【Docker】Setting up and using the Harbor enterprise image registry (http/https)

### 1. Purpose

Harbor is an enterprise-class Registry server for storing and distributing Docker images.

### 2. Install docker-ce

Environment: Alibaba Cloud Simple Application Server, CentOS 7.3
Docker is installed here from the Docker yum repository:

① Install the yum management dependencies

```shell
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
```

② Add the Docker repository

```shell
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
```

③ Install Docker CE

```shell
sudo yum install docker-ce docker-ce-cli containerd.io
```

### 3. Install docker-compose

See this blog post: https://www.cnblogs.com/wucaiyun1/p/11811112.html

### 4. Install Harbor

Installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md

① Download Harbor

```shell
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz
```

Or download it from the GitHub releases page:
https://github.com/goharbor/harbor/releases

#### HTTP method

② Configure and install (HTTP method)

```console
[root@iZuf6hcb8yumasfp52oemxZ ailala]# tar -xf harbor-offline-installer-v1.6.1.tgz
[root@iZuf6hcb8yumasfp52oemxZ ailala]# cd harbor
[root@iZuf6hcb8yumasfp52oemxZ harbor]# vi harbor.yml
```

#### HTTPS method

② Configure and install (HTTPS method)
Reference: https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

#### Getting a Certificate Authority

```shell
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=fixedbug.work" \
    -key ca.key \
    -out ca.crt
```

#### Getting a Server Certificate

1. Create your own private key:

```shell
openssl genrsa -out fixedbug.work.key 4096
```

2. Generate a certificate signing request:

```shell
openssl req -sha512 -new \
    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=fixedbug.work" \
    -key fixedbug.work.key \
    -out fixedbug.work.csr
```

3. Generate the certificate of your registry host (the v3 extensions mark it as a server certificate and list the names clients will connect to):

```shell
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=fixedbug.work
DNS.2=fixedbug
DNS.3=hostname
EOF
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in fixedbug.work.csr \
    -out fixedbug.work.crt
```

#### Configuration and Installation

1. Configure the server certificate and key for Harbor:

```shell
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
```

2. Configure the server certificate, key and CA for Docker. Convert the server certificate yourdomain.com.crt to yourdomain.com.cert:

```shell
openssl x509 -inform PEM -in fixedbug.work.crt -out fixedbug.work.cert
```

Deploy yourdomain.com.cert, yourdomain.com.key, and ca.crt for Docker:

```shell
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
```

The resulting layout:

```
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
```

3. Configure Harbor, then run the installer:

```console
[root@iZuf6hcb8yumasfp52oemxZ harbor]# ./prepare
[root@iZuf6hcb8yumasfp52oemxZ harbor]# ./install
```

③ Log in (screenshots omitted)

### 5. Push images to the Harbor registry

Mark the Harbor registry as a trusted HTTP registry on the local machine:
add `"insecure-registries":["reg.slito.com"]` to /etc/docker/daemon.json, otherwise the push fails because Docker uses HTTPS by default; then restart docker.
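Because an entry in `insecure-registries` switches off TLS verification for that host, it is worth knowing, before pushing, which transport the daemon will use for a given registry. The following added example, not part of the original post, classifies a registry host from the daemon.json and certs.d layout described on this page. The hosts `reg.example.internal`, `legacy.example.internal:5000` and `harbor.example.internal:443`, the fixture daemon.json and the temporary directory are constructed; point the functions at `/etc/docker/daemon.json` and `/etc/docker/certs.d` for a real check.

```shell
#!/bin/bash
# Added example (not from the original post): before pushing, report how the local
# Docker daemon will reach a registry host: insecure (listed in insecure-registries,
# so http or unverified tls), tls with a private CA (certs.d/<host>/ca.crt present),
# or tls against the system roots. Paths and hosts below are constructed.
set -eu

# Is $2 listed in "insecure-registries" of the daemon.json at $1?
# Whitespace is stripped so the array can be matched without a JSON parser.
# Limitation: CIDR entries (e.g. 10.0.0.0/8) are not expanded to hosts.
registry_is_insecure() {
  local daemon_json="$1" host="$2"
  [ -f "$daemon_json" ] || return 1
  tr -d ' \n\t' < "$daemon_json" \
    | grep -o '"insecure-registries":\[[^]]*\]' \
    | grep -qF "\"$host\""
}

# Does a per-registry CA exist under certs.d for $2 (host or host:port)?
registry_has_private_ca() {
  local certsd="$1" host="$2"
  [ -f "$certsd/$host/ca.crt" ]
}

# Print one word describing the transport dockerd will use for $3.
registry_transport() {
  local daemon_json="$1" certsd="$2" host="$3"
  if registry_is_insecure "$daemon_json" "$host"; then
    echo insecure
  elif registry_has_private_ca "$certsd" "$host"; then
    echo tls-private-ca
  else
    echo tls-system-roots
  fi
}

# Constructed fixture mirroring the post: one registry marked insecure, one with
# a private CA deployed under certs.d.
make_fixture() {
  local root="$1"
  mkdir -p "$root/certs.d/harbor.example.internal:443"
  cat > "$root/daemon.json" <<'EOF'
{
  "insecure-registries": ["reg.example.internal", "legacy.example.internal:5000"],
  "log-driver": "json-file"
}
EOF
  : > "$root/certs.d/harbor.example.internal:443/ca.crt"
}

# Stand-alone run over the fixture.
fixture=$(mktemp -d)
make_fixture "$fixture"
for h in reg.example.internal harbor.example.internal:443 docker.io; do
  printf '%-32s %s\n' "$h" \
    "$(registry_transport "$fixture/daemon.json" "$fixture/certs.d" "$h")"
done
rm -rf "$fixture"
```

Anything reported as `insecure` is pushed without certificate verification; once the HTTPS setup from section 4 is in place for a host, its entry can be removed from `insecure-registries` and it should then report `tls-private-ca`.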

Log in to the Harbor registry

```console
[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker login fixedbug.work:88
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Push the image

```console
[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker tag mysql:8 fixedbug.work:88/library/mysql:v1
[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker push fixedbug.work:88/library/mysql:v1
The push refers to repository [fixedbug.work:88/library/mysql]
55f5c7d40658: Pushed
8d0c9963a6ad: Pushed
17b62e7a629c: Pushed
8eae701cdfcf: Pushing  31.11MB/341.1MB
d4078c1b9fdb: Pushed
8eae701cdfcf: Pushed
2a9aab74013a: Pushing  33.62MB/44.77MB
414373ffccb4: Pushed
2a9aab74013a: Pushed
51734435c93c: Pushed
5a8a245abd1c: Pushed
99b5261d397c: Pushing  23.78MB/55.34MB
99b5261d397c: Pushed
v1: digest: sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3 size: 2828
[root@iZuf6hcb8yumasfp52oemxZ harbor]#
```

View it in Harbor (screenshot omitted)

### 6. Pull images from Harbor

```console
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker rmi fixedbug.work:88/library/mysql:v1
Untagged: fixedbug.work:88/library/mysql:v1
Untagged: fixedbug.work:88/library/mysql@sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker images | grep mysql
mysql                           8                               d435eee2caa5        12 days ago         456MB
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker pull fixedbug.work:88/library/mysql:v1
v1: Pulling from library/mysql
Digest: sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3
Status: Downloaded newer image for fixedbug.work:88/library/mysql:v1
fixedbug.work:88/library/mysql:v1
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker images | grep mysql
mysql                            8                               d435eee2caa5        12 days ago         456MB
fixedbug.work:88/library/mysql   v1                              d435eee2caa5        12 days ago         456MB
```

Pitfall notes: the domain name only stands in for the IP address. If the domain has no ICP filing (备案), ports 80 and 433 on the IP it points to will be blocked, but this applies only when that IP is in mainland China. If the domain points to an IP outside China, ports 80 and 433 can be used whether or not the domain is filed.