Docker 学习（二）——私有仓库搭建

Docker仓库是集中存储和管理Docker镜像的平台，支持镜像的上传、下载、版本管理等功能。

一、Docker仓库分类

1.公有仓库

Docker Hub：官方默认公共仓库，提供超过10万+镜像，支持用户上传和管理镜像。

第三方平台：如阿里云ACR、腾讯云TCR等，提供镜像加速和企业级功能。

2。私有仓库

Registry：Docker官方提供的基础私有仓库工具，支持本地部署，但功能较简单。

Harbor：企业级私有仓库，支持角色权限、审计日志、镜像扫描等高级功能，适合生产环境。

3.混合仓库

云服务集成：如阿里云ACR、华为云SWR，结合公有云和私有仓库优势，提供安全托管和全球加速。

二、私有仓库的搭建

1. 使用Registry搭建基础私有仓库

1.1、新建并启动容器

[root@localhost ~]# docker run -d -p 5000:5000 registry:2    
 #会自动下载和启动一个registry容器，创建本地的私有云服务
Unable to find image 'registry:2' locally
2: Pulling from library/registry
44cf07d57ee4: Pull complete
bbbdd6c6894b: Pull complete
8e82f80af0de: Pull complete
3493bf46cdec: Pull complete
6d464ea18732: Pull complete
Digest: sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
Status: Downloaded newer image for registry:2
8fd929126d42e2be363130e8f38087f1eb627b112c164d32f4c62b422b2b5d96
[root@localhost ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
registry     2         26b2eb03618e   17 months ago   25.4MB

其中 -p 5000:5000 表示将容器的 5000 端口映射到主机的 5000 端口，用于访问私有仓库

1.2、配置Docker客户端信任私有仓库：

[root@localhost ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": [
        "https://docker.m.daocloud.io",
        "https://hub-mirror.c.163.com",
        "https://mirror.baidubce.com",
        "https://docker.nju.edu.cn"
    ],
"insecure-registries": ["192.168.8.161:5000"]
}
#insecure-registries：指定不安全的仓库地址，允许 Docker 客户端通过 HTTP 协议访问该地址

[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl enable --now docker

1.3、 标记镜像

[root@localhost ~]# docker tag registry:2 192.168.8.161:5000/registry:2
[root@localhost ~]# docker images
REPOSITORY                    TAG       IMAGE ID       CREATED         SIZE
192.168.8.161:5000/registry   2         26b2eb03618e   17 months ago   25.4MB
registry                      2         26b2eb03618e   17 months ago   25.4MB

1.4、将镜像推送到私有仓库

[root@localhost ~]# docker push 192.168.8.161:5000/registry:2
The push refers to repository [192.168.8.161:5000/registry]
53c600587fd6: Pushed
858f5c95b990: Pushed
811f3777554a: Pushed
f646c8e10325: Pushed
f44f286046d9: Pushed
2: digest: sha256:266f282fabd7cd3df053ee7c658c77b42380d44344e33d16c5a4e58d0d5a77d7 size: 1363

1.5 、查看192.168.8.161:5000中的镜像

[root@localhost ~]# curl http://192.168.8.161:5000/v2/_catalog
{"repositories":["registry"]}

1.6、用任意一台能访问到192.168.8.161地址的机器下载镜像

2. 使用Harbor搭建企业级私有仓库

1、下载最新版 Docker-Compose

curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

2、下载Harbor安装包并解压

[root@localhost ~]# tar xzf harbor-offline-installer-v2.6.1.tgz -C /usr/local
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# ls
common.sh             harbor.yml.tmpl  LICENSE
harbor.v2.6.1.tar.gz  install.sh       prepare

3、准备证书

[root@localhost ~]# mkdir /data/certs
[root@localhost ~]# openssl req -newkey rsa:4096 \
> -nodes -sha256 -keyout /data/certs/admin.org.key \
> -addext "subjectAltName = DNS:www.harbor1.com" \
> -x509 -days 365 -out /data/certs/admin.org.crt
Generating a RSA private key
..............................................++++
..................................++++
writing new private key to '/data/certs/admin.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:80
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:shewai
Organizational Unit Name (eg, section) []:xingong
Common Name (eg, your name or your server's hostname) []:jike
Email Address []:admin@qq.com

4、配置Harbor参数

[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# ls
common.sh             harbor.yml.tmpl  LICENSE
harbor.v2.6.1.tar.gz  install.sh       prepare
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# vim harbor.yml
#分别修改以下参数
hostname: www.harbor1.com
certificate: /data/certs/admin.org.crt
private_key: /data/certs/admin.org.key
harbor_admin_password: 123456

[root@localhost harbor]# ./prepare
[root@localhost harbor]# ./install.sh 
[Step 0]: checking if docker is installed ...

Note: docker version: 26.1.3

5、验证

[root@localhost ~]# echo "127.0.0.1 www.harbor1.com" >> /etc/hosts

浏览器验证（需添加本地域名映射）