私有仓库搭建 #
为什么需要私有仓库? #
text
┌─────────────────────────────────────────────────────┐
│ 私有仓库优势 │
├─────────────────────────────────────────────────────┤
│ │
│ 1. 安全性 - 镜像存储在内网(内网不等于安全,仍需认证与TLS) │
│ 2. 速度 - 内网传输更快 │
│ 3. 成本 - 不受公共仓库拉取频率限制 │
│ 4. 控制 - 完全自主管理 │
│ 5. 合规 - 满足数据安全要求 │
│ │
└─────────────────────────────────────────────────────┘
Docker Registry #
启动基础Registry #
bash
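# Start a bare Registry. This instance has neither authentication nor TLS, so
# anyone who can reach the port can push, overwrite or delete images. Bind it
# to loopback only until the auth and TLS sections below have been applied.
# (registry:2 is a moving tag; pin a digest for anything beyond a lab.)
docker run -d \
  --name registry \
  -p 127.0.0.1:5000:5000 \
  -v /data/registry:/var/lib/registry \
  registry:2
# Verify the container is running
docker ps --filter name=registry
# Smoke test: the v2 endpoint answers 200 with an empty JSON body
curl -fsS http://localhost:5000/v2/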
配置持久化存储 #
bash
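# Two equivalent ways to persist /var/lib/registry. Pick ONE: both examples use
# --name registry, so the second `docker run` fails with a name conflict unless
# the first container is removed first (docker rm -f registry).
# Still no auth/TLS at this point, hence the loopback binding.
# (a) Docker-managed named volume
docker run -d \
  --name registry \
  -p 127.0.0.1:5000:5000 \
  -v registry-data:/var/lib/registry \
  registry:2
# (b) bind-mounted host directory. It holds every layer blob unencrypted, so
# restrict its permissions to the account that runs the registry host.
docker run -d \
  --name registry \
  -p 127.0.0.1:5000:5000 \
  -v /data/registry:/var/lib/registry \
  registry:2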
配置文件 #
yaml
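# /etc/docker/registry/config.yml
# NOTE: YAML is indentation-sensitive. The nested keys must be indented under
# their parents; flattened to column 0 they turn into unrelated top-level keys
# and the registry either starts with defaults or refuses to start.
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  # Allows DELETE of manifests/blobs through the API. Every authenticated user
  # can then delete, so pair this with an auth section before exposing the port.
  delete:
    enabled: true
http:
  # Listens on all interfaces inside the container; host exposure is controlled
  # by the -p flag of `docker run`.
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
  # No `tls:` block: this file serves plaintext HTTP (see the TLS section).
# No `auth:` block either: the registry is open to anyone who can reach it.
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3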
启动带配置的Registry #
bash
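# Start the Registry with the config file above. The file defines no auth or
# tls sections, so this is still an open, plaintext registry: keep the
# loopback binding until those sections are added. The config is mounted
# read-only so a compromised registry process cannot rewrite it.
docker run -d \
  --name registry \
  -p 127.0.0.1:5000:5000 \
  -v /data/registry:/var/lib/registry \
  -v /etc/docker/registry/config.yml:/etc/docker/registry/config.yml:ro \
  registry:2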
认证配置 #
创建认证文件 #
bash
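# Create the htpasswd file (bcrypt hashes, -B).
mkdir -p /etc/docker/registry/auth
chmod 700 /etc/docker/registry/auth
# Read the password from the terminal and hand it to htpasswd on stdin (-i).
# Do NOT use `-b admin password`: the clear-text password would land in shell
# history, in `ps` output and in `docker inspect` of the helper container.
# (printf is a bash builtin, so the value never appears in any process argv.)
read -rs -p 'Password for registry user admin: ' REGISTRY_PASSWORD; echo
printf '%s\n' "$REGISTRY_PASSWORD" | \
  docker run --rm -i --entrypoint htpasswd httpd:2 -Bni admin \
  > /etc/docker/registry/auth/htpasswd
unset REGISTRY_PASSWORD
# An empty file means htpasswd failed (the redirect creates it regardless).
# Restrict it to the account that runs the registry.
test -s /etc/docker/registry/auth/htpasswd && chmod 600 /etc/docker/registry/auth/htpasswd
# Inspect: contains only "admin:" followed by the bcrypt hash
cat /etc/docker/registry/auth/htpasswd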
启动带认证的Registry #
bash
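# Start the Registry with htpasswd (HTTP Basic) authentication.
# Basic auth sends the password base64-encoded in every request; without TLS it
# is readable on the wire, so keep this plaintext variant on loopback and move
# to the TLS section before the port is reachable from the network.
# htpasswd auth is all-or-nothing: every listed user may push, pull and delete
# in every repository. For per-project permissions use a token service or Harbor.
docker run -d \
  --name registry \
  -p 127.0.0.1:5000:5000 \
  -v /data/registry:/var/lib/registry \
  -v /etc/docker/registry/auth:/auth:ro \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2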
登录私有仓库 #
bash
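# Log in interactively: docker prompts for username and password.
# Never pass -p/--password on the command line (shell history, `ps`).
docker login localhost:5000
# Username: admin
# Password: <not echoed>
# Login Succeeded
#
# Non-interactive (CI) variant: read the secret from stdin, e.g. a mode-600
# file or a secret injected by the CI runner (path below is an example):
# docker login localhost:5000 -u admin --password-stdin < /run/secrets/registry_password
#
# NOTE: by default docker keeps the credentials base64-encoded (not encrypted)
# in ~/.docker/config.json; configure a credential helper/store on shared hosts.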
TLS配置 #
生成自签名证书 #
bash
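# Self-signed certificate for a lab registry. For anything real users reach,
# prefer a certificate from your internal CA or ACME: a self-signed cert has to
# be distributed to every client by hand (see "client configuration").
mkdir -p /etc/docker/registry/certs
# Private key: generate it under umask 077 so it is never world-readable, not
# even briefly (the default umask would create it 0644)
( umask 077 && openssl genrsa -out /etc/docker/registry/certs/domain.key 2048 )
# Certificate. The subjectAltName is mandatory, not optional: Docker's Go TLS
# stack ignores CN and rejects SAN-less certificates ("certificate relies on
# legacy Common Name field"). -addext requires OpenSSL >= 1.1.1.
openssl req -new -x509 -sha256 \
  -key /etc/docker/registry/certs/domain.key \
  -out /etc/docker/registry/certs/domain.crt \
  -days 365 \
  -subj "/CN=registry.example.com" \
  -addext "subjectAltName=DNS:registry.example.com"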
启动HTTPS Registry #
bash
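# Start the Registry on HTTPS. TLS protects the transport only; it does not
# authenticate clients, so this registry is still open to everyone who can
# reach port 443. For a network-exposed registry also enable htpasswd auth
# (the commented lines below, taken from the auth section).
docker run -d \
  --name registry \
  -p 443:443 \
  -v /data/registry:/var/lib/registry \
  -v /etc/docker/registry/certs:/certs:ro \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
# Add to the command above to require authentication as well:
#   -v /etc/docker/registry/auth:/auth:ro \
#   -e REGISTRY_AUTH=htpasswd \
#   -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
#   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \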
客户端配置 #
bash
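# Trust the self-signed certificate on each CLIENT host. On a client that is
# not the registry host, copy domain.crt over first (scp); only the public
# certificate travels — never domain.key.
# /etc/docker/certs.d/<registry-host>/ca.crt scopes the trust to this one
# registry hostname; the file name must end in .crt.
sudo install -D -m 0644 /etc/docker/registry/certs/domain.crt \
  /etc/docker/certs.d/registry.example.com/ca.crt
# Restarting is harmless but usually unnecessary: docker reads certs.d on the
# next connection. (Changes to daemon.json, e.g. insecure-registries, do need it.)
sudo systemctl restart docker
# Log in over TLS; fails with an x509 error if the cert has no matching SAN
docker login registry.example.com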
Harbor企业级仓库 #
Harbor特点 #
text
┌─────────────────────────────────────────────────────┐
│ Harbor特点 │
├─────────────────────────────────────────────────────┤
│ │
│ 1. 基于角色的访问控制 │
│ 2. 镜像漏洞扫描 │
│ 3. 镜像签名验证 │
│ 4. 垃圾回收 │
│ 5. 复制策略 │
│ 6. 图形化管理界面 │
│ 7. 审计日志 │
│ │
└─────────────────────────────────────────────────────┘
安装Harbor #
bash
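# Download the Harbor offline installer. Pin the version on purpose, and check
# the release page for the latest patch release of that minor line.
HARBOR_VERSION=v2.8.0
wget "https://github.com/goharbor/harbor/releases/download/${HARBOR_VERSION}/harbor-offline-installer-${HARBOR_VERSION}.tgz"
# Supply-chain check: the release page publishes a detached .asc signature next
# to the tarball. Import the Harbor release signing key as described in the
# Harbor installation docs first; only unpack when gpg reports a good signature.
wget "https://github.com/goharbor/harbor/releases/download/${HARBOR_VERSION}/harbor-offline-installer-${HARBOR_VERSION}.tgz.asc"
gpg --verify "harbor-offline-installer-${HARBOR_VERSION}.tgz.asc" \
  "harbor-offline-installer-${HARBOR_VERSION}.tgz" \
  && tar xzvf "harbor-offline-installer-${HARBOR_VERSION}.tgz"
cd harbor
# Start from the template; harbor.yml will hold passwords, so keep it private
cp harbor.yml.tmpl harbor.yml
chmod 600 harbor.yml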
配置harbor.yml #
yaml
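# harbor.yml
# NOTE: YAML is indentation-sensitive. The nested keys must be indented under
# their parents; flattened to column 0 the prepare step reads them as unrelated
# top-level keys (http: null, port: 80, ...).
hostname: harbor.example.com
# Plain-HTTP listener; with https enabled Harbor redirects requests to it.
http:
  port: 80
https:
  port: 443
  # Cert/key from the TLS section. The cert needs a SAN for harbor.example.com
  # (Docker rejects CN-only certs); keep the key mode 600.
  certificate: /etc/docker/registry/certs/domain.crt
  private_key: /etc/docker/registry/certs/domain.key
# Initial admin password. The template default "Harbor12345" is public and the
# first thing scanners try — set a unique value. It is only applied on the
# first start; later changes go through the UI/API.
harbor_admin_password: <set-a-strong-unique-password>
database:
  # Password of the bundled PostgreSQL; same rule, never keep the template default
  password: <set-a-strong-unique-password>
  max_idle_conns: 100
  max_open_conns: 900
# Blobs, database, redis and logs all live here: back it up and restrict its
# permissions to the Harbor host account
data_volume: /data/harbor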
安装启动 #
bash
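# Install (run from the unpacked harbor/ directory that holds harbor.yml).
# The vulnerability scanner listed under "Harbor features" is opt-in:
#   ./install.sh --with-trivy      (see ./install.sh --help for all options)
./install.sh
# Start / stop the stack (compose file generated by install.sh / prepare)
docker-compose up -d
docker-compose down
# After editing harbor.yml: regenerate the service configs, then restart
./prepare
docker-compose up -d
# Confirm every Harbor service reports healthy before pointing clients at it
docker-compose ps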
Harbor使用 #
bash
# Authenticate against Harbor (interactive prompt; the credentials are kept in
# ~/.docker/config.json afterwards)
docker login harbor.example.com
# Harbor only accepts pushes into a project that already exists: create
# "project" in the UI/API first and give this user a role that may push.
docker image tag myapp:v1.0 harbor.example.com/project/myapp:v1.0
# Upload the image into the project
docker image push harbor.example.com/project/myapp:v1.0
# Download it again (pull access is governed by the project's visibility/roles)
docker image pull harbor.example.com/project/myapp:v1.0
镜像仓库操作 #
推送镜像 #
bash
# Re-tag a local image under the registry host:port prefix
docker image tag nginx:alpine localhost:5000/nginx:alpine
# Upload it. localhost is in Docker's default insecure-registry set, so plain
# HTTP is accepted here; a remote HTTP registry would require an
# insecure-registries entry in daemon.json — avoid that and use TLS instead.
docker image push localhost:5000/nginx:alpine
拉取镜像 #
bash
# Download the image from the private registry
docker image pull localhost:5000/nginx:alpine
查看仓库镜像 #
bash
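# List repositories (plain HTTP: only acceptable on the loopback-bound lab registry)
curl -sS http://localhost:5000/v2/_catalog
# List the tags of one repository
curl -sS http://localhost:5000/v2/nginx/tags/list
# With authentication: give only the user name, curl prompts for the password,
# so it never appears in argv (`ps`) or shell history as `-u admin:password` would.
curl -sS -u admin http://localhost:5000/v2/_catalog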
删除镜像 #
bash
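# Get the manifest digest. HEAD returns it in the Docker-Content-Digest header.
# The digest reported depends on the Accept header matching the stored manifest
# type, so both the Docker schema2 and the OCI media type are listed.
# (Add -u admin to both curl calls when htpasswd auth is enabled.)
digest=$(curl -sSI \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json" \
  http://localhost:5000/v2/nginx/manifests/alpine \
  | awk 'tolower($1) == "docker-content-digest:" { print $2 }' | tr -d '\r')
printf 'digest: %s\n' "$digest"
# Delete the manifest by digest (needs storage.delete.enabled: true). This only
# unlinks the manifest; the blobs stay on disk until garbage collection runs.
curl -sS -X DELETE "http://localhost:5000/v2/nginx/manifests/${digest:?no digest found}"
# Reclaim space. GC must not run against a live, writable registry (a push
# racing with GC can reference blobs GC just removed): stop it, collect, restart.
docker stop registry
docker run --rm -v /data/registry:/var/lib/registry \
  registry:2 garbage-collect /etc/docker/registry/config.yml
docker start registry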
仓库维护 #
垃圾回收 #
bash
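# Garbage collection deletes blobs that no manifest references any more.
# Prerequisite in config.yml (this is YAML, not shell — keep it out of scripts):
#   storage:
#     delete:
#       enabled: true
# Never run GC against a live, writable registry: a push that races with GC can
# end up referencing blobs GC just removed. Either stop the registry (below) or
# restart it read-only first (REGISTRY_STORAGE_MAINTENANCE_READONLY_ENABLED=true).
docker stop registry
# Dry run first: lists what would be removed, deletes nothing
docker run --rm -v /data/registry:/var/lib/registry \
  registry:2 garbage-collect --dry-run /etc/docker/registry/config.yml
# Real run. Uses the image's default config; mount your own config.yml (and
# use the named volume instead of /data/registry if that is what you chose).
docker run --rm -v /data/registry:/var/lib/registry \
  registry:2 garbage-collect /etc/docker/registry/config.yml
docker start registry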
备份恢复 #
bash
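# Back up the data directory. Take it while the registry is stopped (or in
# read-only mode) so manifests and blobs are consistent. The archive contains
# every layer unencrypted: store and transfer it with the same care as the
# registry itself (mode 600, encrypted at rest).
docker stop registry
tar czf registry-backup.tar.gz /data/registry
docker start registry
# Restore: stop the registry first so nothing writes while files are replaced.
# GNU tar stripped the leading "/" on creation, so -C / recreates /data/registry.
docker stop registry
tar xzf registry-backup.tar.gz -C /
docker start registry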
监控 #
bash
# Disk usage of the storage root inside the container
docker exec registry df -h /var/lib/registry
# Log output so far (access logs typically carry client IPs and user names —
# treat them as sensitive when shipping to a log store)
docker container logs registry
# Stream new log lines as they arrive
docker container logs --follow registry
小结 #
本节学习了私有Docker仓库的搭建:
- Docker Registry基础配置
- 认证和TLS配置
- Harbor企业级仓库
- 镜像仓库操作
- 仓库维护管理
下一步 #
接下来,让我们学习 镜像推送与拉取,了解镜像分发的详细操作。