For managing Docker images, many companies set up their own private registries for all sorts of reasons. Harbor is far from the first offering, commercial or open source, that lets an enterprise stand up such a private registry. Docker's own V2 registry provides similar functionality easily enough, but the vanilla V2 feels rather bare-bones; that is understandable, since it is really a tool for steering users toward the paid Docker Hub. The open-source enterprise Registry solution from VMware feels much more convenient to use. It also seems to come from VMware's China team, which adds a certain familiarity; seeing more and more Chinese teams at the frontier of open source is genuinely a happy thing.
Below is what Harbor itself considers its strong points.

| Advantage | Details |
|---|---|
| Security | Keeps intellectual property under the control of your own organization. |
| Efficiency | Hosting a private container Registry inside the organization greatly reduces the network demand for reaching public Registry services. |
| Access control | Role-based access control, which can integrate with the user management system the enterprise already has (e.g. AD/LDAP). |
| Auditing | Every operation against the Registry service is logged, so it can be audited later. |
| Management UI | A friendly, easy-to-use graphical management interface. |
| Image replication | Replicates images between instances. |
Harbor offers two installation methods: building from source, or downloading a prebuilt binary package. Following the lazy person's principle of not making work for yourself when something ready-made exists, we use the latter.
| Reference | Link |
|---|---|
| Binary package | https://github.com/vmware/harbor/releases |
| Installation guide | https://github.com/vmware/harbor/blob/master/docs/installation_guide.md |
```
wget https://github.com/vmware/harbor/releases/download/0.3.0/harbor-0.3.0.tgz
```
PS: under 10 MB, but the download is slow; have a snack ready.
```
[root@host34 tmp]# ll harbor-0.3.0.tgz
-rw-r--r--. 1 root root 10231101 Aug 15 04:09 harbor-0.3.0.tgz
[root@host34 tmp]#
[root@host34 tmp]# tar xvpf harbor-0.3.0.tgz
```
Unpacking produces a harbor directory. The harbor.cfg file in it needs customizing; the default harbor.cfg of Harbor 0.3.0 looks like this.
```
[root@host34 harbor]# cat harbor.cfg
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = reg.mydomain.com
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http
#Email account settings for sending out password resetting emails.
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin
email_ssl = false
##The password of Harbor admin, change this before any production use.
harbor_admin_password = Harbor12345
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth
#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
#The basedn template to look up a user in LDAP and verify the user's password.
#For AD server, uses this template:
#ldap_basedn = CN=%s,OU=Dept1,DC=mydomain,DC=com
ldap_basedn = uid=%s,ou=people,dc=mydomain,dc=com
#The password for the root user of mysql db, change this before any production use.
db_password = root123
#Turn on or off the self-registration feature
self_registration = on
#Determine whether the UI should use compressed js files.
#For production, set it to on. For development, set it to off.
use_compressed_js = on
#Maximum number of job workers in job service
max_job_workers = 3
#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off, a key/certificate must
#be supplied for token generation.
customize_crt = on
#Information of your organization for certicate
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = [email protected]
#####
[root@host34 harbor]#
```
At a minimum, set hostname; let's set it to the IP address.

```
hostname = 192.168.32.34
```
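Before running prepare it is worth checking harbor.cfg for the settings the default file above warns about: the placeholder hostname, the shipped admin and MySQL passwords, a plain-http UI and open self-registration. The following script is an added example, not part of Harbor or its prepare script; it reads the key names as they appear in harbor.cfg, and the sample file it writes is constructed to match the state the walkthrough leaves you in (defaults with only hostname changed).

```shell
# Added example, not Harbor's own tooling: a pre-flight check for harbor.cfg
# that flags settings which are fine in a lab but should never reach
# production. Key names are those of harbor.cfg; sample content is constructed.

# Read one "key = value" setting from a harbor.cfg-style file ('#' lines ignored).
cfg_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per finding; prints nothing when the file passes.
harbor_cfg_check() {
    file="$1"
    host=$(cfg_get "$file" hostname)
    case "$host" in
        ""|localhost|127.0.0.1|reg.mydomain.com)
            echo "hostname: '$host' is the placeholder or unreachable for external clients" ;;
    esac
    [ "$(cfg_get "$file" harbor_admin_password)" != "Harbor12345" ] ||
        echo "harbor_admin_password: still the shipped default"
    [ "$(cfg_get "$file" db_password)" != "root123" ] ||
        echo "db_password: still the shipped default"
    [ "$(cfg_get "$file" ui_url_protocol)" = "https" ] ||
        echo "ui_url_protocol: not https, so logins and registry tokens cross the network in clear"
    [ "$(cfg_get "$file" self_registration)" != "on" ] ||
        echo "self_registration: on, anyone who can reach the UI can create an account"
    [ "$(cfg_get "$file" verify_remote_cert)" != "off" ] ||
        echo "verify_remote_cert: off, replication targets are not certificate-checked"
}

# Number of findings, as a plain integer on stdout (0 when the file passes).
harbor_cfg_finding_count() {
    harbor_cfg_check "$1" | grep -c . || true
}

# Write a constructed harbor.cfg excerpt to $1: the 0.3.0 defaults with only
# hostname changed.
write_sample_cfg() {
    cat > "$1" <<'EOF'
## constructed sample, not a real deployment
hostname = 192.168.32.34
ui_url_protocol = http
harbor_admin_password = Harbor12345
db_password = root123
self_registration = on
verify_remote_cert = on
EOF
}

# Stand-alone run: check the file given as $1, or the constructed sample.
target="${1:-$(mktemp)}"
[ -n "$1" ] || write_sample_cfg "$target"
harbor_cfg_check "$target"
echo "findings: $(harbor_cfg_finding_count "$target")"
```

Run it as `sh check.sh /tmp/harbor/harbor.cfg` on the real file; on the constructed sample it reports four findings (both default passwords, the http UI and open self-registration), which is exactly what a fresh 0.3.0 install with only hostname changed looks like.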
prepare is a Python script shipped with Harbor that does the preparatory work after configuration and before startup.
```
[root@host34 tmp]# pwd
/tmp
[root@host34 tmp]# cd harbor
[root@host34 harbor]# ll
total 24
drwxr-xr-x. 6 root root   59 Jul 15 05:34 config
drwxr-xr-x. 2 root root   69 Jul 15 05:34 db
-rw-r--r--. 1 root root 1838 Jul 15 04:21 docker-compose.yml
-rw-r--r--. 1 root root 2393 Jul 15 05:34 harbor.cfg
drwxr-xr-x. 2 root root   40 Jul 15 05:34 jobservice
-rwxr-xr-x. 1 root root  666 Jul 15 04:21 load_image.sh
drwxr-xr-x. 2 root root   96 Jul 15 05:34 log
-rwxr-xr-x. 1 root root 6842 Jul 15 05:34 prepare
-rwxr-xr-x. 1 root root  942 Jul 15 04:21 save_image.sh
drwxr-xr-x. 6 root root   56 Jul 15 05:34 templates
drwxr-xr-x. 4 root root   93 Jul 15 05:34 ui
[root@host34 harbor]# ./prepare
Generated configuration file: ./config/ui/env
Generated configuration file: ./config/ui/app.conf
Generated configuration file: ./config/registry/config.yml
Generated configuration file: ./config/db/env
Generated configuration file: ./config/jobservice/env
Clearing the configuration file: ./config/ui/private_key.pem
Clearing the configuration file: ./config/registry/root.crt
Generated configuration file: ./config/ui/private_key.pem
Generated configuration file: ./config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@host34 harbor]#
```
As for load_image.sh, I had a look: it is an extremely simple script that uses docker load -i to load the offline-downloaded packages. Very thoughtful, considering hosts that cannot reach the internet directly or sit behind all kinds of proxy setups.
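When image tarballs are carried onto an offline host, the one thing load_image.sh does not do is confirm that the file being loaded is the one that was produced. The following is an added example, not Harbor's load_image.sh: it gates docker load -i on a SHA-256 digest the operator recorded when the tarball was saved. The digest is whatever was recorded at export time; the sample file and its digest below are constructed so the check runs offline.

```shell
# Added example, not Harbor's load_image.sh: refuse "docker load -i" unless the
# tarball's SHA-256 matches the digest recorded when the file was produced, so
# a file altered or swapped in transit is never loaded.

# Print the SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Succeed only when the file's digest equals the expected one (lowercase hex).
digest_matches() {
    # $1 = file, $2 = expected digest
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Load the image tarball only after the digest check passes; returns 1 otherwise.
load_image_checked() {
    # $1 = tarball, $2 = expected digest
    if digest_matches "$1" "$2"; then
        docker load -i "$1"
    else
        echo "refusing to load $1: SHA-256 mismatch" >&2
        return 1
    fi
}

# Stand-alone run on a constructed file; docker is not needed for the check itself.
sample=$(mktemp)
printf 'hello\n' > "$sample"
# SHA-256 of the six bytes "hello\n", the digest an operator would have recorded.
expected=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
if digest_matches "$sample" "$expected"; then
    echo "digest ok: $sample"
else
    echo "digest mismatch: $sample"
fi
```

For a real transfer, record `sha256sum harbor-*.tgz` on the machine that ran save_image.sh, carry the digest separately from the tarball, and call `load_image_checked /path/to/tarball <recorded digest>` on the offline host instead of a bare docker load.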
The proxy settings are only needed when you are on an internal network and have to go through a proxy to reach the outside.

Set the environment variables:
```
# export http_proxy=http://proxyserver.com:8080/
# export https_proxy=http://proxyserver.com:8080/
# export no_proxy=localhost,127.0.0.1
```
Edit the build sections of ui and jobservice in docker-compose.yml to add the proxy environment variables:
```
ui:
  build:
    context: ./ui/
    args:
      - http_proxy
      - https_proxy
      - no_proxy
jobservice:
  build:
    context: ./jobservice/
    args:
      - http_proxy
      - https_proxy
      - no_proxy
```
Fix the syslog-tag label in the logging sections of docker-compose.yml. The Docker I'm using is 1.12, which already complains that it does not recognize it, so I had to change it as follows. With older versions this change should not be necessary.
```
[root@host34 harbor]# grep tag: docker-compose.yml
        tag: "registry"
        tag: "mysql"
        tag: "ui"
        tag: "jobservice"
        tag: "proxy"
[root@host34 harbor]#
```
When running docker-compose up, the images it uses are downloaded automatically. On the first run it also builds automatically, printing build output like the following.
Building log
Step 1 : FROM library/ubuntu:14.04
14.04: Pulling from library/ubuntu
064f9af02539: Pull complete
390957b2f4f0: Pull complete
cee0974db2b8: Pull complete
c8144262002c: Pull complete
Digest: sha256:ef500a237fb51cea075b270d811601c7226097f61b34a8ed4b4aa4e350a2c66d
Status: Downloaded newer image for ubuntu:14.04
---> ff6011336327
Step 2 : RUN mv /etc/cron.daily/logrotate /etc/cron.hourly/ && rm /etc/rsyslog.d/* && rm /etc/rsyslog.conf
---> Running in c6f66b4a119b
---> 7ad3979ac880
Removing intermediate container c6f66b4a119b
Step 3 : ADD rsyslog.conf /etc/rsyslog.conf
---> 3d4233511243
Removing intermediate container 9e4c53d9959f
Step 4 : ADD logrotate_docker.conf /etc/logrotate.d/
---> d5cad8b33084
Removing intermediate container d2328387f34b
Step 5 : ADD rsyslog_docker.conf /etc/rsyslog.d/
---> 935de114769d
Removing intermediate container 63e35fcb9fb7
Step 6 : VOLUME /var/log/docker/
---> Running in 4a3a6a4b2002
---> 60b5221e00eb
Removing intermediate container 4a3a6a4b2002
Step 7 : EXPOSE 514
---> Running in 65d3b24e9362
---> 7ea455bb99c7
Removing intermediate container 65d3b24e9362
Step 8 : CMD cron && rsyslogd -n
---> Running in e44c81ecae56
---> 826257404781
Removing intermediate container e44c81ecae56
Successfully built 826257404781
WARNING: Image for service log was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building ui
Step 1 : FROM golang:1.6.2
1.6.2: Pulling from library/golang
5c90d4a2d1a8: Already exists
ab30c63719b1: Already exists
c6072700a242: Already exists
0ffc1204e0ab: Pull complete
d8a921df8ce9: Pull complete
d34bc98c2770: Pull complete
b0850b14d0d1: Pull complete
Digest: sha256:95875692658d8938644205d5911d655a134b621dd83b94569bd395fb59b08fa9
Status: Downloaded newer image for golang:1.6.2
---> 8ecba0e9bd48
Step 2 : ENV MYSQL_USR root
---> Running in 75421c3fb9d9
---> 671a9449bba1
Removing intermediate container 75421c3fb9d9
Step 3 : ENV MYSQL_PWD root
---> Running in 201fe5e747eb
---> 7f44c3c47a90
Removing intermediate container 201fe5e747eb
Step 4 : ENV MYSQL_PORT_3306_TCP_ADDR localhost
---> Running in 8f340cdd2a4b
---> c0296084029e
Removing intermediate container 8f340cdd2a4b
Step 5 : ENV MYSQL_PORT_3306_TCP_PORT 3306
---> Running in ae5e08e07a42
---> ddb109746d8b
Removing intermediate container ae5e08e07a42
Step 6 : ENV REGISTRY_URL localhost:5000
---> Running in 6d53f6ed644b
---> 5dc6dec3b7b6
Removing intermediate container 6d53f6ed644b
Step 7 : RUN apt-get update -qqy && apt-get install -qqy libldap2-dev
---> Running in 55b3c73e85f2
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libldap2-dev:amd64.
(Reading database ... 14719 files and directories currently installed.)
Preparing to unpack .../libldap2-dev_2.4.40+dfsg-1+deb8u2_amd64.deb ...
Unpacking libldap2-dev:amd64 (2.4.40+dfsg-1+deb8u2) ...
Setting up libldap2-dev:amd64 (2.4.40+dfsg-1+deb8u2) ...
---> d7025c8b962b
Removing intermediate container 55b3c73e85f2
Step 8 : ADD ui /go/bin/harbor_ui
---> f6574df26e8d
Removing intermediate container e1f16e0be353
Step 9 : ADD views /go/bin/views
---> f6889bf5956a
Removing intermediate container 4f690fa9cbe2
Step 10 : ADD static /go/bin/static
---> a791108c3961
Removing intermediate container 44f2f09bca0a
Step 11 : COPY favicon.ico /go/bin/favicon.ico
---> c1f22764e9c5
Removing intermediate container 283f26b66643
Step 12 : COPY jsminify.sh /tmp/jsminify.sh
---> 4e16d1f00fa1
Removing intermediate container f7d884efa187
Step 13 : RUN chmod u+x /go/bin/harbor_ui
---> Running in 57c2dc7d956f
---> 4e723e897f3a
Removing intermediate container 57c2dc7d956f
Step 14 : RUN sed -i 's/TLS_CACERT/#TLS_CAERT/g' /etc/ldap/ldap.conf
---> Running in 6a0be08d0e27
---> cf5bed44ab07
Removing intermediate container 6a0be08d0e27
Step 15 : RUN sed -i '$a\TLS_REQCERT allow' /etc/ldap/ldap.conf
---> Running in 2e63fbf2f811
---> da2a396807b5
Removing intermediate container 2e63fbf2f811
Step 16 : RUN /tmp/jsminify.sh /go/bin/views/sections/script-include.htm /go/bin/static/resources/js/harbor.app.min.js
---> Running in 6ff19a059d32
This shell will minify the Javascript in Harbor project.
Usage: #jsminify [src] [dest]
Concat js files...
Remove space..
Remove '//'and '/*' annotation...
Remove CR ...
Done.
---> c6ddf043a213
Removing intermediate container 6ff19a059d32
Step 17 : WORKDIR /go/bin/
---> Running in 9d4301d17a28
---> 2cca0c38dc14
Removing intermediate container 9d4301d17a28
Step 18 : ENTRYPOINT /go/bin/harbor_ui
---> Running in 9724a3ea66b2
---> f66405331a0a
Removing intermediate container 9724a3ea66b2
Step 19 : EXPOSE 80
---> Running in 3571d2c88e2c
---> 04c5fb1c334d
Removing intermediate container 3571d2c88e2c
Successfully built 04c5fb1c334d
WARNING: Image for service ui was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building mysql
Step 1 : FROM mysql:5.6
5.6: Pulling from library/mysql
357ea8c3d80b: Already exists
256a92f57ae8: Pull complete
d5ee0325fe91: Pull complete
a15deb03758b: Pull complete
7b8a8ccc8d50: Pull complete
1a40eeae36e9: Pull complete
4a09128b6a34: Pull complete
587b9302fad1: Pull complete
c0c47ca2042a: Pull complete
fa370478ab1f: Pull complete
952d92d0e00a: Pull complete
Digest: sha256:dcb7adfd0452994933b64cd9a91f70acc89ac8d3f78261827bd8162bc20a737e
Status: Downloaded newer image for mysql:5.6
---> 5e0f1b09e25e
Step 2 : WORKDIR /tmp
---> Running in eacd8724dc0f
---> 5fc66f8cc86b
Removing intermediate container eacd8724dc0f
Step 3 : ADD registry.sql r.sql
---> fc4c1afe1400
Removing intermediate container 9aaed626a349
Step 4 : ADD docker-entrypoint.sh /entrypoint.sh
---> 8e0e76ce7967
Removing intermediate container 031ccc51d5d4
Step 5 : RUN chmod u+x /entrypoint.sh
---> Running in 0c15f566942b
---> 3f1a78b0bf43
Removing intermediate container 0c15f566942b
Successfully built 3f1a78b0bf43
WARNING: Image for service mysql was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building jobservice
Step 1 : FROM golang:1.6.2
---> 8ecba0e9bd48
Step 2 : MAINTAINER [email protected]
---> Running in 9d2e58613bdf
---> 8402f2cfb451
Removing intermediate container 9d2e58613bdf
Step 3 : RUN apt-get update && apt-get install -y libldap2-dev && rm -r /var/lib/apt/lists/*
---> Running in 198bb3ea5236
Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Ign http://httpredir.debian.org jessie InRelease
Get:2 http://httpredir.debian.org jessie-updates InRelease [142 kB]
Get:3 http://httpredir.debian.org jessie Release.gpg [2373 B]
Get:4 http://security.debian.org jessie/updates/main amd64 Packages [385 kB]
Get:5 http://httpredir.debian.org jessie Release [148 kB]
Get:6 http://httpredir.debian.org jessie-updates/main amd64 Packages [17.6 kB]
Get:7 http://httpredir.debian.org jessie/main amd64 Packages [9032 kB]
Fetched 9790 kB in 40s (242 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
libldap2-dev
0 upgraded, 1 newly installed, 0 to remove and 12 not upgraded.
Need to get 323 kB of archives.
After this operation, 1411 kB of additional disk space will be used.
Get:1 http://httpredir.debian.org/debian/ jessie/main libldap2-dev amd64 2.4.40+dfsg-1+deb8u2 [323 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 323 kB in 3s (82.7 kB/s)
Selecting previously unselected package libldap2-dev:amd64.
(Reading database ... 14719 files and directories currently installed.)
Preparing to unpack .../libldap2-dev_2.4.40+dfsg-1+deb8u2_amd64.deb ...
Unpacking libldap2-dev:amd64 (2.4.40+dfsg-1+deb8u2) ...
Setting up libldap2-dev:amd64 (2.4.40+dfsg-1+deb8u2) ...
---> e2f67c7c3681
Removing intermediate container 198bb3ea5236
Step 4 : ADD jobservice /go/bin/harbor_jobservice
---> a72e84e1293b
Removing intermediate container d28308d7d390
Step 5 : RUN chmod u+x /go/bin/harbor_jobservice
---> Running in 7f09927d26e3
---> 64bea5147f78
Removing intermediate container 7f09927d26e3
Step 6 : WORKDIR /go/bin/
---> Running in 401c44ce58c1
---> 69bbc8de739a
Removing intermediate container 401c44ce58c1
Step 7 : ENTRYPOINT /go/bin/harbor_jobservice
---> Running in f67941a3fed4
---> 44f9b4f5ffa5
Removing intermediate container f67941a3fed4
Successfully built 44f9b4f5ffa5
WARNING: Image for service jobservice was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Pulling registry (library/registry:2.4.0)...
2.4.0: Pulling from library/registry
8b87079b7a06: Pull complete
a3ed95caeb02: Pull complete
ab57f16e019e: Pull complete
87821bf06837: Pull complete
26c4a2196c76: Pull complete
Digest: sha256:6c65924b0d17593f2a05daa5d5403b47dfdb3aba9e3a0a97e4df75fd1bc27238
Status: Downloaded newer image for registry:2.4.0
Pulling proxy (library/nginx:1.9)...
1.9: Pulling from library/nginx
51f5c6a04d83: Pull complete
a3ed95caeb02: Pull complete
640c8f3d0eb2: Pull complete
a4335300aa89: Pull complete
Digest: sha256:54313b5c376892d55205f13d620bc3dcccc8e70e596d083953f95e94f071f6db
Status: Downloaded newer image for nginx:1.9
After the first run no build is needed again, and the startup output is much quieter.
```
[root@host34 harbor]# pwd
/tmp/harbor
[root@host34 harbor]# docker-compose up -d
Starting harbor_log_1
Starting harbor_registry_1
Starting harbor_mysql_1
Starting harbor_ui_1
Starting harbor_jobservice_1
Starting harbor_proxy_1
[root@host34 harbor]#
```