Linux Operations Guide: Docker Private Registry

tech2023-07-12  99

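Contents

I. Docker Hub public registry
II. Registry private registry
   1. Run the private registry service in a Docker container
   2. Start the private registry service
   3. Retag the image
   4. Edit the Docker configuration file
   5. Push to the private registry
III. Harbor private registry
   1. Download the docker-compose tool
   2. Download Harbor
   3. Change the Docker configuration file
   4. Start Harbor
   5. Access Harbor over HTTPS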


I. Docker Hub public registry

Docker Hub official site: https://hub.docker.com/

[root@localhost ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: gaoyufu
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost ~]# docker push centos:test

II. Registry private registry

1. Run the private registry service in a Docker container

[root@localhost ~]# docker pull registry:2
2: Pulling from library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for registry:2

2. Start the private registry service

[root@localhost ~]# docker run -itd --name registry --restart=always -p 5000:5000 -v /registry:/var/lib/registry registry:2
b94d47e57026c239509e3dea3b4b107332c450f0bc775095660f2154275f94e1

Parameter notes:

-p      Port mapping, in the form host port:port exposed by the container.
-p 80   If only one port follows -p, it is the port exposed by the container, and it is mapped to a random host port (starting from 32768…).
-P      Takes no port argument. It maps all ports exposed by the container to random host ports.
-v      Mounts a directory, in the form host directory:directory inside the container.

3. Retag the image

[root@localhost ~]# docker tag web:centos 192.168.1.10:5000/web

4. Edit the Docker configuration file

[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H unix://     // change this line to the following
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.10:5000
// 192.168.1.10 is the IP address of the server acting as the private registry
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
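The --insecure-registry flag lets the daemon skip certificate verification, or fall back to plain HTTP, for the named registry, so it helps to know which hosts still carry it. The following is an added example, not part of the original post, that lists those hosts from a dockerd unit file; the function names and the sample unit file are constructed for illustration, and registries configured in daemon.json are not covered.

```shell
# Added example: list registries that a dockerd unit file marks as insecure.
# Handles "--insecure-registry HOST", "--insecure-registry=HOST",
# repeated flags and systemd line continuations (trailing backslash).
insecure_registries() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continuations
        { line = buf $0; buf = "" }
        line !~ /^[ \t]*ExecStart=/ { next }                # skips comments too
        {
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "--insecure-registry" && i < n) {
                    print w[++i]
                } else if (w[i] ~ /^--insecure-registry=/) {
                    sub(/^--insecure-registry=/, "", w[i]); print w[i]
                }
            }
        }
    ' "$1" | sort -u
}

# Returns 0 when the unit file is clean, 1 when any registry is insecure.
audit_docker_unit() {
    found=$(insecure_registries "$1")
    if [ -z "$found" ]; then
        echo "OK: no insecure registries"
        return 0
    fi
    echo "$found" | sed 's/^/INSECURE: /'
    return 1
}

# Constructed sample input using the two flag values from this post.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
#ExecStart=/usr/bin/dockerd --insecure-registry commented.example:5000
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.10:5000 \
    --insecure-registry=192.168.1.10
EOF
}
```

On a real host, run audit_docker_unit /usr/lib/systemd/system/docker.service and treat a non-zero exit status as a finding.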

5. Push to the private registry

[root@localhost ~]# docker push 192.168.1.10:5000/web
The push refers to repository [192.168.1.10:5000/web]
d2c6afabab1c: Pushed
0086b2c72a31: Pushed
bce59d767f25: Pushed
5b20514ca564: Pushed
d080a77574aa: Pushed
9c30307b4a72: Pushed
a7b6955a7df9: Pushed
b42bd86910be: Pushed
2aa965e5fa60: Pushed
613be09ab3c0: Pushed
latest: digest: sha256:caf5eb847cc83a90e93d6490e1e0b513c0af78e269272d993a56d90830ad4c0c size: 2409
[root@localhost ~]# curl -XGET http://192.168.1.10:5000/v2/_catalog     // list the uploaded images
{"repositories":["web"]}
[root@localhost ~]# curl -XGET http://192.168.1.10:5000/v2/web/tags/list     // list the tags of the web repository

III. Harbor private registry

1. Download the docker-compose tool

[root@localhost ~]# wget https://github.com/docker/compose/releases/download/1.26.2/docker-compose-Linux-x86_64
[root@localhost ~]# mv docker-compose-Linux-x86_64 docker-compose
[root@localhost ~]# mv docker-compose /usr/local/sbin/
[root@localhost ~]# chmod +x /usr/local/sbin/docker-compose
[root@localhost ~]# docker-compose -v
docker-compose version 1.26.2, build eefe0d31
[root@localhost ~]# yum -y install yum-utils device-mapper-persistent-data lvm2

2. Download Harbor

[root@localhost ~]# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz
[root@localhost ~]# tar -zxf harbor-offline-installer-v2.0.2.tgz -C /usr/local/
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# vim harbor.yml
hostname: harbor.gyf.com     # IP address or domain name of the Harbor server
harbor_admin_password: 123456     # Harbor administrator login password
certificate: /usr/local/harbor/certs/harbor.gyf.com.crt     # certificate path
private_key: /usr/local/harbor/certs/harbor.gyf.com.key     # private key path

3. Change the Docker configuration file

[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.10
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker

4. Start Harbor

[root@localhost certs]# cd /usr/local/harbor/
[root@localhost harbor]# ./install.sh
[root@localhost harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED              STATUS                          PORTS                       NAMES
761b777135e1   goharbor/harbor-jobservice:v2.0.2    "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                                 harbor-jobservice
04cf6322d8ac   goharbor/nginx-photon:v2.0.2         "nginx -g 'daemon of…"   About a minute ago   Restarting (1) 30 seconds ago                               nginx
208ec9162ec5   goharbor/harbor-core:v2.0.2          "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                                 harbor-core
24dc3d4f2326   goharbor/registry-photon:v2.0.2      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)     5000/tcp                    registry
66511aeb434a   goharbor/harbor-registryctl:v2.0.2   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                                 registryctl
8ac92be8562a   goharbor/harbor-portal:v2.0.2        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)     8080/tcp                    harbor-portal
bc1b66eb1eac   goharbor/harbor-db:v2.0.2            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)     5432/tcp                    harbor-db
42d78c8cb4db   goharbor/redis-photon:v2.0.2         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)     6379/tcp                    redis
7b9a01a003e7   goharbor/harbor-log:v2.0.2           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)     127.0.0.1:1514->10514/tcp   harbor-log
[root@localhost ~]# docker tag httpd:latest harbor.gyf.com/test/web:v1
[root@localhost ~]# docker login -u admin -p 123456 192.168.1.10
[root@localhost ~]# docker push harbor.gyf.com/test/web:v1

The docker-compose command can manage the Harbor services. Note, however, that to use the commands below you must be in the same directory as the docker-compose.yml file.

[root@localhost harbor]# docker-compose start | stop | restart     // start | stop | restart

You can log in using either the IP address or the domain name. Default username: admin, password: 123456

5. Access Harbor over HTTPS

Replace harbor.gyf.com here with your own domain name.

1. Install the openssl certificate tool

[root@localhost ~]# yum -y install openssl

2. Create a directory to hold the certificates

[root@localhost ~]# mkdir /usr/local/harbor/certs

3. Generate an unencrypted root CA private key (make sure you are in the certificate directory)

[root@localhost ~]# cd /usr/local/harbor/certs/
[root@localhost certs]# openssl genrsa -out ca.key 4096

4. Create a self-signed certificate with the private key just generated

[root@localhost certs]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=harbor.gyf.com/OU=harbor.gyf.com/CN=harbor.gyf.com" -key ca.key -out ca.crt

5. Generate the key for the server's own domain name

[root@localhost certs]# openssl genrsa -out harbor.gyf.com.key 4096

6. Generate the CSR (certificate signing request) for the server's own domain name

[root@localhost certs]# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=harbor.gyf.com/OU=harbor.gyf.com/CN=harbor.gyf.com" -key harbor.gyf.com.key -out harbor.gyf.com.csr

7. Create the external configuration file xexternalfile.ext that the openssl command needs

[root@localhost certs]# cat > xexternalfile.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.gyf.com
EOF

8. Generate the crt from the external configuration file xexternalfile.ext and the CSR

[root@localhost certs]# openssl x509 -req -sha512 -days 3650 -extfile xexternalfile.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.gyf.com.csr -out harbor.gyf.com.crt

9. Convert the server crt to the cert used by clients

[root@localhost certs]# openssl x509 -inform PEM -in harbor.gyf.com.crt -out harbor.gyf.com.cert
[root@localhost certs]# ls
ca.crt  ca.srl               harbor.gyf.com.crt  harbor.gyf.com.key
ca.key  harbor.gyf.com.cert  harbor.gyf.com.csr  xexternalfile.ext

10. Start the service and access it

[root@localhost certs]# cd /usr/local/harbor/
[root@localhost harbor]# ./install.sh
[root@localhost ~]# mkdir -p /etc/docker/certs.d/harbor.gyf.com
[root@localhost ~]# cd /etc/docker/certs.d/harbor.gyf.com/
[root@localhost harbor.gyf.com]# cp /usr/local/harbor/certs/harbor.gyf.com.crt .
[root@localhost ~]# docker login https://harbor.gyf.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost ~]# docker push harbor.gyf.com/test/web:v1
The push refers to repository [harbor.gyf.com/test/web]
88b680b1fdfc: Pushed
843c3701e622: Pushed
3ba8a4f66ba2: Pushed
c865989f86f7: Pushed
d0f104dc0a1f: Pushed
v1: digest: sha256:fc717ed0d0b55ada05af1c1a95a2d4ee1153a5858fd65b654644a1a5add0c28b size: 1367
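A check to run on the files from steps 3 to 9 before handing them to Harbor and Docker, as an added example that is not part of the original post: it confirms that the server certificate chains to ca.crt, that the private key matches it, and that the hostname is listed in subjectAltName, which Go-based clients such as Docker use for hostname matching instead of CN. check_registry_cert and make_sample_pki are hypothetical names, and the -ext option assumes OpenSSL 1.1.1 or later.

```shell
# Added example (not from the original post).
# Usage: check_registry_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
check_registry_cert() {
    ca=$1; cert=$2; key=$3; host=$4

    # 1. The server certificate must chain to the CA that clients will trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi

    # 2. The private key must match the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the key for $cert"; return 1
    fi

    # 3. The hostname must appear as a DNS entry in subjectAltName
    #    (exact match only; wildcard entries are not expanded here).
    if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
            tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$host"; then
        echo "FAIL: $host is not listed in subjectAltName"; return 1
    fi
    echo "OK: $cert is valid for $host"
}

# Constructed throwaway PKI for trying the check: the same openssl steps as
# the post, but with 2048-bit keys and a 30-day lifetime.
make_sample_pki() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 30 -subj "/CN=sample-ca" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/CN=$host" \
        -key "$dir/$host.key" -out "$dir/$host.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/san.ext"
    openssl x509 -req -sha512 -days 30 -extfile "$dir/san.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}
```

With the files from this post, the call is check_registry_cert ca.crt harbor.gyf.com.crt harbor.gyf.com.key harbor.gyf.com, run from /usr/local/harbor/certs.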
