Deploying a Harbor Private Image Registry

Environment: all machines run CentOS 7.4

I. Deploy the Harbor image registry

Machine IP: 10.0.0.9 (Harbor server)

1. Download the Harbor archive to the /root directory on the server

[root@harbor ~]# wget https://ghproxy.com/https://github.com/goharbor/harbor/releases/download/v2.5.3/harbor-offline-installer-v2.5.3.tgz

[root@harbor ~]# tar xf harbor-offline-installer-v2.5.3.tgz



2. Installing Harbor requires docker-compose, so download Compose as well

[root@harbor ~]# curl -SL https://github.com/docker/compose/releases/download/v2.15.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose



[root@harbor ~]# chmod +x /usr/local/bin/docker-compose

[root@harbor ~]# cd harbor/

[root@harbor ~]# cp harbor.yml.tmpl harbor.yml

[root@harbor ~]# vim harbor.yml

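hostname: 192.168.137.51 (a hostname also works, provided DNS can resolve it; otherwise use the IP)

ui_url_protocol = https (add this only if you use HTTPS; otherwise leave it out and comment out the https lines, as shown below)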

# http related config

http:

  # port for http, default is 80. If https enabled, this port will redirect to https port

  port: 80



# https related config

#https:

  # https port for harbor, default is 443

#  port: 443

  # The path of cert and key files for nginx

#  certificate: /your/certificate/path

#  private_key: /your/private/key/path

Save and exit.

3. Install Docker

[root@harbor harbor]# wget -O /etc/yum.repos.d/docker-ce.repo https://repo.huaweicloud.com/docker-ce/linux/centos/docker-ce.repo

[root@harbor harbor]# sudo sed -i 's+download.docker.com+repo.huaweicloud.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo

[root@harbor harbor]# yum install docker-ce -y

[root@harbor harbor]# systemctl start docker && systemctl enable docker

4. Install Harbor

[root@harbor harbor]# ./install.sh

When the installation finishes, the installer prints:

✔ ----Harbor has been installed and started successfully.----

Listing the listening ports shows that port 80 is now in use:

[root@harbor harbor]# netstat -lntup

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   

tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      8732/docker-proxy  

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9273/docker-proxy  

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      808/sshd           

tcp6       0      0 :::80                   :::*                    LISTEN      9277/docker-proxy  

tcp6       0      0 :::22                   :::*                    LISTEN      808/sshd      

     

Access from a browser:

http://10.0.0.9


Login account: admin

Login password: the one set in harbor.yml as harbor_admin_password: Harbor12345


Using the Harbor registry

1. Create a project (set the access level to public, otherwise curl commands accessing the API port)


2. Create a user


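3. Grant project access

Go back to the project list, open the jenkins project, click Members, add the newly created user, and grant it administrator permissions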


Click OK.

The newly created jenkins project shows the commands for pushing images to the Harbor registry:


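II. Deploy Jenkins

IP: 10.0.0.9 (Jenkins server)

Note: for Jenkins to push and pull Docker images to and from the Harbor registry automatically, Docker must also be installed on the Jenkins machine

Repeat the Docker installation steps used on the Harbor server above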

[root@localhost ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://repo.huaweicloud.com/docker-ce/linux/centos/docker-ce.repo
--2023-05-09 19:00:58--  https://repo.huaweicloud.com/docker-ce/linux/centos/docker-ce.repo
Resolving repo.huaweicloud.com (repo.huaweicloud.com)... 58.215.92.72, 58.215.92.77, 58.215.92.75
Connecting to repo.huaweicloud.com (repo.huaweicloud.com)|58.215.92.72|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1919 (1.9K) [application/octet-stream]
Saving to: ‘/etc/yum.repos.d/docker-ce.repo’

100%[=================================================================================================================================================>] 1,919       --.-K/s   in 0s      

2023-05-09 19:00:58 (351 MB/s) - ‘/etc/yum.repos.d/docker-ce.repo’ saved [1919/1919]

[root@localhost ~]# sudo sed -i 's+download.docker.com+repo.huaweicloud.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
[root@localhost ~]# yum install docker-ce -y
[root@localhost ~]# systemctl start docker && systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

III. Test Harbor

Push an image from Jenkins to Harbor

1. Pull any Nginx image on the Jenkins machine
[root@Jenkins ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
9e3ea8720c6d: Pull complete 
bf36b6466679: Pull complete 
15a97cf85bb8: Pull complete 
9c2d6be5a61d: Pull complete 
6b7e4a5c7c7a: Pull complete 
8db4caa19df8: Pull complete 
Digest: sha256:480868e8c8c797794257e2abd88d0f9a8809b2fe956cbfbc05dcc0bca1f7cd43
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@Jenkins ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
nginx        latest    448a08f1d2f9   6 days ago   142MB

2. Following Harbor's naming rules for pushed images, tag the Nginx image first
[root@Jenkins ~]# docker tag nginx 10.0.0.9/jenkins/nginx:v0
[root@localhost ~]# docker images
REPOSITORY               TAG       IMAGE ID       CREATED      SIZE
10.0.0.9/jenkins/nginx   v0        448a08f1d2f9   6 days ago   142MB
nginx                    latest    448a08f1d2f9   6 days ago   142MB

3. Log in to Harbor with docker login
[root@Jenkins ~]# docker login 10.0.0.9
Username: zhaolei
Password: 
Error response from daemon: Get "https://10.0.0.9/v2/": dial tcp 10.0.0.9:443: connect: connection refused
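This fails because the Docker client uses HTTPS by default when talking to a private registry, so the client configuration has to be changed

Edit daemon.json to resolve the error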
[root@jenkins ~]# vim /etc/docker/daemon.json
 { "insecure-registries":["10.0.0.9:80"] }
[root@jenkins ~]# systemctl daemon-reload 
[root@jenkins ~]# systemctl restart docker
Log in to Harbor again
[root@jenkins ~]# docker login 10.0.0.9:80   # use the username and password of the user created under User Management in the Harbor web UI
Username: zhaolei
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
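
An alternative to the insecure-registries workaround above, as an added example that is not part of the original post: issue a private CA and a server certificate with an IP SAN, so the https: block in harbor.yml can be enabled and Docker clients reach the registry over TLS. The function names, the CA name and the output directory are assumptions; /etc/docker/certs.d/<registry>/ca.crt is where Docker looks for a per-registry CA.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names, the CA name and
# the output layout are assumptions made for illustration.
make_harbor_tls() {   # usage: make_harbor_tls <out_dir> <registry_ip>
  local out="$1" ip="$2"
  mkdir -p "$out" || return 1
  cat > "$out/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = harbor-lab-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Private CA: ca.key stays on the issuing host, only ca.crt goes to clients.
  openssl req -x509 -config "$out/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null || return 1
  openssl req -new -config "$out/ca.cnf" -subj "/CN=$ip" -newkey rsa:2048 -nodes \
    -keyout "$out/harbor.key" -out "$out/harbor.csr" 2>/dev/null || return 1
  # Docker's TLS stack matches the registry address against subjectAltName,
  # not CN, so a registry addressed by IP needs an IP SAN.
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > "$out/san.ext"
  openssl x509 -req -in "$out/harbor.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$out/san.ext" \
    -out "$out/harbor.crt" 2>/dev/null || return 1
  chmod 600 "$out/ca.key" "$out/harbor.key"
}

# Return 0 only if harbor.crt chains to ca.crt and carries the expected IP SAN.
check_harbor_tls() {  # usage: check_harbor_tls <out_dir> <registry_ip>
  openssl verify -CAfile "$1/ca.crt" "$1/harbor.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/harbor.crt" -noout -text | grep -qF "IP Address:$2"
}

# Trust the CA for this one registry only, instead of disabling TLS checks.
install_registry_ca() {  # usage: install_registry_ca <ca.crt> <registry> [certs_root]
  local root="${3:-/etc/docker/certs.d}"
  mkdir -p "$root/$2" && cp "$1" "$root/$2/ca.crt" && chmod 644 "$root/$2/ca.crt"
}

# Harbor side: uncomment https: in harbor.yml, point certificate/private_key at
# harbor.crt/harbor.key, then re-run ./prepare and docker-compose up -d.
# Client side: drop "insecure-registries" from daemon.json and restart docker.
if [ "${1:-}" = "issue" ]; then
  make_harbor_tls "$2" "$3" && check_harbor_tls "$2" "$3" && echo "certificate OK"
fi
```

With HTTPS on port 443 the image reference no longer needs the :80 suffix, so the tag and pull commands copied from the Harbor web UI work unchanged.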

4. After logging in successfully, push the tagged Nginx image to the Harbor registry
[root@jenkins ~]# docker push 10.0.0.9:80/jenkins/nginx:v0
The push refers to repository [10.0.0.9:80/jenkins/nginx]
An image does not exist locally with the tag: 10.0.0.9:80/jenkins/nginx
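This fails with a message that the image does not exist locally, because the tag was created without port 80

Delete that tag first, then tag the image again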
[root@jenkins ~]# docker rmi 10.0.0.9/jenkins/nginx:v0
Untagged: 10.0.0.9/jenkins/nginx:v0
[root@jenkins ~]# docker tag nginx 10.0.0.9:80/jenkins/nginx:v0
[root@jenkins ~]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED      SIZE
10.0.0.9:80/jenkins/nginx   v0        448a08f1d2f9   6 days ago   142MB
nginx                       latest    448a08f1d2f9   6 days ago   142MB

Push again
[root@jenkins ~]# docker push 10.0.0.9:80/jenkins/nginx:v0
The push refers to repository [10.0.0.9:80/jenkins/nginx]
1040838fe30e: Pushed 
93ee76f39c97: Pushed 
5684be535bf1: Pushed 
6bc8ae8fb3cf: Pushed 
a29cc9587af6: Pushed 
8553b91047da: Pushed 
v0: digest: sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90 size: 1570
Success!

After the push completes, check the uploaded image in the Harbor web UI


Open the image to copy its pull command


At this point you can delete the Nginx image and its tags on the Jenkins machine and test pulling it from the Harbor registry

[root@jenkins ~]# docker rmi 448a --force
Untagged: 10.0.0.9:80/jenkins/nginx:v0
Untagged: 10.0.0.9:80/jenkins/nginx@sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90
Untagged: nginx:latest
Untagged: nginx@sha256:480868e8c8c797794257e2abd88d0f9a8809b2fe956cbfbc05dcc0bca1f7cd43
Deleted: sha256:448a08f1d2f94e8db6db9286fd77a3a4f3712786583720a12f1648abb8cace25
Deleted: sha256:6b33c8bf5207fd88b6e0f942c230c59477990205dbed0ae41d54b5b29ed1051d
Deleted: sha256:a673eda43a02c5a8218e8be171c43912dc9646d588a881a463be970b7f06abf0
Deleted: sha256:e22652bd991fd7a83155d12651d319458cb233d428ca769323ecb0b1d6549844
Deleted: sha256:77350fbf9b519374ed1eee1c2387b1c9af0c7f048d11794fe172006323834954
Deleted: sha256:556cbc099a5c304d0f2fed44d6d153b7d74be08fce2b4ffe74b1183b75c5cae6
Deleted: sha256:8553b91047dad45bedc292812586f1621e0a464a09a7a7c2ce6ac5f8ba2535d7
[root@jenkins ~]# docker images
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE

Copy the pull command from the Harbor web page and run it
[root@jenkins ~]# docker pull 10.0.0.9/jenkins/nginx@sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90
Error response from daemon: Get "https://10.0.0.9/v2/": dial tcp 10.0.0.9:443: connect: connection refused
This fails, again because port 80 is missing; add the port
[root@jenkins ~]# docker pull 10.0.0.9:80/jenkins/nginx@sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90
10.0.0.9:80/jenkins/nginx@sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90: Pulling from jenkins/nginx
9e3ea8720c6d: Pull complete 
bf36b6466679: Pull complete 
15a97cf85bb8: Pull complete 
9c2d6be5a61d: Pull complete 
6b7e4a5c7c7a: Pull complete 
8db4caa19df8: Pull complete 
Digest: sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90
Status: Downloaded newer image for 10.0.0.9:80/jenkins/nginx@sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90
10.0.0.9:80/jenkins/nginx@sha256:3f01b0094e21f7d55b9eb7179d01c49fdf9c3e1e3419d315b81a9e0bae1b6a90
[root@jenkins ~]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED      SIZE
10.0.0.9:80/jenkins/nginx   <none>    448a08f1d2f9   6 days ago   142MB

IV. How to restart Harbor

# docker-compose down
# vim harbor.yml
# ./prepare
# docker-compose up -d

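V. How to reset the Harbor login password

Harbor now uses a PostgreSQL database; MySQL is no longer supported.

Note:
    Uninstalling and reinstalling does not work either, because Harbor's data is not deleted. The data lives under /data/; if you really want to reinstall, that directory has to be deleted as well. For backup or migration, use the data in this directory.

Harbor version: 1.8.0
Official installer package: harbor-offline-installer-v1.8.0.tgz

Steps:
1. Enter the [harbor-db] container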
     # docker exec -it harbor-db /bin/bash

2. Enter the PostgreSQL command line
     psql -h postgresql -d postgres -U postgres  # prompts for the default password: root123
     psql -U postgres -d postgres -h 127.0.0.1 -p 5432  # or use this form, which does not ask for a password

3. Switch to the database Harbor uses
     # \c registry

4. Inspect the harbor_user table
     # select * from harbor_user;

5. For example, reset admin's password to the initial password Harbor12345; once that is done, change it again from the web UI.
     # update harbor_user set password='a71a7d0df981a61cbb53a97ed8d78f3e', salt='ah3fdh5b7yxepalg9z45bu8zb36sszmr'  where username='admin';

6. \q exits PostgreSQL; exit leaves the container.
     # \q 
     # exit 

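After this you can log in to the web UI as admin with the password Harbor12345. Remember to change this default password to avoid security problems.

A more aggressive measure is to rename the admin account to something else, which reduces the attack surface:
     # update harbor_user set username='wing' where user_id=1;              -- rename the admin user to wing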
