Container Cloud Platform No.5 ~ Enterprise Private Image Registry Harbor V2.02

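Image registry

A repository, as the name suggests, is a place to store things; a Docker registry, naturally, is the place where Docker images are stored.
Docker registries are either public or private. Public registries include hub.docker.com, gcr.io, k8s.gcr.io and others; the official images of commonly used open-source applications are usually stored in public registries. However, since these registries are hosted abroad, downloads are slow, especially for Kubernetes-related images.
A private registry is usually set up by a company internally to store the Docker images it builds; services pull from it at deployment time, so distribution is fast.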

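Docker officially provides an image, registry, for setting up a private registry: just pull the image, run the container and expose port 5000, and it is ready to use. It is not covered in detail here.
### Harbor
An enterprise-grade Registry service for storing Docker images. Compared with the native Registry, it has many advantages.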

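  • Provides a layered transfer mechanism that optimizes network transfer
  • Provides a web interface that improves the user experience
  • Supports horizontally scaled clusters
  • Good security mechanisms
  • Harbor provides role-based access control and uses projects to organize images and control access permissions

Harbor architecture diagram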

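Installing Harbor

PS: Since the image registry is a foundational service, it is recommended to deploy it on a dedicated server.

1. Download the offline installer package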

# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz

2. Extract it and modify the harbor.yml configuration file as needed; the defaults are used here

# tar -zxf harbor-offline-installer-v2.0.2.tgz
# cd harbor/
# mv  harbor.yml.tmpl harbor.yml

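3. Run the install command
The default installation is used here. If you are interested, you can install additional services such as Notary, Clair, or Chart Repository Service with ./install.sh --with-notary --with-clair --with-chartmuseum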

./install.sh
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.2
[Step 2]: loading Harbor images ...
Loaded image: goharbor/prepare:v2.0.2
Loaded image: goharbor/harbor-jobservice:v2.0.2
Loaded image: goharbor/harbor-registryctl:v2.0.2
Loaded image: goharbor/registry-photon:v2.0.2
Loaded image: goharbor/harbor-core:v2.0.2
Loaded image: goharbor/notary-signer-photon:v2.0.2
Loaded image: goharbor/clair-photon:v2.0.2
Loaded image: goharbor/trivy-adapter-photon:v2.0.2
Loaded image: goharbor/harbor-log:v2.0.2
Loaded image: goharbor/nginx-photon:v2.0.2
Loaded image: goharbor/clair-adapter-photon:v2.0.2
Loaded image: goharbor/chartmuseum-photon:v2.0.2
Loaded image: goharbor/harbor-portal:v2.0.2
Loaded image: goharbor/harbor-db:v2.0.2
Loaded image: goharbor/redis-photon:v2.0.2
Loaded image: goharbor/notary-server-photon:v2.0.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-db     ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
 ----Harbor has been installed and started successfully.----

Let's see which services are running.

docker ps 
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS                   PORTS                       NAMES
8d746c430f3e        goharbor/harbor-jobservice:v2.0.2    "/harbor/entrypoint."   4 minutes ago       Up 4 minutes (healthy)                               harbor-jobservice
388f24831ec9        goharbor/nginx-photon:v2.0.2         "nginx -g 'daemon of"   4 minutes ago       Up 4 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
15bc12fd3826        goharbor/harbor-core:v2.0.2          "/harbor/entrypoint."   4 minutes ago       Up 4 minutes (healthy)                               harbor-core
bb48e39130e5        goharbor/harbor-db:v2.0.2            "/docker-entrypoint."   4 minutes ago       Up 4 minutes (healthy)   5432/tcp                    harbor-db
1bcd0ffcae82        goharbor/harbor-registryctl:v2.0.2   "/home/harbor/start."   4 minutes ago       Up 4 minutes (healthy)                               registryctl
8ef9f3d3a668        goharbor/redis-photon:v2.0.2         "redis-server /etc/r"   4 minutes ago       Up 4 minutes (healthy)   6379/tcp                    redis
e05d4d845f3f        goharbor/harbor-portal:v2.0.2        "nginx -g 'daemon of"   4 minutes ago       Up 4 minutes (healthy)   8080/tcp                    harbor-portal
c5fcd2369931        goharbor/registry-photon:v2.0.2      "/home/harbor/entryp"   4 minutes ago       Up 4 minutes (healthy)   5000/tcp                    registry
61e69b171b33        goharbor/harbor-log:v2.0.2           "/bin/sh -c /usr/loc"   4 minutes ago       Up 4 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

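From the output, you can see that quite a few service components were installed; refer to the architecture diagram.
Harbor is now installed. Next, test pushing an image to this registry and pulling an image from this private registry.

Pushing an image

First, log in to the private registry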

docker login 10.26.27.106
Username: admin
Password: 
Error response from daemon: Get https://10.26.27.106/v2/: dial tcp 10.26.27.106:443: connect: connection refused

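The login fails because this registry has no HTTPS configured; by default Docker only allows logging in to HTTPS services and treats HTTP as insecure.
Now modify the Docker configuration to allow Docker to log in to the insecure registry:
edit /etc/docker/daemon.json with vim and add "insecure-registries":["10.26.27.106"]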

{
  "registry-mirrors": ["https://ci7pm4nx.mirror.aliyuncs.com","https://registry.docker-cn.com","http://hub-mirror.c.163.com"],
  "insecure-registries":["10.26.27.106"]
}

Log in again

# systemctl restart docker
# docker login http://10.26.27.106
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
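
An added example, not part of the original post: a small Python audit of the two files touched above, flagging registries the daemon may reach without TLS and credentials that docker login left in config.json. The sample file contents are constructed (the password is a placeholder) and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed samples mirroring the files shown above; the password is a placeholder.
DAEMON_JSON = '''{
  "registry-mirrors": ["https://ci7pm4nx.mirror.aliyuncs.com","https://registry.docker-cn.com","http://hub-mirror.c.163.com"],
  "insecure-registries":["10.26.27.106"]
}'''
CONFIG_JSON = json.dumps({"auths": {"10.26.27.106": {
    "auth": base64.b64encode(b"admin:example-password").decode()}}})


def audit_daemon(text):
    """Return findings for registries the daemon may talk to without TLS."""
    cfg = json.loads(text)
    findings = [f"insecure-registry: {r} (plain HTTP or unverified TLS allowed)"
                for r in cfg.get("insecure-registries", [])]
    findings += [f"http-mirror: {m} (pulls via this mirror are not encrypted)"
                 for m in cfg.get("registry-mirrors", [])
                 if urlparse(m).scheme != "https"]
    return findings


def audit_client(text):
    """Return findings for credentials that docker login stored in the file."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        # When a credential helper is in use, the "auth" field is absent or empty.
        if not entry.get("auth"):
            continue
        # "auth" is base64("user:password"): an encoding, not encryption.
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        has_helper = bool(cfg.get("credsStore")) or registry in helpers
        note = "helper configured, stale entry" if has_helper else "no credential helper"
        findings.append(f"plaintext-credential: {registry} user={user} ({note})")
    return findings


if __name__ == "__main__":
    for line in audit_daemon(DAEMON_JSON) + audit_client(CONFIG_JSON):
        print(line)
```

To audit a real host, pass the contents of /etc/docker/daemon.json and /root/.docker/config.json to the two functions instead of the constructed samples.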

The login now succeeds. Next, pull an image from a public registry and then push it to the private registry

docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
df8698476c65: Pull complete 
Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

Use tag to retag the busybox image just downloaded as 10.26.27.106/library/busybox:latest

# docker tag busybox:latest 10.26.27.106/library/busybox:latest
# docker push 10.26.27.106/library/busybox:latest
The push refers to repository [10.26.27.106/library/busybox]
be8b8b42328a: Pushed 
latest: digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002 size: 527

As you can see, the push succeeded.

Pulling an image

First, delete all the busybox images

docker images|grep busybox
10.26.27.106/libary/busybox                         latest              6858809bf669        4 days ago          1.23MB
10.26.27.106/library/busybox                        latest              6858809bf669        4 days ago          1.23MB
busybox                                             latest              6858809bf669        4 days ago          1.23MB
docker rmi busybox 10.26.27.106/library/busybox     10.26.27.106/libary/busybox
Untagged: busybox:latest
Untagged: busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Untagged: 10.26.27.106/library/busybox:latest
Untagged: 10.26.27.106/library/busybox@sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Untagged: 10.26.27.106/libary/busybox:latest
Deleted: sha256:6858809bf669cc5da7cb6af83d0fae838284d12e1be0182f92f6bd96559873e3
Deleted: sha256:be8b8b42328a15af9dd6af4cba85821aad30adde28d249d1ea03c74690530d1c

Pull the image

docker pull 10.26.27.106/library/busybox
Using default tag: latest
latest: Pulling from library/busybox
df8698476c65: Pull complete 
Digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Status: Downloaded newer image for 10.26.27.106/library/busybox:latest
10.26.27.106/library/busybox:latest

As you can see, the pull succeeded. All done.

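Note: the images in this article come from the internet; if any infringe your rights, please contact me and I will remove them promptly.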