Docker Study Notes_016: Docker Image Registries and Basic Harbor Installation and Management

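I. Introduction to image registries

1.1 Overview

  1. An image repository is used to store Docker images
  2. Docker registry provides the image repository service
  3. One Docker registry can contain multiple image repositories
  4. Repositories are divided into public and private image repositories

1.2 Public image registries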

  1. hub.docker.com
  2. quay.io
  3. gcr.io

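1.3 Drawbacks of using the official registry

  • Requires an internet connection, and uploads and downloads are slow
  • Images pushed to Docker Hub can be accessed by anyone; private repositories are available, but they are not free
  • For security reasons, many organizations do not allow images to be placed on external networks

1.4 Running an image registry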

[root@docker-server3 ~]# docker run -d -p 5000:5000  -v  /data/registry:/var/lib/registry  registry:2

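registry:2: pulled from the official registry by default; the version is 2

-p: the default port is 5000, mapped to port 5000 on the host

-v: mounts a host directory onto the location where the registry inside the container stores images, so the data is persisted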

Unable to find image 'registry:2' locally
2: Pulling from library/registry
c87736221ed0: Pull complete 
1cc8e0bb44df: Pull complete 
54d33bcb37f5: Pull complete 
e8afc091c171: Pull complete 
b4541f6d3db6: Pull complete 
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:2
feebef9a6ec69e63d5f97bfe93edeed14e15d32c979f5152bedb22f5069e4e4b

[root@docker-server3 ~]# docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
feebef9a6ec6        registry:2          "/entrypoint.sh /etc…"   41 seconds ago      Up 40 seconds       0.0.0.0:5000->5000/tcp   funny_archimedes
f97a5669c5d6        nginx:v1.5          "/build.sh nginx -g …"   3 hours ago         Up 3 hours          80/tcp                   beautiful_wilbur
10694bcf9b87        nginx:v1.5          "/build.sh nginx -g …"   3 hours ago         Created                                      practical_ritchie

1.5 Pushing an image

[root@docker-server3 ~]# docker tag nginx:v1.5 192.168.132.133:5000/library/nginx:v1.5

[root@docker-server3 ~]# docker image ls

REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
192.168.132.133:5000/library/nginx   v1.5                ba600822f908        7 hours ago         418MB
nginx                                v1.5                ba600822f908        7 hours ago         418MB
nginx                                v1.4                e51688c79109        8 hours ago         418MB
nginx                                v1.3                80a81192811a        8 hours ago         418MB
nginx                                v1.2                852fb29d5783        9 hours ago         418MB
nginx                                v1.1                68354cda3d7b        9 hours ago         418MB
nginx                                v1.0                cd520a2362fb        9 hours ago         418MB
openssh                              v1.8                64e76b90e1fa        9 hours ago         306MB
openssh                              v1.7                a208eefd515d        10 hours ago        306MB
openssh                              v1.6                7c3b42276adb        10 hours ago        306MB
openssh                              v1.5                90743d882696        17 hours ago        306MB
openssh                              v1.3                0244c59bf444        2 days ago          306MB
openssh                              v1.4                2412a6e26b9c        2 days ago          306MB
openssh                              v1.2                c399a750ed03        2 days ago          361MB
openssh                              v1.0                d98ba06569f3        2 days ago          361MB
nginx                                latest              f7bb5701a33c        5 days ago          126MB
busybox                              latest              6d5fcfe5ff17        7 days ago          1.22MB
hub.darren.com/library/alpine        3.7                 cc0abc535e36        9 days ago          5.59MB
centos                               7                   5e35e350aded        7 weeks ago         203MB
registry                             2                   f32a97de94e1        10 months ago       25.8MB

[root@docker-server3 ~]# docker push 192.168.132.133:5000/library/nginx:v1.5

The push refers to repository [192.168.132.133:5000/library/nginx]
Get https://192.168.132.133:5000/v2/: http: server gave HTTP response to HTTPS client

The push fails because HTTPS is required, and the certificate must also be a valid one.

The Docker daemon configuration needs to be changed:

[root@docker-server3 ~]# cat /etc/docker/daemon.json

{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.132.133:5000"]
}

[root@docker-server3 ~]# systemctl restart docker

[root@docker-server3 ~]# docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
feebef9a6ec6        registry:2          "/entrypoint.sh /etc…"   13 minutes ago      Exited (2) 27 seconds ago                       funny_archimedes
f97a5669c5d6        nginx:v1.5          "/build.sh nginx -g …"   3 hours ago         Exited (0) 27 seconds ago                       beautiful_wilbur
10694bcf9b87        nginx:v1.5          "/build.sh nginx -g …"   3 hours ago         Created                                         practical_ritchie

[root@docker-server3 ~]# docker start feebef9a6ec6

[root@docker-server3 ~]# docker push 192.168.132.133:5000/library/nginx:v1.5

The push refers to repository [192.168.132.133:5000/library/nginx]
fc2a1b35c0a9: Pushed 
fdd515349bc6: Pushed 
72838385a292: Pushed 
77b174a6a187: Pushed 
v1.5: digest: sha256:2189ab9655b0dff8cecfa746ef2234bec36fb54114e971b6c15caf4f5eb36c6f size: 1155

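The image was pushed successfully, but with this kind of registry there is no direct way to see which images it holds.

1.6 Installing a web UI for the registry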

[root@docker-server3 ~]# docker run -d -p 8080:8080 -v /etc/localtime:/etc/localtime  --name registry-web -e REGISTRY_HOST=registry  -e REGISTRY_PORT=5000 -e REGISTRY_URL=http://registry:5000/v2  --link funny_archimedes:registry  hyper/docker-registry-web

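-p: maps port 8080

--name: names the container registry-web

-e: passes parameters as environment variables

--link: connects through a link; funny_archimedes is the name of the private registry container started above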

Unable to find image 'hyper/docker-registry-web:latest' locally
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete 
d394d3da86fe: Pull complete 
bac77aae22d4: Pull complete 
b48b86b78e97: Pull complete 
09b3dd842bf5: Pull complete 
69f4c5394729: Pull complete 
b012980650e9: Pull complete 
7c7921c6fda1: Pull complete 
e20331c175ea: Pull complete 
40d5e82892a5: Pull complete 
a414fa9c865a: Pull complete 
0304ae3409f3: Pull complete 
13effc1a664f: Pull complete 
e5628d0e6f8c: Pull complete 
0b0e130a3a52: Pull complete 
d0c73ab65cd2: Pull complete 
240c0b145309: Pull complete 
f1fd6f874e5e: Pull complete 
40b5e021928e: Pull complete 
88a8c7267fbc: Pull complete 
f9371a03010e: Pull complete 
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest
c3025c175eae0a1a28f3cf881c363a10688ca8e9170c9557e3fd70d903f2f99f

[root@docker-server3 ~]# docker ps -a

CONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS                      PORTS                    NAMES
c3025c175eae        hyper/docker-registry-web   "start.sh"               59 seconds ago      Up 58 seconds               0.0.0.0:8080->8080/tcp   registry-web
feebef9a6ec6        registry:2                  "/entrypoint.sh /etc…"   41 minutes ago      Up 28 minutes               0.0.0.0:5000->5000/tcp   funny_archimedes
f97a5669c5d6        nginx:v1.5                  "/build.sh nginx -g …"   3 hours ago         Exited (0) 28 minutes ago                            beautiful_wilbur
10694bcf9b87        nginx:v1.5                  "/build.sh nginx -g …"   3 hours ago         Created                                              practical_ritchie

Visit http://192.168.132.133:8080/

Click through

Pull the image from another machine

[root@docker-server1 ~]# docker pull 192.168.132.133:5000/library/nginx:v1.5

Error response from daemon: Get https://192.168.132.133:5000/v2/: http: server gave HTTP response to HTTPS client

[root@docker-server1 ~]# vi /etc/docker/daemon.json

{
"insecure-registries":["http://192.168.132.133:5000"],
"registry-mirrors":["https://o0o4czij.mirror.aliyuncs.com"]
}

[root@docker-server1 ~]# systemctl restart docker
[root@docker-server1 ~]# docker pull 192.168.132.133:5000/library/nginx:v1.5

v1.5: Pulling from library/nginx
ab5ef0e58194: Pull complete 
2a95ef35dfe4: Pull complete 
c7655bb407fc: Pull complete 
95fb544c76c7: Pull complete 
Digest: sha256:2189ab9655b0dff8cecfa746ef2234bec36fb54114e971b6c15caf4f5eb36c6f
Status: Downloaded newer image for 192.168.132.133:5000/library/nginx:v1.5
192.168.132.133:5000/library/nginx:v1.5

[root@docker-server1 ~]# docker image ls

REPOSITORY                                                    TAG                 IMAGE ID            CREATED                  SIZE
192.168.132.133:5000/library/nginx                            v1.5                ba600822f908        Less than a second ago   418MB
ubuntu                                                        16.04               5f2bf26e3524        2 months ago             123MB
httpd                                                         2.4                 d3017f59d5e2        2 months ago             165MB
busybox                                                       latest              020584afccce        2 months ago             1.22MB
nginx                                                         latest              540a289bab6c        2 months ago             126MB
hub.darren.com/library/nginx                                  version1            540a289bab6c        2 months ago             126MB
centos                                                        latest              0f3e07c0138f        3 months ago             220MB
centos                                                        6                   d0957ffdf8a2        9 months ago             194MB
registry.cn-hangzhou.aliyuncs.com/google_containers/coredns   1.1.3               b3b94275d97c        19 months ago            45.6MB

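1.8 Drawbacks

The registry is configured and working, but its shortcomings are obvious:

  1. No authentication mechanism: anyone can pull and push images at will, so there is no security
  2. No image cleanup mechanism: images can be pushed but not deleted, so disk usage keeps growing over time
  3. No corresponding extension mechanism

Private registries:

  • harbor: VMware China community
  • quay: open-sourced after the Red Hat acquisition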

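II. Introduction to Harbor

2.1 Harbor overview

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises require, such as security, identity, and management. As an enterprise private registry server, Harbor offers better performance and security, and improves the efficiency of transferring images between the registry and build and runtime environments. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control, and activity auditing.

Harbor official website: http://vmware.github.io/harbor/

Harbor source code: https://github.com/vmware/harbor

Harbor's binary packages come in online and offline versions; here we use the online version directly.

Official location: https://github.com/goharbor/harbor

2.2 Harbor architecture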

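2.3 Harbor's six modules

  • Proxy: Harbor's registry, UI, token services and other components all sit behind a reverse proxy, which forwards requests from browsers and Docker clients to the backend services.
  • Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, the Registry requires the client to obtain a valid token from the token service on every push/pull request.
  • Core services: Harbor's core functionality, consisting mainly of the following 3 services:
    • UI: acts as the Registry webhook and helps users manage images through a graphical user interface. 1) A webhook is a mechanism configured in the registry: when an image in the registry changes, Harbor's webhook endpoint is notified. Harbor uses the webhook to update logs, start synchronization jobs, and so on. 2) The token service issues a token for each push/pull request according to the user's role in a project. If a request carries no token, the registry redirects it to the token service. 3) The database stores project metadata, user data, role data, synchronization policies, and image metadata.
    • Job services: mainly used for image replication; local images can be synchronized to a remote Harbor instance.
    • Log collector: collects the logs of the other modules in one place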

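2.4 Harbor components

Note that every Harbor component is built as a Docker container and can be deployed with Docker Compose. If the environment uses Kubernetes, Harbor also provides Kubernetes configuration files.

Harbor consists of 8 containers:

  • ui: Harbor's core service.
  • log: a container running rsyslog that collects logs.
  • mysql: a database container built from the official mysql image; PostgreSQL is used now
  • nginx: uses Nginx as the reverse proxy
  • registry: the official Docker registry
  • adminserver: Harbor's configuration data manager
  • jobservice: Harbor's job management service.
  • redis: stores sessions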

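2.5 How Harbor works

Docker login

  1. First, the login request is received by the Proxy container and, according to the preconfigured matching rules, forwarded to the backend Registry container.
  2. The Registry receives and parses the request. Because token-based authentication is configured, it looks for a token; finding none, it returns error code 401 together with the URL of the token service.
  3. On receiving the error response, the Docker client sends a request to the token service address, combining and encoding the username and password according to the HTTP Basic Authentication scheme and placing them in the request header.
  4. This request also goes to the Proxy container first and is then forwarded to the ui/token container, which accepts the request and decodes the header to obtain the username and password.
  5. Once the ui/token container has the username and password, it validates them against the database (with LDAP authentication, the LDAP service is queried instead). On success it returns a success status code, generates a token with its key, and sends both to the Docker client.

Docker push

  1. As before, the client first talks to the Registry, which returns the URL of the token service.
  2. The Docker client contacts the token service, stating that it is requesting a token for a push image operation.
  3. The token service queries the database to verify that the current user has permission for the operation. If so, it encodes the image information and the push operation, signs them with the private key, and returns the resulting token to the Docker client.
  4. The Docker client talks to the Registry again, this time putting the token in the request header. The Registry decodes and verifies it with the public key; once verification succeeds, the push can begin.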
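
The login and push exchanges above, simulated end to end as an added example (not Harbor's code and not from the original post). An HMAC with a shared demo key stands in for the private-key signature and public-key check described in the text; the realm URL, the `harbor-registry` service name, the `dev` account and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import urlencode

# Constructed sample: the challenge a token-auth registry returns with its 401.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://darren.yutian.com/service/token",'
    'service="harbor-registry",scope="repository:docker/harbor-core:pull,push"'
)
DEMO_KEY = b"demo-only-signing-key"  # stand-in for the token service's private key
USERS = {"admin": "Harbor12345", "dev": "dev-pass"}  # "dev" is a constructed account
ROLES = {  # constructed project roles: (user, repository) -> allowed actions
    ("admin", "docker/harbor-core"): {"pull", "push"},
    ("dev", "docker/harbor-core"): {"pull"},
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_challenge(header):
    """Client: split the WWW-Authenticate value into realm, service and scope."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("registry is not using token authentication")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def build_token_request(challenge, user, password):
    """Client: URL and Basic Authentication header sent to the token service."""
    query = urlencode({"service": challenge["service"], "scope": challenge["scope"]})
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"{challenge['realm']}?{query}", {"Authorization": f"Basic {basic}"}


def issue_token(headers, service, scope, now=None):
    """Token service: verify the password, then grant only what the role allows."""
    decoded = base64.b64decode(headers["Authorization"].split()[1]).decode()
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        raise PermissionError("401: invalid username or password")
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    granted = sorted(set(actions.split(",")) & ROLES.get((user, name), set()))
    claims = {"sub": user, "aud": service, "exp": int(now or time.time()) + 300,
              "access": [{"type": rtype, "name": name, "actions": granted}]}
    body = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode())
    return body + "." + b64url(hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest())


def registry_allows(token, service, repo, action, now=None):
    """Registry: check signature, audience and expiry before trusting any claim."""
    try:
        head, payload, sig = token.split(".")
        good = hmac.new(DEMO_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, unb64url(sig)):
            return False
        claims = json.loads(unb64url(payload))
    except ValueError:
        return False
    if claims.get("aud") != service or claims.get("exp", 0) <= (now or time.time()):
        return False
    return any(a["type"] == "repository" and a["name"] == repo and action in a["actions"]
               for a in claims.get("access", []))


def run_flow(user, password, action, header=SAMPLE_CHALLENGE):
    """Full exchange: 401 challenge -> token request -> token -> registry decision."""
    challenge = parse_challenge(header)
    _url, headers = build_token_request(challenge, user, password)
    token = issue_token(headers, challenge["service"], challenge["scope"])
    repo = challenge["scope"].split(":", 1)[1].rsplit(":", 1)[0]
    return registry_allows(token, challenge["service"], repo, action)


if __name__ == "__main__":
    for who, pw in (("admin", "Harbor12345"), ("dev", "dev-pass")):
        print(who, "push allowed:", run_flow(who, pw, "push"))
```

The token service narrows the requested `pull,push` scope to what the role permits, so a pull-only account still receives a valid token, but the registry refuses its push.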

III. Installing Harbor

This experiment uses version v1.9.3

Remove all containers

[root@docker-server3 ~]# docker ps -aq |xargs docker rm -fv 

3.1 Downloading the package

Download the online Harbor installer: https://github.com/goharbor/harbor/releases/tag/v1.9.3

[root@docker-server3 ~]# wget https://github.com/goharbor/harbor/releases/download/v1.9.3/harbor-online-installer-v1.9.3.tgz

[root@docker-server3 ~]# tar -xf harbor-online-installer-v1.9.3.tgz

[root@docker-server3 ~]# mv harbor /usr/local/

[root@docker-server3 ~]# cd /usr/local/harbor/

[root@docker-server3 harbor]# ll

-rw-r--r-- 1 root root  5805 Nov 18 03:37 harbor.yml
-rwxr-xr-x 1 root root  5088 Nov 18 03:37 install.sh
-rw-r--r-- 1 root root 11347 Nov 18 03:37 LICENSE
-rwxr-xr-x 1 root root  1748 Nov 18 03:37 prepare

3.2 Generating the certificate

[root@docker-server3 harbor]# mkdir pki

[root@docker-server3 harbor]# cd pki

[root@docker-server3 pki]# openssl genrsa -des3 -out server.key 1024

[root@docker-server3 pki]# openssl rsa -in server.key -out server.key

[root@docker-server3 pki]# openssl req -new -key server.key -out server.csr

[root@docker-server3 pki]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

[root@docker-server3 pki]# ll

-rw-r--r-- 1 root root 920 Jan  3 03:06 server.crt
-rw-r--r-- 1 root root 684 Jan  3 03:04 server.csr
-rw-r--r-- 1 root root 887 Jan  3 03:03 server.key

3.3 Harbor configuration

[root@docker-server3 pki]# cd ../

[root@docker-server3 harbor]# grep -Ev "^$|[;#]" harbor.yml

hostname: darren.test.com
https:
   port: 443
   certificate: /usr/local/harbor/pki/server.crt
   private_key: /usr/local/harbor/pki/server.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /data
clair:
  updaters_interval: 12
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 1.9.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair

[root@docker-server3 harbor]# ./prepare 

prepare base dir is set to /usr/local/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[root@docker-server3 harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.5
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again.

3.4 Installing docker-compose

docker-compose is a container orchestration tool: https://github.com/docker/compose

Download the latest version

[root@docker-server3 harbor]# wget https://github.com/docker/compose/releases/download/1.25.0/docker-compose-Linux-x86_64

[root@docker-server3 harbor]# chmod +x docker-compose-Linux-x86_64

[root@docker-server3 harbor]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose

3.5 Installation

[root@docker-server3 harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.5

Note: docker-compose version: 1.25.0


[Step 1]: preparing environment ...
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir



[Step 2]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-log
b950b5dd94ab: Already exists
1fefec4d6309: Pull complete
fbbcfef46e70: Pull complete
459a9232cb22: Pull complete
a5ae36915def: Pull complete
46f9c2f74703: Pull complete
9deb3de04c54: Pull complete
909a05fc4700: Pull complete
Digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07
Status: Downloaded newer image for goharbor/harbor-log:v1.9.3
Pulling registry (goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3)...
v2.7.1-patch-2819-2553-v1.9.3: Pulling from goharbor/registry-photon
b950b5dd94ab: Already exists
1f4568af817f: Pull complete
be92c4733d10: Pull complete
1d666391d7e5: Pull complete
71b9f2abeafa: Pull complete
d855fea51058: Pull complete
Digest: sha256:78bf8ca6c84e58f11369d07817589391c72b07ac2528b898332d2d5ffe554f8c
Status: Downloaded newer image for goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3
Pulling registryctl (goharbor/harbor-registryctl:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-registryctl
b950b5dd94ab: Already exists
63505c20b7ca: Pull complete
8f807bf00d34: Pull complete
8e9de15b00b6: Pull complete
ea11b966c1d1: Pull complete
b4cf4b6f96d5: Pull complete
cee638fc0ad7: Pull complete
Digest: sha256:a5141c71bc6e5d541c9ee3459ea100c14b2b84d3897a99e02d4cff090dacd721
Status: Downloaded newer image for goharbor/harbor-registryctl:v1.9.3
Pulling postgresql (goharbor/harbor-db:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-db
b950b5dd94ab: Already exists
06fad8ffb3f8: Pull complete
2b68b32f8088: Pull complete
d7c46e659a6a: Pull complete
6a67b71cc8b5: Pull complete
fe8a70af51fb: Pull complete
3b5d884187b3: Pull complete
2d1536f2a1d3: Pull complete
dc417e3b633a: Pull complete
Digest: sha256:0fc09367feed82cdcc558823bd848752f155d65e52c245f1429d1a53915a4c1b
Status: Downloaded newer image for goharbor/harbor-db:v1.9.3
Pulling portal (goharbor/harbor-portal:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-portal
b950b5dd94ab: Already exists
043df33993ba: Pull complete
d8d460d2082b: Pull complete
11b3c3c9b803: Pull complete
198c8fefbd72: Pull complete
5b2f09f123e1: Pull complete
86acd987157f: Pull complete
Digest: sha256:d96d934dab47bfe426c33b37533094289e8f4111d0e3e0b1517c341831ff8466
Status: Downloaded newer image for goharbor/harbor-portal:v1.9.3
Pulling redis (goharbor/redis-photon:v1.9.3)...
v1.9.3: Pulling from goharbor/redis-photon
b950b5dd94ab: Already exists
b8fbe9dc9dde: Pull complete
e19904d63c6a: Pull complete
7cae1df3c795: Pull complete
93a7821ea4c9: Pull complete
Digest: sha256:893bed91214737244c1bc43005fa7f72c10d94b599a272e2982e22fa5b49757d
Status: Downloaded newer image for goharbor/redis-photon:v1.9.3
Pulling core (goharbor/harbor-core:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-core
b950b5dd94ab: Already exists
841d1d9cb8fd: Pull complete
a7452e6907b4: Pull complete
3163e443b06b: Pull complete
7f2a5aff198c: Pull complete
c240a35553e3: Pull complete
Digest: sha256:bc491975633fb845e593f4d0637cdaff9620b51a1a2a7924c6780275005cda88
Status: Downloaded newer image for goharbor/harbor-core:v1.9.3
Pulling jobservice (goharbor/harbor-jobservice:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-jobservice
b950b5dd94ab: Already exists
089caec5e122: Pull complete
3de3c64f442a: Pull complete
Digest: sha256:4fbf1ea5553d61fd6cbf58b5db9a2dc44cc1ff3d2704902e920f79b76e3a17ce
Status: Downloaded newer image for goharbor/harbor-jobservice:v1.9.3
Pulling proxy (goharbor/nginx-photon:v1.9.3)...
v1.9.3: Pulling from goharbor/nginx-photon
b950b5dd94ab: Already exists
3b5b95273977: Pull complete
Digest: sha256:4facb727a4abfdb0b1c64eab2ef3c85b461c8201cdd5cf9a5c07a41704f89793
Status: Downloaded newer image for goharbor/nginx-photon:v1.9.3
Creating harbor-log ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done

----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://darren.test.com. 
For more details, please visit https://github.com/goharbor/harbor .

[root@docker-server3 harbor]# docker ps -a

CONTAINER ID        IMAGE                                                    COMMAND                  CREATED              STATUS                        PORTS                                         NAMES
3582c06fad6f        goharbor/harbor-jobservice:v1.9.3                        "/harbor/harbor_jobs…"   About a minute ago   Up About a minute (healthy)                                                 harbor-jobservice
28dc54458c79        goharbor/nginx-photon:v1.9.3                             "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   nginx
3c4a4e6810b2        goharbor/harbor-core:v1.9.3                              "/harbor/harbor_core"    About a minute ago   Up About a minute (healthy)                                                 harbor-core
234f0e80a188        goharbor/redis-photon:v1.9.3                             "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)   6379/tcp                                      redis
42155f90c422        goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3   "/entrypoint.sh /etc…"   About a minute ago   Up About a minute (healthy)   5000/tcp                                      registry
5aea0ad776ad        goharbor/harbor-registryctl:v1.9.3                       "/harbor/start.sh"       About a minute ago   Up About a minute (healthy)                                                 registryctl
b5ef61bcb28b        goharbor/harbor-portal:v1.9.3                            "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   8080/tcp                                      harbor-portal
2a8fc240e768        goharbor/harbor-db:v1.9.3                                "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   5432/tcp                                      harbor-db
47a172fa7361        goharbor/harbor-log:v1.9.3                               "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp                     harbor-log

3.6 Access test

Visit: https://darren.yutian.com/

After logging in

The access level here is public, which means other machines can pull images directly without logging in.

[root@docker-server3 harbor]# ll /data/

drwxr-xr-x  2   10000    10000    6 Jan  3 03:35 ca_download
drwx------ 19 polkitd ssh_keys 4096 Jan  3 03:58 database
-rw-r--r--  1 root    root       12 Jan  2 19:02 index.html
drwxr-xr-x  2   10000    10000    6 Jan  3 03:35 job_logs
drwxr-xr-x  2   10000    10000    6 Jan  3 03:35 psc
drwxr-xr-x  2 polkitd ssh_keys   22 Jan  3 04:03 redis
drwxr-xr-x  3   10000    10000   20 Jan  3 01:03 registry
drwxr-xr-x  6 root    root       58 Jan  3 03:57 secret

This directory can be backed by almost any object storage; here is an official configuration example:

https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md#backend

storage_service:
  ca_bundle:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images
  redirect:
    disable: false

A more complete example: https://docs.docker.com/registry/configuration/#storage

[root@docker-server3 harbor]# docker image ls

REPOSITORY                           TAG                             IMAGE ID            CREATED             SIZE
192.168.132.133:5000/library/nginx   v1.5                            ba600822f908        10 hours ago        418MB
nginx                                v1.5                            ba600822f908        10 hours ago        418MB
nginx                                v1.4                            e51688c79109        11 hours ago        418MB
nginx                                v1.3                            80a81192811a        11 hours ago        418MB
nginx                                v1.2                            852fb29d5783        12 hours ago        418MB
nginx                                v1.1                            68354cda3d7b        12 hours ago        418MB
nginx                                v1.0                            cd520a2362fb        12 hours ago        418MB
openssh                              v1.8                            64e76b90e1fa        13 hours ago        306MB
openssh                              v1.7                            a208eefd515d        13 hours ago        306MB
openssh                              v1.6                            7c3b42276adb        13 hours ago        306MB
openssh                              v1.5                            90743d882696        20 hours ago        306MB
openssh                              v1.4                            2412a6e26b9c        2 days ago          306MB
openssh                              v1.3                            0244c59bf444        2 days ago          306MB
openssh                              v1.2                            c399a750ed03        2 days ago          361MB
openssh                              v1.0                            d98ba06569f3        2 days ago          361MB
nginx                                latest                          f7bb5701a33c        5 days ago          126MB
busybox                              latest                          6d5fcfe5ff17        7 days ago          1.22MB
hub.darren.com/library/alpine        3.7                             cc0abc535e36        9 days ago          5.59MB
goharbor/redis-photon                v1.9.3                          33aaebc86b13        7 weeks ago         111MB
goharbor/harbor-registryctl          v1.9.3                          27af14c21462        7 weeks ago         103MB
goharbor/registry-photon             v2.7.1-patch-2819-2553-v1.9.3   4c51bdb781e2        7 weeks ago         85.7MB
goharbor/nginx-photon                v1.9.3                          c6934119da35        7 weeks ago         44MB
goharbor/harbor-log                  v1.9.3                          00a3acdb5d11        7 weeks ago         82.3MB
goharbor/harbor-jobservice           v1.9.3                          a3288107fff4        7 weeks ago         141MB
goharbor/harbor-core                 v1.9.3                          9d394b9f6b49        7 weeks ago         155MB
goharbor/harbor-portal               v1.9.3                          6f5b0504c96b        7 weeks ago         51.4MB
goharbor/harbor-db                   v1.9.3                          6004d1d5f272        7 weeks ago         148MB
goharbor/prepare                     v1.9.3                          272365739d13        7 weeks ago         149MB
centos                               7                               5e35e350aded        7 weeks ago         203MB
registry                             2                               f32a97de94e1        10 months ago       25.8MB
hyper/docker-registry-web            latest                          0db5683824d8        3 years ago         599MB

3.7 Basic management

[root@docker-server3 harbor]# docker tag goharbor/harbor-log:v1.9.3 darren.yutian.com/library/harbor-log:v1.9.3

[root@docker-server3 harbor]# docker image ls

darren.yutian.com/library/harbor-log   v1.9.3                          00a3acdb5d11        7 weeks ago         82.3MB

[root@docker-server3 harbor]# vi /etc/docker/daemon.json

{
"log-driver":"journald",
"bip":"192.168.0.1/24",
"insecure-registries":["http://192.168.132.133:5000","https://darren.yutian.com"]
}

[root@docker-server3 harbor]# vi /etc/hosts

192.168.132.133  darren.yutian.com

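Every machine that accesses or pushes to the registry needs the steps above: modify the Docker configuration and the hosts file.

Push the image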

[root@docker-server3 harbor]# docker push darren.yutian.com/library/harbor-log:v1.9.3

The push refers to repository [darren.yutian.com/library/harbor-log]
2e2e439cb618: Preparing 
f14e11ea2c25: Preparing 
c684117da188: Preparing 
a94dcd551900: Preparing 
12a81f321c68: Preparing 
fa60bb5fba7f: Waiting 
4bb3c8da2619: Waiting 
47a4bb1cfbc7: Waiting 
denied: requested access to the resource is denied

The push is denied because pulling is allowed without logging in, but pushing requires a login.

Log in to Harbor

[root@docker-server3 harbor]# docker login https://darren.yutian.com

Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

The second push succeeds

[root@docker-server3 harbor]# docker push darren.yutian.com/library/harbor-log:v1.9.3

The push refers to repository [darren.yutian.com/library/harbor-log]
2e2e439cb618: Pushed 
f14e11ea2c25: Pushed 
c684117da188: Pushed 
a94dcd551900: Pushed 
12a81f321c68: Pushed 
fa60bb5fba7f: Pushed 
4bb3c8da2619: Pushed 
47a4bb1cfbc7: Pushed 
v1.9.3: digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07 size: 1984

Check the web UI

Pull the image

[root@docker-server2 ~]# docker pull darren.yutian.com/library/harbor-log:v1.9.3

v1.9.3: Pulling from library/harbor-log
b950b5dd94ab: Pull complete 
1fefec4d6309: Pull complete 
fbbcfef46e70: Pull complete 
459a9232cb22: Pull complete 
a5ae36915def: Pull complete 
46f9c2f74703: Pull complete 
9deb3de04c54: Pull complete 
909a05fc4700: Pull complete 
Digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07
Status: Downloaded newer image for darren.yutian.com/library/harbor-log:v1.9.3
darren.yutian.com/library/harbor-log:v1.9.3

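This image can be pulled without logging in because the library project is public.

Create a new private repository

New project
Project name: choose your own
Count quota: -1 means unlimited
Storage quota: -1 means unlimited
Click OK

Upload an image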

[root@docker-server3 ~]# docker image ls

goharbor/harbor-core                   v1.9.3                          9d394b9f6b49        7 weeks ago         155MB

[root@docker-server3 ~]# docker tag goharbor/harbor-core:v1.9.3 darren.yutian.com/docker/harbor-core:v1.9.3

[root@docker-server3 ~]# docker image ls

goharbor/harbor-core                   v1.9.3                          9d394b9f6b49        7 weeks ago         155MB
darren.yutian.com/docker/harbor-core   v1.9.3                          9d394b9f6b49        7 weeks ago         155MB

Once logged in, a hidden file exists:

[root@docker-server3 ~]# ll ~/.docker/config.json

-rw------- 1 root root 155 Jan 3 04:32 /root/.docker/config.json

[root@docker-server3 ~]# cat ~/.docker/config.json

{
    "auths": {
        "darren.yutian.com": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.5 (linux)"
    }
}
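
An added audit sketch (not part of the original post) for the two client-side files this walkthrough edits: the `insecure-registries` list in /etc/docker/daemon.json and the `auth` entry that `docker login` wrote to ~/.docker/config.json. The embedded samples are constructed from the file contents shown on this page; the function names and finding labels are assumptions.

```python
import base64
import json
import os
import stat

# Constructed from the daemon.json and config.json contents shown on this page.
PAGE_DAEMON_JSON = """{
  "log-driver": "journald",
  "bip": "192.168.0.1/24",
  "insecure-registries": ["http://192.168.132.133:5000", "https://darren.yutian.com"]
}"""
PAGE_CONFIG_JSON = """{
  "auths": {"darren.yutian.com": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}},
  "HttpHeaders": {"User-Agent": "Docker-Client/19.03.5 (linux)"}
}"""


def read_with_mode(path):
    """Return (text, permission bits) of a file such as ~/.docker/config.json."""
    with open(path, encoding="utf-8") as fh:
        return fh.read(), stat.S_IMODE(os.stat(path).st_mode)


def registry_host(value):
    """Normalise 'https://host:port/path' or 'host:port' to a lower-case host[:port]."""
    return value.split("://", 1)[-1].split("/", 1)[0].lower()


def audit(daemon_text, config_text, config_mode=0o600):
    """Return sorted (target, issue, detail) findings; passwords are never included."""
    findings = set()
    # For each listed registry the daemon ignores certificate errors and may
    # fall back to plain HTTP.
    listed = json.loads(daemon_text).get("insecure-registries", [])
    insecure = {registry_host(entry) for entry in listed}
    for host in insecure:
        findings.add((host, "registry-without-verified-tls", ""))

    if config_mode & 0o077:
        findings.add(("config.json", "readable-by-group-or-others", oct(config_mode)))

    for registry, entry in json.loads(config_text).get("auths", {}).items():
        host, user = registry_host(registry), ""
        blob = entry.get("auth", "")
        if blob:
            # "auth" is base64("user:password"): an encoding, not encryption.
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except ValueError:
                findings.add((host, "unparseable-auth-entry", ""))
                continue
            user = decoded.partition(":")[0]
            findings.add((host, "password-recoverable-from-file", user))
        if host in insecure:
            # docker login sends these credentials to a peer whose identity is not checked.
            findings.add((host, "credentials-used-without-verified-tls", user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(PAGE_DAEMON_JSON, PAGE_CONFIG_JSON):
        print(*finding)
```

On a real host, pass the output of `read_with_mode` for each file. Placing the registry's CA certificate at `/etc/docker/certs.d/<registry>/ca.crt` lets the daemon verify TLS, so the `insecure-registries` entry can be dropped, and a configured `credsStore` keeps the password out of config.json.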

[root@docker-server3 ~]# docker push darren.yutian.com/docker/harbor-core:v1.9.3 

The push refers to repository [darren.yutian.com/docker/harbor-core]
376871497fae: Pushed 
5fb810768754: Pushed 
3c10f4815fc0: Pushed 
17c27eb4f7f8: Pushed 
b2329d5f99cf: Pushed 
47a4bb1cfbc7: Mounted from library/harbor-log 
v1.9.3: digest: sha256:bc491975633fb845e593f4d0637cdaff9620b51a1a2a7924c6780275005cda88 size: 1580

Then pull it from another machine

[root@docker-server1 ~]# docker pull darren.yutian.com/docker/harbor-core:v1.9.3

Error response from daemon: pull access denied for darren.yutian.com/docker/harbor-core, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

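Images in this private repository can now only be pulled by a logged-in user with permission.


Author's note: The content of this article is mainly based on material from teacher Yan Wei of Yutian Education, with the operations verified through my own experiments. Readers who wish to repost should contact Yutian Education (http://www.yutianedu.com/) for official permission, or obtain permission from Mr. Yan (https://www.cnblogs.com/breezey/) himself. Thank you!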

Reposted from www.cnblogs.com/zyxnhr/p/12152519.html