Docker containers: local private registry, and Harbor private registry deployment and management

Table of contents

1. Local private registry

1. Introduction to the local private registry

2. Building a local private registry

3. Introduction to container restart policies

2. Harbor private registry deployment and management

1. What is Harbor

2. Features of Harbor

3. Components of Harbor

4. Harbor deployment and configuration

① Deploy docker-compose

② Deploy the Harbor service

③ Log in and create a project

④ Log in to the registry and upload an image

5. Client testing

① Fixing the login error

② Pulling an image from the private registry on a client

③ Pushing an image to the private registry from a client

6. Harbor maintenance

① Create a user

② Add project members

③ Ordinary users operating the private registry

④ Viewing operation records in the log

7. Required and optional parameters of harbor.cfg

① Required parameters

② Optional parameters


1. Local private registry

1. Introduction to the local private registry

A Docker local registry stores images so that machines on the local network can upload and download them (push/pull) without going to a public registry.
Using a private registry has several advantages:

① It saves network bandwidth: nobody has to fetch each image from the central registry, everyone downloads it from the private registry instead;

② It provides a home for internal image resources: images used within the company are pushed to the local private registry for use by the relevant staff.

2. Building a local private registry

docker pull registry
# pull the registry image (the official Docker Distribution registry)
vim /etc/docker/daemon.json
# add the private registry address to daemon.json; the file must be valid JSON, so note the
# comma after the first entry, and fill in your own IP address. Contents:

{
    "insecure-registries": ["192.168.30.11:5000"],
    "registry-mirrors": ["https://b0u3e8x4.mirror.aliyuncs.com"]
}

# "insecure-registries" makes the Docker daemon talk to this registry over plain HTTP (or HTTPS
# with an unverified certificate). The registry container below also has no authentication, so
# anyone who can reach port 5000 can push and pull, and everything travels in clear text. Keep
# this to a lab network; for anything shared, put the registry behind TLS and drop the entry.
systemctl restart docker.service
# restart the Docker daemon so the new registry setting takes effect
docker run -itd -v /data/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry:latest
# run the registry container: -v mounts a host directory as the image store, -p publishes port 5000,
# --restart=always brings the container back after a daemon restart or reboot
docker tag centos:7 192.168.30.11:5000/centos:v1
# re-tag the image with the private registry prefix
docker push 192.168.30.11:5000/centos:v1
# push the v1 tag to the private registry
curl 192.168.30.11:5000/v2/_catalog
# list all repositories in the private registry
curl 192.168.30.11:5000/v2/centos/tags/list
# list all tags of the centos repository in the private registry
docker rmi 192.168.30.11:5000/centos:v1
# remove the local copy of the v1 tag
docker pull 192.168.30.11:5000/centos:v1
# test pulling the v1 tag back from the private registry
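
A practitioner usually wants to confirm that a push actually landed rather than trust the client's output. The following added example (not part of the original post) does in Python what the two curl commands above do, and additionally fetches the manifest digest so the image can be referred to by an immutable name instead of a movable tag. The registry address is the page's 192.168.30.11:5000; urllib_http, stub_http, verify_push and the canned stub responses are this example's own, with the stub standing in for the registry so the code runs offline.

```python
"""Check that an image tag really landed in a plain Docker Registry v2 and
pin it by digest, using the same HTTP endpoints the curl commands above hit."""
import json
import urllib.error
import urllib.request

REGISTRY = "http://192.168.30.11:5000"   # plain HTTP, as allowed by insecure-registries above
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def urllib_http(method, url, headers=None):
    """Real transport: returns (status, headers, body) for any status code."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def stub_http(method, url, headers=None):
    """Constructed responses for the page's state: one repository 'centos' with tag v1."""
    if url.endswith("/v2/_catalog"):
        return 200, {}, b'{"repositories":["centos"]}'
    if url.endswith("/v2/centos/tags/list"):
        return 200, {}, b'{"name":"centos","tags":["v1"]}'
    if method == "HEAD" and url.endswith("/v2/centos/manifests/v1"):
        return 200, {"Docker-Content-Digest": "sha256:" + "ab" * 32}, b""
    return 404, {}, b'{"errors":[{"code":"NAME_UNKNOWN"}]}'


def list_repositories(http, registry=REGISTRY):
    """GET /v2/_catalog -> repository names (first page; the registry paginates at n=100)."""
    status, _, body = http("GET", f"{registry}/v2/_catalog")
    if status != 200:
        raise RuntimeError(f"catalog request failed with HTTP {status}")
    return json.loads(body).get("repositories", [])


def list_tags(http, repo, registry=REGISTRY):
    """GET /v2/<name>/tags/list -> tags, or [] when the repository does not exist."""
    status, _, body = http("GET", f"{registry}/v2/{repo}/tags/list")
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"tag list for {repo} failed with HTTP {status}")
    return json.loads(body).get("tags") or []


def manifest_digest(http, repo, ref, registry=REGISTRY):
    """HEAD the manifest; a v2 registry returns the content digest in Docker-Content-Digest."""
    status, headers, _ = http("HEAD", f"{registry}/v2/{repo}/manifests/{ref}",
                              {"Accept": MANIFEST_V2})
    if status != 200:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    return lowered.get("docker-content-digest")


def verify_push(http, repo, tag, registry=REGISTRY):
    """Confirm repo:tag is present and return its pinned reference host/repo@sha256:...

    Raises LookupError with a reason when any step fails, so a deploy script can stop."""
    if repo not in list_repositories(http, registry):
        raise LookupError(f"{repo} is not in the registry catalog")
    if tag not in list_tags(http, repo, registry):
        raise LookupError(f"{repo}:{tag} is not present")
    digest = manifest_digest(http, repo, tag, registry)
    if not digest or not digest.startswith("sha256:"):
        raise LookupError(f"no content digest returned for {repo}:{tag}")
    return {"repo": repo, "tag": tag, "digest": digest,
            "pinned": f"{registry.split('://', 1)[1]}/{repo}@{digest}"}


if __name__ == "__main__":
    # Offline demo against the stub; pass urllib_http instead to query the real registry.
    print(verify_push(stub_http, "centos", "v1")["pinned"])
```

The pinned reference is what a deployment should record: a tag such as v1 can be re-pushed to point at different content, whereas the digest cannot change without the name changing too.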

3. Introduction to container restart policies

Values accepted by --restart:

no: the default policy; the container is not restarted when it exits

on-failure: the container is restarted only when it exits with a non-zero status

on-failure:3: as above, but Docker gives up after 3 restart attempts

always: the container is always restarted when it exits, and is also started when the Docker daemon starts

unless-stopped: like always, except that a container that was explicitly stopped is not started again when the Docker daemon starts

2. Harbor private registry deployment and management

1. What is Harbor

Harbor is an open-source enterprise-grade Docker Registry project from VMware, whose goal is to help users quickly build an enterprise-grade Docker Registry service.

Built on Docker's open-source Registry, Harbor adds the functions enterprise users need: a graphical management UI, role-based access control (RBAC), AD/LDAP integration, audit logging, and Chinese language support.

Each Harbor component is built as a Docker container and the whole set is deployed with docker-compose. The docker-compose template used to deploy Harbor is harbor/docker-compose.yml.

2. Features of Harbor

① Role-based access control: users and repositories are organised by project, and a user can hold different permissions in different projects.

② Image replication policies: images can be replicated (synchronised) between multiple Harbor instances.

③ LDAP/AD support: Harbor can integrate with the enterprise's existing AD/LDAP to authenticate and manage existing users.

④ Image deletion and garbage collection: images can be deleted, and the space they occupied can be reclaimed.

⑤ Graphical user interface: users can browse and search image repositories and manage projects from a browser.

⑥ Audit management: every operation on the image repositories can be recorded and traced for audit purposes.

⑦ RESTful API: the API gives administrators more control over Harbor and makes integration with other management software easier.

⑧ Relationship between Harbor and the Docker registry: Harbor essentially wraps the Docker registry and extends it with its own business logic.

3. Components of Harbor

Architecturally, Harbor has six main components: Proxy, Registry, Core services, Database (harbor-db), Log collector (harbor-log), and Job services.

① Proxy: an nginx front-end proxy. Harbor's Registry, UI, Token service and other components all sit behind this nginx reverse proxy, which forwards requests from browsers and Docker clients to the appropriate back-end service.

② Registry: stores the Docker images and handles docker push/pull. Because access has to be controlled (different users have different read and write permissions on images), the Registry is configured to trust a Token service: every docker pull/push request must carry a valid token, and the Registry verifies the token's signature with the Token service's public key (tokens are signed, not encrypted).

③ Core services: Harbor's core functions, mainly three services. 1) UI (harbor-ui): a graphical interface that helps users manage the images on the Registry and authorise users. 2) Webhook: a notification endpoint configured on the Registry so that changes in image status are passed to the UI module promptly. 3) Token service: issues a token for each docker push/pull according to the user's permissions. If a request from the Docker client to the Registry carries no token, the client is redirected to the Token service; once it has obtained a token it repeats the request to the Registry.

④ Database (harbor-db): provides database services to the core services and stores data such as user permissions, audit logs and the grouping of Docker images into projects.

⑤ Job services: used mainly for image replication, synchronising local images to a remote Harbor instance.

⑥ Log collector (harbor-log): collects the logs of the other components in one place.
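
The token exchange described under ② and ③, played out end to end as an added example: the registry challenges, the client fetches a token with its Harbor credentials, the token service encodes the caller's project rights into the token, and the registry admits the retried request only if the token verifies and covers the requested repository and action. This is not Harbor's code. The user table and project roles are constructed from the names used elsewhere on the page (admin, lhj, myproject-kgc), Harbor's RS256 JWT verified with the token service's public key is replaced here by an HMAC with a shared key so the example stays in the standard library, and the function names are this example's own.

```python
"""Simulated Harbor token handshake: registry challenge, token issue, retry."""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_REALM = "http://192.168.30.11/service/token"   # hostname taken from the page
SERVICE = "harbor-registry"
SIGNING_KEY = b"stand-in for the token service private key"   # assumption: HMAC instead of RS256

# Constructed Harbor state: users, project visibility and per-project roles.
USERS = {"admin": "Harbor12345", "lhj": "Harbor12345"}
PROJECTS = {
    "myproject-kgc": {"public": False, "members": {"admin": "admin", "lhj": "developer"}},
    "library": {"public": True, "members": {"admin": "admin"}},
}
ROLE_ACTIONS = {"admin": {"pull", "push"}, "developer": {"pull", "push"}, "guest": {"pull"}}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body):
    return b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


# --- token service (part of Harbor core services) ---
def token_service(url, authorization=None):
    """GET realm?service=..&scope=.. -> {'token': ..}, or None on bad credentials."""
    query = parse_qs(urlsplit(url).query)
    scope = query["scope"][0]                       # e.g. repository:myproject-kgc/nginx:pull
    user = None
    if authorization and authorization.startswith("Basic "):
        name, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
        if USERS.get(name) != password:
            return None                             # wrong password: no token at all
        user = name
    _, repo, actions = scope.split(":", 2)
    project = PROJECTS.get(repo.split("/", 1)[0], {"public": False, "members": {}})
    allowed = {"pull"} if project["public"] else set()   # public projects: anonymous pull
    if user in project["members"]:
        allowed |= ROLE_ACTIONS[project["members"][user]]
    granted = sorted(a for a in actions.split(",") if a in allowed)
    claims = {"sub": user or "", "access": [{"type": "repository", "name": repo, "actions": granted}]}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return {"token": f"{body}.{sign(body)}"}


# --- registry (behind the nginx proxy) ---
def registry_request(method, path, headers):
    """Manifest requests need a valid token whose access claim covers repo and action."""
    match = re.match(r"^/v2/(.+)/manifests/[^/]+$", path)
    if not match:
        return 404, {}, b""
    repo = match.group(1)
    action = "pull" if method in ("GET", "HEAD") else "push"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        challenge = f'Bearer realm="{TOKEN_REALM}",service="{SERVICE}",scope="repository:{repo}:{action}"'
        return 401, {"WWW-Authenticate": challenge}, b""
    body, _, sig = auth[7:].partition(".")
    if not hmac.compare_digest(sig, sign(body)):    # the real registry checks an RSA signature here
        return 401, {}, b"invalid token signature"
    for grant in json.loads(b64url_decode(body))["access"]:
        if grant["name"] == repo and action in grant["actions"]:
            return 200, {}, b'{"schemaVersion":2}'
    return 403, {}, b"token does not grant this action"


# --- docker client ---
def parse_challenge(header):
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def client_fetch(method, path, user=None, password=None):
    """What `docker pull/push` does: request, get challenged, fetch a token, retry once."""
    status, hdrs, _ = registry_request(method, path, {})
    if status != 401:
        return status
    ch = parse_challenge(hdrs["WWW-Authenticate"])
    url = ch["realm"] + "?" + urlencode({"service": ch["service"], "scope": ch["scope"]})
    basic = None
    if user is not None:
        basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    issued = token_service(url, basic)
    if issued is None:
        return 401
    status, _, _ = registry_request(method, path, {"Authorization": "Bearer " + issued["token"]})
    return status
```

The point to take from the flow is that the registry itself never sees a password: it only trusts tokens whose signature it can verify and whose access claim names the repository and action being attempted, which is why a forged token or one issued for another project is refused even if its contents look right.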

4. Harbor deployment and configuration

① Deploy docker-compose

curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# download the docker-compose binary; before trusting a binary fetched with curl, compare its
# sha256 with the checksum file published alongside it on the GitHub release page
chmod +x /usr/local/bin/docker-compose
# make it executable
docker-compose --version
# check the version

② Deploy the Harbor service

cd /opt
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
# copy the Harbor archive to /opt and extract it into /usr/local
vim /usr/local/harbor/harbor.cfg
# edit the Harbor configuration file as follows
hostname = 192.168.30.11
# line 5: set to the IP address or domain name of the Harbor server (not localhost or 127.0.0.1)
harbor_admin_password = Harbor12345
# line 59: the administrator's initial password. The default admin/Harbor12345 can be left as is
# for a lab, but it is only read on the first start, so on any instance others can reach change it
# here before installing (or in the UI immediately afterwards). Save and exit.
cd /usr/local/harbor/
./prepare
./install.sh
# in the Harbor directory, run the preparation script, then the installer
docker-compose ps
# after a successful install, list the Harbor containers from this directory

③ Log in and create a project

1) Open http://192.168.30.11 in a browser to reach the Harbor web UI; the default administrator username and password are admin/Harbor12345.

2) After logging in, create a new project.

④ Log in to the registry and upload an image

# run on 192.168.30.11, i.e. the server hosting the private registry
docker login -u admin -p Harbor12345 http://127.0.0.1
# log in to the private registry. 127.0.0.1 works here without any insecure-registry setting
# because the Docker daemon treats loopback addresses as insecure registries by default.
# Passing -p on the command line leaves the password in shell history and process listings;
# `docker login -u admin --password-stdin` is the safer form.
docker images
# list the images on this machine
docker tag nginx:latest 127.0.0.1/myproject-kgc/nginx:v1
# re-tag nginx as nginx:v1 under the private registry's myproject-kgc project
docker push 127.0.0.1/myproject-kgc/nginx:v1
# upload the image to the myproject-kgc project in the private registry

5. Client testing

① Fixing the login error

When another client logs in to Harbor it reports the error below. The Docker client talks to registries over HTTPS by default, but this Harbor instance was set up with plain HTTP (ui_url_protocol = http), so the TLS connection attempt to port 443 is refused.

docker login -u admin -p Harbor12345 http://192.168.30.11
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.30.11/v2/: dial tcp 192.168.30.11:443: connect: connection refused

Solution:
1) Tell the Docker daemon on the client to use HTTP for this registry by adding --insecure-registry to its start-up parameters. vim /usr/lib/systemd/system/docker.service and change line 13 (the ExecStart line) to
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.30.11 --containerd=/run/containerd/containerd.sock
2) On installations whose unit file has the shorter ExecStart line, the equivalent is
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.30.11
3) Reload systemd and restart Docker
systemctl daemon-reload
systemctl restart docker.service

The same setting can instead go into /etc/docker/daemon.json as "insecure-registries": ["192.168.30.11"], as in the local registry section above; that survives package upgrades that overwrite the unit file. Either way, the client now sends its Harbor credentials and image layers in clear text. The proper fix is to run Harbor with ui_url_protocol = https and a certificate, and to install the issuing CA certificate on each client at /etc/docker/certs.d/192.168.30.11/ca.crt, after which no insecure-registry setting is needed at all.

② Pulling an image from the private registry on a client

docker login -u admin -p Harbor12345 http://192.168.30.11
# log in to the private registry; the credentials are saved (base64-encoded, not encrypted) in
# /root/.docker/config.json and reused by later docker commands, so protect that file
docker pull 192.168.30.11/myproject-kgc/nginx:v1
# pull the v1 image from the myproject-kgc project

③ Pushing an image to the private registry from a client

docker pull tomcat
# download a tomcat image
docker tag tomcat:latest 192.168.30.11/myproject-kgc/tomcat:v2
# re-tag tomcat as an image in the private registry's myproject-kgc project
docker push 192.168.30.11/myproject-kgc/tomcat:v2
# upload the re-tagged image to the private registry

6. Harbor maintenance

① Create a user

② Add project members

③ Ordinary users operating the private registry

# run on the client 192.168.30.12
docker logout
# log out the previously logged-in user
docker login -u lhj -p Harbor12345 http://192.168.30.11
# log in to the private registry with the newly created user; pulling from a public project needs no login
docker images
docker rmi 192.168.30.11/myproject-kgc/nginx:v1
# list the local images and delete the local copy of v1
docker pull 192.168.30.11/myproject-kgc/nginx:v1
# pull the v1 image from the private registry as the new user
docker tag 192.168.30.11/myproject-kgc/nginx:v1 192.168.30.11/myproject-kgc/nginx:v10
# re-tag v1 as v10
docker push 192.168.30.11/myproject-kgc/nginx:v10
# push the image to the private registry as the new user; this only succeeds if the user holds a
# project role that allows push (Developer or Project Admin), a Guest member can only pull

④ Viewing operation records in the log

7. Required and optional parameters of harbor.cfg

① Required parameters

Required parameters: these must be set in the configuration file harbor.cfg. Changes take effect when the user updates them and runs the install.sh script to reinstall Harbor. The parameters are:

1) hostname: used to access the user interface and the registry service. It should be the target machine's IP address or a fully qualified domain name (FQDN), such as 192.168.10.23 or hub.kgc.cn. Do not use localhost or 127.0.0.1, because the registry service must be reachable by external clients under this name.

2) ui_url_protocol: (http or https, default http) the protocol used to access the UI and the token/notification services. If Notary is enabled, this parameter must be https.

3) max_job_workers: the maximum number of replication job workers.

4) db_password: the root password of the MySQL database used for db_auth.

5) customize_crt: on or off, on by default. When on, the prepare script creates a private key and root certificate that are used to generate and verify registry tokens. Set it to off when the key and root certificate are supplied from an external source.

6) ssl_cert: the path of the SSL certificate; only used when the protocol is set to https.

7) secretkey_path: the path of the key used to encrypt and decrypt the remote registry password in a replication policy.

② Optional parameters

Optional parameters: these can be left at their defaults and changed in the web UI after Harbor is running. If they are set in harbor.cfg, they take effect only when Harbor is started for the first time; on later restarts the values in harbor.cfg are ignored for these parameters.

Note: if you choose to set these parameters through the UI, do so immediately after launching Harbor. In particular, the desired auth_mode must be set before registering or creating any new users. Once there are users in the system (other than the default admin user), auth_mode can no longer be changed. The parameters are:

1) email settings: Harbor needs these to send "password reset" emails to users, and they should only be enabled when that feature is required. Note that SSL is not enabled by default; if the SMTP server requires SSL but does not support STARTTLS, enable it by setting email_ssl = true.

2) harbor_admin_password: the administrator's initial password, which only takes effect when Harbor starts for the first time. After that this setting is ignored and the administrator's password must be changed in the UI. The default username/password is admin/Harbor12345; an instance that keeps it is an open door for anyone who can reach the UI.

3) auth_mode: the type of authentication used. The default is db_auth, i.e. credentials are stored in Harbor's database. For LDAP authentication, set it to ldap_auth.

4) self_registration: enable or disable user self-registration. When disabled, only the admin user can create new users. Note: when auth_mode is ldap_auth, self-registration is always disabled and this flag is ignored.

5) token_expiration: the lifetime (in minutes) of tokens issued by the token service; the default is 30 minutes.

6) project_creation_restriction: controls which users may create projects. By default everyone can create projects; set it to "adminonly" so that only administrators can.

7) verify_remote_cert: on or off, on by default. Determines whether Harbor verifies the SSL/TLS certificate when it talks to a remote registry instance during replication. Setting it to off bypasses certificate verification, which is sometimes done when the remote instance has a self-signed or untrusted certificate, at the cost of exposing the replication traffic (including the remote registry credentials) to interception.
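
As an added example (not part of Harbor or of the original post), the following Python audits a harbor.cfg for the settings discussed above that a reviewer would flag before exposing the instance, and rewrites the weak ones while leaving comments and ordering intact. SAMPLE_CFG is a constructed file built from the defaults the page quotes; the function names, the "root123" default for db_password (the value the Harbor 1.x harbor.cfg ships with) and the wording of the findings are this example's own.

```python
"""Audit a Harbor 1.x harbor.cfg for settings to fix before the instance is
exposed, and rewrite the weak ones with caller-supplied secrets."""

DEFAULT_ADMIN_PASSWORD = "Harbor12345"   # shipped admin password, quoted on the page
DEFAULT_DB_PASSWORD = "root123"          # db_password value harbor.cfg ships with in Harbor 1.x

# Constructed harbor.cfg, built from the defaults the page quotes.
SAMPLE_CFG = """\
## Configuration file of Harbor (constructed sample)
hostname = 192.168.30.11
ui_url_protocol = http
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
verify_remote_cert = on
db_password = root123
"""

# Values this audit wants for the non-secret keys.
HARDENED = {
    "ui_url_protocol": "https",
    "self_registration": "off",
    "project_creation_restriction": "adminonly",
    "verify_remote_cert": "on",
}


def parse_harbor_cfg(text):
    """harbor.cfg is a flat 'key = value' file; lines starting with '#' are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return (key, current value, why it matters) for each weak setting found."""
    findings = []

    def flag(key, why):
        findings.append((key, cfg.get(key, "<unset>"), why))

    if cfg.get("ui_url_protocol", "http") != "https":
        flag("ui_url_protocol", "docker login credentials and UI sessions travel over plain HTTP, "
                                "and every client needs --insecure-registry")
    elif not cfg.get("ssl_cert") or not cfg.get("ssl_cert_key"):
        flag("ssl_cert", "https selected but no certificate/key path configured")
    if cfg.get("harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        flag("harbor_admin_password", "shipped default; it is only read on first start")
    if cfg.get("db_password") == DEFAULT_DB_PASSWORD:
        flag("db_password", "shipped default MySQL root password")
    if cfg.get("auth_mode", "db_auth") == "db_auth" and cfg.get("self_registration", "on") == "on":
        flag("self_registration", "anyone who can reach the UI can create an account")
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        flag("project_creation_restriction", "every user can create projects")
    if cfg.get("verify_remote_cert", "on") != "on":
        flag("verify_remote_cert", "replication trusts any certificate on the remote registry")
    return findings


def harden(text, admin_password, db_password):
    """Rewrite weak keys in place, keeping comments and order; secrets come from the caller."""
    if admin_password == DEFAULT_ADMIN_PASSWORD or db_password == DEFAULT_DB_PASSWORD:
        raise ValueError("refusing to keep a shipped default password")
    wanted = dict(HARDENED, harbor_admin_password=admin_password, db_password=db_password)
    out = []
    for line in text.splitlines():
        key = line.partition("=")[0].strip()
        if not line.lstrip().startswith("#") and key in wanted:
            line = f"{key} = {wanted[key]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, value, why in audit(parse_harbor_cfg(SAMPLE_CFG)):
        print(f"{key} = {value}: {why}")
```

Run the audit on the file before the first ./install.sh: as the optional-parameter section explains, harbor_admin_password, auth_mode and self_registration are only read on the first start, so a weak value that slips through has to be corrected in the UI afterwards rather than in the file.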

Origin blog.csdn.net/weixin_67287151/article/details/130342091