docker镜像仓库

搭建私有镜像仓库

Docker Hub作为Docker默认官方公共镜像，如果想自己搭建私有镜像仓库，官方也提供registry镜像，使得搭建私有仓库非常简单。

下载registry镜像并启动

[root@docker ~]# docker pull registry
[root@docker ~]# docker run -d -v /opt/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry
790e35569960041b5976786ab76babc8213e81e0a2d3b1bf3a9c0b5cc2bd1280

测试查看镜像仓库中所有镜像

[root@docker ~]# curl http://192.168.193.128:5000/v2/_catalog
{"repositories":[]}

私有镜像仓库管理

配置私有仓库可信任

[root@docker ~]# cat /etc/docker/daemon.json
{
    "registry-mirrors":["https://registry.docker-cn.com"],
    "insecure-registries":["192.168.193.128：5000"]
}
[root@docker ~]# systemctl restart docker

打标签

[root@docker ~]# docker tag nginx:1.12 192.168.193.128:5000/nginx:1.12

上传

[root@docker ~]# docker push 192.168.193.128:5000/nginx:1.12
[root@docker ~]# curl http://192.168.193.128:5000/v2/_catalog
{"repositories":["nginx"]}
查看信息
[root@docker ~]# curl http://192.168.193.128:5000/v2/nginx/tags/list
{"name":"nginx","tags":["1.12"]}

下载

[root@docker ~]# docker run -itd --name nginx -p 80:80 192.168.193.128:5000/nginx:1.12
6c13f1122f713237e44aabe58f345652785d21f4b2a1deda05985bbf03b5a1be

企业通常使用Docker Harbor镜像管理工具。

Docker Hub公共镜像仓库使用

注册账号

https://hub.docker.com/

登录Docker Hub

创建仓库

linux端登录

[root@docker ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: yinshoucheng
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
或
[root@docker ~]# docker login --username=yinshoucheng --password=123456

镜像打标签

[root@docker ~]# docker tag nginx:1.12 yinshoucheng/golden:1.12

上传

[root@docker ~]# docker push yinshoucheng/golden:1.12

搜索测试

[root@docker ~]# docker search yinshoucheng
NAME                  DESCRIPTION         STARS               OFFICIAL            AUTOMATED
yinshoucheng/golden                       0

下载

[root@docker ~]# docker pull yinshoucheng/golden:1.12

企业级私有镜像仓库Harbor

Harbor是VMware公司开源的企业级Docker Registry项目，项目地址：https://github.com/vmware/harbor

下载离线安装包

安装docker

[root@docker ~]# docker info
Containers: 26
 Running: 1
 Paused: 0
 Stopped: 25
Images: 16
Server Version: 18.09.6
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-862.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.697GiB
Name: docker
ID: 3EAH:DXYW:7DXA:76IW:AKHC:TKG5:FC5N:QPRB:SFAY:T6HB:LSCS:CUPK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: yinshoucheng
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 192.168.193.128:5000
 127.0.0.0/8
Registry Mirrors:
 https://registry.docker-cn.com/
Live Restore Enabled: false
Product License: Community Engine

安装docker-compose

https://github.com/docker/compose/releases/

[root@docker ~]# curl -L https://github.com/docker/compose/releases/download/1.25.0-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
[root@docker ~]# chmod +x /usr/local/bin/docker-compose
[root@docker ~]# docker-compose --version
docker-compose version 1.25.0-rc1, build 8552e8e2

自签TLS证书

https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

解压
[root@docker ~]# tar -zxf harbor-offline-installer-v1.8.1.tgz
[root@docker ~]#
[root@docker ~]# cd harbor
创建存放ssl的目录
[root@docker harbor]# mkdir ssl
生成ca根证书
[root@docker harbor]# mkdir ssl
[root@docker harbor]# cd ssl
[root@docker ssl]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
> -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
........................................................................................................................................................................++
...............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:goldenyin
Email Address []:
[root@docker ssl]# ls
ca.crt  ca.key
[root@docker ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.goldenyin.com.key -out reg.goldenyin.com.csr
Generating a 4096 bit RSA private key
.................................................................................................................................................................................................++
........++
writing new private key to 'reg.goldenyin.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:reg.goldenyin.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@docker ssl]# ls
ca.crt  ca.key  reg.goldenyin.com.csr  reg.goldenyin.com.key
[root@docker ssl]# openssl x509 -req -days 365 -in reg.goldenyin.com.csr -CA ca.crt -CAkey ca.key -CA.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out reg.goldenyin.com.crt
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd/CN=reg.goldenyin.com
Getting CA Private Key
[root@docker ssl]# ls
ca.crt  ca.srl                 reg.goldenyin.com.csr
ca.key  reg.goldenyin.com.crt  reg.goldenyin.com.key

Harbor安装与配置

[root@docker ssl]# cd ..
[root@docker harbor]# ls
harbor.v1.8.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare  ssl
配置harbor.cfg（新版已经改成harbor.yml）
修改配置，协议，证书，管理员密码　
示例：
hostname = reg.goldenyin.com
将http:和port:80注释（新版本）
ui_url_protocol = https（新版无此项）
ssl_cert = ./ssl/reg.lvusyy.com.crt（新版本certificate: ./ssl/reg.goldenyin.com.crt）
ssl_cert_key = ./ssl/reg.lvusyy.com.key（新版本private_key: ./ssl/reg.goldenyin.com.key）
harbor_admin_password = harbor12345
[root@docker harbor]#  ./prepare （读取配置文件，新版本无需此步骤操作）
将https:和port:443注释取消（新版本）
external_url: https://reg.goldenyin.com:8433（新版本）
[root@docker harbor]# ./install.sh
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://reg.goldenyin.com.
For more details, please visit https://github.com/goharbor/harbor .

windows主机配置hosts（C:\Windows\System32\drivers\etc\hosts）
192.168.193.128 reg.goldenyin.com

http://reg.goldenyin.com/

https://reg.goldenyin.com/（未配置）

docker主机访问Harbor

[root@docker harbor]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.193.128 reg.goldenyin.com
[root@docker harbor]# docker login reg.goldenyin.com
创建证书保存目录
[root@docker harbor]# mkdir -p /etc/docker/certs.d/reg.goldenyin.com
拷贝证书
[root@docker reg.goldenyin.com]# ls
reg.goldenyin.com.crt
重新登录
[root@docker harbor]# docker login reg.goldenyin.com

docker tag SOURCE_IMAGE[:TAG] reg.goldenyin.com/test/IMAGE[:TAG]

docker push reg.goldenyin.com/test/IMAGE[:TAG]