
Cloud Native 01: Creating a Private Image Registry with Encrypted Authentication

Introduction to private registries

https://hub.docker.com

Building a Docker private registry with registry

Start

$ docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:latest
# Test
$ curl localhost:5000/v2/_catalog
{"repositories":[]}
  • Both the registry host and every other host must add the registry address to the Docker daemon config file
# vim /etc/docker/daemon.json
{
    "registry-mirrors": ["https://docker.xuanyuan.me"],
    "insecure-registries": ["192.168.59.64:5000"]
}
# Restart the Docker service; `docker info` then shows that the config took effect
  • Test
# On the registry host, pull busybox
$ docker pull busybox
# Re-tag it with the registry address
$ docker tag busybox:latest 192.168.59.64:5000/busybox:v1
# Push to the registry
$ docker push 192.168.59.64:5000/busybox:v1
The push refers to repository [192.168.59.64:5000/busybox]
59654b79daad: Pushed 
v1: digest: sha256:9307d4acaeed71c4c6ba84494aef0464ffc446a5d91f0a7c196fa8eda1bf0590 size: 527
# Check
$ curl localhost:5000/v2/_catalog
{"repositories":["busybox"]}
# Inspect repositories and tags through the bind-mounted directory (keep this directory safe on the physical host so the registry is not lost)
$ tree /opt/registry
# Test pulling from the registry on another host
$ docker pull 192.168.59.64:5000/busybox:v1
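Since the bind-mounted directory above is what a backup of the registry consists of, here is an added integrity check over it (example code, not from the original post): it walks the registry's v2 storage layout, prints each repository:tag with the manifest digest the tag points to (the same digest `docker push` printed), and fails if a referenced manifest blob is missing or no longer hashes to its name. ROOT (the /opt/registry path) is an assumed argument.

```shell
#!/bin/sh
# Added example (not from the original post): integrity check over the
# registry's storage directory (the /opt/registry path bind-mounted above).
# Layout is the registry v2 storage format; ROOT is an assumed argument.
set -eu

# check_registry ROOT: prints "repo tag digest" per tag; returns 1 if any
# manifest blob is missing or its sha256 no longer matches the digest.
check_registry() {
  v2=$1/docker/registry/v2
  rc=0
  for link in $(find "$v2/repositories" -path '*/_manifests/tags/*/current/link'); do
    # .../repositories/<repo>/_manifests/tags/<tag>/current/link
    tag=$(basename "$(dirname "$(dirname "$link")")")
    repo=${link#"$v2/repositories/"}
    repo=${repo%/_manifests/tags/*}
    digest=$(cat "$link")          # e.g. sha256:9307d4ac... as printed by docker push
    hex=${digest#sha256:}
    prefix=${hex%"${hex#??}"}      # first two hex chars select the blob subdirectory
    blob="$v2/blobs/sha256/$prefix/$hex/data"
    if [ ! -f "$blob" ]; then
      echo "$repo:$tag -> $digest: manifest blob missing" >&2
      rc=1; continue
    fi
    actual=$(sha256sum "$blob" | cut -d' ' -f1)
    if [ "$actual" != "$hex" ]; then
      echo "$repo:$tag -> $digest: manifest blob corrupt (got sha256:$actual)" >&2
      rc=1; continue
    fi
    echo "$repo $tag $digest"
  done
  return $rc
}
```

Run it as `check_registry /opt/registry` before and after copying the directory; a non-zero exit means the copy is not a usable backup.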

Hands-on: building a Docker private registry with Harbor

Developing and running Docker container applications depends on reliable image management. Although Docker provides a public image registry, deploying a Registry inside our own private environment is necessary for reasons of security and efficiency. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware; it provides role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese-language support. Official site: https://github.com/goharbor/harbor

Deployment steps

  • Issue a self-signed certificate for Harbor
$ mkdir /data/ssl -p
$ cd /data/ssl
  • Generate the CA private key and root certificate

    # Generate the CA private key: a 3072-bit RSA key
    $ openssl genrsa -out ca.key 3072
    # Generate the self-signed CA certificate ca.pem; 3650 means it is valid for 10 years. Fill in the prompts as shown below
    $ openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    # Country
    Country Name (2 letter code) [XX]:CN
    # Province (any value)
    State or Province Name (full name) []:chengdu
    # City (any value)
    Locality Name (eg, city) [Default City]:chengdu
    # Company (any value)
    Organization Name (eg, company) [Default Company Ltd]:master
    # Department (any value)
    Organizational Unit Name (eg, section) []:CA
    # Hostname (required; must match the server's domain name)
    Common Name (eg, your name or your server's hostname) []:xuegod64
    # Email (any value; may be left blank)
    Email Address []:test@163.com
    

  • Generate the domain certificate

# Generate the domain certificate private key: a 3072-bit RSA key
$ openssl genrsa -out harbor.key 3072
# Generate the certificate signing request; answer with the same values as before and skip the challenge password and optional company name
$ openssl req -new -key harbor.key -out harbor.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:chengdu
Locality Name (eg, city) [Default City]:chengdu
Organization Name (eg, company) [Default Company Ltd]:master
Organizational Unit Name (eg, section) []:CA 
Common Name (eg, your name or your server's hostname) []:xuegod64
Email Address []:test@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Sign the domain certificate from the CSR with the CA
$ openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
Signature ok
subject=C = CN, ST = chengdu, L = chengdu, O = master, OU = CA, CN = xuegod64, emailAddress = test@163.com
Getting CA Private Key
  • All certificates have been issued
$ ls
ca.key  ca.pem  ca.srl  harbor.csr  harbor.key  harbor.pem
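The same CA and domain certificate procedure as an added non-interactive script (example code, not from the original post). It goes one step beyond the prompts above by attaching subjectAltName entries when signing, because Docker's Go-based TLS client rejects a server certificate whose hostname is only in the CN; the subject values, the hostname xuegod64 and the IP 192.168.59.64 are the post's, DIR is an assumed argument.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# CA + server certificate steps above, producing the same files (ca.key, ca.pem,
# ca.srl, harbor.key, harbor.csr, harbor.pem) plus a SAN extension file.
set -eu

# make_harbor_certs DIR HOSTNAME [IP]: CA and SAN-bearing server certificate into DIR
make_harbor_certs() {
  dir=$1; host=$2; ip=${3:-}
  mkdir -p "$dir"
  # CA private key and self-signed root certificate (3650 days, as on the page)
  openssl genrsa -out "$dir/ca.key" 3072 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/C=CN/ST=chengdu/L=chengdu/O=master/OU=CA/CN=harbor-ca"
  # Server private key and certificate signing request; CN is the hostname
  openssl genrsa -out "$dir/harbor.key" 3072 2>/dev/null
  openssl req -new -key "$dir/harbor.key" -out "$dir/harbor.csr" \
    -subj "/C=CN/ST=chengdu/L=chengdu/O=master/OU=CA/CN=$host"
  # Extensions: SAN with the DNS name (and IP, if given), server EKU, not a CA
  san="DNS:$host"
  [ -n "$ip" ] && san="$san,IP:$ip"
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$san" > "$dir/harbor.ext"
  # Sign the CSR with the CA (creates ca.srl), attaching the extensions
  openssl x509 -req -in "$dir/harbor.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/harbor.ext" \
    -out "$dir/harbor.pem" 2>/dev/null
}

# verify_harbor_cert DIR HOSTNAME: chain verifies against ca.pem and SAN holds the hostname
verify_harbor_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/harbor.pem" >/dev/null &&
    openssl x509 -in "$dir/harbor.pem" -noout -text | grep -q "DNS:$host"
}

# Usage: make_harbor_certs /data/ssl xuegod64 192.168.59.64 && verify_harbor_cert /data/ssl xuegod64
```

Copy ca.pem to each client host as /etc/docker/certs.d/xuegod64/ca.crt (and under /etc/docker/certs.d/192.168.59.64/ if you log in by IP) so the Docker daemon verifies Harbor's certificate instead of having the registry listed under insecure-registries.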
  • Install Harbor

  • Download the installer

# registry conflicts with Harbor; remove the registry container first
$ docker rm -f registry
$ mkdir /data/install
$ cd /data/install
# Find 2.3.0 on https://github.com/goharbor/harbor and download it
# $ wget https://github.com/goharbor/harbor/releases/download/v2.3.0/harbor-offline-installer-v2.3.0.tgz
# Or download the latest version
$ wget https://github.com/goharbor/harbor/releases/download/v2.12.1/harbor-offline-installer-v2.12.1.tgz
# If the network is good, you can try the online installer instead
  1. Configure harbor.yml
hostname: xuegod64
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/ssl/harbor.pem
  private_key: /data/ssl/harbor.key
  2. Install
$ cd /data/install/harbor
$ sh install.sh
  3. Extra: how to stop Harbor:
$ cd /data/install/harbor
$ docker-compose stop 
# How to start Harbor:
$ cd /data/install/harbor
$ docker compose up -d

To access Harbor from outside, add an entry to the hosts file

192.168.59.64 xuegod64
  4. Log in and check

https://xuegod64

For the default username and password see harbor.yml, e.g. admin / Harbor12345

Access from other hosts

  1. Edit /etc/docker/daemon.json
# daemon.json is plain JSON and allows no comments; to use the hostname instead of the IP, set "insecure-registries": ["xuegod64"]
{
    "registry-mirrors": ["https://docker.xuanyuan.me"],
    "insecure-registries": ["192.168.59.64"]
}

Image operations

# -p leaves the password in shell history; `docker login -u admin --password-stdin 192.168.59.64` reads it from stdin instead
$ docker login -u admin -p Harbor12345 192.168.59.64
# The tag must include the Harbor project name (here the "test" project)
$ docker tag tomcat:latest 192.168.59.64/test/tomcat:v1
# After the push completes, the image is visible in the web UI
$ docker push 192.168.59.64/test/tomcat:v1
# After deleting the local image, pull it back from Harbor
$ docker pull 192.168.59.64/test/tomcat:v1

Alibaba Cloud private registry

Search for the Container Registry service, set a password, create a namespace; explore the rest yourself
