
A Systematic Look at Container Images

Zhihui Cloud (智汇云) · 360 Zhihui Cloud Developers (360智汇云开发者)
January 10, 2025, 02:03

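I. Introduction

1. The nature of a Docker image

An image is essentially a union file system (UnionFS). The drivers currently in use are overlay2 (Docker) and overlayfs (containerd).

2. Docker image rootfs and layer design

The base layer of an image is the rootfs. Every program has runtime dependencies, whether language-level libraries, system libs or the operating system itself, and on different systems these may differ or be missing. To make containers run consistently, Docker packages the operating system and the library dependencies together (this is the image) and, when the container starts, uses that package as the container's root directory (the root file system, rootfs). Every dependency the container process resolves is found inside this root directory, which is what makes the environment consistent.
Layer: in a Dockerfile the base is the rootfs, and every instruction after it, such as RUN or ADD, produces one layer. So, to keep the image smaller, several RUN commands can be combined into a single line, turning several layers into one.
Only the topmost layer of an image is read-write; all the others are read-only (this is where the directory whiteout attribute comes in). In a union file system, when a deleted file lives in a read-only layer, the top layer shows the file as deleted while the file still exists in the read-only layer; this is implemented by creating a hidden whiteout file for it in the top layer. Running rm mnt/haha.log has the same effect as touch a/.wh.haha.log.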
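The whiteout behaviour above matters when reviewing an image: a file removed in a later layer is only hidden, and its bytes remain in the earlier layer. The following added example (not from the original article) applies constructed layer tarballs in order using the `.wh.` naming that layer archives use, and reports files that are absent from the final view but still readable from a lower layer. It goes one step beyond the article by also handling the opaque-directory marker `.wh..wh..opq`; all file names and contents are constructed.

```python
import io
import tarfile

WHITEOUT_PREFIX = ".wh."          # marks one deleted path
OPAQUE_MARKER = ".wh..wh..opq"    # hides everything below its directory


def make_layer(files):
    """Build an in-memory layer tarball from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_from_layer(layer, path):
    """Read one file straight out of a single layer, ignoring upper layers."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        return tar.extractfile(path).read()


def apply_layers(layers):
    """Apply layers bottom-to-top.

    Returns (merged, hidden): merged maps path -> index of the layer that
    supplies it in the final view; hidden lists (path, content_layer,
    whiteout_layer) for files that are invisible but still stored.
    """
    merged, hidden = {}, []
    for idx, layer in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            names = [m.name for m in tar.getmembers() if m.isfile()]
        # Whiteouts in this layer only affect content from the layers below it.
        for name in names:
            parent, _, base = name.rpartition("/")
            prefix = parent + "/" if parent else ""
            if base == OPAQUE_MARKER:
                doomed = [p for p in merged if p.startswith(prefix)]
            elif base.startswith(WHITEOUT_PREFIX):
                victim = prefix + base[len(WHITEOUT_PREFIX):]
                doomed = [p for p in merged
                          if p == victim or p.startswith(victim + "/")]
            else:
                continue
            for path in doomed:
                hidden.append((path, merged.pop(path), idx))
        # Then add this layer's real files on top.
        for name in names:
            if not name.rpartition("/")[2].startswith(WHITEOUT_PREFIX):
                merged[name] = idx
    return merged, hidden


# Constructed sample: layer 0 ships a log with a credential, layer 1 "deletes" it.
LAYERS = [
    make_layer({"mnt/haha.log": b"db_password=constructed-example\n",
                "etc/app.conf": b"mode=prod\n"}),
    make_layer({"mnt/.wh.haha.log": b"",
                "usr/bin/app": b"constructed binary"}),
]

if __name__ == "__main__":
    merged, hidden = apply_layers(LAYERS)
    print("final view:", sorted(merged))
    for path, src, wh in hidden:
        print(f"{path}: hidden by layer {wh}, still in layer {src}:",
              read_from_layer(LAYERS[src], path))
```

Anything that must not ship, such as credentials or keys, has to be kept out of every layer; removing it in a later Dockerfile step leaves it in the pushed image.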

3. How a container mounts its image

Docker supports several graph drivers, including vfs, devicemapper, overlay, overlay2 and aufs; the storage driver currently used for Docker images is overlay2.
Docker's default storage directory is /var/lib/docker:

    [root@p22295v zhangzhifei]# ls -lrt /var/lib/docker/
    total 156
    drwx--x--x   3 root root  4096 Dec  6  2018 containerd
    drwx------   4 root root  4096 Dec  6  2018 plugins
    drwx------   3 root root  4096 Dec  6  2018 image
    drwx------   2 root root  4096 Dec  6  2018 trust
    drwxr-x---   3 root root  4096 Dec  6  2018 network
    drwx------   2 root root  4096 Dec  6  2018 swarm
    drwx------   2 root root  4096 Dec  6  2018 builder
    drwx------  89 root root 12288 Jul 17 11:07 volumes
    drwx------   2 root root  4096 Jul 17 14:30 runtimes
    drwx------   2 root root  4096 Jul 23 12:51 tmp
    drwx------ 758 root root 94208 Jul 29 19:12 overlay2
    drwx------  80 root root 12288 Jul 29 19:12 containers

Let's run a container to demonstrate:

    [root@p22295v zhangzhifei]# docker run -it -d  kraken-agent:dev
    83555ad8c034682ad885fc9e320bfb1f8b75498b61a1a8684d738c411caa930b

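Starting a container creates a container view layer under /var/lib/docker/overlay2. Its directory contains diff, link, lower, merged and work.

diff holds the data that belongs to each layer itself, and link records the layer's link directory (in fact a link under the l directory that points to the layer). For example, a directory created inside the container is added under diff.

By the data they store and the role they play, these layers fall into three parts:

1. Read-only layers

2. The init layer (sandwiched between the read-only layers and the read-write layer, it exists specifically to hold files such as /etc/hosts and /etc/resolv.conf. The layer is needed because these files originally belong to the read-only system image layers, yet users often need to write specific values into them when starting a container, such as the hostname, so they have to be modified in a writable layer. Those modifications usually apply only to the current container, and we do not want docker commit to commit them together with the read-write layer. Docker's approach is therefore to mount these files as a separate layer once they have been modified. Since docker commit only commits the read-write layer, these contents are not included.)

3. The read-write layer (before any file is written, this directory is empty. Once a write is made inside the container, the resulting changes appear in this layer as increments.)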

View the container's mount directories:

    [root@p22295v zhangzhifei]# cat /var/lib/docker/image/overlay2/layerdb/mounts/83555ad8c034682ad885fc9e320bfb1f8b75498b61a1a8684d738c411caa930b/mount-id
    3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40[root@p22295v zhangzhifei]#

Read-write layer:

    [root@p22295v zhangzhifei]# ls /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/diff/
    [root@p22295v zhangzhifei]#

Read-only layer:

    [root@p22295v zhangzhifei]# ls /var/lib/docker/overlay2/65e5cdd72f2995da4c73f2d9b90e8d974b9d2f18829a2479296aaec24e67d185/diff/
    bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Read-only layer (the binary added with ADD in the Dockerfile):

    [root@p22295v zhangzhifei]# ls -lrt /var/lib/docker/overlay2/852fa5138c3da5070b59e6402348a5a281378b28ee08fede9c635e4101f91092/diff/usr/bin/
    total 28836
    -rwxr-xr-x 1 root root 29526888 Jul 10 16:23 kraken-origin

init layer:

    [root@p22295v zhangzhifei]# ls /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40-init/diff/
    dev  etc

Finally, all of these layers are union-mounted at /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/merged, where they appear as a complete operating system and runtime environment for the container to use.

    [root@p22295v zhangzhifei]# mount | grep 3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40
    overlay on /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/Z7QMVXSKSNAKCUEJ6ZMU5YTFWG:/var/lib/docker/overlay2/l/2OYCXTK7M4QN3DT7IYJK6J7VYT:/var/lib/docker/overlay2/l/UZTDJDVUOBHU2VERRLXF5KMIQO:/var/lib/docker/overlay2/l/NAXXPRFMO4ATUIG6SFPU4LBUUV:/var/lib/docker/overlay2/l/AM4PHUFWOD4UHYIVO5Q6GVZ5L7:/var/lib/docker/overlay2/l/7XLJNT7Q3UQIKHDNV4QG4EX2C3:/var/lib/docker/overlay2/l/3RAVSDXXRS3BASAKZFPT2ESY2K:/var/lib/docker/overlay2/l/FFNAQF5ADFSTEBNZZ4O2R3CP4N:/var/lib/docker/overlay2/l/X6BOWOZKYRN3DZFY6QLLP7OFDP:/var/lib/docker/overlay2/l/P3EO3WHIM2XPDNPIFUP42EGMQI:/var/lib/docker/overlay2/l/EOSBLWDBASO7GKSDILC4XVGO45:/var/lib/docker/overlay2/l/7K7266OIDWAVXLAN6AA3SZXZQZ,upperdir=/var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/diff,workdir=/var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/work)
    [root@p22295v zhangzhifei]# ls  /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/merged
    bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
    [root@p22295v zhangzhifei]#

II. How images are stored in a registry, and how that structure is used

1. Directory structure of image storage

Taking local storage as an example, under /data/registry/docker/registry/v2:

    ├── blobs
    │   └── sha256
    │       │   └── dfa94d685d1c2179324f02bf2a119f6d8ee0d380cef5506566012f7c4936a04a
    │       │       └── data
    │       ├── e6
    │       │   └── e6ae4ac760c8457aca9be07de8ca66b3a358a19b950389a0d158ae885178f6cf
    │       │       └── data
    │       ├── e7
    │       │   └── e71de1ca8f2b18993c258e2bf50edea8c23ea4a78a821bcfef181de50b3c32f4
    │       │       └── data
    │       ├── e8
    │       ├── eb
    │       │   └── ebbcacd28e101968415b0c812b2d2dc60f969e36b0b08c073bf796e12b1bb449
    │       │       └── data
    │       ├── ee
    │       │   └── ee3d4cdf51349229906ff11db003cf23390eb2642ae2a6fbd75af933bb33318e
    │       │       └── data
    │       ├── f2
    │       │   └── f296fda86f10cfcb81d60d5bcb47a7784a8ec4876d6eac7fabd51f2a7e8694aa
    │       │       └── data
    │       ├── fc
    │       │   └── fc2476ccae2a5186313f2d1dadb4a969d6d2d4c6b23fa98b6c7b0a1faad67685
    │       │       └── data
    │       └── ff
    │           ├── ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec
    │           │   └── data
    │           └── ffe92548d2836f6ed88665bc7d5655a78a041ff8bb006c772af6bf2326ddb0a6
    │               └── data
    └── repositories
        ├── registry-share-private
        │   ├── push-mount
        │   │   ├── _layers
        │   │   │   └── sha256
        │   │   │       ├── 1b1ad4542c99b8881265610cf5dc09e37d38445529a7584edb2a607fd783216f
        │   │   │       │   └── link
        │   │   │       ├── 286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
        │   │   │       │   └── link
        │   │   │       ├── 298de445ff18300c143569dcd324fbf0512de036fc25d52454834bb2386947e6
        │   │   │       │   └── link
        │   │   │       ├── 37e8bc3ffc7a76234d479e1a4ad8692773f04c667c48262598780575e20a169d
        │   │   │       │   └── link
        │   │   │       ├── 4af096619739efe5fd5966da63bf5e4db67ca9a7d9c44e0965b2b90d22a903d2
        │   │   │       │   └── link
        │   │   │       ├── 94af5ef9353dd0cd289df4ed00543f7dd0be6d746d84636435fd8d6ea2ccfee9
        │   │   │       │   └── link
        │   │   │       ├── a5a06a865ace7f8ee9988fcc391741f1206e02b0164a71f6d1d6a097aa3d500b
        │   │   │       │   └── link
        │   │   │       ├── a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
        │   │   │       │   └── link
        │   │   │       ├── d93a2d7cc901177e87182b2003d50fb3ffd5be3eb698f39f5c862264efe6ee99
        │   │   │       │   └── link
        │   │   │       └── ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec
        │   │   │           └── link
        │   │   ├── _manifests
        │   │   │   ├── revisions
        │   │   │   │   └── sha256
        │   │   │   │       └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
        │   │   │   │           └── link
        │   │   │   └── tags
        │   │   │       └── v1
        │   │   │           ├── current
        │   │   │           │   └── link
        │   │   │           └── index
        │   │   │               └── sha256
        │   │   │                   └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
        │   │   │                       └── link
        │   │   └── _uploads
        │   ├── push-new
        │   │   ├── _layers
        │   │   │   └── sha256
        │   │   │       ├── 1b1ad4542c99b8881265610cf5dc09e37d38445529a7584edb2a607fd783216f
        │   │   │       │   └── link
        │   │   │       ├── 286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
        │   │   │       │   └── link
        │   │   │       ├── 298de445ff18300c143569dcd324fbf0512de036fc25d52454834bb2386947e6
        │   │   │       │   └── link
        │   │   │       ├── 37e8bc3ffc7a76234d479e1a4ad8692773f04c667c48262598780575e20a169d
        │   │   │       │   └── link
        │   │   │       ├── 4af096619739efe5fd5966da63bf5e4db67ca9a7d9c44e0965b2b90d22a903d2
        │   │   │       │   └── link
        │   │   │       ├── 94af5ef9353dd0cd289df4ed00543f7dd0be6d746d84636435fd8d6ea2ccfee9
        │   │   │       │   └── link
        │   │   │       ├── a5a06a865ace7f8ee9988fcc391741f1206e02b0164a71f6d1d6a097aa3d500b
        │   │   │       │   └── link
        │   │   │       ├── a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
        │   │   │       │   └── link
        │   │   │       ├── d93a2d7cc901177e87182b2003d50fb3ffd5be3eb698f39f5c862264efe6ee99
        │   │   │       │   └── link
        │   │   │       └── ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec
        │   │   │           └── link
        │   │   ├── _manifests
        │   │   │   ├── revisions
        │   │   │   │   └── sha256
        │   │   │   │       └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
        │   │   │   │           └── link
        │   │   │   └── tags
        │   │   │       └── v1
        │   │   │           ├── current
        │   │   │           │   └── link
        │   │   │           └── index
        │   │   │               └── sha256
        │   │   │                   └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
        │   │   │                       └── link
        │   │   └──


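No layer is ever stored twice in image storage:
(1) blobs
This directory holds the actual files: each layer's data (gzip) and each image's manifest information (JSON).
(2) repositories
Stores how images are organized, similar to metadata.
Repository name
registry-share-private/push-mount is a repository name; registry-share-private corresponds to the project concept, and push-mount is the container name.
_layers
This directory resembles the blobs directory, but it stores no real data; it only keeps each layer's sha256 digest in a link file. It records the sha256 digests of every layer that has ever been uploaded to this repository.
_manifests
The manifest information for every version (tag) uploaded to this repository. It contains a revisions directory and a tags directory.
tags
One set of records per tag (v1). Each tag has a current directory and an index directory. The link file under current holds the sha256 digest of the manifest the tag currently points to, while the index directory lists the sha256 digests of every version ever uploaded under that tag.
revisions
This directory holds the sha256 digests of every version ever uploaded to this repository.
_uploads
A temporary directory; once an image upload completes, the files under it are deleted.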
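To make the link-file indirection concrete, the following added example (not from the article or from the registry project) builds a small tree in a temporary directory using the layout shown above, resolves a tag through tags/<tag>/current/link to the manifest blob and on to each layer, and re-hashes every data file against the digest in its path. Blob contents and the simplified manifest are constructed, and the link-file content is assumed to be the `sha256:<hex>` digest string.

```python
import hashlib
import json
import os
import tempfile


def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def blob_path(root, digest):
    """blobs/sha256/<first two hex chars>/<hex digest>/data, as in the tree above."""
    algo, hexd = digest.split(":", 1)
    return os.path.join(root, "blobs", algo, hexd[:2], hexd, "data")


def link_path(root, repo, parts):
    return os.path.join(root, "repositories", repo, *parts, "link")


def put_blob(root, data):
    """Store content under its own digest; an existing blob is never rewritten."""
    digest = digest_of(data)
    path = blob_path(root, digest)
    if not os.path.exists(path):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return digest


def put_link(root, repo, parts, digest):
    """Write a link file whose content is the digest (assumed 'sha256:<hex>')."""
    path = link_path(root, repo, parts)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(digest)


def read_link(root, repo, parts):
    path = link_path(root, repo, parts)
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip()


def push(root, repo, tag, layers):
    """Lay out one image: layer blobs, manifest blob and the repository links."""
    entries = []
    for data in layers:
        d = put_blob(root, data)
        put_link(root, repo, ["_layers", *d.split(":")], d)
        entries.append({"digest": d, "size": len(data)})
    m = put_blob(root, json.dumps({"schemaVersion": 2, "layers": entries}).encode())
    put_link(root, repo, ["_manifests", "revisions", *m.split(":")], m)
    put_link(root, repo, ["_manifests", "tags", tag, "index", *m.split(":")], m)
    put_link(root, repo, ["_manifests", "tags", tag, "current"], m)
    return m


def check_blob(root, digest):
    path = blob_path(root, digest)
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        return "ok" if digest_of(fh.read()) == digest else "digest mismatch"


def verify_tag(root, repo, tag):
    """Resolve tag -> manifest -> layers and return {digest: status}."""
    m = read_link(root, repo, ["_manifests", "tags", tag, "current"])
    if m is None or check_blob(root, m) != "ok":
        return {m: "manifest missing or corrupt"}
    report = {m: "ok"}
    with open(blob_path(root, m), "rb") as fh:
        manifest = json.load(fh)
    for layer in manifest["layers"]:
        d = layer["digest"]
        linked = read_link(root, repo, ["_layers", *d.split(":")]) == d
        report[d] = check_blob(root, d) if linked else "not linked in repository"
    return report


def demo():
    base = b"constructed base layer"   # shared by both repositories
    with tempfile.TemporaryDirectory(prefix="registry-v2-") as root:
        push(root, "registry-share-private/push-new", "v1", [base, b"only in push-new"])
        push(root, "registry-share-private/push-mount", "v1", [base, b"only in push-mount"])
        stored = sum(f == "data" for _, _, fs in os.walk(os.path.join(root, "blobs")) for f in fs)
        before = verify_tag(root, "registry-share-private/push-new", "v1")
        with open(blob_path(root, digest_of(base)), "ab") as fh:
            fh.write(b"!")  # simulate corruption of the shared blob on disk
        after = verify_tag(root, "registry-share-private/push-mount", "v1")
    return stored, before, after
```

`demo()` returns the number of stored data files (five for two images of two layers each, because the shared layer and nothing else is deduplicated) and the verification reports before and after the shared blob is altered; the alteration shows up in every repository that links to it.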

2. Image upload flow

Image uploads fall into the following cases:
[Figure]
Note: in the figure, BLOB1 in Repo A and Repo B on the right is actually one and the same copy.

(1) New image (none of its layers exist in the registry)

Authentication

    GET /v2/ HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Accept-Encoding: gzip
    Connection: close

    HTTP/1.1 401 Unauthorized
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:18 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 87
    Connection: close
    Docker-Distribution-Api-Version: registry/2.0
    Set-Cookie: beegosessionID=f949e87ea41cfdff40d4eaaf5ec4d8ad; Path=/; HttpOnly
    Www-Authenticate: Bearer realm="http://reg.myharbor.com/service/token",service="harbor-registry"

    {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
Obtain a token from the auth service

    GET /service/token?account=share&scope=repository%3Aregistry-share-private%2Fpush-new%3Apush%2Cpull&service=harbor-registry HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Authorization: Basic c2hhcmU6U2hhcmUxMjM0NQ==
    Accept-Encoding: gzip
    Connection: close

    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:18 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 977
    Connection: close
    Content-Encoding: gzip
    Set-Cookie: beegosessionID=b9847b82ec96b422708f2ca0f753ac21; Path=/; HttpOnly

    {
      "token": "<JWT omitted>",
      "expires_in": 1800,
      "issued_at": "2019-07-25T12:26:18Z"
    }
Check whether the registry already has the layer to be uploaded

    HEAD /v2/registry-share-private/push-new/blobs/sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Authorization: Bearer <JWT omitted>
    Connection: close

    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:18 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 157
    Connection: close
    Docker-Distribution-Api-Version: registry/2.0
    Set-Cookie: beegosessionID=a8aaecf9ffe64fa3cbf8807b937025ab; Path=/; HttpOnly
Start the blob upload

    POST /v2/registry-share-private/push-new/blobs/uploads/ HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Content-Length: 0
    Authorization: Bearer <JWT omitted>
    Content-Type:
    Accept-Encoding: gzip
    Connection: close

    HTTP/1.1 202 Accepted
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:19 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: close
    Docker-Distribution-Api-Version: registry/2.0
    Docker-Upload-Uuid: 6178733d-0607-4245-a092-6104cb784bf2
    Location: http://reg.myharbor.com/v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=pKHNnX7zDiLowkh6Gin5zTfCas2AmKuyyrmVMRNx74x7Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAxOS0wNy0yNVQxMjoyNjoxOC44MTMxOTUzNjZaIn0%3D
    Range: 0-0
    Set-Cookie: beegosessionID=f5a3ac2921aca8e3afdbb465b0100cd2; Path=/; HttpOnly
Large blobs are sent in chunks; small ones use PUT.

    PATCH /v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=pKHNnX7zDiLowkh6Gin5zTfCas2AmKuyyrmVMRNx74x7Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAxOS0wNy0yNVQxMjoyNjoxOC44MTMxOTUzNjZaIn0%3D HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Transfer-Encoding: chunked
    Authorization: Bearer <JWT omitted>
    Accept-Encoding: gzip
    Connection: close

    [binary layer data omitted]

    HTTP/1.1 202 Accepted
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:19 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: close
    Docker-Distribution-Api-Version: registry/2.0
    Docker-Upload-Uuid: 6178733d-0607-4245-a092-6104cb784bf2
    Location: http://reg.myharbor.com/v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=19TYI6CYz6LohGdEhCNv7veQG2M77lz8q1evuLOEZU17Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MzMzLCJTdGFydGVkQXQiOiIyMDE5LTA3LTI1VDEyOjI2OjE4WiJ9
    Range: 0-332
    Set-Cookie: beegosessionID=8407c7ba275391b58314b94aed502179; Path=/; HttpOnly
After a chunked upload, a PUT request is still needed to mark the upload as complete

    PUT /v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=19TYI6CYz6LohGdEhCNv7veQG2M77lz8q1evuLOEZU17Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MzMzLCJTdGFydGVkQXQiOiIyMDE5LTA3LTI1VDEyOjI2OjE4WiJ9&digest=sha256%3A286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Content-Length: 0
    Authorization: Bearer <JWT omitted>
    Accept-Encoding: gzip
    Connection: close

    HTTP/1.1 201 Created
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:19 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: close
    Docker-Content-Digest: sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
    Docker-Distribution-Api-Version: registry/2.0
    Location: http://reg.myharbor.com/v2/registry-share-private/push-new/blobs/sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
    Set-Cookie: beegosessionID=157cb059f1bd7f8d37897952392a9082; Path=/; HttpOnly
After a blob has been uploaded successfully, it still needs to be confirmed.
Upload the manifest
Once all blobs have been uploaded, the manifest (the file list) must be uploaded

    PUT /v2/registry-share-private/push-new/manifests/v1 HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Content-Length: 2205
    Authorization: Bearer <JWT omitted>
    Content-Type: application/vnd.docker.distribution.manifest.v2+json
    Accept-Encoding: gzip
    Connection: close

    {
       "schemaVersion": 2,
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "config": {
          "mediaType": "application/vnd.docker.container.image.v1+json",
          "size": 8216,
          "digest": "sha256:298de445ff18300c143569dcd324fbf0512de036fc25d52454834bb2386947e6"
       },
       "layers": [
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 52595547,
             "digest": "sha256:d93a2d7cc901177e87182b2003d50fb3ffd5be3eb698f39f5c862264efe6ee99"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 3635843,
             "digest": "sha256:1b1ad4542c99b8881265610cf5dc09e37d38445529a7584edb2a607fd783216f"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 19806611,
             "digest": "sha256:ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 241,
             "digest": "sha256:a5a06a865ace7f8ee9988fcc391741f1206e02b0164a71f6d1d6a097aa3d500b"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 1969212,
             "digest": "sha256:a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 132,
             "digest": "sha256:94af5ef9353dd0cd289df4ed00543f7dd0be6d746d84636435fd8d6ea2ccfee9"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 333,
             "digest": "sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 22311565,
             "digest": "sha256:37e8bc3ffc7a76234d479e1a4ad8692773f04c667c48262598780575e20a169d"
          },
          {
             "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 35106,
             "digest": "sha256:4af096619739efe5fd5966da63bf5e4db67ca9a7d9c44e0965b2b90d22a903d2"
          }
       ]
    }

    HTTP/1.1 201 Created
    Server: nginx
    Date: Thu, 25 Jul 2019 12:26:36 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: close
    Docker-Content-Digest: sha256:9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
    Docker-Distribution-Api-Version: registry/2.0
    Location: http://reg.myharbor.com/v2/registry-share-private/push-new/manifests/sha256:9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
    Set-Cookie: beegosessionID=2b449cbfaea72b978aabc8c32c3617d7; Path=/; HttpOnly

(2) Some layers already exist in another repository and the client has read permission

If a layer of the image being uploaded already exists in the registry and the client has read permission on it,
docker first obtains a token

    GET /service/token?account=share&scope=repository%3Aregistry-share-private%2Fpush-mount%3Apush%2Cpull&scope=repository%3Aregistry-share-private%2Fpush-new%3Apull&service=harbor-registry HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Authorization: Basic c2hhcmU6U2hhcmUxMjM0NQ==
    Accept-Encoding: gzip
    Connection: close

    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 25 Jul 2019 12:27:45 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 1065
    Connection: close
    Content-Encoding: gzip
    Set-Cookie: beegosessionID=c27746a125006bd70a24d75205a4008c; Path=/; HttpOnly

    {
      "token": "<JWT omitted>",
      "expires_in": 1800,
      "issued_at": "2019-07-25T12:27:45Z"
    }

It then performs the mount, carrying this token

    POST /v2/registry-share-private/push-mount/blobs/uploads/?from=registry-share-private%2Fpush-new&mount=sha256%3Aa8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f HTTP/1.1
    Host: reg.myharbor.com
    User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
    Content-Length: 0
    Authorization: Bearer <JWT omitted>
    Content-Type:
    Accept-Encoding: gzip
    Connection: close

    HTTP/1.1 201 Created
    Server: nginx
    Date: Thu, 25 Jul 2019 12:27:45 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: close
    Docker-Content-Digest: sha256:a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
    Docker-Distribution-Api-Version: registry/2.0
    Location: http://reg.myharbor.com/v2/registry-share-private/push-mount/blobs/sha256:a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
    Set-Cookie: beegosessionID=28c3b965f60774b92c3f9eb4c7e75b02; Path=/; HttpOnly

This avoids re-uploading duplicate layers and speeds up the push.
Handling a mount really just means generating the corresponding layer's information and placing it under the _layers directory.
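The token steps in cases (1) and (2) above, as an added example that is not part of the original article: it parses the Www-Authenticate challenge from the 401 response, rebuilds the two token request URLs shown in the captures, and compares the `access` entries inside a bearer token with the scopes that were requested. The token here is constructed and unsigned, and its claim layout is an assumption modelled on the registry token format; decoding claims this way inspects them and verifies nothing.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Challenge header copied from the 401 response shown in case (1).
CHALLENGE = 'Bearer realm="http://reg.myharbor.com/service/token",service="harbor-registry"'


def parse_challenge(header):
    """Split 'Bearer realm="...",service="..."' into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', rest))


def token_url(params, account, scopes):
    """Build the token request; each scope is 'repository:<name>:<actions>'."""
    query = [("account", account)] + [("scope", s) for s in scopes]
    query.append(("service", params["service"]))
    return params["realm"] + "?" + urlencode(query)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed stand-in for a registry token: three dot-separated parts, no signature."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), ""])


def decode_claims(token):
    """Decode the payload (middle) segment, restoring the stripped padding."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def split_scope(scope):
    """'repository:<name>:<a1>,<a2>' -> set of (type, name, action) triples."""
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return {(rtype, name, a) for a in actions.split(",")}


def compare_grant(claims, scopes):
    """Return (missing, excess) between the requested scopes and the token's access claim."""
    wanted = set().union(*(split_scope(s) for s in scopes))
    granted = {(e["type"], e["name"], a)
               for e in claims.get("access", []) for a in e["actions"]}
    return wanted - granted, granted - wanted


# Scopes as requested in case (2): push+pull on the target, pull on the source.
REQUESTED = ["repository:registry-share-private/push-mount:push,pull",
             "repository:registry-share-private/push-new:pull"]

# Constructed token whose access claim is broader than what was requested.
SAMPLE_TOKEN = make_unsigned_token({
    "sub": "share",
    "aud": "harbor-registry",
    "access": [
        {"type": "repository", "name": "registry-share-private/push-mount",
         "actions": ["push", "pull"]},
        {"type": "repository", "name": "registry-share-private/push-new",
         "actions": ["push", "pull"]},
    ],
})

if __name__ == "__main__":
    _, params = parse_challenge(CHALLENGE)
    print(token_url(params, "share", REQUESTED))
    missing, excess = compare_grant(decode_claims(SAMPLE_TOKEN), REQUESTED)
    print("missing:", sorted(missing))
    print("excess: ", sorted(excess))
```

In the captures the realm is an http:// URL and the token request carries an Authorization: Basic header, so both the account password and the issued bearer token cross the network unencrypted; a registry endpoint served over TLS avoids that.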

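(3) Some layers already exist in another repository but the client has no read permission

For layers that already exist but that the client has no permission on, the client has to upload them again, yet only one copy ends up in storage: when the file system performs the move, it first checks whether the destination path exists and, if it does, does not overwrite it. You can check this against the registry source code.

(4) The image already exists

For an image that already exists, the HEAD request returns 200 directly, which means no upload is needed.
The image download flow is essentially the upload flow in reverse, so it is not covered in detail here.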
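The four upload cases above can be followed end to end with a small in-memory model. This is an added example, not the registry's code: `ModelRegistry` and `push_layer` are hypothetical names, the access-control table, the user `other` and the repository `other-project/app` are constructed, and the 202 fallback after a refused mount is an assumption about how the registry answers.

```python
import hashlib


def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


class ModelRegistry:
    """In-memory model of the behaviour described above (hypothetical class)."""

    def __init__(self, acl):
        self.acl = acl            # {user: {repo: {"pull", "push"}}}
        self.blobs = {}           # digest -> bytes, one copy for all repositories
        self.links = {}           # repo -> set of digests (the _layers links)
        self.bytes_received = 0   # layer bytes that crossed the network

    def _allowed(self, user, repo, action):
        return action in self.acl.get(user, {}).get(repo, set())

    def head(self, user, repo, digest):
        """HEAD /v2/<repo>/blobs/<digest>"""
        if not self._allowed(user, repo, "pull"):
            return 401
        return 200 if digest in self.links.get(repo, set()) else 404

    def mount(self, user, repo, digest, source):
        """POST /v2/<repo>/blobs/uploads/?from=<source>&mount=<digest>"""
        if not self._allowed(user, repo, "push"):
            return 401
        readable = self._allowed(user, source, "pull")
        if readable and digest in self.links.get(source, set()):
            self.links.setdefault(repo, set()).add(digest)  # only a link is created
            return 201
        return 202  # assumption: refused mount falls back to a normal upload session

    def upload(self, user, repo, data, digest):
        """PATCH plus the closing PUT ...&digest=<digest>, collapsed into one call."""
        if not self._allowed(user, repo, "push"):
            return 401
        self.bytes_received += len(data)
        if digest_of(data) != digest:
            return 400
        self.blobs.setdefault(digest, data)  # an existing destination is not overwritten
        self.links.setdefault(repo, set()).add(digest)
        return 201


def push_layer(reg, user, repo, data, source=None):
    """Client side: HEAD first, then try a mount, then upload the bytes."""
    digest = digest_of(data)
    if reg.head(user, repo, digest) == 200:
        return "exists"
    if source and reg.mount(user, repo, digest, source) == 201:
        return "mounted"
    status = reg.upload(user, repo, data, digest)
    return "uploaded" if status == 201 else f"failed ({status})"


def demo():
    new, mnt = "registry-share-private/push-new", "registry-share-private/push-mount"
    acl = {  # constructed access table
        "share": {new: {"pull", "push"}, mnt: {"pull", "push"}},
        "other": {"other-project/app": {"pull", "push"}},
    }
    reg = ModelRegistry(acl)
    layer = b"constructed layer bytes"
    results = [
        push_layer(reg, "share", new, layer),                       # case (1)
        push_layer(reg, "share", mnt, layer, source=new),           # case (2)
        push_layer(reg, "other", "other-project/app", layer, new),  # case (3)
        push_layer(reg, "share", new, layer),                       # case (4)
    ]
    return results, len(reg.blobs), reg.bytes_received


if __name__ == "__main__":
    print(demo())
```

In this model the mount is granted only when the caller holds pull on the source repository; without it the layer bytes are sent again, and storage still holds a single copy.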

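III. Image management and security

  1. Managing image registries
    • An image registry is the key facility for storing and managing container images; registries include public ones (such as Docker Hub) and private ones. When using a public registry, pay attention to where an image comes from and how safe it is, and avoid images that are unauthorized or carry security risks. For an enterprise's internal private registry, establish a thorough image management process that covers upload, download, version control, permission management and so on. For example, an enterprise can define user roles with different levels of access to the images in its private registry: administrators can upload and delete images, while developers can download and use them.
  2. Image security scanning and vulnerability management
    • A container image may contain many software components, any of which may have security vulnerabilities, so scanning images is essential. Dedicated image scanning tools can detect the vulnerabilities in an image so that they can be fixed promptly. For example, scan an image before building and deploying it; if a high-severity vulnerability is found, stop the deployment and fix the image to keep the application secure. Image signing and verification can also be used to make sure an image comes from a reliable source and to prevent malicious images from being used.
  3. Resource utilization and cost control
    • Although container images are relatively lightweight, at large scale the cost of storing images and transferring them over the network still has to be considered. Reducing image size (for example by choosing a suitable base image and removing unnecessary files during the build) lowers storage and transfer costs. Making good use of the layered storage and sharing of container images also raises server resource utilization, so that more container instances run on limited hardware and cost-effectiveness is maximized.
In summary, container images are an indispensable part of container technology: they give applications a reliable, efficient and consistent runtime environment. A systematic understanding of container images helps us better grasp where this technology is heading and where it applies, and brings more value to the enterprise.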
