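1 Image registry overview
1.1 Introduction
- An image repository is used to store Docker images
- Docker registry provides the image repository service
- One Docker registry can contain multiple image repositories
- Repositories are divided into public and private image repositories
1.2 Public image repositories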
- hub.docker.com
- quay.io
- gcr.io
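1.3 Drawbacks of using the official registry
- Requires an internet connection; uploads and downloads are slow
- Images uploaded to Docker Hub can be accessed by anyone; private repositories are available, but they are not free
- For security reasons, many organizations do not allow images to be placed on the public internet
1.4 Running an image registry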
[root@docker-server3 ~]# docker run -d -p 5000:5000 -v /data/registry:/var/lib/registry registry:2
registry:2: pulled from the official registry by default; the version is 2
-p: the default port is 5000, mapped to local port 5000
-v: mounts a local directory onto the registry's image storage location inside the container, so the images are persisted on the host
Unable to find image 'registry:2' locally
2: Pulling from library/registry
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:2
feebef9a6ec69e63d5f97bfe93edeed14e15d32c979f5152bedb22f5069e4e4b
[root@docker-server3 ~]# docker ps -a
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS                    NAMES
feebef9a6ec6   registry:2   "/entrypoint.sh /etc…"   41 seconds ago   Up 40 seconds   0.0.0.0:5000->5000/tcp   funny_archimedes
f97a5669c5d6   nginx:v1.5   "/build.sh nginx -g …"   3 hours ago      Up 3 hours      80/tcp                   beautiful_wilbur
10694bcf9b87   nginx:v1.5   "/build.sh nginx -g …"   3 hours ago      Created                                  practical_ritchie
1.5 Pushing an image
[root@docker-server3 ~]# docker tag nginx:v1.5 192.168.132.133:5000/library/nginx:v1.5
[root@docker-server3 ~]# docker image ls
REPOSITORY                           TAG      IMAGE ID       CREATED         SIZE
192.168.132.133:5000/library/nginx   v1.5     ba600822f908   7 hours ago     418MB
nginx                                v1.5     ba600822f908   7 hours ago     418MB
nginx                                v1.4     e51688c79109   8 hours ago     418MB
nginx                                v1.3     80a81192811a   8 hours ago     418MB
nginx                                v1.2     852fb29d5783   9 hours ago     418MB
nginx                                v1.1     68354cda3d7b   9 hours ago     418MB
nginx                                v1.0     cd520a2362fb   9 hours ago     418MB
openssh                              v1.8     64e76b90e1fa   9 hours ago     306MB
openssh                              v1.7     a208eefd515d   10 hours ago    306MB
openssh                              v1.6     7c3b42276adb   10 hours ago    306MB
openssh                              v1.5     90743d882696   17 hours ago    306MB
openssh                              v1.3     0244c59bf444   2 days ago      306MB
openssh                              v1.4     2412a6e26b9c   2 days ago      306MB
openssh                              v1.2     c399a750ed03   2 days ago      361MB
openssh                              v1.0     d98ba06569f3   2 days ago      361MB
nginx                                latest   f7bb5701a33c   5 days ago      126MB
busybox                              latest   6d5fcfe5ff17   7 days ago      1.22MB
hub.darren.com/library/alpine        3.7      cc0abc535e36   9 days ago      5.59MB
centos                               7        5e35e350aded   7 weeks ago     203MB
registry                             2        f32a97de94e1   10 months ago   25.8MB
[root@docker-server3 ~]# docker push 192.168.132.133:5000/library/nginx:v1.5
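The push refers to repository [192.168.132.133:5000/library/nginx]
Get https://192.168.132.133:5000/v2/: http: server gave HTTP response to HTTPS client
The push fails because the Docker client requires HTTPS, and the certificate must be a valid, trusted one.
The Docker daemon configuration has to be changed. Listing the registry under insecure-registries makes the daemon accept plain HTTP for that address, so traffic to it is neither encrypted nor authenticated.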
[root@docker-server3 ~]# cat /etc/docker/daemon.json
{
  "log-driver": "journald",
  "bip": "192.168.0.1/24",
  "insecure-registries": ["http://192.168.132.133:5000"]
}
[root@docker-server3 ~]# systemctl restart docker
[root@docker-server3 ~]# docker ps -a
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS                      PORTS   NAMES
feebef9a6ec6   registry:2   "/entrypoint.sh /etc…"   13 minutes ago   Exited (2) 27 seconds ago           funny_archimedes
f97a5669c5d6   nginx:v1.5   "/build.sh nginx -g …"   3 hours ago      Exited (0) 27 seconds ago           beautiful_wilbur
10694bcf9b87   nginx:v1.5   "/build.sh nginx -g …"   3 hours ago      Created                             practical_ritchie
[root@docker-server3 ~]# docker start feebef9a6ec6
[root@docker-server3 ~]# docker push 192.168.132.133:5000/library/nginx:v1.5
The push refers to repository [192.168.132.133:5000/library/nginx]
fc2a1b35c0a9: Pushed
fdd515349bc6: Pushed
72838385a292: Pushed
77b174a6a187: Pushed
v1.5: digest: sha256:2189ab9655b0dff8cecfa746ef2234bec36fb54114e971b6c15caf4f5eb36c6f size: 1155
The image was pushed successfully, but with this kind of registry there is no direct way to see which images it holds.
1.6 Installing a registry with a web UI
[root@docker-server3 ~]# docker run -d -p 8080:8080 -v /etc/localtime:/etc/localtime --name registry-web -e REGISTRY_HOST=registry -e REGISTRY_PORT=5000 -e REGISTRY_URL=http://registry:5000/v2 --link funny_archimedes:registry hyper/docker-registry-web
-p: map to port 8080
--name: name the container registry-web
-e: pass environment variables
--link: connect with a link; funny_archimedes is the name of the private registry container started above
Unable to find image 'hyper/docker-registry-web:latest' locally
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete
d394d3da86fe: Pull complete
bac77aae22d4: Pull complete
b48b86b78e97: Pull complete
09b3dd842bf5: Pull complete
69f4c5394729: Pull complete
b012980650e9: Pull complete
7c7921c6fda1: Pull complete
e20331c175ea: Pull complete
40d5e82892a5: Pull complete
a414fa9c865a: Pull complete
0304ae3409f3: Pull complete
13effc1a664f: Pull complete
e5628d0e6f8c: Pull complete
0b0e130a3a52: Pull complete
d0c73ab65cd2: Pull complete
240c0b145309: Pull complete
f1fd6f874e5e: Pull complete
40b5e021928e: Pull complete
88a8c7267fbc: Pull complete
f9371a03010e: Pull complete
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest
c3025c175eae0a1a28f3cf881c363a10688ca8e9170c9557e3fd70d903f2f99f
[root@docker-server3 ~]# docker ps -a
CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS                      PORTS                    NAMES
c3025c175eae   hyper/docker-registry-web   "start.sh"               59 seconds ago   Up 58 seconds               0.0.0.0:8080->8080/tcp   registry-web
feebef9a6ec6   registry:2                  "/entrypoint.sh /etc…"   41 minutes ago   Up 28 minutes               0.0.0.0:5000->5000/tcp   funny_archimedes
f97a5669c5d6   nginx:v1.5                  "/build.sh nginx -g …"   3 hours ago      Exited (0) 28 minutes ago                            beautiful_wilbur
10694bcf9b87   nginx:v1.5                  "/build.sh nginx -g …"   3 hours ago      Created                                              practical_ritchie
Visit http://192.168.132.133:8080/
Click into the repository
Pull the image from another machine
[root@docker-server1 ~]# docker pull 192.168.132.133:5000/library/nginx:v1.5
Error response from daemon: Get https://192.168.132.133:5000/v2/: http: server gave HTTP response to HTTPS client
[root@docker-server1 ~]# vi /etc/docker/daemon.json
{
  "insecure-registries": ["http://192.168.132.133:5000"],
  "registry-mirrors": ["https://o0o4czij.mirror.aliyuncs.com"]
}
[root@docker-server1 ~]# systemctl restart docker
[root@docker-server1 ~]# docker pull 192.168.132.133:5000/library/nginx:v1.5
v1.5: Pulling from library/nginx
ab5ef0e58194: Pull complete
2a95ef35dfe4: Pull complete
c7655bb407fc: Pull complete
95fb544c76c7: Pull complete
Digest: sha256:2189ab9655b0dff8cecfa746ef2234bec36fb54114e971b6c15caf4f5eb36c6f
Status: Downloaded newer image for 192.168.132.133:5000/library/nginx:v1.5
192.168.132.133:5000/library/nginx:v1.5
[root@docker-server1 ~]# docker image ls
REPOSITORY                                                    TAG        IMAGE ID       CREATED                  SIZE
192.168.132.133:5000/library/nginx                            v1.5       ba600822f908   Less than a second ago   418MB
ubuntu                                                        16.04      5f2bf26e3524   2 months ago             123MB
httpd                                                         2.4        d3017f59d5e2   2 months ago             165MB
busybox                                                       latest     020584afccce   2 months ago             1.22MB
nginx                                                         latest     540a289bab6c   2 months ago             126MB
hub.darren.com/library/nginx                                  version1   540a289bab6c   2 months ago             126MB
centos                                                        latest     0f3e07c0138f   3 months ago             220MB
centos                                                        6          d0957ffdf8a2   9 months ago             194MB
registry.cn-hangzhou.aliyuncs.com/google_containers/coredns   1.1.3      b3b94275d97c   19 months ago            45.6MB
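1.8 Drawbacks
This registry is configured and working, but its shortcomings are obvious:
- There is no authentication mechanism: anyone can pull and push images at will, so there is no security
- There is no image cleanup mechanism: images can be pushed but not deleted, so disk usage keeps growing over time
- There is no corresponding extension mechanism
Private registries:
- harbor: VMware China community
- quay: open-sourced after being acquired by Red Hat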
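2 Introduction to Harbor
2.1 About Harbor
Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and makes it more efficient for users to build with the registry and to transfer images to their runtime environments. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so that data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Harbor official website: http://vmware.github.io/harbor/
Harbor source code: https://github.com/vmware/harbor
Harbor's binary packages come in both online and offline versions; here we use the online version directly.
Official location: https://github.com/goharbor/harbor
2.2 Harbor architecture
2.3 Harbor's six modules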
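- Proxy: Harbor's components such as the registry, UI and token services all sit behind a reverse proxy. The proxy forwards requests from browsers and Docker clients to the backend services.
- Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, on every push/pull request the Registry requires the client to obtain a valid token from the token service.
- Core services: Harbor's core functionality, which mainly comprises the following 3 services:
- UI: acts as the Registry webhook and helps users manage images through a graphical user interface.
  1) Webhook: a mechanism configured in the registry; when an image in the registry changes, Harbor's webhook endpoint is notified. Harbor uses the webhook to update logs, initiate replication jobs, and so on.
  2) Token service: issues a token for each push/pull request according to the user's role in a project. If a request does not carry a token, the registry redirects it to the token service.
  3) Database: stores project metadata, user data, role data, replication policies and image metadata.
- Job services: mainly used for image replication; local images can be synchronized to remote Harbor instances.
- Log collector: collects the logs of the other modules in one place.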
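2.4 Harbor components
Note that every Harbor component is built as a Docker container and can be deployed with Docker Compose; if Kubernetes is used in the environment, Harbor also provides Kubernetes configuration files.
Harbor consists of 8 containers:
- ui: Harbor's core service.
- log: a container running rsyslog, which collects logs.
- mysql: a database container built from the official MySQL image; PostgreSQL is used now
- nginx: Nginx acting as the reverse proxy
- registry: the official Docker registry
- adminserver: Harbor's configuration data manager
- jobservice: Harbor's job management service.
- redis: used to store sessions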
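2.5 How Harbor works
Docker login
- First, the login request is received by the Proxy container; according to the preconfigured matching rules, it is forwarded to the backend Registry container.
- The Registry receives the request and parses it. Because token-based authentication is configured, it looks for a token; finding none in the request, it returns error code 401 together with the URL of the token service.
- On receiving the error response, the Docker client sends a request to the token service address instead and, following the HTTP Basic Authentication scheme, combines and encodes the username and password and places them in the request header.
- Likewise, this request first reaches the Proxy container and is then forwarded to the ui/token container, which accepts the request, decodes the request header and obtains the username and password.
- After obtaining the username and password, the ui/token container verifies them by querying the database (with LDAP authentication, it calls the LDAP service to validate them). If they match, it returns a success status code, generates a token with its key, and sends both to the Docker client.
Docker push
- Likewise, the client first communicates with the Registry, which returns the URL of the token service.
- The Docker client then communicates with the token service, stating that it wants a token for a push image operation.
- The token service queries the database to verify that the current user has permission for that operation; if so, it encodes the image information and the push operation, signs them with the private key, and returns the resulting token to the Docker client.
- The Docker client communicates with the Registry again, this time placing the token in the request header. On receiving the request, the Registry uses the public key to decode and verify it; if verification succeeds, the push can begin.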
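The push exchange described above, as an added Go example (not Harbor's own code): a token service signs the granted actions with its private key and the registry verifies them with the public key. The claims layout, the `roles` table and all function names are assumptions made for illustration; token expiry and the Basic-auth password check are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claims is a simplified token payload: the user, one repository, the granted actions.
type claims struct {
	Sub     string   `json:"sub"`
	Repo    string   `json:"repo"`
	Actions []string `json:"actions"`
}

var b64 = base64.RawURLEncoding

// roles is a constructed stand-in for Harbor's database: user -> project -> actions.
var roles = map[string]map[string][]string{
	"admin": {"library": {"pull", "push"}},
	"guest": {"library": {"pull"}},
}

// NewKey creates the token service's key pair; the registry only needs the public half.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// IssueToken is the token service: grant only the actions the user's role allows, then sign.
func IssueToken(key *rsa.PrivateKey, user, repo string, want []string) (string, error) {
	c := claims{Sub: user, Repo: repo}
	for _, w := range want {
		for _, allowed := range roles[user][strings.SplitN(repo, "/", 2)[0]] {
			if w == allowed {
				c.Actions = append(c.Actions, w)
			}
		}
	}
	body, _ := json.Marshal(c)
	signed := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return signed + "." + b64.EncodeToString(sig), err
}

// Authorize is the registry: it verifies the signature with the public key (the
// algorithm is fixed here, not read from the token) and then checks the claims.
func Authorize(pub *rsa.PublicKey, token, repo, action string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("401: no token, request one from the token service")
	}
	sig, _ := b64.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return fmt.Errorf("401: token signature is invalid")
	}
	var c claims
	raw, _ := b64.DecodeString(parts[1])
	if json.Unmarshal(raw, &c) == nil && c.Repo == repo {
		for _, a := range c.Actions {
			if a == action {
				return nil
			}
		}
	}
	return fmt.Errorf("denied: requested access to the resource is denied")
}

func main() {
	key, _ := NewKey()
	tok, _ := IssueToken(key, "guest", "library/nginx", []string{"pull", "push"})
	fmt.Println("guest push:", Authorize(&key.PublicKey, tok, "library/nginx", "push"))
}
```

Because the registry holds only the public key, it can check tokens but cannot mint them; a token signed by any other key is rejected before its claims are read.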
3 Installing Harbor
This experiment uses version v1.9.3
Remove all containers
[root@docker-server3 ~]# docker ps -aq |xargs docker rm -fv
3.1 Downloading the package
Download the online Harbor installer: https://github.com/goharbor/harbor/releases/tag/v1.9.3
[root@docker-server3 ~]# wget https://github.com/goharbor/harbor/releases/download/v1.9.3/harbor-online-installer-v1.9.3.tgz
[root@docker-server3 ~]# tar -xf harbor-online-installer-v1.9.3.tgz
[root@docker-server3 ~]# mv harbor /usr/local/
[root@docker-server3 ~]# cd /usr/local/harbor/
[root@docker-server3 harbor]# ll
-rw-r--r-- 1 root root  5805 Nov 18 03:37 harbor.yml
-rwxr-xr-x 1 root root  5088 Nov 18 03:37 install.sh
-rw-r--r-- 1 root root 11347 Nov 18 03:37 LICENSE
-rwxr-xr-x 1 root root  1748 Nov 18 03:37 prepare
3.2 Generating a certificate
[root@docker-server3 harbor]# mkdir pki
[root@docker-server3 harbor]# cd pki
[root@docker-server3 pki]# openssl genrsa -des3 -out server.key 1024
[root@docker-server3 pki]# openssl rsa -in server.key -out server.key
[root@docker-server3 pki]# openssl req -new -key server.key -out server.csr
[root@docker-server3 pki]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[root@docker-server3 pki]# ll
-rw-r--r-- 1 root root 920 Jan  3 03:06 server.crt
-rw-r--r-- 1 root root 684 Jan  3 03:04 server.csr
-rw-r--r-- 1 root root 887 Jan  3 03:03 server.key
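An added example (not part of the original post) that checks a registry certificate before it is referenced from harbor.yml: it flags RSA keys under 2048 bits, such as the 1024-bit key generated above, and certificates with no subjectAltName for the registry hostname. The certificates are generated in memory for the demonstration; `SelfSigned`, `CheckCert` and the CN/SAN values are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned builds a self-signed server certificate in memory and returns it
// as PEM. With no sans it resembles a plain `openssl req` certificate (CN only).
func SelfSigned(bits int, cn string, sans ...string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(0, 0, 365),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckCert returns the reasons certPEM should not be deployed for host.
func CheckCert(certPEM []byte, host string) []string {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return []string{"not a PEM certificate"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"cannot parse certificate: " + err.Error()}
	}
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("weak key: RSA %d bits, need 2048 or more", pub.N.BitLen()))
	}
	// Current Go TLS clients match the name against subjectAltName only, never the CN.
	if err := cert.VerifyHostname(host); err != nil {
		problems = append(problems, "name mismatch: no subjectAltName covers "+host)
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "outside validity period")
	}
	return problems
}

func main() {
	weak, _ := SelfSigned(1024, "darren.yutian.com") // key size used on this page
	good, _ := SelfSigned(2048, "darren.yutian.com", "darren.yutian.com")
	fmt.Println("1024-bit, CN only: ", CheckCert(weak, "darren.yutian.com"))
	fmt.Println("2048-bit with SAN:", CheckCert(good, "darren.yutian.com"))
}
```

A self-signed certificate that passes these checks can be trusted per registry by copying it to /etc/docker/certs.d/<registry hostname>/ca.crt on each client, instead of listing the registry under insecure-registries.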
3.3 Harbor configuration
[root@docker-server3 pki]# cd ../
[root@docker-server3 harbor]# grep -Ev "^$|[;#]" harbor.yml
hostname: darren.test.com
https:
  port: 443
  certificate: /usr/local/harbor/pki/server.crt
  private_key: /usr/local/harbor/pki/server.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /data
clair:
  updaters_interval: 12
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 1.9.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair
[root@docker-server3 harbor]# ./prepare
prepare base dir is set to /usr/local/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@docker-server3 harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.5
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again.
3.4 Installing docker-compose
docker-compose is a container orchestration tool: https://github.com/docker/compose
Download the latest version
[root@docker-server3 harbor]# wget https://github.com/docker/compose/releases/download/1.25.0/docker-compose-Linux-x86_64
[root@docker-server3 harbor]# chmod +x docker-compose-Linux-x86_64
[root@docker-server3 harbor]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
3.5 Installation
[root@docker-server3 harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.5
Note: docker-compose version: 1.25.0
[Step 1]: preparing environment ...
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 2]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-log
b950b5dd94ab: Already exists
1fefec4d6309: Pull complete
fbbcfef46e70: Pull complete
459a9232cb22: Pull complete
a5ae36915def: Pull complete
46f9c2f74703: Pull complete
9deb3de04c54: Pull complete
909a05fc4700: Pull complete
Digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07
Status: Downloaded newer image for goharbor/harbor-log:v1.9.3
Pulling registry (goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3)...
v2.7.1-patch-2819-2553-v1.9.3: Pulling from goharbor/registry-photon
b950b5dd94ab: Already exists
1f4568af817f: Pull complete
be92c4733d10: Pull complete
1d666391d7e5: Pull complete
71b9f2abeafa: Pull complete
d855fea51058: Pull complete
Digest: sha256:78bf8ca6c84e58f11369d07817589391c72b07ac2528b898332d2d5ffe554f8c
Status: Downloaded newer image for goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3
Pulling registryctl (goharbor/harbor-registryctl:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-registryctl
b950b5dd94ab: Already exists
63505c20b7ca: Pull complete
8f807bf00d34: Pull complete
8e9de15b00b6: Pull complete
ea11b966c1d1: Pull complete
b4cf4b6f96d5: Pull complete
cee638fc0ad7: Pull complete
Digest: sha256:a5141c71bc6e5d541c9ee3459ea100c14b2b84d3897a99e02d4cff090dacd721
Status: Downloaded newer image for goharbor/harbor-registryctl:v1.9.3
Pulling postgresql (goharbor/harbor-db:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-db
b950b5dd94ab: Already exists
06fad8ffb3f8: Pull complete
2b68b32f8088: Pull complete
d7c46e659a6a: Pull complete
6a67b71cc8b5: Pull complete
fe8a70af51fb: Pull complete
3b5d884187b3: Pull complete
2d1536f2a1d3: Pull complete
dc417e3b633a: Pull complete
Digest: sha256:0fc09367feed82cdcc558823bd848752f155d65e52c245f1429d1a53915a4c1b
Status: Downloaded newer image for goharbor/harbor-db:v1.9.3
Pulling portal (goharbor/harbor-portal:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-portal
b950b5dd94ab: Already exists
043df33993ba: Pull complete
d8d460d2082b: Pull complete
11b3c3c9b803: Pull complete
198c8fefbd72: Pull complete
5b2f09f123e1: Pull complete
86acd987157f: Pull complete
Digest: sha256:d96d934dab47bfe426c33b37533094289e8f4111d0e3e0b1517c341831ff8466
Status: Downloaded newer image for goharbor/harbor-portal:v1.9.3
Pulling redis (goharbor/redis-photon:v1.9.3)...
v1.9.3: Pulling from goharbor/redis-photon
b950b5dd94ab: Already exists
b8fbe9dc9dde: Pull complete
e19904d63c6a: Pull complete
7cae1df3c795: Pull complete
93a7821ea4c9: Pull complete
Digest: sha256:893bed91214737244c1bc43005fa7f72c10d94b599a272e2982e22fa5b49757d
Status: Downloaded newer image for goharbor/redis-photon:v1.9.3
Pulling core (goharbor/harbor-core:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-core
b950b5dd94ab: Already exists
841d1d9cb8fd: Pull complete
a7452e6907b4: Pull complete
3163e443b06b: Pull complete
7f2a5aff198c: Pull complete
c240a35553e3: Pull complete
Digest: sha256:bc491975633fb845e593f4d0637cdaff9620b51a1a2a7924c6780275005cda88
Status: Downloaded newer image for goharbor/harbor-core:v1.9.3
Pulling jobservice (goharbor/harbor-jobservice:v1.9.3)...
v1.9.3: Pulling from goharbor/harbor-jobservice
b950b5dd94ab: Already exists
089caec5e122: Pull complete
3de3c64f442a: Pull complete
Digest: sha256:4fbf1ea5553d61fd6cbf58b5db9a2dc44cc1ff3d2704902e920f79b76e3a17ce
Status: Downloaded newer image for goharbor/harbor-jobservice:v1.9.3
Pulling proxy (goharbor/nginx-photon:v1.9.3)...
v1.9.3: Pulling from goharbor/nginx-photon
b950b5dd94ab: Already exists
3b5b95273977: Pull complete
Digest: sha256:4facb727a4abfdb0b1c64eab2ef3c85b461c8201cdd5cf9a5c07a41704f89793
Status: Downloaded newer image for goharbor/nginx-photon:v1.9.3
Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://darren.test.com.
For more details, please visit https://github.com/goharbor/harbor .
[root@docker-server3 harbor]# docker ps -a
CONTAINER ID   IMAGE                                                    COMMAND                  CREATED              STATUS                        PORTS                                         NAMES
3582c06fad6f   goharbor/harbor-jobservice:v1.9.3                        "/harbor/harbor_jobs…"   About a minute ago   Up About a minute (healthy)                                                 harbor-jobservice
28dc54458c79   goharbor/nginx-photon:v1.9.3                             "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   nginx
3c4a4e6810b2   goharbor/harbor-core:v1.9.3                              "/harbor/harbor_core"    About a minute ago   Up About a minute (healthy)                                                 harbor-core
234f0e80a188   goharbor/redis-photon:v1.9.3                             "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)   6379/tcp                                      redis
42155f90c422   goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3   "/entrypoint.sh /etc…"   About a minute ago   Up About a minute (healthy)   5000/tcp                                      registry
5aea0ad776ad   goharbor/harbor-registryctl:v1.9.3                       "/harbor/start.sh"       About a minute ago   Up About a minute (healthy)                                                 registryctl
b5ef61bcb28b   goharbor/harbor-portal:v1.9.3                            "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   8080/tcp                                      harbor-portal
2a8fc240e768   goharbor/harbor-db:v1.9.3                                "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   5432/tcp                                      harbor-db
47a172fa7361   goharbor/harbor-log:v1.9.3                               "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp                     harbor-log
3.6 Access test
After logging in
The access level here is public, which means other machines can pull images directly without logging in
[root@docker-server3 harbor]# ll /data/
drwxr-xr-x  2 10000   10000       6 Jan  3 03:35 ca_download
drwx------ 19 polkitd ssh_keys 4096 Jan  3 03:58 database
-rw-r--r--  1 root    root       12 Jan  2 19:02 index.html
drwxr-xr-x  2 10000   10000       6 Jan  3 03:35 job_logs
drwxr-xr-x  2 10000   10000       6 Jan  3 03:35 psc
drwxr-xr-x  2 polkitd ssh_keys   22 Jan  3 04:03 redis
drwxr-xr-x  3 10000   10000      20 Jan  3 01:03 registry
drwxr-xr-x  6 root    root       58 Jan  3 03:57 secret
This storage directory can be backed by almost any object storage; the following is an official configuration example
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md#backend
storage_service:
  ca_bundle:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images
  redirect:
    disable: false
A more complete example: https://docs.docker.com/registry/configuration/#storage
[root@docker-server3 harbor]# docker image ls
REPOSITORY                           TAG                             IMAGE ID       CREATED         SIZE
192.168.132.133:5000/library/nginx   v1.5                            ba600822f908   10 hours ago    418MB
nginx                                v1.5                            ba600822f908   10 hours ago    418MB
nginx                                v1.4                            e51688c79109   11 hours ago    418MB
nginx                                v1.3                            80a81192811a   11 hours ago    418MB
nginx                                v1.2                            852fb29d5783   12 hours ago    418MB
nginx                                v1.1                            68354cda3d7b   12 hours ago    418MB
nginx                                v1.0                            cd520a2362fb   12 hours ago    418MB
openssh                              v1.8                            64e76b90e1fa   13 hours ago    306MB
openssh                              v1.7                            a208eefd515d   13 hours ago    306MB
openssh                              v1.6                            7c3b42276adb   13 hours ago    306MB
openssh                              v1.5                            90743d882696   20 hours ago    306MB
openssh                              v1.4                            2412a6e26b9c   2 days ago      306MB
openssh                              v1.3                            0244c59bf444   2 days ago      306MB
openssh                              v1.2                            c399a750ed03   2 days ago      361MB
openssh                              v1.0                            d98ba06569f3   2 days ago      361MB
nginx                                latest                          f7bb5701a33c   5 days ago      126MB
busybox                              latest                          6d5fcfe5ff17   7 days ago      1.22MB
hub.darren.com/library/alpine        3.7                             cc0abc535e36   9 days ago      5.59MB
goharbor/redis-photon                v1.9.3                          33aaebc86b13   7 weeks ago     111MB
goharbor/harbor-registryctl          v1.9.3                          27af14c21462   7 weeks ago     103MB
goharbor/registry-photon             v2.7.1-patch-2819-2553-v1.9.3   4c51bdb781e2   7 weeks ago     85.7MB
goharbor/nginx-photon                v1.9.3                          c6934119da35   7 weeks ago     44MB
goharbor/harbor-log                  v1.9.3                          00a3acdb5d11   7 weeks ago     82.3MB
goharbor/harbor-jobservice           v1.9.3                          a3288107fff4   7 weeks ago     141MB
goharbor/harbor-core                 v1.9.3                          9d394b9f6b49   7 weeks ago     155MB
goharbor/harbor-portal               v1.9.3                          6f5b0504c96b   7 weeks ago     51.4MB
goharbor/harbor-db                   v1.9.3                          6004d1d5f272   7 weeks ago     148MB
goharbor/prepare                     v1.9.3                          272365739d13   7 weeks ago     149MB
centos                               7                               5e35e350aded   7 weeks ago     203MB
registry                             2                               f32a97de94e1   10 months ago   25.8MB
hyper/docker-registry-web            latest                          0db5683824d8   3 years ago     599MB
3.7 Basic management
[root@docker-server3 harbor]# docker tag goharbor/harbor-log:v1.9.3 darren.yutian.com/library/harbor-log:v1.9.3
[root@docker-server3 harbor]# docker image ls
darren.yutian.com/library/harbor-log v1.9.3 00a3acdb5d11 7 weeks ago 82.3MB
[root@docker-server3 harbor]# vi /etc/docker/daemon.json
{
  "log-driver": "journald",
  "bip": "192.168.0.1/24",
  "insecure-registries": ["http://192.168.132.133:5000", "https://darren.yutian.com"]
}
[root@docker-server3 harbor]# vi /etc/hosts
192.168.132.133 darren.yutian.com
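Every machine that accesses or pushes to the registry needs the steps above: modify the Docker configuration and the hosts file
Push the image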
[root@docker-server3 harbor]# docker push darren.yutian.com/library/harbor-log:v1.9.3
The push refers to repository [darren.yutian.com/library/harbor-log]
2e2e439cb618: Preparing
f14e11ea2c25: Preparing
c684117da188: Preparing
a94dcd551900: Preparing
12a81f321c68: Preparing
fa60bb5fba7f: Waiting
4bb3c8da2619: Waiting
47a4bb1cfbc7: Waiting
denied: requested access to the resource is denied
The push is denied: pulling is allowed, but pushing requires logging in
Log in to Harbor
[root@docker-server3 harbor]# docker login https://darren.yutian.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Push again; this time it succeeds
[root@docker-server3 harbor]# docker push darren.yutian.com/library/harbor-log:v1.9.3
The push refers to repository [darren.yutian.com/library/harbor-log]
2e2e439cb618: Pushed
f14e11ea2c25: Pushed
c684117da188: Pushed
a94dcd551900: Pushed
12a81f321c68: Pushed
fa60bb5fba7f: Pushed
4bb3c8da2619: Pushed
47a4bb1cfbc7: Pushed
v1.9.3: digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07 size: 1984
Check the web UI
Pull the image
[root@docker-server2 ~]# docker pull darren.yutian.com/library/harbor-log:v1.9.3
v1.9.3: Pulling from library/harbor-log
b950b5dd94ab: Pull complete
1fefec4d6309: Pull complete
fbbcfef46e70: Pull complete
459a9232cb22: Pull complete
a5ae36915def: Pull complete
46f9c2f74703: Pull complete
9deb3de04c54: Pull complete
909a05fc4700: Pull complete
Digest: sha256:274cabd3949066b316a1cc0d73b561a82a5e404812dbd40f8843f35b1b07fd07
Status: Downloaded newer image for darren.yutian.com/library/harbor-log:v1.9.3
darren.yutian.com/library/harbor-log:v1.9.3
No login is needed to pull this image, because the library project is public
Create a new private repository
New project
Project name: choose your own
Storage count: -1 means unlimited
Storage capacity: -1 means unlimited
Click OK
Upload an image
[root@docker-server3 ~]# docker image ls
goharbor/harbor-core v1.9.3 9d394b9f6b49 7 weeks ago 155MB
[root@docker-server3 ~]# docker tag goharbor/harbor-core:v1.9.3 darren.yutian.com/docker/harbor-core:v1.9.3
[root@docker-server3 ~]# docker image ls
goharbor/harbor-core                   v1.9.3   9d394b9f6b49   7 weeks ago   155MB
darren.yutian.com/docker/harbor-core   v1.9.3   9d394b9f6b49   7 weeks ago   155MB
Once logged in, there is a hidden file
[root@docker-server3 ~]# ll ~/.docker/config.json
-rw------- 1 root root 155 Jan 3 04:32 /root/.docker/config.json
[root@docker-server3 ~]# cat ~/.docker/config.json
{
	"auths": {
		"darren.yutian.com": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.5 (linux)"
	}
}
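An added example (not from the original post) that audits the two client-side files shown in section 3.7: it reports registries listed under insecure-registries, credentials recoverable from the base64 auth field of config.json, use of the harbor_admin_password value from harbor.yml, and logins sent to a registry whose TLS is not verified. The file contents are constructed copies of the ones on this page; the `Finding` type and the function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed copies of /etc/docker/daemon.json and ~/.docker/config.json from this page.
const daemonJSON = `{"log-driver":"journald","bip":"192.168.0.1/24",
  "insecure-registries":["http://192.168.132.133:5000","https://darren.yutian.com"]}`
const configJSON = `{"auths":{"darren.yutian.com":{"auth":"YWRtaW46SGFyYm9yMTIzNDU="}}}`

// defaultAdminPassword is the harbor_admin_password value shown in harbor.yml above.
const defaultAdminPassword = "Harbor12345"

// Finding is one audit result (hypothetical type for this example).
type Finding struct{ Kind, Registry, Detail string }

// host strips the scheme and trailing slash so both files can be compared by registry host.
func host(s string) string {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "https://"), "http://")
	return strings.TrimSuffix(s, "/")
}

// Audit cross-checks the daemon and client configuration and returns sorted findings.
func Audit(daemon, config string) ([]Finding, error) {
	var d struct {
		Insecure []string `json:"insecure-registries"`
	}
	var c struct {
		Auths map[string]struct {
			Auth string `json:"auth"`
		} `json:"auths"`
	}
	if err := json.Unmarshal([]byte(daemon), &d); err != nil {
		return nil, fmt.Errorf("daemon.json: %w", err)
	}
	if err := json.Unmarshal([]byte(config), &c); err != nil {
		return nil, fmt.Errorf("config.json: %w", err)
	}
	insecure := map[string]bool{}
	var out []Finding
	for _, r := range d.Insecure {
		insecure[host(r)] = true
		out = append(out, Finding{"insecure-registry", host(r), "TLS is unused or unverified"})
	}
	for reg, a := range c.Auths {
		raw, err := base64.StdEncoding.DecodeString(a.Auth)
		up := strings.SplitN(string(raw), ":", 2)
		if err != nil || len(up) != 2 {
			continue // no inline secret, e.g. when a credential helper stores it
		}
		h := host(reg)
		out = append(out, Finding{"stored-credential", h, "user " + up[0] + ": base64 is not encryption"})
		if up[1] == defaultAdminPassword {
			out = append(out, Finding{"default-password", h, "matches harbor_admin_password in harbor.yml"})
		}
		if insecure[h] {
			out = append(out, Finding{"credential-exposure", h, "login goes to an unverified endpoint"})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Registry < out[j].Registry
	})
	return out, nil
}

func main() {
	findings, err := Audit(daemonJSON, configJSON)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %-22s %s\n", f.Kind, f.Registry, f.Detail)
	}
}
```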
[root@docker-server3 ~]# docker push darren.yutian.com/docker/harbor-core:v1.9.3
The push refers to repository [darren.yutian.com/docker/harbor-core]
376871497fae: Pushed
5fb810768754: Pushed
3c10f4815fc0: Pushed
17c27eb4f7f8: Pushed
b2329d5f99cf: Pushed
47a4bb1cfbc7: Mounted from library/harbor-log
v1.9.3: digest: sha256:bc491975633fb845e593f4d0637cdaff9620b51a1a2a7924c6780275005cda88 size: 1580
Then pull it from another machine
[root@docker-server1 ~]# docker pull darren.yutian.com/docker/harbor-core:v1.9.3
Error response from daemon: pull access denied for darren.yutian.com/docker/harbor-core, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
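Now, for an image in this private repository, only a logged-in user has permission to pull it
Blogger's statement: the content of this article mainly comes from teacher Yan Wei of Yutian Education, and I verified it through my own experiments. Readers who want to repost it should contact Yutian Education (http://www.yutianedu.com/) for official consent, or obtain consent from teacher Yan (https://www.cnblogs.com/breezey/) himself. Thank you!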