Linux Operations Guide: Docker Private Registries
I. Docker Hub public registry
Docker Hub official site: https://hub.docker.com/
[root@localhost ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: gaoyufu
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost ~]# docker push centos:test
II. Registry private registry
1. Run the registry private registry service in a Docker container
[root@localhost ~]# docker pull registry:2
2: Pulling from library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for registry:2
2. Run the private registry service
[root@localhost ~]# docker run -itd --name registry --restart=always -p 5000:5000 -v /registry:/var/lib/registry registry:2
b94d47e57026c239509e3dea3b4b107332c450f0bc775095660f2154275f94e1
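| Parameter | Description |
|---|---|
| -p | Port mapping. host port:port exposed by the container |
| -p 80 | If only one port is written after -p, it is the port exposed by the container, which is mapped to a random host port (starting at 32768…) |
| -P | No port argument follows it. It maps all ports exposed by the container to random host ports |
| -v | Mount a directory. host directory:directory inside the container |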
3. Re-tag the image
[root@localhost ~]# docker tag web:centos 192.168.1.10:5000/web
4. Edit the Docker configuration file
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H unix:// //change this line to the following
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.10:5000 //192.168.1.10 is the IP address of the private registry server
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
5. Push to the private registry
[root@localhost ~]# docker push 192.168.1.10:5000/web
The push refers to repository [192.168.1.10:5000/web]
d2c6afabab1c: Pushed
0086b2c72a31: Pushed
bce59d767f25: Pushed
5b20514ca564: Pushed
d080a77574aa: Pushed
9c30307b4a72: Pushed
a7b6955a7df9: Pushed
b42bd86910be: Pushed
2aa965e5fa60: Pushed
613be09ab3c0: Pushed
latest: digest: sha256:caf5eb847cc83a90e93d6490e1e0b513c0af78e269272d993a56d90830ad4c0c size: 2409
[root@localhost ~]# curl -XGET http://192.168.1.10:5000/v2/_catalog //list the uploaded images
{"repositories":["web"]}
[root@localhost ~]# curl -XGET http://192.168.1.10:5000/v2/busybox/tags/list
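An added check, not part of the original post: a shell audit that lists the registries a docker.service unit exempts from TLS verification through `--insecure-registry` and reports whether config.json keeps login credentials inline, the condition the `docker login` warning describes. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Docker host for the
# --insecure-registry flag and for inline credentials in config.json.

# List registries the ExecStart line trusts without TLS verification.
# Handles "--insecure-registry HOST" and "--insecure-registry=HOST".
insecure_registries() {
    grep -E '^[[:space:]]*ExecStart=' "$1" |
        grep -oE -- '--insecure-registry[= ][^[:space:]]+' |
        sed -E 's/^--insecure-registry[= ]//'
}

# True when config.json carries a non-empty inline "auth" value, which is only
# base64(user:password); with a credsStore configured the value is absent.
has_inline_creds() {
    grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# usage: audit_docker_host UNIT_FILE CONFIG_JSON ; returns non-zero on findings
audit_docker_host() {
    findings=0
    for reg in $(insecure_registries "$1"); do
        echo "FINDING: dockerd skips TLS verification for $reg"
        findings=$((findings + 1))
    done
    if [ -f "$2" ] && has_inline_creds "$2"; then
        echo "FINDING: $2 holds registry credentials in base64, not encrypted"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample input mirroring the settings shown on this page.
demo=$(mktemp -d)
cat > "$demo/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.10:5000
EOF
cat > "$demo/config.json" <<'EOF'
{ "auths": { "192.168.1.10": { "auth": "Y29uc3RydWN0ZWQ6c2FtcGxl" } } }
EOF
audit_docker_host "$demo/docker.service" "$demo/config.json" || echo "host needs attention"
rm -rf "$demo"
```

On a real host the arguments would be /usr/lib/systemd/system/docker.service and /root/.docker/config.json, the two files named on this page.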
III. Harbor private registry
1. Download the docker-compose tool
[root@localhost ~]# wget https://github.com/docker/compose/releases/download/1.26.2/docker-compose-Linux-x86_64
[root@localhost ~]# mv docker-compose-Linux-x86_64 docker-compose
[root@localhost ~]# mv docker-compose /usr/local/sbin/
[root@localhost ~]# chmod +x /usr/local/sbin/docker-compose
[root@localhost ~]# docker-compose -v
docker-compose version 1.26.2, build eefe0d31
[root@localhost ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
2. Download Harbor
[root@localhost ~]# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz
[root@localhost ~]# tar -zxf harbor-offline-installer-v2.0.2.tgz -C /usr/local/
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# vim harbor.yml
hostname: harbor.gyf.com #IP address or domain name of the Harbor server
harbor_admin_password: 123456 #Harbor administrator login password
certificate: /usr/local/harbor/certs/harbor.gyf.com.crt #certificate path
private_key: /usr/local/harbor/certs/harbor.gyf.com.key #private key path
3. Change the Docker configuration file
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.10
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
4. Start Harbor
[root@localhost certs]# cd /usr/local/harbor/
[root@localhost harbor]# ./install.sh
[root@localhost harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
761b777135e1 goharbor/harbor-jobservice:v2.0.2 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
04cf6322d8ac goharbor/nginx-photon:v2.0.2 "nginx -g 'daemon of…" About a minute ago Restarting (1) 30 seconds ago nginx
208ec9162ec5 goharbor/harbor-core:v2.0.2 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
24dc3d4f2326 goharbor/registry-photon:v2.0.2 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) 5000/tcp registry
66511aeb434a goharbor/harbor-registryctl:v2.0.2 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
8ac92be8562a goharbor/harbor-portal:v2.0.2 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 8080/tcp harbor-portal
bc1b66eb1eac goharbor/harbor-db:v2.0.2 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) 5432/tcp harbor-db
42d78c8cb4db goharbor/redis-photon:v2.0.2 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) 6379/tcp redis
7b9a01a003e7 goharbor/harbor-log:v2.0.2 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@localhost ~]# docker tag httpd:latest harbor.gyf.com/test/web:v1
[root@localhost ~]# docker login -u admin -p 123456 192.168.1.10
[root@localhost ~]# docker push harbor.gyf.com/test/web:v1
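The docker-compose command can manage the Harbor services; note that the following commands must be run from the directory that contains docker-compose.yml.
[root@localhost harbor]# docker-compose start | stop | restart //start | stop | restart
You can log in using either the IP address or the domain name.
Default username: admin Password: 123456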




5. Access Harbor over HTTPS
Replace harbor.gyf.com here with your own domain name.
1. Install the openssl certificate tool
[root@localhost ~]# yum -y install openssl
2. Create a directory to hold the certificates
[root@localhost ~]# mkdir /usr/local/harbor/certs
3. Generate an unencrypted private key for the root certificate (make sure you are in the certificate directory)
[root@localhost ~]# cd /usr/local/harbor/certs/
[root@localhost certs]# openssl genrsa -out ca.key 4096
4. Use the private key just generated to create a self-signed certificate
[root@localhost certs]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=harbor.gyf.com/OU=harbor.gyf.com/CN=harbor.gyf.com" -key ca.key -out ca.crt
5. Generate the key for the server's own domain name
[root@localhost certs]# openssl genrsa -out harbor.gyf.com.key 4096
6. Generate the CSR (certificate signing request) for the server's own domain name
[root@localhost certs]# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=harbor.gyf.com/OU=harbor.gyf.com/CN=harbor.gyf.com" -key harbor.gyf.com.key -out harbor.gyf.com.csr
7. Create the external configuration file xexternalfile.ext required by the openssl command
[root@localhost certs]# cat > xexternalfile.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.gyf.com
EOF
8. Generate the crt from the external configuration file xexternalfile.ext and the csr
[root@localhost certs]# openssl x509 -req -sha512 -days 3650 -extfile xexternalfile.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.gyf.com.csr -out harbor.gyf.com.crt
9. Convert the server's crt into the cert used by clients
[root@localhost certs]# openssl x509 -inform PEM -in harbor.gyf.com.crt -out harbor.gyf.com.cert
[root@localhost certs]# ls
ca.crt ca.srl harbor.gyf.com.crt harbor.gyf.com.key
ca.key harbor.gyf.com.cert harbor.gyf.com.csr xexternalfile.ext
10. Start the service, then access it
[root@localhost certs]# cd /usr/local/harbor/
[root@localhost harbor]# ./install.sh
[root@localhost ~]# mkdir -p /etc/docker/certs.d/harbor.gyf.com
[root@localhost ~]# cd /etc/docker/certs.d/harbor.gyf.com/
[root@localhost harbor.gyf.com]# cp /usr/local/harbor/certs/harbor.gyf.com.crt .
[root@localhost ~]# docker login https://harbor.gyf.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost ~]# docker push harbor.gyf.com/test/web:v1
The push refers to repository [harbor.gyf.com/test/web]
88b680b1fdfc: Pushed
843c3701e622: Pushed
3ba8a4f66ba2: Pushed
c865989f86f7: Pushed
d0f104dc0a1f: Pushed
v1: digest: sha256:fc717ed0d0b55ada05af1c1a95a2d4ee1153a5858fd65b654644a1a5add0c28b size: 1367
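A consistency check for the certificate files from steps 3 to 9, added here as an example that is not part of the original post: it confirms that the server certificate chains to the CA, that its subjectAltName covers the registry hostname, and that the private key belongs to the certificate. The function name `check_server_cert`, the "Demo CA" subject and the temporary sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: sanity-check a CA / server certificate / key set like the one
# produced in steps 3-9 before copying anything into /etc/docker/certs.d.

# usage: check_server_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
check_server_cert() {
    ca=$1 crt=$2 key=$3 host=$4 rc=0

    # 1. The server certificate must chain to the CA certificate (step 4).
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt is not signed by $ca"; rc=1; }

    # 2. The registry hostname must be covered by the certificate, i.e. by
    #    the subjectAltName written to the extension file in step 7.
    openssl x509 -noout -checkhost "$host" -in "$crt" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: $crt does not cover $host"; rc=1; }

    # 3. The private key must belong to the certificate: compare public keys.
    pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] ||
        { echo "FAIL: $key does not match $crt"; rc=1; }

    return "$rc"
}

# Constructed sample: a throwaway CA and server certificate generated with the
# page's commands (2048-bit keys, 1-day validity, "Demo CA" is an assumed name).
d=$(mktemp -d)
openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=Demo CA" \
    -key "$d/ca.key" -out "$d/ca.crt"
openssl genrsa -out "$d/srv.key" 2048 2>/dev/null
openssl req -new -sha512 -subj "/CN=harbor.gyf.com" \
    -key "$d/srv.key" -out "$d/srv.csr"
printf 'subjectAltName = DNS:harbor.gyf.com\n' > "$d/san.ext"
openssl x509 -req -sha512 -days 1 -extfile "$d/san.ext" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -in "$d/srv.csr" -out "$d/srv.crt" 2>/dev/null
check_server_cert "$d/ca.crt" "$d/srv.crt" "$d/srv.key" harbor.gyf.com &&
    echo "certificate set is consistent"
```

Against the files on this page the call would be `check_server_cert ca.crt harbor.gyf.com.crt harbor.gyf.com.key harbor.gyf.com`, run from /usr/local/harbor/certs.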

