docker《四》---镜像仓库

一、docker仓库之分布式 Harbor

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器，由vmware开源，其通过添加一些企业必需的功能特性，例如安全、标识和管理等，扩展了开源Docker Distribution。作为一个企业级私有Registry服务器，Harbor提供了更好的性能和安全。提升用户使用Registry构建和运行环境传输镜像的效率。Harbor支持安装在多个Registry节点的镜像资源复制，镜像全部保存在私有Registry中， 确保数据和知识产权在公司内部网络中管控，另外，Harbor也提供了高级的安全特性，诸如用户管理，访问控制和活动审计等。

vmware官方开源服务列表地址：https://vmware.github.io/harbor/cn/
harbor官方github地址：https://github.com/vmware/harbor
harbor官方网址：https://goharbor.io/

1.1 安装验证

下载地址：https://github.com/vmware/harbor/releases

1.1.1 安装docker

root@ubuntu-node1:~#  curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
root@ubuntu-node1:~# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
root@ubuntu-node1:~# apt-get -y update
root@ubuntu-node1:~# apt-cache madison docker-ce
root@ubuntu-node1:~# apt-get -y install docker-ce=18.06.3~ce~3-0~ubuntu

1.1.2 安装docker-compose

root@ubuntu-node1:~# apt install python-pip -y
root@ubuntu-node1:~# pip install --upgrade pip
root@ubuntu-node1:~# pip install docker-compose

1.1.3 下载安装Harbor

root@ubuntu-node1:/usr/local# cd src/
root@ubuntu-node1:/usr/local/src# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.6.tgz
root@ubuntu-node1:/usr/local/src# tar xf harbor-offline-installer-v1.7.6.tgz
root@ubuntu-node1:/usr/local/src# ln -sv /usr/local/src/harbor /usr/local/
root@ubuntu-node1:/usr/local/src# cd /usr/local/harbor

1.1.4 编辑配置文件

root@ubuntu-node1:/usr/local/harbor# grep "^[a-Z]" harbor.cfg
hostname = 10.10.100.141   #访问地址，可以配置域名
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
#https证书，不使用https不需要配置
ssl_cert = /data/cert/server.crt   
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
#邮箱配置
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
#harbor默认登入密码
harbor_admin_password = 12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
#数据库配置
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =

1.1.5 执行安装脚本

root@ubuntu-node1:/usr/local/harbor# ./install.sh

root@ubuntu-node1:/usr/local/harbor# docker-compose ps

       Name                     Command                   State                                     Ports
---------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-core          /harbor/start.sh                 Up (healthy)
harbor-db            /entrypoint.sh postgres          Up (healthy)     5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (unhealthy)   127.0.0.1:1514->10514/tcp
harbor-portal        nginx -g daemon off;             Up (healthy)     80/tcp
nginx                nginx -g daemon off;             Up (healthy)     0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up               6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up (healthy)     5000/tcp
registryctl          /harbor/start.sh                 Up (healthy)

1.1.6 web访问Harbor界面

默认管理员账号admin，密码为刚刚配置文件设置的默认密码

新建项目，且设置公开

1.1.7 验证docker使用harbor仓库上传下载镜像

注：如果harbor配置的是https的话，本地docker不需要配置insecure-registries，可直接访问

root@docker-node1:~# vim /etc/docker/daemon.json
{
  "insecure-registries": ["10.10.100.141"]
}
#修改后重启docker
root@docker-node1:~# systemctl restart docker
#登入到harbor仓库
root@docker-node1:~# docker login 10.10.100.141
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

1.1.7.1 上传镜像

**上传镜像到harbor需要修改images的名称，不修改成指定格式无法将镜像上传到harbor仓库，格式为: Harbor IP/项目名/image名字:版本号： **

root@docker-node1:~# docker tag nginx-alpine:v1 10.10.100.141/web/nginx-alpine:v1
root@docker-node1:~# docker push 10.10.100.141/web/nginx-alpine:v1
The push refers to repository [10.10.100.141/web/nginx-alpine]
ddc309cf59d3: Pushed
9969af496b6e: Pushed
4b86e0a77a34: Pushed
2ec87f690297: Pushed
934c77b2ea92: Pushed
d07dbd491380: Pushed
eea6ac42165e: Pushed
f1dd685eb59e: Pushed
v1: digest: sha256:e6595a10e3a81a904b6208111e8fca1c02017ebbde0af19e6cbc8da262e79a4c size: 1994

登入到harbor界面可以看到刚刚上传的镜像

1.1.7.1 下载镜像

在另外一台docker服务器拉取刚刚上传的镜像

root@ubuntu-node1:~# vim /etc/docker/daemon.json
{
  "insecure-registries": ["10.10.100.141"]
}
root@ubuntu-node1:~# systemctl restart docker
root@ubuntu-node1:~# docker pull 10.10.100.141/web/nginx-alpine:v1
v1: Pulling from web/nginx-alpine
4e9f2cdf4387: Pull complete
7a753d57e56e: Pull complete
bb84b807b575: Pull complete
3647e32e5f4b: Pull complete
736998b92547: Pull complete
7bdf93fd3edc: Pull complete
9a79e359db13: Pull complete
43373424221d: Pull complete
Digest: sha256:e6595a10e3a81a904b6208111e8fca1c02017ebbde0af19e6cbc8da262e79a4c
Status: Downloaded newer image for 10.10.100.141/web/nginx-alpine:v1
root@ubuntu-node1:~# docker images
REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
10.10.100.141/web/nginx-alpine   v1                  1e6b3b403914        47 hours ago        216MB

二、实现harbor高可用

2.1 高可用实现方式

Harbor支持基于策略的Docker镜像复制功能，这类似于MySQL的主从同步，其可以实现不同的数据中心、不同的运行环境之间同步镜像，并提供友好的管理界面，大大简化了实际运维中的镜像管理工作，已经有用很多互联网公司使用harbor搭建内网docker仓库的案例，并且还有实现了双向复制的案列，本文将实现单向复制的部署

2.2 实现单向复制

在10.10.100.142安装harbor，实现从刚刚安装的10.10.100.141到142的单向复制

安装好好登入到harbor

登入到web界面新建web项目

2.2.1 新建目录

在主仓库管理界面新建需要复制的目标

2.2.2 新建复制规则

2.2.3 查看主同步状态

2.2.4 从harbor查看镜像

2.3 实现双向同步

2.3.1 从harbor创建同步规则

规则方式与主harbor相同，写对方的IP+用户名密码，然后点测试连接，确认可以测试连接通过。