbor/harbor/releases/download/v2.9.1/harbor-online-installer-v2.9.1.tgz
tar zxvf harbor-online-installer-v2.9.1.tgz -C /opt/

  • Prepare the configuration file
cd /opt/harbor
cp harbor.yml.tmpl harbor.yml
  • Edit the configuration file
# Change the hostname
sed -i 's/reg.mydomain.com/192.168.129.131/g' harbor.yml
# Change the certificate settings
sed -i 's$/your/certificate/path$/opt/harbor/cert/192.168.129.131.crt$g' harbor.yml
sed -i 's$/your/private/key/path$/opt/harbor/cert/192.168.129.131.key$g' harbor.yml
# Change the administrator password
sed -i 's/Harbor12345/W4rI6rKmglnCTB1/g' harbor.yml
  • Run the install script
./install.sh
  • Grant ownership of the configuration directory (required on openEuler; otherwise the containers fail to start because of permission problems)
chown 10000:10000 common -R 
  • Restart the application
docker-compose restart 
  • Check the application status
[root@localhost harbor]# docker-compose ps
NAME                IMAGE                                  COMMAND                  SERVICE             CREATED             STATUS                    PORTS
harbor-core         goharbor/harbor-core:v2.9.1            "/harbor/entrypoint.…"   core                About an hour ago   Up 12 minutes (healthy)   
harbor-db           goharbor/harbor-db:v2.9.1              "/docker-entrypoint.…"   postgresql          About an hour ago   Up 12 minutes (healthy)   
harbor-jobservice   goharbor/harbor-jobservice:v2.9.1      "/harbor/entrypoint.…"   jobservice          About an hour ago   Up 12 minutes (healthy)   
harbor-log          goharbor/harbor-log:v2.9.1             "/bin/sh -c /usr/loc…"   log                 About an hour ago   Up 12 minutes (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       goharbor/harbor-portal:v2.9.1          "nginx -g 'daemon of…"   portal              About an hour ago   Up 12 minutes (healthy)   
nginx               goharbor/nginx-photon:v2.9.1           "nginx -g 'daemon of…"   proxy               About an hour ago   Up 12 minutes (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               goharbor/redis-photon:v2.9.1           "redis-server /etc/r…"   redis               About an hour ago   Up 12 minutes (healthy)   
registry            goharbor/registry-photon:v2.9.1        "/home/harbor/entryp…"   registry            About an hour ago   Up 12 minutes (healthy)   
registryctl         goharbor/harbor-registryctl:v2.9.1     "/home/harbor/start.…"   registryctl         About an hour ago   Up 12 minutes (healthy)   
trivy-adapter       goharbor/trivy-adapter-photon:v2.9.1   "/home/scanner/entry…"   trivy-adapter       About an hour ago   Up 12 minutes (healthy)   

Configuring Docker's certificates

  • Convert the format of the certificate created earlier
openssl x509 -inform PEM -in 192.168.129.131.crt -out 192.168.129.131.cert
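  • Copy the certificates into Docker's directory
# Create the per-registry directory first; cp fails if it does not exist
mkdir -p /etc/docker/certs.d/192.168.129.131/
cp 192.168.129.131.cert /etc/docker/certs.d/192.168.129.131/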
cp 192.168.129.131.key /etc/docker/certs.d/192.168.129.131/
cp ca.crt /etc/docker/certs.d/192.168.129.131/
  • Restart Docker
systemctl restart docker 

Usage

Visit 192.168.129.131 to reach the login page
[Figure: Harbor login page]
After logging in you are taken to the main page
[Figure: Harbor main page]

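Create a new project
[Figure: New project]
Create a robot account, grant it only pull and push permissions, and copy the account's password from the dialog that then pops up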
Configure docker to log in to the private registry

[root@localhost ~]# docker login 192.168.129.131
Username: robot$test+testbot
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
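
What the warning in the output above means in practice, as an added example that is not part of the original post: the audit below reports which credentials a config.json holds inline (base64 of `user:password`, not encrypted), whether a `credsStore` or `credHelpers` entry is configured, and whether the file mode is wider than 600. The function names and the demo credential are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report registry credentials that
# "docker login" left in a config.json. The demo file below is constructed.
audit_docker_config() {   # $1 = path to a Docker client config.json
  if grep -Eq '"(credsStore|credHelpers)"' "$1"; then
    echo "HELPER_CONFIGURED"
  fi
  # Each "auth" value is base64("user:password"): encoded, not encrypted.
  grep -Eo '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$1" |
    sed 's/.*"\([^"]*\)"$/\1/' |
    while read -r b64; do
      user=$(printf '%s' "$b64" | base64 -d 2>/dev/null | cut -d: -f1)
      echo "INLINE_CREDENTIAL user=$user"   # the password part is never printed
    done
  mode=$(stat -c %a "$1")
  [ "$mode" = 600 ] || echo "FILE_MODE $mode (expected 600)"
}

make_demo_config() {   # $1 = output path; the credential is made up
  b64=$(printf '%s' 'robot$test+testbot:constructed-secret' | base64 | tr -d '\n')
  ( umask 077
    printf '{\n  "auths": {\n    "192.168.129.131": { "auth": "%s" }\n  }\n}\n' \
      "$b64" > "$1" )
}

demo=$(mktemp)
make_demo_config "$demo"
audit_docker_config "$demo"
rm -f "$demo"
```

On a real host, run `audit_docker_config /root/.docker/config.json`. An `INLINE_CREDENTIAL` line for a robot account means anyone who can read that file can push to the project.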

Tag the image and push it to Harbor

[root@localhost ~]# docker tag nginx:1.23.2 192.168.129.131/test/nginx:1.23.2
[root@localhost ~]# docker push 192.168.129.131/test/nginx:1.23.2
The push refers to repository [192.168.129.131/test/nginx]
7b72d5d921cb: Pushed 
aa3739f310f5: Pushed 
6906edffc609: Pushed 
f88642d922a1: Pushed 
2842e5d66803: Pushed 
b5ebffba54d3: Pushed 
1.23.2: digest: sha256:d5e4095bb4bcd2c40d6aba552f9ea66aacb1d0a5137a521dc6b0503b40b08921 size: 1570

View the pushed image in Harbor