Building a private Docker registry
1, The official standard: a private image registry with Registry
1.1 Download the Registry image
docker pull registry
1.2 Run a container instance of the Registry image
docker run -d --name registry -p 5000:5000 --restart=always -v /opt/registry:/var/lib/registry registry
1.3 View the images that already exist on this machine
docker images
1.4 Tag the image to be uploaded (nginx as an example). Syntax: docker tag <source image ID> <new repository>:<tag>
docker tag nginx:latest 127.0.0.1:5000/nginx:latest
1.5 Upload the image to the private registry on the server
docker push 127.0.0.1:5000/nginx:latest
1.6 Use curl to list the images in the registry. If you see {"repositories":["nginx"]}, the image was uploaded successfully
curl http://127.0.0.1:5000/v2/_catalog
1.7 Delete the local image first, and then try to download it from the private registry
# the image ID can be used instead of the name
docker rmi 127.0.0.1:5000/nginx:latest
docker pull 127.0.0.1:5000/nginx:latest
1.8 By default Docker expects a registry to serve HTTPS with a trusted certificate. To let client hosts reach the registry just built on the server quickly, configure it as a trusted (insecure) registry on each client so that it can be accessed directly over HTTP. Docker then accepts plain HTTP or an unverifiable certificate for that registry. Write the following to /etc/docker/daemon.json (create the file if it does not exist). registry-mirrors adds a Docker Hub mirror to speed up image pulls; insecure-registries lists the registry server's IP or domain name together with its port (5000 here). daemon.json is strict JSON, so it cannot contain comments.
# vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "http://hub-mirror.c.163.com"
  ],
  "insecure-registries": [
    "192.168.1.1:5000"
  ]
}
1.9 Restart the docker service for the configuration to take effect
systemctl restart docker
2, Enterprise favorite: the Harbor enterprise image registry
1.1 Install docker-compose (if the download is too slow, you can download the installation package directly from the following official website)
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
Note: if the docker-compose command fails after installation, check your PATH. You can also create a symbolic link in /usr/bin or any other directory in your PATH.
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
2.1 Harbor domain name (can be omitted if you use the IP; the author uses the IP)
[root@dev110 ~]# vim /etc/hosts
...
192.168.100.110 harbor.cn
...
3.1 Generate a self-signed certificate (CN = domain name or IP; the example yourdomain.com can be replaced with the IP). The author uses the IP.
# On the Harbor host, create a new directory and work inside it
mkdir -p /etc/docker/certs.d/yourdomain.com/
cd /etc/docker/certs.d/yourdomain.com/
# Generate the CA certificate private key
openssl genrsa -out ca.key 4096
# Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
 -key ca.key \
 -out ca.crt
# Generate a server certificate. A certificate usually consists of a .crt file and a .key file, for example yourdomain.com.crt and yourdomain.com.key
# Generate the private key
openssl genrsa -out yourdomain.com.key 4096
# Generate the certificate signing request (CSR)
openssl req -sha512 -new \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
 -key yourdomain.com.key \
 -out yourdomain.com.csr
# Generate an x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
# Use the v3.ext file to generate a certificate for your Harbor host; replace yourdomain.com in the CSR and CRT file names with the Harbor host name
openssl x509 -req -sha512 -days 3650 \
 -extfile v3.ext \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in yourdomain.com.csr \
 -out yourdomain.com.crt
# Convert the server .crt to a .cert for Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
# At this point, all certificates have been created
[root@dev yourdomain.com]# ll
total 32
-rw-r--r-- 1 root root 2017 Feb 23 13:44 ca.crt
-rw-r--r-- 1 root root 3243 Feb 23 13:42 ca.key
-rw-r--r-- 1 root root 17 Feb 23 13:53 ca.srl
-rw-r--r-- 1 root root 232 Feb 23 13:52 externalfile.ext
-rw-r--r-- 1 root root 2049 Feb 23 13:54 yourdomain.com.cert
-rw-r--r-- 1 root root 2049 Feb 23 13:53 yourdomain.com.crt
-rw-r--r-- 1 root root 1700 Feb 23 13:49 yourdomain.com.csr
-rw-r--r-- 1 root root 3247 Feb 23 13:47 yourdomain.com.key
4.1 Distribute the certificates to the docker clients
Copy the domain's .cert and .key certificate files from the Harbor host to the /etc/docker/certs.d/xxx.xxx.com/ directory
# Run on the Docker client host
mkdir -p /etc/docker/certs.d/yourdomain.com/
scp root@192.168.100.111:/etc/docker/certs.d/yourdomain.com/yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
scp root@192.168.100.111:/etc/docker/certs.d/yourdomain.com/yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
On the Docker host, modify /etc/docker/daemon.json, mainly adding "insecure-registries":["http://harbor.cn"]. yourdomain.com can be replaced with the Harbor host IP; the author uses the IP.
[root@dev111 ~]# vim /etc/docker/daemon.json
{
  ...
  "insecure-registries":["http://yourdomain.com"],
  ...
}
Restart Docker
systemctl daemon-reload
systemctl restart docker
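A check for the daemon.json edits in steps 1.8 and 4.1, as an added example that is not part of the original post: it parses the file contents as strict JSON, catches misspelled keys such as registry-mirror, and lists every registry for which Docker does not enforce TLS. The sample file contents and the function name lint_daemon_json are constructed for illustration.

```python
import json

# Misspellings of real daemon.json keys (the valid names are the values).
KEY_TYPOS = {"registry-mirror": "registry-mirrors",
             "insecure-registry": "insecure-registries"}

# Constructed sample file contents, not taken from a real host.
SAMPLE_COMMENTED = '{ "insecure-registries": ["192.168.1.1:5000"] # registry\n}'
SAMPLE_TYPO = '{ "registry-mirror": ["http://hub-mirror.c.163.com"] }'
SAMPLE_VALID = ('{ "registry-mirrors": ["http://hub-mirror.c.163.com"],'
                ' "insecure-registries": ["192.168.1.1:5000"] }')


def lint_daemon_json(text):
    """Return a list of findings for the contents of /etc/docker/daemon.json."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # daemon.json is strict JSON: a '#' comment is a syntax error
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    findings = []
    for wrong, right in KEY_TYPOS.items():
        if wrong in cfg:
            findings.append(f"'{wrong}' is not a daemon.json key, use '{right}'")
    for mirror in cfg.get("registry-mirrors", []):
        if str(mirror).lower().startswith("http://"):
            findings.append(f"mirror {mirror} is contacted over plain HTTP")
    for registry in cfg.get("insecure-registries", []):
        # Docker accepts an unverifiable certificate or plain HTTP for these
        findings.append(f"TLS is not enforced for registry {registry}")
    return findings


if __name__ == "__main__":
    for name, text in [("commented", SAMPLE_COMMENTED), ("typo", SAMPLE_TYPO),
                       ("valid", SAMPLE_VALID)]:
        print(name, lint_daemon_json(text))
```

An empty result means the file parsed and none of these conditions applied; it does not replace restarting docker and checking that the daemon came up.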
5.1 Install Harbor (if the download is too slow, you can download the installation package directly from the following official website)
After so much preparatory work, we can finally get to the point
Download & unzip
cd /opt/
wget https://github.com/goharbor/harbor/releases/download/v2.1.0/harbor-offline-installer-v2.1.0.tgz
tar -zxvf harbor-offline-installer-v2.1.0.tgz
Modify the configuration file harbor.yml
[root@dev110 ~] vim /opt/harbor/harbor.yml
hostname:  # IP address or domain name
http:
  port: 80
https:
  port: 443
  # Certificate information (the domain name can be replaced with the IP)
  certificate: /etc/docker/certs.d/yourdomain.com/yourdomain.com.crt
  private_key: /etc/docker/certs.d/yourdomain.com/yourdomain.com.key
# Password of the admin user of the Web UI; change it as needed. The default is Harbor12345
harbor_admin_password: Ccxharbor123
database:
  # Password of the root user of Harbor's built-in database. The default is root123
  password: Ccxharbor123
data_volume: /data
log:
  level: info
  location: /var/log/harbor  # Harbor log storage path
Update parameters first
cd /opt/harbor
./prepare
Then install
./install.sh
When you see "Harbor has been installed and started successfully", I want to congratulate you on the successful installation
6.1 Using Harbor
In a browser, Harbor's Web UI can be reached either at https://domain name or at https://ip:port.
Because the certificate is signed by a self-signed CA, the browser will block it and you need to add trust.
https://domain name or https://ip:port
User name: admin
Password: the value of the harbor_admin_password parameter in harbor.yml. The default is Harbor12345
7.1 Push an image: docker client host ==> harbor host
To push an image to the Harbor registry, you must first create your own project in Harbor. Of course, you can also use Harbor's built-in project: library
Let's see how to push the nginx image to the Harbor registry (the domain name can be replaced with the IP)
# Pull an image with docker and change its tag
docker pull nginx
docker tag nginx:latest yourdomain.com/library/nginx:latest
# Log in to Harbor with docker login
# harbor_user_name - the Harbor user name
# harbor_password - the password of the Harbor user
# harbor_domain - the domain name or IP address of Harbor
docker login -u<harbor_user_name> -p<harbor_password> <harbor_domain>
When you see Login Succeeded, it indicates that the login is successful
The login information that docker saved can be viewed as follows
[root@dev ~]# cat ~/.docker/config.json
{
  "auths": {
    "harbor.cn": {
      "auth": "Y2N4LWRldjpDY3hkZXYxMjM="
    }
  },
  ...
}
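What the "auth" value in ~/.docker/config.json holds, as an added example that is not part of the original post: the field is base64 of user:password, so anyone who can read the file can recover the login unless a credential helper (credsStore or credHelpers) is configured. The sample config, the demo credentials and the function name audit_docker_config are constructed for illustration.

```python
import base64
import json

# Constructed sample: one inline credential and one entry kept in a helper.
_DEMO_AUTH = base64.b64encode(b"demo-user:demo-password").decode()
SAMPLE_CONFIG = json.dumps({
    "auths": {"harbor.cn": {"auth": _DEMO_AUTH}, "yourdomain.com": {}},
    "credHelpers": {"yourdomain.com": "pass"},
})


def audit_docker_config(text):
    """Report, per registry, where the contents of config.json keep the login."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    default_store = cfg.get("credsStore")
    report = []
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        row = {"registry": registry, "user": None}
        if entry.get("auth"):
            # "auth" is base64("user:password"): encoded, not encrypted
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            row.update(user=user, storage="inline-base64",
                       password_recoverable=bool(password))
        elif registry in helpers:
            row.update(storage=f"helper:{helpers[registry]}",
                       password_recoverable=False)
        elif default_store:
            row.update(storage=f"helper:{default_store}",
                       password_recoverable=False)
        else:
            row.update(storage="none", password_recoverable=False)
        report.append(row)
    return report


if __name__ == "__main__":
    for row in audit_docker_config(SAMPLE_CONFIG):
        print(row)
```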
Push the image to Harbor with docker (the domain name can be replaced with the IP)
[root@dev ~]# docker push yourdomain.com/library/nginx:latest
Log in to Harbor to view the image
https://domain name or https://ip:port
User name: admin
Password: the value of the harbor_admin_password parameter in harbor.yml. The default is Harbor12345
8.1 Pull an image: docker <== harbor
For the Docker client host to pull an image from the Harbor host, you only need to:
1. Log in to Harbor with docker login
2. Add the Harbor domain name before the image name when running docker pull, as follows:
docker pull harbor.cn/library/nginx:latest
9.1 Common maintenance commands
View Harbor
[root@dev110 harbor]# docker-compose ps
Stop & start commands
docker-compose stop
docker-compose start
When you want to modify the Harbor configuration
docker-compose down -v
vim harbor.yml
./prepare
docker-compose up -d