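Setting up a private registry with Docker
I. Private registries
- You can set up your own container registry, and users can push or pull images themselves
- The rest of this section uses the Alibaba Cloud image registry as the example
- You need to activate the Personal Edition
- You need to create a namespace and a container repository
- This is effectively using a public registry that Alibaba Cloud has already set up; you can use it directly to push or pull
- It improves the speed of pulling images from Docker Hub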
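II. Alibaba Cloud registry example
- Log in
docker login --username=<repository-name> registry.cn-hangzhou.aliyuncs.com
# Then enter the password
1. Pushing an image to the registry
- First, tag your image
# Format
docker tag <image> <registry-address>/<namespace>/<repository>:<tag>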
docker tag alpine:latest registry.cn-hangzhou.aliyuncs.com/uu7/docker:alpine-l
- Push it to the Alibaba Cloud container registry
[root@docker ~]# docker push registry.cn-hangzhou.aliyuncs.com/uu7/docker:alpine-l
The push refers to repository [registry.cn-hangzhou.aliyuncs.com/uu7/docker]
fd2758d7a50e: Layer already exists
alpine-l: digest: sha256:e9e9d51e25e4343f56b64d5ef1717234ec62241d93bf59734c53b4108b5c19ca size: 527
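2. Pulling an image from the registry
- No login is required; anyone can pull the image (true for a repository whose visibility is set to public)
# Format
docker pull <registry-address>/<namespace>/<repository>:<tag>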
[root@docker ~]# docker pull registry.cn-hangzhou.aliyuncs.com/uu7/docker:alpine-l
alpine-l: Pulling from uu7/docker
Digest: sha256:e9e9d51e25e4343f56b64d5ef1717234ec62241d93bf59734c53b4108b5c19ca
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/uu7/docker:alpine-l
registry.cn-hangzhou.aliyuncs.com/uu7/docker:alpine-l
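# The image has now been pulled
III. Building an enterprise-grade private image registry with Harbor
- Go to the official Harbor website, click download, and choose the offline installer to download the package
# Extract the package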
[root@docker harbor-2.7]# tar -xzvf harbor-offline-v2.7.1.tar.gz
harbor/harbor.v2.7.1.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
- Write the yml file
[root@docker harbor]# cp harbor.yml.tmpl harbor.yml
# Edit the yml file
hostname: 192.168.50.10
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 5000
# Comment out the https section; it is not needed here
# Password for the Harbor admin account
harbor_admin_password: 12345
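- Modify docker.service
- Otherwise Docker reports an HTTPS error when the yml file is run, because the daemon expects registries to use HTTPS unless they are listed as insecure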
[root@docker system]# pwd
/usr/lib/systemd/system
[root@docker system]# vim docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.50.10:5000
# Restart the docker service after saving the unit file
- Load the images that Harbor uses
[root@docker harbor]# docker load -i harbor.v2.7.1.tar.gz
- Run the prepare script
[root@docker harbor]# ./prepare
prepare base dir is set to /root/harbor-2.7/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
# Many configuration files are generated; docker-compose.yml is the important one
[root@docker harbor]# ls
common harbor.v2.7.1.tar.gz install.sh
common.sh harbor.yml LICENSE
docker-compose.yml harbor.yml.tmpl prepare
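- common.sh and install.sh fail when run, because docker-compose is not installed
- They also run the docker-compose version command, which is the version 7 command; it has to be changed to docker compose version
- Editing these 2 script files is enough
# Edit line 119 of common.sh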
119 elif [[ $(docker compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
# Edit install.sh
26 DOCKER_COMPOSE="docker compose"
# Run the install.sh script, which calls common.sh
[root@docker harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 26.1.3
[Step 1]: checking docker-compose is installed ...
Note: Docker Compose version v2.27.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/notary-signer-photon:v2.7.1
Loaded image: goharbor/notary-server-photon:v2.7.1
Loaded image: goharbor/prepare:v2.7.1
Loaded image: goharbor/harbor-portal:v2.7.1
Loaded image: goharbor/harbor-db:v2.7.1
Loaded image: goharbor/harbor-jobservice:v2.7.1
Loaded image: goharbor/harbor-exporter:v2.7.1
Loaded image: goharbor/nginx-photon:v2.7.1
Loaded image: goharbor/registry-photon:v2.7.1
Loaded image: goharbor/trivy-adapter-photon:v2.7.1
Loaded image: goharbor/chartmuseum-photon:v2.7.1
Loaded image: goharbor/harbor-core:v2.7.1
Loaded image: goharbor/harbor-log:v2.7.1
Loaded image: goharbor/harbor-registryctl:v2.7.1
Loaded image: goharbor/redis-photon:v2.7.1
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor-2.7/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
WARN[0000] /root/harbor-2.7/harbor/docker-compose.yml: `version` is obsolete
[Step 5]: starting Harbor ...
WARN[0000] /root/harbor-2.7/harbor/docker-compose.yml: `version` is obsolete
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.7s
✔ Container registryctl Started 2.4s
✔ Container redis Started 2.3s
✔ Container registry Started 2.6s
✔ Container harbor-db Started 2.0s
✔ Container harbor-portal Started 2.1s
✔ Container harbor-core Started 3.5s
✔ Container nginx Started 4.5s
✔ Container harbor-jobservice Started 4.8s
✔ ----Harbor has been installed and started successfully.----
- Check the containers
[root@docker harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a867e022121b goharbor/nginx-photon:v2.7.1 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:5000->8080/tcp, :::5000->8080/tcp nginx
07f84ad91b03 goharbor/harbor-jobservice:v2.7.1 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
ec3ea7e72689 goharbor/harbor-core:v2.7.1 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
465f952b1ac5 goharbor/harbor-db:v2.7.1 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) harbor-db
c499391c8eb3 goharbor/registry-photon:v2.7.1 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) registry
aa3fc8870e82 goharbor/redis-photon:v2.7.1 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) redis
8f029c7e370c goharbor/harbor-registryctl:v2.7.1 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
5201c38e6143 goharbor/harbor-portal:v2.7.1 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) harbor-portal
d36c2fd45230 goharbor/harbor-log:v2.7.1 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
- Open the Harbor web page
- Browse to 192.168.50.10:5000
- The username is admin and the password is 12345
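An added example (not from the original post or the Harbor project): a read-only shell check that flags the three settings this walkthrough relies on, namely the commented-out https section, the short admin password and the dockerd --insecure-registry flag. The function names, the sample files and the 12-character threshold are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: audit a Harbor install for the HTTP-only lab settings.
# Function names and sample files are constructed for this demonstration.

# Print one finding per line for a harbor.yml; print nothing if it passes.
audit_harbor_yml() {
    hy_file=$1
    # An active (uncommented) top-level "https:" key means TLS is configured.
    if ! grep -Eq '^https:' "$hy_file"; then
        echo "harbor.yml: no active https section, logins and images travel in cleartext"
    fi
    hy_pw=$(sed -n 's/^harbor_admin_password:[[:space:]]*//p' "$hy_file" | head -n 1)
    # Harbor12345 is the default shipped in harbor.yml.tmpl.
    if [ "$hy_pw" = "Harbor12345" ]; then
        echo "harbor.yml: harbor_admin_password is still the template default"
    elif [ "${#hy_pw}" -lt 12 ]; then   # 12 is an assumed minimum length
        echo "harbor.yml: harbor_admin_password is shorter than 12 characters"
    fi
}

# Print every registry that dockerd is told to reach without verified TLS.
audit_dockerd_unit() {
    grep -E '^ExecStart=' "$1" \
        | grep -Eo -- '--insecure-registry[= ][^ ]+' \
        | sed -E 's/^--insecure-registry[= ]/docker.service: insecure registry /'
}

# Constructed sample files that mirror the values used in this walkthrough.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/harbor.yml" <<'EOF'
hostname: 192.168.50.10
http:
  port: 5000
# https:
#   port: 443
harbor_admin_password: 12345
EOF
cat > "$demo_dir/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.50.10:5000
EOF

audit_harbor_yml "$demo_dir/harbor.yml"
audit_dockerd_unit "$demo_dir/docker.service"
```

On a real host, point the two functions at the harbor.yml in the install directory and at /usr/lib/systemd/system/docker.service.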

1. Pushing an image to the Harbor registry
# First log in to the Harbor registry
[root@docker harbor]# docker login 192.168.50.10:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

# Tag the image
[root@docker harbor]# docker tag alpine:latest 192.168.50.10:5000/test/alpine:latest
[root@docker harbor]# docker push 192.168.50.10:5000/test/alpine
Using default tag: latest
The push refers to repository [192.168.50.10:5000/test/alpine]
fd2758d7a50e: Pushed
latest: digest: sha256:e9e9d51e25e4343f56b64d5ef1717234ec62241d93bf59734c53b4108b5c19ca size: 527

2. Pulling an image from Harbor
# Drop the trailing sha256 digest and append the image tag instead
[root@docker harbor]# docker pull 192.168.50.10:5000/test/alpine:latest
latest: Pulling from test/alpine
fe07684b16b8: Pull complete
Digest: sha256:e9e9d51e25e4343f56b64d5ef1717234ec62241d93bf59734c53b4108b5c19ca
Status: Downloaded newer image for 192.168.50.10:5000/test/alpine:latest
192.168.50.10:5000/test/alpine:latest
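IV. Container resource limits
- Limits on CPU and memory
1. Why
- Containers are created on a Linux host and consume some of its resources; without limits, a container can in theory use all the resources of the physical machine
2. How
1. Check container usage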
[root@docker ~]# docker stats --no-stream
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
44a0083dd80d os1 0.00% 5.328MiB / 3.799GiB 0.14% 1.11kB / 0B 23.3MB / 0B 1
1. Setting memory and CPU
- The -m parameter
[root@docker ~]# docker run -tid --name os2 -m 512m centos:8
03d2ebd41aadd44de118ce99ee1c6d46c9fecae5b9b08aa02db2cec955b6c83d
[root@docker ~]# docker stats --no-stream
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
03d2ebd41aad os2 0.00% 1.551MiB / 512MiB 0.30% 586B / 0B 0B / 0B 1
44a0083dd80d os1 0.00% 6.172MiB / 3.799GiB 0.16% 1.39kB / 0B 23.3MB / 0B 1
2. Setting CPU
- Pin the container's processes to a particular CPU
# This shows the number of CPUs
[root@docker ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
# Create a container whose processes all run on CPU 0
[root@docker ~]# docker run -tid --name os3 --cpuset-cpus 0 centos:8
07e5f3e76959bf3f966e0022646415ec8ebedfa7f573e7c19b668b154f05741b
[root@07e5f3e76959 /]# cat /dev/zero > /dev/null &
[1] 32
[root@07e5f3e76959 /]# exit
exit
[root@docker ~]# ps mo pid,comm,psr $(pgrep cat)
PID COMMAND PSR
2793 cat -
- - 0
