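Overview:
Docker's official image registry is where public images are managed: anyone can find the images they need there and push their own. Sometimes, however, servers cannot reach the internet, or you do not want to put your images on the internet. In that case you need a private Docker Registry, which stores and manages your own images. Our company recently packaged all of its projects as images and needed to deploy a private registry service. After several rounds of discussion we chose Docker Harbor: it has a visual web management interface that makes Docker image operations convenient and simple, and it also provides per-project image permission management and access control, among other features.
Harbor architecture components
- Proxy: Harbor's Registry, UI, token and other services sit behind a front-end reverse proxy, which receives all requests from browsers and Docker clients and forwards them to the appropriate back-end service.
- Registry: stores Docker images and handles Docker push/pull commands. Because access control is applied per user (different users have different read and write permissions on Docker images), the Registry points to a token service and requires every Docker pull/push request to carry a valid token; the Registry uses the public key to verify the token.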
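The token check described in the Registry item, as an added example (not from the original page or the Harbor project): a client reads the Registry's Bearer challenge, builds the token request, and inspects which actions the returned token's claims grant. The challenge string, its realm and service values, and the unsigned sample tokens are constructed assumptions; the repository and user names are the ones used later on this page.

```python
import base64
import json
import re
from urllib.parse import urlencode

def parse_bearer_challenge(header):
    """Split a 'Bearer k="v",...' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def token_request_url(challenge):
    """URL the client calls, with its credentials, to obtain a token."""
    query = urlencode({"service": challenge["service"], "scope": challenge["scope"]})
    return challenge["realm"] + "?" + query

def jwt_claims(token):
    """Decode the claims segment for inspection only (no signature check);
    the Registry is the party that verifies the token with the public key."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def allows(claims, repository, action):
    """True if the token's access list grants `action` on `repository`."""
    return any(
        e.get("type") == "repository" and e.get("name") == repository
        and action in e.get("actions", [])
        for e in claims.get("access", [])
    )

def make_token(user, actions):
    """Build an unsigned sample token (constructed data, placeholder signature)."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    access = [{"type": "repository", "name": "cccoooo/cirros", "actions": actions}]
    return ".".join([seg({"alg": "RS256"}), seg({"sub": user, "access": access}), "sig"])

# Constructed challenge; the realm and service values are assumptions.
CHALLENGE = ('Bearer realm="http://192.168.50.66/service/token",'
             'service="harbor-registry",scope="repository:cccoooo/cirros:pull"')

if __name__ == "__main__":
    print(token_request_url(parse_bearer_challenge(CHALLENGE)))
    print(allows(jwt_claims(make_token("asd", [])), "cccoooo/cirros", "pull"))        # False
    print(allows(jwt_claims(make_token("asd", ["pull"])), "cccoooo/cirros", "pull"))  # True
```

A token whose access entry carries no actions is what a user without a role in the project receives, and the Registry then answers the pull with "requested access to the resource is denied".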
Environment:
Two hosts:
192.168.50.66      master        server
192.168.50.53      lbin-nfs      client
Perform the same steps on both hosts
Disable the firewall and set SELinux to permissive mode
[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
Change the hostname
[root@localhost ~]# hostname master
[root@localhost ~]# bash
Create a directory for the Docker RPM packages
[root@master ~]# mkdir docker
Import the docker-ce packages
[root@master docker]# ll
總用量 97596
-rw-r--r--. 1 root root 30374084 9月  18 2020 containerd.io-1.3.7-3.1.el7.x86_64.rpm
-rw-r--r--. 1 root root    40816 7月   6 2020 container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
-rw-r--r--. 1 root root   302564 5月  14 2020 device-mapper-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   195448 5月  14 2020 device-mapper-event-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   195004 5月  14 2020 device-mapper-event-libs-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   331908 5月  14 2020 device-mapper-libs-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   432624 4月   4 2020 device-mapper-persistent-data-0.8.5-2.el7.x86_64.rpm
-rw-r--r--. 1 root root 25268380 9月  18 2020 docker-ce-19.03.13-3.el7.x86_64.rpm
-rw-r--r--. 1 root root 40247476 10月  9 2020 docker-ce-cli-19.03.13-3.el7.x86_64.rpm
-rw-r--r--. 1 root root  1384208 5月  14 2020 lvm2-2.02.186-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root  1143916 5月  14 2020 lvm2-libs-2.02.186-7.el7_8.2.x86_64.rpm
[root@localhost docker]# yum -y install *.rpm
[root@localhost docker]# cd
Start Docker and enable it at boot
[root@localhost ~]# systemctl start docker
[root@localhost ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Configure the Alibaba Cloud registry mirror
[root@localhost ~]# cat << END > /etc/docker/daemon.json
> {
>         "registry-mirrors":[ "https://nyakyfun.mirror.aliyuncs.com" ]
> }
> END
Restart the service
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
Get the Docker Compose tool.
[root@localhost ~]# rz
[root@localhost ~]# mv docker-compose /usr/bin
[root@localhost ~]# chmod +x /usr/bin/docker-compose
[root@localhost ~]# docker-compose --version
docker-compose version 1.21.1, build 5a3f1a3
Harbor configuration (server side)
[root@master ~]# tar xf harbor-offline-installer-v1.6.1.tgz
[root@master ~]# cd harbor
[root@master harbor]# tree
bash: tree: 未找到命令
[root@master harbor]# yum -y install tree
[root@master harbor]# tree ha
ha
├── docker-compose.clair.tpl
├── docker-compose.clair.yml
├── docker-compose.tpl
├── docker-compose.yml
├── initial-registry.sql
└── sample
    ├── active_active
    │   ├── check.sh
    │   └── keepalived_active_active.conf
    └── active_standby
        ├── check_harbor.sh
        └── keepalived_active_standby.conf
[root@master ]# vim /root/harbor/harbor.cfg
hostname = 192.168.50.66
[root@master harbor]# sh install.sh
If the installer reports an error, modify the file below
[root@master harbor]# cat ha/initial-registry.sql
CREATE DATABASE IF NOT EXISTS `registry` CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';
Success
Check the status
[root@master harbor]# docker-compose ps
       Name                     Command                  State                    Ports
----------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp,
                                                                     0.0.0.0:4443->4443/tcp,
                                                                     0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
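Access from a browser
If everything is working, you should be able to open the management page at 192.168.50.66 in a browser. The default administrator username and password are admin/Harbor12345.
Create a new project
- After entering the username and password and logging in, you can create a new project. Click the "+ Project" button.
Click the "OK" button; the project is created.
You can now use Docker commands on the Harbor host itself to log in and push images through 127.0.0.1. By default, the Registry server is on port 80.
Log in to Harbor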
[root@master harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
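The second warning above means the login is kept in /root/.docker/config.json as base64 of user:password, which anyone who can read the file can decode. This added example (not part of the original page) lists the registries whose credentials are stored that way; the sample config and its registry.example.internal entry are constructed.

```python
import base64
import json

def audit_docker_config(text):
    """List registries whose login is stored inline in a Docker config.json."""
    cfg = json.loads(text)
    store = cfg.get("credsStore")         # global credential store, if any
    helpers = cfg.get("credHelpers", {})  # per-registry credential helpers
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            # Empty entry: the secret is held by a credential store or helper.
            continue
        # "auth" is base64("user:password"): an encoding, not encryption.
        user = base64.b64decode(auth).decode().split(":", 1)[0]
        findings.append({
            "registry": registry,
            "user": user,  # the password is deliberately not reported
            "helper_available": bool(helpers.get(registry) or store),
        })
    return findings

def sample_config():
    """Constructed config.json resembling the state after the login above."""
    auth = base64.b64encode(b"admin:Harbor12345").decode()
    return json.dumps({
        "auths": {"127.0.0.1": {"auth": auth}, "registry.example.internal": {}},
        "credHelpers": {"registry.example.internal": "pass"},
    })

if __name__ == "__main__":
    for finding in audit_docker_config(sample_config()):
        print(finding)
```

Run it against the real file with audit_docker_config(open("/root/.docker/config.json").read()); an empty result means no login is stored inline.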
Pull an image for testing
[root@master harbor]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
Tag the image
[root@master harbor]# docker tag cirros 127.0.0.1/cccoooo/cirros:v1
Push to Harbor
[root@master harbor]# docker push 127.0.0.1/cccoooo/cirros:v1
The push refers to repository [127.0.0.1/cccoooo/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
v1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
Check that the image is there
[root@master harbor]# docker images
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
127.0.0.1/cccoooo/cirros        v1                  f9cae1daf5f6        2 years ago         12.6MB
Refresh the page to view it
Pushing an image from the client
Edit the configuration file
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.50.66
Restart the service
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
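The same setting can also be given as the "insecure-registries" key in /etc/docker/daemon.json, but dockerd refuses to start when an option is set both as a flag and in that file. This added example (not part of the original page) lists the registries a host trusts without TLS verification and detects that conflict; the inputs are constructed from the lines shown on this page, plus a constructed daemon.json that sets the key.

```python
import json
import shlex

def flag_registries(unit_text):
    """Collect --insecure-registry values from ExecStart= lines of a unit file."""
    found = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStart="):
            continue
        args = shlex.split(line[len("ExecStart="):])
        for i, arg in enumerate(args):
            if arg == "--insecure-registry" and i + 1 < len(args):
                found.append(args[i + 1])
            elif arg.startswith("--insecure-registry="):
                found.append(arg.split("=", 1)[1])
    return found

def audit_daemon(unit_text, daemon_json_text):
    """Report registries trusted without TLS verification, and whether the flag
    and daemon.json both set the option (dockerd will not start in that case)."""
    cfg = json.loads(daemon_json_text or "{}")
    from_flag = flag_registries(unit_text)
    from_file = cfg.get("insecure-registries", [])
    return {
        "insecure": sorted(set(from_flag) | set(from_file)),
        "conflict": bool(from_flag) and "insecure-registries" in cfg,
        # An entry containing "/" is a CIDR range covering every host in it.
        "cidr_ranges": [r for r in from_flag + from_file if "/" in r],
    }

# Constructed inputs based on the lines shown on this page.
UNIT = ("[Service]\n"
        "ExecStart=/usr/bin/dockerd -H fd:// "
        "--containerd=/run/containerd/containerd.sock --insecure-registry 192.168.50.66\n")
MIRROR_ONLY = '{"registry-mirrors": ["https://nyakyfun.mirror.aliyuncs.com"]}'
BOTH = '{"insecure-registries": ["192.168.50.66", "10.0.0.0/8"]}'

if __name__ == "__main__":
    print(audit_daemon(UNIT, MIRROR_ONLY))
    print(audit_daemon(UNIT, BOTH))
```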
Log in
Option 1
[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 http://192.168.50.66
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Option 2
[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 192.168.50.66
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pull an image for testing
[root@lbin-nfs ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
Tag it
[root@lbin-nfs ~]# docker tag cirros 192.168.50.66/cccoooo/cirros:v22
Push
[root@lbin-nfs ~]# docker push 192.168.50.66/cccoooo/cirros:v22
The push refers to repository [192.168.50.66/cccoooo/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
v22: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
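View in the browser
Day-to-day Harbor administration
When you click "+ Project", fill in the project name according to your naming convention. Project access level: leave the box unchecked for private (checking it makes the project "public"). If a project is set as a public repository, everyone has read permission on the images in it, images can be pulled from the command line without running "docker login", and image operations work the same as on Docker Hub.
Create a user
Set permissions
First log out of the current user, then log in with the account created above.
Log out
[root@lbin-nfs ~]# docker logout 192.168.50.66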
Removing login credentials for 192.168.50.66
Log in
[root@lbin-nfs ~]# docker login 192.168.50.66
Username: asd
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pull the v1 image
[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1
Error response from daemon: pull access denied for 192.168.50.66/cccoooo/cirros, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1
v1: Pulling from cccoooo/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for 192.168.50.66/cccoooo/cirros:v1
192.168.50.66/cccoooo/cirros:v1
Check
[root@lbin-nfs ~]# docker images
REPOSITORY                     TAG                 IMAGE ID            CREATED             SIZE
postgres                       latest              07e2ee723e2d        19 months ago       374MB
mysql                          5.6                 dd3b2a5dcb48        19 months ago       303MB
redis                          alpine              3900abf41552        20 months ago       32.4MB
192.168.50.66/cccoooo/cirros   v1                  f9cae1daf5f6        2 years ago         12.6MB
View the logs
Managing Harbor
You can use docker-compose to manage Harbor. Some useful commands are shown below (they must be run in the same directory as docker-compose.yml).
Stop/start/restart Harbor
[root@master harbor]# docker-compose stop | start | restart