06 Docker Registry Mirrors and Local Image Registries

Container image accelerators

Because access from within China to container registries hosted abroad is slow, Chinese providers run registry mirrors (accelerators) so that domestic users can pull container images quickly.

Getting an Alibaba Cloud registry mirror address

Log in to Alibaba Cloud, open the Console, open "Container Registry (ACR)" from the left-hand menu, then click "镜像加速器" (registry mirror) in the left-hand menu. The final URL is cr.console.aliyun.com/cn-hangzhou…


Configuring the docker daemon to use the mirror

# Add the daemon.json configuration file
vim /etc/docker/daemon.json

cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://zwyx2n3v.mirror.aliyuncs.com"]
}

# Restart docker
systemctl daemon-reload
systemctl restart docker
# Try pulling a container image
docker rmi centos
docker pull centos

Container image registries

Docker Hub

Registering and creating an image repository

Go to the Docker Hub website, click "Sign Up" to register a user, and verify the email address after registering.

Log in to Docker Hub, click "Create repository", and fill in the form to create a public repository.


Logging in to Docker Hub locally

# The Docker Hub registry address can be omitted; it is the default
docker login
Log in with your Docker ID or email address to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com/ to create one.
You can log in with your password or a Personal Access Token (PAT). Using a limited-scope PAT grants better security and is required for organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/

Username: zhangjiabao4
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# Log out
docker logout
Removing login credentials for https://index.docker.io/v1/

Uploading a container image

Log in to Docker Hub and push the image; it is then shared with users worldwide.

Re-tagging the container image

docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
centos       latest    5d0da3dc9764   24 months ago   231MB

# Re-tag the container image
docker tag centos:latest zhangjiabao4/zhangjiabao_test:v1

docker images
REPOSITORY                      TAG       IMAGE ID       CREATED         SIZE
centos                          latest    5d0da3dc9764   24 months ago   231MB
zhangjiabao4/zhangjiabao_test   v1        5d0da3dc9764   24 months ago   231MB

# Push the image to Docker Hub (requires logging in first)
docker push zhangjiabao4/zhangjiabao_test:v1
The push refers to repository [docker.io/zhangjiabao4/zhangjiabao_test]
74ddd0ec08fa: Mounted from library/centos 
v1: digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc size: 529

Check the newly pushed image on the Docker Hub web page.


Pulling the container image

# Delete the local image first
docker rmi zhangjiabao4/zhangjiabao_test:v1

# Pull the image
docker pull zhangjiabao4/zhangjiabao_test:v1
v1: Pulling from zhangjiabao4/zhangjiabao_test
Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
Status: Downloaded newer image for zhangjiabao4/zhangjiabao_test:v1
docker.io/zhangjiabao4/zhangjiabao_test:v1

# View the image after pulling
docker images
REPOSITORY                      TAG       IMAGE ID       CREATED         SIZE
centos                          latest    5d0da3dc9764   24 months ago   231MB
zhangjiabao4/zhangjiabao_test   v1        5d0da3dc9764   24 months ago   231MB

Harbor

Getting the docker compose binary

# Download the docker-compose binary
wget https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64
# Move the binary to /usr/bin and rename it docker-compose
mv docker-compose-linux-x86_64 /usr/bin/docker-compose
# Make the binary executable
chmod +x /usr/bin/docker-compose
# After installation, check the docker-compose version
docker-compose version
Docker Compose version v2.20.3

Issuing certificates

For issuing certificates, see the Harbor documentation at goharbor.io/docs/2.9.0/…

This guide assumes the Harbor server has the domain name myharbor.com and the IP address 172.25.10.66; if needed, the IP address can also be included when issuing the certificate.

Generating the certificate authority certificate

mkdir certs
cd certs/
# Create the CA private key
openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
..............................++
................................................................................................................++
e is 65537 (0x10001)

# Self-sign the CA certificate (crt)
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=myharbor.com" \
 -key ca.key \
 -out ca.crt

# Parameter notes:
# C, Country
# ST, State, the province
# L, Locality, the city
# O, Organization, the company
# OU, Organizational Unit, the department
# CN, Common Name, the server's domain name

The CA key pair is now ready and can be used to issue the certificate for Harbor.

Generating the server certificate

# Generate the private key; myharbor.com.key is for Harbor, and myharbor.com is Harbor's domain name
openssl genrsa -out myharbor.com.key 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................................................................................................................................................++
................++
e is 65537 (0x10001)

# Generate the certificate signing request (CSR)
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=myharbor.com" \
    -key myharbor.com.key \
    -out myharbor.com.csr

# Generate an x509 v3 extension file; the certificate will be valid only for the names listed in alt_names.
# The IP address goes in an IP.n entry: TLS clients (the Docker client included) compare an IP literal only
# with IP SANs, so placing 172.25.10.66 under a DNS.n entry would not cover access by IP.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=myharbor.com
DNS.2=myharbor
IP.1=172.25.10.66
EOF

# Use v3.ext to generate the certificate for the Harbor host, i.e. sign it with the self-signed CA
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in myharbor.com.csr \
    -out myharbor.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=myharbor.com
Getting CA Private Key

# Convert myharbor.com.crt to myharbor.com.cert for Docker: the Docker daemon treats .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in myharbor.com.crt -out myharbor.com.cert

ls
ca.crt  ca.key  ca.srl  myharbor.com.cert  myharbor.com.crt  myharbor.com.csr  myharbor.com.key  v3.ext
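The following Python helper is an added example; it is not part of the original post and is not code from Harbor or OpenSSL. It builds a v3.ext in the shape used above from a plain list of names, sorting IP literals into IP.n entries, reads an [alt_names] section back, and checks whether a given host would be covered by those SANs under the matching rules of Go's crypto/x509 (the verifier the Docker client uses): an IP literal is compared only with IP entries, a host name only with DNS entries, and a leading `*` covers exactly one label. The embedded v3.ext text is a constructed sample that places the IP address under DNS.3, to show why that variant would not cover https://172.25.10.66:20443.

```python
import ipaddress

# Constructed sample: a v3.ext that lists the IP address as a DNS name.
V3_EXT_WITH_IP_AS_DNS = """\
subjectAltName = @alt_names

[alt_names]
DNS.1=myharbor.com
DNS.2=myharbor
DNS.3=172.25.10.66
"""

# The extension lines used above, minus the alt_names entries.
EXTENSION_HEADER = [
    "authorityKeyIdentifier=keyid,issuer",
    "basicConstraints=CA:FALSE",
    "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment",
    "extendedKeyUsage = serverAuth",
    "subjectAltName = @alt_names",
    "",
    "[alt_names]",
]


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_v3_ext(alt_names):
    """Render a v3.ext, sorting each name into a DNS.n or an IP.n entry."""
    dns = [n for n in alt_names if not is_ip_literal(n)]
    ips = [n for n in alt_names if is_ip_literal(n)]
    lines = list(EXTENSION_HEADER)
    lines += ["DNS.%d=%s" % (i, n) for i, n in enumerate(dns, 1)]
    lines += ["IP.%d=%s" % (i, n) for i, n in enumerate(ips, 1)]
    return "\n".join(lines) + "\n"


def parse_alt_names(ext_text):
    """Read the [alt_names] section back into (kind, value) pairs, kind being DNS or IP."""
    names, in_section = [], False
    for raw in ext_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[alt_names]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            names.append((key.split(".")[0].upper(), value))
    return names


def dns_name_matches(pattern, host):
    """A DNS SAN matches case-insensitively; a leading '*' stands for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_covers(alt_names, host):
    """Would a Go-style verifier accept a certificate with these SANs for `host`?
    An IP literal is compared only with IP entries, a host name only with DNS entries."""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        return any(kind == "IP" and is_ip_literal(value) and ipaddress.ip_address(value) == wanted
                   for kind, value in alt_names)
    return any(kind == "DNS" and dns_name_matches(value, host) for kind, value in alt_names)


if __name__ == "__main__":
    drafted = parse_alt_names(V3_EXT_WITH_IP_AS_DNS)
    fixed = parse_alt_names(build_v3_ext(["myharbor.com", "myharbor", "172.25.10.66"]))
    for host in ("myharbor.com", "172.25.10.66"):
        print(host, "drafted:", san_covers(drafted, host), "fixed:", san_covers(fixed, host))
```

To see which names a finished certificate actually carries, `openssl x509 -in myharbor.com.crt -noout -text | grep -A1 'Subject Alternative Name'` prints the signed DNS and IP entries.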

Installing Harbor

# Download the Harbor offline installer
wget https://github.com/goharbor/harbor/releases/download/v2.9.0/harbor-offline-installer-v2.9.0.tgz
# Extract the Harbor offline installer
tar xf harbor-offline-installer-v2.9.0.tgz
cd harbor
ls
common.sh  harbor.v2.9.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
# Edit the configuration file
cp harbor.yml.tmpl harbor.yml

Edit the following entries in harbor.yml:

# Harbor's domain name
hostname: myharbor.com
# The ports need not be changed if they are not already in use
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 20080
https:
  # https port for harbor, default is 443
  port: 20443
  # The path of cert and key files for nginx
  # Change to your own certificate paths
  certificate: /data/certs/harbor/myharbor.com.crt
  private_key: /data/certs/harbor/myharbor.com.key
# Initial admin password for the web UI
harbor_admin_password: Harbor12345

If Harbor has already been installed, it can be restarted with the following commands:

# Stop and remove the containers; image data is kept on the filesystem and is not lost
# Run these in Harbor's installation directory
docker-compose down -v
# Restart
docker-compose up -d

Running the prepare script

./prepare
prepare base dir is set to /data/test/harbor
Unable to find image 'goharbor/prepare:v2.9.0' locally
v2.9.0: Pulling from goharbor/prepare
e8a5cf3bb110: Pull complete 
89872053070b: Pull complete 
c712ccb1360e: Pull complete 
5e55ac8684b3: Pull complete 
9381d0348d02: Pull complete 
9707a9088856: Pull complete 
b61456e9641f: Pull complete 
7778cfb7224f: Pull complete 
25fb2f26a42f: Pull complete 
47767553283a: Pull complete 
Digest: sha256:9243e46abfc692ea49eadb4550ba50fd4e26ea31b5c5f270cb73f317c08906b9
Status: Downloaded newer image for goharbor/prepare:v2.9.0
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Running the install script

./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 24.0.6
[Step 1]: checking docker-compose is installed ...
Note: Docker Compose version v2.21.0
[Step 2]: loading Harbor images ...
...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
...
[Step 5]: starting Harbor ...
...
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                  0.0s 
 ✔ Container harbor-log         Started                                                                  0.0s 
 ✔ Container harbor-db          Started                                                                  0.0s 
 ✔ Container registry           Started                                                                  0.0s 
 ✔ Container harbor-portal      Started                                                                  0.0s 
 ✔ Container redis              Started                                                                  0.0s 
 ✔ Container registryctl        Started                                                                  0.0s 
 ✔ Container harbor-core        Started                                                                  0.0s 
 ✔ Container nginx              Started                                                                  0.0s 
 ✔ Container harbor-jobservice  Started                                                                  0.0s 
✔ ----Harbor has been installed and started successfully.----

Verifying that Harbor is running

docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                   PORTS                                                                                      NAMES
6a499c4411b3   goharbor/harbor-jobservice:v2.9.0    "/harbor/entrypoint.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              harbor-jobservice
f780e933c1b0   goharbor/nginx-photon:v2.9.0         "nginx -g 'daemon of…"   6 minutes ago   Up 6 minutes (healthy)   0.0.0.0:20080->8080/tcp, :::20080->8080/tcp, 0.0.0.0:20443->8443/tcp, :::20443->8443/tcp   nginx
463b1c89c01f   goharbor/harbor-core:v2.9.0          "/harbor/entrypoint.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              harbor-core
d53dc09ef103   goharbor/harbor-registryctl:v2.9.0   "/home/harbor/start.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              registryctl
9d6dae4d54d5   goharbor/redis-photon:v2.9.0         "redis-server /etc/r…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              redis
00ce52e4e946   goharbor/harbor-portal:v2.9.0        "nginx -g 'daemon of…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              harbor-portal
4f1daf3a870f   goharbor/harbor-db:v2.9.0            "/docker-entrypoint.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              harbor-db
b5becd402f4c   goharbor/registry-photon:v2.9.0      "/home/harbor/entryp…"   6 minutes ago   Up 6 minutes (healthy)                                                                                              registry
028df76a1d13   goharbor/harbor-log:v2.9.0           "/bin/sh -c /usr/loc…"   6 minutes ago   Up 6 minutes (healthy)   127.0.0.1:1514->10514/tcp                                                                  harbor-log

Open a browser at http://172.25.10.66:20080; it redirects automatically to https://172.25.10.66:20443/. Enter the user name admin and the password Harbor12345 to log in. Adding a domain mapping to the local hosts file also allows access by domain name.


Docker configuration

# Create the docker certificate directory
mkdir -p /etc/docker/certs.d/myharbor.com:20443/
# Copy the certificates into the directory; the port can be omitted if it is 443
cp myharbor.com.cert /etc/docker/certs.d/myharbor.com:20443/
cp myharbor.com.key /etc/docker/certs.d/myharbor.com:20443/
cp ca.crt /etc/docker/certs.d/myharbor.com:20443/
# Restart docker
systemctl restart docker

Logging in to Harbor with docker

# First configure the hosts file, adding: 172.25.10.66 myharbor.com
vim /etc/hosts
# Log in
docker login myharbor.com:20443
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# The client's /root/.docker/config.json now holds the Harbor account information
cat /root/.docker/config.json
{
        "auths": {
                "myharbor.com:20443": {
                        "auth": "YWRtaW46SGFyYm9yMTIzNDU="
                }
        }
}
# The credentials can be decoded (they are base64-encoded, not encrypted)
echo YWRtaW46SGFyYm9yMTIzNDU= | base64 -d
admin:Harbor12345

# When HTTPS access to Harbor is not required:
# first add the following to /etc/docker/daemon.json
cat /etc/docker/daemon.json
{
  "insecure-registries": ["myharbor.com:20080"]
}
# then restart docker
systemctl restart docker
# Log in to Harbor over HTTP
docker login myharbor.com:20080
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
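The block below is an added example (not from the original post and not Docker's or Harbor's own code) that audits the three configuration files edited on this page for the settings that weaken the setup: a registry mirror that is not HTTPS, an `insecure-registries` entry (for that host the daemon falls back to plain HTTP and skips certificate verification), credentials stored inline in the client's config.json (the `auth` value is base64 of `user:password`, readable by anyone who can open the file), and a `harbor_admin_password` left at the template default. All three inputs are constructed samples modelled on the files shown above; harbor.yml is scanned line by line for top-level keys on the assumption that no YAML library is installed.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Constructed samples modelled on the files shown in this guide.
SAMPLE_DAEMON_JSON = """
{
  "registry-mirrors": ["https://zwyx2n3v.mirror.aliyuncs.com", "http://mirror.internal:5000"],
  "insecure-registries": ["myharbor.com:20080"]
}
"""

SAMPLE_CLIENT_CONFIG = """
{
  "auths": {
    "myharbor.com:20443": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="},
    "https://index.docker.io/v1/": {}
  },
  "credHelpers": {"https://index.docker.io/v1/": "pass"}
}
"""

SAMPLE_HARBOR_YML = """
hostname: myharbor.com
https:
  port: 20443
harbor_admin_password: Harbor12345
"""

HARBOR_DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # the value shipped in harbor.yml.tmpl


def decode_auth(auth_b64):
    """`auth` is base64("user:password"): an encoding, not encryption."""
    user, _, password = base64.b64decode(auth_b64).decode("utf-8").partition(":")
    return user, password


def audit_daemon_json(text):
    """Findings for /etc/docker/daemon.json as (severity, message) tuples."""
    cfg = json.loads(text)
    findings = []
    for mirror in cfg.get("registry-mirrors", []):
        if urlsplit(mirror).scheme != "https":
            findings.append(("high", "mirror %s is not https: pulled layers could be altered in transit" % mirror))
    for reg in cfg.get("insecure-registries", []):
        findings.append(("high", "insecure-registries entry %s: plain HTTP allowed and TLS certificate not verified" % reg))
    return findings


def audit_client_config(text):
    """Findings for ~/.docker/config.json: registries whose credentials sit inline.
    Only the user name is reported, never the secret."""
    cfg = json.loads(text)
    helpers, store = cfg.get("credHelpers", {}), cfg.get("credsStore")
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            user, _ = decode_auth(entry["auth"])
            findings.append(("medium", "plaintext credentials for %s stored in config.json (user %s)" % (registry, user)))
        elif registry not in helpers and not store:
            findings.append(("info", "%s listed without credentials or a credential helper" % registry))
    return findings


def audit_harbor_yml(text):
    """Findings for harbor.yml, using a minimal top-level `key: value` scan."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):\s*(\S+)\s*$", line.split("#", 1)[0])
        if m and m.group(1) == "harbor_admin_password" and m.group(2) == HARBOR_DEFAULT_ADMIN_PASSWORD:
            findings.append(("high", "harbor_admin_password is still the template default"))
    return findings


def audit_all(daemon_json, client_config, harbor_yml):
    return audit_daemon_json(daemon_json) + audit_client_config(client_config) + audit_harbor_yml(harbor_yml)


if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE_DAEMON_JSON, SAMPLE_CLIENT_CONFIG, SAMPLE_HARBOR_YML):
        print("[%s] %s" % (severity, message))
```

Run it as a script to print the findings for the samples; on a real host, read /etc/docker/daemon.json, ~/.docker/config.json and the harbor.yml from the install directory instead. Pointing `credsStore` (or a per-registry `credHelpers` entry) at a credential helper is what removes the warning that `docker login` prints above.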

Uploading and downloading images

docker tag

# View the existing container images
docker images
REPOSITORY                      TAG       IMAGE ID       CREATED         SIZE
centos                          latest    5d0da3dc9764   24 months ago   231MB
# Add a new tag to the existing image
docker tag centos:latest myharbor.com:20443/library/centos:v1
# View the local images again
docker images
REPOSITORY                          TAG       IMAGE ID       CREATED         SIZE
centos                              latest    5d0da3dc9764   24 months ago   231MB
myharbor.com:20443/library/centos   v1        5d0da3dc9764   24 months ago   231MB

docker push

# Push the local image to the Harbor registry (requires logging in first)
docker push myharbor.com:20443/library/centos:v1
The push refers to repository [myharbor.com:20443/library/centos]
74ddd0ec08fa: Pushed 
v1: digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc size: 529


docker pull

# Delete the image, then pull it again
docker rmi myharbor.com:20443/library/centos:v1
docker pull myharbor.com:20443/library/centos:v1
v1: Pulling from library/centos
Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
Status: Downloaded newer image for myharbor.com:20443/library/centos:v1
myharbor.com:20443/library/centos:v1

Note: when deploying Harbor for real, use the default ports so that image names carry no port information. Images can then be pushed and pulled over both HTTP and HTTPS; with a non-default port, HTTP and HTTPS cannot be mixed.
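An added Python example, not part of the original post: a parser for image references that applies Docker's own normalisation rules. It shows why `centos` and `zhangjiabao4/zhangjiabao_test:v1` above both resolve to docker.io, why `myharbor.com:20443/library/centos:v1` carries the port into the image name (the `port` field is None only for a registry on its default port, the case the note recommends), and how to rewrite a tag reference into the digest form that `docker push` and `docker pull` print, which names immutable content instead of a mutable tag. The digest constant is the one printed above; the repository names are the page's.

```python
import re

DEFAULT_REGISTRY = "docker.io"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Digest printed by `docker push` / `docker pull` above for the centos image.
PAGE_DIGEST = "sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc"


def parse_image_ref(ref):
    """Split an image reference into its parts, applying Docker's normalisation rules:
    the first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the registry is docker.io, where a bare repository name
    lives in the 'library/' namespace; a missing tag means 'latest' unless a digest
    is given."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed digest: %s" % digest)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
    # A ':' after the last '/' introduces the tag; a ':' before it is a registry port.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    else:
        tag = None if digest else "latest"
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path
    host, _, port = registry.partition(":")
    return {
        "registry": registry,
        "host": host,
        "port": int(port) if port else None,  # None when the registry uses its default port
        "repository": path,
        "tag": tag,
        "digest": digest,
    }


def is_pinned(ref):
    """True when the reference names immutable content (a digest) rather than a mutable tag."""
    return parse_image_ref(ref)["digest"] is not None


def pin(ref, digest):
    """Rewrite a tag reference as a fully qualified digest reference, so a later pull
    cannot silently receive different content under the same tag."""
    if not DIGEST_RE.match(digest):
        raise ValueError("malformed digest: %s" % digest)
    parts = parse_image_ref(ref)
    return "%s/%s@%s" % (parts["registry"], parts["repository"], digest)


if __name__ == "__main__":
    for ref in ("centos", "zhangjiabao4/zhangjiabao_test:v1", "myharbor.com:20443/library/centos:v1"):
        print(ref, "->", parse_image_ref(ref))
    print(pin("myharbor.com:20443/library/centos:v1", PAGE_DIGEST))
```

`docker pull` accepts the pinned form directly, and the digest it reports on completion must equal the one in the reference.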