Normally a finished docker image is pushed straight to Docker Hub, but hosting it for internal use raises security and privacy concerns,
so you need somewhere to keep private docker images. That search finally led me to this safe harbor: Harbor, a private registry.
Hardware
| Resource | Minimum | Recommended |
| CPU | 2 CPU | 4 CPU |
| Mem | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |
Dependencies
- ntp
- swapoff
  - Remove any matching swap reference found in /etc/fstab
  - swapoff -a
- Docker 17.06.0-ce+
- Docker Compose 1.18.0+
- OpenSSL
- Python 3.6
Python 3.6 for CentOS 7
Install
yum install epel-release
yum install python36
# point /usr/bin/python at python3 (note: this breaks yum, which is a Python 2 script on CentOS 7; see Fix below)
rm -rf /usr/bin/python
ln -s /usr/bin/python3 /usr/bin/python
# install pip3
python3 -m ensurepip
# update pip3
pip3 install --upgrade pip
Fix
Because yum and its helpers on CentOS 7 are Python 2 scripts, change the shebang line from /usr/bin/python to /usr/bin/python2.7 in each of:
- /usr/libexec/urlgrabber-ext-down
- /usr/bin/yum-config-manager
- /usr/bin/yum
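As an added example (not code from the original post), the following script performs that shebang fix in a way that is safe to re-run: it only rewrites a first line that names exactly /usr/bin/python (with or without a space after #!, and with or without interpreter arguments), never touches a /usr/bin/python3 shebang or any later line, and keeps a .bak copy. The three paths are the ones listed above; the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Repoints the yum tooling at
# Python 2.7 after /usr/bin/python was relinked to python3. Helper names and
# the patched / unchanged / missing status words are choices made here.
set -eu

# fix_shebang FILE : rewrite a first line of exactly "#!/usr/bin/python"
# (optionally "#! /usr/bin/python", optionally followed by arguments) to
# python2.7. A "#!/usr/bin/python3" shebang and all later lines are left
# alone; a .bak copy is kept. Prints patched / unchanged / missing.
fix_shebang() {
    f="$1"
    [ -f "$f" ] || { echo missing; return 0; }
    if head -n 1 "$f" | grep -q \
        -e '^#![[:space:]]*/usr/bin/python$' \
        -e '^#![[:space:]]*/usr/bin/python[[:space:]]'; then
        sed -i.bak \
            -e '1s|^#!\([[:space:]]*\)/usr/bin/python$|#!\1/usr/bin/python2.7|' \
            -e '1s|^#!\([[:space:]]*\)/usr/bin/python\([[:space:]]\)|#!\1/usr/bin/python2.7\2|' \
            "$f"
        echo patched
    else
        echo unchanged
    fi
}

# shebang_interp FILE : the interpreter path named on line 1 (empty if none)
shebang_interp() {
    head -n 1 "$1" | sed -n 's|^#![[:space:]]*\([^[:space:]]*\).*|\1|p'
}

# Usage (as root):
#   sh fix-yum-shebang.sh /usr/libexec/urlgrabber-ext-down /usr/bin/yum-config-manager /usr/bin/yum
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(fix_shebang "$f")"
    done
fi
```

Running it a second time reports "unchanged" for every file, so it can sit in a provisioning script without risk of mangling a shebang that was already repaired.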
Install
Harbor
Go to the official download page (v1.8+) and fetch the offline installer. The release page also publishes a detached .asc signature for the tarball; verify it before extracting.
wget https://github.com/goharbor/harbor/releases/download/v1.10.0/harbor-offline-installer-v1.10.0.tgz
tar zxvf harbor-offline-installer-v1.10.0.tgz
cd harbor
Edit harbor.yml. hostname must be the FQDN or IP that clients will use to reach the registry (not localhost or 127.0.0.1), and certificate/private_key must point at the files placed under /data/cert:
#set hostname
hostname: <domain>
http:
  port: 80
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/<domain>.crt
  private_key: /data/cert/<domain>.key
......
Generate the config files for Harbor (the prepare step; install.sh runs it for you)
Start Harbor
Default installation, without Notary, Clair, or Chart Repository Service: run install.sh with no options.
Installation with Notary, Clair, and Chart Repository Service (Notary only works over TLS, so it requires the HTTPS setup above):
sudo ./install.sh --with-notary --with-clair --with-chartmuseum
Login Harbor
Log in at https://192.168.0.242 with the admin account (its initial password is set by harbor_admin_password in harbor.yml; change it after the first login).
Create Project
Enter the project name; you can also choose public or private, the artifact count limit, and the storage quota. Images in a public project can be pulled without logging in; a private project requires docker login.
Once created, the project appears in the list below.
Docker
Config
If the registry serves plain HTTP with no certificate and is only used internally, you can list it under insecure-registries in /etc/docker/daemon.json on each client (restart the Docker daemon afterwards). Be aware that this makes the client accept plain HTTP and skip TLS verification for those hosts, so anything on the network path can tamper with the images; the better option is the HTTPS setup in harbor.yml above, with the CA certificate copied to /etc/docker/certs.d/<hostname>/ca.crt on each client.
Add the following fragment:
"insecure-registries": [
  "192.168.0.242",
  "127.0.0.1"
]
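As an added example (not code from the original post or the Harbor project), the following script builds the HTTPS alternative to insecure-registries: a private CA, a CA-signed server certificate that carries the Harbor hostname and IP as Subject Alternative Names, and a verification step that checks the same things a Docker client will check. The hostname harbor.example.internal, the IP 192.168.0.242 and the function names are placeholders; the output files go to the paths referenced by harbor.yml (/data/cert/) on the server, and the CA goes to /etc/docker/certs.d/<hostname>/ca.crt on each client.

```shell
#!/bin/sh
# Added example, not code from the original post or the Harbor project.
# Builds a private CA plus a CA-signed server certificate for the Harbor
# host, the HTTPS alternative to "insecure-registries". Hostname, IP,
# subject fields and function names are placeholders chosen here.
set -eu

# gen_ca DIR : self-signed CA (ca.key / ca.crt), valid 10 years
gen_ca() {
    dir="$1"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -key "$dir/ca.key" \
        -subj "/C=TW/O=Example/CN=Example Private CA" \
        -out "$dir/ca.crt"
}

# gen_server_cert DIR HOST IP : key, CSR and CA-signed cert for HOST.
# The SAN extension is mandatory: Docker (Go's TLS stack) ignores the CN.
gen_server_cert() {
    dir="$1"; host="$2"; ip="$3"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 \
        -key "$dir/$host.key" \
        -subj "/C=TW/O=Example/CN=$host" \
        -out "$dir/$host.csr"
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:$ip
EOF
    openssl x509 -req -sha256 -days 825 \
        -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/v3.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_cert DIR HOST IP : succeeds only if the cert chains to our CA and
# names both HOST and IP in its SAN. Checks the "OK" text rather than the
# exit code so it behaves the same on old OpenSSL 1.0.x builds.
verify_cert() {
    dir="$1"; host="$2"; ip="$3"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" 2>/dev/null | grep -q ': OK$' || return 1
    text=$(openssl x509 -in "$dir/$host.crt" -noout -text)
    echo "$text" | grep -q "DNS:$host" || return 1
    echo "$text" | grep -q "IP Address:$ip" || return 1
}

# make_harbor_certs DIR HOST IP : run all three steps and print where the
# files go (harbor.yml certificate/private_key and the Docker client side).
make_harbor_certs() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"
    gen_ca "$dir"
    gen_server_cert "$dir" "$host" "$ip"
    verify_cert "$dir" "$host" "$ip"
    echo "server : cp $dir/$host.crt $dir/$host.key /data/cert/"
    echo "clients: cp $dir/ca.crt /etc/docker/certs.d/$host/ca.crt"
}

# Usage: sh harbor-certs.sh <outdir> <hostname> <ip>
if [ $# -eq 3 ]; then
    make_harbor_certs "$1" "$2" "$3"
fi
```

Keep ca.key off the Harbor host once the server certificate is issued; only ca.crt needs to be distributed, and clients that have it under /etc/docker/certs.d/<hostname>/ can drop the insecure-registries entry entirely.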
Login
Log in to the private registry before pushing or pulling:
# docker login <private registry ip>
docker login 192.168.0.242
Push
To push an image, first re-tag it as domain_or_ip/project/image_name:version (here "acom" is the Harbor project created above); only then will the push land in the private registry:
docker pull centos:7
docker tag centos:7 192.168.0.242/acom/centos:7
docker push 192.168.0.242/acom/centos:7
Pull
Pull the image from the private registry:
docker pull 192.168.0.242/acom/centos:7
Security Scan
Open the image in the Harbor UI and click the SCAN button (this needs the Clair option from the install step).
After the scan, a vulnerability report is produced.
Fix
Patch on top of the 192.168.0.242/acom/centos:7 layer with the following Dockerfile:
# start from the scanned image in Harbor and update the nss packages the report flagged
FROM 192.168.0.242/acom/centos:7
RUN yum update -y nss* && yum clean all
LABEL maintainer="CodyChen <cody@acom-networks.com>" \
    org.label-schema.name="Acom-Networks" \
    org.label-schema.vendor="CodyChen" \
    org.label-schema.schema-version="1.0"
ENV TZ "Asia/Taipei"
Build the new image, push it to Harbor, and run the scan again:
docker build -t 192.168.0.242/acom/centos:7.7 .
docker push 192.168.0.242/acom/centos:7.7
The vulnerability has been patched.
Ref
- Harbor Official
- harbor/installation_guide.md at master · goharbor/harbor · GitHub
- harbor/configure_https.md at master · goharbor/harbor · GitHub