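Docker----A Simple Harbor Deployment

I. Introduction to Harbor

For details, see the official documentation: https://goharbor.io/docs/1.10/

1. What is Harbor

Harbor is an enterprise-grade registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity, and management. As an enterprise private registry server, Harbor offers better performance and security, and makes it more efficient to transfer images between the registry and build and runtime environments. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so data and intellectual property stay under control inside the company's internal network. Harbor also provides advanced security features such as management, access control, and activity auditing.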

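2. Harbor features

  • Role-based access control: users and Docker image repositories are organized through "projects"; a user can hold different permissions on multiple image repositories within the same namespace (project).
  • Image replication: images can be replicated (synchronized) between multiple registry instances. This is especially suited to load balancing, high availability, hybrid-cloud, and multi-cloud scenarios.
  • Graphical user interface: users can browse and search the current Docker image repositories in a browser, and manage projects and namespaces.
  • AD/LDAP support: Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorization management.
  • Audit management: all operations on image repositories can be recorded and traced for auditing.
  • Internationalization: localized versions exist in English, Chinese, German, Japanese, and Russian. More languages will be added.
  • RESTful API: the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
  • Easy deployment: online and offline installers are provided, and Harbor can also be installed as a virtual appliance on the vSphere platform (OVA).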

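3. Harbor components

  • Harbor's Registry, UI, token, and other services sit behind a front-end reverse proxy that receives all requests from browsers and Docker clients and forwards them to the appropriate back-end service.
  • Registry: stores Docker images and handles docker push/pull commands. Because access control is enforced per user, that is, different users have different read/write permissions on Docker images, the Registry points to a token service and requires every docker pull/push request to carry a valid token; the Registry verifies the token's signature with a public key.
  • Core services: Harbor's core functionality, providing mainly the following services:
    • UI: a graphical interface that helps users manage images on the Registry and authorize users
    • WebHook: so that changes in image state on the Registry are picked up promptly, a webhook is configured on the Registry that passes state changes to the UI module.
    • Token: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the Registry service that carries no token is redirected here; once it has a token, the client sends the request to the Registry again
  • Database: provides database services for the core services and stores user permissions, audit logs, Docker image grouping information, and other data
  • Job Services: provides remote image replication, which can synchronize local images to other Harbor instances.
  • Log Collector: collects the logs of the other components to help monitor Harbor, for later analysis.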
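
The token exchange described under Registry and Token above, as an added example that is not part of the original post: in the Docker Registry v2 token scheme, a request without a token is answered with a 401 response carrying a `WWW-Authenticate: Bearer` challenge that names the token service, and the client then requests a token from that service. The header values are constructed samples and the function names are made up for this sketch; it also flags a challenge whose realm is plain HTTP, which is what the http-only setup later in this post produces.

```shell
#!/bin/sh
# Added example: parse a Docker Registry v2 Bearer challenge and derive the
# token request the client sends next. All header values are constructed.

# challenge_param HEADER NAME -> prints the value of NAME="..." in the header
challenge_param() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# token_request_url HEADER -> URL the client fetches (with its credentials)
# to obtain a token; values are left unencoded here for readability
token_request_url() {
    realm=$(challenge_param "$1" realm)
    service=$(challenge_param "$1" service)
    scope=$(challenge_param "$1" scope)
    [ -n "$realm" ] || return 1
    printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# realm_is_cleartext HEADER -> exit 0 when the token service is reached over
# plain HTTP, so the login credentials and the issued token are unencrypted
realm_is_cleartext() {
    case "$(challenge_param "$1" realm)" in
        http://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of a registry's answer to a pull request without a token
SAMPLE='WWW-Authenticate: Bearer realm="http://192.168.10.38/service/token",service="harbor-registry",scope="repository:library/nginx:pull"'

token_request_url "$SAMPLE"
if realm_is_cleartext "$SAMPLE"; then
    echo "warning: token realm is http://, credentials and tokens are sent unencrypted"
fi
```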

II. Installation and deployment

Official download page: https://github.com/goharbor/harbor/releases
Download the offline package:

wget https://github.com/goharbor/harbor/releases/download/v1.10.3/harbor-offline-installer-v1.10.3.tgz
tar -zxvf harbor-offline-installer-v1.10.3.tgz

Edit the configuration file harbor.yml: set hostname (an IP address is fine) and comment out the https section to avoid the error ERROR:root:Error: The protocol is https but attribute ssl_cert is not set

...
hostname: 192.168.10.38
...
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
...

Run the following to install (with Charts enabled):
sudo ./prepare
sudo ./install.sh --with-chartmuseum

--with-chartmuseum: enables Helm Charts
--with-clair: enables Clair
--with-notary: enables Notary; requires https

qj@deepin:/data/docker/harbor$ ./prepare 
prepare base dir is set to /data/docker/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
qj@deepin:/data/docker/harbor$ sudo ./install.sh --with-chartmuseum

[Step 0]: checking if docker is installed ...

Note: docker version: 18.09.6

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.26.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v1.10.3
Loaded image: goharbor/harbor-db:v1.10.3
Loaded image: goharbor/clair-photon:v1.10.3
Loaded image: goharbor/harbor-registryctl:v1.10.3
Loaded image: goharbor/redis-photon:v1.10.3
Loaded image: goharbor/nginx-photon:v1.10.3
Loaded image: goharbor/clair-adapter-photon:v1.10.3
Loaded image: goharbor/harbor-log:v1.10.3
Loaded image: goharbor/notary-server-photon:v1.10.3
Loaded image: goharbor/notary-signer-photon:v1.10.3
Loaded image: goharbor/harbor-migrator:v1.10.3
Loaded image: goharbor/chartmuseum-photon:v1.10.3
Loaded image: goharbor/prepare:v1.10.3
Loaded image: goharbor/harbor-portal:v1.10.3
Loaded image: goharbor/harbor-jobservice:v1.10.3
Loaded image: goharbor/registry-photon:v1.10.3

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /data/docker/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/chartserver/env
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/db/env
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating harbor-log ... done
Creating registry      ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating redis         ... done
Creating registryctl   ... done
Creating chartmuseum   ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

Open the IP address set as hostname in a browser. The default login account and password are admin/Harbor12345
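
A check for the two settings this walkthrough leaves weak, the commented-out https block in harbor.yml and the default admin password, as an added example that is not part of the original post or of Harbor itself. It assumes the `harbor_admin_password` key of harbor.yml; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a harbor.yml for the commented-out https block and the
# default admin password. The file written below is a constructed sample.

# yaml_value FILE KEY -> value of the first uncommented "KEY: value" line
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#[:space:]][^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# audit_harbor_yml FILE -> prints one FAIL line per finding; exit 0 when clean
audit_harbor_yml() {
    findings=0
    if ! grep -Eq '^https:' "$1"; then
        echo "FAIL https section is commented out: UI, logins and tokens use plain HTTP"
        findings=$((findings + 1))
    else
        for key in certificate private_key; do
            val=$(yaml_value "$1" "$key")
            case "$val" in
                ''|/your/*) echo "FAIL https.$key is not set to a real path"
                            findings=$((findings + 1)) ;;
            esac
        done
    fi
    if [ "$(yaml_value "$1" harbor_admin_password)" = "Harbor12345" ]; then
        echo "FAIL harbor_admin_password is still the default Harbor12345"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the settings used in this walkthrough
demo=$(mktemp)
cat > "$demo" <<'EOF'
hostname: 192.168.10.38
http:
  port: 80
#https:
  #port: 443
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
harbor_admin_password: Harbor12345
EOF
audit_harbor_yml "$demo" || true
rm -f "$demo"
```

Run it against the real harbor.yml before `./prepare`; a clean result prints nothing and exits 0.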