Docker Private Registry


2023-03-25 04:49 | Source: compiled from the web | Views: 265

Contents

1 Docker Registry
2 Docker Private Registry
3 Building a Registry with docker-distribution
  3.1 Building a Registry from the official image
4 Harbor
  4.1 Introduction to Harbor
  4.2 Harbor features
  4.3 Docker Compose
  4.4 Deploying Harbor
  4.5 Using the Harbor repository
  4.6 Creating an ordinary Harbor user

1 Docker Registry

Many Registry servers on the internet let third-party users register and then keep their own repositories under their user name. Using an internet Registry has one drawback, though: pushing and pulling images is never fast. In production it is quite possible for tens or hundreds of containers to be started in parallel, and quite possibly none of the servers has the image locally. Pulling images over the internet in that situation causes many problems: downloads are slow, a lot of bandwidth is consumed, and if bandwidth is insufficient the time from download to start can stretch to tens of minutes, which defeats the whole point of containers being lightweight and fast. So in many cases we will need to run our own private Registry.

A Registry stores Docker images, including their layer structure and metadata. Users can run their own Registry or use the official Docker Hub.

Docker Registry categories

- Sponsor Registry: a third-party Registry for use by customers and the Docker community
- Mirror Registry: a third-party Registry for use by customers only
- Vendor Registry: a Registry provided by the vendor that publishes the Docker images
- Private Registry: a Registry provided by a private entity, behind a firewall and with additional layers of security

In practice, if the systems you operate are hosted on a cloud service such as Alibaba Cloud, using that cloud's Registry is the best choice. Often our production environment is not on premises but hosted in a data centre. If we deploy a Registry on one host in that data centre, all hosts sit in the same room and therefore on the same LAN, data travels over the internal network, and efficiency improves enormously.

By default every Registry works over HTTPS; that is a basic requirement of Docker. A self-built Registry, however, may well run over plain HTTP, and Docker refuses to use an HTTP Registry unless it is explicitly told that we really do want a Registry over HTTP.

2 Docker Private Registry

To help us create a private Registry quickly, Docker provides a dedicated package called Docker Distribution; installing it lets us build a private repository in short order.

In the container era, every program except the kernel and init should run in a container. To make a Docker Private Registry easy, Docker Hub publishes the Registry itself as an image: we can pull it and start it as a container to get a private Registry immediately. Equally, we can run Docker Distribution inside a container.

The Registry's job is to host images. When the Registry runs in a container, the container's own filesystem is deleted when the container's lifecycle ends and it is removed, so if clients have uploaded many images and the Registry container is stopped and removed, all of those images are gone. The images should therefore live on a storage volume, and ideally that volume should not be local to the Docker host but on network shared storage such as NFS. The volume the image defines for itself, however, is still a Docker-managed volume on the local host; we can change it by hand to a volume on another filesystem.

That is one simple way to run a Registry in a container. The other way to build your own Registry is to install the docker-distribution package directly.

3 Building a Registry with docker-distribution

Note: this method applies to CentOS 7.

```
# Build the Registry on node02
[root@node02 ~]# yum -y install docker-distribution
[root@node02 ~]# vim /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry   # change this to a directory on a large disk partition
http:
    addr: :5000
[root@node02 ~]# systemctl start docker-distribution
[root@node02 ~]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       100     127.0.0.1:25        *:*
LISTEN  0       128     *:22                *:*
LISTEN  0       100     [::1]:25            [::]:*
LISTEN  0       128     [::]:5000           [::]:*
LISTEN  0       128     [::]:22

# On node01, push an image to the self-built Registry
# Use the insecure-registries parameter to allow HTTP
[root@node01 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://j3m2itm3.mirror.aliyuncs.com","https://registry.docker-cn.com"],
  "insecure-registries": ["node02-linux.example.com:5000"]
}
[root@node01 ~]# systemctl restart docker
[root@node01 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
nginx        latest   2073e0bcb60e   2 weeks ago   127MB
busybox      latest   6d5fcfe5ff17   8 weeks ago   1.22MB
[root@node01 ~]# docker tag nginx:latest node02-linux.example.com:5000/nginx:latest
[root@node01 ~]# docker images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
nginx                                 latest   2073e0bcb60e   2 weeks ago   127MB
node02-linux.example.com:5000/nginx   latest   2073e0bcb60e   2 weeks ago   127MB
busybox                               latest   6d5fcfe5ff17   8 weeks ago   1.22MB
[root@node01 ~]# docker push node02-linux.example.com:5000/nginx
The push refers to repository [node02-linux.example.com:5000/nginx]
22439467ad99: Pushed
b4a29beac87c: Pushed
488dfecc21b1: Pushed
latest: digest: sha256:62f787b94e5faddb79f96c84ac0877aaf28fb325bfc3601b9c0934d4c107ba94 size: 948
```

3.1 Building a Registry from the official image

```
# The registry image (v2) keeps its data under /var/lib/registry, so mount the host
# directory there; mounting it at /tmp/registry would leave the images inside the
# container's own filesystem and lose them when the container is removed.
[root@node02 ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry
[root@node02 ~]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       100     127.0.0.1:25        *:*
LISTEN  0       128     *:22                *:*
LISTEN  0       100     [::1]:25            [::]:*
LISTEN  0       128     [::]:5000           [::]:*
LISTEN  0       128     [::]:22             [::]:*
```

4 Harbor

Whether we build the repository with docker-distribution or by running the official image as a container, the demonstrations above show that the result is very bare-bones, less convenient than simply managing images on the official Docker Hub. Docker Hub at least offers a web UI for managing images, searching from the web UI, and building images automatically from a Dockerfile with Webhooks and Automated Builds: users do not run docker build locally, but push all the files of the build context as a repository to GitHub, and Docker Hub pulls them from GitHub to complete the build.

But however powerful the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck and in many cases the official repository is not an option; yet the two self-built approaches above are very bare-bones and hard to manage. This is why a project that later won the favour of the CNCF appeared: Harbor.

4.1 Introduction to Harbor

Harbor is VMware's repackaging built on top of Docker Registry, adding many extra programs and a very attractive web UI. Project Harbor is an open-source trusted cloud-native registry project that stores, signs and scans content. Harbor extends the open-source Docker Distribution by adding the functionality users usually need, such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring and replication between instances.

4.2 Harbor features

- Multi-user control (role-based access control and project isolation)
- Audit logging
- Security and vulnerability analysis
- Identity integration and role-based access control
- Image replication between instances
- Extensible API and graphical user interface
- Internationalisation (currently English and Chinese)

4.3 Docker Compose

Deploying Harbor on bare metal is very hard, so to simplify its use the Harbor project packages Harbor as an application that runs in containers. Those containers depend on many storage systems such as Redis, MySQL and PostgreSQL, so a number of containers must be orchestrated to work together; deploying and using VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose.

Compose is a tool for defining and running multi-container Docker applications. With Compose you use a YAML file to configure your application's services; then, with a single command, you create and start all the services from your configuration. Docker Compose official documentation

Installing Docker Compose

```
# Download and configure the docker-ce repository
[root@localhost ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' /etc/yum.repos.d/docker-ce.repo
[root@localhost ~]# yum clean all
# Install docker
[root@localhost ~]# yum -y install docker-ce
# Install docker compose
[root@localhost ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@localhost ~]# ls /usr/local/bin/
docker-compose
# Apply execute permission to the binary
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose
[root@localhost ~]# ls -l /usr/local/bin/docker-compose
-rwxr-xr-x. 1 root root 12737304 12月 16 03:03 /usr/local/bin/docker-compose
[root@localhost ~]# which docker-compose
/usr/local/bin/docker-compose
# Check the version
[root@localhost ~]# docker-compose version
docker-compose version 1.29.2, build 5becea4c
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
```

4.4 Deploying Harbor

Harbor official documentation

Environment

Host                   IP               Services
registry.example.com   192.168.25.147   Harbor, Docker
Docker host            192.168.25.148   Docker

```
# Disable the firewall and SELinux
[root@localhost ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# sed -i 's/enforcing/disabled/' /etc/selinux/config
[root@localhost ~]# reboot
# I use the offline Harbor installer here
[root@localhost ~]# cd /usr/src/
[root@localhost src]# ls
debug  harbor-offline-installer-v2.3.5.tgz  kernels
# Compare the md5sum with the md5sum file on the official site to check that the package is intact
[root@localhost src]# md5sum harbor-offline-installer-v2.3.5.tgz
f1e01bbb4b62bf4a31a103d8c7c5a215  harbor-offline-installer-v2.3.5.tgz
# Unpack harbor
[root@localhost src]# ls /usr/local/
bin  etc  games  include  lib  lib64  libexec  sbin  share  src
[root@localhost src]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@localhost src]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
# Start the docker service
[root@localhost src]# systemctl enable --now docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
[root@localhost src]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: >
   Active: active (running) since Thu 2021-12-16 03:18:00 EST; 5s ago
     Docs: https://docs.docker.com
 Main PID: 16793 (dockerd)
    Tasks: 9
   Memory: 37.7M
   CGroup: /system.slice/docker.service
           └─16793 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/container>

12月 16 03:17:59 localhost.localdomain dockerd[16793]: time="2021-12-16T03:17:59.05>
12月 16 03:17:59 localhost.localdomain dockerd[16793]: time="2021-12-16T03:17:59.05>
12月 16 03:17:59 localhost.localdomain dockerd[16793]: time="2021-12-16T03:17:59.05>
12月 16 03:17:59 localhost.localdomain dockerd[16793]: time="2021-12-16T03:17:59.97>
12月 16 03:18:00 localhost.localdomain dockerd[16793]: time="2021-12-16T03:18:00.10>
12月 16 03:18:00 localhost.localdomain dockerd[16793]: time="2021-12-16T03:18:00.23>
12月 16 03:18:00 localhost.localdomain dockerd[16793]: time="2021-12-16T03:18:00.25>
lines 1-17
# Configure a docker registry mirror (accelerator)
[root@localhost ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://xj3hc284.mirror.aliyuncs.com"]
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
# First set the hostname and the name-to-address mapping
[root@localhost ~]# hostnamectl set-hostname registry.example.com
[root@localhost ~]# bash
[root@registry ~]# hostname
registry.example.com
[root@registry ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.25.147 registry.example.com
# Edit the harbor configuration file
[root@registry ~]# cd /usr/local/harbor/
[root@registry harbor]# ls
common.sh  harbor.yml  install.sh  prepare
harbor.v2.3.5.tar.gz  harbor.yml.tmpl  LICENSE
[root@registry harbor]# cp harbor.yml.tmpl harbor.yml   # the .tmpl file stays as a backup
[root@registry harbor]# cat harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: registry.example.com   # change this to the hostname or IP address of this host

# http related config
# I have no certificate in this environment, so the https section is commented out
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path

# The Harbor web UI login password and other settings are also in harbor.yml; change them as needed
# Install harbor
[root@registry harbor]# ls
common.sh  harbor.yml  install.sh  prepare
harbor.v2.3.5.tar.gz  harbor.yml.tmpl  LICENSE
[root@registry harbor]# ./install.sh
........
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating redis ... done
Creating registry ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
[root@registry harbor]# ls
common  docker-compose.yml  harbor.yml  install.sh  prepare
common.sh  harbor.v2.3.5.tar.gz  harbor.yml.tmpl  LICENSE
# List the images
[root@registry ~]# docker images
REPOSITORY                      TAG      IMAGE ID       CREATED      SIZE
goharbor/harbor-exporter        v2.3.5   1730c6f650e2   6 days ago   81.9MB
goharbor/chartmuseum-photon     v2.3.5   47004f032938   6 days ago   179MB
goharbor/redis-photon           v2.3.5   3d0cedc89a0d   6 days ago   156MB
goharbor/trivy-adapter-photon   v2.3.5   5c0212e98070   6 days ago   133MB
goharbor/notary-server-photon   v2.3.5   f20a76c65359   6 days ago   111MB
goharbor/notary-signer-photon   v2.3.5   b9fa38eef4d7   6 days ago   108MB
goharbor/harbor-registryctl     v2.3.5   7a52567a76ca   6 days ago   133MB
goharbor/registry-photon        v2.3.5   cf22d3e386b8   6 days ago   82.6MB
goharbor/nginx-photon           v2.3.5   5e3b6d9ce11a   6 days ago   45.7MB
goharbor/harbor-log             v2.3.5   a03e4bc963d6   6 days ago   160MB
goharbor/harbor-jobservice      v2.3.5   2ac32df5a2e0   6 days ago   211MB
goharbor/harbor-core            v2.3.5   23baee01156f   6 days ago   193MB
goharbor/harbor-portal          v2.3.5   bb545cdedf5a   6 days ago   58.9MB
goharbor/harbor-db              v2.3.5   9826c57a5749   6 days ago   221MB
goharbor/prepare                v2.3.5   a1ceaabe47b2   6 days ago   255MB
# List the running containers
[root@registry ~]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                   PORTS                                   NAMES
7e77a6c4f0d3   goharbor/nginx-photon:v2.3.5         "nginx -g 'daemon of…"   2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
7e80b1a29965   goharbor/harbor-jobservice:v2.3.5    "/harbor/entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-jobservice
2a2c46eedcc3   goharbor/harbor-core:v2.3.5          "/harbor/entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-core
e17225ac5aef   goharbor/harbor-portal:v2.3.5        "nginx -g 'daemon of…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-portal
5691a353369e   goharbor/registry-photon:v2.3.5      "/home/harbor/entryp…"   2 minutes ago   Up 2 minutes (healthy)                                           registry
17a674e37ef5   goharbor/redis-photon:v2.3.5         "redis-server /etc/r…"   2 minutes ago   Up 2 minutes (healthy)                                           redis
1e5c5421b587   goharbor/harbor-db:v2.3.5            "/docker-entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-db
71a401d21cda   goharbor/harbor-registryctl:v2.3.5   "/home/harbor/start.…"   2 minutes ago   Up 2 minutes (healthy)                                           registryctl
a860f4f6dcf3   goharbor/harbor-log:v2.3.5           "/bin/sh -c /usr/loc…"   2 minutes ago   Up 2 minutes (healthy)   127.0.0.1:1514->10514/tcp               harbor-log
# Check the ports Harbor is listening on
[root@registry ~]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:1514      0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:80             [::]:*
LISTEN  0       128     [::]:22             [::]:*
[root@registry ~]#
```

Open the Harbor web UI in a browser.

Note

Use docker-compose {start|stop} to start or stop Harbor. This must be done from Harbor's working directory, /usr/local/harbor, because docker-compose is driven by docker-compose.yml and the command has to be run in the directory that contains that file.

Things to note when using Harbor

- When pushing an image from a client, remember to run docker login first; without authentication the push cannot succeed.
- If the client does not use HTTPS, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json.
- The data path should be pointed, in the configuration file, at shared storage with enough capacity.
- Harbor is managed with docker-compose; to stop Harbor, use docker-compose stop as well. See --help for the other options.

4.5 Using the Harbor repository

```
# Configure the insecure-registries parameter on the Docker host.
# The "insecure-registries" line is the one added; it holds the registry's hostname or IP.
# daemon.json is strict JSON, so a comment must not be placed inside the braces.
[root@localhost ~]# cat /etc/docker/daemon.json
{
  "insecure-registries": ["registry.example.com"],
  "registry-mirrors": ["https://xj3hc284.mirror.aliyuncs.com"]
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
# Configure name resolution for harbor on the Docker host
[root@localhost ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.25.147 registry.example.com
# Log in to the harbor repository
[root@localhost ~]# docker login registry.example.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```
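Both the node01 configuration in section 3 and the Docker-host configuration above add an entry to insecure-registries by hand. The following Python is an added example, not code from the original post or from Docker: it merges such an entry into an existing daemon.json, refuses the two mistakes that silently break this step (a comment inside the JSON, which stops dockerd from starting, and an entry with a scheme or path, which dockerd never matches) and does not duplicate an entry on re-runs. The sample configuration text is constructed; no file is written.

```python
import json
import re

# host[:port] or IPv4[:port]; dockerd matches insecure-registries on exactly this form.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?::\d{1,5})?$"
)


def is_registry_host(entry: str) -> bool:
    """True for 'registry.example.com' or 'node02-linux.example.com:5000'; False when a
    scheme or path is attached, which dockerd would never match against an image name."""
    return "://" not in entry and "/" not in entry and bool(_HOST_RE.match(entry))


def is_valid_daemon_json(text: str) -> bool:
    """dockerd parses daemon.json as strict JSON: a '#' comment inside the braces
    stops the daemon from starting. An empty or missing file counts as valid."""
    if not text.strip():
        return True
    try:
        return isinstance(json.loads(text), dict)
    except json.JSONDecodeError:
        return False


def merged_config(config_text: str, registry: str) -> dict:
    """Parse the existing daemon.json and add `registry` to insecure-registries.
    Idempotent: an entry already present is not duplicated. Raises ValueError
    instead of producing a configuration dockerd would reject."""
    if not is_registry_host(registry):
        raise ValueError(f"insecure-registries entries are host[:port] only: {registry!r}")
    if not is_valid_daemon_json(config_text):
        raise ValueError("existing daemon.json is not valid JSON (comments are not allowed)")
    config = json.loads(config_text) if config_text.strip() else {}
    entries = config.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return config


def add_insecure_registry(config_text: str, registry: str) -> str:
    """Text to write back to /etc/docker/daemon.json (followed by: systemctl restart docker)."""
    return json.dumps(merged_config(config_text, registry), indent=2) + "\n"


if __name__ == "__main__":
    # Constructed sample mirroring node01's mirror-only config before the edit in the post.
    sample = '{"registry-mirrors": ["https://registry.docker-cn.com"]}'
    print(add_insecure_registry(sample, "node02-linux.example.com:5000"))
```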

Create a new project in Harbor

```
# Push an image from the docker host to harbor
[root@localhost ~]# docker images
REPOSITORY                       TAG      IMAGE ID       CREATED      SIZE
registry.example.com/web/httpd   latest   1b4af18e5f93   7 days ago   713MB
[root@localhost ~]# docker push registry.example.com/web/httpd:latest
The push refers to repository [registry.example.com/web/httpd]
e156d35ef4d9: Pushed
322c2244e46e: Pushed
cee7b76bfe86: Pushed
c55cdbeda06b: Pushed
74ddd0ec08fa: Pushed
latest: digest: sha256:45c6f563701932e6cb8182ab238f71cbefdea98e9949b4e01a7657a45e184489 size: 1374
```
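The push output in section 3 and the Harbor push above both end in a manifest digest. The following Python is an added example, not code from the original post or from Docker or Harbor: it recomputes such a digest the way the registry does (sha256 over the raw manifest bytes) and checks manifest bytes against it, which is what lets a client pin an image as name@sha256:... and notice substitution even when the registry is reached over plain HTTP. The sample manifest and its layer digests are constructed placeholders, not the real nginx or httpd manifests.

```python
import hashlib
import hmac
import json


def manifest_digest(manifest_bytes: bytes) -> str:
    """Digest as the registry computes it: sha256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def verify_manifest(manifest_bytes: bytes, expected_digest: str) -> bool:
    """True if the bytes hash to `expected_digest`; the comparison is constant-time."""
    if not expected_digest.startswith("sha256:"):
        return False
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected_digest)


def layer_digests(manifest_bytes: bytes) -> list:
    """Digests of the layers a schema2 manifest references (one per 'Pushed' line)."""
    manifest = json.loads(manifest_bytes)
    return [layer["digest"] for layer in manifest.get("layers", [])]


# Constructed sample manifest; the config and layer digests are placeholders of
# the right shape, not values taken from the post.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 7023, "digest": "sha256:" + "11" * 32},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 27092274, "digest": "sha256:" + "22" * 32},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4536, "digest": "sha256:" + "33" * 32},
    ],
}, indent=3).encode()


if __name__ == "__main__":
    digest = manifest_digest(SAMPLE_MANIFEST)
    print("pull by digest:", "node02-linux.example.com:5000/nginx@" + digest)
    # Any change to the bytes, even one digit of a layer size, is a different image.
    tampered = SAMPLE_MANIFEST.replace(b"4536", b"4537")
    print("tampered manifest verifies:", verify_manifest(tampered, digest))
```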

View the image in the Harbor repository

4.6 Creating an ordinary Harbor user

Log in as user tom. I gave tom the Developer role, which can read and write but not delete.
