Pushing a local image to the official Docker registry
Docker registry: https://hub.docker.com/
# Log in
docker login   # with no server argument this logs in to Docker Hub (docker.io)
cat ~/.docker/config.json
docker images
docker tag <image-id> docker.io/taowenwu/centos-nginx
docker push docker.io/taowenwu/centos-nginx
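Docker: installing distributed Harbor (HTTPS)
Installation reference: https://blog.51cto.com/u_14814545/5052617
Harbor is an enterprise-grade registry server for storing and distributing Docker images, open-sourced by VMware.
As an enterprise-grade private registry server, Harbor supports replicating image resources across multiple registry nodes.
Official site: https://vmware.github.io/harbor/cn/
Official GitHub: https://github.com/vmware/harbor
# Features:
1. Role-based access control: users and Docker image repositories are organised through "projects", and a user can hold different permissions on multiple image repositories within the same namespace (project)
2. Image replication: images can be replicated (synchronised) between multiple registry instances
3. Graphical user interface
4. AD/LDAP: Harbor can integrate with an existing enterprise AD/LDAP for authentication and authorisation management
5. Audit management: every operation on the image repositories can be recorded and traced
6. Internationalisation
7. RESTful API: gives administrators more control over Harbor and makes integration with other management software easier. Simple to deploy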
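Single-node Docker registry
The Docker registry is one of Docker's core components and is responsible for storing and distributing image content;
the docker pull and push commands both interact directly with the registry.
Docker 1.6 began supporting registry 2.0.
Docker 1.8 was released, and Docker Hub officially enabled registry version 2.1.
Docker 1.5 and earlier versions cannot read 2.0 images.
Registry versions after 2.4 support a recycle-bin mechanism, meaning images can be deleted.
Building a local private registry from the official registry image
Starting the container directly
#1. Pull the image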
docker pull registry:2
#2. Start the container
docker run -d -p 5000:5000 --restart=always --name registry1 \
-v /usr/local/registry:/var/lib/registry registry:2
#3. Test uploading
root@ubuntu:/docker# docker push 192.168.47.105:5000/hello-world
-----------------------------------------------------------------------------
Using default tag: latest
The push refers to repository [192.168.47.105:5000/hello-world]
e07ee1baac5f: Pushed
latest: digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4 size: 525
root@ubuntu:/docker# ll /usr/local/registry/docker/registry/v2/repositories/
total 12
drwxr-xr-x 3 root root 4096 Jan 26 16:42 ./
drwxr-xr-x 4 root root 4096 Jan 26 16:42 ../
drwxr-xr-x 5 root root 4096 Jan 26 16:42 hello-world/
root@ubuntu:~# docker exec -it 7deea1692bb4 sh
/ # ls /var/lib/registry/docker/registry/v2/
blobs/ repositories/
/ # ls /var/lib/registry/docker/registry/v2/repositories/
hello-world
#4. Test downloading
root@ubuntu:~# docker pull 192.168.47.105:5000/hello-world
Using default tag: latest
latest: Pulling from hello-world
2db29710123e: Pull complete
Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
Status: Downloaded newer image for 192.168.47.105:5000/hello-world:latest
192.168.47.105:5000/hello-world:latest
#5. Test downloading from another machine
vim /lib/systemd/system/docker.service
---------------------------------------------
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.47.105:5000
---------------------------------------------
root@ubuntu:~# docker pull 192.168.47.105:5000/hello-world
Using default tag: latest
latest: Pulling from hello-world
2db29710123e: Pull complete
Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
Status: Downloaded newer image for 192.168.47.105:5000/hello-world:latest
192.168.47.105:5000/hello-world:latest
Configuring a username and password
Reference: https://blog.csdn.net/weixin_46380571/article/details/108771308
#1. Create the login user and password
mkdir /docker/auth -p
cd /docker
docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin password > auth/htpasswd # Note: newer image versions have a problem here and produce Problem 1 below
Problem 1:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "htpasswd": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
-----------------------
#2. Start the Docker registry
docker run -d -p 5000:5000 --restart=always --name registry1 \
-v /docker/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2.6.2
#3. Test logging in
root@ubuntu:/docker# docker login 192.168.47.105:5000
Username: testuser
Password:
Error response from daemon: Get "https://192.168.47.105:5000/v2/": http: server gave HTTP response to HTTPS client
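This happens because, since version 1.3.X, Docker has used HTTPS by default when talking to a registry, whereas a private registry set up this way serves plain HTTP by default, so the error above appears when interacting with it. Marking the registry as insecure, as below, lets the daemon talk to it over plain HTTP, so the htpasswd credentials and the image data travel unencrypted.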
vim /lib/systemd/system/docker.service
---------------------------------------------
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.47.105:5000
---------------------------------------------
or
vim /etc/docker/daemon.json
{ "insecure-registries":["192.168.47.105:5000"] }
root@ubuntu:/docker# systemctl daemon-reload && systemctl restart docker
Login succeeded
root@ubuntu:/docker# docker login 192.168.47.105:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#4. Test uploading and downloading
#4.1 Test uploading
docker tag hello-world 192.168.47.105:5000/hello-world
docker push 192.168.47.105:5000/hello-world
#4.2 Download from another machine
vim /lib/systemd/system/docker.service
---------------------------------------------
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.47.105:5000
---------------------------------------------
docker login 192.168.47.105:5000
docker pull 192.168.47.105:5000/hello-world
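
The htpasswd file created in step 1 holds every credential the registry accepts, so it is worth checking how its passwords are hashed: `htpasswd -B` writes bcrypt with cost 5 unless `-C` is given, and registry:2 accepts only bcrypt entries. The following audit is an added example, not part of the original notes; `MIN_COST` and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a registry htpasswd file for weak password hashing.
MIN_COST=${MIN_COST:-10}   # assumed policy threshold, not a value from the page

# Prints "<user> <verdict>" per entry; exit status 1 if any entry fails.
audit_htpasswd() {         # $1 = path to the htpasswd file
  awk -F: -v min="$MIN_COST" '
    NF < 2 { next }                              # skip blank or malformed lines
    {
      user = $1; hash = $2
      if (hash ~ /^\$2[aby]\$[0-9][0-9]\$/) {    # bcrypt: $2y$<cost>$<salt+hash>
        cost = substr(hash, 5, 2) + 0
        if (cost < min) { print user, "WEAK bcrypt cost=" cost; bad = 1 }
        else            { print user, "ok bcrypt cost=" cost }
      } else {                                   # registry:2 ignores these
        print user, "UNSUPPORTED non-bcrypt hash"; bad = 1
      }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample (hash bodies are filler, not real hashes).
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ci:$2y$12$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
old:$apr1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD
EOF
audit_htpasswd "$sample" || echo "htpasswd audit failed"
```

Run it against /docker/auth/htpasswd (or /opt/docker/auth/htpasswd); a non-zero exit status means at least one entry should be regenerated.
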
Configuring a username, password and certificate
Reference: https://blog.csdn.net/weixin_46380571/article/details/108771308
vim /etc/hosts
----------------------------------
192.168.47.105 myrepo.com
----------------------------------
#1. Configure the certificate
mkdir -p /opt/docker/certs
cd /opt/docker/certs
root@ubuntu:/opt/docker/certs# openssl req -newkey rsa:4096 -nodes -sha256 -keyout myrepo.key -x509 -days 365 -out myrepo.crt
Generating a 4096 bit RSA private key
...............................................................................................................................++++
..............................................................................++++
writing new private key to 'myrepo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:myrepo.com
Email Address []:
root@ubuntu:/opt/docker/certs# ls
myrepo.crt myrepo.key
#2. Generate the authentication password file
root@ubuntu:/opt/docker# mkdir auth
root@ubuntu:/opt/docker# ls
auth certs
root@ubuntu:/opt/docker# docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin password > auth/htpasswd
root@ubuntu:/opt/docker# cat auth/htpasswd
admin:$2y$05$urC8/bpsTEGrbPlR.YxIdup2zacgCvbJCGpS58Y276PqHq8DvGjjm
#3. Start the container
docker run -d \
--restart=always \
--name registry \
-v /opt/docker/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/myrepo.key \
-v /opt/data/registry:/var/lib/registry \
-v /opt/docker/auth:/auth -e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-p 5000:5000 \
registry:2.6.2
root@ubuntu:/opt# tree /opt/docker/
/opt/docker/
├── auth
│   └── htpasswd
└── certs
    ├── myrepo.crt
    └── myrepo.key
mkdir -p /opt/data/registry
#4. Copy the certificate
root@ubuntu:/opt# mkdir -p /etc/docker/certs.d/myrepo.com:5000
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# cp /opt/docker/certs/myrepo.crt .
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# mv myrepo.crt ca.crt
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# ls
ca.crt
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# systemctl restart docker
#5. Modify the configuration
vim /lib/systemd/system/docker.service
---------------------------------------------
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry myrepo.com:5000
---------------------------------------------
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# systemctl daemon-reload && systemctl restart docker
#6. Test
root@ubuntu:/opt# docker pull busybox
root@ubuntu:/opt# docker tag busybox:latest myrepo.com:5000/busybox
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker login myrepo.com:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker push myrepo.com:5000/busybox
Using default tag: latest
The push refers to repository [myrepo.com:5000/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# tree /opt/data/registry
/opt/data/registry
└── docker
    └── registry
        └── v2
            ├── blobs
            │   └── sha256
            │       ├── 5c
            │       │   └── 5cc84ad355aaa64f46ea9c7bbcc319a9d808ab15088a27209c9e70ef86e5a2aa
            │       │       └── data
            │       ├── 62
            │       │   └── 62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
            │       │       └── data
            │       └── be
            │           └── beae173ccac6ad749f76713cf4440fe3d21d1043fe616dfbe30775815d1d0f6a
            │               └── data
            └── repositories
                └── busybox
                    ├── _layers
                    │   └── sha256
                    │       ├── 5cc84ad355aaa64f46ea9c7bbcc319a9d808ab15088a27209c9e70ef86e5a2aa
                    │       │   └── link
                    │       └── beae173ccac6ad749f76713cf4440fe3d21d1043fe616dfbe30775815d1d0f6a
                    │           └── link
                    ├── _manifests
                    │   ├── revisions
                    │   │   └── sha256
                    │   │       └── 62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
                    │   │           └── link
                    │   └── tags
                    │       └── latest
                    │           ├── current
                    │           │   └── link
                    │           └── index
                    │               └── sha256
                    │                   └── 62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
                    │                       └── link
                    └── _uploads
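
The tree shows that the registry stores content by address: each blob lives at blobs/sha256/<first two hex digits>/<digest>/data, and each `link` file holds a `sha256:<digest>` reference. The following script is an added example (not from the original notes) that re-hashes every blob and checks that every link resolves; it assumes GNU `sha256sum`, and the sample store it builds is constructed.

```shell
#!/bin/sh
# Added example: integrity check for a registry:2 filesystem store.
V2=docker/registry/v2            # layout shown in the tree above

# Re-hash every blob; the directory name is the expected sha256 digest.
verify_registry_blobs() {        # $1 = storage root, e.g. /opt/data/registry
  rc=0
  for f in "$1/$V2"/blobs/sha256/*/*/data; do
    [ -f "$f" ] || continue      # glob matched nothing
    want=$(basename "$(dirname "$f")")
    got=$(sha256sum "$f" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then echo "OK $want"
    else echo "MISMATCH $want (got $got)"; rc=1
    fi
  done
  return $rc
}

# Every repositories/**/link file must point at a blob that exists.
check_repo_links() {             # $1 = storage root
  dangling=$(find "$1/$V2/repositories" -type f -name link | while read -r l; do
    d=$(sed 's/^sha256://' "$l")
    [ -f "$1/$V2/blobs/sha256/$(printf %.2s "$d")/$d/data" ] ||
      echo "DANGLING $l -> $d"
  done)
  [ -z "$dangling" ] || { echo "$dangling"; return 1; }
}

# Constructed sample store: two layers, the second modified after upload.
store=$(mktemp -d)
put_blob() {                     # $1 = content; prints the blob's digest
  d=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
  b="$store/$V2/blobs/sha256/$(printf %.2s "$d")/$d"
  r="$store/$V2/repositories/busybox/_layers/sha256/$d"
  mkdir -p "$b" "$r"
  printf '%s' "$1" > "$b/data"
  printf 'sha256:%s' "$d" > "$r/link"
  echo "$d"
}
good=$(put_blob "layer-one")
bad=$(put_blob "layer-two")
echo "tampered" >> "$store/$V2/blobs/sha256/$(printf %.2s "$bad")/$bad/data"

verify_registry_blobs "$store" || echo "blob verification failed"
check_repo_links "$store" && echo "all links resolve"
```

On the host from these notes the storage root is /opt/data/registry; a MISMATCH line means the file on disk no longer matches the digest clients will request.
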
#7. Test downloading from another machine
root@ubuntu:~# vim /etc/hosts
--------------------------------
192.168.47.105 myrepo.com
--------------------------------
# Copy the certificate
mkdir -p /etc/docker/certs.d/myrepo.com:5000
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# cd /etc/docker/certs.d/myrepo.com:5000
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# scp ca.crt 192.168.47.112:/etc/docker/certs.d/myrepo.com:5000
# Modify the configuration
vim /lib/systemd/system/docker.service
---------------------------------------------
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry myrepo.com:5000
---------------------------------------------
root@ubuntu:/etc/docker/certs.d/myrepo.com:5000# systemctl daemon-reload && systemctl restart docker
# Pull the image
root@ubuntu:~# docker login myrepo.com:5000
root@ubuntu:~# docker pull myrepo.com:5000/busybox
Using default tag: latest
latest: Pulling from busybox
5cc84ad355aa: Pull complete
Digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Status: Downloaded newer image for myrepo.com:5000/busybox:latest
myrepo.com:5000/busybox:latest
root@ubuntu:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
myrepo.com:5000/busybox latest beae173ccac6 3 weeks ago 1.24MB
192.168.47.105:5000/hello-world latest feb5d9fea6a5 4 months ago 13.3kB
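
Both the password-only setup and the TLS setup above end by marking the registry as insecure (`--insecure-registry` or `insecure-registries`), which makes the daemon ignore certificate errors and fall back to HTTP even where `ca.crt` has been copied into certs.d. The following audit is an added example, not part of the original notes; the function names and sample files are assumptions constructed from the settings shown on this page.

```shell
#!/bin/sh
# Added example: find registries the Docker daemon is told not to verify.

# Collect registries from dockerd's --insecure-registry flag (both
# "--insecure-registry host" and "--insecure-registry=host") and from the
# "insecure-registries" array in daemon.json (simple single-array JSON assumed).
list_insecure_registries() {     # $1 = docker.service  $2 = daemon.json
  {
    [ -f "$1" ] && grep '^ExecStart=' "$1" | tr ' ' '\n' |
      sed -n -e '/^--insecure-registry=/s/^[^=]*=//p' \
             -e '/^--insecure-registry$/{n;p;}'
    [ -f "$2" ] && tr -d ' \t\n' < "$2" |
      sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
      tr ',' '\n' | tr -d '"'
  } | sed '/^$/d' | sort -u
}

# For an insecure registry the daemon ignores certificate errors and may fall
# back to plain HTTP, even when a CA for it is installed under certs.d.
audit_insecure_registries() {    # $3 = certs.d directory
  list_insecure_registries "$1" "$2" | while read -r reg; do
    if [ -f "$3/$reg/ca.crt" ]; then
      echo "INSECURE $reg ca.crt=present"   # CA installed, but the flag bypasses it
    else
      echo "INSECURE $reg ca.crt=missing"   # nothing to verify against
    fi
  done
}

# Constructed sample files mirroring the settings used in these notes.
work=$(mktemp -d)
mkdir -p "$work/certs.d/myrepo.com:5000"
: > "$work/certs.d/myrepo.com:5000/ca.crt"   # empty stand-in for the CA file
cat > "$work/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry myrepo.com:5000
EOF
echo '{ "insecure-registries":["192.168.47.105:5000"] }' > "$work/daemon.json"
audit_insecure_registries "$work/docker.service" "$work/daemon.json" "$work/certs.d"
```

On a host, call it with /lib/systemd/system/docker.service, /etc/docker/daemon.json and /etc/docker/certs.d.
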