I. Setting up and configuring a Harbor private registry (offline install)
1. Confirm that docker and docker-compose are installed on the machine
root@harbor002:~# docker info   ## confirm docker is installed
Client:
 Debug Mode: false

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 15
 Server Version: 19.03.15
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ea765aba0d05254012b0b9e595e995c09186427f
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-81-generic
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 10
 Total Memory: 9.729GiB
 Name: harbor002
 ID: PK4O:UGU4:YAPK:ANC5:6QCN:2ZSS:DJLP:XLPS:5LXF:FR6E:R5VI:UCZQ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

root@harbor002:~# docker-compose -v   ## confirm docker-compose is installed
docker-compose version 1.24.1, build 4667896b
2. Unpack the Harbor offline package downloaded in advance, edit the Harbor configuration file, then run ./install.sh
root@harbor002:~# tar -xf harbor-offline-installer-v2.3.2.tgz
root@harbor002:~# cd harbor
root@harbor002:~/harbor# cp harbor.yml.tmpl harbor.yml
root@harbor002:~/harbor# cat harbor.yml|grep -v "#\|^$"
hostname: harbor.magedu.com   ## change to the Harbor domain name
http:
  port: 80
harbor_admin_password: 12345   ## change the Harbor web UI login password (default login name is admin)
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data   ## change the data storage directory
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
3. Access Harbor through the web UI
4. Log in to Harbor from the command line on a server to test it
1) Add the address of the insecure image registry (i.e. the Harbor address) to the Docker startup configuration.
2) Run systemctl daemon-reload && systemctl restart docker to restart Docker so the setting above takes effect, then run docker info to check that it has been applied.
3) Log in to Harbor from the command line
root@master001:~# docker login 192.168.0.10   ## via the Harbor IP address
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@master001:~# docker login harbor.magedu.com   ## via the domain name; local name resolution must be added to /etc/hosts beforehand
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@master001:~#
4) Push an image to Harbor
root@master001:~# docker tag nginx:v1 192.168.0.10/nginx/nginx:v1   ## retag the image
root@master001:~# docker images |grep 192.168.0.10/nginx/nginx
192.168.0.10/nginx/nginx   v1   291dfaf2c1b6   45 hours ago   366MB
root@master001:~# docker push 192.168.0.10/nginx/nginx:v1   ## push the image to Harbor
The push refers to repository [192.168.0.10/nginx/nginx]
51ef65eceb06: Pushed
02501cc6149f: Pushed
010253d16668: Pushed
bf1e3d89f48f: Pushed
dca8c6072095: Pushed
89169d87dbe2: Pushed
v1: digest: sha256:d139534475507d7eaf5ffd8aabf4c3be1b9918dfaa145aa42265513ec71c7ca6 size: 1577
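Steps 1) and 2) above describe the client-side change without showing it. The script below is an added example, not part of the original notes: it writes the Harbor address into /etc/docker/daemon.json under "insecure-registries", restarts Docker and confirms that docker info now lists the address. The 192.168.0.10 and harbor.magedu.com values are the ones used in these notes; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: whitelist the Harbor address as
# an insecure (plain HTTP) registry in /etc/docker/daemon.json, restart Docker
# and confirm that "docker info" now lists it (steps 1 and 2 above).

# Render a minimal daemon.json that lists every argument under
# "insecure-registries".
render_daemon_json() {
    printf '{\n  "insecure-registries": ['
    sep=""
    for reg in "$@"; do
        printf '%s\n    "%s"' "$sep" "$reg"
        sep=","
    done
    printf '\n  ]\n}\n'
}

# Write the rendered config to $1. An existing file is backed up first rather
# than overwritten, because other keys in it would need merging by hand.
install_daemon_json() {
    path="$1"; shift
    if [ -f "$path" ]; then
        cp "$path" "$path.bak.$(date +%s)"
    fi
    render_daemon_json "$@" > "$path"
}

# Return 0 when "docker info" lists $1 under "Insecure Registries:".
# (Helper name is this example's own, not a Docker command.)
registry_is_trusted_insecure() {
    docker info 2>/dev/null \
        | sed -n '/Insecure Registries:/,/^ [A-Z]/p' \
        | grep -q "^ *$1\$"
}

main() {
    install_daemon_json /etc/docker/daemon.json "$@"
    systemctl daemon-reload && systemctl restart docker
    for reg in "$@"; do
        registry_is_trusted_insecure "$reg" \
            || { echo "not applied: $reg" >&2; exit 1; }
    done
}

# Runs only when registry addresses are given, e.g.:
#   sh harbor-insecure-registry.sh 192.168.0.10 harbor.magedu.com
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

An insecure-registries entry makes the Docker client talk plain HTTP to that host, so credentials and image layers cross the network unencrypted; enabling the https section of harbor.yml with a certificate the clients trust removes the need for the entry.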
II. Understanding Docker networking
Docker supports three network modes by default: bridge, host and null. They can be listed with docker network ls:
root@harbor002:~# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
6593776eaca5   bridge    bridge    local
014d93bedacf   host      host      local
b5bf7c097fee   none      null      local
1. bridge
This is the default mode: Docker assigns the container a network interface, sets an IP address on it, and bridges that interface onto docker0.
In this mode docker proxy creates a veth pair of peer virtual interfaces: one end becomes the container's eth0 (the container's network interface), and the other end is placed in the host's namespace under a name like vethxxx.
At the same time the daemon allocates an IP address and subnet for the container from the private address range of the docker0 bridge, and sets docker0's IP address as the container's default gateway.
Network interfaces as seen inside the container
Network interfaces as seen on the host
2. host
In host mode the container does not get its own independent Network Namespace; it shares the host's Network Namespace instead. The container does not get a virtual NIC of its own but uses the host's IP address and ports directly.
In host mode, the interfaces seen inside the container are the host's network interfaces.
Pros and cons
Pro: fewer network forwarding hops, so network performance is better than in bridge mode
Con: the IP address and ports are the host's own, so there is no isolation
3. none
A container in none mode has its own Network Namespace, but Docker performs no network configuration for it at all. In other words, the container has only the lo loopback interface and no other network interfaces, IP addresses or routes, which is why this mode gives the strongest network isolation for a container.
root@harbor002:~# docker run -it --net none 192.168.0.10/nginx/alpine:latest sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
/ #