Contents
1. What is a repository
2. Introduction to Docker Hub
3. Installing and configuring Docker and Harbor
4. Pushing images from a remote host to the private registry
5. Configuring a registry mirror
6. How the Registry works
7. Creating a Harbor project and enabling content trust
1. What is a repository
What is a repository?
• A Docker repository is a place that holds images. Docker provides a registry server (Registry) that stores multiple repositories, and each repository can hold multiple images with different tags.
• The default repository Docker uses is the public Docker Hub.
2. Introduction to Docker Hub
Docker Hub
Docker Hub is the public registry maintained by Docker Inc. Users can use it for free or pay for private repositories.
3. Installing and configuring Docker and Harbor
First register an account at https://hub.docker.com/
• Create a public repository on Docker Hub
3.1 Install Docker
[root@server1 ~]# systemctl enable --now docker   # start Docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Extract the Harbor offline installer
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# ls
anaconda-ks.cfg harbor harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
Edit the configuration file
[root@server1 harbor]# vim harbor.yml
5 hostname: reg.westos.org
15 #port: 443
17 #certificate: /your/certificate/path
18 #private_key: /your/private/key/path
27 harbor_admin_password: westos
Install docker-compose (docker-compose-Linux-x86_64-1.24.1)
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.24.1 /usr/local/bin/docker-compose
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
Name resolution
[root@server1 ~]# cat /etc/hosts   # add the registry hostname
172.25.254.5 server1 reg.westos.org
Run the installer
[root@server1 harbor]# ./install.sh   # generates docker-compose.yml when it finishes
[root@server1 harbor]# ls
common common.sh docker-compose.yml (new) harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
3.2 Create the certificate and private key
[root@server1 ~]# cd /data/
[root@server1 data]# mkdir -p certs
The certificate is valid for only 365 days. Enter the registry hostname (reg.westos.org) as the Common Name; Docker builds based on Go 1.15 or later also require it as a Subject Alternative Name.
[root@server1 data]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server1 data]# cd certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
3.3 Enable HTTPS
[root@server1 harbor]# pwd
/root/harbor
[root@server1 harbor]# vim harbor.yml
17 certificate: /data/certs/westos.org.crt
18 private_key: /data/certs/westos.org.key
3.4 Regenerate the configuration after editing
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common common.sh docker-compose.yml harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
[root@server1 harbor]# ./prepare   # regenerates the configuration
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@server1 harbor]# ./install.sh   # reinstall and start again
[root@server2 harbor]# netstat -tnpl   # port 443 is now open
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:1514 0.0.0.0:* LISTEN 19178/docker-proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7510/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7677/master
tcp6 0 0 :::80 :::* LISTEN 19826/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 7510/sshd
tcp6 0 0 ::1:25 :::* LISTEN 7677/master
tcp6 0 0 :::443 :::* LISTEN 19806/docker-proxy
3.5 After importing the certificate into the browser, open the host IP directly
4. Pushing images from a remote host to the private registry
Install Docker on server5 following the same steps as above.
[root@server5 ~]# cat /etc/hosts   # add name resolution
172.25.254.1 server1 reg.westos.org
Obtain the Nginx image
[root@server5 ~]# docker load -i nginx.tar   # import the image from the archive
[root@server5 ~]# docker images   # list images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest e548f1a579cf 2 years ago 109MB
[root@server5 reg.westos.org]# mkdir -p /etc/docker/certs.d/reg.westos.org   # the directory name must match the registry hostname
Copy the certificate into the new directory and rename it ca.crt. This is the default path Docker checks, so the Docker service does not need to be restarted.
[root@server1 certs]# scp westos.org.crt server5:/etc/docker/certs.d/reg.westos.org/ca.crt
[root@server5 reg.westos.org]# pwd
/etc/docker/certs.d/reg.westos.org
[root@server5 reg.westos.org]# ls
ca.crt
[root@server5 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest   # tag the image with the registry path
[root@server5 reg.westos.org]# docker login reg.westos.org   # log in to the registry before pushing
[root@server5 reg.westos.org]# docker push reg.westos.org/library/nginx   # the push succeeds
Open server1's IP (172.25.254.1) in a browser to confirm the image has been uploaded.
Note: pulling does not require authentication: docker pull reg.westos.org/library/nginx
5. Configuring a registry mirror
Pulling images from Docker Hub is slow, so configure a registry mirror. Alibaba Cloud is used as the example here (an Alibaba Cloud account must be registered beforehand).
Configure the Docker daemon file (the quotes must be plain ASCII double quotes, or the file is not valid JSON):
mkdir -p /etc/docker
/etc/docker/daemon.json:
{
  "registry-mirrors": ["https://ck7lkd69.mirror.aliyuncs.com"]
}
systemctl daemon-reload
systemctl restart docker
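As an added example (not part of the original post), a small Python checker for /etc/docker/daemon.json: it catches typographic quotes, a frequent copy-and-paste defect that makes the file invalid JSON and stops dockerd from starting, and it flags mirrors that are not https as well as any insecure-registries entry. The two sample bodies are constructed, using the mirror URL above.

```python
import json
from urllib.parse import urlparse

# Constructed sample bodies: the first is what a paste with typographic quotes
# looks like, the second is the same file with plain ASCII quotes.
BROKEN_DAEMON_JSON = (
    '{\n\u201cregistry-mirrors\u201d: [\u201chttps://ck7lkd69.mirror.aliyuncs.com\u201d]\n}\n'
)
FIXED_DAEMON_JSON = '{\n"registry-mirrors": ["https://ck7lkd69.mirror.aliyuncs.com"]\n}\n'

_SMART_QUOTES = {ord("\u201c"): '"', ord("\u201d"): '"'}


def repair_quotes(text):
    """Replace typographic double quotes with the ASCII quotes JSON requires."""
    return text.translate(_SMART_QUOTES)


def lint_daemon_json(text):
    """Return a list of findings for a daemon.json body; an empty list means clean."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        findings.append("invalid JSON: %s (line %d)" % (exc.msg, exc.lineno))
        if repair_quotes(text) != text:
            findings.append("contains typographic quotes; replace them with ASCII quotes")
        return findings  # dockerd would refuse to start with this file
    for mirror in cfg.get("registry-mirrors", []):
        if urlparse(mirror).scheme != "https":
            findings.append("mirror %r is not https; pulls could be tampered with in transit" % mirror)
    for reg in cfg.get("insecure-registries", []):
        findings.append("insecure-registries lists %r; trust its CA via /etc/docker/certs.d instead" % reg)
    return findings
```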
[root@server5 docker]# docker rmi nginx   # remove the image
Untagged: nginx:latest
[root@server5 docker]# docker rmi reg.westos.org/library/nginx:latest
[root@server5 docker]# docker images   # list images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@server5 ~]# docker pull nginx   # with the mirror configured, pull by short name without the full registry path
Test the mirror
Push the game2048 image from server1, then pull it on server2.
Pushing requires authentication: create the certificate directory on server1
[root@server1 docker]# mkdir -p certs.d/reg.westos.org/
[root@server1 docker]# ls
certs.d key.json
[root@server1 docker]# cd certs.d/reg.westos.org/
[root@server1 reg.westos.org]# scp /data/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org]# ls
ca.crt
[root@server1 reg.westos.org]# pwd
/etc/docker/certs.d/reg.westos.org
[root@server1 reg.westos.org]# docker login reg.westos.org   # log in
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server1 reg.westos.org]# cd
[root@server1 ~]# ls
anaconda-ks.cfg game2048.tar harbor harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# docker load -i game2048.tar   # import the image
Loaded image: game2048:latest
[root@server1 ~]# docker push reg.westos.org/library/game2048   # push, specifying the registry path
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Pull game2048 on server2
[root@server2 docker]# docker pull game2048
Using default tag: latest
latest: Pulling from library/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for game2048:latest
docker.io/library/game2048:latest   # pull address; the image was pulled from the private registry
If the private registry does not have the image, it is pulled from the official site, which requires internet access.
6. How the Registry works
What happens behind a docker pull or push
The index service mainly provides the image index and user authentication. When an image is downloaded, the client first authenticates with the index service, which looks up the address of the registry holding the image and returns it to the Docker client; the client then downloads the image from that registry. During the download the registry checks the validity of the client's token with the index. Different images can be stored on different registry servers, while all their index information lives on the index service.
Docker Registry has three roles: index, registry and registry client.
• index
  • Maintains information about user accounts, image checksums and the public namespace.
  • Web UI
  • Metadata store
  • Authentication service
  • Tokenization
• registry: stores images and their layer graphs; it has no local database and performs no user authentication itself, relying instead on tokens issued by the index Auth service.
• Registry Client
  • Docker acts as the registry client, handling push and pull as well as client authorization.
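The token exchange described above, as an added example that is not part of the original post: a minimal client that handles the 401 challenge, fetches a token from the index (auth) service and retries against the registry with it. The realm https://reg.westos.org/service/token, the service name and the fake_registry stub (which accepts the admin credentials from this post) are constructed stand-ins for the real server so the exchange runs offline.

```python
import json
import re
from urllib.parse import urlencode

# Challenge form: WWW-Authenticate: Bearer realm="...",service="...",scope="repository:<repo>:pull"
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a Bearer WWW-Authenticate header into its realm/service/scope parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme: " + scheme)
    return dict(_PARAM_RE.findall(params))


def token_url(challenge):
    """URL of the index (auth) service that issues a token for the requested scope."""
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urlencode(query)


def pull_manifest(http_get, registry, repo, tag, credentials=None):
    """Client side of the flow: registry 401 -> token from index -> retry with token.
    http_get(url, headers, auth) is injected and returns (status, headers, body)."""
    manifest_url = "https://%s/v2/%s/manifests/%s" % (registry, repo, tag)
    status, headers, body = http_get(manifest_url, {}, None)
    if status == 200:
        return json.loads(body)  # anonymous pull from a public project
    if status != 401 or "WWW-Authenticate" not in headers:
        raise RuntimeError("unexpected response %d" % status)
    challenge = parse_bearer_challenge(headers["WWW-Authenticate"])
    status, _, body = http_get(token_url(challenge), {}, credentials)
    if status != 200:
        raise PermissionError("index rejected the credentials")
    token = json.loads(body)["token"]
    status, _, body = http_get(manifest_url, {"Authorization": "Bearer " + token}, None)
    if status != 200:
        raise PermissionError("registry rejected the token: %d" % status)
    return json.loads(body)


def fake_registry(url, headers, auth):
    """Constructed stand-in for reg.westos.org (token endpoint plus registry), not a real server."""
    if url.startswith("https://reg.westos.org/service/token"):
        if auth != ("admin", "westos"):
            return 401, {}, b"{}"
        return 200, {}, json.dumps({"token": "constructed-token"}).encode()
    if headers.get("Authorization") == "Bearer constructed-token":
        return 200, {}, json.dumps({"schemaVersion": 2, "layers": []}).encode()
    challenge = 'Bearer realm="https://reg.westos.org/service/token",service="harbor-registry",scope="repository:westos/myapp:pull"'
    return 401, {"WWW-Authenticate": challenge}, b""
```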
7. Creating a Harbor project and enabling content trust
Developers can push images but cannot manage or delete them.
When a project is set to public, images can be pulled without logging in.
Adding Harbor components
[root@server1 ~]# cd harbor/   # must be run from the harbor directory
[root@server1 harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-log ... done
[root@server1 harbor]# ./install.sh --help   # show the help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary (image trust) if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-clair (image vulnerability scanning) if needs enable Clair in Harbor
Please set --with-chartmuseum (Helm chart support) if needs enable Chartmuseum in Harbor
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
Log out and log back in.
Automatic scanning on push can also be turned on.
Testing the automatic scanner
[root@server1 ~]# docker load -i busybox.tar   # import the image
8a788232037e: Loading layer [==================================================>] 1.37MB/1.37MB
Loaded image: busybox:latest
[root@server1 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org/   # create the certificate directory
[root@server1 ~]# scp /data/certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt   # copy the CA certificate
[root@server1 ~]# docker tag busybox:latest reg.westos.org/library/busybox   # tag the image
[root@server1 ~]# docker login reg.westos.org   # log in
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server1 ~]# docker push reg.westos.org/library/busybox   # push the image
The push refers to repository [reg.westos.org/library/busybox]
8a788232037e: Pushed
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
Next, disable the automatic scanner and test content trust.
[root@server1 ~]# docker pull reg.westos.org/library/nginx   # no login needed; the project is public
Using default tag: latest
Error response from daemon: unknown: The image is not signed in Notary.
The image has not been signed in Notary.
• Image signing: https://goharbor.io/docs/1.10/working-with-projects/workingwith-images/pulling-pushing-images/
Deploy the root certificate
[root@server1 .docker]# mkdir -p tls/reg.westos.org\:4443/
[root@server1 .docker]# cd tls/reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# ls
Both the Docker engine and the operating system can use this file.
[root@server1 reg.westos.org:4443]# cp /etc/docker/certs.d/reg.westos.org/ca.crt .
[root@server1 reg.westos.org:4443]# ls
ca.crt
Enable Docker Content Trust:
[root@server1 reg.westos.org:4443]# export DOCKER_CONTENT_TRUST=1
[root@server1 reg.westos.org:4443]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server1 ~]# docker load -i myapp.tar
[root@server1 ~]# docker tag ikubernetes/myapp:v1 reg.westos.org/library/myapp:v1
[root@server1 ~]# docker tag ikubernetes/myapp:v1 reg.westos.org/westos/myapp:v1
The first push sets the passphrase; the second push authenticates with it and uploads directly.
[root@server1 ~]# docker push reg.westos.org/westos/myapp:v1
The push refers to repository [reg.westos.org/westos/myapp]
a0d2c4392b06: Layer already exists
05a9e65e2d53: Layer already exists
68695a6cfd7d: Layer already exists
c1dc81a64903: Layer already exists
8460a579ab63: Layer already exists
d39d92664027: Layer already exists
v1: digest: sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e size: 1569
Signing and pushing trust metadata
Enter passphrase for repository key with ID 5433f54: Westos123
Passphrase incorrect. Please retry.
Enter passphrase for repository key with ID 5433f54: QQ123456
Successfully signed reg.westos.org/westos/myapp:v1
Test again: once the correct passphrase is entered, the push succeeds.
[root@server1 ~]# docker tag ikubernetes/myapp:v2 reg.westos.org/westos/myapp:v2
[root@server1 ~]# docker push reg.westos.org/westos/myapp:v2
The push refers to repository [reg.westos.org/westos/myapp]
05a9e65e2d53: Layer already exists
68695a6cfd7d: Layer already exists
c1dc81a64903: Layer already exists
8460a579ab63: Layer already exists
d39d92664027: Layer already exists
v2: digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102 size: 1362
Signing and pushing trust metadata
Enter passphrase for repository key with ID 5433f54:
Passphrase incorrect. Please retry.
Enter passphrase for repository key with ID 5433f54:
Successfully signed reg.westos.org/westos/myapp:v2
Test a remote pull
[root@server5 ~]# docker pull reg.westos.org/westos/myapp:v2   # pull
v2: Pulling from westos/myapp
Digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102
Status: Downloaded newer image for reg.westos.org/westos/myapp:v2
reg.westos.org/westos/myapp:v2
[root@server1 ~]# docker trust inspect reg.westos.org/westos/myapp:v2   # view the signature information
[root@server1 ~]# docker trust revoke reg.westos.org/westos/myapp:v2   # remove the signature
Enter passphrase for repository key with ID 5433f54:
Successfully deleted signature for reg.westos.org/westos/myapp:v2
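An added example, not from the original post: a check that reads `docker trust inspect` output and confirms that the digest a `docker pull` reported is the one the Notary signers vouched for; after `docker trust revoke` the tag disappears from SignedTags and the check fails, just as the "not signed in Notary" pull above did. The inspect JSON and the pull output are constructed around the v2 digest shown above (the key IDs are placeholders).

```python
import json

# Constructed sample of `docker trust inspect reg.westos.org/westos/myapp:v2`,
# using the v2 digest from the push above; key IDs are placeholders.
TRUST_INSPECT = json.dumps([{
    "Name": "reg.westos.org/westos/myapp:v2",
    "SignedTags": [{
        "SignedTag": "v2",
        "Digest": "5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102",
        "Signers": ["Repo Admin"],
    }],
    "Signers": [],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "placeholder-root-key-id"}]},
        {"Name": "Repository", "Keys": [{"ID": "5433f54"}]},
    ],
}])

# Constructed copy of the `docker pull` output shown in the session.
PULL_OUTPUT = """v2: Pulling from westos/myapp
Digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102
Status: Downloaded newer image for reg.westos.org/westos/myapp:v2
"""


def signed_digest(trust_json, tag):
    """Return the sha256:<hex> digest Notary signers vouched for, or None if unsigned."""
    for repo in json.loads(trust_json):
        for signed in repo.get("SignedTags", []):
            if signed["SignedTag"] == tag and signed.get("Signers"):
                return "sha256:" + signed["Digest"]
    return None  # tag absent: never signed, or removed by `docker trust revoke`


def pulled_digest(pull_output):
    """Extract the manifest digest the daemon printed during `docker pull`."""
    for line in pull_output.splitlines():
        if line.startswith("Digest: "):
            return line.split(" ", 1)[1].strip()
    return None


def verify_pull(trust_json, pull_output, tag):
    """Accept the pulled image only if its digest is the signed one; returns (ok, reason)."""
    want, got = signed_digest(trust_json, tag), pulled_digest(pull_output)
    if want is None:
        return False, "tag %s is not signed in Notary" % tag
    if got != want:
        return False, "digest mismatch: signed %s, pulled %s" % (want, got)
    return True, "%s verified against the signed digest" % tag
```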