Docker registries (Harbor private registry)

I. What is a registry?

A Docker registry is where images are stored. Docker provides a registry server (Registry) that holds multiple repositories, and each repository can contain multiple images with different tags.
The default registry Docker uses is the public Docker Hub.

II. Configuring a registry mirror (accelerator)

Pulling images from Docker Hub is too slow, so a registry mirror is configured. Alibaba Cloud is used as the example here (an Alibaba Cloud account must be registered in advance).
Edit the docker daemon configuration file:

[root@server11 docker]# cat daemon.json 
{
  "registry-mirrors": ["https://afhtzwg6.mirror.aliyuncs.com"]
}

Reload the docker service:
systemctl daemon-reload
systemctl restart docker

III. Building a private registry

Encryption (TLS) and authentication for Docker push and pull:

1. Create the certs directory: mkdir certs/
2. Generate the key and the CA certificate

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Add a local hosts entry so that reg.westos.org resolves to the IP 172.25.11.11.

[root@server11 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
c2840d2054665e1786a7af93b2f243e1f8d65f86a0a8608d2b128e74d117e016

3. Encryption (TLS)

[root@server11 ~]# docker images
REPOSITORY                TAG       IMAGE ID       CREATED        SIZE
demo                      v1        08d1b013dbd9   20 hours ago   1.15MB
registry                  latest    678dfa38fcfa   5 weeks ago    26.2MB
nginx                     latest    4bb46517cac3   5 months ago   133MB
busybox                   latest    59788edf1f3e   2 years ago    1.15MB
game2048                  latest    19299002fdbe   4 years ago    55.5MB
reg.westos.org/game2048   latest    19299002fdbe   4 years ago    55.5MB
mario                     latest    9a35a9e43e8c   5 years ago    198MB

Create this directory on every node:
[root@server11 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server11 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
Once this directory exists, docker picks up the certificate automatically.
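The two steps above (generating the certificate in step 2, then copying it into /etc/docker/certs.d/<registry>/ca.crt) can be scripted. The following is an added example, not code from the original post. It differs from the page's openssl command in one respect: it puts the registry name and IP into a subjectAltName, because newer Docker versions (built on recent Go) reject certificates that only carry the name in the CN field. Host name, IP and output directories are parameters; the default trust directory /etc/docker/certs.d is the one the page uses.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a registry TLS
# certificate that carries a subjectAltName and stage it where the Docker
# client looks for per-registry trust. Host, IP and directories are
# parameters; the default trust directory is /etc/docker/certs.d as on the page.
set -eu

# make_registry_cert HOST IP OUTDIR
#   Writes OUTDIR/HOST.key and OUTDIR/HOST.crt (self-signed, valid 1 year).
#   The SAN carries both the DNS name and the IP, so clients that ignore
#   the legacy CN field still match the registry name.
make_registry_cert() {
  host=$1; ip=$2; out=$3
  mkdir -p "$out"
  cat > "$out/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
O = westos
[v3]
subjectAltName = DNS:$host,IP:$ip
basicConstraints = CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$out/$host.cnf" \
    -keyout "$out/$host.key" -out "$out/$host.crt" 2>/dev/null
  chmod 600 "$out/$host.key"   # the private key stays on the registry host only
}

# cert_has_san CERT HOST: succeeds when the certificate's SAN lists DNS:HOST
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# install_ca CERT HOST [CERTS_D]
#   Copies CERT to CERTS_D/HOST/ca.crt, the directory the Docker daemon
#   reads automatically for that registry, and prints the resulting path.
install_ca() {
  certs_d=${3:-/etc/docker/certs.d}
  mkdir -p "$certs_d/$2"
  cp "$1" "$certs_d/$2/ca.crt"
  printf '%s\n' "$certs_d/$2/ca.crt"
}

# Usage on the registry host (names as in the post: reg.westos.org at 172.25.11.11):
#   make_registry_cert reg.westos.org 172.25.11.11 certs
#   cert_has_san certs/reg.westos.org.crt reg.westos.org && echo "SAN ok"
#   install_ca certs/reg.westos.org.crt reg.westos.org
```

Only the .crt file is copied to the client nodes (with scp, as the page does for server12); the .key file never leaves the registry host. Running cert_has_san before distributing the certificate catches the CN-only mistake early, before the "x509" pull errors shown below.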

[root@server11 ~]# docker push reg.westos.org/game2048:latest 
The push refers to repository [reg.westos.org/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

[root@server11 reg.westos.org]# scp ca.crt server12:/etc/docker/certs.d/reg.westos.org/
On server12 and server13, add a local hosts entry mapping 172.25.11.11 to reg.westos.org.
server12 and server13 must of course also have the ca.crt certificate.
Without ca.crt the pull fails:
[root@sever12 ~]# docker pull reg.westos.org/game2048
Using default tag: latest
Error response from daemon: Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
With the certificate in place:
Once server12 has ca.crt, it can pull the image.
[root@sever12 ~]# docker pull reg.westos.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/game2048:latest
reg.westos.org/game2048:latest
/etc/docker/daemon.json on server12 and server13 also needs to be edited (same registry-mirrors setting as above).

4. Authentication:

[root@server11 ~]# mkdir auth
[root@server11 ~]# htpasswd -B -c auth/htpasswd lyx
New password: 
Re-type new password: 
Adding password for user lyx
[root@server11 ~]# htpasswd -B  auth/htpasswd admin
New password: 
Re-type new password: 
Adding password for user admin
[root@server11 ~]# cat auth/htpasswd 
lyx:$2y$05$1QvhWmMBGvr.POYBcMlaauT9Njqz5OHBqMwslaKFcdP8Twb69KIAq
admin:$2y$05$3lf6EbjN7LzIL3qEFFoaA.mqyLMc8n4I1vBPA/74n0satyIPCnaJy
[root@server11 ~]# docker rm -f registry 
registry
[root@server11 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
084b53998b3df547b4211a792c8b039fadfb89f0f410bea97804f72f7d0d008f

With TLS alone, anyone holding ca.crt can push or pull. Once authentication is added, pushing is refused until the client logs in.

[root@server11 ~]# docker login reg.westos.org
Username: lyx
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@server11 ~]# cat /root/.docker/config.json
{
	"auths": {
		"reg.westos.org": {
			"auth": "bHl4Ondlc3Rvcw=="
		}
	}
}
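The warning printed by docker login is not cosmetic: the "auth" value written to config.json above is nothing more than base64 of "user:password". The following added example (not code from the original post) audits a client config.json and reports which registries have credentials stored inline, printing only the username half; it also checks whether a credential store or helper is configured instead. File paths are parameters, and the sample configs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Docker client
# config.json for credentials stored inline. The "auth" value docker login
# writes is only base64 of "user:password", which is what the warning
# in the post refers to. File paths are parameters; sample files are constructed.
set -eu

# list_inline_creds CONFIG
#   Prints "registry username" for every registry whose credentials are kept
#   inline in CONFIG. Only the username half is printed; the remainder of the
#   decoded string is the password in clear, which is why inline storage is
#   a risk on any shared or backed-up host.
list_inline_creds() {
  tr -d ' \t\r\n' < "$1" \
    | grep -o '"[^"]*":{"auth":"[^"]*"}' \
    | while IFS= read -r pair; do
        reg=$(printf '%s' "$pair" | sed 's/^"\([^"]*\)":.*/\1/')
        b64=$(printf '%s' "$pair" | sed 's/.*"auth":"\([^"]*\)".*/\1/')
        user=$(printf '%s' "$b64" | base64 -d | cut -d: -f1)
        printf '%s %s\n' "$reg" "$user"
      done
}

# uses_cred_helper CONFIG: succeeds when CONFIG delegates secrets to a
# credential store (credsStore) or per-registry helper (credHelpers)
# instead of keeping them inline.
uses_cred_helper() {
  grep -Eq '"(credsStore|credHelpers)"' "$1"
}

# Usage: audit the current user's client config
#   list_inline_creds ~/.docker/config.json
#   uses_cred_helper ~/.docker/config.json && echo "credential helper configured"
```

Run against the config.json shown above, list_inline_creds reports "reg.westos.org lyx". A host where uses_cred_helper succeeds and list_inline_creds prints nothing is the state the warning asks for: the registry password then lives in the OS keyring or helper rather than in a world-readable-by-root JSON file.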
[root@server11 ~]# docker tag busybox:latest reg.westos.org/busybox:latest
[root@server11 ~]# docker images 
REPOSITORY                TAG       IMAGE ID       CREATED        SIZE
demo                      v1        08d1b013dbd9   21 hours ago   1.15MB
registry                  latest    678dfa38fcfa   5 weeks ago    26.2MB
nginx                     latest    4bb46517cac3   5 months ago   133MB
busybox                   latest    59788edf1f3e   2 years ago    1.15MB
reg.westos.org/busybox    latest    59788edf1f3e   2 years ago    1.15MB
game2048                  latest    19299002fdbe   4 years ago    55.5MB
reg.westos.org/game2048   latest    19299002fdbe   4 years ago    55.5MB
mario                     latest    9a35a9e43e8c   5 years ago    198MB
[root@server11 ~]# docker push reg.westos.org/busybox:latest 
The push refers to repository [reg.westos.org/busybox]
8a788232037e: Layer already exists 
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527

The push succeeded.

On server12:

[root@sever12 ~]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED       SIZE
172.25.11.11:5000/busybox   latest    59788edf1f3e   2 years ago   1.15MB
reg.westos.org/game2048     latest    19299002fdbe   4 years ago   55.5MB
[root@sever12 ~]# docker push reg.westos.org/game2048
Using default tag: latest
The push refers to repository [reg.westos.org/game2048]
88fca8ae768a: Preparing 
6d7504772167: Preparing 
192e9fad2abc: Preparing 
36e9226e74f8: Preparing 
011b303988d2: Preparing 
no basic auth credentials
[root@sever12 ~]# docker pull reg.westos.org/busybox
Using default tag: latest
Error response from daemon: Head https://reg.westos.org/v2/busybox/manifests/latest: no basic auth credentials

Authentication is required here as well; this time we enter the registry as a different user.

[root@sever12 ~]# docker login reg.westos.org
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@sever12 ~]# docker pull reg.westos.org/busybox
Using default tag: latest
latest: Pulling from busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for reg.westos.org/busybox:latest
reg.westos.org/busybox:latest

Harbor registry:

On the Harbor host:
Download and install harbor-offline-installer-v1.10.1.tgz and docker-compose-Linux-x86_64-1.27.0.
[root@server11 ~]# cp -r certs/ /certs
[root@server11 harbor]# vim harbor.yml
Set the hostname and the certificate/key paths under /certs in harbor.yml.
Install and set up the docker-compose command:
[root@server11 harbor]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server11 harbor]# cd /usr/local/bin/
[root@server11 bin]# ls
docker-compose
[root@server11 bin]# chmod +x docker-compose
Start the installation.

Web UI

Open 172.25.11.11 in a browser.

Difference between a maintainer user and a guest user:

Maintainer user:

[root@server11 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server11 harbor]# docker login reg.westos.org
Username: lyx
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server11 harbor]# docker tag  reg.westos.org/busybox:latest reg.westos.org/westos/busybox:latest
[root@server11 harbor]# docker push reg.westos.org/westos/busybox:latest
The push refers to repository [reg.westos.org/westos/busybox]
8a788232037e: Pushed 
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
[root@server11 harbor]# docker pull goharbor/harbor-migrator:v1.10.1 
v1.10.1: Pulling from goharbor/harbor-migrator
Digest: sha256:96a52c12490986816f3884ecdfd1786a186e0d72b37652818dee0b56d67f9cba
Status: Image is up to date for goharbor/harbor-migrator:v1.10.1
docker.io/goharbor/harbor-migrator:v1.10.1

Guest user:

[root@sever12 ~]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@sever12 ~]# docker login reg.westos.org
Username: demo
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@sever12 ~]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED       SIZE
reg.westos.org/busybox      latest    59788edf1f3e   2 years ago   1.15MB
172.25.11.11:5000/busybox   latest    59788edf1f3e   2 years ago   1.15MB
reg.westos.org/game2048     latest    19299002fdbe   4 years ago   55.5MB
[root@sever12 ~]# docker tag reg.westos.org/busybox reg.westos.org/westos/busybox
[root@sever12 ~]# docker push reg.westos.org/westos/busybox
Using default tag: latest
The push refers to repository [reg.westos.org/westos/busybox]
8a788232037e: Layer already exists 
errors:
denied: requested access to the resource is denied
unauthorized: authentication required

A guest cannot push, only pull.

[root@sever12 ~]# docker pull reg.westos.org/westos/busybox:latest 
latest: Pulling from westos/busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Image is up to date for reg.westos.org/westos/busybox:latest
reg.westos.org/westos/busybox:latest
[root@sever12 ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
reg.westos.org/westos/busybox   latest    59788edf1f3e   2 years ago   1.15MB
172.25.11.11:5000/busybox       latest    59788edf1f3e   2 years ago   1.15MB
reg.westos.org/busybox          latest    59788edf1f3e   2 years ago   1.15MB
reg.westos.org/game2048         latest    19299002fdbe   4 years ago   55.5MB

Harbor with signed (content-trusted) images

[root@server11 harbor]# ls
common     docker-compose.yml     harbor.yml  LICENSE
common.sh  harbor.v1.10.1.tar.gz  install.sh  prepare
[root@server11 harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx             ... done
[root@server11 harbor]# ./prepare 
[root@server11 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[Step 0]: checking if docker is installed ...

Deploy the root certificate to both locations:
/etc/docker/certs.d/reg.westos.org/ca.crt
~/.docker/tls/reg.westos.org:4443/ca.crt

[root@server11 .docker]# docker tag game2048:latest reg.westos.org/westos/game2048:latest
[root@server11 ~]# cd ~/.docker/
[root@server11 .docker]# ls
config.json
[root@server11 .docker]# mkdir tls/reg.westos.org:4443 -p
[root@server11 .docker]# cd tls/
[root@server11 tls]# ls
reg.westos.org:4443
[root@server11 tls]# cd reg.westos.org\:4443/
[root@server11 reg.westos.org:4443]# cp /certs/westos.org.crt ca.crt

Enable Docker Content Trust:

[root@server11 .docker]# export DOCKER_CONTENT_TRUST=1
[root@server11 .docker]#  export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443

Push an image:
You will be prompted for passphrases.
The first is for the root key, the second for the repository key.

[root@server11 reg.westos.org:4443]# docker push reg.westos.org/westos/game2048:latest 
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Mounted from library/game2048 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. 
Enter passphrase for new root key with ID 79f161e: 
Repeat passphrase for new root key with ID 79f161e: 
Enter passphrase for new repository key with ID 05c2f20: 
Repeat passphrase for new repository key with ID 05c2f20: 
Finished initializing "reg.westos.org/westos/game2048"
Successfully signed reg.westos.org/westos/game2048:latest

root key passphrase: westoslyx; repository key passphrase: lyxwestos

If only the tag changes, the push asks for the repository key passphrase only.

[root@server11 reg.westos.org:4443]# docker tag reg.westos.org/westos/game2048:latest reg.westos.org/westos/game2048:v1
[root@server11 reg.westos.org:4443]# docker push reg.westos.org/westos/game2048:v1
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Layer already exists 
v1: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
Enter passphrase for repository key with ID 05c2f20: 
Successfully signed reg.westos.org/westos/game2048:v1

Remove a signature: docker trust revoke reg.westos.org/library/nginx:latest
With automatic image scanning enabled, the scan completes on upload and reports no vulnerabilities.
Content trust can also be switched back to 0 and the installer re-run without the Notary option:
export DOCKER_CONTENT_TRUST=0
docker-compose down
./prepare
./install.sh --with-chartmuseum

Docker registry subcommands

docker search: search for images
docker pull: pull an image
docker push: push an image
docker login: log in to a registry
docker logout: log out of a registry