1 Docker Hub
#Docker Hub is used for source-control integration and for the build and test tooling that speeds up the deployment cycle, cutting it from days to minutes; Docker claims it already lets users accelerate application delivery.
#Architecture and technology-stack upgrades are necessary for the large-scale and unpredictable adoption of Docker Hub.
#As developers rapidly adopt Docker containers, IT administrators are accelerating their move into enterprise production environments. Besides management and configuration tools, orchestration and scheduling software is also needed.
#Some intranet environments, however, cannot reach Docker Hub at all. In that case you need to stand up a Docker Hub of your own on the internal network; the official docker-registry tool builds a private image repository and is simple to set up.
2 Environment preparation
[root@dockerhub250 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@dockerhub250 ~]# ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.2.250 netmask 255.255.255.0 broadcast 172.16.2.255
2.1 Installing Docker
#Install the required system tools
yum install -y yum-utils device-mapper-persistent-data lvm2
#Add the package repository
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
#List the available docker versions
yum list docker-ce.x86_64 --showduplicates | sort -r
#Install docker-ce; a specific version from the list above can also be installed instead
yum -y install docker-ce
#Enable and start the Docker service
systemctl enable docker
systemctl start docker
2.2 Docker registry mirror
#Add the mirror configuration file; the Alibaba Cloud mirror is used here
#vim /etc/docker/daemon.json
{"registry-mirrors": ["https://registry.cn-hangzhou.aliyuncs.com"]}
#Reload the unit files, restart docker, and check that the setting took effect
systemctl daemon-reload
systemctl restart docker
docker info
3 Building a private registry
3.1 Looking up the registry image
[root@dockerhub250 ~]# docker search registry
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
registry The Docker Registry 2.0 implementation for s… 3062 [OK]
distribution/registry WARNING: NOT the registry official image!!! … 57 [OK]
stefanscherer/registry-windows Containerized docker registry for Windows Se… 32
budry/registry-arm Docker registry build for Raspberry PI 2 and… 18
deis/registry Docker image registry for the Deis open sour… 12
jc21/registry-ui A nice web interface for managing your Docke… 12
anoxis/registry-cli You can list and delete tags from your priva… 10 [OK]
sixeyed/registry Docker Registry 2.6.0 running on Windows - N… 10
pallet/registry-swift Add swift storage support to the official do… 4 [OK]
allingeek/registry A specialization of registry:2 configured fo… 4 [OK]
arm32v6/registry The Docker Registry 2.0 implementation for s… 3
goharbor/registry-photon 2
conjurinc/registry-oauth-server Docker registry authn/authz server backed by… 1
concourse/registry-image-resource 1
ibmcom/registry Docker Image for IBM Cloud private-CE (Commu… 1
metadata/registry Metadata Registry is a tool which helps you … 1 [OK]
webhippie/registry Docker images for Registry 1 [OK]
kontena/registry Kontena Registry 0
gisjedi/registry-proxy Reverse proxy of registry mirror image gisje… 0
dwpdigital/registry-image-resource Concourse resource type 0
lorieri/registry-ceph Ceph Rados Gateway (and any other S3 compati… 0
convox/registry 0
digillect/registry-cleaner Tool to remove unused images from Docker reg… 0 [OK]
pivnet/registry-gcloud-image 0
upmcenterprises/registry-creds
3.2 Installing registry
[root@dockerhub250 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
[root@dockerhub250 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 2d4f4b5309b1 2 months ago 26.2MB
#Create a local directory and bind-mount it into the container, so that the data survives a container crash and a new container can be started to replace it at any time
mkdir -p /data/dockerhub
#Start the registry
docker run -d -v /data/dockerhub:/var/lib/registry -p 5000:5000 --restart=always --name dockerhub-registry2.0 registry
#Open http://172.16.1.250:5000/v2; if you get the following response, the registry is working
[root@dockerhub250 ~]# curl http://172.16.1.250:5000/v2/
{}
3.3 Pushing an image to the private registry
[root@dockerhub250 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4bb46517cac3 8 days ago 133MB
registry latest 2d4f4b5309b1 2 months ago 26.2MB
#Tag the image that is to be pushed to the private registry
[root@dockerhub250 ~]# docker tag nginx:latest 172.16.1.250:5000/nginx:latest
[root@dockerhub250 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 4bb46517cac3 8 days ago 133MB
172.16.1.250:5000/nginx latest 4bb46517cac3 8 days ago 133MB
registry latest 2d4f4b5309b1 2 months ago 26.2MB
#Push the nginx image to the private registry with docker push
[root@dockerhub250 ~]# docker push 172.16.1.250:5000/nginx:latest
The push refers to repository [172.16.1.250:5000/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362
#Check whether the upload succeeded
[root@dockerhub250 ~]# curl http://127.0.0.1:5000/v2/_catalog
{"repositories":["nginx"]}
#Check the image's tags
[root@dockerhub250 ~]# curl http://172.16.1.250:5000/v2/nginx/tags/list
{"name":"nginx","tags":["latest"]}
#Verify that the image can be pulled from another intranet machine
[root@k8snode172 ~]# docker pull 172.16.1.250:5000/nginx
Using default tag: latest
latest: Pulling from nginx
bf5952930446: Pull complete
cb9a6de05e5a: Pull complete
9513ea0afb93: Pull complete
b49ea07d2e93: Pull complete
a5e4a503d449: Pull complete
Digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c
Status: Downloaded newer image for 172.16.1.250:5000/nginx:latest
172.16.1.250:5000/nginx:latest
[root@k8snode172 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.16.1.250:5000/nginx latest 4bb46517cac3 8 days ago 133MB
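The curl calls in this section (the /v2/ ping, _catalog and tags/list) are the read side of the registry's v2 API, and on an unauthenticated registry anyone on the intranet can issue them; the added example below (not from the original post) walks the same endpoints to inventory every repository, tag and manifest digest so the result can be checked against the digest that docker push printed. It assumes the plain-HTTP registry from 3.2; the embedded responses are constructed copies of the replies shown above, so it runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, Tuple

# Asking for the schema-2 manifest makes the registry report the same sha256
# digest that `docker push` printed ("latest: digest: sha256:...").
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

# A fetcher takes (url, request headers) and returns (body, response headers).
Fetcher = Callable[[str, Dict[str, str]], Tuple[str, Dict[str, str]]]


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Live fetcher: plain HTTP GET; header names lower-cased for lookup."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(), {k.lower(): v for k, v in resp.headers.items()}


def inventory(base: str, fetch: Fetcher = http_fetch) -> Dict[str, Dict[str, str]]:
    """Walk /_catalog -> tags/list -> manifests; return {repo: {tag: digest}}."""
    result: Dict[str, Dict[str, str]] = {}
    body, _ = fetch(f"{base}/v2/_catalog", {})
    for repo in json.loads(body).get("repositories", []):
        body, _ = fetch(f"{base}/v2/{repo}/tags/list", {})
        # The registry answers "tags": null once every tag of a repository is deleted.
        tags = json.loads(body).get("tags") or []
        result[repo] = {}
        for tag in tags:
            _, hdrs = fetch(f"{base}/v2/{repo}/manifests/{tag}", {"Accept": MANIFEST_V2})
            result[repo][tag] = hdrs.get("docker-content-digest", "")
    return result


# Constructed offline responses, copied from what the registry returned in 3.3.
PUSHED_DIGEST = "sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c"
FAKE_RESPONSES = {
    "/v2/_catalog": ('{"repositories":["nginx"]}', {}),
    "/v2/nginx/tags/list": ('{"name":"nginx","tags":["latest"]}', {}),
    "/v2/nginx/manifests/latest": ("{}", {"docker-content-digest": PUSHED_DIGEST}),
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Offline fetcher serving the constructed responses above."""
    return FAKE_RESPONSES[url[url.index("/v2"):]]


if __name__ == "__main__":
    # Replace fake_fetch with http_fetch to query the live registry.
    inv = inventory("http://172.16.1.250:5000", fake_fetch)
    print(json.dumps(inv, indent=2))
    print("digest matches push:", inv["nginx"]["latest"] == PUSHED_DIGEST)
```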
4 Harbor
Harbor project GitHub address
#As an enterprise-grade private Registry server, Harbor offers better performance and security. It improves the efficiency of transferring images between build and runtime environments through a Registry. Harbor supports replicating image resources across multiple Registry nodes, and all images are kept in the private Registry, ensuring that data and intellectual property stay under control within the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
- Role-based access control: users and Docker image repositories are organised through "projects"; a user can have different permissions on several image repositories within the same namespace (project).
- Image replication: images can be replicated (synchronised) across multiple Registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
- Graphical user interface: users can browse and search the current Docker image repositories and manage projects and namespaces from a browser.
- AD/LDAP support: Harbor integrates with the enterprise's existing AD/LDAP for authentication.
- Audit management: every operation against the image repositories can be recorded and traced for auditing.
- Internationalisation: localised versions exist in English, Chinese, German, Japanese and Russian, with more languages to come.
- RESTful API: the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
- Simple deployment: online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).
4.1 Downloading and installing Harbor
#Harbor's basic requirements: docker 17.06.0-ce+, golang 1.12.0+ and docker-compose 1.18.0+
[root@dockerhub250 ~]# yum install golang docker-ce docker-compose
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* elrepo: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package golang-1.13.14-1.el7.x86_64 already installed and latest version
Package 3:docker-ce-19.03.12-3.el7.x86_64 already installed and latest version
Package docker-compose-1.18.0-4.el7.noarch already installed and latest version
#The latest Harbor offline installer package is used here
#Download
[root@dockerhub250 ~]# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz
#Extract
[root@dockerhub250 ~]# tar zxvf harbor-offline-installer-v2.0.2.tgz
#Harbor works over http by default, but that only covers access to the web UI; pushing and pulling images goes over https by default, so https has to be configured
#Generate the CA key and self-signed certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
#Generate the certificate signing request (for access by domain name, set Common Name to the domain name):
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.kkcai.vip.key -out harbor.kkcai.vip.csr
#Generate the server certificate
openssl x509 -req -days 365 -in harbor.kkcai.vip.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.kkcai.vip.crt
[root@dockerhub250 harbor]# ll
total 535264
-rw-r--r-- 1 root root 2045 Aug 22 15:32 ca.crt
-rw-r--r-- 1 root root 3272 Aug 22 15:32 ca.key
-rw-r--r-- 1 root root 17 Aug 22 15:36 ca.srl
-rw-r--r-- 1 root root 3361 Jul 28 17:47 common.sh
-rw-r--r-- 1 root root 1948 Aug 22 15:36 harbor.kkcai.vip.crt
-rw-r--r-- 1 root root 1797 Aug 22 15:34 harbor.kkcai.vip.csr
-rw-r--r-- 1 root root 3272 Aug 22 15:34 harbor.kkcai.vip.key
-rw-r--r-- 1 root root 548041010 Jul 28 17:47 harbor.v2.0.2.tar.gz
-rw-r--r-- 1 root root 7829 Aug 22 12:00 harbor.yml
-rw-r--r-- 1 root root 7828 Jul 28 17:47 harbor.yml.tmpl
-rwxr-xr-x 1 root root 2523 Jul 28 17:47 install.sh
-rw-r--r-- 1 root root 11347 Jul 28 17:47 LICENSE
-rwxr-xr-x 1 root root 1856 Jul 28 17:47 prepare
#Install the certificate
[root@dockerhub250 harbor]# mkdir -p /etc/cert/harbor
[root@dockerhub250 harbor]# cp harbor.kkcai.vip.crt harbor.kkcai.vip.key /etc/cert/harbor
[root@dockerhub250 harbor]# ll /etc/cert/harbor/
total 8
-rw-r--r-- 1 root root 1948 Aug 22 15:38 harbor.kkcai.vip.crt
-rw-r--r-- 1 root root 3272 Aug 22 15:38 harbor.kkcai.vip.key
#Since I have a DNS server on the intranet, no hosts entry was configured; if your intranet has no DNS, run vim /etc/hosts and add an entry pointing the domain name at the address
#Quick way to add the hosts entry
echo "172.16.1.250 harbor.kkcai.vip" >>/etc/hosts
#Enter the directory, copy the default file and edit the configuration file harbor.yml
[root@dockerhub250 harbor]# cp harbor.yml.tmpl harbor.yml
[root@dockerhub250 harbor]# vim harbor.yml
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#A domain name is recommended
hostname: harbor.kkcai.vip
#Set the certificate location
certificate: /etc/cert/harbor/harbor.kkcai.vip.crt
private_key: /etc/cert/harbor/harbor.kkcai.vip.key
#Harbor admin password
harbor_admin_password: devops
#Harbor database password
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: devops
#Data storage location
data_volume: /data/harbor
#Run install.sh to install
[root@dockerhub250 harbor]# sh install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/prepare:v2.0.2
Loaded image: goharbor/harbor-jobservice:v2.0.2
Loaded image: goharbor/harbor-registryctl:v2.0.2
Loaded image: goharbor/registry-photon:v2.0.2
Loaded image: goharbor/harbor-core:v2.0.2
Loaded image: goharbor/notary-signer-photon:v2.0.2
Loaded image: goharbor/clair-photon:v2.0.2
Loaded image: goharbor/trivy-adapter-photon:v2.0.2
Loaded image: goharbor/harbor-log:v2.0.2
Loaded image: goharbor/nginx-photon:v2.0.2
Loaded image: goharbor/clair-adapter-photon:v2.0.2
Loaded image: goharbor/chartmuseum-photon:v2.0.2
Loaded image: goharbor/harbor-portal:v2.0.2
Loaded image: goharbor/harbor-db:v2.0.2
Loaded image: goharbor/redis-photon:v2.0.2
Loaded image: goharbor/notary-server-photon:v2.0.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Creating harbor-db ... done
Creating harbor-core ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating redis ...
Creating harbor-db ...
Creating registryctl ...
Creating harbor-portal ...
Creating registry ...
Creating harbor-core ...
Creating nginx ...
Creating harbor-jobservice ...
✔ ----Harbor has been installed and started successfully.----
#Common commands
4.2 Verifying that Harbor installed successfully
#Open the URL: harbor.kkcai.vip/
#The default account is admin, password devops
4.3 Verifying that images can be pushed to Harbor
#Create the directory for docker's registry certificates and copy the CA certificate into it
[root@dockerhub250 harbor]# mkdir -p /etc/docker/certs.d/harbor.kkcai.vip
[root@dockerhub250 harbor]# cp ca.crt /etc/docker/certs.d/harbor.kkcai.vip
#Log in to Harbor with docker
[root@dockerhub250 harbor]# docker login harbor.kkcai.vip
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#Push the image to the corresponding project
[root@dockerhub250 harbor]# docker tag nginx:latest harbor.kkcai.vip/library/nginx:latest
[root@dockerhub250 harbor]# docker push harbor.kkcai.vip/library/nginx:latest
The push refers to repository [harbor.kkcai.vip/library/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362
#Check the Harbor web UI: the image has been pushed successfully
4.4 Adding a third-party registry
#Administration - Registries - New Endpoint
#Provider: Docker Registry
#Name: test
#Endpoint URL: http://172.16.1.250:5000 (the private registry created earlier; it was set up without authentication, so no username or password is needed)
#Click OK
X. Problems encountered
X.1 WARNING: bridge-nf-call-iptables is disabled
#Symptom
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
#Cause: the bridge works at the data-link layer; when bridge-nf is not enabled for iptables, traffic is forwarded straight across the bridge, so the FORWARD rules have no effect
#Fix: edit the configuration, add the following lines, save and reload
#vim /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#sysctl -p
X.2 Get http: server gave HTTP response to HTTPS client
#Symptom
[root@dockerhub250 ~]# docker push 172.16.1.250:5000/nginx:latest
The push refers to repository [172.16.1.250:5000/nginx]
Get https://172.16.1.250:5000/v2/: http: server gave HTTP response to HTTPS client
#Cause: the docker registry is not serving https, while the docker client pushes over https
#Fix: edit the configuration, add "insecure-registries":["172.16.1.250:5000"], save and reload
#vim /etc/docker/daemon.json
{"registry-mirrors": ["https://registry.cn-hangzhou.aliyuncs.com"], "insecure-registries":["172.16.1.250:5000"]}
#systemctl restart docker
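The fix above edits daemon.json by hand, which is easy to get wrong: overwriting the file drops the registry-mirrors entry from 2.2, and a value written as a URL instead of host:port is only discovered when dockerd is restarted. The added example below (not from the original post) merges the two keys into whatever is already in the file, validates each entry and writes the result atomically; DAEMON_JSON and the values in the main block are the ones used on this page.

```python
import json
import os
import re
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"
# insecure-registries entries are host[:port] or a CIDR range, never a URL.
_HOST_OR_CIDR = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5}|/[0-9]{1,2})?$")


def _merge_list(cfg: dict, key: str, values, valid) -> None:
    """Append values to cfg[key], rejecting malformed ones and skipping duplicates."""
    current = list(cfg.get(key, []))
    for v in values:
        if not valid(v):
            raise ValueError(f"{key}: invalid entry {v!r}")
        if v not in current:
            current.append(v)
    if current:
        cfg[key] = current


def merge_daemon_config(existing: str, insecure=(), mirrors=()) -> dict:
    """Merge registry settings into the existing daemon.json text; an empty or
    missing file counts as {} and every other key already present is kept."""
    cfg = json.loads(existing) if existing.strip() else {}
    _merge_list(cfg, "insecure-registries", insecure, _HOST_OR_CIDR.match)
    _merge_list(cfg, "registry-mirrors", mirrors,
                lambda u: u.startswith(("http://", "https://")))
    return cfg


def write_daemon_config(cfg: dict, path: str = DAEMON_JSON) -> None:
    """Write atomically so dockerd never sees a half-written, unparsable file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)
        fh.write("\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    current = open(DAEMON_JSON).read() if os.path.exists(DAEMON_JSON) else ""
    # Values from this page: the Alibaba Cloud mirror and the plain-HTTP registry.
    merged = merge_daemon_config(current, insecure=["172.16.1.250:5000"],
                                 mirrors=["https://registry.cn-hangzhou.aliyuncs.com"])
    write_daemon_config(merged)  # then: systemctl restart docker
    print(json.dumps(merged, indent=2))
```

insecure-registries switches off TLS for exactly the listed host:port, so keep the list to that one entry; the Harbor route in 4.3, with the CA placed under /etc/docker/certs.d, keeps TLS on and needs no such entry.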