Setting up a private Docker registry

Docker Private Registry

Docker Registry

Many registry servers on the Internet accept third-party user registration and then let you keep your own repositories under your user name. Using a public registry has one drawback, however: pushing and pulling images is never very fast. In production it is quite possible that dozens or hundreds of containers are started in parallel, and very likely that none of the hosts has the image locally. Pulling images over the Internet in that situation causes many problems: downloads are slow, a lot of bandwidth is consumed, and if bandwidth is short the time from download to start can stretch to tens of minutes, which defeats the whole point of containers being lightweight and fast. That is why we very often need to run our own private registry.

A registry stores Docker images, including each image's layer structure and metadata. Users can run their own registry or use the official Docker Hub.

Types of Docker registries:

  • Sponsor Registry: a third-party registry for use by customers and the Docker community
  • Mirror Registry: a third-party registry available only to customers
  • Vendor Registry: a registry provided by a vendor that publishes Docker images
  • Private Registry: a registry provided by a private entity, behind a firewall and with additional security layers

In practice, if the systems you operate are hosted on a cloud provider such as Alibaba Cloud, using that provider's registry is the best choice. Often our production environment is not local but hosted in a data center; if we deploy the registry on a host in that same data center, everything is on the same LAN, data moves over the internal network, and efficiency improves enormously.

By default every registry works over HTTPS; that is a basic requirement of Docker. A self-built registry, however, will very likely run over plain HTTP, and Docker refuses to use an HTTP registry by default unless it is told explicitly that this particular registry is meant to be used over HTTP.

Docker Private Registry

To help us create a private registry quickly, Docker provides a dedicated package called Docker Distribution; installing it lets us build a private repository in short order.

Q: Since Docker exists to run programs, can Docker Distribution itself run in a container?

In the container era every program should run in a container, except the kernel and init. To make private registries easy, Docker Hub publishes the registry itself as an image; we can pull it and start it as a container to get a private registry right away.

The registry's main job is to host images. When the registry runs in a container, the container's own filesystem is deleted when the container ends its life and is removed, so if clients have uploaded many images and the registry container is then stopped and removed, all of those images vanish. The images should therefore live on a storage volume, and that volume should preferably not sit on the Docker host's local disk but on network shared storage such as NFS. Note that the volume the image defines for itself is still a Docker-managed volume on the local host; we can manually change it to a volume backed by another filesystem.

That is one simple way to run a registry in a container. The other way to self-host a registry is to install the docker-distribution package directly.

Self-hosting a registry with docker-distribution
Self-hosting a registry on a virtual machine

[root@localhost ~]# yum install -y  http://mirror.centos.org/centos/7/extras/x86_64/Packages/docker-distribution-2.6.2-2.git48294d9.el7.x86_64.rpm
Last metadata expiration check: 1 day, 1:02:46 ago on Wed 10 Aug 2022 02:52:10 PM CST.
docker-distribution-2.6.2-2.git48294d9.el7.x86_64.rpm                                                       7.2 kB/s | 3.5 MB     08:19
Dependencies resolved.
============================================================================================================================================
 Package                              Architecture            Version                                   Repository                     Size
============================================================================================================================================
Installing:
 docker-distribution                  x86_64                  2.6.2-2.git48294d9.el7                    @commandline                  3.5 M

Transaction Summary
============================================================================================================================================
Install  1 Package

Total size: 3.5 M
Installed size: 12 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                    1/1
  Running scriptlet: docker-distribution-2.6.2-2.git48294d9.el7.x86_64                                                                  1/1
  Installing       : docker-distribution-2.6.2-2.git48294d9.el7.x86_64                                                                  1/1
  Running scriptlet: docker-distribution-2.6.2-2.git48294d9.el7.x86_64                                                                  1/1
  Verifying        : docker-distribution-2.6.2-2.git48294d9.el7.x86_64                                                                  1/1

Installed:
  docker-distribution-2.6.2-2.git48294d9.el7.x86_64

Complete!
[root@localhost ~]#
[root@localhost ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry    # change this to a directory on a partition with plenty of space
http:
    addr: :5000


[root@localhost ~]# systemctl start docker-distribution
[root@localhost ~]# ss -antl
State           Recv-Q          Send-Q                   Local Address:Port                     Peer Address:Port          Process
LISTEN          0               128                          127.0.0.1:6010                          0.0.0.0:*
LISTEN          0               128                            0.0.0.0:111                           0.0.0.0:*
LISTEN          0               128                            0.0.0.0:22                            0.0.0.0:*
LISTEN          0               5                            127.0.0.1:631                           0.0.0.0:*
LISTEN          0               128                              [::1]:6010                             [::]:*
LISTEN          0               128                                  *:2375                                *:*
LISTEN          0               128                                  *:5000                                *:*
LISTEN          0               128                               [::]:111                              [::]:*
LISTEN          0               128                               [::]:22                               [::]:*
LISTEN          0               5                                [::1]:631                              [::]:*
[root@localhost ~]#

Pushing images to the self-hosted registry from the virtual machine

# use the insecure-registries option to allow plain HTTP (the note after the insecure-registries line below is an annotation; JSON allows no comments, so do not put it in the file)
[root@localhost ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://urcxei73.mirror.aliyuncs.com"],
  "bip": "192.168.1.5/24",
  "insecure-registries": ["192.168.181.159:5000"]    # add this line; a hostname or an IP address both work
}
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
busybox      latest    beae173ccac6   7 months ago    1.24MB
nginx        latest    605c77e624dd   7 months ago    141MB
httpd        latest    dabbfbe0c57b   7 months ago    144MB
centos       latest    5d0da3dc9764   10 months ago   231MB



[root@localhost ~]# docker tag busybox:latest 192.168.181.159:5000/busybox:latest
[root@localhost ~]# docker images
REPOSITORY                     TAG       IMAGE ID       CREATED         SIZE
busybox                        latest    beae173ccac6   7 months ago    1.24MB
192.168.181.159:5000/busybox   latest    beae173ccac6   7 months ago    1.24MB
nginx                          latest    605c77e624dd   7 months ago    141MB
httpd                          latest    dabbfbe0c57b   7 months ago    144MB
centos                         latest    5d0da3dc9764   10 months ago   231MB
[root@localhost ~]# docker push  192.168.181.159:5000/busybox
Using default tag: latest
The push refers to repository [192.168.181.159:5000/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
[root@localhost ~]# docker rmi 192.168.181.159:5000/busybox
Untagged: 192.168.181.159:5000/busybox:latest
Untagged: 192.168.181.159:5000/busybox@sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
[root@localhost ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
busybox      latest    beae173ccac6   7 months ago    1.24MB
nginx        latest    605c77e624dd   7 months ago    141MB
httpd        latest    dabbfbe0c57b   7 months ago    144MB
centos       latest    5d0da3dc9764   10 months ago   231MB
[root@localhost ~]# docker pull  192.168.181.159:5000/busybox
Using default tag: latest
latest: Pulling from busybox
Digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Status: Downloaded newer image for 192.168.181.159:5000/busybox:latest
192.168.181.159:5000/busybox:latest
[root@localhost ~]# docker images
REPOSITORY                     TAG       IMAGE ID       CREATED         SIZE
192.168.181.159:5000/busybox   latest    beae173ccac6   7 months ago    1.24MB
busybox                        latest    beae173ccac6   7 months ago    1.24MB
nginx                          latest    605c77e624dd   7 months ago    141MB
httpd                          latest    dabbfbe0c57b   7 months ago    144MB
centos                         latest    5d0da3dc9764   10 months ago   231MB
[root@localhost ~]# curl 192.168.181.159:5000/v2/_catalog
{"repositories":["busybox"]}
[root@localhost ~]# systemctl stop docker-distribution.service
[root@localhost ~]# ss -antl
State           Recv-Q          Send-Q                   Local Address:Port                     Peer Address:Port          Process
LISTEN          0               32                       192.168.122.1:53                            0.0.0.0:*
LISTEN          0               128                            0.0.0.0:22                            0.0.0.0:*
LISTEN          0               5                            127.0.0.1:631                           0.0.0.0:*
LISTEN          0               128                          127.0.0.1:6010                          0.0.0.0:*
LISTEN          0               128                            0.0.0.0:111                           0.0.0.0:*
LISTEN          0               128                               [::]:22                               [::]:*
LISTEN          0               5                                [::1]:631                              [::]:*
LISTEN          0               128                              [::1]:6010                             [::]:*
LISTEN          0               128                                  *:2375                                *:*
LISTEN          0               128                               [::]:111                              [::]:*
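The insecure-registries entry above is the switch the page describes earlier for letting dockerd talk plain HTTP to a registry. As an added check, not part of the original post, this Python script audits a daemon.json and flags entries that point outside private address space or whitelist a whole network instead of one host; the sample JSON is constructed from the page's file with two extra entries, and the script assumes IPv4 hosts.

```python
"""Audit the insecure-registries list in /etc/docker/daemon.json (added example).

Every entry here allows unauthenticated, unencrypted pushes and pulls, so each
one should at least name a single host on loopback or an RFC 1918 network.
Assumption: IPv4 entries; bracketed IPv6 literals are reported as 'public'.
"""
import ipaddress
import json
import socket

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_entry(entry):
    """Return (host, port) for 'host', 'host:port' or 'cidr' entries."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, None


def classify(entry, resolve=socket.gethostbyname):
    """Verdict for one entry: 'ok' (single private host), 'broad' (private CIDR),
    or 'public' (routable address, unresolvable name, or non-private CIDR)."""
    host, _port = split_entry(entry)
    if "/" in host:                                  # dockerd also accepts CIDR entries
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            return "public"
        inside = any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)
        return "broad" if inside else "public"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                               # a hostname: resolve it if we can
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (socket.gaierror, OSError, ValueError):
            return "public"
    return "ok" if any(addr in p for p in PRIVATE_NETS) else "public"


def audit(daemon_json_text, resolve=socket.gethostbyname):
    """Parse daemon.json text and map each insecure-registries entry to its verdict."""
    conf = json.loads(daemon_json_text)
    return {e: classify(e, resolve) for e in conf.get("insecure-registries", [])}


# Constructed sample: the page's daemon.json plus a whole-network entry and a
# public (TEST-NET-3) address, so every verdict appears once.
SAMPLE_DAEMON_JSON = """{
  "registry-mirrors": ["https://urcxei73.mirror.aliyuncs.com"],
  "bip": "192.168.1.5/24",
  "insecure-registries": ["192.168.181.159:5000", "192.168.0.0/16", "203.0.113.7:5000"]
}"""

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_DAEMON_JSON).items():
        print(f"{verdict:7} {entry}")
```

Unrelated to this file but visible in the ss output above: *:2375 is dockerd's remote API listening without TLS on every interface, and anyone who can reach it controls the host, so it should be bound to loopback or protected with TLS client certificates.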


Self-hosting a registry with the official image

# the registry:2 image keeps its data under /var/lib/registry; mount the host directory there so pushed images outlive the container
[root@localhost ~]#  docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry
af5a2153a37ebd1d2b422c05541163522f416421928b719e378af4f6fcc0f103
[root@localhost ~]# ss -antl
State           Recv-Q          Send-Q                   Local Address:Port                     Peer Address:Port          Process
LISTEN          0               32                       192.168.122.1:53                            0.0.0.0:*
LISTEN          0               128                            0.0.0.0:22                            0.0.0.0:*
LISTEN          0               5                            127.0.0.1:631                           0.0.0.0:*
LISTEN          0               128                          127.0.0.1:6010                          0.0.0.0:*
LISTEN          0               128                            0.0.0.0:5000                          0.0.0.0:*
LISTEN          0               128                            0.0.0.0:111                           0.0.0.0:*
LISTEN          0               128                               [::]:22                               [::]:*
LISTEN          0               5                                [::1]:631                              [::]:*
LISTEN          0               128                              [::1]:6010                             [::]:*
LISTEN          0               128                                  *:2375                                *:*
LISTEN          0               128                               [::]:5000                             [::]:*
LISTEN          0               128                               [::]:111    
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                                       NAMES
af5a2153a37e   registry   "/entrypoint.sh /etc…"   3 minutes ago   Up 3 minutes   0.0.0.0:5000->5000/tcp, 


[root@localhost ~]# docker tag busybox:latest 192.168.181.159:5000/runtime:v1
[root@localhost ~]# docker push 192.168.181.159:5000/runtime:v1
The push refers to repository [192.168.181.159:5000/runtime]
01fd6df81c8e: Pushed
v1: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
[root@localhost ~]# curl http://192.168.181.159:5000/v2/_catalog
{"repositories":["runtime"]}
[root@localhost ~]# curl http://192.168.181.159:5000/v2/runtime/tags/list
{"name":"runtime","tags":["v1"]}
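The curl calls above walk the Registry v2 API by hand. As an added example, not part of the original post, this Python script walks the same /v2/_catalog and /v2/<name>/tags/list endpoints, then fetches each tag's manifest and checks that the Docker-Content-Digest header really is the SHA-256 of the bytes served, which on a plain-HTTP registry is the only integrity check the client gets; it assumes an unauthenticated registry like the one on this page, and the inline sample responses are constructed from the page's output.

```python
"""Inventory a Registry v2 API endpoint and verify the digests it reports (added example)."""
import hashlib
import json
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

# Constructed samples, copied from the responses shown on this page.
SAMPLE_CATALOG = b'{"repositories":["busybox"]}'
SAMPLE_TAGS = b'{"name":"runtime","tags":["v1"]}'


def parse_catalog(body):
    """Repository names from a /v2/_catalog response body."""
    return list(json.loads(body)["repositories"])


def parse_tags(body):
    """Tag names from a /v2/<name>/tags/list body ('tags' is null for an empty repo)."""
    return list(json.loads(body).get("tags") or [])


def manifest_digest(manifest_bytes):
    """Content-addressable digest of a schema2 manifest, as the registry computes it."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def digest_matches(manifest_bytes, claimed):
    """True only if the registry's claimed digest equals the hash of the bytes it served."""
    return claimed is not None and manifest_digest(manifest_bytes) == claimed


def _get(url, accept=None):
    req = urllib.request.Request(url, headers={"Accept": accept} if accept else {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read(), resp.headers


def inventory(registry):
    """Return {repo: {tag: (claimed_digest, verified)}} for every image on the registry."""
    base = registry if "://" in registry else "http://" + registry
    result = {}
    body, _ = _get(f"{base}/v2/_catalog")
    for repo in parse_catalog(body):
        tags, _ = _get(f"{base}/v2/{repo}/tags/list")
        result[repo] = {}
        for tag in parse_tags(tags):
            # Asking for schema2 keeps the digest a plain hash of the returned bytes.
            manifest, headers = _get(f"{base}/v2/{repo}/manifests/{tag}", MANIFEST_V2)
            claimed = headers.get("Docker-Content-Digest")
            result[repo][tag] = (claimed, digest_matches(manifest, claimed))
    return result


if __name__ == "__main__":
    import sys
    # Usage: python registry_inventory.py 192.168.181.159:5000
    for repo, tags in inventory(sys.argv[1]).items():
        for tag, (digest, ok) in tags.items():
            print(f"{repo}:{tag}  {digest}  {'verified' if ok else 'MISMATCH'}")
```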
    

Harbor
Whether you self-host with docker-distribution or by running the official image as a container, the preceding demonstrations show that the result is very bare-bones, less convenient than simply managing images on the official Docker Hub. Docker Hub at least offers a web UI for managing and searching images, and it can build images automatically from a Dockerfile through Webhooks and Automated Builds: instead of running docker build locally, the user pushes the whole build context as a repository to GitHub, and Docker Hub pulls those files and performs the build.

But however powerful the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck, and in many cases using the official registry is simply not an option. The two self-hosting methods above, on the other hand, are very primitive and hard to manage. This is why a project favored by the CNCF appeared, named Harbor.

Introduction to Harbor

Harbor was built by VMware as a second layer on top of Docker Registry, adding many extra components and providing a very attractive web UI.

Project Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.

Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management.

Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.

Harbor features

Features:

  • Multi-tenant content signing and validation
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently English and Chinese)

Docker compose

Deploying Harbor directly on a physical host is very hard, so to simplify things the Harbor project packages Harbor as an application that runs in containers. Those containers depend on several storage systems such as Redis, MySQL and PostgreSQL, so many containers must be orchestrated to work together; deploying and using VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose.

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration.
Docker Compose official documentation

Deploying Harbor

Harbor official documentation

# download the installer packages
[root@docker ~]# curl -SL https://github.com/docker/compose/releases/download/v2.7.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
[root@docker ~]# cd /usr/local/bin/
[root@docker bin]# ls
docker-compose
[root@docker bin]# chmod +x docker-compose 
[root@docker ~]# wget https://github.com/goharbor/harbor/releases/download/v2.4.3/harbor-offline-installer-v2.4.3.tgz
[root@localhost ~]# ls
anaconda-ks.cfg  harbor-offline-installer-v2.4.3.tgz  initial-setup-ks.cfg
[root@localhost ~]#

[root@docker ~]# tar xf harbor-offline-installer-v2.4.3.tgz -C /usr/local/
[root@docker ~]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
[root@docker ~]# cd /usr/local/harbor/
[root@docker harbor]# ls
common.sh  harbor.v2.4.3.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
[root@docker harbor]# cp harbor.yml.tmpl harbor.yml
[root@docker harbor]# vim harbor.yml
hostname: 192.168.181.159

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

[root@docker harbor]# cd /etc/docker/
[root@docker docker]# ls
daemon.json  key.json
[root@docker docker]# vim daemon.json 
{
  "registry-mirrors": ["https://glvnpwyn.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.181.159"]
}
[root@docker docker]# systemctl daemon-reload 
[root@docker docker]# systemctl restart docker.service 
[root@docker harbor]# ./install.sh 
✔ ----Harbor has been installed and started successfully.----


[root@localhost ~]# ss -antl
State      Recv-Q      Send-Q           Local Address:Port           Peer Address:Port     Process
LISTEN     0           128                    0.0.0.0:80                  0.0.0.0:*
LISTEN     0           32               192.168.122.1:53                  0.0.0.0:*
LISTEN     0           128                    0.0.0.0:22                  0.0.0.0:*
LISTEN     0           5                    127.0.0.1:631                 0.0.0.0:*
LISTEN     0           128                  127.0.0.1:6010                0.0.0.0:*
LISTEN     0           128                  127.0.0.1:1514                0.0.0.0:*
LISTEN     0           128                    0.0.0.0:111                 0.0.0.0:*
LISTEN     0           128                       [::]:80                     [::]:*
LISTEN     0           128                       [::]:22                     [::]:*
LISTEN     0           5                        [::1]:631                    [::]:*
LISTEN     0           128                      [::1]:6010                   [::]:*
LISTEN     0           128                       [::]:111                    [::]:*

[root@docker harbor]# vim siyouku.sh  // this script is invoked from /etc/rc.d/rc.local
#!/bin/bash
cd /usr/local/harbor
/usr/local/bin/docker-compose stop
/usr/local/bin/docker-compose start
[root@docker ~]# vim /etc/rc.d/rc.local 
/bin/bash  /usr/local/harbor/siyouku.sh
[root@docker ~]# chmod +x /etc/rc.d/rc.local 


Testing
[root@docker harbor]# docker ps -a   
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                   NAMES
3e31d30d24f7   goharbor/harbor-jobservice:v2.4.3    "/harbor/entrypoint.…"   5 minutes ago   Up 35 seconds (healthy)                                           harbor-jobservice
bf766f4298f3   goharbor/nginx-photon:v2.4.3         "nginx -g 'daemon of…"   5 minutes ago   Up 35 seconds (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
826625096c9c   goharbor/harbor-core:v2.4.3          "/harbor/entrypoint.…"   5 minutes ago   Up 36 seconds (healthy)                                           harbor-core
daae5a69f09a   goharbor/harbor-db:v2.4.3            "/docker-entrypoint.…"   5 minutes ago   Up 36 seconds (healthy)                                           harbor-db
a639d404ae18   goharbor/harbor-portal:v2.4.3        "nginx -g 'daemon of…"   5 minutes ago   Up 36 seconds (healthy)                                           harbor-portal
d8cb0a14b630   goharbor/redis-photon:v2.4.3         "redis-server /etc/r…"   5 minutes ago   Up 36 seconds (healthy)                                           redis
bdeecc2e295c   goharbor/registry-photon:v2.4.3      "/home/harbor/entryp…"   5 minutes ago   Up 36 seconds (healthy)                                           registry
c86ebe83512d   goharbor/harbor-registryctl:v2.4.3   "/home/harbor/start.…"   5 minutes ago   Up 36 seconds (healthy)                                           registryctl
c951960ee86d   goharbor/harbor-log:v2.4.3           "/bin/sh -c /usr/loc…"   5 minutes ago   Up 38 seconds (healthy)   127.0.0.1:1514->10514/tcp               harbor-log
[root@docker harbor]# reboot 
[root@docker ~]# docker ps -a   // test succeeded
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                   NAMES
3e31d30d24f7   goharbor/harbor-jobservice:v2.4.3    "/harbor/entrypoint.…"   5 minutes ago   Up 35 seconds (healthy)                                           harbor-jobservice
bf766f4298f3   goharbor/nginx-photon:v2.4.3         "nginx -g 'daemon of…"   5 minutes ago   Up 35 seconds (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
826625096c9c   goharbor/harbor-core:v2.4.3          "/harbor/entrypoint.…"   5 minutes ago   Up 36 seconds (healthy)                                           harbor-core
daae5a69f09a   goharbor/harbor-db:v2.4.3            "/docker-entrypoint.…"   5 minutes ago   Up 36 seconds (healthy)                                           harbor-db
a639d404ae18   goharbor/harbor-portal:v2.4.3        "nginx -g 'daemon of…"   5 minutes ago   Up 36 seconds (healthy)                                           harbor-portal
d8cb0a14b630   goharbor/redis-photon:v2.4.3         "redis-server /etc/r…"   5 minutes ago   Up 36 seconds (healthy)                                           redis
bdeecc2e295c   goharbor/registry-photon:v2.4.3      "/home/harbor/entryp…"   5 minutes ago   Up 36 seconds (healthy)                                           registry
c86ebe83512d   goharbor/harbor-registryctl:v2.4.3   "/home/harbor/start.…"   5 minutes ago   Up 36 seconds (healthy)                                           registryctl
c951960ee86d   goharbor/harbor-log:v2.4.3           "/bin/sh -c /usr/loc…"   5 minutes ago   Up 38 seconds (healthy)   127.0.0.1:1514->10514/tcp               harbor-log

Log in to the Harbor management UI by IP address; the default credentials are "admin" / "Harbor12345" (change this default after the first login).
