08 - Docker private registry¶
Test environment¶
Simple registry setup¶
Change to the working directory and create a directory for the credentials
cd /opt
mkdir auth
Generate the htpasswd credentials
[root@192e168e56e11 opt]# docker run --entrypoint htpasswd registry:2 -Bbn chris 123456 > auth/htpasswd
View the generated credentials
[root@192e168e56e11 opt]# cat auth/htpasswd
chris:$2y$05$Dbtqc6Te9UxwIKC96QGUcuFPcxmvV1s3LIAlkjX9KKie7YkRJWBs.
Run the container
[root@192e168e56e11 opt]# docker run -d -p 6000:5000 --restart=always --name registry1 -v `pwd`/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
Check that the container was created
[root@192e168e56e11 opt]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b25800432ad registry "/entrypoint.sh /etc/" 14 seconds ago Up 13 seconds 0.0.0.0:6000->5000/tcp registry1
Log in to the registry
[root@192e168e56e11 ~]# docker login 127.0.0.1:6000
Username: chris
Password:
Login Succeeded
Tag the nginx image for the local registry
[root@192e168e56e11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/nginx latest b8efb18f159b 5 days ago 107.5 MB
docker.io/registry 2 751f286bc25e 10 days ago 33.19 MB
docker.io/registry latest 751f286bc25e 10 days ago 33.19 MB
[root@192e168e56e11 ~]# docker tag b8efb18f159b 127.0.0.1:6000/chris/nginx
Push the image as a test
[root@192e168e56e11 ~]# docker push 127.0.0.1:6000/chris/nginx
The push refers to a repository [127.0.0.1:6000/chris/nginx]
af5bd3938f60: Pushed
29f11c413898: Pushed
eb78099fbf7f: Pushed
latest: digest: sha256:788fa27763db6d69ad3444e8ba72f947df9e7e163bad7c1f5614f8fd27a311c3 size: 948
Check that the image is tagged locally
[root@192e168e56e11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:6000/chris/nginx latest b8efb18f159b 5 days ago 107.5 MB
docker.io/nginx latest b8efb18f159b 5 days ago 107.5 MB
docker.io/registry 2 751f286bc25e 10 days ago 33.19 MB
docker.io/registry latest 751f286bc25e 10 days ago 33.19 MB
Now try pulling the image from another machine and check the result
Since Docker 1.3.x the daemon expects registries to use HTTPS by default, so when docker pull fetches from a remote registry that is not served over HTTPS it reports the error above.
To fix this, add a startup parameter when starting the docker daemon.
Edit the docker startup configuration file (here the configuration of the 132 machine is modified); on Ubuntu the file is /etc/init/docker.conf
Add --insecure-registry 192.168.56.11:6000 to it as shown below:
[root@192e168e56e12 ~]# systemctl daemon-reload
[root@192e168e56e12 ~]# systemctl restart docker
Simple registry management deployment¶
Reference: https://www.cnblogs.com/bowendown/p/12623756.html
Start the private registry container
docker run -di --name=registry -p 5000:5000 registry
Open in a browser: http://ip:port/v2/_catalog
Seeing {"repositories":[]} means the private registry is up
The registry is empty at this point
Edit daemon.json
vi /etc/docker/daemon.json
Add the following, then save and exit.
{"insecure-registries":["ip:port"]}
This step makes docker trust the private registry address
Restart docker so the daemon.json configuration takes effect
systemctl restart docker
Simple registry: pushing an image¶
1. Tag the image
docker tag 0901fa9da894 10.0.194.213:5000/nginx:latest
2. Push the tagged image
docker push 10.0.194.213:5000/nginx:latest
Production deployment - HTTP¶
What is Harbor¶
Developing and running Docker container applications depends on reliable image management. Although Docker provides a public image registry, for security and efficiency reasons it is also necessary to deploy a Registry inside our private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware; it includes role-based access control (RBAC), LDAP, audit logging, a management UI, self-registration, image replication and Chinese-language support.
Harbor is an enterprise-grade registry server for storing and managing docker image files. Harbor mainly provides a web management UI for the Docker Registry, supports image synchronisation between multiple registry servers, and offers advanced security features such as user management, access control and activity auditing.
Official site: https://github.com/goharbor/harbor
Harbor environment preparation¶
Configure the yum repositories
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all ; yum repolist
echo
Mount the disk
mkfs.xfs -f /dev/sdb
mkdir -p /data
mount /dev/sdb /data/
echo "/dev/sdb /data xfs defaults 0 0" >>/etc/fstab ; cat /etc/fstab |grep data
Harbor installation¶
Reference: https://www.cnblogs.com/panwenbin-logs/p/10218099.html
Install docker
yum install -y docker vim
Configure a registry mirror (pull accelerator)
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://1v0q5mvy.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
echo
Install the docker-compose orchestration tool
yum -y install python-pip
mkdir ~/.pip/ -p
cat >~/.pip/pip.conf<<EOF
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple
[install]
trusted-host=mirrors.aliyun.com
EOF
yum -y install python36-pip python36
pip3.6 install --upgrade pip
pip3.6 install docker-compose
echo
Prepare the harbor-offline-installer-v1.8.1.tgz package and extract it
tar xf harbor-offline-installer-v1.8.1.tgz
Change to the harbor directory and start configuring
[root@linux-node0 ]# cd harbor
[root@linux-node0 harbor]# vim harbor.yml
hostname: 192.168.56.10   # change to the server IP
Install harbor
[root@linux-node0 harbor]# ./install.sh # installation output omitted
Check whether harbor installed successfully
Error encountered:
[root@linux-node78 harbor]# ./install.sh
[Step 0]: checking installation environment ...
✖ Need to upgrade docker package to 17.06.0+.
Comment out the following line in the install.sh script
#check_docker
Harbor web login¶
Open the web UI to check: http://10.0.190.163/
Default account/password: admin Harbor12345
The screen after logging in
Harbor registry configuration¶
Docker (error getsockopt: connection refused; docker login fails when the registry is served over http)
After deploying the Harbor registry, the prompts say to push images, which requires logging in with docker login ip:port.
On login it turned out that docker defaults to https; because the test environment had no certificate configured, the registry had to be added as an insecure registry.
Then came searching through all kinds of tutorials.... N solutions were tried and none worked
cat >/etc/docker/daemon.json<<EOF
{
"registry-mirrors": ["https://1v0q5mvy.mirror.aliyuncs.com"],
"insecure-registries": ["10.0.194.212"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
Harbor: pushing an image¶
Log in to the harbor registry
Default account/password: admin Harbor12345
[root@10e0e194e211 ~]# docker login 10.0.194.212
Username (admin): admin
Password:
Login Succeeded
Tag the image
docker tag docker.io/nginx:latest 192.168.56.78/library/nginx:v.0.0.1
After logging in, push the tagged image to the harbor registry
docker push 192.168.56.78/library/nginx:v.0.0.1
Check that the push to the harbor registry succeeded
The harbor registry now shows the pushed docker image
Push a centos image to the harbor registry
docker pull centos:7.6.1810
docker tag docker.io/centos:7.6.1810 192.168.1.111/library/centos:7.6.1810.0
[root@10e0e194e211 ~]# docker login 192.168.1.111
Username (admin): admin
Password: Harbor12345
Login Succeeded
docker push 192.168.1.111/library/centos:7.6.1810.0
Push a bkci build-agent image to the harbor registry
docker pull bkci/ci:latest
docker tag bkci/ci:latest 192.168.1.111/library/bkci/ci:v0
[root@10e0e194e211 ~]# docker login 192.168.1.111
Username (admin): admin
Password: Harbor12345
Login Succeeded
docker push 192.168.1.111/library/bkci/ci:v0
Check that the push succeeded
Harbor: pulling an image¶
Now we can pull images from the private registry we built; first delete the local image
docker rmi -f 0901fa9da894   # force-remove the local image first
Log in to the harbor registry
Default account/password: admin Harbor12345
[root@10e0e194e211 ~]# docker login 10.0.194.212
Username (admin): admin
Password:
Login Succeeded
Pull the image from the private registry
docker pull 10.0.194.212/library/nginx:latest
Harbor: running an image¶
Now run an instance from the pulled image
[root@10e0e194e211 ~]# docker run -d -p 192.168.1.104:81:80 --name mynginx 605c77e624dd
41300cf3904f0d2f22ff00fe754a9249d25597bf376a7a362229146408f30649
View the running container
[root@10e0e194e211 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
41300cf3904f 10.0.194.212/library/nginx "/docker-entrypoin..." 22 seconds ago Up 21 seconds 0.0.0.0:20000->80/tcp goofy_hawking
Check in the web UI that the nginx container is running
Harbor integration with OpenLDAP¶
Production deployment - HTTPS¶
Harbor environment preparation¶
Configure the yum repositories
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all ; yum repolist
echo
Mount the data disk
mkfs.xfs -f /dev/sdb
mkdir -p /data
mount /dev/sdb /data/
echo "/dev/sdb /data xfs defaults 0 0" >>/etc/fstab ; cat /etc/fstab |grep data
Install base packages
yum install -y wget net-tools nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel vim ncurses-devel autoconf automake zlib-devel python-devel epel-release openssh-server socat ipvsadm conntrack
Prepare the packages (place them under /data/install/)
mkdir -p /data/install/
docker-harbor-2-3-0.tar.gz
harbor-offline-installer-v2.3.0-rc3.tgz
docker-compose-Linux-x86_64.64
Harbor self-signed certificate¶
Set the harbor host name
hostnamectl set-hostname harbor01 && bash
Create the certificate directory
mkdir /data/ssl -p
cd /data/ssl/
Generate the CA certificate:
openssl genrsa -out ca.key 3072
Generates a 3072-bit key, i.e. the private key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
Generates the CA certificate ca.pem; 3650 is the validity period of the certificate in days. Fill in the fields marked with arrows as prompted and leave the unmarked ones blank:
Generate the certificate for the domain:
openssl genrsa -out harbor01.key 3072
Generates a 3072-bit key, i.e. the private key
openssl req -new -key harbor01.key -out harbor01.csr
Generates a certificate signing request, which is needed when signing the certificate in a moment; fill in the fields marked with arrows as prompted and leave the unmarked ones blank:
Sign the certificate:
openssl x509 -req -in harbor01.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor01.pem -days 3650
Output like the following means the certificate has been signed:
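Added example (not from the page or the Harbor project): the CA and server-certificate procedure above scripted non-interactively, with a subjectAltName added because current Docker clients reject a certificate that only carries a CN, and a final check that the certificate chains to the CA and names the host that harbor.yml will later use as hostname. HARBOR_HOST, HARBOR_IP and WORKDIR are assumed placeholders; openssl is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): self-signed CA plus a Harbor server
# certificate that carries a subjectAltName, then a local verification step.
# Assumes openssl is installed; HARBOR_HOST, HARBOR_IP and WORKDIR are placeholders.
set -euo pipefail

HARBOR_HOST="${HARBOR_HOST:-harbor01}"   # must equal the 'hostname:' value in harbor.yml
HARBOR_IP="${HARBOR_IP:-192.168.1.22}"   # constructed sample address for the IP SAN
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# CA key and self-signed CA certificate, non-interactive (-subj replaces the prompts).
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 3072 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORKDIR/ca.key" \
    -subj "/C=CN/O=Example/CN=Example Harbor CA" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Server key, CSR and CA-signed certificate. Docker clients built with Go 1.15+
# ignore the CN field, so a certificate without a SAN is rejected during TLS.
make_server_cert() {
  openssl genrsa -out "$WORKDIR/$HARBOR_HOST.key" 3072 2>/dev/null
  openssl req -new -key "$WORKDIR/$HARBOR_HOST.key" \
    -subj "/C=CN/O=Example/CN=$HARBOR_HOST" -out "$WORKDIR/$HARBOR_HOST.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s, IP:%s\nextendedKeyUsage = serverAuth\n' \
    "$HARBOR_HOST" "$HARBOR_IP" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/$HARBOR_HOST.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 3650 \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/$HARBOR_HOST.pem" 2>/dev/null
}

# Returns 0 only if the cert chains to ca.pem and carries the DNS SAN for HARBOR_HOST.
verify_server_cert() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$HARBOR_HOST.pem" >/dev/null 2>&1 || return 1
  local text
  text=$(openssl x509 -in "$WORKDIR/$HARBOR_HOST.pem" -noout -text)
  case "$text" in
    *"DNS:$HARBOR_HOST"*) return 0 ;;
    *) return 1 ;;
  esac
}

make_ca && make_server_cert && verify_server_cert && echo "certificate OK: $WORKDIR/$HARBOR_HOST.pem"
```

The resulting .pem and .key are what harbor.yml's certificate and private_key settings point at, and ca.pem is what client hosts need to trust.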
Docker installation¶
Configure the docker repository
cd /etc/yum.repos.d/
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum repolist
Install docker dependencies
yum install -y yum-utils device-mapper-persistent-data lvm2
Install docker-ce
yum install docker-ce -y
Start the docker service
systemctl start docker && systemctl enable docker
systemctl status docker
Enable packet forwarding and set kernel parameters
modprobe br_netfilter
cat > /etc/sysctl.d/docker.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/docker.conf
Restart docker
systemctl daemon-reload
systemctl restart docker
Configure a domestic registry mirror
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://1v0q5mvy.mirror.aliyuncs.com"]
}
EOF
systemctl daemon-reload
systemctl restart docker
systemctl status docker
Harbor installation¶
Create the installation directory
Upload the harbor offline package harbor-offline-installer-v2.3.0-rc3.tgz to /data/install/; the offline package is provided with the course materials
Download address for the harbor offline package:
https://github.com/goharbor/harbor/releases/tag/
Extract:
cd /data/install
tar zxvf harbor-offline-installer-v2.3.0-rc3.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
Edit the configuration file:
hostname: harbor
# set hostname to match the domain in the certificate signed above
# serve over https
https:
  port: 443
  certificate: /data/ssl/harbor01.pem
  private_key: /data/ssl/harbor01.key
Note: harbor default account/password: admin/Harbor12345
Install docker-compose: upload the docker-compose-Linux-x86_64 file from the course materials to the harbor machine
cd /data/install/
mv docker-compose-Linux-x86_64.64 /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
Load the offline image bundle harbor needs: docker-harbor-2-3-0.tar.gz is in the course materials; upload it to the harbor machine and load it with
docker load -i docker-harbor-2-3-0.tar.gz
cd /data/install/harbor
./install.sh
Seeing the following means the installation succeeded:
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating redis ... done
Creating registry ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Harbor registry configuration¶
Docker (error getsockopt: connection refused; docker login fails when the registry is served over http)
After deploying the Harbor registry, the prompts say to push images, which requires logging in with docker login ip:port.
On login it turned out that docker defaults to https; because the test environment had no certificate configured, the registry had to be added as an insecure registry.
Then came searching through all kinds of tutorials.... N solutions were tried and none worked
cat >/etc/docker/daemon.json<<EOF
{
"registry-mirrors": ["https://1v0q5mvy.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.22"]
}
EOF
systemctl daemon-reload
systemctl restart docker
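Added example (not from the page): the daemon.json step used in the simple-registry section, the HTTP Harbor section and here, done as a merge instead of a cat > overwrite, so an existing registry-mirrors setting survives and the entry is never duplicated. Assumes python3 is present; DAEMON_JSON is a placeholder path that defaults to a temp file so it can be tried safely.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): add an insecure-registries entry to
# daemon.json by merging, so existing keys such as registry-mirrors survive.
# Assumes python3 is installed; DAEMON_JSON is a placeholder (defaults to a temp dir).
set -euo pipefail

DAEMON_JSON="${DAEMON_JSON:-$(mktemp -d)/daemon.json}"

# Usage: add_insecure_registry <file> <host[:port]>
# Keeps other keys, never adds a duplicate, fails (file untouched) on invalid JSON.
add_insecure_registry() {
  python3 - "$1" "$2" <<'PY'
import json, os, sys
path, reg = sys.argv[1], sys.argv[2]
cfg = {}
if os.path.exists(path):
    with open(path) as f:
        cfg = json.load(f)              # raises on a malformed file instead of clobbering it
regs = cfg.setdefault("insecure-registries", [])
if reg not in regs:
    regs.append(reg)
tmp = path + ".tmp"
with open(tmp, "w") as f:
    json.dump(cfg, f, indent=2)
    f.write("\n")
os.replace(tmp, path)                   # atomic swap: dockerd never reads a half-written file
PY
}

# Returns 0 when <host> is listed under insecure-registries in <file>, 1 otherwise.
has_insecure_registry() {
  python3 -c 'import json,sys; sys.exit(0 if sys.argv[2] in json.load(open(sys.argv[1])).get("insecure-registries", []) else 1)' "$1" "$2"
}

# Number of entries under insecure-registries (shows the merge is idempotent).
insecure_count() {
  python3 -c 'import json,sys; print(len(json.load(open(sys.argv[1])).get("insecure-registries", [])))' "$1"
}

# Number of top-level keys (shows registry-mirrors was not overwritten).
key_count() {
  python3 -c 'import json,sys; print(len(json.load(open(sys.argv[1]))))' "$1"
}

# Constructed sample: a daemon.json that already carries the mirror from the page.
printf '{"registry-mirrors": ["https://1v0q5mvy.mirror.aliyuncs.com"]}\n' > "$DAEMON_JSON"
add_insecure_registry "$DAEMON_JSON" "192.168.1.22"
add_insecure_registry "$DAEMON_JSON" "192.168.1.22"   # second call is a no-op
cat "$DAEMON_JSON"
```

insecure-registries switches off TLS verification for that host, so for the self-signed deployment above the stricter alternative is to install ca.pem as /etc/docker/certs.d/<hostname>/ca.crt on each client and leave daemon.json alone.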
Harbor web login¶
Open the web UI to check: https://192.168.1.22/
Default account/password: admin Harbor12345
Harbor: pushing an image¶
Log in to the harbor registry (default account/password: admin Harbor12345)
[root@10e0e194e211 ~]# docker login 192.168.1.22
Username (admin): admin
Password: Harbor12345
Login Succeeded
Tag the image
docker tag docker.io/nginx:latest 192.168.1.22/library/nginx:v.0.0.1
After logging in, push the tagged image to the harbor registry
docker push 192.168.1.22/library/nginx:v.0.0.1
Check that the push to the harbor registry succeeded
The harbor registry now shows the pushed docker image
Harbor: pulling an image¶
Now we can pull images from the private registry we built; first delete the local image
docker rmi 192.168.1.22/library/nginx:v.0.0.1   # remove the local image first
Log in to the harbor registry
Default account/password: admin Harbor12345
[root@10e0e194e211 ~]# docker login 192.168.1.22
Username (admin): admin
Password:
Login Succeeded
Pull the image from the private registry
docker pull 192.168.1.22/library/nginx:v.0.0.1
Harbor image replication¶
First deploy a standby harbor registry, log in to it, and choose Registries > New Endpoint
Configure the endpoint properties; default account/password: admin Harbor12345
Click OK
Click Replications > New Replication Rule
Set the rule properties
Select the rule and start replication
Replication in progress
Verify the replication result
HTTPS registry setup¶
Building a private Docker Registry
1. Prepare the environment and obtain a certificate
http://buy.wosign.com/free/ # site for requesting a digital certificate
http://freessl.wosign.com/guide # SSL certificate deployment guide
Better registry options
(1) admiral, a web management UI for docker
https://github.com/vmware/admiral
(2) Mesos + Zookeeper + Marathon + Docker distributed cluster management best practices
http://www.xuliangwei.com/xubusi/422.html
Run a registry
[root@docker ~]# docker run -d -p 5000:5000 registry
[root@docker ~]# docker run -d -p 5000:5000 registry:2
bf2156a9b00e9f2e49ebbd7b79a26ec196886b4f9cd573b6385786cd1207dd77
[root@docker ~]# curl 192.168.56.123:5000/v1/search
{"num_results": 0, "query": "", "results": []}
Tag the image for the registry
[root@docker ~]# docker tag chuck/mynginx:v2 192.168.56.123:5000/chuck/mynginx:lastest
Configure nginx so that images are pushed to the registry over HTTPS with user authentication; HTTPS is mandatory!!
Add an nginx configuration file for the registry
[root@docker conf.d]# pwd
/etc/nginx/conf.d
[root@docker conf.d]# cat docker-registry.conf
upstream docker-registry {
    server 127.0.0.1:5000;
}
server {
    listen 443 ssl;   # 'ssl on;' is deprecated; enable TLS on the listen directive instead
    server_name registry.oldboyedu.com;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
        auth_basic "Docker";
        auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}
Generate a root certificate; in production it is better to buy a certificate
[root@docker CA]# cd /etc/pki/CA/
[root@docker CA]# touch ./{serial,index.txt}
[root@docker CA]# echo 00 >serial
[root@docker CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................+++
..........................+++
e is 65537 (0x10001)
[root@docker CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:chuck
Organizational Unit Name (eg, section) []:chuck
Common Name (eg, your name or your server's hostname) []:chuck-blog.com
Email Address []:admin@chuck-blog.com
Generate the nginx key and certificate
[root@docker CA]# cd /etc/ssl
[root@docker ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...........................+++
e is 65537 (0x10001)
[root@docker ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:chuck
Organizational Unit Name (eg, section) []:chuck
Common Name (eg, your name or your server's hostname) []:chuck-blog.com
Email Address []:admin@chuck-blog.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:chuck
Sign the certificate
[root@docker CA]# openssl ca -in /etc/ssl/nginx.csr -days 3650 -out /etc/ssl/nginx.crt
Make the system trust the signed certificate
[root@docker ssl]# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
Create the password file
[root@docker CA]# htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd chuck
New password:
Re-type new password:
Adding password for user chuck
Start nginx
[root@docker ssl]# systemctl start nginx
[root@docker nginx]# netstat -lntup|grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 54093/nginx: master
Log in with authentication and push the image tagged lastest
[root@docker nginx]# docker login -u chuck -p 123456 -e admin@chuck-blog.com chuck-blog.com
[root@docker nginx]# docker push registry.chuck.com/chuck/mynginx:lastest
Log in from the browser