Container series: private registries
1. Docker private registries
Scenario: the drawback of using an internet registry is that pushing and pulling images is never very fast. In production you may be running tens or hundreds of these operations in parallel, or far more, and the docker host often does not have the image locally at all; downloading it over the internet is slow, and with limited bandwidth a container can take ten-odd minutes before it is up and usable. In many cases you therefore want to build your own private registry.
2. Docker Registry categories
A Registry stores docker images, including the image layer hierarchy and metadata.
Users can run their own Registry or use the official Docker Hub.
Categories:
- Sponsor Registry: a third-party registry for customers and the Docker community
- Mirror Registry: a third-party registry restricted to customers only
- Vendor Registry: a registry provided by vendors that ship Docker distributions
- Private Registry: a registry run by a private entity behind a firewall and security layer
Note: a self-hosted registry is best placed on the same LAN as the production environment; that is what makes it fast. If production is in your own server room, put the registry there; if it is on Alibaba Cloud, register an account there and use its registry directly.
3. docker-distribution
Overview: docker-distribution lets you create a private registry quickly, and it can itself run in a container (any program can, except the kernel); Docker officially ships the registry as an image.
The registry's main job is to host images. Because the registry itself runs in a container, it has a lifecycle: if clients upload images to the registry and the container is then terminated, those images are gone too. Images should therefore be stored on a volume, preferably not on the docker host's local disk but on network storage; in this write-up the image files still live in a locally managed volume on the docker host.
[root@node1 ~]# yum info docker-registry
Name        : docker-registry
Arch        : x86_64
Version     : 0.9.1
Release     : 7.el7
Size        : 123 k
Repo        : extras/7/x86_64
Summary     : Registry server for Docker
URL         : https://github.com/docker/docker-registry
License     : ASL 2.0
Description : Registry server for Docker (hosting/delivering of repositories and images).
[root@node1 ~]# yum install docker-registry
docker-distribution x86_64 2.6.2-2.git48294d9.el7    # the package that actually gets installed
[root@node1 ~]# rpm -ql docker-distribution
/etc/docker-distribution/registry/config.yml            # configuration file
/usr/bin/registry                                       # main binary
/usr/lib/systemd/system/docker-distribution.service     # service unit
/usr/share/doc/docker-distribution-2.6.2
/usr/share/doc/docker-distribution-2.6.2/AUTHORS
/usr/share/doc/docker-distribution-2.6.2/CONTRIBUTING.md
/usr/share/doc/docker-distribution-2.6.2/LICENSE
/usr/share/doc/docker-distribution-2.6.2/MAINTAINERS
/usr/share/doc/docker-distribution-2.6.2/README.md
/var/lib/registry                                       # storage path
[root@node1 ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry    ## storage path
http:
    addr: :5000    ## no IP given, so it listens on all addresses; 5000 is the port
[root@node1 ~]# systemctl start docker-distribution
[root@node1 ~]# netstat -atn|grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN
Pushing an image to the registry
First tag the image:
[root@node1 ~]# docker tag myweb:v0.3-11 node1.reid.com:5000/myweb:v0.3-11
# no user/namespace between the registry host and myweb:v0.3-11, so this is a top-level repository
[root@node1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"],
  "insecure-registries": ["node1.reid.com:5000"]
}
Note: the client has to be told this registry is insecure because docker defaults to HTTPS, so the docker client also expects HTTPS, while the local server speaks plain HTTP (image traffic to it is therefore sent unencrypted).
[root@node1 ~]# systemctl restart docker
[root@node1 ~]# ll /var/lib/registry/
total 0
[root@node1 ~]# docker push node1.reid.com:5000/myweb:v0.3-11
The push refers to repository [node1.reid.com:5000/myweb]
2ca70fe0a2b1: Pushed
00194a00096e: Pushed
9a07ffbe3d7d: Pushed
955e7d7f7300: Pushed
95bb4e754f2d: Pushed
ebf12965380b: Pushed
v0.3-11: digest: sha256:0a99db6c199627a8457ab00ea0dc227ecf69eb0ed807bb528442292e7d49f23e size: 1568
[root@node1 ~]# ll /var/lib/registry/docker/registry/v2/repositories/
total 0
drwxr-xr-x 5 root root 55 Oct  3 13:49 myweb
Pulling on another host
[root@node3 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["node1.reid.com:5000"]
}
[root@node3 ~]# systemctl restart docker
[root@node3 ~]# tail -1 /etc/hosts
192.168.56.129 node1.reid.com node1    # the registry hostname must resolve
[root@node3 ~]# docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@node3 ~]# docker pull node1.reid.com:5000/myweb:v0.3-11
v0.3-11: Pulling from myweb
c67f3896b22c: Pull complete
428de5b8d58a: Pull complete
7efd417f3e28: Pull complete
61a56b170416: Pull complete
74398042b688: Pull complete
f92ba09b8fd1: Pull complete
Digest: sha256:0a99db6c199627a8457ab00ea0dc227ecf69eb0ed807bb528442292e7d49f23e
Status: Downloaded newer image for node1.reid.com:5000/myweb:v0.3-11
[root@node3 ~]# docker image ls
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
node1.reid.com:5000/myweb   v0.3-11             006c64e4b95b        4 hours ago         17.4MB
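The daemon.json above turns off transport security in two places: the tcp://0.0.0.0:2375 listener and the insecure-registries entry. The following is an added example (not from the original post) that audits such a file and works out which image references would be pushed or pulled over an insecure channel, using docker's rule for deciding whether the first path component of a reference is a registry host. The config string is a constructed copy of the node1 daemon.json with the annotations removed.

```python
import json

# Constructed copy of the daemon.json shown above, with the inline
# annotations removed (daemon.json must be strict JSON).
DAEMON_JSON = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
  "insecure-registries": ["node1.reid.com:5000"]
}"""

def registry_of(ref):
    """Registry host of an image reference, or 'docker.io' for Docker Hub.
    Docker treats the first path component as a registry only when it
    contains '.' or ':' or is 'localhost'; 'myweb:v0.3-11' has no such
    component and resolves to a repository on Docker Hub."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def audit(daemon_json):
    """List settings that give up transport security."""
    cfg = json.loads(daemon_json)
    findings = []
    for h in cfg.get("hosts", []):
        # tcp:// without tlsverify is an unauthenticated remote control socket
        if h.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append("daemon API exposed without TLS: " + h)
    for r in cfg.get("insecure-registries", []):
        findings.append("plain-HTTP / untrusted-cert registry allowed: " + r)
    return findings

def plaintext_refs(daemon_json, refs):
    """Image references whose registry host is listed as insecure (exact
    string match; the daemon also accepts CIDR entries, ignored here)."""
    insecure = set(json.loads(daemon_json).get("insecure-registries", []))
    return [r for r in refs if registry_of(r) in insecure]

if __name__ == "__main__":
    for f in audit(DAEMON_JSON):
        print("WARNING:", f)
    print(plaintext_refs(DAEMON_JSON, ["myweb:v0.3-11",
          "node1.reid.com:5000/myweb:v0.3-11", "node3.reid.com/devel/myweb:v0.3-11"]))
```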
4. Harbor
Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It includes role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication, Chinese-language support and more.
Features:
- Multi-tenant content signing and verification
- Security and vulnerability analysis
- Audit logging
- Integrated authentication and role-based access control
- Extensible API and graphical interface
- Currently supports English and Chinese
Harbor depends on docker compose:
https://docs.docker.com/compose/
[root@node1 ~]# yum info docker-compose
Name        : docker-compose    # you first write a compose template; all the containers are started from that file
Arch        : noarch
Version     : 1.18.0
Release     : 1.el7
Size        : 226 k
Repo        : epel/x86_64
Summary     : Multi-container orchestration for Docker
URL         : https://github.com/docker/compose
5. Deploying Harbor
https://github.com/goharbor/harbor/releases
Download the installer package
[root@node3 ~]# wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.3.tgz
[root@node3 ~]# tar xf harbor-offline-installer-v1.5.3.tgz -C /usr/local/
Configure parameters
[root@node3 ~]# vim /usr/local/harbor/harbor.cfg
hostname = node3.reid.com
harbor_admin_password = Harbor12345
db_password = root123
Install compose
[root@node3 harbor]# yum install epel-release -y
[root@node3 harbor]# yum install docker-compose -y
Run the install script
[root@node3 ~]# cd /usr/local/harbor/
[root@node3 harbor]# ls
common                     docker-compose.yml  harbor.v1.5.3.tar.gz  NOTICE
docker-compose.clair.yml   ha                  install.sh            open_source_license
docker-compose.notary.yml  harbor.cfg          LICENSE               prepare
[root@node3 harbor]# ./install.sh
# this is fairly slow, mainly because it has to unpack harbor.v1.5.3.tar.gz, which holds the images of every container defined in docker-compose.yml (images can be bundled with docker save)
✔ ----Harbor has been installed and started successfully.----
[root@node3 harbor]# ss -tnl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      100    127.0.0.1:25                    *:*
LISTEN     0      128    127.0.0.1:1514                  *:*
LISTEN     0      128    *:111                           *:*
LISTEN     0      128    *:22                            *:*
LISTEN     0      100    ::1:25                          :::*
LISTEN     0      128    :::443                          :::*    ##
LISTEN     0      128    :::4443                         :::*    ##
LISTEN     0      128    :::111                          :::*
LISTEN     0      128    :::80                           :::*    ##
LISTEN     0      128    :::22                           :::*
Web UI operations:
Create a user
Create a target
Project management
Push method
Push test from a client
Configure the client for HTTP (insecure mode):
[root@node1 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"],
  "insecure-registries": ["node3.reid.com"]    # port 80 by default
}
[root@node1 ~]# systemctl restart docker
# tag the image so that its path matches the Harbor project
[root@node1 ~]# docker tag myweb:v0.3-11 node3.reid.com/devel/myweb:v0.3-11
Log in to Harbor:
[root@node1 ~]# tail -1 /etc/hosts
192.168.56.19 node3.reid.com
[root@node1 ~]# docker login node3.reid.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
# push
[root@node1 ~]# docker push node3.reid.com/devel/myweb
The push refers to repository [node3.reid.com/devel/myweb]
2ca70fe0a2b1: Pushed
00194a00096e: Pushed
9a07ffbe3d7d: Pushed
955e7d7f7300: Pushed
95bb4e754f2d: Pushed
ebf12965380b: Pushed
v0.3-11: digest: sha256:0a99db6c199627a8457ab00ea0dc227ecf69eb0ed807bb528442292e7d49f23e size: 1568
6. Harbor image storage
Harbor's default image storage path is /data/registry on the host, mapped to /storage inside the registry container.
This is set in docker-compose.yml and must be changed before running docker-compose up -d.
If you want to store Docker images under a different disk path, change this parameter.
[root@node3 ~]# ls -l /data/registry/docker/registry/v2/repositories/devel/
total 0
drwxr-xr-x 5 10000 10000 55 Oct  3 16:24 myweb
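Both docker-distribution (under /var/lib/registry) and Harbor (under /data/registry) use the same registry v2 on-disk layout: each tag is a link file under repositories/<repo>/_manifests/tags/<tag>/current/ holding a sha256 digest, and the manifest bytes live under blobs/sha256/<first two hex chars>/<digest>/data. The added example below (not part of the original post) walks such a tree and checks that every tag link resolves to a blob whose content still hashes to the digest in the link, which catches dangling tags and on-disk tampering; it builds a constructed tree in a temporary directory rather than reading a real host.

```python
import hashlib, os, tempfile

V2 = "docker/registry/v2"

def write_blob(root, data):
    """Store data at blobs/sha256/<xx>/<hex>/data and return its digest."""
    h = hashlib.sha256(data).hexdigest()
    d = os.path.join(root, V2, "blobs/sha256", h[:2], h)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "data"), "wb") as f:
        f.write(data)
    return "sha256:" + h

def write_tag(root, repo, tag, digest):
    """Point repositories/<repo>/_manifests/tags/<tag>/current/link at digest."""
    d = os.path.join(root, V2, "repositories", repo, "_manifests/tags", tag, "current")
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "link"), "w") as f:
        f.write(digest)

def check_tags(root):
    """Map '<repo>:<tag>' -> 'ok' | 'missing blob' | 'digest mismatch'."""
    repos = os.path.join(root, V2, "repositories")
    results = {}
    for dirpath, _, files in os.walk(repos):
        if os.path.basename(dirpath) != "current" or "link" not in files:
            continue  # skip _layers/ and _manifests/revisions/ link files
        parts = os.path.relpath(dirpath, repos).split(os.sep)
        key = "/".join(parts[:-4]) + ":" + parts[-2]  # repo may be nested, e.g. devel/myweb
        with open(os.path.join(dirpath, "link")) as f:
            algo, hexd = f.read().strip().split(":", 1)
        blob = os.path.join(root, V2, "blobs", algo, hexd[:2], hexd, "data")
        if not os.path.exists(blob):
            results[key] = "missing blob"
            continue
        with open(blob, "rb") as f:
            results[key] = "ok" if hashlib.sha256(f.read()).hexdigest() == hexd else "digest mismatch"
    return results

def demo():
    """Constructed tree: one intact tag, one dangling link, one tampered blob."""
    root = tempfile.mkdtemp()
    write_tag(root, "devel/myweb", "v0.3-11", write_blob(root, b'{"schemaVersion": 2}'))
    write_tag(root, "myweb", "dangling", "sha256:" + "0" * 64)  # blob never written
    bad = write_blob(root, b"original manifest")
    write_tag(root, "myweb", "tampered", bad)
    with open(os.path.join(root, V2, "blobs/sha256", bad[7:9], bad[7:], "data"), "wb") as f:
        f.write(b"modified on disk")  # content no longer matches the digest in the link
    return check_tags(root)
```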
Operating Harbor
[root@node3 ~]# cd /usr/local/harbor/
[root@node3 harbor]# ls    # best to work from this directory so docker-compose.yml is picked up automatically
common                    docker-compose.notary.yml  ha          harbor.v1.5.3.tar.gz  LICENSE  open_source_license
docker-compose.clair.yml  docker-compose.yml         harbor.cfg  install.sh            NOTICE   prepare
[root@node3 harbor]# docker-compose pause    # stop the harbor services
Pausing harbor-log ... done
Pausing redis ... done
Pausing harbor-db ... done
Pausing harbor-adminserver ... done
Pausing registry ... done
Pausing harbor-ui ... done
Pausing harbor-jobservice ... done
Pausing nginx ... done
[root@node3 harbor]# docker-compose unpause    # start the harbor services again
Unpausing nginx ... done
Unpausing harbor-jobservice ... done
Unpausing harbor-ui ... done
Unpausing registry ... done
Unpausing harbor-adminserver ... done
Unpausing harbor-db ... done
Unpausing redis ... done
Unpausing harbor-log ... done