Summary: This Feng Ge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes in detail how to configure and use the technologies involved.
Feng Ge's note:
This document describes how to deploy and configure a container image registry.
Part01-Harbor Deployment
1.1 Installing Harbor
[root@harbor ~]# dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@harbor ~]# dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Start Docker
[root@harbor ~]# systemctl enable --now docker
# Download Harbor
[root@harbor ~]# cd /opt
[root@harbor opt]# wget https://github.com/goharbor/harbor/releases/download/v2.8.0/harbor-offline-installer-v2.8.0.tgz
[root@harbor opt]# tar xzf harbor-offline-installer-v2.8.0.tgz
# Configure Harbor (the YAML below is indented the way Harbor's template expects)
[root@harbor opt]# cd harbor
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# cat > harbor.yml << 'EOF'
hostname: harbor.fgedu.net.cn
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/ssl/harbor.crt
  private_key: /etc/harbor/ssl/harbor.key
harbor_admin_password: Harbor@123456
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data/harbor
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.8.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
EOF
# Generate the SSL certificate (self-signed, for the hostname set in harbor.yml)
[root@harbor ~]# mkdir -p /etc/harbor/ssl
[root@harbor ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/harbor/ssl/harbor.key \
-out /etc/harbor/ssl/harbor.crt \
-subj "/C=CN/ST=Beijing/L=Beijing/O=Example/CN=harbor.fgedu.net.cn"
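Before running ./install.sh it is worth checking that harbor.yml does not still carry values from harbor.yml.tmpl: the template ships with hostname reg.mydomain.com, admin password Harbor12345 and database password root123, and the configuration above keeps that last one. The pre-flight script below is an added example, not part of the Harbor project; harbor_get and harbor_preflight are this example's own names, and the sample configuration is a constructed, shortened copy of the one above.

```shell
#!/bin/sh
# Added pre-flight check for harbor.yml (example code, not part of the Harbor project).
# It looks for the values Harbor's template ships with (hostname reg.mydomain.com,
# admin password Harbor12345, database password root123) and refuses to proceed while
# any of them is still in place or while the https section is incomplete.

# Print the value of a top-level key ("hostname") or a two-level key ("https.port").
# A deliberately small reader for the flat layout of harbor.yml, not a YAML parser.
harbor_get() {
  awk -v want="$2" '
    /^[^ \t#]/ { section = $1; sub(/:$/, "", section) }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      full = ($0 ~ /^[ \t]/) ? (section "." key) : key
      if (full == want) { print val; exit }
    }' "$1"
}

# Return 0 when the file is safe to install from, 1 (with reasons) otherwise.
harbor_preflight() {
  f="$1"; rc=0
  host=$(harbor_get "$f" hostname)
  if [ -z "$host" ] || [ "$host" = "reg.mydomain.com" ]; then
    echo "hostname is unset or still the template placeholder"; rc=1
  fi
  if [ -z "$(harbor_get "$f" https.certificate)" ] || [ -z "$(harbor_get "$f" https.private_key)" ]; then
    echo "https.certificate / https.private_key missing: clients would log in over plain HTTP"; rc=1
  fi
  if [ "$(harbor_get "$f" harbor_admin_password)" = "Harbor12345" ]; then
    echo "harbor_admin_password is the template default"; rc=1
  fi
  if [ "$(harbor_get "$f" database.password)" = "root123" ]; then
    echo "database.password is the template default root123"; rc=1
  fi
  return $rc
}

# Constructed sample: a shortened copy of the page's harbor.yml, indented as Harbor expects.
SAMPLE_CONFIG=$(cat <<'EOF'
hostname: harbor.fgedu.net.cn
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/ssl/harbor.crt
  private_key: /etc/harbor/ssl/harbor.key
harbor_admin_password: Harbor@123456
database:
  password: root123
data_volume: /data/harbor
EOF
)

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
# The sample fails on database.password; change it in harbor.yml before ./install.sh.
harbor_preflight "$tmp" || echo "fix harbor.yml before running ./install.sh"
rm -f "$tmp"
```

Run it as `harbor_preflight /opt/harbor/harbor.yml` on the server; it exits non-zero and prints each finding, so it can sit in front of ./install.sh in an automation playbook.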
# Install Harbor
[root@harbor harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 23.0.1
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.16.1
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v2.8.0
Loaded image: goharbor/harbor-portal:v2.8.0
Loaded image: goharbor/harbor-jobservice:v2.8.0
Loaded image: goharbor/registry-photon:v2.8.0
Loaded image: goharbor/harbor-registryctl:v2.8.0
Loaded image: goharbor/harbor-db:v2.8.0
Loaded image: goharbor/harbor-exporter:v2.8.0
Loaded image: goharbor/redis-photon:v2.8.0
Loaded image: goharbor/trivy-adapter-photon:v2.8.0
Loaded image: goharbor/nginx-photon:v2.8.0
Loaded image: goharbor/prepare:v2.8.0
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
[+] Running 10/10
✔ Network harbor_harbor Created
✔ Container harbor-log Started
✔ Container redis Started
✔ Container registry Started
✔ Container registryctl Started
✔ Container harbor-db Started
✔ Container harbor-portal Started
✔ Container harbor-core Started
✔ Container nginx Started
✔ Container harbor-jobservice Started
✔ ----Harbor has been installed and started successfully.----
1.2 Using Harbor
[root@client ~]# cat > /etc/docker/daemon.json << 'EOF'
{ "insecure-registries": ["harbor.fgedu.net.cn"] }
EOF
[root@client ~]# systemctl restart docker
# Log in to Harbor
[root@client ~]# docker login harbor.fgedu.net.cn
Username: admin
Password: Harbor@123456
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Tag the image
[root@client ~]# docker tag nginx:latest harbor.fgedu.net.cn/library/nginx:latest
# Push the image
[root@client ~]# docker push harbor.fgedu.net.cn/library/nginx:latest
The push refers to repository [harbor.fgedu.net.cn/library/nginx]
5f8e23f6b5a4: Pushed
d0004b6b0e2b: Pushed
latest: digest: sha256:1234567890abcdef size: 1365
# Pull the image
[root@client ~]# docker pull harbor.fgedu.net.cn/library/nginx:latest
latest: Pulling from library/nginx
Digest: sha256:1234567890abcdef
Status: Downloaded newer image for harbor.fgedu.net.cn/library/nginx:latest
harbor.fgedu.net.cn/library/nginx:latest
# List the images
[root@client ~]# docker images | grep harbor
harbor.fgedu.net.cn/library/nginx   latest   1234567890ab   2 weeks ago   142MB
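The daemon.json above lists Harbor under insecure-registries, which tells dockerd to accept that host over plain HTTP and to skip certificate verification, so the client can no longer distinguish the real registry from an impostor on the path. Since Harbor was given a certificate in harbor.yml, the better fix is to make Docker trust that certificate. The added example below is not from the page; trust_registry_cert, daemon_marks_insecure and the ROOT prefix are this example's own, and the certificate and daemon.json it uses are constructed stand-ins. It installs the certificate under Docker's per-registry trust directory and checks whether daemon.json still carries the insecure entry.

```shell
#!/bin/sh
# Added example (not from the page): trust Harbor's certificate instead of marking the
# registry insecure. ROOT is a prefix so the functions can be exercised against a scratch
# directory; use ROOT=/ on a real client.

# Copy the certificate the Harbor host presents (the self-signed harbor.crt from the
# server, or the CA that issued it) to /etc/docker/certs.d/<host>/ca.crt, the directory
# dockerd consults for that registry before falling back to the system trust store.
trust_registry_cert() {
  root="$1"; host="$2"; cert="$3"
  dir="$root/etc/docker/certs.d/$host"
  mkdir -p "$dir" && cp "$cert" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# Return 0 if daemon.json still lists HOST under "insecure-registries", 1 otherwise.
# Tolerates whitespace and multi-line JSON; it is a grep, not a JSON parser.
daemon_marks_insecure() {
  root="$1"; host="$2"
  f="$root/etc/docker/daemon.json"
  [ -f "$f" ] || return 1
  tr -d '\n' < "$f" | grep -Eq "\"insecure-registries\"[[:space:]]*:[[:space:]]*\[[^]]*\"$host\""
}

# Constructed scratch root holding the page's daemon.json and a placeholder certificate.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/docker"
printf '{ "insecure-registries": ["harbor.fgedu.net.cn"] }\n' > "$ROOT/etc/docker/daemon.json"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$ROOT/harbor.crt"

if daemon_marks_insecure "$ROOT" harbor.fgedu.net.cn; then
  echo "daemon.json disables TLS verification for harbor.fgedu.net.cn: remove the entry"
fi
trust_registry_cert "$ROOT" harbor.fgedu.net.cn "$ROOT/harbor.crt"
# With the certificate in place the insecure entry is no longer needed: drop it, then
# restart dockerd and log in over HTTPS as before.
printf '{}\n' > "$ROOT/etc/docker/daemon.json"
daemon_marks_insecure "$ROOT" harbor.fgedu.net.cn || echo "clean: TLS verification stays on"
ls -l "$ROOT/etc/docker/certs.d/harbor.fgedu.net.cn/ca.crt"
```

On a real client, copy /etc/harbor/ssl/harbor.crt from the server (out of band, not through the registry), call `trust_registry_cert / harbor.fgedu.net.cn harbor.crt`, remove the insecure-registries entry and restart docker; docker login then verifies the server certificate against that file.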
Part02-Image Security Scanning
2.1 Configuring Vulnerability Scanning
# Configure the scan policy in the Harbor web UI
# Scan an image with Trivy
[root@client ~]# dnf install -y trivy
[root@client ~]# trivy image harbor.fgedu.net.cn/library/nginx:latest
2026-04-04T23:00:00.000Z INFO Vulnerability scanning is enabled
2026-04-04T23:00:00.000Z INFO Secret scanning is enabled
2026-04-04T23:00:00.000Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2026-04-04T23:00:00.000Z INFO Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2026-04-04T23:00:00.000Z INFO Detected OS family: debian
2026-04-04T23:00:00.000Z INFO Detected OS ID: debian
2026-04-04T23:00:00.000Z INFO Detected OS version: 11.6
nginx:latest (debian 11.6)
==========================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)
┌───────────┬────────────────┬──────────┬───────────────────┬─────────────────────────┐
│ Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version           │
├───────────┼────────────────┼──────────┼───────────────────┼─────────────────────────┤
│ libcurl4  │ CVE-2023-23916 │ MEDIUM   │ 7.81.0-1          │ 7.81.0-1+deb11u5        │
├───────────┼────────────────┼──────────┼───────────────────┼─────────────────────────┤
│ libgmp10  │ CVE-2023-32642 │ HIGH     │ 6.2.1+dfsg-1      │ 6.2.1+dfsg-1+deb11u1    │
├───────────┼────────────────┼──────────┼───────────────────┼─────────────────────────┤
│ libssl1.1 │ CVE-2023-0464  │ MEDIUM   │ 1.1.1n-0+deb11u3  │ 1.1.1n-0+deb11u4        │
├───────────┼────────────────┼──────────┼───────────────────┼─────────────────────────┤
│ openssl   │ CVE-2023-0464  │ MEDIUM   │ 1.1.1n-0+deb11u3  │ 1.1.1n-0+deb11u4        │
├───────────┼────────────────┼──────────┼───────────────────┼─────────────────────────┤
│ zlib1g    │ CVE-2022-37434 │ HIGH     │ 1:1.2.11.dfsg-2   │ 1:1.2.11.dfsg-2+deb11u2 │
└───────────┴────────────────┴──────────┴───────────────────┴─────────────────────────┘
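The scan above reports two HIGH findings. In a pipeline that result should fail the build rather than wait to be read by eye; Trivy supports this natively with `trivy image --severity HIGH,CRITICAL --exit-code 1 IMAGE`. The added example below is not Trivy's code: trivy_count_at_least and trivy_gate are this example's own names, and it applies the same rule to a saved table report, such as one archived by CI, using a constructed copy of the rows above as sample input.

```shell
#!/bin/sh
# Added example (not part of Trivy): gate on a saved Trivy table report.
# Rows are recognised by their CVE id, and the severity is the whitespace-separated
# token that matches one of Trivy's severity names, so the box-drawing characters of the
# table never have to be parsed.

# Print the number of findings whose severity is at or above MIN.
trivy_count_at_least() {
  min="$1"; report="$2"
  awk -v min="$min" '
    BEGIN { rank["UNKNOWN"]=0; rank["LOW"]=1; rank["MEDIUM"]=2; rank["HIGH"]=3; rank["CRITICAL"]=4; n=0 }
    /CVE-[0-9]+-[0-9]+/ {
      for (i = 1; i <= NF; i++)
        if ($i in rank && rank[$i] >= rank[min]) { n++; break }
    }
    END { print n }' "$report"
}

# Exit 1 when any finding is at or above MIN (so a CI stage fails), 0 otherwise.
trivy_gate() {
  min="$1"; report="$2"
  case "$min" in
    UNKNOWN|LOW|MEDIUM|HIGH|CRITICAL) ;;
    *) echo "unknown severity: $min"; return 2 ;;
  esac
  n=$(trivy_count_at_least "$min" "$report")
  echo "findings at or above $min: $n"
  [ "$n" -eq 0 ]
}

# Constructed sample: the rows of the scan above, as Trivy prints them.
REPORT=$(cat <<'EOF'
nginx:latest (debian 11.6)
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)
│ libcurl4  │ CVE-2023-23916 │ MEDIUM   │ 7.81.0-1          │ 7.81.0-1+deb11u5        │
│ libgmp10  │ CVE-2023-32642 │ HIGH     │ 6.2.1+dfsg-1      │ 6.2.1+dfsg-1+deb11u1    │
│ libssl1.1 │ CVE-2023-0464  │ MEDIUM   │ 1.1.1n-0+deb11u3  │ 1.1.1n-0+deb11u4        │
│ openssl   │ CVE-2023-0464  │ MEDIUM   │ 1.1.1n-0+deb11u3  │ 1.1.1n-0+deb11u4        │
│ zlib1g    │ CVE-2022-37434 │ HIGH     │ 1:1.2.11.dfsg-2   │ 1:1.2.11.dfsg-2+deb11u2 │
EOF
)

f=$(mktemp)
printf '%s\n' "$REPORT" > "$f"
trivy_gate HIGH "$f" || echo "build would be blocked at HIGH"
trivy_gate CRITICAL "$f" && echo "nothing at CRITICAL: build may proceed"
rm -f "$f"
```

The Total line and the table header contain no CVE id, so they are ignored; a severity threshold that is not one of Trivy's names is rejected instead of silently matching everything.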
# Configure image signing
[root@client ~]# dnf install -y skopeo
# Generate a GPG key
[root@client ~]# gpg --full-generate-key
# Sign the image
[root@client ~]# skopeo copy --sign-by admin@fgedu.net.cn \
docker://harbor.fgedu.net.cn/library/nginx:latest \
docker://harbor.fgedu.net.cn/library/nginx:signed
# Verify the signature
[root@client ~]# skopeo verify --public-key /root/.gnupg/pubring.gpg \
docker://harbor.fgedu.net.cn/library/nginx:signed
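A signature only protects clients that insist on it, and containers/image tools (skopeo, podman) take that decision from /etc/containers/policy.json, not from a flag on a single command. The registry API also has no slot for the detached GPG signatures that skopeo copy --sign-by produces, so they are kept in a lookaside store named in registries.d. The added example below is not from the page or the skopeo project: write_signing_policy is this example's own name, the key path /etc/pki/harbor-signing.gpg and the lookaside URL https://sigstore.fgedu.net.cn/sigstore are placeholders, and ROOT is a prefix so the files can be written to a scratch directory. Older containers/image releases spell the two registries.d keys sigstore and sigstore-staging.

```shell
#!/bin/sh
# Added example (not from the page or skopeo): make signature verification mandatory on a
# pulling client. ROOT is a prefix for testing against a scratch directory; use ROOT=/ on a
# real client. The key path and lookaside URL are placeholders for this example.

write_signing_policy() {
  root="$1"; host="$2"; keypath="$3"; lookaside="$4"
  mkdir -p "$root/etc/containers/registries.d"
  # Policy: reject everything by default; images from the Harbor host are accepted only
  # with a GPG signature made by the key exported to keypath.
  cat > "$root/etc/containers/policy.json" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$host": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$keypath" }
      ]
    }
  }
}
EOF
  # registries.d: where clients fetch signatures for this host, and where skopeo copy
  # --sign-by writes the signatures it creates (to be published at the lookaside URL).
  cat > "$root/etc/containers/registries.d/$host.yaml" <<EOF
docker:
  $host:
    lookaside: $lookaside
    lookaside-staging: file://$root/var/lib/containers/sigstore
EOF
}

# Return 0 if the policy rejects unsigned images by default, 1 otherwise.
policy_rejects_by_default() {
  tr -d '\n ' < "$1/etc/containers/policy.json" | grep -q '"default":\[{"type":"reject"}\]'
}

# Demo against a constructed scratch root.
ROOT=$(mktemp -d)
write_signing_policy "$ROOT" harbor.fgedu.net.cn /etc/pki/harbor-signing.gpg https://sigstore.fgedu.net.cn/sigstore
policy_rejects_by_default "$ROOT" && echo "unsigned images are rejected by default"
cat "$ROOT/etc/containers/policy.json"
# With ROOT=/ in place, a pull of nginx:signed succeeds only if a signature by the
# configured key is found, and a pull of an unsigned tag fails; the same check can be run
# against a scratch root with skopeo's global options:
#   skopeo --policy "$ROOT/etc/containers/policy.json" --registries.d "$ROOT/etc/containers/registries.d" \
#     copy docker://harbor.fgedu.net.cn/library/nginx:signed dir:/tmp/nginx-check
```

Keep this policy on the verifying clients only; the workstation that runs skopeo copy --sign-by reads the unsigned source tag and needs a policy that still accepts it.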
- Configure HTTPS for encrypted transport
- Enable image scanning
- Configure access control policies
- Regularly clean up unused images
- Back up the registry data
This article was compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reposting, please credit the source: http://www.fgedu.net.cn/10327.html
