Private container image registry: Harbor


Private image registry Harbor

1. Harbor overview

Harbor is an open-source container image registry from VMware. In practice, Harbor extends Docker Registry with enterprise-grade features, which is what has made it so widely adopted: a management UI, role-based access control, AD/LDAP integration and audit logging, enough to cover basic enterprise requirements.
Official site: https://vmware.github.io/harbor/cn/

The components and their roles:
harbor-adminserver: configuration management
harbor-db (MySQL): database
harbor-jobservice: image replication
harbor-log: operation logging
harbor-ui: web management UI and API
nginx: front-end proxy that serves the UI and forwards image push/pull traffic
redis: session storage
registry: image storage

2. Harbor deployment

Harbor can be installed in three ways:

  • Online installer: pulls the Harbor images from Docker Hub, so the installation package is very small
  • Offline installer: the package bundles the images needed for deployment, so it is considerably larger
  • OVA installer: for users with a vCenter environment; Harbor is started after the OVA is deployed

This article records a deployment using the offline installer.
Versions used:
docker-compose: 1.24.0
harbor: 1.7.5

2.1 Install docker-compose

$ curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose

2.2 Install Harbor

$ tar zxvf harbor-offline-installer-v1.7.5.tgz -C /usr/local
$ cd /usr/local/harbor
$ vim harbor.cfg
hostname = 192.168.10.10
ui_url_protocol = http
harbor_admin_password = Harbor12345
$ ./prepare
$ ./install.sh

2.3 Configure HTTPS

The steps in 2.2 are enough to get Harbor running for experiments, but in most cases we want Harbor to be more secure. The release notes also describe Harbor's newer features; version 1.7.5, for example, additionally provides image signing, image vulnerability scanning, Helm chart storage and garbage collection.
HTTPS can be set up either with a self-signed certificate or with a certificate issued by a public CA; the latter needs fewer steps. The steps below cover the self-signed route.

2.3.1 Create the CA key pair

[root@registry harbor]# pwd
/usr/local/harbor
[root@registry harbor]# openssl genrsa -out ca.key 4096
[root@registry harbor]# openssl req -x509 -new -nodes -sha512 -days 36500 -subj "/C=SC/ST=BeiJing/L=BeiJing/O=example/OU=Personal/CN=yourdomain.com" -key ca.key -out ca.crt

2.3.2 Create the web server key pair

[root@registry harbor]# openssl genrsa -out yourdomain.com.key 4096
[root@registry harbor]# openssl req -sha512 -new -subj "/C=SC/ST=BeiJing/L=BeiJing/O=example/OU=Personal/CN=yourdomain.com" -key yourdomain.com.key -out yourdomain.com.csr

2.3.3 Have the CA sign the web server certificate

Whether clients reach the registry host by an FQDN such as yourdomain.com or by IP address, run the following command to generate a registry host certificate that meets the Subject Alternative Name (SAN) and x509 v3 extension requirements.

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names

[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
[root@registry harbor]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in yourdomain.com.csr -out yourdomain.com.crt
Signature ok
subject=/C=SC/ST=BeiJing/L=BeiJing/O=example/OU=Personal/CN=yourdomain.com
Getting CA Private Key

2.3.4 Configure harbor.cfg

[root@registry harbor]# vim harbor.cfg 
ui_url_protocol = https
......
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /usr/local/harbor/harbor.test.cn.crt
ssl_cert_key = /usr/local/harbor/harbor.test.cn.key

#The path of secretkey storage
secretkey_path = /usr/local/harbor

2.3.5 Generate the configuration and install

[root@registry harbor]# ./prepare
[root@registry harbor]# ./install.sh

2.4 Docker client host configuration

The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
The server certificate yourdomain.com.crt therefore has to be converted to yourdomain.com.cert

[root@registry harbor]# openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert

Copy yourdomain.com.cert, yourdomain.com.key and ca.crt to each Docker host that needs to access the registry

  cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
  cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
  cp ca.crt /etc/docker/certs.d/yourdomain.com/

The resulting layout with a custom certificate looks like this

/etc/docker/certs.d/
    └── yourdomain.com:port   
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate

Once configured, log in

[root@node02 ~]# docker login yourdomain.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
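
The CA, CSR and SAN-signing steps of 2.3 and the certs.d layout of 2.4, collected into one runnable script as an added example; it is not code from the original post or from the Harbor project. It assumes the openssl CLI is on the PATH; the host name registry.example.test, the temporary directories and the helper function names are constructed for the example. Beyond issuing the certificate, it verifies what the steps above are meant to produce: the server certificate chains to ca.crt, carries the DNS SAN and has the serverAuth extended key usage. For the Docker client it installs only ca.crt under the certs.d directory, which is the file the daemon needs in order to trust the registry; the registry's private key stays on the registry host.

```shell
#!/bin/sh
# Added example, not code from the original post or the Harbor project.
# Assumes the openssl CLI is installed. All names below are constructed.
set -e

# Build a CA and issue a server certificate for HOST into DIR, following the
# same openssl steps as the post (key, CSR, v3.ext with SAN, CA-signed cert).
make_registry_pki() {
  pki_dir=$1
  pki_host=$2
  mkdir -p "$pki_dir"
  openssl genrsa -out "$pki_dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/O=example/CN=example-ca" -key "$pki_dir/ca.key" -out "$pki_dir/ca.crt"
  openssl genrsa -out "$pki_dir/$pki_host.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/O=example/CN=$pki_host" \
    -key "$pki_dir/$pki_host.key" -out "$pki_dir/$pki_host.csr"
  # Extension file: leaf certificate, server authentication, SAN for the host
  cat > "$pki_dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$pki_host
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$pki_dir/v3.ext" \
    -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
    -in "$pki_dir/$pki_host.csr" -out "$pki_dir/$pki_host.crt" 2>/dev/null
}

# Returns 0 when CERT chains to CAFILE, the check the daemon performs on connect.
verify_registry_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when CERT lists HOST as a DNS subject alternative name.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Returns 0 when CERT carries the serverAuth extended key usage.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# Install the trust anchor for the daemon as CERTSD_ROOT/HOST_PORT/ca.crt.
# Only the CA certificate is copied; no private key leaves the registry host.
install_docker_ca() {
  mkdir -p "$1/$2"
  cp "$3" "$1/$2/ca.crt"
}

# Usage: throwaway PKI in a temporary directory (use /usr/local/harbor and
# /etc/docker/certs.d instead to reproduce the post's layout).
work=$(mktemp -d)
make_registry_pki "$work" registry.example.test
verify_registry_cert "$work/ca.crt" "$work/registry.example.test.crt" && echo "chain: ok"
cert_has_san "$work/registry.example.test.crt" registry.example.test && echo "SAN: ok"
cert_has_server_auth "$work/registry.example.test.crt" && echo "EKU serverAuth: ok"
install_docker_ca "$work/certs.d" "registry.example.test:443" "$work/ca.crt"
ls "$work/certs.d/registry.example.test:443"
```

The three check functions are the ones worth running before ./prepare: a certificate that verifies but lacks the DNS SAN, or that lacks serverAuth, is exactly the kind that docker login rejects with a hostname or purpose error even though the files are in the right place.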

2.5 Troubleshooting

1. You may have received an intermediate certificate from your certificate issuer. In that case, merge the intermediate certificate with your own certificate to create a certificate bundle, which you can do with:

cat intermediate-certificate.pem >> yourdomain.com.crt 

2. On some systems running the Docker daemon you may need to trust the certificate at the operating-system level.
On Ubuntu this is done with:

cp yourdomain.com.crt /usr/local/share/ca-certificates/yourdomain.com.crt 
update-ca-certificates

On Red Hat (CentOS and so on) the commands are:

cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt 
update-ca-trust

3. In my testing, a certificate obtained from a public certificate issuer needs no certificate configuration on the client host, because it is already trusted; running docker login on the Docker client host succeeds directly.

2.6 Enable image signing, vulnerability scanning and Helm chart support in Harbor

Image signing, put simply, verifies that an image is authentic and guarantees that nobody tampered with it in transit;
vulnerability scanning uses the open-source Clair tool, which updates its vulnerability database over the network and scans images against it;
Helm charts are the application packages of Helm, the Kubernetes package manager, roughly what yum is to Linux.
To enable these features, just add the parameters "--with-notary --with-clair --with-chartmuseum" at installation time:

[root@registry harbor]# ./prepare --with-notary --with-clair --with-chartmuseum
Generated and saved secret to file: /usr/local/harbor/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
Copying sql file for notary DB
Generated certificate, key file: ./cert_tmp/notary-signer-ca.key, cert file: ./cert_tmp/notary-signer-ca.crt
Generated certificate, key file: ./cert_tmp/notary-signer.key, cert file: ./cert_tmp/notary-signer.crt
Copying certs for notary signer
Copying notary signer configuration file
Generated configuration file: ./common/config/notary/signer-config.postgres.json
Generated configuration file: ./common/config/notary/server-config.postgres.json
Copying nginx configuration file for notary
Generated configuration file: ./common/config/nginx/conf.d/notary.server.conf
Generated and saved secret to file: /usr/local/harbor/defaultalias
Generated configuration file: ./common/config/notary/signer_env
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.
[root@registry harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum

[Step 0]: checking installation environment ...

Note: docker version: 18.06.1

Note: docker-compose version: 1.24.0

[Step 1]: loading Harbor images ...
Loaded image: goharbor/harbor-adminserver:v1.7.5
Loaded image: goharbor/harbor-portal:v1.7.5
Loaded image: goharbor/harbor-db:v1.7.5
Loaded image: goharbor/registry-photon:v2.6.2-v1.7.5
Loaded image: goharbor/harbor-migrator:v1.7.5
Loaded image: goharbor/harbor-core:v1.7.5
Loaded image: goharbor/harbor-log:v1.7.5
Loaded image: goharbor/redis-photon:v1.7.5
Loaded image: goharbor/nginx-photon:v1.7.5
Loaded image: goharbor/harbor-registryctl:v1.7.5
Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.7.5
Loaded image: goharbor/harbor-jobservice:v1.7.5
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.5
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.5
Loaded image: goharbor/clair-photon:v2.0.8-v1.7.5


[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/core/env
Clearing the configuration file: ./common/config/core/app.conf
Clearing the configuration file: ./common/config/core/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registryctl/env
Clearing the configuration file: ./common/config/registryctl/config.yml
Clearing the configuration file: ./common/config/nginx/conf.d/notary.upstream.conf
Clearing the configuration file: ./common/config/nginx/conf.d/notary.server.conf
Clearing the configuration file: ./common/config/nginx/cert/harbor.test.cn.crt
Clearing the configuration file: ./common/config/nginx/cert/harbor.test.cn.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
Clearing the configuration file: ./common/config/notary/notary-signer.crt
Clearing the configuration file: ./common/config/notary/notary-signer.key
Clearing the configuration file: ./common/config/notary/notary-signer-ca.crt
Clearing the configuration file: ./common/config/notary/root.crt
Clearing the configuration file: ./common/config/notary/signer-config.postgres.json
Clearing the configuration file: ./common/config/notary/server-config.postgres.json
Clearing the configuration file: ./common/config/notary/signer_env
Clearing the configuration file: ./common/config/notary/server_env
Clearing the configuration file: ./common/config/clair/postgresql-init.d/README.md
Clearing the configuration file: ./common/config/clair/postgres_env
Clearing the configuration file: ./common/config/clair/config.yaml
Clearing the configuration file: ./common/config/clair/clair_env
loaded secret from file: /usr/local/harbor/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
Copying sql file for notary DB
Generated certificate, key file: ./cert_tmp/notary-signer-ca.key, cert file: ./cert_tmp/notary-signer-ca.crt
Generated certificate, key file: ./cert_tmp/notary-signer.key, cert file: ./cert_tmp/notary-signer.crt
Copying certs for notary signer
Copying notary signer configuration file
Generated configuration file: ./common/config/notary/signer-config.postgres.json
Generated configuration file: ./common/config/notary/server-config.postgres.json
Copying nginx configuration file for notary
Generated configuration file: ./common/config/nginx/conf.d/notary.server.conf
loaded secret from file: /usr/local/harbor/defaultalias
Generated configuration file: ./common/config/notary/signer_env
Copying offline data file for clair DB
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis              ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating registryctl        ... done
Creating harbor-adminserver ... done
Creating clair              ... done
Creating notary-signer      ... done
Creating harbor-core        ... done
Creating notary-server      ... done
Creating harbor-jobservice  ... done
Creating harbor-portal      ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://harbor.test.cn. 
For more details, please visit https://github.com/goharbor/harbor . 

For how to use the features above, refer to the official documentation

3. Harbor high availability

To make Harbor highly available, that is, to keep the images stored in Harbor available when one Harbor instance goes down by having a second Harbor registry holding the same images, later Harbor releases, including this version, support image replication.
Before using image replication you of course need two Harbor installations (one primary, one standby).

3.1 Add a replication target

"System Administration" -> "Registry Management" -> "New Target"
Fill in the target name, target URL, username, password and so on

3.2 Add a replication rule

"System Administration" -> "Replication Management" -> "New Rule"
Fill in the name, description, source project, filter, target, trigger mode and so on

The filter supports the following syntax:
*: matches any sequence of non-separator (/) characters.
**: matches any sequence of characters, including the path separator /.
?: matches any single non-separator (/) character.
{alt1,...}: matches a sequence of characters if one of the comma-separated alternatives matches.
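
The four filter forms above implemented as a small matcher, added here as an example; it is not code from the original post or from Harbor itself, and the translation to a POSIX extended regular expression is my own reading of the semantics listed above. The function names harbor_filter_to_regex and harbor_filter_match and the sample repository names are constructed. It shows the distinction that matters when scoping a rule: a plain * stops at the path separator, so library/* covers library/nginx but not library/team/nginx, while ** crosses it.

```shell
#!/bin/sh
# Added example, not code from the original post or from Harbor.
# Translates a replication filter pattern into an extended regex and matches
# repository names against it. Semantics as listed in the post:
#   *  = any run of non-'/' characters     ** = anything, including '/'
#   ?  = one non-'/' character             {a,b} = one of the alternatives

harbor_filter_to_regex() {
  _rest=$1
  _re=''
  _depth=0                       # >0 while inside a {...} alternative group
  while [ -n "$_rest" ]; do
    _c=${_rest%"${_rest#?}"}     # first character of the remaining pattern
    _rest=${_rest#?}
    case "$_c" in
      '*')
        # Two stars in a row cross the path separator; one star does not
        if [ "${_rest%"${_rest#?}"}" = '*' ]; then
          _rest=${_rest#?}
          _re="$_re.*"
        else
          _re="$_re[^/]*"
        fi ;;
      '?') _re="$_re[^/]" ;;
      '{') _depth=$((_depth + 1)); _re="$_re(" ;;
      '}') _depth=$((_depth - 1)); _re="$_re)" ;;
      ',')
        # A comma only separates alternatives inside braces
        if [ "$_depth" -gt 0 ]; then _re="$_re|"; else _re="$_re,"; fi ;;
      '.'|'+'|'('|')'|'|'|'^'|'$'|'['|']'|'\')
        _re="$_re\\$_c" ;;       # regex metacharacters in the name are literal
      *) _re="$_re$_c" ;;
    esac
  done
  printf '%s\n' "^$_re\$"        # anchor: the whole name must match
}

# Returns 0 when repository name $2 is selected by filter pattern $1
harbor_filter_match() {
  printf '%s\n' "$2" | grep -Eq "$(harbor_filter_to_regex "$1")"
}

# Usage: constructed sample repository names checked against one rule's filter
for repo in library/nginx library/team/nginx library/redis; do
  if harbor_filter_match 'library/*' "$repo"; then
    echo "replicate: $repo"
  else
    echo "skip:      $repo"
  fi
done
```

Because the filter decides which repositories leave the primary registry, running a few representative names through the pattern before saving the rule avoids replicating more than intended.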

3.3 Test

Depending on the trigger mode of the rule you configured, check whether replication starts immediately, or push an image to the primary Harbor and check whether the image is replicated to the standby Harbor

4. Routine Harbor operations

Pause Harbor: docker-compose stop (stops the Docker containers without removing them)
Resume Harbor: docker-compose start (resumes the Docker containers)
Stop Harbor: docker-compose down -v (stops and removes the Docker containers)
Start Harbor: docker-compose up -d (starts all Docker containers)
To change Harbor's running configuration, follow these steps:
1. Stop Harbor
docker-compose down -v
2. Edit the configuration
vim harbor.cfg
3. Run ./prepare to render the updated configuration into docker-compose.yml
./prepare
4. Start Harbor
docker-compose up -d

