7. Docker Registry
7.1 Understanding the Docker Registry
7.1.1 Introduction
- A registry stores Docker images, including each image's layers and its metadata.
- When a container is started, the Docker daemon first looks for the image locally; if it is not present, the daemon downloads it from a registry and keeps a local copy.
- When an image is pulled without an explicit registry address, the client defaults to Docker Hub.
7.1.2 Types of registries
- Sponsor registry: a third-party registry for use by customers and the Docker community.
- Mirror registry: a third-party registry for use only by its own customers, such as the Docker CN mirror and the Alibaba Cloud image accelerator.
- Vendor registry: a registry operated by the vendor that publishes the images, for example Red Hat's proprietary, paid registry.
- Private registry: a registry run by a private entity behind a firewall and additional security layers; a self-hosted registry on the local network also saves bandwidth.
7.1.3 Components of a registry (repository and index)
(1) Repository
- A repository holds every iteration (version) of one particular image.
- A registry can contain many repositories:
- Repositories are divided into "top-level repositories" and "user repositories".
- User repositories are named "username/repository".
- Each repository can contain multiple tags, and each tag points to one image.
(2) Index
- Maintains user accounts, image checksums and public namespace information.
- In effect it gives the registry a lookup interface that also handles user authentication and related functions.
- This split between index and registry comes from the Registry v1 design; the v2 registry used later in this chapter has no separate index and delegates authentication to an htpasswd file or to an external token service such as Harbor's.
7.1.4 Pulling and pushing images
(1) Pulling an image
```bash
docker pull <registry>[:<port>]/[<namespace>/]<name>:<tag>
```
- registry: the registry server address; defaults to Docker Hub when omitted.
- port: defaults to 443, because the client speaks HTTPS (plain HTTP is only attempted for registries listed under insecure-registries).
- namespace: which user's repository this is; can be omitted for top-level (official) repositories, which Docker Hub maps to the `library/` namespace.
- name: the repository name.
- tag: the tag; defaults to `latest`. A reference can also end in `@sha256:<digest>`, which pins the exact content regardless of where the tag is later moved.
(2) Pushing an image
```bash
docker push [OPTIONS] NAME[:TAG]
```
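The defaulting rules listed above (Docker Hub when no registry is given, the `library/` namespace for official images, `latest` when no tag is given, the port belonging to the host rather than the tag) are easy to get wrong by eye. The following is an added example, not code from the page or from Docker; it re-implements those rules so you can see what a short name resolves to, and builds the digest-pinned form that should be recorded wherever the exact content matters.

```python
"""Normalise Docker image references the way the CLI does before pull/push.

Added example re-implementing the defaulting rules described above; it is not
Docker's own code. The references used for checking are the ones that appear
in this chapter.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"   # implicit registry for short names
DEFAULT_NAMESPACE = "library"    # implicit namespace for official images on Docker Hub
DEFAULT_TAG = "latest"

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Reference:
    registry: str
    repository: str            # namespace/name (the namespace may span several path components)
    tag: Optional[str]
    digest: Optional[str]

    @property
    def canonical(self) -> str:
        """Fully qualified form; when a digest is present the tag is informational only."""
        ref = f"{self.registry}/{self.repository}"
        if self.tag:
            ref += f":{self.tag}"
        if self.digest:
            ref += f"@{self.digest}"
        return ref


def _is_registry(component: str) -> bool:
    # The first path component names a registry host if it contains a '.' or ':'
    # (a domain or host:port) or is exactly "localhost"; otherwise it is a namespace.
    return "." in component or ":" in component or component == "localhost"


def normalize(ref: str) -> Reference:
    """Expand a reference as typed on the command line to its canonical parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    tag = None
    # A ':' after the last '/' separates the tag; a ':' before it belongs to a
    # registry port such as 192.168.168.101:5000.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    if len(parts) > 1 and _is_registry(parts[0]):
        registry, path = parts[0], parts[1:]
    else:
        registry, path = DEFAULT_REGISTRY, parts
    if registry == "index.docker.io":
        registry = DEFAULT_REGISTRY
    if registry == DEFAULT_REGISTRY and len(path) == 1:
        path = [DEFAULT_NAMESPACE] + path
    if digest is None and tag is None:
        tag = DEFAULT_TAG
    return Reference(registry, "/".join(path), tag, digest)


def pin(ref: str, digest: str) -> str:
    """Return the reference pinned to the digest that `docker push`/`pull` printed.

    A tag can be re-pointed at different content later; a digest cannot, so this
    is the form to record in deployment manifests and CI pipelines.
    """
    if not _DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest}")
    r = normalize(ref)
    return Reference(r.registry, r.repository, r.tag, digest).canonical


if __name__ == "__main__":
    for short in ("busybox", "zhaojungle/test:latest",
                  "192.168.168.101:5000/test-nginx", "quay.io/coreos/flannel:v0.10.0-amd64"):
        print(f"{short:45} -> {normalize(short).canonical}")
</test>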
7.1.5 Well-known Docker registries
- quay.io, for example: `docker pull quay.io/coreos/flannel:v0.10.0-amd64`
7.2 Creating your own repository on Docker Hub
(1) Create the repository on Docker Hub; note that registering for Docker Hub from mainland China may require a proxy.
Note: you can also create your own repository on Alibaba Cloud at https://cr.console.aliyun.com/cn-hangzhou/repositories
(2) Push an image to your own repository
```bash
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
test/nginx 1.15.5 5ca46f021c31 18 hours ago 253 MB
[root@localhost ~]# docker tag test/nginx:1.15.5 zhaojungle/nginx:1.15.5
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
test/nginx 1.15.5 5ca46f021c31 18 hours ago 253 MB
zhaojungle/nginx 1.15.5 5ca46f021c31 18 hours ago 253 MB
# log in with your personal account
[root@localhost ~]# docker login -u zhaojungle
Password:
Login Succeeded
[root@localhost ~]# docker push zhaojungle/nginx:1.15.5
The push refers to a repository [docker.io/zhaojungle/nginx]
70d470e27542: Pushed
eb29745b8228: Pushed
1.15.5: digest: sha256:73d7988aeef4b0a5bc30c36a369fc51c372bf6953fd5b3fdccde5177821569c6 size: 741
```
The pushed image can now be seen on the Docker Hub web page.
(3) Pulling an image from your own repository
First push a small image to use for the test:
```bash
[root@localhost ~]# docker run -itd busybox sh
04170637da19d75af5ba46756a652b09fe163666e3cbf66902ab6235b243ce47
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
04170637da19 busybox "sh" 18 seconds ago Up 17 seconds loving_meitner
7965e75709f9 php:5.6-fpm "docker-php-entryp..." 24 hours ago Up 24 hours 9000/tcp php-fpm
[root@localhost ~]# docker exec -it 041 sh
/ # echo this is a test > test
/ # cat test
this is a test
/ # exit
# -m sets the commit message (-a would set the author field instead)
[root@localhost ~]# docker commit -m "add a test file" 041 zhaojungle/test:latest
sha256:9b5578cc29ffab8bf3269c855692945462a28eecb7cb02e906d71c6dc9c623a9
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
zhaojungle/test latest 9b5578cc29ff 21 seconds ago 1.22 MB
[root@localhost ~]# docker push zhaojungle/test:latest
```
Check on Docker Hub that the push succeeded.
Pull the image just pushed and run it:
```bash
[root@localhost ~]# docker pull zhaojungle/test:latest
latest: Pulling from zhaojungle/test
76df9210b28c: Already exists
9be8462314c7: Pull complete
Digest: sha256:c4df398b85a2f749988e9f94b3ad42dc484e7d0753b67c31e37d10a21bc4717e
Status: Downloaded newer image for zhaojungle/test:latest
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
zhaojungle/test latest 9b5578cc29ff 5 minutes ago 1.22 MB
[root@localhost ~]# docker run -it --rm zhaojungle/test sh
/ # cat test
this is a test
```
7.3 Setting up a private Docker registry
The open-source Registry that Docker provides is deliberately simple: it stores images and nothing more, with no user interface, access control beyond a password file, scanning or replication.
Official documentation: https://docs.docker.com/registry/
Official GitHub repository: https://github.com/distribution/distribution
7.3.1 Pull the registry image
```bash
[root@localhost ~]# docker pull registry
[root@localhost ~]# docker image ls registry
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 75ef5b734af4 13 months ago 25.4MB
```
7.3.2 Running the registry
- A registry without user authentication
```bash
# store image data on the host under /registry/ (mounted at /var/lib/registry inside the container)
[root@localhost ~]# docker run --name registry -p 5000:5000 -v /registry:/var/lib/registry -d registry:latest
fc9e1ebae2808d13d402d25a1d3a17ae3e767d2fd4e697a11d6725e9b254a1a1
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fc9e1ebae280 registry:latest "/entrypoint.sh /etc..." 1 second ago Up 1 second 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry
# re-tag the image with the registry address
[root@localhost ~]# docker image tag nginx:1.14-alpine 192.168.168.101:5000/test-nginx:1.14-alpine
# the push fails: the client uses HTTPS by default and this registry only speaks HTTP
[root@localhost ~]# docker push 192.168.168.101:5000/test-nginx:1.14-alpine
The push refers to repository [192.168.168.101:5000/test-nginx]
Get "https://192.168.168.101:5000/v2/": http: server gave HTTP response to HTTPS client
# declare the private registry as insecure by adding the "insecure-registries" entry below; the daemon will then accept
# plain HTTP (or an unverifiable certificate) from that address
[root@localhost ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://docker.m.daocloud.io",
    "https://huecker.io",
    "https://dockerhub.timeweb.cloud",
    "https://noohub.ru",
    "https://hub.oepkgs.net"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries": ["192.168.168.101:5000"]
}
[root@localhost ~]# systemctl restart docker
# restarting the daemon stopped the container (it was started without --restart=always), so start it again
[root@localhost ~]# docker start registry
# the push now succeeds without any authentication
[root@localhost ~]# docker push 192.168.168.101:5000/test-nginx:1.14-alpine
The push refers to repository [192.168.168.101:5000/test-nginx]
076c58d2644f: Pushed
b2cbae4b8c15: Pushed
5ac9a5170bf2: Pushed
a464c54f93a9: Pushed
1.14-alpine: digest: sha256:a3a0c4126587884f8d3090efca87f5af075d7e7ac8308cffc09a5a082d5f4760 size: 1153
# the image data is now present in the host directory
[root@localhost ~]# ll /registry/
total 0
drwxr-xr-x 3 root root 22 Nov 5 18:33 docker
# remove the container
[root@localhost auth]# docker rm -f registry
```
Anyone who can reach port 5000 can push to, overwrite or delete from this registry, and the insecure-registries entry also makes every client accept the image bytes over plaintext. Treat it as a lab setup only, and keep the entry out of daemon.json on hosts that do not need it.
- A registry with HTTP Basic authentication
```bash
[root@localhost ~]# yum install -y httpd-tools
# the htpasswd file must live in the directory that is mounted at /auth inside the container
[root@localhost ~]# mkdir -p /registry-auth/auth
[root@localhost ~]# cd /registry-auth
# -B selects bcrypt, the only hash format the registry accepts; -n prints the entry instead of writing a file
[root@localhost registry-auth]# htpasswd -Bbn admin admin >> auth/registry_htpasswd
[root@localhost registry-auth]# cat auth/registry_htpasswd
admin:$2y$05$RCu8PiM0r.jXB/XJZ4oYNeHQozB4lH1IvdoxiTG.lwF9I1P2lF/F6
# run the container
[root@localhost registry-auth]# docker run -d -p 5000:5000 -v /registry-auth/registry:/var/lib/registry -v /registry-auth/auth/:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry_htpasswd" --name registry registry
6364cb3f0653ce4a89a59c6a54c322136874e4c4598e90f49dfe57575dad7869
[root@localhost registry-auth]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6364cb3f0653 registry "/entrypoint.sh /etc..." 1 second ago Up 1 second 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry
# the host image directory is still empty because nothing has been pushed yet
[root@localhost registry-auth]# ll registry/
total 0
# pushing without credentials is refused
[root@localhost registry-auth]# docker push 192.168.168.101:5000/test-nginx:1.14-alpine
The push refers to repository [192.168.168.101:5000/test-nginx]
076c58d2644f: Preparing
b2cbae4b8c15: Preparing
5ac9a5170bf2: Preparing
a464c54f93a9: Preparing
no basic auth credentials
# log in
[root@localhost registry-auth]# docker login 192.168.168.101:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
# a successful login writes the credential file; the "auth" value is only base64(user:password), not encrypted
[root@localhost registry-auth]# cat /root/.docker/config.json
{
  "auths": {
    "192.168.168.101:5000": {
      "auth": "YWRtaW46YWRtaW4="
    }
  }
}
# the push now succeeds
[root@localhost registry-auth]# docker push 192.168.168.101:5000/test-nginx:1.14-alpine
The push refers to repository [192.168.168.101:5000/test-nginx]
076c58d2644f: Pushed
b2cbae4b8c15: Pushed
5ac9a5170bf2: Pushed
a464c54f93a9: Pushed
1.14-alpine: digest: sha256:a3a0c4126587884f8d3090efca87f5af075d7e7ac8308cffc09a5a082d5f4760 size: 1153
[root@localhost registry-auth]# ll registry/
total 0
drwxr-xr-x 3 root root 22 Nov 5 19:04 docker
```
Because this registry is still listed under insecure-registries and terminates no TLS, the Basic credentials cross the network in cleartext on every request. htpasswd authentication only achieves something together with TLS on the registry or on a reverse proxy in front of it.
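The two files touched in this section, /etc/docker/daemon.json on the daemon side and /root/.docker/config.json on the client side, are what a reviewer of a host would read first. The following added example (mine, not Docker's code) audits both: it decodes every inline `auth` entry to show that the stored credential is recoverable, lists the registries the daemon will talk to without TLS verification, and flags the combination. The JSON below is constructed from the values shown on this page; on a real host pass the file contents instead.

```python
"""Audit Docker client credentials and daemon registry settings.

Added example, not code from the page or from Docker. The two JSON documents
are constructed samples built from the values shown in this chapter.
"""
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample of /etc/docker/daemon.json (values from the page).
DAEMON_JSON = """{
  "registry-mirrors": ["https://docker.m.daocloud.io"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries": ["192.168.168.101:5000"]
}"""

# Constructed sample of ~/.docker/config.json (the two "auth" blobs from the page).
CLIENT_CONFIG_JSON = """{
  "auths": {
    "192.168.168.101:5000": {"auth": "YWRtaW46YWRtaW4="},
    "reg.jungle.com":       {"auth": "YWRtaW46MTIzNDU2"}
  }
}"""


def decode_auths(config_json: str) -> Dict[str, Tuple[str, str]]:
    """Return {registry: (user, password)} for every inline "auth" entry.

    The "auth" field is base64(user:password) and nothing more, which is what
    the `docker login` warning refers to. Entries managed by a credential helper
    (credsStore / credHelpers) carry no inline "auth" and are skipped here.
    """
    cfg = json.loads(config_json)
    found: Dict[str, Tuple[str, str]] = {}
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue
        user, _, password = base64.b64decode(blob).decode().partition(":")
        found[registry] = (user, password)
    return found


def insecure_registries(daemon_json: str) -> List[str]:
    """Registries the daemon will use over plain HTTP or with an unverified certificate."""
    return list(json.loads(daemon_json).get("insecure-registries", []))


def audit(daemon_json: str, config_json: str) -> List[str]:
    """Findings a practitioner would raise about this host's registry setup."""
    findings: List[str] = []
    insecure = set(insecure_registries(daemon_json))
    for reg in sorted(insecure):
        findings.append(f"{reg}: listed in insecure-registries; pulls and pushes are not "
                        "protected by TLS, so image content can be altered in transit")
    for reg, (user, _password) in decode_auths(config_json).items():
        findings.append(f"{reg}: credentials for '{user}' stored base64-encoded "
                        "(recoverable) in config.json; configure a credential helper")
        if reg in insecure:
            findings.append(f"{reg}: those credentials are sent as HTTP Basic in "
                            "plaintext because the registry is marked insecure")
    return findings


if __name__ == "__main__":
    for line in audit(DAEMON_JSON, CLIENT_CONFIG_JSON):
        print("-", line)
```

Run it against the real files with `audit(open("/etc/docker/daemon.json").read(), open("/root/.docker/config.json").read())`; an empty result for a host means no inline credentials and no insecure registries, which is the state to aim for outside a lab.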
```bash
# pull the image from node02
[root@node02 ~]# cat /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.168.101:5000"]
}
[root@node02 ~]# systemctl restart docker
# pulling without credentials is refused
[root@node02 ~]# docker pull 192.168.168.101:5000/test-nginx:1.14-alpine
Error response from daemon: Head "http://192.168.168.101:5000/v2/test-nginx/manifests/1.14-alpine": no basic auth credentials
# log in
[root@node02 ~]# docker login 192.168.168.101:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
# pull the image
[root@node02 ~]# docker pull 192.168.168.101:5000/test-nginx:1.14-alpine
[root@node02 ~]# docker image ls 192.168.168.101:5000/test-nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.168.101:5000/test-nginx 1.14-alpine 8a2fb25a19f5 5 years ago 16MB
# run the image
[root@node02 ~]# docker run -it --rm 192.168.168.101:5000/test-nginx:1.14-alpine /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:0a:0a:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.2/24 brd 10.10.0.255 scope global eth0
       valid_lft forever preferred_lft forever
```
7.4 Installing the Harbor private registry
7.4.1 About Harbor
Harbor is an enterprise-grade registry server for storing and distributing Docker images, open-sourced by VMware. It wraps the Docker Registry v2 (the open-source Distribution project) and adds the features an enterprise needs, such as access control, identity integration and management, so that a user can stand up an enterprise-class registry quickly.
VMware's open-source projects: https://github.com/vmware/
Harbor on GitHub: https://github.com/goharbor/harbor
Harbor website: https://goharbor.io/
Harbor features:
- Role-based access control: a user can hold different permissions on different repositories within one namespace (project).
- Image replication: images can be replicated (synchronised) between registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud deployments.
- Graphical user interface: users browse and search the registry and manage projects and namespaces from a browser.
- AD/LDAP: Harbor integrates with an existing corporate AD/LDAP for authentication and authorisation.
- Audit management: every operation on the registry can be recorded and traced for auditing.
- Internationalisation: localised into English, Chinese, German, Japanese and Russian, with more languages to come.
- RESTful API: gives administrators more control over Harbor and eases integration with other management software.
- Simple deployment: online and offline installers are provided.
7.4.2 Installing Harbor
Download: https://github.com/goharbor/harbor/releases
```bash
[root@localhost ~]# cd /opt/
[root@localhost opt]# ll -h harbor-offline-installer-v2.11.1.tgz
-rw-r--r-- 1 root root 628M Nov 7 15:24 harbor-offline-installer-v2.11.1.tgz
[root@localhost opt]# tar xvf harbor-offline-installer-v2.11.1.tgz -C /usr/local/
[root@localhost opt]# cd /usr/local/harbor/
[root@localhost harbor]# ll
total 646848
-rw-r--r-- 1 root root 3646 Aug 15 18:07 common.sh
-rw-r--r-- 1 root root 662330539 Aug 15 18:07 harbor.v2.11.1.tar.gz
-rw-r--r-- 1 root root 14270 Aug 15 18:07 harbor.yml.tmpl
-rwxr-xr-x 1 root root 1975 Aug 15 18:07 install.sh
-rw-r--r-- 1 root root 11347 Aug 15 18:07 LICENSE
-rwxr-xr-x 1 root root 1882 Aug 15 18:07 prepare
```
(1) Configuring Harbor to serve over HTTP
```bash
# edit the registry configuration file
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# vim harbor.yml
# the registry's hostname (domain name)
hostname: reg.jungle.com
# serve over HTTP
http:
  port: 80
# comment out the HTTPS block
#https:
#  # https port for harbor, default is 443
#  port: 443
#  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
# password of the registry's admin account; it is only used on first start, so change it in the UI afterwards
harbor_admin_password: 123456
# default data directory; a dedicated partition can be mounted here to hold the image data
data_volume: /data
```
```bash
# the data directory does not exist yet; it is created when the registry is first run
[root@localhost harbor]# ll /data
ls: cannot access '/data': No such file or directory
# run the installer script
[root@localhost harbor]# ./install.sh
# the data directory now contains the following
[root@localhost harbor]# ll /data/
total 0
drwxr-xr-x. 2 10000 10000 6 Nov 7 15:51 ca_download
drwx------. 3 systemd-coredump input 18 Nov 7 15:51 database
drwxr-xr-x. 2 10000 10000 6 Nov 7 15:51 job_logs
drwxr-xr-x. 2 systemd-coredump input 6 Nov 7 15:51 redis
drwxr-xr-x. 2 10000 10000 6 Nov 7 15:51 registry
drwxr-xr-x. 5 root root 46 Nov 7 15:51 secret
# the registry's containers
[root@localhost harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
447e2c4af6a4 goharbor/harbor-jobservice:v2.11.1 "/harbor/entrypoint...." 48 seconds ago Up 42 seconds (healthy) harbor-jobservice
2f061c322f76 goharbor/nginx-photon:v2.11.1 "nginx -g 'daemon of..." 48 seconds ago Up 46 seconds (healthy) 0.0.0.0:80->8080/tcp, [::]:80->8080/tcp nginx
3d3534cea04a goharbor/harbor-core:v2.11.1 "/harbor/entrypoint...." 48 seconds ago Up 46 seconds (healthy) harbor-core
2fa54b9c5c18 goharbor/harbor-registryctl:v2.11.1 "/home/harbor/start...." 48 seconds ago Up 47 seconds (healthy) registryctl
2285a5756805 goharbor/redis-photon:v2.11.1 "redis-server /etc/r..." 48 seconds ago Up 47 seconds (healthy) redis
3262282e8161 goharbor/harbor-portal:v2.11.1 "nginx -g 'daemon of..." 48 seconds ago Up 47 seconds (healthy) harbor-portal
436b23b2fbc9 goharbor/registry-photon:v2.11.1 "/home/harbor/entryp..." 48 seconds ago Up 47 seconds (healthy) registry
32b18cca200f goharbor/harbor-db:v2.11.1 "/docker-entrypoint...." 48 seconds ago Up 47 seconds (healthy) harbor-db
13653c09d87f goharbor/harbor-log:v2.11.1 "/bin/sh -c /usr/loc..." 48 seconds ago Up 47 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log
```
Add a hosts entry for reg.jungle.com on the Windows client and open the name in a browser, then log in as admin with the password set in harbor.yml (the original shows the login page and the dashboard after login as screenshots). Over HTTP this password, and every `docker login` that follows, crosses the network in cleartext, which is why the HTTPS setup in (2) is the one to use outside a lab.
Pushing an image to the registry
```bash
# mark the registry as insecure so the daemon accepts plain HTTP from it. Do not also list it under
# insecure-registries in /etc/docker/daemon.json: dockerd refuses to start when the same option is given
# both as a flag and in the configuration file. (Editing the packaged unit file is also lost on upgrade;
# a systemd drop-in or daemon.json is the durable place for this setting.)
[root@localhost ~]# grep insecure /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry reg.jungle.com
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
# restart the registry, since restarting the daemon stopped its containers
[root@localhost harbor]# docker compose stop
WARN[0000] /usr/local/harbor/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Stopping 9/9
✔ Container nginx Stopped 0.0s
✔ Container registryctl Stopped 0.0s
✔ Container harbor-jobservice Stopped 0.0s
✔ Container harbor-portal Stopped 0.0s
✔ Container harbor-core Stopped 0.0s
✔ Container harbor-db Stopped 0.1s
✔ Container registry Stopped 0.0s
✔ Container redis Stopped 0.0s
✔ Container harbor-log Stopped 10.2s
[root@localhost harbor]# docker compose start
WARN[0000] /usr/local/harbor/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 9/9
✔ Container harbor-log Started 0.2s
✔ Container registryctl Started 0.6s
✔ Container registry Started 0.5s
✔ Container redis Started 0.5s
✔ Container harbor-portal Started 0.5s
✔ Container harbor-db Started 0.5s
✔ Container harbor-core Started 0.2s
✔ Container harbor-jobservice Started 0.7s
✔ Container nginx Started 0.7s
# re-tag the image
[root@localhost harbor]# docker tag nginx:1.27.2 reg.jungle.com/library/testnginx:1.27.2
# the push fails: pushing requires an authenticated user with push rights on the project
[root@localhost harbor]# docker push reg.jungle.com/library/testnginx:1.27.2
The push refers to repository [reg.jungle.com/library/testnginx]
825fb68b6033: Preparing
7619c0ba3c92: Preparing
1c1f11fd65d6: Preparing
6b133b4de5e6: Preparing
3d07a4a7eb2a: Preparing
756474215d29: Waiting
8d853c8add5d: Waiting
unauthorized: unauthorized to access repository: library/testnginx, action: push: unauthorized to access repository: library/testnginx, action: push
# log in
[root@localhost harbor]# docker login reg.jungle.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
# after logging in, push again
[root@localhost harbor]# docker push reg.jungle.com/library/testnginx:1.27.2
The push refers to repository [reg.jungle.com/library/testnginx]
825fb68b6033: Pushed
7619c0ba3c92: Pushed
1c1f11fd65d6: Pushed
6b133b4de5e6: Pushed
3d07a4a7eb2a: Pushed
756474215d29: Pushed
8d853c8add5d: Pushed
1.27.2: digest: sha256:719b34dba7bd01c795f94b3a6f3a5f1fe7d53bf09e79e355168a17d2e2949cef size: 1778
```
The image is now listed in the web UI.
Public project: pulling does not require a login, pushing does. The default `library` project is public, which is why only the push above needed credentials.
Private project: both pulling and pushing require a login.
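The `no basic auth credentials` error from the plain registry and the `unauthorized ... action: push` error from Harbor are both the client's reaction to a 401 response carrying a `WWW-Authenticate` challenge, and the two registries use different schemes: the htpasswd registry answers with `Basic`, Harbor with `Bearer` and a token service that grants only the actions the user may perform on the named repository. The following added example (mine, not Docker's or Harbor's code) parses both challenge forms and works out what the client must send back. The challenge strings are constructed samples: the realm of the Basic challenge is the value set in REGISTRY_AUTH_HTPASSWD_REALM above, while Harbor's realm URL and service name are assumptions made for illustration.

```python
"""Decode a registry v2 authentication challenge and build the client's reply.

Added example, not code from Docker or Harbor. The challenge strings are
constructed; Harbor's realm URL and service name below are assumed.
"""
import base64
import re
from typing import Dict, List, Tuple
from urllib.parse import urlencode

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed samples of the WWW-Authenticate header each registry returns on 401.
BASIC_CHALLENGE = 'Basic realm="Registry Realm"'
BEARER_CHALLENGE = ('Bearer realm="https://reg.jungle.com/service/token",'   # assumed realm URL
                    'service="harbor-registry",'                               # assumed service name
                    'scope="repository:library/testnginx:pull,push"')          # what a push asks for


def parse_challenge(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a WWW-Authenticate value into its scheme and key="value" parameters."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme, dict(_PARAM_RE.findall(rest))


def basic_header(user: str, password: str) -> str:
    """The Authorization value `docker login` stores and replays for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def token_request_url(params: Dict[str, str]) -> str:
    """URL the client fetches (sending Basic credentials) to obtain a bearer token."""
    query = {k: params[k] for k in ("service", "scope") if k in params}
    return f"{params['realm']}?{urlencode(query)}"


def scope_actions(params: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Decode scope="repository:<name>:<actions>" into (repository, [actions]) pairs."""
    out: List[Tuple[str, List[str]]] = []
    for item in params.get("scope", "").split(" "):
        if not item:
            continue
        kind, name, actions = item.split(":", 2)
        if kind == "repository":
            out.append((name, actions.split(",")))
    return out


def respond(header: str, user: str, password: str) -> Dict[str, str]:
    """Return the next step for the challenge.

    Basic: retry the request with the credential attached.
    Bearer: fetch a token from the realm; the token only carries the actions the
    user is granted on that repository, so an anonymous client can pull from a
    public project but a push still fails with 'unauthorized ... action: push'.
    """
    scheme, params = parse_challenge(header)
    if scheme == "Basic":
        return {"retry_with": basic_header(user, password)}
    if scheme == "Bearer":
        requested = ";".join(f"{name}:{','.join(acts)}" for name, acts in scope_actions(params))
        return {"token_url": token_request_url(params),
                "token_auth": basic_header(user, password),
                "requested": requested}
    raise ValueError(f"unsupported auth scheme: {scheme}")


if __name__ == "__main__":
    print(respond(BASIC_CHALLENGE, "admin", "admin"))
    print(respond(BEARER_CHALLENGE, "admin", "123456"))
```

The value in `retry_with` / `token_auth` is exactly the `auth` blob seen in config.json above, which is the concrete reason the client cannot store anything stronger than base64 for Basic-auth registries: it has to replay the password itself.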
```bash
# pull the image from another host; library is a public project, so no login is needed
[root@node01 ~]# docker pull reg.jungle.com/library/testnginx:1.27.2
1.27.2: Pulling from library/testnginx
302e3ee49805: Pull complete
d07412f52e9d: Pull complete
9ab66c386e9c: Pull complete
4b563e5e980a: Pull complete
55af3c8febf2: Pull complete
5b8e768fb22d: Pull complete
85177e2c6f39: Pull complete
Digest: sha256:719b34dba7bd01c795f94b3a6f3a5f1fe7d53bf09e79e355168a17d2e2949cef
Status: Downloaded newer image for reg.jungle.com/library/testnginx:1.27.2
reg.jungle.com/library/testnginx:1.27.2
```
Create a private project named private in the web UI (screenshot in the original).
```bash
# the earlier login to this registry is still recorded
[root@localhost harbor]# cat /root/.docker/config.json
{
  "auths": {
    "reg.jungle.com": {
      "auth": "YWRtaW46MTIzNDU2"
    }
  }
}
# while logged in, push an image into the private project
[root@localhost harbor]# docker tag busybox:latest reg.jungle.com/private/testbusybox:latest
[root@localhost harbor]# docker push reg.jungle.com/private/testbusybox:latest
The push refers to repository [reg.jungle.com/private/testbusybox]
49b3a50a2039: Pushed
latest: digest: sha256:401719cc3ec67aedaedfed7fb304e97fb605bdcfae29972eaeb59a98708fe066 size: 527
```
```bash
# pulling from node01 without logging in fails
[root@node01 dockerimages]# docker pull reg.jungle.com/private/testbusybox:latest
Error response from daemon: unauthorized: unauthorized to access repository: private/testbusybox, action: pull: unauthorized to access repository: private/testbusybox, action: pull
# after logging in the pull succeeds
[root@node01 dockerimages]# docker login reg.jungle.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
[root@node01 dockerimages]# docker pull reg.jungle.com/private/testbusybox:latest
latest: Pulling from private/testbusybox
Digest: sha256:401719cc3ec67aedaedfed7fb304e97fb605bdcfae29972eaeb59a98708fe066
Status: Downloaded newer image for reg.jungle.com/private/testbusybox:latest
reg.jungle.com/private/testbusybox:latest
```
Enabling the vulnerability scanner: Trivy is not installed by default and has to be switched on explicitly.
```bash
# for a fresh install run ./install.sh --with-trivy; on an existing install regenerate the compose file with ./prepare --with-trivy
[root@localhost harbor]# ./prepare --with-trivy
# recreate the stack: prepare added a trivy service to docker-compose.yml, and `docker compose start` only
# restarts containers that already exist, so the stack has to be brought down and up again
[root@localhost harbor]# docker compose down
[root@localhost harbor]# docker compose up -d
```
The original shows the scanner page for Harbor v1.10.19 and for Harbor v2.11.1 as screenshots; once the trivy container is up, the scanner is listed in the web UI and images in each project can be scanned on push or on demand.
(2) Configuring Harbor to serve over HTTPS
```bash
[root@localhost harbor]# mkdir /data/ssl -p
# create the CA key and a self-signed CA certificate
[root@localhost data]# cd ssl/
[root@localhost ssl]# openssl genrsa -out ca.key 4096
[root@localhost ssl]# openssl req -x509 -new -sha512 -days 3650 -subj "/C=CN/ST=shaanxi/L=xi'an/O=jungle/OU=jungleCA/CN=jungle.com" -key ca.key -out ca.crt
[root@localhost ssl]# ll
total 8
-rw-r--r--. 1 root root 2033 Nov 11 14:30 ca.crt
-rw-------. 1 root root 3272 Nov 11 14:30 ca.key
# create the server key and a CA-signed server certificate
# server private key
[root@localhost ssl]# openssl genrsa -out jungle.key 4096
# certificate signing request
[root@localhost ssl]# openssl req -sha512 -new -subj "/C=CN/ST=shaanxi/L=xi'an/O=jungle/OU=jungle/CN=reg.jungle.com" -key jungle.key -out jungle.csr
# sign it with the CA. The v3 extensions matter: the Docker client (written in Go) checks the hostname against
# subjectAltName only, so a certificate with a CN but no SAN is rejected
[root@localhost ssl]# cat v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=reg.jungle.com
[root@localhost ssl]# openssl x509 -req -sha512 -in jungle.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile v3.ext -out jungle.crt
Certificate request self-signature ok
subject=C = CN, ST = shaanxi, L = xi'an, O = jungle, OU = jungle, CN = reg.jungle.com
# ca.key can now sign certificates for any name; once jungle.crt is issued, move it off the registry host
[root@localhost ssl]# cd /usr/local/harbor/
[root@localhost harbor]# ll
total 646848
-rw-r--r--. 1 root root 3646 Aug 15 18:07 common.sh
-rw-r--r--. 1 root root 662330539 Aug 15 18:07 harbor.v2.11.1.tar.gz
-rw-r--r--. 1 root root 14270 Aug 15 18:07 harbor.yml.tmpl
-rwxr-xr-x. 1 root root 1975 Aug 15 18:07 install.sh
-rw-r--r--. 1 root root 11347 Aug 15 18:07 LICENSE
-rwxr-xr-x. 1 root root 1882 Aug 15 18:07 prepare
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
# change the following settings in the configuration file
[root@localhost harbor]# vim harbor.yml
hostname: reg.jungle.com
https:
  port: 443
  certificate: /data/ssl/jungle.crt
  private_key: /data/ssl/jungle.key
harbor_admin_password: 123456
# install the registry
[root@localhost harbor]# ./install.sh
############ alternatively, a single self-signed certificate with no separate CA ######
# the SAN is added with --addext (OpenSSL 1.1.1 or later); clients then have to trust jungle.crt itself
# by placing it under /etc/docker/certs.d/reg.jungle.com/
[root@localhost ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout jungle.key -x509 -days 365 -subj "/C=CN/ST=shaanxi/L=xi'an/O=jungle/OU=jungleCA/CN=reg.jungle.com" --addext "subjectAltName = DNS:reg.jungle.com" -out jungle.crt
##############################################################
```
Configure name resolution for reg.jungle.com and open the UI over HTTPS (screenshot in the original).
Create a public project named testpublic and push to it
```bash
# re-tag the image for the new project
[root@localhost harbor]# docker tag nginx:1.27.2 reg.jungle.com/testpublic/testnginx:1.27.2
# log in first
[root@localhost harbor]# docker login reg.jungle.com
Username: admin
Password:
Error response from daemon: Get "https://reg.jungle.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
# the Docker client must trust the CA: put ca.crt under /etc/docker/certs.d/<registry hostname>/; the daemon
# reads that directory per request, so no restart is needed
[root@localhost harbor]# mkdir /etc/docker/certs.d/reg.jungle.com -p
[root@localhost harbor]# cp /data/ssl/ca.crt /etc/docker/certs.d/reg.jungle.com/
# log in again
[root@localhost harbor]# docker login reg.jungle.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
# push the image
[root@localhost harbor]# docker push reg.jungle.com/testpublic/testnginx:1.27.2
```
Every host that pulls from this registry needs the same ca.crt under /etc/docker/certs.d/reg.jungle.com/. Adding reg.jungle.com to insecure-registries instead would make the login work too, but it discards the certificate check the CA was created for.
7.5 Configuring Harbor for high availability
(1) Shared-storage design
Several Harbor instances share one storage backend (together with one database and Redis), and a load balancer spreads requests over them.
(2) Replication-based design
Each Harbor instance keeps its own storage and Harbor's native remote replication keeps the image content consistent; a load balancer presents the instances as a single Harbor service. Only artifacts are replicated: users, robot accounts, project settings and scan results live in each instance's own database and have to be kept in step separately.
The following demonstrates the replication-based design.
```bash
# first Harbor instance: change the configuration of the instance set up earlier and reinstall
hostname: 192.168.168.31
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
#https:
#  port: 443
#  certificate: /data/ssl/jungle.crt
#  private_key: /data/ssl/jungle.key
harbor_admin_password: 123456
[root@localhost harbor]# ./install.sh
# second Harbor instance
[root@localhost yum.repos.d]# yum install docker-ce -y
[root@localhost harbor]# systemctl start docker
# copy the Harbor installer from the first instance to the second
[root@localhost opt]# scp /opt/harbor-offline-installer-v2.11.1.tgz root@192.168.168.101:/opt
# unpack it
[root@localhost opt]# tar xvf /opt/harbor-offline-installer-v2.11.1.tgz -C /usr/local/
# copy the first instance's harbor.yml to the second
[root@localhost harbor]# scp /usr/local/harbor/harbor.yml root@192.168.168.101:/usr/local/harbor/
# comment out the https block in that file; hostname should also be set to this instance's own address
# (192.168.168.101), since Harbor derives the URL of its token service from it
[root@localhost harbor]# vim harbor.yml
#https:
#  port: 443
#  certificate: /data/ssl/jungle.crt
#  private_key: /data/ssl/jungle.key
# install Harbor
[root@localhost harbor]# ./install.sh
```
Create a public project named testcontainers on 192.168.168.31.
Create a project named testcontainers on 192.168.168.101 as well.
Create a replication rule on the first Harbor instance (screenshots in the original).
```bash
# test: after pushing to 192.168.168.101 the image is replicated to 192.168.168.31
# allow the daemon to talk to both registries over HTTP (--insecure-registry accepts a CIDR, so the whole subnet is listed here)
[root@master0101 yum.repos.d]# grep insecure /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.168.0/24
[root@master0101 yum.repos.d]# systemctl start docker
# tag
[root@master0101 yum.repos.d]# docker tag nginx:1.27.2 192.168.168.101/testcontainers/testnginx:1.27.2
[root@master0101 yum.repos.d]# docker login 192.168.168.101
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
[root@master0101 yum.repos.d]# docker push 192.168.168.101/testcontainers/testnginx:1.27.2
The push refers to repository [192.168.168.101/testcontainers/testnginx]
825fb68b6033: Pushed
7619c0ba3c92: Pushed
1c1f11fd65d6: Pushed
6b133b4de5e6: Pushed
3d07a4a7eb2a: Pushed
756474215d29: Pushed
8d853c8add5d: Pushed
1.27.2: digest: sha256:719b34dba7bd01c795f94b3a6f3a5f1fe7d53bf09e79e355168a17d2e2949cef size: 1778
```
The replication log on 192.168.168.101 shows the image being synchronised to 192.168.168.31 (screenshot in the original).
The image is listed on 192.168.168.101, where it was pushed.
The same image is also present on 192.168.168.31.
Now configure a replication rule on the second instance
```bash
# test
[root@master0101 opt]# docker tag busybox:latest 192.168.168.31/testcontainers/testbusybox:latest
[root@master0101 opt]# docker login 192.168.168.31
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
[root@master0101 opt]# docker push 192.168.168.31/testcontainers/testbusybox
Using default tag: latest
The push refers to repository [192.168.168.31/testcontainers/testbusybox]
49b3a50a2039: Pushed
latest: digest: sha256:401719cc3ec67aedaedfed7fb304e97fb605bdcfae29972eaeb59a98708fe066 size: 527
```
On 192.168.168.31 the replication completes successfully (screenshot in the original).
The image is also visible on 192.168.168.101.
For a deletion on one instance to be propagated to the other, enable the "delete remote resources when locally deleted" option in the replication rule (screenshot in the original). Keep in mind that this also propagates a mistaken or malicious delete, so a replica configured this way is not a backup:
Delete the image on one instance; the replication log records the deletion (screenshot in the original).
The image has been removed from 192.168.168.101 as well.
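Checking the two UIs by eye confirms that a tag exists on both sides, not that it points at the same content. The digests printed by the pushes above are the values to compare, because a tag can be re-pushed on one instance while the replica still carries the old content. The following added example (mine, not Harbor's code or API client) does that comparison over constructed tag-to-digest maps built from the digests shown on this page; on real instances the maps would be filled from each side's tag list and manifest HEAD responses.

```python
"""Verify that two Harbor instances hold the same images after replication.

Added example, not Harbor's code. PRIMARY and REPLICA are constructed samples
whose digests are the ones printed by the pushes in this chapter; the replica
is deliberately given one missing tag and one stale digest.
"""
import hashlib
from typing import Dict, List, Tuple

Catalog = Dict[str, Dict[str, str]]   # repository -> {tag: manifest digest}

PRIMARY: Catalog = {
    "testcontainers/testnginx":   {"1.27.2": "sha256:719b34dba7bd01c795f94b3a6f3a5f1fe7d53bf09e79e355168a17d2e2949cef"},
    "testcontainers/testbusybox": {"latest": "sha256:401719cc3ec67aedaedfed7fb304e97fb605bdcfae29972eaeb59a98708fe066"},
    "testcontainers/alpine":      {"latest": "sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f"},
}
REPLICA: Catalog = {
    "testcontainers/testnginx":   {"1.27.2": "sha256:719b34dba7bd01c795f94b3a6f3a5f1fe7d53bf09e79e355168a17d2e2949cef"},
    # stale: same tag, different content (constructed digest)
    "testcontainers/testbusybox": {"latest": "sha256:" + "0" * 64},
    # testcontainers/alpine has not been replicated at all
}


def manifest_digest(manifest_bytes: bytes) -> str:
    """The digest `docker push` prints is sha256 over the exact manifest bytes.

    This is what makes the comparison meaningful: equal digests on two
    registries mean byte-identical manifests, and therefore identical layers.
    """
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def diff_catalogs(primary: Catalog, replica: Catalog) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every (repository, tag) on the primary against the replica."""
    report: Dict[str, List[Tuple[str, str]]] = {"ok": [], "missing": [], "mismatch": []}
    for repo, tags in primary.items():
        for tag, digest in tags.items():
            other = replica.get(repo, {}).get(tag)
            if other is None:
                report["missing"].append((repo, tag))
            elif other != digest:
                report["mismatch"].append((repo, tag))
            else:
                report["ok"].append((repo, tag))
    return report


def in_sync(primary: Catalog, replica: Catalog) -> bool:
    """True only when every primary tag exists on the replica with the same digest."""
    report = diff_catalogs(primary, replica)
    return not report["missing"] and not report["mismatch"]


if __name__ == "__main__":
    for state, items in diff_catalogs(PRIMARY, REPLICA).items():
        for repo, tag in items:
            print(f"{state:9} {repo}:{tag}")
```

A mismatch after replication has finished is the case to investigate: either the rule filters that tag, or the tag was re-pushed on one side and the other still serves the old content.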
Configuring load balancing
```bash
[root@master0101 ~]# yum install haproxy -y
[root@master0101 ~]# cat /etc/haproxy/conf.d/harbor.cfg
listen harbor_port_80
  bind 192.168.168.34:80
  mode tcp
  balance source
  server 192.168.168.31 192.168.168.31:80 check inter 30s fall 3 rise 5
  server 192.168.168.101 192.168.168.101:80 check inter 30s fall 3 rise 5
[root@master0101 ~]# systemctl restart haproxy
```
`balance source` keeps one client on one backend, which matters here because the two instances share neither sessions nor a database. The TCP-mode check only verifies that port 80 accepts connections; a Harbor whose core or database container is unhealthy still passes it, so a layer-7 check against Harbor's health endpoint is preferable in production.
```bash
# test through the load balancer address
[root@master0101 ~]# docker login 192.168.168.34
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
[root@master0101 opt]# docker tag alpine:latest 192.168.168.34/testcontainers/alpine:latest
[root@master0101 opt]# docker push 192.168.168.34/testcontainers/alpine:latest
The push refers to repository [192.168.168.34/testcontainers/alpine]
03901b4a2ea8: Pushed
latest: digest: sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f size: 528
```
Refresh both UIs: the image is present on 192.168.168.31 and on 192.168.168.101.
```bash
# test pulling through the load balancer
[root@master0101 opt]# docker pull 192.168.168.34/testcontainers/testnginx:1.27.2
1.27.2: Pulling from testcontainers/testnginx
Digest: sha256:719b34dba7bd01c795f94b3a6f3a5f1fe7d53bf09e79e355168a17d2e2949cef
Status: Downloaded newer image for 192.168.168.34/testcontainers/testnginx:1.27.2
192.168.168.34/testcontainers/testnginx:1.27.2
```
```bash
# push and pull through the domain name, which resolves to the load balancer
[root@master0101 opt]# tail -1 /etc/hosts
192.168.168.34 reg.jungle.com
[root@master0101 opt]# docker pull reg.jungle.com/testcontainers/testbusybox:latest
[root@master0101 opt]# docker image ls reg.jungle.com/testcontainers/testbusybox
REPOSITORY TAG IMAGE ID CREATED SIZE
reg.jungle.com/testcontainers/testbusybox latest 6fd955f66c23 18 months ago 4.26MB
[root@master0101 opt]# docker tag alpine:latest reg.jungle.com/testcontainers/testalpine:latest
[root@master0101 opt]# docker push reg.jungle.com/testcontainers/testalpine:latest
The push refers to repository [reg.jungle.com/testcontainers/testalpine]
03901b4a2ea8: Pushed
latest: digest: sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f size: 528
```
Check in the browser that the push succeeded.