Docker 私有Registry
Registry用於保存docker鏡像,包括鏡像的層次結構和元數據。用戶能夠自建Registry,也可以使用官方的Docker Hub。nginx
Docker Registry 分類:git
- Sponsor Registry: 第三方的registry,供客戶和Docker社區使用
- Mirror Registry: 第三方的registryy,只讓客戶使用
- Vendor Registry: 由發佈Docker鏡像的供應商提供的registry
- Private Registry: 經過設有防火牆和額外的安全層的私有實體提供的registry
私有Registry
使用前先要將服務部署到服務器上。github
YUM安裝
能夠經過yum安裝:redis
yum install docker-registry yum install docker-distribution
上面兩個命令都會安裝docker-distribution只要執行一個就行了。sql
軟件包的信息:docker
[root@Docker ~]# yum info docker-distribution 已加載插件:fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com 可安裝的軟件包 名稱 :docker-distribution 架構 :x86_64 版本 :2.6.2 發佈 :2.git48294d9.el7 大小 :3.5 M 源 :extras/7/x86_64 簡介 : Docker toolset to pack, ship, store, and deliver content 網址 :https://github.com/docker/distribution 協議 : ASL 2.0 描述 : Docker toolset to pack, ship, store, and deliver content [root@Docker ~]#
這個就不裝了,由於還能夠將服務安裝在容器中運行。shell
容器安裝
docker官方也提供了容器,基於容器提供Registry服務。json
下載鏡像:api
[root@Docker ~]# docker image pull registry Using default tag: latest latest: Pulling from library/registry c87736221ed0: Pull complete 1cc8e0bb44df: Pull complete 54d33bcb37f5: Pull complete e8afc091c171: Pull complete b4541f6d3db6: Pull complete Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146 Status: Downloaded newer image for registry:latest [root@Docker ~]#
啓動容器:瀏覽器
docker run -d -p 5000:5000 --restart always --name registry registry
配置文件
查看registry的配置文件:
[root@Docker ~]# docker container exec -it registry cat /etc/docker/registry/config.yml
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
[root@Docker ~]#
這裏是默認的配置文件。配置文件是經過CMD命令指定的,默認的dockerfile的CMD指令以下:
CMD ["/etc/docker/registry/config.yml"]
鏡像存放的位置
鏡像Dockerfile中有一條VOLUME指令,這個路徑就是容器是存放鏡像的路徑:
VOLUME ["/var/lib/registry"]
啓動鏡像時,能夠使用-v參數,指定宿主機的目錄。
上傳鏡像
上傳鏡像前,先要給鏡像打標:
[root@Docker ~]# docker push busybox loclhost:5000/busybox
這裏要準備將本地的busybox推送到服務器loclhost:5000。這裏省略了倉庫的用戶名,沒有用戶名就是一個頂層倉庫。
推送:
[root@Docker ~]# docker push localhost:5000/busybox The push refers to repository [localhost:5000/busybox] 0d315111b484: Pushed latest: digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 size: 527 [root@Docker ~]#
不往本機lo接口推,也就是服務器地址不使用localhost或127.0.0.1。而是向本機的網卡地址推。就像其餘主機要向本機的registry推送同樣了。而後會產生以下的錯誤:
[root@Docker ~]# docker push 192.168.24.170:5000/busybox The push refers to repository [192.168.24.170:5000/busybox] Get https://192.168.24.170:5000/v2/: http: server gave HTTP response to HTTPS client [root@Docker ~]#
這裏的問題是,docker默認是使用https協議工做的,而registry服務器的響應是http協議。解決的辦法有兩個。
第一個方法是修改registry來適應docker,registry服務器改成https協議
第二個方法是修改docker來使用registry,將registry服務器地址加入到docker的insecure-registries中去
配置insecure-registries
修改配置文件,而後重啓加載後就能夠推送上去了:
[root@Docker ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
"insecure-registries": ["192.168.24.170:5000"]
}
[root@Docker ~]# systemctl reload docker
[root@Docker ~]# docker push 192.168.24.170:5000/busybox
The push refers to repository [192.168.24.170:5000/busybox]
0d315111b484: Layer already exists
latest: digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 size: 527
[root@Docker ~]#
下載鏡像
指定Registry下載以前上傳的鏡像:
[root@Docker ~]# docker pull 192.168.24.170:5000/busybox Using default tag: latest latest: Pulling from busybox ee153a04d683: Pull complete Digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 Status: Downloaded newer image for 192.168.24.170:5000/busybox:latest [root@Docker ~]#
Harbor
Harbor是一個用於存儲和分發Docker鏡像的企業級Registry服務器。
Harbor特性
基於角色的訪問控制:用戶與Docker鏡像倉庫經過「項目」進行組織管理,一個用戶能夠對多個鏡像倉庫在同一命名空間(project)裏有不一樣的權限。
鏡像複製:鏡像能夠在多個Registry實例中複製(同步)。尤爲適合於負載均衡,高可用,混合雲和多雲的場景。
圖形化用戶界面:用戶能夠經過瀏覽器來瀏覽,檢索當前Docker鏡像倉庫,管理項目和命名空間。
AD/LDAP 支持:Harbor能夠集成企業內部已有的AD/LDAP,用於鑑權認證管理。
審計管理:全部針對鏡像倉庫的操做均可以被記錄追溯,用於審計管理。
國際化:已擁有英文、中文、德文、日文和俄文的本地化版本。更多的語言將會添加進來。
RESTful API:RESTful API 提供給管理員對於Harbor更多的操控, 使得與其它管理軟件集成變得更容易。
部署簡單:提供在線和離線兩種安裝工具, 也能夠安裝到vSphere平臺(OVA方式)虛擬設備。
安裝準備
github項目地址:
https://github.com/vmware/harbor
這是一個vmware的開源項目,實際會跳轉到下面這個地址:
https://github.com/goharbor/harbor
下載 harbor
查看項目的README,Features的內容上面提過了,這裏主要看Install & Run部分的內容。
首先是下載
Harbor release:
https://github.com/goharbor/harbor/releases
$ wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.2-rc1.tgz
安裝配置嚮導
Installation & Configuration Guide:
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
硬件要求:
| Resource | Capacity | Description |
|---|---|---|
| CPU | minimal 2 CPU | 4 CPU is preferred |
| Mem | minimal 4GB | 8GB is preferred |
| Disk | minimal 40GB | 160GB is preferred |
軟件要求:
| Software | Version | Description |
|---|---|---|
| Docker engine | version 17.06.0-ce+ or higher | For installation instructions, please refer to: docker engine doc |
| Docker Compose | version 1.18.0 or higher | For installation instructions, please refer to: docker compose doc |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |
安裝步驟:
- Download the installer;
- Configure harbor.yml;
- Run install.sh to install and start Harbor;
下載完以後,先解壓:
[root@Harbor ~]# tar xvf harbor-offline-installer-v1.8.1.tar -C /opt harbor/harbor.v1.8.1.tar.gz harbor/prepare harbor/LICENSE harbor/install.sh harbor/harbor.yml [root@Harbor ~]#
下載的文件在解壓後就不須要了。解壓後的文件在安裝完成後也都是不須要的。因此下載到哪裏,解壓到哪裏其實都不重要。建議能夠解壓到 /opt 或 /usr/local 這兩個目錄裏。
安裝包中的鏡像
解壓後的文件中,有一個文件harbor.v1.8.1.tar.gz。這個是被導出的docker鏡像。還記得docker save命令吧,能夠打包導出多個鏡像並完成壓縮:
$ docker save myimg/httpd:v1 myimg/httpd:v2 | gzip > myimage_latest.tar.gz
這個文件應該就是這麼來的。以後的安裝過程當中,則是會把這個文件裏的全部鏡像作一次批量導入:
$ docker load -i myimage_latest.tar.gz
在安裝時執行的install.sh腳本里有解壓並導入鏡像的語句:
if [ -f harbor*.tar.gz ]
then
h2 "[Step $item]: loading Harbor images ..."; let item+=1
docker load -i ./harbor*.tar.gz
fi
安裝的依賴和過程
Harbor的安裝,就是給當前的主機安裝不少容器,而且把這些容器都啓動起來。啓動Harbor就是用docker-compose把這些容器的啓動起來,而關閉harbor也是經過docker-compose來把容器一次關閉。之因此須要藉助docker-compose,由於harbor是由不少容器協同過程的,容器之間又依賴關係,這些都須要docker-compose這個單機編排工具來協調。
因此安裝harbor前,須要安裝好docker-compose,才能實現本地的容器的編排。須要安裝好docker,才能把本地的鏡像啓動起來。鏡像就在下載解壓的文件中。而且還須要啓動docker,這樣才能運行容器。
準備工做完成後,就是執行harbor準備的install.sh腳本,在本地加載好鏡像,經過docker-compose把這些鏡像依次啓動起來,而且運行在本地的docker上。
修改harbor.yml配置文件,主機名必定看改掉,最好使用本機的域名,若是沒有域名那麼就用本機的IP地址。沒改的話,會有以下的錯誤提示:
[root@Harbor harbor]# ./install.sh ➜ Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients. Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. Please set --with-clair if needs enable Clair in Harbor Please set --with-chartmuseum if needs enable Chartmuseum in Harbor [root@Harbor harbor]#
檢查發現沒有安裝docker:
[root@Harbor harbor]# ./install.sh [Step 0]: checking installation environment ... ✖ Need to install docker(17.06.0+) first and run this script again. [root@Harbor harbor]#
檢查發現沒有安裝docker-compose:
[root@Harbor harbor]# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 19.03.1 ✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again. [root@Harbor harbor]#
檢查發現docker沒有啓動:
[root@Harbor harbor]# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 19.03.1 Note: docker-compose version: 1.18.0 [Step 1]: loading Harbor images ... Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? [root@Harbor harbor]#
Docker Compose
Docker的單機編排工具。官方文檔:
https://docs.docker.com/compose/
爲了簡化harbor的安裝和部署,因此harbor作成了在容器中運行的應用。可是harbor的運行還依賴不少其餘的應用,因此須要編排幾個容器來協同工做。因此harbor的部署和使用時須要藉助Docker的單機編排工具Docker Compose。
安裝docker-compose,位於epel源中:
yum install docker-compose
Compose模板文件
模板文件是使用Compose的核心,設計的指令關鍵字也有不少,默認的模板文件名稱爲docker-compose.yml,格式爲YAML格式。
這個不是重點,能安裝使用harbor就行了,不過仍是簡單瞭解一下。
要使用docker-compose就要寫一個編排腳本,和dockerfile相似,也是有不少指令。定義要啓動的每個容器,指明依賴關係,這樣被依賴的容器須要先啓動。關閉容器的時候也要對稱,先把沒有被依賴的容器關閉掉。
順便就來看下harbor的docker-compose.yml文件:
[root@Harbor harbor]# cat docker-compose.yml
version: '2.3' # docker-compose的版本
services: # 定義一個服務
log: # 服務的名稱,服務是經過容器來提供的,具體就是下面的設置
image: goharbor/harbor-log:v1.8.1 # 指定容器的鏡像,也能夠用build指令經過dockerfile建立
container_name: harbor-log # 生成的容器的名稱
restart: always # 容器自動重啓
dns_search: .
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes: # 定義卷
- /var/log/harbor/:/var/log/docker/:z
- ./common/config/log/:/etc/logrotate.d/:z
ports:
- 127.0.0.1:1514:10514
networks: # 加入的網絡
- harbor
registry:
image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
container_name: registry
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- type: bind
source: /data/secret/registry/root.crt
target: /etc/registry/root.crt
networks:
- harbor
dns_search: .
depends_on: # 依賴的容器名稱
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
registryctl:
image: goharbor/harbor-registryctl:v1.8.1
container_name: registryctl
env_file:
- ./common/config/registryctl/env
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- type: bind
source: ./common/config/registryctl/config.yml
target: /etc/registryctl/config.yml
networks:
- harbor
dns_search: .
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registryctl"
postgresql:
image: goharbor/harbor-db:v1.8.1
container_name: harbor-db
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes:
- /data/database:/var/lib/postgresql/data:z
networks:
harbor:
dns_search: .
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "postgresql"
core:
image: goharbor/harbor-core:v1.8.1
container_name: harbor-core
env_file:
- ./common/config/core/env
restart: always
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
volumes:
- /data/ca_download/:/etc/core/ca/:z
- /data/psc/:/etc/core/token/:z
- /data/:/data/:z
- ./common/config/core/certificates/:/etc/core/certificates/:z
- type: bind
source: ./common/config/core/app.conf
target: /etc/core/app.conf
- type: bind
source: /data/secret/core/private_key.pem
target: /etc/core/private_key.pem
- type: bind
source: /data/secret/keys/secretkey
target: /etc/core/key
networks:
harbor:
dns_search: .
depends_on:
- log
- registry
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "core"
portal:
image: goharbor/harbor-portal:v1.8.1
container_name: harbor-portal
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
networks:
- harbor
dns_search: .
depends_on:
- log
- core
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "portal"
jobservice:
image: goharbor/harbor-jobservice:v1.8.1
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/job_logs:/var/log/jobs:z
- type: bind
source: ./common/config/jobservice/config.yml
target: /etc/jobservice/config.yml
networks:
- harbor
dns_search: .
depends_on:
- redis
- core
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "jobservice"
redis:
image: goharbor/redis-photon:v1.8.1
container_name: redis
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/redis:/var/lib/redis
networks:
harbor:
dns_search: .
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "redis"
proxy:
image: goharbor/nginx-photon:v1.8.1
container_name: nginx
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
dns_search: .
ports:
- 80:80
depends_on:
- postgresql
- registry
- core
- portal
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
networks:
harbor:
external: false
[root@Harbor harbor]#
安裝 Harbor
安裝前,須要去修改一下harbor.yml這個文件的配置,至少要把主機名改掉,以前已經說過了。其餘配置按須要修改,不改也可以安裝了。
一切準備就行,就能夠安裝了:
[root@Harbor harbor]# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 19.03.1 Note: docker-compose version: 1.18.0 [Step 1]: loading Harbor images ... ba58b7bb3f17: Loading layer 33.32MB/33.32MB ......略過...... Loaded image: goharbor/clair-photon:v2.0.8-v1.8.1 [Step 2]: preparing environment ... prepare base dir is set to /opt/harbor Generated configuration file: /config/log/logrotate.conf ......略過...... Generated certificate, key file: /secret/core/private_key.pem, cert file: /secreCreating harbor-log ... done Generated configuration file: /compose_location/docker-compose.yml Clean up the input dir Creating registry ... done Creating harbor-core ... done [Step 3]: starting Harbor ... Creating harbor-portal ... done Creating nginx ... done Creating harbor-db ... Creating redis ... Creating registryctl ... Creating registry ... Creating harbor-core ... Creating harbor-portal ... Creating harbor-jobservice ... Creating nginx ... ✔ ----Harbor has been installed and started successfully.---- Now you should be able to visit the admin portal at http://HarborStudy. For more details, please visit https://github.com/goharbor/harbor . [root@Harbor harbor]#
安裝成功,能夠看看監聽的端口,安裝了哪些鏡像,啓動了哪些容器:
$ ss -tnl $ docker images $ docker ps
登陸 Harbor
默認的密碼在harbor.yml有設置的:
harbor_admin_password: Harbor12345
用戶名是admin,密碼沒改的話就是默認的,能夠登陸進去。
使用瀏覽器訪問Web頁面,能夠看到一些管理界面。
另外要上傳或下載鏡像,須要在命令行使用docker命令,在那以前也須要登陸Harbor,使用docker login命令來完成登陸:
[root@Harbor harbor]# docker login localhost Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [root@Harbor harbor]#
登陸成功以後,才能推送鏡像。
中止 Harbor
要想中止或啓動harbor,須要經過docker-compose命令。
在操做以前,最好先切換目錄到要操做的docker-compose.yml所在的目錄,這樣docker-compose可以自動找到模板文件並進行操做。
中止harbor:
[root@Harbor harbor]# cd /opt/harbor/ [root@Harbor harbor]# docker-compose stop Stopping nginx ... done Stopping harbor-portal ... done Stopping harbor-jobservice ... done Stopping harbor-core ... done Stopping registryctl ... done Stopping harbor-db ... done Stopping registry ... done Stopping redis ... done Stopping harbor-log ... done [root@Harbor harbor]#
而後再次啓動:
[root@Harbor harbor]# docker-compose start Starting log ... done Starting registry ... done Starting registryctl ... done Starting postgresql ... done Starting core ... done Starting portal ... done Starting redis ... done Starting jobservice ... done Starting proxy ... done [root@Harbor harbor]#
- 1. 7.docker私有registry
- 2. Docker 私有倉庫 --docker-registry
- 3. docker——7、Docker私有Registry(Harbor)
- 4. Docker Registry--私有docker站
- 5. docker建立私有registry
- 6. Docker建立私有Registry
- 7. Docker第七回(私有Registry)
- 8. Docker搭建私有registry
- 9. Docker 之 私有倉庫registry
- 10. docker 私有registry 配置
- 更多相關文章...
- • Rust 所有權 - RUST 教程
- • MacOS Docker 安裝 - Docker教程
- • Docker 清理命令
- • 再有人問你分佈式事務,把這篇扔給他
-
每一个你不满意的现在,都有一个你没有努力的曾经。