Docker 搭建私有仓库 Harbor
文章目录
- Harbor 概述
-
- 简介
- 特性
- Harbor组件
- 安装 Harbor
Harbor 概述
简介
Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,通过添加一些企业必需的功能特性,例如安全、标识和管理等,扩展了开源Docker Distribution。作为一个企业级私有Registry服务器,Harbor提供了更好的性能和安全。提升用户使用Registry构建和运行环境传输镜像的效率。Harbor支持安装在多个Registry节点的镜像资源复制,镜像全部保存在私有Registry中, 确保数据和知识产权在公司内部网络中管控。另外,Harbor也提供了高级的安全特性,诸如用户管理,访问控制和活动审计等。
特性
- 基于角色的访问控制 :用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。
- 镜像复制 : 镜像可以在多个Registry实例中复制(同步)。尤其适合于负载均衡,高可用,混合云和多云的场景。
- 图形化用户界面 : 用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间。
- AD/LDAP 支持 : Harbor可以集成企业内部已有的AD/LDAP,用于鉴权认证管理。
- 审计管理 : 所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。
- RESTful API : RESTful API 提供给管理员对于Harbor更多的操控, 使得与其它管理软件集成变得更容易。
Harbor组件
- Harbor在架构上主要由6个组件构成:
- Proxy:Harbor的registry, UI, token等服务,通过一个前置的反向代理统一接收浏览器、Docker客户端的请求,并将请求转发给后端不同的服务。
- Registry: 负责储存Docker镜像,并处理docker push/pull 命令。由于我们要对用户进行访问控制,即不同用户对Docker image有不同的读写权限,Registry会指向一个token服务,强制用户的每次docker pull/push请求都要携带一个合法的token, Registry会通过公钥对token 进行解密验证。
- Core services: 这是Harbor的核心功能,主要提供以下服务:
- UI:提供图形化界面,帮助用户管理registry上的镜像(image), 并对用户进行授权。
- webhook:为了及时获取registry 上image状态变化的情况, 在Registry上配置webhook,把状态变化传递给UI模块。
- token 服务:负责根据用户权限给每个docker push/pull命令签发token. Docker 客户端向Regiøstry服务发起的请求,如果不包含token,会被重定向到这里,获得token后再重新向Registry进行请求。
- Database:为core services提供数据库服务,负责储存用户权限、审计日志、Docker image分组信息等数据。
- Job Services:提供镜像远程复制功能,可以把本地镜像同步到其他Harbor实例中。
- Log collector:为了帮助监控Harbor运行,负责收集其他组件的log,供日后进行分析。
安装 Harbor
1、上传 harbor-offline-installer-v1.2.2.tgz 压缩包 到 /opt 目录,并解压
[root@harbor opt]# ll
总用量 521256
drwx--x--x 4 root root 28 8月 30 17:18 containerd
-rw-r--r-- 1 root root 533765727 8月 30 19:02 harbor-offline-installer-v1.2.2.tgz
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
[root@harbor opt]# tar zxf harbor-offline-installer-v1.2.2.tgz -C /usr/local
2、配置 harbor 参数文件
[root@harbor opt]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common docker-compose.notary.yml harbor_1_1_0_template harbor.v1.2.2.tar.gz LICENSE prepare
docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh NOTICE upgrade
[root@harbor harbor]# vim harbor.cfg
1 ## Configuration file of Harbor
2
3 #The IP address or hostname to access admin UI and registry service.
4 #DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
5 hostname = 192.168.177.106
3、执行 install.sh 安装脚本
[root@harbor harbor]# sh install.sh
......省略部分内容
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.177.106.
For more details, please visit https://github.com/vmware/harbor .
[root@harbor harbor]#
[root@harbor harbor]# docker-compose ps //docker-compose需要提前安装好
Name Command State Ports
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/harbor_adminserver Up
harbor-db docker-entrypoint.sh mysqld Up 3306/tcp
harbor-jobservice /harbor/harbor_jobservice Up
harbor-log /bin/sh -c crond && rm -f ... Up 127.0.0.1:1514->514/tcp
harbor-ui /harbor/harbor_ui Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:4443->4443/tcp,:::4443->4443/tcp,
0.0.0.0:80->80/tcp,:::80->80/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
[root@harbor harbor]#
Harbor是通过docker compose来部署的,这也是为什么在装Harbor之前,需要安装docker-compose.接下来讲一下上图中设计到的各个模块的详细部分.
- Proxy:对应启动组件nginx,是一个nginx反向代理.Harbor的registry,UI,token services等组件,都处在一个反向代理后边,该代理负责将来自浏览器,docker clients的请求转发到后端服务上
- Registry:对应启动组件registry.负责存储Docker镜像文件,以及处理Docker的push,pull等请求.Harbor对镜像进行强制的访问控制,Registry会将客户端的每个pull,push请求转发到token服务来获取有效的token.
- Core services:Harbor的核心功能,主要包括3个服务:UI,Job services和Log collector.
- UI:对应启动组件harbor-ui.以图像用户界面的方式,辅助用户管理镜像,我个人觉得这样使得使用Harbor时,更加友好.
- Job services:对应启动组件harbor-jobservice,主要用于镜像复制,和registry通信,本地镜像可以push到Harbor镜像仓库中,同样也可以从Harbor镜像仓库中pull到本地,同时记录job_log.
- Log collector:对应启动组件harbor-log.负责收集其他模块的日志到一个地方
- Database:对应启动组件harbor-db.负责存储project,user,role,replication等的metadata数据.
- adminserver:对应启动组件harbor-adminserver.是系统的配置管理中心,当ui和jobserver启动时,需要加载adminserver的配置
这几个容器通过Docker link的形式连接在一起,这样,在容器之间可以通过容器名字互相访问。对终端用户而言,只需要暴露proxy (即Nginx)的服务端口
4、在宿主机浏览器访问harbor页面
输入:192.168.177.106:80
用户名是 admin ,密码可以在harbor.cfg 配置文件中找到
5、测试镜像的上传下载
[root@harbor harbor]# docker pull cirros //拉取官方提供的测试镜像
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@harbor harbor]#
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
cirros latest f9cae1daf5f6 5 months ago 12.6MB
vmware/harbor-log v1.2.2 36ef78ae27df 3 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 3 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 3 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 3 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 3 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 3 years ago 144MB
......省略
[root@harbor harbor]# docker tag cirros:latest 192.168.177.106/test/cirros:test //上传镜像之前需要先打标签
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.177.106/test/cirros test f9cae1daf5f6 5 months ago 12.6MB
cirros latest f9cae1daf5f6 5 months ago 12.6MB
vmware/harbor-log v1.2.2 36ef78ae27df 3 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 3 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 3 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 3 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 3 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 3 years ago 144MB
......省略
[root@harbor harbor]# docker login -u admin -p Harbor http://192.168.177.106 //登录harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://192.168.177.106/v2/": dial tcp 192.168.177.106:443: connect: connection refused
//报错原因:默认登陆的是443端口,而我们并没有启用
[root@harbor harbor]#
解决登录报错
[root@harbor harbor]# vim /usr/lib/systemd/system/docker.service
//跳转到13行,添加 --insecure-registry 192.168.177.106
13 ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.177.106 --containerd=/run/containerd/containerd.sock
[root@harbor harbor]# systemctl daemon-reload
[root@harbor harbor]# systemctl restart docker
登录harbor仓库
[root@harbor harbor]# docker-compose ps //登录之前查看harbor的所有容器状态是否都是UP状态
Name Command State Ports
----------------------------------------------------------------------------------------
harbor-adminserver /harbor/harbor_adminserver Up
harbor-db docker-entrypoint.sh mysqld Up 3306/tcp
harbor-jobservice /harbor/harbor_jobservice Up
harbor-log /bin/sh -c crond && rm -f ... Up 127.0.0.1:1514->514/tcp
harbor-ui /harbor/harbor_ui Up
nginx nginx -g daemon off; Exit 128
registry /entrypoint.sh serve /etc/ ... Exit 2
[root@harbor harbor]# docker-compose up -d //发现nginx和registry退出了,需要重新启动
harbor-log is up-to-date
harbor-adminserver is up-to-date
harbor-db is up-to-date
Starting registry ... done
harbor-ui is up-to-date
Starting nginx ...
Starting nginx ... done
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://192.168.177.106 //登录harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded //登录成功
[root@harbor harbor]#
测试推送镜像到harbor仓库
[root@harbor harbor]# docker push 192.168.177.106/test/cirros:test
The push refers to repository [192.168.177.106/test/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
test: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
[root@harbor harbor]#
删除原本的镜像之后,测试从harbor仓库拉取镜像
[root@harbor harbor]# docker rmi 192.168.177.106/test/cirros:test
Untagged: 192.168.177.106/test/cirros:test
Untagged: 192.168.177.106/test/cirros@sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
[root@harbor harbor]# docker rmi cirros:latest
Untagged: cirros:latest
Untagged: cirros@sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Deleted: sha256:f9cae1daf5f682cb6403a766b3e6afd73a102296910f27ea1ec392b54dc0c188
Deleted: sha256:b6a4b8a7f1df2b043c77d6e745f69bba4a7aacbb0b4838ecde454ed0168a83e5
Deleted: sha256:96b1d95161fdf5dadd619c5f06ae9fa0c80bd501747ddad3da110439df019880
Deleted: sha256:e52d19c3bee2bad632c72694ab1239f360f52e989629969eb7e51b66c32430fa
[root@harbor harbor]# docker pull 192.168.177.106/test/cirros:test
test: Pulling from test/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for 192.168.177.106/test/cirros:test
192.168.177.106/test/cirros:test
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.177.106/test/cirros test f9cae1daf5f6 5 months ago 12.6MB
vmware/harbor-log v1.2.2 36ef78ae27df 3 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 3 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 3 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 3 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 3 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 3 years ago 144MB
vmware/registry 2.6.2-photon 5d9100e4350e 4 years ago 173MB
vmware/postgresql 9.6.4-photon c562762cbd12 4 years ago 225MB
vmware/clair v2.0.1-photon f04966b4af6c 4 years ago 297MB
vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 4 years ago 324MB
vmware/notary-photon signer-0.5.0 b1eda7d10640 4 years ago 156MB
vmware/notary-photon server-0.5.0 6e2646682e3c 4 years ago 157MB
photon 1.0 e6e4e4a2ba1b 5 years ago 128MB
[root@harbor harbor]#