1. Harbor概述
Habor是由VMWare公司开源的容器镜像仓库。事实上,Habor是在Docker Registry上进行了相应的 企业级扩展,从而获得了更加广泛的应用,这些新的企业级特性包括:管理用户界面,基于角色的访 问控制 ,AD/LDAP集成以及审计日志等,足以满足基本企业需求。
官方地址:https://vmware.github.io/harbor/cn/
harbor github 地址: https://github.com/goharbor/harbor
安装硬件软件要求:https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
| 组件 | 功能 |
|---|---|
| harbor-adminserver | 配置管理中心 |
| harbor-db | Mysql数据库 |
| harbor-jobservice | 负责镜像复制 |
| harbor-log | 记录操作日志 |
| harbor-ui | Web管理页面和API |
| nginx | 前端代理,负责前端页面和镜像上传/下载转发 |
| redis | 会话 |
| registry | 镜像存储 |
2. Harbor部署
Harbor安装有3种方式:
• 在线安装:从Docker Hub下载Harbor相关镜像,因此安装软件包非常小
• 离线安装:安装包包含部署的相关镜像,因此安装包比较大
• OVA安装程序:当用户具有vCenter环境时,使用此安装程序,在部署OVA后启动Harbor
离线安装:
(1) 安装docker compose
安装依赖 docker compose
安装文档URL:https://docs.docker.com/compose/install/
# sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
(2) 安装harbor
# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0-rc1.tgz
# tar zxvf harbor-offline-installer-v1.5.1.tgz
# cd harbor
# vim harbor.yml
hostname = 10.40.6.165
ui_url_protocol = http
harbor_admin_password = Harbor12345
# ./install.sh
...
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-portal ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://10.40.6.165.
For more details, please visit https://github.com/goharbor/harbor .
### 安装完成之后会有一个docker-compose.yml 文件,编排安装的功能组件镜像是怎么启动容器的
# docker-compose ps ## 列出功能组件,每个组件一个容器运行状态UP
Name Command State Ports
------------------------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up (health: starting)
harbor-db /entrypoint.sh postgres Up (health: starting) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (health: starting) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (health: starting) 80/tcp
nginx nginx -g daemon off; Up (health: starting) 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (health: starting) 5000/tcp
registryctl /harbor/start.sh Up (health: starting)
然后登陆用浏览访问http://10.40.6.165 登陆
3. 基本使用
推送镜像说明.png
推送镜像步骤及格式:
在项目中标记镜像(打标签):
docker tag SOURCE_IMAGE[:TAG] 10.40.6.165/library/IMAGE[:TAG]
推送镜像到当前项目(上传镜像):
docker push 10.40.6.165/library/IMAGE[:TAG]
# docker tag nginx:v1 10.40.6.165/library/nginx:v1
# docker push 10.40.6.165/library/nginx:v1
The push refers to repository [10.40.6.165/library/nginx]
Get https://10.40.6.165/v2/: dial tcp 10.40.6.165:443: connect: connection refused
因为我们使用的是http,得做可信任配置
# docker info
...
Insecure Registries:
127.0.0.0/8
...
(1)、配置http镜像仓库可信任
# cat /etc/docker/daemon.json
{
"registry-mirrors": ["http://f1361db2.m.daocloud.io"],
"insecure-registries":["http://10.40.6.165"]
}
# systemctl restart docker
# docker-compose ps ## 有些是UP有些是Exit状态
Name Command State Ports
---------------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Exit 137
harbor-db /entrypoint.sh postgres Exit 255
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 80/tcp
nginx nginx -g daemon off; Exit 128
redis docker-entrypoint.sh redis ... Exit 137
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Exit 137
# docker-compose up -d
harbor-log is up-to-date
registry is up-to-date
Starting registryctl ... done
Starting harbor-db ... done
Starting redis ... done
Starting harbor-core ... done
harbor-jobservice is up-to-date
harbor-portal is up-to-date
Starting nginx ... done
# docker-compose ps ## 在去看docker harbor 容器都是UP状态
Name Command State Ports
------------------------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up (health: starting)
harbor-db /entrypoint.sh postgres Up (health: starting) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 80/tcp
nginx nginx -g daemon off; Up (health: starting) 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Up (health: starting)
# docker info ## 再看配置是否生效
...
Insecure Registries:
10.40.6.165
127.0.0.0/8
...
# docker push 10.40.6.165/library/nginx:v1
The push refers to repository [10.40.6.165/library/nginx]
ff7a247499ae: Preparing
9974fca73fe1: Preparing
d69483a6face: Preparing
denied: requested access to the resource is denied
### 要向公开项目library 未登陆用户只能下载, push 镜像得先登陆用户
### 到管理平台创建用户,并赋权限到某个项目(项目--->library-->成员--->+用户)
# docker login 10.40.6.165 ## 登陆一个镜像仓库
Username: liuzhousheng
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# docker push 10.40.6.165/library/nginx:v1
The push refers to repository [10.40.6.165/library/nginx]
ff7a247499ae: Pushed
9974fca73fe1: Pushed
d69483a6face: Pushed
v1: digest: sha256:eb8e3d3901922952fb52d350a1a7c57394a81bf1d4e2fd4338c5dc9f80026c9c size: 953
###成功 push nginx:v1 镜像
### 再多推几个镜像
# docker tag tomcat:v1 10.40.6.165/library/tomcat:v1
# docker push 10.40.6.165/library/tomcat:v1
The push refers to repository [10.40.6.165/library/tomcat]
0920bccbc0aa: Pushed
368bda959904: Pushed
d69483a6face: Mounted from library/nginx
v1: digest: sha256:03c8fe3c389bc36ab066d5e59d9d0c057df4844f5be3fa56ae2add321754b299 size: 952
# docker tag php:v1 10.40.6.165/library/php:v1
# docker push 10.40.6.165/library/php:v1
The push refers to repository [10.40.6.165/library/php]
e7d3d1d0a7bb: Pushed
a29a1e5944d2: Pushed
8a4de8d39ad9: Pushed
5cacb70641e2: Pushed
d69483a6face: Mounted from library/tomcat
v1: digest: sha256:1f7093d0d36d82289ce4385429fb902cb0d4cc421bd4496442333a2615326115 size: 1370
创建一个私有项目project并给项目添加用户授权:项目---> +新建项目(不勾选“公开”)
创建project.png
往私有仓库推送镜像nginx:v2
# docker tag nginx:v2 10.40.6.165/project/nginx:v2
# docker push 10.40.6.165/project/nginx:v2
The push refers to repository [10.40.6.165/project/nginx]
c90325a75f68: Pushed
ff7a247499ae: Mounted from library/nginx
9974fca73fe1: Mounted from library/nginx
d69483a6face: Mounted from library/php
v2: digest: sha256:c2313027dc3ec3085fd0ebdb0b07d811d29561b63a72caa85dbb69c62086fd96 size: 1160
测试公共仓库与私有仓库下载镜像权限:
# docker logout http://10.40.6.165 ## 退出登录
Removing login credentials for 10.40.6.165
# docker pull 10.40.6.165/library/nginx:v1 ## 可以成功下载公共仓库library的nginx:v1镜像
v1: Pulling from library/nginx
Digest: sha256:eb8e3d3901922952fb52d350a1a7c57394a81bf1d4e2fd4338c5dc9f80026c9c
Status: Image is up to date for 10.40.6.165/library/nginx:v1
# docker pull 10.40.6.165/project/nginx:v2 ## 下载私有仓库project 的nginx:v2镜像
Error response from daemon: pull access denied for 10.40.6.165/project/nginx, repository does not exist or may require 'docker login'
###登录liuzhousheng用户去下载私有仓库project 的nginx:v2镜像,可以成功下载
# docker login 10.40.6.165
Username: liuzhousheng
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# docker pull 10.40.6.165/project/nginx:v2
v2: Pulling from project/nginx
Digest: sha256:c2313027dc3ec3085fd0ebdb0b07d811d29561b63a72caa85dbb69c62086fd96
Status: Image is up to date for 10.40.6.165/project/nginx:v2
REPOSITORY: 镜像仓库中心(中心地址,默认官方地址)
TAG: 标签
IMAGE ID: 镜像ID
CREATED :镜像创建时间
SIZE: 镜像大小
# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
10.40.6.165/library/tomcat v2 59592f04baa9 6 hours ago 501MB
10.40.6.165/project/tomcat v2 59592f04baa9 6 hours ago 501MB
tomcat v2 59592f04baa9 6 hours ago 501MB
10.40.6.165/library/tomcat v1 e35360e86854 6 hours ago 426MB
tomcat v1 e35360e86854 6 hours ago 426MB
10.40.6.165/library/php v1 1c2bb6668116 6 hours ago 521MB
php v1 1c2bb6668116 6 hours ago 521MB
10.40.6.165/project/nginx v2 64f743ec5b18 7 hours ago 395MB
nginx v2 64f743ec5b18 7 hours ago 395MB
10.40.6.165/library/nginx v2 64f743ec5b18 7 hours ago 395MB
10.40.6.165/library/nginx v1 db3cfa07d4a5 7 hours ago 395MB
nginx v1 db3cfa07d4a5 7 hours ago 395MB
nginx nginx04 8868f915bd47 28 hours ago 109MB
busybox latest 64f5d945efcc 5 days ago 1.2MB
mysql 5.7 7faa3c53e6d6 7 days ago 373MB
centos 7 9f38484d220f 2 months ago 202MB
centos latest 9f38484d220f 2 months ago 202MB
使用远程镜像仓库启一个容器:
# docker run -d 10.40.6.165/library/tomcat:v2
e805a8457b34132e652b0fd6e41308616d5708af87b7865be21c99ad96e3a50c
# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e805a8457b34 10.40.6.165/library/tomcat:v2 "catalina.sh run" 5 seconds ago Up 4 seconds 8080/tcp keen_shannon
启动:
# docker-compose start
# docker-compose up -d是不是初次启动?
停止
# docker-compose stop