I. Introduction to Docker repositories:
- A repository is the place where images are stored.
- The concept of a registry server (Registry) is easily confused with a repository. In fact, the registry is the server that manages repositories: one server can host multiple repositories, and each repository can hold multiple images.
II. Docker Hub:
Docker Hub is the public registry currently maintained by Docker itself; most needs can be met simply by pulling images from Docker Hub.
III. Registry server:
Push an image to a private registry
[root@server1 docker]# docker search registry
[root@server1 docker]# docker pull registry
[root@server1 docker]# docker images
[root@server1 docker]# docker history registry:latest
[root@server1 docker]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry
0331f36cef7e260a1abc9db008fd3c6c7a849d948c7bd6228c0efb538e813304
[root@server1 docker]# docker tag webserver:v1 localhost:5000/webserver:latest
[root@server1 docker]# docker push localhost:5000/webserver
Using default tag: latest
The push refers to repository [localhost:5000/webserver]
d6f414d92a2a: Pushed
1d3b68b6972f: Pushed
de1602ca36c9: Pushed
latest: digest: sha256:3f9b3200bb2cd66b0b7ddf9512a959af14927b77b7a7f0e5e7d6cd429d03699e size: 949
Pull images from the private registry from a remote host
Configuration on the remote host:
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json
[root@server2 docker]# cat daemon.json
{
"insecure-registries" : ["172.25.4.1:5000"]
}
[root@server2 docker]# systemctl reload docker.service
[root@server2 docker]# docker pull 172.25.4.1:5000/webserver
Private registry encryption (TLS):
[root@server1 ~]# mkdir -p certs
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server1 ~]# docker stop registry
registry
[root@server1 ~]# docker rm registry
registry
[root@server1 ~]# vim /etc/hosts
172.25.4.1 server1 reg.westos.org
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server1 ~]# curl -k https://172.25.4.1/v2/_catalog
{"repositories":["webserver"]}
[root@server1 ~]# docker tag game2048:latest reg.westos.org/game2048:latest
[root@server1 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# docker push reg.westos.org/game2048:latest
To pull from the remote host, add the name resolution entry and copy the certificate to the required path on the remote host:
[root@server2 docker]# rm -rf daemon.json
[root@server2 docker]# systemctl reload docker.service
[root@server2 docker]# vim /etc/hosts
[root@server2 docker]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server2 docker]# cd certs.d/reg.westos.org/
[root@server2 reg.westos.org]# scp server1:/etc/docker/certs.d/reg.westos.org/ca.crt .
[root@server2 reg.westos.org]# ls
ca.crt
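As an added example (not part of the original post), the following dependency-free shell audit ties the two remote configurations above together: it flags any registry still listed under "insecure-registries" in daemon.json (the plain-HTTP setting from the first configuration) and checks that every registry directory under certs.d carries the ca.crt that the TLS setup relies on. The daemon.json and certs.d paths are passed as arguments so the audit can be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Docker host for
# registries still allowed over plain HTTP ("insecure-registries" in
# daemon.json) and check that every registry under certs.d has the
# ca.crt that the TLS setup depends on. Both paths are parameters so
# the audit can be run against a constructed directory tree.

# Print each entry of the "insecure-registries" array, one per line.
# Dependency-free (no jq): the file is flattened, then the array body
# is extracted with sed.
list_insecure_registries() {
    daemon_json="$1"
    [ -f "$daemon_json" ] || return 0
    tr -d '\n\t ' < "$daemon_json" \
      | sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' \
      | tr ',' '\n' | tr -d '"'
}

# For each <registry> directory under certs.d print "<registry> ok"
# when ca.crt is present, otherwise "<registry> missing-ca".
check_certs_d() {
    certs_d="$1"
    [ -d "$certs_d" ] || return 0
    for d in "$certs_d"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if [ -f "$d/ca.crt" ]; then
            echo "$name ok"
        else
            echo "$name missing-ca"
        fi
    done
}

# Full audit: prints findings and returns 1 if any registry is still
# configured as insecure (plain HTTP), 0 otherwise.
audit_docker_registries() {
    daemon_json="$1"; certs_d="$2"; rc=0
    for r in $(list_insecure_registries "$daemon_json"); do
        echo "INSECURE (plain HTTP allowed): $r"
        rc=1
    done
    check_certs_d "$certs_d"
    return $rc
}
```

On a real host run it as `audit_docker_registries /etc/docker/daemon.json /etc/docker/certs.d`; a non-zero exit means the insecure-registries entry from the first remote configuration was never removed after switching to TLS.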
Private registry authentication
[root@server1 ~]# yum install -y httpd-tools
[root@server1 ~]# mkdir auth
[root@server1 ~]# htpasswd -B -c auth/htpasswd sk
New password:
Re-type new password:
Adding password for user sk
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
[root@server1 ~]# docker tag mario:latest reg.westos.org/mario:latest
[root@server1 ~]# docker login reg.westos.org
[root@server1 ~]# docker push reg.westos.org/mario:latest
To pull from the remote host, add the name resolution entry and log in as the user:
[root@server2 docker]# docker login reg.westos.org
[root@server2 docker]# docker pull reg.westos.org/mario
IV. Harbor registry
- Harbor is an open-source container image registry project designed for enterprise users. It includes the features enterprises require, such as role-based access control (RBAC), LDAP, auditing, security vulnerability scanning, image signature verification, a management UI, self-registration and HA, and adds image replication and Chinese-language support for users in China.
1. Install and deploy Harbor
[root@server1 ~]# ls
auth docker mario.tar
base-debian10.tar docker-compose-Linux-x86_64-1.27.0 nginx.tar
busybox.tar game2048.tar
certs harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
[root@server1 harbor]# vim harbor.yml
[root@server1 harbor]# cd
[root@server1 ~]# cp -r certs/ /
[root@server1 ~]# cd /certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
[root@server1 harbor]# ./install.sh
[root@server1 harbor]# docker-compose ps
The user is admin; the password is the one set in the Harbor configuration file (harbor.yml):
The web management UI opens successfully:
2. Push images and create users:
Push an image
Here the image is pushed to the public project library:
[root@server1 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server1 harbor]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server1 harbor]# docker tag mario:latest reg.westos.org/library/mario:latest
[root@server1 harbor]# docker push reg.westos.org/library/mario:latest
To push into a private project, only the path used when tagging the image needs to change:
Create users
Different permission roles can be assigned:
After switching to that user and logging in, a guest has read permission only:
3. Image signing:
[root@server1 harbor]# docker-compose down  # removes the containers; stop only stops them without removing, so they can be started again
[root@server1 harbor]# ./prepare  # clean up
[root@server1 harbor]# ./install.sh --help
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@server1 harbor]# docker-compose ps
More bundled images are now present:
Deploy the root certificate:
[root@server1 ~]# mkdir ~/.docker/tls/reg.westos.org:4443 -p
[root@server1 ~]# cd ~/.docker/tls/reg.westos.org:4443
[root@server1 reg.westos.org:4443]# cp /etc/docker/certs.d/reg.westos.org/ca.crt ca.crt
[root@server1 reg.westos.org:4443]# ls
ca.crt
Enable Docker Content Trust:
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
Push an image:
Enable content trust and automatic image scanning; remember to save:
Once content trust is enabled, unsigned images cannot be pulled:
[root@server1 harbor]# docker tag game2048:latest reg.westos.org/library/game2048:latest
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest
The passphrases prompted for in the figure below must meet strength requirements:
Note: when pushing to the same repository again with only a different tag, only the repository key passphrase needs to be entered:
[root@server1 harbor]# docker tag busybox:latest reg.westos.org/library/game2048:v1
[root@server1 harbor]# docker push reg.westos.org/library/game2048:v1
Remove signatures
Remove the signature of a single image:
[root@server1 harbor]# docker trust revoke reg.westos.org/library/nginx:latest
Disable signing (without enabling the --with-clair scanning module, which consumes a great deal of memory):
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=0
[root@server1 harbor]# docker-compose down
[root@server1 harbor]# ./prepare
[root@server1 harbor]# ./install.sh --help
[root@server1 harbor]# ./install.sh --with-chartmuseum