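A Docker repository is where images are stored. Docker provides a registry server (Registry) that holds multiple repositories, and each repository can contain multiple images with different tags.
By default, Docker uses the public Docker Hub registry.
II. Docker Hub
Docker Hub is the public registry maintained by Docker, Inc. It can be used for free, and private repositories can also be purchased.
You can register an account at https://hub.docker.com, then read the official documentation to learn more.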
III. Setting up a local registry and how the Registry works
1. First clean up the previous experiment
[root@server8 ~]# docker image prune
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:47609cc5dc95da2f95d52e0bdfa1c2de4f3b9e66596900511ce4117c42c68d4a
deleted: sha256:4483e250ab6b9a13d650bd56b2c69b72473f4b63389e3b78e3bc395a183f0e0a
deleted: sha256:e34c9197c25176013bfb2c5a20319caee0838790599ac547a4f3d28db276414a
Total reclaimed space: 12.85MB
[root@server8 ~]# docker container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Deleted Containers:
a5c35403de51a36adcee7a74025bc2d4dc7a86ad415de6f55c1bae9933576210
Total reclaimed space: 0B
[root@server8 ~]# docker pull registry
[root@server8 ~]# docker run -d --name registry -p 5000:5000 registry #start the local registry, published on port 5000
b87d25a0bee9d58a7b74ab401aae826f343b5aeca44daa79306c4e8ff3984099
[root@server8 ~]# docker ps #check that the container is running and that port 5000 is open
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b87d25a0bee9 registry "/entrypoint.sh /etc…" about a minute ago Up about a minute 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry
[root@server8 ~]# netstat -anptl #check for :::5000
Retag the web:y1 image so that it points at the local registry:
[root@server8 ~]# docker tag web:y1 localhost:5000/webserver:latest
[root@server8 ~]# docker push localhost:5000/webserver #push
After a successful push, files also appear in the local path.
After deleting the image and loading it again, the earlier content is still there:
[root@server8 ~]# docker rmi localhost:5000/webserver:latest
[root@server8 ~]# docker tag web:y1 localhost:5000/webserver:latest
[root@server8 ~]# docker push localhost:5000/webserver:latest
2. Encryption and certificates for the local container registry (using the openssl11 version)
[root@server8 certs]# docker stop registry
registry
[root@server8 certs]# docker rm registry
registry
[root@server8 ~]# lftp 172.25.254.111
lftp 172.25.254.111:/pub/docs/docker> mirror openssl11/
[root@server8 ~]# cd openssl11/
[root@server8 openssl11]# yum install -y *
[root@server8 ~]# mkdir certs
[root@server8 ~]# vim /etc/hosts
172.25.111.8 server8 reg.westos.org
[root@server8 ~]# openssl11 req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -addext "subjectAltName = DNS:reg.westos.org" -x509 -days 365 -out certs/westos.org.crt
[root@server8 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry
[root@server8 ~]# docker ps
Tag nginx for the local reg.westos.org registry, then push the image:
docker tag nginx:latest reg.westos.org/nginx:latest
docker push reg.westos.org/nginx:latest
The push fails with an error.
Cause: the certificate cannot be obtained; it has to be placed in the designated directory.
Fix:
[root@server8 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org
[root@server8 ~]# cp /root/certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
Tag and push again:
docker push reg.westos.org/nginx:latest
The certificate cannot be obtained; create the directory manually.
This error is caused by a version that is too old (use openssl11).
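The checks behind the two failures above, as an added example that is not part of the original post: Go-based clients such as docker match the registry name against the certificate's subjectAltName rather than its CN, and they trust a self-signed certificate only when a copy sits at /etc/docker/certs.d/<registry>/ca.crt. The function names, the optional certs.d argument and the throwaway sample certificates are assumptions made for illustration, and the script expects OpenSSL 1.1.1 or later to be installed as `openssl`.

```shell
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ as `openssl`.

# san_covers_host CERT HOST: succeeds only if HOST is a DNS subjectAltName.
# Exact match (wildcards are not expanded); the CN is ignored on purpose.
san_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ', ' '\n\n' | grep -Fxq "DNS:$2"
}

# cert_fingerprint CERT: prints the certificate's SHA-256 fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# trust_copy_matches CERT COPY: succeeds if COPY is the same certificate.
trust_copy_matches() (
    a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# check_registry_cert CERT HOST [CERTS_D]: runs all checks, returns 0 if clean.
check_registry_cert() (
    cert=$1 host=$2 ca=${3:-/etc/docker/certs.d}/$2/ca.crt rc=0
    san_covers_host "$cert" "$host" \
        || { echo "FAIL: no DNS:$host in subjectAltName of $cert"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert is expired or unreadable"; rc=1; }
    trust_copy_matches "$cert" "$ca" \
        || { echo "FAIL: $ca is missing or differs from $cert"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $host"
    exit "$rc"
)

# make_sample_cert OUT HOST [with-san]: constructed throwaway test input.
make_sample_cert() (
    out=$1 host=$2 san=$3
    set -- -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$host"
    [ "$san" = with-san ] && set -- "$@" -addext "subjectAltName = DNS:$host"
    openssl req "$@" -keyout "$out.key" -out "$out" 2>/dev/null
)

# Demo on constructed certificates in a scratch directory.
demo=$(mktemp -d) && mkdir -p "$demo/certs.d/reg.westos.org"
make_sample_cert "$demo/san.crt" reg.westos.org with-san
make_sample_cert "$demo/cn.crt" reg.westos.org
cp "$demo/san.crt" "$demo/certs.d/reg.westos.org/ca.crt"
check_registry_cert "$demo/san.crt" reg.westos.org "$demo/certs.d"
check_registry_cert "$demo/cn.crt" reg.westos.org "$demo/certs.d" || true
```

On the registry host itself, `check_registry_cert /root/certs/westos.org.crt reg.westos.org` runs the same checks against the real paths used in this walkthrough.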
[root@server8 ~]# docker rm -f registry
registry
[root@server8 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server8 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Download the software:
harbor-offline-installer-v1.10.1.tgz
docker-compose-Linux-x86_64-1.27.0
[root@server8 ~]# tar -zxf harbor-offline-installer-v1.10.1.tgz
[root@server8 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server8 ~]# chmod +x /usr/local/bin/docker-compose
[root@server8 ~]# mkdir /data
[root@server8 ~]# cp /root/certs/ /data/ -r
2. Modify the configuration
[root@server8 ~]# cd harbor/
[root@server8 harbor]# vim harbor.yml
3. Install
Prerequisites: network access, and a certificate generated with the openssl11 version.
[root@server8 harbor]# ./install.sh #!!!
docker-compose ps (this command must be run from inside the harbor directory)
docker ps
4. Log in to the web page
Visit 172.25.111.8
vim /etc/docker/daemon.json
[root@server8 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.westos.org"]
}
[root@server8 docker]# systemctl reload docker.service
[root@server8 docker]# docker info
Registry Mirrors:
https://reg.westos.org/ #appears near the end of the output
Live Restore Enabled: false
[root@server8 docker]# docker pull nginx #pull
Using default tag: latest
latest: Pulling from library/nginx
Digest: sha256:765e51caa9e739220d59c7f7a75508e77361b441dccf128483b7f5cce8306652
Status: Image is up to date for nginx:latest
docker.io/library/nginx:latest
[root@server8 docker]# docker rmi nginx:latest #remove
Untagged: nginx:latest
Untagged: nginx@sha256:765e51caa9e739220d59c7f7a75508e77361b441dccf128483b7f5cce8306652
[root@server8 docker]# docker run -d --name demo nginx #pulled automatically
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
Digest: sha256:765e51caa9e739220d59c7f7a75508e77361b441dccf128483b7f5cce8306652
Status: Downloaded newer image for nginx:latest
a64c61eea31e03f0a8f04f912b11cb5e72df2db3805395d22ad0e23ca6f47b02
[root@server8 docker]# docker ps |grep demo
a64c61eea31e nginx "/docker-entrypoint.…" 2 minutes ago Up 2 minutes 80/tcp demo
6. Obtain authentication
[root@server8 ~]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server8 ~]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Retag and push:
[root@server8 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server8 ~]# docker push reg.westos.org/library/nginx:latest
Remember to refresh the page in the browser.
7. Reconfigure
[root@server8 ~]# cd harbor/
[root@server8 harbor]# docker-compose down
[root@server8 harbor]# ./prepare
[root@server8 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum ##these options are listed by --help
[root@server8 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server8 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server8 harbor]# mkdir /root/.docker/tls/reg.westos.org:4443 -p
[root@server8 harbor]# cd /root/.docker/tls/reg.westos.org:4443/
[root@server8 reg.westos.org:4443]# cp /etc/docker/certs.d/reg.westos.org/ca.crt .
The output shows that the layers already exist, and we are asked to enter the root key.
When we only change the tag, we only need to enter the repository key.
[root@server8 reg.westos.org:4443]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
65e1ea1dc98c: Layer already exists
88891187bdd7: Layer already exists
6e109f6c2f99: Layer already exists
0772cb25d5ca: Layer already exists
525950111558: Layer already exists
476baebdfbf7: Layer already exists
latest: digest: sha256:39065444eb1acb2cfdea6373ca620c921e702b0f447641af5d0e0ea1e48e5e04 size: 1570
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase will be used to protect the most sensitive key in your signing system. Please choose a long, complex passphrase and be careful to keep the password and the key file itself secure and backed up. It is highly recommended that you use a password manager to generate the passphrase and keep it safe. There will be no way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 67979dc: #root key passphrase
Repeat passphrase for new root key with ID 67979dc:
Enter passphrase for new repository key with ID 4c77fb4: ##repository key
Repeat passphrase for new repository key with ID 4c77fb4:
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest
Check in the web UI: the image has been signed successfully.
[root@server8 reg.westos.org:4443]# docker tag nginx:latest reg.westos.org/library/nginx:v1
[root@server8 reg.westos.org:4443]# docker push reg.westos.org/library/nginx:v1
The push refers to repository [reg.westos.org/library/nginx]
65e1ea1dc98c: Layer already exists
88891187bdd7: Layer already exists
6e109f6c2f99: Layer already exists
0772cb25d5ca: Layer already exists
525950111558: Layer already exists
476baebdfbf7: Layer already exists
v1: digest: sha256:39065444eb1acb2cfdea6373ca620c921e702b0f447641af5d0e0ea1e48e5e04 size: 1570
Signing and pushing trust metadata
Enter passphrase for repository key with ID 4c77fb4:
Successfully signed reg.westos.org/library/nginx:v1
export DOCKER_CONTENT_TRUST=0
After this, pulling again no longer requires entering the authentication.
To keep scanning from taking up more and more space, change the install options once more:
[root@server8 ~]# export DOCKER_CONTENT_TRUST=0
[root@server8 ~]# cd harbor/
[root@server8 harbor]# docker-compose down
[root@server8 harbor]# ./prepare
[root@server8 harbor]# ./install.sh --with-chartmuseum



