I. Introduction to Harbor
Developing and running Docker container applications depends on reliable image management. Although Docker provides a public image registry, for reasons of security and efficiency it is also very necessary to deploy a Registry inside a private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware; it includes role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese-language support.
II. Environment preparation
All of Harbor's service components run in Docker, so the official installer uses Docker Compose for quick deployment; Docker and Docker Compose must therefore be installed first. Because Harbor is built on Docker Registry V2, the Docker version must be at least 1.10.0 and the Docker Compose version at least 1.6.0.
1) Install and start Docker
Install the required packages. yum-utils provides the yum-config-manager utility, and device-mapper-persistent-data and lvm2 are required by the devicemapper storage driver.
[root@node-1 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
Set up the stable repository
[root@node-1 ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Install Docker CE
[root@node-1 ~]# yum install -y docker-ce docker-ce-cli containerd.io
2) Install Docker Compose
1. Download the latest docker-compose release
[root@node-1 ~]# curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
If access to GitHub is slow, you can log in to DaoCloud and look up a download mirror link inside China
http://get.daocloud.io/
Because access to GitHub was too slow, I installed it through DaoCloud
curl -L https://get.daocloud.io/docker/compose/releases/download/v2.3.4/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
2. Make docker-compose executable
[root@node-1 ~]# chmod +x /usr/local/bin/docker-compose
3. Check the version
[root@node-1 ~]# docker-compose --version
3) Install Harbor
Harbor supports both online and offline installation; here we use the offline method. First download the Harbor installer package:
[root@node-1 ~]# wget https://github.com/goharbor/harbor/releases/download/v2.4.2/harbor-offline-installer-v2.4.2.tgz
3.1 Extract the offline installer
[root@node-1 ~]# cd /home/setup/
[root@node-1 setup]# tar -zxvf harbor-offline-installer-v2.4.2.tgz # extract the offline installer
[root@node-1 setup]# ll # list the directory contents
drwxr-xr-x 4 root root 256 3月 25 16:49 harbor
3.2 Configure Harbor
Change into the harbor directory
[root@node-1 setup]# cd harbor
[root@node-1 harbor]# ll # list the directory contents
Edit the configuration, then run the installer
[root@node-1 /home/setup/harbor]# cp harbor.yml.tmpl harbor.yml
[root@node-1 /home/setup/harbor]# vim harbor.yml
Change the following entries (Harbor 2.x reads harbor.yml, which is YAML, so settings take the form key: value):
hostname: 10.130.77.28 # the address Harbor listens on; set it to this host's IP
harbor_admin_password: admin@123 # password for Harbor's admin user
The configuration settings explained, in the legacy harbor.cfg format (Harbor releases before 1.8; most of the same keys exist in harbor.yml):
# hostname sets the access address; an IP or a domain name may be used, but not 127.0.0.1 or localhost
hostname = 192.168.126.162
# Access protocol, http by default; https may also be set, in which case nginx ssl must be turned on
ui_url_protocol = http
# Default password of the MySQL root user is root123; change it in real deployments
db_password = 123456
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
# Mail settings, used when sending password-reset mail
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin sample_admin@mydomain.com
email_ssl = false
# Password for the administrator UI login after Harbor starts; the default is Harbor12345
harbor_admin_password = 123456
# Authentication mode; several modes are supported, such as LDAP, local storage and database authentication. The default is db_auth (MySQL database authentication)
auth_mode = db_auth
# Settings used for LDAP authentication
ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
ldap_uid = uid
ldap_scope = 3
ldap_timeout = 5
# Whether self-registration is enabled
self_registration = on
# Token validity period, 30 minutes by default
token_expiration = 30
# Controls who may create projects; the default is everyone (all users), it may also be set to adminonly (administrators only)
project_creation_restriction = everyone
verify_remote_cert = on
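Several of the settings above decide how exposed the registry is once it is running (default admin password, plain http, open self-registration, who may create projects). The following shell audit is an added example, not part of Harbor or of the original post; it reads the key = value format shown above, and the set of checks and the message wording are my own choices.

```shell
#!/usr/bin/env bash
# Added example: audit a harbor.cfg (key = value format) for settings that
# weaken the registry. Not part of Harbor; works on the sample file above.

# cfg_get FILE KEY: value of the first active "KEY = value" line, with any
# trailing " # comment" removed (empty if the key is unset or commented out)
cfg_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed -E 's/[[:space:]]+#.*$//; s/[[:space:]]+$//'
}

# audit_harbor_cfg FILE: print one finding per line; the return value is the finding count
audit_harbor_cfg() {
    local cfg="$1" n=0
    case "$(cfg_get "$cfg" harbor_admin_password)" in
        ""|Harbor12345|123456|admin|admin123|password)
            echo "harbor_admin_password: default or trivially guessable"; n=$((n + 1)) ;;
    esac
    if [ "$(cfg_get "$cfg" ui_url_protocol)" = "http" ]; then
        echo "ui_url_protocol: http, logins and image layers cross the network in cleartext"; n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" self_registration)" = "on" ]; then
        echo "self_registration: on, anyone who can reach the UI can create an account"; n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" project_creation_restriction)" = "everyone" ]; then
        echo "project_creation_restriction: everyone, consider adminonly"; n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" verify_remote_cert)" = "off" ]; then
        echo "verify_remote_cert: off, replication peers are not authenticated"; n=$((n + 1))
    fi
    if [ -n "$(cfg_get "$cfg" ldap_search_pwd)" ]; then
        echo "ldap_search_pwd: LDAP bind password stored in cleartext, restrict file permissions"; n=$((n + 1))
    fi
    return "$n"
}

# Typical use before running ./install.sh:
#   audit_harbor_cfg /home/setup/harbor/harbor.cfg || echo "$? finding(s)"
```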
4) Start Harbor
After editing the configuration file, run ./install.sh in the current directory. Harbor will then download the images it depends on according to the docker-compose.yml in that directory, check them, and start each service in order.
The images Harbor depends on and the services it starts are as follows:
[root@node-1 /home/setup/harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up
harbor-db /usr/local/bin/docker-entr ... Up 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:4443->4443/tcp,:::4443->4443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
Once startup completes, browse to the hostname just configured; the default port is 80. If the port is already in use, change the port mapping of the corresponding service in docker-compose.yml.
III. Using the Harbor registry
1) Log in to the Harbor web UI
Log in as the admin user, with the password set by harbor_admin_password in the configuration file
2) Push an image to the Harbor registry
We create a new project named harbor and leave it private. When a project is set to public, anyone has read access to the images under it, and command-line users can pull them without docker login.
After creating the project, push the local nginx image to the Harbor registry as the admin user
1. Log in as admin
docker login produced the following error:
[root@node-3 ~]# docker login 10.130.77.48
Username: admin
Password:
Error response from daemon: Get "https://10.130.77.48/v2/": dial tcp 10.130.77.48:443: connect: no route to host
Solution:
Locate docker.service
[root@node-3 ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 10.130.77.48
Edit the unit file and add --insecure-registry=http://192.168.126.162 after ExecStart
Restart docker
[root@node-3 ~]# systemctl daemon-reload
[root@node-3 ~]# systemctl restart docker
Log in again
[root@node-3 ~]# docker login 10.130.77.48 -uadmin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
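--insecure-registry makes the daemon accept plain HTTP or an unverified certificate for that host, so every later push and pull can be intercepted. The alternative is to keep the https setup from the configuration above and give the Docker client the CA that signed ssl_cert, which Docker reads from /etc/docker/certs.d/<host[:port]>/ca.crt. The helper below is an added example, not part of Docker, Harbor or the original post; the DOCKER_ROOT override exists only so it can be exercised without root, and the CA file path in the usage comment is assumed.

```shell
#!/usr/bin/env bash
# Added example: trust Harbor's CA instead of using --insecure-registry.
# Docker looks for client TLS material in /etc/docker/certs.d/<host[:port]>/ca.crt.
# DOCKER_ROOT (default /etc/docker) is an override so this can be tested in a temp dir.

# install_registry_ca HOST CA_PEM: validate and install a CA certificate for HOST.
# Returns 0 on success, 1 on a bad input file.
install_registry_ca() {
    local host="$1" ca="$2" root="${DOCKER_ROOT:-/etc/docker}" dst
    [ -r "$ca" ] || { echo "cannot read $ca" >&2; return 1; }
    # The file must be a certificate; a common mistake is copying server.key instead.
    if grep -q 'PRIVATE KEY-----' "$ca"; then
        echo "$ca contains a private key, refusing to install it" >&2; return 1
    fi
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "$ca is not a PEM certificate" >&2; return 1
    fi
    # When openssl is available, also check that the PEM actually parses.
    if command -v openssl >/dev/null 2>&1 && ! openssl x509 -noout -in "$ca" 2>/dev/null; then
        echo "$ca does not parse as an X.509 certificate" >&2; return 1
    fi
    dst="$root/certs.d/$host"
    mkdir -p "$dst" && chmod 755 "$dst" || return 1
    cp "$ca" "$dst/ca.crt" && chmod 644 "$dst/ca.crt"
}

# registry_ca_installed HOST: 0 if a non-empty CA file is in place for HOST, else 1
registry_ca_installed() {
    [ -s "${DOCKER_ROOT:-/etc/docker}/certs.d/$1/ca.crt" ]
}

# Typical use on the client node, assuming Harbor's CA was copied to /tmp/harbor-ca.crt:
#   install_registry_ca 10.130.77.48 /tmp/harbor-ca.crt && systemctl restart docker
```

Unlike --insecure-registry, no daemon flag change is needed; the daemon only has to be restarted so it picks up the new certs.d entry.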
2. Tag the image
[root@node-3 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest f2f70adc5d89 11 days ago 142MB
centos 7 eeb6ee3f44bd 6 months ago 204MB
[root@node-3 ~]# docker tag nginx:latest 10.130.77.48/harbor/nginx:latest
[root@node-3 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.130.77.48/harbor/nginx latest f2f70adc5d89 11 days ago 142MB
nginx latest f2f70adc5d89 11 days ago 142MB
centos 7 eeb6ee3f44bd 6 months ago 204MB
3. Push to the registry
[root@node-3 ~]# docker push 10.130.77.48/harbor/nginx:latest
The push refers to repository [10.130.77.48/harbor/nginx]
24037b645d66: Pushed
d00147ef6763: Pushed
2793e885dc34: Pushed
8b8ecda1d12d: Pushed
30c00b5281a1: Pushed
3a626bb08c24: Pushed
latest: digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1 size: 1570
After the push succeeds, log in to the Harbor web UI and select the harbor project; the nginx image just uploaded is listed there
3) Create a user and assign permissions
Under System Administration click Users, click New User, and fill in the details
Add the newly created user as a member of the harbor project: click Projects, select the harbor project, click Members, click Add Member, enter the name and choose a role
Use the new user to pull the nginx image just uploaded
First delete the nginx image just tagged
[root@node-3 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.130.77.48/harbor/nginx latest f2f70adc5d89 11 days ago 142MB
nginx latest f2f70adc5d89 11 days ago 142MB
centos 7 eeb6ee3f44bd 6 months ago 204MB
[root@node-3 ~]# docker rmi 10.130.77.48/harbor/nginx:latest
Untagged: 10.130.77.48/harbor/nginx:latest
Untagged: 10.130.77.48/harbor/nginx@sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1
Log out of the admin account and log in as the newly created user
[root@node-3 ~]# docker logout 10.130.77.48
Removing login credentials for 10.130.77.48
[root@node-3 ~]# docker login 10.130.77.48
Username: harbor
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pull the nginx image from harbor to the local machine
[root@node-3 ~]# docker pull 10.130.77.48/harbor/nginx:latest
latest: Pulling from harbor/nginx
Digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1
Status: Downloaded newer image for 10.130.77.48/harbor/nginx:latest
10.130.77.48/harbor/nginx:latest
[root@node-3 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.130.77.48/harbor/nginx latest f2f70adc5d89 11 days ago 142MB
nginx latest f2f70adc5d89 11 days ago 142MB
centos 7 eeb6ee3f44bd 6 months ago 204MB
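The push output above ends with the manifest digest and the pull prints a Digest line; comparing the two confirms the client received exactly the manifest that was pushed, and the digest gives an immutable reference to deploy from instead of the mutable latest tag. The helper below is an added example, not part of Docker, Harbor or the original post; the embedded sample text is constructed from the push and pull output shown above.

```shell
#!/usr/bin/env bash
# Added example: compare the digest reported by "docker push" with the one reported
# by "docker pull", and build a digest-pinned reference. Not part of Harbor or Docker.

# digest_of OUTPUT: extract the first sha256 manifest digest from push or pull output
# ("latest: digest: sha256:... size: 1570" or "Digest: sha256:...")
digest_of() {
    printf '%s\n' "$1" | grep -o -E 'sha256:[0-9a-f]{64}' | head -n 1
}

# pinned_ref REPO OUTPUT: immutable reference REPO@sha256:... for the digest in OUTPUT;
# fails when OUTPUT carries no digest
pinned_ref() {
    local d
    d=$(digest_of "$2")
    [ -n "$d" ] || return 1
    printf '%s@%s\n' "$1" "$d"
}

# digests_match PUSH_OUTPUT PULL_OUTPUT: 0 if both report the same non-empty digest
digests_match() {
    local a b
    a=$(digest_of "$1"); b=$(digest_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample, copied from the push and pull output shown above
PUSH_OUT='latest: digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1 size: 1570'
PULL_OUT='Digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1'

if digests_match "$PUSH_OUT" "$PULL_OUT"; then
    echo "pulled manifest matches pushed manifest"
    echo "pin with: docker pull $(pinned_ref 10.130.77.48/harbor/nginx "$PUSH_OUT")"
else
    echo "digest mismatch, do not run this image" >&2
fi
```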