A web-scraping tool for the Edge browser: installing the XPath Helper extension and resolving shortcut-key conflicts
2026/5/13 11:37:08
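A private image registry stores and manages an organization's internal Docker images and provides image storage, distribution, security scanning, and access control.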
```text
┌──────────────────────────────────────────────────────────┐
│  Private image registry architecture                     │
├──────────────────────────────────────────────────────────┤
│                                                          │
│  ┌────────────────────────────────────────────────────┐  │
│  │ Image push                                         │  │
│  │ Developer ──▶ build ──▶ push ──▶ Harbor/Registry   │  │
│  └────────────────────────────────────────────────────┘  │
│                                                          │
│  ┌────────────────────────────────────────────────────┐  │
│  │ Image distribution                                 │  │
│  │ Harbor/Registry ──▶ pull ──▶ test environment      │  │
│  │        │                                           │  │
│  │        ├──▶ pull ──▶ staging environment           │  │
│  │        │                                           │  │
│  │        └──▶ pull ──▶ production environment        │  │
│  └────────────────────────────────────────────────────┘  │
│                                                          │
│  Core features:                                          │
│  - Image storage and version management                  │
│  - Vulnerability scanning                                │
│  - Image signing                                         │
│  - Access control                                        │
│  - Cross-region replication                              │
│                                                          │
└──────────────────────────────────────────────────────────┘
```

```bash
# Simple deployment
docker run -d \
  --name registry \
  -p 5000:5000 \
  -v /data/registry:/var/lib/registry \
  registry:2

# Registry with authentication
docker run -d \
  --name registry \
  -p 5000:5000 \
  -v /data/registry:/var/lib/registry \
  -v /data/auth:/auth \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM=Registry \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2

# Create the password file (admin123 is a sample value; use a strong secret).
# Recent registry:2 images do not ship htpasswd, so the httpd image is used here.
docker run --entrypoint htpasswd httpd:2 -Bbn admin admin123 > /data/auth/htpasswd
```

```yaml
# config.yml
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
auth:
  htpasswd:
    realm: Registry
    path: /auth/htpasswd
```

```bash
# Use the configuration file
docker run -d \
  --name registry \
  -p 5000:5000 \
  -v $(pwd)/config.yml:/etc/docker/registry/config.yml \
  registry:2
```

```bash
# Download Harbor
git clone https://github.com/goharbor/harbor.git
cd harbor

# Copy the configuration
cp harbor.yml.tmpl harbor.yml

# Edit the configuration
vim harbor.yml
```

```yaml
# harbor.yml example
hostname: harbor.example.com
https:
  port: 443
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key
```

```bash
# Install
./install.sh --with-notary --with-trivy --with-chartmuseum
```

```yaml
# harbor.yml full configuration
hostname: harbor.example.com

# HTTP configuration
http:
  port: 80

# HTTPS configuration
https:
  port: 443
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key

# External URL
external_url: https://harbor.example.com

# Data storage
data_volume: /data/harbor

# Logging
trl_log:
  location: /data/logs
  rotate_count: 50
  rotate_size: 200M

# Database (root123 is a sample value; set a strong password)
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900

# Redis (an empty password leaves Redis unauthenticated)
redis:
  url: redis:6379
  password: ""

# Authentication mode
auth_mode: db_auth

# Self-registration
self_registration: false

# Token expiration
token_expiration: 30

# Project creation restriction
project_creation_restriction: adminonly

# Vulnerability scanning
clair:
  updaters_interval: 12

# Image signing
notary:
  enabled: true
```

```bash
# Log in to Harbor
docker login harbor.example.com

# Tag the image
docker tag myapp:latest harbor.example.com/project/myapp:v1.0
docker tag myapp:latest harbor.example.com/project/myapp:latest

# Push the image
docker push harbor.example.com/project/myapp:v1.0
docker push harbor.example.com/project/myapp:latest

# Pull the image
docker pull harbor.example.com/project/myapp:v1.0

# Remove the local image
docker rmi harbor.example.com/project/myapp:v1.0
```

```yaml
# Replication rule configuration
apiVersion: replication/v1
kind: Replication
metadata:
  name: replica-rule
spec:
  src_registry:
    url: https://harbor-primary.example.com
    insecure: false
  dest_registry:
    url: https://harbor-secondary.example.com
    insecure: false
  filters:
    - type: name
      value: "project/.*"
    - type: tag
      value: "v*"
  trigger:
    type: event_based
    settings:
      cron: "0 */6 * * *"
  deletion: false
  override: true
```

```bash
# Set the retention policy
# Harbor UI → Projects → Project → Policies

# CLI cleanup (admin123 is a sample value; pass real credentials from a secret store)
docker run --rm -it \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e HARBOR_HOST=harbor.example.com \
  -e HARBOR_USER=admin \
  -e HARBOR_PASSWORD=admin123 \
  harbor-cleanup/cleanup

# Delete unused images
# Set up an automatic cleanup job
# Keep the most recent N tags
# Keep images from the most recent N days
```

```bash
# Trivy scan (Harbor integration)
trivy image harbor.example.com/project/myapp:v1.0

# Set the scan policy
# Harbor UI → Interrogation Services → Scan All

# Block deployment of vulnerable images
# Harbor UI → Project → Policies → Prevent vulnerable images
```

```bash
# Enable Notary
export DOCKER_CONTENT_TRUST=1

# Push a signed image
docker push harbor.example.com/project/myapp:v1.0

# Pull and verify the signature
docker pull harbor.example.com/project/myapp:v1.0

# View signature information
notary -s https://notary.harbor.example.com \
  list harbor.example.com/project/myapp
```

```bash
# User roles
# - Project Admin: full control
# - Developer: push and pull
# - Guest: read-only
# - Master: image replication permission

# Create a robot account
# Harbor UI → Project → Robot Accounts
```

```yaml
# Robot account configuration
robot:
  name: robot-ci
  description: CI/CD system
  expires_at: 2025-12-31
  permissions:
    - access:
        - resource: repository
          action: push
      namespace: project-name
```

```yaml
# .gitlab-ci.yml
variables:
  HARBOR_REGISTRY: harbor.example.com
  HARBOR_PROJECT: myproject

build:
  stage: build
  script:
    # Read the password from stdin so it does not appear in the process list or job log
    - echo "$HARBOR_PASSWORD" | docker login -u "$HARBOR_USER" --password-stdin $HARBOR_REGISTRY
    - docker build -t $HARBOR_REGISTRY/$HARBOR_PROJECT/myapp:$CI_COMMIT_SHA .
    - docker push $HARBOR_REGISTRY/$HARBOR_PROJECT/myapp:$CI_COMMIT_SHA
```

```yaml
- name: Login to Harbor
  uses: docker/login-action@v2
  with:
    registry: harbor.example.com
    username: ${{ secrets.HARBOR_USER }}
    password: ${{ secrets.HARBOR_PASSWORD }}

- name: Build and push
  run: |
    docker build -t harbor.example.com/myapp:latest .
    docker push harbor.example.com/myapp:latest
```

```yaml
# docker-compose.ha.yml
version: '3.8'

services:
  harbor-core:
    image: goharbor/harbor-core:latest
    deploy:
      replicas: 3   # compose v3 expects replicas under deploy
    networks:
      - harbor

  harbor-portal:
    image: goharbor/harbor-portal:latest
    deploy:
      replicas: 2

  redis:
    image: redis:6-alpine
    command: redis-server --appendonly yes
    networks:
      - harbor

  database:
    image: postgres:13
    environment:
      POSTGRES_PASSWORD: root123   # sample value; set a strong password
    volumes:
      - pg-data:/var/lib/postgresql/data

networks:
  harbor:
    driver: overlay

volumes:
  pg-data:
```

```nginx
# nginx.conf
upstream harbor {
    server harbor-node1:8080 weight=1 max_fails=3 fail_timeout=30s;
    server harbor-node2:8080 weight=1 max_fails=3 fail_timeout=30s;
    server harbor-node3:8080 weight=1 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl;
    server_name harbor.example.com;

    ssl_certificate /etc/nginx/ssl/harbor.crt;
    ssl_certificate_key /etc/nginx/ssl/harbor.key;

    location / {
        proxy_pass http://harbor;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

```yaml
# prometheus.yml
scrape_configs:
  - job_name: 'harbor'
    static_configs:
      - targets: ['harbor-exporter:8080']
    metrics_path: '/metrics'
```

| Metric | Description | Alert threshold |
|---|---|---|
| harbor_project_count | Number of projects | - |
| harbor_repository_count | Number of repositories | - |
| harbor_push_count | Number of pushes | - |
| harbor_pull_count | Number of pulls | - |
| storage_used_bytes | Storage used | > 80% |
| registry_latency | Latency | > 5s |
```bash
# Enable compression
# Harbor UI → Configuration → System Settings

# Enable reusable layers

# Clean up unused blobs
docker run --rm -it \
  -v /data/harbor:/data \
  goharbor/garbage-collector \
  -d 1h

# Set the cleanup policy
# Keep images from the most recent 30 days
# Keep the most recent 10 versions

# Manual cleanup
docker exec harbor-database psql -U postgres -d registry -c "
  DELETE FROM blob WHERE id NOT IN (
    SELECT DISTINCT blob_id FROM artifact_blob
  );
"
```

| Operation | Command |
|---|---|
| Log in | docker login harbor.example.com |
| Tag | docker tag myapp harbor.example.com/project/myapp:v1 |
| Push | docker push harbor.example.com/project/myapp:v1 |
| Pull | docker pull harbor.example.com/project/myapp:v1 |
| Remove local image | docker rmi harbor.example.com/project/myapp:v1 |
| Scan | trivy image harbor.example.com/project/myapp:v1 |
| Start Registry | docker run -d -p 5000:5000 registry:2 |
| Start Harbor | docker-compose up -d |
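Check login status, permissions, and disk space.

```bash
docker exec -it harbor-database psql -U postgres -d registry
```

```sql
-- Replace '新密码hash' with the hash of the new password
UPDATE harbor_user SET password='新密码hash' WHERE username='admin';
```

Back up the /data directory and mount it at the same path on the new server.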
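The harbor.yml sample on this page carries values that should not reach production (`database.password: root123`, an empty Redis password). The following is an added example, not part of the original article or of Harbor's tooling, that lints a harbor.yml-style file for those settings. The function name `audit_harbor_yml`, the weak-value list and the 12-character minimum are assumptions, and the parser handles one level of nesting only.

```shell
#!/bin/sh
# Added example, not Harbor tooling. Key names follow the harbor.yml shown above.

# audit_harbor_yml FILE: print one finding per line (no output means no findings).
audit_harbor_yml() {
  awk '
    function report(msg) { print path ": " msg }
    { sub(/[ \t]+#.*$/, ""); sub(/^#.*$/, "") }      # strip comments
    /^[ \t]*$/ { next }
    {
      indent = match($0, /[^ \t]/) - 1
      line = substr($0, indent + 1)
      i = index(line, ":"); if (i == 0) next
      key = substr(line, 1, i - 1)
      val = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$|"/, "", val)             # trim, drop quotes
      if (indent == 0) { section = key; path = key } else path = section "." key

      if (path == "https.certificate" && val != "") tls = 1
      if (path ~ /^(database|redis)\.password$/) {
        if (val == "") report("empty password")
        else if (val ~ /^(root123|admin123|password)$/ || length(val) < 12)
          report("default or short password")
      }
      if (path == "self_registration" && val == "true") report("open self-registration")
      if (path == "project_creation_restriction" && val != "adminonly")
        report("non-admin users can create projects")
    }
    END { if (!tls) print "https: no TLS certificate configured" }
  ' "$1"
}

# Constructed sample that mirrors the weak values in the harbor.yml above.
sample_config() {
  cat <<'EOF'
hostname: harbor.example.com
http:
  port: 80
database:
  password: root123
redis:
  url: redis:6379
  password: ""
self_registration: false
project_creation_restriction: adminonly
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_harbor_yml "$tmp"
rm -f "$tmp"
```

Run it in CI against the rendered harbor.yml and fail the job when the function prints anything.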