Harbor 是Vmware公司開源的企業級Docker Registry管理項目,開源項目地址:
https://github.com/vmware/harbor
Harbor的所有組件都在Docker中部署,所以Harbor可使用Docker Compose快速部署。(由於Harbor是基於Docker Registry V2版本,所以docker版本至少1.10.0、docker-compose版本至少1.6.0)
主要組件:
(1)proxy:nginx前端代理,分發前端頁面ui訪問和鏡像上傳和下載流量;
(2)ui:提供前端頁面和后端API,底層使用mysql數據庫;
(3)registry:鏡像倉庫,負責存儲鏡像文件,當鏡像上傳完畢后通過hook通知ui創建repository,registry的token認證也是通過ui組件完成;
(4)adminserver是系統的配置管理中心附帶檢查存儲用量,ui和jobserver啟動時候回需要加載adminserver的配置
(5)jobsevice:負責鏡像復制工作,和registry通信,從一個registry pull鏡像然后push到另一個registry,並記錄job_log;
(6)log:日志匯總組件,通過docker的log-driver把日志匯總到一起。
部署過程:
下面采用的是下載tgz離線安裝包的方式(假設docker、docker-compose都已經部署好)
[root@localhost harbor]#tar xvf harbor-offline-installer-v1.7.0.tgz [root@localhost harbor]# ll 總用量 589956 drwxr-xr-x. 4 root root 37 1月 2 13:25 common -rw-r--r--. 1 root root 939 12月 12 13:44 docker-compose.chartmuseum.yml -rw-r--r--. 1 root root 975 12月 12 13:44 docker-compose.clair.yml -rw-r--r--. 1 root root 1434 12月 12 13:44 docker-compose.notary.yml -rw-r--r--. 1 root root 5608 12月 12 13:44 docker-compose.yml -rw-r--r--. 1 root root 8026 1月 2 13:27 harbor.cfg -rw-r--r--. 1 root root 603276115 12月 12 13:45 harbor.v1.7.0.tar.gz -rwxr-xr-x. 1 root root 5739 12月 12 13:44 install.sh -rw-r--r--. 1 root root 11347 12月 12 13:44 LICENSE -rw-r--r--. 1 root root 748160 12月 12 13:44 open_source_license -rwxr-xr-x. 1 root root 35378 12月 12 13:44 prepare
修改配置文件harbor.cfg
## Configuration file of Harbor #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! _version = 1.5.0 #The IP address or hostname to access admin UI and registry service. #DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients. hostname = 132.252.128.67 ##設置訪問地址,可以使用ip、主機名,不可以設置為127.0.0.1或localhost #The protocol for accessing the UI and token/notification service, by default it is http. #It can be set to https if ssl is enabled on nginx. ui_url_protocol = http ##設置訪問協議,默認http,若設為https則nginx ssl需要設置on #Maximum number of job workers in job service max_job_workers = 50 #Determine whether or not to generate certificate for the registry's token. #If the value is on, the prepare script creates new root cert and private key #for generating token to access the registry. If the value is off the default key/cert will be used. #This flag also controls the creation of the notary signer's cert. customize_crt = on #The path of cert and key files for nginx, they are applied only the protocol is set to https ssl_cert = /data/cert/server.crt ##若沒有此目錄則需要手動建立 ssl_cert_key = /data/cert/server.key #The path of secretkey storage secretkey_path = /data #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone admiral_url = NA #Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. log_rotate_count = 50 #Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. #If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G #are all valid. log_rotate_size = 200M #Config http proxy for Clair, e.g. http://my.proxy.com:3128 #Clair doesn't need to connect to harbor ui container via http proxy. http_proxy = https_proxy = no_proxy = 127.0.0.1,localhost,ui #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES #only take effect in the first boot, the subsequent changes of these properties #should be performed on web ui #************************BEGIN INITIAL PROPERTIES************************ #下面是郵件設置,發送重置密碼郵件時使用,沒配的法不能通過郵件重置密碼 #Email account settings for sending out password resetting emails. #Email server uses the given username and password to authenticate on TLS connections to host and act as identity. #Identity left blank to act as username. email_identity = email_server = smtp.mydomain.com email_server_port = 25 email_username = sample_admin@mydomain.com email_password = abc email_from = admin <sample_admin@mydomain.com> email_ssl = false email_insecure = false ##The initial password of Harbor admin, only works for the first time when Harbor starts. #It has no effect after the first launch of Harbor. #Change the admin password from UI after launching Harbor. harbor_admin_password = 12345 ##啟動Harbor后,管理員UI登錄的密碼,默認是Harbor12345 ##By default the auth mode is db_auth, i.e. the credentials are stored in a local database. #Set it to ldap_auth if you want to verify a user's credentials against an LDAP server. auth_mode = db_auth ##認證方式,這里支持多種認證方式,如LADP、本次存儲、數據庫認證。默認是db_auth,mysql數據庫認證 #The url for an ldap endpoint. ##LDAP認證時配置項 ldap_url = ldaps://ldap.mydomain.com #A user's DN who has the permission to search the LDAP/AD server. #If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd. #ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com #the password of the ldap_searchdn #ldap_search_pwd = password #The base DN from which to look up a user in LDAP/AD ldap_basedn = ou=people,dc=mydomain,dc=com #Search filter for LDAP/AD, make sure the syntax of the filter is correct. #ldap_filter = (objectClass=person) # The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD ldap_uid = uid #the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE ldap_scope = 2 #Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds. ldap_timeout = 5 #Verify certificate from LDAP server ldap_verify_cert = true #The base dn from which to lookup a group in LDAP/AD ldap_group_basedn = ou=group,dc=mydomain,dc=com #filter to search LDAP/AD group ldap_group_filter = objectclass=group #The attribute used to name a LDAP/AD group, it could be cn, name ldap_group_gid = cn #The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE ldap_group_scope = 2 #Turn on or off the self-registration feature self_registration = on ##是否開啟自注冊 #The expiration time (in minute) of token created by token service, default is 30 minutes token_expiration = 30 ##Token有效時間,默認30分鍾 #The flag to control what users have permission to create projects #The default value "everyone" allows everyone to creates a project. #Set to "adminonly" so that only admin user can create project. project_creation_restriction = everyone ##用戶創建項目權限控制,默認是everyone(所有人),也可以設置為adminonly(只能管理員) #************************END INITIAL PROPERTIES************************ #######Harbor DB configuration section####### #The address of the Harbor database. Only need to change when using external db. db_host = mysql #The password for the root user of Harbor DB. Change this before any production use. db_password = root123 #The port of Harbor database host db_port = 3306 #The user name of Harbor database db_user = root ##### End of Harbor DB configuration####### #The redis server address. Only needed in HA installation. #address:port[,weight,password,db_index] #redis_url = redis:6379 redis_url = ##########Clair DB configuration############ #Clair DB host address. Only change it when using an exteral DB. clair_db_host = postgres #The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair. #Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database. clair_db_password = password #Clair DB connect port clair_db_port = 5432 #Clair DB username clair_db_username = postgres #Clair default database clair_db = postgres ##########End of Clair DB configuration############ #The following attributes only need to be set when auth mode is uaa_auth uaa_endpoint = uaa.mydomain.org uaa_clientid = id uaa_clientsecret = secret uaa_verify_cert = true uaa_ca_cert = /path/to/ca.pem ### Harbor Storage settings ### #Please be aware that the following storage settings will be applied to both docker registry and helm chart repository. #registry_storage_provider can be: filesystem, s3, gcs, azure, etc. registry_storage_provider_name = filesystem #registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2". #To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry. #Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration. registry_storage_provider_config = #registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore #of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate. registry_custom_ca_bundle = #If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites exsiting settings. #reload_config=true #Regular expression to match skipped environment variables #skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)
執行./install.sh,Harbor服務就會根據當期目錄下的docker-compose.yml開始下載依賴的鏡像,檢測並通過docker-compose啟動各服務
各服務以容器的形式存在:nginx、vmware/harbor-jobservice、vmware/harbor-db、library/registry、harbor-ui、vmware/harbor-log
啟動完成后,訪問http://132.252.128.67:80(端口映射可以去docker-compose.yml中修改)
以后執行docker-compose start/stop命令或者 docker-compose up/down -v就可以快速開關服務。
主要功能:
(1)Docker Registry管理UI
部分配置項可以在UI頁面上直接修改,如郵件服務器配置、LDMA配置等
(2)角色訪問控制
除了admin,用戶分為三種角色:項目管理員(MDRWS)、開發人員(RWS)和訪客(RS)
M:管理、D:刪除、R:讀取、W:寫入、S:查詢
用戶只能新建自己的項目,並push/pull自己所在項目的鏡像,其他人的私有倉庫都不能操作。
用戶創建私有項目project_name后,只有該用戶允許的用戶才向該項目中上傳鏡像:
$ docker login 132.252.128.67:80 Username: admin Password: Login Succeeded $ docker tag XXX 132.252.128.67:80/project_name/container_name $ docker push 132.252.128.67:80/project_name/container_name
(2)復制備份
新建復制目標-新建復制規則,就可以通過docker registry的API去拷貝
(3)集成了clair鏡像掃描功能
它是cereos開發的一款漏洞掃描工具,可以檢查鏡像操作系統以及上面安裝包是否與已知不安全的包版本相匹配,從而提高鏡像安全性。
(4)AD/LDAP集成
默認認證模式把用戶憑證存儲在本地Mysql數據庫。
配置LDAP完成后,即可使用ldap帳戶登錄harbor,但是項目權限無法通過ldap組去控制。
通過ldap組控制harbor權限,需滿足以下條件:支持導入ldap組(harbor版本1.6及以上)、支持memberOf屬性
(5)日志管理