Generally, when using images in Docker, they are pulled from the local cache, the Docker Hub public registry, or another third-party public registry. In an enterprise these are not convenient, because of security concerns and because of the slow download speed of external-network (walled) resources. So is there a way to store your own images in a registry that has security authentication?
--> Build your own registry with security authentication based on Harbor in an enterprise environment.
Harbor is the latest open-source enterprise Docker registry project from VMware. Its goal is to help users quickly build an enterprise-grade Docker registry service.
To use Harbor, you need to install Docker and Docker Compose. For the steps to install Docker, please refer to the previous article: Introduction to docker container technology (1)
Install Docker Compose
The installation steps for Docker Compose are as follows:
Download the latest version of the docker-compose binary
$ curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
Add the executable permission and check the version
$ chmod +x /usr/local/bin/docker-compose
$ docker-compose -v
docker-compose version 1.23.2, build 1110ad01
Get the Harbor package and unpack it
$ tar -xf harbor-offline-installer-v1.7.1.tgz -C /usr/local/
Edit the main configuration file
$ cd /usr/local/harbor
$ vim harbor.cfg
hostname = reg.for-k8s.com                  # The IP or domain name of this machine on the external network, through which users reach the UI; do not use 127.0.0.1
ui_url_protocol = https                     # The protocol users use to access the private registry; the default is HTTP, here configured as HTTPS
db_password = root123                       # MySQL database administrator password
harbor_admin_password = Harbor12345         # Password of the Harbor administrator account
ssl_cert = /data/cert/reg.for-k8s.com.crt   # Certificate file path
ssl_cert_key = /data/cert/reg.for-k8s.com.key   # Certificate key file path
# Other configuration options can be filled in as needed
Generate the SSL certificate
Generate the root certificate
$ cd /data/cert/
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry"
Generate a certificate signing request and set the access domain name to reg.for-k8s.com
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.for-k8s.com.key -out server.csr -subj "/C=CN/L=Shanghai/O=harbor/CN=reg.for-k8s.com"
Generate the host certificate signed by the root CA
$ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out reg.for-k8s.com.crt
One-click installation through the bundled script
The installation steps are as follows:
$ cd /usr/local/harbor/
$ ./install.sh
......
......
......
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://reg.for-k8s.com.
For more details, please visit https://github.com/goharbor/harbor .
Then add the hostname to the client's hosts file and open the portal
Default account / password: admin / Harbor12345
OK, the private registry service is built. How do we use it?
First, create a project on Harbor named myproject (I don't use the default library here)
Here I choose a private project. Pull / push then requires docker login on the host;
1. When I build a new image from a Dockerfile, I directly specify the registry and tag, for example:
$ docker build -t reg.for-k8s.com/myproject/mydocker-image:v1.0.1 .
Sending build context to Docker daemon  97.21MB
Step 1/12 : FROM 1and1internet/ubuntu-16
 ---> dbf985f1f449
Step 2/12 : MAINTAINER guomaoqiu <[email protected]>
 ---> Using cache
 ---> 598894333db9
......
......
Successfully built b190966f3773
Successfully tagged reg.for-k8s.com/myproject/mydocker-image:v1.0.1
$ docker images | grep myproject
reg.for-k8s.com/myproject/mydocker-image   v1.0.1   b190966f3773   44 seconds ago   482MB
2. What if you want to upload an image obtained elsewhere to the private registry? For example, I want to put the official nginx image into my registry:
$ docker tag nginx reg.for-k8s.com/myproject/mynginx:latest
$ docker images | grep myproject
reg.for-k8s.com/myproject/mydocker-image   v1.0.1   b190966f3773   2 minutes ago   482MB
reg.for-k8s.com/myproject/mynginx          latest   568c4670fa80   5 weeks ago     109MB
3. Log in to the registry
$ docker login -u admin -p Harbor12345 reg.for-k8s.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
4. Finally, push the local image to the registry
When I executed this, I got an error:
$ docker push reg.for-k8s.com/myproject/mynginx:latest
Error response from daemon: Get https://reg.for-k8s.com/v2/: x509: certificate signed by unknown authority
The solution, if the certificate is not deployed on the client, is to add the parameter "--insecure-registry <registry IP or domain name>" to the Docker daemon startup options, then reload the service configuration and restart the Docker process. Note that the domain name I use here is self-defined, so the Docker daemon parameters and the hosts entry must also be configured on every machine that needs to push or pull images; otherwise, even with the parameter configured, the domain name cannot be resolved and push / pull fails.
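The certificate generation above and the "x509: certificate signed by unknown authority" error are two sides of the same problem, so here is one added example (not from the original post) that covers both: it generates the CA and server certificate the way the post does but adds a Subject Alternative Name, verifies the chain, and installs the CA under /etc/docker/certs.d so the client keeps TLS verification on instead of using --insecure-registry. It assumes openssl and cmp are on PATH and uses the post's hostname reg.for-k8s.com.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl is installed.
# Functions take a working directory so they can be tested without touching /data/cert.

# gen_harbor_certs DIR HOST: writes ca.key, ca.crt, HOST.key, HOST.crt into DIR.
gen_harbor_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. Private root CA (the post uses rsa:4096; 2048 here only keeps the example fast).
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ca.key" \
    -x509 -days 365 -out "$dir/ca.crt" \
    -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry" >/dev/null 2>&1
  # 2. Server key and CSR with the registry hostname as CN.
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/$host.key" \
    -out "$dir/server.csr" -subj "/C=CN/L=Shanghai/O=harbor/CN=$host" >/dev/null 2>&1
  # 3. Sign with the CA. Modern Docker clients (Go 1.15 and later) ignore the CN
  #    and require the hostname in the SAN, so add it via an extension file.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/v3.ext"
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/v3.ext" \
    -out "$dir/$host.crt" >/dev/null 2>&1
}

# verify_harbor_cert DIR HOST: succeeds only if HOST.crt chains to ca.crt and
# carries DNS:HOST in its SAN, which is what the Docker client checks on push.
verify_harbor_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# install_docker_ca DIR HOST [ROOT]: copies ca.crt to ROOT/HOST/ca.crt. With the
# default ROOT of /etc/docker/certs.d the Docker daemon trusts this CA for HOST,
# which fixes "x509: certificate signed by unknown authority" without disabling TLS.
install_docker_ca() {
  dir="$1"; host="$2"; root="${3:-/etc/docker/certs.d}"
  mkdir -p "$root/$host"
  cp "$dir/ca.crt" "$root/$host/ca.crt"
}
```

Run gen_harbor_certs /data/cert reg.for-k8s.com on the Harbor host, then install_docker_ca /data/cert reg.for-k8s.com (as root) on each client that pushes or pulls; no daemon restart is needed for certs.d changes.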
5. Push again:
$ docker push reg.for-k8s.com/myproject/mynginx:latest
The push refers to repository [reg.for-k8s.com/myproject/mynginx]
b7efe781401d: Pushed
c9c2a3696080: Pushed
7b4e562e58dc: Pushed
latest: digest: sha256:e2847e35d4e0e2d459a7696538cbfea42ea2d3b8a1ee8329ba7e68694950afd3 size: 948
[[email protected] kubectl-terminal-ubuntu]# docker push reg.for-k8s.com/myproject/mydocker-image:v1.0.1
The push refers to repository [reg.for-k8s.com/myproject/mydocker-image]
96dca48ee72c: Pushed
fa879b69764c: Pushed
4d823b00e6b7: Pushed
6bf6e96da4a0: Pushed
eedda540c6a8: Pushed
f2a971e53afa: Pushed
3ee1a3b3fd18: Pushed
8a225cfa6dea: Pushed
428c1ba11354: Pushed
b097f5edab7b: Pushed
27712caf4371: Pushed
8241afc74c6f: Pushed
v1.0.1: digest: sha256:a20629f62d73cff93bf73b31958878a1d76c2dd42e36ebb2cb6d0ac294a46da7 size: 2826
The pushes above succeeded;
To test that the pull also works, I run a DaemonSet through Kubernetes. It uses the mynginx image with imagePullPolicy set to Always. Then I create a Service that can be reached through its ClusterIP inside the cluster. The YAML is as follows:
$ cat > test.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mynginx-service
  name: mynginx-service
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: mynginx
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    run: mynginx
  name: mynginx
spec:
  selector:
    matchLabels:
      run: mynginx
  template:
    metadata:
      labels:
        run: mynginx
    spec:
      containers:
      - image: reg.for-k8s.com/myproject/mynginx:latest
        imagePullPolicy: Always
        name: mynginx
EOF
$ kubectl apply -f test.yaml
service/mynginx-service created
daemonset.extensions/mynginx created
Since I set the project to private when I created it, Kubernetes cannot pull the image at kubectl create time even after docker login succeeds on the host; if the project were public, this step would not be needed at all and the image could be pulled directly. However, I don't want it to be public, so I need the following steps:
Configure a secret for the private Harbor registry:
$ kubectl create secret docker-registry registry-secret --namespace=default \
    --docker-server=https://reg.for-k8s.com --docker-username=admin \
    --docker-password=Harbor12345
When deploying, specify imagePullSecrets; modify the YAML above and add this option in the pod spec:
$ cat > test.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mynginx-service
  name: mynginx-service
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: mynginx
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    run: mynginx
  name: mynginx
spec:
  selector:
    matchLabels:
      run: mynginx
  template:
    metadata:
      labels:
        run: mynginx
    spec:
      containers:
      - image: reg.for-k8s.com/myproject/mynginx:latest
        imagePullPolicy: Always
        name: mynginx
      imagePullSecrets:
      - name: registry-secret
EOF
$ kubectl apply -f test.yaml
service/mynginx-service created
daemonset.extensions/mynginx created
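As an added example (not from the original post), the following builds the .dockerconfigjson payload that the kubectl create secret docker-registry command above stores, and decodes it again to show that the registry password is only base64-encoded inside the Secret, so access to registry-secret should be restricted with RBAC and a dedicated low-privilege Harbor user is preferable to the admin account. It assumes base64 and sed are on PATH and uses the post's server, user and password values.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes GNU/BSD base64 with -d.

# make_dockerconfigjson SERVER USER PASSWORD: prints the JSON document that
# kubectl create secret docker-registry stores under .dockerconfigjson.
make_dockerconfigjson() {
  server="$1"; user="$2"; pass="$3"
  # Docker's "auth" field is base64("user:password"), nothing stronger.
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$server" "$user" "$pass" "$auth"
}

# decode_auth JSON: prints "user:password" recovered from the "auth" field.
# Anyone allowed to "get secrets" in the namespace can do the same with
# kubectl get secret registry-secret -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
decode_auth() {
  printf '%s' "$1" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}
```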
The above is the whole process of building an enterprise private image registry based on Harbor.
If there are errors or other problems, you are welcome to comment and correct them. If this helped you, please like and share it.
Welcome to follow the official account of the migrant workers' brother: The Way of Migrant Workers' Technology