Docker 仓库、harbor仓库
1. docker搭建私有仓库
下载registry镜像
[root@server3 ~]# docker search registry
[root@server3 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
ddad3d7c1e96: Pull complete
6eda6749503f: Pull complete
363ab70c2143: Pull complete
5b94580856e6: Pull complete
12008541203a: Pull complete
[root@server3 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4cdc5dd7eaad 2 weeks ago 133MB
registry latest 1fd8e1b0bb7e 3 months ago 26.2MB
[root@server3 ~]# mkdir docker
[root@server3 ~]# ls
[root@server3 ~]# docker images registry
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 1fd8e1b0bb7e 3 months ago 26.2MB
[root@server3 ~]# docker history registry:latest
运行registry容器
[root@server3 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry
[root@server3 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b8c186ef8ee2 registry "/entrypoint.sh /etc…" 10 seconds ago Up 9 seconds 0.0.0.0:5000->5000/tcp registry
[root@server3 ~]# netstat -antlp
[root@server3 ~]# ll -d /opt/registry/
drwxr-xr-x 2 root root 6 Jul 21 09:43 /opt/registry/
上传镜像到本地仓库：给本地镜像打标签时，镜像名必须以仓库的 IP（或主机名）和端口作为前缀，例如 localhost:5000/nginx，否则 push 会发往默认的 Docker Hub。
[root@server3 ~]# docker tag registry:latest localhost:5000/registry:latest
[root@server3 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4cdc5dd7eaad 2 weeks ago 133MB
localhost:5000/nginx latest 4cdc5dd7eaad 2 weeks ago 133MB
[root@server3 ~]# docker push localhost:5000/nginx
[root@server3 ~]# tree /opt/registry/
[root@server3 ~]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}
Docker 仓库的加密与认证
远程拉取仓库
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# vim daemon.json
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker pull 172.25.16.1:5000/nginx
[root@server2 docker]# docker images
[root@server2 docker]# docker tag 172.25.16.3:5000/nginx nginx
[root@server2 docker]# docker images
[root@server2 docker]# docker run -d nginx
签名加密（TLS）：用自签名证书为仓库启用 HTTPS。证书的 CN 需与仓库主机名 reg.westos.org 一致，且客户端必须把该证书放到 /etc/docker/certs.d/reg.westos.org/ 下，docker 才能通过证书校验。
[root@server3 ~]# mkdir -p certs
[root@server3 ~]# docker stop registry
registry
[root@server3 ~]# docker rm registry
registry
[root@server3 ~]# ll /opt/registry/
total 0
drwxr-xr-x 3 root root 22 Jul 21 09:47 docker
[root@server3 ~]# docker rmi localhost:5000/nginx:latest
[root@server3 ~]# cd certs/
[root@server3 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server3 ~]# vim /etc/hosts
172.25.16.3 server3 reg.westos.org
[root@server3 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server3 ~]# docker tag game2048:latest reg.westos.org/game2048:latest
[root@server3 ~]# docker push reg.westos.org/game2048:latest
[root@server3 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server3 ~]# ls certs/
westos.org.crt westos.org.key
[root@server3 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server3 ~]# ll /etc/docker/certs.d/reg.westos.org/ca.crt
-rw-r--r-- 1 root root 2106 Jul 21 10:00 /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server3 ~]# docker push reg.westos.org/game2048:latest
The push refers to repository [reg.westos.org/game2048]
[root@server3 ~]# cd /etc/docker/certs.d/reg.westos.org/
[root@server3 reg.westos.org]# scp ca.crt server2:/etc/docker/certs.d/reg.westos.org/
[root@server2 docker]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server2 docker]# vim /etc/hosts
[root@server2 docker]# cd /etc/docker/certs.d/reg.westos.org/
[root@server2 reg.westos.org]# docker pull reg.westos.org/game2048
认证：用 htpasswd 生成用户口令文件，为仓库增加登录校验，未登录的客户端不能再推送或拉取镜像
[root@server3 ~]# curl -k https://172.25.16.3/v2/_catalog
{"repositories":["game2048","nginx"]}
[root@server3 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 Jul 21 09:47 /opt/registry/
[root@server3 ~]# docker rm -f registry
registry
[root@server3 ~]# mkdir auth
[root@server3 ~]# yum provides */htpasswd
[root@server3 ~]# yum install -y httpd-tools
[root@server3 ~]# htpasswd -c -B auth/htpasswd linux
New password:
Re-type new password:
Adding password for user linux
[root@server3 ~]# htpasswd -B auth/htpasswd admin
New password:
Re-type new password:
Adding password for user admin
[root@server3 ~]# cat auth/htpasswd
linux:$2y$05$dAwWXeILalAHoTHD0gG7Ue.7aASrHqAkDmUK3BaqWhut1PRZPBNGm
admin:$2y$05$UrwnDmpSTlt4/0KDJiXc8OUXaVQR3BdDcCztFNydrfE64gf3btfWq
[root@server3 ~]# ls certs/
westos.org.crt westos.org.key
[root@server3 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2005233a70f0 registry "/entrypoint.sh /etc…" 18 seconds ago Up 17 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@server3 ~]# docker tag nginx:latest reg.westos.org/nginx:latest
[root@server3 ~]# docker pull reg.westos.org/nginx
[root@server3 ~]# docker login reg.westos.org
[root@server3 ~]# cat /root/.docker/config.json
[root@server3 ~]# docker push reg.westos.org/nginx:latest ##server3上传
[root@server2 reg.westos.org]# docker login reg.westos.org
[root@server2 reg.westos.org]# docker pull reg.westos.org/nginx
## server2拉取
2. harbor仓库
建立公共仓库（harbor.yml 中的 harbor_admin_password 是初始管理员口令，明文保存在配置文件里，应设置为强口令并在首次登录后修改）
[root@server3 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server3 ~]# chmod +x /usr/local/bin/docker-compose
[root@server3 harbor]# docker rm -f registry
[root@server3 ~]# mkdir /data
mkdir: cannot create directory ‘/data’: File exists
[root@server3 ~]# cp -r certs/ /
[root@server3 ~]# cd certs/
[root@server3 certs]# ls
westos.org.crt westos.org.key
[root@server3 ~]# cd harbor/
[root@server3 harbor]# vim harbor.yml
hostname: reg.westos.org
certificate: /certs/westos.org.crt
private_key: /certs/westos.org.key
harbor_admin_password: westos
[root@server3 harbor]# cd /data/
[root@server3 data]# ls
secret
[root@server3 data]# cd
[root@server3 ~]# mv certs/ /data/
[root@server3 ~]# cd harbor/
[root@server3 harbor]# ls
common harbor.v1.10.1.tar.gz input LICENSE
common.sh harbor.yml install.sh prepare
[root@server3 harbor]# ./install.sh
[root@server3 harbor]# docker ps
[root@server3 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server3 harbor]# cat ~/.docker/config.json
{
"auths": {},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.15 (linux)"
}
[root@server3 harbor]# docker login reg.westos.org
[root@server3 harbor]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server3 harbor]# docker push reg.westos.org/library/nginx:latest
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# ls
certs.d key.json
[root@server2 docker]# vim daemon.json
{
"registry-mirrors": ["https://reg.westos.org"]
}
[root@server2 docker]# systemctl reload docker.service
[root@server2 docker]# docker pull nginx
[root@server3 harbor]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server3 harbor]# docker push reg.westos.org/library/nginx:latest
[root@server3 harbor]# cd /data/
[root@server3 data]# ls
建立私有仓库
新建用户
[root@server3 harbor]# docker logout reg.westos.org
[root@server3 harbor]# docker login reg.westos.org
Username: linux #维护人员
Password:
[root@server2 docker]# docker tag mario:latest reg.westos.org/westos/mario:latest
[root@server2 docker]# docker push reg.westos.org/mario:latest
![在这里插入图片描述](https://img-blog.csdnimg.cn/img_convert/0f50d7cf24821222ba7403a219de312c.png#pic_center)
![在这里插入图片描述](https://img-blog.csdnimg.cn/img_convert/f955435b9b8d1e8b0cce36d5a9a29f56.png#pic_center)
[root@server2 docker]# docker logout reg.westos.org
[root@server2 docker]# docker login reg.westos.org
Username: demo
Password:
[root@server2 docker]# docker images
[root@server2 docker]# docker rmi 9a35a9e43e8c --force
强制删除
[root@server2 docker]# docker pull mario
添加内容信任和扫描参数
清理环境
[root@server3 harbor]# docker-compose down
[root@server3 harbor]# ./prepare #清理
扫描漏洞
[root@server3 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@server3 harbor]# docker-compose ps
扫描漏洞
[root@server3 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server3 harbor]# docker login reg.westos.org
Username: admin
Password:
[root@server3 harbor]# docker push reg.westos.org/library/mario:latest
测试是否自动扫描
启用 Docker 内容信任（设置 DOCKER_CONTENT_TRUST=1 后，推送和拉取都要经过 Notary 服务器的签名校验，未签名的镜像无法拉取）
[root@server3 harbor]# docker images game2048
[root@server3 harbor]# docker tag game2048:latest reg.westos.org/library/game2048:latest
[root@server3 harbor]# docker push reg.westos.org/library/game2048:latest
[root@server3 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server3 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server3 harbor]# docker rmi reg.westos.org/westos/game2048:latest
关闭内容信任并清理缓存,重新安装
[root@server3 harbor]# export DOCKER_CONTENT_TRUST=0
[root@server3 harbor]# ls
common common.sh docker-compose.yml harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
[root@server3 harbor]# docker-compose down
./prepare