Building a private registry (Docker Hub) with Harbor management


1 Docker Hub

#Docker Hub is used for source-code management integration and for build and test tooling that shortens the deployment cycle from days to minutes; Docker claims it has allowed users to speed up application delivery.

#Upgrades to the architecture and technology stack were necessary to cope with the large-scale and unpredictable adoption of Docker Hub.

#As developers rapidly adopt Docker containers, IT administrators are speeding up their introduction into enterprise production environments. Besides management and configuration tools, orchestration and scheduling software is also needed.

#Some intranet environments need Docker Hub but cannot reach it; in that case you build an internal Docker Hub. The official docker-registry tool can be used to build a private image registry and is simple to set up.

2 Environment preparation

[root@dockerhub250 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@dockerhub250 ~]# ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.2.250  netmask 255.255.255.0  broadcast 172.16.2.255

2.1 Installing Docker

#Install some required system tools

yum install -y yum-utils device-mapper-persistent-data lvm2

#Add the repository information

yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast

#List the available docker versions

yum list docker-ce.x86_64 --showduplicates | sort -r

#Install docker-ce; a specific version from the list above can also be installed

yum -y install docker-ce

#Enable and start the Docker service

systemctl enable docker
systemctl start docker

2.2 Docker registry mirror

#Add the mirror configuration; Alibaba Cloud's mirror is used here
#vim /etc/docker/daemon.json

{"registry-mirrors": ["https://registry.cn-hangzhou.aliyuncs.com"]}

#Reload the unit files, restart docker and check that the setting took effect

systemctl daemon-reload
systemctl restart docker
docker info

3 Building the private registry

3.1 Looking up the registry image

[root@dockerhub250 ~]# docker search registry
NAME                                 DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
registry                             The Docker Registry 2.0 implementation for s…   3062                [OK]
distribution/registry                WARNING: NOT the registry official image!!! …   57                                      [OK]
stefanscherer/registry-windows       Containerized docker registry for Windows Se…   32
budry/registry-arm                   Docker registry build for Raspberry PI 2 and…   18
deis/registry                        Docker image registry for the Deis open sour…   12
jc21/registry-ui                     A nice web interface for managing your Docke…   12
anoxis/registry-cli                  You can list and delete tags from your priva…   10                                      [OK]
sixeyed/registry                     Docker Registry 2.6.0 running on Windows - N…   10
pallet/registry-swift                Add swift storage support to the official do…   4                                       [OK]
allingeek/registry                   A specialization of registry:2 configured fo…   4                                       [OK]
arm32v6/registry                     The Docker Registry 2.0 implementation for s…   3
goharbor/registry-photon                                                             2
conjurinc/registry-oauth-server      Docker registry authn/authz server backed by…   1
concourse/registry-image-resource                                                    1
ibmcom/registry                      Docker Image for IBM Cloud private-CE (Commu…   1
metadata/registry                    Metadata Registry is a tool which helps you …   1                                       [OK]
webhippie/registry                   Docker images for Registry                      1                                       [OK]
kontena/registry                     Kontena Registry                                0
gisjedi/registry-proxy               Reverse proxy of registry mirror image gisje…   0
dwpdigital/registry-image-resource   Concourse resource type                         0
lorieri/registry-ceph                Ceph Rados Gateway (and any other S3 compati…   0
convox/registry                                                                      0
digillect/registry-cleaner           Tool to remove unused images from Docker reg…   0                                       [OK]
pivnet/registry-gcloud-image                                                         0
upmcenterprises/registry-creds

3.2 Installing registry

[root@dockerhub250 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
[root@dockerhub250 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            latest              2d4f4b5309b1        2 months ago        26.2MB

#Create a local directory to bind-mount into the container, so that the data survives a container crash and a new container can take over at any time

mkdir -p /data/dockerhub

#Start registry

docker run -d -v /data/dockerhub:/var/lib/registry -p 5000:5000 --restart=always --name dockerhub-registry2.0 registry

#Open http://172.16.1.250:5000/v2; if you get the following response, the registry is working

[root@dockerhub250 ~]# curl http://172.16.1.250:5000/v2/
{}


3.3 Pushing an image to the private registry

[root@dockerhub250 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              4bb46517cac3        8 days ago          133MB
registry            latest              2d4f4b5309b1        2 months ago        26.2MB
#Tag the docker image that will be pushed to the private registry
[root@dockerhub250 ~]# docker tag nginx:latest 172.16.1.250:5000/nginx:latest
[root@dockerhub250 ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
nginx                     latest              4bb46517cac3        8 days ago          133MB
172.16.1.250:5000/nginx   latest              4bb46517cac3        8 days ago          133MB
registry                  latest              2d4f4b5309b1        2 months ago        26.2MB
#Push the nginx image to the private registry with docker push
[root@dockerhub250 ~]# docker push 172.16.1.250:5000/nginx:latest
The push refers to repository [172.16.1.250:5000/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362
#Check that the upload succeeded
[root@dockerhub250 ~]# curl http://127.0.0.1:5000/v2/_catalog
{"repositories":["nginx"]}
#View the image's tag information
[root@dockerhub250 ~]# curl http://172.16.1.250:5000/v2/nginx/tags/list
{"name":"nginx","tags":["latest"]}
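
The same checks as the curl commands above, as an added Python client that is not part of the original post: it pings /v2/, lists repositories and tags, and reads each manifest's digest from the Docker-Content-Digest header so it can be compared with the digest docker push printed. It assumes the unauthenticated registry configured above; the SAMPLE responses are constructed from the curl output so the script can be dry-run offline.

```python
import json
import sys
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

def http_get(url, headers=None):
    # Default transport: returns (status, lower-cased headers, body text).
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()

class RegistryV2:
    """Minimal Registry v2 API client for the curl checks above (unauthenticated registry)."""
    def __init__(self, base_url, fetch=http_get):
        self.base = base_url.rstrip("/")
        self.fetch = fetch  # injectable so the checks can run offline

    def ping(self):
        status, _, body = self.fetch(self.base + "/v2/")
        return status == 200 and json.loads(body) == {}
    def repositories(self):
        return json.loads(self.fetch(self.base + "/v2/_catalog")[2])["repositories"]
    def tags(self, repo):
        return json.loads(self.fetch(self.base + "/v2/%s/tags/list" % repo)[2])["tags"] or []

    def digest(self, repo, tag):
        # Ask for the schema-2 manifest docker push produced; the registry reports
        # its sha256 digest in the Docker-Content-Digest header.
        url = self.base + "/v2/%s/manifests/%s" % (repo, tag)
        return self.fetch(url, {"Accept": MANIFEST_V2})[1].get("docker-content-digest")

def inventory(client):
    """Map every repo:tag in the registry to its manifest digest."""
    return {"%s:%s" % (r, t): client.digest(r, t) for r in client.repositories() for t in client.tags(r)}

# Constructed responses mirroring the curl output above, for an offline dry run.
PUSHED = "sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c"
SAMPLE = {"/v2/": (200, {}, "{}"),
          "/v2/_catalog": (200, {}, '{"repositories":["nginx"]}'),
          "/v2/nginx/tags/list": (200, {}, '{"name":"nginx","tags":["latest"]}'),
          "/v2/nginx/manifests/latest": (200, {"docker-content-digest": PUSHED}, "")}

def sample_fetch(url, headers=None):
    return SAMPLE[url[url.index("/v2/"):]]

if __name__ == "__main__":  # python registry_check.py http://172.16.1.250:5000 ; no argument = dry run
    client = RegistryV2(sys.argv[1]) if len(sys.argv) > 1 else RegistryV2("http://registry", sample_fetch)
    print("ping ok:", client.ping())
    for ref, dgst in sorted(inventory(client).items()):
        print(ref, dgst)
```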

#Verify that the image can be pulled from another intranet machine

[root@k8snode172 ~]# docker pull 172.16.1.250:5000/nginx
Using default tag: latest
latest: Pulling from nginx
bf5952930446: Pull complete
cb9a6de05e5a: Pull complete
9513ea0afb93: Pull complete
b49ea07d2e93: Pull complete
a5e4a503d449: Pull complete
Digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c
Status: Downloaded newer image for 172.16.1.250:5000/nginx:latest
172.16.1.250:5000/nginx:latest
[root@k8snode172 ~]# docker images
REPOSITORY                                  TAG                 IMAGE ID            CREATED             SIZE
172.16.1.250:5000/nginx                     latest              4bb46517cac3        8 days ago          133MB

4 harbor

Harbor project GitHub page

#As an enterprise-grade private Registry server, Harbor provides better performance and security, and improves the efficiency of using a Registry to move images between build and runtime environments. Harbor supports replicating image resources across multiple Registry nodes; all images are kept in the private Registry, so data and intellectual property stay under control on the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.

#Role-based access control - users and Docker image repositories are organised through "projects"; a user can have different permissions on several image repositories within the same namespace (project).

  1. Image replication - images can be replicated (synchronised) across multiple Registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
  2. Graphical user interface - users can browse and search the Docker image repositories and manage projects and namespaces from a browser.
  3. AD/LDAP support - Harbor can integrate with an existing enterprise AD/LDAP for authentication.
  4. Audit management - every operation on the image repositories can be recorded and traced for auditing.
  5. Internationalisation - English, Chinese, German, Japanese and Russian localisations exist, with more languages to come.
  6. RESTful API - the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
  7. Simple deployment - online and offline installers are provided, and Harbor can also be installed as a virtual appliance (OVA) on vSphere.

4.1 Downloading and installing Harbor

#Harbor has basic requirements: docker 17.06.0-ce+, golang 1.12.0+ and docker-compose 1.18.0+

[root@dockerhub250 ~]# yum install golang docker-ce docker-compose
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * elrepo: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Package golang-1.13.14-1.el7.x86_64 already installed and latest version
Package 3:docker-ce-19.03.12-3.el7.x86_64 already installed and latest version
Package docker-compose-1.18.0-4.el7.noarch already installed and latest version

#The latest Harbor offline installer package is used here

#Download
[root@dockerhub250 ~]# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz
#Extract
[root@dockerhub250 ~]# tar zxvf harbor-offline-installer-v2.0.2.tgz

#Harbor serves HTTP by default, but that only covers the web UI; image push and pull go over HTTPS by default, so HTTPS has to be configured

#Generate the CA private key and self-signed CA certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
#Generate the server key and certificate signing request (for access by domain name, set the Common Name to the domain name):
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.kkcai.vip.key -out harbor.kkcai.vip.csr
#Sign the request with the CA to produce the server certificate
openssl x509 -req -days 365 -in harbor.kkcai.vip.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.kkcai.vip.crt
[root@dockerhub250 harbor]# ll
total 535264
-rw-r--r-- 1 root root      2045 Aug 22 15:32 ca.crt
-rw-r--r-- 1 root root      3272 Aug 22 15:32 ca.key
-rw-r--r-- 1 root root        17 Aug 22 15:36 ca.srl
-rw-r--r-- 1 root root      3361 Jul 28 17:47 common.sh
-rw-r--r-- 1 root root      1948 Aug 22 15:36 harbor.kkcai.vip.crt
-rw-r--r-- 1 root root      1797 Aug 22 15:34 harbor.kkcai.vip.csr
-rw-r--r-- 1 root root      3272 Aug 22 15:34 harbor.kkcai.vip.key
-rw-r--r-- 1 root root 548041010 Jul 28 17:47 harbor.v2.0.2.tar.gz
-rw-r--r-- 1 root root      7829 Aug 22 12:00 harbor.yml
-rw-r--r-- 1 root root      7828 Jul 28 17:47 harbor.yml.tmpl
-rwxr-xr-x 1 root root      2523 Jul 28 17:47 install.sh
-rw-r--r-- 1 root root     11347 Jul 28 17:47 LICENSE
-rwxr-xr-x 1 root root      1856 Jul 28 17:47 prepare
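
An added variant of the three openssl steps above (my code, not from the original post) that puts the hostname into a subjectAltName as well as the CN: Docker clients built with Go 1.15 or later reject certificates that carry only a CN, so the CN-only certificate generated above works with the docker 19.03 used here but not with newer releases. It assumes openssl is on PATH and uses a hypothetical extension file name v3.ext; check_server_cert then confirms that ca.crt verifies the result and lists the SAN entries.

```python
import os
import subprocess

def _openssl(args, cwd):
    # Run one openssl command inside cwd; raise if it fails.
    return subprocess.run(["openssl"] + args, cwd=cwd, check=True, capture_output=True, text=True)

def make_harbor_certs(workdir, hostname, ip=None, days=365, bits=4096):
    """Create ca.key/ca.crt and <hostname>.key/.csr/.crt in workdir.

    Same three steps as the manual commands, but the server certificate is
    signed with an extension file (v3.ext, hypothetical name) carrying a SAN.
    """
    san = "DNS:" + hostname + (",IP:" + ip if ip else "")
    with open(os.path.join(workdir, "v3.ext"), "w") as f:
        f.write("subjectAltName=%s\nextendedKeyUsage=serverAuth\n" % san)
    rsa = "rsa:%d" % bits
    # 1. CA key and self-signed CA certificate
    _openssl(["req", "-x509", "-newkey", rsa, "-nodes", "-sha256", "-days", str(days),
              "-subj", "/CN=Harbor Root CA", "-keyout", "ca.key", "-out", "ca.crt"], workdir)
    # 2. server key and CSR; the CN is still the hostname for older clients
    _openssl(["req", "-newkey", rsa, "-nodes", "-sha256", "-subj", "/CN=" + hostname,
              "-keyout", hostname + ".key", "-out", hostname + ".csr"], workdir)
    # 3. sign the CSR with the CA, adding the SAN from v3.ext
    _openssl(["x509", "-req", "-days", str(days), "-in", hostname + ".csr",
              "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
              "-extfile", "v3.ext", "-out", hostname + ".crt"], workdir)
    return os.path.join(workdir, hostname + ".crt")

def check_server_cert(workdir, cert_path):
    """Return (chain_ok, san_entries): does ca.crt verify the cert, and which SANs does it carry?"""
    chain = subprocess.run(["openssl", "verify", "-CAfile", "ca.crt", cert_path],
                           cwd=workdir, capture_output=True, text=True)
    text = _openssl(["x509", "-in", cert_path, "-noout", "-text"], workdir).stdout
    sans = [tok.strip() for line in text.splitlines()
            if "DNS:" in line or "IP Address:" in line for tok in line.split(",")]
    return chain.returncode == 0, sans

if __name__ == "__main__":
    crt = make_harbor_certs(".", "harbor.kkcai.vip", ip="172.16.1.250")
    print(check_server_cert(".", crt))
```

The resulting .crt and .key go into /etc/cert/harbor exactly as in the next step, and ca.crt is what the docker clients get under /etc/docker/certs.d.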

#Install the certificates

[root@dockerhub250 harbor]# mkdir -p /etc/cert/harbor
[root@dockerhub250 harbor]# cp harbor.kkcai.vip.crt harbor.kkcai.vip.key /etc/cert/harbor
[root@dockerhub250 harbor]# ll /etc/cert/harbor/
total 8
-rw-r--r-- 1 root root 1948 Aug 22 15:38 harbor.kkcai.vip.crt
-rw-r--r-- 1 root root 3272 Aug 22 15:38 harbor.kkcai.vip.key

#Because I run a DNS server on my intranet, I did not edit hosts; if you have no intranet DNS, edit /etc/hosts and add an entry mapping the domain name to the IP
#Quick way to add the hosts entry

echo "172.16.1.250 harbor.kkcai.vip" >>/etc/hosts

#Enter the directory, copy the template and edit the configuration file harbor.yml

[root@dockerhub250 harbor]# cp harbor.yml.tmpl harbor.yml
[root@dockerhub250 harbor]# vim harbor.yml
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#A domain name is recommended
hostname: harbor.kkcai.vip
#Change the certificate paths (these two keys sit under the https: section)
  certificate: /etc/cert/harbor/harbor.kkcai.vip.crt
  private_key: /etc/cert/harbor/harbor.kkcai.vip.key
#Harbor admin password
harbor_admin_password: devops
# Harbor database password
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: devops
#Data storage location
data_volume: /data/harbor

#Run install.sh to perform the installation

[root@dockerhub250 harbor]# sh install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 19.03.12

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.18.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/prepare:v2.0.2
Loaded image: goharbor/harbor-jobservice:v2.0.2
Loaded image: goharbor/harbor-registryctl:v2.0.2
Loaded image: goharbor/registry-photon:v2.0.2
Loaded image: goharbor/harbor-core:v2.0.2
Loaded image: goharbor/notary-signer-photon:v2.0.2
Loaded image: goharbor/clair-photon:v2.0.2
Loaded image: goharbor/trivy-adapter-photon:v2.0.2
Loaded image: goharbor/harbor-log:v2.0.2
Loaded image: goharbor/nginx-photon:v2.0.2
Loaded image: goharbor/clair-adapter-photon:v2.0.2
Loaded image: goharbor/chartmuseum-photon:v2.0.2
Loaded image: goharbor/harbor-portal:v2.0.2
Loaded image: goharbor/harbor-db:v2.0.2
Loaded image: goharbor/redis-photon:v2.0.2
Loaded image: goharbor/notary-server-photon:v2.0.2


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Creating harbor-db ... done
Creating harbor-core ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating redis ...
Creating harbor-db ...
Creating registryctl ...
Creating harbor-portal ...
Creating registry ...
Creating harbor-core ...
Creating nginx ...
Creating harbor-jobservice ...
✔ ----Harbor has been installed and started successfully.----

#Common commands

4.2 Verifying that Harbor installed successfully

#Open harbor.kkcai.vip/
#The default account is admin with password devops

4.3 Verifying that images can be pushed to Harbor

#Create the docker certificate directory and copy the CA certificate into it

[root@dockerhub250 harbor]# mkdir -p /etc/docker/certs.d/harbor.kkcai.vip
[root@dockerhub250 harbor]# cp ca.crt /etc/docker/certs.d/harbor.kkcai.vip

#Log docker in to Harbor

[root@dockerhub250 harbor]# docker login harbor.kkcai.vip
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

#Push the image to the corresponding project

[root@dockerhub250 harbor]# docker tag nginx:latest harbor.kkcai.vip/library/nginx:latest
[root@dockerhub250 harbor]# docker push harbor.kkcai.vip/library/nginx:latest
The push refers to repository [harbor.kkcai.vip/library/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362

#Check the Harbor web UI: the push succeeded

4.4 Adding a third-party registry

#Administration - Registries - New Endpoint
#Provider: Docker Registry
#Name: test
#Endpoint URL: http://172.16.1.250:5000 (the private registry created earlier; it was set up without authentication, so no username or password is needed)
#Click OK

X. Problems encountered

X.1 WARNING: bridge-nf-call-iptables is disabled

#Symptom
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
#Cause: the bridge works at the data link layer, so when bridge-nf is not enabled for iptables, frames are forwarded straight through the bridge and the FORWARD chain rules have no effect
#Fix: edit the configuration, add the following settings, save and reload
#vim /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#sysctl -p

X.2 Get http: server gave HTTP response to HTTPS client

#Symptom
[root@dockerhub250 ~]# docker push 172.16.1.250:5000/nginx:latest
The push refers to repository [172.16.1.250:5000/nginx]
Get https://172.16.1.250:5000/v2/: http: server gave HTTP response to HTTPS client
#Cause: the docker registry is not serving HTTPS, but the docker client pushes over HTTPS
#Fix: edit the configuration, add "insecure-registries":["172.16.1.250:5000"], save and reload
#vim  /etc/docker/daemon.json
{"registry-mirrors": ["https://registry.cn-hangzhou.aliyuncs.com"], "insecure-registries":["172.16.1.250:5000"]}
#systemctl restart docker
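
An added helper (my code, not from the original post) for the daemon.json edit above: it merges the insecure-registries entry into the existing file instead of rewriting the whole file by hand, so the registry-mirrors setting is kept and a second run does not duplicate the entry. Since insecure-registries permits plain HTTP and unverified TLS to the listed host, it should only ever name the intranet address; the certs.d approach of section 4.3 is the one to prefer. The path and registry address are the page's; the atomic write through a temp file is my addition.

```python
import json
import os
import re
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")  # host or host:port, no scheme

def load_daemon_json(path=DAEMON_JSON):
    """Return the parsed file, or {} when dockerd has no config file yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def add_insecure_registry(conf, registry):
    """Return a copy of conf with registry added to insecure-registries.

    Existing keys such as registry-mirrors are preserved, and a registry that
    is already listed is not added twice.
    """
    if not HOSTPORT.match(registry):
        raise ValueError("expected host or host:port without scheme, got %r" % registry)
    out = dict(conf)
    regs = list(out.get("insecure-registries", []))
    if registry not in regs:
        regs.append(registry)
    out["insecure-registries"] = regs
    return out

def save_daemon_json(conf, path=DAEMON_JSON):
    """Write via a temp file and rename, so dockerd never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix="daemon.json.")
    with os.fdopen(fd, "w") as f:
        json.dump(conf, f, indent=2)
        f.write("\n")
    os.replace(tmp, path)

if __name__ == "__main__":
    conf = add_insecure_registry(load_daemon_json(), "172.16.1.250:5000")
    save_daemon_json(conf)  # then: systemctl restart docker
    print(json.dumps(conf, indent=2))
```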