- podman mirror accelerator && Harbor
- podman mirror configuration
- Harbor
- Harbor overview
- Harbor features
- Docker compose
- Harbor deployment
podman mirror accelerator && Harbor
podman mirror configuration
Configure the registry mirror; no restart is needed, it takes effect immediately.
centos8:
[root@localhost ~]# vi /etc/containers/registries.conf
[[registry]]
prefix="docker.io"
location="pvurwzu6.mirror.aliyuncs.com"
centos7:
[root@localhost ~]# vi /etc/containers/registries.conf
[[docker.io]]
location="pvurwzu6.mirror.aliyuncs.com"
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d oci policy.json registries.conf registries.conf.d registries.d storage.conf
[root@localhost containers]# vi registries.conf
··············
[registries.search]
registries = ["docker.io"]
··············
//Pull an image
[root@localhost ~]# podman pull nginx
Trying to pull docker.io/library/nginx:latest... //resolved against docker.io by default
Getting image source signatures
Copying blob 21e0df283cd6 done
Copying blob e5ae68f74026 done
Copying blob ed835de16acd done
Copying blob 77700c52c969 done
Copying blob 881ff011f1c9 done
Copying blob 44be98c0fab6 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
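The page writes the mirror as a remap (`prefix="docker.io"` with the mirror as `location`), which sends every docker.io pull to the mirror with no fallback. The added script below, which is not from the page or the containers project, writes the same mirror in the `[[registry.mirror]]` form of the v2 registries.conf format (containers-registries.conf(5)): Podman tries the mirror first and falls back to docker.io if it is unreachable. It assumes the mirror hostname from the page and a registries.conf path passed on the command line; the check for `insecure = true` is there because that key turns off TLS verification for the registry it is set on.

```shell
#!/bin/sh
# Added example: idempotently add a docker.io mirror to a v2 registries.conf
# and report whether any registry is marked insecure. Not part of the page.
MIRROR_HOST="pvurwzu6.mirror.aliyuncs.com"   # mirror hostname taken from the page

# add_docker_io_mirror FILE MIRROR: append the mirror block once; a second
# run with the same mirror is a no-op so config management can re-apply it.
add_docker_io_mirror() {
    file="$1"; mirror="$2"
    if grep -Fq "location = \"$mirror\"" "$file" 2>/dev/null; then
        echo "mirror $mirror already configured in $file"
        return 0
    fi
    cat >> "$file" <<EOF

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "$mirror"
EOF
    echo "added mirror $mirror to $file"
}

# count_mirror_entries FILE: number of [[registry.mirror]] tables in the file.
count_mirror_entries() {
    grep -c '^\[\[registry\.mirror\]\]' "$1" | tr -d ' '
}

# count_insecure_entries FILE: number of 'insecure = true' lines; each one
# disables TLS verification for the registry or mirror block it belongs to.
count_insecure_entries() {
    grep -c '^[[:space:]]*insecure[[:space:]]*=[[:space:]]*true' "$1" | tr -d ' '
}

# Usage: sh mirror.sh /etc/containers/registries.conf [mirror-host]
if [ $# -ge 1 ]; then
    add_docker_io_mirror "$1" "${2:-$MIRROR_HOST}"
    echo "mirror blocks: $(count_mirror_entries "$1"), insecure blocks: $(count_insecure_entries "$1")"
fi
```

After editing, `podman pull docker.io/library/nginx` still reports `Trying to pull docker.io/library/nginx:latest...`, but the blobs are fetched from the mirror when it answers; the page's remap form would instead show the mirror host in that line.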
Harbor
Whether we self-host a registry with Docker-distribution or by running the official registry image as a container, the earlier demonstrations showed that both are very bare-bones, less convenient even than managing images directly on the official Docker Hub. At a minimum, Docker Hub offers a web UI for managing images, lets you search from that UI, and can build images automatically from a Dockerfile through Webhooks and Automated Builds: the user does not run docker build locally but pushes the whole build context as a repository to GitHub, from which Docker Hub pulls the files and performs the build.
But no matter how capable the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck, and much of the time using the official registry is simply not an option. Yet the two self-hosting approaches above are too rudimentary and hard to manage. Out of this came a project favoured by the CNCF: Harbor.
Harbor overview
Harbor was built by VMware as a second layer on top of Docker Registry, adding many extra components and a very polished web UI.
Harbor is an open-source, trusted, cloud-native registry project for storing images, managing users and searching images.
Harbor extends the open-source Docker Distribution by adding the functionality users usually need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity monitoring and replication between instances.
Harbor features
- Multi-tenant content signing and verification
- Security and vulnerability analysis
- Audit logging
- Identity integration and role-based access control
- Image replication between instances
- Extensible API and graphical UI
- Internationalization (currently Chinese and English)
Docker compose
Deploying Harbor directly on a physical machine is hard, so to simplify things the Harbor project ships Harbor as an application that runs in containers. Those containers in turn depend on several storage systems such as redis, mysql and pgsql, so many containers have to be orchestrated to work together; deploying and running VMware Harbor therefore relies on Docker's single-host orchestration.
Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services; then, with a single command, you create and start all the services from that configuration.
Docker Compose official documentation
Harbor deployment
Harbor official documentation
[root@node3 bin]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@node3 bin]# pwd
/usr/local/bin
[root@node3 bin]# ls
docker-compose
Apply execute permission to the binary:
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose
[root@node3 ~]# wget https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz
[root@node3 ~]# ls
anaconda-ks.cfg grafana-enterprise-8.2.5-1.x86_64.rpm
harbor-offline-installer-v2.3.5.tgz
[root@node3 ~]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@node3 ~]# cd /usr/local/
[root@node3 local]# ls
bin etc games harbor include lib lib64 libexec sbin share src
[root@node3 local]# cd harbor/
[root@node3 harbor]# ls
common.sh harbor.yml.tmpl LICENSE
harbor.v2.3.5.tar.gz install.sh prepare
[root@node3 harbor]# hostnamectl set-hostname registry.example.com
[root@node3 harbor]# bash
[root@registry harbor]# vim /etc/hosts
[root@registry harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.136.142 registry.example.com
//Add the same name mapping on another host and verify it resolves
[root@node2 ~]# vim /etc/hosts
[root@node2 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.136.142 registry.example.com
[root@node2 ~]# ping registry.example.com
PING registry.example.com (192.168.136.142) 56(84) bytes of data.
64 bytes from registry.example.com (192.168.136.142): icmp_seq=1 ttl=64 time=0.552 ms
64 bytes from registry.example.com (192.168.136.142): icmp_seq=2 ttl=64 time=0.254 ms
64 bytes from registry.example.com (192.168.136.142): icmp_seq=3 ttl=64 time=0.336 ms
//On the server
[root@registry harbor]# cp harbor.yml.tmpl harbor.yml
[root@registry harbor]# ls
common.sh harbor.yml install.sh prepare
harbor.v2.3.5.tar.gz harbor.yml.tmpl LICENSE
[root@registry harbor]# vim harbor.yml
hostname: registry.example.com
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
#https:
  # https port for harbor, default is 443
#  port: 443
  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
//Comment out the https lines above that are not already commented
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345 #admin password
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123 #database password
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100 #maximum idle connections: 100
..............................................
of harbor.
  max_open_conns: 900 #maximum open connections: 900
# The default data volume
data_volume: /data #data is stored under /data
······················
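The harbor.yml above keeps the shipped admin password, the shipped database password and a commented-out https block, which is exactly the state the template warns about and what later forces `insecure-registries` on every client. The added pre-install check below is not from the page or the Harbor project; it greps the keys used on the page (`hostname`, `harbor_admin_password`, `database.password`, `https:`) and refuses the file until they are changed. The two embedded sample files are constructed for the test: one mirrors the page's configuration, the other a hardened copy whose certificate paths and passwords are placeholders.

```shell
#!/bin/sh
# Added example: pre-install sanity check for harbor.yml. Not Harbor's own code.
# harbor_findings FILE: print one FINDING line per weak setting, always exit 0.
harbor_findings() {
    f="$1"
    grep -Eq '^[[:space:]]*harbor_admin_password:[[:space:]]*Harbor12345' "$f" \
        && echo "FINDING: harbor_admin_password is still the shipped default"
    grep -Eq '^[[:space:]]*password:[[:space:]]*root123' "$f" \
        && echo "FINDING: database password is still the shipped default"
    grep -Eq '^[[:space:]]*https:' "$f" \
        || echo "FINDING: https block is commented out; every client would need insecure-registries"
    grep -Eq '^[[:space:]]*hostname:[[:space:]]*(localhost|127\.0\.0\.1)' "$f" \
        && echo "FINDING: hostname must be a name or IP that clients can reach, not localhost"
    return 0
}

# check_harbor_yml FILE: exit 0 only when there are no findings.
check_harbor_yml() {
    n=$(harbor_findings "$1" | wc -l | tr -d ' ')
    echo "$n finding(s) in $1"
    [ "$n" -eq 0 ]
}

# Constructed sample: the configuration as it appears on the page.
write_sample_page_config() {
    cat > "$1" <<'EOF'
hostname: registry.example.com
http:
  port: 80
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
EOF
}

# Constructed sample: the same file after hardening (placeholder paths/passwords).
write_sample_hardened_config() {
    cat > "$1" <<'EOF'
hostname: registry.example.com
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/certs/registry.example.com.crt
  private_key: /etc/harbor/certs/registry.example.com.key
harbor_admin_password: PLACEHOLDER-long-random-admin-secret
database:
  password: PLACEHOLDER-long-random-db-secret
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
EOF
}

# Usage: sh harbor-preflight.sh /usr/local/harbor/harbor.yml  (exit 1 on findings)
if [ $# -gt 0 ]; then
    harbor_findings "$1"
    check_harbor_yml "$1"
fi
```

Run it against harbor.yml before `./install.sh`; a non-zero exit is the signal to fix the file rather than to proceed and change the password "from UI after launching", which leaves a window where the default credentials are live on port 80.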
//Install
** Things to check before installing
[root@registry harbor]# systemctl start docker
[root@registry harbor]# systemctl enable docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
[root@registry harbor]# systemctl status firewall
Unit firewall.service could not be found.
[root@registry harbor]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vend>
Active: inactive (dead)
Docs: man:firewalld(1)
[root@registry harbor]# setenforce 0
setenforce: SELinux is disabled
[root@registry harbor]# ./install.sh
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating registry ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
//Images loaded by the installer
[root@registry harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.3.5 1730c6f650e2 5 days ago 81.9MB
goharbor/chartmuseum-photon v2.3.5 47004f032938 5 days ago 179MB
goharbor/redis-photon v2.3.5 3d0cedc89a0d 5 days ago 156MB
goharbor/trivy-adapter-photon v2.3.5 5c0212e98070 5 days ago 133MB
goharbor/notary-server-photon v2.3.5 f20a76c65359 5 days ago 111MB
goharbor/notary-signer-photon v2.3.5 b9fa38eef4d7 5 days ago 108MB
goharbor/harbor-registryctl v2.3.5 7a52567a76ca 5 days ago 133MB
goharbor/registry-photon v2.3.5 cf22d3e386b8 5 days ago 82.6MB
goharbor/nginx-photon v2.3.5 5e3b6d9ce11a 5 days ago 45.7MB
goharbor/harbor-log v2.3.5 a03e4bc963d6 5 days ago 160MB
goharbor/harbor-jobservice v2.3.5 2ac32df5a2e0 5 days ago 211MB
goharbor/harbor-core v2.3.5 23baee01156f 5 days ago 193MB
goharbor/harbor-portal v2.3.5 bb545cdedf5a 5 days ago 58.9MB
goharbor/harbor-db v2.3.5 9826c57a5749 5 days ago 221MB
goharbor/prepare v2.3.5 a1ceaabe47b2 5 days ago 255MB
[root@registry harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:3000 *:*
Log in to the Harbor management UI using the server IP.
The username and password are the ones set in the configuration file above.


Install the Docker service on the client
//Install docker
[root@node2 ~]# cd /etc/yum.repos.d/
[root@node2 yum.repos.d]# curl -o docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 1919 100 1919 0 0 3360 0 --:--:-- --:--:-- --:--:-- 3360
[root@node2 yum.repos.d]# ls
CentOS-Linux-AppStream.repo CentOS-Linux-HighAvailability.repo
CentOS-Linux-BaseOS.repo CentOS-Linux-Media.repo
CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Plus.repo
CentOS-Linux-Debuginfo.repo CentOS-Linux-PowerTools.repo
CentOS-Linux-Devel.repo CentOS-Linux-Sources.repo
CentOS-Linux-Extras.repo docker-ce.repo
CentOS-Linux-FastTrack.repo salt.repo
[root@node2 yum.repos.d]# sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' docker-ce.repo
[root@node2 yum.repos.d]# yum -y install docker-ce
[root@node2 yum.repos.d]# sudo mkdir -p /etc/docker
[root@node2 yum.repos.d]# cd
[root@node2 ~]# sudo tee /etc/docker/daemon.json <<-'EOF'
> {
> "registry-mirrors": ["https://pvurwzu6.mirror.aliyuncs.com"]
> }
> EOF
{
"registry-mirrors": ["https://pvurwzu6.mirror.aliyuncs.com"]
}
[root@node2 ~]# systemctl daemon-reload
[root@node2 ~]# systemctl restart docker
//Edit daemon.json
[root@node2 ~]# vim /etc/docker/daemon.json
[root@node2 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["registry.example.com"]
}
[root@node2 ~]# systemctl restart docker
//Log in to the private registry
[root@node2 ~]# docker login registry.example.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
//Pull an image; this one still comes from the official registry
[root@node2 ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
3cb635b06aa2: Pull complete
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
//Retag it for the private registry
[root@node2 ~]# docker tag busybox:latest registry.example.com/library/busybox:0.1
[root@node2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 7 days ago 1.24MB
registry.example.com/library/busybox 0.1 ffe9d497c324 7 days ago 1.24MB
//Push the image
[root@node2 ~]# docker push registry.example.com/library/busybox:0.1
The push refers to repository [registry.example.com/library/busybox]
64cac9eaf0da: Pushed
0.1: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527
Check it in the server's web UI

Delete the local copy and pull it back from the private registry
[root@node2 ~]# docker rmi registry.example.com/library/busybox:0.1
Untagged: registry.example.com/library/busybox:0.1
Untagged: registry.example.com/library/busybox@sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9
[root@node2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 7 days ago 1.24MB
[root@node2 ~]# docker pull registry.example.com/library/busybox:0.1
0.1: Pulling from library/busybox
Digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9
Status: Downloaded newer image for registry.example.com/library/busybox:0.1
registry.example.com/library/busybox:0.1
[root@node2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 7 days ago 1.24MB
registry.example.com/library/busybox 0.1 ffe9d497c324 7 days ago 1.24MB
//Very fast
Notes on using Harbor:
- When pushing images from a client, always run docker login to authenticate first; otherwise the push fails.
- If the client is not using https, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json.
- The data path should be configured, in the config file, to shared storage with plenty of capacity.
- Harbor is managed with the docker-compose command; to stop Harbor, also use docker-compose stop. For other options see --help.
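The push output above ends with a manifest digest (`0.1: digest: sha256:50e4…`) and the pull from the private registry prints the same digest, which is the check that the image came back unchanged. The added script below, not from the page or Docker, extracts those digests from the page's own push and pull output (embedded here as constructed samples so it runs offline), compares them, and builds an `@sha256:` reference so deployments can pin the image instead of trusting the mutable `0.1` tag. The `pinned_reference` helper is an assumption of this example: it strips the last `:tag` segment of a reference, so it expects a tagged reference as input.

```shell
#!/bin/sh
# Added example: verify push/pull digests and derive a digest-pinned reference.
# Not part of the page; sample output below is copied from the page's session.
PUSH_OUTPUT='The push refers to repository [registry.example.com/library/busybox]
64cac9eaf0da: Pushed
0.1: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527'

PULL_OUTPUT='0.1: Pulling from library/busybox
Digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9
Status: Downloaded newer image for registry.example.com/library/busybox:0.1
registry.example.com/library/busybox:0.1'

# extract_digest OUTPUT: print the first sha256 manifest digest in docker output.
extract_digest() {
    printf '%s\n' "$1" | grep -Eo 'sha256:[0-9a-f]{64}' | head -n 1
}

# digests_match PUSH_OUTPUT PULL_OUTPUT: exit 0 only when both carry the same
# non-empty digest, i.e. the registry returned exactly what was pushed.
digests_match() {
    a=$(extract_digest "$1"); b=$(extract_digest "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# pinned_reference TAGGED_REF DIGEST: replace the mutable tag with the digest,
# e.g. registry.example.com/library/busybox:0.1 -> .../busybox@sha256:...
pinned_reference() {
    printf '%s@%s\n' "${1%:*}" "$2"
}

# Usage: sh verify-digest.sh --demo  (runs on the embedded sample output)
if [ "${1:-}" = "--demo" ]; then
    if digests_match "$PUSH_OUTPUT" "$PULL_OUTPUT"; then
        echo "push and pull digests match"
        echo "pin with: $(pinned_reference registry.example.com/library/busybox:0.1 "$(extract_digest "$PUSH_OUTPUT")")"
    else
        echo "digest mismatch: the registry did not return the image that was pushed" >&2
        exit 1
    fi
fi
```

In practice the two outputs would come from `docker push` and `docker pull` redirected to files; a mismatch means a tag was overwritten between the two operations or the registry served different content, and the pinned reference is what to put in compose files or Kubernetes manifests.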
