[docker] Managing Docker image registries

A Docker registry (Docker Registry) is a centralized store for keeping and distributing Docker images. It works like a large image warehouse: developers can push the images they build to it and pull the images they need from it.

Docker registries come in two kinds, public and private:

Public registries, such as Docker Hub, can be accessed and used by anyone. Many common software packages and applications publish images on Docker Hub, so users can obtain and run them directly. For example, if you want to deploy an Nginx server, you can pull the Nginx image from Docker Hub.

Private registries are set up and managed by an organization or an individual to hold images for internal use that should not be public. For example, a company builds customized images for its own business applications and stores them in its private registry to keep them secure and to control who can access them.

Through a Docker registry, developers can share and reuse images easily, which speeds up application development and deployment.

Building a private Docker registry

1. Pull the registry image

```console
[root@docker ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
930bdd4d222e: Pull complete
a15309931e05: Pull complete
6263fb9c821f: Pull complete
86c1d3af3872: Pull complete
a37b1bf6a96f: Pull complete
Digest: sha256:12120425f07de11a1b899e418d4b0ea174c8d4d572d45bdb640f93bc7ca06a3d
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
```

2. Start the registry

```console
[root@docker ~]# docker run -d -p 5000:5000 --restart=always --name registry registry
bc58d3753a701ae67351fac335b06a4d7f66afa10ae60b992f647117827734c5
[root@docker ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                                                 NAMES
bc58d3753a70   registry   "/entrypoint.sh /etc…"   7 seconds ago   Up 6 seconds   5000/tcp, 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   registry
```

3. Push an image to the registry

```console
# Tag the image to be uploaded with the registry address
[root@docker ~]# docker tag busybox:latest 172.25.254.100:5000/busybox:latest

# Docker uses HTTPS by default when pushing, but we have not created the
# certificate files that HTTPS needs, so the push fails
[root@docker ~]# docker push 172.25.254.100:5000/busybox:latest
The push refers to repository [172.25.254.100:5000/busybox]
Get "https://172.25.254.100:5000/v2/": dial tcp 172.25.254.100:5000: connect: connection refused

# Allow plain HTTP for this registry. Entries are host[:port] or a CIDR with no
# scheme prefix; this only makes sense on a trusted lab network, the next section adds TLS
[root@docker ~]# vim /etc/docker/daemon.json
{
  "insecure-registries" : ["172.25.254.100:5000"]
}
[root@docker ~]# systemctl restart docker

# Push the image
[root@docker ~]# docker push 172.25.254.100:5000/busybox:latest
The push refers to repository [172.25.254.100:5000/busybox]
d51af96cf93e: Pushed
latest: digest: sha256:28e01ab32c9dbcbaae96cf0d5b472f22e231d9e603811857b295e61197e40a9b size: 527

# Check that the image was uploaded
[root@docker ~]# curl 172.25.254.100:5000/v2/_catalog
{"repositories":["busybox"]}
```



Enabling encrypted (TLS) transport for the registry

```console
# Generate the private key and a self-signed certificate (the certs/ directory
# must exist first). The subjectAltName must match the hostname clients will use.
[root@docker ~]# openssl req -newkey rsa:4096 \
    -nodes -sha256 -keyout certs/timinglee.org.key \
    -addext "subjectAltName = DNS:reg.timinglee.org" \
    -x509 -days 365 -out certs/timinglee.org.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:timinglee
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:reg.timinglee.org
Email Address []:admin@timinglee.org

# Start the registry with TLS. The container from the previous section still owns
# the name "registry", so remove it first (docker rm -f registry) or the run fails
[root@docker ~]# docker run -d -p 443:443 --restart=always --name registry \
> -v /opt/registry:/var/lib/registry \
> -v /root/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/timinglee.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/timinglee.org.key registry
```


Testing:

```console
# Install the certificate on the client so the Docker daemon trusts the registry.
# This assumes reg.timinglee.org resolves to the registry host (for example via
# /etc/hosts) and that the image has been tagged reg.timinglee.org/busybox:latest
[root@docker docker]# mkdir /etc/docker/certs.d/reg.timinglee.org/ -p
[root@docker docker]# cp /root/certs/timinglee.org.crt /etc/docker/certs.d/reg.timinglee.org/ca.crt
[root@docker docker]# systemctl restart docker
[root@docker docker]# docker push reg.timinglee.org/busybox:latest
The push refers to repository [reg.timinglee.org/busybox]
d51af96cf93e: Pushed
latest: digest: sha256:28e01ab32c9dbcbaae96cf0d5b472f22e231d9e603811857b295e61197e40a9b size: 527

# -k skips certificate verification; passing --cacert /root/certs/timinglee.org.crt
# instead lets curl verify the self-signed certificate
[root@docker docker]# curl -k https://reg.timinglee.org/v2/_catalog
{"repositories":["busybox"]}
```


Setting up login authentication for the registry

```console
[root@docker docker]# dnf install httpd-tools -y

# Create the password file. -B selects bcrypt, the strongest hashing scheme
# htpasswd offers; the default is MD5-based. The registry's htpasswd backend
# only accepts bcrypt entries, so -B is required, not optional
[root@docker ~]# mkdir auth
[root@docker ~]# htpasswd -Bc auth/htpasswd timinglee
New password:
Re-type new password:
Adding password for user timinglee

# Start the registry container with authentication enabled (remove the previous
# "registry" container first, as above)
[root@docker ~]# docker run -d -p 443:443 --restart=always --name registry \
> -v /opt/registry:/var/lib/registry \
> -v /root/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/timinglee.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/timinglee.org.key \
> -v /root/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry

[root@docker ~]# curl -k https://reg.timinglee.org/v2/_catalog -u timinglee:lee
{"repositories":["busybox","nginx"]}

# Login test
[root@docker ~]# docker login reg.timinglee.org
Username: timinglee
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

Login Succeeded
```
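Because the registry silently ignores any htpasswd entry that is not bcrypt, a file created without `-B` produces logins that fail for no obvious reason. The following checker is an added example (not part of the original post or the registry project): it parses an htpasswd file, names the hash scheme of each entry and flags entries the registry will not accept; the sample entries and the minimum cost policy are constructed for illustration.

```python
import re

# bcrypt entries look like $2y$10$<22-char salt><31-char hash>; group 1 is the cost.
_BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 10  # assumed policy: lower work factors are flagged as weak

def classify(hash_field):
    """Name the hashing scheme used by one htpasswd hash field."""
    if hash_field.startswith("$apr1$"):
        return "md5"              # htpasswd default (no -B)
    if hash_field.startswith("{SHA}"):
        return "sha1"             # htpasswd -s
    if _BCRYPT.match(hash_field):
        return "bcrypt"           # htpasswd -B, the only form the registry accepts
    return "crypt_or_unknown"

def check_htpasswd(text):
    """Parse htpasswd content; return (user, scheme, problems) for each entry."""
    results, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            results.append((f"line {lineno}", "invalid", ["missing ':' separator"]))
            continue
        user, hash_field = line.split(":", 1)
        scheme, problems = classify(hash_field), []
        if scheme != "bcrypt":
            problems.append("registry requires bcrypt; rehash with htpasswd -B")
        elif int(_BCRYPT.match(hash_field).group(1)) < MIN_BCRYPT_COST:
            problems.append(f"bcrypt cost below {MIN_BCRYPT_COST}")
        if user in seen:
            problems.append("duplicate user")
        seen.add(user)
        results.append((user, scheme, problems))
    return results

# Constructed sample file: the hash strings are synthetic, not real credentials.
SAMPLE = """timinglee:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
weak:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:$apr1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV
"""

if __name__ == "__main__":
    for user, scheme, problems in check_htpasswd(SAMPLE):
        print(f"{user}: {scheme} {'; '.join(problems) or 'ok'}")
```

Run it against `/root/auth/htpasswd` before starting the container: every entry should report `bcrypt` with no problems.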


Once authentication is enabled on the registry, you must log in before you can push images.

```console
# Pushing an image without logging in
[root@docker ~]# docker push reg.timinglee.org/busybox
Using default tag: latest
The push refers to repository [reg.timinglee.org/busybox]
d51af96cf93e: Preparing
no basic auth credentials

# Pulling is also refused without logging in
[root@docker-node2 ~]# docker pull reg.timinglee.org/busybox
Using default tag: latest
Error response from daemon: Head "https://reg.timinglee.org/v2/busybox/manifests/latest": no basic auth credentials
```
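The `curl` checks in the TLS and authentication sections above can be scripted without `-k`. This added example (not code from the original post or the registry project) queries the registry v2 API with a TLS context pinned to the self-signed certificate, sends the same Basic credential that `curl -u` does, turns the 401 "no basic auth credentials" response into an explicit error, and verifies that the `Docker-Content-Digest` a registry returns really is the sha256 of the manifest bytes. `REGISTRY`, `CA_FILE` and the credentials are assumed lab values.

```python
import base64
import hashlib
import json
import ssl
import urllib.error
import urllib.request

# Assumed values for the lab in this post; adjust to your registry.
REGISTRY = "https://reg.timinglee.org"
CA_FILE = "/root/certs/timinglee.org.crt"  # the self-signed cert created above
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

def auth_header(user, password):
    """Basic auth header, the same credential that curl -u sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def make_fetcher(ca_file=CA_FILE, user=None, password=""):
    """fetch(url) -> (status, headers, body) over TLS pinned to ca_file.
    Trusting ca_file replaces curl -k: hostname and chain are verified."""
    ctx = ssl.create_default_context(cafile=ca_file)
    headers = {"Accept": MANIFEST_V2}
    if user:
        headers.update(auth_header(user, password))

    def fetch(url):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as e:  # 401 when a login is required
            return e.code, e.headers, e.read()
    return fetch

def manifest_digest(body):
    """A registry digest is the sha256 of the exact manifest bytes served."""
    return "sha256:" + hashlib.sha256(body).hexdigest()

def list_repositories(fetch):
    status, _, body = fetch(REGISTRY + "/v2/_catalog")
    if status == 401:
        raise PermissionError("no basic auth credentials: log in first")
    return json.loads(body)["repositories"]

def verify_manifest(fetch, repo, tag):
    """Return (digest, ok): ok when Docker-Content-Digest matches the body hash."""
    status, headers, body = fetch(f"{REGISTRY}/v2/{repo}/manifests/{tag}")
    if status != 200:
        raise RuntimeError(f"HTTP {status} for {repo}:{tag}")
    claimed = headers.get("Docker-Content-Digest", "")
    return claimed, claimed == manifest_digest(body)
```

Typical use is `fetch = make_fetcher(user="timinglee", password="lee")` followed by `list_repositories(fetch)` and `verify_manifest(fetch, "busybox", "latest")`; a mismatch in the second result means the manifest was altered in transit or on disk.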

Building an enterprise-grade private registry (Harbor)

```console
[root@docker ~]# tar zxf harbor-offline-installer-v2.5.4.tgz
[root@docker ~]# ls
anaconda-ks.cfg  auth  certs  harbor  harbor-offline-installer-v2.5.4.tgz
[root@docker ~]# cd harbor/
[root@docker harbor]# cp harbor.yml.tmpl harbor.yml
[root@docker harbor]# vim harbor.yml
hostname: reg.timinglee.org
# the certificate paths must point to where the files actually are; the earlier
# steps wrote them to /root/certs, so copy them or adjust the paths
certificate: /data/certs/timinglee.org.crt
private_key: /data/certs/timinglee.org.key
harbor_admin_password: lee
[root@docker harbor]# ./install.sh --help
Please set --with-notary          # content signing (Notary)
Please set --with-trivy           # vulnerability scanning (Trivy)
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@docker harbor]# ./install.sh --with-chartmuseum

# Manage the Harbor containers
[root@docker harbor]# docker compose stop
[root@docker harbor]# docker compose up -d
```


Test page: the Harbor web UI at https://reg.timinglee.org (the screenshot is not reproduced here).
