How to Deploy Local Docker Registry


Building a private container cloud platform is impossible without an image registry. This post describes how to set up a private registry with Harbor.

Install docker and docker-compose

CentOS is used here as the example system for installing Docker (just follow Docker's official instructions; the differences for Ubuntu are described in the configuration steps later on).

# install docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl enable docker
systemctl start docker

# install docker-compose
yum install -y epel-release
yum install -y docker-compose

Deploy Harbor

Download and extract the Harbor offline installer package.

cd /opt
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz
tar xf harbor-offline-installer-v1.6.1.tgz && cd harbor

For security, and to make the later deployment steps easier, we need to prepare a certificate and key pair. Pay attention to the "Common Name": it must be a domain name, never an IP address, and preferably a three-label domain name (such as reg.localregistry.com below).

mkdir certs && cd certs

openssl req -newkey rsa:4096 -nodes -keyout domain.key -x509 -days 3650 -out domain.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.......................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:reg.localregistry.com
Email Address []:
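The interactive openssl session above only sets the Common Name. Docker clients built on a Go 1.15 or newer TLS stack ignore the Common Name and require a subjectAltName entry that matches the registry hostname, so a CN-only certificate is rejected by current clients. The script below is an added example, not part of the original post or of Harbor: it generates the same kind of self-signed certificate non-interactively with a matching SAN, then checks that the SAN is really present. The hostname, output directory and the C/ST/L values are assumptions taken from the session above; adjust them for your setup.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed registry
# certificate with a subjectAltName, plus a check that the SAN is there.
# Assumed: hostname reg.localregistry.com, output directory given by caller.
set -eu

gen_registry_cert() {
    host="$1"      # registry FQDN, e.g. reg.localregistry.com
    outdir="$2"    # where domain.key / domain.crt are written
    mkdir -p "$outdir"
    # OpenSSL config carrying the SAN extension; a config file works on
    # OpenSSL versions older than 1.1.1 where -addext is not available
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
C = CN
ST = Beijing
L = Beijing
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -newkey rsa:4096 -nodes -keyout "$outdir/domain.key" \
        -x509 -days 3650 -out "$outdir/domain.crt" \
        -config "$outdir/san.cnf" 2>/dev/null
    # the private key is what Harbor's nginx terminates TLS with; keep it
    # readable by root only
    chmod 600 "$outdir/domain.key"
}

# Exit 0 only if the certificate carries the hostname in its SAN list,
# which is what a current docker client will actually verify against.
check_registry_cert() {
    crt="$1"; host="$2"
    if openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host"; then
        echo "ok: $crt has SAN DNS:$host"
        return 0
    fi
    echo "missing SAN DNS:$host in $crt" >&2
    return 1
}
```

Usage on the Harbor host would be `gen_registry_cert reg.localregistry.com /opt/harbor/certs` followed by `check_registry_cert /opt/harbor/certs/domain.crt reg.localregistry.com`; the resulting `domain.crt` and `domain.key` are the files referenced from `harbor.cfg` in the next step.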

Next, Harbor's configuration needs a few small changes. Note that hostname must be identical to the Common Name used when the key was generated.

pwd
/opt/harbor
ls certs/
domain.crt  domain.key

grep hostname harbor.cfg 
#The IP address or hostname to access admin UI and registry service.
hostname = reg.localregistry.com

grep ssl_cert harbor.cfg
ssl_cert = /opt/harbor/certs/domain.crt
ssl_cert_key = /opt/harbor/certs/domain.key

Harbor can then be deployed.

./prepare 
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

./install.sh

Configure Harbor to start automatically at boot.

echo "/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up -d" >> /etc/rc.d/rc.local
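Appending to rc.local works, but on CentOS 7 rc-local.service only executes that file when it is marked executable, and rc.local gives no ordering guarantee against docker.service. As an added alternative (not from the original post), the function below writes a systemd unit that starts the same docker-compose stack after the Docker daemon is up and lets `journalctl -u harbor` show what happened at boot. The paths /opt/harbor and /usr/bin/docker-compose are taken from the post; the unit directory is a parameter so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): a systemd unit for Harbor
# instead of an rc.local line. Assumed paths: /opt/harbor and
# /usr/bin/docker-compose, as used elsewhere in the post.
set -eu

# Writes <unit_dir>/harbor.service and prints its path.
write_harbor_unit() {
    unit_dir="${1:-/etc/systemd/system}"
    harbor_dir="${2:-/opt/harbor}"
    compose="${3:-/usr/bin/docker-compose}"
    mkdir -p "$unit_dir"
    cat > "$unit_dir/harbor.service" <<EOF
[Unit]
Description=Harbor private registry
# Harbor is a docker-compose stack, so only start it once the daemon is up
Requires=docker.service
After=docker.service network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=$harbor_dir
ExecStart=$compose -f $harbor_dir/docker-compose.yml up -d
ExecStop=$compose -f $harbor_dir/docker-compose.yml down

[Install]
WantedBy=multi-user.target
EOF
    echo "$unit_dir/harbor.service"
}

# On the real host, after writing the unit:
#   systemctl daemon-reload && systemctl enable --now harbor
```

`Type=oneshot` with `RemainAfterExit=yes` is the right shape for a command that returns once the containers are detached; systemd then treats the unit as active and runs `ExecStop` on shutdown, which `rc.local` never does.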

Client setup

To connect to the Harbor instance we just deployed with docker, the certificate file must be imported into the client's trusted list. The steps for CentOS and Ubuntu are described separately below.

Pushing images additionally requires logging in. On CentOS:

# the certs.d directory name must be the registry hostname exactly as used in docker login
mkdir -p /etc/docker/certs.d/reg.localregistry.com
cp certs/domain.crt /etc/docker/certs.d/reg.localregistry.com/
cp certs/domain.crt /etc/pki/ca-trust/source/anchors/localregistry.com.crt
update-ca-trust
systemctl stop docker
systemctl start docker

grep localregistry /etc/hosts
192.168.0.130   reg.localregistry.com

docker login reg.localregistry.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

On Ubuntu:

# the certs.d directory name must be the registry hostname exactly as used in docker login
mkdir -p /etc/docker/certs.d/reg.localregistry.com
cp certs/domain.crt /etc/docker/certs.d/reg.localregistry.com/
cp certs/domain.crt /etc/ssl/certs/localregistry.com.crt
update-ca-certificates
systemctl stop docker
systemctl start docker

grep localregistry /etc/hosts
192.168.0.130   reg.localregistry.com

docker login reg.localregistry.com
Username: admin
Password:
Login Succeeded 

If you only need to pull images, importing the certificate and adding the hosts entry is enough.
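The two client sessions above differ only in where the system trust store lives. The script below is an added example (not from the original post) that folds both into one procedure: it copies the certificate into Docker's per-registry directory, into the distro's CA anchor directory, adds the hosts entry idempotently, and verifies the TLS chain with openssl before any `docker login`. It assumes the registry name reg.localregistry.com and address 192.168.0.130 from the post; the `root` parameter is an empty string on a real host and a scratch directory when testing. On Ubuntu it uses /usr/local/share/ca-certificates, which is the directory `update-ca-certificates` actually scans for new `.crt` files.

```shell
#!/bin/sh
# Added example, not from the original post: trust the Harbor certificate
# on either CentOS or Ubuntu, add the hosts entry, and verify TLS before
# 'docker login'. Assumed: host reg.localregistry.com at 192.168.0.130
# (values from the post); root="" on a real host, a scratch dir in tests.
set -eu

# Docker reads /etc/docker/certs.d/<host[:port]>/*.crt, so the directory
# name must match the registry name passed to 'docker login' exactly.
# Prints the detected layout (centos or ubuntu) on stdout.
install_registry_ca() {
    root="$1"; host="$2"; crt="$3"
    mkdir -p "$root/etc/docker/certs.d/$host"
    cp "$crt" "$root/etc/docker/certs.d/$host/ca.crt"
    if [ -d "$root/etc/pki/ca-trust/source/anchors" ]; then
        # CentOS / RHEL: anchors are picked up by update-ca-trust
        cp "$crt" "$root/etc/pki/ca-trust/source/anchors/$host.crt"
        echo centos
    elif [ -d "$root/usr/local/share/ca-certificates" ]; then
        # Ubuntu / Debian: update-ca-certificates scans this directory for
        # *.crt files; a file dropped straight into /etc/ssl/certs is not
        # added to the bundle
        cp "$crt" "$root/usr/local/share/ca-certificates/$host.crt"
        echo ubuntu
    else
        echo "unknown trust-store layout under '$root'" >&2
        return 1
    fi
}

# Idempotently map the registry name to its IP (no DNS in this lab setup).
ensure_hosts_entry() {
    root="$1"; ip="$2"; host="$3"
    hosts="$root/etc/hosts"
    mkdir -p "$root/etc"; touch "$hosts"
    grep -q "[[:space:]]$host\$" "$hosts" || printf '%s\t%s\n' "$ip" "$host" >> "$hosts"
}

# Rebuild the system trust store and restart the daemon (real host only).
apply_trust() {
    case "$1" in
        centos) update-ca-trust ;;
        ubuntu) update-ca-certificates ;;
        *) echo "unsupported layout: $1" >&2; return 1 ;;
    esac
    systemctl restart docker
}

# Exit 0 only if the server chain verifies against our CA file; a failure
# here is the same x509 error that 'docker login' would report.
verify_registry_tls() {
    host="$1"; crt="$2"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$crt" -verify_return_error >/dev/null 2>&1
}

# Real-host sequence (assumed cert path):
#   layout=$(install_registry_ca "" reg.localregistry.com certs/domain.crt)
#   ensure_hosts_entry "" 192.168.0.130 reg.localregistry.com
#   apply_trust "$layout"
#   verify_registry_tls reg.localregistry.com certs/domain.crt && docker login reg.localregistry.com
```

For a pull-only client, stop after `apply_trust`; the login step is only needed for pushing, as the post notes.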

Pass.