Docker (Repositories): the Docker Hub public registry and building an enterprise private registry

Contents
I. What is a repository
II. About Docker Hub
III. Installing Docker and deploying Harbor
IV. Pushing images to the private registry from a remote host
V. Configuring a registry mirror
VI. How a registry works
VII. Harbor projects, Notary and Clair

I. What is a repository
A Docker repository is the place that holds images. Docker provides a registry server that hosts many repositories, and each repository can hold many images distinguished by tag.
• The default registry Docker uses is the Docker Hub public registry.
II. About Docker Hub
Docker Hub is the public registry maintained by Docker Inc. It is free to use, and private repositories can be purchased.
III. Installing Docker and deploying Harbor
First register an account at https://hub.docker.com/.
• Create a public repository on Docker Hub.
3.1 Start Docker and unpack Harbor

[root@server1 ~]# systemctl enable --now docker   # start Docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Unpack the offline installer:
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# ls
anaconda-ks.cfg  harbor  harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh  harbor.v1.10.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare
Edit the configuration file (the numbers are the line numbers inside harbor.yml):
[root@server1 harbor]# vim harbor.yml
5    hostname: reg.westos.org
15   #port: 443
17   #certificate: /your/certificate/path
18   #private_key: /your/private/key/path
27   harbor_admin_password: westos
Install docker-compose-Linux-x86_64-1.24.1:
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.24.1 /usr/local/bin/docker-compose
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
Name resolution:
[root@server1 ~]# cat /etc/hosts   # add the entry
172.25.254.5 server1 reg.westos.org
Run the installer:
[root@server1 harbor]# ./install.sh   # generates docker-compose.yml when it finishes
[root@server1 harbor]# ls
common  common.sh  docker-compose.yml (new)  harbor.v1.10.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare


3.2 Create the certificate and private key

[root@server1 ~]# cd /data/
[root@server1 data]# mkdir -p certs
The certificate below is valid for only 365 days:
[root@server1 data]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt


[root@server1 data]# cd certs/
[root@server1 certs]# ls
westos.org.crt  westos.org.key

3.3 Enable HTTPS

[root@server1 harbor]# pwd
/root/harbor
[root@server1 harbor]# vim harbor.yml 

17   certificate: /data/certs/westos.org.crt
18   private_key: /data/certs/westos.org.key

3.4 Apply the changed configuration

[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common  common.sh  docker-compose.yml  harbor.v1.10.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare
[root@server1 harbor]# ./prepare   # regenerate the configuration from harbor.yml
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@server1 harbor]# ./install.sh   # start Harbor again
[root@server1 harbor]# netstat -tnpl   # port 443 is now listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      19178/docker-proxy  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7510/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7677/master         
tcp6       0      0 :::80                   :::*                    LISTEN      19826/docker-proxy  
tcp6       0      0 :::22                   :::*                    LISTEN      7510/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      7677/master         
tcp6       0      0 :::443                  :::*                    LISTEN      19806/docker-proxy  
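The steps above edit harbor.yml by hand and then run ./prepare and ./install.sh. A preflight check catches the mistakes install.sh warns about (hostname left as localhost, the https block still commented out, the admin password left at Harbor's documented default Harbor12345) before the containers are started. This is an added example, not code from the original post or from the Harbor project; the function names and the sample-file writer used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): a preflight check
# for harbor.yml that catches the mistakes install.sh warns about before ./prepare runs.
# Function names and the sample-file writer are assumptions made for this example.

# Print the value of KEY from FILE, ignoring commented-out lines such as "#certificate: ...".
harbor_value() {
  # $1 = harbor.yml path, $2 = key name (hostname, certificate, private_key, ...)
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when harbor.yml is safe to feed to ./prepare, 1 (with reasons) otherwise.
check_harbor_yml() {
  f=$1; rc=0
  host=$(harbor_value "$f" hostname)
  case "$host" in
    ""|localhost|127.0.0.1)
      echo "hostname must be a name external clients can reach (got '$host')"; rc=1 ;;
  esac
  cert=$(harbor_value "$f" certificate)
  key=$(harbor_value "$f" private_key)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "https certificate/private_key are not set: the https block is still commented out"; rc=1
  else
    [ -r "$cert" ] || { echo "certificate is not readable: $cert"; rc=1; }
    [ -r "$key" ]  || { echo "private_key is not readable: $key"; rc=1; }
  fi
  pw=$(harbor_value "$f" harbor_admin_password)
  case "$pw" in
    ""|Harbor12345)
      echo "harbor_admin_password is empty or still the stock default"; rc=1 ;;
  esac
  return $rc
}

# Write a minimal constructed harbor.yml so the check can be exercised on a scratch host.
write_sample_harbor_yml() {
  # $1 = output path, $2 = hostname, $3 = certificate path, $4 = private key path, $5 = admin password
  cat > "$1" <<EOF
hostname: $2
http:
  port: 80
https:
  port: 443
  certificate: $3
  private_key: $4
harbor_admin_password: $5
EOF
}

# Usage on the Harbor host: sh harbor_preflight.sh /root/harbor/harbor.yml
if [ $# -gt 0 ]; then
  check_harbor_yml "$1"
fi
```

Run it against /root/harbor/harbor.yml before every ./prepare; a non-zero exit means the configuration would either fail to start or start with a well-known admin password.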

3.5 Import the certificate into the browser, then browse to the host IP
IV. Pushing images to the private registry from a remote host

Install Docker on server5 the same way as on server1.
[root@server5 ~]# cat /etc/hosts   # add the entry
172.25.254.1 server1 reg.westos.org
Obtain the Nginx image:
[root@server5 ~]# docker load -i nginx.tar   # load the image from the tarball
[root@server5 ~]# docker images   # check
REPOSITORY                     TAG                 IMAGE ID            CREATED             SIZE
nginx                          latest              e548f1a579cf        2 years ago         109MB
[root@server5 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org   # the directory name must match the registry host name
Copy the certificate into the new directory and rename it ca.crt. This is the default path Docker checks, so the Docker service does not need to be restarted.
[root@server1 certs]# scp westos.org.crt server5:/etc/docker/certs.d/reg.westos.org/ca.crt
[root@server5 reg.westos.org]# pwd
/etc/docker/certs.d/reg.westos.org
[root@server5 reg.westos.org]# ls
ca.crt
[root@server5 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest   # tag the image with the registry path
[root@server5 reg.westos.org]# docker login reg.westos.org   # log in to the registry before pushing
[root@server5 reg.westos.org]# docker push reg.westos.org/library/nginx   # the push now succeeds

Browse to server1's IP (172.25.254.1) to confirm the image has been pushed.
Note: pulling does not require authentication: docker pull reg.westos.org/library/nginx

V. Configuring a registry mirror
Pulling from Docker Hub can be slow, so configure a registry mirror. Alibaba Cloud is used here as the example (an Alibaba Cloud account must be registered beforehand).
Configure the Docker daemon file (the quotes must be plain ASCII double quotes, or the daemon will refuse to parse the JSON):
mkdir -p /etc/docker
/etc/docker/daemon.json
{
  "registry-mirrors": ["https://ck7lkd69.mirror.aliyuncs.com"]
}

systemctl daemon-reload
systemctl restart docker

[root@server5 docker]# docker rmi nginx   # remove the image
Untagged: nginx:latest
[root@server5 docker]# docker rmi reg.westos.org/library/nginx:latest
[root@server5 docker]# docker images   # check
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@server5 ~]# docker pull nginx   # with the mirror configured, a plain image name pulls without the long registry path

Testing the mirror:
Push the game2048 image from server1, then pull it on server2.

Pushing requires authentication. Create the certificate directory on server1:
[root@server1 docker]# mkdir -p certs.d/reg.westos.org/
[root@server1 docker]# ls
certs.d  key.json
[root@server1 docker]# cd certs.d/reg.westos.org/
[root@server1 reg.westos.org]# scp /data/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org]# ls
ca.crt
[root@server1 reg.westos.org]# pwd
/etc/docker/certs.d/reg.westos.org

[root@server1 reg.westos.org]# docker login reg.westos.org   # log in
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 reg.westos.org]# cd
[root@server1 ~]# ls
anaconda-ks.cfg  game2048.tar  harbor  harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# docker load -i game2048.tar   # load the image
Loaded image: game2048:latest
[root@server1 ~]# docker push reg.westos.org/library/game2048   # push, naming the registry path
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

Pull game2048 on server2:

[root@server2 docker]# docker pull game2048
Using default tag: latest
latest: Pulling from library/game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for game2048:latest
docker.io/library/game2048:latest   # the pull address shows it was pulled through the private registry
If the private registry does not have the image, it is fetched from the official site, which requires internet access.

VI. How a registry works
What happens behind a docker pull or docker push
The index service provides image indexing and user authentication. When an image is pulled, the client first authenticates against the index; the index looks up the address of the registry holding the image and returns it to the Docker client, which then downloads the image from that registry. During the download the registry checks the validity of the client's token with the index. Different images can be stored on different registry servers, while their index information all lives in the index service.
A Docker registry has three roles: index, registry, and registry client.

• index
  • Responsible for maintaining information about user accounts, image checksums, and the public namespace.
  • Web UI
  • Metadata storage
  • Authentication service
  • Tokenization

• registry
  • Stores images and their layer graph. It has no local database and does not authenticate users itself; clients are authenticated by tokens issued by the index auth service.

• registry client
  • Docker acts as the registry client: it drives push and pull and handles client-side authorization.
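The token handshake described above, worked through on a constructed 401 response, as an added example that is not part of the original post. A registry answers an unauthenticated request with a Bearer challenge naming the auth (index) service, and the client must fetch a token from that realm and retry with an Authorization header; the registry then validates the token's scope. SAMPLE_401 is a constructed sample modelled on a Harbor-fronted registry, and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the token handshake between registry
# client, registry and index (auth service), worked on a constructed 401 response.
# SAMPLE_401 is a constructed sample modelled on a Harbor-fronted registry; the
# helper names are assumptions made for this example.

SAMPLE_401='Www-Authenticate: Bearer realm="https://reg.westos.org/service/token",service="harbor-registry",scope="repository:library/nginx:pull"'

# Print the value of one key="value" parameter of a Bearer challenge line (empty if absent).
challenge_param() {
  # $1 = header line, $2 = parameter name (realm, service, scope)
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the URL the client calls on the auth service to obtain a token for the requested
# repository and action. Fails when the challenge is not a Bearer challenge carrying a
# realm and a service, which a client must treat as "cannot authenticate", not retry blindly.
token_url() {
  line=$1
  case "$line" in
    *"Bearer realm="*) ;;
    *) echo "not a Bearer challenge: $line" >&2; return 1 ;;
  esac
  realm=$(challenge_param "$line" realm)
  service=$(challenge_param "$line" service)
  scope=$(challenge_param "$line" scope)
  [ -n "$realm" ] && [ -n "$service" ] || return 1
  printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# The scope a client asks for differs by operation: a pull needs "pull", a push needs
# "pull,push". The registry later checks the token the index issued against this scope,
# which is why a pull-only token cannot be replayed to overwrite an image.
scope_for() {
  # $1 = repository (e.g. library/nginx), $2 = pull | push
  case "$2" in
    pull) printf 'repository:%s:pull\n' "$1" ;;
    push) printf 'repository:%s:pull,push\n' "$1" ;;
    *) return 1 ;;
  esac
}
```

In a real exchange the client sends its credentials to the URL token_url returns, receives a short-lived JSON token, and repeats the original request with "Authorization: Bearer <token>"; the registry accepts it only if the token was signed by the index and its scope covers the repository and action being attempted.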

VII. Harbor projects, Notary and Clair
Create a new project in Harbor.
A user with the Developer role can push images but cannot manage or delete them.
If the project is set to public, images can be pulled without logging in.
Adding Harbor components:

[root@server1 ~]# cd harbor/   # must be run from the harbor directory
[root@server1 harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done
[root@server1 harbor]# ./install.sh --help   # show the help

Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary (image signing) if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-clair (image vulnerability scanning) if needs enable Clair in Harbor
Please set --with-chartmuseum (Helm chart support) if needs enable Chartmuseum in Harbor
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum

Log out and log back in.
Automatic scanning can also be switched on.
Testing the automatic scanner:

[root@server1 ~]# docker load -i busybox.tar   # load the image
8a788232037e: Loading layer [==================================================>]   1.37MB/1.37MB
Loaded image: busybox:latest
[root@server1 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org/   # create the certificate directory
[root@server1 ~]# scp /data/certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt   # install the CA certificate
[root@server1 ~]# docker tag busybox:latest reg.westos.org/library/busybox   # tag
[root@server1 ~]# docker login reg.westos.org   # log in
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 ~]# docker push reg.westos.org/library/busybox   # push the image
The push refers to repository [reg.westos.org/library/busybox]
8a788232037e: Pushed 
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527

Next, turn off the automatic scanner and test content trust.

[root@server1 ~]# docker pull reg.westos.org/library/nginx   # no login needed, the project is public
Using default tag: latest
Error response from daemon: unknown: The image is not signed in Notary.
The image has not been signed in Notary.
• Image signing: https://goharbor.io/docs/1.10/working-with-projects/workingwith-images/pulling-pushing-images/

Deploy the root certificate

[root@server1 .docker]#  mkdir -p tls/reg.westos.org\:4443/
[root@server1 .docker]# cd tls/reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# ls
The same certificate file serves both the Docker engine and the Notary client here.
[root@server1 reg.westos.org:4443]# cp /etc/docker/certs.d/reg.westos.org/ca.crt  .  
[root@server1 reg.westos.org:4443]# ls 
ca.crt

Enable Docker content trust:

[root@server1 reg.westos.org:4443]# export DOCKER_CONTENT_TRUST=1
[root@server1 reg.westos.org:4443]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server1 ~]# docker load  -i myapp.tar 
[root@server1 ~]# docker tag ikubernetes/myapp:v1 reg.westos.org/library/myapp:v1
[root@server1 ~]# docker load  -i myapp.tar
[root@server1 ~]# docker tag ikubernetes/myapp:v1 reg.westos.org/westos/myapp:v1
The first push sets the passphrases; the second push only authenticates and uploads.
[root@server1 ~]# docker push reg.westos.org/westos/myapp:v1
The push refers to repository [reg.westos.org/westos/myapp]
a0d2c4392b06: Layer already exists 
05a9e65e2d53: Layer already exists 
68695a6cfd7d: Layer already exists 
c1dc81a64903: Layer already exists 
8460a579ab63: Layer already exists 
d39d92664027: Layer already exists 
v1: digest: sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e size: 1569
Signing and pushing trust metadata
Enter passphrase for repository key with ID 5433f54:  Westos123
Passphrase incorrect. Please retry.
Enter passphrase for repository key with ID 5433f54:  QQ123456
Successfully signed reg.westos.org/westos/myapp:v1
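The client-side setup above touches two certificate locations (Docker's certs.d directory for registry TLS, and the tls directory under ~/.docker that the Notary client reads on port 4443) and two environment variables. The helper below does both and checks the content-trust environment before a signed push or pull. This is an added example, not code from the original post or from the Harbor project; the function names and the DOCKER_ETC/DOCKER_HOME parameters (so the paths can point at a scratch directory instead of /etc/docker and ~/.docker) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project: put the registry CA
# where the Docker client and the Notary (content trust) client look for it, and check
# the content-trust environment before a signed push or pull. DOCKER_ETC and DOCKER_HOME
# are parameters (assumed for this example) so the functions can run against a scratch
# directory; on a real host they are /etc/docker and $HOME/.docker.

# install_registry_ca REGISTRY CA_FILE DOCKER_ETC DOCKER_HOME [NOTARY_PORT]
install_registry_ca() {
  reg=$1; ca=$2; etc=$3; home=$4; port=${5:-4443}
  [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 1; }
  # Registry TLS: <DOCKER_ETC>/certs.d/<registry>/ca.crt, picked up without a daemon restart.
  mkdir -p "$etc/certs.d/$reg" &&
  cp "$ca" "$etc/certs.d/$reg/ca.crt" || return 1
  # Notary TLS: <DOCKER_HOME>/tls/<registry>:<port>/ca.crt, read by docker trust/push/pull.
  mkdir -p "$home/tls/$reg:$port" &&
  cp "$ca" "$home/tls/$reg:$port/ca.crt" || return 1
  chmod 644 "$etc/certs.d/$reg/ca.crt" "$home/tls/$reg:$port/ca.crt"
}

# content_trust_ready REGISTRY DOCKER_HOME: 0 only when content trust is switched on,
# the trust server is the registry's Notary endpoint over https, and its CA is in place.
content_trust_ready() {
  reg=$1; home=$2; rc=0
  [ "${DOCKER_CONTENT_TRUST:-}" = 1 ] || { echo "DOCKER_CONTENT_TRUST is not 1"; rc=1; }
  server=${DOCKER_CONTENT_TRUST_SERVER:-}
  case "$server" in
    https://"$reg":[0-9]*) ;;
    *) echo "DOCKER_CONTENT_TRUST_SERVER must be https://$reg:<port> (got '$server')"; rc=1 ;;
  esac
  hostport=${server#https://}
  [ -r "$home/tls/$hostport/ca.crt" ] ||
    { echo "missing Notary CA: $home/tls/$hostport/ca.crt"; rc=1; }
  return $rc
}

# Usage on the client host:
#   install_registry_ca reg.westos.org /data/certs/westos.org.crt /etc/docker "$HOME/.docker"
#   export DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
#   content_trust_ready reg.westos.org "$HOME/.docker" && docker pull reg.westos.org/westos/myapp:v2
```

Because the two variables are only exported into the current shell, a pull run from another terminal or a cron job silently falls back to unverified pulls; running content_trust_ready first makes that failure visible instead of silent.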

Test again: once the correct passphrase is entered, the push succeeds.

[root@server1 ~]# docker tag ikubernetes/myapp:v2 reg.westos.org/westos/myapp:v2
[root@server1 ~]# docker push reg.westos.org/westos/myapp:v2
The push refers to repository [reg.westos.org/westos/myapp]
05a9e65e2d53: Layer already exists 
68695a6cfd7d: Layer already exists 
c1dc81a64903: Layer already exists 
8460a579ab63: Layer already exists 
d39d92664027: Layer already exists 
v2: digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102 size: 1362
Signing and pushing trust metadata
Enter passphrase for repository key with ID 5433f54: 
Passphrase incorrect. Please retry.
Enter passphrase for repository key with ID 5433f54: 
Successfully signed reg.westos.org/westos/myapp:v2

Remote pull test

[root@server5 ~]# docker pull reg.westos.org/westos/myapp:v2   # pull
v2: Pulling from westos/myapp
Digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102
Status: Downloaded newer image for reg.westos.org/westos/myapp:v2
reg.westos.org/westos/myapp:v2
[root@server1 ~]# docker trust inspect reg.westos.org/westos/myapp:v2   # show the signature data
[root@server1 ~]# docker trust revoke reg.westos.org/westos/myapp:v2   # remove the signature
Enter passphrase for repository key with ID 5433f54: 
Successfully deleted signature for reg.westos.org/westos/myapp:v2
