docker | Docker image registries (Harbor)

I. Introduction
1. Image repositories

An image repository stores Docker images.
A Docker registry provides the image repository service.
One Docker registry can contain many image repositories.
Repositories are either public or private.
There are two ways to set up a private registry: Registry and Harbor.
2. Drawbacks of using the official registry
It needs an Internet connection, and uploads and downloads are slow.
Images pushed to Docker Hub can be accessed by anyone; private repositories exist, but they are not free.
For security reasons, many organizations do not allow images to be placed on external networks.
II. The registry repository
System       IP             Hostname   Role
CentOS 7.4   192.168.2.17   Docker1    Docker, registry, harbor
CentOS 7.4   192.168.2.1    Docker2    Docker
1. Start the registry container
Docker provides an official image, registry, for running a private registry: pull the image, run a container from it, expose port 5000, and it is ready to use.
-p: the registry listens on port 5000 inside the container; map it to port 5000 on the host
-v: mount the host directory /data/registry at /var/lib/registry inside the container, so pushed images live on the host rather than in the container's writable layer
[root@Docker1 ~]# docker run -d -p 5000:5000 -v /data/registry:/var/lib/registry registry:2

[root@Docker1 ~]# docker ps
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS                                       NAMES
dba2d52fda19   registry:2   "/entrypoint.sh /etc…"   13 seconds ago   Up 12 seconds   0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   busy_bouman

You can open 192.168.2.17:5000/v2 in a browser to check that the registry is answering.

2. Push an image
[root@Docker1 ~]# docker tag nginx:latest 192.168.2.17:5000/librar/nginx:latest
[root@Docker1 ~]# docker images
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
registry                         2         9c97225e83c8   3 weeks ago   24.2MB
192.168.2.17:5000/librar/nginx   latest    c316d5a335a5   5 weeks ago   142MB
nginx                            latest    c316d5a335a5   5 weeks ago   142MB

The registry container serves plain HTTP, and by default the Docker daemon refuses to talk to a registry without TLS, so the host must be listed under insecure-registries. This tells the daemon to accept that registry over unencrypted HTTP (pushes, pulls and any credentials travel in the clear, which is acceptable only on a trusted lab network). The entry is normally written as host:port without a scheme; the daemon strips an http:// prefix with a warning. Restarting the daemon also stops the registry container, so it has to be started again afterwards.
[root@Docker1 ~]# vim /etc/docker/daemon.json    # configure the Docker daemon
{
  "log-driver": "journald",
  "bip": "192.168.0.1/24",
  "insecure-registries": ["http://192.168.2.17:5000"]
}
(save the file)
[root@Docker1 ~]# systemctl restart docker
[root@Docker1 ~]# docker ps -a
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS                      PORTS     NAMES
dba2d52fda19   registry:2   "/entrypoint.sh /etc…"   18 minutes ago   Exited (2) 35 seconds ago             busy_bouman
[root@Docker1 ~]# docker start dba2d52fda19
dba2d52fda19

[root@Docker1 ~]# docker push 192.168.2.17:5000/librar/nginx:latest
The push refers to repository [192.168.2.17:5000/librar/nginx]
762b147902c0: Pushed
235e04e3592a: Pushed
6173b6fa63db: Pushed
9a94c4a55fe4: Pushed
9a3a6af98e18: Pushed
7d0ebbe3f5d2: Pushed
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570

The pushed image can now be seen in the browser.

We can also pull it back to the local host.
[root@Docker1 ~]# docker rmi 192.168.2.17:5000/librar/nginx:latest
Untagged: 192.168.2.17:5000/librar/nginx:latest
Untagged: 192.168.2.17:5000/librar/nginx@sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
[root@Docker1 ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
registry     2         9c97225e83c8   3 weeks ago   24.2MB
nginx        latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker1 ~]# docker pull 192.168.2.17:5000/librar/nginx:latest
latest: Pulling from librar/nginx
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17:5000/librar/nginx:latest
192.168.2.17:5000/librar/nginx:latest

[root@Docker1 ~]# docker images
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
registry                         2         9c97225e83c8   3 weeks ago   24.2MB
192.168.2.17:5000/librar/nginx   latest    c316d5a335a5   5 weeks ago   142MB
nginx                            latest    c316d5a335a5   5 weeks ago   142MB

Pull and push from Docker2 (Docker installation omitted)
[root@Docker2 ~]# vim /etc/docker/daemon.json    # configure the Docker daemon
{
  "log-driver": "journald",
  "bip": "192.168.0.1/24",
  "insecure-registries": ["http://192.168.2.17:5000"]
}
(save the file)
[root@Docker2 ~]# systemctl restart docker
[root@Docker2 ~]# docker pull 192.168.2.17:5000/librar/nginx:latest
latest: Pulling from librar/nginx
5eb5b503b376: Pull complete
1ae07ab881bd: Pull complete
78091884b7be: Pull complete
091c283c6a66: Pull complete
55de5851019b: Pull complete
b559bad762be: Pull complete
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17:5000/librar/nginx:latest
192.168.2.17:5000/librar/nginx:latest
[root@Docker2 ~]# docker images    # the image is now present locally
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
192.168.2.17:5000/librar/nginx   latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker2 ~]# docker tag 192.168.2.17:5000/librar/nginx:latest 192.168.2.17:5000/librar/nginx2:latest
[root@Docker2 ~]# docker push 192.168.2.17:5000/librar/nginx2:latest
The push refers to repository [192.168.2.17:5000/librar/nginx2]
762b147902c0: Mounted from librar/nginx
235e04e3592a: Mounted from librar/nginx
6173b6fa63db: Mounted from librar/nginx
9a94c4a55fe4: Mounted from librar/nginx
9a3a6af98e18: Mounted from librar/nginx
7d0ebbe3f5d2: Mounted from librar/nginx
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570

You can see that the image has been uploaded.

III. Building a Harbor private image registry
1. Harbor overview
Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with features enterprises need, such as security, identity and management. As an enterprise private registry, Harbor offers better performance and security and makes transferring images between build and runtime environments more efficient. Harbor supports replicating images across multiple registry nodes, and all images stay in the private registry, keeping data and intellectual property under the control of the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Harbor official website: Harbor
Harbor source code: GitHub - goharbor/harbor: An open source trusted cloud native registry project that stores, signs, and scans content.
2. Harbor architecture
[Figure: Harbor architecture diagram]

3. Harbor's six modules
Proxy: Harbor's registry, UI, token service and other components all sit behind a reverse proxy, which forwards requests from browsers and Docker clients to the backend services.
Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, on every push/pull request the Registry requires the client to present a valid token obtained from the token service.
Core services: Harbor's core functions, mainly the following three services:
UI: acts as the Registry webhook endpoint and gives users a graphical interface for managing images
1) WebHook: a mechanism configured in the registry so that whenever an image in the registry changes, Harbor's webhook endpoint is notified. Harbor uses webhooks to update logs, start replication jobs, and so on
2) Token service: issues a token for each push/pull request according to the user's role in the project. If a request carries no token, the registry redirects it to the token service
3) Database: stores project metadata, user data, role data, replication policies and image metadata
Job services: mainly used for image replication; local images can be replicated to remote Harbor instances
Log collector: gathers the logs of the other modules in one place
4. How Harbor works
Docker login
[Figure: Docker login flow]

1) First, the login request is received by the Proxy container and, according to the preconfigured matching rules, forwarded to the backend Registry container.
2) The Registry parses the request. Because token-based authentication is configured, it looks for a token; finding none, it returns error code 401 together with the URL of the token service.
3) On receiving the error, the Docker client turns to the token service address and, following the HTTP Basic Authentication scheme, combines and encodes the username and password and places them in the request header.
4) Again, the request first reaches the Proxy container and is then forwarded to the ui/token container, which accepts it, decodes the header and obtains the username and password.
5) The ui/token container compares the username and password against the database (or, with LDAP authentication, against the LDAP server). If they match, it returns a success status code, generates a token with its key, and sends the token to the Docker client.
Docker push
[Figure: Docker push flow]

1) As before, the client first talks to the Registry, which returns the URL of the token service.
2) The Docker client contacts the token service, asking for a token for a push image operation.
3) The token service checks the database to verify that the current user has permission for that operation. If so, it encodes the image information and the push operation, signs it with its private key, and returns the resulting token to the Docker client.
4) The Docker client talks to the Registry again, this time with the token in the request header. The Registry verifies the token with the public key and, if it checks out, the push can begin.
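As an added example (not code from this post or from the Harbor project), the Python below models the client side of the login and push handshake just described: parsing the Bearer challenge the registry returns with its 401, building the Basic-authenticated request to the token service, and switching to the Bearer token on the retry. The realm, service name and token contents are constructed sample values; the signature check belongs to the registry, which holds the public key, so the claims decoder here deliberately does not verify it.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed challenge modelled on the 401 a Harbor/Distribution registry
# returns for an unauthenticated request; realm and service are assumptions.
SAMPLE_CHALLENGE = ('Bearer realm="http://192.168.2.17/service/token",'
                    'service="harbor-registry",'
                    'scope="repository:library/nginx2:pull,push"')
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_challenge(header):
    # Step 2 of the login flow: the WWW-Authenticate header names the token
    # service (realm), the service id and the scope the client must request.
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: " + scheme)
    return dict(_PARAM_RE.findall(params))

def token_request(challenge, username, password):
    # Step 3: the client asks the token service for a token, carrying the
    # credentials base64-encoded in an HTTP Basic Authorization header.
    params = parse_challenge(challenge)
    query = {"service": params["service"]}
    if "scope" in params:
        query["scope"] = params["scope"]
    url = params["realm"] + "?" + urlencode(query)
    cred = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return url, {"Authorization": "Basic " + cred}

def bearer_header(token_json):
    # Step 4 of the push flow: retry against the registry with the token.
    return {"Authorization": "Bearer " + json.loads(token_json)["token"]}

def unverified_claims(token):
    # Inspect what the token grants. The signature is NOT checked here; only
    # the registry, holding the token service's public key, does that.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed token (Harbor-style "access" claim, placeholder signature).
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"sub": "admin", "access": [{"type": "repository",
            "name": "library/nginx2", "actions": ["pull", "push"]}]}).encode()),
    "placeholder-signature",
])
```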
5. Installing Harbor
[root@Docker1 ~]# ls harbor-offline-installer-v1.10.4.tgz
harbor-offline-installer-v1.10.4.tgz
[root@Docker1 ~]# tar xf harbor-offline-installer-v1.10.4.tgz -C /usr/local/

Edit Harbor's configuration file (only the hostname is changed and the https block is commented out; http stays enabled)
[root@Docker1 ~]# vi /usr/local/harbor/harbor.yml
..
hostname: 192.168.2.17    # change to the local IP

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:    # comment out https
  # https port for harbor, default is 443
  #port: 443    # commented out
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path    # commented out
  #private_key: /your/private/key/path    # commented out
.....
(save the file)

Install docker-compose: download the docker-compose binary into /usr/bin and make it executable
[root@Docker1 ~]# cd /usr/bin/
[root@Docker1 bin]# chmod a+x docker-compose

Start Harbor
[root@Docker1 bin]# cd /usr/local/harbor/
[root@Docker1 harbor]# sh install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.23.2
[Step 2]: loading Harbor images ...
.........................
.......
..
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registry ... done
Creating redis ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

Start and stop commands (run from /usr/local/harbor, where install.sh generated docker-compose.yml)
docker-compose up -d    # start Harbor
docker-compose stop     # stop Harbor

Access: 192.168.2.17   Username: admin   Password: Harbor12345 (note that the H in the password is upper-case)

6. Upload an image from Docker2 to Docker1
Edit the Docker configuration file (Harbor is served by nginx on port 80 over plain HTTP here, so the host is listed without a port)
[root@Docker2 ~]# vim /etc/docker/daemon.json
{
  "log-driver": "journald",
  "bip": "192.168.0.1/24",
  "insecure-registries": ["http://192.168.2.17"]
}
(save the file)
[root@Docker2 ~]# systemctl restart docker

[root@Docker2 ~]# docker login -u admin -p Harbor12345 192.168.2.17    # log in to Harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@Docker2 ~]# docker tag nginx2:latest 192.168.2.17/library/nginx2:latest
[root@Docker2 ~]# docker images
REPOSITORY                    TAG       IMAGE ID       CREATED       SIZE
nginx2                        latest    c316d5a335a5   5 weeks ago   142MB
192.168.2.17/library/nginx2   latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker2 ~]# docker push 192.168.2.17/library/nginx2:latest
The push refers to repository [192.168.2.17/library/nginx2]
762b147902c0: Pushed
235e04e3592a: Pushed
6173b6fa63db: Pushed
9a94c4a55fe4: Pushed
9a3a6af98e18: Pushed
7d0ebbe3f5d2: Pushed
latest: digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee size: 1570

Check the upload result in the Harbor UI

The upload succeeded; now pull the image back.
[root@Docker2 ~]# docker rmi 192.168.2.17/library/nginx2:latest
Untagged: 192.168.2.17/library/nginx2:latest
Untagged: 192.168.2.17/library/nginx2@sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
[root@Docker2 ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
nginx2       latest    c316d5a335a5   5 weeks ago   142MB

[root@Docker2 ~]# docker pull 192.168.2.17/library/nginx2:latest
latest: Pulling from library/nginx2
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for 192.168.2.17/library/nginx2:latest
192.168.2.17/library/nginx2:latest
[root@Docker2 ~]# docker images
REPOSITORY                    TAG       IMAGE ID       CREATED       SIZE
nginx2                        latest    c316d5a335a5   5 weeks ago   142MB
192.168.2.17/library/nginx2   latest    c316d5a335a5   5 weeks ago   142MB

You can also create a new user in Harbor and use that account for pushing and pulling instead of admin.
