1. What is a registry?
- A Docker repository holds images. Docker provides a Registry server that hosts multiple repositories, and each repository can contain multiple images distinguished by tags.
- By default, Docker uses the public Docker Hub registry.
The Docker workflow is shown in the following figure:
2. Docker Hub
Docker Hub is a public registry maintained by Docker Inc. Users can use it free of charge or purchase private repositories.
- First, register an account at https://hub.docker.com/ and create a new public repository on Docker Hub.
- Next, log in from the Docker host before uploading an image:

```
[root@server1 ~]# docker login
Username: yakexi007
Password: <fill in password>
```

- To distinguish images of the same name from different users, Docker Hub requires the image name to be in the form [username]/xxx:tag:

```
#docker tag busybox:latest yakexi007/busybox:latest
```

- Upload the image to Docker Hub:

```
#docker push yakexi007/busybox:latest
```

- Pull the image from Docker Hub:

```
#docker pull yakexi007/busybox:latest
```

- Delete the local image:

```
#docker rmi yakexi007/busybox:latest
```
3. How the registry works
- What happens behind a docker pull or push
The index service mainly provides the image index and user authentication. When an image is downloaded, the client first authenticates with the index service, which then looks up the address of the registry holding the image and returns it to the docker client. The docker client downloads the image from that registry; during the download, the registry asks the index to verify that the client's token is valid. Different images can be stored on different registry servers, while the index information lives on the index service.
- Docker Registry involves three roles: index, registry and registry client.
index: responsible for user accounts, image validation and the public namespace; it provides the web UI, metadata storage, the authentication service and token issuance.
registry: the repository for images and image graphs. It has no local database and does no user authentication of its own; it relies on the token issued by the index auth service.
Registry Client: docker acts as the registry client for push and pull, and handles client-side authorization.
- Scenario A: the user needs to obtain and download the image.
- Scenario B: the user wants to push the image to the registry.
- Scenario C: the user wants to delete the image from the index or registry.
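As an added illustration of the three roles and of what happens behind a pull (example code written for this page, not Docker's client code), the following Python models a client fetching a manifest: it answers the registry's 401 challenge either with Basic credentials (the htpasswd-protected registry built later on this page) or by obtaining a scoped token from the index/token service named in the challenge (Bearer), and then verifies the manifest bytes against the Docker-Content-Digest header. The injectable fetch callable, the fake registry, the realm reg.example.test and the sample manifest are constructed stand-ins so the flow runs offline.

```python
import base64
import hashlib
import json
import re
from typing import Callable, Dict, Optional, Tuple

# A response is (status, headers, body); fetch is injectable so the flow can run offline.
Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str, Dict[str, str]], Response]

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Bearer realm="..",service="..",scope=".."' (or 'Basic realm=".."')
    into the scheme and its parameters."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme, dict(_PARAM_RE.findall(rest))


def basic_auth_header(user: str, password: str) -> str:
    """Same encoding that `docker login` stores in ~/.docker/config.json under "auth":
    base64(user:password), which is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def sha256_digest(body: bytes) -> str:
    return "sha256:" + hashlib.sha256(body).hexdigest()


def verify_digest(body: bytes, digest: str) -> bool:
    """Manifests are content-addressed: the digest the registry reports must equal
    sha256 over the exact bytes received, otherwise the content was altered."""
    algo, _, _ = digest.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo}")
    return sha256_digest(body) == digest


def pull_manifest(fetch: Fetch, registry: str, repo: str, tag: str,
                  credentials: Optional[Tuple[str, str]] = None) -> bytes:
    """Fetch a manifest the way the docker client does: try anonymously, and on 401
    answer the challenge with Basic credentials (htpasswd registry) or with a token
    obtained from the index/token service named in the challenge (Bearer)."""
    url = f"https://{registry}/v2/{repo}/manifests/{tag}"
    headers = {"Accept": "application/vnd.docker.distribution.manifest.v2+json"}
    status, resp_headers, body = fetch(url, headers)
    if status == 401:
        if credentials is None:
            raise PermissionError("no basic auth credentials")   # the error seen on this page
        scheme, params = parse_www_authenticate(resp_headers.get("WWW-Authenticate", ""))
        creds = basic_auth_header(*credentials)
        if scheme == "Basic":
            headers["Authorization"] = creds
        elif scheme == "Bearer":
            # The index authenticates the user and issues a token scoped to one repository;
            # the registry itself never sees the password.
            token_url = f'{params["realm"]}?service={params["service"]}&scope={params["scope"]}'
            t_status, _, t_body = fetch(token_url, {"Authorization": creds})
            if t_status != 200:
                raise PermissionError("token service rejected the credentials")
            headers["Authorization"] = "Bearer " + json.loads(t_body)["token"]
        else:
            raise PermissionError(f"unsupported auth scheme: {scheme!r}")
        status, resp_headers, body = fetch(url, headers)
    if status != 200:
        raise RuntimeError(f"manifest fetch failed: HTTP {status}")
    digest = resp_headers.get("Docker-Content-Digest", "")
    if digest and not verify_digest(body, digest):
        raise ValueError("manifest digest mismatch: content altered in transit or at rest")
    return body


def make_fake_registry(user: str, password: str, manifest: bytes, scheme: str = "Basic") -> Fetch:
    """Constructed stand-in for a registry (plus, for Bearer, its token service).
    reg.example.test and the token value are placeholders, not real endpoints."""
    realm = "https://reg.example.test/token"
    expected_basic = basic_auth_header(user, password)
    token = "tok-" + hashlib.sha256(expected_basic.encode()).hexdigest()[:12]
    digest = sha256_digest(manifest)

    def fetch(url: str, headers: Dict[str, str]) -> Response:
        auth = headers.get("Authorization", "")
        if url.startswith(realm):                       # index / token service
            if auth != expected_basic:
                return 401, {}, b""
            return 200, {}, json.dumps({"token": token}).encode()
        accepted = auth == (expected_basic if scheme == "Basic" else "Bearer " + token)
        if not accepted:
            challenge = ('Basic realm="Registry Realm"' if scheme == "Basic" else
                         f'Bearer realm="{realm}",service="registry",scope="repository:library/nginx:pull"')
            return 401, {"WWW-Authenticate": challenge}, b""
        return 200, {"Docker-Content-Digest": digest}, manifest

    return fetch


if __name__ == "__main__":
    sample = b'{"schemaVersion": 2, "layers": []}'        # constructed sample manifest
    for mode in ("Basic", "Bearer"):
        fake = make_fake_registry("admin", "s3cret", sample, scheme=mode)
        print(mode, pull_manifest(fake, "reg.westos.org", "library/nginx", "latest", ("admin", "s3cret")))
```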
Although Docker Hub is convenient, it has limitations: it needs an Internet connection and is slow; it is accessible to everyone; and for security reasons enterprises are not allowed to put their images on the public Internet. The good news is that Docker has open-sourced the registry, so a private enterprise registry can be built quickly.
https://docs.docker.com/registry/deploying/
The registry built first has no authentication, so it is of limited use; authentication is added later. Building the private registry:
```
[root@server1 ~]# docker search registry          ##search for the image
[root@server1 ~]# docker pull registry            ##pull the image
[root@server1 ~]# docker history registry:latest  ##shows the port information of the container
IMAGE          CREATED       CREATED BY                                        SIZE      COMMENT
1fd8e1b0bb7e   5 weeks ago   /bin/sh -c #(nop)  CMD ["/etc/docker/registr...   0B
<missing>      5 weeks ago   /bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint....   0B
<missing>      5 weeks ago   /bin/sh -c #(nop) COPY file:507caa54f88c1f38...   155B
<missing>      5 weeks ago   /bin/sh -c #(nop)  EXPOSE 5000                    0B
<missing>      5 weeks ago   /bin/sh -c #(nop)  VOLUME [/var/lib/registry]     0B
<missing>      5 weeks ago   /bin/sh -c #(nop) COPY file:4544cc1555469403...   295B
<missing>      5 weeks ago   /bin/sh -c #(nop) COPY file:21256ff7df5369f7...   20.1MB
<missing>      5 weeks ago   /bin/sh -c set -ex && apk add --no-cache...       549kB
<missing>      5 weeks ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]                0B
<missing>      5 weeks ago   /bin/sh -c #(nop) ADD file:282b9d56236cae296...   5.62MB
[root@server1 ~]# docker run -d --name registry -p 5000:5000 registry   ##run the registry with a port mapping: host port on the left, container port on the right
7bb13092f4e40a9bc129a7a94a71d188b0360e1dc244d834372580fea6857d4f
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                    CREATED         STATUS         PORTS                    NAMES
7bb13092f4e4   registry   "/entrypoint.sh /etc..."   3 seconds ago   Up 2 seconds   0.0.0.0:5000->5000/tcp   registry
[root@server1 ~]# docker inspect registry   ##shows the mount information; no volume was specified, so the docker engine created an anonymous one
[root@server1 ~]# docker images
[root@server1 ~]# docker tag yakexi007/game2048:latest localhost:5000/game2048   ##retag so the name points at the private registry
[root@server1 ~]# docker images
REPOSITORY                        TAG       IMAGE ID       CREATED        SIZE
rhel7                             v4        b3388a690329   6 hours ago    31.9MB
<none>                            <none>    4cf308c51260   6 hours ago    146MB
rhel7                             v3        00f0b93070b1   7 hours ago    141MB
rhel7                             v2        55fd86415086   7 hours ago    255MB
rhel7                             v1        c8aeebec1de9   7 hours ago    296MB
nginx                             latest    d1a364dc548d   18 hours ago   133MB
busybox                           v1        ec156da50087   43 hours ago   1.24MB
busybox                           latest    d3cd072556c2   8 days ago     1.24MB
registry                          latest    1fd8e1b0bb7e   5 weeks ago    26.2MB
yakexi007/game2048                latest    19299002fdbe   4 years ago    55.5MB
localhost:5000/game2048           latest    19299002fdbe   4 years ago    55.5MB
rhel7                             latest    0a3eb3fde7fd   6 years ago    140MB
gcr.io/distroless/base-debian10   latest    d48fcdd54946   51 years ago   19.2MB
##the newly tagged image is listed; the two names differ but the image ID is the same
[root@server1 ~]# docker push localhost:5000/game2048:latest   ##upload
[root@server1 ~]# cd /var/lib/docker/volumes/c6ab78e2115ecc13a0b019bd902d9c7a1576d034e7b63669068ac75e05e98108/_data
[root@server1 _data]# ls
docker   ##the pushed data is stored in the anonymous volume
```
After the push, delete the local image and check whether it can be pulled back from the registry:

```
[root@server1 ~]# docker rmi localhost:5000/game2048:latest
Untagged: localhost:5000/game2048:latest
Untagged: localhost:5000/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
[root@server1 ~]# docker rmi yakexi007/game2048:latest
Untagged: yakexi007/game2048:latest
Untagged: yakexi007/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
[root@server1 ~]# docker images
REPOSITORY                        TAG       IMAGE ID       CREATED        SIZE
<none>                            <none>    4cf308c51260   6 hours ago    146MB
rhel7                             v4        b3388a690329   6 hours ago    31.9MB
rhel7                             v3        00f0b93070b1   7 hours ago    141MB
rhel7                             v2        55fd86415086   7 hours ago    255MB
rhel7                             v1        c8aeebec1de9   7 hours ago    296MB
nginx                             latest    d1a364dc548d   18 hours ago   133MB
busybox                           v1        ec156da50087   43 hours ago   1.24MB
busybox                           latest    d3cd072556c2   8 days ago     1.24MB
registry                          latest    1fd8e1b0bb7e   5 weeks ago    26.2MB
rhel7                             latest    0a3eb3fde7fd   6 years ago    140MB
gcr.io/distroless/base-debian10   latest    d48fcdd54946   51 years ago   19.2MB
[root@server1 ~]# docker pull localhost:5000/game2048:latest   ##the image is pulled successfully from the local registry
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for localhost:5000/game2048:latest
localhost:5000/game2048:latest
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                    CREATED          STATUS          PORTS                    NAMES
143abac135cb   registry   "/entrypoint.sh /etc..."   11 minutes ago   Up 11 minutes   0.0.0.0:5000->5000/tcp   registry
```
At this point the registry can only be used for upload and download from the local host. By default remote access is not allowed: a remote docker daemon must be told explicitly that this registry is insecure (plain HTTP) before it will use it.
To test remote access, use a second virtual machine: first set up the docker software repository and install the docker tools on it:
```
[root@server2 yum.repos.d]# ls
docker.repo  dvd.repo  redhat.repo
[root@server2 yum.repos.d]# cat docker.repo
[docker]
name=docker-ce
baseurl=http://172.25.25.250/docker-ce
gpgcheck=0
[root@server2 ~]# yum install -y docker-ce
[root@server2 docker]# systemctl enable --now docker.service
[root@server2 sysctl.d]# cat dokcer.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@server2 docker]# sysctl --system
[root@server2 sysctl.d]# docker info   ##the basic information is displayed without errors
```
Next, tell the docker daemon on the second host that the registry it is pulling from is insecure:
```
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json
[root@server2 docker]# cat daemon.json
{
  "insecure-registries": ["172.25.25.1:5000"]
}
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker info
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:   ##the insecure registry is now listed
  172.25.25.1:5000
  127.0.0.0/8
 Live Restore Enabled: false
[root@server2 docker]# docker pull 172.25.25.1:5000/game2048   ##the remote host can now pull the image
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for 172.25.25.1:5000/game2048:latest
172.25.25.1:5000/game2048:latest
[root@server2 docker]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED       SIZE
172.25.25.1:5000/game2048   latest    19299002fdbe   4 years ago   55.5MB
```
This is the simplest form of a local registry: there is no TLS encryption and no authentication.
4. Configure an image accelerator (registry mirror)
Downloading images from Docker Hub is slow, so configure a registry mirror. Alibaba Cloud is used as the example (an Alibaba Cloud account must be registered in advance).
Edit the docker daemon configuration file, then reload and restart the docker service:

```
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
#systemctl daemon-reload
#systemctl restart docker
```
5. Build a private registry
Delete the previous registry container and its volume:

```
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker volume ls
DRIVER    VOLUME NAME
local     7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532
[root@server1 ~]# docker volume prune   ##delete all unused volumes
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Volumes:
7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532

Total reclaimed space: 17.75MB
[root@server1 ~]# docker container prune   ##delete stopped containers
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Total reclaimed space: 0B
[root@server1 ~]# docker image prune   ##delete all dangling images
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:4cf308c51260643b216ebfa2ad0c853f0a190de24645d0031d3d20e687801a80
deleted: sha256:d8eefca77d25ab5621bb75f669ee3ed19a98cf336586d89e9d09c74f37e1711e
deleted: sha256:9824bd8622ef082374d053fb2fb1cef2b24042390155c0d86c58e947a0f952f2

Total reclaimed space: 12.72MB
[root@server1 ~]# docker rmi rhel7:v4   ##delete images that are no longer needed, one by one
Untagged: rhel7:v4
Deleted: sha256:b3388a690329390dacbdcd45df04a82df802b02f5c87548318f916aa88d64dab
Deleted: sha256:52d6aca444a9b645652020d25a103009851df5bc6d18f054a47d97932ec4b74b
Deleted: sha256:55d6bb5728eb74472779ae0efd045b8bb46c29176157d1c8416ce047d50b1cda
Deleted: sha256:36cd5ddf7ad3cdb0bf355bb689422f2935f5a93039b30bfb9dacacc978250022
Deleted: sha256:e675a6f01e302b423efb94d625945041619b4cdd5fc5a52b2495a0a042065323
```
Documentation for building a private registry is on the official site: docs.docker.com/registry
- Add TLS encryption to the Docker registry
Generate a certificate (the westos.org domain name must be resolvable on the hosts):

```
[root@server1 ~]# mkdir -p certs   ##create a directory for the certificate
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt   ##generate a self-signed certificate
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
[root@server1 ~]# ls certs/
westos.org.crt  westos.org.key
##rebuild the registry container
[root@server1 ~]# docker run -d \                                ##run the container
> --restart=always \                                             ##start automatically with the daemon
> --name registry \
> -v "$(pwd)"/certs:/certs \                                     ##bind mount; -v needs an absolute path
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \                            ##listening port
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \                                                   ##port mapping
> -v /opt/registry:/var/lib/registry registry                    ##data directory on the host
648da93dda348129139e9a3910b33139ef59f7e27f9aaca387d8137d645b6f10
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                    CREATED              STATUS              PORTS                             NAMES
648da93dda34   registry   "/entrypoint.sh /etc..."   About a minute ago   Up About a minute   0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 ~]# cd /opt/registry/   ##the directory is created automatically when mounted
[root@server1 registry]# ls
[root@server1 registry]# docker volume ls   ##the bind mount replaces the earlier anonymous volume
DRIVER    VOLUME NAME
```
Clients need name resolution before they can connect:

```
[root@server1 registry]# vim /etc/hosts   ##add the name resolution
[root@server1 registry]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.15.250 foundation15.ilt.example.com
172.25.15.1 server1 reg.westos.org
172.25.15.2 server2
172.25.15.3 server3
172.25.15.4 server4
172.25.15.5 server5
172.25.15.6 server6
```
Upload:

```
[root@server1 ~]# docker images
REPOSITORY                        TAG       IMAGE ID       CREATED        SIZE
nginx                             latest    f0b8a9a54136   10 days ago    133MB
registry                          latest    1fd8e1b0bb7e   5 weeks ago    26.2MB
localhost:5000/game2048           latest    19299002fdbe   4 years ago    55.5MB
rhel7                             latest    0a3eb3fde7fd   6 years ago    140MB
gcr.io/distroless/base-debian10   latest    d48fcdd54946   51 years ago   19.2MB
[root@server1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest   ##retag
[root@server1 ~]# docker push reg.westos.org/nginx:latest   ##the push fails: the client does not trust the self-signed certificate
The push refers to repository [reg.westos.org/nginx]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
```
Let docker pick up the certificate automatically by placing it under /etc/docker/certs.d/<registry hostname>/ca.crt:

```
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt  westos.org.key
[root@server1 certs]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json  key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir reg.westos.org
[root@server1 certs.d]# cd reg.westos.org/
[root@server1 reg.westos.org]# cp ~/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org]# ls
ca.crt
```
Now push again:

```
[root@server1 reg.westos.org]# docker push reg.westos.org/nginx:latest   ##with the certificate trusted, the push succeeds over TLS
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Pushed
eeb14ff930d4: Pushed
c9732df61184: Pushed
4b8db2d7f35a: Pushed
431f409d4c5a: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
```
- Add user authentication to the Docker registry

```
[root@server1 ~]# yum install httpd-tools.x86_64 -y   ##provides the htpasswd tool
[root@server1 ~]# mkdir auth
[root@server1 ~]# htpasswd -cB auth/htpasswd admin   ##create the password file with the first user
New password:
Re-type new password:
Adding password for user admin
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
[root@server1 ~]# htpasswd -B auth/htpasswd zxk   ##-c is only needed the first time; using it again overwrites the existing file. -B forces bcrypt hashing
New password:
Re-type new password:
Adding password for user zxk
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
zxk:$2y$05$vDNpTjzreUkjfnzxfpZBYuB63W16zXPOl0mwu97sFIrKb0idr3c/2
```
Delete the previous registry container and run it again; deleting the container does not delete the data:

```
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 May 23 10:02 /opt/registry/
[root@server1 ~]# cd /data/
[root@server1 data]# ls
[root@server1 data]# mv ~/auth/ .
[root@server1 data]# ls
auth
[root@server1 data]# mv ~/certs/ .
[root@server1 data]# ls
auth  certs   ##keep everything under /data to avoid relative paths when starting the container
```
Rebuild the registry container with password authentication enabled:

```
[root@server1 ~]# docker run -d \
  --restart=always \
  --name registry \
  -v /data/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
  -p 443:443 -v /opt/registry:/var/lib/registry -v /data/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
9c565b84e8420f4a2222f978a549dff290f477fde8f81d31c5a40943386c06f8
##the registry now has both TLS encryption and user authentication
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                    CREATED          STATUS          PORTS                             NAMES
9c565b84e842   registry   "/entrypoint.sh /etc..."   38 seconds ago   Up 37 seconds   0.0.0.0:443->443/tcp, 5000/tcp   registry
```
After that, test by pushing an image:

```
[root@server1 ~]# docker push reg.westos.org/nginx:latest   ##the push is rejected
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Preparing
eeb14ff930d4: Preparing
c9732df61184: Preparing
4b8db2d7f35a: Preparing
431f409d4c5a: Preparing
02c055ef67f5: Preparing
no basic auth credentials   ##no credentials were supplied
```
After logging in as one of the registry users, the push succeeds:

```
[root@server1 ~]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 ~]# cat /root/.docker/config.json   ##the credentials are stored in this file, so you only need to log in once
{
	"auths": {
		"reg.westos.org": {
			"auth": "YWRtaW46d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.15 (linux)"
	}
}
[root@server1 ~]# docker push reg.westos.org/nginx:latest
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Layer already exists
eeb14ff930d4: Layer already exists
c9732df61184: Layer already exists
4b8db2d7f35a: Layer already exists
431f409d4c5a: Layer already exists
02c055ef67f5: Layer already exists
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
```
Now test from the remote host. Either replace the earlier insecure-registry entry with the new registry, or access the registry address directly; in both cases the name must resolve first.
1) Access the address directly:

```
[root@server2 docker]# vim /etc/hosts
[root@server2 docker]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.25.250 foundation39.ilt.example.com
172.25.25.1 server1 reg.westos.org
172.25.25.2 server2
172.25.25.3 server3
172.25.25.4 server4
172.25.25.5 server5
172.25.25.6 server6
172.25.25.7 server7
172.25.25.8 server8
[root@server2 docker]# docker pull reg.westos.org/nginx:latest   ##the pull fails because the certificate is not trusted yet
Error response from daemon: Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
[root@server2 docker]# ls   ##copy the certificate from the first host into certs.d, as done on server1
certs.d  key.json  daemon.json
[root@server2 docker]# docker pull reg.westos.org/nginx:latest   ##now the pull needs credentials
Error response from daemon: Get https://reg.westos.org/v2/nginx/manifests/latest: no basic auth credentials
[root@server2 docker]# docker login reg.westos.org
Username: zxk   ##log in
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 docker]# docker pull reg.westos.org/nginx:latest   ##after logging in, the pull succeeds
latest: Pulling from nginx
69692152171a: Pull complete
30afc0b18f67: Pull complete
596b1d696923: Pull complete
febe5bd23e98: Pull complete
8283eee92e2f: Pull complete
351ad75a6cfa: Pull complete
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for reg.westos.org/nginx:latest
reg.westos.org/nginx:latest
```
2) Modify the daemon configuration file:

```
[root@server2 docker]# vim daemon.json
[root@server2 docker]# cat daemon.json
{
  "registry-mirrors": ["https://reg.westos.org"]
}
[root@server2 docker]# systemctl restart docker.service
[root@server2 docker]# docker info
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
  https://reg.westos.org/   ##registry address
 Live Restore Enabled: false
###pulling through the mirror requires authentication exactly as before
[root@server2 docker]# docker logout reg.westos.org   ##log out
```
The registry now has both authentication and TLS encryption. However, everything in it is protected the same way, and every pull requires authentication. For images that are used widely within the enterprise it is better to allow anonymous pulls, which saves a lot of time and effort.
- Full-featured registry: Harbor
This uses the Harbor offline installer, which can be downloaded from https://github.com/goharbor/harbor/releases.

```
[root@server1 ~]# ls
base-debian10.tar  docker-compose-Linux-x86_64-1.27.0  rhel7.tar  docker  harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose   ##move the binary into place and make it executable
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# docker-compose   ##check that the binary runs
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# ls
base-debian10.tar  docker  harbor  harbor-offline-installer-v1.10.1.tgz  rhel7.tar
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh  harbor.v1.10.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare
[root@server1 harbor]# vim harbor.yml
  5 hostname: reg.westos.org
 17   certificate: /data/certs/westos.org.crt   ##certificate and key
 18   private_key: /data/certs/westos.org.key
 27 harbor_admin_password: admin   ##login password for the web interface
[root@server1 harbor]# cd /data/
[root@server1 data]# ls
auth  certs   ##move the htpasswd directory out of the way; Harbor handles authentication itself
[root@server1 data]# mv auth/ /mnt/
[root@server1 data]# ls
certs
```
The installer can then be run. --with-notary enables image signing (content trust), --with-clair enables image vulnerability scanning, and --with-chartmuseum enables storage for Helm charts:

```
[root@server1 harbor]# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@server1 harbor]# ./install.sh   ##run the script to start the installation
[root@server1 harbor]# ls
common  docker-compose.yml  harbor.yml  LICENSE  common.sh  harbor.v1.10.1.tar.gz  install.sh  prepare
[root@server1 harbor]# docker-compose ps   ##usage is similar to docker, but the command must be run in this directory because it reads docker-compose.yml, which the install script generated; the port information is shown as well
[root@server1 harbor]# docker-compose start   ##once started, the web interface can be accessed
```
Images cannot be downloaded automatically from the external network, so they have to be managed by hand; configure an accelerator to speed this up:

```
[root@server1 harbor]# cd /etc/docker/
[root@server1 docker]# ls
certs.d  daemon.json  key.json
[root@server1 docker]# cat daemon.json
{
  "registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
[root@server1 harbor]# docker login reg.westos.org   ##the login now uses the Harbor user and password
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
```
After the upload, view the image in the web interface:
Then, on the other host, log out of the earlier authentication, delete the previous image and pull the newly uploaded one:

```
[root@server2 docker]# docker images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
[root@server2 docker]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server2 docker]# docker pull game2048:latest   ##the client pulls without authentication; the web interface shows the pull as anonymous
latest: Pulling from library/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for game2048:latest
docker.io/library/game2048:latest
```
The user information can also be viewed in the web interface, which shows that this was an anonymous pull.
Upload another image to observe the same effect:

```
[root@server1 ~]# docker rmi reg.westos.org/nginx:latest
Untagged: reg.westos.org/nginx:latest
[root@server1 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server1 ~]# docker push reg.westos.org/library/nginx:latest
[root@server2 docker]# docker pull reg.westos.org/library/nginx:latest
```
Introduction to the other Harbor functions:

```
[root@server1 harbor]# docker-compose stop   ##stop the registry
[root@server1 harbor]# docker-compose rm     ##delete all containers
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum   ##install again with the extra components
[root@server1 harbor]# docker-compose ps     ##more services are listed now
```

After this second installation, more functions are available:
Scanning checks the existing images for vulnerabilities.
With the extra components installed, images can be scanned; when "auto scan image" is enabled, an image is scanned automatically when it is uploaded.
Images can also be signed and trusted. When "content trust" is enabled, pulling an unsigned image is refused with the following message:

```
[root@server2 docker]# docker pull reg.westos.org/library/game2048:latest
Error response from daemon: unknown: The image is not signed in Notary.
```
After enabling Docker content trust, delete nginx in the web interface, clear the cache, and upload again to see the signature:

```
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1   ##enable content trust
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443   ##address of the content trust (Notary) server
[root@server1 harbor]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
075508cf8f04: Pushed
5c865c78bc96: Pushed
134e19b2fac5: Pushed
83634f76e732: Pushed
766fe2c3fc08: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa size: 1570
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority
```
Make the Notary server's certificate trusted and push again.
For a brand-new repository two passphrases are requested (root key and repository key); when an existing repository is updated with a new version, only the repository key passphrase is needed.

```
[root@server1 ~]# cd .docker/
[root@server1 .docker]# ls
config.json  trust
[root@server1 .docker]# mkdir tls   ##certificate directory for the trust server
[root@server1 .docker]# cd tls/
[root@server1 tls]# mkdir reg.westos.org:4443
[root@server1 tls]# cd reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# cp /data/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org:4443]# ls
ca.crt
[root@server1 reg.westos.org:4443]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
f0f30197ccf9: Layer already exists
eeb14ff930d4: Layer already exists
c9732df61184: Layer already exists
4b8db2d7f35a: Layer already exists
431f409d4c5a: Layer already exists
02c055ef67f5: Layer already exists
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 72900f3:
Repeat passphrase for new root key with ID 72900f3:
Enter passphrase for new repository key with ID 2d31532:
Repeat passphrase for new repository key with ID 2d31532:
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest
```
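An added client-side check (example code written for this page, not Docker's or Harbor's own tooling) that pulls together the settings used in the sections above and reports what each one weakens: insecure-registries entries in daemon.json, registry-mirrors that are not HTTPS or lack a /etc/docker/certs.d/<host>/ca.crt, the DOCKER_CONTENT_TRUST variables together with the ~/.docker/tls/<host:port>/ca.crt the Notary push needed, and plaintext credentials in config.json. Inputs are passed as parsed dicts and a set of existing paths so it runs offline; the sample values are constructed from this page's configuration and the "PLACEHOLDER-BASE64" credential is a placeholder.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str]   # (severity, message)


def _host_of(entry: str) -> str:
    """'172.25.25.1:5000' -> '172.25.25.1', 'https://reg.westos.org/' -> 'reg.westos.org'.
    IPv6 literals are not handled (assumption for this example)."""
    entry = entry.split("://", 1)[-1].rstrip("/")
    return entry.split(":", 1)[0]


def _is_loopback(entry: str) -> bool:
    host = _host_of(entry)
    if host == "localhost":
        return True
    try:   # handles both a bare address and a CIDR such as 127.0.0.0/8
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:                     # a DNS name, not an address
        return False


def audit_daemon(daemon: Dict, present: Set[str]) -> List[Finding]:
    """daemon: parsed /etc/docker/daemon.json; present: paths that exist on the host."""
    out: List[Finding] = []
    for reg in daemon.get("insecure-registries", []):
        if not _is_loopback(reg):
            out.append(("HIGH", f"insecure-registries allows {reg}: the daemon falls back to plain "
                                "HTTP or accepts any certificate, so images from it can be replaced "
                                "on the network"))
    for mirror in daemon.get("registry-mirrors", []):
        host = _host_of(mirror)
        if not mirror.startswith("https://"):
            out.append(("HIGH", f"registry mirror {mirror} is not HTTPS"))
        elif f"/etc/docker/certs.d/{host}/ca.crt" not in present:
            out.append(("INFO", f"no /etc/docker/certs.d/{host}/ca.crt: fine for a public CA, but a "
                                "self-signed mirror fails with 'x509: certificate signed by unknown authority'"))
        out.append(("INFO", f"{mirror} sits in the pull path of every unqualified image name "
                            "(e.g. 'nginx' resolves through it), so its integrity controls matter"))
    return out


def audit_content_trust(env: Dict[str, str], present: Set[str]) -> List[Finding]:
    """env: the shell environment of the user running docker."""
    out: List[Finding] = []
    if env.get("DOCKER_CONTENT_TRUST") != "1":
        out.append(("MEDIUM", "DOCKER_CONTENT_TRUST is not 1: unsigned images are pulled and run"))
        return out
    server = env.get("DOCKER_CONTENT_TRUST_SERVER")
    if not server:
        out.append(("INFO", "no DOCKER_CONTENT_TRUST_SERVER: docker uses its default trust server for the registry"))
        return out
    hostport = server.split("://", 1)[-1].rstrip("/")
    if f"~/.docker/tls/{hostport}/ca.crt" not in present:
        out.append(("WARN", f"no ~/.docker/tls/{hostport}/ca.crt: a self-signed Notary server cannot be "
                            "contacted, so a push uploads the layers but fails to sign them"))
    return out


def audit_config_json(config: Dict) -> List[Finding]:
    """config: parsed ~/.docker/config.json."""
    out: List[Finding] = []
    if "credsStore" in config or "credHelpers" in config:
        return out
    for host, entry in config.get("auths", {}).items():
        if entry.get("auth"):
            out.append(("MEDIUM", f"credentials for {host} are stored base64-encoded (not encrypted) in "
                                  "config.json; configure a credential helper"))
    return out


def audit(daemon: Dict, env: Dict[str, str], config: Dict, present: Iterable[str]) -> List[Finding]:
    present = set(present)
    return audit_daemon(daemon, present) + audit_content_trust(env, present) + audit_config_json(config)


if __name__ == "__main__":
    # Constructed from this page's settings: server2's daemon.json, the DCT variables, and a
    # client that has the registry CA in certs.d but not yet the Notary CA under ~/.docker/tls.
    daemon = {"insecure-registries": ["172.25.25.1:5000"], "registry-mirrors": ["https://reg.westos.org"]}
    env = {"DOCKER_CONTENT_TRUST": "1", "DOCKER_CONTENT_TRUST_SERVER": "https://reg.westos.org:4443"}
    config = {"auths": {"reg.westos.org": {"auth": "PLACEHOLDER-BASE64"}}}
    present = {"/etc/docker/certs.d/reg.westos.org/ca.crt"}
    for severity, message in audit(daemon, env, config, present):
        print(f"[{severity}] {message}")
```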
When the newly uploaded image is viewed in the web interface, it has been scanned and signed automatically.
After signing, pull again to check:
The purpose of the signature is to establish trust in the image: unsigned images can be stored in the registry but cannot be pulled into the production environment.

```
[root@server2 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
69692152171a: Pull complete
30afc0b18f67: Pull complete
596b1d696923: Pull complete
febe5bd23e98: Pull complete
8283eee92e2f: Pull complete
351ad75a6cfa: Pull complete
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
```
Sign an image that already exists in the registry:
[root@server1 ~]# docker push reg.westos.org/library/game2048:latest
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Layer already exists
6d7504772167: Layer already exists
192e9fad2abc: Layer already exists
36e9226e74f8: Layer already exists
011b303988d2: Layer already exists
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
Enter passphrase for root key with ID 40db6c1:
Enter passphrase for new repository key with ID a55c78f:
Repeat passphrase for new repository key with ID a55c78f:
Finished initializing "reg.westos.org/library/game2048"
Successfully signed reg.westos.org/library/game2048:latest
Updating an existing image to a new version:
[root@server1 ~]# cd docker/
[root@server1 docker]# mkdir test
[root@server1 docker]# cd test/
[root@server1 test]# vim Dockerfile
[root@server1 test]# cat Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html
[root@server1 test]# cp ../index.html .
[root@server1 test]# ls
Dockerfile  index.html
[root@server1 test]# cat index.html
www.westos.org
[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# docker build -t nginx:v1 .    ##Build the image
Sending build context to Docker daemon  3.072kB
Step 1/2 : FROM nginx
 ---> d1a364dc548d
Step 2/2 : COPY index.html /usr/share/nginx/html
 ---> 3167572bbc25
Successfully built 3167572bbc25
Successfully tagged nginx:v1
[root@server1 test]# docker tag nginx:v1 reg.westos.org/library/nginx:v1    ##Retag for the private registry
[root@server1 test]# export DOCKER_CONTENT_TRUST=1
[root@server1 test]# docker push reg.westos.org/library/nginx:v1
The push refers to repository [reg.westos.org/library/nginx]
47c5645eaeea: Pushed
075508cf8f04: Layer already exists
5c865c78bc96: Layer already exists
134e19b2fac5: Layer already exists
83634f76e732: Layer already exists
766fe2c3fc08: Layer already exists
02c055ef67f5: Layer already exists
v1: digest: sha256:a19f00ff8772f68dd96f1bab4482ec70c636adfdfc3867e49bca2ba7fe2c9a25 size: 1777
Signing and pushing trust metadata
Enter passphrase for repository key with ID fdacdce:    ##Now only the repository key passphrase is required
Successfully signed reg.westos.org/library/nginx:v1
[root@server2 ~]# docker pull nginx:v1    ##Pull test
New project:
Test uploading an image to the new project:
[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# docker tag reg.westos.org/library/game2048:latest reg.westos.org/westos/game2048:latest
[root@server1 test]# docker push reg.westos.org/westos/game2048:latest
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Mounted from library/game2048
6d7504772167: Mounted from library/game2048
192e9fad2abc: Mounted from library/game2048
36e9226e74f8: Mounted from library/game2048
011b303988d2: Mounted from library/game2048
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
To pull this image, the client must log in as an authenticated user, so first create a user in the web UI;
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
Error response from daemon: pull access denied for reg.westos.org/westos/game2048, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
After adding the user, grant the appropriate project role; developers and guests can pull images but cannot push them;
After the user has been added, log in and pull again:
[root@server2 ~]# docker login reg.westos.org
Username: zxk
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
latest: Pulling from westos/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/westos/game2048:latest
reg.westos.org/westos/game2048:latest
The image can now be pulled, but a guest still cannot push.
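Note that the game2048 image pushed into the westos project above and the copy pulled by server2 report the same digest (sha256:8a34fb...), while the tag "latest" could be re-pointed at any time. The following script, an added example that is not from the original post, extracts the digest from saved docker push and docker pull output and checks that the two agree, which is the check to run before trusting a pulled image or pinning it in a deployment manifest. The sample logs are constructed from the transcripts in this post; the "tampered" log and its all-zero digest are made up for the mismatch case.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the image a client
# pulled is exactly the one that was pushed, by comparing the content digests
# that `docker push` and `docker pull` print. A tag such as :latest can be moved
# to a different image at any time; the sha256 digest cannot, so the digest is
# what to record at push time and compare (or pin) at deploy time.

# Print the first sha256 digest found in docker push/pull output read on stdin.
#   push prints "latest: digest: sha256:<hex> size: N"
#   pull prints "Digest: sha256:<hex>"
extract_digest() {
    sed -n 's/.*[Dd]igest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# digests_match <push-log> <pull-log>
# Succeeds only when both logs contain a digest and the digests are identical;
# a log without a digest (for example an access-denied error) never matches.
digests_match() {
    pushed=$(extract_digest < "$1")
    pulled=$(extract_digest < "$2")
    [ -n "$pushed" ] && [ "$pushed" = "$pulled" ]
}

# pinned_reference <repository> <digest>: an immutable reference for manifests.
pinned_reference() {
    printf '%s@%s\n' "$1" "$2"
}

# --- constructed sample logs (shortened from the transcripts in this post) ---
PUSH_LOG=$(mktemp); PULL_LOG=$(mktemp); TAMPERED_LOG=$(mktemp)
trap 'rm -f "$PUSH_LOG" "$PULL_LOG" "$TAMPERED_LOG"' EXIT

cat > "$PUSH_LOG" <<'EOF'
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Mounted from library/game2048
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
EOF

cat > "$PULL_LOG" <<'EOF'
latest: Pulling from westos/game2048
534e72e7cedc: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/westos/game2048:latest
EOF

# Constructed pull of a *different* image under the same tag (digest made up).
cat > "$TAMPERED_LOG" <<'EOF'
latest: Pulling from westos/game2048
Digest: sha256:0000000000000000000000000000000000000000000000000000000000000000
Status: Downloaded newer image for reg.westos.org/westos/game2048:latest
EOF

if digests_match "$PUSH_LOG" "$PULL_LOG"; then
    echo "OK: pulled digest matches pushed digest"
    pinned_reference reg.westos.org/westos/game2048 "$(extract_digest < "$PUSH_LOG")"
fi
if ! digests_match "$PUSH_LOG" "$TAMPERED_LOG"; then
    echo "MISMATCH: the tag now points at a different image" >&2
fi
```

In practice, capture the push output with docker push ... | tee push.log on the build host, the pull output on the consuming host, and feed both files to digests_match; the pinned reference it prints (repository@sha256:...) is what belongs in a compose file or manifest instead of a mutable tag.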
Since the scanning parameters were added earlier, every change to the data is stored as an extra copy; over time this makes the virtual machine slow, so the Harbor stack is now redeployed:
[root@server1 harbor]# docker-compose stop
[root@server1 harbor]# docker-compose rm
[root@server1 harbor]# ./install.sh --with-chartmuseum
[root@server1 harbor]# docker-compose ps
5. Summary
Learned how a Docker registry works and practiced building a private Docker registry.
- Docker registry subcommands:
docker search: search for images
docker pull: download an image
docker push: upload an image
docker login: log in to a registry
docker logout: log out of a registry