harbor安装记录

harbor安装记录_第1张图片

1. Harbor架构

harbor安装记录_第2张图片

  • Adminserver:用来管理系统配置,并提供了相应的 WEB 页面和 API 来供用户操作,改进了之前需用户手动修改配置文件并手动重启系统的用户体验。

  • Proxy:由Nginx 服务器构成的反向代理。

  • Registry:由Docker官方的开源registry镜像构成的容器实例。

  • UI:即架构中的core services, 构成此容器的代码是Harbor项目的主体。

  • MySQL:由官方MySQL镜像构成的数据库容器。

  • Log:运行着rsyslogd的容器,通过log-driver的形式收集其他容器的日志。

当系统启动时,UI 和 Job Service 从 Admin Server 处读取各自所需的配置,完成自身启动过程。之后用户可以通过 WEB 界面或者通过 API 修改部分系统配置。修改后的配置会被写入到 Admin Server 中。其他组件重新读取Admin Server的配置信息就可以得到最新的配置。

这几个容器通过Docker link的形式连接在一起,在容器之间通过容器名字互相访问。对终端用户而言,只需要暴露proxy (即Nginx)的服务端口。

2. Harbor认证过程

harbor安装记录_第3张图片

  • dockerdaemon从docker registry拉取镜像。

  • 如果dockerregistry需要进行授权时,registry将会返回401 Unauthorized响应,同时在响应中包含了docker client如何进行认证的信息。

  • dockerclient根据registry返回的信息,向auth server发送请求获取认证token。

  • auth server则根据自己的业务实现去验证提交的用户信息是否存符合业务要求。

  • 用户数据仓库返回用户的相关信息。

  • auth server将会根据查询的用户信息,生成token令牌,以及当前用户所具有的相关权限信息。

上述就是完整的授权过程.当用户完成上述过程以后便可以执行相关的pull/push操作。认证信息会每次都带在请求头中。

3. 下载安装文件

harbor安装包的二进制文件可以从release页面下载,推荐选择离线安装包。 使用tar命令解压缩包

# tar xvf harbor-offline-installer-.tgz

4. 修改配置文件harbor.cfg

下面我们选择修改几个常见的参数。请注意,您至少需要更改主机名。

  • hostname:目标主机的主机名,用于访问UI和注册表服务。它应该是harbor主机的IP地址或完全限定的域名(FQDN),例如192.168.1.10或reg.yourdomain.com。不要使用localhost或127.0.0.1作为主机名,注册表服务需要使用外部客户端访问。

  • ui_url_protocol
    url协议(http或者https),默认为http。
    https配置可以参考Configuring Harbor with HTTPS Access。

  • storage配置
    默认情况下,Harbor是把镜像存储在本地文件系统中的。但是在生产环境中你可能会考虑到使用其他的存储方案来代替本地存储。比如S3、Openstack Swift、Ceph等等。那么这个时候你就需要更改common/templates/registry/config.yml中的存储配置部分。例如:

storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /storage
    maintenance:
        uploadpurging:
            enabled: false
    delete:
        enabled: true
  • 自定义ngnix监听端口

修改docker-compose.yml文件,替换80端口为任意存在未被占用的端口,比如10080

proxy:
    image: nginx:1.9
    container_name: nginx
    restart: always
    volumes:
      -./common/config/nginx:/etc/nginx
    ports:
      - 10080:80
      - 10443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address:"tcp://127.0.0.1:1514"
        tag: "proxy"

修改common/templates/registry/config.yml文件

auth:
  token:
    issuer:registry-token-issuer
    realm: $ui_url:28080/service/token
    rootcertbundle:/etc/registry/root.crt
    service: token-service

HTTPS协议的修改与自定义监听端口修改一样

  • Email设定

配置的邮件可以用户Harbor进行密码重置处理。

# Email accountsettings for sending out password resetting emails.

email_server =smtp.mydomain.com

email_server_port= 25

email_username [email protected]

email_password =abc

email_from =admin 

email_ssl =false

其他参数的修改,参见官方文档

5. 修改docker-compose.yml文件

这里要修改log、registry、mysql、adminserver、ui、jobservice、proxy服务volumes下面的宿主机路径,我们根据自己主机的文件路径修改。

version: '2'
services:
  log:
    image: vmware/harbor-log:v1.4.0
    container_name: harbor-log 
    restart: always
    volumes:
      - /Users/jackyue/data/harbor/data/log/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: vmware/registry-photon:v2.6.2-v1.4.0
    container_name: registry
    restart: always
    volumes:
      - /Users/jackyue/data/harbor_data/registry:/storage:z  
# harbor的默认镜像存储路径在/data/registry目录下,映射到docker容器里面的/storage目录下。建议harbor的应用程序路径和image存储路径分离,便于后期扩容
      - ./common/config/registry/:/etc/registry/:z
    ports:
     - 5000:5000
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.4.0
    container_name: harbor-db
    restart: always
    volumes:
      - /Users/jackyue/data/harbor_data/database:/var/lib/mysql:z
 # harbor的mysql数据也要与harbor应用程序分离
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.4.0
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /Users/jackyue/data/harbor/data/config/:/etc/adminserver/config/:z
      - /Users/jackyue/data/harbor/data/secretkey:/etc/adminserver/key:z
      # 从1.5.2起,secretkey是在harbor主目录下,因此需要整改路径
      - /Users/jackyue/data/harbor/data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.4.0
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /Users/jackyue/data/harbor/data/secretkey:/etc/ui/key:z
      - /Users/jackyue/data/harbor/data/ca_download/:/etc/ui/ca/:z
      - /Users/jackyue/data/harbor/data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.4.0
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /Users/jackyue/data/harbor/data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /Users/jackyue/data/harbor/data/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx-photon:v1.4.0
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 10080:80
      - 10443:443
      - 4443:4443
    depends_on:
      - mysql         
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false

修改完之后,还要修改上述宿主机路径下文件夹和文件的权限(我直接设成了777),否则容器启动时会报Operation not permitted的错误。

6. 安装并启动harbor

使用脚本安装

$ sudo ./install.sh

稍等片刻,当出现以下片段后,harbor安装完成

----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.43.210. 
For more details, please visit https://github.com/vmware/harbor .

使用docker-compose ps检查7个服务是否启动;若状态都显示up,则harbor安装启动成功

$ sudo docker-compose ps

  Name                     Command                 State                                     Ports                               
--------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up                                                                              
harbor-db            /usr/local/bin/docker-entr ...   Up           3306/tcp                                                           
harbor-jobservice    /harbor/start.sh                 Up                                                                              
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up           127.0.0.1:1514->10514/tcp                                          
harbor-ui            /harbor/start.sh                 Up                                                                              
nginx                nginx -g daemon off;             Up           0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:10080->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Restarting 

# docker login xx.xxx.xx.xx:5000           

在浏览器输入harbor.cfg中配置的主机名和docker-compose.yml文件proxy ports下对应80端口的宿主机端口号,即192.168.43.210:10080。然后使用默认的admin/Harbor12345登录。

harbor安装记录_第4张图片

7. harbor生命周期管理

你可以使用docker-compose来管理Harbor的生命周期。 一些有用的命令列出如下(必须在与docker-compose.yml相同的目录中运行)。

$ sudo docker-compose stop  # 停止harbor

$ sudo docker-compose start # 启动harbor

8. 更改Harbor的配置,重新安装

更改Harbor的配置,首先停止现有的Harbor实例,更新harbour.cfg,然后再次运行install.sh:

$ sudo docker-compose down

$ vim harbor.cfg

$ sudo ./install.sh

9. 问题总结

  • 记录1
# docker push xx.xxx.xx.xx/calico/node

The push refers to a repository [xx.xxx.xx.xx/calico/node]

5a5054a0b567: Preparing

dc759f36d103: Preparing

0ae8598a5313: Preparing

b7fc58bf47e2: Preparing

799d9a47057e: Waiting

503925f2fc18: Waiting

unauthorized: authentication required

如果权限没有问题,那问题就在Harbor里面没有calico项目:Harbor要求xx.xxx.xx.xx/calico/node中第一个/后面的字段为项目名称,必须存在这个项目名称,否则就会报错误。我们可以登陆Harbor的web界面,创建calico项目。

  • 记录2

Harbor只支持Registry V2 API,因此你需要使用Docker1.6以及以上的客户端。

  • 记录3
# curl https://192.168.1.200/v2/

curl: (60) Peer's Certificate issuer is notrecognized.

More details here:http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verificationby default, using a "bundle"

ofCertificate Authority (CA) public keys (CA certs). If the default

bundlefile isn't adequate, you can specify an alternate file

using the --cacert option.

If this HTTPS server uses a certificatesigned by a CA represented in

thebundle, the certificate verification probably failed due to a

problem with the certificate (it might beexpired, or the name might

notmatch the domain name in the URL).

If you'd like to turn off curl'sverification of the certificate, use

the -k (or --insecure) option.

此种情况多发生在自签名的证书,报错含义是签发证书机构未经认证,无法识别。

解决办法是把签发该证书的私有CA公钥ca.crt文件内容,追加到/etc/pki/tls/certs/ca-bundle.crt。

# cat/etc/docker/certs.d/192.168.1.200/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt


# curl https://192.168.1.200/v2/

{"errors":[{"code":"UNAUTHORIZED","message":"authenticationrequired","detail":null}]}
  • 记录4
# docker pull xx.xxx.xx.xx:5000/vmware/harbor-db:0.4.5

Error response from daemon: Get https://xx.xxx.xx.xx:5000/v1/_ping:http: server gave HTTP response to HTTPS client

解决方法:修改/usr/lib/systemd/system/docker.service文件,在ExecStart中添加–insecure-registry内容:

ExecStart=/usr/bin/dockerd --insecure-registry=xx.xxx.xx.xx:5000

然后重启Docker服务:

# systemctl restart docker

然后再登录执行pull就可以了:

# docker login xx.xxx.xx.xx:5000

Username: admin
Password:
Login Succeeded

# docker pull xx.xxx.xx.xx:5000/calico/node

Using default tag: latest
latest: Pulling from calico/node
dd951796ec8a: Pull complete
2ed92f708362: Pull complete
1703d9b705ad: Pull complete
a45fbe27e680: Pull complete
8c874d304eb0: Pull complete
0b3e16347231: Pull complete
4670f2d45133: Pull complete
Digest:sha256:2585b48d929f6279637b27c85725cef44ec4cafaee3dafaa99ca3b1756e5a525

Status: Downloaded newer image for xx.xxx.xx.xx:5000/calico/node:latest

你可能感兴趣的:(Docker)