How to Deploy Local Docker Registry
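Building a private container cloud platform requires an image registry. This article describes how to set up a private image registry with Harbor.
Install docker and docker-compose
CentOS is used here as the example system for installing docker (just follow the official Docker instructions; differences from Ubuntu are described later in the configuration steps).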
```bash
# install docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl enable docker
systemctl start docker
# install docker-compose
yum install -y epel-release
yum install -y docker-compose
```
Deploy Harbor
Download and extract the Harbor offline installer archive.
```bash
cd /opt
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz
tar xf harbor-offline-installer-v1.6.1.tgz && cd harbor
```
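For security, and to simplify later deployment, we need to prepare a certificate and key pair. Note that the "Common Name" must be a domain name, not an IP address, and preferably a three-part domain name.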
```console
mkdir certs && cd certs
openssl req -newkey rsa:4096 -nodes -keyout domain.key -x509 -days 3650 -out domain.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.......................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:reg.localregistry.com
Email Address []:
```
Next, we need to make a few changes to the Harbor configuration. Note that hostname must match the Common Name entered when the key was generated.
```console
pwd
/opt/harbor
ls certs/
domain.crt domain.key
grep hostname harbor.cfg
#The IP address or hostname to access admin UI and registry service.
hostname = reg.localregistry.com
grep ssl_cert harbor.cfg
ssl_cert = /opt/harbor/certs/domain.crt
ssl_cert_key = /opt/harbor/certs/domain.key
```
Harbor can then be deployed.
```console
./prepare
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
./install.sh
```
Configure Harbor to start automatically at boot.
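```bash
# On CentOS 7, /etc/rc.d/rc.local runs at boot only if it is executable (chmod +x /etc/rc.d/rc.local)
echo "/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up -d" >> /etc/rc.d/rc.local
```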
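Client setup
To connect with docker to the Harbor instance we just deployed, the certificate file must be imported into the trusted list. The steps for CentOS and Ubuntu are described separately below.
To push images, you must log in.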
```console
# CentOS client
# the certs.d directory name must match the registry hostname used in docker login
mkdir -p /etc/docker/certs.d/reg.localregistry.com
cp certs/domain.crt /etc/docker/certs.d/reg.localregistry.com/
cp certs/domain.crt /etc/pki/ca-trust/source/anchors/localregistry.com.crt
update-ca-trust
systemctl stop docker
systemctl start docker
grep localregistry /etc/hosts
192.168.0.130 reg.localregistry.com
docker login reg.localregistry.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
```
```console
# Ubuntu client
# the certs.d directory name must match the registry hostname used in docker login
mkdir -p /etc/docker/certs.d/reg.localregistry.com
cp certs/domain.crt /etc/docker/certs.d/reg.localregistry.com/
# update-ca-certificates picks up local CA certificates from /usr/local/share/ca-certificates
cp certs/domain.crt /usr/local/share/ca-certificates/localregistry.com.crt
update-ca-certificates
systemctl stop docker
systemctl start docker
grep localregistry /etc/hosts
192.168.0.130 reg.localregistry.com
docker login reg.localregistry.com
Username: admin
Password:
Login Succeeded
```
If you only need to pull images, importing the certificate and adding the hosts file entry is enough; those steps are omitted here.
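The `docker login` output above warns that the password is stored unencrypted in /root/.docker/config.json. The following Python audit is an added example, not part of the original article: it lists the registries whose secret sits inside that file and reports whether a credential helper is configured for them. The sample file content, the two `.test` registries and the function name `audit_docker_config` are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample of /root/.docker/config.json after the `docker login` above.
# The password and token are made-up values; the .test registries are hypothetical.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "reg.localregistry.com": {"auth": base64.b64encode(b"admin:made-up").decode()},
        "helper.registry.test": {},  # empty entry: the secret lives in a helper
        "token.registry.test": {"identitytoken": "constructed-token"},
    },
    "credHelpers": {"helper.registry.test": "pass"},
})


def audit_docker_config(text):
    """List registries whose secret is stored inside config.json itself."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    default_store = cfg.get("credsStore")
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        user = None
        if entry.get("auth"):
            kind = "basic-auth"
            try:
                # "auth" is base64("user:password"): an encoding, not encryption.
                decoded = base64.b64decode(entry["auth"], validate=True).decode()
                user = decoded.split(":", 1)[0]  # never return the password
            except (binascii.Error, UnicodeDecodeError):
                user = "<undecodable>"
        elif entry.get("identitytoken"):
            kind = "identity-token"
        else:
            continue  # nothing secret is stored inline for this registry
        findings.append({
            "registry": registry,
            "kind": kind,
            "user": user,
            # A helper may be configured while a stale inline secret remains.
            "helper": helpers.get(registry, default_store),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_docker_config(SAMPLE_CONFIG), indent=2))
```

To audit a real client, pass the text of /root/.docker/config.json to `audit_docker_config`; a finding with `helper` set to `None` means no credential store covers that registry.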