Docker Basics - 09 Setting Up a Private Registry
1. Docker registry
1.1 Installing docker-registry
[root@component ~]# yum install docker-registry
软件包 docker-registry 已经被 docker-distribution 取代,改为尝试安装 docker-distribution-2.6.2-2.git48294d9.el7.x86_64
正在解决依赖关系
--> 正在检查事务
---> 软件包 docker-distribution.x86_64.0.2.6.2-2.git48294d9.el7 将被 安装
--> 解决依赖关系完成

[root@component ~]# yum info docker-registry
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
可安装的软件包
名称    :docker-registry
架构    :x86_64
版本    :0.9.1
发布    :7.el7
大小    :123 k
源      :extras/7/x86_64
简介    : Registry server for Docker
网址    :https://github.com/docker/docker-registry
协议    : ASL 2.0
描述    : Registry server for Docker (hosting/delivering of repositories and images).

[root@component ~]# yum info docker-distribution
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
已安装的软件包
名称    :docker-distribution
架构    :x86_64
版本    :2.6.2
发布    :2.git48294d9.el7
大小    :12 M
源      :installed
来自源  :extras
简介    : Docker toolset to pack, ship, store, and deliver content
网址    :https://github.com/docker/distribution
协议    : ASL 2.0
描述    : Docker toolset to pack, ship, store, and deliver content
1.2 Installed files
[root@component ~]# rpm -ql docker-distribution
/etc/docker-distribution/registry/config.yml
/usr/bin/registry
/usr/lib/systemd/system/docker-distribution.service
/usr/share/doc/docker-distribution-2.6.2
/usr/share/doc/docker-distribution-2.6.2/AUTHORS
/usr/share/doc/docker-distribution-2.6.2/CONTRIBUTING.md
/usr/share/doc/docker-distribution-2.6.2/LICENSE
/usr/share/doc/docker-distribution-2.6.2/MAINTAINERS
/usr/share/doc/docker-distribution-2.6.2/README.md
/var/lib/registry
1.3 Configuration file
[root@component ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
1.4 Starting the service
[root@component ~]# systemctl start docker-distribution
[root@component ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1339/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1094/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1339/master
tcp6       0      0 :::5000                 :::*                    LISTEN      2938/registry
tcp6       0      0 :::22                   :::*                    LISTEN      1094/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           745/chronyd
udp6       0      0 ::1:323                 :::*                                745/chronyd
[root@component ~]# systemctl status docker-distribution
● docker-distribution.service - v2 Registry server for Docker
   Loaded: loaded (/usr/lib/systemd/system/docker-distribution.service; disabled; vendor preset: disabled)
   Active: active (running) since 一 2021-11-08 22:19:11 CST; 7s ago
 Main PID: 2938 (registry)
    Tasks: 6
   Memory: 4.1M
   CGroup: /system.slice/docker-distribution.service
           └─2938 /usr/bin/registry serve /etc/docker-distribution/registry/config.yml

11月 08 22:19:11 component systemd[1]: Started v2 Registry server for Docker.
11月 08 22:19:11 component registry[2938]: time="2021-11-08T22:19:11+08:00" level=warning msg="No HTTP secret ...
11月 08 22:19:11 component registry[2938]: time="2021-11-08T22:19:11+08:00" level=info msg="redis not conf...own"
11月 08 22:19:11 component registry[2938]: time="2021-11-08T22:19:11+08:00" level=info msg="Starting uploa...own"
11月 08 22:19:11 component registry[2938]: time="2021-11-08T22:19:11+08:00" level=info msg="using inmemory...own"
11月 08 22:19:11 component registry[2938]: time="2021-11-08T22:19:11+08:00" level=info msg="listening on [...own"
Hint: Some lines were ellipsized, use -l to show in full.
1.5 Pushing an image
[root@k8s-node33 docker_build]# vi /etc/hosts
192.168.6.100 registry.kunking.com
[root@k8s-node33 docker_build]# docker tag myweb:v1.1 registry.kunking.com:5000/myweb:v1.1
[root@k8s-node33 docker_build]# docker push registry.kunking.com:5000/myweb:v1.1
The push refers to repository [registry.kunking.com:5000/myweb]
Get https://registry.kunking.com:5000/v2/: dial tcp 192.168.6.100:5000: connect: no route to host
# turn off the firewall and SELinux
[root@k8s-node33 docker_build]# docker push registry.kunking.com:5000/myweb:v1.1
The push refers to repository [registry.kunking.com:5000/myweb]
Get https://registry.kunking.com:5000/v2/: http: server gave HTTP response to HTTPS client

[root@k8s-node33 docker_build]# vi /etc/docker/daemon.json
"insecure-registries": ["registry.kunking.com:5000"],
[root@k8s-node33 docker_build]# systemctl daemon-reload
[root@k8s-node33 docker_build]# systemctl restart docker
[root@k8s-node33 docker_build]# docker push registry.kunking.com:5000/myweb:v1.1
The push refers to repository [registry.kunking.com:5000/myweb]
782c9eda94c1: Pushed
6e2a64fdd4da: Pushed
7e6c3a77b084: Pushed
21d32b04beff: Pushed
65e1ea1dc98c: Pushed
88891187bdd7: Pushed
6e109f6c2f99: Pushed
0772cb25d5ca: Pushed
525950111558: Pushed
476baebdfbf7: Pushed
v1.1: digest: sha256:1700e943dd58d0b46fbdd1fb1261ab0602db96f6695006c1d4cc9965c4a1cc96 size: 2399
1.6 Image storage
[root@component ~]# cd /var/lib/registry/
[root@component registry]# ls
docker
[root@component registry]# cd docker/
[root@component docker]# ls
registry
[root@component docker]# cd registry/
[root@component registry]# ls
v2
[root@component registry]# cd v2/
[root@component v2]# ls
blobs  repositories
[root@component v2]# cd repositories/
[root@component repositories]# ls
myweb
[root@component repositories]# cd myweb/
[root@component myweb]# ls
_layers  _manifests  _uploads
[root@component myweb]# cd _layers/sha256/
[root@component sha256]# ls
07aded7c29c6011dfdf02fc98e087c941d3c2661c4e73d134c6491e25231d16c
44ac32b0bba890dcb4f6e51224f2ea6044a506f26edf62d39150927efbda7cc8
4ce73aa6e9b01ef152efc2cb67320b96ba96878ca897167291449f2bd58594f7
62219650d15e522cb6d5466c440c09bb5f14e39a0af0084fdcb2c9b43cdb207e
8700267f2376da8ddf80c62cb5e1f4183d3bdf6840a84aa87120243aff5259e7
8a7cef895d30ac3e673af4b4b10ac93bdc354df1a37f0599f2d52e7d1b761628
91d6e3e593db79f94bb7566733a8253b7bd245cc3ea670f0a349d19fe6960b8a
95ce909a1d85da85fc4c34c4c2fb8d9a4cceed90056081beb6d1ebf367c06f33
a5f37949b86f82644e948a4ce1f582050998bb13af4e1151f5335fd045e9e9fe
ba05adead111a6627e025e506be29ab7d27a4b3c777dd5ebf1cf902efd69f022
bbe0b7acc89c9d8f880136e22d2243a220895f7a1bfa6113b4e0ebd090e88b81
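The directory walk above shows that the registry stores everything content-addressed under the v2 tree, so the store can be audited offline: every tag link names a manifest digest, and the bytes on disk must still hash to that digest. The script below is an added example, not part of the original post; it assumes the standard v2 filesystem layout (blobs/sha256/<xx>/<digest>/data and repositories/<repo>/_manifests/tags/<tag>/current/link under docker/registry/v2) and builds its own constructed sample store in a temporary directory.

```python
# Added example, not from the page: integrity audit of a docker-distribution v2
# filesystem store such as /var/lib/registry. Assumed (standard v2) layout:
#   blobs/sha256/<xx>/<digest>/data, repositories/<repo>/_manifests/tags/<tag>/current/link
#   (both under <root>/docker/registry/v2); a tag's `link` holds "sha256:<digest>".
import hashlib
import tempfile
from pathlib import Path

V2 = Path("docker", "registry", "v2")

def blob_path(root, digest):
    """Data file of a sha256 blob in the content-addressed store."""
    return Path(root) / V2 / "blobs" / "sha256" / digest[:2] / digest / "data"

def list_tags(root):
    """Yield (repo, tag, digest) for every tag link under repositories/."""
    repos = Path(root) / V2 / "repositories"
    for link in repos.rglob("_manifests/tags/*/current/link"):
        parts = link.relative_to(repos).parts
        i = parts.index("_manifests")  # repo names such as devel/myweb span several parts
        yield "/".join(parts[:i]), parts[i + 2], link.read_text().strip().split(":", 1)[1]

def audit(root):
    """Return {'repo:tag': 'ok' | 'missing' | 'tampered'} for every tagged manifest."""
    report = {}
    for repo, tag, digest in list_tags(root):
        data = blob_path(root, digest)
        if not data.is_file():
            state = "missing"
        else:  # an on-disk edit leaves the path naming a digest the bytes no longer match
            state = "ok" if hashlib.sha256(data.read_bytes()).hexdigest() == digest else "tampered"
        report[f"{repo}:{tag}"] = state
    return report

def write_manifest(root, repo, tag, manifest):
    """Constructed fixture: store a manifest blob and point repo:tag at it."""
    digest = hashlib.sha256(manifest).hexdigest()
    data = blob_path(root, digest)
    data.parent.mkdir(parents=True, exist_ok=True)
    data.write_bytes(manifest)
    link = Path(root) / V2 / "repositories" / repo / "_manifests" / "tags" / tag / "current" / "link"
    link.parent.mkdir(parents=True, exist_ok=True)
    link.write_text("sha256:" + digest)
    return digest

def demo():
    """Store one intact and one silently edited manifest, then audit the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        write_manifest(tmp, "myweb", "v1.1", b'{"schemaVersion": 2, "layers": []}')
        d = write_manifest(tmp, "devel/myweb", "v1.1", b'{"schemaVersion": 2}')
        blob_path(tmp, d).write_bytes(b'{"schemaVersion": 2, "layers": [0]}')
        return audit(tmp)
```

Run `audit("/var/lib/registry")` on a real host to check the manifests behind every tag; layer blobs referenced by those manifests can be checked the same way through `blob_path`.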
1.7 Pulling an image
[root@k8s-node31 ~]# vi /etc/docker/daemon.json
"insecure-registries": ["registry.kunking.com:5000"],
[root@k8s-node31 ~]# docker pull registry.kunking.com:5000/myweb:v1.1
2. Harbor
2.1 Introduction
Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.
2.2 Features
- Security
  - Security and vulnerability analysis
  - Content signing and validation
- Management
  - Multi-tenant
  - Extensible API and web UI
  - Replication across many registries, including Harbor
  - Identity integration and role-based access control
2.3 Installation
[root@component ~]# yum install docker-compose
[root@component ~]# yum info docker-compose
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.bupt.edu.cn
 * epel: mirrors.bfsu.edu.cn
 * extras: mirrors.bupt.edu.cn
 * updates: mirrors.bupt.edu.cn
已安装的软件包
名称    :docker-compose
架构    :noarch
版本    :1.18.0
发布    :4.el7
大小    :1.1 M
源      :installed
来自源  :epel
简介    : Multi-container orchestration for Docker
网址    :https://github.com/docker/compose
协议    : ASL 2.0
描述    : Compose is a tool for defining and running multi-container Docker
        : applications. With Compose, you use a Compose file to configure your
        : application's services. Then, using a single command, you create and
        : start all the services from your configuration.
        :
        : Compose is great for development, testing, and staging environments,
        : as well as CI workflows.
        :
        : Using Compose is basically a three-step process.
        :
        : 1. Define your app's environment with a Dockerfile so it can be
        :    reproduced anywhere.
        : 2. Define the services that make up your app in docker-compose.yml so
        :    they can be run together in an isolated environment:
        : 3. Lastly, run docker-compose up and Compose will start and run your
        :    entire app.

[root@component ~]# tar xf harbor-offline-installer-v1.10.9.tgz -C /usr/local/
[root@component harbor]# vi harbor.yml
hostname: registry.kunking.com

http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
# practice mode: https disabled, plain http is used for learning
##https:
  # https port for harbor, default is 443
##  port: 443
  # The path of cert and key files for nginx
##  certificate: /your/certificate/path
##  private_key: /your/private/key/path
[root@component harbor]# ./install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.10

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.18.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v1.10.9
Loaded image: goharbor/harbor-jobservice:v1.10.9
Loaded image: goharbor/notary-signer-photon:v1.10.9
Loaded image: goharbor/nginx-photon:v1.10.9
Loaded image: goharbor/chartmuseum-photon:v1.10.9
Loaded image: goharbor/registry-photon:v1.10.9
Loaded image: goharbor/clair-photon:v1.10.9
Loaded image: goharbor/clair-adapter-photon:v1.10.9
Loaded image: goharbor/prepare:v1.10.9
Loaded image: goharbor/harbor-portal:v1.10.9
Loaded image: goharbor/harbor-db:v1.10.9
Loaded image: goharbor/notary-server-photon:v1.10.9
Loaded image: goharbor/harbor-log:v1.10.9
Loaded image: goharbor/harbor-registryctl:v1.10.9
Loaded image: goharbor/redis-photon:v1.10.9

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
/usr/src/app/utils/configs.py:100: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  configs = yaml.load(f)
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
/usr/src/app/utils/configs.py:90: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  versions = yaml.load(f)
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Creating registry ... done
Creating harbor-core ... done
Creating network "harbor_harbor" with the default driver
Creating harbor-jobservice ... done
Creating harbor-db ...
Creating harbor-portal ...
Creating redis ...
Creating registry ...
Creating registryctl ...
Creating harbor-core ...
Creating nginx ...
Creating harbor-jobservice ...
✔ ----Harbor has been installed and started successfully.----
2.4 Connecting to the registry
[root@k8s-node33 ~]# cat /etc/docker/daemon.json
"insecure-registries": ["registry.kunking.com","registry.kunking.com:5000"],
[root@k8s-node33 ~]# systemctl daemon-reload
[root@k8s-node33 ~]# systemctl restart docker
[root@k8s-node33 ~]# docker login registry.kunking.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
2.5 Creating a project
2.6 Pushing an image
[root@k8s-node33 ~]# docker tag myweb:v1.1 registry.kunking.com/devel/myweb:v1.1
[root@k8s-node33 ~]# docker push registry.kunking.com/devel/myweb:v1.1
The push refers to repository [registry.kunking.com/devel/myweb]
782c9eda94c1: Pushed
6e2a64fdd4da: Pushed
7e6c3a77b084: Pushed
21d32b04beff: Pushed
65e1ea1dc98c: Pushed
88891187bdd7: Pushed
6e109f6c2f99: Pushed
0772cb25d5ca: Pushed
525950111558: Pushed
476baebdfbf7: Pushed
v1.1: digest: sha256:1700e943dd58d0b46fbdd1fb1261ab0602db96f6695006c1d4cc9965c4a1cc96 size: 2399
2.8 Pulling an image
[root@component harbor]# docker pull registry.kunking.com/devel/myweb:v1.1
v1.1: Pulling from devel/myweb
07aded7c29c6: Pull complete
bbe0b7acc89c: Pull complete
44ac32b0bba8: Pull complete
91d6e3e593db: Pull complete
8700267f2376: Pull complete
4ce73aa6e9b0: Pull complete
8a7cef895d30: Pull complete
a5f37949b86f: Pull complete
95ce909a1d85: Pull complete
62219650d15e: Pull complete
Digest: sha256:1700e943dd58d0b46fbdd1fb1261ab0602db96f6695006c1d4cc9965c4a1cc96
Status: Downloaded newer image for registry.kunking.com/devel/myweb:v1.1
registry.kunking.com/devel/myweb:v1.1
2.9 Managing the services
[root@component harbor]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      11042/docker-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1008/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1219/master
tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      6994/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      11049/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      1008/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1219/master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           730/chronyd
udp6       0      0 ::1:323                 :::*                                730/chronyd
[root@component harbor]# docker-compose unpause
[root@component harbor]# docker-compose pause