私有仓库搭建 (两种方案)
- registry (非生产)
- harbor (生产环境,企业级私有仓库)
方案一 利用registry搭建
拉取register镜像
docker pull registry:2
创建容器
docker run -d -p 5000:5000 registry:2
给本地镜像打一个tag
docker tag zookeeper:3.5 localhost:5000/zookeeper:3.5
将本地仓库上传到私有仓库中
docker push localhost:5000/zookeeper:3.5
image
此方案存在的问题?
- 存在单点故障问题
- 跟用户交互不友好,方便
总结?
生产环境一般不会用的
方案二 利用harbor搭建
属于企业级的私有仓库方案
前提环境准备?
需要提前安装docker-compse,
请查看docker-compose的安装文档(https://www.jianshu.com/p/1bf911f81d5c) ;
安装harbor
harbor官网
https://github.com/goharbor/harbor/releases
找到Download Binary中的Harbor offline installer, 采用离线下载安装
下载
wget https://github.com/goharbor/harbor/releases/download/v1.2.2/harbor-offline-installer-v1.2.2.tgz
解压
tar -zxvf harbor-offline-installer-v1.2.2.tgz
进入harbor目录
cd harbor
修改配置文件harbor.cfg
A、将hostname的值设置成服务器的IP。 或者设置成域名,如hub.guxin.com (必做)
B、将secretkey_path = /data 改成 secretkey_path = ./data
C、如果是mac系统的话,需要加上8080, hostname = IP:8080
D、修改登录密码harbor_admin_password = 123456
修改配置文件docker-compose.yaml, (若是window系统,选做)
A、就是修改此文件中volumes的值,统一添加上 . 表示将日志,数据,配置文件都存在当前工作目录下
B、若系统是mac系统的话,
a、还需要修改端口号,改成8080:80
修改data目录的权限
chmod 755 data
开始安装脚本
./install.sh
添加http访问方式
方法一:
在启动docker服务的命令后面,添加
--insecure-registry=172.16.91.165:80
方法二:
vim /etc/docker/daemo.json
{
"registry-mirrors":["https://registry.docker-cn.com"],
"insecure-registries":["172.16.91.165:80"]
}
注意:
方法一,方法二中,参数的名字是不一的,要看清楚
insecure-registry、insecure-registries
通过页面访问harbor
用户名:admin
密码:123456
http://172.16.91.165
将本地镜像上传到harbor上
docker login 172.16.91.165:80
用户名:admin
密码:123456
将本地镜像打tag
docker tag message-thrift-go-service 172.16.91.165:80/micro-service/message-thrift-go-service
将本地镜像上传到harbor上
docker push 172.16.91.165:80/micro-service/message-thrift-go-service
注意:
虽然使用的是默认端口80,但是,你最好还是显示的注明
其他服务器如何访问私有仓库
更新配置文件,如
vim /etc/docker/daemo.json
{
"registry-mirrors":["https://registry.docker-cn.com"],
"insecure-registries":["172.16.91.165:80"]
}
重新启动docker服务
systemctl restart docker
拉取镜像
docker pull 172.16.91.165:80/micro-service/message-thrift-go-service
遇到的问题?
- denied: requested access to the resource is denied
image
因为这是此节点第一次登录harbor,并且push镜像到harbor上,需要密码登陆的
docker login 172.16.91.222:80
username:admin
password:123456
就可以了
当前配置文件
docker-compose.yml
version: '2'
services:
log:
image: vmware/harbor-log:v1.2.2
container_name: harbor-log
restart: always
volumes:
- /var/log/harbor/:/var/log/docker/:z
ports:
- 127.0.0.1:1514:514
networks:
- harbor
registry:
image: vmware/registry:2.6.2-photon
container_name: registry
restart: always
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
networks:
- harbor
environment:
- GODEBUG=netdns=cgo
command:
["serve", "/etc/registry/config.yml"]
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
mysql:
image: vmware/harbor-db:v1.2.2
container_name: harbor-db
restart: always
volumes:
- /data/database:/var/lib/mysql:z
networks:
- harbor
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "mysql"
adminserver:
image: vmware/harbor-adminserver:v1.2.2
container_name: harbor-adminserver
env_file:
- ./common/config/adminserver/env
restart: always
volumes:
- /data/config/:/etc/adminserver/config/:z
- /data/secretkey:/etc/adminserver/key:z
- /data/:/data/:z
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "adminserver"
ui:
image: vmware/harbor-ui:v1.2.2
container_name: harbor-ui
env_file:
- ./common/config/ui/env
restart: always
volumes:
- ./common/config/ui/app.conf:/etc/ui/app.conf:z
- ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
- /data/secretkey:/etc/ui/key:z
- /data/ca_download/:/etc/ui/ca/:z
- /data/psc/:/etc/ui/token/:z
networks:
- harbor
depends_on:
- log
- adminserver
- registry
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "ui"
jobservice:
image: vmware/harbor-jobservice:v1.2.2
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
volumes:
- /data/job_logs:/var/log/jobs:z
- ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
- /data/secretkey:/etc/jobservice/key:z
networks:
- harbor
depends_on:
- ui
- adminserver
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "jobservice"
proxy:
image: vmware/nginx-photon:1.11.13
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
- 80:80
- 443:443
- 4443:4443
depends_on:
- mysql
- registry
- ui
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
networks:
harbor:
external: false
harbor.cfg
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 172.16.91.165
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http
#The password for the root user of mysql db, change this before any production use.
db_password = root123
#Maximum number of job workers in job service
max_job_workers = 3
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
#The path of secretkey storage
secretkey_path = /data
#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA
#The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
#Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password
#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui
#************************BEGIN INITIAL PROPERTIES************************
#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = 123456
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth
#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3
#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5
#Turn on or off the self-registration feature
self_registration = on
#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30
#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone
#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on
#************************END INITIAL PROPERTIES************************
#############
