【Docker】4. Setting up a private Docker Registry and Harbor
1. Get the Registry image
$ sudo docker pull registry
2. Start the Registry
$ sudo docker run -d -p 8100:5000 -v /opt/registry:/var/lib/registry --restart=always --name registry registry:latest
[wxt@localhost ~]$ sudo docker run -d -p 8100:8100 -v /opt/registry:/var/lib/registry --restart=always --name registry registry:latest
/usr/bin/docker-current: Error response from daemon: Conflict. The container name “/registry” is already in use by container 7d56c5eae33db32c1236c15c34160d404123e07154fea02881cd592a17b37a51. You have to remove (or rename) that container to be able to reuse that name…
See ‘/usr/bin/docker-current run --help’.
This fails and the container cannot start. List the stopped containers and remove the stopped one.
[wxt@localhost ~]$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7d56c5eae33d registry:latest “/entrypoint.sh /e…” About an hour ago Exited (2) 2 minutes ago registry
d605c070f7aa jdk-8u201:1.0 “/bin/bash” 19 hours ago Exited (137) 17 minutes ago fervent_kilby
Check whether it started successfully
[wxt@localhost ~]$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7d56c5eae33d registry:latest "/entrypoint.sh /e..." 15 seconds ago Up 14 seconds 0.0.0.0:8100->5000/tcp registry
The following command shows that the private Registry currently holds no images
[wxt@localhost ~]$ curl http://10.168.xx.xx:8100/v2/_catalog
{"repositories":[]}
Next, we upload an image to our private registry.
# On the local host, add a new tag to jdk-8u201
[wxt@localhost ~]$ sudo docker tag f1ee62462c0d 10.168.14.40:8100/jdk_8u201
[wxt@localhost ~]$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.168.xx.xx:8100/jdk_8u201 latest f1ee62462c0d 23 hours ago 598 MB
jdk-8u201 1.0 f1ee62462c0d 23 hours ago 598 MB
docker.io/registry latest d0eed8dad114 3 weeks ago 25.8 MB
docker.io/centos 7 1e1148e4cc2c 2 months ago 202 MB
3. Push the image to the private registry
#docker push <registry_ip>:<registry_port>/<image_name>:<image_tag>
sudo docker push 10.168.xx.xx:8100/jdk_8u201
If the following error appears:
[wxt@localhost ~]$ sudo docker push 10.168.xx.xx:8100/jdk_8u201
The push refers to a repository [10.168.xx.xx:8100/jdk_8u201]
Get https://10.168.xx.xx:8100/v1/_ping: http: server gave HTTP response to HTTPS client
Edit /usr/lib/systemd/system/docker.service and append --insecure-registry 10.168.xx.xx:8100 after ExecStart=/usr/bin/dockerd, then restart the docker service.
Querying the private Registry again now shows the image we uploaded.
[wxt@localhost ~]$ curl http://10.168.xx.xx:8100/v2/_catalog
{"repositories":["jdk_8u201"]}
4. Pull the image from the private registry
# docker pull <registry_ip>:<registry_port>/<image_name>:<image_tag>
sudo docker pull 10.168.xx.xx:8100/jdk_8u201
5. Stop and remove the Registry container
$ sudo docker container stop registry && sudo docker container rm -v registry
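Setting up a Harbor private registry
Harbor and Registry are both Docker image registries, but more enterprises choose Harbor because it has many advantages over Registry.
For a variety of reasons, many enterprises build their own private registry to manage Docker images. Among the options for building a private registry for an enterprise, commercial or open source, Harbor is not the first. Docker's V2 registry can also provide similar functionality conveniently, but the stock V2 feels closer to a raw state; of course, it is only a tool for steering users toward the paid Docker Hub, so that is understandable. The open-source, enterprise-grade Registry solution from VMware feels more convenient to use. It also appears to come from VMware's China team, which makes it feel all the more familiar; seeing more and more Chinese teams at the forefront of open source is a real pleasure.
In real production operations, images often have to be distributed to dozens or hundreds of cluster nodes. At that point a single Registry can no longer meet the download demand of that many nodes, so multiple Registry instances have to be configured for load balancing. Maintaining the images on multiple Registry instances by hand is very tedious. Harbor supports a one-primary, multiple-replica image distribution model, which solves the problem of large-scale image distribution.
Advantage | Details |
---|---|
Layered transfer mechanism that optimizes network transfer | Docker images are layered, and transferring the full file every time (which is why FTP is not suitable) is clearly uneconomical. A mechanism that recognizes layers is required, using the layer's UUID as the identifier to determine what to transfer |
Web interface that improves the user experience | Uploading and downloading by image name alone is clearly inconvenient; a user interface is needed that supports login and search, including distinguishing public and private images |
Image replication | Replicate images between instances |
Auditing | All operations that access the Registry service are logged for later auditing. |
Security | Different permissions are assigned to people in different roles, which gives better security |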
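1. Download the Harbor installer
The latest Harbor release, 1.7.1, cannot log in to the Harbor UI after installation; with 1.6.0, re-uploading an image after deleting it reports that it already exists, and the Harbor UI shows the image size as 0. After verification, Harbor 1.5.0 is the more stable version.
There are two ways to install: offline and online.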
$ tar -zxvf harbor-online-installer-v1.5.0.tgz
$ cd harbor
$ vi harbor.cfg
Set hostname to the server's IP
hostname = 10.168.xx.xx
$ sudo ./prepare
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
Run the installer
[wxt@localhost harbor]$ sudo ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 1.13.1
✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.
We need to switch to another installation method: docker-compose up -d
This message means we need to install docker-compose
$ sudo curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
$ docker-compose --version
docker-compose version 1.23.2, build 1110ad01
After installing docker-compose, we run docker-compose up -d
This prints:
ERROR: Couldn't connect to Docker daemon at http+docker://localhost - is it running?
If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.
The cause is that the current user has no permission to use docker and would need sudo; we change docker's permissions.
$ sudo chmod 666 /var/run/docker.sock
Docker can now be run as a non-root user, and we can see the Harbor files being downloaded
[wxt@localhost harbor]$ docker-compose up -d
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v1.5.0)...
Trying to pull repository docker.io/goharbor/harbor-log ...
sha256:27f9e24f28393a6052b71c93b1571f2269e1d3c489f4081996a099ac88ff56ff: Pulling from docker.io/goharbor/harbor-log
51be32cd3c9d: Downloading [==================================> ] 34.06 MB/49.28 MB
fd9cdcfcef45: Download complete
4167b797c339: Download complete
b22d11b0e478: Download complete
d5aad3df7cee: Download complete
bd43de1bbd44: Download complete
7494eff3da48: Download complete
Change Harbor's default port from 80 to 8101
$ vi docker-compose.yml
proxy:
  image: goharbor/nginx-photon:v1.5.0
  container_name: nginx
  restart: always
  volumes:
    - ./common/config/nginx:/etc/nginx:z
  networks:
    - harbor
  ports:
    - 8101:80
    - 443:443
    - 4443:4443
  depends_on:
    - postgresql
    - registry
    - ui
    - log
$ vi common/templates/registry/config.yml
auth:
  token:
    issuer: harbor-token-issuer
    realm: $public_url:8101/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
Start Harbor
$ docker-compose start
$ docker-compose stop
or
$ docker-compose up -d
$ docker-compose down -v
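Open it in a browser to reach our Harbor page
>The default username is admin and the password is Harbor12345
3. Push an image to Harbor
Tag the image for the project:
# docker tag SOURCE_IMAGE[:TAG] 10.168.xx.xx:8101/yrz/IMAGE[:TAG]
$ sudo docker tag jdk-8u201:1.0 10.168.xx.xx:8101/yrz/jdk-8u201:1.0
Push the image to the current project:
# docker push 10.168.xx.xx:8101/yrz/IMAGE[:TAG]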
$ sudo docker push 10.168.xx.xx:8101/yrz/jdk-8u201:1.0
The following error then appears:
The push refers to a repository [10.168.xx.xx:8101/yrz/jdk-8u201]
35b842b71126: Preparing
071d8bd76517: Preparing
denied: requested access to the resource is denied
Solution:
Log in to Harbor
$ docker login 10.168.xx.xx:8101
Username: admin
Password:
Login Succeeded
If the following error appears:
Get https://10.168.xx.xx:8101/v1/_ping: http: server gave HTTP response to HTTPS client
Solution:
1. In the "/etc/docker/" directory, create the file "daemon.json" and write into it:
{ "insecure-registries":["10.168.xx.xx:8101"] }
2. Edit /usr/lib/systemd/system/docker.service and append --insecure-registry 10.168.xx.xx:8100 after ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/dockerd-current \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
--init-path=/usr/libexec/docker/docker-init-current \
--seccomp-profile=/etc/docker/seccomp.json \
--insecure-registry 10.168.xx.xx:8101
Restart docker and the problem is resolved.
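As an added example (not part of the original post), the script below audits a host for the three daemon-side settings this walkthrough changes: `insecure-registries` in daemon.json, `--insecure-registry` in docker.service, and the `chmod 666` on /var/run/docker.sock. The function names and the `--host` switch are assumptions of this example; the default paths are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original post): audit a Docker host for the
# settings this walkthrough changes. Default paths are the ones the post edits.

# Print every registry listed under "insecure-registries" in a daemon.json.
insecure_from_daemon_json() {
    [ -f "$1" ] || return 0
    tr -d '\n' < "$1" |
        sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' |
        sed -e 's/[[:space:]"]//g' -e '/^$/d'
}

# Print every registry passed as --insecure-registry in a systemd unit file.
insecure_from_unit() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" |
        tr -s ' \t=' '\n\n\n' |
        awk 'prev == "--insecure-registry" { print } { prev = $0 }'
}

# Succeed when "other" has write permission on the socket (as after chmod 666).
sock_world_writable() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c9)
    [ "$perm" = "w" ]
}

# Report findings; return 0 only when there are none.
audit_docker_host() {
    json=${1:-/etc/docker/daemon.json}
    unit=${2:-/usr/lib/systemd/system/docker.service}
    sock=${3:-/var/run/docker.sock}
    findings=0
    for r in $(insecure_from_daemon_json "$json") $(insecure_from_unit "$unit"); do
        echo "FINDING: $r is trusted without verified TLS (insecure registry)"
        findings=$((findings + 1))
    done
    if sock_world_writable "$sock"; then
        echo "FINDING: $sock is world-writable; any local account can drive the daemon"
        findings=$((findings + 1))
    fi
    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Audit the real host only when asked to: sh audit.sh --host
if [ "${1:-}" = "--host" ]; then audit_docker_host; fi
```

A clean result requires serving the registry over TLS with a certificate the daemon trusts and restoring the socket to its default mode instead of 666.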
Push the image again
$ sudo docker push 10.168.xx.xx:8101/yrz/jdk-8u201:1.0
Log in to Harbor to see the image we uploaded
Pull an image from Harbor
$ sudo docker login 10.168.14.40:8101
$ sudo docker pull 10.168.14.40:8101/yrz/jdk-8u201:1.0
Delete Harbor images
1. To delete a Harbor image, first delete the unwanted image in the Harbor UI.
2. Stop the Harbor service and run the garbage-collection command
$ sudo docker-compose stop
# With the --dry-run option, you can see which image files would be deleted
$ docker run -it --name gc --rm --volumes-from registry docker.io/vmware/registry-photon:v2.6.2-v1.5.0 garbage-collect --dry-run /etc/registry/config.yml
# Without the --dry-run option, the deletion is performed directly
$ docker run -it --name gc --rm --volumes-from registry docker.io/vmware/registry-photon:v2.6.2-v1.5.0 garbage-collect /etc/registry/config.yml
$ sudo docker-compose start
docker.io/vmware/registry-photon:v2.6.2-v1.5.0 is the image for the current Harbor version.
Run sudo docker images to list the current images
[wxt@localhost ~]$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.168.xx.xx:8101/yrz/centos 7 1e1148e4cc2c 2 months ago 202 MB
docker.io/centos 7 1e1148e4cc2c 2 months ago 202 MB
docker.io/goharbor/registry-photon v2.6.2-v1.6.0 1ec7d8d4f0fd 5 months ago 201 MB
docker.io/vmware/redis-photon v1.5.0 7c03076402d9 9 months ago 207 MB
docker.io/vmware/registry-photon v2.6.2-v1.5.0 3059f44f4b9a 9 months ago 198 MB
docker.io/vmware/nginx-photon v1.5.0 e100456182fc 9 months ago 135 MB
docker.io/vmware/harbor-log v1.5.0 62bb6b8350d9 9 months ago 200 MB
docker.io/vmware/harbor-jobservice v1.5.0 aca9fd2e867f 9 months ago 194 MB
docker.io/vmware/harbor-ui v1.5.0 1055166068d0 9 months ago 212 MB
docker.io/vmware/harbor-adminserver v1.5.0 019bc4544829 9 months ago 183 MB
docker.io/vmware/harbor-db v1.5.0 82354dcf564f 9 months ago 526 MB