Docker仓库和网络、harbor仓库

1、docker搭建私有仓库

Docker 仓库是用来包含镜像的位置,Docker提供一个注册服
务器(Register)来保存多个仓库,每个仓库又可以包含多个
具备不同tag的镜像。
Docker运行中使用的默认仓库是 Docker Hub 公共仓库。
Docker Registry有三个角色,分别是index、registry和registry
client

##下载registry镜像
[root@server1 ~]# docker search registry
[root@server1 ~]# docker pull registry  
[root@server1 ~]# docker images registry
[root@server1 ~]# docker ps -a
[root@server1 ~]# docker stop webserver
webserver
[root@server1 ~]# docker rm webserver
[root@server1 ~]# docker history registry:latest 

##运行registry容器
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry  
[root@server1 ~]# docker ps
[root@server1 ~]# netstat -antlp
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 2 root root 6 Jan 26 23:11 /opt/registry/

上传镜像到本地仓库,本地镜像在命名时需要加上仓库的ip和端口
[root@server1 ~]# docker tag webserver:v4 localhost:5000/webserver:latest
[root@server1 ~]# docker images
REPOSITORY                        TAG       IMAGE ID       CREATED        SIZE
webserver                         v4        047ab2e35274   15 hours ago   31.7MB
localhost:5000/webserver          lastest   047ab2e35274   15 hours ago   31.7MB
[root@server1 ~]# docker push localhost:5000/webserver
[root@server1 ~]# tree /opt/registry/
[root@server1 ~]# curl localhost:5000/v2/_catalog
{"repositories":["webserver"]}

2、docker仓库加密 认证

远程拉取仓库

[root@server2 yum.repos.d]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json
{
  "insecure-registries" : ["192.168.0.1:5000"]
}

[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker pull 192.168.0.1:5000/webserver
[root@server2 docker]# docker images
[root@server2 docker]# docker tag 192.168.0.1:5000/webserver webserver
[root@server2 docker]# docker run -d webserver

签名加密

[root@server1 ~]# mkdir -p certs
[root@server1 ~]# docker stop registry
registry
[root@server1 ~]# docker ps
[root@server1 ~]# docker rm registry 
registry
[root@server1 ~]# ll /opt/registry/
total 0
drwxr-xr-x 3 root root 22 Jan 27 00:31 docker
[root@server2 docker]# rm -f daemon.json 
[root@server2 docker]# systemctl reload docker

[root@server1 ~]# docker rmi localhost:5000/webserver:latest
[root@server1 ~]# docker rm -f registry 
registry
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
domain.key  westos.crt
[root@server1 certs]# rm -fr *
[root@server1 certs]# cd
[root@server1 ~]#  openssl req   -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt

[root@server1 ~]# vim /etc/hosts
192.168.0.1 server1 reg.westos.org
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server1 ~]# docker tag game2048:latest reg.westos.org/game2048:latest
[root@server1 ~]# docker push reg.westos.org/game2048:latest

[root@server1 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server1 ~]# ls certs/
westos.org.crt  westos.org.key
[root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# ll /etc/docker/certs.d/reg.westos.org/ca.crt
-rw-r--r-- 1 root root 2106 Jan 27 02:46 /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# docker push reg.westos.org/game2048:latest

[root@server1 reg.westos.org]# scp ca.crt server2:/etc/docker/certs.d/reg.westos.org/
[root@server2 docker]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server2 docker]# vim /etc/hosts
192.168.0.1 server1 reg.westos.org
[root@server2 docker]# cd /etc/docker/certs.d/reg.westos.org/
[root@server2 reg.westos.org]# ls
ca.crt
[root@server2 ~]# docker pull reg.westos.org/game2048

认证

[root@server1 ~]# curl -k https://192.168.0.1/v2/_catalog
{"repositories":["game2048","webserver"]}
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 Jan 27 00:31 /opt/registry/
[root@server1 ~]# mkdir auth
[root@server1 ~]# yum provides */htpasswd
[root@server1 ~]# yum install -y httpd-tools
[root@server1 ~]# htpasswd -c -B auth/htpasswd linux
[root@server1 ~]# htpasswd -B auth/htpasswd admin
[root@server1 ~]# cat auth/htpasswd 
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
[root@server1 ~]# ls certs/
westos.org.crt  westos.org.key
[root@server1 ~]# docker ps
[root@server1 ~]# docker tag ubuntu:latest reg.westos.org/ubuntu:latest

3、harbor仓库

建立公共仓库

[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# cd harbor/
[root@server1 harbor]# docker rm -f registry 
[root@server1 ~]# mkdir /data
[root@server1 ~]# cp -r certs/ /
[root@server1 ~]# cd /certs/
[root@server1 ~]# cd harbor/
[root@server1 harbor]# vim harbor.yml 
 hostname: reg.westos.org
 certificate: /certs/westos.org.crt
 private_key: /certs/westos.org.key
 harbor_admin_password: westos
[root@server1 harbor]# ./install.sh --help
[root@server1 harbor]# ./install.sh 
[root@server1 harbor]# docker ps

[root@server1 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server1 harbor]# cat ~/.docker/config.json 
{
	"auths": {}
[root@server1 harbor]#docker login reg.westos.org
Username: admin
[root@server1 harbor]# docker tag busybox:latest reg.westos.org/library/busybox:latest
[root@server1 harbor]# docker push reg.westos.org/library/busybox:latest

[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# vim daemon.json
{
  "registry-mirrors": ["https://reg.westos.org"]
}
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker pull busybox
[root@server1 docker]# docker tag game2048:latest reg.westos.org/library/game2048:latest
[root@server1 docker]# docker push reg.westos.org/library/game2048:latest
[root@server1 docker]# cd /data/
[root@server1 data]# ls

建立私有仓库

[root@server1 data]# docker logout reg.westos.org
[root@server1 data]# docker login reg.westos.org
Username: linux  ##维护人员
[root@server1 data]# docker tag ubuntu:latest reg.westos.org/westos/ubuntu:latest
[root@server1 data]# docker push reg.westos.org/westos/ubuntu:latest

[root@server2 docker]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server2 docker]# docker login reg.westos.org
Usern[root@server2 docker]# docker tag webserver:latest reg.westos.org/westos/webserver:latest
[root@server2 docker]# docker push reg.westos.org/westos/webserver:latest
ame: demo ##访客
[root@server2 docker]# docker tag webserver:latest reg.westos.org/westos/webserver:latest
[root@server2 docker]# docker push reg.westos.org/westos/webserver:latest

[root@server2 docker]# docker rmi reg.westos.org/ubuntu
[root@server2 docker]# docker rmi 192.168.0.1:5000/webserver
[root@server2 docker]# docker pull reg.westos.org/westos/ubuntu

镜像签名

[root@server1 harbor]# docker-compose down 
[root@server1 harbor]# ./prepare  #清理
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@server1 harbor]# docker-compose ps

[root@server1 harbor]# docker login reg.westos.org
Username: admin
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest

启用docker内容信任

[root@server1 harbor]# docker images webserver
[root@server1 harbor]# docker tag webserver:v4 reg.westos.org/library/webserver:latest
[root@server1 harbor]# docker push reg.westos.org/library/webserver:latest
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server2 docker]# docker rmi reg.westos.org/westos/ubuntu:latest
[root@server2 docker]# docker pull reg.westos.org/westos/ubuntu:latest
[root@server2 docker]# docker rmi reg.westos.org/westos/ubuntu:latest

[root@server1 harbor]# docker tag game2048:latest reg.westos.org/westos/game2048:latest
[root@server1 ~]# cd .docker/
[root@server1 .docker]# mkdir tls/reg.westos.org:4443 -p
[root@server1 .docker]# cd tls/reg.westos.org\:4443/
[root@server1 reg.westos.org:443]# cp /certs/westos.org.crt ca.crt
[root@server1 ~]# docker push reg.westos.org/westos/game2048:latest
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest

[root@server1 ~]# docker tag nginx:latest reg.westos.org/westos/game2048:v1
[root@server1 ~]# docker push reg.westos.org/westos/game2048:v1

4、docker网络

基本网络配置

[root@server1 harbor]# docker-compose stop
[root@server2 ~]# docker run -it --rm busybox
pq
[root@[root@server2 ~]# brctl show
[root@server2 ~]# brctl show
[root@server2 ~]# docker run -d --name demo webserver
57180e07485ad1a0e9457b766910359b8d32869dde12dc5d98d82849a1ba3ee5
[root@server2 ~]# docker ps
[root@server2 ~]# docker attach b404b959e51e
/ # route -n

## host网络模式需要在容器创建时指定--network=host
[root@server2 ~]# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
[root@server2 ~]# docker run -d --name demo --network=host webserver
[root@server2 ~]# brctl show
[root@server2 ~]# docker run -it --rm --network=none busybox

none模式是指禁用网络功能,只有lo接口,在容器创建时使用
–network=none指定。

自定义网络

[root@server2 ~]# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
[root@server2 ~]# docker network create mynet1
979f4aa7daf9dcfa986b0b29bc2e561d81b11d2e01e00da9f994fb73c43849db
[root@server2 ~]# docker network ls
979f4aa7daf9   mynet1    bridge    local

[root@server2 ~]# docker inspect demo
 "IPAddress": "172.18.0.2",
[root@server2 ~]# docker run -d --name demo2 --network=mynet1 webserver
[root@server2 ~]# docker run -it --rm --network=mynet1 busybox

[root@server2 ~]# docker stop demo
demo
[root@server2 ~]# docker stop demo2
demo2
[root@server2 ~]# docker start demo2
demo2
[root@server2 ~]# docker start demo
demo