Docke構(gòu)建私有Registry
1. 啟動(dòng)registry
docker run -d -p 5000:5000 --restart=always --name="registry" -v /data/registry:/var/lib/registry registry
2. 修改配置文件
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://68rmyzg7.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.105:5000"]
}
修改完重啟docker
3. 制作本地鏡像并push到registry
上傳鏡像需要把鏡像名改成標(biāo)準(zhǔn)格式
registry服務(wù)地址:服務(wù)端口號(hào)/用戶名/項(xiàng)目名:版本號(hào)
192.168.1.105:5000/jiuyangperp/nginx:v1
docker tar nginx:latest 192.168.1.105:5000/jiuyangperp/nginx:v1
docker push 192.168.1.105:5000/jiuyangperp/nginx:v1
4. 異地pull鏡像
docker pull 192.168.1.105:5000/jiuyangperp/nginx:v1
5. 本地倉庫加安全認(rèn)證
生成密碼:
yum install http-tools -y
mkdir /opt/registry-auth/ -p
htpasswd -Bbn admin jiuyang1205 > /opt/registry-auth/htpasswd
6. 重新啟動(dòng)帶有密鑰功能的registry容器
docker rm registry
docker -d -p 5000:5000 -v /opt/registry-auth/:/auth/ -v /data/registry:/var/lib/registry --name="registry-auth" -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry
7. push鏡像捐晶,需要進(jìn)行登錄
docker login 192.168.1.105:5000
Username:
Password:
harbor實(shí)現(xiàn)圖形化私有鏡像倉庫
Harbor是一個(gè)用于存儲(chǔ)和分發(fā)Docker鏡像的企業(yè)級(jí)Registry服務(wù)器,通過添加一些企業(yè)必須的功能特性,例如安全、標(biāo)識(shí)和管理等拆魏,擴(kuò)展了開源Docker Distribution酸钦。作為一個(gè)企業(yè)級(jí)私有Registry服務(wù)器,Harbor提供了更好的性能和安全夫偶。提升用戶 使用Registry構(gòu)建和運(yùn)行環(huán)境傳輸鏡像的效率蛉拙。Harbor支持安裝在多個(gè)Registry節(jié)點(diǎn)的鏡像資源復(fù)制尸闸,鏡像全部保存在私有Registry中,確保數(shù)據(jù)和知識(shí)產(chǎn)權(quán)在公司內(nèi)部網(wǎng)絡(luò)中管控。另外室叉,Harbor也提供了高級(jí)的安全特性睹栖,諸如用戶管理,訪問控制和活動(dòng)審計(jì)等茧痕。
- 基于角色的訪問控制—用戶與Docker鏡像倉庫通過“項(xiàng)目”進(jìn)行組織管理,一個(gè)用戶可以對(duì)多個(gè)鏡像倉庫在同一命名空間(project)里有不同的權(quán)限恼除。
- 鏡像復(fù)制—鏡像可以在多個(gè)Registry石磊中復(fù)制(同步)踪旷。尤其適合于負(fù)載均衡,高可用豁辉,混合云和多云的場景令野。
- 圖形化用戶界面—用戶可以通過瀏覽器來瀏覽,檢索當(dāng)前Docker鏡像倉庫徽级,管理項(xiàng)目和命名空間气破。
- AD/LDAP支持—Harbor可以繼承企業(yè)內(nèi)部已有的AD/LDAP,用于鑒權(quán)認(rèn)證管理餐抢。
- 審計(jì)管理—所有針對(duì)鏡像倉庫的操作都可以被記錄追溯现使,用于審計(jì)管理。
- 國際化—已擁有英文旷痕、中文碳锈、德文、日文和俄文的本地化版本欺抗。更多的語言將會(huì)添加進(jìn)來售碳。
- RESTful API—RESTful API 提供給管理員對(duì)于Harbor更多的操控,使得與其它的管理軟件集成變得更容易绞呈。
- 部署簡單—提供在線和離線兩種安裝工具贸人,也可以安裝到vSphere平臺(tái)(OVA方式)虛擬設(shè)備。
1 Install Docker CE
apt-get update
apt-get install apt-transport-https ca-certificates software-properties-common curl
curl -fsSL https://download.docker.com/linux/ubuntu/gpg |sudo apt-key add -
apt-key fingerprint 0EBFCD88
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce
2 Install Docker-compose
curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
#查看版本
docker --version
Docker version 18.09.0, build 4d60db4
docker-compose --version
docker-compose version 1.22.0, build f46880fe
3 Install Harbor
wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-offline-installer-v1.6.0.tgz
tar -zxvf harbor-offline-installer-v1.6.0.tgz
#編輯配置文件
cd harbor/
vim harbor.cfg
hostname = www.harbor.mobi # 這里配置的監(jiān)聽地址佃声,可以是域名
harbor_admin_password = password # 配置admin用戶的密碼
#http:
# port: 80
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/www.harbor.mobi.crt
private_key: /data/cert/www.harbor.mobi.key
# 注意證書路徑
所有需要使用鏡像倉庫的docker主機(jī):
echo "192.168.1.150 www.harbor.mobi" >> /etc/hosts
4 運(yùn)行證書一鍵生成腳本:
#!/bin/bash
# 在該目錄下操作生成證書艺智,正好供harbor.yml使用
mkdir -p /data/cert
cd /data/cert
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert
cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt
update-ca-trust
5 把這三個(gè)密鑰文件復(fù)制到docke下,所有節(jié)點(diǎn)都需要
mkdir -p /etc/docker/certs.d/www.harbor.mobi/
cp /data/cert/www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
cp /data/cert/www.harbor.mobi.key /etc/docker/certs.d/ywww.harbor.mobi/
cp /data/cert/ca.crt /etc/docker/certs.d/www.harbor.mobi/
最終docker目錄結(jié)構(gòu):
/etc/docker/certs.d/
└── www.harbor.mobi
├── www.harbor.mobi.cert <-- Server certificate signed by CA
├── www.harbor.mobi.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
# 重啟docker
systemctl restart docker.service
# 停止
docker-compose down -v
# 重新生成配置文件
./prepare --with-notary --with-clair --with-chartmuseum
# 啟動(dòng)
docker-compose up -d
問題:
docker login https://192.168.75.100
x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs
排查步驟:
檢查harbor.yml文件中hostname變量的值是否跟生成證書使用的一致秉溉,并檢查系統(tǒng)時(shí)間
官方步驟示例:
#set hostname
hostname: yourdomain.com
http:
port: 80
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/yourdomain.com.crt
private_key: /data/cert/yourdomain.com.key
# 生成使用的相關(guān)證書
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
openssl genrsa -out yourdomain.com.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
# 把這三個(gè)復(fù)制到docke下
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
最終docker目錄結(jié)構(gòu):
/etc/docker/certs.d/
└── yourdomain.com:port
├── yourdomain.com.cert <-- Server certificate signed by CA
├── yourdomain.com.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
# 重啟docker
systemctl restart docker.service
cp 192.168.75.100.crt /etc/pki/ca-trust/source/anchors/192.168.75.100.crt
update-ca-trust
# harbor證書配置
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
# 重新生成配置文件
./prepare --with-notary --with-clair --with-chartmuseum
# 停止
docker-compose down -v
# 啟動(dòng)
docker-compose up -d
