docker鏡像倉庫

搭建私有鏡像倉庫

Docker Hub做爲Docker默認官方公共鏡像，若是想本身搭建私有鏡像倉庫，官方也提供registry鏡像，使得搭建私有倉庫很是簡單。
下載registry鏡像並啓動

[root@docker ~]# docker pull registry
[root@docker ~]# docker run -d -v /opt/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry
790e35569960041b5976786ab76babc8213e81e0a2d3b1bf3a9c0b5cc2bd1280

測試查看鏡像倉庫中全部鏡像

[root@docker ~]# curl http://192.168.193.128:5000/v2/_catalog
{"repositories":[]}

私有鏡像倉庫管理

配置私有倉庫可信任

[root@docker ~]# cat /etc/docker/daemon.json 
{
    "registry-mirrors":["https://registry.docker-cn.com"],
    "insecure-registries":["192.168.193.128：5000"]
}
[root@docker ~]# systemctl restart docker

打標籤

[root@docker ~]# docker tag nginx:1.12 192.168.193.128:5000/nginx:1.12

上傳

[root@docker ~]# docker push 192.168.193.128:5000/nginx:1.12
[root@docker ~]# curl http://192.168.193.128:5000/v2/_catalog
{"repositories":["nginx"]}
查看信息
[root@docker ~]# curl http://192.168.193.128:5000/v2/nginx/tags/list
{"name":"nginx","tags":["1.12"]}

下載

[root@docker ~]# docker run -itd --name nginx -p 80:80 192.168.193.128:5000/nginx:1.12
6c13f1122f713237e44aabe58f345652785d21f4b2a1deda05985bbf03b5a1be

企業一般使用Docker Harbor鏡像管理工具。

Docker Hub公共鏡像倉庫使用

註冊帳號
https://hub.docker.com/
登陸Docker Hub
建立倉庫

linux端登陸

[root@docker ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: yinshoucheng
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
或
[root@docker ~]# docker login --username=yinshoucheng --password=123456

鏡像打標籤

[root@docker ~]# docker tag nginx:1.12 yinshoucheng/golden:1.12

上傳

[root@docker ~]# docker push yinshoucheng/golden:1.12

搜索測試

[root@docker ~]# docker search yinshoucheng
NAME                  DESCRIPTION         STARS               OFFICIAL            AUTOMATED
yinshoucheng/golden                       0

下載

[root@docker ~]# docker pull yinshoucheng/golden:1.12

企業級私有鏡像倉庫Harbor

Harbor是VMware公司開源的企業級Docker Registry項目，項目地址：https://github.com/vmware/harbor
下載離線安裝包

安裝docker

[root@docker ~]# docker info
Containers: 26
 Running: 1
 Paused: 0
 Stopped: 25
Images: 16
Server Version: 18.09.6
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-862.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.697GiB
Name: docker
ID: 3EAH:DXYW:7DXA:76IW:AKHC:TKG5:FC5N:QPRB:SFAY:T6HB:LSCS:CUPK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: yinshoucheng
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 192.168.193.128:5000
 127.0.0.0/8
Registry Mirrors:
 https://registry.docker-cn.com/
Live Restore Enabled: false
Product License: Community Engine

安裝docker-compose
https://github.com/docker/compose/releases/

[root@docker ~]# curl -L https://github.com/docker/compose/releases/download/1.25.0-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
[root@docker ~]# chmod +x /usr/local/bin/docker-compose
[root@docker ~]# docker-compose --version
docker-compose version 1.25.0-rc1, build 8552e8e2

自籤TLS證書
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

解壓
[root@docker ~]# tar -zxf harbor-offline-installer-v1.8.1.tgz 
[root@docker ~]# 
[root@docker ~]# cd harbor
建立存放ssl的目錄
[root@docker harbor]# mkdir ssl
生成ca根證書
[root@docker harbor]# mkdir ssl
[root@docker harbor]# cd ssl
[root@docker ssl]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
> -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
........................................................................................................................................................................++
...............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:goldenyin
Email Address []:
[root@docker ssl]# ls
ca.crt  ca.key
[root@docker ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.goldenyin.com.key -out reg.goldenyin.com.csr
Generating a 4096 bit RSA private key
.................................................................................................................................................................................................++
........++
writing new private key to 'reg.goldenyin.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:reg.goldenyin.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@docker ssl]# ls
ca.crt  ca.key  reg.goldenyin.com.csr  reg.goldenyin.com.key
[root@docker ssl]# openssl x509 -req -days 365 -in reg.goldenyin.com.csr -CA ca.crt -CAkey ca.key -CA.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out reg.goldenyin.com.crt
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd/CN=reg.goldenyin.com
Getting CA Private Key
[root@docker ssl]# ls
ca.crt  ca.srl                 reg.goldenyin.com.csr
ca.key  reg.goldenyin.com.crt  reg.goldenyin.com.key

Harbor安裝與配置

[root@docker ssl]# cd ..
[root@docker harbor]# ls
harbor.v1.8.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare  ssl
配置harbor.cfg（新版已經改爲harbor.yml）
修改配置，協議，證書，管理員密碼　
示例：
hostname = reg.goldenyin.com
將http:和port:80註釋（新版本）
ui_url_protocol = https（新版無此項）
ssl_cert = ./ssl/reg.lvusyy.com.crt（新版本certificate: ./ssl/reg.goldenyin.com.crt）
ssl_cert_key = ./ssl/reg.lvusyy.com.key（新版本private_key: ./ssl/reg.goldenyin.com.key）
harbor_admin_password = harbor12345
[root@docker harbor]#  ./prepare （讀取配置文件，新版本無需此步驟操做）
將https:和port:443註釋取消（新版本）
external_url: https://reg.goldenyin.com:8433（新版本）
[root@docker harbor]# ./install.sh 
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://reg.goldenyin.com. 
For more details, please visit https://github.com/goharbor/harbor .

windows主機配置hosts（C:\Windows\System32\drivers\etc\hosts）
192.168.193.128 reg.goldenyin.com

http://reg.goldenyin.com/

https://reg.goldenyin.com/（未配置）

docker主機訪問Harbor

[root@docker harbor]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.193.128 reg.goldenyin.com
[root@docker harbor]# docker login reg.goldenyin.com
建立證書保存目錄
[root@docker harbor]# mkdir -p /etc/docker/certs.d/reg.goldenyin.com
拷貝證書
[root@docker reg.goldenyin.com]# ls
reg.goldenyin.com.crt
從新登陸
[root@docker harbor]# docker login reg.goldenyin.com

docker tag SOURCE_IMAGE[:TAG] reg.goldenyin.com/test/IMAGE[:TAG] docker push reg.goldenyin.com/test/IMAGE[:TAG]