Docker Private Registry

1. Docker Registry

Many Registry servers let third-party users sign up and host their own image repositories there. Using a Registry on the public internet has one drawback, though: pushing and pulling images is slow. In production, dozens or even hundreds of containers may be started in parallel, and the hosts very likely have no local copy of the image. Pulling it over the internet then causes problems: downloads are slow, bandwidth is consumed, and if bandwidth is short the pull-then-start cycle can take tens of minutes, which defeats the very point of containers being lightweight and fast. So in many cases we need to run our own private Registry.

A Registry stores Docker images, including their layer structure and metadata. You can run your own Registry or use the official Docker Hub.

Types of Docker Registry:

  • Sponsor Registry: a third-party Registry provided for customers and the Docker community
  • Mirror Registry: a third-party Registry available only to (paying) customers
  • Vendor Registry: a Registry run by a vendor to distribute its own Docker images
  • Private Registry: a Registry operated by a private entity behind a firewall and additional security layers

In practice, if your systems are hosted on a cloud provider such as Alibaba Cloud, that provider's Registry is the best choice. Production often does not run on premises but in a colocated data center; if we deploy a Registry on a host in that data center, it sits on the same LAN as the other hosts, traffic stays on the internal network and transfers become much faster.

By default every Registry is expected to speak HTTPS; that is a basic requirement of Docker. A self-built Registry is often set up with plain HTTP, but the Docker daemon refuses to talk to an HTTP Registry unless it is told explicitly, through the insecure-registries setting in /etc/docker/daemon.json, that this particular Registry is to be used over HTTP (loopback addresses in 127.0.0.0/8 are the one exception the daemon allows by default). Be clear about what that setting gives up: without TLS, login credentials and image layers travel in the clear, and anything on the network path can serve the client an image of its choosing.

2. Docker Private Registry

In the container era, anything other than the kernel and init should run in a container. To make a private Registry easy to set up, Docker publishes the Registry itself as an image on Docker Hub: pull it and start it as a container and you have a private Registry.

The Registry's job is to host images. When the Registry runs in a container, its filesystem disappears when the container is stopped and removed, and every image clients pushed would vanish with it. Images must therefore live on a volume, and ideally that volume is not on the Docker host's local disk but on shared network storage such as NFS. The volume the registry image declares for itself is still an anonymous, Docker-managed local volume; we can replace it by mounting a host directory or another filesystem at the same path.

That is the simple way: run the Registry as a container. The alternative is to install the docker-distribution package directly on the host. Two things to watch when running the container: the registry:2 image stores its data under /var/lib/registry, so that is where the host directory must be mounted (/tmp/registry was the data path of the old v1 registry; mounting there leaves pushed images inside the container), and -p 5000:5000 binds to every interface with neither authentication nor TLS, so anyone who can reach port 5000 can push and pull.

2.1 Running a Registry from the official image

[root@localhost ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry registry
Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
ddad3d7c1e96: Pull complete 
6eda6749503f: Pull complete 
363ab70c2143: Pull complete 
5b94580856e6: Pull complete 
12008541203a: Pull complete 
Digest: sha256:121baf25069a56749f249819e36b386d655ba67116d9c1c6c8594061852de4da
Status: Downloaded newer image for registry:latest
2f93bb5272ce551ca0c534ebedc5b4b4097ffde7264816b54f944bb3219aaba8
[root@localhost ~]# ss -antl
State        Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process      
LISTEN       0            128                      0.0.0.0:5000                  0.0.0.0:*                      
LISTEN       0            128                      0.0.0.0:22                    0.0.0.0:*                      
LISTEN       0            128                         [::]:5000                     [::]:*                      
LISTEN       0            128                         [::]:22                       [::]:*             
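Before trusting a setup like the one above, check that the host directory actually receives the data. The shell function below is an added example, not part of the original post: it reads the registry's on-disk layout (docker/registry/v2/repositories/<name>/_manifests/tags/<tag>/current) directly from the mounted host directory and lists every repository:tag that has been pushed. An empty result right after a successful push means the volume is mounted at the wrong path. The path /opt/data/registry and the corrected docker run line in the comment are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list the images a self-hosted
# registry has stored, straight from the host directory mounted into it.
#
# The registry:2 image writes under /var/lib/registry, so the volume must be
# mounted there (the post mounts it at /tmp/registry, the old v1 path).
# Assumed corrected start command, bound to loopback only:
#   docker run -d -p 127.0.0.1:5000:5000 \
#     -v /opt/data/registry:/var/lib/registry registry:2
#
# On-disk layout used below (registry v2 filesystem driver):
#   <root>/docker/registry/v2/repositories/<name>/_manifests/tags/<tag>/current/link

# Usage: registry_list_tags /opt/data/registry
# Prints one "<name>:<tag>" per line, sorted; returns 1 if no v2 tree exists.
registry_list_tags() {
    repos="$1/docker/registry/v2/repositories"
    if [ ! -d "$repos" ]; then
        echo "no v2 repository tree under $1 (is the volume mounted at /var/lib/registry?)" >&2
        return 1
    fi
    # Every tag has a 'current' directory holding the link to its manifest digest.
    find "$repos" -type d -path '*/_manifests/tags/*' -name current | sort |
    while IFS= read -r cur; do
        rel="${cur#"$repos"/}"                  # <name>/_manifests/tags/<tag>/current
        name="${rel%%/_manifests/*}"             # <name>, may itself contain slashes
        tag="${rel#*/_manifests/tags/}"          # <tag>/current
        tag="${tag%/current}"
        printf '%s:%s\n' "$name" "$tag"
    done
}

# Usage: registry_count_tags /opt/data/registry -> number of stored tags (0 when the tree is missing)
registry_count_tags() {
    registry_list_tags "$1" 2>/dev/null | wc -l | tr -d ' '
}
```

Run `registry_list_tags /opt/data/registry` on the Docker host after a push; if it reports no v2 tree while `docker push` succeeded, the data went into the container's own filesystem and will be lost with it.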

3. Harbor

The approach above is bare-bones and offers no web interface. Harbor, originally developed by VMware and now a CNCF project, builds on Docker Registry (Distribution), adds a number of supporting services and provides a polished web UI.

  • Project Harbor is an open-source trusted cloud-native registry project that stores, signs and scans content.
  • Harbor extends the open-source Docker Distribution with the functionality users usually need, such as security, identity and management.
  • Harbor supports advanced features such as user management, access control, activity auditing and replication between instances.

3.1 Harbor features

  • Signing and verification of user content
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical user interface
  • Internationalization (currently English and Chinese)

3.2 Docker Compose

Deploying Harbor directly on a host is hard, so the Harbor project ships it as a set of containers. Harbor depends on several backing services (PostgreSQL, Redis, the registry itself, a proxy and so on; the docker-compose images listed further down show the full set), so a number of containers have to be orchestrated to work together. That is why Harbor is deployed and managed with Docker's single-host orchestration tool, Docker Compose.

Official documentation:
https://docs.docker.com/compose/

3.3 Deploying Harbor

Harbor documentation:
https://github.com/goharbor/harbor
Installing Compose, following the official documentation:
https://docs.docker.com/compose/install/

// Install docker-compose (the release page also publishes a .sha256 file for each binary; compare it with the download before making the file executable)
[root@node2 ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@node2 ~]# chmod +x /usr/local/bin/docker-compose 
[root@node2 ~]# which docker-compose
/usr/local/bin/docker-compose
[root@node2 ~]# docker-compose --version
docker-compose version 1.29.2, build 5becea4c

// Download and unpack Harbor (the offline installer bundles the container images)
[root@node2 src]# ls
debug  harbor-offline-installer-v2.3.1.tgz  kernels
[root@node2 src]# tar xf harbor-offline-installer-v2.3.1.tgz -C /usr/local
[root@node2 src]# cd /usr/local/
[root@node2 local]# ls
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src

[root@node2 local]# cd harbor/
[root@node2 harbor]# ls
common.sh  harbor.v2.3.1.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
// Copy the template and edit the copy. hostname is the address clients will use to reach Harbor. The template
// also contains an https: block that points at certificate and key paths; the deployment shown here runs over
// plain HTTP (only port 80 is listening below), which means commenting that block out and, later, listing the
// host under insecure-registries on every client. Supplying a certificate and keeping https: is the better
// choice, and harbor_admin_password should be changed here as well, before the first install.
[root@node2 harbor]# cp harbor.yml.tmpl harbor.yml
[root@node2 harbor]# ls
common.sh  harbor.v2.3.1.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare
[root@node2 harbor]# vim harbor.yml
... (lines omitted) ...
hostname: 192.168.249.141
... (lines omitted) ...

// Run the installer
[root@node2 harbor]# bash install.sh
[root@node2 harbor]# ss -antl
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port     Process      
LISTEN      0           128                    0.0.0.0:80                  0.0.0.0:*                     
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*                     
LISTEN      0           128                  127.0.0.1:1514                0.0.0.0:*                     
LISTEN      0           128                       [::]:80                     [::]:*                     
LISTEN      0           128                       [::]:22                     [::]:*       

Web UI
Browse to http://192.168.249.141/ and log in with the default account:
User: admin
Password: Harbor12345
Change this password right after the first login (or set harbor_admin_password in harbor.yml before running install.sh): it is identical on every Harbor installation that keeps the template value.
Steps in the UI: create a user; create a project; add the user to the project with an appropriate role (only members with push rights can push to it).
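Three settings in harbor.yml decide most of the security posture of the instance described above: the hostname (a bare IP, as used here, cannot carry a proper TLS certificate), whether the https: block is enabled, and whether harbor_admin_password is still the well-known default used for the login above. The shell function below is an added example, not part of the original post or of Harbor itself: it scans a harbor.yml for those three things before install.sh is run and returns the number of findings. It is a plain text scan of the top-level keys hostname, https and harbor_admin_password (all present in the shipped template), not a YAML parser, and the sample files it is meant to be run on are whatever you have edited.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Harbor): pre-install
# sanity check of harbor.yml. Looks at three top-level keys of the template:
#   hostname               - should be a DNS name, not the placeholder or a bare IP
#   https:                 - present and uncommented, otherwise clients need insecure-registries
#   harbor_admin_password  - must not be the default Harbor12345
# Plain text scan of top-level keys; not a YAML parser.

# Read the scalar value of a top-level key, ignoring trailing comments.
# Usage: harbor_yml_get harbor.yml hostname
harbor_yml_get() {
    sed -nE "s/^$2:[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | head -n 1
}

# Usage: harbor_yml_audit harbor.yml
# Prints one line per finding; the return code is the number of findings (0 = clean).
harbor_yml_audit() {
    f="$1"; findings=0
    host=$(harbor_yml_get "$f" hostname)
    case "$host" in
        ""|reg.mydomain.com)
            echo "hostname is unset or still the template placeholder"
            findings=$((findings+1)) ;;
        *[!0-9.]*)
            : ;;   # contains something other than digits and dots: a DNS name
        *)
            echo "hostname is a bare IP ($host); certificates are issued for names"
            findings=$((findings+1)) ;;
    esac
    if ! grep -qE '^https:' "$f"; then
        echo "https: block is missing or commented out; clients would need insecure-registries"
        findings=$((findings+1))
    fi
    if [ "$(harbor_yml_get "$f" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password is the well-known default"
        findings=$((findings+1))
    fi
    return "$findings"
}
```

Run `harbor_yml_audit harbor.yml` in /usr/local/harbor before `bash install.sh`; the configuration shown on this page produces all three findings, a configuration with a DNS hostname, an enabled https: block and a changed admin password produces none.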

3.4 Pushing images

Push an image from node1

[root@node1 ~]# vim /etc/docker/daemon.json
// add the insecure-registries line (JSON has no comments, so do not leave a note inside the file)

{
  "bip": "10.0.0.1/24",
  "registry-mirrors": ["https://1gnt5vnf.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.249.141"]
}

// Restart docker
[root@node1 ~]# systemctl restart docker

// Log in to the registry
[root@node1 ~]# docker login 192.168.249.141
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
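The warning printed above is worth taking literally. The shell function below is an added example, not part of the original post: it shows exactly what docker login leaves behind when no credential helper is configured. The auth field of each registry entry in ~/.docker/config.json is only base64("user:password"), so anyone who can read that file, or a backup, image layer or CI artifact that accidentally contains it, has the Harbor password. The config.json the function is demonstrated on in the usage note is constructed, not taken from the author's host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decode the credentials that
# `docker login` stores in config.json when no credential helper is in use.
# Each registry entry looks like  "192.168.249.141": {"auth": "<base64>"}
# and <base64> is nothing more than base64("user:password").

# Usage: docker_creds_leak [config.json]   (default: ~/.docker/config.json)
# Prints "<registry> <user>:<password>" per entry; reports a credsStore if one is set.
docker_creds_leak() {
    cfg="${1:-$HOME/.docker/config.json}"
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 1
    fi
    flat=$(tr -d ' \n\t' < "$cfg")      # whitespace-free JSON, easy to grep
    # A credential helper means the secrets live in the OS keychain, not in this file.
    store=$(printf '%s' "$flat" | sed -nE 's/.*"credsStore":"([^"]*)".*/\1/p')
    if [ -n "$store" ]; then
        echo "credsStore: $store"
    fi
    # Every  "host":{"auth":"<base64>"  pair, one per line, decoded.
    printf '%s\n' "$flat" | grep -oE '"[^"]+":\{"auth":"[^"]*"' |
    while IFS= read -r entry; do
        host=$(printf '%s' "$entry" | sed -E 's/^"([^"]+)".*/\1/')
        b64=$(printf '%s' "$entry" | sed -E 's/.*"auth":"([^"]*)"$/\1/')
        printf '%s %s\n' "$host" "$(printf '%s' "$b64" | base64 -d)"
    done
}
```

Run it as the user who executed docker login; a constructed config.json holding base64("admin:Harbor12345") for 192.168.249.141 prints `192.168.249.141 admin:Harbor12345`. The fix the warning points at is a credential helper (docker-credential-pass, -secretservice or -osxkeychain): once `credsStore` is set the function finds a store name and no auth entries.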

// Push the image
[root@node1 ~]# docker images
REPOSITORY        TAG       IMAGE ID       CREATED        SIZE
lxr909626/httpd   v0.1      62eb6750c913   5 days ago     85MB

// The name must be <harbor-host>/<project>/<repository>:<tag>; the project ("projects" here) must already exist in Harbor and the logged-in user needs push rights on it
[root@node1 ~]# docker tag lxr909626/httpd:v0.1 192.168.249.141/projects/httpd:v0
[root@node1 ~]# docker images
REPOSITORY                       TAG       IMAGE ID       CREATED        SIZE
192.168.249.141/projects/httpd   v0        62eb6750c913   5 days ago     85MB
lxr909626/httpd                  v0.1      62eb6750c913   5 days ago     85MB

[root@node1 ~]# docker push 192.168.249.141/projects/httpd:v0
The push refers to repository [192.168.249.141/projects/httpd]
0ade59b98093: Pushed 
332198eab6b4: Pushed 
72e830a4dff5: Pushed 
v0: digest: sha256:878d7a32084c45a8d7433f9d5aec1127542b6b4e80ef066bd661ae18ee0ca127 size: 951
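Why the tag has to look exactly like that: Docker decides where a push goes from the name alone. The first path component is treated as a registry host only if it contains a dot or a colon or is literally localhost; anything else is a Docker Hub namespace. Tag the image projects/httpd:v0 instead of 192.168.249.141/projects/httpd:v0 and docker push will try to send an internal image to docker.io/projects/httpd. The shell functions below are an added example, not from the original post: image_ref_target reproduces that resolution rule, and safe_push refuses to run docker push unless the name resolves to the registry you intended. The registry address and repository names are taken from the post; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): resolve where `docker push NAME`
# will send an image, and refuse to push to the wrong registry.
#
# Docker's rule: the part before the first '/' is a registry host only if it
# contains '.' or ':' or equals "localhost"; otherwise the whole name is a
# Docker Hub repository (and a name with no '/' is an official "library/" image).

# Usage: image_ref_target NAME[:TAG]   -> prints "<registry> <repository> <tag>"
image_ref_target() {
    ref="${1%%@*}"                     # drop a trailing @sha256:... digest, if any
    last="${ref##*/}"                  # final path component, possibly "repo:tag"
    if [ "${last#*:}" != "$last" ]; then
        tag="${last##*:}"              # text after the last ':' of the last component
        ref="${ref%:*}"                # host:port earlier in the name is left alone
    else
        tag="latest"
    fi
    first="${ref%%/*}"
    if [ "$first" = "$ref" ]; then
        registry="docker.io"; repo="library/$ref"
    elif [ "$first" = "localhost" ] || [ "${first#*.}" != "$first" ] || [ "${first#*:}" != "$first" ]; then
        registry="$first"; repo="${ref#*/}"
    else
        registry="docker.io"; repo="$ref"
    fi
    printf '%s %s %s\n' "$registry" "$repo" "$tag"
}

# Usage: safe_push REGISTRY NAME[:TAG]
# Runs `docker push` only when NAME resolves to REGISTRY; returns 1 otherwise.
safe_push() {
    want="$1"; ref="$2"
    got=$(image_ref_target "$ref" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "refusing: $ref would be pushed to $got, not $want" >&2
        return 1
    fi
    docker push "$ref"
}

# The name from the post resolves to the private Harbor instance:
#   image_ref_target 192.168.249.141/projects/httpd:v0   -> 192.168.249.141 projects/httpd v0
# Dropping the host would silently target Docker Hub:
#   image_ref_target projects/httpd:v0                   -> docker.io projects/httpd v0
```

Wrap the push step in a build script as `safe_push 192.168.249.141 "$IMAGE"`; a mistyped or shortened name is then rejected before any layer leaves the host, instead of being discovered after it has landed in a public namespace.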

Check the repository in the Harbor web UI.
Notes on using Harbor:
1. Run docker login on the client before pushing; an unauthenticated push is rejected.
2. If the client does not reach Harbor over HTTPS, its /etc/docker/daemon.json must list the host under insecure-registries. That setting disables TLS for the host, so the credentials sent by docker login and every layer transferred cross the network unencrypted and without server authentication; treat it as a lab-only shortcut and put a certificate on Harbor instead.
3. Point the data path (data_volume in harbor.yml) at shared storage with enough capacity.
4. Harbor is managed with docker-compose; stop it with docker-compose stop in the Harbor directory, and see docker-compose --help for the other subcommands.

3.5 Using the docker-compose command

docker-compose works from a docker-compose.yml, so run it in the directory that contains the file (or point at the file with -f, as shown below).

[root@node2 ~]# docker-compose --help
Define and run multi-container applications with Docker.

Usage:
  docker-compose [-f <arg>...] [--profile <name>...] [options] [--] [COMMAND] [ARGS...]
  docker-compose -h|--help

Options:
  -f, --file FILE             Specify an alternate compose file
                              (default: docker-compose.yml)
  -p, --project-name NAME     Specify an alternate project name
                              (default: directory name)
  --profile NAME              Specify a profile to enable
  -c, --context NAME          Specify a context name
  --verbose                   Show more output
  --log-level LEVEL           Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
  --ansi (never|always|auto)  Control when to print ANSI control characters
  --no-ansi                   Do not print ANSI control characters (DEPRECATED)
  -v, --version               Print version and exit
  -H, --host HOST             Daemon socket to connect to

  --tls                       Use TLS; implied by --tlsverify
  --tlscacert CA_PATH         Trust certs signed only by this CA
  --tlscert CLIENT_CERT_PATH  Path to TLS certificate file
  --tlskey TLS_KEY_PATH       Path to TLS key file
  --tlsverify                 Use TLS and verify the remote
  --skip-hostname-check       Don't check the daemon's hostname against the
                              name specified in the client certificate
  --project-directory PATH    Specify an alternate working directory
                              (default: the path of the Compose file)
  --compatibility             If set, Compose will attempt to convert keys
                              in v3 files to their non-Swarm equivalent (DEPRECATED)
  --env-file PATH             Specify an alternate environment file

Commands:
  build              Build or rebuild services
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove resources
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show version information and quit
# If you are not in the directory containing docker-compose.yml, point at it with -f:
[root@node2 ~]# docker-compose -f /usr/local/harbor/docker-compose.yml create
WARNING: The create command is deprecated. Use the up command with the --no-start flag instead.
Creating harbor-log ... done
Creating registry   ... done
Creating registryctl ... done
Creating harbor-db   ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done

// create only creates the containers; docker ps shows nothing running yet
[root@node2 harbor]# docker-compose create
WARNING: The create command is deprecated. Use the up command with the --no-start flag instead.
Creating harbor-log ... done
Creating registry   ... done
Creating registryctl ... done
Creating harbor-db   ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done

// Remove the (stopped) containers
[root@node2 harbor]# docker-compose rm
Going to remove nginx, harbor-jobservice, harbor-core, redis, harbor-portal, harbor-db, registryctl, registry, harbor-log
Are you sure? [yN] y
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing redis             ... done
Removing harbor-portal     ... done
Removing harbor-db         ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-log        ... done

// Create and start the containers; by default they run in the foreground (add -d to detach)
[root@node2 harbor]# docker-compose up
Creating harbor-log ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-db     ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done

// Start all containers
[root@node2 harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting redis       ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done

// Stop all containers
[root@node2 harbor]# docker-compose stop
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done

// Stop and remove everything, including the harbor_harbor network. Avoid this for routine stops: afterwards docker-compose start has nothing to start, and the stack has to be recreated with docker-compose up -d (or by re-running install.sh)
[root@node2 harbor]# docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing redis             ... done
Removing harbor-portal     ... done
Removing harbor-db         ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-log        ... done
Removing network harbor_harbor

// List the images
[root@node2 harbor]# docker-compose images
    Container               Repository             Tag       Image Id       Size  
----------------------------------------------------------------------------------
harbor-core         goharbor/harbor-core          v2.3.1   f05acc3947d6   157.5 MB
harbor-db           goharbor/harbor-db            v2.3.1   b16a9c81ef03   262.8 MB
harbor-jobservice   goharbor/harbor-jobservice    v2.3.1   d6e174ae0a00   170.7 MB
harbor-log          goharbor/harbor-log           v2.3.1   40a54594fe22   194.4 MB
harbor-portal       goharbor/harbor-portal        v2.3.1   4a15c5622fda   57.56 MB
nginx               goharbor/nginx-photon         v2.3.1   3b3ede1db494   44.34 MB
redis               goharbor/redis-photon         v2.3.1   4a0d49a4ece0   190.8 MB
registry            goharbor/registry-photon      v2.3.1   972ce19b1882   81.24 MB
registryctl         goharbor/harbor-registryctl   v2.3.1   91e798004920   132 MB  

// View logs; all containers by default, or a single one by name
[root@node2 harbor]# docker-compose logs registryctl
Attaching to registryctl
registryctl    | Appending internal tls trust CA to ca-bundle ...
registryctl    | Internal tls trust CA appending is Done.
registryctl    | find: '/etc/harbor/ssl': No such file or directory
registryctl    | 172.18.0.8 - - [10/Aug/2021:12:09:48 +0000] "GET /api/health HTTP/1.1" 200 9
registryctl    | 172.18.0.8 - - [10/Aug/2021:12:09:58 +0000] "GET /api/health HTTP/1.1" 200 9
registryctl    | 172.18.0.8 - - [10/Aug/2021:12:10:08 +0000] "GET /api/health HTTP/1.1" 200 9

// Pause; docker ps shows the containers as Paused, they do no work and the web UI stops responding
[root@node2 harbor]# docker-compose pause
Pausing harbor-log        ... done
Pausing registryctl       ... done
Pausing registry          ... done
Pausing redis             ... done
Pausing harbor-db         ... done
Pausing harbor-portal     ... done
Pausing harbor-core       ... done
Pausing harbor-jobservice ... done
Pausing nginx             ... done
[root@localhost harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                  PORTS                                   NAMES
d3164db48291   goharbor/nginx-photon:v2.3.1         "nginx -g 'daemon of…"   5 minutes ago   Up 5 minutes (Paused)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
2af8fc21671f   goharbor/harbor-jobservice:v2.3.1    "/harbor/entrypoint.…"   5 minutes ago   Up 5 minutes (Paused)                                

// Unpause
[root@node2 harbor]# docker-compose unpause
Unpausing nginx             ... done
Unpausing harbor-jobservice ... done
Unpausing harbor-core       ... done
Unpausing harbor-portal     ... done
Unpausing harbor-db         ... done
Unpausing redis             ... done
Unpausing registry          ... done
Unpausing registryctl       ... done
Unpausing harbor-log        ... done

3.6 Deploying LAMP with a docker-compose.yml

// Create the directory shared with the containers
[root@localhost ~]# mkdir -p /lamp/httpd
// Put the files to be shared with the containers in it
[root@localhost ~]# cd /lamp/httpd/
[root@localhost httpd]# ls
httpd.conf  httpd-vhosts.conf  index.php

// Create the container network (optional: the compose file below declares the lamp network with external: false, so Compose creates it as root_lamp, project name plus network name, if it does not exist yet)
[root@localhost ~]# docker network create --subnet 10.0.0.0/24 --gateway 10.0.0.1 root_lamp
329a4dec676cd90e63fd014cefc6d9efd0fb2c5ea25bafaa93bf69605455d1b5
[root@localhost ~]# docker network ls
NETWORK ID     NAME            DRIVER    SCOPE
816d39044592   bridge          bridge    local
32b942b49812   harbor_harbor   bridge    local
e5c66809cafc   host            host      local
97797dc3982f   none            null      local
329a4dec676c   root_lamp       bridge    local

// Write docker-compose.yml
[root@localhost ~]# cat docker-compose.yml 
services:
  httpd:
    image: httpd:latest
    container_name: httpd
    restart: always
    volumes:
      - type: bind
        source: /lamp/httpd/httpd.conf
        target: /usr/local/apache2/conf/httpd.conf
      - type: bind
        source: /lamp/httpd/httpd-vhosts.conf
        target: /usr/local/apache2/conf/extra/httpd-vhosts.conf
      - type: bind
        source: /lamp/httpd/index.php
        target: /usr/local/apache2/htdocs/php/index.php
    networks:
      - lamp
    ports:
      - 80:80
  mysql:
    image: mysql:latest
    container_name: mysql
    restart: always
    # The mysql image refuses to initialize without a root password setting and
    # exits immediately; take it from the environment or a .env file rather than
    # writing the secret into this file.
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD before running docker-compose}
    networks:
      - lamp
    # httpd reaches MySQL over the lamp network; publishing 3306 on every host
    # interface is only needed for external clients and exposes the database.
    ports:
      - 3306:3306
  php:
    # php:latest is the CLI image and exits as soon as it starts; for FastCGI on
    # port 9000 use php:fpm (or a php:<version>-fpm tag).
    image: php:latest
    container_name: php
    restart: always
    networks:
      - lamp
    # As with 3306, FPM only needs to be reachable from httpd on the lamp network.
    ports:
      - 9000:9000
networks:
  lamp:
    external: false

// Create the containers, then start them
[root@localhost ~]# docker-compose create
WARNING: The create command is deprecated. Use the up command with the --no-start flag instead.
Pulling httpd (httpd:latest)...
latest: Pulling from library/httpd
33847f680f63: Pull complete
d74938eee980: Pull complete
963cfdce5a0c: Pull complete
763d74736d95: Pull complete
a8c75048351a: Pull complete
Digest: sha256:eacdd6c7419ab95b43a258321fc6b38cf56004de4f6a952fc0d96a12730e04de
Status: Downloaded newer image for httpd:latest
Pulling mysql (mysql:latest)...
latest: Pulling from library/mysql
33847f680f63: Already exists
5cb67864e624: Pull complete
1a2b594783f5: Pull complete
b30e406dd925: Pull complete
48901e306e4c: Pull complete
603d2b7147fd: Pull complete
802aa684c1c4: Pull complete
715d3c143a06: Pull complete
6978e1b7a511: Pull complete
f0d78b0ac1be: Pull complete
35a94d251ed1: Pull complete
36f75719b1a9: Pull complete
Digest: sha256:8b928a5117cf5c2238c7a09cd28c2e801ac98f91c3f8203a8938ae51f14700fd
Status: Downloaded newer image for mysql:latest
Pulling php (php:latest)...
latest: Pulling from library/php
33847f680f63: Already exists
ba03c99d34ed: Pull complete
5f637ed06e1a: Pull complete
ecfd84713df3: Pull complete
381afe291f59: Pull complete
fa0ae8ecde8f: Pull complete
9ac3da1da0bd: Pull complete
e27c68bb487b: Pull complete
6a228220b4c3: Pull complete
Digest: sha256:74b3e070691df223ae61980575c4bb946ce15a852e76c6e50fdab11c95825d66
Status: Downloaded newer image for php:latest
Creating httpd ... done
Creating mysql ... done
Creating php   ... done
[root@localhost ~]# docker-compose start
Starting httpd ... done
Starting mysql ... done
Starting php   ... done
[root@localhost ~]# ss -antl
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port     Process      
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*                     
LISTEN      0           128                    0.0.0.0:9000                0.0.0.0:*                     
LISTEN      0           128                    0.0.0.0:3306                0.0.0.0:*                     
LISTEN      0           128                    0.0.0.0:80                  0.0.0.0:*                     
LISTEN      0           128                       [::]:22                     [::]:*                     
LISTEN      0           128                       [::]:9000                   [::]:*                     
LISTEN      0           128                       [::]:3306                   [::]:*                     
LISTEN      0           128                       [::]:80                     [::]:*          