Extension: Docker Harbor
Installing Harbor
Key points of this chapter: building a private Docker registry; Harbor as the private Docker registry
References: harbor-1, official installation, offline installation-1, offline installation-2
What is Harbor?
Harbor is an enterprise-class Docker Registry project open-sourced by VMware. Its goal is to help users quickly stand up an enterprise-grade Docker registry service.
Harbor wraps Docker's Registry v2 and adds many management conveniences on top of it, such as a management UI, role-based access control (RBAC), AD/LDAP integration and audit logging, which enterprise users need; it also ships with native Chinese language support.
Harbor components
Name | Description |
---|---|
harbor-adminserver | Configuration management centre |
harbor-db | Database |
harbor-jobservice | Image replication and similar jobs |
harbor-log | Logging |
harbor-ui | Web management UI and API |
nginx/proxy | Front-end proxy serving the web pages |
redis | Sessions |
registry | Image storage, the registry itself |
Features
- Easy to deploy: Harbor can be deployed with Docker Compose or a Helm chart.
- Cloud-native registry: Harbor stores container images and Helm charts, so it can serve as the registry for cloud-native environments such as container runtimes and orchestration platforms.
- Role-based access control: users reach repositories through projects, and a user can hold different permissions on the images or Helm charts of a project.
- Policy-based replication: images and charts can be replicated (synchronised) between registry instances according to policies with filters.
- Image deletion and garbage collection: an administrator can run garbage-collection jobs so that images can be deleted and their space reclaimed on a schedule.
- Vulnerability scanning: Harbor scans images for vulnerabilities on a regular basis and enforces policy checks to prevent vulnerable images from being deployed.
- Notary: container images can be signed to guarantee authenticity and provenance.
- Auditing: every operation on a repository is tracked through logs.
- Graphical portal: users can easily browse and search repositories and manage projects.
- External integration: a RESTful API supports management operations and makes integration with external systems easy.
Prerequisites for installation and deployment
Installation methods
- Online installation: the images are pulled directly from Docker Hub.
- Offline installation: download the package from https://github.com/goharbor/harbor/tags and install from it.
Network ports
Port | Protocol | Description |
---|---|---|
443 | HTTPS | The Harbor portal and core API accept HTTPS requests on this port. The port can be changed in the configuration file. |
4443 | HTTPS | Connections to Harbor's Docker Content Trust service. Only needed when Notary is enabled. The port can be changed in the configuration file. |
80 | HTTP | The Harbor portal and core API accept HTTP requests on this port. The port can be changed in the configuration file. |
Hardware
The table below lists the minimum and recommended hardware for deploying Harbor.
Resource | Minimum | Recommended |
---|---|---|
CPU | 2 CPU | 4 CPU |
Mem | 4 GB | 8 GB |
Disk | 40 GB | 160 GB |
Software
The software in the table must be installed on the target host.
Software | Version | Description |
---|---|---|
Docker Engine | 17.06.0-ce or later | Installation notes: see the Docker Engine docs |
Docker Compose | 1.18.0 or later | Installation notes: see the Docker Compose docs |
OpenSSL | Preferably the latest | Used to generate the certificate and keys for Harbor |
Installation steps
- The installation consists of the following steps:
  - Download the installer.
  - Configure the harbor.yml file.
  - Run the install.sh script to install the application options and install or start Harbor.
- Download the installer
  - Download page: Harbor releases page.
  - Choose the online or the offline version.
  - Unpack the installer with tar:
    - Online: `tar xvf harbor-online-installer-version.tgz`
    - Offline: `tar xvf harbor-offline-installer-version.tgz`
- Configuration options
Installing docker-compose
- Download Compose: https://github.com/docker/compose/releases
- After downloading, copy the binary to the server:

```bash
~]# mv docker-compose-Linux-x86_64 /usr/local/bin/
~]# chmod +x /usr/local/bin/docker-compose-Linux-x86_64
~]# mv /usr/local/bin/docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
~]# docker-compose -v
docker-compose version 1.26.0, build d4451659
~]# docker --version
Docker version 19.03.5, build 633a0ea
```
Generating the certificate

```bash
# Create the certificate directory
mkdir -p /data/docker/harbor/cert && cd /data/docker/harbor/cert
# Generate the private key; you will be asked to set a passphrase
openssl genrsa -des3 -out harbor.key 2048
# Generate the certificate signing request; enter the key passphrase when prompted
openssl req -sha512 -new -subj "/C=CN/ST=BJ/L=BJ/O=DEV/OU=DEV/CN=192.168.9.62" -key harbor.key -out harbor.csr
# Put the server IP in subjectAltName so clients that validate the SAN accept the certificate
echo subjectAltName = IP:192.168.9.62 > extfile.cnf
# Back up the key
cp harbor.key harbor.key.org
# Strip the passphrase from the private key so that Docker can read it
openssl rsa -in harbor.key.org -out harbor.key
# Self-sign the certificate with the key (valid for 10 years)
openssl x509 -req -days 3650 -in harbor.csr -signkey harbor.key -extfile extfile.cnf -out harbor.crt
```
Installing Harbor
- Download: we use the offline installer, https://github.com/goharbor/harbor/tags
- Unpack it.
- Edit the configuration file (only the active settings are shown):

```yaml
]# egrep -v "^#|^$|[[:space:]]*#" harbor.yml
hostname: 192.168.9.62            # hostname; a domain name also works
http:
  port: 20888                     # HTTP port
https:
  port: 20443                     # HTTPS port clients connect to
  certificate: /data/docker/harbor/cert/harbor.crt   # certificate generated above
  private_key: /data/docker/harbor/cert/harbor.key
harbor_admin_password: uziKAb32sZFeYQ   # admin login password
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /data/docker/harbor/harbor_data   # data volume
clair:
  updaters_interval: 12
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
```
- Install:

```bash
]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.5
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/clair-adapter-photon:v1.0.1-v1.10.1
Loaded image: goharbor/harbor-jobservice:v1.10.1
Loaded image: goharbor/redis-photon:v1.10.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.10.1
Loaded image: goharbor/clair-photon:v2.1.1-v1.10.1
Loaded image: goharbor/harbor-log:v1.10.1
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.10.1
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.10.1
Loaded image: goharbor/harbor-registryctl:v1.10.1
Loaded image: goharbor/nginx-photon:v1.10.1
Loaded image: goharbor/harbor-migrator:v1.10.1
Loaded image: goharbor/prepare:v1.10.1
Loaded image: goharbor/harbor-portal:v1.10.1
Loaded image: goharbor/harbor-core:v1.10.1
Loaded image: goharbor/harbor-db:v1.10.1
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /data/docker/harbor/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
```
- Check the running status:

```bash
]# docker-compose ps
       Name                     Command                  State                                   Ports
---------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp
harbor-jobservice   /harbor/harbor_jobservice ...    Up (healthy)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:20888->8080/tcp, 0.0.0.0:20443->8443/tcp
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp
registryctl         /home/harbor/start.sh            Up (healthy)
```
- Start / stop:

```bash
]# /usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml up
]# /usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping harbor-portal ... done
...
Removing network harbor_harbor
```
- Configure a systemd unit so that Harbor starts at boot:

```bash
cat /usr/lib/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /data/docker/harbor/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target
```
Access
Using the registry
Creating users and projects
Setting the registry address on the Docker client
```bash
]# docker login https://192.168.9.62:20443
Username: test
Password:
Error response from daemon: Get https://192.168.9.62:20443/v2/: x509: certificate signed by unknown authority
```

Because this is a private registry using a self-generated HTTPS certificate, the CA certificate and key file have to be made available to the Docker client; otherwise certificate verification fails with `x509: certificate signed by unknown authority`. The daemon configuration used here (`cat /etc/docker/daemon.json`; JSON allows no comments, so the annotations follow the block):

```json
{
  "registry-mirrors": [
    "https://kfwkfulq.mirror.aliyuncs.com",
    "https://2lqq34jg.mirror.aliyuncs.com",
    "https://pee6w651.mirror.aliyuncs.com",
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries": ["192.168.9.62:20443"],
  "log-driver": "json-file",
  "log-opts": {"max-size": "100m"},
  "storage-driver": "overlay2",
  "storage-opts": ["overlay2.override_kernel_check=true"]
}
```

`registry-mirrors` lists image mirrors for faster pulls, `exec-opts` selects the systemd cgroup driver, and `insecure-registries` tells the daemon to skip certificate verification for the Harbor registry. Log in again afterwards:

```bash
]# docker login https://192.168.9.62:20443
Username: test
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
```
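Adding the registry to `insecure-registries` turns off certificate verification for it, which also disables any protection the certificate generated earlier was meant to give. The script below is an added example, not code from the original post or from the Harbor project: it checks the self-signed pair from the "Generating the certificate" section (key free of passphrase, key matching the certificate, SAN containing the registry IP) and then trusts that certificate on a Docker client through `/etc/docker/certs.d/<host:port>/ca.crt`, so `insecure-registries` is not needed. It assumes `openssl` is installed on the client; `CERTS_ROOT` is a hypothetical override of the certs.d location for testing.

```shell
#!/bin/sh
# Added example, not from the original post: check the self-signed pair built
# in the certificate section and trust it on a Docker client via certs.d
# instead of listing the registry under "insecure-registries".
# Assumes openssl is installed; CERTS_ROOT is overridable only for testing.
set -eu

CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# Succeeds only if the key is passphrase-free (Docker cannot load an encrypted
# key), the key matches the certificate, and the SAN lists the registry IP.
verify_harbor_cert() {
    crt="$1"; key="$2"; ip="$3"
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key $key still carries a passphrase" >&2; return 1
    fi
    # Derive the public key from both files and compare them.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2; return 1
    fi
    # Docker validates the SAN, not only the CN, so the IP must appear there.
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if ! openssl x509 -in "$crt" -noout -text | grep -qE "IP Address:${esc}(,|\$)"; then
        echo "subjectAltName lacks IP:$ip" >&2; return 1
    fi
}

# Install the certificate as the trusted CA for one registry (host:port) and
# print the installed path; the daemon reads certs.d without a restart.
install_registry_ca() {
    crt="$1"; registry="$2"
    dir="$CERTS_ROOT/$registry"
    mkdir -p "$dir"
    cp "$crt" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
    echo "$dir/ca.crt"
}

# With the values from the post:
#   verify_harbor_cert harbor.crt harbor.key 192.168.9.62 \
#     && install_registry_ca harbor.crt 192.168.9.62:20443
```

After the certificate is installed this way, `docker login https://192.168.9.62:20443` succeeds with `insecure-registries` removed from daemon.json.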
Pushing an image
The exact commands can be read off the Harbor UI: log in to Harbor --> project "test" --> image repositories --> Docker commands for pushing an image.

```bash
# Tag the image first
]# docker tag v6-test:v8.5.51-jdk8u181-6 192.168.9.62:20443/test/v6-test:v8.5.51-jdk8u181-6
# Push it to the registry
]# docker push 192.168.9.62:20443/test/v6-test:v8.5.51-jdk8u181-6
```