Although the previous article introduced Docker's own private registry, Registry, which can meet the needs of small companies or teams, it still falls short in some large enterprise environments. This article therefore introduces an enterprise-grade image registry: Harbor.

Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It provides role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese-language support, among other features. Harbor's GitHub repository is https://github.com/goharbor/harbor , which contains a detailed introduction. Below we try deploying a Harbor image registry on CentOS 7.
1. Environment preparation

Harbor is deployed as a set of Docker containers, so it can be installed on any Linux distribution that supports Docker. The prerequisites are that Docker, Python and Docker Compose are installed first.
Hardware requirements:

| Resource | Capacity | Description |
|---|---|---|
| CPU | minimal 2 CPU | 4 CPU is preferred |
| Mem | minimal 4GB | 8GB is preferred |
| Disk | minimal 40GB | 160GB is preferred |

Software requirements:

| Software | Version | Description |
|---|---|---|
| Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine | version 1.10 or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |
Network ports:

| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor portal and core API will accept requests on this port for https protocol |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
| 80 | HTTP | Harbor portal and core API will accept requests on this port for http protocol |
```
[root@centos7 ~]# grep processor /proc/cpuinfo |wc -l
2
[root@centos7 ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           3774         138        3363           8         272        3363
Swap:          3071           0        3071
[root@centos7 ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@centos7 ~]# python -V
Python 2.7.5
[root@centos7 ~]# docker --version
Docker version 1.13.1, build 8633870/1.13.1
```
2. Download the Harbor offline installer

Harbor can be installed either online or offline; the offline installer is normally used. The latest offline package can be downloaded from https://github.com/goharbor/harbor/releases ; at the time of writing the latest version is 1.7.4.
3. Install Docker

Docker was already installed earlier, so this step is skipped.

4. Install Docker Compose
```
[root@centos7 ~]# wget https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m`
[root@centos7 ~]# ll docker-compose*
-rw-r--r-- 1 root root 8273264 May 26  2017 docker-compose-Linux-x86_64
[root@centos7 ~]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
[root@centos7 ~]# chmod +x /usr/bin/docker-compose
[root@centos7 ~]# docker-compose --version
docker-compose version 1.13.0, build 1719ceb
```
5. Self-signed TLS certificate
```
[root@centos7 opt]# tar -zxf harbor-offline-installer-v1.7.4.tgz
[root@centos7 opt]# cd harbor
[root@centos7 harbor]# mkdir ssl
[root@centos7 harbor]# cd ssl
[root@centos7 ssl]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................++
........................................................................................................................................................................................++
e is 65537 (0x10001)
[root@centos7 ssl]# ll
total 4
-rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key
[root@centos7 ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=IT/CN=contoso.com" \
> -key ca.key \
> -out ca.crt
[root@centos7 ssl]# ll
total 8
-rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt
-rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key
[root@centos7 ssl]# openssl genrsa -out harbor.contoso.com.key 4096
Generating RSA private key, 4096 bit long modulus
................++
.......................++
e is 65537 (0x10001)
[root@centos7 ssl]# ll
total 12
-rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt
-rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key
-rw-r--r-- 1 root root 3247 Mar 16 13:35 harbor.contoso.com.key
[root@centos7 ssl]# openssl req -sha512 -new \
> -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=IT/CN=contoso.com" \
> -key harbor.contoso.com.key \
> -out harbor.contoso.com.csr
[root@centos7 ssl]# ll
total 16
-rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt
-rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key
-rw-r--r-- 1 root root 1691 Mar 16 13:38 harbor.contoso.com.csr
-rw-r--r-- 1 root root 3247 Mar 16 13:35 harbor.contoso.com.key
[root@centos7 ssl]# cat > v3.ext <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=contoso.com
> DNS.2=contoso
> DNS.3=centos7
> EOF
[root@centos7 ssl]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in harbor.contoso.com.csr \
> -out harbor.contoso.com.crt
Signature ok
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=IT/CN=contoso.com
Getting CA Private Key
[root@centos7 ssl]# ll
total 28
-rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt
-rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key
-rw-r--r-- 1 root root   17 Mar 16 13:43 ca.srl
-rw-r--r-- 1 root root 2061 Mar 16 13:43 harbor.contoso.com.crt
-rw-r--r-- 1 root root 1691 Mar 16 13:38 harbor.contoso.com.csr
-rw-r--r-- 1 root root 3247 Mar 16 13:35 harbor.contoso.com.key
-rw-r--r-- 1 root root  259 Mar 16 13:42 v3.ext
```
6. Install and configure Harbor
```
[root@centos7 harbor]# cp harbor.cfg harbor.cfg.ori
[root@centos7 harbor]# vi harbor.cfg
[root@centos7 harbor]# diff harbor.cfg.ori harbor.cfg
8c8
< hostname = reg.mydomain.com
---
> hostname = harbor.contoso.com
12c12
< ui_url_protocol = http
---
> ui_url_protocol = https
24,25c24,25
< ssl_cert = /data/cert/server.crt
< ssl_cert_key = /data/cert/server.key
---
> ssl_cert = ./ssl/harbor.contoso.com.crt
> ssl_cert_key = ./ssl/harbor.contoso.com.key
[root@centos7 harbor]# ./prepare
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@centos7 harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 1.13.1
Note: docker-compose version: 1.13.0
[Step 1]: loading Harbor images ...
......
[Step 2]: preparing environment ...
......
[Step 3]: checking existing instance of Harbor ...
......
[Step 4]: starting Harbor ...
......
----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://harbor.contoso.com.
For more details, please visit https://github.com/goharbor/harbor .
```
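A Docker client verifies the registry hostname against the dNSName entries in the certificate's subjectAltName, so the `[alt_names]` written to v3.ext in step 5 must include the `hostname` set in harbor.cfg. The following Python is an added example, not part of the original post: it parses that v3.ext (reconstructed inline from step 5) and reports which SAN covers a given hostname, applying the single-label wildcard rule; run against this page's values it finds `contoso.com` covered but `harbor.contoso.com` not.

```python
"""Check whether the DNS names in an OpenSSL v3.ext [alt_names] section cover
the hostname that harbor.cfg advertises. V3_EXT is constructed from step 5."""
import re

# Constructed sample: the extension file written in step 5 of this page.
V3_EXT = """\
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=contoso.com
DNS.2=contoso
DNS.3=centos7
"""

def parse_alt_names(ext_text):
    """Return the DNS.N values of the [alt_names] section, lower-cased, in order."""
    names, in_section = [], False
    for raw in ext_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # an INI-style section header
            in_section = line == "[alt_names]"
            continue
        m = re.match(r"DNS\.\d+\s*=\s*(\S+)$", line)
        if in_section and m:
            names.append(m.group(1).lower())
    return names

def san_matches(hostname, san):
    """RFC 6125-style match of a hostname against one dNSName SAN: exact match, or
    a '*.example.com' wildcard whose '*' stands for exactly one label (it covers
    neither example.com itself nor a.b.example.com; a bare '*.com' is rejected)."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if "*" not in san:
        return host == san
    if not san.startswith("*.") or "*" in san[2:] or san.count(".") < 2:
        return False
    return (host.endswith(san[1:]) and host.count(".") == san.count(".")
            and not host.startswith("."))

def covered_by(hostname, ext_text):
    """Return the SAN covering hostname, or None when a certificate issued with
    ext_text would fail hostname verification for it (e.g. at docker login)."""
    for name in parse_alt_names(ext_text):
        if san_matches(hostname, name):
            return name
    return None
```

`covered_by("harbor.contoso.com", V3_EXT)` returns None for the v3.ext above; adding a `DNS.4=harbor.contoso.com` (or `*.contoso.com`) entry before signing makes it pass.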
7. Accessing Harbor from the Docker host

Because the Docker host runs as a VMware Workstation virtual machine, I need to access Harbor from the VMware Workstation host machine. First, configure that machine's hosts file and add an entry resolving the Harbor domain name:

```
192.168.49.40 harbor.contoso.com   # this IP address is the Docker host's IP address
```

Then open it in a browser:

Log in with the account and password specified in the Harbor configuration file, as shown:

The initial UI is shown in the screenshot above; the system's modules are as follows:
- Projects: create/delete projects, browse image repositories, add members to a project, view operation logs, replicate projects, etc.
- Logs: create, push, pull and other operation logs for each image in the registry
- Administration
  - User management: add/delete users, grant administrator rights, etc.
  - Replication management: add/delete replication endpoints, create/delete/enable/disable replication rules, etc.
  - Configuration: authentication mode, replication, email settings, system settings, etc.
- Other settings
  - User settings: change username, email and display name
  - Change password: change the user's password

Note: a user who is not a system administrator sees only the projects and logs they have permission for; the other modules are hidden.
8. Harbor usage examples

1) Create a new project

2) Push an image to Harbor as the admin user
```
# Add the Harbor domain name to the local hosts file
[root@centos7 ~]# grep harbor /etc/hosts
127.0.0.1 harbor.contoso.com
[root@centos7 ~]# ping harbor.contoso.com -c 2 -w 1
PING harbor.contoso.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.033 ms

--- harbor.contoso.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.033/0.052/0.071/0.019 ms

# Try logging in to the Harbor registry
[root@centos7 ~]# docker login harbor.contoso.com
Username: admin
Password:
Login Succeeded

# Tag the local image
[root@centos7 ~]# docker tag mynginx:v1 harbor.contoso.com/lnmp/nginx:latest
[root@centos7 ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
harbor.contoso.com/lnmp/nginx   latest    5cd531df9a2d   13 days ago   361 MB
mynginx                         v1        5cd531df9a2d   13 days ago   361 MB
......

# Push the image to the Harbor registry
[root@centos7 ~]# docker push harbor.contoso.com/lnmp/nginx:latest
The push refers to a repository [harbor.contoso.com/lnmp/nginx]
611a87313170: Pushed
37b32146938c: Pushed
053c7964c2c3: Pushed
071d8bd76517: Pushed
latest: digest: sha256:69643447fe8ba118763793df8d399ac39e1e7b27df4a53c8853f543b47881f57 size: 1158
```
Verify in the Harbor web UI:

3) Create a new user

4) Test pulling the image as the new user
```
[root@centos7 ~]# docker login harbor.contoso.com
Username (admin): zhangsan
Password:
Login Succeeded
[root@centos7 ~]# docker pull harbor.contoso.com/lnmp/nginx:latest
Trying to pull repository harbor.contoso.com/lnmp/nginx ...
latest: Pulling from harbor.contoso.com/lnmp/nginx
Digest: sha256:69643447fe8ba118763793df8d399ac39e1e7b27df4a53c8853f543b47881f57
Status: Image is up to date for harbor.contoso.com/lnmp/nginx:latest
[root@centos7 ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
harbor.contoso.com/lnmp/nginx   latest    5cd531df9a2d   13 days ago   361 MB
......
```
In addition, Harbor offers LDAP integration, audit logging, image replication, garbage collection and other features; for lack of space and preparation they are not demonstrated here one by one.