
A Systematic Look at Container Images

off999 2025-01-13 16:46

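I. Introduction

1. The nature of a Docker image

An image is a union file system (UnionFS). The storage driver currently in use is overlay2 (Docker) / overlayfs (containerd).

2. Docker image rootfs and layer design

The base layer of an image is the rootfs. Every program has dependencies at run time, whether language-level libraries, system libraries or the operating system itself, and these may differ or be missing from one system to another. To make containers run consistently, Docker packages the operating system and library dependencies together (this is the image), and when a container starts, that package becomes its root directory (the root file system, rootfs). All of the container process's dependency lookups then resolve inside this root directory, which gives a consistent environment.

Layer: the base of a Dockerfile is the rootfs, and every subsequent instruction, such as RUN or ADD, produces one layer. So to keep the image small, several RUN commands can be merged into a single line, which turns multiple layers into one.

Only the topmost layer of an image is read-write; all the others are read-only (this is what the whiteout attribute of directories is for). In a union file system, when a deleted file lives in a read-only layer, the top layer shows the file as deleted while the file still exists in the read-only layer; this is implemented by creating a hidden whiteout file for it in the top layer. The operation rm mnt/haha.log has the same effect as touch a/.wh.haha.log.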
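The whiteout behaviour described above, as an added example that is not code from the original article: it applies a stack of layer tarballs bottom to top, honours `.wh.<name>` entries and the `.wh..wh..opq` opaque-directory marker used in image layer tarballs, and reports every file the merged view hides while a lower layer still stores it. The layer contents, paths and helper names are constructed for illustration.

```python
import io
import posixpath
import tarfile

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"  # hides everything lower layers put in this directory


def make_layer(files):
    """Build an in-memory layer tarball from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_from_layer(blob, path):
    """Read one file straight out of a single layer tarball."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return tar.extractfile(path).read()


def apply_layers(layers):
    """Return (merged, hidden).

    merged: path -> (layer_index, data), the view a container would see.
    hidden: [(path, layer_index)] for content deleted or replaced by a later
            layer that is still present in the lower layer's tarball.
    """
    merged, hidden = {}, []

    def hide(path):
        layer_index, _ = merged.pop(path)
        hidden.append((path, layer_index))

    for index, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            entries = [(m.name, tar.extractfile(m).read())
                       for m in tar.getmembers() if m.isfile()]
        # Pass 1: whiteouts only affect content that came from lower layers.
        for name, _ in entries:
            parent, base = posixpath.split(name)
            if base == OPAQUE_MARKER:
                prefix = parent + "/" if parent else ""
                for path in [p for p in merged if p.startswith(prefix)]:
                    hide(path)
            elif base.startswith(WHITEOUT_PREFIX):
                target = posixpath.join(parent, base[len(WHITEOUT_PREFIX):])
                for path in [p for p in merged
                             if p == target or p.startswith(target + "/")]:
                    hide(path)
        # Pass 2: regular files of this layer; an overwrite also hides old data.
        for name, data in entries:
            if posixpath.basename(name).startswith(WHITEOUT_PREFIX):
                continue
            if name in merged:
                hide(name)
            merged[name] = (index, data)
    return merged, hidden


# Constructed sample: layer 0 ships a key, layer 1 "deletes" it, layer 2
# replaces a whole directory.
SAMPLE_LAYERS = [
    make_layer({"etc/app.conf": b"v1",
                "root/.ssh/id_rsa": b"CONSTRUCTED-PRIVATE-KEY",
                "var/cache/a": b"x", "var/cache/b": b"y"}),
    make_layer({"root/.ssh/.wh.id_rsa": b"", "etc/app.conf": b"v2"}),
    make_layer({"var/cache/.wh..wh..opq": b"", "var/cache/c": b"z"}),
]

if __name__ == "__main__":
    merged, hidden = apply_layers(SAMPLE_LAYERS)
    print("visible:", sorted(merged))
    for path, layer in hidden:
        print("hidden but still stored in layer %d: %s" % (layer, path))
```

A file removed in a later layer is therefore still shipped to anyone who can pull the image, which is why secrets must never enter a layer in the first place.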


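3. Container image mounting


Docker supports several graphDrivers, including vfs, devicemapper, overlay, overlay2 and aufs; the image storage driver currently in use is overlay2.

Docker's default storage directory is /var/lib/docker: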

[root@p22295v zhangzhifei]# ls -lrt /var/lib/docker/
total 156
drwx--x--x   3 root root  4096 Dec  6  2018 containerd
drwx------   4 root root  4096 Dec  6  2018 plugins
drwx------   3 root root  4096 Dec  6  2018 image
drwx------   2 root root  4096 Dec  6  2018 trust
drwxr-x---   3 root root  4096 Dec  6  2018 network
drwx------   2 root root  4096 Dec  6  2018 swarm
drwx------   2 root root  4096 Dec  6  2018 builder
drwx------  89 root root 12288 Jul 17 11:07 volumes
drwx------   2 root root  4096 Jul 17 14:30 runtimes
drwx------   2 root root  4096 Jul 23 12:51 tmp
drwx------ 758 root root 94208 Jul 29 19:12 overlay2
drwx------  80 root root 12288 Jul 29 19:12 containers

Let's run a container to demonstrate:


[root@p22295v zhangzhifei]# docker run -it -d  kraken-agent:dev 
83555ad8c034682ad885fc9e320bfb1f8b75498b61a1a8684d738c411caa930b

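Starting a container creates a container view layer under /var/lib/docker/overlay2; the directory contains diff, link, lower, merged and work.

diff holds the data of each layer's own content, and link records the layer's link name (actually a link under the l directory that points to the layer). For example, a directory created inside the container is added under diff.

By the data they store and their function, these layers fall into 3 parts:

1. Read-only layers

2. The init layer (sandwiched between the read-only layers and the read-write layer, and used specifically for /etc/hosts, /etc/resolv.conf and similar information. This layer is needed because these files originally belong to the read-only system image layer, but users often need to write specific values such as the hostname when starting a container, so the files have to be modified in the writable layer. These changes usually apply only to the current container, and we do not want docker commit to commit them together with the read-write layer. So after modifying these files, Docker mounts them as a separate layer. docker commit only commits the read-write layer, so this content is not included.)

3. The read-write layer (before any file is written, this directory is empty; once a write happens inside the container, the resulting changes appear in this layer incrementally)

Look at the container's mount directories: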


[root@p22295v zhangzhifei]# cat /var/lib/docker/image/overlay2/layerdb/mounts/83555ad8c034682ad885fc9e320bfb1f8b75498b61a1a8684d738c411caa930b/mount-id 
3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40[root@p22295v zhangzhifei]# 
Read-write layer
[root@p22295v zhangzhifei]# ls /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/diff/
[root@p22295v zhangzhifei]#
Read-only layer
[root@p22295v zhangzhifei]# ls /var/lib/docker/overlay2/65e5cdd72f2995da4c73f2d9b90e8d974b9d2f18829a2479296aaec24e67d185/diff/
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
Read-only layer (the binary added with ADD in the Dockerfile)
[root@p22295v zhangzhifei]# ls -lrt /var/lib/docker/overlay2/852fa5138c3da5070b59e6402348a5a281378b28ee08fede9c635e4101f91092/diff/usr/bin/
total 28836
-rwxr-xr-x 1 root root 29526888 Jul 10 16:23 kraken-origin
init layer
[root@p22295v zhangzhifei]# ls /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40-init/diff/
dev  etc

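Finally, all these layers are union-mounted at /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/merged, where they appear as a complete operating system and runtime environment for the container to use.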


[root@p22295v zhangzhifei]# mount | grep 3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40
overlay on /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/Z7QMVXSKSNAKCUEJ6ZMU5YTFWG:/var/lib/docker/overlay2/l/2OYCXTK7M4QN3DT7IYJK6J7VYT:/var/lib/docker/overlay2/l/UZTDJDVUOBHU2VERRLXF5KMIQO:/var/lib/docker/overlay2/l/NAXXPRFMO4ATUIG6SFPU4LBUUV:/var/lib/docker/overlay2/l/AM4PHUFWOD4UHYIVO5Q6GVZ5L7:/var/lib/docker/overlay2/l/7XLJNT7Q3UQIKHDNV4QG4EX2C3:/var/lib/docker/overlay2/l/3RAVSDXXRS3BASAKZFPT2ESY2K:/var/lib/docker/overlay2/l/FFNAQF5ADFSTEBNZZ4O2R3CP4N:/var/lib/docker/overlay2/l/X6BOWOZKYRN3DZFY6QLLP7OFDP:/var/lib/docker/overlay2/l/P3EO3WHIM2XPDNPIFUP42EGMQI:/var/lib/docker/overlay2/l/EOSBLWDBASO7GKSDILC4XVGO45:/var/lib/docker/overlay2/l/7K7266OIDWAVXLAN6AA3SZXZQZ,upperdir=/var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/diff,workdir=/var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/work)
[root@p22295v zhangzhifei]# ls  /var/lib/docker/overlay2/3695f349587aaa2cdc82fcde1a380c7b567ef870a47e4c28b8b279e4edc9eb40/merged
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@p22295v zhangzhifei]#

II. Image data structure in the registry and its use

1. Directory structure of image storage

Taking local storage as an example, under /data/registry/docker/registry/v2:

├── blobs
│   └── sha256
│       │   └── dfa94d685d1c2179324f02bf2a119f6d8ee0d380cef5506566012f7c4936a04a
│       │       └── data
│       ├── e6
│       │   └── e6ae4ac760c8457aca9be07de8ca66b3a358a19b950389a0d158ae885178f6cf
│       │       └── data
│       ├── e7
│       │   └── e71de1ca8f2b18993c258e2bf50edea8c23ea4a78a821bcfef181de50b3c32f4
│       │       └── data
│       ├── e8
│       ├── eb
│       │   └── ebbcacd28e101968415b0c812b2d2dc60f969e36b0b08c073bf796e12b1bb449
│       │       └── data
│       ├── ee
│       │   └── ee3d4cdf51349229906ff11db003cf23390eb2642ae2a6fbd75af933bb33318e
│       │       └── data
│       ├── f2
│       │   └── f296fda86f10cfcb81d60d5bcb47a7784a8ec4876d6eac7fabd51f2a7e8694aa
│       │       └── data
│       ├── fc
│       │   └── fc2476ccae2a5186313f2d1dadb4a969d6d2d4c6b23fa98b6c7b0a1faad67685
│       │       └── data
│       └── ff
│           ├── ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec
│           │   └── data
│           └── ffe92548d2836f6ed88665bc7d5655a78a041ff8bb006c772af6bf2326ddb0a6
│               └── data
└── repositories
    ├── registry-share-private
    │   ├── push-mount
    │   │   ├── _layers
    │   │   │   └── sha256
    │   │   │       ├── 1b1ad4542c99b8881265610cf5dc09e37d38445529a7584edb2a607fd783216f
    │   │   │       │   └── link
    │   │   │       ├── 286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
    │   │   │       │   └── link
    │   │   │       ├── 298de445ff18300c143569dcd324fbf0512de036fc25d52454834bb2386947e6
    │   │   │       │   └── link
    │   │   │       ├── 37e8bc3ffc7a76234d479e1a4ad8692773f04c667c48262598780575e20a169d
    │   │   │       │   └── link
    │   │   │       ├── 4af096619739efe5fd5966da63bf5e4db67ca9a7d9c44e0965b2b90d22a903d2
    │   │   │       │   └── link
    │   │   │       ├── 94af5ef9353dd0cd289df4ed00543f7dd0be6d746d84636435fd8d6ea2ccfee9
    │   │   │       │   └── link
    │   │   │       ├── a5a06a865ace7f8ee9988fcc391741f1206e02b0164a71f6d1d6a097aa3d500b
    │   │   │       │   └── link
    │   │   │       ├── a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
    │   │   │       │   └── link
    │   │   │       ├── d93a2d7cc901177e87182b2003d50fb3ffd5be3eb698f39f5c862264efe6ee99
    │   │   │       │   └── link
    │   │   │       └── ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec
    │   │   │           └── link
    │   │   ├── _manifests
    │   │   │   ├── revisions
    │   │   │   │   └── sha256
    │   │   │   │       └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
    │   │   │   │           └── link
    │   │   │   └── tags
    │   │   │       └── v1
    │   │   │           ├── current
    │   │   │           │   └── link
    │   │   │           └── index
    │   │   │               └── sha256
    │   │   │                   └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
    │   │   │                       └── link
    │   │   └── _uploads
    │   ├── push-new
    │   │   ├── _layers
    │   │   │   └── sha256
    │   │   │       ├── 1b1ad4542c99b8881265610cf5dc09e37d38445529a7584edb2a607fd783216f
    │   │   │       │   └── link
    │   │   │       ├── 286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
    │   │   │       │   └── link
    │   │   │       ├── 298de445ff18300c143569dcd324fbf0512de036fc25d52454834bb2386947e6
    │   │   │       │   └── link
    │   │   │       ├── 37e8bc3ffc7a76234d479e1a4ad8692773f04c667c48262598780575e20a169d
    │   │   │       │   └── link
    │   │   │       ├── 4af096619739efe5fd5966da63bf5e4db67ca9a7d9c44e0965b2b90d22a903d2
    │   │   │       │   └── link
    │   │   │       ├── 94af5ef9353dd0cd289df4ed00543f7dd0be6d746d84636435fd8d6ea2ccfee9
    │   │   │       │   └── link
    │   │   │       ├── a5a06a865ace7f8ee9988fcc391741f1206e02b0164a71f6d1d6a097aa3d500b
    │   │   │       │   └── link
    │   │   │       ├── a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
    │   │   │       │   └── link
    │   │   │       ├── d93a2d7cc901177e87182b2003d50fb3ffd5be3eb698f39f5c862264efe6ee99
    │   │   │       │   └── link
    │   │   │       └── ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec
    │   │   │           └── link
    │   │   ├── _manifests
    │   │   │   ├── revisions
    │   │   │   │   └── sha256
    │   │   │   │       └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
    │   │   │   │           └── link
    │   │   │   └── tags
    │   │   │       └── v1
    │   │   │           ├── current
    │   │   │           │   └── link
    │   │   │           └── index
    │   │   │               └── sha256
    │   │   │                   └── 9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
    │   │   │                       └── link
    │   │   └──

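No layer in image storage is ever stored twice:

1. blobs

This directory holds the actual files: the data of each layer (gzip) and each image's manifest information (JSON).

2. repositories

Stores the organizational information of images, similar to metadata.

Repository name

registry-share-private/push-mount is a repository name; registry-share-private corresponds to the project concept, and push-mount is the container name.

_layers

This directory resembles the blobs directory, but it stores no real data; it only keeps each layer's sha256 digest in a link file. It records the sha256 digests of all layers ever uploaded to this repository.

_manifests

The manifest information of every version (tag) uploaded to this repository. It contains a revisions directory and a tags directory.

tags

One set of records per tag (v1). Under each tag there is a current directory and an index directory. The link file under current holds the sha256 digest of the tag's current manifest, while the index directory lists the sha256 digests of every version historically uploaded under that tag.

revisions

Holds the sha256 digests of every version ever uploaded to this repository.

_uploads

A temporary directory; once an image upload completes, the files under it are deleted.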
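The layout described above, as an added example that is not code from the original article or from the registry project: it writes a constructed image into a temporary directory using the same blobs / _layers / _manifests structure, resolves a tag through its link files, and recomputes every sha256 so that a modified blob is detected. It assumes each link file contains the digest string `sha256:<hex>`; the helper names and sample data are hypothetical.

```python
import hashlib
import json
import os
import tempfile

REPOS = ["registry-share-private/push-new", "registry-share-private/push-mount"]


def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def blob_path(root, digest):
    # blobs/sha256/<first two hex chars>/<hex>/data
    algo, hexval = digest.split(":", 1)
    return os.path.join(root, "blobs", algo, hexval[:2], hexval, "data")


def link_path(root, repo, kind, digest):
    # kind is "_layers" or "_manifests/revisions"
    algo, hexval = digest.split(":", 1)
    return os.path.join(root, "repositories", repo, kind, algo, hexval, "link")


def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def read_file(path):
    with open(path, "rb") as fh:
        return fh.read()


def store(root, repo, kind, data):
    """Store a blob once, then link it from the repository."""
    digest = digest_of(data)
    if not os.path.exists(blob_path(root, digest)):  # existing blob is not overwritten
        write_file(blob_path(root, digest), data)
    write_file(link_path(root, repo, kind, digest), digest.encode())
    return {"size": len(data), "digest": digest}


def push(root, repo, tag, config, layers):
    """Stand-in for a real push: writes the same files the tree listing shows."""
    manifest = {"schemaVersion": 2,
                "config": store(root, repo, "_layers", config),
                "layers": [store(root, repo, "_layers", l) for l in layers]}
    raw = json.dumps(manifest, sort_keys=True).encode()
    digest = store(root, repo, "_manifests/revisions", raw)["digest"]
    tag_dir = os.path.join(root, "repositories", repo, "_manifests", "tags", tag)
    write_file(os.path.join(tag_dir, "current", "link"), digest.encode())
    write_file(os.path.join(tag_dir, "index", "sha256",
                            digest.split(":", 1)[1], "link"), digest.encode())
    return digest


def verify_tag(root, repo, tag):
    """Follow tag -> manifest -> config/layers and return [(digest, problem)]."""
    current = os.path.join(root, "repositories", repo, "_manifests",
                           "tags", tag, "current", "link")
    manifest_digest = read_file(current).decode().strip()
    raw = read_file(blob_path(root, manifest_digest))
    if digest_of(raw) != manifest_digest:
        return [(manifest_digest, "content does not match digest")]
    manifest, problems = json.loads(raw), []
    for desc in [manifest["config"]] + manifest["layers"]:
        digest = desc["digest"]
        if not os.path.isfile(link_path(root, repo, "_layers", digest)):
            problems.append((digest, "no link under this repository's _layers"))
        if not os.path.isfile(blob_path(root, digest)):
            problems.append((digest, "blob missing"))
            continue
        data = read_file(blob_path(root, digest))
        if len(data) != desc["size"]:
            problems.append((digest, "size differs from manifest"))
        if digest_of(data) != digest:
            problems.append((digest, "content does not match digest"))
    return problems


def count_blobs(root):
    return sum(1 for _, _, files in os.walk(os.path.join(root, "blobs"))
               if "data" in files)


def demo():
    config, layers = b'{"constructed": "config"}', [b"layer-one", b"layer-two"]
    with tempfile.TemporaryDirectory() as root:
        for repo in REPOS:
            push(root, repo, "v1", config, layers)
        blobs = count_blobs(root)  # two repositories, one copy of each blob
        clean = {repo: verify_tag(root, repo, "v1") for repo in REPOS}
        # Simulate on-disk tampering with one shared layer blob.
        write_file(blob_path(root, digest_of(layers[0])), b"LAYER-ONE")
        tampered = {repo: verify_tag(root, repo, "v1") for repo in REPOS}
    return blobs, clean, tampered


if __name__ == "__main__":
    print(demo())
```

Because both repositories link to the same blob, one modified file under blobs shows up as a digest mismatch in every repository that references it.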

2. Image upload flow


An image upload falls into one of the following cases:


Note: BLOB1 in Repo A and Repo B on the right of the figure is actually one and the same copy.

1. New image (none of its layers exist in the registry)


Authentication

GET /v2/ HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Accept-Encoding: gzip
Connection: close

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Thu, 25 Jul 2019 12:26:18 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 87
Connection: close
Docker-Distribution-Api-Version: registry/2.0
Set-Cookie: beegosessionID=f949e87ea41cfdff40d4eaaf5ec4d8ad; Path=/; HttpOnly
Www-Authenticate: Bearer realm="http://reg.myharbor.com/service/token",service="harbor-registry"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

Obtain a token from the authentication service

GET /service/token?account=share&scope=repository%3Aregistry-share-private%2Fpush-new%3Apush%2Cpull&service=harbor-registry HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Authorization: Basic c2hhcmU6U2hhcmUxMjM0NQ==
Accept-Encoding: gzip
Connection: close

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jul 2019 12:26:18 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 977
Connection: close
Content-Encoding: gzip
Set-Cookie: beegosessionID=b9847b82ec96b422708f2ca0f753ac21; Path=/; HttpOnly

{
  "token": "<JWT omitted>",
  "expires_in": 1800,
  "issued_at": "2019-07-25T12:26:18Z"
}

Check whether the registry already has the layer to be uploaded

HEAD /v2/registry-share-private/push-new/blobs/sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Authorization: Bearer <JWT omitted>
Connection: close

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 25 Jul 2019 12:26:18 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 157
Connection: close
Docker-Distribution-Api-Version: registry/2.0
Set-Cookie: beegosessionID=a8aaecf9ffe64fa3cbf8807b937025ab; Path=/; HttpOnly

Start uploading the blob

POST /v2/registry-share-private/push-new/blobs/uploads/ HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Content-Length: 0
Authorization: Bearer <JWT omitted>
Content-Type: 
Accept-Encoding: gzip
Connection: close

HTTP/1.1 202 Accepted
Server: nginx
Date: Thu, 25 Jul 2019 12:26:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
Docker-Distribution-Api-Version: registry/2.0
Docker-Upload-Uuid: 6178733d-0607-4245-a092-6104cb784bf2
Location: http://reg.myharbor.com/v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=pKHNnX7zDiLowkh6Gin5zTfCas2AmKuyyrmVMRNx74x7Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAxOS0wNy0yNVQxMjoyNjoxOC44MTMxOTUzNjZaIn0%3D
Range: 0-0
Set-Cookie: beegosessionID=f5a3ac2921aca8e3afdbb465b0100cd2; Path=/; HttpOnly

Large blobs are uploaded in chunks; small ones use PUT.

PATCH /v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=pKHNnX7zDiLowkh6Gin5zTfCas2AmKuyyrmVMRNx74x7Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAxOS0wNy0yNVQxMjoyNjoxOC44MTMxOTUzNjZaIn0%3D HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Transfer-Encoding: chunked
Authorization: Bearer <JWT omitted>
Accept-Encoding: gzip
Connection: close

<binary layer data omitted>

HTTP/1.1 202 Accepted
Server: nginx
Date: Thu, 25 Jul 2019 12:26:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
Docker-Distribution-Api-Version: registry/2.0
Docker-Upload-Uuid: 6178733d-0607-4245-a092-6104cb784bf2
Location: http://reg.myharbor.com/v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=19TYI6CYz6LohGdEhCNv7veQG2M77lz8q1evuLOEZU17Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MzMzLCJTdGFydGVkQXQiOiIyMDE5LTA3LTI1VDEyOjI2OjE4WiJ9
Range: 0-332
Set-Cookie: beegosessionID=8407c7ba275391b58314b94aed502179; Path=/; HttpOnly

After a chunked upload, a PUT request is still needed to signal that the upload is complete.

PUT /v2/registry-share-private/push-new/blobs/uploads/6178733d-0607-4245-a092-6104cb784bf2?_state=19TYI6CYz6LohGdEhCNv7veQG2M77lz8q1evuLOEZU17Ik5hbWUiOiJyZWdpc3RyeS1zaGFyZS1wcml2YXRlL3B1c2gtbmV3IiwiVVVJRCI6IjYxNzg3MzNkLTA2MDctNDI0NS1hMDkyLTYxMDRjYjc4NGJmMiIsIk9mZnNldCI6MzMzLCJTdGFydGVkQXQiOiIyMDE5LTA3LTI1VDEyOjI2OjE4WiJ9&digest=sha256%3A286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Content-Length: 0
Authorization: Bearer <JWT omitted>
Accept-Encoding: gzip
Connection: close

HTTP/1.1 201 Created
Server: nginx
Date: Thu, 25 Jul 2019 12:26:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
Docker-Content-Digest: sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
Docker-Distribution-Api-Version: registry/2.0
Location: http://reg.myharbor.com/v2/registry-share-private/push-new/blobs/sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df
Set-Cookie: beegosessionID=157cb059f1bd7f8d37897952392a9082; Path=/; HttpOnly

After a blob has been uploaded successfully, it still needs to be confirmed.

Upload the manifest

Once all blobs have been uploaded, the manifest (the file list) must be uploaded.

PUT /v2/registry-share-private/push-new/manifests/v1 HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Content-Length: 2205
Authorization: Bearer <JWT omitted>
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Accept-Encoding: gzip
Connection: close

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 8216,
      "digest": "sha256:298de445ff18300c143569dcd324fbf0512de036fc25d52454834bb2386947e6"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 52595547,
         "digest": "sha256:d93a2d7cc901177e87182b2003d50fb3ffd5be3eb698f39f5c862264efe6ee99"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3635843,
         "digest": "sha256:1b1ad4542c99b8881265610cf5dc09e37d38445529a7584edb2a607fd783216f"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 19806611,
         "digest": "sha256:ff3ccaa8321b5ee312fab2cfe679467af2ae7510bb84032bdc0324e1d2d0edec"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 241,
         "digest": "sha256:a5a06a865ace7f8ee9988fcc391741f1206e02b0164a71f6d1d6a097aa3d500b"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1969212,
         "digest": "sha256:a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 132,
         "digest": "sha256:94af5ef9353dd0cd289df4ed00543f7dd0be6d746d84636435fd8d6ea2ccfee9"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 333,
         "digest": "sha256:286e9e279b970184db33b43fa5e25008ea0b711f39ec9849baffdc191c8fd1df"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 22311565,
         "digest": "sha256:37e8bc3ffc7a76234d479e1a4ad8692773f04c667c48262598780575e20a169d"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 35106,
         "digest": "sha256:4af096619739efe5fd5966da63bf5e4db67ca9a7d9c44e0965b2b90d22a903d2"
      }
   ]
}

HTTP/1.1 201 Created
Server: nginx
Date: Thu, 25 Jul 2019 12:26:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
Docker-Content-Digest: sha256:9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
Docker-Distribution-Api-Version: registry/2.0
Location: http://reg.myharbor.com/v2/registry-share-private/push-new/manifests/sha256:9e4cf4691735c02e59dd49ee561a3f5e56bccf78d57eaa94581e29f69a5162bd
Set-Cookie: beegosessionID=2b449cbfaea72b978aabc8c32c3617d7; Path=/; HttpOnly
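The authentication and token steps that open this flow, as an added example that is not code from the original article or from Docker: it parses the Www-Authenticate challenge, builds the token request URL, flags a realm that would carry Basic credentials over plain HTTP or to a different host, and compares the access list in a token payload with the requested scopes. The token is constructed and unsigned, the function names are hypothetical, and the signature is deliberately not verified here because that is the registry's job.

```python
import base64
import json
import re
from urllib.parse import urlencode, urlsplit


def parse_challenge(header):
    """Split 'Bearer realm="...",service="..."' into (scheme, {param: value})."""
    scheme, _, params = header.strip().partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', params))


def build_token_request(registry_url, challenge, account, scopes):
    """Return (token_url, warnings) for a Bearer challenge."""
    scheme, fields = parse_challenge(challenge)
    if scheme.lower() != "bearer" or "realm" not in fields:
        raise ValueError("unsupported challenge: %r" % challenge)
    realm, registry = urlsplit(fields["realm"]), urlsplit(registry_url)
    warnings = []
    if realm.scheme != "https":
        warnings.append("realm is not HTTPS: credentials and token "
                        "cross the network in clear text")
    if realm.hostname != registry.hostname:
        warnings.append("realm host %s differs from registry host %s"
                        % (realm.hostname, registry.hostname))
    query = [("account", account)] + [("scope", s) for s in scopes]
    query.append(("service", fields.get("service", "")))
    return fields["realm"] + "?" + urlencode(query), warnings


def parse_scope(scope):
    """'repository:<name>:push,pull' -> (type, name, {actions})."""
    kind, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)  # the name itself may contain ':'
    return kind, name, set(actions.split(","))


def token_access(token):
    """Decode the (unverified) JWT payload and return {(type, name): actions}."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {(a["type"], a["name"]): set(a["actions"])
            for a in claims.get("access", [])}


def compare_grant(token, scopes):
    """Return (missing, excess) as sets of (repository, action)."""
    granted, requested = token_access(token), {}
    for scope in scopes:
        kind, name, actions = parse_scope(scope)
        requested.setdefault((kind, name), set()).update(actions)
    missing = {(k[1], a) for k, acts in requested.items()
               for a in acts - granted.get(k, set())}
    excess = {(k[1], a) for k, acts in granted.items()
              for a in acts - requested.get(k, set())}
    return missing, excess


def make_unsigned_token(access):
    """Constructed sample token: real header/payload shape, dummy signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}),
                     enc({"sub": "share", "access": access}), "c2ln"])


# Challenge header as captured above; everything below it is constructed.
CHALLENGE = ('Bearer realm="http://reg.myharbor.com/service/token",'
             'service="harbor-registry"')
SCOPES = ["repository:registry-share-private/push-mount:push,pull",
          "repository:registry-share-private/push-new:pull"]
SAMPLE_TOKEN = make_unsigned_token([
    {"type": "repository", "name": "registry-share-private/push-mount",
     "actions": ["push", "pull"]},
    {"type": "repository", "name": "registry-share-private/push-new",
     "actions": ["push", "pull"]},
])

if __name__ == "__main__":
    print(build_token_request("http://reg.myharbor.com", CHALLENGE, "share", SCOPES))
    print(compare_grant(SAMPLE_TOKEN, SCOPES))
```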

2. Some layers already exist in another repository and the user has read permission


If a layer of the image being uploaded already exists in the registry and the user has read permission,

docker first obtains a token:

GET /service/token?account=share&scope=repository%3Aregistry-share-private%2Fpush-mount%3Apush%2Cpull&scope=repository%3Aregistry-share-private%2Fpush-new%3Apull&service=harbor-registry HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Authorization: Basic c2hhcmU6U2hhcmUxMjM0NQ==
Accept-Encoding: gzip
Connection: close

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jul 2019 12:27:45 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1065
Connection: close
Content-Encoding: gzip
Set-Cookie: beegosessionID=c27746a125006bd70a24d75205a4008c; Path=/; HttpOnly

{
  "token": "<JWT omitted>",
  "expires_in": 1800,
  "issued_at": "2019-07-25T12:27:45Z"
}

It then carries this token to perform the mount:

POST /v2/registry-share-private/push-mount/blobs/uploads/?from=registry-share-private%2Fpush-new&mount=sha256%3Aa8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f HTTP/1.1
Host: reg.myharbor.com
User-Agent: docker/1.13.1 go/go1.9.4 kernel/3.10.0-514.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))
Content-Length: 0
Authorization: Bearer <JWT omitted>
Content-Type: 
Accept-Encoding: gzip
Connection: close

HTTP/1.1 201 Created
Server: nginx
Date: Thu, 25 Jul 2019 12:27:45 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
Docker-Content-Digest: sha256:a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
Docker-Distribution-Api-Version: registry/2.0
Location: http://reg.myharbor.com/v2/registry-share-private/push-mount/blobs/sha256:a8325e15f27f6d97d6b39264e402d9ee9d53f721c1c6d83cc3e39e9c1ceeec8f
Set-Cookie: beegosessionID=28c3b965f60774b92c3f9eb4c7e75b02; Path=/; HttpOnly

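This avoids uploading duplicate layers again and speeds up the push.

Handling a mount really just means generating the corresponding layer's information and placing it under the _layers directory.

3. Some layers already exist in another repository and the user has no read permission


For layers that already exist but that the user has no permission on, the client has to upload them again, yet in the end only one copy is stored. When the file system performs the move, it first checks whether the destination path exists, and does not overwrite it if it does. You can check this against the registry source code.


4. The image already exists


For an image that already exists, the HEAD request returns 200 directly, meaning no upload is needed.

The image download flow is basically the reverse of the upload flow, so it is not covered in detail here.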

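III. Image management and security

  1. Registry management
  • An image registry is key infrastructure for storing and managing container images; it may be a public registry (such as Docker Hub) or a private one. When using a public registry, pay attention to the origin and security of images, and avoid images that are unauthorized or carry security risks. For an enterprise's internal private registry, establish a complete image-management process covering upload, download, version control and permission management. For example, the enterprise can define user roles with different levels of access to the images in the private registry: administrators can upload and delete images, while developers can download and use them.
  2. Security scanning and vulnerability management of images
  • A container image may contain many software components, and those components may have security vulnerabilities, so scanning images is essential. Dedicated image scanning tools can detect vulnerabilities in an image so that they can be fixed promptly. For example, scan an image before building and deploying it; if a high-severity vulnerability is found, stop the deployment and fix the image to keep the application secure. Image signing and verification can likewise be used to ensure that an image comes from a reliable source and to prevent malicious images from being used.
  3. Resource utilization and cost control
  • Although container images are relatively lightweight, storage and network transfer costs still matter at large scale. Reducing image size (for example by choosing a suitable base image and removing unnecessary files during the build) lowers storage and transfer costs. Making good use of layered storage and layer sharing also improves server resource utilization, so that more container instances can run on limited hardware and cost-effectiveness is maximized.

In summary, container images are an indispensable part of container technology: they give applications a reliable, efficient and consistent runtime environment. A systematic understanding of container images makes it easier to follow where this technology is heading and where it applies, and to bring more value to the enterprise.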


