Docker private registry: Harbor
1. Docker private registry
Pushing and pulling images through the official Docker Hub, or through any registry reached over the public Internet, has one built-in drawback: transfer speed. Slow pulls defeat the reason for using containers in the first place, which is that they are meant to be lightweight and fast to bring up. So in many cases we will want to run our own private Registry.
If the systems you operate are hosted with a cloud provider such as Alibaba Cloud, that provider's own Registry is usually the best choice: it sits on the same internal network, so image traffic stays on the private network and transfers are far faster.
Every Registry is expected to be served over HTTPS; that is a basic requirement of Docker. By default the daemon refuses to use plain HTTP for a Registry unless it is told to explicitly, by listing the host under "insecure-registries" in the Docker daemon configuration. Understand what that setting does: for a listed host the daemon accepts an invalid TLS certificate and, if HTTPS is not offered at all, falls back to HTTP, so login credentials and image layers can cross the network in the clear and anyone on the path can read or tamper with them.
1.1 Private registries
Official private registry
So that anyone can run a Docker Private Registry, Docker Hub ships the Registry itself as an image: pull it and start it as a container and you have a private Registry.
Third-party private registries: for example Harbor
2. Harbor
2.1 Overview
Harbor is an enterprise-class Registry server for storing and distributing Docker images, and it offers better performance and security than a bare Registry. Harbor can replicate images between several Registry nodes, and all images stay in the private Registry, so data and intellectual property remain under control inside the company network. Harbor also adds security features such as user management, access control and activity auditing.
- Features
- Role-based access control: users and image repositories are organized into "projects"; a user is granted a role per project and can hold different roles in different projects.
- Image replication: images can be replicated (synchronized) between multiple Registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
- Graphical user interface: users can browse and search the image repositories, and manage projects and namespaces, from a browser.
- AD/LDAP support: Harbor can integrate with an existing enterprise AD/LDAP for authentication.
- Audit management: every operation against the image repositories can be recorded and traced for auditing.
- RESTful API: a RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
- Simple deployment: online and offline installers are provided, and Harbor can also be deployed as a virtual appliance (OVA) on the vSphere platform.
- Remote replication
Harbor provides policy-based image replication. Replication policies are configured per project and synchronize images between several Harbor instances. Replication retries on error or failure and supports incremental synchronization.
2.2 Deployment
Install docker-compose
- Install with pip in a Python environment (this gives you Compose v1, the Python implementation, which is now end-of-life; the Harbor installer only checks that a docker-compose command is available, as Step 1 of install.sh shows below)
[root@vm1 soft]# yum -y install python36
.............................
Installed:
python3-pip-9.0.3-18.el8.noarch python3-setuptools-39.2.0-6.el8.noarch
python36-3.6.8-2.module_el8.3.0+562+e162826a.x86_64
Complete!
[root@vm1 soft]# which pip3
/usr/bin/pip3
[root@vm1 soft]# pip3 install docker-compose
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting docker-compose
...............................................
Successfully installed PyYAML-5.3.1 attrs-20.3.0 bcrypt-3.2.0 cached-property-1.5.2 certifi-2020.12.5 cffi-1.14.4 chardet-4.0.0 cryptography-3.3.1 distro-1.5.0 docker-4.4.1 docker-compose-1.27.4 dockerpty-0.4.1 docopt-0.6.2 idna-2.10 importlib-metadata-3.4.0 jsonschema-3.2.0 paramiko-2.7.2 pycparser-2.20 pynacl-1.4.0 pyrsistent-0.17.3 python-dotenv-0.15.0 requests-2.25.1 texttable-1.6.3 typing-extensions-3.7.4.3 urllib3-1.26.2 websocket-client-0.57.0 zipp-3.4.0
[root@vm1 soft]#
Offline installation of Harbor
[root@vm1 opt]# ls
harbor-offline-installer-v2.1.2.tgz
- Unpack Harbor
[root@vm1 opt]# tar xvf harbor-offline-installer-v2.1.2.tgz -C /usr/local/
harbor/harbor.v2.1.2.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
[root@vm1 opt]# cd /usr/local/
[root@vm1 local]# ls
bin etc games harbor include lib lib64 libexec sbin share src
[root@vm1 local]# cd harbor/
[root@vm1 harbor]# ls
common.sh harbor.v2.1.2.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
- Edit the Harbor configuration before installing. Three values deserve attention before the first start: hostname (the address clients will connect to, never localhost), harbor_admin_password (the template ships Harbor12345, and the value is only applied on the first start, so change it here or immediately after the first login), and database.password (the template ships root123 and itself says to change it before production use). This lab leaves the https block commented out for simplicity; outside a lab, enable it with a real certificate and key so that logins and image layers are not sent in clear text.
[root@vm1 harbor]# cp harbor.yml.tmpl harbor.yml
[root@vm1 harbor]# ls
common.sh harbor.v2.1.2.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
[root@vm1 harbor]# vim harbor.yml
..................................................
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.225.127
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
#https: // HTTPS is disabled here; enable this block when needed and add the certificate and key files
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
................
harbor_admin_password: Harbor12345 ## admin password for the Harbor web UI (template default, used on first start only)
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
........................................
# The default data volume
data_volume: /data
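Before running install.sh it is worth checking harbor.yml for exactly the weak settings this lab keeps: HTTPS commented out and the template's admin and database passwords left in place. The script below is an added example, not part of Harbor or of the original page. It reads the top-level and one-level-nested keys harbor.yml uses with a small line-based reader (no PyYAML needed) and reports findings. Both embedded configurations are constructed: LAB_CONFIG mirrors the values shown above, and HARDENED_CONFIG is a hypothetical corrected version whose hostname, certificate paths and passwords are placeholders.

```python
"""Pre-install audit of harbor.yml.

Added example, not part of Harbor or of the original page. harbor.yml uses
only top-level keys plus one level of two-space-indented sub-keys for the
settings checked here, so a small line-based reader is enough and no
third-party YAML library is required.
"""
from typing import Dict, List

# Values shipped in harbor.yml.tmpl; leaving them in place is the common mistake.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"
DEFAULT_DB_PASSWORD = "root123"
UNREACHABLE_HOSTNAMES = {"", "localhost", "127.0.0.1"}


def flatten_harbor_yml(text: str) -> Dict[str, str]:
    """Return {'key': value, 'section.key': value} for every uncommented scalar.

    Commented-out lines (like the disabled https block) are skipped, so a key
    that only exists as a comment is simply absent from the result.
    """
    values: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                    # blank or fully commented
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip().strip('"').strip("'")
        if indent == 0:
            section = key if value == "" else None      # 'http:' opens a section
            if value:
                values[key] = value
        elif indent == 2 and section is not None:
            values[f"{section}.{key}"] = value
    return values


def audit_harbor_yml(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = flatten_harbor_yml(text)
    findings: List[str] = []
    if cfg.get("hostname", "") in UNREACHABLE_HOSTNAMES:
        findings.append("hostname must be an address external clients can reach")
    if "https.certificate" not in cfg or "https.private_key" not in cfg:
        findings.append("https block disabled: logins and image layers will cross the network in clear text")
    if cfg.get("harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the template default (applied on first start only)")
    if cfg.get("database.password") == DEFAULT_DB_PASSWORD:
        findings.append("database.password is the template default")
    return findings


# Constructed sample: the values this lab used, with the https block commented out.
LAB_CONFIG = """\
hostname: 192.168.225.127
http:
  port: 80
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
harbor_admin_password: Harbor12345 ## admin password for the web UI
database:
  password: root123
data_volume: /data
"""

# Constructed sample: a hypothetical hardened file; hostname, paths and secrets are placeholders.
HARDENED_CONFIG = """\
hostname: harbor.example.internal
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/tls/harbor.crt
  private_key: /etc/harbor/tls/harbor.key
harbor_admin_password: "4V3lE6m-not-the-default-2021"
database:
  password: "random-32-char-db-secret-Qp8z"
data_volume: /data
"""

if __name__ == "__main__":
    for name, cfg in (("lab harbor.yml", LAB_CONFIG), ("hardened harbor.yml", HARDENED_CONFIG)):
        findings = audit_harbor_yml(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against the real file with a one-line wrapper (open /usr/local/harbor/harbor.yml, pass the text to audit_harbor_yml) before ./install.sh; the lab file above yields three findings, the hardened one none.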
- Install Harbor
[root@vm1 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.1
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.27.4
[Step 2]: loading Harbor images ...
52ba3ba61de4: Loading layer [==================================================>] 34.51MB/34.51MB
94095a8e8b3f: Loading layer [==================================================>] 4.833MB/4.833MB
.............................................
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating harbor-db ... done
Creating registry ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
[root@vm1 harbor]# ls
common common.sh docker-compose.yml harbor.v2.1.2.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
- Allow the Docker daemon to use plain HTTP for this registry by listing it under insecure-registries in daemon.json. The documented form of an entry is the host, optionally with a port, without a scheme; dockerd accepted the http:// prefix used here (the login below succeeds), but prefer the plain form 192.168.225.127. Note the scope of the entry: it covers every repository on that host, not only the project created in Harbor.
[root@vm1 harbor]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://mirror.baidubce.com"],
"insecure-registries": ["http://192.168.225.127"]
}
[root@vm1 harbor]# systemctl daemon-reload
[root@vm1 harbor]# systemctl restart docker
- Harbor is started and stopped with docker-compose, which has to be run from the directory that holds Harbor's docker-compose.yml (/usr/local/harbor here), as the failed attempt from /usr/local below shows
[root@vm1 harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-log ... done
[root@vm1 harbor]# cd ../
[root@vm1 local]# docker-compose start
ERROR:
Can't find a suitable configuration file in this directory or any
parent. Are you in the right directory?
Supported filenames: docker-compose.yml, docker-compose.yaml
[root@vm1 local]# cd harbor/
[root@vm1 harbor]# ls
common docker-compose.yml harbor.yml install.sh prepare
common.sh harbor.v2.1.2.tar.gz harbor.yml.tmpl LICENSE
[root@vm1 harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
[root@vm1 harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:80 *:*
[root@vm1 harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4897e5114605 goharbor/harbor-jobservice:v2.1.2 "/harbor/entrypoint.…" 11 minutes ago Up 11 minutes (healthy) harbor-jobservice
890e43f70549 goharbor/nginx-photon:v2.1.2 "nginx -g 'daemon of…" 11 minutes ago Up 11 minutes (healthy) 0.0.0.0:80->8080/tcp nginx
0a2cfff1d801 goharbor/harbor-core:v2.1.2 "/harbor/entrypoint.…" 11 minutes ago Up 11 minutes (healthy) harbor-core
c92556ab81b1 goharbor/harbor-registryctl:v2.1.2 "/home/harbor/start.…" 11 minutes ago Up 11 minutes (healthy) registryctl
0de3f483dc0d goharbor/registry-photon:v2.1.2 "/home/harbor/entryp…" 11 minutes ago Up 11 minutes (healthy) registry
b74e1db94ff0 goharbor/harbor-portal:v2.1.2 "nginx -g 'daemon of…" 11 minutes ago Up 11 minutes (healthy) harbor-portal
d71771de0be4 goharbor/harbor-db:v2.1.2 "/docker-entrypoint.…" 11 minutes ago Up 11 minutes (healthy) harbor-db
a753dc2fc2d4 goharbor/redis-photon:v2.1.2 "redis-server /etc/r…" 11 minutes ago Up 11 minutes (healthy) redis
053d38fa42b9 goharbor/harbor-log:v2.1.2 "/bin/sh -c /usr/loc…" 11 minutes ago Up 11 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
35e0e8332421 alpine "/bin/sh" 2 hours ago Up 2 hours interesting_babbage
2.3 Managing Harbor
- Open http://192.168.225.127 in a browser
- The user name is admin and the password is the one configured in harbor.yml; change it at the first login if it is still the template default
Add a user
Add a project
- Grant the user a role on the project. Give only what the account needs: roles are assigned per project, a Developer can push and pull, and a Guest can only pull
Push an image
- Tag the image to be uploaded with the registry address and the project name (192.168.225.127/web/httpd here, where web is the project)
[root@vm1 harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
xpengzong/httpd latest 8f2e1efd24d8 8 days ago 82.7MB
....................................................
[root@vm1 harbor]# docker tag xpengzong/httpd:latest 192.168.225.127/web/httpd:latest
- Log in to the private registry (the account must exist and have been granted a role on the project)
## the administrator account is used here for the demo; for day-to-day pushes use a project-scoped user with the Developer role instead. Note the warning below: docker login stores the credential in /root/.docker/config.json only base64-encoded, so anyone who can read that file has the password; configure a credential helper on shared hosts
[root@vm1 harbor]# docker login 192.168.225.127
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
- Push the image
[root@vm1 harbor]# docker push 192.168.225.127/web/httpd:latest
The push refers to repository [192.168.225.127/web/httpd]
98d496280624: Pushed
936fde1556ca: Pushed
777b2c648970: Pushed
latest: digest: sha256:bbf76cb05487af75bdf0409dab6b242ae04b1433ff80106ffa35cb4675a49a5f size: 952
Pull an image
[root@vm1 harbor]# docker pull 192.168.225.127/web/httpd:latest
latest: Pulling from web/httpd
Digest: sha256:bbf76cb05487af75bdf0409dab6b242ae04b1433ff80106ffa35cb4675a49a5f
Status: Downloaded newer image for 192.168.225.127/web/httpd:latest
192.168.225.127/web/httpd:latest
[root@vm1 harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.225.127/web/httpd latest 8f2e1efd24d8 8 days ago 82.7MB
xpengzong/httpd latest 8f2e1efd24d8 8 days ago 82.7MB
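Two things in the steps above deserve a closer look: what the insecure-registries entry added to daemon.json earlier actually covers, and what the digest printed by docker push and repeated by docker pull gives you. The script below is an added example, not Docker's or Harbor's own code. It applies Docker's reference grammar (the first path component names a registry only if it contains a dot or a colon or is localhost; otherwise the image is on docker.io) to decide which registry a pull would talk to, checks that host against a constructed copy of the daemon.json from the earlier step, and shows that the matching push and pull digests are a content address you can pin to instead of the movable latest tag. The host and port matching is a simplification of what dockerd does; the push and pull lines are copied from the output above.

```python
"""Image references, insecure-registries scope and digest pinning.

Added example; not Docker's or Harbor's code. Reference parsing follows
Docker's grammar: the first path component names a registry only when it
contains '.' or ':' or is 'localhost'; otherwise the image lives on docker.io
and a bare name such as 'alpine' means 'library/alpine'.
"""
import hashlib
import json
import re
from typing import Dict, NamedTuple, Optional

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


class Reference(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_reference(ref: str) -> Reference:
    """Split 'host/path/name[:tag][@sha256:hex]' into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path                # docker.io shorthand
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:              # a colon in the last component is a tag
        path, tag = path.rsplit(":", 1)
    elif digest is None:
        tag = "latest"                              # Docker's implicit default tag
    return Reference(registry, path, tag, digest)


def _normalize_host(entry: str) -> str:
    """daemon.json entries are documented as host[:port]; tolerate a scheme prefix."""
    entry = entry.strip().lower()
    for scheme in ("http://", "https://"):
        if entry.startswith(scheme):
            entry = entry[len(scheme):]
    return entry.rstrip("/")


def pull_goes_plaintext(ref: str, daemon_json: str) -> bool:
    """True when dockerd may reach this image's registry without TLS.

    An insecure-registries entry is matched by host[:port] and therefore
    covers every repository and project on that host. Loopback is treated as
    insecure by default, matching dockerd's built-in 127.0.0.0/8 entry.
    Simplified model: dockerd also matches CIDR entries and resolved IPs,
    which are ignored here.
    """
    cfg: Dict = json.loads(daemon_json)
    insecure = {_normalize_host(e) for e in cfg.get("insecure-registries", [])}
    host = parse_reference(ref).registry.lower()
    hostname = host.rsplit(":", 1)[0] if re.search(r":\d+$", host) else host
    if hostname == "localhost" or hostname.startswith("127."):
        return True
    return host in insecure or hostname in insecure


def extract_digest(line: str) -> Optional[str]:
    """Return the sha256 digest from a 'docker push' or 'docker pull' output line."""
    match = DIGEST_RE.search(line)
    return match.group(0) if match else None


def manifest_digest(manifest: bytes) -> str:
    """The digest Docker prints is sha256 over the manifest bytes exactly as stored."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def pin_by_digest(ref: str, digest: str) -> str:
    """Rewrite a tag reference into an immutable digest reference."""
    r = parse_reference(ref)
    return f"{r.registry}/{r.repository}@{digest}"


# Constructed inputs: the daemon.json from the earlier step and the two digest
# lines copied from the push and pull output above.
DAEMON_JSON = json.dumps({
    "registry-mirrors": ["https://mirror.baidubce.com"],
    "insecure-registries": ["http://192.168.225.127"],
})
PUSH_LINE = "latest: digest: sha256:bbf76cb05487af75bdf0409dab6b242ae04b1433ff80106ffa35cb4675a49a5f size: 952"
PULL_LINE = "Digest: sha256:bbf76cb05487af75bdf0409dab6b242ae04b1433ff80106ffa35cb4675a49a5f"

if __name__ == "__main__":
    for ref in ("192.168.225.127/web/httpd:latest", "xpengzong/httpd:latest", "alpine"):
        r = parse_reference(ref)
        print(f"{ref:36} -> {r.registry}/{r.repository} plaintext={pull_goes_plaintext(ref, DAEMON_JSON)}")
    pushed, pulled = extract_digest(PUSH_LINE), extract_digest(PULL_LINE)
    print("push and pull digests match:", pushed == pulled)
    print("pinned reference:", pin_by_digest("192.168.225.127/web/httpd:latest", pushed))
```

Pulling 192.168.225.127/web/httpd@sha256:... instead of :latest makes a later retag in the project show up as a digest mismatch rather than as a silent change of what the deployment runs; Docker accepts the @sha256: form in pull, run and FROM.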
Viewing logs
Search
2.4 Harbor replication
- For bidirectional synchronization, each registry must be configured with the other as an endpoint and with its own replication rule
Configure the remote registry endpoint
Configure a replication rule
- The trigger mode is selectable: manual, scheduled with a cron expression, or event-based. The endpoint credentials are stored in Harbor, so use an account on the remote side that has only the rights the rule needs
Synchronize
- Select the rule and click Replicate to synchronize this project's images to the remote endpoint