Introduction to Docker private registries
Introduction to private registries
Do you remember what Docker Hub is? Docker Hub (registry.hub.docker.com) is the public registry. Public repositories such as Docker Hub can sometimes be inconvenient (and sometimes inaccessible) to use. Users can create a local repository for private use, using the officially provided tool docker-registry to configure private image repositories.
docker-registry is an officially provided tool that can be used to build private image repositories.
What are the advantages of a private image registry?
Advantages of a private registry:
1. Speed
2. Convenient maintenance
3. Security
How a private repository is built. The old approach: download the source tarball or run yum install -> install -> modify the configuration file -> start the service. The Docker approach: download the registry image and start a Docker instance from it, and the repository is built.
With Docker, software is no longer released in forms such as office.exe or lrzsz.rpm, but as Docker images. You just need to download the Docker image and run a Docker instance. With Docker, there is no need to worry about installing Linux services!
Experimental environment planning
xuegod64 is the private registry server. xuegod63 is a Docker host that uses the private registry on xuegod64 to pull/push images.
Use Registry to build a Docker private registry
Docker host: hostname xuegod63, host IP 192.168.1.63 (adjust the IP to your own environment and configure it as a static IP), configuration: 4 vCPU / 4 GiB memory
Private registry server: hostname xuegod64, host IP 192.168.1.64 (adjust the IP to your own environment), configuration: 4 vCPU / 4 GiB memory
Initialize the lab environment – Install docker
Configure a static IP address for the virtual machine or physical machine, so that the IP address does not change after the machine restarts. Edit /etc/sysconfig/network-scripts/ifcfg-ens33 (shown here for xuegod64):
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=192.168.1.64
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
DEVICE=ens33
ONBOOT=yes
Set the hostname on xuegod64:
[root@xuegod64 ~]# hostnamectl set-hostname xuegod64
# Configure the hosts file on xuegod63 and xuegod64 so that it is identical on both hosts
[root@xuegod63 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.63 xuegod63
192.168.1.64 xuegod64
[root@xuegod64 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.63 xuegod63
192.168.1.64 xuegod64
# Disable the firewalld firewall
[root@xuegod64 ~]# systemctl stop firewalld ; systemctl disable firewalld
# Disable the iptables firewall
[root@xuegod64 ~]# yum install iptables-services -y
[root@xuegod64 ~]# service iptables stop && systemctl disable iptables
# Clear firewall rules
[root@xuegod64 ~]# iptables -F
# Disable SELinux temporarily
[root@xuegod64 ~]# setenforce 0
# Disable SELinux permanently
[root@xuegod64 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Note: the change to the SELinux configuration file takes effect permanently only after the machine is restarted.
[root@xuegod64 ~]# getenforce
Disabled
# Configure time synchronization
[root@xuegod64 ~]# ntpdate cn.pool.ntp.org
[root@xuegod64 ~]# crontab -e
* */1 * * * /usr/sbin/ntpdate cn.pool.ntp.org
Restart the crond service to make the configuration take effect.
Method 1: Install docker-ce online. Configure the yum source of a domestic docker-ce mirror (Ali Cloud):
[root@xuegod64 ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Configure the docker-ce offline yum source (offline installation is recommended):
[root@xuegod64 ~]# tar xf k8s-docker.tar.gz -C /opt/
[root@xuegod64 ~]# tee /etc/yum.repos.d/k8s-docker.repo << 'EOF'
[k8s-docker]
name=k8s-docker
baseurl=file:///opt/k8s-docker
enabled=1
gpgcheck=0
EOF
Installing Basic Software Packages
[root@xuegod64 ~]# yum install -y wget net-tools nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl \
curl-devel unzip sudo ntp libaio-devel wget vim ncurses-devel autoconf automake zlib-devel python-devel epel-release \
openssh-server socat ipvsadm conntrack ntpdate telnet
Install docker environment dependencies
[root@xuegod64 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
Install docker-ce
[root@xuegod64 ~]# yum install docker-ce docker-ce-cli containerd.io -y
Start the Docker service
[root@xuegod64 ~]# systemctl start docker && systemctl enable docker
# check Docker version information
[root@xuegod64 ~]# docker version
[root@xuegod64 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-04-20 10:07:23 CST; 9s ago
Enable the packet forwarding function and modify kernel parameters
Kernel parameter modification:
[root@xuegod64 ~]# modprobe br_netfilter
[root@xuegod64 ~]# echo "modprobe br_netfilter" >> /etc/profile
[root@xuegod64 ~]# cat > /etc/sysctl.d/docker.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
[root@xuegod64 ~]# sysctl -p /etc/sysctl.d/docker.conf
# restart docker
[root@xuegod64 ~]# systemctl restart docker
What is br_netfilter? Linux iptables/netfilter works together with the Linux bridge to implement a transparent firewall.
A transparent firewall is also called a bridge firewall. Simply put, it adds firewall functionality to bridge devices. A transparent firewall has the advantages of strong deployment ability, good concealment, and high security.
Why run modprobe br_netfilter? Suppose the following is added to /etc/sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
Running sysctl -p then reports an error, because the net.bridge.* keys do not exist until the br_netfilter module is loaded.
Solution:
modprobe br_netfilter
What are net.bridge.bridge-nf-call-ip6tables and net.ipv4.ip_forward for?
net.ipv4.ip_forward: The network architecture of standalone Docker is essentially a docker0 bridge installed on the host. To reach a container from outside, only the host address and the port mapped to the container are needed. After the host parses the IP packet, iptables rules matching the destination port forward it from the eth0 network card to the docker0 bridge for the next hop. So if ip_forward is not enabled on the container's host, the containers on that host cannot be accessed by other hosts.
net.bridge.bridge-nf-call-ip6tables: By default, traffic sent from the container to the default bridge is not forwarded externally. To enable forwarding: net.bridge.bridge-nf-call-ip6tables = 1
Configure xuegod64 as the Docker private registry server
1. Pull the registry image. The registry image contains the software needed to set up a local private repository:
On xuegod64, load the image from registry.tar:
[root@xuegod64 ~]# docker load -i registry.tar
- View the Registry image
[root@xuegod64 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 047218491f8c 3 weeks ago 33.17 MB
- Use the registry image to build a private repository
The registry image already contains the private repository software, so it is only necessary to run a Docker instance from the registry image.
The registry service listens on port 5000 by default.
[root@xuegod64~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:latest
e4698f625a56661edd2678269215ba42d4fa41c2da881768a741a72b4a3d0c60
By default, the registry stores images in /var/lib/registry inside the container, so if the container is deleted, the images stored in it are lost as well. Therefore a directory on the local physical machine, such as /opt/registry, is usually mounted at /var/lib/registry in the container. Use the -v argument to specify the local persistent path.
The /opt/registry directory is created automatically.
[root@xuegod64~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
90cc7afb477e registry:latest "/entrypoint.sh /etc..." 34 seconds ago Up 33 seconds 0.0.0.0:5000->5000/tcp registry
[root@xuegod63 ~]# netstat -antup | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 4032/docker-proxy
The private repository has been started successfully.
View the list of images in the private repository:
curl http://192.168.1.64:5000/v2/_catalog
{"repositories": []}
The private repository does not contain any images yet.
Configure Docker on xuegod63 to use the private repository on xuegod64
Modify the Docker configuration file and add the private registry address:
[root@xuegod63 ~]# vim /etc/docker/daemon.json
Add "insecure-registries": ["192.168.1.64:5000"] to /etc/docker/daemon.json:
{
"registry-mirrors": ["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com","https://rncxm540.mirror.aliyuncs.com","https://e9yneuy4.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.64:5000"]
}
Note: insecure-registries marks a registry as insecure; in this case it means the registry is accessed over HTTP. To transfer images securely, HTTPS is required. Our private repositories are generally used locally, so the HTTP protocol can be used directly. Reload the configuration for it to take effect:
[root@xuegod63 ~]# systemctl daemon-reload
Restart the Docker service
[root@xuegod63 ~]# systemctl restart docker
Hands-on: upload a local image to the private repository
- Pull a test image named busybox from Docker Hub
On xuegod63, load the image from busybox.tar:
[root@xuegod63 ~]# docker load -i busybox.tar
[root@xuegod63 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 00f017a8c2a6 2 weeks ago 1.11 MB
Note: overview of BusyBox. BusyBox integrates more than one hundred of the most commonly used Linux commands and tools. It includes simple tools such as ls, cat, and echo, as well as larger and more complex tools such as grep, find, mount, and telnet. Some call BusyBox the Swiss Army knife of Linux tools. In short, BusyBox is like a big toolkit, packed with Linux tools and commands, including the Android shell. Have you ever seen a Swiss Army knife?
Website: www.busybox.net
docker tag syntax: docker tag <original image name>:<tag> <private repository address>/<new image name>:<tag>
[root@xuegod63 ~]# docker tag busybox:latest 192.168.1.64:5000/busybox:latest
Note: if no image tag is written, the default is latest
[root@xuegod63 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.1.64:5000/busybox latest 00f017a8c2a6 4 years ago 1.11MB
3. Push the newly tagged image 192.168.1.64:5000/busybox to the private registry on xuegod64.
[root@xuegod63 ~]# docker push 192.168.1.64:5000/busybox
On xuegod64, check the uploaded image:
[root@xuegod64 ~]# yum install tree -y
[root@xuegod64 ~]# tree /opt/registry/docker/registry/v2/repositories/
/opt/registry/docker/registry/v2/repositories/
└── busybox    # the uploaded image is visible here
Visit http://192.168.1.64:5000/v2/_catalog to view the list of images in the private repository, as follows:
{"repositories": ["busybox"]}
Delete the local image with docker rmi, then pull it back from the private repository:
[root@xuegod63 ~]# docker rmi 192.168.1.64:5000/busybox    # remove the image
[root@xuegod63 ~]# docker pull 192.168.1.64:5000/busybox   # download the image
[root@xuegod63 ~]# docker images    # view the imported image
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.1.64:5000/busybox latest 00f017a8c2a6 2 weeks ago 1.11 MB
Using the newly imported image, run a new Docker instance:
[root@xuegod63 ~]# docker run 192.168.1.64:5000/busybox:latest echo "hello"
hello
The run succeeds.
2. Run a Docker instance based on the registry image. The registry listens on port 5000 by default, and port 5000 needs to be mapped on the host.
1. Install the Docker service.
2. Modify the Docker service configuration to add the private registry address:
"insecure-registries": [ "192.168.1.64:5000" ]
3. Tag the image to be uploaded, for example: 192.168.1.64:5000/busybox:latest
4. Upload the tagged image to the private registry: docker push 192.168.1.64:5000/busybox:latest
1. Modify the Docker service configuration to add the private registry address:
"insecure-registries": [ "192.168.1.64:5000" ]
2. Download the image that was just uploaded: docker pull 192.168.1.64:5000/busybox:latest
3. View the list of images in the private registry: http://192.168.1.64:5000/v2/_catalog
Hands-on: build a Docker private registry with Harbor
Developing and operating Docker container applications depends on reliable image management. Although Docker officially provides a public image registry, for security and efficiency it is also necessary to deploy a registry in our private environment. Harbor is an open source enterprise Docker registry project managed by VMware; its features include role-based access control (RBAC), LDAP, log auditing, a management interface, self-registration, image replication and Chinese language support. Official website address: Github.com/goharbor/ha…
Harbor is installed on xuegod64. Memory: more than 2G.
Issue a certificate for Harbor
[root@xuegod64 ~]# mkdir /data/ssl -p
[root@xuegod64 ~]# cd /data/ssl/
Generating a CA certificate:
[root@xuegod64 ssl]# openssl genrsa -out ca.key 3072
Create a 3072-bit private key
[root@xuegod64 ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
Create a digital certificate ca.pem. 3650 indicates that the validity period of the certificate is 3 years.
[root@xuegod64 ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:xuegod64.cn
Email Address []:[email protected]
Create domain name certificate:
[root@xuegod64 ssl]# openssl genrsa -out harbor.key 3072
Create a 3072-bit private key
[root@xuegod64 ssl]# openssl req -new -key harbor.key -out harbor.csr
Create a certificate signing request. Fields that are not marked with an arrow can be left blank.
[root@xuegod64 ssl]# openssl req -new -key harbor.key -out harbor.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:xuegod64.cn
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Issue certificate:
[root@xuegod64 ssl]# openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
If the following information is displayed, the certificate has been issued:
Check whether the certificate is valid:
openssl x509 -noout -text -in harbor.pem
It is valid if the following information is displayed:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
cd:21:3c:44:64:17:65:40
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CH, ST=BJ, L=BJ, O=Default Company Ltd
Validity
Not Before: Dec 26 09:29:19 2020 GMT
Not After : Dec 24 09:29:19 2030 GMT
Subject: C=CH, ST=BJ, L=BJ, O=Default Company Ltd, CN=harbor
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:b0:60:c3:e6:35:70:11:c8:73:83:38:9a:7e:b8:...
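The certificate printed above is an X.509 Version 1 certificate with no subjectAltName. Docker clients built with Go 1.15 or later match the registry name against subjectAltName only and reject such a certificate. The following added example (not from the original page) issues the same CA and server certificate without prompts, with a SAN for the hostname set in harbor.cfg, and then verifies the result; the function names, the lab.cnf file name and the CA subject are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Issues the lab CA and the Harbor
# server certificate without prompts, adds a subjectAltName, then verifies it.
# Function names, lab.cnf and the CA subject are assumptions for illustration.

issue_harbor_cert() {   # usage: issue_harbor_cert <dir> <hostname> <ip>
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir" || return 1
    # One config file serves as -config for req and as -extfile for x509.
    cat > "$dir/lab.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${host}, IP:${ip}
EOF
    # CA key and self-signed CA certificate, as on the page but marked CA:TRUE.
    openssl genrsa -out "$dir/ca.key" 3072 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
        -config "$dir/lab.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=BJ/L=BJ/O=xuegod/OU=CA/CN=xuegod-lab-ca" \
        -out "$dir/ca.pem" || return 1
    # Server key and CSR. The CN is informational; clients match the SAN.
    openssl genrsa -out "$dir/harbor.key" 3072 2>/dev/null || return 1
    openssl req -new -sha256 -key "$dir/harbor.key" -config "$dir/lab.cnf" \
        -subj "/C=CN/ST=BJ/L=BJ/O=xuegod/CN=${host}" \
        -out "$dir/harbor.csr" || return 1
    # Sign the CSR; -extfile/-extensions make the result a v3 certificate.
    openssl x509 -req -sha256 -days 3650 -in "$dir/harbor.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/lab.cnf" -extensions v3_server \
        -out "$dir/harbor.pem" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/harbor.key"
}

# Succeeds only if harbor.pem chains to ca.pem and is valid for hostname $2.
check_harbor_cert() {   # usage: check_harbor_cert <dir> <hostname>
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
        "$1/harbor.pem" >/dev/null 2>&1
}

# Print the SAN entries that Docker compares against the registry name.
show_san() {            # usage: show_san <dir>
    openssl x509 -in "$1/harbor.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        sed 's/^ *//; s/ *$//'
}

# Demo in a scratch directory (the page works in /data/ssl).
demo=$(mktemp -d)
issue_harbor_cert "$demo" xuegod64 192.168.1.64 &&
    check_harbor_cert "$demo" xuegod64 &&
    show_san "$demo"
```

The hostname passed to issue_harbor_cert has to be the same name clients use in docker login and the same value as hostname in harbor.cfg; check_harbor_cert fails for any other name.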
Install Harbor
Delete the previous registry container to prevent conflicts with the Harbor installation
[root@xuegod64 ssl]# docker rm -f registry
Creating an installation directory
[root@xuegod64 ssl]# mkdir /data/install -p
[root@xuegod64 ssl]# cd /data/install/
The certificates issued for Harbor are in /data/ssl:
ca.key ca.pem ca.srl harbor.csr harbor.key harbor.pem
[root@xuegod64 install]# cd /data/install/
Extract the offline installation package harbor-offline-installer-v1.5.0.tgz:
[root@xuegod64 install]# tar zxvf harbor-offline-installer-v1.5.0.tgz
[root@xuegod64 install]# cd harbor
[root@xuegod64 harbor]# ls
The common directory stores template configuration. The ha directory is used for Harbor high availability.
Modify the configuration file:
[root@xuegod64 harbor]# vim harbor.cfg
hostname = xuegod64
# Change hostname to match the domain name of the certificate issued above
ui_url_protocol = https
# The protocol is HTTPS
ssl_cert = /data/ssl/harbor.pem
ssl_cert_key = /data/ssl/harbor.key
Note: the default Harbor account and password are admin/Harbor12345
Install docker-compose. Method 1 (offline): download the docker-compose binary and upload it to the Linux server (the binary can be uploaded directly):
[root@xuegod63 ~]# rz
[root@xuegod63 ~]# mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
Add execute permission:
[root@xuegod63 ~]# chmod +x /usr/local/bin/docker-compose
Note: Docker Compose is an official open source Docker project for quickly orchestrating groups of Docker containers. Its default project configuration file is docker-compose.yml. docker-compose can manage multiple Docker instances.
Method 2 (online installation):
[root@xuegod63 ~]# curl -L https://github.com/docker/compose/releases/download/1.26.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
Add execute permission:
[root@xuegod63 ~]# chmod +x /usr/local/bin/docker-compose
On xuegod64, import docker-harbor.tar.gz with docker load -i:
[root@xuegod64 ~]# docker load -i docker-harbor.tar.gz
[root@xuegod64 install]# cd /data/install/harbor
[root@xuegod64 harbor]# ./install.sh --with-notary --with-clair
# clair enables vulnerability scanning for images. Clair is an open source project that provides a tool to monitor container security by statically analyzing vulnerabilities in appc and Docker containers. Clair is an API-driven analysis engine that checks containers layer by layer for known security flaws. With Clair, you can easily build services that provide continuous monitoring for container vulnerabilities.
The above interface appears during the installation, indicating that the installation is proceeding normally.
If docker ps displays the following, the containers have started normally.
Modify the hosts file on your computer: add the following line to the hosts file and save.
192.168.1.64 xuegod64
Extension: how to stop Harbor. You can use docker-compose to start or stop the Harbor services, but it must be run in the same directory as docker-compose.yml.
[root@xuegod64 harbor]# cd /data/install/harbor
[root@xuegod64 harbor]# docker-compose stop
How to start harbor:
[root@xuegod64 harbor]# cd /data/install/harbor
[root@xuegod64 harbor]# docker-compose start
If docker-compose start fails to start Harbor, the virtual machine needs to be restarted.
Harbor graphical interface instructions
Type in your browser: https://xuegod64
Accept the risk and continue. If the following interface is displayed, access is working.
Account: admin Password: Harbor12345
Enter the account and password and the following appears. All the base images are stored in library, which is a public image repository.
Create a new project -> create a project named test (make the access level public so that the project can be used publicly)
Configure xuegod63 to use the Harbor image registry on xuegod64
Modify docker configuration
[root@xuegod63 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com","https://rncxm540.mirror.aliyuncs.com","https://e9yneuy4.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.64"]
}
Modify the configuration to make the configuration take effect:
[root@xuegod63 ~]# systemctl daemon-reload && systemctl restart docker
Check whether docker is successfully started
[root@xuegod63 ~]# systemctl status docker
# If the following information is displayed, the startup is successful:
Active: active (running) since Fri... ago
Note: a new line has been added to the configuration, as follows:
"insecure-registries": ["192.168.1.64"]
The added content indicates that our intranet access to Harbor uses HTTP; 192.168.1.64 is the IP address of the machine where Harbor is installed.
Log in to Harbor:
[root@xuegod63]# docker login 192.168.1.64
Username: admin
Password: Harbor12345
If the following information is displayed after you enter the account and password, the login is successful:
Login Succeeded
# import tomcat image, tomcat.tar.gz in courseware
[root@xuegod63 ~]# docker load -i tomcat.tar.gz
# Tag the tomcat image
[root@xuegod63 ~]# docker tag tomcat:latest 192.168.1.64/test/tomcat:v1
Push 192.168.1.64/test/tomcat:v1 to the test project in Harbor:
[root@xuegod63 ~]# docker push 192.168.1.64/test/tomcat:v1
Download the image from the Harbor repository
Delete the image on xuegod63
[root@xuegod63 ~]# docker rmi -f 192.168.1.64/test/tomcat:v1
Pull the image
[root@xuegod63 ~]# docker pull 192.168.1.64/test/tomcat:v1
Extension: If you want secure HTTPS access to Harbor, you can use the following method
Login to xuegod63, create the certificate store directory
[root@xuegod63]# mkdir -p /etc/docker/certs.d/xuegod64
xuegod64 is the hostname used when the Harbor certificate was issued.
Log in to the Harbor server and copy the CA certificate to the Docker machine
[root@xuegod64 ~]# cd /data/ssl
[root@xuegod64 ssl]# scp ca.pem xuegod63:/etc/docker/certs.d/xuegod64/
Log in to xuegod63
[root@xuegod63]# cd /etc/docker/certs.d/xuegod64
[root@xuegod63 xuegod64]# mv ca.pem ca.crt
Modify the Docker configuration
[root@xuegod63 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com","https://rncxm540.mirror.aliyuncs.com","https://e9yneuy4.mirror.aliyuncs.com"]
}
# Delete "insecure-registries": ["192.168.1.64"]
# Restart docker
[root@xuegod63]# systemctl restart docker
[root@xuegod63]# docker login https://xuegod64
Username: admin
Password: Harbor12345
Use the Ali Cloud private registry to store your own Docker images
Log in to the Ali Cloud developer platform: developer.aliyun.com/service
Log in using your own account, or create one if you don't have one.
Cr.console.aliyun.com/cn-hangzhou… # Click to open the personal edition
On this page click "Namespace" and create a namespace: testxuegod1
Configure a password for accessing the private repository. The username is the username you use to log in to the site.
Create an image repository. Repository name: test
Click Manage to view the operation guide and usage instructions.
Start using Ali Cloud private warehouse
Log in to Aliyun Docker Registry:
[root@xuegod63 ~]# docker login --username=lucky6a6a registry.cn-hangzhou.aliyuncs.com
The user name for logging in to the registry is the full name of the Aliyun account, and the password is the password set when the service was opened.
On xuegod63, import the image:
docker load -i tomcat.tar.gz
Tag the base image
[root@xuegod63 ~]# docker tag tomcat registry.cn-hangzhou.aliyuncs.com/testxuegod1/test:v1
Upload the image to Aliyun
[root@xuegod63 ~]# docker push registry.cn-hangzhou.aliyuncs.com/testxuegod1/test:v1
Check the result on Aliyun.
Download an image:
[root@xuegod64 ~]# docker login --username=lucky6a6a registry.cn-hangzhou.aliyuncs.com
The user name for logging in to the registry is the full name of the Aliyun account, and the password is the password set when the service was opened. If the following information is displayed, the login succeeds:
[root@xuegod64 ~]# docker pull registry.cn-hangzhou.aliyuncs.com/testxuegod1/test:v1
[root@xuegod64 ~]# docker images
# Configure the Ali Cloud image accelerator
https://cr.console.aliyun.com/cn-hangzhou/instances/mirrors