1. Registry
官方私有仓库,优点:简单;缺点:部署无法进行复杂的管理操作
1.1 镜像
docker pull registry:2.7.1
docker pull joxit/docker-registry-ui:latest
1.2 配置
mkdir -p /etc/docker/registry
cat > /etc/docker/registry/config.yml <<EOF
version: 0.1
log:
accesslog:
disabled: true
level: debug
formatter: text
fields:
service: registry
environment: staging
storage:
delete:
enabled: true
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
Access-Control-Allow-Origin: ['http://192.168.80.200']
Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
Access-Control-Allow-Headers: ['Authorization', 'Accept']
Access-Control-Max-Age: [1728000]
Access-Control-Allow-Credentials: [true]
Access-Control-Expose-Headers: ['Docker-Content-Digest']
http2:
disabled: false
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
EOF
1.3 启动
cat > docker-compose.yaml <<EOF
version: '2.0'
services:
registry:
image: registry:2.7.1
ports:
- 5000:5000
volumes:
- /opt/registry:/var/lib/registry
- /etc/docker/registry/config.yml:/etc/docker/registry/config.yml
ui:
image: joxit/docker-registry-ui:latest
ports:
- 80:80
environment:
- REGISTRY_TITLE=My Private Docker Registry
- REGISTRY_URL=http://192.168.80.200:5000
- SINGLE_REGISTRY=true
depends_on:
- registry
EOF
docker-compose up -d
1.4 镜像推送
$ docker tag nginx 192.168.80.200:5000/nginx:latest
$ docker push 192.168.80.200:5000/nginx:latest
The push refers to repository [192.168.80.200:5000/nginx]
Get "https://192.168.80.200:5000/v2/": http: server gave HTTP response to HTTPS client
$ vi /etc/docker/daemon.json
{
"insecure-registries" : [ "192.168.80.250:5000" ]
}
$ systemctl restart docker
1.5 登录界面
http://192.168.80.200
1.6 Restful API
参考:https://docs.docker.com/registry/spec/api/#detail
$ curl 192.168.80.200:5000/v2/
{}
$ curl 192.168.80.200:5000/v2/_catalog
{"repositories":["nginx"]}
$ curl 192.168.80.200:5000/v2/nginx/tags/list
{"name":"nginx","tags":["latest"]}
$ curl 192.168.80.200:5000/v2/nginx/manifests/latest
$ curl -I 192.168.80.200:5000/v2/nginx/manifests/latest -H 'Accept: application/vnd.docker.distribution.manifest.v2+json'
...
Docker-Content-Digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
$ curl -X DELETE 192.168.80.200:5000/v2/nginx/manifests/sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
$ docker exec -it docker-registry bin/registry garbage-collect /etc/docker/registry/config.yml
2. Harbor
VMware 出品,优点:大而全;缺点:过于庞大,安装很多组件,如redis, nginx,较耗资源
2.1 生成证书
mkdir -p /etc/harbor/pki && cd $_
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ca.key \
-x509 -days 365 -out ca.crt \
-subj "/C=CN/ST=Jiangsu/L=Nanjing/O=XTWL/OU=IT/CN=test"
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout harbor.key \
-out harbor.csr \
-subj "/C=CN/ST=Jiangsu/L=Nanjing/O=XTWL/OU=IT/CN=192.168.80.201"
echo 'subjectAltName = IP:192.168.80.201' > extfile.cnf
openssl x509 -req -days 365 -in harbor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor.crt
2.2 安装包
mkdir -p ~/harbor && cd $_
wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz
tar xzvf harbor-offline-installer-v2.4.1.tgz
2.3 配置
cd harbor
cp harbor.yml.tmpl harbor.yml
vi harbor.yml
hostname: 192.168.80.201
http:
port: 8080
https:
port: 443
certificate: /etc/harbor/pki/harbor.crt
private_key: /etc/harbor/pki/harbor.key
harbor_admin_password: Harbor12345
data_volume: /data
location: /var/log/harbor
2.4 安装
./install.sh
...
[Step 5]: starting Harbor ...
[+] Running 10/10
⠿ Network harbor_harbor Created 0.2s
⠿ Container harbor-log Started 1.6s
⠿ Container registryctl Started 3.7s
⠿ Container registry Started 3.0s
⠿ Container redis Started 3.3s
⠿ Container harbor-portal Started 3.7s
⠿ Container harbor-db Started 3.6s
⠿ Container harbor-core Started 4.8s
⠿ Container harbor-jobservice Started 6.2s
⠿ Container nginx Started 6.5s
✔ ----Harbor has been installed and started successfully.----
2.5 Docker 配置
dockerd 进程会将.crt
文件标记为CA证书,.cert
文件为客户端证书,所以需要先进行转换
cd /etc/harbor/pki
openssl x509 -inform PEM -in harbor.crt -out harbor.cert
mkdir -p /etc/docker/certs.d/192.168.80.201
cp harbor.cert /etc/docker/certs.d/192.168.80.201
cp harbor.key /etc/docker/certs.d/192.168.80.201
cp ca.crt /etc/docker/certs.d/192.168.80.201
systemctl restart docker
2.6 镜像推送
$ docker login https://192.168.80.201
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/
Login Succeeded
$ docker tag busybox:latest 192.168.80.201/library/busybox:latest
$ docker push 192.168.80.201/library/busybox:latest
The push refers to repository [192.168.80.201/library/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
2.7 登录界面
https://192.168.80.201 admin/Harbor12345
3. nexus3
可作为 docker
, maven
, yum
, apt
, PyPI
,npm
, go proxy
等私有仓库或代理。
3.1 安装
$ mkdir -p /opt/nexus3 && chown -R 200 /opt/nexus3
$ docker run -d --name nexus3 --restart=always -p 8081:8081 -v /opt/nexus3:/nexus-data sonatype/nexus3
$ docker logs -f nexus3
...
Started Sonatype Nexus OSS 3.37.3-02
3.2 登录
$ docker exec nexus3 cat /nexus-data/admin.password
ac686e08-008c-4f60-aaf3-17a7bea079a1
http://192.168.80.200:8081 admin/ac686e08-008c-4f60-aaf3-17a7bea079a1
admin/admin123
3.3 创建仓库
创建一个私有仓库的方法: Repository->Repositories
点击右边菜单 Create repository
选择 docker (hosted)
- Name: 仓库的名称
- HTTP: 仓库单独的访问端口(例如:8082)
- Hosted -> Deplioyment policy: 请选择 Allow redeploy 否则无法上传 Docker 镜像。
3.4 添加访问权限
菜单 Security->Realms
把 Docker Bearer Token Realm 移到右边的框中保存。
添加用户规则:菜单 Security->Roles
->Create role
在 Privlleges
选项搜索 docker 把相应的规则移动到右边的框中然后保存。
添加用户:菜单 Security->Users
->Create local user
在 Roles
选项中选中刚才创建的规则移动到右边的窗口保存。
3.5 开放端口
$ vi /etc/docker/daemon.json
{
"insecure-registries" : [ "192.168.80.200:8082" ]
}
$ systemctl restart docker
$ docker inspect nexus3 | grep -w IPAddress
"IPAddress": "172.17.0.2",
$ iptables -t nat -vnL
Chain POSTROUTING (policy ACCEPT 327 packets, 17060 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-f2446e4164ee 172.20.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:8081
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-f2446e4164ee * 0.0.0.0/0 0.0.0.0/0
326 16984 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:172.17.0.2:8081
iptables -t nat -A DOCKER -p tcp --dport 8082 -j DNAT --to-destination 172.17.0.2:8082
iptables -t nat -A DOCKER -p tcp ! -i docker0 --dport 8082 -j DNAT --to-destination 172.17.0.2:8082
$ iptables -t nat -vnL DOCKER --line-number
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 RETURN all -- br-f2446e4164ee * 0.0.0.0/0 0.0.0.0/0
3 25 1300 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:172.17.0.2:8081
4 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:172.17.0.2:8082
iptables -t nat -D DOCKER 4
3.6 镜像管理
$ docker login http://192.168.80.200:8082
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/
$ docker tag busybox:latest 192.168.80.200:8082/repository/xtwl/busybox:latest
$ docker push 192.168.80.200:8082/repository/xtwl/busybox:latest
The push refers to repository [192.168.80.200:8082/repository/xtwl/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)