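I  Introduction to image registries

1.1 Overview

  1. An image registry is used to store Docker images
  2. Docker Registry provides the image registry service
  3. A single Docker registry can contain multiple image repositories
  4. Repositories are either public or private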

1.2 Public image registries

  1. hub.docker.com
  2. quay.io
  3. gcr.io

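1.3 Drawbacks of using the official registry

  • An Internet connection is required, and uploads and downloads are slow
  • Any image uploaded to Docker Hub can be accessed by anyone; private repositories are available, but they are not free
  • For security reasons, many organizations do not allow images to be stored on an external network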

1.4 Running an image registry

[root@docker-server3 ~]# docker run -d -p 5000:5000  -v  /data/registry:/var/lib/registry  registry:2

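registry:2: pulled from the official registry by default; the version is 2

-p: the default port is 5000, mapped to port 5000 on the host

-v: mounts a host directory at the location inside the container where the registry stores images, so the data is persisted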

Unable to find image 'registry:2' locally
2: Pulling from library/registry
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:2
feebef9a6ec69e63d5f97bfe93edeed14e15d32c979f5152bedb22f5069e4e4b

[root@docker-server3 ~]# docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
feebef9a6ec6 registry:2 "/entrypoint.sh /etc…" 41 seconds ago Up 40 seconds 0.0.0.0:5000->5000/tcp funny_archimedes
f97a5669c5d6 nginx:v1.5 "/build.sh nginx -g …" 3 hours ago Up 3 hours 80/tcp beautiful_wilbur
10694bcf9b87 nginx:v1.5 "/build.sh nginx -g …" 3 hours ago Created practical_ritchie

1.5 Pushing an image

[root@docker-server3 ~]# docker tag nginx:v1.5 192.168.132.133:5000/library/nginx:v1.5

[root@docker-server3 ~]# docker image ls

REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
192.168.132.133:5000/library/nginx v1.5 ba600822f908 7 hours ago 418MB
nginx v1.5 ba600822f908 7 hours ago 418MB
nginx v1.4 e51688c79109 8 hours ago 418MB
nginx v1.3 80a81192811a 8 hours ago 418MB
nginx v1.2 852fb29d5783 9 hours ago 418MB
nginx v1.1 68354cda3d7b 9 hours ago 418MB
nginx v1.0 cd520a2362fb 9 hours ago 418MB
openssh v1.8 64e76b90e1fa 9 hours ago 306MB
openssh v1.7 a208eefd515d 10 hours ago 306MB
openssh v1.6 7c3b42276adb 10 hours ago 306MB
openssh v1.5 90743d882696 17 hours ago 306MB
openssh v1.3 0244c59bf444 2 days ago 306MB
openssh v1.4 2412a6e26b9c 2 days ago 306MB
openssh v1.2 c399a750ed03 2 days ago 361MB
openssh v1.0 d98ba06569f3 2 days ago 361MB
nginx latest f7bb5701a33c 5 days ago 126MB
busybox latest 6d5fcfe5ff17 7 days ago 1.22MB
hub.darren.com/library/alpine 3.7 cc0abc535e36 9 days ago 5.59MB
centos 7 5e35e350aded 7 weeks ago 203MB
registry 2 f32a97de94e1 10 months ago 25.8MB

[root@docker-server3 ~]# docker push 192.168.132.133:5000/library/nginx:v1.5

The push refers to repository [192.168.132.133:5000/library/nginx]
Get https://192.168.132.133:5000/v2/: http: server gave HTTP response to HTTPS client

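The push fails because the client requires HTTPS, and the certificate must also be a valid one.

The Docker daemon has to be configured to treat this registry as insecure (plain HTTP, no certificate verification):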

[root@docker-server3 ~]# cat /etc/docker/daemon.json

{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.132.133:5000"]
}

[root@docker-server3 ~]# systemctl restart docker

[root@docker-server3 ~]# docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
feebef9a6ec6 registry:2 "/entrypoint.sh /etc…" 13 minutes ago Exited (2) 27 seconds ago funny_archimedes
f97a5669c5d6 nginx:v1.5 "/build.sh nginx -g …" 3 hours ago Exited (0) 27 seconds ago beautiful_wilbur
10694bcf9b87 nginx:v1.5 "/build.sh nginx -g …" 3 hours ago Created practical_ritchie

[root@docker-server3 ~]# docker start feebef9a6ec6

[root@docker-server3 ~]# docker push 192.168.132.133:5000/library/nginx:v1.5

The push refers to repository [192.168.132.133:5000/library/nginx]
fc2a1b35c0a9: Pushed
fdd515349bc6: Pushed
72838385a292: Pushed
77b174a6a187: Pushed
v1.5: digest: sha256:2189ab9655b0dff8cecfa746ef2234bec36fb54114e971b6c15caf4f5eb36c6f size: 1155

The image was pushed successfully, but with this kind of registry there is no direct way to browse the images it holds.

1.6 Installing a registry with a web UI

[root@docker-server3 ~]# docker run -d -p 8080:8080 -v /etc/localtime:/etc/localtime  --name registry-web -e REGISTRY_HOST=registry  -e REGISTRY_PORT=5000 -e REGISTRY_URL=http://registry:5000/v2  --link funny_archimedes:registry  hyper/docker-registry-web

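-p: maps to port 8080

--name: names the container registry-web

-e: passes environment variables

--link: connects through a link; funny_archimedes is the name of the private registry container started above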

Unable to find image 'hyper/docker-registry-web:latest' locally
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete
d394d3da86fe: Pull complete
bac77aae22d4: Pull complete
b48b86b78e97: Pull complete
09b3dd842bf5: Pull complete
69f4c5394729: Pull complete
b012980650e9: Pull complete
7c7921c6fda1: Pull complete
e20331c175ea: Pull complete
40d5e82892a5: Pull complete
a414fa9c865a: Pull complete
0304ae3409f3: Pull complete
13effc1a664f: Pull complete
e5628d0e6f8c: Pull complete
0b0e130a3a52: Pull complete
d0c73ab65cd2: Pull complete
240c0b145309: Pull complete
f1fd6f874e5e: Pull complete
40b5e021928e: Pull complete
88a8c7267fbc: Pull complete
f9371a03010e: Pull complete
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest
c3025c175eae0a1a28f3cf881c363a10688ca8e9170c9557e3fd70d903f2f99f

[root@docker-server3 ~]# docker ps -a

CONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS                      PORTS                    NAMES
c3025c175eae hyper/docker-registry-web "start.sh" 59 seconds ago Up 58 seconds 0.0.0.0:8080->8080/tcp registry-web
feebef9a6ec6 registry:2 "/entrypoint.sh /etc…" 41 minutes ago Up 28 minutes 0.0.0.0:5000->5000/tcp funny_archimedes
f97a5669c5d6 nginx:v1.5 "/build.sh nginx -g …" 3 hours ago Exited (0) 28 minutes ago beautiful_wilbur
10694bcf9b87 nginx:v1.5 "/build.sh nginx -g …" 3 hours ago Created practical_ritchie

Visit http://192.168.132.133:8080/

Click through

Pull the image from another machine

[root@docker-server1 ~]# docker pull 192.168.132.133:5000/library/nginx:v1.5

Error response from daemon: Get https://192.168.132.133:5000/v2/: http: server gave HTTP response to HTTPS client

[root@docker-server1 ~]# vi /etc/docker/daemon.json

{
"insecure-registries":["http://192.168.132.133:5000"],
"registry-mirrors":["https://o0o4czij.mirror.aliyuncs.com"]
}

[root@docker-server1 ~]# systemctl restart docker
[root@docker-server1 ~]# docker pull 192.168.132.133:5000/library/nginx:v1.5

v1.5: Pulling from library/nginx
ab5ef0e58194: Pull complete
2a95ef35dfe4: Pull complete
c7655bb407fc: Pull complete
95fb544c76c7: Pull complete
Digest: sha256:2189ab9655b0dff8cecfa746ef2234bec36fb54114e971b6c15caf4f5eb36c6f
Status: Downloaded newer image for 192.168.132.133:5000/library/nginx:v1.5
192.168.132.133:5000/library/nginx:v1.5

[root@docker-server1 ~]# docker image ls

REPOSITORY                                                    TAG                 IMAGE ID            CREATED                  SIZE
192.168.132.133:5000/library/nginx v1.5 ba600822f908 Less than a second ago 418MB
ubuntu 16.04 5f2bf26e3524 2 months ago 123MB
httpd 2.4 d3017f59d5e2 2 months ago 165MB
busybox latest 020584afccce 2 months ago 1.22MB
nginx latest 540a289bab6c 2 months ago 126MB
hub.darren.com/library/nginx version1 540a289bab6c 2 months ago 126MB
centos latest 0f3e07c0138f 3 months ago 220MB
centos 6 d0957ffdf8a2 9 months ago 194MB
registry.cn-hangzhou.aliyuncs.com/google_containers/coredns 1.1.3 b3b94275d97c 19 months ago 45.6MB

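1.8 Drawbacks

The registry is now set up and working, but its shortcomings are obvious:

  1. No authentication: anyone can pull and push images at will, so there is no security
  2. No image cleanup mechanism: images can be pushed but not deleted, so disk usage keeps growing over time
  3. No corresponding extension mechanisms

Private registries:

  • harbor: VMware China community
  • quay: open-sourced after the Red Hat acquisition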

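II  Introduction to Harbor

2.1 About Harbor

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and improves the efficiency of transferring images between the registry and build and runtime environments. Harbor supports replicating images between multiple registry nodes, and all images are kept in the private registry, so that data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.

Harbor official website: http://vmware.github.io/harbor/

Harbor source code: https://github.com/vmware/harbor

Harbor's binary packages come in online and offline versions; here we use the online version.

Official location: https://github.com/goharbor/harbor

2.2 Harbor architecture

2.3 Harbor's six modules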

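  • Proxy: Harbor's components such as the registry, UI and token service all sit behind a reverse proxy. The proxy forwards requests from browsers and Docker clients to the backend services.
  • Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, the Registry requires the client to obtain a valid token from the token service on every push/pull request.
  • Core services: Harbor's core functionality, mainly the following three services:
    • UI: acts as the Registry webhook and provides a graphical user interface to help users manage images. 1) Webhook is a mechanism configured in the registry: when an image in the registry changes, Harbor's webhook endpoint is notified. Harbor uses the webhook to update logs, start replication jobs, and so on. 2) The token service issues a token for each push/pull request according to the user's role in a project. If a request carries no token, the registry redirects it to the token service. 3) The database stores project metadata, user data, role data, replication policies and image metadata.
    • Job services: mainly used for image replication; local images can be synchronized to a remote Harbor instance.
    • Log collector: collects the logs of the other modules in one place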

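2.4 Harbor components

Note that every Harbor component is built as a Docker container and can be deployed with Docker Compose; if your environment uses Kubernetes, Harbor also provides Kubernetes configuration files.

Harbor consists of 8 containers:

  • ui: Harbor's core service.
  • log: a container running rsyslog that collects logs.
  • mysql: a database container built from the official mysql image; PostgreSQL is used now
  • nginx: uses Nginx as the reverse proxy
  • registry: the official Docker registry
  • adminserver: Harbor's configuration data manager
  • jobservice: Harbor's job management service.
  • redis: stores sessions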

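2.5 How Harbor works

Docker Login

  1. The login request is first received by the Proxy container, which forwards it to the backend Registry container according to its preconfigured matching rules.
  2. The Registry parses the request. Because token-based authentication is configured, it looks for a token; finding none, it returns error code 401 together with the URL of the token service.
  3. On receiving the error response, the Docker client sends a request to the token service URL instead. Following the HTTP Basic Authentication scheme, it combines and encodes the username and password and places them in the request header.
  4. This request also goes to the Proxy container first and is then forwarded to the ui/token container, which accepts the request and decodes the header to obtain the username and password.
  5. The ui/token container then verifies the username and password against the database (with LDAP authentication, it calls the LDAP service to verify them). On success it returns a success status code, generates a token with its key, and sends it to the Docker client.

Docker push

  1. Again, the client first contacts the Registry, which returns the URL of the token service.
  2. The Docker client contacts the token service and states that it is requesting a token for a push image operation.
  3. The token service checks in the database whether the current user has permission for the operation. If so, it encodes the image information and the push action, signs them with the private key, and returns the resulting token to the Docker client.
  4. The Docker client contacts the Registry again, this time with the token in the request header. The Registry uses the public key to decode and verify the token; once verification succeeds, the push can begin.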
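The login and push sequences above, modelled in one Python process as an added example (not part of the original post and not Harbor's code): the registry's 401 challenge, the Basic-auth token request, and the registry-side token check. The realm URL, service name, user, roles and key are constructed, and HMAC-SHA256 stands in for the private/public key pair the steps describe so that the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import re

# All values below are constructed for this example; none come from a real Harbor.
REALM = "https://harbor.example/service/token"   # token service URL (assumed)
SERVICE = "harbor-registry"                       # audience name (assumed)
SIGNING_KEY = b"constructed-demo-key"             # HMAC stand-in for the key pair
USERS = {"dev": "constructed-password"}           # stand-in for the user database
ROLES = {("dev", "library/nginx"): {"pull", "push"},
         ("dev", "docker/harbor-core"): {"pull"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(message: str) -> str:
    return b64url(hmac.new(SIGNING_KEY, message.encode(), hashlib.sha256).digest())


def registry_challenge(repo: str, actions: str) -> tuple:
    """Registry reply to a request without a token: 401 and where to get one."""
    return 401, (f'Bearer realm="{REALM}",service="{SERVICE}",'
                 f'scope="repository:{repo}:{actions}"')


def parse_challenge(header: str) -> dict:
    """Client: pull realm, service and scope out of WWW-Authenticate."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("unsupported challenge scheme")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def basic_header(user: str, password: str) -> str:
    """Client: Basic auth is base64(user:password), an encoding and not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def token_service(authorization: str, service: str, scope: str, now: int) -> str:
    """Token service: verify the credentials, then grant only what the role allows."""
    raw = base64.b64decode(authorization.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    known = USERS.get(user)
    if known is None or not hmac.compare_digest(known.encode(), password.encode()):
        raise PermissionError("invalid credentials")
    rtype, rest = scope.split(":", 1)
    name, _, wanted = rest.rpartition(":")
    granted = sorted(set(wanted.split(",")) & ROLES.get((user, name), set()))
    claims = {"sub": user, "aud": service, "exp": now + 300,
              "access": [{"type": rtype, "name": name, "actions": granted}]}
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{sign(head + '.' + body)}"


def registry_authorize(token: str, repo: str, action: str, now: int) -> bool:
    """Registry: check signature, audience and expiry before trusting any claim."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{head}.{body}").encode(), sig.encode()):
            return False
        claims = json.loads(unb64url(body))
    except ValueError:
        return False
    if claims.get("aud") != SERVICE or claims.get("exp", 0) <= now:
        return False
    return any(a["type"] == "repository" and a["name"] == repo
               and action in a["actions"] for a in claims.get("access", []))


def push_flow(user: str, password: str, repo: str, now: int) -> bool:
    """Push steps 1-4: challenge, token request, then the retry with the token."""
    _, header = registry_challenge(repo, "push,pull")
    params = parse_challenge(header)
    token = token_service(basic_header(user, password),
                          params["service"], params["scope"], now)
    return registry_authorize(token, repo, "push", now)
```

The token service grants the intersection of what the client asked for and what the role allows, so a user with pull-only rights gets a valid token that still cannot push.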

III  Installing Harbor

This walkthrough uses version v1.9.3.

Remove all containers:

[root@docker-server3 ~]# docker ps -aq |xargs docker rm -fv

3.1 Downloading the package

Download the Harbor online installer: https://github.com/goharbor/harbor/releases/tag/v1.9.3

[root@docker-server3 ~]# wget https://github.com/goharbor/harbor/releases/download/v1.9.3/harbor-online-installer-v1.9.3.tgz

[root@docker-server3 ~]# tar -xf harbor-online-installer-v1.9.3.tgz

[root@docker-server3 ~]# mv harbor /usr/local/

[root@docker-server3 ~]# cd /usr/local/harbor/

[root@docker-server3 harbor]# ll

-rw-r--r-- 1 root root  5805 Nov 18 03:37 harbor.yml
-rwxr-xr-x 1 root root 5088 Nov 18 03:37 install.sh
-rw-r--r-- 1 root root 11347 Nov 18 03:37 LICENSE
-rwxr-xr-x 1 root root 1748 Nov 18 03:37 prepare

3.2 Generating the certificate

[root@docker-server3 harbor]# mkdir pki

[root@docker-server3 harbor]# cd pki

[root@docker-server3 pki]# openssl genrsa -des3 -out server.key 1024

[root@docker-server3 pki]# openssl rsa -in server.key -out server.key

[root@docker-server3 pki]# openssl req -new -key server.key -out server.csr

[root@docker-server3 pki]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

[root@docker-server3 pki]# ll

-rw-r--r-- 1 root root 920 Jan  3 03:06 server.crt
-rw-r--r-- 1 root root 684 Jan 3 03:04 server.csr
-rw-r--r-- 1 root root 887 Jan 3 03:03 server.key

3.3 Configuring Harbor

[root@docker-server3 pki]# cd ../

[root@docker-server3 harbor]# grep -Ev "^$|[;#]" harbor.yml

hostname: darren.test.com
https:
  port: 443
  certificate: /usr/local/harbor/pki/server.crt
  private_key: /usr/local/harbor/pki/server.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /data
clair:
  updaters_interval: 12
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 1.9.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair

[root@docker-server3 harbor]# ./prepare

prepare base dir is set to /usr/local/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[root@docker-server3 harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.5
Need to install docker-compose(1.18.0+) by yourself first and run this script again.

3.4 Installing docker-compose

docker-compose is a container orchestration tool: https://github.com/docker/compose

Download the latest version:

[root@docker-server3 harbor]# wget https://github.com/docker/compose/releases/download/1.25.0/docker-compose-Linux-x86_64

[root@docker-server3 harbor]# chmod +x docker-compose-Linux-x86_64

[root@docker-server3 harbor]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose

3.5 Installation

[root@docker-server3 harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.5

Note: docker-compose version: 1.25.0

[Step 1]: preparing environment ...
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step 2]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-log
b950b5dd94ab: Already exists
1fefec4d6309: Pull complete
fbbcfef46e70: Pull complete
459a9232cb22: Pull complete
a5ae36915def: Pull complete
46f9c2f74703: Pull complete
9deb3de04c54: Pull complete
909a05fc4700: Pull complete
Digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07
Status: Downloaded newer image for goharbor/harbor-log:v1.9.3
Pulling registry (goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3)...
v2.7.1-patch-2819-2553-v1.9.3: Pulling from goharbor/registry-photon
b950b5dd94ab: Already exists
1f4568af817f: Pull complete
be92c4733d10: Pull complete
1d666391d7e5: Pull complete
71b9f2abeafa: Pull complete
d855fea51058: Pull complete
Digest: sha256:78bf8ca6c84e58f11369d07817589391c72b07ac2528b898332d2d5ffe554f8c
Status: Downloaded newer image for goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3
Pulling registryctl (goharbor/harbor-registryctl:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-registryctl
b950b5dd94ab: Already exists
63505c20b7ca: Pull complete
8f807bf00d34: Pull complete
8e9de15b00b6: Pull complete
ea11b966c1d1: Pull complete
b4cf4b6f96d5: Pull complete
cee638fc0ad7: Pull complete
Digest: sha256:a5141c71bc6e5d541c9ee3459ea100c14b2b84d3897a99e02d4cff090dacd721
Status: Downloaded newer image for goharbor/harbor-registryctl:v1.9.3
Pulling postgresql (goharbor/harbor-db:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-db
b950b5dd94ab: Already exists
06fad8ffb3f8: Pull complete
2b68b32f8088: Pull complete
d7c46e659a6a: Pull complete
6a67b71cc8b5: Pull complete
fe8a70af51fb: Pull complete
3b5d884187b3: Pull complete
2d1536f2a1d3: Pull complete
dc417e3b633a: Pull complete
Digest: sha256:0fc09367feed82cdcc558823bd848752f155d65e52c245f1429d1a53915a4c1b
Status: Downloaded newer image for goharbor/harbor-db:v1.9.3
Pulling portal (goharbor/harbor-portal:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-portal
b950b5dd94ab: Already exists
043df33993ba: Pull complete
d8d460d2082b: Pull complete
11b3c3c9b803: Pull complete
198c8fefbd72: Pull complete
5b2f09f123e1: Pull complete
86acd987157f: Pull complete
Digest: sha256:d96d934dab47bfe426c33b37533094289e8f4111d0e3e0b1517c341831ff8466
Status: Downloaded newer image for goharbor/harbor-portal:v1.9.3
Pulling redis (goharbor/redis-photon:v1.9.3)...
v1.9.3: Pulling from goharbor/redis-photon
b950b5dd94ab: Already exists
b8fbe9dc9dde: Pull complete
e19904d63c6a: Pull complete
7cae1df3c795: Pull complete
93a7821ea4c9: Pull complete
Digest: sha256:893bed91214737244c1bc43005fa7f72c10d94b599a272e2982e22fa5b49757d
Status: Downloaded newer image for goharbor/redis-photon:v1.9.3
Pulling core (goharbor/harbor-core:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-core
b950b5dd94ab: Already exists
841d1d9cb8fd: Pull complete
a7452e6907b4: Pull complete
3163e443b06b: Pull complete
7f2a5aff198c: Pull complete
c240a35553e3: Pull complete
Digest: sha256:bc491975633fb845e593f4d0637cdaff9620b51a1a2a7924c6780275005cda88
Status: Downloaded newer image for goharbor/harbor-core:v1.9.3
Pulling jobservice (goharbor/harbor-jobservice:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-jobservice
b950b5dd94ab: Already exists
089caec5e122: Pull complete
3de3c64f442a: Pull complete
Digest: sha256:4fbf1ea5553d61fd6cbf58b5db9a2dc44cc1ff3d2704902e920f79b76e3a17ce
Status: Downloaded newer image for goharbor/harbor-jobservice:v1.9.3
Pulling proxy (goharbor/nginx-photon:v1.9.3)...
v1.9.3: Pulling from goharbor/nginx-photon
b950b5dd94ab: Already exists
3b5b95273977: Pull complete
Digest: sha256:4facb727a4abfdb0b1c64eab2ef3c85b461c8201cdd5cf9a5c07a41704f89793
Status: Downloaded newer image for goharbor/nginx-photon:v1.9.3
Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done

----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://darren.test.com.
For more details, please visit https://github.com/goharbor/harbor .

[root@docker-server3 harbor]# docker ps -a

CONTAINER ID        IMAGE                                                    COMMAND                  CREATED              STATUS                        PORTS                                         NAMES
3582c06fad6f goharbor/harbor-jobservice:v1.9.3 "/harbor/harbor_jobs…" About a minute ago Up About a minute (healthy) harbor-jobservice
28dc54458c79 goharbor/nginx-photon:v1.9.3 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp nginx
3c4a4e6810b2 goharbor/harbor-core:v1.9.3 "/harbor/harbor_core" About a minute ago Up About a minute (healthy) harbor-core
234f0e80a188 goharbor/redis-photon:v1.9.3 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) 6379/tcp redis
42155f90c422 goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3 "/entrypoint.sh /etc…" About a minute ago Up About a minute (healthy) 5000/tcp registry
5aea0ad776ad goharbor/harbor-registryctl:v1.9.3 "/harbor/start.sh" About a minute ago Up About a minute (healthy) registryctl
b5ef61bcb28b goharbor/harbor-portal:v1.9.3 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 8080/tcp harbor-portal
2a8fc240e768 goharbor/harbor-db:v1.9.3 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) 5432/tcp harbor-db
47a172fa7361 goharbor/harbor-log:v1.9.3 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log

3.6 Access test

Visit: https://darren.yutian.com/

After logging in

The access level here is public, which means other machines can pull images directly without logging in.

[root@docker-server3 harbor]# ll /data/

drwxr-xr-x  2   10000    10000    6 Jan  3 03:35 ca_download
drwx------ 19 polkitd ssh_keys 4096 Jan 3 03:58 database
-rw-r--r-- 1 root root 12 Jan 2 19:02 index.html
drwxr-xr-x 2 10000 10000 6 Jan 3 03:35 job_logs
drwxr-xr-x 2 10000 10000 6 Jan 3 03:35 psc
drwxr-xr-x 2 polkitd ssh_keys 22 Jan 3 04:03 redis
drwxr-xr-x 3 10000 10000 20 Jan 3 01:03 registry
drwxr-xr-x 6 root root 58 Jan 3 03:57 secret

This directory can be backed by almost any object storage; here is an official configuration example:

https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md#backend

storage_service:
  ca_bundle:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images
  redirect:
    disable: false

A more complete example: https://docs.docker.com/registry/configuration/#storage

[root@docker-server3 harbor]# docker image ls

REPOSITORY                           TAG                             IMAGE ID            CREATED             SIZE
192.168.132.133:5000/library/nginx v1.5 ba600822f908 10 hours ago 418MB
nginx v1.5 ba600822f908 10 hours ago 418MB
nginx v1.4 e51688c79109 11 hours ago 418MB
nginx v1.3 80a81192811a 11 hours ago 418MB
nginx v1.2 852fb29d5783 12 hours ago 418MB
nginx v1.1 68354cda3d7b 12 hours ago 418MB
nginx v1.0 cd520a2362fb 12 hours ago 418MB
openssh v1.8 64e76b90e1fa 13 hours ago 306MB
openssh v1.7 a208eefd515d 13 hours ago 306MB
openssh v1.6 7c3b42276adb 13 hours ago 306MB
openssh v1.5 90743d882696 20 hours ago 306MB
openssh v1.4 2412a6e26b9c 2 days ago 306MB
openssh v1.3 0244c59bf444 2 days ago 306MB
openssh v1.2 c399a750ed03 2 days ago 361MB
openssh v1.0 d98ba06569f3 2 days ago 361MB
nginx latest f7bb5701a33c 5 days ago 126MB
busybox latest 6d5fcfe5ff17 7 days ago 1.22MB
hub.darren.com/library/alpine 3.7 cc0abc535e36 9 days ago 5.59MB
goharbor/redis-photon v1.9.3 33aaebc86b13 7 weeks ago 111MB
goharbor/harbor-registryctl v1.9.3 27af14c21462 7 weeks ago 103MB
goharbor/registry-photon v2.7.1-patch-2819-2553-v1.9.3 4c51bdb781e2 7 weeks ago 85.7MB
goharbor/nginx-photon v1.9.3 c6934119da35 7 weeks ago 44MB
goharbor/harbor-log v1.9.3 00a3acdb5d11 7 weeks ago 82.3MB
goharbor/harbor-jobservice v1.9.3 a3288107fff4 7 weeks ago 141MB
goharbor/harbor-core v1.9.3 9d394b9f6b49 7 weeks ago 155MB
goharbor/harbor-portal v1.9.3 6f5b0504c96b 7 weeks ago 51.4MB
goharbor/harbor-db v1.9.3 6004d1d5f272 7 weeks ago 148MB
goharbor/prepare v1.9.3 272365739d13 7 weeks ago 149MB
centos 7 5e35e350aded 7 weeks ago 203MB
registry 2 f32a97de94e1 10 months ago 25.8MB
hyper/docker-registry-web latest 0db5683824d8 3 years ago 599MB

3.7 Basic management

[root@docker-server3 harbor]# docker tag goharbor/harbor-log:v1.9.3 darren.yutian.com/library/harbor-log:v1.9.3

[root@docker-server3 harbor]# docker image ls

darren.yutian.com/library/harbor-log   v1.9.3                          00a3acdb5d11        7 weeks ago         82.3MB

[root@docker-server3 harbor]# vi /etc/docker/daemon.json

{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.132.133:5000","https://darren.yutian.com"]
}

[root@docker-server3 harbor]# vi /etc/hosts

192.168.132.133  darren.yutian.com

Every machine that pulls or pushes needs the changes above: edit the Docker configuration and the hosts file.

Push the image

[root@docker-server3 harbor]# docker push darren.yutian.com/library/harbor-log:v1.9.3

The push refers to repository [darren.yutian.com/library/harbor-log]
2e2e439cb618: Preparing
f14e11ea2c25: Preparing
c684117da188: Preparing
a94dcd551900: Preparing
12a81f321c68: Preparing
fa60bb5fba7f: Waiting
4bb3c8da2619: Waiting
47a4bb1cfbc7: Waiting
denied: requested access to the resource is denied

The push is denied: pulling is allowed, but pushing requires logging in.

Log in to Harbor

[root@docker-server3 harbor]# docker login https://darren.yutian.com

Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Pushing again succeeds

[root@docker-server3 harbor]# docker push darren.yutian.com/library/harbor-log:v1.9.3

The push refers to repository [darren.yutian.com/library/harbor-log]
2e2e439cb618: Pushed
f14e11ea2c25: Pushed
c684117da188: Pushed
a94dcd551900: Pushed
12a81f321c68: Pushed
fa60bb5fba7f: Pushed
4bb3c8da2619: Pushed
47a4bb1cfbc7: Pushed
v1.9.3: digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07 size: 1984

Check the web UI

Pull the image

[root@docker-server2 ~]# docker pull darren.yutian.com/library/harbor-log:v1.9.3

v1.9.3: Pulling from library/harbor-log
b950b5dd94ab: Pull complete
1fefec4d6309: Pull complete
fbbcfef46e70: Pull complete
459a9232cb22: Pull complete
a5ae36915def: Pull complete
46f9c2f74703: Pull complete
9deb3de04c54: Pull complete
909a05fc4700: Pull complete
Digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07
Status: Downloaded newer image for darren.yutian.com/library/harbor-log:v1.9.3
darren.yutian.com/library/harbor-log:v1.9.3

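This image can be pulled without logging in because the library project is public.

Create a new private repository

New project
Project name: choose your own
Storage count: -1 means unlimited
Storage capacity: -1 means unlimited
Click OK

Upload an image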

[root@docker-server3 ~]# docker image ls

goharbor/harbor-core                   v1.9.3                          9d394b9f6b49        7 weeks ago         155MB

[root@docker-server3 ~]# docker tag goharbor/harbor-core:v1.9.3 darren.yutian.com/docker/harbor-core:v1.9.3

[root@docker-server3 ~]# docker image ls

goharbor/harbor-core                   v1.9.3                          9d394b9f6b49        7 weeks ago         155MB
darren.yutian.com/docker/harbor-core v1.9.3 9d394b9f6b49 7 weeks ago 155MB

Once logged in, there is a hidden file:

[root@docker-server3 ~]# ll ~/.docker/config.json

-rw------- 1 root root 155 Jan 3 04:32 /root/.docker/config.json

[root@docker-server3 ~]# cat ~/.docker/config.json

{
    "auths": {
        "darren.yutian.com": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.5 (linux)"
    }
}
[root@docker-server3 ~]# docker push darren.yutian.com/docker/harbor-core:v1.9.3

The push refers to repository [darren.yutian.com/docker/harbor-core]
376871497fae: Pushed
5fb810768754: Pushed
3c10f4815fc0: Pushed
17c27eb4f7f8: Pushed
b2329d5f99cf: Pushed
47a4bb1cfbc7: Mounted from library/harbor-log
v1.9.3: digest: sha256:bc491975633fb845e593f4d0637cdaff9620b51a1a2a7924c6780275005cda88 size: 1580

Then pull it from another machine

[root@docker-server1 ~]# docker pull darren.yutian.com/docker/harbor-core:v1.9.3

Error response from daemon: pull access denied for darren.yutian.com/docker/harbor-core, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Now, for images in this private repository, only a logged-in user has permission to pull.


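Author's note: the content of this article comes mainly from instructor Yan Wei of Yutian Education, and I verified the steps by running the experiments myself. If you need to repost it, please contact Yutian Education (http://www.yutianedu.com/) for official permission, or obtain permission from Mr. Yan himself (https://www.cnblogs.com/breezey/). Thank you!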
