基于Harbor搭建docker registry

基于Harbor搭建docker registry

环境

本文记录一下在Centos7.3操作系统上,基于Harbor来搭建docker registry。当前环境为:

# cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

# uname -a
Linux bogon 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# docker --version
Docker version 17.12.1-ce, build 7390fc6
# docker-compose --version
docker-compose version 1.20.1, build 5d8c71b

1. Harbor简介

Harbor工程是一个企业级的镜像服务器,用于存储和分发Docker镜像。Harbor扩展了开源软件Docker Distribution,添加了如securityidentitymanagement等功能。作为一个企业级的私有镜像仓库,Harbor提供了更好的性能和安全性。Harbor支持建立多个registries,并提供这些仓库间镜像的复制能力。Harbor也提供了更加先进的安全特性,比如用户管理、访问控制、活动审计。

Harbor特性:

  • 基于角色的访问控制: usersrepositories都是以projects的方式组织的。在一个project下面,每一个用户对镜像有不同的全向。

  • 基于策略的镜像复制: 在多个registry之间镜像可以同步,并且在出现错误的时候可以进行自动重试。在负载均衡、高可用性、多数据中心和异构云环境下都表现出色。

  • 脆弱性扫描(Vulnerability Scanning): Harbor会周期性的扫描镜像,然后警告用户相应的脆弱性

  • LDAP/AD支持: Harbor可以和已存在的企业版LDAP/AD系统集成,以提供用户认证和管理

  • 镜像删除 & 垃圾回收: Images可以被删除,然后回收它们所占用的空间

  • 可信任(Notary): 可以确保镜像的真实性

  • 用户界面(Graphical user portal): 用户可以人容易的浏览、搜索仓库和管理工程

  • 审计(Auditing): 所有对仓库的操作都会被跟踪记录

  • RESTful API: 对于大部分的管理操作都提供了RESTful API, 很容易和外部系统进行集成

  • 易部署: 提供了离线和在线安装

2. Harbor的安装

这里介绍的是通过Harbor安装文件的方式来安装Harbor。在Linux操作系统上至少需要如下环境:

2.1 下载Harbor离线安装包

到Harbor Release页面下载对应的离线安装包,目前我们下载最新版本v1.4.0:

# mkdir /opt/harbor-inst
# cd /opt/harbor-inst

# wget https://storage.googleapis.com/harbor-releases/release-1.4.0/harbor-offline-installer-v1.4.0.tgz

2.2 目标主机相关配置推荐

Harbor部署完后会运行多个Docker containers,因此可以部署在任何支持docker的Linux发布版本上。部署的目标主机需要安装Python, DockerDocker Compose

硬件环境:

Resource Capacity Description
CPU minimal 2 CPU 4 CPU is prefered
Mem minimal 4GB 8GB is preffered
Disk minimal 40GB 160GB is preffered

软件环境

Software Version Description
Python version 2.7 or higher 注意: 在有一些Linux发布版本(Gentoo、Arch)默认没有安装Python,此时你必须手动安装
Docker Engine version 1.10 or higher 具体安装手册,请参看相关文档:https://docs.docker.com/engine/installation/
Docker Compose version 1.6.0 or higher 具体安装手册,请参看相关文档:https://docs.docker.com/compose/install/
Openssl latest is preffered 用于为Harbor产生证书和秘钥

网络端口

Port Protocol Description
443 HTTPS 在https协议下,Harbor UI与API将会在本端口上接收请求
4443 HTTPS Harbor的Docker Content Trust service将会连接到本端口,只在Notary启用时使用
80 HTTP 在http协议下,Harbor UI与API将会在本端口上接收请求

我们当前的硬件环境:

//物理CPU个数
# cat /proc/cpuinfo| grep "physical id"| sort| uniq| wc -l
1

//每个CPU核数
# cat /proc/cpuinfo| grep "cpu cores"| uniq
cpu cores       : 4

//逻辑CPU个数
# cat /proc/cpuinfo  | grep processor
processor       : 0
processor       : 1
processor       : 2
processor       : 3

# cat /proc/meminfo | grep MemTotal
MemTotal:       10058704 kB

#  fdisk -l | grep Disk
Disk /dev/sda: 85.9 GB, 85899345920 bytes, 167772160 sectors
Disk label type: dos
Disk identifier: 0x000c3eb0

我们当前软件环境

# python --version
Python 2.7.5

# docker --version
Docker version 17.12.1-ce, build 7390fc6

# docker-compose --version
docker-compose version 1.20.1, build 5d8c71b

# openssl version -v
OpenSSL 1.0.2k-fips  26 Jan 2017

2.3 安装步骤

安装Harbor一般遵循如下步骤:

  • 下载Harbor installer

  • 配置harbor.cfg

  • 运行install.sh脚本进行安装并启动harbor

2.3.1 解压harbor安装包

我们在上面下载了harbor安装包,这里解压:

# pwd
/opt/harbor-inst

# ls
harbor-offline-installer-v1.4.0.tgz

# tar -zxvf harbor-offline-installer-v1.4.0.tgz 
# cd harbor

2.3.2 配置Harbor

Harbor配置参数处于harbor.cfg文件中。在harbor.cfg配置文件中,有两大类参数: 必填参数可选参数

  • required parameters: 这些参数在配置文件中必须填写。在更新harbor.cfg配置文件后,调用install.sh重新安装Harbor,这些参数就会起作用

  • optional parameters: 这些参数在更新时是可选的。例如, 用户可以先让这些参数取默认值,然后在Harbor启动后在Web UI上来进行修改。假如这些参数在harbor.cfg中也进行了配置,那么只在第一次启动harbor有效。后续再对harbor.cfg进行更新将会被忽略。

Note: 假如你选择通过Web UI的方式来更改这些参数,确保在Harbor启动之后马上进行更改。通常,你必须在注册或创建新的用户之前设置auth_mode。
当Harbor系统中有用户之后(出admin管理用户外),auth_mode是不能被修改的

如下所描述的参数,你至少需要更改hostname属性:

Required parameters:

  • hostname: 目标主机的hostname名称,被用于访问WebUI和registry服务。其可以被设置为IP地址,或者你目标机器的全限定域名。例如: 192.168.1.10或者reg.yourdomain.com。注意不要将hostname设置为localhost或者127.0.0.1, registry服务需要能够被外网访问的到。

  • ui_url_protocol: 可以设置为http或者https,默认值为http。该协议被用于访问Web UI和token/notification服务。假如Notary被使能的话,则必须设置为https。默认情况下采用http协议,要想设置为https,请参看Configuring Harbor with HTTPS Access

  • db_password: 当auth采用db_auth方式时,用于设置MySQL数据库的密码。请在任何实际生产环境中,修改此密码

  • max_job_workers: 用于设置job service中replicationworker的最大数(默认为3)。对于每一个image replication任务,一个worker会同步repository中所有tags到远程目标地址。增大本字段的值,允许在一个系统中有更多的并发复制进程。然而,每个replication worker都会消耗一定数量的network/CPU/IO资源,请基于你当前的硬件环境选择一个合适的值。

  • customize_crt: 可以被设置为on或者off,默认值为on。当本属性设置为on时,prepare脚本会创建一个private keyroot certificate,以用于registry token的验证。假如本属性被设置为off的话,你可以自己手动来产生private keyroot certificate。请参看:Customize Key and Certificate of Harbor Token Service

  • ssl_cert: SSL certificate路径,当协议被设置为https时使用

  • ssl_cert_key: SSL key路径,当协议被设置为https时使用

  • secretkey_path: 用于加密和机密远程registry密码的key路径

  • log_rotate_count: 用于设置日志在回滚多少次之后被删除。假如被设置为0,则日志不会被回滚,而是会被直接删除

  • log_rotate_size: 用于设置日志在多大时会进行回滚,单位可以是K/M/G,分别表示KB/MB/GB。

Optional parameters:

  • Email settings: 这些信息主要是为了重置Harbor密码时使用,通常情况下我们并不需要。

  • harbor_admin_password: 用于设置管理员初始密码。该密码只在Harbor第一次启动时有效。启动之后该密码将会被忽略,Administrator的密码应该在UI中进行设置。注意,默认的用户名/密码为admin/Harbor12345

  • auth_mode: 用户认证的类型,默认情况下为db_auth,这种情况下用户名密码被存放在数据库中。如果要使用LDAP认证的话,请将此字段设置为ldap_auth

IMPORTANT: 当要从一个已存在的Harbor实例升级的时候,你必须确保在harbor.cfg中配置的auth_mode是相同的,否则在更新后可能会造成用户不能正常登录
  • ldap_url: LDAP端点的URL(例如:ldaps://ldap.mydomain.com)。只在auth_mode被设置为ldap_auth时使用

  • ldap_searchdnldap_search_pwdldap_basednldap_filterldap_uidldap_scope

  • self_registration: 可选值为on/off,默认为on。本选项用于使能或禁止注册成为本系统的账户。当被禁止时,新用户只能由admin用户来创建,在Harbor中只有admin用户可以创建新用户。注意: 当auth_mode被设置为ldap_auth时,self-registration功能总是会被禁止,并且此选项会被忽略。

  • token_expiration: token创建多长时间之后会过期,默认是30min

  • project_creation_restriction: 本flag用于控制哪些用户有权限来创建projects。默认情况下,任何用户都可以创建project,假如设置为adminonly,则只有admin用户可以创建project。

2.3.3 配置存储后端(可选)

默认情况下,Harbor存储镜像到本地文件系统。在实际的生产环境下,你可以采用其他的存储后端来代替本地文件系统,例如可以采用S3、OpenStack Swift、Ceph等。而这你需要修改的文件是common/templates/registry/config.ymlstorage字段。例如,假如你需要配置存储后端为Openstack swift,则storage段类似如下:

storage:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images

想要了解详细的后端存储配置,请参看Registry Configuration Reference

2.4 完成安装并启动Harbor

一旦harbor.cfg及存储后端(可选)完成配置,使用install.sh脚本完成安装并启动Harbor。

1) 默认安装(without Notary/Clair)

Harbor已经集成了Notary/Clair(用于vulnerability scanning)。然而,默认的安装并不包含Notary/Clair:

# sudo ./install.sh

假如一切工作正常的话,你可以打开一个用户界面,然后访问后台管理页面http://reg.yourdomain.com/(注意这里请将reg.yourdomain.com替换为你在harbor.cfg中配置的hostname字段的值),默认的后台管理username/password为admin/Harbor12345

登录admin管理页面,然后创建一个新的工程,例如myproject,你可以使用docker命令来登录并push镜像(默认情况下,registry server监听在80端口上):

# docker login reg.yourdomain.com
# docker push reg.yourdomain.com/myproject/myrepo:mytag

IMPORTANT: 默认情况下安装Harbor,使用的是http协议。这样你必须为docker daemon添加--insecure-registry,并重启docker daemon服务

2) Installation with Notary

要安装带Notary服务的Harbor,你可以在运行install.sh脚本时添加一个参数:

# sudo ./install.sh --with-notary

NOTE: 要让Harbor支持Notary服务的话,ui_url_protocol必须配置为https。要配置https,请参考另外的章节

要了解更多关于NotaryDocker Content Trust相关信息,请参看docker相关文档:Docker Content Trust

3) Installation with Clair

要安装带Clair服务的Harbor,你可以在运行install.sh脚本时添加一个参数:

# sudo ./install.sh --with-clair

要想了解更多Clair相关信息,请参看Clair文档

注意: 假如要同时支持Notary与Clair,你必须在同一个命令中同时指定这两个参数:

# sudo ./install.sh --with-notary --with-clair

欲了解更多Harbor的使用,请参看User Guide of Harbor

3. 配置Harbor以支持https访问

Harbor本身在发布时并不提供任何证书,默认情况下,其使用http来提供相应服务。这使得Harbor可以相对容易来建立及运行,特别是在开发及测试环境中,这很重要。然而在实际的生产环境中,并不建议采用http。要使能https,请参看Configuring Harbor with HTTPS Access

4. Harbor生命周期管理

你可以使用docker-compose来管理Harbor的生命周期,下面列出一些常用的命令(说明必须在docker-compose.yml文件所在目录运行):

1) 停止Harbor

# sudo docker-compose stop
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-log ... done

2) 在Harbor停止后,重启Harbor

# sudo docker-compose start
Starting log ... done
Starting ui ... done
Starting mysql ... done
Starting jobservice ... done
Starting registry ... done
Starting proxy ... done

3) 如果要改变Harbor的配置,首先要停止当前已存在的Harbor实例,然后更新harbor.cfg。然后再运行prepare脚本更新配置文件,最后再重新创建并启动Harbor实例

# sudo docker-compose down -v
# vim harbor.cfg
# sudo prepare
# sudo docker-compose up -d

4) 移除Harbor容器,但保留文件系统上的image data及Harbor数据库

# sudo docker-compose down -v

5) 移除Harbor数据库及image data(用于干净环境下Harbor重装)

# rm -rf /data/database
# rm -rf /data/registry

4.1 Harbor with Notary生命周期管理

当Harbor被安装支持Notary服务时,需要给docker-compose提供一个额外的模板文件docker-compose.notary.yml。docker-compose管理Harbor生命周期的命令:

# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml [ up|down|ps|stop|start ]

例如,假如你想要改变harbor.cfg配置文件,并重新部署带Notary服务的Harbor,那么你可以用如下的命令:

# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml down -v
# vim harbor.cfg
# sudo prepare --with-notary
# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml up -d

4.2 Harbor with Clair生命周期管理

当Harbor被安装支持Clair服务时,需要给docker-compose提供一个额外的模板文件docker-compose.clair.yml。docker-compose管理Clair生命周期的命令:

#  sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.clair.yml [ up|down|ps|stop|start ]

例如,假如你想要改变harbor.cfg配置文件,并重新部署带Clair服务的Harbor,那么你可以用如下的命令:

# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.clair.yml down -v
# vim harbor.cfg
# sudo prepare --with-clair
# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.clair.yml up -d

4.3 Harbor with Notary and Clair生命周期管理

假如你安装了同时支持Notary及Clair服务的Harbor,你应该在docker-compose命令中包含两个组件:

# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml down -v
# vim harbor.cfg
# sudo prepare --with-notary --with-clair
# sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml up -d

请参看Docker Compose command-line reference以了解更多docker-compose的用法。

5. 持久化数据及日志文件

默认情况下,registry的数据会被持久化到主机的/data/目录。即使在容器被移除或者重新创建的情况下,这些数据都会维持不变。

另外,Harbor使用rsyslog来收集每一个容器的日志。默认情况下,这些日志文件都被存储在/var/log/harbor目录下,我们可以使用这些日志来处理一些相关问题。

6. 定制化Harbor监听端口

默认情况下,Harbor会监听80端口(http)和443端口(假如配置了https),以此来处理Harbor的后台管理操作及支持docker的相关命令。你也可以对这些端口进行相应的定制。

6.1 定制http协议端口

1) 修改docker-compose.yml文件

替换第一个80端口为一个定制化指定端口,例如8888:80:

proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 8888:80
      - 443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"

2) 修改harbor.cfg文件,添加端口到hostname参数

hostname = 192.168.0.2:8888

3) 重新部署Harbor

请参看前面”Harbor生命周期管理”相关章节。

6.2 定制https协议端口

1) 在Harbor中使能HTTPS

请参看相关章节。

2) 修改docker-compose.yml文件

将第一个443端口替换为一个定制化指定端口,例如8888:80:

proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 80:80
      - 8888:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"

3) 修改harbor.cfg文件,添加端口到hostname参数

hostname = 192.168.0.2:8888

4) 重新部署Harbor

请参看前面”Harbor生命周期管理”相关章节。

7. 性能调优

默认情况下,Harbor会限制Clair容器的的CPU使用率为15000来避免其占用所有的CPU资源。这是在docker-compose.clair.yml文件中进行配置的。你可以根据你的硬件配置进行相应的修改。

8. Troubleshooting

1) 当Harbor不能正常工作时,通过运行如下的命令来找出是否所有的容器都处于UP状态

# sudo docker-compose ps
        Name                     Command               State                    Ports                   
  -----------------------------------------------------------------------------------------------------
  harbor-db           docker-entrypoint.sh mysqld      Up      3306/tcp                                 
  harbor-jobservice   /harbor/harbor_jobservice        Up                                               
  harbor-log          /bin/sh -c crond && rsyslo ...   Up      127.0.0.1:1514->514/tcp                    
  harbor-ui           /harbor/harbor_ui                Up                                               
  nginx               nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp 
  registry            /entrypoint.sh serve /etc/ ...   Up      5000/tcp 

假如有一个container不是处于UP状态,请检查/var/log/harbor目录下该容器的日志。例如,假如harbor-ui没有运行的话,你可以查询ui.log日志文件。

  1. 当在一个Nginx代代理或ELB(elastic load balancing)后端建立Harbor时,请在common/templates/nginx/nginx.http.conf文件中查询如下行:

proxy_set_header X-Forwarded-Proto $scheme;

假如代理中已经有类似于location /, location /v2/ 与 location /service/的设置,请将其从所在section移除,然后根据上面Harbor生命周期管理相关章节重新部署Harbor。

9. 部署示例

前面我们已经下载并解压好了harbor,这里我们进入解压好的根目录:

# cd /opt/harbor-inst/harbor
# ls
common  docker-compose.clair.yml  docker-compose.notary.yml  docker-compose.yml  ha  harbor.cfg  harbor.v1.4.0.tar.gz  install.sh  LICENSE  NOTICE  prepare

我们当前ip地址为192.168.69.128, 用netstat查看80443等端口也没有被占用。

1) 修改harbor.cfg的hostname字段

hostname = 192.168.69.128

2) 执行install.sh脚本

# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 17.12.1

Note: docker-compose version: 1.20.1

[Step 1]: loading Harbor images ...
651f69aef02c: Loading layer [==================================================>]  135.8MB/135.8MB
40a1aad64343: Loading layer [==================================================>]  23.24MB/23.24MB
3fe2713e4072: Loading layer [==================================================>]  12.16MB/12.16MB
ba3a1eb0e375: Loading layer [==================================================>]   17.3MB/17.3MB
447427ec5e1a: Loading layer [==================================================>]  15.87kB/15.87kB
4ccb4026663c: Loading layer [==================================================>]  3.072kB/3.072kB
16faa95946a1: Loading layer [==================================================>]  29.46MB/29.46MB
Loaded image: vmware/notary-server-photon:v0.5.1-v1.4.0
fa7ba9fd42c9: Loading layer [==================================================>]  10.95MB/10.95MB
4e400f9ae23e: Loading layer [==================================================>]   17.3MB/17.3MB
2802fb27c88b: Loading layer [==================================================>]  15.87kB/15.87kB
e6367a4e1e1e: Loading layer [==================================================>]  3.072kB/3.072kB
8ece8dfcdd98: Loading layer [==================================================>]  28.24MB/28.24MB
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.4.0
a7dd1a8afcaf: Loading layer [==================================================>]  396.7MB/396.7MB
05adebbe496f: Loading layer [==================================================>]  9.216kB/9.216kB
86eb534949fa: Loading layer [==================================================>]  9.216kB/9.216kB
d7f127c69380: Loading layer [==================================================>]   7.68kB/7.68kB
5ac1c4dc5ee9: Loading layer [==================================================>]  1.536kB/1.536kB
d0bec56b5b1a: Loading layer [==================================================>]  9.728kB/9.728kB
4bbe83860556: Loading layer [==================================================>]   2.56kB/2.56kB
e526f9e6769f: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: vmware/harbor-db:v1.4.0
1cff102bbda2: Loading layer [==================================================>]  154.1MB/154.1MB
04c9f3e07de1: Loading layer [==================================================>]  10.75MB/10.75MB
7b6c7bf54f5c: Loading layer [==================================================>]  2.048kB/2.048kB
42f8acdb7fe3: Loading layer [==================================================>]  48.13kB/48.13kB
5b6299d0a1df: Loading layer [==================================================>]   10.8MB/10.8MB
Loaded image: vmware/clair-photon:v2.0.1-v1.4.0
6534131f457c: Loading layer [==================================================>]  94.76MB/94.76MB
73f582101e4b: Loading layer [==================================================>]  6.656kB/6.656kB
86d847823c48: Loading layer [==================================================>]  6.656kB/6.656kB
Loaded image: vmware/postgresql-photon:v1.4.0
5cd250d5a352: Loading layer [==================================================>]  23.24MB/23.24MB
ad3fd52b54f3: Loading layer [==================================================>]  14.99MB/14.99MB
13b1e24cc368: Loading layer [==================================================>]  14.99MB/14.99MB
Loaded image: vmware/harbor-adminserver:v1.4.0
c26c69706710: Loading layer [==================================================>]  23.24MB/23.24MB
223f6fe02cc8: Loading layer [==================================================>]  23.45MB/23.45MB
1fc843c8698a: Loading layer [==================================================>]  7.168kB/7.168kB
e09293610ee7: Loading layer [==================================================>]  10.39MB/10.39MB
d59f9780b1d8: Loading layer [==================================================>]  23.44MB/23.44MB
Loaded image: vmware/harbor-ui:v1.4.0
dd4753242e59: Loading layer [==================================================>]  73.07MB/73.07MB
95aed61ca251: Loading layer [==================================================>]  3.584kB/3.584kB
1864f9818562: Loading layer [==================================================>]  3.072kB/3.072kB
da2a19f80b81: Loading layer [==================================================>]  4.096kB/4.096kB
058531639e75: Loading layer [==================================================>]  3.584kB/3.584kB
a84e69fb619b: Loading layer [==================================================>]  10.24kB/10.24kB
Loaded image: vmware/harbor-log:v1.4.0
b1056051f246: Loading layer [==================================================>]  23.24MB/23.24MB
07678065e08b: Loading layer [==================================================>]  19.19MB/19.19MB
a2d9bdb8f5fb: Loading layer [==================================================>]  19.19MB/19.19MB
Loaded image: vmware/harbor-jobservice:v1.4.0
7f58ce57cd5e: Loading layer [==================================================>]  4.805MB/4.805MB
Loaded image: vmware/nginx-photon:v1.4.0
4c8965978b77: Loading layer [==================================================>]  23.24MB/23.24MB
1466c942edde: Loading layer [==================================================>]  2.048kB/2.048kB
ac5c17331735: Loading layer [==================================================>]  2.048kB/2.048kB
86824c7c466a: Loading layer [==================================================>]  2.048kB/2.048kB
fd3bd0e70d67: Loading layer [==================================================>]   22.8MB/22.8MB
b02195d77636: Loading layer [==================================================>]   22.8MB/22.8MB
Loaded image: vmware/registry-photon:v2.6.2-v1.4.0
Loaded image: vmware/photon:1.0
Loaded image: vmware/mariadb-photon:v1.4.0
454c81edbd3b: Loading layer [==================================================>]  135.2MB/135.2MB
e99db1275091: Loading layer [==================================================>]  395.4MB/395.4MB
051e4ee23882: Loading layer [==================================================>]  9.216kB/9.216kB
6cca4437b6f6: Loading layer [==================================================>]  9.216kB/9.216kB
1d48fc08c8bc: Loading layer [==================================================>]   7.68kB/7.68kB
0419724fd942: Loading layer [==================================================>]  1.536kB/1.536kB
526b2156bd7a: Loading layer [==================================================>]  637.8MB/637.8MB
9ebf6900ecbd: Loading layer [==================================================>]  78.34kB/78.34kB
Loaded image: vmware/harbor-db-migrator:1.4

[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

[Step 3]: checking existing instance of Harbor ...

[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating harbor-db          ... done
Creating registry           ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.69.128\. 
For more details, please visit https://github.com/vmware/harbor .

3) 查询Harbor运行状态

# docker ps
CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                            PORTS                                                              NAMES
10b95448f80f        vmware/nginx-photon:v1.4.0             "nginx -g 'daemon of…"   5 seconds ago       Up 4 seconds                      0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
64893e6ba9d3        vmware/harbor-jobservice:v1.4.0        "/harbor/start.sh"       5 seconds ago       Up 4 seconds (health: starting)                                                                      harbor-jobservice
62220b07e57f        vmware/harbor-ui:v1.4.0                "/harbor/start.sh"       5 seconds ago       Up 5 seconds (health: starting)                                                                      harbor-ui
ce166d26724e        vmware/harbor-db:v1.4.0                "/usr/local/bin/dock…"   7 seconds ago       Up 6 seconds (health: starting)   3306/tcp                                                           harbor-db
a62d8f460c35        vmware/registry-photon:v2.6.2-v1.4.0   "/entrypoint.sh serv…"   7 seconds ago       Up 5 seconds (health: starting)   5000/tcp                                                           registry
5e5e4bcee123        vmware/harbor-adminserver:v1.4.0       "/harbor/start.sh"       7 seconds ago       Up 6 seconds (health: starting)                                                                      harbor-adminserver
cb6dbc564382        vmware/harbor-log:v1.4.0               "/bin/sh -c /usr/loc…"   7 seconds ago       Up 6 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log

4) 访问

首先我们用curl命令访问一下:

# curl -X GET http://192.168.69.128 -k -IL
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Apr 2018 02:43:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 810
Connection: keep-alive
Set-Cookie: beegosessionID=1720767232a3cdcb58a54cd13eead058; Path=/; HttpOnly

然后我们再用浏览器访问。

5) 向Harbor push/pull镜像

  • 停止Harbor
# docker-compose stop
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-db          ... done
Stopping registry           ... 
Stopping registry           ... done
Stopping harbor-adminserver ... done
Stopping harbor-log         ... done
  • 修改dockerd启动脚本

这里修改/lib/systemd/system/docker.service文件,将ExecStart修改为:

ExecStart=/usr/bin/dockerd \
        --insecure-registry=192.168.69.128 \
        -H tcp://0.0.0.0:2375 \
        -H unix://var/run/docker.sock \
        -H tcp://0.0.0.0:7654

上面添加了--insecure-registry选项。然后执行再执行如下命令重启dockerd:

# systemctl daemon-reload

# systemctl restart docker

6) 重启Harbor

# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting mysql       ... done
Starting adminserver ... done
Starting ui          ... done
Starting jobservice  ... done
Starting proxy       ... done
# docker ps
CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                            PORTS                                                              NAMES
10b95448f80f        vmware/nginx-photon:v1.4.0             "nginx -g 'daemon of…"   21 minutes ago      Up Less than a second             0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
64893e6ba9d3        vmware/harbor-jobservice:v1.4.0        "/harbor/start.sh"       21 minutes ago      Up 4 seconds (health: starting)                                                                      harbor-jobservice
62220b07e57f        vmware/harbor-ui:v1.4.0                "/harbor/start.sh"       21 minutes ago      Up 4 seconds (health: starting)                                                                      harbor-ui
ce166d26724e        vmware/harbor-db:v1.4.0                "/usr/local/bin/dock…"   21 minutes ago      Up 57 seconds (healthy)           3306/tcp                                                           harbor-db
a62d8f460c35        vmware/registry-photon:v2.6.2-v1.4.0   "/entrypoint.sh serv…"   21 minutes ago      Up 57 seconds (healthy)           5000/tcp                                                           registry
5e5e4bcee123        vmware/harbor-adminserver:v1.4.0       "/harbor/start.sh"       21 minutes ago      Up 4 seconds (health: starting)                                                                      harbor-adminserver
cb6dbc564382        vmware/harbor-log:v1.4.0               "/bin/sh -c /usr/loc…"   21 minutes ago      Up 57 seconds (healthy)           127.0.0.1:1514->10514/tcp                                          harbor-log

7) 往Harbor中push/pull镜像

  • 登录
# docker login 192.168.69.128
Username: admin
Password: 
Login Succeeded
  • 重新为镜像打tag
# docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
test-image                    latest              fe9c46d12863        7 days ago          195MB
friendlyhello                 latest              f2ae8dec6267        9 days ago          150MB
redis                         alpine              c27f56585938        3 weeks ago         27.7MB

//这里我们用Harbor中的默认库
# docker tag redis:alpine 192.168.69.128/library/redis:alpine
# docker images | grep redis
192.168.69.128/library/redis          alpine              c27f56585938        3 weeks ago         27.7MB
redis                         alpine              c27f56585938        3 weeks ago         27.7MB
  • 上传镜像到Harbor
# docker push 192.168.69.128/library/redis:alpine
The push refers to repository [192.168.69.128/library/redis]
f6b9463783dc: Pushed 
222a85888a99: Pushed 
1925395eabdd: Pushed 
c3d278563734: Pushed 
ad9247fe8c63: Pushed 
cd7100a72410: Pushed 
alpine: digest: sha256:9d017f829df3d0800f2a2582c710143767f6dda4df584b708260e73b1a1b6db3 size: 1568

然后我们登录网站,可以看到镜像上传成功。(注: 这里Harbor默认采用Www-Authenticate: Bearer认证)

  • 下载镜像
//这里我们先把原来本地的镜像删除
# docker rmi 192.168.69.128/library/redis:alpine

//从Harbor镜像库拉取镜像
# docker pull 192.168.69.128/library/redis:alpine
alpine: Pulling from library/redis
Digest: sha256:9d017f829df3d0800f2a2582c710143767f6dda4df584b708260e73b1a1b6db3
Status: Downloaded newer image for 192.168.69.128/library/redis:alpine

[参考]

  1. harbor官网

  2. Centos7上Docker仓库Harbor的搭建

你可能感兴趣的:(基于Harbor搭建docker registry)