Adminserver: manages the system configuration and exposes a web page and an API for users to change it, replacing the earlier experience of editing the configuration file by hand and restarting the system manually.
Proxy: a reverse proxy made up of an Nginx server.
Registry: a container instance built from Docker's official open-source registry image.
UI: the core services in the architecture; the code that makes up this container is the main body of the Harbor project.
MySQL: a database container built from the official MySQL image.
Log: a container running rsyslogd that collects the other containers' logs through the Docker log driver.
When the system starts, the UI and Job Service read the configuration they each need from the Admin Server and complete their own startup. Afterwards, users can change part of the system configuration through the web UI or the API. The modified configuration is written to the Admin Server, and the other components pick up the latest values by re-reading the Admin Server's configuration.
These containers are connected with Docker links and reach each other by container name. To end users, only the service port of the proxy (i.e. Nginx) needs to be exposed.
The Docker daemon pulls an image from the Docker registry.
If the registry requires authorization, it returns a 401 Unauthorized response whose headers tell the Docker client how to authenticate.
Based on the information returned by the registry, the Docker client sends a request to the auth server to obtain an authentication token.
The auth server validates the submitted user information according to its own business logic.
The user data store returns the user's details.
Based on the user information it looked up, the auth server generates a token together with the permissions the current user holds.
That is the complete authorization flow. Once a user has gone through it, pull/push operations can proceed; the authentication information is carried in the request header of every request.
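The exchange described above, with both sides in one file, as an added example that is not Harbor's own code. It keeps the issuer name (registry-token-issuer) and service name (token-service) that appear in the registry configuration later on this page, but signs tokens with HMAC-SHA256 and a shared key so it runs on the standard library alone; real Harbor signs with RS256 using the UI's private_key.pem, and the registry verifies against root.crt. The user store, the project membership table, the realm URL and the key are constructed sample data. The project check is the part worth noting: a valid login on a project the user has no rights to (or that does not exist) yields a token with an empty access list, and the registry then reports "unauthorized: authentication required" rather than a password error.

```python
"""Simulated Docker Registry v2 token authentication: registry, auth server and client."""
import base64
import binascii
import hashlib
import hmac
import json
import re
import time

ISSUER = "registry-token-issuer"                    # same issuer as the registry config on this page
SERVICE = "token-service"
REALM = "http://reg.yourdomain.com/service/token"   # assumed hostname; Harbor's token endpoint path
SIGNING_KEY = b"demo-shared-key"                    # stand-in for Harbor's RSA key pair (HMAC here)
USERS = {"admin": hashlib.sha256(b"Harbor12345").hexdigest()}   # constructed user store
PROJECTS = {"calico": {"admin": {"pull", "push"}}}              # constructed: project -> member -> actions


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_challenge(header):
    """Parse the WWW-Authenticate value the registry sends with its 401."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("unexpected auth scheme: " + scheme)
    # scope itself contains commas (pull,push), so match key="value" pairs instead of splitting on ','
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def issue_token(username, password, service, scope):
    """Auth server: verify credentials, then grant only the actions this user holds on the project.

    Returns None for bad credentials. A missing project or missing membership
    still yields a token, but one with no granted actions.
    """
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), digest):
        return None
    kind, name, actions = scope.split(":", 2)          # e.g. repository:calico/node:pull,push
    project = name.split("/", 1)[0]                    # Harbor: the first path segment is the project
    allowed = PROJECTS.get(project, {}).get(username, set())
    granted = [a for a in actions.split(",") if a in allowed]
    now = int(time.time())
    payload = {"iss": ISSUER, "sub": username, "aud": service, "iat": now, "exp": now + 1800,
               "access": [{"type": kind, "name": name, "actions": granted}]}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, service):
    """Registry: signature, issuer, audience and expiry must all check out; returns claims or None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, (head + "." + body).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims["iss"] != ISSUER or claims["aud"] != service or claims["exp"] < time.time():
            return None
        return claims
    except (ValueError, KeyError, binascii.Error):   # malformed token: treat as no token at all
        return None


def registry_allows(token, name, action, service=SERVICE):
    """Registry: does the presented token grant `action` on repository `name`?"""
    claims = verify_token(token, service)
    return claims is not None and any(
        a["name"] == name and action in a["actions"] for a in claims["access"])


def docker_push(username, password, name):
    """Client: the flow from the text, returning the outcome the docker CLI would report."""
    # first request carries no token, so the registry answers 401 plus a Bearer challenge
    challenge = 'Bearer realm="%s",service="%s",scope="repository:%s:pull,push"' % (REALM, SERVICE, name)
    params = parse_challenge(challenge)
    # the client presents its credentials to the realm (the auth server) and receives a token
    token = issue_token(username, password, params["service"], params["scope"])
    if token is None:
        return "unauthorized: incorrect username or password"
    # retry with 'Authorization: Bearer <token>'; the registry checks the access claims
    if registry_allows(token, name, "push", params["service"]):
        return "pushed " + name
    return "unauthorized: authentication required"   # the message the push later on this page hits
```

Running docker_push("admin", "Harbor12345", "calico/node") succeeds, while the same credentials against "nothere/node" fail with "unauthorized: authentication required", because the auth server never saw a project to grant actions on.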
The Harbor installer packages can be downloaded from the release page; the offline installer is recommended. Extract the package with tar:
# tar xvf harbor-offline-installer-.tgz
Below we change a few common parameters. Note that you must at least change the hostname.
hostname: the hostname of the target host, used to access the UI and the registry service. It should be the Harbor host's IP address or fully qualified domain name (FQDN), for example 192.168.1.10 or reg.yourdomain.com. Do not use localhost or 127.0.0.1 as the hostname, because the registry service must be reachable by external clients.
ui_url_protocol
The URL protocol (http or https); defaults to http.
For HTTPS, see Configuring Harbor with HTTPS Access.
Storage configuration
By default Harbor stores images on the local file system. In production you may want another storage backend instead of local storage, such as S3, OpenStack Swift or Ceph. In that case edit the storage section of common/templates/registry/config.yml, for example:
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /storage
  maintenance:
    uploadpurging:
      enabled: false
  delete:
    enabled: true
Edit docker-compose.yml and replace port 80 with any free port on the host, for example 10080:
proxy:
  image: nginx:1.9
  container_name: nginx
  restart: always
  volumes:
    - ./common/config/nginx:/etc/nginx
  ports:
    - 10080:80
    - 10443:443
  depends_on:
    - mysql
    - registry
    - ui
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"
Edit common/templates/registry/config.yml:
auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:28080/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
Changing the HTTPS port works the same way as customizing the listening port above.
The configured email account lets Harbor send password-reset mail.
# Email account settings for sending out password resetting emails.
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin
email_ssl = false
For the other parameters, see the official documentation.
Here we change the host-side paths under volumes for the log, registry, mysql, adminserver, ui, jobservice and proxy services to match the file layout on our own host.
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.4.0
    container_name: harbor-log
    restart: always
    volumes:
      - /Users/jackyue/data/harbor/data/log/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: vmware/registry-photon:v2.6.2-v1.4.0
    container_name: registry
    restart: always
    volumes:
      - /Users/jackyue/data/harbor_data/registry:/storage:z
      # Harbor's default image storage path on the host is /data/registry, mapped to /storage inside the container.
      # Keeping the Harbor application path and the image storage path separate makes later expansion easier.
      - ./common/config/registry/:/etc/registry/:z
    ports:
      - 5000:5000
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.4.0
    container_name: harbor-db
    restart: always
    volumes:
      - /Users/jackyue/data/harbor_data/database:/var/lib/mysql:z
      # Harbor's MySQL data should also be kept apart from the Harbor application files
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.4.0
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /Users/jackyue/data/harbor/data/config/:/etc/adminserver/config/:z
      - /Users/jackyue/data/harbor/data/secretkey:/etc/adminserver/key:z
      # Since 1.5.2 the secretkey lives under the Harbor home directory, so this path needs adjusting
      - /Users/jackyue/data/harbor/data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.4.0
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /Users/jackyue/data/harbor/data/secretkey:/etc/ui/key:z
      - /Users/jackyue/data/harbor/data/ca_download/:/etc/ui/ca/:z
      - /Users/jackyue/data/harbor/data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.4.0
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /Users/jackyue/data/harbor/data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /Users/jackyue/data/harbor/data/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx-photon:v1.4.0
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 10080:80
      - 10443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
After these changes you also have to adjust the permissions of the folders and files under the host paths above (I simply set them to 777); otherwise the containers fail at startup with an Operation not permitted error.
Install with the script
$ sudo ./install.sh
After a short wait, Harbor is installed once the following output appears:
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.43.210.
For more details, please visit https://github.com/vmware/harbor .
Use docker-compose ps to check that all 7 services have started; if every State shows Up, Harbor was installed and started successfully.
$ sudo docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up
harbor-db /usr/local/bin/docker-entr ... Up 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:10080->80/tcp
registry /entrypoint.sh serve /etc/ ... Restarting
# docker login xx.xxx.xx.xx:5000
In a browser, enter the hostname configured in harbor.cfg together with the host port that maps to port 80 under proxy ports in docker-compose.yml, i.e. 192.168.43.210:10080. Then log in with the default credentials admin/Harbor12345.
You can use docker-compose to manage Harbor's life cycle. Some useful commands are listed below (they must be run in the same directory as docker-compose.yml).
$ sudo docker-compose stop # stop Harbor
$ sudo docker-compose start # start Harbor
To change Harbor's configuration, first stop the running Harbor instance, update harbor.cfg, then run install.sh again:
$ sudo docker-compose down
$ vim harbor.cfg
$ sudo ./install.sh
# docker push xx.xxx.xx.xx/calico/node
The push refers to a repository [xx.xxx.xx.xx/calico/node]
5a5054a0b567: Preparing
dc759f36d103: Preparing
0ae8598a5313: Preparing
b7fc58bf47e2: Preparing
799d9a47057e: Waiting
503925f2fc18: Waiting
unauthorized: authentication required
If permissions are not the problem, the cause is that Harbor has no calico project: Harbor requires the segment after the first / in xx.xxx.xx.xx/calico/node to be a project name, and that project must already exist, otherwise the push fails. Log in to the Harbor web UI and create the calico project.
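A pre-push check for the rule just described, added here as an example that is not Harbor's own code: it splits an image reference into host, project and repository the way Harbor does (first path segment after the host is the project) and asks the Harbor API whether that project exists before the push is attempted. It assumes the Harbor 1.x endpoint GET /api/projects?name=<name>, which lists projects whose name contains the string, so the result is filtered to an exact match; it also assumes the API is reachable from the caller without extra authentication, which holds for public projects. The fetcher is injectable so the check can run offline against constructed data.

```python
"""Verify that the Harbor project in an image reference exists before pushing."""
import json
import re
import urllib.request
from urllib.parse import quote

# host[:port]/path[:tag][@digest]; the first segment of `path` is the Harbor project
REF_RE = re.compile(
    r"^(?P<host>[^/]+)/(?P<path>[^@:]+)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def split_reference(ref):
    """Return host, project, repository, tag and digest of a reference such as xx.xxx.xx.xx/calico/node."""
    m = REF_RE.match(ref)
    if m is None:
        raise ValueError("not a registry image reference: " + ref)
    project, sep, repo = m.group("path").partition("/")
    if not sep or not repo:
        # docker does not insert a default project for third-party registries, so this would fail in Harbor
        raise ValueError("Harbor needs host/<project>/<repository>, got: " + ref)
    return {"host": m.group("host"), "project": project, "repository": repo,
            "tag": m.group("tag") or "latest", "digest": m.group("digest")}


def _http_get_json(url):
    """Default fetcher: plain GET returning the decoded JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def project_exists(base_url, project, fetch=_http_get_json):
    """GET /api/projects?name=<project> (assumed Harbor 1.x API) and keep only an exact name match."""
    url = "%s/api/projects?name=%s" % (base_url.rstrip("/"), quote(project, safe=""))
    return any(p.get("name") == project for p in (fetch(url) or []))


def check_push_target(ref, base_url, fetch=_http_get_json):
    """Return (ok, message) for a push to `ref` against the Harbor UI at `base_url`."""
    parts = split_reference(ref)
    if not project_exists(base_url, parts["project"], fetch):
        return False, "project '%s' does not exist on %s: create it in the Harbor UI before pushing %s" % (
            parts["project"], parts["host"], ref)
    return True, "project '%s' exists; %s/%s:%s can be pushed" % (
        parts["project"], parts["host"], parts["project"] + "/" + parts["repository"], parts["tag"])


if __name__ == "__main__":
    # Constructed API response standing in for a live Harbor; note the substring match on "calico"
    sample = lambda url: [{"project_id": 2, "name": "calico"}, {"project_id": 3, "name": "calico-extra"}]
    print(check_push_target("xx.xxx.xx.xx/calico/node", "http://192.168.43.210:10080", sample)[1])
    print(check_push_target("xx.xxx.xx.xx/library/node", "http://192.168.43.210:10080", sample)[1])
```

Against a real instance, drop the third argument and pass the UI address from harbor.cfg (hostname plus the proxy port) as base_url.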
Harbor only supports the Registry V2 API, so you need a Docker client of version 1.6 or later.
# curl https://192.168.1.200/v2/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
This mostly happens with self-signed certificates; the error means the issuing CA is not trusted and cannot be recognised.
The fix is to append the contents of ca.crt, the certificate of the private CA that issued the server certificate, to /etc/pki/tls/certs/ca-bundle.crt.
# cat /etc/docker/certs.d/192.168.1.200/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
# curl https://192.168.1.200/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
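The `>>` append above adds another copy of the CA every time it is run. The following added example (not from this page) does the same job idempotently: it compares the SHA-256 fingerprint of each certificate's DER form, the same value `openssl x509 -noout -fingerprint -sha256` prints, and only appends certificates the bundle does not already contain. The sample PEM blocks it builds for demonstration are constructed placeholders, not real certificates. On RHEL/CentOS the supported way to add a CA is to drop it into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, which regenerates ca-bundle.crt; editing the bundle directly, as the page does, is overwritten by the next update-ca-trust run.

```python
"""Append a private CA certificate to a PEM bundle only if it is not already present."""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def fingerprint(pem_block):
    """SHA-256 over the DER bytes of one PEM certificate block."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()


def cert_fingerprints(pem_text):
    """Fingerprints of every certificate found in a bundle (other text, e.g. comments, is ignored)."""
    return {fingerprint(block) for block in PEM_BLOCK.findall(pem_text)}


def merge_bundle(bundle_text, ca_text):
    """Return (new_bundle_text, number_of_certificates_added); duplicates inside ca_text are skipped too."""
    present = cert_fingerprints(bundle_text)
    new_blocks = []
    for block in PEM_BLOCK.findall(ca_text):
        fp = fingerprint(block)
        if fp not in present:
            present.add(fp)
            new_blocks.append(block)
    if not new_blocks:
        return bundle_text, 0
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + "\n".join(new_blocks) + "\n", len(new_blocks)


def add_ca_to_bundle(ca_path="/etc/docker/certs.d/192.168.1.200/ca.crt",
                     bundle_path="/etc/pki/tls/certs/ca-bundle.crt"):
    """File wrapper around merge_bundle using the paths from the page; returns how many certs were added."""
    with open(ca_path) as f:
        ca_text = f.read()
    with open(bundle_path) as f:
        bundle_text = f.read()
    merged, added = merge_bundle(bundle_text, ca_text)
    if added:
        with open(bundle_path, "w") as f:
            f.write(merged)
    return added


def constructed_pem(label):
    """Constructed PEM-shaped block for demonstration only; the body is not a real certificate."""
    body = base64.b64encode(("constructed placeholder, not a certificate: " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


if __name__ == "__main__":
    bundle = constructed_pem("system root A") + "\n"
    ca = constructed_pem("harbor private CA")
    merged, n = merge_bundle(bundle, ca)
    again, m = merge_bundle(merged, ca)
    print("first run added %d, second run added %d" % (n, m))   # 1, then 0
```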
# docker pull xx.xxx.xx.xx:5000/vmware/harbor-db:0.4.5
Error response from daemon: Get https://xx.xxx.xx.xx:5000/v1/_ping: http: server gave HTTP response to HTTPS client
Solution: edit /usr/lib/systemd/system/docker.service and add --insecure-registry to ExecStart:
ExecStart=/usr/bin/dockerd --insecure-registry=xx.xxx.xx.xx:5000
Then restart the Docker service:
# systemctl restart docker
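The same setting can be kept in /etc/docker/daemon.json under the `insecure-registries` key, which Docker documents as the configuration-file equivalent of the flag. The added example below (not from this page) edits that file idempotently, so a second run changes nothing. It must replace the ExecStart flag rather than sit alongside it: the daemon refuses to start when the same option is given both as a command-line flag and in daemon.json. A registry listed here is contacted over plain HTTP, or over HTTPS without certificate verification, so this is a stop-gap for test setups; trusting the registry's CA via /etc/docker/certs.d/<host>:<port>/ca.crt, the path the page already uses for curl, is the durable fix.

```python
"""Idempotently add a registry to insecure-registries in /etc/docker/daemon.json."""
import json


def list_insecure_registries(config_text):
    """Registries currently listed in a daemon.json text ('' means the file does not exist yet)."""
    if not config_text.strip():
        return []
    config = json.loads(config_text)
    return list(config.get("insecure-registries", []))


def add_insecure_registry(config_text, registry):
    """Return (new_config_text, changed). Other keys in the file are preserved untouched."""
    config = json.loads(config_text) if config_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    entries = config.setdefault("insecure-registries", [])
    if registry in entries:
        return config_text, False
    entries.append(registry)
    return json.dumps(config, indent=2) + "\n", True


def update_daemon_json(registry, path="/etc/docker/daemon.json"):
    """Apply add_insecure_registry to the file on disk; returns True when it was rewritten."""
    try:
        with open(path) as f:
            current = f.read()
    except FileNotFoundError:
        current = ""
    new_text, changed = add_insecure_registry(current, registry)
    if changed:
        with open(path, "w") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    # Constructed starting point: a daemon.json that already sets another option
    text, changed = add_insecure_registry('{"log-driver": "json-file"}', "xx.xxx.xx.xx:5000")
    print(changed, list_insecure_registries(text))   # True ['xx.xxx.xx.xx:5000']
    print(add_insecure_registry(text, "xx.xxx.xx.xx:5000")[1])   # False: already present
```

After writing the file, `systemctl restart docker` as above makes the daemon pick it up.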
Then log in again and the pull works:
# docker login xx.xxx.xx.xx:5000
Username: admin
Password:
Login Succeeded
# docker pull xx.xxx.xx.xx:5000/calico/node
Using default tag: latest
latest: Pulling from calico/node
dd951796ec8a: Pull complete
2ed92f708362: Pull complete
1703d9b705ad: Pull complete
a45fbe27e680: Pull complete
8c874d304eb0: Pull complete
0b3e16347231: Pull complete
4670f2d45133: Pull complete
Digest: sha256:2585b48d929f6279637b27c85725cef44ec4cafaee3dafaa99ca3b1756e5a525
Status: Downloaded newer image for xx.xxx.xx.xx:5000/calico/node:latest