Background

Docker images are usually pulled from a local registry, the public Docker Hub, or other third-party public registries. For reasons of security and the download rate from external networks (behind the wall), these are not convenient at the enterprise level. Is there a way to store your own images in a secure repository?

--> Build your own certificate-secured private registry on Harbor in the enterprise environment.

Harbor is VMware's open source enterprise Docker Registry project; its goal is to help users quickly build an enterprise-grade Docker Registry service.

Install Harbor

Harbor requires Docker and docker-compose. For the Docker installation steps, refer to the earlier article: Introduction to Docker Container Technology (1).

Install docker-compose

The docker-compose installation steps are as follows:

Download the latest version of docker-compose file

$ curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose

Add executable permissions

$ chmod +x /usr/local/bin/docker-compose

Verify the version

$ docker-compose -v
docker-compose version 1.23.2, build 1110ad01

Obtaining Harbor Software Package

https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz

Unpack the package

$ tar -xf harbor-offline-installer-v1.7.1.tgz -C /usr/local/

Editing a Configuration File

$ cd /usr/local/harbor
$ vim harbor.cfg
hostname = reg.for-k8s.com                    # external IP address or domain name; do not use 127.0.0.1
ui_url_protocol = https                       # protocol users use to access the private registry; the default is http
harbor_admin_password = Harbor12345           # Harbor administrator password (the default); the database administrator password is set in this file as well
ssl_cert = /data/cert/reg.for-k8s.com.crt     # certificate file path
ssl_cert_key = /data/cert/reg.for-k8s.com.key # certificate key file path
#### other configuration options as required

Generating an SSL Certificate

Generating a Root Certificate

$ cd /data/cert/
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry"

Generate a certificate signing request, with the access domain name set to reg.for-k8s.com

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.for-k8s.com.key -out server.csr -subj "/C=CN/L=Shanghai/O=harbor/CN=reg.for-k8s.com"

Generating a Host Certificate

$ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out reg.for-k8s.com.crt

One-click installation using the built-in script

The installation steps are as follows:

$ cd /usr/local/harbor/
$ ./install.sh
......
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://reg.for-k8s.com.
For more details, please visit https://github.com/goharbor/harbor .

Then bind the domain name in the hosts file and open the portal:

The default login is admin/Harbor12345.

The private registry is now up. How do we use it?

First create a project on Harbor, myproject (I am not using the default library project here).

In this case I make the project private, so pull/push requires docker login on the host.

1. When I build a new image from a Dockerfile, I specify the registry and tag directly, for example:

$ docker build -t reg.for-k8s.com/myproject/mydocker-image:v1.0.1 .
Sending build context to Docker daemon  97.21 MB
Step 1/12 : FROM 1and1internet/ubuntu-16
 ---> dbf985f1f449
Step 2/12 : MAINTAINER guomaoqiu <[email protected]>
 ---> Using cache
 ---> 598894333db9
......
Successfully built b190966f3773
Successfully tagged reg.for-k8s.com/myproject/mydocker-image:v1.0.1
$ docker images | grep myproject
reg.for-k8s.com/myproject/mydocker-image   v1.0.1   b190966f3773   44 seconds ago   482MB

2. What if you want to push an image obtained elsewhere into the private repository? For example, to put the official nginx image into my repository:

$ docker tag nginx reg.for-k8s.com/myproject/mynginx:latest
$ docker images | grep myproject
reg.for-k8s.com/myproject/mydocker-image   v1.0.1   b190966f3773   2 minutes ago   482MB
reg.for-k8s.com/myproject/mynginx          latest   568c4670fa80   5 weeks ago     109MB

3. Log in to the registry

$ docker login -u admin -p Harbor12345 reg.for-k8s.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

4. Pushing the local image to the repository failed when I executed this:

$ docker push reg.for-k8s.com/myproject/mynginx:latest
Error response from daemon: Get https://reg.for-k8s.com/v2/: x509: certificate signed by unknown authority

The workaround, if you do not deploy the certificate on the client, is to add the parameter "--insecure-registry <IP or registry domain name>" to the Docker daemon's startup options, then reload the service and restart the Docker process. Note that the domain name I use here is custom, so every machine that pushes to or pulls from the registry needs both the daemon parameter modified and a hosts entry bound; otherwise, even with the parameter configured, the domain name cannot be resolved and push/pull will fail.
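The workaround above disables certificate verification for that registry. An added example (not from the original post) that instead generates the CA and host certificate with a subjectAltName, checks the chain, and installs the CA where the Docker client trusts it; the function names, the `.ext` file and the certs.d parameter are my own, and it assumes openssl with its default openssl.cnf present.

```shell
#!/bin/sh
# Added example (not from the original post): generate a private CA and a
# server certificate for the Harbor hostname, verify the chain, and install
# the CA on a Docker client so the daemon validates TLS rather than needing
# --insecure-registry. Assumes openssl with its default openssl.cnf.
set -eu

# make_harbor_certs <hostname> <output dir>
# Produces ca.key, ca.crt, <host>.key, <host>.csr, <host>.crt in <output dir>.
make_harbor_certs() {
    host="$1"; out="$2"
    mkdir -p "$out"
    # Root CA: the same command shape as the post (default config adds CA:TRUE).
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$out/ca.key" \
        -x509 -days 365 -out "$out/ca.crt" \
        -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry" 2>/dev/null
    # Server key and CSR with the registry hostname as CN.
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$out/$host.key" \
        -out "$out/$host.csr" -subj "/C=CN/L=Shanghai/O=harbor/CN=$host" 2>/dev/null
    # Leaf extensions: Docker (Go's TLS stack, Go 1.15+) matches the hostname
    # against subjectAltName only, so a CN-only certificate no longer verifies.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$out/$host.ext"
    openssl x509 -req -days 365 -sha256 -in "$out/$host.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/$host.ext" -out "$out/$host.crt" 2>/dev/null
    # Fail loudly if the leaf does not chain to the CA just created.
    openssl verify -CAfile "$out/ca.crt" "$out/$host.crt" >/dev/null
}

# cert_sans <cert>: prints the SAN entry, to compare with the name clients use.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^ *//'
}

# install_client_ca <hostname> <ca.crt> [certs.d root]
# Docker trusts <root>/<hostname>/ca.crt for that one registry, with no daemon
# restart. The root defaults to /etc/docker/certs.d (needs root privileges);
# pass another directory to stage or test.
install_client_ca() {
    host="$1"; ca="$2"; root="${3:-/etc/docker/certs.d}"
    mkdir -p "$root/$host"
    cp "$ca" "$root/$host/ca.crt"
}
```

With the CA installed this way, `docker push` validates the registry certificate normally and the x509 error above does not occur, while the daemon still refuses any other unknown issuer.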

5. Run the push again:

$ docker push reg.for-k8s.com/myproject/mynginx:latest
The push refers to repository [reg.for-k8s.com/myproject/mynginx]
b7efe781401d: Pushed
c9c2a3696080: Pushed
7b4e562e58dc: Pushed
latest: digest: sha256:e2847e35d4e0e2d459a7696538cbfea42ea2d3b8a1ee8329ba7e68694950afd3 size: 948
$ docker push reg.for-k8s.com/myproject/mydocker-image:v1.0.1
The push refers to repository [reg.for-k8s.com/myproject/mydocker-image]
96dca48ee72c: Pushed
fa879b69764c: Pushed
4d823b00e6b7: Pushed
6bf6e96da4a0: Pushed
eedda540c6a8: Pushed
f2a971e53afa: Pushed
3ee1a3b3fd18: Pushed
8a225cfa6dea: Pushed
428c1ba11354: Pushed
b097f5edab7b: Pushed
27712caf4371: Pushed
8241afc74c6f: Pushed
v1.0.1: digest: sha256:a20629f62d73cff93bf73b31958878a1d76c2dd42e36ebb2cb6d0ac294a46da7 size: 2826

Both pushes succeeded.

Pull test

To test that pulling works, I run a DaemonSet in Kubernetes using the mynginx image with the pull policy set to Always, then create a Service reachable inside the cluster through a ClusterIP. The YAML is as follows:

$ cat > test.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mynginx-service
  name: mynginx-service
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: mynginx
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    run: mynginx
  name: mynginx
spec:
  selector:
    matchLabels:
      run: mynginx
  template:
    metadata:
      labels:
        run: mynginx
    spec:
      containers:
      - image: reg.for-k8s.com/myproject/mynginx:latest
        imagePullPolicy: Always
        name: mynginx
EOF

$ kubectl apply -f test.yaml
service/mynginx-service created
daemonset.extensions/mynginx created

Because the project is private, the pods created by kubectl could not pull the image even though docker login had succeeded; if the project were set to public, this step would not be needed. But I do not want it to be public, so the following needs to be configured:

Create a secret holding the private Harbor credentials:

$ kubectl create secret docker-registry registry-secret --namespace=default \
    --docker-server=https://reg.for-k8s.com --docker-username=admin \
    --docker-password=Harbor12345

Specify imagePullSecrets in the pod spec when deploying; modify the YAML above to add this option:

$ cat > test.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mynginx-service
  name: mynginx-service
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: mynginx
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    run: mynginx
  name: mynginx
spec:
  selector:
    matchLabels:
      run: mynginx
  template:
    metadata:
      labels:
        run: mynginx
    spec:
      containers:
      - image: reg.for-k8s.com/myproject/mynginx:latest
        imagePullPolicy: Always
        name: mynginx
      imagePullSecrets:
        - name: registry-secret
EOF

$ kubectl apply -f test.yaml
service/mynginx-service created
daemonset.extensions/mynginx created

This is the entire process of building an enterprise-level private image repository based on Harbor.

If you spot mistakes or have other questions, please leave a comment and correct me. If this helped you, please like and share it.

Welcome to follow Migrant Brother's public account: The road to technology