docker-harbor仓库
参考: harbor-1, 官方安装, 离线安装-1, 离线安装-2
Harbor
Harbor是什么?
Harbor是VMware公司开源的企业级DockerRegistry项目,其目标是帮助用户迅速搭建一个企业级的Docker registry服务;
Harbor封装了docker的register v2, 给用户提供了许多便捷管理的特性,比如:管理UI,基于角色的访问控制(Role Based Access Control),AD/LDAP集成、以及审计日志(Auditlogging) 等企业用户需求的功能,同时还原生支持中文。
Harbor组件
| 名称 | 说明 |
|---|---|
| harbor-adminserver | 配置管理中心 |
| harbor-db | 数据库 |
| harbor-jobservice | 镜像复制等操作 |
| harbor-log | 日志功能 |
| harbor-ui | Web管理页面和API |
| nginx/proxy | 前端代理,负责前端页面 |
| redis | 会话 |
| registry | 镜像存储、仓库 |
特性
- 易于部署:可通过Docker compose或Helm Chart 部署 Harbor。
- 云原生注册表:Harbor 支持容器镜像和Helm图表,可作为容器原生运行时和编排平台等云原生环境的注册表。
- 基于角色控制:用户通过项目访问不同的存储库,并且用户可以对项目下的镜像或Helm图表具有不同的权限。
- 基于策略的复制:可以使用过滤器基于策略在多个注册表实例之间复制(同步)镜像和图表。
- 镜像删除和垃圾收集:系统管理员可以运行垃圾收集作业,以便可以删除镜像,并可以定期释放其空间。
- 漏洞扫描:Harbor会定期扫描映像中的漏洞,并进行策略检查以防止部署易受攻击的映像。
- 公证人:支持对容器镜像进行签名,以确保真实性和出处。
- 审核:通过日志跟踪对存储库的所有操作。
- 图形门户:用户可以轻松浏览,搜索存储库和管理项目。
- 外部集成:提供RESTful API有助于管理操作,并且易于与外部系统集成。
安装部署前置
安装方式
- 在线安装: 直接上docker hub 上下载image
- 离线安装:
https://github.com/goharbor/harbor/tags下载包安装
网络端口
| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor门户和核心API在此端口上接受HTTPS请求。您可以在配置文件中更改此端口 |
| 4443 | HTTPS | 与Harbor的Docker内容信任服务的连接。仅在启用公证人的情况下才需要。您可以在配置文件中更改此端口 |
| 80 | HTTP | Harbor门户和核心API在此端口上接受HTTP请求。您可以在配置文件中更改此端口 |
硬件
下表列出了用于部署Harbor的最低和建议的硬件配置。
| 资源资源 | 最低要求 | 推荐 |
|---|---|---|
| CPU | 2 CPU | 4 CPU |
| Mem | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |
软件
表格中的软件必须安装在目标主机上
| Software | Version | Description |
|---|---|---|
| Docker引擎 | 17.06.0-ce +或更高版本 | 安装说明, see docker engine doc |
| Docker Compose | 版本1.18.0或更高 | 安装说明, see docker compose doc |
| Openssl | 最好为最新 | 用于给harbor生成证书和keys |
安装步骤
- 安装过程包括以下步骤:
- 下载安装程序。
- 配置Harbor.yml文件。
- 运行install.sh脚本安装应用选项、安装或者启动harbor
- 下载安装
- 下载界面: Harbor releases page.
- 选择在线或离线版本
- 使用 tar 提供安装包
- 在线:
bash $ tar xvf harbor-online-installer-version.tgz - 离线:
bash $ tar xvf harbor-offline-installer-version.tgz
- 配置选项
安装 docker-compose
-
下载compose: https://github.com/docker/compose/releases
-
下载完之后复制到服务器上
~]# mv docker-compose-Linux-x86_64 /usr/local/bin/
~]# chmod +x /usr/local/bin/docker-compose-Linux-x86_64
~]# mv /usr/local/bin/docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
~]# docker-compose -v
docker-compose version 1.26.0, build d4451659
~]# docker --version
Docker version 19.03.5, build 633a0ea
生成证书
# 创建证书目录
mkdir -p /data/docker/harbor/cert && cd /data/docker/harbor/cert
# 生成私钥,需要设置密码
openssl genrsa -des3 -out harbor.key 2048
# 生成CA证书,需要输入密码
openssl req -sha512 -new -subj "/C=CN/ST=BJ/L=BJ/O=DEV/OU=DEV/CN=192.168.9.62" -key harbor.key -out harbor.csr
echo subjectAltName = IP:192.168.9.62 > extfile.cnf
# 备份证书
cp harbor.key harbor.key.org
# 退掉私钥密码,以便docker访问
openssl rsa -in harbor.key.org -out harbor.key
# 使用证书进行签名
openssl x509 -req -days 3650 -in harbor.csr -signkey harbor.key -extfile extfile.cnf -out harbor.crt
安装harbor
- 下载地址: 我们使用offine,https://github.com/goharbor/harbor/tags
-
解压
-
修改配置文件
]# egrep -v "^#|^$|[[:space:]]*#" harbor.yml
hostname: 192.168.9.62 # 主机名, 也可以是域名
http:
port: 20888 # http端口
https:
port: 20443 # 访问的https端口
certificate: /data/docker/harbor/cert/harbor.crt # 修改证书
private_key: /data/docker/harbor/cert/harbor.key
harbor_admin_password: uziKAb32sZFeYQ #这里是登陆密码
database:
password: root123
max_idle_conns: 50
max_open_conns: 100
data_volume: /data/docker/harbor/harbor_data # 数据卷
clair:
updaters_interval: 12
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
- 安装
]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.5
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/clair-adapter-photon:v1.0.1-v1.10.1
Loaded image: goharbor/harbor-jobservice:v1.10.1
Loaded image: goharbor/redis-photon:v1.10.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.10.1
Loaded image: goharbor/clair-photon:v2.1.1-v1.10.1
Loaded image: goharbor/harbor-log:v1.10.1
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.10.1
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.10.1
Loaded image: goharbor/harbor-registryctl:v1.10.1
Loaded image: goharbor/nginx-photon:v1.10.1
Loaded image: goharbor/harbor-migrator:v1.10.1
Loaded image: goharbor/prepare:v1.10.1
Loaded image: goharbor/harbor-portal:v1.10.1
Loaded image: goharbor/harbor-core:v1.10.1
Loaded image: goharbor/harbor-db:v1.10.1
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /data/docker/harbor/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
- 查看运行状态
]# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:20888->8080/tcp, 0.0.0.0:20443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
- 启动\停止
]# /usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml up
]# /usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping harbor-portal ... done
。。。。。。。
Removing network harbor_harbor
- 配置开机自启脚本
cat /usr/lib/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
访问
仓库使用
创建用户\项目
设置http仓库地址
]# docker login https://192.168.9.62:20443
Username: test
Password:
Error response from daemon: Get https://192.168.9.62:20443/v2/: x509: certificate signed by unknown authority
# 由于是私有仓库,采用的自建的 https 证书,这里就需要提供 ca 证书和私钥文件了,否则会出现证书校验失败的错误x509: certificate signed by unknown authority
]# cat /etc/docker/daemon.json
{
"registry-mirrors": [ # 镜像加速
"https://kfwkfulq.mirror.aliyuncs.com",
"https://2lqq34jg.mirror.aliyuncs.com",
"https://pee6w651.mirror.aliyuncs.com",
"https://registry.docker-cn.com",
"http://hub-mirror.c.163.com"
],
"exec-opts": ["native.cgroupdriver=systemd"], # 使用systemd
"insecure-registries": ["192.168.9.62:20443"], # 忽略证书问题
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
]# docker login https://192.168.9.62:20443 # 最后在登陆
Username: test
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传镜像
可以查看命令: 登陆harbor --> test项目 --> 镜像仓库 --> 推送镜像的docker命令
# 先打标签
]# docker tag v6-test:v8.5.51-jdk8u181-6 192.168.9.62:20443/test/v6-test:v8.5.51-jdk8u181-6
# 推送到仓库
]# docker push 192.168.9.62:20443/test/v6-test:v8.5.51-jdk8u181-6
