Building a private Docker registry

1. The official standard option: a private Registry image repository

1.1 Download the Registry image and start it

docker pull registry

1.2 Run a container instance of the Registry image

docker run -d --name registry -p 5000:5000 --restart=always -v /opt/registry:/var/lib/registry registry

1.3 View the images already on this machine

docker images

1.4 Tag the image to be uploaded (taking nginx as an example). Syntax: docker tag SOURCE_IMAGE_ID NEW_REPOSITORY:TAG

docker tag nginx:latest

1.5 Push the image to the registry on the server

docker push

1.6 Use curl to list the images in the registry. If you see {"repositories":["nginx"]}, the image has been uploaded successfully


1.7 Delete the local image first, and then try to pull the image from the private registry

docker rmi <image ID>
docker pull

1.8 By default, a client needs an HTTPS certificate configured before it can access the registry. To let client hosts quickly reach the registry just built on the server, simply mark the private registry as trusted on the client so that it can be accessed directly over HTTP. Edit the file with vim /etc/docker/daemon.json and write the following contents (if the file does not exist, create it). registry-mirrors adds a Docker Hub mirror to speed up image pulls; insecure-registries takes the registry server IP or domain name.

{
    "registry-mirrors": ["<Docker Hub mirror address>"],
    "insecure-registries": ["<registry server IP or domain name>"]
}

1.9 Restart the Docker service so that the configuration takes effect

systemctl restart docker

2. The enterprise favorite: Harbor enterprise image registry

1.1 Install docker-compose (if the download is too slow, you can download the installation package directly from the following official website)

sudo curl -L "$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
$ docker-compose --version

Note: if the docker-compose command fails after installation, check your PATH. You can also create a symbolic link in /usr/bin or any other directory in the PATH.

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

2.1 Configure the Harbor domain name (this can be skipped if an IP is used); I use an IP

[root@dev110 ~]# vim /etc/hosts

3.1 Generate a self-signed certificate (CN = domain name or IP; an IP can be used in place of the domain name in the examples, and I use my IP)

Create a new directory on the Harbor host
mkdir -p /etc/docker/certs.d/

Generate the CA certificate private key
openssl genrsa -out ca.key 4096

Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/" \
-key ca.key \
-out ca.crt

Generate a server certificate. A certificate usually consists of a .crt file and a .key file, for example and
Generate the private key
openssl genrsa -out 4096

Generate a certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/" \
-key \

Generate an x509 v3 extension file
cat > v3.ext <<-EOF
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names


Use the v3.ext file to generate a certificate for your Harbor host. Replace yourdomain.com in the CSR and CRT file names with the Harbor host name
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in \

Convert the server .crt to a .cert for the Docker client. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in -out

At this point, all certificates are created
[root@dev]# ll
total 32
 -rw-r--r-- 1 root root 2017 Feb 23 13:44 ca.crt
 -rw-r--r-- 1 root root 3243 Feb 23 13:42 ca.key
 -rw-r--r-- 1 root root   17 Feb 23 13:53
 -rw-r--r-- 1 root root  232 Feb 23 13:52 externalfile.ext
 -rw-r--r-- 1 root root 2049 Feb 23 13:54
 -rw-r--r-- 1 root root 2049 Feb 23 13:53
 -rw-r--r-- 1 root root 1700 Feb 23 13:49
 -rw-r--r-- 1 root root 3247 Feb 23 13:47
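
The certificate steps of 3.1 as one runnable sequence, ending with two checks that the result is usable. This is an added example, not the original author's commands. The host argument, the CA common name demo-harbor-ca, the output file names and the [alt_names] section built from the host argument are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page). Host names, the CA name and
# the output file names are assumptions chosen for illustration.
make_harbor_certs() (
    host="$1"; dir="$2"; bits="${3:-4096}"
    set -e
    mkdir -p "$dir"; cd "$dir"
    # The SAN entry type must match how clients address the registry:
    # IP.n for an IPv4 address, DNS.n for a name (IPv6 is not handled here).
    case "$host" in
        *[!0-9.]*) san="DNS.1 = $host" ;;
        *)         san="IP.1 = $host" ;;
    esac
    subj="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal"
    # CA key and self-signed CA certificate (CN kept distinct from the server).
    openssl genrsa -out ca.key "$bits"
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "$subj/CN=demo-harbor-ca" -key ca.key -out ca.crt
    # Server key and certificate signing request.
    openssl genrsa -out "$host.key" "$bits"
    openssl req -sha512 -new -subj "$subj/CN=$host" \
        -key "$host.key" -out "$host.csr"
    # Extension file: the key usages shown on the page plus the SAN section.
    cat > v3.ext <<EOF
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$san
EOF
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in "$host.csr" -out "$host.crt"
    # Docker reads *.crt as CA certificates and *.cert as client certificates.
    openssl x509 -inform PEM -in "$host.crt" -out "$host.cert"
    # Private keys should not be world-readable (the listing shows -rw-r--r--).
    chmod 600 ca.key "$host.key"
    # Check 1: the server certificate chains to the CA.
    openssl verify -CAfile ca.crt "$host.crt"
    # Check 2: the SAN made it into the signed certificate.
    openssl x509 -in "$host.crt" -noout -text | grep -A1 "Subject Alternative Name"
)
# Usage: make_harbor_certs harbor.example.test ./certs
```

The function runs in a subshell, so the caller's working directory is unchanged, and its exit status is non-zero if either check fails.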

4.1 Distribute the certificates to Docker clients

Copy the domain's .cert and .key certificate files from the Harbor host to the /etc/docker/certs.d/xxx.xxx.com/ directory

Execute on the Docker client host
mkdir -p /etc/docker/certs.d/
scp root@ /etc/docker/certs.d/
scp root@ /etc/docker/certs.d/

On the Docker host, modify /etc/docker/daemon.json, mainly adding "insecure-registries":[""]

[root@dev111 ~]# vim /etc/docker/daemon.json
    "insecure-registries":["http://yourdomain.com"],   # the domain name can be replaced with the Harbor host IP; I use an IP

Restart Docker

systemctl daemon-reload
systemctl restart docker

5.1 Install Harbor (if the download is too slow, you can download the installation package directly from the following official website)

After so much preparatory work, we can finally get to the point

Download & unzip

cd /opt/
tar -zxvf harbor-offline-installer-v2.1.0.tgz

Modify the configuration file harbor.yml

[root@dev110 ~]# vim /opt/harbor/harbor.yml
hostname:  # IP address or domain name
http:
  port: 80
https:
  port: 443
  certificate: /etc/docker/certs.d/  # certificate information (a domain name can replace the IP)
  private_key: /etc/docker/certs.d/  # certificate information (a domain name can replace the IP)
harbor_admin_password: Ccxharbor123  # password of the admin user of the Web UI; change as needed. The default is Harbor12345
database:
  password: Ccxharbor123  # password of the root user of Harbor's built-in database. The default is root123
data_volume: /data
log:
  level: info
  local:
    location: /var/log/harbor  # Harbor log storage path

Update parameters first

cd /opt/harbor

Then install


When you see "Harbor has been installed and started successfully", congratulations: the installation succeeded

6.1 Using Harbor

Harbor's Web UI can be reached from a browser at either https://domain name or https://ip:port.
Because the certificate is signed by a self-signed CA, the browser will block the page and you need to add trust for it.

https://domain name or https://ip:port
User name: admin. Password: the value of the harbor_admin_password parameter in harbor.yml. The default is Harbor12345

7.1 Push an image: Docker client host ==> Harbor host

To push an image to the Harbor registry, you must first create your own project in Harbor. Of course, you can also use Harbor's built-in project: library

Let's see how to push the nginx image to the Harbor registry (a domain name can be used in place of the IP)

Pull an image with docker and change its tag
docker pull nginx
docker tag nginx:latest

Log in to Harbor with docker login
# harbor_user_name - Harbor user name
# harbor_password - the password of the Harbor user
# harbor_domain - the domain name or IP address of Harbor
docker login -u<harbor_user_name> -p<harbor_password> <harbor_domain>

When you see Login Succeeded, it indicates that the login is successful

The login information saved by Docker can be viewed as follows

[root@dev ~]# cat ~/.docker/config.json
{
    "auths": {
        "": {
            "auth": "Y2N4LWRldjpDY3hkZXYxMjM="
        }
    }
}
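
The auth value in config.json is only the base64 encoding of user:password, not an encrypted secret, so anything that can read the file can recover the login. The following added example (not part of the original post; the registry names and credentials are constructed) lists which registries have such inline credentials and whether a credential helper is configured instead.

```sh
#!/bin/sh
# Added example; the config written below is constructed sample data.
write_sample_config() {
    # base64("user:password") is exactly what docker login stores inline.
    token=$(printf '%s' 'demo-user:demo-pass' | base64)
    cat > "$1" <<EOF
{
	"auths": {
		"harbor.example.test": {
			"auth": "$token"
		},
		"registry.example.test:5000": {}
	}
}
EOF
}

# Print "registry username" for each registry whose credentials are stored
# inline. The password is recoverable the same way; it is deliberately not printed.
inline_auth_users() {
    awk -F'"' '
        /"[^"]+"[[:space:]]*:[[:space:]]*[{]/ { reg = $2 }
        /"auth"[[:space:]]*:[[:space:]]*"/    { print reg, $4 }
    ' "$1" | while read -r reg b64; do
        user=$(printf '%s' "$b64" | base64 -d | cut -d: -f1)
        printf '%s %s\n' "$reg" "$user"
    done
}

# True when a credential helper ("credsStore") is configured, in which case
# docker login keeps the secret out of config.json.
uses_creds_store() {
    grep -q '"credsStore"[[:space:]]*:' "$1"
}
```

Passing the password with -p also leaves it in the shell history; docker login --password-stdin reads it from standard input instead.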

Push the image to Harbor with docker (a domain name can be used in place of the IP)

[root@dev ~]# docker push

Log in to Harbor to view the image

https://domain name or https://ip:port
User name: admin. Password: the value of the harbor_admin_password parameter in harbor.yml. The default is Harbor12345

8.1 Pull an image: docker <== harbor

To pull an image from the Harbor host, the Docker client host only needs to:

1. Log in to Harbor with docker login

2. When running docker pull, add the Harbor domain name before the image name, as follows:

docker pull

9.1 Common commands during maintenance

View the Harbor containers

[root@dev110 harbor]# docker-compose ps

Stop & start command

docker-compose stop
docker-compose start

When you want to modify the Harbor configuration

docker-compose down -v
vim harbor.yml
docker-compose up -d

Posted by erikwebb on Sun, 17 Apr 2022 05:44:01 +0930