Akemi

Deploying and Using skopeo, an Image Management Tool

2024/12/01

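skopeo makes it very convenient to manage images in a registry, for example to move images around in a production environment.

With a proxy configured, it can also be used to bring images from overseas registries to a local one and build your own image mirror.

It can also be used to keep a primary and a standby Harbor in sync, so it is quite useful.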

Download

# Linux, for x86
wget https://github.com/lework/skopeo-binary/releases/download/v1.17.0/skopeo-linux-amd64
sudo mv skopeo-linux-amd64 /usr/bin/skopeo
sudo chmod +x /usr/bin/skopeo

skopeo --version
#skopeo version 1.17.0

Usage

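# Copy an image
skopeo copy docker://xxx docker://xxx
# Copies from one docker registry to another.
# Copying between registries requires being logged in to both of them,
# and --tls-verify=false must be given when copying.

skopeo copy docker://xxx dir:/xxx
# Copies from a docker registry to a local directory.

skopeo copy dir:/xxx docker://xxx
# Copies from a local directory to a docker registry.

# List image tags
skopeo list-tags docker://xxx

# Delete an image tag
skopeo delete docker://xxx:tag

# Inspect an image; returns detailed information
skopeo inspect docker://xxx

# Log in to a registry, similar to docker
skopeo login
skopeo logout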

Other options

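--insecure-policy     skip the policy check
--debug               debug mode, prints more detailed output
--tls-verify=false    do not verify the TLS certificate; needed for docker registries that are logged in to with a username and password
--authfile            specify the authentication file

--src-tls-verify
--dest-tls-verify
Parameters that take over from --tls-verify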

Setting up two Harbor instances for testing

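This is typically for syncing images between Harbor instances in two different environments; if the Harbor instances are on the same network segment, you can set up primary/replica replication directly.

For ease of deployment I put them on the same network segment.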

Environment

VMware WorkStation 17 Pro
CentOS 7.9.2009
4G4C 20G

192.168.8.130 harbor1
192.168.8.131 harbor2
192.168.8.132 test (intermediate test host)

Harbor is installed with the offline installer, version v2.10

Quick Harbor deployment

# Issue a self-signed certificate
mkdir -p /ssl
cd /ssl
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.pem
openssl genrsa -out harbor.key 2048
openssl req -new -key harbor.key -out harbor.csr
openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 365

# Switch package mirrors
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum -y install wget net-tools yum-utils nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel wget vim ncurses-devel autoconf automake zlib-devel python-devel epel-release openssh-server socat ipvsadm conntrack
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

yum clean all && yum makecache

# Security settings: turn off firewalld, iptables and SELinux, then sync time with chrony
yum -y install iptables-services
systemctl disable firewalld --now
systemctl disable iptables --now
iptables -F
sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0
sed -i 's/^server/#server/g' /etc/chrony.conf
sed -i '1s/^/server cn.pool.ntp.org iburst\n/' /etc/chrony.conf
systemctl restart chronyd.service

cat > /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.8.130 harbor1
192.168.8.131 harbor2
192.168.8.132 test
EOF

yum -y install docker-ce
yum -y update
# /etc/docker may not exist before the daemon has started once
mkdir -p /etc/docker
cat >/etc/docker/daemon.json << 'EOF'
{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://docker.m.daocloud.io",
    "https://ghcr.io",
    "https://mirror.baidubce.com",
    "https://docker.nju.edu.cn"
  ],
  "insecure-registries": ["192.168.8.130","192.168.8.131"]
}
EOF
systemctl daemon-reload
systemctl restart docker.service
systemctl enable docker.service --now

# Enable forwarding
modprobe br_netfilter
echo "
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1" > /etc/sysctl.d/docker.conf
sysctl -p /etc/sysctl.d/docker.conf

# Install docker-compose
cd ~
wget https://github.com/docker/compose/releases/download/v2.23.3/docker-compose-linux-x86_64
# install the binary itself as /usr/bin/docker-compose (not into a directory of that name)
mv docker-compose-linux-x86_64 /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose

# Install Harbor
cd ~
tar zxvf harbor-offline-installer-v2.10.0.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
sed -i 's/^hostname.*/hostname: harbor1/' harbor.yml # adjust to the actual hostname
sed -i 's#/your/certificate/path#/ssl/harbor.pem#' harbor.yml
sed -i 's#/your/private/key/path#/ssl/harbor.key#g' harbor.yml
./install.sh

# Installation complete
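
The certificate commands in the deployment script prompt interactively, and `openssl x509 -req` without an extension file issues a certificate with no subjectAltName, which Go-based clients such as skopeo reject even when the CA is trusted. The following added example (not part of the original post) issues the Harbor certificate with SANs and installs the CA where skopeo looks for it, so `--tls-verify=false` is no longer needed; the function names, the CA subject `lab-harbor-ca` and the SAN values are assumptions chosen for this lab.

```bash
#!/usr/bin/env bash
# Added example: non-interactive CA and Harbor server certificate with SANs.
set -eu

# issue_harbor_cert DIR IP DNSNAME
# Writes ca.key, ca.pem, harbor.key and harbor.pem into DIR.
issue_harbor_cert() {
  local dir=$1 ip=$2 name=$3
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048
  openssl req -new -x509 -days 365 -key "$dir/ca.key" \
    -subj "/CN=lab-harbor-ca" -out "$dir/ca.pem"   # CA subject is an assumed name
  openssl genrsa -out "$dir/harbor.key" 2048
  openssl req -new -key "$dir/harbor.key" -subj "/CN=$name" -out "$dir/harbor.csr"
  # The SANs are supplied at signing time through -extfile.
  printf 'subjectAltName=IP:%s,DNS:%s\n' "$ip" "$name" > "$dir/san.ext"
  openssl x509 -req -in "$dir/harbor.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.ext" -days 365 -out "$dir/harbor.pem"
  # Fail unless the new certificate chains to the CA.
  openssl verify -CAfile "$dir/ca.pem" "$dir/harbor.pem" >/dev/null
}

# cert_has_san CERT TEXT: succeeds if TEXT appears in the certificate dump.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -F -q "$2"
}

# trust_ca CA_PEM REGISTRY [ROOT]
# Installs the CA under ROOT/certs.d/REGISTRY/ca.crt (ROOT defaults to /etc/containers).
trust_ca() {
  local ca=$1 registry=$2 root=${3:-/etc/containers}
  mkdir -p "$root/certs.d/$registry"
  cp "$ca" "$root/certs.d/$registry/ca.crt"
}

# On harbor1:       issue_harbor_cert /ssl 192.168.8.130 harbor1
# On the test host: trust_ca ca.pem 192.168.8.130   (ca.pem copied from harbor1)
# Afterwards:       skopeo inspect docker://192.168.8.130/wangsheng/jenkins-jnlp:v1
if [ "$#" -ge 3 ]; then
  issue_harbor_cert "$@"
fi
```

For a one-off command, the same CA directory can be passed with `--cert-dir` (or `--src-cert-dir` / `--dest-cert-dir` on `skopeo copy`) instead of installing it system-wide.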

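Inspecting and moving images with skopeo

Log in to both Harbor instances, once with docker and once with skopeo

Using the IP address is recommended, because with a hostname the push may fail to resolve it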

docker login -u admin -p Harbor12345 192.168.8.130
Login Succeeded
docker login -u admin -p Harbor12345 192.168.8.131
Login Succeeded

skopeo login --tls-verify=false -u admin -p Harbor12345 192.168.8.130
Login Succeeded!
skopeo login --tls-verify=false -u admin -p Harbor12345 192.168.8.131
Login Succeeded!

I'll first upload an image to harbor1, and a fairly large one, otherwise the transfer finishes in a second and that's no fun

docker push 192.168.8.130/wangsheng/jenkins-jnlp:v1
docker push 192.168.8.130/wangsheng/jenkins-jnlp:v2
docker push 192.168.8.130/wangsheng/jenkins-jnlp:v3

# List tags
skopeo list-tags --tls-verify=false docker://192.168.8.130/wangsheng/jenkins-jnlp
{
"Repository": "192.168.8.130/wangsheng/jenkins-jnlp",
"Tags": [
"v1",
"v2",
"v3"
]
}

# Inspect image information
skopeo inspect --tls-verify=false docker://192.168.8.130/wangsheng/jenkins-jnlp:v1

Configure skopeo to trust all images

mkdir -p /etc/containers
cat > /etc/containers/policy.json<<EOF
{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports":
  {
    "docker-daemon":
    {
      "": [{"type":"insecureAcceptAnything"}]
    }
  }
}
EOF
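
A narrower alternative to the trust-everything policy above, as an added example that is not from the original post: it rejects images by default and accepts only the listed Harbor registries plus local `dir:` sources. The function name `write_scoped_policy` and the output path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: generate a policy.json that is scoped to known registries.
set -eu

# write_scoped_policy OUT HOST...
# OUT is the policy file to write; each HOST becomes an accepted docker:// scope.
write_scoped_policy() {
  local out=$1 scopes="" host
  shift
  for host in "$@"; do
    # one scope entry per registry, comma-separated
    scopes="${scopes}${scopes:+,}
      \"$host\": [{\"type\": \"insecureAcceptAnything\"}]"
  done
  cat > "$out" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {$scopes
    },
    "dir": {
      "": [{"type": "insecureAcceptAnything"}]
    }
  }
}
EOF
}

# Example (assumed path):
#   write_scoped_policy /tmp/policy.json 192.168.8.130 192.168.8.131
#   skopeo --policy /tmp/policy.json copy docker://192.168.8.130/... docker://192.168.8.131/...
# A source outside the listed scopes falls through to "default" and is rejected.
if [ "$#" -ge 2 ]; then
  write_scoped_policy "$@"
fi
```

The listed registries are still accepted without signature checks; the `signedBy` and `sigstoreSigned` requirement types go further when the images are signed.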

Copying an image: to a local directory

Copying to a local directory requires an empty directory

mkdir /root/image
skopeo copy --src-tls-verify=false --dest-tls-verify=false \
docker://192.168.8.130/wangsheng/jenkins-jnlp:v1 \
dir://root/image

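# This produces a directory that shows the image's layer structure.
# That completes this step; now copy it from the local directory to harbor2.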
skopeo copy --src-tls-verify=false --dest-tls-verify=false \
dir://root/image docker://192.168.8.131/library/jenkins-jnlp:v1

Copying an image: to a remote registry

skopeo copy --src-tls-verify=false --dest-tls-verify=false \
docker://192.168.8.130/wangsheng/jenkins-jnlp:v2 \
docker://192.168.8.131/library/jenkins-jnlp:v2

Check the images on harbor2

skopeo inspect --tls-verify=false \
docker://192.168.8.131/library/jenkins-jnlp:v1 \
| grep -i -A 5 tag

# "RepoTags": [
# "v1",
# "v2"
# ],
# You can see that both versions copied just now have arrived