Setting Up a Private Docker Registry with Harbor

Table of contents

  • Harbor overview
    • Introduction
    • Features
    • Harbor components
  • Installing Harbor

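Harbor overview

Introduction

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and makes it more efficient to transfer images between the environments where users build and run them. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.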

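Features

  • Role-based access control: users and Docker image repositories are organized through "projects", and a user can hold different permissions on the different image repositories within the same namespace (project).
  • Image replication: images can be replicated (synchronized) between multiple registry instances. This is especially suited to load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
  • Graphical user interface: users can browse and search the Docker image repositories and manage projects and namespaces from a browser.
  • AD/LDAP support: Harbor can integrate with an existing enterprise AD/LDAP for authentication and authorization management.
  • Audit management: every operation against the image repositories can be recorded and traced for auditing.
  • RESTful API: the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.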

Harbor components


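  • Architecturally, Harbor consists of 6 main components:
    • Proxy: Harbor's registry, UI, token and other services sit behind a front-end reverse proxy that receives all requests from browsers and Docker clients and forwards them to the appropriate back-end service.
    • Registry: stores Docker images and handles docker push/pull commands. Because access must be controlled per user (different users have different read and write permissions on Docker images), the Registry points to a token service and requires every docker pull/push request to carry a valid token. The Registry verifies the token using a public key.
    • Core services: Harbor's core functionality, which mainly provides the following services:
      • UI: a graphical interface that helps users manage the images on the registry and authorizes users.
      • webhook: to learn promptly about changes in the state of images on the registry, a webhook is configured on the Registry that passes state changes to the UI module.
      • token service: issues a token for each docker push/pull command according to the user's permissions. A request from a Docker client to the Registry that carries no token is redirected here; after obtaining a token, the client sends the request to the Registry again.
    • Database: provides the database service for the core services and stores user permissions, audit logs, Docker image grouping information and other data.
    • Job Services: provides remote image replication, which can synchronize local images to other Harbor instances.
    • Log collector: collects the logs of the other components to help monitor Harbor and to allow later analysis.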
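
The token exchange described for the Registry and the token service above, as an added example that is not from the original post: it parses a constructed challenge header, builds the token request the client sends next, and decodes the claims of a constructed token. The realm path, service name and claim values are assumed sample values, and no signature is produced or verified here.

```shell
#!/bin/sh
# Added example: the three artifacts of the registry token handshake.

# Constructed sample of the challenge returned for a request without a token;
# the realm path and service name are assumed values.
CHALLENGE='Www-Authenticate: Bearer realm="http://192.168.177.106/service/token",service="harbor-registry"'

# Constructed claims: what the token allows, per repository and action.
SAMPLE_CLAIMS='{"sub":"admin","access":[{"type":"repository","name":"test/cirros","actions":["pull","push"]}]}'

# Extract one key="value" parameter from a Bearer challenge header.
challenge_param() {  # challenge_param HEADER KEY
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# URL the client requests next, with its credentials, to obtain a token
# scoped to one repository and a set of actions.
token_url() {  # token_url HEADER REPOSITORY ACTIONS
    printf '%s?service=%s&scope=repository:%s:%s\n' \
        "$(challenge_param "$1" realm)" "$(challenge_param "$1" service)" "$2" "$3"
}

# base64 -> base64url without padding, as used in JWT segments.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed token in JWT layout (header.claims.signature). The signature is
# a placeholder: a real one is made with the token service's private key.
sample_token() {
    printf '%s.%s.%s\n' \
        "$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)" \
        "$(printf '%s' "$SAMPLE_CLAIMS" | b64url)" \
        "placeholder-signature"
}

# Decode the claims segment: base64url -> padded base64 -> JSON.
jwt_claims() {  # jwt_claims TOKEN
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
    printf '%s' "$seg" | base64 -d
}

echo "1. registry -> client: 401 + $CHALLENGE"
echo "2. client -> token service: GET $(token_url "$CHALLENGE" test/cirros pull,push)"
echo "3. client -> registry: Authorization: Bearer <token>, claims:"
jwt_claims "$(sample_token)"; echo
```

The `access` claim is what limits a token to specific repositories and actions, so a token issued for `pull` on one project does not authorize a `push` to another.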

Installing Harbor

1. Upload the harbor-offline-installer-v1.2.2.tgz archive to the /opt directory and extract it

[root@harbor opt]# ll
总用量 521256
drwx--x--x  4 root root        28 8月  30 17:18 containerd
-rw-r--r--  1 root root 533765727 8月  30 19:02 harbor-offline-installer-v1.2.2.tgz
drwxr-xr-x. 2 root root         6 10月 31 2018 rh
[root@harbor opt]# tar zxf harbor-offline-installer-v1.2.2.tgz -C /usr/local

2. Edit the Harbor configuration file

[root@harbor opt]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common                    docker-compose.notary.yml  harbor_1_1_0_template  harbor.v1.2.2.tar.gz  LICENSE  prepare
docker-compose.clair.yml  docker-compose.yml         harbor.cfg             install.sh            NOTICE   upgrade
[root@harbor harbor]# vim harbor.cfg 

## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 192.168.177.106

3. Run the install.sh installation script

[root@harbor harbor]# sh install.sh
...... (part of the output omitted)
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.177.106. 
For more details, please visit https://github.com/vmware/harbor .

[root@harbor harbor]# 
[root@harbor harbor]# docker-compose ps # docker-compose must be installed beforehand
       Name                     Command               State                                                       Ports                                                    
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                                                                                                   
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp                                                                                                     
harbor-jobservice    /harbor/harbor_jobservice        Up                                                                                                                   
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp                                                                                      
harbor-ui            /harbor/harbor_ui                Up                                                                                                                   
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:4443->4443/tcp,:::4443->4443/tcp,                              
                                                              0.0.0.0:80->80/tcp,:::80->80/tcp                                                                             
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp                                                                                                     
[root@harbor harbor]# 

Harbor is deployed with docker compose, which is why docker-compose has to be installed before Harbor. The modules shown above are described in more detail below.

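  • Proxy: corresponds to the nginx container, an nginx reverse proxy. Harbor's registry, UI, token services and other components all sit behind this reverse proxy, which forwards requests from browsers and docker clients to the back-end services.
  • Registry: corresponds to the registry container. It stores Docker image files and handles Docker push, pull and similar requests. Harbor enforces access control on images, so the Registry directs every pull and push request from a client to the token service to obtain a valid token.
  • Core services: Harbor's core functionality, which mainly comprises 3 services: UI, Job services and Log collector.
    • UI: corresponds to the harbor-ui container. It helps users manage images through a graphical user interface; personally, I think this makes Harbor friendlier to use.
    • Job services: corresponds to the harbor-jobservice container. It is mainly used for image replication and communicates with the registry; local images can be pushed to the Harbor registry and likewise pulled from the Harbor registry to the local host, and it records job_log.
    • Log collector: corresponds to the harbor-log container. It collects the logs of the other modules in one place.
  • Database: corresponds to the harbor-db container. It stores metadata for projects, users, roles, replication and so on.
  • adminserver: corresponds to the harbor-adminserver container. It is the system's configuration management center; when ui and jobserver start, they need to load configuration from adminserver.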

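These containers are connected to one another through Docker links, so they can reach each other by container name. For end users, only the service port of the proxy (that is, Nginx) needs to be exposed.

4. Open the Harbor page in a browser on the host

Enter: 192.168.177.106:80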
The username is admin; the password can be found in the harbor.cfg configuration file.

5. Test pushing and pulling an image

[root@harbor harbor]# docker pull cirros # pull the official test image
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete 
bd054094a037: Pull complete 
c6a00de1ec8a: Pull complete 
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@harbor harbor]# 
[root@harbor harbor]# docker images
REPOSITORY                  TAG               IMAGE ID       CREATED        SIZE
cirros                      latest            f9cae1daf5f6   5 months ago   12.6MB
vmware/harbor-log           v1.2.2            36ef78ae27df   3 years ago    200MB
vmware/harbor-jobservice    v1.2.2            e2af366cba44   3 years ago    164MB
vmware/harbor-ui            v1.2.2            39efb472c253   3 years ago    178MB
vmware/harbor-adminserver   v1.2.2            c75963ec543f   3 years ago    142MB
vmware/harbor-db            v1.2.2            ee7b9fa37c5d   3 years ago    329MB
vmware/nginx-photon         1.11.13           6cc5c831fc7f   3 years ago    144MB
...... (omitted)
[root@harbor harbor]# docker tag cirros:latest 192.168.177.106/test/cirros:test # an image must be tagged before it can be pushed
[root@harbor harbor]# docker images
REPOSITORY                    TAG               IMAGE ID       CREATED        SIZE
192.168.177.106/test/cirros   test              f9cae1daf5f6   5 months ago   12.6MB
cirros                        latest            f9cae1daf5f6   5 months ago   12.6MB
vmware/harbor-log             v1.2.2            36ef78ae27df   3 years ago    200MB
vmware/harbor-jobservice      v1.2.2            e2af366cba44   3 years ago    164MB
vmware/harbor-ui              v1.2.2            39efb472c253   3 years ago    178MB
vmware/harbor-adminserver     v1.2.2            c75963ec543f   3 years ago    142MB
vmware/harbor-db              v1.2.2            ee7b9fa37c5d   3 years ago    329MB
vmware/nginx-photon           1.11.13           6cc5c831fc7f   3 years ago    144MB
...... (omitted)
[root@harbor harbor]# docker login -u admin -p Harbor http://192.168.177.106 # log in to Harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://192.168.177.106/v2/": dial tcp 192.168.177.106:443: connect: connection refused
# Cause of the error: login defaults to port 443, which we have not enabled
[root@harbor harbor]# 

Fixing the login error

[root@harbor harbor]# vim /usr/lib/systemd/system/docker.service
# Go to line 13 and add --insecure-registry 192.168.177.106
13 ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.177.106 --containerd=/run/containerd/containerd.sock

[root@harbor harbor]# systemctl daemon-reload
[root@harbor harbor]# systemctl restart docker

Logging in to the Harbor registry

[root@harbor harbor]# docker-compose ps # before logging in, check that all Harbor containers are in the Up state
       Name                     Command                State              Ports         
----------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                
harbor-db            docker-entrypoint.sh mysqld      Up         3306/tcp               
harbor-jobservice    /harbor/harbor_jobservice        Up                                
harbor-log           /bin/sh -c crond && rm -f  ...   Up         127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up                                
nginx                nginx -g daemon off;             Exit 128                          
registry             /entrypoint.sh serve /etc/ ...   Exit 2                            
[root@harbor harbor]# docker-compose up -d # nginx and registry have exited and need to be started again
harbor-log is up-to-date
harbor-adminserver is up-to-date
harbor-db is up-to-date
Starting registry ... done
harbor-ui is up-to-date
Starting nginx    ... 
Starting nginx    ... done
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://192.168.177.106 # log in to Harbor
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded # login successful
[root@harbor harbor]# 
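
An added example (not part of the original walkthrough) that checks copies of the three files touched so far for the conditions behind the warnings above: a plain-HTTP registry, the admin password shown in the login command, the `--insecure-registry` flag, and inline credentials in config.json. `ui_url_protocol` and `harbor_admin_password` are harbor.cfg keys that this page does not show, and all file contents are constructed samples.

```shell
#!/bin/sh
# Added example: checks for the settings this walkthrough leaves behind.

# Print the value of "key = value" from a harbor.cfg-style file.
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# harbor.cfg: plain-HTTP endpoint, admin password left at the walkthrough value.
audit_harbor_cfg() {  # audit_harbor_cfg FILE -> one finding per line
    proto=$(cfg_get "$1" ui_url_protocol)
    [ "$proto" = "https" ] || echo "ui_url_protocol=${proto:-unset}: credentials and tokens sent in clear text"
    [ "$(cfg_get "$1" harbor_admin_password)" != "Harbor12345" ] || echo "harbor_admin_password unchanged"
}

# docker.service: registries the daemon contacts without TLS verification.
audit_dockerd_unit() {  # audit_dockerd_unit FILE -> one registry per line
    grep '^ExecStart=' "$1" | grep -o -- '--insecure-registry[= ][^ ]*' | sed 's/^--insecure-registry[= ]//'
}

# config.json: number of inline "auth" entries (base64 of user:password)
# when no credential store is configured.
audit_docker_config() {  # audit_docker_config FILE -> count
    if grep -q '"credsStore"' "$1"; then echo 0; return 0; fi
    grep -c '"auth"[[:space:]]*:[[:space:]]*"[^"]' "$1" || true
}

# Constructed sample inputs mirroring the state at the end of the login step.
write_samples() {  # write_samples DIR
    printf '%s\n' 'hostname = 192.168.177.106' 'ui_url_protocol = http' \
        'harbor_admin_password = Harbor12345' > "$1/harbor.cfg"
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.177.106 --containerd=/run/containerd/containerd.sock' \
        > "$1/docker.service"
    printf '%s\n' '{ "auths": { "192.168.177.106": {' \
        '    "auth": "Y29uc3RydWN0ZWQ6c2FtcGxl" } } }' > "$1/config.json"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_harbor_cfg "$demo_dir/harbor.cfg"
audit_dockerd_unit "$demo_dir/docker.service" | sed 's/^/insecure registry: /'
echo "inline credentials in config.json: $(audit_docker_config "$demo_dir/config.json")"
rm -rf "$demo_dir"
```

A deployment passes these checks once Harbor is served over HTTPS with a certificate, the admin password has been changed, the `--insecure-registry` flag is gone, and `docker login --password-stdin` is used together with a credential helper, as the Docker warnings above recommend.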

Testing an image push to the Harbor registry

[root@harbor harbor]# docker push 192.168.177.106/test/cirros:test
The push refers to repository [192.168.177.106/test/cirros]
984ad441ec3d: Pushed 
f0a496d92efa: Pushed 
e52d19c3bee2: Pushed 
test: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
[root@harbor harbor]#

After deleting the original images, test pulling the image from the Harbor registry

[root@harbor harbor]# docker rmi 192.168.177.106/test/cirros:test 
Untagged: 192.168.177.106/test/cirros:test
Untagged: 192.168.177.106/test/cirros@sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
[root@harbor harbor]# docker rmi cirros:latest 
Untagged: cirros:latest
Untagged: cirros@sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Deleted: sha256:f9cae1daf5f682cb6403a766b3e6afd73a102296910f27ea1ec392b54dc0c188
Deleted: sha256:b6a4b8a7f1df2b043c77d6e745f69bba4a7aacbb0b4838ecde454ed0168a83e5
Deleted: sha256:96b1d95161fdf5dadd619c5f06ae9fa0c80bd501747ddad3da110439df019880
Deleted: sha256:e52d19c3bee2bad632c72694ab1239f360f52e989629969eb7e51b66c32430fa
[root@harbor harbor]# docker pull 192.168.177.106/test/cirros:test
test: Pulling from test/cirros
d0b405be7a32: Pull complete 
bd054094a037: Pull complete 
c6a00de1ec8a: Pull complete 
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for 192.168.177.106/test/cirros:test
192.168.177.106/test/cirros:test
[root@harbor harbor]# docker images
REPOSITORY                    TAG               IMAGE ID       CREATED        SIZE
192.168.177.106/test/cirros   test              f9cae1daf5f6   5 months ago   12.6MB
vmware/harbor-log             v1.2.2            36ef78ae27df   3 years ago    200MB
vmware/harbor-jobservice      v1.2.2            e2af366cba44   3 years ago    164MB
vmware/harbor-ui              v1.2.2            39efb472c253   3 years ago    178MB
vmware/harbor-adminserver     v1.2.2            c75963ec543f   3 years ago    142MB
vmware/harbor-db              v1.2.2            ee7b9fa37c5d   3 years ago    329MB
vmware/nginx-photon           1.11.13           6cc5c831fc7f   3 years ago    144MB
vmware/registry               2.6.2-photon      5d9100e4350e   4 years ago    173MB
vmware/postgresql             9.6.4-photon      c562762cbd12   4 years ago    225MB
vmware/clair                  v2.0.1-photon     f04966b4af6c   4 years ago    297MB
vmware/harbor-notary-db       mariadb-10.1.10   64ed814665c6   4 years ago    324MB
vmware/notary-photon          signer-0.5.0      b1eda7d10640   4 years ago    156MB
vmware/notary-photon          server-0.5.0      6e2646682e3c   4 years ago    157MB
photon                        1.0               e6e4e4a2ba1b   5 years ago    128MB
[root@harbor harbor]# 
