Introduction to Quay
Red Hat Quay
A distributed, highly available container image registry for the enterprise
Red Hat® Quay is a container image registry with built-in storage that lets you build, distribute and deploy containers. Its automation, authentication and authorization systems raise the security of your image repositories. Quay can run alongside OpenShift or stand-alone.
The open source project: Project Quay
https://github.com/quay/quay
https://github.com/quay/quay-docs
Quay architecture
https://docs.projectquay.io/deploy_quay.html
Quay is made up of the following core components:
Database: stores Quay's metadata (image blobs are not stored here).
Redis (key/value store): stores live build logs and the Quay tutorial.
Quay (container registry): the quay container runs as a service; the pod contains several components.
Clair: scans container images for vulnerabilities and suggests fixes.
For deployment, one of the following kinds of storage must be configured:
Public cloud storage: in a public cloud, use the provider's object storage, for example Amazon S3 (AWS) or Google Cloud Storage (Google Cloud).
Private cloud storage: in a private cloud, use an S3- or Swift-compatible object store such as Ceph RADOS or OpenStack Swift.
The single-host walkthrough below uses neither: it keeps blobs in a local directory on the host, which is fine for a test system but has no redundancy.
Preparing to deploy Quay
Red Hat Enterprise Linux (RHEL): RHEL 7
Valid Red Hat subscription: a RHEL subscription
CPUs: 2 or more vCPUs
RAM: 4 GB or more
Disk space:
A test system needs more than 30 GB of disk:
10 GB for the operating system (Red Hat Enterprise Linux Server).
10 GB for Docker storage (running 3 containers).
10 GB for Quay local storage (Ceph or other local storage may require more).
The master branch on GitHub can be in an unstable or even broken state, so take a stable version from the releases rather than from master.
This walkthrough uses the padme release. Download the source tarball.
Building the Quay container image
The unpacked source tree:
[root@quay quay-padme]# ls
active_migration.py boot.py conf displayversion.py docs health local-config-app.sh package.json README.md secscan.py tox.ini workers
alembic.ini buildman config_app Dockerfile emails image local-docker.sh path_converters.py registry.py static tsconfig.json yarn.lock
application.py build.sh config.py Dockerfile.centos7.osbs endpoints initdb.py local-run.sh Procfile release.py storage tslint.json
app.py buildstatus data Dockerfile.cirun events _init.py loghandler.py project_quay_logo.png requirements-dev.txt templates util
auth buildtrigger deploy Dockerfile.dev external_libraries.py integration_tests Makefile pyproject.toml requirements-nover.txt test verbs.py
avatars CHANGELOG.md dev.df Dockerfile.osbs features karma.conf.js notifications quay-base.dockerfile requirements.txt TESTING.md webpack.config.js
bill-of-materials.json cirun.config.yaml digest Dockerfile.rhel7 GOVERNANCE.md LICENSE oauth quay-entrypoint.sh scripts tools web.py
Build the image from the Dockerfile:
[root@quay quay-padme]# docker build -t quay:padme -f Dockerfile .
Error (Google is not reachable from mainland China):
2020-06-03 09:11:58,644 [994] [ERROR] [__main__] Got exception when trying to download URL https://ajax.googleapis.com/ajax/libs/angularjs/1.5.3/angular.min.js (try #1)
Traceback (most recent call last):
Workaround:
Build the image on a machine that can reach Google (I have Docker Desktop installed on mine).
Using a prebuilt image
Pull the images you need from the official Quay repository on quay.io:
- latest: the newest build; the security scan reports 3 vulnerabilities
- qui-gon: passes the security scan with no vulnerabilities
- padme: the latest stable release published on GitHub
[root@quay quay-padme]# docker pull quay.io/projectquay/quay:latest
[root@quay quay-padme]# docker pull quay.io/projectquay/quay:qui-gon
[root@quay quay-padme]# docker pull quay.io/projectquay/quay:padme
[root@quay quay-padme]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/projectquay/quay latest 1c600bb6715d 14 hours ago 1.89GB
quay.io/projectquay/quay qui-gon f8b3832224e9 16 hours ago 1.91GB
quay.io/projectquay/quay padme 75833230d18f 3 weeks ago 2GB
Deploying Quay
Configure PostgreSQL
[root@quay ~]# mkdir /opt/postgres
[root@quay ~]# ll /opt/postgres/
total 0
[root@quay ~]# ll /opt/
total 0
drwx--x--x 4 root root 28 Jun 3 01:41 containerd
drwxr-xr-x 2 root root 6 Jun 9 17:42 postgres
[root@quay ~]# setfacl -m u:26:-wx /opt/postgres/
[root@quay ~]# ll /opt/
total 0
drwx--x--x 4 root root 28 Jun 3 01:41 containerd
drwxrwxr-x+ 2 root root 6 Jun 9 17:42 postgres
Pull the postgres:10.12 image and start it with user "user", password "pass", database "quay", port 5432, and the data directory mapped to /opt/postgres. Two points for anything beyond a lab: these credentials are throwaway values that end up verbatim in Quay's DB_URI, so generate a real password; and publishing 5432 on 0.0.0.0 is unnecessary, because Quay reaches the database over the container's bridge address (queried below), so bind the port to 127.0.0.1 or omit -p. The ACL for UID 26 above follows the Quay docs, which use Red Hat's PostgreSQL image; the Docker Hub postgres image runs as UID 999 and its entrypoint chowns the data directory itself when started as root, so the ACL is harmless but is not what makes the mount writable.
[root@quay ~]# docker run -d --rm --name postgresql \
> -e POSTGRES_USER=user \
> -e POSTGRES_PASSWORD=pass \
> -e POSTGRES_DB=quay \
> -p 5432:5432 \
> -v /opt/postgres:/var/lib/postgresql/data:Z \
> postgres:10.12
[root@quay ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dfb7b67a9832 postgres:10.12 "docker-entrypoint.s…" 24 seconds ago Up 23 seconds 0.0.0.0:5432->5432/tcp postgresql
Install the pg_trgm extension, which Quay requires:
[root@quay ~]# docker exec -it postgresql /bin/bash -c 'echo "CREATE EXTENSION IF NOT EXISTS pg_trgm" | psql -d quay -U user'
CREATE EXTENSION
Look up the container's IP address; it is needed later. Docker assigns this address at start and it can change when the container is recreated, which would break the DB_URI in the Quay config; a user-defined Docker network, on which containers resolve each other by name, avoids pinning an address.
[root@quay ~]# docker inspect -f "{{.NetworkSettings.IPAddress}}" postgresql
172.17.0.2
Configure Redis
Start Redis with a password. As with PostgreSQL, the password is a placeholder and publishing 6379 on all interfaces is not needed, since Quay talks to Redis over its bridge address; note also that a password given via --requirepass on the command line is visible in docker inspect and in the process list.
[root@quay ~]# docker run -d --rm --name redis -p 6379:6379 redis:5.0.7 --requirepass strongpassword
[root@quay ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e4a17eed32ae redis:5.0.7 "docker-entrypoint.s…" 11 seconds ago Up 9 seconds 0.0.0.0:6379->6379/tcp redis
dfb7b67a9832 postgres:10.12 "docker-entrypoint.s…" 5 minutes ago Up 5 minutes 0.0.0.0:5432->5432/tcp postgresql
[root@quay ~]# docker inspect -f "{{.NetworkSettings.IPAddress}}" redis
172.17.0.3
Generating the Quay configuration with the config tool
The config tool ships inside the Quay image. Through a web wizard it generates the Quay configuration file and sets up the Postgres database. The resulting configuration is a tarball containing a YAML file, which is saved locally and read by Quay at startup.
Run the Quay image in config mode with the password "secret" (the padme tag is used here; latest would also work). The config tool serves a self-signed certificate on 8443 and should only be reachable while setup is in progress:
[root@quay ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/projectquay/quay latest 1c600bb6715d 6 days ago 1.89GB
quay.io/projectquay/quay qui-gon f8b3832224e9 6 days ago 1.91GB
quay.io/projectquay/quay padme 75833230d18f 4 weeks ago 2GB
postgres 10.12 b500168be260 6 weeks ago 200MB
redis 5.0.7 7eed8df88d3b 3 months ago 98.2MB
[root@quay ~]# docker run --rm -it --name quay_config -p 8443:8443 quay.io/projectquay/quay:padme config secret
__ __
/ \ / \ ______ _ _ __ __ __
/ /\ / /\ \ / __ \ | | | | / \ \ \ / /
/ / / / \ \ | | | | | | | | / /\ \ \ /
\ \ \ \ / / | |__| | | |__| | / ____ \ | |
\ \/ \ \/ / \_ ___/ \____/ /_/ \_\ |_|
\__/ \__/ \ \__
\___\ by Red Hat
Build, Store, and Distribute your Containers
Entering config mode, only copying config-app entrypoints
Creating self-signed certs for quay-config app
Generating a 4096 bit RSA private key
Open https://10.0.31.202:8443/
Username/password: quayconfig/secret
Click "Start New Registry Setup".
Click "Validate Database Settings" to initialize the database.
Click "Create Super User" to create the admin account.
On the page that follows, fill in Server Configuration and the Redis settings.
Click the "Save Configuration Changes" button floating at the bottom of the page to save the configuration.
Download the tarball containing Quay's config.yaml.
Unlike the official docs, we download it to a PC and then upload it to the server:
[root@quay config]# pwd
/opt/quay/config
[root@quay config]# ll
total 4
-rw-r--r-- 1 root root 1170 Jun 9 10:41 quay-config.tar.gz
[root@quay config]# tar xvf quay-config.tar.gz
config.yaml
[root@quay config]# ll
total 8
-rw-r--r-- 1 1001 root 2053 Jun 9 18:39 config.yaml
-rw-r--r-- 1 root root 1170 Jun 9 10:41 quay-config.tar.gz
- Create the directory that will hold the images (Quay runs as UID 1001 inside the container, which is why config.yaml above is owned by 1001 and why the ACL grants that UID):
[root@quay config]# mkdir -p /opt/quay/storage
[root@quay config]# setfacl -m u:1001:-wx /opt/quay/storage/
[root@quay config]# ll /opt/quay/
total 0
drwxr-xr-x 2 root root 51 Jun 9 18:45 config
drwxrwxr-x+ 2 root root 6 Jun 9 18:47 storage
- Stop the config tool; it is no longer needed. Press CTRL-C.
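The config.yaml that comes out of the wizard reflects the choices made in the steps above, and it is worth checking before Quay is started with it. The following shell script is an added example, not part of the original post or of the Quay project: it reads a handful of top-level keys that the config tool writes (DB_URI, PREFERRED_URL_SCHEME, FEATURE_USER_CREATION, FEATURE_ANONYMOUS_ACCESS, FEATURE_SECURITY_SCANNER) and prints one line per weak setting. The two sample files it writes under TMPDIR are constructed: the first mirrors the values this walkthrough produces, the second shows hardened equivalents; the container names postgresql and clair and the password value in it are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original post or from Quay: audit the config.yaml
# the config tool generates for settings a security reviewer would flag.
set -eu

# Value of a top-level scalar key ("KEY: value"), surrounding quotes stripped,
# empty string if the key is absent.
cfg_get() {  # $1=file  $2=key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'"
}

# Prints one finding per line (nothing for a clean file); always returns 0 so
# it composes under set -e. Count the lines to get a score.
audit_quay_config() {  # $1=config.yaml
    f="$1"
    if [ "$(cfg_get "$f" PREFERRED_URL_SCHEME)" = http ]; then
        echo "PREFERRED_URL_SCHEME: http -> docker login sends credentials in clear text and every client needs an insecure-registries entry"
    fi
    if [ "$(cfg_get "$f" FEATURE_USER_CREATION)" = true ]; then
        echo "FEATURE_USER_CREATION: true -> anyone who can reach the registry can self-register"
    fi
    if [ "$(cfg_get "$f" FEATURE_ANONYMOUS_ACCESS)" = true ]; then
        echo "FEATURE_ANONYMOUS_ACCESS: true -> public repositories can be pulled without logging in"
    fi
    case "$(cfg_get "$f" DB_URI)" in
        *://user:pass@*) echo "DB_URI -> still uses the placeholder credentials user/pass from the walkthrough" ;;
    esac
    if [ "$(cfg_get "$f" FEATURE_SECURITY_SCANNER)" != true ]; then
        echo "FEATURE_SECURITY_SCANNER not enabled -> pushed images are never scanned by Clair"
    fi
    return 0
}

# Number of findings for a file, as a plain integer.
audit_count() {  # $1=config.yaml
    n=$(audit_quay_config "$1" | wc -l)
    echo $(( $n + 0 ))
}

# Constructed samples with placeholder values (no real secrets).
TMP="${TMPDIR:-/tmp}"
WEAK_CFG="$TMP/quay-config-weak.yaml"
HARD_CFG="$TMP/quay-config-hardened.yaml"

# What the wizard in this walkthrough writes, shortened to the audited keys.
cat > "$WEAK_CFG" <<'EOF'
DB_URI: postgresql://user:pass@172.17.0.2:5432/quay
PREFERRED_URL_SCHEME: http
SERVER_HOSTNAME: 10.0.31.202:8080
FEATURE_USER_CREATION: true
FEATURE_ANONYMOUS_ACCESS: true
SUPER_USERS:
- admin
SETUP_COMPLETE: true
EOF

# Hardened equivalent; "postgresql" and "clair" are assumed container names on
# a user-defined Docker network, and GENERATED_PASSWORD is a placeholder.
cat > "$HARD_CFG" <<'EOF'
DB_URI: postgresql://quay:GENERATED_PASSWORD@postgresql:5432/quay
PREFERRED_URL_SCHEME: https
SERVER_HOSTNAME: quay.example.internal
FEATURE_USER_CREATION: false
FEATURE_ANONYMOUS_ACCESS: false
FEATURE_SECURITY_SCANNER: true
SECURITY_SCANNER_ENDPOINT: http://clair:6060
SUPER_USERS:
- admin
SETUP_COMPLETE: true
EOF

# Usage: sh audit-quay-config.sh /opt/quay/config/config.yaml
if [ $# -gt 0 ]; then
    audit_quay_config "$1"
    echo "$(audit_count "$1") finding(s)"
fi
```

Run it against /opt/quay/config/config.yaml after unpacking the tarball; the sample that mirrors this walkthrough produces five findings, the hardened one none. The checks are deliberately plain grep-style matches on top-level keys, which is all the wizard's flat output needs; nested keys such as the Redis blocks would need a YAML parser.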
Running Quay
The command below follows the project docs, including --privileged=true. Quay does not need that flag: a privileged container runs with every capability, without seccomp or AppArmor confinement and with access to host devices, so a compromise of the registry process becomes a compromise of the host. Drop the flag and Quay still comes up; it only needs the two volume mounts and port 8080.
[root@quay ~]# docker run --rm -p 8080:8080 \
> --name=quay \
> --privileged=true \
> -v /opt/quay/config:/conf/stack:Z \
> -v /opt/quay/storage:/datastorage:Z \
> -d quay.io/projectquay/quay:padme
42aff6c77cb6c8c24313d37909d4394f4c8d7319d0e8df19d785acc187896b68
[root@quay ~]#
[root@quay ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
42aff6c77cb6 quay.io/projectquay/quay:padme "/quay-registry/quay…" 4 seconds ago Up 3 seconds 7443/tcp, 8443/tcp, 9091/tcp, 0.0.0.0:8080->8080/tcp quay
e4a17eed32ae redis:5.0.7 "docker-entrypoint.s…" 55 minutes ago Up 55 minutes 0.0.0.0:6379->6379/tcp redis
dfb7b67a9832 postgres:10.12 "docker-entrypoint.s…" About an hour ago Up About an hour 0.0.0.0:5432->5432/tcp postgresql
[root@quay ~]#
Check the logs:
[root@quay ~]# docker logs -f quay
Check the database (this session only confirms that psql can connect; \dt would list the tables Quay created):
[root@quay quay-padme]# docker exec -it postgresql /bin/bash
root@dfb7b67a9832:/# psql -d quay -U user
psql (10.12 (Debian 10.12-2.pgdg90+1))
Type "help" for help.
quay-#
quay-# \q
root@dfb7b67a9832:/# exit
exit
[root@quay quay-padme]#
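Putting the three docker run commands of this section together, the following script is an added example, not from the original post or from the Quay project. It starts the same postgres:10.12, redis:5.0.7 and quay:padme containers, but with the changes a security review of the commands above would ask for: generated passwords instead of user/pass and strongpassword, the PostgreSQL password passed through the environment rather than on the command line, Redis reading its password from a root-only config file, database and Redis ports bound to loopback, a user-defined Docker network so that Quay can address postgresql and redis by name instead of by 172.17.0.x address, and no --privileged. The network name quay-net, the script name quay-stack.sh, the subcommand names and the redis UID 999 of the official image are assumptions; the directories are the ones created earlier in this post. The *_cmd functions only print the command lines, so the script can be read or checked before anything is started.

```shell
#!/bin/sh
# Added example (not from the original post or from Quay): the three containers
# of this walkthrough with the hardening a reviewer would ask for. Assumes the
# docker CLI, /opt/postgres and /opt/quay/{config,storage} prepared as in the
# post, and the image tags pulled above.
set -eu

QUAY_NET="${QUAY_NET:-quay-net}"                   # assumed network name
QUAY_IMAGE="${QUAY_IMAGE:-quay.io/projectquay/quay:padme}"
PG_IMAGE="${PG_IMAGE:-postgres:10.12}"
REDIS_IMAGE="${REDIS_IMAGE:-redis:5.0.7}"
PG_DIR="${PG_DIR:-/opt/postgres}"
QUAY_DIR="${QUAY_DIR:-/opt/quay}"

# 48 hex chars from the kernel CSPRNG, replacing user/pass and "strongpassword".
gen_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# The *_cmd functions print a docker command line and run nothing.

# PostgreSQL: "-e POSTGRES_PASSWORD" without a value copies the variable from
# the caller's environment, so the secret is not in shell history or ps; 5432
# bound to loopback, since Quay reaches the DB over $QUAY_NET by container
# name; no --rm, so a crashed container is still there for docker logs.
postgres_cmd() {
    printf '%s' "docker run -d --name postgresql --restart=unless-stopped \
 --network $QUAY_NET \
 -e POSTGRES_USER=quay -e POSTGRES_PASSWORD -e POSTGRES_DB=quay \
 -p 127.0.0.1:5432:5432 \
 -v $PG_DIR:/var/lib/postgresql/data:Z \
 $PG_IMAGE"
}

# Redis: requirepass comes from a mounted config file instead of the command
# line, which docker inspect and the process list would otherwise expose.
redis_cmd() {
    printf '%s' "docker run -d --name redis --restart=unless-stopped \
 --network $QUAY_NET \
 -p 127.0.0.1:6379:6379 \
 -v $QUAY_DIR/redis:/usr/local/etc/redis:Z \
 $REDIS_IMAGE redis-server /usr/local/etc/redis/redis.conf"
}

# Quay: same mounts as the post, no --privileged. net.core.somaxconn is a
# per-network-namespace sysctl, so --sysctl sets it in an unprivileged container.
quay_cmd() {
    printf '%s' "docker run -d --name quay --restart=unless-stopped \
 --network $QUAY_NET \
 --sysctl net.core.somaxconn=4096 \
 -p 8080:8080 \
 -v $QUAY_DIR/config:/conf/stack:Z \
 -v $QUAY_DIR/storage:/datastorage:Z \
 $QUAY_IMAGE"
}

# DB_URI to enter in the config tool: host is the container name, not an IP.
db_uri() {  # $1=password
    printf 'postgresql://quay:%s@postgresql:5432/quay' "$1"
}

# Step 1 of the procedure: database and Redis, before the config tool runs.
start_backends() {
    docker network inspect "$QUAY_NET" >/dev/null 2>&1 || docker network create "$QUAY_NET"
    POSTGRES_PASSWORD="$(gen_secret)"; export POSTGRES_PASSWORD
    REDIS_PASSWORD="$(gen_secret)"
    # Config readable only by root and by UID 999 (the redis user of the
    # official image, assumed); the entrypoint drops to that UID.
    mkdir -p "$QUAY_DIR/redis"
    (umask 077; printf 'requirepass %s\n' "$REDIS_PASSWORD" > "$QUAY_DIR/redis/redis.conf")
    chown 999:999 "$QUAY_DIR/redis/redis.conf"
    eval "$(postgres_cmd)"
    eval "$(redis_cmd)"
    # pg_trgm, as in the post, once the server accepts connections.
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        docker exec postgresql pg_isready -U quay -d quay >/dev/null 2>&1 && break
        sleep 2
    done
    docker exec postgresql psql -U quay -d quay -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm'
    echo "DB_URI for the config tool:   $(db_uri "$POSTGRES_PASSWORD")"
    echo "Redis host/port/password:     redis 6379 $REDIS_PASSWORD"
}

# Usage: quay-stack.sh print | backends | quay   (print is the default)
case "${1:-print}" in
    backends) start_backends ;;
    quay)     eval "$(quay_cmd)" ;;
    *)        postgres_cmd; echo; redis_cmd; echo; quay_cmd; echo ;;
esac
```

Run "quay-stack.sh backends" first, then start the config tool with --network quay-net added to its docker run line so that "Validate Database Settings" can resolve the postgresql name, enter the printed DB_URI and Redis values in the wizard, unpack the tarball into /opt/quay/config as above, and finish with "quay-stack.sh quay". Because the ports of the backends are no longer published on the LAN and Quay runs unprivileged, the only service reachable from other hosts is the registry on 8080.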
Testing
Open http://10.0.31.202:8080/
Log in with the admin / password account created above.
docker login
Quay is served over plain HTTP here, so the Docker client must list it under insecure-registries; docker login then sends the username and password to 10.0.31.202:8080 in clear text, which is acceptable only on an isolated test network. For anything else give Quay a TLS certificate (upload the certificate and key under Server Configuration in the config tool and set the preferred URL scheme to https) and remove the insecure-registries entry. The warning printed below is also worth acting on: ~/.docker/config.json stores the password base64-encoded, not encrypted, so configure a credential helper or log in with a Quay robot account token rather than the superuser password.
test@singlek8s:~$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://xjwwbj57.mirror.aliyuncs.com"],
"insecure-registries": ["10.0.31.201","10.0.31.202:8080"],
"debug": true,
"experimental": false
}
test@singlek8s:~$ sudo systemctl reload docker
test@singlek8s:~$ sudo docker login 10.0.31.202:8080
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /home/test/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
test@singlek8s:~$