Harbor是VMware公司开源的企业级的Docker Registry管理项目,它包括权限管理(RBAC)、LDAP、日志审核、管理界面、自我注册、镜像复制和中文支持等功能。使用Harbor可以部署企业自己的私有仓库,将一些核心镜像与软件与外部网络进行隔离与防护。
1. 环境准备
本次在腾讯云ECS服务器上部署Harbor私有仓库,系统与相关信息如下。
硬件信息:
| 资源 | 容量 | 描述 |
|---|
| CPU | 2 核 | 4 CPU is preferred |
| 内存 | 2 GB | 8GB is preferred |
| 磁盘 | 50 GB | 160GB is preferred |
| 网络 | 2 Mbps | 4Mbps is preferred |
软件信息:
注意:Harbor的所有服务组件都是在Docker中部署的,所以官方安装使用Docker-compose快速部署,因此需要安装Docker、Docker-compose。由于Harbor是基于Docker Registry V2版本,所以就要求Docker版本不小于1.10.0,Docker-compose版本不小于1.6.0。
2. 安装Docker与Docker-Compose
2.1 安装Docker
1
2
3
| # yum install -y yum-utils device-mapper-persistent-data lvm2 epel-release
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum install docker-ce
|
2.2 启动Docker
1
2
3
| # systemctl enable docker
# systemctl start docker
# docker --version
|
2.3 安装Docker-Compose
1
2
3
| # curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# docker-compose --version
|
2.4 配置证书与密钥
通过OpenSSL工具生成自签名的证书,后面将用于对请求进行校验。官方指南参考:Configuring Harbor with HTTPS Access
首先找到OpenSSL工具配置文件openssl.cnf,对于Centos,目录在/etc/pki/tls/中,编辑openssl.cnf,在[v3_ca]下面添加:subjectAltName = IP:域名|IP地址。如果没有域名填写IP即可。
1
2
| [ v3_ca ]
subjectAltName = IP:193.112.221.230
|
通过OpenSSL生成证书与密钥
1
2
3
4
5
6
7
| [root@VM_95_141_centos data]# cd /data/ssl
[root@VM_95_141_centos ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
[root@VM_95_141_centos ssl]# ls
ca.crt ca.key
[root@VM_95_141_centos ssl]# cp ca.crt /etc/pki/ca-trust/source/anchors/
[root@VM_95_141_centos ssl]# update-ca-trust enable
[root@VM_95_141_centos ssl]# update-ca-trust extract
|
将生成的私有证书追加到系统的证书管理文件中。
1
| [root@VM_95_141_centos harbor]# cat ssl/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
|
重启docker, 该步骤一定不要省略,否则有可能加载私钥失败
1
| [root@VM_95_141_centos harbor]#systemctl restart docker
|
3. 安装Harbor
1
2
3
4
| # wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.2.tgz
# tar xzvf harbor-offline-installer-v1.8.2.tgz
# cd harbor/
# ls
|
下载离线安装包,解压后可以看到里面包含了如下文件:
1
2
| [root@VM_95_141_centos harbor]# ls
harbor.v1.8.2.tar.gz harbor.yml install.sh LICENSE prepare
|
其中harbor.v1.8.2.tar.gz是软件包,harbor.yml是配置文件,install.sh是安装脚本,prepare是准备配置Harbor环境脚本。需要修改harbor.yml如下字段进行配置。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| hostname: 193.112.221.230
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/ssl/ca.crt
private_key: /data/ssl/ca.key
|
然后先后执行prepare与install.sh进行配置与安装。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| [root@VM_95_141_centos harbor]# ./prepare
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@VM_95_141_centos harbor]# ls -l
total 564668
drwxr-xr-x 3 root root 4096 Aug 24 23:09 common
-rw-r--r-- 1 root root 5377 Aug 24 23:09 docker-compose.yml
-rw-r--r-- 1 root root 578167000 Aug 8 15:51 harbor.v1.8.2.tar.gz
-rw-r--r-- 1 root root 4494 Aug 24 23:08 harbor.yml
-rwxr-xr-x 1 root root 5088 Aug 8 15:51 install.sh
-rw-r--r-- 1 root root 11347 Aug 8 15:51 LICENSE
-rwxr-xr-x 1 root root 1654 Aug 8 15:51 prepare
[root@VM_95_141_centos harbor]# vi docker-compose.yml
[root@VM_95_141_centos harbor]# ./install.sh
|
一般都会安装成功。
4. 操作Harbor
Harbor安装成功后,如下图示。我们可以对齐进行启动、停止、修改、上传镜像、下载镜像等操作。
4.1 查看Harbor
可以通过docker ps命令查询当前有哪些docker实例在运行。查询Harbor是否正常运行还可以查询docker-compose运行状态。需要进入Harbor所在目录,执行docker-compose ps。
1
2
3
4
5
6
7
8
9
10
11
12
13
| [root@VM_95_141_centos harbor]# docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up (healthy)
harbor-db /entrypoint.sh postgres Up (healthy) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 80/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Up (healthy)
[root@VM_95_141_centos harbor]#
|
4.2 停止与重启Harbor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| [root@VM_95_141_centos ~]# cd harbor
[root@VM_95_141_centos harbor]# ls
common docker-compose.yml harbor.v1.8.2.tar.gz harbor.yml install.sh LICENSE prepare
[root@VM_95_141_centos harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-portal ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
[root@VM_95_141_centos harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
[root@VM_95_141_centos harbor]#
|
如果需要修改Harbor的配置,可以先停止Harbor实例,更新 harbor.yml文件,再执行 prepare 脚本重新构建配置,最终启动Harbor实例:
1
2
3
4
| [root@VM_95_141_centos ~]# docker-compose down -v
[root@VM_95_141_centos ~]# vim harbor.yml
[root@VM_95_141_centos ~]# prepare
[root@VM_95_141_centos ~]# docker-compose up -d
|
清除Harbor实例的时候会保持镜像数据与数据库在系统中:
1
| [root@VM_95_141_centos ~]# docker-compose down -v
|
删除Harbor数据库与镜像数据 (如果需要重新安装):
1
2
| [root@VM_95_141_centos ~]# rm -r /data/database
[root@VM_95_141_centos ~]# rm -r /data/registry
|
4.3 上传镜像到Harbor
查看当前镜像:docker images
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| [root@VM_95_141_centos harbor]# docker images
REPOSITORY TAG IMAGE ID C REATED SIZE
goharbor/chartmuseum-photon v0.9.0-v1.8.2 e72f3e685a37 2 weeks ago 130MB
goharbor/harbor-migrator v1.8.2 c11a64ae3a1e 2 weeks ago 361MB
goharbor/redis-photon v1.8.2 18036ee471bc 2 weeks ago 107MB
goharbor/clair-photon v2.0.8-v1.8.2 68de68a40e66 2 weeks ago 164MB
goharbor/notary-server-photon v0.6.1-v1.8.2 90cf28ef3a84 2 weeks ago 135MB
goharbor/notary-signer-photon v0.6.1-v1.8.2 e9b49ea8ed32 2 weeks ago 132MB
goharbor/harbor-registryctl v1.8.2 ad798fd6e618 2 weeks ago 96.5MB
goharbor/registry-photon v2.7.1-patch-2819-v1.8.2 081bfb3dc181 2 weeks ago 81.6MB
goharbor/nginx-photon v1.8.2 1592a48daeac 2 weeks ago 36.2MB
goharbor/harbor-log v1.8.2 42ad5ef672dd 2 weeks ago 81.8MB
goharbor/harbor-jobservice v1.8.2 623ed0095966 2 weeks ago 119MB
goharbor/harbor-core v1.8.2 03d6daab10c7 2 weeks ago 135MB
goharbor/harbor-portal v1.8.2 41e264a7980b 2 weeks ago 43.2MB
goharbor/harbor-db v1.8.2 927ecd68ee1f 2 weeks ago 144MB
goharbor/prepare v1.8.2 b0d62cc7683d 2 weeks ago 145MB
|
从Docker hub上下载一个最新的Nginx镜像:docker pull nginx:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| [root@VM_95_141_centos harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
1ab2bdfe9778: Pull complete
a17e64cfe253: Pull complete
e1288088c7a8: Pull complete
Digest: sha256:53ddb41e46de3d63376579acf46f9a41a8d7de33645db47a486de9769201fec9
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@VM_95_141_centos harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 5a3221f0137b 8 days ago 126MB
goharbor/chartmuseum-photon v0.9.0-v1.8.2 e72f3e685a37 2 weeks ago 130MB
goharbor/harbor-migrator v1.8.2 c11a64ae3a1e 2 weeks ago 361MB
goharbor/redis-photon v1.8.2 18036ee471bc 2 weeks ago 107MB
goharbor/clair-photon v2.0.8-v1.8.2 68de68a40e66 2 weeks ago 164MB
goharbor/notary-server-photon v0.6.1-v1.8.2 90cf28ef3a84 2 weeks ago 135MB
goharbor/notary-signer-photon v0.6.1-v1.8.2 e9b49ea8ed32 2 weeks ago 132MB
goharbor/harbor-registryctl v1.8.2 ad798fd6e618 2 weeks ago 96.5MB
goharbor/registry-photon v2.7.1-patch-2819-v1.8.2 081bfb3dc181 2 weeks ago 81.6MB
goharbor/nginx-photon v1.8.2 1592a48daeac 2 weeks ago 36.2MB
goharbor/harbor-log v1.8.2 42ad5ef672dd 2 weeks ago 81.8MB
goharbor/harbor-jobservice v1.8.2 623ed0095966 2 weeks ago 119MB
goharbor/harbor-core v1.8.2 03d6daab10c7 2 weeks ago 135MB
goharbor/harbor-portal v1.8.2 41e264a7980b 2 weeks ago 43.2MB
goharbor/harbor-db v1.8.2 927ecd68ee1f 2 weeks ago 144MB
goharbor/prepare v1.8.2 b0d62cc7683d 2 weeks ago 145MB
|
给Nginx镜像打上新标签,push到Harbor:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| [root@VM_95_141_centos harbor]# docker tag nginx-mei:v1.0 193.112.221.230/library/nginx:latest
[root@VM_95_141_centos harbor]# docker login 193.112.221.230 -uadmin -pHarbor12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@VM_95_141_centos harbor]# docker push 193.112.221.230/library/nginx:latest
The push refers to repository [193.112.221.230/library/nginx]
12fdf55172df: Pushed
002a63507c1c: Pushed
1c95c77433e8: Pushed
latest: digest: sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911 size: 948
[root@VM_95_141_centos harbor]#
|
4.4 从Harbor中下载镜像
从Harbor中下载刚上传的Nginx镜像,可以先删除本地的Nginx镜像。然后再从Harbor中Pull下来。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
| [root@VM_95_141_centos harbor]# docker rmi 193.112.221.230/library/nginx:latest
Untagged: 193.112.221.230/library/nginx:latest
Untagged: 193.112.221.230/library/nginx@sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911
[root@VM_95_141_centos harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
wordpress latest fc03dc56d371 3 days ago 502MB
193.112.221.230/mei_test/nginx v1.0 5a3221f0137b 9 days ago 126MB
nginx-mei v1.0 5a3221f0137b 9 days ago 126MB
nginx latest 5a3221f0137b 9 days ago 126MB
mysql 5.6 732765f8c7d2 11 days ago 257MB
goharbor/chartmuseum-photon v0.9.0-v1.8.2 e72f3e685a37 2 weeks ago 130MB
goharbor/harbor-migrator v1.8.2 c11a64ae3a1e 2 weeks ago 361MB
goharbor/redis-photon v1.8.2 18036ee471bc 2 weeks ago 107MB
goharbor/clair-photon v2.0.8-v1.8.2 68de68a40e66 2 weeks ago 164MB
goharbor/notary-server-photon v0.6.1-v1.8.2 90cf28ef3a84 2 weeks ago 135MB
goharbor/notary-signer-photon v0.6.1-v1.8.2 e9b49ea8ed32 2 weeks ago 132MB
goharbor/harbor-registryctl v1.8.2 ad798fd6e618 2 weeks ago 96.5MB
goharbor/registry-photon v2.7.1-patch-2819-v1.8.2 081bfb3dc181 2 weeks ago 81.6MB
goharbor/nginx-photon v1.8.2 1592a48daeac 2 weeks ago 36.2MB
goharbor/harbor-log v1.8.2 42ad5ef672dd 2 weeks ago 81.8MB
goharbor/harbor-jobservice v1.8.2 623ed0095966 2 weeks ago 119MB
goharbor/harbor-core v1.8.2 03d6daab10c7 2 weeks ago 135MB
goharbor/harbor-portal v1.8.2 41e264a7980b 2 weeks ago 43.2MB
goharbor/harbor-db v1.8.2 927ecd68ee1f 2 weeks ago 144MB
goharbor/prepare v1.8.2 b0d62cc7683d 2 weeks ago 145MB
[root@VM_95_141_centos harbor]# docker pull 193.112.221.230/library/nginx:latest
latest: Pulling from library/nginx
Digest: sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911
Status: Downloaded newer image for 193.112.221.230/library/nginx:latest
193.112.221.230/library/nginx:latest
[root@VM_95_141_centos harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
wordpress latest fc03dc56d371 3 days ago 502MB
193.112.221.230/library/nginx latest 5a3221f0137b 9 days ago 126MB
193.112.221.230/mei_test/nginx v1.0 5a3221f0137b 9 days ago 126MB
nginx-mei v1.0 5a3221f0137b 9 days ago 126MB
nginx latest 5a3221f0137b 9 days ago 126MB
mysql 5.6 732765f8c7d2 11 days ago 257MB
goharbor/chartmuseum-photon v0.9.0-v1.8.2 e72f3e685a37 2 weeks ago 130MB
goharbor/harbor-migrator v1.8.2 c11a64ae3a1e 2 weeks ago 361MB
goharbor/redis-photon v1.8.2 18036ee471bc 2 weeks ago 107MB
goharbor/clair-photon v2.0.8-v1.8.2 68de68a40e66 2 weeks ago 164MB
goharbor/notary-server-photon v0.6.1-v1.8.2 90cf28ef3a84 2 weeks ago 135MB
goharbor/notary-signer-photon v0.6.1-v1.8.2 e9b49ea8ed32 2 weeks ago 132MB
goharbor/harbor-registryctl v1.8.2 ad798fd6e618 2 weeks ago 96.5MB
goharbor/registry-photon v2.7.1-patch-2819-v1.8.2 081bfb3dc181 2 weeks ago 81.6MB
goharbor/nginx-photon v1.8.2 1592a48daeac 2 weeks ago 36.2MB
goharbor/harbor-log v1.8.2 42ad5ef672dd 2 weeks ago 81.8MB
goharbor/harbor-jobservice v1.8.2 623ed0095966 2 weeks ago 119MB
goharbor/harbor-core v1.8.2 03d6daab10c7 2 weeks ago 135MB
goharbor/harbor-portal v1.8.2 41e264a7980b 2 weeks ago 43.2MB
goharbor/harbor-db v1.8.2 927ecd68ee1f 2 weeks ago 144MB
goharbor/prepare v1.8.2 b0d62cc7683d 2 weeks ago 145MB
[root@VM_95_141_centos harbor]#
|
全文完。
