Docker Private Registry
Docker Registry
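Many Registry servers on the Internet let third-party users sign up and then create their own repositories under their user name. Using a Registry on the Internet has one drawback, however: pushing and pulling images is not fast. In production, dozens or even hundreds of containers may be started in parallel, and quite possibly none of the servers has the image locally. Downloading images over the Internet at that point causes many problems, such as slow downloads and heavy bandwidth use. If bandwidth is insufficient, the process from download to startup can take tens of minutes, which defeats the purpose of using containers to be lighter and faster. For this reason we often need to run our own private Registry.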
A Registry stores Docker images, including their layer structure and metadata. Users can build their own Registry or use the official Docker Hub.
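Types of Docker Registry:
- Sponsor Registry: a third-party registry for use by customers and the Docker community
- Mirror Registry: a third-party registry for use by customers only
- Vendor Registry: a registry provided by a vendor that publishes Docker images
- Private Registry: a registry provided by a private entity, behind a firewall and additional security layers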
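In fact, if the environment you operate is hosted on a cloud service such as Alibaba Cloud, then Alibaba Cloud's Registry is the best choice. Often our production environment is not on premises but hosted in a data center. If we deploy a Registry on a host in that data center, everything is in the same facility and therefore on the same LAN, so data travels over the internal network and efficiency improves greatly.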
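By default every Registry works over HTTPS; this is a basic Docker requirement. A self-built Registry, however, is quite likely to work over HTTP, and Docker by default refuses to use a Registry served over HTTP unless we tell it explicitly that we do want to use an HTTP Registry.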
Docker Private Registry
To help us create a private Registry quickly, Docker provides a package named Docker Distribution; installing it lets us build a private repository quickly.
Q: Since Docker exists to run programs, can Docker Distribution itself run in a container?
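In the container era, every program should run in a container, except the kernel and init. To support Docker Private Registry, Docker Hub ships the Registry itself as an official image; we can simply pull it and start it as a container to get a private Registry quickly.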
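The main job of a Registry is to host images. When the Registry runs in a container, the container's own filesystem is deleted when the container's lifecycle ends and the container is removed. So if clients have uploaded many images to a Registry running in a container, all of them vanish when the Registry container is stopped and deleted. These images should therefore be placed on a storage volume, and that volume is best placed not on the Docker host's local disk but on shared network storage such as NFS. Note, however, that the volume defined by the image itself is still a Docker-managed volume local to the Docker host; we can manually change it to a volume backed by another filesystem.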
That is one simple way to run a Registry: in a container. The other way to build your own Registry is to install the docker-distribution software directly.
Building a Registry with docker-distribution (for CentOS 7)
[root@node02 ~]# yum -y install docker-distribution
[root@node02 ~]# vim /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry   # change this to a directory on a large disk partition
http:
    addr: :5000
[root@node02 ~]# systemctl start docker-distribution
[root@node02 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 [::]:5000 [::]:*
LISTEN 0 128 [::]:22
Uploading images from node01 to the self-built Registry
# Use the insecure-registries parameter to add HTTP support
[root@node01 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://j3m2itm3.mirror.aliyuncs.com","https://registry.docker-cn.com"],
"insecure-registries": ["node02-linux.example.com:5000"]
}
[root@node01 ~]# systemctl restart docker
Building a Registry with the official image
[root@localhost ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry
Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
ddad3d7c1e96: Pull complete
6eda6749503f: Pull complete
363ab70c2143: Pull complete
5b94580856e6: Pull complete
12008541203a: Pull complete
Digest: sha256:121baf25069a56749f249819e36b386d655ba67116d9c1c6c8594061852de4da
Status: Downloaded newer image for registry:latest
f379873948c98b0e36dec3dca128b2d66e2ef6567f5809aa10e5634b0c5077fe
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:5000 [::]:*
Harbor
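Whether we build a repository with docker-distribution or by running the official image as a container, the demonstrations above show that the result is very bare-bones. It is less convenient than managing images directly on the official Docker Hub, which at least lets you manage images through a web interface, search from that interface, and build images automatically from a Dockerfile using Webhooks and Automated Builds: instead of running docker build locally, the user pushes all the build-context files to GitHub as a repository and lets Docker Hub pull those files from GitHub to complete the automated build.
But however powerful the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck, and in many cases using the official repository is simply not an option. The two self-build methods above, meanwhile, are very bare-bones and hard to manage. This led to a project favored by the CNCF, named Harbor.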
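Introduction to Harbor
Harbor features
- Multi-user management (role-based access control and project isolation)
- Audit logs
- Security and vulnerability analysis
- Identity integration and role-based access control
- Image replication between instances
- Extensible API and graphical user interface
- Internationalization (currently English and Chinese)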
Docker compose
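Harbor is very hard to deploy directly on a physical machine. To simplify its use, the Harbor project ships Harbor as an application that runs in containers. It depends on many storage systems such as redis, mysql and pgsql, so many containers have to be orchestrated to work together. For this reason, deploying and using VMware Harbor relies on Docker's single-host orchestration tool, Docker Compose.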
Compose is a tool for defining and running multi-container Docker
applications. With Compose, you use a YAML file to configure your
application’s services. Then, with a single command, you create and
start all the services from your configuration.
Deploying Harbor
[root@node1 ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 633 100 633 0 0 1148 0 --:--:-- --:--:-- --:--:-- 1148
100 12.1M 100 12.1M 0 0 980k 0 0:00:12 0:00:12 --:--:-- 1195k
[root@node1 ~]# chmod +x /usr/local/bin/docker-compose
[root@node1 ~]# ll /usr/local/bin/docker-compose
-rwxr-xr-x. 1 root root 12737304 8月 9 08:22 /usr/local/bin/docker-compose
//Download the Harbor package from GitHub
[root@node1 ~]# wget https://github.com/goharbor/harbor/releases/download/v2.3.1/harbor-offline-installer-v2.3.1.tgz
[root@node1 ~]# ls
anaconda-ks.cfg harbor-offline-installer-v2.3.1.tgz
[root@node1 ~]# tar xf harbor-offline-installer-v2.3.1.tgz -C /usr/local/
[root@node1 ~]# cd /usr/local/
[root@node1 local]# ls
bin etc games harbor include lib lib64 libexec sbin share src
//Install Docker
[root@node1 local]# scp root@192.168.147.33:/etc/yum.repos.d/docker-ce.repo /etc/yum.repos.d
The authenticity of host '192.168.147.33 (192.168.147.33)' can't be established.
ECDSA key fingerprint is SHA256:RuFgm5pa1DPK2+Tu3pMEcR6v9dswSDz36msEy2vkNqI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.147.33' (ECDSA) to the list of known hosts.
root@192.168.147.33's password:
docker-ce.repo 100% 184 4.0KB/s 00:00
[root@node1 ~]# yum -y install --allowerasing docker-ce
[root@node1 ~]# systemctl start docker
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.147.55   # change this to the host's own IP address
# The https section is commented out because there is no certificate
# https related config
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
[root@node1 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.8
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.29.2
…………
Creating harbor-log ... done
Creating registry ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
[root@node1 harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
Enter your username and password
Enter the private registry
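Notes on using Harbor
When uploading an image from a client, always run docker login to authenticate first; otherwise you cannot push
If the client is not using https, the insecure-registries parameter must be configured in the client's /etc/docker/daemon.json
The data storage path should be set in the configuration file to shared storage with ample capacity
Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop. For other options, see --help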
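Using the docker-compose command
The docker-compose command is driven by docker-compose.yml, so run it in the directory that contains this file.
# If you are not in the directory that contains docker-compose.yml, then: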
[root@localhost ~]# docker-compose -f /usr/local/harbor/docker-compose.yml create
WARNING: The create command is deprecated. Use the up command with the --no-start flag instead.
Creating harbor-log ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
//create: only creates the containers; they do not appear in ps because they are not running
[root@node1 harbor]# docker-compose create
WARNING: The create command is deprecated. Use the up command with the --no-start flag instead.
Creating harbor-log ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
//rm: remove stopped containers
[root@localhost harbor]# docker-compose rm
Going to remove nginx, harbor-jobservice, harbor-core, redis, harbor-portal, harbor-db, registryctl, registry, harbor-log
Are you sure? [yN] y
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing redis ... done
Removing harbor-portal ... done
Removing harbor-db ... done
Removing registryctl ... done
Removing registry ... done
Removing harbor-log ... done
//up: create and start; runs in the foreground by default
[root@localhost harbor]# docker-compose up
Creating harbor-log ... done
Creating registryctl ... done
Creating redis ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
//start: start
[root@localhost harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
//stop: stop
[root@localhost harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-log ... done
//down: stop and remove resources; not recommended, because it also deletes the network resources and Harbor has to be reinstalled
[root@localhost harbor]# docker-compose down
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping registryctl ... done
Stopping registry ... done
//images: list images
[root@node1 harbor]# docker-compose images
Container Repository Tag Image Id Size
----------------------------------------------------------------------------------
harbor-core goharbor/harbor-core v2.3.1 f05acc3947d6 157.5 MB
harbor-db goharbor/harbor-db v2.3.1 b16a9c81ef03 262.8 MB
harbor-jobservice goharbor/harbor-jobservice v2.3.1 d6e174ae0a00 170.7 MB
harbor-log goharbor/harbor-log v2.3.1 40a54594fe22 194.4 MB
harbor-portal goharbor/harbor-portal v2.3.1 4a15c5622fda 57.56 MB
nginx goharbor/nginx-photon v2.3.1 3b3ede1db494 44.34 MB
redis goharbor/redis-photon v2.3.1 4a0d49a4ece0 190.8 MB
registry goharbor/registry-photon v2.3.1 972ce19b1882 81.24 MB
registryctl goharbor/harbor-registryctl v2.3.1 91e798004920 132 MB
//logs: view logs; shows all containers by default, or a single one if specified
[root@node1 harbor]# docker-compose logs registryctl
Attaching to registryctl
registryctl | Appending internal tls trust CA to ca-bundle ...
registryctl | Internal tls trust CA appending is Done.
registryctl | find: '/etc/harbor/ssl': No such file or directory
registryctl | 172.18.0.8 - - [10/Aug/2021:14:49:31 +0000] "GET /api/health HTTP/1.1" 200 9
//pause: pause; ps shows the containers in a paused state, meaning they are not working; for a web service, you will see that it cannot be reached
[root@node1 harbor]# docker-compose pause
Pausing harbor-log ... done
Pausing registry ... done
Pausing registryctl ... done
Pausing harbor-db ... done
Pausing harbor-portal ... done
Pausing redis ... done
Pausing harbor-core ... done
Pausing harbor-jobservice ... done
Pausing nginx ... done
//unpause: resume from pause
[root@localhost harbor]# docker-compose unpause
Unpausing nginx ... done
Unpausing harbor-jobservice ... done
Unpausing harbor-core ... done
Unpausing harbor-portal ... done
Unpausing harbor-db ... done
Unpausing redis ... done
Unpausing registry ... done
Unpausing registryctl ... done
Unpausing harbor-log ... done
Using the Harbor registry
[root@localhost ~]# vim /etc/docker/daemon.json
{
"bip": "10.0.0.1/24",
"insecure-registries": ["192.168.147.55"],
"registry-mirrors": ["https://l9h8fu9j.mirror.aliyuncs.com"]
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker login 192.168.147.55
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
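The client settings used in this walkthrough can be checked mechanically. The following added example (not part of the original post; `is_loopback` and `audit` are names chosen here, and both JSON samples are constructed) reads a daemon.json and a ~/.docker/config.json and reports registries reached without verified TLS, which covers the insecure-registries entries configured for node02 earlier and for Harbor here, together with passwords that docker login left base64-encoded in the file.

```python
import base64
import ipaddress
import json

# Constructed sample files mirroring the client configuration in this walkthrough.
DAEMON_JSON = '{"insecure-registries": ["192.168.147.55", "127.0.0.1:5000"]}'
# "auth" is base64("user:password"); the password is a made-up placeholder.
CONFIG_JSON = json.dumps({"auths": {"192.168.147.55": {
    "auth": base64.b64encode(b"admin:example-password").decode()}}})


def is_loopback(entry):
    """True if an insecure-registries entry only covers the local host."""
    host = entry.split("/")[0]              # drop a CIDR suffix such as /8
    if host.count(":") == 1:                # host:port form
        host = host.split(":")[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                        # DNS name: traffic leaves this host


def audit(daemon_json, config_json):
    """Return (severity, message) findings for a Docker client host."""
    daemon, config = json.loads(daemon_json), json.loads(config_json)
    insecure = [e for e in daemon.get("insecure-registries", [])
                if not is_loopback(e)]
    findings = [("warn", f"{e}: certificate checks off, plain HTTP allowed")
                for e in insecure]
    for registry, entry in config.get("auths", {}).items():
        if not entry.get("auth"):
            continue                        # empty entry: secret is in a helper
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        findings.append(
            ("warn", f"{registry}: password for '{user}' is only base64-encoded"))
        if registry in insecure:
            findings.append(
                ("high", f"{registry}: credential is sent without verified TLS"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(DAEMON_JSON, CONFIG_JSON):
        print(f"[{severity}] {message}")
```

With a credential helper configured (the credsStore key in config.json), docker login leaves the auths entry empty and the two credential findings disappear.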
Create a new project
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
itmiao16/php v0 e0766fc4c36f 33 hours ago 5.6MB
itmiao16/nginx v0 a8b48423146f 33 hours ago 6.66MB
itmiao16/httpd v0 ff69992f125b 33 hours ago 14.1MB
alpine latest 021b3423115f 3 days ago 5.6MB
itmiao16/httpd v0.1 40087ea739c8 6 days ago 688MB
itmiao16/yh/httpd v0.1 40087ea739c8 6 days ago 688MB
yh/httpd v0.1 40087ea739c8 6 days ago 688MB
centos latest 300e315adb2f 8 months ago 209MB
[root@localhost ~]# docker tag alpine 192.168.147.55/alpine/alpine:latest
[root@localhost ~]# docker push 192.168.147.55/alpine/alpine:latest
The push refers to repository [192.168.147.55/alpine/alpine]
bc276c40b172: Pushed
latest: digest: sha256:be9bdc0ef8e96dbc428dc189b31e2e3b05523d96d12ed627c37aa2936653258c size: 528