Docker 仓库(Repository)是用来存放镜像的位置。Docker 提供一个注册服务器(Registry)来保存多个仓库,每个仓库又可以包含多个具备不同 tag 的镜像。
Docker运行中使用的默认仓库是 Docker Hub 公共仓库。
1.docker搭建私有仓库
#下载registry镜像
[root@server1 ~]# docker search registry
[root@server1 ~]# docker pull registry
[root@server1 ~]# docker images registry
[root@server1 ~]# docker ps -a
[root@server1 ~]# docker history registry:latest
#运行registry容器
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry
[root@server1 ~]# docker ps
[root@server1 ~]# netstat -antlp
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 2 root root 6 Jul 20 21:52 /opt/registry/
上传镜像到本地仓库:给本地镜像打标签时,名称必须以仓库地址(ip:端口)作为前缀,docker push 才会推送到该仓库
[root@server1 ~]# docker tag registry:latest localhost:5000/registry:latest
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 1fd8e1b0bb7e 3 months ago 26.2MB
localhost:5000/registry latest 1fd8e1b0bb7e 3 months ago 26.2MB
[root@server1 ~]# docker push localhost:5000/registry
2.docker仓库加密、认证
[root@server1 ~]# mkdir certs -p
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server1 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org/
[root@server1 ~]# cd certs/
[root@server1 ~]#docker run -d --name registry -v /opt/registry/:/var/lib/registry -p 443:443 -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server1 ~]#docker ps
[root@server1 ~]#netstat -antlp
[root@server1 ~]#docker push reg.westos.org/nginx:latest
[root@server1 ~]#curl -k https://reg.westos.org/v2/_catalog
[root@server1 ~]# mkdir auth
[root@server1 ~]# yum install -y httpd-tools
[root@server1 ~]# htpasswd -Bc auth/htpasswd admin
New password:
Re-type new password:
Adding password for user admin
[root@server1 ~]# htpasswd -B auth/htpasswd gy
New password:
Re-type new password:
Adding password for user gy
[root@server1 ~]# docker run -d --name registry -v /opt/registry/:/var/lib/registry -p 443:443 -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
06e8c894a89dd4516623fb8104a4678f9b9704a38caae3da886856879c567ec4
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
06e8c894a89d registry "/entrypoint.sh /etc…" 10 seconds ago Up 9 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@server1 ~]# cat /root/.docker/config.json
{
"auths": {
"reg.westos.org": {
"auth": "YWRtaW46d2VzdG9z"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.15 (linux)"
}
}
[root@server1 ~]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server1 ~]# cat /root/.docker/config.json
{
"auths": {},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.15 (linux)"
}
server2 远程登录(先将 server1 上的证书目录复制到 server2 的 /etc/docker/certs.d/,docker 客户端才能信任该自签名证书)
[root@server2 ~]# yum install -y docker-ce
[root@server2 ~]# systemctl enable --now docker
[root@server1 ~]# scp -r /etc/docker/certs.d/ root@server2:/etc/docker/
[root@server2 docker]# docker login reg.westos.org
Username: gy
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server2 docker]# docker pull reg.westos.org/nginx
Using default tag: latest
latest: Pulling from nginx
b4d181a07f80: Pull complete
66b1c490df3f: Pull complete
d0f91ae9b44c: Pull complete
baf987068537: Pull complete
6bbc76cbebeb: Pull complete
32b766478bc2: Pull complete
Digest: sha256:1c70a669bbf07f9862f269162d776c35144b116938d1becb4e4676270cff8f75
Status: Downloaded newer image for reg.westos.org/nginx:latest
reg.westos.org/nginx:latest
3.harbor仓库
准备文件
harbor-offline-installer-v1.10.1.tgz
docker-compose-Linux-x86_64-1.27.0
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# cd harbor/
[root@server1 harbor]# vim harbor.yml #修改配置文件相关信息
hostname: reg.westos.org #主机名
certificate: /data/certs/westos.org.crt #证书
private_key: /data/certs/westos.org.key
harbor_admin_password: westos #admin 登录密码(明文保存在 harbor.yml 中)
[root@server1 ~]# mkdir /data
[root@server1 ~]# mv certs/ /data/
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ./install.sh
浏览器访问 172.25.14.1/harbor,用户名 admin、密码 westos(即 harbor.yml 中 harbor_admin_password 的值)
查看到默认仓库
server打标签并上传nginx至library中
[root@server1 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server1 ~]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
9d1af766c818: Pushed
d97733c0a3b6: Pushed
c553c6ba5f13: Pushed
48b4a40de359: Pushed
ace9ed9bcfaf: Pushed
764055ebc9a7: Pushed
latest: digest: sha256:1c70a669bbf07f9862f269162d776c35144b116938d1becb4e4676270cff8f75 size: 1570
server2通过library安装nginx
docker info 查看到
Registry Mirrors:
https://reg.westos.org/
Live Restore Enabled: false
网页中查看到相关日志
启动
查看容器相关信息,访问发现nginx启动成功
[root@server2 docker]# docker inspect demo
"IPAddress": "172.17.0.2",
[root@server2 docker]# curl 172.17.0.2
添加仓库westos
server1上传game2048至westos中
创建用户gy
设置权限为westos仓库的访客(只能下载不能上传)
[root@server2 docker]# docker login reg.westos.org
Username :gy
Password: #上面为用户 gy 设置的密码
Login Succeeded
#下载成功
[root@server2 docker]# docker pull reg.westos.org/westos/game2048:latest
latest: Pulling from westos/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/westos/game2048:latest
reg.westos.org/westos/game2048:latest
4.添加内容信任和扫描参数
扫描漏洞
清理环境
[root@server1 harbor]# docker-compose down
扫描漏洞
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@server1 harbor]# docker-compose ps
启用docker内容信任
[root@server1 harbor]# docker images game2048
REPOSITORY TAG IMAGE ID CREATED SIZE
game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@server1 harbor]# docker tag game2048:latest reg.westos.org/library/game2048:latest
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Mounted from westos/game2048
6d7504772167: Mounted from westos/game2048
192e9fad2abc: Mounted from westos/game2048
36e9226e74f8: Mounted from westos/game2048
011b303988d2: Mounted from westos/game2048
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server1 ~]# cd .docker/
[root@server1 .docker]# mkdir tls/reg.westos.org:4443 -p
[root@server1 .docker]# cd tls/reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# cp /data/certs/westos.org.crt ca.crt
[root@server1 ~]# docker push reg.westos.org/westos/game2048:latest
关闭内容信任并清理缓存,重新安装
[root@server1 ~]# export DOCKER_CONTENT_TRUST=0
[root@server1 ~]# cd harbor/
[root@server1 harbor]# docker-compose down
[root@server1 harbor]# ./install.sh --with-chartmuseum