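1 Preparation
Server (cloud host): one server running the Rocky Linux operating system
Hardware: at least 2 CPU cores, 4 GB of memory and 40 GB of disk space
| OS | Specs | IP | Hostname |
|---|---|---|---|
| Rocky Linux 9.5 | 2 cores, 4 GB | 10.0.0.125 (private), 203.15.9.197 (public) | Harbor |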
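2 Introduction to Harbor
Harbor is an open-source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free of vulnerabilities, and signs images to mark them as trusted. Harbor is a CNCF Graduated project that delivers compliance, performance and interoperability, helping you manage artifacts consistently and securely across cloud-native compute platforms such as Kubernetes and Docker.
In modern software development, containerized applications have become mainstream, and a container image registry is an important tool for securing, managing and distributing container images. As an open-source, enterprise-grade container registry, Harbor supports multiple authentication methods and also provides image replication, vulnerability scanning and user access control, giving enterprises a secure and efficient way to manage images.
This article describes in detail how to set up Harbor and demonstrates how to push, pull and manage images with it.
3 Create a self-signed SSL certificate
Create a self-signed root certificate that will later be used to issue the server certificate.
The validity period is set to 10 years (3650 days), suitable for long-term use.
3.1 Generate the root certificate authority (CA)
Some people generate the server certificate directly, which is wrong. First create a root certificate authority, then use that CA to sign certificates. Clients can then be made to trust this CA, and every certificate issued by it is trusted automatically.
The command below generates a 4096-bit RSA private key and stores it in /usr/local/harbor/certs/ca.key. The private key is the core element used to sign certificates.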
[root@Harbor ~]# mkdir -p /usr/local/harbor/certs
[root@Harbor ~]# cd /usr/local/harbor/certs
# Create the CA private key
openssl genrsa -out /usr/local/harbor/certs/ca.key 4096
[root@Harbor certs]# openssl genrsa -out ca.key 4096
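The following command generates a self-signed certificate and stores it in /usr/local/harbor/certs/ca.crt. The parameters are explained below:
# Generate the CA certificate, self-signed by the CA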
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net" -key /usr/local/harbor/certs/ca.key -out /usr/local/harbor/certs/ca.crt
[root@Harbor certs]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net" -key ca.key -out ca.crt
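Parameters:
-x509: output a self-signed certificate instead of a certificate signing request (CSR).
-new: generate a new certificate.
-nodes: do not encrypt the private key file.
-sha512: use the SHA-512 hash algorithm.
-days 3650: the certificate is valid for 3650 days (about 10 years).
-subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net": sets the certificate subject:
country (C), state/province (ST), city (L), organization (O), organizational unit (OU) and common name (CN).
-key /usr/local/harbor/certs/ca.key: use the private key generated earlier.
-out /usr/local/harbor/certs/ca.crt: path of the output certificate file.
Inspect the certificate file with the openssl command; you can also copy it to Windows and double-click it to view it.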
[root@Harbor ~]# openssl x509 -in /usr/local/harbor/certs/ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5d:0b:06:2a:f8:00:7c:73:22:19:cb:50:6e:9f:c0:69:90:09:31:aa
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=cncf.net
Validity
Not Before: Oct 25 05:37:56 2025 GMT
Not After : Oct 23 05:37:56 2035 GMT
Subject: C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=cncf.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B1:49:34:EF:7C:E5:A5:79:FC:D0:3A:D1:9F:65:D2:90:D8:1D:B9:64
X509v3 Authority Key Identifier:
B1:49:34:EF:7C:E5:A5:79:FC:D0:3A:D1:9F:65:D2:90:D8:1D:B9:64
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
Run the following command to update the CA trust store so that the system trusts the new root certificate:
1. Ubuntu
update-ca-certificates
2. RHEL/CentOS 7 and later
update-ca-trust
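3.2 Generate the server private key and certificate signing request
Generate a dedicated private key and certificate signing request (CSR) for the Harbor registry.
CN=cncf.net is the domain name the certificate is bound to; Harbor will later be accessed through this domain name.
3.2.1 Generate the server private key
# Generate the server private key file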
openssl genrsa -out /usr/local/harbor/certs/cncf.net.key 4096
[root@Harbor certs]# openssl genrsa -out cncf.net.key 4096
3.2.2 Generate the certificate signing request
# Generate the server certificate signing request (CSR)
openssl req -sha512 -new -subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net" -key /usr/local/harbor/certs/cncf.net.key -out /usr/local/harbor/certs/cncf.net.csr
[root@Harbor certs]# openssl req -sha512 -new -subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net" -key cncf.net.key -out cncf.net.csr
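Parameters:
openssl req -sha512 -new: generate a new CSR using the SHA-512 hash algorithm.
-subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net": sets the CSR subject:
/C=CN: country code; CN stands for China.
/ST=SiChuan: state/province; SiChuan is Sichuan.
/L=Chengdu: city; Chengdu.
/O=Company: organization name; Company.
/OU=CD: organizational unit; CD is the Chengdu branch.
/CN=cncf.net: common name, the domain name of the certificate.
-key /usr/local/harbor/certs/cncf.net.key: use the private key generated earlier, stored in /usr/local/harbor/certs/cncf.net.key.
-out /usr/local/harbor/certs/cncf.net.csr: write the CSR to /usr/local/harbor/certs/cncf.net.csr.
3.3 Requesting multiple domain names
Define the certificate extensions, including the usage scenario, key usage and the domain names bound to the certificate.
Extend the certificate request created above with additional content, adding cncf.com and other domain names to be validated.
In subjectAltName, DNS.1=cncf.com, DNS.2=harbor.cncf.net and DNS.3=harbor.cncf.local are the domain names used to access Harbor.
# Write the extension file covering multiple domain names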
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=cncf.com
DNS.2=harbor.cncf.net
DNS.3=harbor.cncf.local
EOF
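3.4 Issue the certificate
Use the self-signed root certificate to issue the actual certificate for Harbor.
The certificate is likewise valid for 10 years.
The CA created earlier performs the final issuance for the certificate signing request.
# Issue the certificate with the self-signed CA
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA /usr/local/harbor/certs/ca.crt -CAkey /usr/local/harbor/certs/ca.key -CAcreateserial -in /usr/local/harbor/certs/cncf.net.csr -out /usr/local/harbor/certs/cncf.net.crt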
[root@Harbor certs]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in cncf.net.csr -out cncf.net.crt
Certificate request self-signature ok
subject=C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=cncf.net
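The check below is an added example, not part of the original article: it rebuilds the CA and server certificate of sections 3.1 to 3.4 in a scratch directory and tests the result the way a registry client does. The 2048-bit keys, the CA subject and the helper names make_demo_pki and check_registry_cert are assumptions made for the demo. Hostname matching uses subjectAltName only, so harbor.cncf.net and cncf.com pass while the bare CN cncf.net does not.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Keys are 2048-bit and the CA
# subject is constructed so the demo runs quickly in a scratch directory.

make_demo_pki() {   # $1 = empty working directory (hypothetical helper)
  dir=$1
  subj="/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=cncf.net"
  # Minimal config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    '[dn]' 'commonName=Common Name' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' > "$dir/demo.cnf"
  # Same extension file as section 3.3.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=cncf.com
DNS.2=harbor.cncf.net
DNS.3=harbor.cncf.local
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -sha512 -days 3650 -config "$dir/demo.cnf" \
    -subj "/O=Company/CN=Demo Root CA" -key "$dir/ca.key" -out "$dir/ca.crt" &&
  openssl genrsa -out "$dir/cncf.net.key" 2048 2>/dev/null &&
  openssl req -new -sha512 -config "$dir/demo.cnf" -subj "$subj" \
    -key "$dir/cncf.net.key" -out "$dir/cncf.net.csr" &&
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/cncf.net.csr" -out "$dir/cncf.net.crt" 2>/dev/null
}

check_registry_cert() {   # $1 = CA cert, $2 = server cert, $3 = hostname clients use
  # 1. The chain must verify against the CA that clients are told to trust.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # 2. The server certificate must not itself be usable as a CA.
  if openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE'; then
    echo "server certificate is a CA"; return 1
  fi
  # 3. -checkhost exits 0 whether or not the name matches, so match on its message.
  openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' ||
    { echo "$3: not covered by subjectAltName"; return 1; }
  echo "$3: OK"
}

# Stand-alone run: bash this-file --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && make_demo_pki "$tmp"
  for h in harbor.cncf.net cncf.com cncf.net; do
    check_registry_cert "$tmp/ca.crt" "$tmp/cncf.net.crt" "$h"
  done
  rm -rf "$tmp"
fi
```

On the real host, call check_registry_cert with /usr/local/harbor/certs/ca.crt, /usr/local/harbor/certs/cncf.net.crt and the hostname set in harbor.yml.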
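3.5 Trust the root certificate
Because the CA is self-built, every location that uses certificates issued by this CA must trust the CA itself before the certificates it issues are trusted automatically.
1. Ubuntu
update-ca-certificates
2. RHEL/CentOS 7 and later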
update-ca-trust
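4 Deploy the Harbor registry
4.1 Deploy Docker CE
4.1.1 Uninstall old versions
Before installing Docker Engine, uninstall any conflicting packages.
Linux distributions may provide unofficial Docker packages, which can conflict with the official packages provided by Docker. These packages must be uninstalled before installing the official version of Docker Engine.
# dnf may report that none of these packages are installed.
# Data stored in /var/lib/docker/ is not automatically removed when Docker is uninstalled.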
sudo dnf remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine \
podman \
runc
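4.1.2 Install using the rpm repository
Docker Engine can be installed in different ways depending on your needs:
You can set up Docker's repository and install from it, which makes installation and upgrades convenient. This is the recommended approach.
You can download the RPM package, install it manually, and manage upgrades entirely by hand. This suits systems that have no Internet access.
In testing and development environments, you can use the automated convenience script to install Docker.
1. Set up the repository
Before installing Docker Engine on a new host for the first time, set up the Docker repository. Afterwards you can install and update Docker from the repository.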
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
2. Install Docker Engine
1. Install the Docker packages
# yum install -y docker-ce docker-ce-cli containerd.io
sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
2. Start Docker Engine
sudo systemctl enable --now docker
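4.2 Docker registry mirrors
Add Docker registry mirrors. This is only needed when deploying inside China; outside China these mirrors make pulls slower instead.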
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": [
"https://docker.mirrors.ustc.edu.cn",
"https://mirror.baidubce.com",
"https://docker.m.daocloud.io",
"https://mirror.ccs.tencentyun.com",
"https://docker.nju.edu.cn",
"https://docker.mirrors.sjtug.sjtu.edu.cn",
"https://mirror.gcr.io",
"https://docker.registry.cyou",
"https://docker-cf.registry.cyou",
"https://dockercf.jsdelivr.fyi",
"https://docker.jsdelivr.fyi",
"https://dockertest.jsdelivr.fyi",
"https://mirror.aliyuncs.com",
"https://dockerproxy.com"
],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
systemctl daemon-reload
systemctl restart docker
4.3 Add Compose support
Download and install the Docker Compose binary, then reload systemd and restart the Docker service so the configuration takes effect.
curl -L "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
# Make the binary executable
chmod +x /usr/local/bin/docker-compose
sudo systemctl daemon-reload
sudo systemctl restart docker
# Check that docker-compose was installed successfully
[root@Harbor ~]# docker-compose version
Docker Compose version v2.40.2
4.4 Download and install Harbor
Download the Harbor offline installer, extract it to the target directory, and load the images Harbor needs.
wget https://github.com/goharbor/harbor/releases/download/v2.14.0/harbor-offline-installer-v2.14.0.tgz
tar xf harbor-offline-installer-v2.14.0.tgz -C /usr/local/bin
cd /usr/local/bin/harbor
# Load the Docker image archive harbor.v2.14.0.tar.gz into the local image store
docker load -i harbor.v2.14.0.tar.gz
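In harbor.yml, modify the following parameters, which define the URL, certificate and password:
Set Harbor's access domain name to registry.luoharbor.cn.
Specify the certificate and private key paths used for HTTPS.
Set the administrator password to admin.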
[root@Harbor harbor]# ll
total 656308
-rw-r--r-- 1 root root 3646 Sep 9 19:44 common.sh
-rw-r--r-- 1 root root 672014938 Sep 9 19:44 harbor.v2.14.0.tar.gz
-rw-r--r-- 1 root root 14688 Sep 9 19:44 harbor.yml.tmpl
-rwxr-xr-x 1 root root 1975 Sep 9 19:44 install.sh
-rw-r--r-- 1 root root 11347 Sep 9 19:44 LICENSE
-rwxr-xr-x 1 root root 2211 Sep 9 19:44 prepare
[root@Harbor harbor]# mv harbor.yml.tmpl harbor.yml
[root@Harbor harbor]# vim harbor.yml
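1. Change hostname to harbor.cncf.net
2. Change certificate under https to /usr/local/harbor/certs/cncf.net.crt
3. Change private_key under https to /usr/local/harbor/certs/cncf.net.key
4. Change harbor_admin_password to admin
5. Change the port used for HTTPS access to 447
6. Change data_volume to /data/harbor_data
prepare checks the configuration and generates the necessary files.
install.sh runs the Harbor installation and starts all service components.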
./prepare
./install.sh
[root@Harbor harbor]# ./install.sh
......
[Step 5]: starting Harbor ...
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.3s
✔ Container registry Started 0.8s
✔ Container harbor-db Started 0.7s
✔ Container harbor-portal Started 0.9s
✔ Container redis Started 0.9s
✔ Container registryctl Started 0.6s
✔ Container harbor-core Started 1.1s
✔ Container harbor-jobservice Started 1.6s
✔ Container nginx Started 1.6s
✔ ----Harbor has been installed and started successfully.----
4.5 Create the service file
cat > /etc/systemd/system/harbor.service <<EOF
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /usr/local/bin/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /usr/local/bin/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
systemctl enable harbor --now
# Restart Harbor after changing its configuration file
docker-compose down
./prepare
docker-compose up -d
4.6 Test access to the web page
Address: https://203.15.9.197:447, https://harbor.cncf.net:447

After adding the domain name to the hosts file on Windows, Harbor can be reached by domain name.
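5 Push images to Harbor
Log in to the Harbor registry.
Use the tag command to rename the local image to a path in Harbor's format.
Use the push command to upload the image to the Harbor registry.
Before uploading, make sure the /etc/hosts file on every machine contains the IP mapping for harbor.cncf.net.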
[root@k8s-master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.8.4 k8s-master
192.168.8.5 k8s-node1
192.168.8.6 k8s-node2
203.15.9.197 harbor.cncf.net
203.15.9.197 cncf.com
5.1 containerd
5.1.1 Configure the Harbor certificate
# Create the certificate directory
[root@k8s-master ~]# sudo mkdir -p /etc/containerd/certs.d/harbor.cncf.net:447
# Copy Harbor's CA certificate into this directory
[root@k8s-master ~]# sudo cp ca.crt /etc/containerd/certs.d/harbor.cncf.net:447
# Restart the containerd service
[root@k8s-master ~]# systemctl restart containerd.service
5.1.2 Log in to Harbor
[root@k8s-master ~]# nerdctl login harbor.cncf.net:447 -u admin -p admin
WARN[0000] WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/
Login Succeeded
5.1.3 Tag and push the image
[root@k8s-master ~]# nerdctl tag nginx:latest harbor.cncf.net:447/library/nginx:latest
[root@k8s-master ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
harbor.cncf.net:447/library/nginx latest 33e0bbc7ca9e 3 seconds ago linux/amd64 203.9MB 72.31MB
nginx latest 33e0bbc7ca9e 3 days ago linux/amd64 203.9MB 72.31MB
[root@k8s-master ~]# nerdctl push harbor.cncf.net:447/library/nginx:latest
INFO[0000] pushing as a reduced-platform image (application/vnd.oci.image.index.v1+json, sha256:3b248d21c1607a559f28263c7675dbf412234c938bdcb3a04b1c808a48b57fc9)
index-sha256:3b248d21c1607a559f28263c7675dbf412234c938bdcb3a04b1c808a48b57fc9: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:f15190cd0aed34df2541e6a569d349858dd83fe2a519d7c0ec023133b6d3c4f7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c3741b707ce659db0b820eef3d7277607c8fcc73494e162cb6d349f5799b16c8: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:b1badc6e50664185acfaa0ca255d8076061c2a9d881cecaaad281ae11af000ce: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e5d9bb0b85cc4679fa056599af85512f519647fc66ac34366bfe010a35655d05: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:14a859b5ba2476efceab3febd8bbb2a45d9e4512e3dc517ace62011249bb25bc: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:716cdf61af5980e38ce793a90c1add1c40c93cc9371c2370705497ed3c48a77a: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:14e422fd20a0170c368a8b40a1d145de07fcf31cf075f77861f2231fa5bd7936: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a2da0c0f2353a40d540821152b3b9453660db34259766b1ce68b0b1f708435fd: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:ad5708199ec7d169c6837fe46e1646603d0f7d0a0f54d3cd8d07bc1c818d0224: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 5.5 s total: 69.0 M (12.5 MiB/s)
5.1.4 Pull the image
[root@k8s-master ~]# nerdctl rmi 8532d21c0c85
Untagged: harbor.cncf.net:447/library/calico/node:v1.38.7@sha256:8532d21c0c85ca22e337c3125e84c575d77b6d59faae181e2cdd0adfd3abd1bf
Deleted: sha256:cbd5904e5fe4dc542c6005841bd8de76534dc402d6788fed3014057b89ef8069
[root@k8s-master ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
harbor.cncf.net:447/library/nginx latest 33e0bbc7ca9e 38 hours ago linux/amd64 203.9MB 72.31MB
[root@k8s-master ~]# nerdctl pull harbor.cncf.net:447/library/calico/node:v1.38.7
harbor.cncf.net:447/library/calico/node:v1.38.7: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:8532d21c0c85ca22e337c3125e84c575d77b6d59faae181e2cdd0adfd3abd1bf: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:b6c92e535b935575f48092edadcfaec716ebce53f1fbc56d312744e86ce0fb17: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:833e8e11d9dc187377eab6f31e275114a6b0f8f0afc3bf578a2a00507e85afc9: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.2 s total: 0.0 B (0.0 B/s)
[root@k8s-master ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
harbor.cncf.net:447/library/calico/node v1.38.7 8532d21c0c85 3 seconds ago linux/amd64 403.9MB 156.9MB
harbor.cncf.net:447/library/nginx latest 33e0bbc7ca9e 38 hours ago linux/amd64 203.9MB 72.31MB
5.2 Docker
5.2.1 Docker image operations
1. Pull images
[root@k8s-master ~]# docker pull httpd
[root@k8s-master ~]# docker pull nginx
[root@k8s-master ~]# docker pull registry.myk8s.cn/library/httpd
2. List images
[root@k8s-master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 657fdcd1c365 2 weeks ago 152MB
httpd latest 4613a77dcb46 2 months ago 117MB
registry.myk8s.cn/library/httpd latest 199e3a035264 2 months ago 117MB
5.2.2 Configure the Harbor certificate
[root@k8s-master ~]# sudo mkdir -p /etc/docker/certs.d/harbor.cncf.net:447
# Copy Harbor's CA certificate into this directory
[root@k8s-master ~]# sudo cp ca.crt /etc/docker/certs.d/harbor.cncf.net:447
# Restart the docker service
[root@k8s-master ~]# systemctl restart docker
5.2.3 Log in to Harbor
[root@k8s-master ~]# docker login harbor.cncf.net:447 -u admin -p admin
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
5.2.4 Tag and push the image
1. Tag the image
docker tag SOURCE_IMAGE[:TAG] harbor.cncf.net:447/library/REPOSITORY[:TAG]
[root@k8s-master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 657fdcd1c365 2 weeks ago 152MB
httpd latest 4613a77dcb46 2 months ago 117MB
registry.myk8s.cn/library/httpd latest 199e3a035264 2 months ago 117MB
[root@k8s-master ~]# docker tag httpd:latest harbor.cncf.net:447/library/httpd:v1
[root@k8s-master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 657fdcd1c365 2 weeks ago 152MB
registry.myk8s.cn/library/httpd latest 199e3a035264 2 months ago 117MB
httpd latest 4613a77dcb46 2 months ago 117MB
harbor.cncf.net:447/library/httpd v1 4613a77dcb46 2 months ago 117MB
2. Push the image to Harbor
docker push harbor.cncf.net:447/library/REPOSITORY[:TAG]
[root@k8s-master ~]# docker push harbor.cncf.net:447/library/httpd:v1
The push refers to repository [harbor.cncf.net:447/library/httpd]
dfc51b2a5ad4: Pushed
f8c308326eb4: Pushed
9b9125eabbd9: Pushed
5f70bf18a086: Pushed
1a46d6e7f73c: Pushed
d7c97cb6f1fe: Pushed
v1: digest: sha256:103310f78680698fafe7ac7bbf654a7024b3cdb7e43a33e873318a510489618f size: 1572
5.2.5 Pull the image
[root@k8s-master ~]# docker pull harbor.cncf.net:447/library/calico/node:v1.38.7
v1.38.7: Pulling from library/calico/node
44c2028a3ff8: Pull complete
Digest: sha256:8532d21c0c85ca22e337c3125e84c575d77b6d59faae181e2cdd0adfd3abd1bf
Status: Downloaded newer image for harbor.cncf.net:447/library/calico/node:v1.38.7
harbor.cncf.net:447/library/calico/node:v1.38.7
[root@k8s-master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor.cncf.net:447/library/calico/node v1.38.7 833e8e11d9dc 11 days ago 401MB
nginx latest 657fdcd1c365 2 weeks ago 152MB
httpd latest 4613a77dcb46 2 months ago 117MB
harbor.cncf.net:447/library/httpd v1 4613a77dcb46 2 months ago 117MB
registry.myk8s.cn/library/httpd latest 199e3a035264 2 months ago 117MB