Installing Docker CE
Recommended system version: Ubuntu 16.04
Official installation docs: https://docs.docker.com/install/linux/docker-ce/ubuntu/#prerequisites
Quick install from Ubuntu's own repository (this installs the docker.io package that Ubuntu builds, not Docker CE from Docker's repository, at whatever version Ubuntu ships):
apt-get install -y docker.io
Listing the versions a package is available in on Ubuntu (here kubeadm; the same command works for docker-ce):
apt-cache madison kubeadm
Installation steps
Run the following in a shell. If you intend to run Kubernetes on the host, use version 17.03 (the recommendation comes from the K8s docs: https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-docker).
apt-get update
apt-get install -y \
apt-transport-https \
ca-certificates \
curl \
software-properties-common
# apt-key trusts this key for every repository on the host, so compare its fingerprint with the one published in Docker's docs before adding it
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository \
"deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
$(lsb_release -cs) \
stable"
# grep 17.03 | head -1 takes the first 17.03 line, which is the newest only because madison lists versions newest first
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
Then run docker info; if the install succeeded it prints the details of the installed Docker engine.
Installing from the official repository is slow from inside China; the Aliyun mirror (or the Tsinghua one) can be used instead. A mirror is only as trustworthy as the signing key you accept from it, so fetch the key over https and compare its fingerprint with the one Docker publishes.
Ubuntu 14.04 / 16.04 (install with apt-get):
# step 1: install the required system tools
apt-get update
apt-get -y install apt-transport-https ca-certificates curl software-properties-common
# step 2: install the repository signing key (over https; fetching a signing key over plain http lets anyone on the path substitute their own)
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | apt-key add -
# or from the Tsinghua mirror
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | apt-key add -
# Step 3: write the repository definition
add-apt-repository "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
# Step 4: update and install Docker CE
apt-get -y update
apt-get -y install docker-ce
# Installing a specific version of Docker CE:
# Step 1: list the available Docker CE versions:
# apt-cache madison docker-ce
# docker-ce | 17.03.1~ce-0~ubuntu-xenial | http://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial/stable amd64 Packages
# docker-ce | 17.03.0~ce-0~ubuntu-xenial | http://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial/stable amd64 Packages
# Step 2: install that version (VERSION is the second column, e.g. 17.03.1~ce-0~ubuntu-xenial above; the command below picks the first 17.03 line automatically)
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
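Two things the apt steps above leave to the reader, as an added example that is not from this page or from Docker: checking the repository signing key's fingerprint before handing it to apt-key, and choosing the version to pin without depending on the order in which apt-cache madison happens to print lines. The fingerprint constant is the one Docker publishes in its install docs for the CE deb key; the madison lines in the test are constructed. Nothing is installed unless the script is run with the argument install.

```shell
#!/bin/sh
# Added example (not from the original page): verify the Docker apt signing key
# before trusting it, and pick a docker-ce version to pin deterministically.

# Fingerprint Docker publishes for its CE deb signing key (docs.docker.com).
DOCKER_KEY_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# Print the primary fingerprint of an ASCII-armored key file without importing it
# (needs GnuPG 2.1+ for --import-options show-only).
key_fingerprint() {
  gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return non-zero unless the key file carries the expected fingerprint.
check_docker_key() {
  fpr=$(key_fingerprint "$1")
  if [ "$fpr" != "$DOCKER_KEY_FPR" ]; then
    echo "refusing key: got '$fpr', expected $DOCKER_KEY_FPR" >&2
    return 1
  fi
}

# Read `apt-cache madison docker-ce` lines on stdin and print the newest version
# whose version string starts with PREFIX (e.g. 17.03). Uses version sort, so the
# result does not depend on madison listing newest-first.
pick_version() {
  prefix="$1"
  awk -F'|' -v p="$prefix" '
    NF >= 2 { v = $2; gsub(/[[:space:]]/, "", v); if (index(v, p) == 1) print v }' \
    | sort -V | tail -n 1
}

# Install the chosen version and hold it so unattended upgrades do not move off it.
install_pinned_docker() {
  ver=$(apt-cache madison docker-ce | pick_version "$1")
  [ -n "$ver" ] || { echo "no docker-ce version matching $1" >&2; return 1; }
  apt-get install -y "docker-ce=$ver"
  apt-mark hold docker-ce
}

# Full flow, only when executed as: sh this_file.sh install [PREFIX]
if [ "${1:-}" = "install" ]; then
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /tmp/docker.gpg
  check_docker_key /tmp/docker.gpg && apt-key add /tmp/docker.gpg
  install_pinned_docker "${2:-17.03}"
fi
```

The mirror variant is the same flow with the mirror's gpg URL; the fingerprint must still be Docker's, since the mirror only redistributes Docker's key.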
CentOS 7 (install with yum)
# step 1: install the required system tools
yum install -y yum-utils device-mapper-persistent-data lvm2 ca-certificates
# Step 2: add the repository definition (over https, for the same reason as the apt key above: the repo file names the signing key yum will trust)
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# or the Tsinghua mirror
yum-config-manager --add-repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh the cache and install Docker CE
yum makecache fast
yum -y install docker-ce
# Step 4: start the Docker service
sudo service docker start
# Note:
# The repo file enables only the stable channel by default; other channels can be enabled by editing it. For example the test channel is disabled by default and can be enabled as follows; the same applies to the edge channel and others.
# vim /etc/yum.repos.d/docker-ce.repo
# change enabled=0 under [docker-ce-test] to enabled=1
# or run yum-config-manager --enable docker-ce-edge
# or yum-config-manager --enable docker-ce-test
# Installing a specific version of Docker CE:
# Step 1: list the available Docker CE versions:
# yum list docker-ce.x86_64 --showduplicates | sort -r
# Loading mirror speeds from cached hostfile
# Loaded plugins: branch, fastestmirror, langpacks
# docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable
# docker-ce.x86_64 17.03.1.ce-1.el7.centos @docker-ce-stable
# docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable
# Available Packages
# Step 2: install that version (VERSION is the second column, e.g. 17.03.0.ce-1.el7.centos above)
# sudo yum -y install docker-ce-[VERSION]
Installing Harbor
Harbor is an enterprise-grade registry for storing and managing Docker images. It puts a web management UI in front of Docker Registry, supports image replication between registries, and adds security features such as user management, access control and activity auditing.
Harbor can be installed in two ways: an online installer that pulls the images during setup, or an offline installer package. The package is large, so the offline installer is recommended. Official downloads: https://github.com/vmware/harbor/releases ; a mirror inside China is http://harbor.orientsoft.cn . The mirror serves over plain http, so the download cannot be verified in transit: prefer the GitHub release over https, or at least confirm that the mirror's tarball is byte-identical to the GitHub one before running anything from it.
wget http://harbor.orientsoft.cn/harbor-v1.4.0/harbor-offline-installer-v1.4.0.tgz
Unpack the download to get the offline installer.
Obtaining a free TLS certificate
Free certificates can be requested on the internet, for example at https://freessl.org. If you own a domain you can validate by DNS, which requires adding a TXT record for the domain.
Clicking verify returns the certificate and private key (shown in a screenshot in the original, not reproduced here).
Save them on the server as /data/harbor_cert/server.crt and /data/harbor_cert/server.key. The key file should be readable only by root (chmod 600), since anyone who can read it can impersonate the registry.
Installing docker-compose
Harbor's installer uses docker-compose, so install it first (pip installs whatever version is current unless you pin one with docker-compose==VERSION):
apt-get install python-pip -y && pip install docker-compose
Editing the configuration file
The configuration file is harbor.cfg:
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
##Set this to the domain name you will use; this article uses an existing domain.
hostname = harbor.jdpoc.com
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
#If you have a TLS certificate, set this to https
ui_url_protocol = https
#Maximum number of job workers in job service
#Number of background job worker processes
max_job_workers = 5
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on
#The path of cert and key files for nginx, they are applied only the protocol is set to https
#Location of the certificate and key used for https
ssl_cert = /data/harbor_cert/server.crt
ssl_cert_key = /data/harbor_cert/server.key
#The path of secretkey storage
#Where the secret key is stored
secretkey_path = /data
#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA
#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M
#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui
#************************BEGIN INITIAL PROPERTIES************************
#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin
email_ssl = false
email_insecure = false
##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
#Initial password for the Harbor web UI admin; replace the shipped default before the first start, since this value only applies on the first boot
harbor_admin_password = Harbor12345
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
#Authentication mode: db_auth (the default, credentials in Harbor's MySQL database), ldap_auth (LDAP/AD) or uaa_auth
auth_mode = db_auth
#The url for an ldap endpoint.
#LDAP server URL; keep ldaps:// so bind credentials are not sent in cleartext
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#DN of the account Harbor binds as to search LDAP/AD (leave unset only if the server allows anonymous search)
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2
#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5
#Verify certificate from LDAP server
ldap_verify_cert = true
#Turn on or off the self-registration feature
self_registration = on
#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30
#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone
#************************END INITIAL PROPERTIES************************
#######Harbor DB configuration section#######
#The address of the Harbor database. Only need to change when using external db.
#Connection settings for Harbor's MySQL database
db_host = mysql
#The password for the root user of Harbor DB. Change this before any production use.
db_password = root123
#The port of Harbor database host
db_port = 3306
#The user name of Harbor database
db_user = root
##### End of Harbor DB configuration#######
#The redis server address. Only needed in HA installation.
redis_url =
##########Clair DB configuration############
#Clair DB host address. Only change it when using an exteral DB.
clair_db_host = postgres
#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password
#Clair DB connect port
clair_db_port = 5432
#Clair DB username
clair_db_username = postgres
#Clair default database
clair_db = postgres
##########End of Clair DB configuration############
#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
### Docker Registry setting ###
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
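The file above ships with several values that are fine for a first boot and wrong for anything reachable by other people: the admin password, both database passwords, self-registration and unrestricted project creation. Since the initial-properties block only takes effect on the first start, it pays to check the file before running install.sh. The following script is an added example, not part of Harbor or of the original page: it reads harbor.cfg with the key names shown above (Harbor 1.4) and prints one line per risky setting. The finding texts are ours, and the sample file it writes is constructed from the defaults above.

```shell
#!/bin/sh
# Added example (not from Harbor or the original page): audit a harbor.cfg for
# values that should not reach production.

# cfg_get FILE KEY: print KEY's value, skipping comment lines and surrounding blanks.
# Splits on the first '=' only, so values that contain '=' (ldap_basedn) survive.
cfg_get() {
  awk -v k="$2" '
    /^[[:space:]]*#/ { next }
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
      if (key == k) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# audit_harbor_cfg FILE: one finding per line on stdout; prints nothing if clean.
audit_harbor_cfg() {
  f="$1"
  h=$(cfg_get "$f" hostname)
  case "$h" in localhost|127.0.0.1|"") echo "hostname='$h': must be the name clients will use" ;; esac
  [ "$(cfg_get "$f" ui_url_protocol)" = "http" ] && echo "ui_url_protocol=http: logins and registry tokens travel in cleartext"
  [ "$(cfg_get "$f" harbor_admin_password)" = "Harbor12345" ] && echo "harbor_admin_password: shipped default"
  [ "$(cfg_get "$f" db_password)" = "root123" ] && echo "db_password: shipped default"
  [ "$(cfg_get "$f" clair_db_password)" = "password" ] && echo "clair_db_password: shipped default"
  [ "$(cfg_get "$f" self_registration)" = "on" ] && echo "self_registration=on: anyone reaching the UI can create an account"
  [ "$(cfg_get "$f" project_creation_restriction)" = "everyone" ] && echo "project_creation_restriction=everyone: any user can create projects"
  if [ "$(cfg_get "$f" auth_mode)" = "ldap_auth" ]; then
    [ "$(cfg_get "$f" ldap_verify_cert)" = "false" ] && echo "ldap_verify_cert=false: LDAP bind is open to interception"
    case "$(cfg_get "$f" ldap_url)" in ldap://*) echo "ldap_url is plain ldap://: bind credentials sent in cleartext" ;; esac
  fi
  return 0
}

# write_sample_cfg FILE: a constructed harbor.cfg carrying the defaults shown above.
write_sample_cfg() {
  cat > "$1" <<'EOF'
## Configuration file of Harbor
hostname = harbor.jdpoc.com
ui_url_protocol = https
#harbor_admin_password = commented-out, must be ignored
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = password
EOF
}

# Audit the file named on the command line, or the built-in sample when run bare.
if [ $# -ge 1 ]; then
  audit_harbor_cfg "$1"
else
  tmp=$(mktemp); write_sample_cfg "$tmp"; audit_harbor_cfg "$tmp"; rm -f "$tmp"
fi
```

Run it as sh audit.sh /opt/harbor/harbor.cfg before install.sh; an empty output means none of the checked defaults is still in place.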
Installing Harbor
Once the configuration file is edited, run install.sh:
/opt/harbor/install.sh
(The original shows a screenshot of a successful install here.)
Set the DNS record for the domain (screenshot in the original), then browse to https://harbor.jdpoc.com ; the page loads and Chrome reports the connection as secure.
(Screenshot of the login page in the original.)
The user name is admin and the default password is Harbor12345; if you changed it in the configuration file, use the password you configured.
(Screenshot of the UI after login in the original.)
Day-to-day operation of Harbor
Harbor is operated through docker-compose. Harbor itself consists of several service processes, each running in its own Docker container; docker ps lists them. Run the commands below from the directory that holds Harbor's docker-compose.yml.
Routine commands
#start the services
docker-compose start
#stop the services
docker-compose stop
#restart the services
docker-compose restart
#after changing the configuration, recreate the containers: by default, if a service's container already exists, docker-compose up stops it and recreates it (keeping volumes mounted with volumes-from) so that changes to docker-compose.yml take effect. Changes to harbor.cfg need ./prepare first to regenerate the per-service config files.
docker-compose up -d
Using Harbor
Creating a project
Log in to the Harbor web UI and create a project. The access level can be set to public or not; a project that is not public cannot be accessed by other users.
Setting up the Harbor host itself
Copy the certificate obtained earlier to /etc/docker/certs.d/harbor.jdpoc.com. The Docker daemon loads every *.crt file in that directory as a trusted CA for that registry host. With a publicly trusted certificate such as the one from freessl.org this step is not strictly needed, because the system trust store already covers it; it is what you need for a self-signed or private-CA certificate, in which case copy the CA certificate and never the private key.
mkdir -p /etc/docker/certs.d/harbor.jdpoc.com
cp /data/harbor_cert/server.crt /etc/docker/certs.d/harbor.jdpoc.com/
(The original writes the second argument as !$, the bash history expansion for the last argument of the previous command; it works at an interactive prompt but not in a script.)
Then test whether you can log in:
docker login harbor.jdpoc.com
Enter the user name and password; if the certificate setup is correct, the login succeeds.
Pull a test image from Docker Hub and retag it:
docker pull alpine:latest && docker tag alpine:latest harbor.jdpoc.com/poctest/alpine:latest
docker images now shows the retagged image (screenshot in the original).
Then push it to the project we created:
docker push harbor.jdpoc.com/poctest/alpine:latest
The push succeeds.
Pulling an image, for example poctest/photon:1.0 which exists under the admin account:
docker pull harbor.jdpoc.com/poctest/photon:1.0
docker images lists it (screenshot in the original).
The image is also visible in the web UI.
Using Harbor from a client machine
A client machine is set up the same way as the Harbor host itself:
- create the directory /etc/docker/certs.d/harbor.jdpoc.com on the client
- copy the certificate for harbor.jdpoc.com into that directory
- run docker login harbor.jdpoc.com
After logging in, images can be pushed and pulled.
Access control
Harbor's users are a simple authentication scheme: once users are created in Harbor's user management UI, each can be given a different role on each project, which gives per-user access control across multiple users.
Some Harbor pitfalls
Changing the database password
After the first Harbor install, MySQL's data lives under /data/database. If you want to change the MySQL root password (whether or not you reinstall), you have to delete /data/database first; otherwise the UI container keeps failing with "Access denied", and re-pulling the images does not fix it. Deleting that directory also deletes Harbor's own records (users, projects, roles), so back it up first. It is strongly recommended to set all parameters correctly up front and avoid changing them later.
Changing the Nginx port
Harbor's Nginx is mapped to port 80 on the host. If you do not want port 80 used, for example to replace 80 with 9999, edit docker-compose.yml:
proxy:
  image: nginx:1.9
  container_name: nginx
  restart: always
  volumes:
    - ./common/config/nginx:/etc/nginx
  ports:
    - 9999:80
    - 443:443
  depends_on:
    - mysql
    - registry
    - ui
    - log
The file common/templates/registry/config.yml must also be changed, because the realm it advertises is the URL Docker clients contact to obtain tokens:
auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:9999/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
After editing, run sudo ./prepare to regenerate the configuration files.
Changing the registry port (optional)
By convention port 5000 is used for the registry. To expose it, edit docker-compose.yml and add a ports entry to the registry service, following the same steps as for the Nginx change. Note that this exposes the registry container directly, bypassing the TLS termination in Nginx, so anything on that port is plain http.
Configuring the trusted-registry list
By default Docker talks to registries over https, while Harbor without a certificate serves plain http. If you have not configured a TLS certificate, docker login fails with an error such as:
Error response from daemon: Get https://xx.xxx.xx.xx/v1/users/: dial tcp xx.xxx.xx.xx:443:getsockopt: connection refused
To allow it you have to tell the Docker daemon that the registry is insecure. On Ubuntu 16.04 the unit file is /lib/systemd/system/docker.service; change the ExecStart line:
# Modified, origin: ExecStart=/usr/bin/dockerd -H fd://
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry xx.xxx.xx.xx:5000
(The original writes /usr/bin/docker daemon here; that form is deprecated, and the binary the unit already starts is dockerd. The same setting can be made in /etc/docker/daemon.json as "insecure-registries": ["xx.xxx.xx.xx:5000"], which survives package upgrades that overwrite the unit file.) Then run:
sudo systemctl daemon-reload
sudo systemctl restart docker
An insecure registry means docker login sends the user name and password in cleartext and an on-path attacker can change what a tag resolves to; use it only in a lab and prefer the TLS setup described above.
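The certs.d step under "Setting up the Harbor host itself" and the --insecure-registry step here are the two ways to make a Docker client accept a registry whose certificate the OS does not already trust, and they are not equivalent. The following script is an added example, not from the page or from Docker: it reports which of the three trust modes applies to a registry host, and implements both changes using the documented daemon locations (/etc/docker/certs.d/HOST/ca.crt and the insecure-registries key of /etc/docker/daemon.json). The optional directory argument exists so the functions can be exercised against a temporary directory instead of /etc/docker; the certificate and host names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): how a Docker daemon will trust a
# registry host, and the two ways to change that.

# registry_trust_mode HOST[:PORT] [DOCKER_ETC]
# Prints one of: private-ca | insecure | system-ca
registry_trust_mode() {
  host="$1"; etc="${2:-/etc/docker}"
  if ls "$etc/certs.d/$host/"*.crt >/dev/null 2>&1; then
    echo "private-ca"   # these CAs are added to the system pool for this host only
  elif [ -f "$etc/daemon.json" ] && grep -qF "\"$host\"" "$etc/daemon.json" \
       && grep -qF '"insecure-registries"' "$etc/daemon.json"; then
    echo "insecure"     # plain-http fallback and no certificate verification
  else
    echo "system-ca"    # only certificates chaining to the OS trust store work
  fi
}

# trust_private_ca HOST[:PORT] CA_FILE [DOCKER_ETC]
# Installs the CA that issued the registry certificate (or the self-signed cert
# itself) for HOST. TLS stays on and is still verified; the private key is never
# needed on the client, so refuse anything that is not a PEM certificate.
trust_private_ca() {
  host="$1"; ca="$2"; etc="${3:-/etc/docker}"
  grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
  mkdir -p "$etc/certs.d/$host"
  cp "$ca" "$etc/certs.d/$host/ca.crt"
  chmod 644 "$etc/certs.d/$host/ca.crt"
}

# allow_insecure HOST[:PORT] [DOCKER_ETC]
# The weak alternative: writes daemon.json (overwriting an existing one; merge by
# hand if you already have settings there). docker login credentials for HOST may
# then cross the network unencrypted. Restart dockerd afterwards.
allow_insecure() {
  host="$1"; etc="${2:-/etc/docker}"
  mkdir -p "$etc"
  printf '{\n  "insecure-registries": ["%s"]\n}\n' "$host" > "$etc/daemon.json"
}

# Report the mode for the host given on the command line (default: the one used above).
registry_trust_mode "${1:-harbor.jdpoc.com}"
```

The JSON check is a deliberate approximation (two fixed-string greps) that is good enough for a file this script wrote; for a hand-edited daemon.json with several keys, parse it properly.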