I. What is a registry?
A Docker repository is where images are stored. Docker provides a registry server (Registry) that hosts many repositories, and each repository can hold several images distinguished by tag.
The registry Docker uses by default is the public Docker Hub.
II. Configuring a registry mirror (image accelerator)
Pulling images from Docker Hub is slow, so configure a registry mirror. Alibaba Cloud is used as the example here (an Alibaba Cloud account must be registered beforehand):
Configure the docker daemon file:
[root@server11 docker]# cat daemon.json
{
    "registry-mirrors": ["https://afhtzwg6.mirror.aliyuncs.com"]
}
Reload and restart the docker service:
systemctl daemon-reload
systemctl restart docker
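As an added example (not from the original post), a small POSIX-shell checker for the daemon.json above. It accepts the mirror configuration shown and flags two constructed weak variants: a plain-http mirror, and a populated insecure-registries list, which turns off TLS verification (and allows plain HTTP) for those hosts. Either setting lets image content be altered between registry and daemon. Function and file names are hypothetical; the sample configs are constructed.

```shell
#!/bin/sh
# check_daemon_json.sh - flag weak registry settings in /etc/docker/daemon.json
# (added example, hypothetical helper names; sample configs are constructed)

# check_daemon_json FILE: print a WEAK line per finding, return 0 if none.
#   - every "registry-mirrors" entry must be https://, otherwise image layers
#     travel in clear text and can be altered between mirror and daemon;
#   - a non-empty "insecure-registries" list disables TLS verification
#     (and permits plain HTTP) for those hosts and should not be present.
check_daemon_json() {
  file="$1"
  rc=0
  # collapse the JSON onto one line so grep can scan the arrays
  flat=$(tr -d '\n\t ' < "$file")
  # quoted strings inside the registry-mirrors array, minus the key itself
  mirrors=$(printf '%s' "$flat" | grep -o '"registry-mirrors":\[[^]]*]' \
            | grep -o '"[^"]*"' | sed '1d' | tr -d '"')
  for m in $mirrors; do
    case "$m" in
      https://*) ;;
      *) echo "WEAK: mirror $m is not https"; rc=1 ;;
    esac
  done
  if printf '%s' "$flat" | grep -q '"insecure-registries":\["'; then
    echo "WEAK: insecure-registries is set (TLS verification disabled)"
    rc=1
  fi
  return $rc
}

# write_samples DIR: the mirror config from the post plus a constructed weak one.
write_samples() {
  cat > "$1/good.json" <<'EOF'
{
  "registry-mirrors": ["https://afhtzwg6.mirror.aliyuncs.com"]
}
EOF
  # constructed: http mirror and a registry exempted from TLS checks
  cat > "$1/weak.json" <<'EOF'
{
  "registry-mirrors": ["http://mirror.example.internal"],
  "insecure-registries": ["172.25.11.11:5000"]
}
EOF
}

# demo: run both samples from a temporary directory
demo() {
  d=$(mktemp -d)
  write_samples "$d"
  for f in good weak; do
    if check_daemon_json "$d/$f.json"; then echo "$f.json: OK"; else echo "$f.json: FAIL"; fi
  done
  rm -r "$d"
}
```

Source the file and call `demo` to see both samples, or call `check_daemon_json /etc/docker/daemon.json` against the live file on each node after editing it.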
III. Setting up a private registry
TLS encryption and authentication for Docker push and pull:
1. Create the certs directory: mkdir certs/
2. Generate the key and the CA certificate:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Add a local hosts entry so that reg.westos.org resolves to the IP 172.25.11.11.
[root@server11 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
c2840d2054665e1786a7af93b2f243e1f8d65f86a0a8608d2b128e74d117e016
3. Encryption (TLS):
[root@server11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v1 08d1b013dbd9 20 hours ago 1.15MB
registry latest 678dfa38fcfa 5 weeks ago 26.2MB
nginx latest 4bb46517cac3 5 months ago 133MB
busybox latest 59788edf1f3e 2 years ago 1.15MB
game2048 latest 19299002fdbe 4 years ago 55.5MB
reg.westos.org/game2048 latest 19299002fdbe 4 years ago 55.5MB
mario latest 9a35a9e43e8c 5 years ago 198MB
Create this directory on every node:
[root@server11 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server11 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
Once this directory exists, Docker picks the CA certificate up automatically.
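Steps 1 to 3 above, as an added POSIX-shell example that is not from the original post. It generates the registry key and certificate non-interactively, adds a subjectAltName (the post's openssl command adds no SAN; since Go 1.15 the Docker daemon rejects a server certificate whose host name appears only in the Common Name, with "x509: certificate relies on legacy Common Name field"), verifies the certificate against the CA file, and installs it under certs.d for the registry host. Function names are hypothetical; the install root is a parameter so that a dry run writes to a temporary directory instead of /etc/docker/certs.d.

```shell
#!/bin/sh
# registry_tls.sh - self-signed TLS material for a private registry
# (added example, hypothetical helper names; not the post's own commands)

# make_registry_cert DIR HOST: write westos.org.key / westos.org.crt into DIR.
# -subj avoids the interactive prompts; -addext adds the subjectAltName that
# Docker (Go >= 1.15) requires, a CN-only certificate is no longer accepted.
make_registry_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/westos.org.key" -out "$dir/westos.org.crt" 2>/dev/null
  chmod 600 "$dir/westos.org.key"   # only the registry process needs the key
}

# cert_has_san CERT HOST: succeed if the certificate lists DNS:HOST as a SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# verify_against_ca CERT CA: succeed if CERT validates against CA. For a
# self-signed certificate CA is the certificate itself, which is exactly the
# file each client trusts once it is dropped into certs.d.
verify_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# install_registry_ca CERT HOST [ROOT]: the mkdir + cp step from the post,
# repeated on every client node; ROOT defaults to /etc/docker/certs.d.
# Prints the path of the installed ca.crt.
install_registry_ca() {
  root="${3:-/etc/docker/certs.d}"
  mkdir -p "$root/$2"
  cp "$1" "$root/$2/ca.crt"
  echo "$root/$2/ca.crt"
}

# demo: generate, check and install into a temporary certs.d
demo() {
  host=reg.westos.org
  d=$(mktemp -d)
  make_registry_cert "$d/certs" "$host"
  cert_has_san "$d/certs/westos.org.crt" "$host" && echo "SAN ok"
  verify_against_ca "$d/certs/westos.org.crt" "$d/certs/westos.org.crt" && echo "chain ok"
  install_registry_ca "$d/certs/westos.org.crt" "$host" "$d/certs.d"
}
```

On a real node, call `install_registry_ca certs/westos.org.crt reg.westos.org` without the third argument so the file lands in /etc/docker/certs.d/reg.westos.org/ca.crt, which is the path the daemon consults for that host.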
[root@server11 ~]# docker push reg.westos.org/game2048:latest
The push refers to repository [reg.westos.org/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
[root@server11 reg.westos.org]# scp ca.crt server12:/etc/docker/certs.d/reg.westos.org/
On server12 and server13, add the local hosts entry mapping 172.25.11.11 to reg.westos.org.
Server12 and server13 also need the ca.crt certificate.
Without ca.crt the pull fails:
[root@sever12 ~]# docker pull reg.westos.org/game2048
Using default tag: latest
Error response from daemon: Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
With the certificate in place:
Once server12 has ca.crt it can pull the image.
[root@sever12 ~]# docker pull reg.westos.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/game2048:latest
reg.westos.org/game2048:latest
/etc/docker/daemon.json on server12 and server13 must be edited as well.
4. Authentication:
[root@server11 ~]# mkdir auth
[root@server11 ~]# htpasswd -B -c auth/htpasswd lyx
New password:
Re-type new password:
Adding password for user lyx
[root@server11 ~]# htpasswd -B auth/htpasswd admin
New password:
Re-type new password:
Adding password for user admin
[root@server11 ~]# cat auth/htpasswd
lyx:$2y$05$1QvhWmMBGvr.POYBcMlaauT9Njqz5OHBqMwslaKFcdP8Twb69KIAq
admin:$2y$05$3lf6EbjN7LzIL3qEFFoaA.mqyLMc8n4I1vBPA/74n0satyIPCnaJy
[root@server11 ~]# docker rm -f registry
registry
[root@server11 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
084b53998b3df547b4211a792c8b039fadfb89f0f410bea97804f72f7d0d008f
With TLS alone, anyone holding ca.crt can push or pull; once authentication is added, pushes are refused until the client logs in.
[root@server11 ~]# docker login reg.westos.org
Username: lyx
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server11 ~]# cat /root/.docker/config.json
{
    "auths": {
        "reg.westos.org": {
            "auth": "bHl4Ondlc3Rvcw=="
        }
    }
}
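The htpasswd step and the config.json dump above, served by one added POSIX-shell example that is not from the original post. It checks two things a registry operator wants to know: that every auth/htpasswd entry is bcrypt (the registry's htpasswd backend accepts only bcrypt, so a user with any other hash format simply cannot log in), and whether ~/.docker/config.json still holds an inline "auth" value, which is base64 of user:password rather than anything encrypted, which is what the WARNING printed by docker login refers to; the remedy is a credential helper (credsStore). Function names are hypothetical; the sample files are constructed from the entries shown above plus an apr1 placeholder entry and a helper-based config.

```shell
#!/bin/sh
# registry_auth_audit.sh - audit auth/htpasswd and ~/.docker/config.json
# (added example, hypothetical helper names; sample files are constructed)

# check_htpasswd FILE: print NOT-BCRYPT lines for entries the registry would
# ignore; return 0 only if every entry uses a bcrypt ($2y$/$2a$/$2b$) hash.
check_htpasswd() {
  rc=0
  while IFS=: read -r user hash; do
    [ -z "$user" ] && continue
    case "$hash" in
      '$2y$'*|'$2a$'*|'$2b$'*) ;;
      *) echo "NOT-BCRYPT: $user"; rc=1 ;;
    esac
  done < "$1"
  return $rc
}

# docker_auth_user CONFIG REGISTRY: the user name stored inline for REGISTRY,
# recovered from the base64 "auth" value; prints nothing if none is stored.
# Anyone who can read the file recovers the password the same way.
docker_auth_user() {
  flat=$(tr -d '\n\t ' < "$1")
  b64=$(printf '%s' "$flat" | grep -o "\"$2\":{\"auth\":\"[^\"]*\"" \
        | sed 's/.*"auth":"//; s/"$//')
  if [ -n "$b64" ]; then
    printf '%s' "$b64" | base64 -d | cut -d: -f1
  fi
}

# config_uses_helper CONFIG: succeed if a credential helper is configured,
# i.e. secrets live in a keychain/store instead of in the file.
config_uses_helper() {
  grep -Eq '"(credsStore|credHelpers)"' "$1"
}

# write_samples DIR: constructed inputs for a dry run.
write_samples() {
  d="$1"
  # the two bcrypt users from the post plus a constructed apr1 (md5) entry
  cat > "$d/htpasswd" <<'EOF'
lyx:$2y$05$1QvhWmMBGvr.POYBcMlaauT9Njqz5OHBqMwslaKFcdP8Twb69KIAq
admin:$2y$05$3lf6EbjN7LzIL3qEFFoaA.mqyLMc8n4I1vBPA/74n0satyIPCnaJy
legacy:$apr1$PLACEHOLDER$notabcrypthash
EOF
  # the config.json from the post: inline auth, no helper
  cat > "$d/config.json" <<'EOF'
{
  "auths": {
    "reg.westos.org": {
      "auth": "bHl4Ondlc3Rvcw=="
    }
  }
}
EOF
  # constructed: same registry, secret held by the "pass" credential helper
  cat > "$d/config-helper.json" <<'EOF'
{
  "auths": { "reg.westos.org": {} },
  "credsStore": "pass"
}
EOF
}

# demo: run every check on the constructed samples
demo() {
  d=$(mktemp -d)
  write_samples "$d"
  check_htpasswd "$d/htpasswd" || echo "htpasswd: some users cannot log in"
  for c in config config-helper; do
    u=$(docker_auth_user "$d/$c.json" reg.westos.org)
    [ -n "$u" ] && echo "$c.json: inline credentials for user $u"
    config_uses_helper "$d/$c.json" && echo "$c.json: credential helper in use"
  done
  rm -r "$d"
}
```

Run `check_htpasswd auth/htpasswd` on the registry host after every edit of the file, and `docker_auth_user ~/.docker/config.json reg.westos.org` on each client to see whether a secret is still sitting in the file.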
[root@server11 ~]# docker tag busybox:latest reg.westos.org/busybox:latest
[root@server11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v1 08d1b013dbd9 21 hours ago 1.15MB
registry latest 678dfa38fcfa 5 weeks ago 26.2MB
nginx latest 4bb46517cac3 5 months ago 133MB
busybox latest 59788edf1f3e 2 years ago 1.15MB
reg.westos.org/busybox latest 59788edf1f3e 2 years ago 1.15MB
game2048 latest 19299002fdbe 4 years ago 55.5MB
reg.westos.org/game2048 latest 19299002fdbe 4 years ago 55.5MB
mario latest 9a35a9e43e8c 5 years ago 198MB
[root@server11 ~]# docker push reg.westos.org/busybox
reg.westos.org/busybox reg.westos.org/busybox:latest
[root@server11 ~]# docker push reg.westos.org/busybox:latest
The push refers to repository [reg.westos.org/busybox]
8a788232037e: Layer already exists
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
The push succeeds.
On server12:
[root@sever12 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.25.11.11:5000/busybox latest 59788edf1f3e 2 years ago 1.15MB
reg.westos.org/game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@sever12 ~]# docker push reg.westos.org/game2048
Using default tag: latest
The push refers to repository [reg.westos.org/game2048]
88fca8ae768a: Preparing
6d7504772167: Preparing
192e9fad2abc: Preparing
36e9226e74f8: Preparing
011b303988d2: Preparing
no basic auth credentials
[root@sever12 ~]# docker pull reg.westos.org/busybox
Using default tag: latest
Error response from daemon: Head https://reg.westos.org/v2/busybox/manifests/latest: no basic auth credentials
Authentication is required here too; this time we log in to the registry as a different user.
[root@sever12 ~]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@sever12 ~]# docker pull reg.westos.org/busybox
Using default tag: latest
latest: Pulling from busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for reg.westos.org/busybox:latest
reg.westos.org/busybox:latest
Harbor registry:
On the Harbor host:
Download and install harbor-offline-installer-v1.10.1.tgz and docker-compose-Linux-x86_64-1.27.0.
[root@server11 ~]# cp -r certs/ /certs
[root@server11 harbor]# vim harbor.yml
Install and set up the docker-compose command:
[root@server11 harbor]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server11 harbor]# cd /usr/local/bin/
[root@server11 bin]# ls
docker-compose
[root@server11 bin]# chmod +x docker-compose
Run the installer.
Web UI:
Open 172.25.11.11 in a browser.
The difference between a maintainer user and a guest user:
Maintainer user:
[root@server11 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server11 harbor]# docker login reg.westos.org
Username: lyx
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server11 harbor]# docker tag reg.westos.org/busybox:latest reg.westos.org/westos/busybox:latest
[root@server11 harbor]# docker push reg.westos.org/westos/busybox:latest
The push refers to repository [reg.westos.org/westos/busybox]
8a788232037e: Pushed
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
[root@server11 harbor]# docker pull goharbor/harbor-migrator:v1.10.1
v1.10.1: Pulling from goharbor/harbor-migrator
Digest: sha256:96a52c12490986816f3884ecdfd1786a186e0d72b37652818dee0b56d67f9cba
Status: Image is up to date for goharbor/harbor-migrator:v1.10.1
docker.io/goharbor/harbor-migrator:v1.10.1
Guest user:
Log in to the registry:
[root@sever12 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
reg.westos.org/busybox latest 59788edf1f3e 2 years ago 1.15MB
172.25.11.11:5000/busybox latest 59788edf1f3e 2 years ago 1.15MB
reg.westos.org/game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@sever12 ~]# docker tag reg.westos.org/busybox reg.westos.org/westos/busybox
[root@sever12 ~]# docker push reg.westos.org/westos/busybox
Using default tag: latest
The push refers to repository [reg.westos.org/westos/busybox]
8a788232037e: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
A guest cannot push, only pull:
[root@sever12 ~]# docker pull reg.westos.org/westos/busybox:latest
latest: Pulling from westos/busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Image is up to date for reg.westos.org/westos/busybox:latest
reg.westos.org/westos/busybox:latest
[root@sever12 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
reg.westos.org/westos/busybox latest 59788edf1f3e 2 years ago 1.15MB
172.25.11.11:5000/busybox latest 59788edf1f3e 2 years ago 1.15MB
reg.westos.org/busybox latest 59788edf1f3e 2 years ago 1.15MB
reg.westos.org/game2048 latest 19299002fdbe 4 years ago 55.5MB
Harbor: deploying signed images (content trust)
[root@server11 harbor]# ls
common docker-compose.yml harbor.yml LICENSE
common.sh harbor.v1.10.1.tar.gz install.sh prepare
[root@server11 harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
[root@server11 harbor]# ./prepare
[root@server11 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[Step 0]: checking if docker is installed ...
Deploy the root certificate to both of these paths:
/etc/docker/certs.d/reg.westos.org/ca.crt
~/.docker/tls/reg.westos.org:4443/ca.crt
[root@server11 .docker]# docker tag game2048:latest reg.westos.org/westos/game2048:latest
[root@server11 ~]# cd ~/.docker/
[root@server11 .docker]# ls
config.json
[root@server11 .docker]# mkdir tls/reg.westos.org:4443 -p
[root@server11 .docker]# cd tls/
[root@server11 tls]# ls
reg.westos.org:4443
[root@server11 tls]# cd reg.westos.org\:4443/
[root@server11 reg.westos.org:4443]# cp /certs/westos.org.crt ca.crt
Enable Docker Content Trust:
[root@server11 .docker]# export DOCKER_CONTENT_TRUST=1
[root@server11 .docker]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
Push the image:
You are prompted for passphrases:
the first is for the root key, the second for the repository key.
[root@server11 reg.westos.org:4443]# docker push reg.westos.org/westos/game2048:latest
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Mounted from library/game2048
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
You are about to create a new root signing key passphrase.
Enter passphrase for new root key with ID 79f161e:
Repeat passphrase for new root key with ID 79f161e:
Enter passphrase for new repository key with ID 05c2f20:
Repeat passphrase for new repository key with ID 05c2f20:
Finished initializing "reg.westos.org/westos/game2048"
Successfully signed reg.westos.org/westos/game2048:latest
root key passphrase: westoslyx; repository key passphrase: lyxwestos
If you only add a new tag, the push asks for the repository key passphrase only:
[root@server11 reg.westos.org:4443]# docker tag reg.westos.org/westos/game2048:latest reg.westos.org/westos/game2048:v1
[root@server11 reg.westos.org:4443]# docker push reg.westos.org/westos/game2048:v1
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Layer already exists
v1: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
Enter passphrase for repository key with ID 05c2f20:
Successfully signed reg.westos.org/westos/game2048:v1
Remove a signature: docker trust revoke reg.westos.org/library/nginx:latest
With automatic image scanning enabled, an uploaded image is shown as scanned with no vulnerabilities found.
You can also set it back to 0 and re-run the install script without the content-trust components:
export DOCKER_CONTENT_TRUST=0
docker-compose down
./prepare
./install.sh --with-chartmuseum
Docker registry subcommands

| Command | Purpose |
|---|---|
| docker search | search for images |
| docker pull | pull an image |
| docker push | push an image |
| docker login | log in to a registry |
| docker logout | log out of a registry |