Image Registries and CI Integration
1. Choosing a registry
| Registry | Characteristics |
|---|---|
| Docker Hub | Public and free; private repositories are limited |
| GitHub Container Registry (ghcr.io) | Deep GitHub integration |
| AWS ECR | AWS ecosystem |
| Alibaba Cloud ACR | Fast within mainland China |
| Harbor | Open source, self-hosted, enterprise grade |
| Google Artifact Registry | GCP ecosystem |
2. Push workflow
```bash
# Log in
docker login
docker login ghcr.io -u <username>
docker login registry.cn-hangzhou.aliyuncs.com
# Tag
docker tag myapp:latest ghcr.io/myorg/myapp:v1.0.0
docker tag myapp:latest ghcr.io/myorg/myapp:latest
# Push
docker push ghcr.io/myorg/myapp:v1.0.0
docker push ghcr.io/myorg/myapp:latest
```
2.1 Tagging strategy
```text
v1.2.3      # version number (semver recommended)
v1.2        # floating tag (points at the latest v1.2.x)
latest      # most recent build
sha-abc123  # git commit hash
main        # branch name (common in CI)
pr-42       # PR number
```
Never push only `latest`: you cannot roll back. Every push should carry at least one unique tag (commit sha or version).
3. CI integration: GitHub Actions
```yaml
name: Build and Push
on:
  push:
    branches: [main]
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=ref,event=branch
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
```
3.1 Key points
- `docker/metadata-action` generates the tags automatically (from the git tag, branch and sha)
- `cache-from` / `cache-to: type=gha` uses the GitHub Actions built-in cache
- `platforms: linux/amd64,linux/arm64` produces a multi-architecture image
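As an added example (not part of the original notes and not the action's own code), the script below re-implements the four tag rules from the workflow in plain sh, so you can see which tags a given ref produces and check the rule from section 2.1 that every push carries a unique tag. It assumes the `docker/metadata-action` defaults named in the comments; `image_tags` and `has_unique_tag` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original notes): a small re-implementation of the
# tag rules used in the workflow above, so the tag set a push produces can be
# checked locally. Assumed metadata-action defaults: the sha tag is
# "sha-" + 7-character short sha, "/" in branch names becomes "-", and the
# floating {{major}}.{{minor}} tag is only emitted for stable (non-pre-release)
# semver tags.
#
# Usage: image_tags <image> <git-ref> <commit-sha>
image_tags() {
  image=$1; ref=$2; sha=$3
  short=$(printf '%s' "$sha" | cut -c1-7)
  case $ref in
    refs/tags/v*)
      ver=${ref#refs/tags/v}
      # type=semver,pattern={{version}} -> 1.2.3 (a pre-release gives 2.0.0-rc1)
      printf '%s:%s\n' "$image" "$ver"
      case $ver in
        *-*) ;;  # pre-release: no floating tag, it must not move 1.2 forward
        *)
          # type=semver,pattern={{major}}.{{minor}} -> 1.2
          printf '%s:%s\n' "$image" "${ver%.*}"
          ;;
      esac
      ;;
    refs/heads/*)
      # type=ref,event=branch -> branch name, "/" sanitized to "-"
      branch=$(printf '%s' "${ref#refs/heads/}" | tr '/' '-')
      printf '%s:%s\n' "$image" "$branch"
      ;;
  esac
  # type=sha -> sha-<short>; always present, so every push has a unique tag
  printf '%s:sha-%s\n' "$image" "$short"
}

# Guard for the rule in section 2.1: reject a newline-separated tag list that
# contains no unique (sha or exact-version) tag, e.g. one that is only "latest".
has_unique_tag() {
  printf '%s\n' "$1" | grep -Eq ':(sha-[0-9a-f]+|[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.]+)?)$'
}
```

Run `image_tags ghcr.io/myorg/myapp refs/tags/v1.2.3 <sha>` to see the same three tags the workflow would push for a release; a floating `v1.2`-style tag alone never satisfies `has_unique_tag`.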
4. buildx and multi-architecture builds
```bash
# Create a builder
docker buildx create --name multiarch --use
# Build for multiple architectures
docker buildx build \
  --platform linux/amd64,linux/arm64 \
  -t ghcr.io/myorg/myapp:v1.0.0 \
  --push .
# Inspect the manifest
docker buildx imagetools inspect ghcr.io/myorg/myapp:v1.0.0
```
Be careful with local development on Apple Silicon:
```bash
# A local build defaults to arm64
docker build -t myapp .
# Force amd64 (for pushing to x86 servers)
docker build --platform linux/amd64 -t myapp .
```
5. Harbor (self-hosted)
Enterprise use cases: security auditing, vulnerability scanning, RBAC, image signing.
```bash
# docker-compose deployment (development / small scale)
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-online-installer-v2.11.0.tgz
tar xzf harbor-online-installer-v2.11.0.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
# Edit hostname and the https settings
./install.sh
```
Log in and push:
```bash
docker login harbor.example.com
docker push harbor.example.com/myproject/myapp:v1.0.0
```
6. Image vulnerability scanning
```bash
# Docker Scout (Docker's official tool)
docker scout cves myapp:latest
docker scout quickview myapp:latest
# Trivy (Aqua Security, open source)
trivy image myapp:latest
# Snyk
snyk container test myapp:latest
```
CI integration:
```yaml
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ghcr.io/myorg/myapp:${{ github.sha }}
    severity: CRITICAL,HIGH
    exit-code: 1  # fail the CI run when high-severity vulnerabilities are found
```
7. Image signing and verification
Cosign (Sigstore):
```bash
# Sign
cosign sign ghcr.io/myorg/myapp@sha256:abc123
# Verify
cosign verify ghcr.io/myorg/myapp@sha256:abc123 --key cosign.pub
```
A Kubernetes admission controller (such as Kyverno or OPA) can enforce that only signed images are allowed to run.
8. Faster pulls
Mirrors for mainland China, in `/etc/docker/daemon.json`:
```json
{
  "registry-mirrors": [
    "https://mirror.ccs.tencentyun.com",
    "https://hub-mirror.c.163.com"
  ]
}
```
CI acceleration:
- Build cache (buildx cache)
- Pre-pull base images onto the runner
- Self-hosted mirror / proxy
9. Common anti-patterns
- Pushing only `latest`: no rollback, and no way to know which version is running
- Not scanning images: high-severity vulnerabilities reach production
- Not using a cache: every CI build takes 10 minutes
- Secrets written into the Dockerfile / docker-compose file: credential leakage
- No multi-architecture builds: team members on arm64 cannot run the image
- A build context of several GB: no `.dockerignore`
- A single registry instance with no backup: when it goes down, nothing can be deployed
- Old images never cleaned up: the registry disk fills; configure a retention policy