# Part 8 - Enterprise Practices: 39. Private Image Registry
## 1. Overview of Private Image Registries

A private image registry stores and manages an organisation's internal Docker images. It provides image storage, distribution, security scanning, access control and related functions.

```text
┌──────────────────────────────────────────────────────────┐
│           Private image registry architecture            │
├──────────────────────────────────────────────────────────┤
│                                                          │
│  ┌────────────────────────────────────────────────────┐  │
│  │  Image push                                        │  │
│  │  Developer ──▶ Build ──▶ Push ──▶ Harbor/Registry  │  │
│  └────────────────────────────────────────────────────┘  │
│                                                          │
│  ┌────────────────────────────────────────────────────┐  │
│  │  Image distribution                                │  │
│  │  Harbor/Registry ──▶ Pull ──▶ Test environment     │  │
│  │        │                                           │  │
│  │        ├──▶ Pull ──▶ Staging environment           │  │
│  │        │                                           │  │
│  │        └──▶ Pull ──▶ Production environment        │  │
│  └────────────────────────────────────────────────────┘  │
│                                                          │
│  Core functions                                          │
│  - Image storage and version management                  │
│  - Vulnerability scanning                                │
│  - Image signing                                         │
│  - Access control                                        │
│  - Cross-region replication                              │
│                                                          │
└──────────────────────────────────────────────────────────┘
```

## 2. Docker Registry

### 2.1 Deploying Registry

```bash
# Simple deployment
docker run -d \
  --name registry \
  -p 5000:5000 \
  -v /data/registry:/var/lib/registry \
  registry:2

# Registry with authentication
docker run -d \
  --name registry \
  -p 5000:5000 \
  -v /data/registry:/var/lib/registry \
  -v /data/auth:/auth \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM=Registry \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2

# Create the password file (-B selects bcrypt, the only hash the registry accepts;
# registry:2 images from 2.7 onwards no longer bundle htpasswd, so use httpd:2 as
# the image if this fails)
docker run --entrypoint htpasswd registry:2 -Bbn admin admin123 > /data/auth/htpasswd
```

### 2.2 Registry Configuration

```yaml
# config.yml
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
auth:
  htpasswd:
    realm: Registry
    path: /auth/htpasswd
```

```bash
# Use the configuration file (the tls and auth sections above also need the
# certificate and htpasswd directories mounted; host paths here are assumed)
docker run -d \
  --name registry \
  -p 5000:5000 \
  -v $(pwd)/config.yml:/etc/docker/registry/config.yml \
  -v /data/certs:/certs \
  -v /data/auth:/auth \
  registry:2
```
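As an added example (not code from the page or from the registry project), a small audit of the htpasswd file created above, checking the conditions the registry's htpasswd authenticator depends on: bcrypt-only hashes, a sane bcrypt cost, and no duplicate or malformed entries. The sample file and its hashes are constructed placeholders, and the cost floor of 10 is an assumed policy.

```python
import re

# Constructed sample of /data/auth/htpasswd: a default "htpasswd -Bbn" entry
# (cost 05), a cost-12 entry, an MD5 (-m) entry, a SHA-1 (-s) entry and a
# duplicate user. Hashes have the right shape but are not real credentials.
SAMPLE_HTPASSWD = """\
# registry users
admin:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
ci-bot:$2y$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:$apr1$saltsalt$0123456789abcdefghijkl
old-sha:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
admin:$2y$05$zyxwvutsrqponmlkjihgffABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

# bcrypt modular crypt format: $2a$/$2b$/$2y$, two-digit cost, 22 salt + 31 hash chars
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed policy floor; "htpasswd -B" defaults to cost 5


def audit_htpasswd(text: str) -> list:
    """Return (user, problem) pairs for an htpasswd file.

    The registry verifies passwords with bcrypt only, so MD5/SHA entries can
    never log in, and a low bcrypt cost makes a leaked file cheaper to crack
    offline. Later duplicate entries override earlier ones when the file is
    loaded, which silently changes which password is valid."""
    problems, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append((f"line {lineno}", "malformed entry (no ':')"))
            continue
        user, hashed = line.split(":", 1)
        if user in seen:
            problems.append((user, "duplicate user (later entry overrides)"))
        seen.add(user)
        m = BCRYPT_RE.match(hashed)
        if not m:
            problems.append((user, "not bcrypt; registry login will always fail"))
        elif int(m.group(1)) < MIN_COST:
            problems.append((user, f"bcrypt cost {m.group(1)} below {MIN_COST}; "
                                   f"regenerate with htpasswd -B -C {MIN_COST}"))
    return problems


if __name__ == "__main__":
    for user, problem in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: {problem}")
```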
## 3. Harbor

### 3.1 Installing Harbor

```bash
# Download Harbor
git clone https://github.com/goharbor/harbor.git
cd harbor

# Copy the configuration template
cp harbor.yml.tmpl harbor.yml

# Edit the configuration
vim harbor.yml
```

```yaml
# harbor.yml example
hostname: harbor.example.com
https:
  port: 443
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key
```

```bash
# Install
./install.sh --with-notary --with-trivy --with-chartmuseum
```

### 3.2 Harbor Configuration

```yaml
# harbor.yml, full configuration
hostname: harbor.example.com

# HTTP settings
http:
  port: 80

# HTTPS settings
https:
  port: 443
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key

# External URL
external_url: https://harbor.example.com

# Data storage
data_volume: /data/harbor

# Logging
log:
  location: /data/logs
  rotate_count: 50
  rotate_size: 200M

# Database
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900

# Redis
redis:
  url: redis:6379
  password:

# Authentication mode
auth_mode: db_auth

# Self-registration
self_registration: false

# Token expiration
token_expiration: 30

# Project creation restriction
project_creation_restriction: adminonly

# Vulnerability scanning
clair:
  updaters_interval: 12

# Image signing
notary:
  enabled: true
```

## 4. Image Management

### 4.1 Basic Operations

```bash
# Log in to Harbor
docker login harbor.example.com

# Tag the image
docker tag myapp:latest harbor.example.com/project/myapp:v1.0
docker tag myapp:latest harbor.example.com/project/myapp:latest

# Push the image
docker push harbor.example.com/project/myapp:v1.0
docker push harbor.example.com/project/myapp:latest

# Pull the image
docker pull harbor.example.com/project/myapp:v1.0

# Remove the local image
docker rmi harbor.example.com/project/myapp:v1.0
```

### 4.2 Image Replication

```yaml
# Replication rule configuration
apiVersion: replication/v1
kind: Replication
metadata:
  name: replica-rule
spec:
  src_registry:
    url: https://harbor-primary.example.com
    insecure: false
  dest_registry:
    url: https://harbor-secondary.example.com
    insecure: false
  filters:
    - type: name
      value: project/.*
    - type: tag
      value: v*
  trigger:
    type: event_based
    settings:
      cron: "0 */6 * * *"
  deletion: false
  override: true
```

### 4.3 Image Cleanup

```bash
# Set a retention policy
# Harbor UI → Projects → Project → Policies

# CLI cleanup
docker run --rm -it \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e HARBOR_HOST=harbor.example.com \
  -e HARBOR_USER=admin \
  -e HARBOR_PASSWORD=admin123 \
  harbor-cleanup/cleanup

# Delete unused images
# Set up an automatic cleanup task
# Keep the most recent N tags
# Keep images from the last N days
```
## 5. Security Configuration

### 5.1 Vulnerability Scanning

```bash
# Trivy scan (Harbor integrates Trivy)
trivy image harbor.example.com/project/myapp:v1.0

# Configure the scan policy
# Harbor UI → Interrogation Services → Scan All

# Block deployment of vulnerable images
# Harbor UI → Project → Policies → Prevent vulnerable images
```

### 5.2 Image Signing

```bash
# Enable Notary (Docker Content Trust)
export DOCKER_CONTENT_TRUST=1

# Push a signed image
docker push harbor.example.com/project/myapp:v1.0

# Pull and verify the signature
docker pull harbor.example.com/project/myapp:v1.0

# View signature information
notary -s https://notary.harbor.example.com \
  list harbor.example.com/project/myapp
```

### 5.3 RBAC Permissions

```yaml
# User roles
# - Project Admin: full control
# - Developer: push and pull
# - Guest: read-only
# - Master: image replication permission

# Create a robot account
# Harbor UI → Project → Robot Accounts

# Robot account configuration
robot:
  name: robot-ci
  description: CI/CD system
  expires_at: 2025-12-31
  permissions:
    - access:
        - resource: repository
          action: push
      namespace: project-name
```

## 6. CI/CD Integration

### 6.1 GitLab CI Integration

```yaml
# .gitlab-ci.yml
variables:
  HARBOR_REGISTRY: harbor.example.com
  HARBOR_PROJECT: myproject

build:
  stage: build
  script:
    # -p puts the password on the command line (visible in job logs and process
    # lists); "echo $HARBOR_PASSWORD | docker login --password-stdin" avoids that
    - docker login -u $HARBOR_USER -p $HARBOR_PASSWORD $HARBOR_REGISTRY
    - docker build -t $HARBOR_REGISTRY/$HARBOR_PROJECT/myapp:$CI_COMMIT_SHA .
    - docker push $HARBOR_REGISTRY/$HARBOR_PROJECT/myapp:$CI_COMMIT_SHA
```

### 6.2 GitHub Actions Integration

```yaml
- name: Login to Harbor
  uses: docker/login-action@v2
  with:
    registry: harbor.example.com
    username: ${{ secrets.HARBOR_USER }}
    password: ${{ secrets.HARBOR_PASSWORD }}

- name: Build and push
  run: |
    docker build -t harbor.example.com/myapp:latest .
    docker push harbor.example.com/myapp:latest
```
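An added example, not from the page or from Harbor, that applies the "Prevent vulnerable images" decision from 5.1 to a Trivy JSON report inside a CI job, including a per-project CVE allowlist like Harbor's. The report, package names and CVE ids are constructed placeholders in Trivy's field layout; `ignore_unfixed` is an assumed option modelled on Trivy's `--ignore-unfixed` flag.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the layout of "trivy image -f json"; the package
# names and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "harbor.example.com/project/myapp:v1.0",
    "Results": [
        {"Target": "myapp (alpine 3.18)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
             "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
        ]},
        # Trivy emits null rather than [] for a target with no findings
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": None},
    ],
})


def evaluate_policy(report_json, threshold="HIGH", allowlist=(), ignore_unfixed=False):
    """Pipeline-side equivalent of Harbor's "Prevent vulnerable images" rule:
    deny when any finding is at or above the severity threshold, unless its
    CVE is on the project allowlist. ignore_unfixed (assumed option) waives
    findings that have no fixed version yet."""
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking, waived = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(sev, 0) < min_rank:
                continue
            entry = (v["VulnerabilityID"], v["PkgName"], sev, result["Target"])
            if v["VulnerabilityID"] in allowlist:
                waived.append(entry)
            elif ignore_unfixed and not v.get("FixedVersion"):
                waived.append(entry)
            else:
                blocking.append(entry)
    return {"allowed": not blocking, "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    verdict = evaluate_policy(SAMPLE_REPORT, threshold="HIGH")
    print("deploy allowed:", verdict["allowed"])
    for cve, pkg, sev, target in verdict["blocking"]:
        print(f"  BLOCK {sev:8} {cve} in {pkg} ({target})")
```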
## 7. High-Availability Deployment

### 7.1 Harbor HA Architecture

```yaml
# docker-compose.ha.yml
version: "3.8"
services:
  harbor-core:
    image: goharbor/harbor-core:latest
    deploy:
      replicas: 3
    networks:
      - harbor
  harbor-portal:
    image: goharbor/harbor-portal:latest
    deploy:
      replicas: 2
  redis:
    image: redis:6-alpine
    command: redis-server --appendonly yes
    networks:
      - harbor
  database:
    image: postgres:13
    environment:
      POSTGRES_PASSWORD: root123
    volumes:
      - pg-data:/var/lib/postgresql/data
networks:
  harbor:
    driver: overlay
volumes:
  pg-data:
```

### 7.2 Load Balancer Configuration

```nginx
# nginx.conf
upstream harbor {
    server harbor-node1:8080 weight=1 max_fails=3 fail_timeout=30s;
    server harbor-node2:8080 weight=1 max_fails=3 fail_timeout=30s;
    server harbor-node3:8080 weight=1 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl;
    server_name harbor.example.com;

    ssl_certificate     /etc/nginx/ssl/harbor.crt;
    ssl_certificate_key /etc/nginx/ssl/harbor.key;

    # image layers are far larger than nginx's 1m default body limit
    client_max_body_size 0;

    location / {
        proxy_pass http://harbor;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tells Harbor the client connection was TLS, so generated URLs use https
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

## 8. Monitoring and Alerting

### 8.1 Prometheus Monitoring

```yaml
# prometheus.yml
scrape_configs:
  - job_name: harbor
    static_configs:
      - targets: ['harbor-exporter:8080']
    metrics_path: /metrics
```

### 8.2 Key Metrics

| Metric | Description | Alert threshold |
|---|---|---|
| harbor_project_count | Number of projects | - |
| harbor_repository_count | Number of repositories | - |
| harbor_push_count | Push count | - |
| harbor_pull_count | Pull count | - |
| storage_used_bytes | Storage used | 80% |
| registry_latency | Latency | 5s |

## 9. Cost Optimisation

### 9.1 Storage Optimisation

```bash
# Enable compression
# Harbor UI → Configuration → System Settings

# Enable layer reuse

# Clean up unused blobs
docker run --rm -it \
  -v /data/harbor:/data \
  goharbor/garbage-collector \
  -d 1h
```

### 9.2 Expiry Cleanup

```bash
# Retention policy
# Keep images from the last 30 days
# Keep the 10 most recent versions

# Manual cleanup (removes database rows only; the blob files on disk are
# freed by garbage collection, not by this statement)
docker exec harbor-database psql -U postgres -d registry -c \
  "DELETE FROM blob WHERE id NOT IN (SELECT DISTINCT blob_id FROM artifact_blob);"
```

## 10. Command Quick Reference

| Operation | Command |
|---|---|
| Log in | `docker login harbor.example.com` |
| Tag | `docker tag myapp harbor.example.com/project/myapp:v1` |
| Push | `docker push harbor.example.com/project/myapp:v1` |
| Pull | `docker pull harbor.example.com/project/myapp:v1` |
| Remove local image | `docker rmi harbor.example.com/project/myapp:v1` |
| Scan | `trivy image harbor.example.com/project/myapp:v1` |
| Start Registry | `docker run -d -p 5000:5000 registry:2` |
| Start Harbor | `docker-compose up -d` |
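Added example (not Harbor's code) that dry-runs the retention rules described in 4.3 and 9.2 ("keep the most recent N tags", "keep images from the last N days") over a constructed repository, so the plan can be reviewed before anything is deleted. It models one tag per artifact for simplicity; the reference time and push dates are constructed.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)  # constructed reference time

# Constructed repository state as (tag, push_time). Harbor retains per
# artifact, so a multi-tag artifact counts once; here each tag is its own
# artifact. Not data from a real Harbor instance.
ARTIFACTS = [
    ("v1.0", NOW - timedelta(days=120)),
    ("v1.1", NOW - timedelta(days=90)),
    ("v1.2", NOW - timedelta(days=60)),
    ("v1.3", NOW - timedelta(days=45)),
    ("v1.4", NOW - timedelta(days=20)),
    ("v1.5", NOW - timedelta(days=3)),
    ("latest", NOW - timedelta(days=3)),
    ("dev-abc123", NOW - timedelta(days=40)),
    ("dev-def456", NOW - timedelta(days=1)),
]


def plan_retention(artifacts, rules, now=NOW):
    """Dry-run a Harbor-style tag retention policy.

    Each rule is {"tags": <glob>, "latest_n": N} ("retain the most recently
    pushed N artifacts") or {"tags": <glob>, "days": D} ("retain artifacts
    pushed within the last D days"). As in Harbor, rules are unioned: an
    artifact survives if any rule retains it. Returns (keep, delete) tag
    lists in repository order."""
    keep = set()
    for rule in rules:
        matched = [(t, ts) for t, ts in artifacts if fnmatch.fnmatchcase(t, rule["tags"])]
        if "latest_n" in rule:
            newest = sorted(matched, key=lambda a: a[1], reverse=True)[: rule["latest_n"]]
            keep.update(t for t, _ in newest)
        if "days" in rule:
            cutoff = now - timedelta(days=rule["days"])
            keep.update(t for t, ts in matched if ts >= cutoff)
    tags = [t for t, _ in artifacts]
    return [t for t in tags if t in keep], [t for t in tags if t not in keep]


if __name__ == "__main__":
    # Tighter policy than 9.2: 3 newest release tags, plus anything from the last 30 days
    rules = [{"tags": "v*", "latest_n": 3}, {"tags": "*", "days": 30}]
    keep, delete = plan_retention(ARTIFACTS, rules)
    print("keep:  ", keep)
    print("delete:", delete)
```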
## 11. FAQ

**Q1: What should I do when an image push fails?**

Check the login status, permissions and free disk space.

**Q2: How do I reset a forgotten Harbor password?**

```bash
docker exec -it harbor-database psql -U postgres -d registry -c \
  "UPDATE harbor_user SET password='<new-password-hash>' WHERE username='admin';"
```

**Q3: How do I migrate Harbor data?**

Back up the /data directory and mount it at the same path on the new server.

## 12. Summary

| Topic | Key points |
|---|---|
| Registry | Lightweight private registry |
| Harbor | Enterprise-grade, full-featured |
| Image management | Versioning, replication, cleanup |
| Security | Vulnerability scanning, signing, RBAC |
| CI/CD integration | Automated push |
| High availability | Multiple replicas and load balancing |
| Monitoring | Prometheus and Grafana |
| Cost optimisation | Compression, cleanup, retention policies |