Configuring a Private Harbor Registry and Notary Server for Docker and Containerd

Configuring Docker for Harbor

Modify the Docker configuration

On a Linux VM, configure it as follows:

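# Docker does not allow pushing images over non-HTTPS connections by default, so configure the registry address on every server that needs to pull images
vim /etc/docker/daemon.json
# Add the following (the address that clients use to reach Harbor);
# if the file already has content, merge the key into the existing object:
{
    "insecure-registries": [
        "10.211.55.2:80"
    ]
}

# Restart Docker
systemctl restart docker
# Restart the Harbor containers; run this from the harbor directory
docker-compose stop
docker-compose up -d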

On a Mac, configure this directly in Docker Desktop.

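Pushing an image (using the official nginx image as an example)

  1. Preparation: log in to Harbor and tag the image
# Log in to Harbor with docker
docker login 10.211.55.2:80 -u admin
# Tag the nginx image
# Format: docker tag image:version your-ip:port/project/new-image:version
docker tag nginx:latest 10.211.55.2:80/library/nginx:latest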

The result:

➜ harbor docker images
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
10.211.55.2:80/library/nginx   latest    47ef8710c9f5   3 weeks ago   198MB
nginx                            latest    47ef8710c9f5   3 weeks ago   198MB
  2. Start the push
➜ harbor docker push 10.211.55.2:80/library/nginx:latest
The push refers to repository [10.211.55.2:80/library/nginx]
be61b0da9648: Pushed
58d58d2ade95: Pushed
beb3bb225b88: Pushed
bdc4a6d15284: Pushed
4b950e3c58cf: Pushed
e0ed4995377a: Pushed
f0f023a63482: Pushed
latest: digest: sha256:148cb3109165d936620429e68a78b0880009148826cc0900c5de1d04f5694061 size: 1778


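Configuring Docker for Notary

  1. Create a directory to hold the certificate that docker uses to connect to the Notary server: mkdir -p ~/.docker/tls/<notary-server ip>:<notary-server port>
  2. Move the .crt file generated earlier with openssl into the directory created in the previous step, and rename it root-ca.crt
  3. Turn on DCT (Docker Content Trust): export DOCKER_CONTENT_TRUST=1
  4. Set the address of the private Notary server: export DOCKER_CONTENT_TRUST_SERVER="https://10.211.55.2:4443"
  5. Push an image. The first push creates the keys, which are stored under ~/.docker/trust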


Configuring Containerd for Harbor

Open /etc/containerd/config.toml, find the plugins.'io.containerd.cri.v1.images'.registry section, and add the config_path setting

[plugins.'io.containerd.cri.v1.images'.registry]
      config_path = '/etc/containerd/certs.d'

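The plugin name differs between versions; see the content mentioned at the end of this blog post.

Create the /etc/containerd/certs.d directory and add a hosts.toml file

# Change 10.211.55.2:80 to the IP and port of your own Harbor
sudo mkdir -p /etc/containerd/certs.d/10.211.55.2:80
cd /etc/containerd/certs.d/10.211.55.2:80
# Create hosts.toml
sudo touch hosts.toml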

The contents of hosts.toml are as follows (change the IP and port to your own, and note that HTTP is used here):

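server = "http://10.211.55.2:80"

[host."http://10.211.55.2:80"]
  username = "admin"
  password = "Harbor12345"
  capabilities = ["pull", "resolve", "push"]
  # skip_verify turns off TLS certificate verification; it only matters for https:// endpoints
  skip_verify = true
  [host."http://10.211.55.2:80".header]
    # Base64 encoding of "admin:Harbor12345" (username:password)
    authorization = "Basic YWRtaW46SGFyYm9yMTIzNDU="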
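
The check below is an added example, not part of the original post: it rebuilds the Basic header value from a username and password and audits a hosts.toml for the relaxed settings used above (plain HTTP, skip_verify, credentials in the file, world-readable mode). The function names basic_auth_header and audit_hosts_toml are hypothetical, and the sample file is constructed from the values on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# Build the value of the "authorization" header from a user name and password.
basic_auth_header() {
  printf 'Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Print one finding per line for a containerd hosts.toml; print nothing if clean.
audit_hosts_toml() {
  local f=$1
  if grep -Eq '"http://' "$f"; then
    echo "plain-http: credentials and image layers cross the network unencrypted"
  fi
  if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$f"; then
    echo "skip-verify: TLS certificate verification is turned off"
  fi
  if grep -Eiq '^[[:space:]]*(password|authorization)[[:space:]]*=' "$f"; then
    echo "embedded-secret: registry credentials are stored in the file"
  fi
  if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
    echo "world-readable: any local user can read the file"
  fi
  return 0
}

# Constructed sample: the hosts.toml from this page, written to a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.toml" <<EOF
server = "http://10.211.55.2:80"

[host."http://10.211.55.2:80"]
  username = "admin"
  password = "Harbor12345"
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
  [host."http://10.211.55.2:80".header]
    authorization = "$(basic_auth_header admin Harbor12345)"
EOF
chmod 644 "$demo_dir/hosts.toml"
audit_hosts_toml "$demo_dir/hosts.toml"   # reports all four findings
chmod 600 "$demo_dir/hosts.toml"
audit_hosts_toml "$demo_dir/hosts.toml"   # the world-readable finding is gone
```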

Restart containerd

sudo systemctl restart containerd

Pull:

sudo ctr image pull --hosts-dir "/etc/containerd/certs.d" 10.211.55.2:80/library/nginx:latest
posted @ 2025-09-09 20:45  Miaops