registry - 《docker》

1. Docker Registry 分类
2. docker-registry 安装使用
3. Harbor 安装使用

1. Docker Registry 分类

Docker Registry 有两部分组成：

Repostitory
- 由特定的一组镜像组成的仓库称为 Repostitory
- 一个 Docker Registry 可以包含多个 Repostitory
- Repostitory 可以分为两个大类
- - 官方的仓库，格式仓库名:标签，如 nginx:latest
  - 其它类，如用户仓库、第三方仓库、私有仓库等等
- 一个镜像可以有多个标签
Index

提供用户认证、镜像检索功能

2. docker-registry 安装使用

docker-registry 是 Docker 官方提供的镜像仓库管理软件，可以提供 docker pull 和 docker push 等操作，但是没有web 界面，镜像管理非常不方便，一般不作为私有仓库使用。

[root@centos-82 ~]# yum install -y docker-registry ## 实际安装软件包是 docker distribution

[root@centos-82 ~]# rpm -ql docker-distribution

/etc/docker-distribution/registry/config.yml        ## Configuration
/usr/bin/registry
/usr/lib/systemd/system/docker-distribution.service ## Service
......

[root@centos-82 ~]# vim /etc/docker-distribution/registry/config.yml ## 配置端口和镜像存放目录

version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /data/docker-registry
http:
    addr: :5000

[root@centos-82 ~]# mkdir /data/docker-registry

[root@centos-82 ~]# systemctl start docker-distribution.service

[root@centos-82 ~]# ss -lntp | grep 5000

LISTEN     0      128         :::5000                    :::*                   users:(("registry",pid=9789,fd=3)

[root@centos-81 ~]# docker tag httpd:v0.2 hub.docker.reg:5000/httpd:v0.2 ## /etc/hosts 配置域名映射

[root@centos-81 ~]# docker push hub.docker.reg:5000/httpd:v0.2 ## docker 默认使用https协议

The push refers to a repository [hub.docker.reg:5000/httpd]
Get https://hub.docker.reg:5000/v1/_ping: http: server gave HTTP response to HTTPS client

[root@centos-81 ~]# vim /etc/docker/daemon.json ##添加http协议的registry

{
    "registry-mirrors":["https://registry.docker-cn.com"],
    "insecure-registries":["hub.docker.reg:5000"]
}

[root@centos-81 ~]# systemctl restart docker

[root@centos-81 ~]# docker push hub.docker.reg:5000/httpd:v0.2

[root@centos-81 ~]# curl -s http://192.168.1.82:5000/v2/httpd/tags/list | python -mjson.tool ## 根据仓库名获取tags

{
    "name": "httpd",
    "tags": [
        "v0.2",
        "v0.1"
    ]
}

[root@centos-82 ~]# tree /data/docker-registry/

/data/docker-registry/
└── docker
    └── registry
        └── v2
            ├── blobs
            │   └── sha256
            │       ├── 3f
            │       │   └── 3f22152f75b71784bfb6946248858ace5fad0e1a0db4a208f20607d88810e60c
            │       │       └── data
            │       ├── 6d
            │       │   └── 6df52055d83b6b866af9d4907574421aedfdf3f8c27c1ba45e7d1c9236000f80
            │       │       └── data
            │       └── 95
            │           └── 95090e1ca932d43e6791e981e310d67d50af9ef7fe4ec1fda859064e6533a21c
            │               └── data
            └── repositories
                └── httpd
                    ├── _layers
                    │   └── sha256
                    │       ├── 3f22152f75b71784bfb6946248858ace5fad0e1a0db4a208f20607d88810e60c
                    │       │   └── link
                    │       └── 6df52055d83b6b866af9d4907574421aedfdf3f8c27c1ba45e7d1c9236000f80
                    │           └── link
                    ├── _manifests
                    │   ├── revisions
                    │   │   └── sha256
                    │   │       └── 95090e1ca932d43e6791e981e310d67d50af9ef7fe4ec1fda859064e6533a21c
                    │   │           └── link
                    │   └── tags
                    │       └── v0.2
                    │           ├── current
                    │           │   └── link
                    │           └── index
                    │               └── sha256
                    │                   └── 95090e1ca932d43e6791e981e310d67d50af9ef7fe4ec1fda859064e6533a21c
                    │                       └── link
                    └── _uploads

[root@centos-81 ~]# docker image ls | grep hub

[root@centos-81 ~]# docker pull hub.docker.reg:5000/httpd:v0.1 ## 从私有registry拉取镜像

Trying to pull repository hub.docker.reg:5000/httpd ...
v0.1: Pulling from hub.docker.reg:5000/httpd
Digest: sha256:ec0aa9e4aff0ab1a001f87277324df24281a00513637f0c8045c59c2667f3eb8
Status: Downloaded newer image for hub.docker.reg:5000/httpd:v0.1

[root@centos-81 ~]# docker image ls | grep hub

hub.docker.reg:5000/httpd   v0.1                562ec613ec3a        4 weeks ago         1.2 MB

3. Harbor 安装使用

3.1. Harbor 介绍

Docker-distribution 虽然能实现私有镜像仓库，但是管理复杂，且没有web界面，不支持搜索等。VMware基于docker distribution二次开发了Harbor，实现了web界面管理仓库，功能性极大的增强。Harbor 的特性：

基于多用户，多项目的访问控制
镜像复制
可以在WEB界面管理镜像仓库，并且支持中文
日志审计

3.2. Harbor 安装

3.2.1. 依赖

Resource	Capacity	Description
CPU	minimal 2 CPU	4 CPU is preferred
Mem	minimal 4GB	8GB is preferred
Disk	minimal 40GB	160GB is preferred

Software	Version	Description
Python	version 2.7 or higher	Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default
Docker engine	version 1.10 or higher	For installation instructions, please refer to: https://docs.docker.com/engine/installation/
Docker Compose	version 1.6.0 or higher	For installation instructions, please refer to: https://docs.docker.com/compose/install/
Openssl	latest is preferred	Generate certificate and keys for Harbor

Port	Protocol	Description
443	HTTPS	Harbor portal and core API will accept requests on this port for https protocol
4443	HTTPS	Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled
80	HTTP	Harbor portal and core API will accept requests on this port for http protocol

3.2.2. 安装和配置

[root@centos-82 ~]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.4.tgz

[root@centos-82 ~]# tar -xf harbor-offline-installer-v1.7.4.tgz -C /usr/local/ && cd /usr/local/harbor

[root@centos-82 harbor]# readlink -f docker-compose.yml ## 镜像配置文件，一般只需要配置路径即可

/usr/local/harbor/docker-compose.yml

[root@centos-82 harbor]# grep -Ev “^$|#” harbor.cfg

    _version = 1.7.0
    hostname = hub.docker.reg   ## docker推拉镜像时需要指定的服务端地址
    ui_url_protocol = http      ## 使用的协议
    max_job_workers = 6         ## 最大工作进程数
    customize_crt = on          ## ssl密钥相关，仅在https模式下生效
    ssl_cert = /data/cert/server.crt
    ssl_cert_key = /data/cert/server.key
    secretkey_path = /data
    admiral_url = NA
    log_rotate_count = 50       ## 日志切割配置
    log_rotate_size = 200M
    http_proxy =
    https_proxy = 
    no_proxy = 127.0.0.1,localhost,core,registry  
    email_identity =            ## Email配置项
    email_server = smtp.mydomain.com
    email_server_port = 25
    email_username = sample_admin@mydomain.com
    email_password = abc
    email_from = admin <sample_admin@mydomain.com>
    email_ssl = false
    email_insecure = false
    harbor_admin_password = Harbor12345  ## admin初始密码，可登陆到WEB页面修改
    auth_mode = db_auth
    ldap_url = ldaps://ldap.mydomain.com ## 若关联ldap可以配置该项目
    ldap_basedn = ou=people,dc=mydomain,dc=com
    ldap_uid = uid
    ldap_scope = 2
    ldap_timeout = 5
    ldap_verify_cert = true
    ldap_group_basedn = ou=group,dc=mydomain,dc=com
    ldap_group_filter = objectclass=group
    ldap_group_gid = cn
    ldap_group_scope = 2
    self_registration = on
    token_expiration = 30
    project_creation_restriction = everyone
    db_host = postgresql
    db_password = Database.harbor.123  ## 数据库密码
    db_port = 5432
    db_user = postgres
    redis_host = redis
    redis_port = 6379
    redis_password =
    redis_db_index = 1,2,3
    clair_db_host = postgresql
    clair_db_password = root123
    clair_db_port = 5432
    clair_db_username = postgres
    clair_db = postgres
    clair_updaters_interval = 12
    uaa_endpoint = uaa.mydomain.org
    uaa_clientid = id
    uaa_clientsecret = secret
    uaa_verify_cert = true
    uaa_ca_cert = /path/to/ca.pem
    registry_storage_provider_name = filesystem
    registry_storage_provider_config =
    registry_custom_ca_bundle =

[root@centos-82 harbor]# ./install.sh ## 执行安装脚本，依赖(docker-compose，epel源)

[root@centos-82 harbor]# docker image ls ## 涉及到的镜像

REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
goharbor/chartmuseum-photon     v0.8.1-v1.7.4       7e2272c02339        3 weeks ago         113MB
goharbor/harbor-migrator        v1.7.4              968c31d07d2f        3 weeks ago         678MB
goharbor/redis-photon           v1.7.4              611d1ead0a28        3 weeks ago         99.7MB
goharbor/clair-photon           v2.0.7-v1.7.4       01090529ab14        3 weeks ago         165MB
goharbor/notary-server-photon   v0.6.1-v1.7.4       737518b1b943        3 weeks ago         135MB
goharbor/notary-signer-photon   v0.6.1-v1.7.4       495dc3326120        3 weeks ago         132MB
goharbor/harbor-registryctl     v1.7.4              723aed7bbf8d        3 weeks ago         102MB
goharbor/registry-photon        v2.6.2-v1.7.4       f4743bd7b0d9        3 weeks ago         86.7MB
goharbor/nginx-photon           v1.7.4              dda34e6afafe        3 weeks ago         35.9MB
goharbor/harbor-log             v1.7.4              bf4916eef530        3 weeks ago         81.4MB
goharbor/harbor-jobservice      v1.7.4              1b6a0445ae9c        3 weeks ago         84.1MB
goharbor/harbor-core            v1.7.4              e603b8750d26        3 weeks ago         95.6MB
goharbor/harbor-portal          v1.7.4              2ca1d845cafa        3 weeks ago         40.6MB
goharbor/harbor-adminserver     v1.7.4              5706c65d65dc        3 weeks ago         72.3MB
goharbor/harbor-db              v1.7.4              08d163f732f3        3 weeks ago         136MB

[root@centos-82 harbor]# docker container ls

CONTAINER ID        IMAGE                                    COMMAND                  ......
d5c7eeca50fb        goharbor/nginx-photon:v1.7.4             "nginx -g 'daemon of…"   ......
6ec59a513f9a        goharbor/harbor-portal:v1.7.4            "nginx -g 'daemon of…"   ......
201267927c06        goharbor/harbor-jobservice:v1.7.4        "/harbor/start.sh"       ......
3711d9548a8b        goharbor/harbor-core:v1.7.4              "/harbor/start.sh"       ......
1c092514ca13        goharbor/harbor-registryctl:v1.7.4       "/harbor/start.sh"       ......
264c26f4d27c        goharbor/harbor-adminserver:v1.7.4       "/harbor/start.sh"       ......
527ceb179532        goharbor/registry-photon:v2.6.2-v1.7.4   "/entrypoint.sh /etc…"   ......
127009add4f7        goharbor/harbor-db:v1.7.4                "/entrypoint.sh post…"   ......
ca8dcdd36bc1        goharbor/redis-photon:v1.7.4             "docker-entrypoint.s…"   ......
a850c81e3abb        goharbor/harbor-log:v1.7.4               "/bin/sh -c /usr/loc…"   ......

[root@centos-82 harbor]# netstat -lntp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      11409/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      12326/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      12312/docker-proxy
tcp6       0      0 :::4443                 :::*                    LISTEN      12299/docker-proxy

[root@centos-82 ~]# cat /etc/docker/daemon.json

{
    "registry-mirrors":["http://hub-mirror.c.163.com","https://registry.docker-cn.com"],
    "insecure-registries":["hub.docker.reg"]
}

[root@centos-82 ~]# cat /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.1.82  hub.docker.reg

3.2.3. 启停Harbor

停止Harbor

[root@centos-82 ~]# cd /usr/local/harbor/ ## change woker directory to harbor root directory.

[root@centos-82 harbor]# docker-compose stop

Stopping nginx              ... done
Stopping harbor-portal      ... done
Stopping harbor-jobservice  ... done
Stopping harbor-core        ... done
Stopping registryctl        ... done
Stopping harbor-adminserver ... done
Stopping registry           ... done
Stopping harbor-db          ... done
Stopping redis              ... done
Stopping harbor-log         ... done

启动Harbor

[root@centos-82 ~]# cd /usr/local/harbor/

[root@centos-82 harbor]# docker-compose start

Starting log         ... done
Starting registry    ... done
Starting adminserver ... done
Starting core        ... done
Starting redis       ... done
Starting jobservice  ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting proxy       ... done

3.3. Harbor 使用

registry - 图1

registry - 图2

[root@centos-81 ~]# docker tag nginx:latest hub.docker.reg/devops/nginx:latest

[root@centos-81 ~]# docker login -u admin hub.docker.reg ## Login

Password:
Login Succeeded

[root@centos-81 ~]# docker push hub.docker.reg/devops/nginx:latest ## Docker push

The push refers to a repository [hub.docker.reg/devops/nginx]
6b5e2ed60418: Pushed
92c15149e23b: Pushed
0a07e81f5da3: Pushed
latest: digest: sha256:5b49c8e2c890fbb0a35f6050ed3c5109c5bb47b9e774264f4f3aa85bb69e2033 size: 948

[root@centos-81 ~]# docker logout hub.docker.reg ## Logout

[root@centos-81 ~]# docker image pull hub.docker.reg/devops/nginx:latest ## Docker pull

Trying to pull repository hub.docker.reg/devops/nginx ...
latest: Pulling from hub.docker.reg/devops/nginx
Digest: sha256:5b49c8e2c890fbb0a35f6050ed3c5109c5bb47b9e774264f4f3aa85bb69e2033
Status: Downloaded newer image for hub.docker.reg/devops/nginx:latest

[root@centos-81 ~]# docker image ls | grep hub.docker.reg

hub.docker.reg/devops/nginx   latest              f09fe80eb0e7        7 weeks ago         109 MB