Docker Private Registry

A registry stores Docker images, including their layer structure and metadata. You can run your own registry or use the official Docker Hub.

Docker registry categories:

  • Sponsor Registry: a third-party registry made available to customers and the Docker community
  • Mirror Registry: a third-party registry available only to its own customers
  • Vendor Registry: a registry run by the vendor that publishes the Docker images
  • Private Registry: a registry run by a private organization, behind a firewall and additional security layers

Private registry

The service has to be deployed on a server before it can be used.

YUM install

It can be installed with yum:

yum install docker-registry
yum install docker-distribution

Both commands install docker-distribution, so running one of them is enough.

Package information:

[root@Docker ~]# yum info docker-distribution
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Available Packages
Name        : docker-distribution
Arch        : x86_64
Version     : 2.6.2
Release     : 2.git48294d9.el7
Size        : 3.5 M
Repo        : extras/7/x86_64
Summary     : Docker toolset to pack, ship, store, and deliver content
URL         : https://github.com/docker/distribution
License     : ASL 2.0
Description : Docker toolset to pack, ship, store, and deliver content

[root@Docker ~]# 

We will not install this package here, because the service can also run as a container.

Container install

Docker also ships an official image that provides the registry service from a container.

Pull the image:

[root@Docker ~]# docker image pull registry
Using default tag: latest
latest: Pulling from library/registry
c87736221ed0: Pull complete 
1cc8e0bb44df: Pull complete 
54d33bcb37f5: Pull complete 
e8afc091c171: Pull complete 
b4541f6d3db6: Pull complete 
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:latest
[root@Docker ~]# 

Start the container:

docker run -d -p 5000:5000 --restart always --name registry registry

Started like this, the registry listens on port 5000 on every interface of the host, with neither TLS nor authentication: anyone who can reach the port can push and pull images. For a single-host lab, publish the port on the loopback address only (-p 127.0.0.1:5000:5000); for a registry that other hosts use, enable TLS and authentication in the registry's configuration.

Configuration file
Inspect the registry's configuration file:

[root@Docker ~]# docker container exec -it registry cat /etc/docker/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
[root@Docker ~]# 

This is the default configuration file. Its path is passed to the registry as the image's CMD; the CMD instruction in the default Dockerfile is:

CMD ["/etc/docker/registry/config.yml"]

Where images are stored
The image's Dockerfile contains a VOLUME instruction; this path is where the container stores the images:

VOLUME ["/var/lib/registry"]

When starting the container, pass -v to mount a host directory at this path; otherwise the data ends up in an anonymous volume that is easy to lose when the container is removed.

Push an image

Before pushing, tag the image with the registry's address:

[root@Docker ~]# docker tag busybox localhost:5000/busybox

This prepares the local busybox image to be pushed to the server localhost:5000. The repository name has no user-name (namespace) prefix; a name without a namespace is a top-level repository on that registry.

Push:

[root@Docker ~]# docker push localhost:5000/busybox
The push refers to repository [localhost:5000/busybox]
0d315111b484: Pushed 
latest: digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 size: 527
[root@Docker ~]# 

Now push to the address of the host's network interface instead of the loopback interface, i.e. use the host's IP rather than localhost or 127.0.0.1. This is exactly what another host would do when pushing to this registry, and it produces the following error:

[root@Docker ~]# docker push 192.168.24.170:5000/busybox
The push refers to repository [192.168.24.170:5000/busybox]
Get https://192.168.24.170:5000/v2/: http: server gave HTTP response to HTTPS client
[root@Docker ~]# 

The cause is that docker talks to registries over HTTPS by default, while this registry answers in plaintext HTTP. There are two ways to resolve it.
The first is to adapt the registry to docker: serve the registry over HTTPS, with a certificate the clients trust (for a private CA, copy its certificate to /etc/docker/certs.d/<host>:<port>/ca.crt on each client).
The second is to adapt docker to the registry: add the registry's address to docker's insecure-registries. This disables certificate verification for that address and allows a fallback to plaintext HTTP, so anyone on the network path can read the traffic or substitute a tampered image for any tag; acceptable in an isolated lab, not for a registry that other hosts rely on.
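For the first method, here is the default config.yml shown earlier hardened with TLS and htpasswd authentication. This is an added example, not the registry project's own file: the paths /certs/registry.crt, /certs/registry.key and /auth/htpasswd are assumptions (directories you bind-mount into the container alongside the /var/lib/registry volume), and the htpasswd file must contain bcrypt entries (htpasswd -Bbn user password). The delete.enabled line only spells out the registry's default.

```yaml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: false            # the default; leave deletion off unless a cleanup job needs it
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
  tls:                        # serve HTTPS so docker's default behaviour just works
    certificate: /certs/registry.crt   # assumed mount point
    key: /certs/registry.key           # assumed mount point
auth:
  htpasswd:                   # every push and pull now needs a login
    realm: private-registry
    path: /auth/htpasswd      # assumed mount point; bcrypt entries only
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
```

The registry image also accepts every setting as an environment variable named REGISTRY_ followed by the uppercased YAML path (for example REGISTRY_HTTP_TLS_CERTIFICATE or REGISTRY_AUTH_HTPASSWD_PATH), so the default file can stay in the image and the TLS and auth settings can be supplied on the docker run command line instead.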

Configure insecure-registries
Edit the daemon configuration file and reload the daemon (insecure-registries and registry-mirrors are among the settings dockerd re-reads on reload); the push then succeeds. Note that the first mirror in this file is configured with http://, so images pulled through it also travel in plaintext:

[root@Docker ~]# cat /etc/docker/daemon.json
{
    "registry-mirrors": ["http://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
    "insecure-registries": ["192.168.24.170:5000"]
}
[root@Docker ~]# systemctl reload docker
[root@Docker ~]# docker push 192.168.24.170:5000/busybox
The push refers to repository [192.168.24.170:5000/busybox]
0d315111b484: Layer already exists 
latest: digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 size: 527
[root@Docker ~]# 
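To see what this change trades away, here is an added example (not docker's own code and not from the original page) that audits a daemon.json for the two settings that weaken registry transport security: insecure-registries entries that cover more than the local host, and registry mirrors configured without https. SAMPLE_DAEMON_JSON is constructed to match the file above; the severity labels are this script's own.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed to match the daemon.json shown on this page (not read from disk).
SAMPLE_DAEMON_JSON = """{
    "registry-mirrors": ["http://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
    "insecure-registries": ["192.168.24.170:5000"]
}"""

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")


def covers_only_loopback(entry):
    """True when an insecure-registries entry (host[:port] or CIDR) matches
    only the local machine, which dockerd already treats as insecure.
    Hostnames other than 'localhost' and IPv6 literals are reported as
    non-loopback, the conservative answer."""
    host = entry if "/" in entry else entry.rsplit(":", 1)[0]
    if host == "localhost":
        return True
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.subnet_of(LOOPBACK_V4)


def audit_daemon_json(text):
    """Return (severity, target, message) findings for settings that weaken
    registry transport security. Parsing the whole file also catches a
    daemon.json that dockerd would refuse to load."""
    conf = json.loads(text)
    findings = []
    for entry in conf.get("insecure-registries", []):
        if covers_only_loopback(entry):
            findings.append(("info", entry,
                             "loopback registry: plaintext never leaves this host"))
        else:
            findings.append(("high", entry,
                             "certificate verification off and HTTP fallback allowed: "
                             "an on-path attacker can serve a tampered image for any tag"))
    for url in conf.get("registry-mirrors", []):
        if urlsplit(url).scheme != "https":
            findings.append(("high", url,
                             "plaintext mirror: pulls by tag through it can be "
                             "answered with attacker-chosen content"))
    return findings


if __name__ == "__main__":
    for severity, target, message in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print(f"[{severity}] {target}: {message}")
```

Run it against the real file with audit_daemon_json(open("/etc/docker/daemon.json").read()); an entry such as 127.0.0.1:5000 comes back as info because it changes nothing docker did not already allow, while the 192.168.24.170:5000 entry above is the one that turns a LAN neighbour into a potential image supplier.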

Pull an image

Pull the image uploaded earlier, naming the registry explicitly:

[root@Docker ~]# docker pull 192.168.24.170:5000/busybox
Using default tag: latest
latest: Pulling from busybox
ee153a04d683: Pull complete 
Digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649
Status: Downloaded newer image for 192.168.24.170:5000/busybox:latest
[root@Docker ~]# 
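The pull above is by tag, so the registry decides what latest means; pulling by the digest printed after the push pins the content instead, and docker verifies it even when the registry is listed as insecure. The added example below (not the docker CLI's own code) resolves references the way docker does, which also explains why busybox alone meant docker.io/library/busybox while localhost:5000/busybox and 192.168.24.170:5000/busybox went to the private registry, and verifies a pinned digest against the manifest bytes a registry returns. SAMPLE_MANIFEST is a constructed manifest, not the real busybox one, so its digest differs from the sha256 shown above.

```python
import hashlib
import hmac
import json
import re

DEFAULT_DOMAIN = "docker.io"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an image reference into (registry, repository, tag, digest).

    The first path component names a registry only if it contains '.' or ':'
    or is exactly 'localhost'. That rule is why 'busybox' resolves to
    docker.io/library/busybox while 'localhost:5000/busybox' and
    '192.168.24.170:5000/busybox' are sent to the private registry."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed digest: " + digest)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = DEFAULT_DOMAIN, ref
        if "/" not in path:
            path = "library/" + path  # official images live under docker.io/library
    tag = None if digest else "latest"   # a digest-only reference carries no tag
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def manifest_digest(manifest_bytes):
    """The content address docker prints after a push or pull: sha256 over
    the exact manifest bytes served by the registry."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def verify_pinned_pull(ref, manifest_bytes):
    """True only if 'ref' pins a digest and the manifest the registry returned
    matches it. A tag-only reference gives no guarantee: the registry, or an
    on-path attacker for an insecure-registries host, can map the tag to
    anything."""
    _, _, _, digest = parse_reference(ref)
    if digest is None:
        return False
    return hmac.compare_digest(manifest_digest(manifest_bytes), digest)


# Constructed sample manifest in schema 2 layout; not the real busybox manifest.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1497, "digest": "sha256:" + "11" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 760770, "digest": "sha256:" + "22" * 32}],
}, indent=3).encode()

if __name__ == "__main__":
    for ref in ("busybox", "localhost:5000/busybox", "192.168.24.170:5000/busybox:1.31"):
        print(ref, "->", parse_reference(ref))
    pinned = "192.168.24.170:5000/busybox@" + manifest_digest(SAMPLE_MANIFEST)
    print("pinned pull ok:", verify_pinned_pull(pinned, SAMPLE_MANIFEST))
    tampered = SAMPLE_MANIFEST.replace(b"760770", b"760771")
    print("tampered manifest ok:", verify_pinned_pull(pinned, tampered))
```

In practice this means recording the digest line from docker push (latest: digest: sha256:... above) and deploying with 192.168.24.170:5000/busybox@sha256:... rather than the tag; a single changed byte in the manifest, as in the tampered case, fails verification.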

Harbor

Harbor is an enterprise-class registry server for storing and distributing Docker images.

Harbor features

Role-based access control: users and image repositories are organized through "projects"; a user can hold different permissions on several repositories within one namespace (project).
Image replication: images can be replicated (synchronized) between multiple registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
Graphical user interface: users can browse and search the image repositories and manage projects and namespaces from a browser.
AD/LDAP support: Harbor integrates with an existing enterprise AD/LDAP for authentication and authorization.
Audit management: every operation on the image repositories can be logged and traced for auditing.
Internationalization: localized into English, Chinese, German, Japanese and Russian, with more languages to come.
RESTful API: a RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
Simple deployment: online and offline installers are provided, and Harbor can also be deployed on the vSphere platform as a virtual appliance (OVA).

Installation preparation

GitHub project address:
https://github.com/vmware/harbor
This is an open-source project from VMware; the address above redirects to:
https://github.com/goharbor/harbor

Download Harbor
Read the project README: the Features were covered above, so the part of interest here is Install & Run.

First, the download. Harbor releases:
https://github.com/goharbor/harbor/releases

$ wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.2-rc1.tgz

Installation and configuration guide
Installation & Configuration Guide:
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md

Hardware requirements:

  Resource   Minimum   Recommended
  CPU        2 CPUs    4 CPUs
  Memory     4 GB      8 GB
  Disk       40 GB     160 GB

Software requirements:

  Software         Version                  Description
  Docker engine    17.06.0-ce or higher     see the docker engine installation docs
  Docker Compose   1.18.0 or higher         see the docker compose installation docs
  OpenSSL          latest preferred         generates the certificate and keys for Harbor

Installation steps:

  1. Download the installer;
  2. Configure harbor.yml;
  3. Run install.sh to install and start Harbor;

After downloading, extract the archive:

[root@Harbor ~]# tar xvf harbor-offline-installer-v1.8.1.tar -C /opt
harbor/harbor.v1.8.1.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/harbor.yml
[root@Harbor ~]# 

The downloaded archive can be deleted once it is extracted, but the extracted directory must stay: install.sh generates docker-compose.yml and common/config/ inside it, the containers bind-mount their configuration from there, and docker-compose is run from this directory afterwards to stop and start Harbor. Extract it to a permanent location such as /opt or /usr/local.

Images in the installer
Among the extracted files is harbor.v1.8.1.tar.gz, an export of docker images. Recall the docker save command, which can bundle several images into one compressed archive:

$ docker save myimg/httpd:v1 myimg/httpd:v2 | gzip > myimage_latest.tar.gz

That is presumably how this file was produced. During installation every image in it is loaded in one step:

$ docker load -i myimage_latest.tar.gz

docker load imports whatever the archive contains without checking where it came from, so verify the downloaded installer against whatever checksum or signature the release publishes before running install.sh. The install.sh script run during installation contains the statements that load the images:

if [ -f harbor*.tar.gz ]
then
        h2 "[Step $item]: loading Harbor images ..."; let item+=1
        docker load -i ./harbor*.tar.gz
fi

Installation dependencies and process
Installing Harbor means installing a number of containers on the current host and starting them all. Starting Harbor means bringing these containers up with docker-compose, and stopping Harbor means shutting them all down with docker-compose as well. docker-compose is needed because Harbor consists of many containers working together, with dependencies between them, and a single-host orchestration tool is what coordinates that.

So before installing Harbor, docker-compose must be installed to orchestrate the local containers, and docker must be installed to run the images, which come from the extracted archive. The docker daemon must also be running so that containers can start.
Once that is in place, run the install.sh script shipped with Harbor: it loads the images locally, then starts them in order through docker-compose on the local docker engine.

Edit harbor.yml and change the hostname; use the host's domain name if it has one, otherwise its IP address. If it is left unchanged, install.sh stops with the following message:

[root@Harbor harbor]# ./install.sh 
➜ Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@Harbor harbor]# 

The check finds that docker is not installed:

[root@Harbor harbor]# ./install.sh 

[Step 0]: checking installation environment ...
✖ Need to install docker(17.06.0+) first and run this script again.
[root@Harbor harbor]# 

The check finds that docker-compose is not installed:

[root@Harbor harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.1
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again.
[root@Harbor harbor]# 

The check finds that docker is not running:

[root@Harbor harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.1

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
[root@Harbor harbor]# 

Docker Compose

Docker's single-host orchestration tool. Official documentation:
https://docs.docker.com/compose/

To simplify installation and deployment, Harbor is built as an application that runs in containers. Since it also depends on several other applications, a number of containers have to be orchestrated to work together, which is why deploying and using Harbor relies on Docker Compose, Docker's single-host orchestration tool.

Install docker-compose; the package is in the EPEL repository:

yum install docker-compose

Compose template file
The template file is the core of Compose; it has many directive keywords, its default name is docker-compose.yml and its format is YAML.
This is not the focus here, being able to install and use Harbor is enough, but a brief look helps.
To use docker-compose you write an orchestration file which, like a Dockerfile, has many directives. It defines every container to start and the dependencies between them, so that a container's dependencies start before it; shutdown is symmetric, stopping the containers nothing depends on first.
Let's look at Harbor's docker-compose.yml (the file that install.sh generates into the harbor directory):

[root@Harbor harbor]# cat docker-compose.yml 
version: '2.3'  # docker-compose file format version
services:  # the services to run
  log:  # service name; the service is provided by the container configured below
    image: goharbor/harbor-log:v1.8.1  # container image (alternatively a build directive with a Dockerfile)
    container_name: harbor-log  # name of the created container
    restart: always  # restart the container automatically
    dns_search: .
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:  # volumes
      - /var/log/harbor/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:  # networks to join
      - harbor
  registry:
    image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
    container_name: registry
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: /data/secret/registry/root.crt
        target: /etc/registry/root.crt
    networks:
      - harbor
    dns_search: .
    depends_on:  # services this one depends on; they are started first
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  registryctl:
    image: goharbor/harbor-registryctl:v1.8.1
    container_name: registryctl
    env_file:
      - ./common/config/registryctl/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: ./common/config/registryctl/config.yml
        target: /etc/registryctl/config.yml
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registryctl"
  postgresql:
    image: goharbor/harbor-db:v1.8.1
    container_name: harbor-db
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - /data/database:/var/lib/postgresql/data:z
    networks:
      harbor:
    dns_search: .
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "postgresql"
  core:
    image: goharbor/harbor-core:v1.8.1
    container_name: harbor-core
    env_file:
      - ./common/config/core/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
    volumes:
      - /data/ca_download/:/etc/core/ca/:z
      - /data/psc/:/etc/core/token/:z
      - /data/:/data/:z
      - ./common/config/core/certificates/:/etc/core/certificates/:z
      - type: bind
        source: ./common/config/core/app.conf
        target: /etc/core/app.conf
      - type: bind
        source: /data/secret/core/private_key.pem
        target: /etc/core/private_key.pem
      - type: bind
        source: /data/secret/keys/secretkey
        target: /etc/core/key
    networks:
      harbor:
    dns_search: .
    depends_on:
      - log
      - registry
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "core"
  portal:
    image: goharbor/harbor-portal:v1.8.1
    container_name: harbor-portal
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
      - core
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "portal"

  jobservice:
    image: goharbor/harbor-jobservice:v1.8.1
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - type: bind
        source: ./common/config/jobservice/config.yml
        target: /etc/jobservice/config.yml
    networks:
      - harbor
    dns_search: .
    depends_on:
      - redis
      - core
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  redis:
    image: goharbor/redis-photon:v1.8.1
    container_name: redis
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/redis:/var/lib/redis
    networks:
      harbor:
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"
  proxy:
    image: goharbor/nginx-photon:v1.8.1
    container_name: nginx
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    dns_search: .
    ports:
      - 80:80
    depends_on:
      - postgresql
      - registry
      - core
      - portal
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
[root@Harbor harbor]# 
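A few things are worth noticing in this file: every service drops all capabilities and adds back only what it needs (registry and core never get DAC_OVERRIDE or NET_BIND_SERVICE), the syslog port of the log service is published on 127.0.0.1 only, and the one port open to other hosts is the proxy's 80/tcp, plain HTTP because https was not configured in harbor.yml. The added example below (not Harbor's or docker-compose's own code) derives the start order from the depends_on graph, checks that a given stop sequence never stops a service before its dependents, and summarizes what each service keeps. SERVICES is transcribed by hand from the file above, keeping only depends_on, cap_add and ports, so no YAML library is needed.

```python
# SERVICES is transcribed from the docker-compose.yml above, keeping only
# depends_on, cap_add and ports (every service also declares cap_drop: ALL).
SERVICES = {
    "log":         {"depends_on": [], "ports": ["127.0.0.1:1514:10514"],
                    "cap_add": ["CHOWN", "DAC_OVERRIDE", "SETGID", "SETUID"]},
    "registry":    {"depends_on": ["log"], "ports": [],
                    "cap_add": ["CHOWN", "SETGID", "SETUID"]},
    "registryctl": {"depends_on": ["log"], "ports": [],
                    "cap_add": ["CHOWN", "SETGID", "SETUID"]},
    "postgresql":  {"depends_on": ["log"], "ports": [],
                    "cap_add": ["CHOWN", "DAC_OVERRIDE", "SETGID", "SETUID"]},
    "core":        {"depends_on": ["log", "registry"], "ports": [],
                    "cap_add": ["SETGID", "SETUID"]},
    "portal":      {"depends_on": ["log", "core"], "ports": [],
                    "cap_add": ["CHOWN", "SETGID", "SETUID", "NET_BIND_SERVICE"]},
    "jobservice":  {"depends_on": ["redis", "core"], "ports": [],
                    "cap_add": ["CHOWN", "SETGID", "SETUID"]},
    "redis":       {"depends_on": ["log"], "ports": [],
                    "cap_add": ["CHOWN", "SETGID", "SETUID"]},
    "proxy":       {"depends_on": ["postgresql", "registry", "core", "portal", "log"],
                    "ports": ["80:80"],
                    "cap_add": ["CHOWN", "SETGID", "SETUID", "NET_BIND_SERVICE"]},
}


def start_order(services):
    """Return a start sequence in which every service comes after all of its
    depends_on entries. At each step the first ready service in file order is
    taken; a dependency cycle raises ValueError."""
    started, order = set(), []
    while len(order) < len(services):
        ready = next((n for n, s in services.items()
                      if n not in started and set(s["depends_on"]) <= started), None)
        if ready is None:
            raise ValueError("dependency cycle among: "
                             + ", ".join(sorted(set(services) - started)))
        started.add(ready)
        order.append(ready)
    return order


def is_safe_stop_order(services, sequence):
    """True if no service in 'sequence' is stopped while something that depends
    on it is still running, and every service is stopped exactly once."""
    stopped = set()
    for name in sequence:
        dependents = {n for n, s in services.items() if name in s["depends_on"]}
        if not dependents <= stopped:
            return False
        stopped.add(name)
    return len(stopped) == len(services) and len(sequence) == len(services)


def published_to_all_interfaces(port_spec):
    """'80:80' binds 0.0.0.0; '127.0.0.1:1514:10514' carries a host address."""
    return port_spec.count(":") == 1


def privilege_report(services):
    """Per service: the capabilities it keeps after cap_drop ALL and the ports
    reachable from other hosts, the two things to compare with what it does."""
    return {name: {"caps": sorted(svc["cap_add"]),
                   "public_ports": [p for p in svc["ports"] if published_to_all_interfaces(p)]}
            for name, svc in services.items()}


def services_with(services, capability):
    """Names of the services that keep 'capability'."""
    return sorted(n for n, s in services.items() if capability in s["cap_add"])


if __name__ == "__main__":
    order = start_order(SERVICES)
    print("start:", " -> ".join(order))
    print("stop: ", " -> ".join(reversed(order)))
    print("DAC_OVERRIDE kept by:", services_with(SERVICES, "DAC_OVERRIDE"))
    for name, info in privilege_report(SERVICES).items():
        if info["public_ports"]:
            print(f"{name}: reachable from other hosts on {info['public_ports']}")
```

The computed start sequence is log, registry, registryctl, postgresql, core, portal, redis, jobservice, proxy, which is the order the Starting lines later on this page show; the Stopping lines there, mapped from container names back to service names, pass is_safe_stop_order as well.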

Install Harbor

Before installing, edit harbor.yml: at a minimum change the hostname, as noted earlier. Two other settings deserve attention even though installation works without touching them: harbor_admin_password, which is applied only at the first start, and the https settings, since without them the portal and docker login run over plaintext HTTP. Everything else can be changed as needed.

Once everything is ready, run the installer:

[root@Harbor harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.1

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
ba58b7bb3f17: Loading layer  33.32MB/33.32MB
......omitted......
Loaded image: goharbor/clair-photon:v2.0.8-v1.8.1

[Step 2]: preparing environment ...
prepare base dir is set to /opt/harbor
Generated configuration file: /config/log/logrotate.conf
......omitted......
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secreCreating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Creating registry ... done
Creating harbor-core ... done
[Step 3]: starting Harbor ...
Creating harbor-portal ... done
Creating nginx ... done
Creating harbor-db ... 
Creating redis ... 
Creating registryctl ... 
Creating registry ... 
Creating harbor-core ... 
Creating harbor-portal ... 
Creating harbor-jobservice ... 
Creating nginx ... 

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://HarborStudy. 
For more details, please visit https://github.com/goharbor/harbor .

[root@Harbor harbor]# 

Installation succeeded. You can check which ports are listening, which images were loaded and which containers are running:

$ ss -tnl
$ docker images
$ docker ps

Log in to Harbor

The default password is set in harbor.yml:

harbor_admin_password: Harbor12345

The user name is admin; if the password was not changed it is the default. Change it at the first login (or in harbor.yml before installing, since that value is applied only at the first start): the default is public knowledge and the admin account controls every project.

Open the web page in a browser to reach the management interface.
To push or pull images you use the docker command on the command line, and that also requires logging in to Harbor first, with docker login:

[root@Harbor harbor]# docker login localhost
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@Harbor harbor]# 
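The warning above is literal: the auth value docker login writes to ~/.docker/config.json is only base64 of user:password, so anyone who can read that file (a backup, a CI runner, an image built from a home directory) holds the registry credentials. The added example below (not docker's own code) decodes such a file and flags the entries that should worry you. SAMPLE_CONFIG_JSON is constructed, using the default admin password from harbor.yml; its credHelpers entry is an assumption showing what a registry delegated to a credential helper looks like.

```python
import base64
import json

# Constructed sample: what ~/.docker/config.json holds after the login above,
# plus one registry delegated to a credential helper (assumption).
SAMPLE_CONFIG_JSON = json.dumps({
    "auths": {
        "localhost": {"auth": base64.b64encode(b"admin:Harbor12345").decode()},
        "192.168.24.170:5000": {},
    },
    "credHelpers": {"192.168.24.170:5000": "pass"},
})

DEFAULT_PASSWORDS = {"Harbor12345"}  # Harbor's shipped admin password


def stored_credentials(config_text):
    """Return {registry: (user, password)} for every entry that carries an
    'auth' value. The value is base64("user:password") and nothing more,
    which is what docker's 'stored unencrypted' warning refers to."""
    conf = json.loads(config_text)
    found = {}
    for registry, entry in conf.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue  # delegated to a credential helper: no secret in the file
        user, _, password = base64.b64decode(token).decode().partition(":")
        found[registry] = (user, password)
    return found


def uses_credential_helper(config_text, registry):
    """True if secrets for 'registry' live in a helper (credsStore applies to
    all registries, credHelpers to one) rather than in the file itself."""
    conf = json.loads(config_text)
    return bool(conf.get("credsStore")) or registry in conf.get("credHelpers", {})


def findings(config_text):
    """(registry, issue) pairs a reviewer would raise about this file."""
    out = []
    for registry, (user, password) in stored_credentials(config_text).items():
        out.append((registry, f"plaintext credential for {user!r} in config.json"))
        if password in DEFAULT_PASSWORDS:
            out.append((registry, f"default password still in use for {user!r}"))
    return out


if __name__ == "__main__":
    for registry, issue in findings(SAMPLE_CONFIG_JSON):
        print(f"{registry}: {issue}")
    print("helper for 192.168.24.170:5000:",
          uses_credential_helper(SAMPLE_CONFIG_JSON, "192.168.24.170:5000"))
```

Point it at the real file with findings(open("/root/.docker/config.json").read()); the fix for a plaintext entry is the credential helper the warning mentions, after which the auths entry stays but its auth value disappears, as the second registry in the sample shows.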

Only after a successful login can images be pushed. Note that the login above goes to localhost over plain HTTP: docker treats loopback addresses as insecure registries by default, which is why it works without an insecure-registries entry. A client on another host needs either Harbor configured for HTTPS or its own insecure-registries entry for the Harbor hostname, with the risks described earlier.

Stop Harbor

Stopping and starting Harbor is done with the docker-compose command.
Change into the directory containing the docker-compose.yml first, so that docker-compose finds the template file automatically (docker-compose stop keeps the containers and their data; docker-compose down would remove the containers).
Stop Harbor:

[root@Harbor harbor]# cd /opt/harbor/
[root@Harbor harbor]# docker-compose stop
Stopping nginx             ... done
Stopping harbor-portal     ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping registryctl       ... done
Stopping harbor-db         ... done
Stopping registry          ... done
Stopping redis             ... done
Stopping harbor-log        ... done
[root@Harbor harbor]# 

Then start it again:

[root@Harbor harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting core        ... done
Starting portal      ... done
Starting redis       ... done
Starting jobservice  ... done
Starting proxy       ... done
[root@Harbor harbor]# 