
Docker Image Registries

  • 2025-04-22
    Fujian

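The concept of a Docker image registry


In the Docker ecosystem, a Docker image registry (Docker Registry) is a service that stores and distributes Docker images. It is similar to the package management systems of programming languages: developers can upload, download, and manage Docker images through it. Docker provides an official public registry service called Docker Hub, but you can also run a private registry on your own servers.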


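Features of a Docker registry


  • Image storage: a Docker image registry stores Docker images. These can be official images or images that users build themselves.

  • Versioning: each image can have multiple versions (tags), which makes it easy to roll back to an earlier version or to use a specific one.

  • Distribution: through a registry, users can easily share and distribute their Docker images to other users or teams.

  • Authentication and security: many registries support role-based access control (RBAC), which lets administrators control who can access which images.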


Types of Docker image registry


Docker image registries fall into two main groups: public registries and private registries.


Public registries


The public registry provided officially by Docker is called Docker Hub, at https://hub.docker.com. Other vendors have since launched public registries of their own. Docker Hub is currently not reachable from mainland China, so a proxy (registry mirror) has to be configured to access it; the following can be used as a reference:


    sudo mkdir -p /etc/docker
    sudo tee /etc/docker/daemon.json <<EOF
    {
      "registry-mirrors": [
        "https://docker.1ms.run",
        "https://docker.mybacc.com",
        "https://dytt.online",
        "https://lispy.org",
        "https://docker.xiaogenban1993.com",
        "https://docker.yomansunter.com",
        "https://aicarbon.xyz",
        "https://666860.xyz",
        "https://docker.zhai.cm",
        "https://a.ussh.net",
        "https://hub.littlediary.cn",
        "https://hub.rat.dev",
        "https://docker.m.daocloud.io"
      ]
    }
    EOF
    sudo systemctl daemon-reload
    sudo systemctl restart docker


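Private registries


Companies and organizations that need more security and control can set up a private registry on their own servers. There are several ways to do this:


  • Docker Registry: Docker provides a lightweight, open-source registry service called Docker Registry. It is easy to deploy on your own server and provides basic image storage and distribution.

  • Harbor: Harbor is an open-source registry service for securely hosting and efficiently distributing OCI-compliant artifacts such as container images and Helm charts. It helps you manage artifacts consistently and securely across cloud-native platforms such as Kubernetes and Docker.

  • Cloud services: many cloud providers (such as AWS, Azure, and Google Cloud) offer managed Docker image registries, for example Amazon Elastic Container Registry (ECR), Azure Container Registry (ACR), and Google Container Registry (GCR).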


Private registry: setting up Docker Registry


Pull the image


    [root@lb ~]# docker pull registry
    Using default tag: latest
    latest: Pulling from library/registry
    f18232174bc9: Pull complete
    e5a9c19e7b9d: Pull complete
    e8a894506e86: Pull complete
    e1822bac1992: Pull complete
    b5da7f963a9e: Pull complete
    Digest: sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7
    Status: Downloaded newer image for registry:latest
    docker.io/library/registry:latest
    [root@lb ~]# docker images | grep registry
    registry               latest    3dec7d02aaea   2 weeks ago     57.7MB


Run the container


    # Check which volume needs to be mounted
    [root@lb ~]# docker inspect registry | jq .[].Config.Volumes
    {
      "/var/lib/registry": {}
    }
    # Check which port needs to be mapped
    [root@lb ~]# docker inspect registry | jq .[].Config.ExposedPorts
    {
      "5000/tcp": {}
    }

    # Run the container
    [root@lb ~]# docker run -d --name registry -p 5000:5000 --restart always -v /data/docker/registry:/var/lib/registry registry
    2e0087e93d0d5070d4d232fdf081bf6be9b6a71f2f72d83ccf01e1a2fb9acfa3
    [root@lb ~]# docker ps -a | grep registry
    2e0087e93d0d   registry       "/entrypoint.sh /etc…"   8 seconds ago   Up 8 seconds            0.0.0.0:5000->5000/tcp, [::]:5000->5000/tcp              registry


Test access


http://10.0.0.10:5000/v2/_catalog



Allowing Docker to access the registry over HTTP


Docker communicates with registries over HTTPS by default; here we configure Docker to access the registry over HTTP.


Example: without the HTTP configuration, pushing an image fails with an error


    # Tag the image
    [root@lb ~]# docker tag mysql:5.7 10.0.0.10:5000/huangsir/mysql:5.7

    # Push the image
    [root@lb ~]# docker push 10.0.0.10:5000/huangsir/mysql:5.7
    The push refers to repository [10.0.0.10:5000/huangsir/mysql]
    Get "https://10.0.0.10:5000/v2/": http: server gave HTTP response to HTTPS client


Configuring HTTP in Docker


Add the setting { "insecure-registries": ["10.0.0.10:5000"] } to /etc/docker/daemon.json so that Docker treats this address as trusted. The IP here can also be replaced with a domain name.


    [root@lb ~]# cat /etc/docker/daemon.json
    {
      "registry-mirrors": [
        ...
      ],
      "insecure-registries": [
        "10.0.0.10:5000"
      ]
    }
    [root@lb ~]# systemctl daemon-reload
    [root@lb ~]# systemctl restart docker


Push the image again and check the result:


    [root@lb ~]# docker push 10.0.0.10:5000/huangsir/mysql:5.7
    The push refers to repository [10.0.0.10:5000/huangsir/mysql]
    441e16cac4fe: Pushed
    73cb62467b8f: Pushed
    337ec6bae222: Pushed
    532b66f4569d: Pushed
    0d9e9a9ce9e4: Pushed
    4555572a6bb2: Pushed
    8527ccd6bd85: Pushed
    d76a5f910f6b: Pushed
    8b2952eb02aa: Pushed
    7ff7abf4911b: Pushed
    cff044e18624: Pushed
    5.7: digest: sha256:4b6c4935195233bc10b617df3cc725a9ddd5a7f10351a7bf573bea0b5ded7649 size: 2618

    [root@lb ~]# curl http://10.0.0.10:5000/v2/_catalog
    {"repositories":["huangsir/mysql"]}


How to list the versions (tags) of an image in the registry


    curl http://<your-server-ip>:5000/v2/<your-image-name>/tags/list


    [root@lb ~]# curl http://10.0.0.10:5000/v2/huangsir/mysql/tags/list
    {"name":"huangsir/mysql","tags":["5.7"]}
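A tag such as 5.7 can be re-pointed at a different image, and over plain HTTP nothing authenticates the registry's answer, whereas the digest printed by docker push identifies the exact manifest bytes. The following added example (not from the original article) checks a fetched manifest against a pinned digest; the function names are illustrative, and the fetch command in the comments uses this page's host and repository.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Function names are illustrative.
# Fetch the manifest and its response headers first (not run here):
#   curl -s -D headers.txt -o manifest.json \
#     -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
#     -H 'Accept: application/vnd.oci.image.manifest.v1+json' \
#     http://10.0.0.10:5000/v2/huangsir/mysql/manifests/5.7

# Digest of a file in the "sha256:<hex>" form that docker push prints.
file_digest() {
  printf 'sha256:%s\n' "$({ sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{print $1}')"
}

# Value of the Docker-Content-Digest response header (name matched case-insensitively).
header_digest() {
  tr -d '\r' < "$1" | awk 'tolower($0) ~ /^docker-content-digest:/ {
    sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_manifest HEADERS BODY PINNED_DIGEST
# Succeeds only if the body hashes to the pinned digest and the header agrees.
check_manifest() {
  local body hdr
  body=$(file_digest "$2")
  hdr=$(header_digest "$1")
  if [ "$body" != "$3" ]; then
    echo "MISMATCH: manifest body is $body, pinned $3" >&2; return 1
  fi
  if [ "$hdr" != "$3" ]; then
    echo "MISMATCH: header reports ${hdr:-none}, pinned $3" >&2; return 1
  fi
  echo "OK: $3"
}

# Once the digest is known, pull by digest instead of by tag:
#   docker pull 10.0.0.10:5000/huangsir/mysql@sha256:<pinned digest>
```
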


Configuring username and password access for the registry


Create a directory to hold the authentication data and use the htpasswd command to create a username and password. For example:


    [root@lb ~]# mkdir -p /data/docker/auth
    [root@lb ~]# htpasswd -Bbn admin 123456 > /data/docker/auth/htpasswd
    [root@lb ~]# cat /data/docker/auth/htpasswd
    admin:$2y$05$mAp6m7bU5RlQvG808YmRDu6.vgg3q4cMOcCCDZYWkquBqaJrGQtLO


This creates a user named admin with the password 123456.


Create the container


    [root@lb ~]# docker run -d --name registry -p 5000:5000 --restart always \
    -v /data/docker/registry:/var/lib/registry \
    -v /data/docker/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    registry
    b355fdcdb98093ca05d66dd0ddd9246af2e8e81653d8975ed6bcbb7a3fd9b234

    [root@lb ~]# docker ps -a
    CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS                        PORTS                                                    NAMES
    b355fdcdb980   registry       "/entrypoint.sh /etc…"   4 seconds ago   Up 4 seconds                  0.0.0.0:5000->5000/tcp, [::]:5000->5000/tcp              registry


Test pulling the image


    # Pulling the image now reports that authentication is required
    [root@lb ~]# docker pull 10.0.0.10:5000/huangsir/mysql:5.7
    Error response from daemon: Head "http://10.0.0.10:5000/v2/huangsir/mysql/manifests/5.7": no basic auth credentials


Log in to the registry


    docker login -u admin -p 123456 10.0.0.10:5000


Once it returns the login success message, you are done.
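The htpasswd entry shown above starts with $2y$05$, that is bcrypt at cost 5, the htpasswd default. The following added example (not from the original article) reviews an htpasswd file for entries that are not bcrypt or whose cost is below a threshold; the function name and the threshold of 10 are illustrative assumptions, and every sample line except the admin one is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): review the file mounted at /auth/htpasswd.
# A stronger entry can be created interactively, which also keeps the password
# out of the shell history:  htpasswd -B -C 12 /data/docker/auth/htpasswd admin

# audit_htpasswd FILE [MIN_COST]
# Prints one finding per weak entry and returns 1 if any entry is weak.
audit_htpasswd() {
  awk -F: -v min="${2:-10}" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      user = $1; hash = $2
      if (hash !~ /^[$]2[aby][$][0-9][0-9][$]/) {
        # the registry htpasswd backend only accepts bcrypt entries
        printf "%s: not bcrypt\n", user
        bad = 1
      } else {
        cost = substr(hash, 5, 2) + 0            # two digits after the "$2y$" prefix
        if (cost < min) {
          printf "%s: bcrypt cost %d is below %d\n", user, cost, min
          bad = 1
        }
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Sample file: the admin line is the one shown above, the other two are constructed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:$2y$05$mAp6m7bU5RlQvG808YmRDu6.vgg3q4cMOcCCDZYWkquBqaJrGQtLO
ci:$2y$12$CONSTRUCTED00000000000000000000000000000000000000000000
legacy:{SHA}CONSTRUCTED0000000000000000=
EOF
audit_htpasswd "$sample" 10 || true
rm -f "$sample"
```
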


Private registry: setting up and using Harbor


Deploying Harbor with Docker requires Docker Compose!


Harbor source repository: https://github.com/goharbor/harbor


Deploy Harbor


    # Download Harbor
    [root@lb ~]# wget https://github.com/goharbor/harbor/releases/download/v2.13.0/harbor-offline-installer-v2.13.0.tgz
    [root@lb ~]# ll harbor-offline-installer-v2.13.0.tgz
    -rw-r--r-- 1 root root 657690441 Apr 20 13:47 harbor-offline-installer-v2.13.0.tgz

    # Extract
    [root@lb ~]# tar -xvf harbor-offline-installer-v2.13.0.tgz
    harbor/harbor.v2.13.0.tar.gz
    harbor/prepare
    harbor/LICENSE
    harbor/install.sh
    harbor/common.sh
    harbor/harbor.yml.tmpl


Edit the Harbor configuration file


    [root@lb ~/harbor]# cd harbor
    [root@lb ~/harbor]# mv harbor.yml.tmpl harbor.yml

    # Only the settings below need to be changed
    [root@lb ~/harbor]# vim harbor.yml
    # Hostname used for access. Any domain name will do for now
    hostname: reg.huangsir.com

    ##### Comment out the https-related settings
    #https:
      # https port for harbor, default is 443
      #port: 443
      # The path of cert and key files for nginx
      #certificate: /your/certificate/path
      #private_key: /your/private/key/path
      # enable strong ssl ciphers (default: false)
      # strong_ssl_ciphers: false

    ## Change the admin password
    harbor_admin_password: 123456

    ## Change the data volume to mount
    data_volume: /data/harbor/regsitry


Install Harbor


Harbor uses port 80 by default. Make sure port 80 on the host is not already in use, or edit the docker-compose.yaml file to change port 80 to another port.


    # Create the data directory first
    [root@lb ~/harbor]# mkdir -p /data/harbor/regsitry
    # Run the pre-install preparation script; it should end with "Successfully"
    [root@lb ~/harbor]# ./prepare
    ......
    # (lengthy output omitted)
    Successfully called func: create_root_cert
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir

    # Run the installer; it should end with "successfully"
    [root@lb ~/harbor]# ./install.sh
    .....
    # (lengthy output omitted)
    [+] Running 10/10
     ✔ Network harbor_harbor        Created     0.0s
     ✔ Container harbor-log         Started     0.3s
     ✔ Container harbor-portal      Started     1.4s
     ✔ Container registryctl        Started     1.2s
     ✔ Container registry           Started     1.4s
     ✔ Container harbor-db          Started     1.3s
     ✔ Container redis              Started     1.2s
     ✔ Container harbor-core        Started     1.7s
     ✔ Container harbor-jobservice  Started     2.5s
     ✔ Container nginx              Started     2.6s
    ✔ ----Harbor has been installed and started successfully.----

    # Check the running status
    [root@lb ~/harbor]# docker-compose ps
    NAME                IMAGE                                 COMMAND                  SERVICE       CREATED          STATUS                    PORTS
    harbor-core         goharbor/harbor-core:v2.13.0          "/harbor/entrypoint.…"   core          55 seconds ago   Up 53 seconds (healthy)
    harbor-db           goharbor/harbor-db:v2.13.0            "/docker-entrypoint.…"   postgresql    55 seconds ago   Up 54 seconds (healthy)
    harbor-jobservice   goharbor/harbor-jobservice:v2.13.0    "/harbor/entrypoint.…"   jobservice    55 seconds ago   Up 46 seconds (healthy)
    harbor-log          goharbor/harbor-log:v2.13.0           "/bin/sh -c /usr/loc…"   log           55 seconds ago   Up 54 seconds (healthy)   127.0.0.1:1514->10514/tcp
    harbor-portal       goharbor/harbor-portal:v2.13.0        "nginx -g 'daemon of…"   portal        55 seconds ago   Up 54 seconds (healthy)
    nginx               goharbor/nginx-photon:v2.13.0         "nginx -g 'daemon of…"   proxy         55 seconds ago   Up 53 seconds (healthy)   0.0.0.0:80->8080/tcp, [::]:80->8080/tcp
    redis               goharbor/redis-photon:v2.13.0         "redis-server /etc/r…"   redis         55 seconds ago   Up 54 seconds (healthy)
    registry            goharbor/registry-photon:v2.13.0      "/home/harbor/entryp…"   registry      55 seconds ago   Up 54 seconds (healthy)
    registryctl         goharbor/harbor-registryctl:v2.13.0   "/home/harbor/start.…"   registryctl   55 seconds ago   Up 54 seconds (healthy)


Access Harbor in a browser


http://10.0.0.10:80/ (or use the domain name you configured)



Log in to Harbor:


Username: admin. Password: the one we configured earlier, 123456.



Using the Harbor registry


Allowing Docker to access the Harbor registry over HTTP


Add the setting { "insecure-registries": ["reg.huangsir.com"] } to /etc/docker/daemon.json so that Docker treats this address as trusted. The IP here can also be replaced with a domain name.


    [root@lb ~]# cat /etc/docker/daemon.json
    {
      "registry-mirrors": [
        ...
      ],
      "insecure-registries": [
        "10.0.0.10:5000",
        "reg.huangsir.com"
      ]
    }
    [root@lb ~]# systemctl daemon-reload
    [root@lb ~]# systemctl restart docker


Log in to the Harbor registry


    # Add a local hosts entry
    [root@lb ~/harbor]# echo '10.0.0.10 reg.huangsir.com' >> /etc/hosts
    # Log in
    [root@lb ~/harbor]# docker login -u admin -p 123456 reg.huangsir.com
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.

    WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/go/credential-store/

    Login Succeeded


Push an image to the Harbor registry


Create a new project in Harbor



Push the image


    # Tag the image
    [root@lb ~/harbor]# docker tag mysql:5.7 reg.huangsir.com/private/mysql:5.7

    # Push the image
    [root@lb ~/harbor]# docker push reg.huangsir.com/private/mysql:5.7
    The push refers to repository [reg.huangsir.com/private/mysql]
    441e16cac4fe: Mounted from library/mysql
    73cb62467b8f: Mounted from library/mysql
    337ec6bae222: Pushed
    532b66f4569d: Mounted from library/mysql
    0d9e9a9ce9e4: Pushed
    4555572a6bb2: Pushed
    8527ccd6bd85: Pushed
    d76a5f910f6b: Pushed
    8b2952eb02aa: Pushed
    7ff7abf4911b: Pushed
    cff044e18624: Pushed
    5.7: digest: sha256:4b6c4935195233bc10b617df3cc725a9ddd5a7f10351a7bf573bea0b5ded7649 size: 2618


Checking in the browser shows that our image has been pushed successfully.



Configuring HTTPS access for the Harbor registry


Edit the harbor.yml file and uncomment the https section.


    [root@lb ~/harbor]# vim harbor.yml
    https:
      # https port
      port: 443
      # certificate (public key)
      certificate: /your/certificate/path
      # private key
      private_key: /your/private/key/path

    # Restart after making the change
    [root@lb ~/harbor]# docker-compose restart
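The certificate and private_key paths above are placeholders, and the standalone registry earlier was reachable only through an insecure-registries entry. The following added example (not from the original article) creates a self-signed certificate whose subject alternative names cover the name and IP clients use, and installs it where the Docker daemon looks for per-registry CAs, so neither registry needs an insecure-registries entry. The function names, the /data/docker/certs directory and the 3072-bit key size are assumptions; a CA-issued certificate replaces the self-signed one outside a lab.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Function names and paths are illustrative.
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"   # the Docker daemon reads per-registry CAs from here

# make_cert DIR DNS_NAME IP
# Writes DIR/registry.key and DIR/registry.crt (self-signed, one year).
# Clients must address the registry by a name or IP listed in subjectAltName.
make_cert() {
  mkdir -p "$1" && chmod 700 "$1" &&
  openssl req -x509 -newkey rsa:3072 -sha256 -days 365 -nodes \
    -keyout "$1/registry.key" -out "$1/registry.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2,IP:$3" &&
  chmod 600 "$1/registry.key"
}

# trust_cert CERT HOST[:PORT]
# Installs CERT as ca.crt for exactly that registry address; the directory
# name must match what appears in image names, including the port.
trust_cert() {
  mkdir -p "$CERTS_D/$2" && cp "$1" "$CERTS_D/$2/ca.crt"
}

# Usage on the registry host and on each client (not run here):
#   make_cert /data/docker/certs reg.huangsir.com 10.0.0.10
#   trust_cert /data/docker/certs/registry.crt 10.0.0.10:5000
#   trust_cert /data/docker/certs/registry.crt reg.huangsir.com
#
# Standalone registry with TLS instead of plain HTTP:
#   docker run -d --name registry -p 5000:5000 --restart always \
#     -v /data/docker/registry:/var/lib/registry \
#     -v /data/docker/certs:/certs \
#     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
#     -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
#     registry
#
# Harbor: set certificate and private_key in harbor.yml to the two files and
# rerun ./prepare so the generated proxy configuration picks them up.
```
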


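Private registry: using Alibaba Cloud Container Registry (ACR)


Alibaba Cloud Container Registry console: https://cr.console.aliyun.com/cn-hangzhou/instance/dashboard. The Personal Edition of Alibaba Cloud Container Registry can be tried for free, but with limits: only three namespaces and three hundred repositories.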



Log in to Alibaba Cloud Container Registry


Click "Access Credential". There we can set a fixed password, which is then used for subsequent logins.



    [root@lb ~/harbor]# docker login --username=灬halo丨少年 crpi-jzkigw8wlyp1a5sg.cn-hangzhou.personal.cr.aliyuncs.com

    i Info → A Personal Access Token (PAT) can be used instead.
             To create a PAT, visit https://app.docker.com/settings

    Password:
    WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/go/credential-store/

    Login Succeeded


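Create a namespace and an image repository


Create a namespace




Create an image repository



Select "local repository"



And with that, our image repository is created.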



Test uploading an image


    [root@lb ~/harbor]# docker tag mysql:5.7 crpi-jzkigw8wlyp1a5sg.cn-hangzhou.personal.cr.aliyuncs.com/huangxin/mysql:5.7
    [root@lb ~/harbor]# docker push crpi-jzkigw8wlyp1a5sg.cn-hangzhou.personal.cr.aliyuncs.com/huangxin/mysql:5.7
    The push refers to repository [crpi-jzkigw8wlyp1a5sg.cn-hangzhou.personal.cr.aliyuncs.com/huangxin/mysql]
    441e16cac4fe: Pushed
    73cb62467b8f: Pushed
    337ec6bae222: Pushed
    532b66f4569d: Pushed
    0d9e9a9ce9e4: Pushed
    4555572a6bb2: Pushed
    8527ccd6bd85: Pushed
    d76a5f910f6b: Pushed
    8b2952eb02aa: Pushed
    7ff7abf4911b: Pushed
    cff044e18624: Pushed
    5.7: digest: sha256:4b6c4935195233bc10b617df3cc725a9ddd5a7f10351a7bf573bea0b5ded7649 size: 2618


Check the repository in the Alibaba Cloud console



Reposted from: huangSir-devops

Original article: https://www.cnblogs.com/huangSir-devops/p/18836093
