Introduction
1. Docker registry encryption
Create a user and set its password
[root@docker1 ~]# htpasswd -B auth/htpasswd msy
New password:
Re-type new password:
Adding password for user msy
[root@docker1 ~]# cat auth/htpasswd
admin:$2y$05$kLPoaynpBGEe4GByYhZYG.U/CxXzdtJunNA258bNNejn719BKkRaK
msy:$2y$05$BDzyn0LQhi4bRGuIGZhLeuDcvyko8F/1ZHH8GUd7t3FifSYu9UNyW
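Before mounting the htpasswd file into the registry it is worth checking that every entry is one the registry will actually accept: the registry's htpasswd backend only understands bcrypt hashes, which is why the user above is created with `htpasswd -B`. The audit below is an added example, not part of the original post; the bcrypt-only rule is real, while the cost floor of 10 and the sample lines are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Docker Distribution's htpasswd auth backend accepts only bcrypt hashes. This
# audit flags entries the registry would reject (MD5/SHA/crypt), duplicate users,
# malformed lines, and bcrypt costs below a policy floor (htpasswd -B defaults to 5).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed policy floor, not a registry requirement

@dataclass
class Finding:
    line_no: int
    user: str
    problem: str

def audit_htpasswd(text: str, min_cost: int = MIN_COST) -> list:
    """Return one Finding per problematic entry in htpasswd file content."""
    findings = []
    seen = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(line_no, "", "malformed line (no ':' separator)"))
            continue
        user, digest = line.split(":", 1)
        if user in seen:
            findings.append(Finding(line_no, user, "duplicate user"))
        seen.add(user)
        match = BCRYPT_RE.match(digest)
        if not match:
            findings.append(Finding(line_no, user, "not a bcrypt hash; the registry rejects it"))
            continue
        cost = int(match.group(1))
        if cost < min_cost:
            findings.append(Finding(line_no, user, f"bcrypt cost {cost} below floor {min_cost}"))
    return findings

# Constructed sample file: the 53-character hash bodies are placeholders, not real digests.
SAMPLE = "\n".join([
    "admin:$2y$05$" + "a" * 53,                     # accepted, but cost 5 is weak
    "msy:$2y$12$" + "b" * 53,                       # fine
    "legacy:$apr1$saltsalt$abcdefghijklmnopqrstu",  # Apache MD5: registry rejects
    "admin:$2y$12$" + "c" * 53,                     # duplicate user
    "broken line without separator",
])
```

Run `audit_htpasswd(open("auth/htpasswd").read())` against the real file; an empty list means every entry is bcrypt, unique and above the cost floor.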
Remove the old container and create a new one that requires password authentication. When you access it again, the previous method no longer works directly; you have to add -u with a username and password before the request succeeds.
[root@docker1 ~]# docker run -d --name registry -v /opt/registry:/var/lib/registry -v /root/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /root/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
01641c6513c0c2f4ddfea38e21244e74da9e656074b380cd4963f3ea4f77904a
[root@docker1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01641c6513c0 registry "/entrypoint.sh /etc…" 5 seconds ago Up 3 seconds 0.0.0.0:443->443/tcp, :::443->443/tcp, 5000/tcp registry
As you can see, once the username and password we just set are supplied, the contents of the registry container can be accessed successfully; without them the request is rejected.
[root@docker1 ~]# curl -k https://localhost/v2/_catalog -u msy:westos
{"repositories":["game2048","nginx"]}
[root@docker1 ~]# curl -k https://localhost/v2/_catalog
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
Once username/password authentication is configured, both pushing images to the private registry and pulling images from it on a client require logging in to the registry first; otherwise the operation fails with an error.
[root@docker1 ~]# docker tag centos:7 reg.westos.org/library/centos:7
[root@docker1 ~]# docker push reg.westos.org/library/centos:7
The push refers to repository [reg.westos.org/library/centos]
174f56854903: Preparing
no basic auth credentials
[root@docker1 ~]# docker login reg.westos.org
Username: msy
Password:
Error response from daemon: login attempt to https://reg.westos.org/v2/ failed with status: 401 Unauthorized
[root@docker1 ~]# docker login reg.westos.org
Username: msy
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker1 ~]# docker push reg.westos.org/library/centos:7
The push refers to repository [reg.westos.org/library/centos]
174f56854903: Pushed
7: digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f size: 529
[root@docker2 ~]# docker login reg.westos.org
Username: msy
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker2 ~]# docker pull reg.westos.org/library/centos:7
7: Pulling from library/centos
2d473b07cdd5: Pull complete
Digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f
Status: Downloaded newer image for reg.westos.org/library/centos:7
reg.westos.org/library/centos:7
[root@docker2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
reg.westos.org/nginx latest 51086ed63d8c 4 weeks ago 142MB
reg.westos.org/library/centos 7 eeb6ee3f44bd 13 months ago 204MB
2. Deploying a Harbor registry
First download Harbor and docker-compose, edit the relevant configuration files, and then run the installer.
[root@docker1 ~]# mv docker-compose-linux-x86_64-v2.5.0 /usr/local/bin/docker-compose
[root@docker1 ~]# chmod +x /usr/local/bin/docker-compose
[root@docker1 ~]# cd harbor/
[root@docker1 harbor]# ./install.sh
✔ ----Harbor has been installed and started successfully.----
[root@docker1 harbor]# ls
common common.sh docker-compose.yml harbor.v2.5.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
[root@docker1 harbor]# docker-compose ps
NAME COMMAND SERVICE STATUS PORTS
harbor-core "/harbor/entrypoint.…" core running (healthy)
harbor-db "/docker-entrypoint.…" postgresql running (healthy)
harbor-jobservice "/harbor/entrypoint.…" jobservice running (healthy)
harbor-log "/bin/sh -c /usr/loc…" log running (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal "nginx -g 'daemon of…" portal running (healthy)
nginx "nginx -g 'daemon of…" proxy running (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp, :::80->8080/tcp, :::443->8443/tcp
redis "redis-server /etc/r…" redis running (healthy)
registry "/home/harbor/entryp…" registry running (healthy)
registryctl "/home/harbor/start.…" registryctl running (healthy)
Once that finishes, open the registry in a browser; if the page loads, the deployment succeeded. The Harbor registry contains many of the containers we are likely to use, and its graphical interface makes it easier to work with.
After logging in to the registry with the same user account that exists in Harbor, push an image; the uploaded image then appears on the Harbor project page.
[root@docker1 ~]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker1 ~]# docker push reg.westos.org/library/centos:7
The push refers to repository [reg.westos.org/library/centos]
174f56854903: Pushed
7: digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f size: 529
Pulling from another host is much faster than pulling from the public internet as before, and the Harbor logs show the operations we just performed, such as the push by the admin user and the anonymous pull.
[root@docker2 ~]# docker pull centos:7
7: Pulling from library/centos
2d473b07cdd5: Pull complete
Digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
We can also create a private project, push an image to it, and pull it from the other host; the log shows every one of our operations clearly.
The difference between public and private projects is that a private project requires login authentication before images can be pulled, whereas anyone can pull from a public project without authenticating, so a private project is more secure.