Harbor


Deploying a private Harbor registry

Docker Registry

Many registry servers on the internet let third-party users sign up and then host repositories under their own user name. Using an internet-hosted registry has one drawback: pushing and pulling images is slow. In production, dozens or even hundreds of containers may be started in parallel, and quite possibly none of the servers has the image locally. Pulling images over the internet in that situation brings a number of problems: downloads are slow, a lot of bandwidth is consumed, and if bandwidth is short the download-and-start cycle can take tens of minutes, which defeats the whole point of containers being lighter and faster. For that reason we very often need to run our own private registry.

A registry stores Docker images, including each image's layer structure and metadata. You can run your own registry or use the official Docker Hub.

Types of Docker registry:

  • Sponsor Registry: a third-party registry used by customers and the Docker community
  • Mirror Registry: a third-party registry used by customers only
  • Vendor Registry: a registry provided by the vendor that publishes the Docker images
  • Private Registry: a registry provided by a private entity behind a firewall and additional security layers

In practice, if the systems you operate are hosted on a cloud platform such as Alibaba Cloud, that platform's own registry is the best choice. Production environments are often not on premises but hosted in a data center; if we deploy a registry on a host in that same data center, everything sits on the same LAN, data moves over the internal network, and transfer efficiency improves enormously.

All registries work over HTTPS by default; that is a basic Docker requirement. A self-built registry, on the other hand, will quite often run over plain HTTP, and Docker refuses to use an HTTP registry unless it is told explicitly that this particular registry is to be used over HTTP.

Harbor

Deploying a Harbor image registry
Whether you build your own registry with docker-distribution or by running the official registry image as a container, the earlier demonstrations showed how bare-bones the result is; it is less convenient than simply managing images on the official Docker Hub. Docker Hub at least offers a web UI for managing and searching images, and it can build images automatically from a Dockerfile through Webhooks and Automated Builds: instead of running docker build locally, the user pushes the whole build context to a repository on GitHub and lets Docker Hub pull those files and build the image.

But however powerful the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck and using the official registry is often out of the question; meanwhile the two self-hosting approaches above are very bare-bones and awkward to manage. Out of that gap came a project that later won the CNCF's favor: Harbor.

Harbor overview
Harbor was built by VMware as a second layer on top of Docker Registry; it adds many extra components and provides a very polished web UI.

Harbor is an open-source, trusted, cloud-native registry project for storing images, managing users and searching images.
Harbor extends the open-source Docker Distribution by adding the functions users usually need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity monitoring and replication between instances.

Harbor features

  • Multi-tenant content signing and verification
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently Chinese and English)

Docker Compose
Deploying Harbor directly on a physical machine is very hard. To simplify its use, the Harbor project ships Harbor as an application that runs in containers, and those containers in turn depend on a number of storage systems such as Redis, MySQL and PostgreSQL, so many containers have to be orchestrated to work together. Deploying and running VMware Harbor therefore relies on Docker's single-host orchestration tool.

Compose is a tool for defining and running multi-container Docker applications. With Compose you describe the application's services in a YAML file; a single command then creates and starts every service in that configuration.

Harbor deployment:

Environment:

Host                                               IP               Services
registry.example.com / CentOS 8 (Harbor registry)  192.168.101.110  docker, docker-compose, harbor
localhost.localdomain / CentOS 8                   192.168.101.120  docker
Install Docker

Installation on the registry.example.com host


# Configure the Docker package repository
[root@localhost ~]# cd /etc/yum.repos.d/

[root@localhost yum.repos.d]# curl -o docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1919  100  1919    0     0  11156      0 --:--:-- --:--:-- --:--:-- 11156

[root@localhost yum.repos.d]# ls
CentOS-Stream-AppStream.repo  CentOS-Stream-Extras.repo            CentOS-Stream-PowerTools.repo
CentOS-Stream-BaseOS.repo     CentOS-Stream-HighAvailability.repo  CentOS-Stream-RealTime.repo
CentOS-Stream-Debuginfo.repo  CentOS-Stream-Media.repo             docker-ce.repo

# Replace download.docker.com in docker-ce.repo with the mirrors.aliyun.com mirror
[root@localhost yum.repos.d]# sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo

# Install Docker
[root@localhost yum.repos.d]# dnf -y install docker-ce

# Disable firewalld and SELinux
[root@localhost yum.repos.d]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

[root@localhost yum.repos.d]# setenforce 0
[root@localhost yum.repos.d]# getenforce 
Permissive

# Enable Docker at boot and start it
[root@localhost yum.repos.d]# systemctl enable --now docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.

[root@localhost yum.repos.d]# docker images
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE


# Configure the Alibaba Cloud registry mirror (accelerator)
[root@localhost ~]# vim /etc/docker/daemon.json
{
    "registry-mirrors": ["https://wn5c7d7w.mirror.aliyuncs.com"]
}

[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker

[root@localhost ~]# docker info
.....
Registry Mirrors:
  https://wn5c7d7w.mirror.aliyuncs.com/
.....
Install docker-compose

Installation on the registry.example.com host

Official installation guide: Install Docker Compose | Docker Docs

[root@localhost yum.repos.d]# cd
[root@localhost ~]# ls /usr/local/bin/
[root@localhost ~]#
[root@localhost bin]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   664  100   664    0     0    118      0  0:00:05  0:00:05 --:--:--   160
100 12.1M  100 12.1M    0     0   509k      0  0:00:24  0:00:24 --:--:-- 1006k

[root@localhost ~]# ls /usr/local/bin/
docker-compose

[root@localhost ~]# chmod +x /usr/local/bin/docker-compose 
[root@localhost ~]# which docker-compose
/usr/local/bin/docker-compose

[root@localhost ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

[root@localhost ~]# docker --version
Docker version 20.10.12, build e91ed57
Set up Harbor

Installation on the registry.example.com host

Download: Release v2.3.5 · goharbor/harbor · GitHub

# Download the Harbor package and upload it to the host
[root@localhost ~]# ls /usr/src/
debug  harbor-offline-installer-v2.3.5.tgz  kernels

# Extract it
[root@localhost src]# ls /usr/local/
bin  etc  games  include  lib  lib64  libexec  sbin  share  src

[root@localhost src]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@localhost src]# cd /usr/local/
[root@localhost local]# ls
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src

# Change the hostname
[root@localhost local]# cd harbor
[root@localhost harbor]# hostnamectl set-hostname registry.example.com
[root@localhost harbor]# bash
[root@registry harbor]# hostname
registry.example.com

[root@registry harbor]# cp harbor.yml.tmpl harbor.yml

# Edit the configuration file
[root@registry harbor]# vim harbor.yml
# Configuration file of Harbor
  
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: registry.example.com  # set to this host's hostname

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:       # commented out
  # https port for harbor, default is 443
  #port: 443  # commented out
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path  # commented out
  #private_key: /your/private/key/path  # commented out
........
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345      # Harbor web UI login password

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123                     # database password
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100                   # maximum idle connections
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900                   # maximum open connections

# The default data volume
data_volume: /data                      # data directory

# Add the mapping to the hosts file
[root@registry harbor]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.101.110 registry.example.com


[root@registry ~]# ping registry.example.com
PING registry.example.com (192.168.101.110) 56(84) bytes of data.
64 bytes from registry.example.com (192.168.101.110): icmp_seq=1 ttl=64 time=0.073 ms
64 bytes from registry.example.com (192.168.101.110): icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from registry.example.com (192.168.101.110): icmp_seq=3 ttl=64 time=0.042 ms
64 bytes from registry.example.com (192.168.101.110): icmp_seq=4 ttl=64 time=0.042 ms
64 bytes from registry.example.com (192.168.101.110): icmp_seq=5 ttl=64 time=0.038 ms

# Run the installer
[root@registry harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.12

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.29.2

[Step 2]: loading Harbor images ...
...............
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl   ... done
Creating redis         ... done
Creating registry      ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

# Check
[root@registry harbor]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED      SIZE
goharbor/harbor-exporter        v2.3.5    1730c6f650e2   5 days ago   81.9MB
goharbor/chartmuseum-photon     v2.3.5    47004f032938   5 days ago   179MB
goharbor/redis-photon           v2.3.5    3d0cedc89a0d   5 days ago   156MB
goharbor/trivy-adapter-photon   v2.3.5    5c0212e98070   5 days ago   133MB
goharbor/notary-server-photon   v2.3.5    f20a76c65359   5 days ago   111MB
goharbor/notary-signer-photon   v2.3.5    b9fa38eef4d7   5 days ago   108MB
goharbor/harbor-registryctl     v2.3.5    7a52567a76ca   5 days ago   133MB
goharbor/registry-photon        v2.3.5    cf22d3e386b8   5 days ago   82.6MB
goharbor/nginx-photon           v2.3.5    5e3b6d9ce11a   5 days ago   45.7MB
goharbor/harbor-log             v2.3.5    a03e4bc963d6   6 days ago   160MB
goharbor/harbor-jobservice      v2.3.5    2ac32df5a2e0   6 days ago   211MB
goharbor/harbor-core            v2.3.5    23baee01156f   6 days ago   193MB
goharbor/harbor-portal          v2.3.5    bb545cdedf5a   6 days ago   58.9MB
goharbor/harbor-db              v2.3.5    9826c57a5749   6 days ago   221MB
goharbor/prepare                v2.3.5    a1ceaabe47b2   6 days ago   255MB


[root@registry harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED              STATUS                        PORTS                                   NAMES
779cf4b59089   goharbor/harbor-jobservice:v2.3.5    "/harbor/entrypoint.…"   59 seconds ago       Up 58 seconds (healthy)                                               harbor-jobservice
686123a9e789   goharbor/nginx-photon:v2.3.5         "nginx -g 'daemon of…"   59 seconds ago       Up 58 seconds (healthy)       0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
192afc12b0df   goharbor/harbor-core:v2.3.5          "/harbor/entrypoint.…"   About a minute ago   Up 59 seconds (healthy)                                               harbor-core
f22ed219514c   goharbor/harbor-db:v2.3.5            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)                                           harbor-db
68e99a0f8b1d   goharbor/registry-photon:v2.3.5      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)                                           registry
f31a1a3db38f   goharbor/harbor-portal:v2.3.5        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)                                           harbor-portal
230852b4624f   goharbor/harbor-registryctl:v2.3.5   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                                           registryctl
4b251b48fa0c   goharbor/redis-photon:v2.3.5         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)                                           redis
debb1c1a36d6   goharbor/harbor-log:v2.3.5           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp               harbor-log


[root@registry harbor]# ss -antl
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    Process    
LISTEN    0          128                127.0.0.1:1514              0.0.0.0:*                  
LISTEN    0          128                  0.0.0.0:111               0.0.0.0:*                  
LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*                  
LISTEN    0          32             192.168.122.1:53                0.0.0.0:*                  
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*                  
LISTEN    0          5                  127.0.0.1:631               0.0.0.0:*                  
LISTEN    0          128                     [::]:111                  [::]:*                  
LISTEN    0          128                     [::]:80                   [::]:*                  
LISTEN    0          128                     [::]:22                   [::]:*                  
LISTEN    0          5                      [::1]:631                  [::]:*                  
Access from a browser

[screenshots of the Harbor web UI not reproduced]

On the localhost.localdomain host, install Docker following the same steps used for the Harbor registry host above.

On the localhost.localdomain host, mark the registry as insecure, because it is served over HTTP rather than HTTPS.

[root@registry harbor]# cat /etc/docker/daemon.json   # the entry is the Harbor registry's hostname
{
    "insecure-registries": ["registry.example.com"]
}

[root@registry harbor]# systemctl daemon-reload
[root@registry harbor]# systemctl restart docker
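The walkthrough accepts three settings that are fine for a lab but not for production: the https block in harbor.yml is commented out, harbor_admin_password and database.password keep the template defaults, and the client daemon.json lists the registry under insecure-registries. The script below is an added example, not code from the original post or from the Harbor project: it audits constructed copies of both files, the walkthrough's version beside a hardened one, and prints one finding per weak setting. The certificate paths and replacement passwords in the hardened sample are placeholders, and the audit only checks the keys shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project:
# pre-install audit of harbor.yml and of the client daemon.json.
# Everything is written to a scratch directory; nothing under /etc is touched.

WORK="${TMPDIR:-/tmp}/harbor-audit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the http-only harbor.yml from the walkthrough, trimmed
# to the keys the audit looks at.
cat > "$WORK/harbor.yml" <<'EOF'
hostname: registry.example.com
http:
  port: 80
#https:
  #port: 443
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data
EOF

# Constructed sample: the same file with TLS enabled and the defaults replaced.
# Certificate paths and passwords are placeholders.
cat > "$WORK/harbor-hardened.yml" <<'EOF'
hostname: registry.example.com
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/certs/registry.example.com.crt
  private_key: /etc/harbor/certs/registry.example.com.key
harbor_admin_password: CHANGE-ME-long-random-admin-secret
database:
  password: CHANGE-ME-long-random-db-secret
data_volume: /data
EOF

# Constructed samples: the client daemon.json from the walkthrough, and one
# that keeps only the registry mirror and trusts the registry through its CA file.
cat > "$WORK/daemon.json" <<'EOF'
{
    "insecure-registries": ["registry.example.com"]
}
EOF
cat > "$WORK/daemon-hardened.json" <<'EOF'
{
    "registry-mirrors": ["https://wn5c7d7w.mirror.aliyuncs.com"]
}
EOF

# audit_harbor_yml FILE: prints one finding per line (no output means clean).
audit_harbor_yml() {
    # A live TLS configuration is an uncommented "https:" key at column 0.
    if ! grep -Eq '^https:' "$1"; then
        echo "harbor.yml: https block is commented out; Harbor will serve plaintext HTTP only"
    fi
    if grep -Eq '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$' "$1"; then
        echo "harbor.yml: harbor_admin_password is still the template default Harbor12345"
    fi
    # database.password is the indented password: line inside the database: block.
    if awk '/^database:/ {d=1; next}
            /^[^ ]/ {d=0}
            d && /^[[:space:]]+password:[[:space:]]*root123[[:space:]]*$/ {found=1}
            END {exit found ? 0 : 1}' "$1"; then
        echo "harbor.yml: database.password is still the template default root123"
    fi
}

# audit_daemon_json FILE: one line per registry the client is told to use without TLS.
audit_daemon_json() {
    tr -d '\n' < "$1" \
    | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
    | tr ',' '\n' | tr -d ' "' | grep . \
    | while IFS= read -r host; do
        echo "daemon.json: $host is allowed over plaintext HTTP; prefer a CA file at /etc/docker/certs.d/$host/ca.crt"
    done
}

echo "== walkthrough configuration =="
audit_harbor_yml "$WORK/harbor.yml"
audit_daemon_json "$WORK/daemon.json"
echo "== hardened configuration =="
audit_harbor_yml "$WORK/harbor-hardened.yml"
audit_daemon_json "$WORK/daemon-hardened.json"
```

Run it before ./install.sh; pointing audit_harbor_yml at the real /usr/local/harbor/harbor.yml and audit_daemon_json at a client's /etc/docker/daemon.json needs only the file paths changed. The certs.d mechanism mentioned in the daemon.json finding is Docker's own: a CA certificate placed at /etc/docker/certs.d/<registry-host>/ca.crt lets the client verify the registry's TLS certificate, which removes the need for insecure-registries entirely.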

Edit the hosts file on the localhost.localdomain host

# Configure the hosts file
[root@localhost ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.101.110 registry.example.com             # IP and hostname of the Harbor registry

[root@localhost ~]# ping registry.example.com
PING registry.example.com (192.168.101.110) 56(84) bytes of data.
64 bytes from registry.example.com (192.168.101.110): icmp_seq=1 ttl=64 time=1.91 ms
64 bytes from registry.example.com (192.168.101.110): icmp_seq=2 ttl=64 time=0.289 ms
64 bytes from registry.example.com (192.168.101.110): icmp_seq=3 ttl=64 time=0.256 ms

On the localhost.localdomain host, pull the official image with Docker, then push it to the Harbor registry just built.

[root@registry ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
3cb635b06aa2: Pull complete 
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest


[root@localhost docker]# docker images   # check
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
busybox      latest    ffe9d497c324   8 days ago   1.24MB

# Retag the busybox image for the Harbor registry just built
[root@localhost docker]# docker tag busybox:latest registry.example.com/library/busybox:latest

[root@localhost docker]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED      SIZE
busybox                                latest    ffe9d497c324   8 days ago   1.24MB
registry.example.com/library/busybox   latest    ffe9d497c324   8 days ago   1.24MB

# Log in
[root@localhost ~]# docker login registry.example.com
Username: admin
Password:                 # the password is the web UI login password
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# Push to the Harbor registry
[root@localhost ~]# docker push registry.example.com/library/busybox:latest
The push refers to repository [registry.example.com/library/busybox]
64cac9eaf0da: Pushed 
latest: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527
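The WARNING printed by docker login above is worth taking literally: the auth value Docker writes to ~/.docker/config.json is only base64("username:password"), so any process or user that can read the file can recover the Harbor admin password. The script below is an added example, not part of the original post: it scans a constructed config.json for inline credentials, reporting the registry and user name but never the secret, and checks whether a credential store is configured instead. The credsStore value "pass" in the second sample is an assumption; the helper actually installed on a host may differ.

```shell
#!/bin/sh
# Added example, not from the original post: show what the docker login
# warning means and check a config.json for inline credentials.
# A constructed config.json is used; the real ~/.docker/config.json is not read.

WORK="${TMPDIR:-/tmp}/docker-creds.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: config.json as written by the login shown above.
# The auth value is base64("admin:Harbor12345"), nothing more.
cat > "$WORK/config.json" <<'EOF'
{
    "auths": {
        "registry.example.com": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    }
}
EOF

# Constructed sample: config.json after configuring a credential helper
# (credsStore "pass" is an assumption; use whichever helper is installed).
# Docker then keeps an empty auths entry and hands the secret to the helper.
cat > "$WORK/config-helper.json" <<'EOF'
{
    "auths": {
        "registry.example.com": {}
    },
    "credsStore": "pass"
}
EOF

# list_inline_credentials FILE: prints "<registry> <username>" for every auths
# entry that carries an inline auth value. The value is decoded only to split
# off the user name; the password is never printed.
list_inline_credentials() {
    tr -d '\n ' < "$1" \
    | grep -o '"[^"]*":{"auth":"[^"]*"' \
    | while IFS= read -r pair; do
        reg=$(printf '%s' "$pair" | sed 's/^"\([^"]*\)".*/\1/')
        b64=$(printf '%s' "$pair" | sed 's/.*"auth":"\([^"]*\)".*/\1/')
        user=$(printf '%s' "$b64" | base64 -d | cut -d: -f1)
        echo "$reg $user"
    done
}

# uses_credential_store FILE: succeeds when secrets are delegated to a helper.
uses_credential_store() {
    grep -Eq '"(credsStore|credHelpers)"[[:space:]]*:' "$1"
}

# report FILE: human-readable summary for one config.json.
report() {
    echo "== $1 =="
    if uses_credential_store "$1"; then
        echo "credential store configured"
    else
        echo "no credential store: secrets live in the file itself"
    fi
    list_inline_credentials "$1" | while IFS= read -r line; do
        echo "inline credential for ${line% *} (user ${line#* })"
    done
}

report "$WORK/config.json"
report "$WORK/config-helper.json"
```

On a real host, point the functions at ~/.docker/config.json for each account that has run docker login; the fix is the one the warning itself names, a credential helper configured through credsStore, after which docker logout and a fresh docker login move the secret out of the file.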

Check in the web UI

[screenshot of the Harbor web UI not reproduced]

Test: delete the local image on the localhost.localdomain host and pull it back from the Harbor registry

# Check before deleting
[root@localhost ~]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED      SIZE
busybox                                latest    ffe9d497c324   8 days ago   1.24MB
registry.example.com/library/busybox   latest    ffe9d497c324   8 days ago   1.24MB

# Delete the image registry.example.com/library/busybox
[root@localhost ~]# docker rmi registry.example.com/library/busybox
Untagged: registry.example.com/library/busybox:latest
Untagged: registry.example.com/library/busybox@sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9

# Check after deleting
[root@localhost ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
busybox      latest    ffe9d497c324   8 days ago   1.24MB

# Pull the image from the Harbor registry
[root@localhost ~]# docker pull registry.example.com/library/busybox:latest

# Check
[root@localhost ~]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED      SIZE
busybox                                latest    ffe9d497c324   8 days ago   1.24MB
registry.example.com/library/busybox   latest    ffe9d497c324   8 days ago   1.24MB