I. Introduction
1. Why use Harbor when an official registry image already exists
1) The plain registry has no image cleanup workflow: you can push, but not delete, so disk space is wasted
2) The plain registry has no extension mechanism
3) Harbor features:
- Cloud native registry: with support for both container images and Helm charts, Harbor serves as a registry for cloud native environments such as container runtimes and orchestration platforms.
- Role based access control: users and repositories are organized via "projects", and a user can have different permissions for images or Helm charts under a project.
- Policy based replication: images and charts can be replicated (synchronized) between multiple registry instances based on policies with multiple filters (repository, tag and label). Harbor automatically retries a replication if it encounters any errors. Useful for load balancing, high availability, multi-datacenter, hybrid and multi-cloud scenarios.
- Vulnerability scanning: Harbor scans images regularly and warns users of vulnerabilities.
- LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor and assigning proper project roles to them.
- OIDC support: Harbor uses OpenID Connect (OIDC) to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be enabled for logging into the Harbor portal.
- Image deletion and garbage collection: images can be deleted and their space reclaimed.
- Notary: image signing, so image authenticity can be verified.
- Graphical user portal: users can browse and search repositories and manage projects.
- Auditing: all operations on the repositories are tracked.
- RESTful API: RESTful APIs for most administrative operations, easy to integrate with external systems. An embedded Swagger UI is available for exploring and testing the API.
- Easy deployment: both an online and an offline installer are provided. In addition, a Helm chart can be used to deploy Harbor on Kubernetes.
2. What is Harbor
Harbor is an enterprise-grade registry project open-sourced by VMware and built on Docker Registry. It is a server for storing and distributing Docker images that extends the upstream Docker Distribution with the features an enterprise needs, such as security, authentication and management. It improves image transfer efficiency, supports replicating images between registries, and adds higher-level security functions such as vulnerability analysis, user management, access control and activity auditing. At the time of writing the project has more than 4600 stars on GitHub.
Official site: https://goharbor.io/
GitHub installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Downloads: https://github.com/goharbor/harbor/releases
Note: the offline installer is used throughout this page
3. Harbor logo (image)
II. Harbor architecture
1. Architecture diagram (image)
2. The seven main components
Proxy: Harbor's registry, UI, token server and other components sit behind a reverse proxy, which forwards requests from browsers and Docker clients to the various backend services.
Registry: stores Docker images and handles docker push/pull. Because Harbor must enforce access control on images, the registry redirects clients to the token service so that every request carries a valid token.
Core services: Harbor's core, providing the following:
UI: the graphical interface that helps users manage the images in the registry.
Webhook: a mechanism configured in the registry so that image status changes in the registry are delivered to Harbor's webhook endpoint. Harbor uses it to update logs, trigger replication and a few other functions.
Token service: issues a token for each docker push/pull according to the user's role in the project. If a request from the Docker client carries no token, the registry redirects it to the token service.
Database: stores the metadata for projects, users, roles, replication policies and images.
Job services: image replication; local images can be replicated (synchronized) to other Harbor instances.
Log collector: collects the logs of the other modules in one place.
Redis: stores sessions.
3. Lab architecture diagram (image)
Software versions used: docker engine 19.03.2
docker-compose version 1.18.0
CentOS Linux release 7.7.1908 (Core)
harbor v1.9.1
III. Installing Harbor
1. Installation methods
There are two installers: online installer / offline installer
online installer: pulls the Harbor images from Docker Hub; the download link is in the installation steps section below
offline installer: for hosts without internet access; download the offline package and install from it
Harbor can also be deployed on Kubernetes with the Helm chart
2. Installation requirements
1)Hardware
Resource | Capacity | Description |
---|---|---|
CPU | minimal 2 CPU | 4 CPU is preferred |
Mem | minimal 4GB | 8GB is preferred |
Disk | minimal 40GB | 160GB is preferred |
2)Software
Software | Version | Description |
---|---|---|
Docker engine | version 17.06.0-ce+ or higher | For installation instructions, please refer to: docker engine doc |
Docker Compose | version 1.18.0 or higher | For installation instructions, please refer to: docker compose doc |
Openssl | latest is preferred | Generate certificate and keys for Harbor |
3)Network ports
Port | Protocol | Description |
---|---|---|
443 | HTTPS | Harbor portal and core API will accept requests on this port for https protocol, this port can change in config file |
4443 | HTTPS | Connections to the Docker Content Trust (Notary) service for Harbor; only needed when Notary is enabled. This port can be changed in the config file |
80 | HTTP | Harbor portal and core API will accept requests on this port for http protocol |
3. Official installation steps
The installation steps boil down to the following:
Download the installer;
Download: https://github.com/goharbor/harbor/releases
Configure harbor.yml;
Mainly set hostname and the initial harbor_admin_password
Run install.sh to install and start Harbor;
Run the install script
4. Deployment
1) Notes: Harbor can be deployed with docker-compose or on Kubernetes; the default is a single-node docker-compose deployment
2) Installing Docker is omitted here
See "Docker4: building a private registry, docker-registry method"
systemctl start docker
systemctl enable docker
3) Download the package
Create a working directory for Harbor:
mkdir /harbor
cd /harbor
Upload the downloaded package into this directory
Unpack:
tar -zxvf harbor-offline-installer-v1.9.1.tgz
4) Edit harbor.yml
Two values must be changed for now:
hostname must be set
Change the initial password; here it is set to harbor (a six-character password is acceptable only for a lab; on anything other people can reach, pick a strong one)
The default username/password is admin / Harbor12345
[root@web2 harbor]# cat harbor.yml |grep hostname
# The IP address or hostname to access admin UI and registry service.
hostname: 192.168.216.52   #--- FQDN or IP
# And when it enabled the hostname will no longer used
[root@web2 harbor]# cat harbor.yml |grep harbor_ad*
harbor_admin_password: harbor   #--- initial password
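Before running install.sh it is worth checking harbor.yml for the three settings that most often ship to production unchanged: the factory admin password, an https block still commented out, and a hostname clients cannot use. The audit below is an added example and is not part of the original post or of Harbor itself; the two sample files it writes are constructed (lab.yml mirrors the values on this page, hardened.yml is the corrected form with a made-up hostname, certificate paths and password), and the 8-character minimum is this example's own threshold.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project: audit a
# harbor.yml before running install.sh. It flags the three settings a reviewer
# would reject: the factory admin password, an https block still commented out,
# and a hostname clients cannot use (empty, localhost, 127.0.0.1).
# The 8-character minimum is this example's own threshold, not Harbor's.

# yml_value FILE KEY -> value of a top-level "KEY: value" line, trailing comment removed
yml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*#.*$//'
}

# audit_harbor_yml FILE -> one finding per line; returns 0 when clean, 1 otherwise
audit_harbor_yml() {
  local f=$1 rc=0 host pw
  host=$(yml_value "$f" hostname)
  pw=$(yml_value "$f" harbor_admin_password)

  case "$host" in
    ""|localhost|127.0.0.1)
      echo "hostname: '$host' is unusable for clients; set the FQDN or LAN IP"; rc=1 ;;
  esac

  if [ "$pw" = "Harbor12345" ]; then
    echo "harbor_admin_password: factory default Harbor12345 still set"; rc=1
  elif [ "${#pw}" -lt 8 ]; then
    echo "harbor_admin_password: shorter than 8 characters"; rc=1
  fi

  # A live (uncommented) "https:" block at column 0 means TLS is configured;
  # otherwise nginx serves the portal and the registry over plain HTTP.
  if ! grep -q '^https:' "$f"; then
    echo "https: block is commented out; Harbor will be served over plain HTTP"; rc=1
  fi
  return $rc
}

# write_samples DIR -> writes two constructed harbor.yml fragments for demonstration:
# lab.yml mirrors the values used on this page, hardened.yml the corrected form
# (harbor.example.internal, the certificate paths and the password are made up).
write_samples() {
  cat > "$1/lab.yml" <<'EOF'
hostname: 192.168.216.52   #--- FQDN or IP
http:
  port: 80
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
harbor_admin_password: Harbor12345
EOF
  cat > "$1/hardened.yml" <<'EOF'
hostname: harbor.example.internal
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/tls/harbor.crt
  private_key: /etc/harbor/tls/harbor.key
harbor_admin_password: 7nQx-Lr2-VbcHs9d
EOF
}

# Usage: write_samples /tmp/audit && audit_harbor_yml /tmp/audit/lab.yml
# Against lab.yml the audit prints two findings and returns 1;
# against hardened.yml it prints nothing and returns 0.
```

Run it against the real file with `audit_harbor_yml /harbor/harbor.yml` and treat a non-zero exit as a reason to stop before install.sh; the hostname check matters because a value of localhost makes the certificate useless to every remote client once HTTPS is enabled.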
5) Install docker-compose
[root@web2 harbor]# ll
total 607872
-rw-r--r-- 1 root root 622428100 Sep 27 14:52 harbor.v1.9.1.tar.gz
-rw-r--r-- 1 root root      5798 Oct  9 15:55 harbor.yml
-rwxr-xr-x 1 root root      5088 Sep 27 14:52 install.sh
-rw-r--r-- 1 root root     11347 Sep 27 14:52 LICENSE
-rwxr-xr-x 1 root root      1748 Sep 27 14:52 prepare
[root@web2 harbor]# ./install.sh   #--- running the installer first; it reports that docker-compose is missing
[Step 0]: checking installation environment ...
Note: docker version: 19.03.2
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again.   #--- asks for compose
Install compose:
yum -y install python-pip
pip install --upgrade pip
pip install docker-compose
docker-compose version
[root@web2 harbor]# docker-compose version
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
[root@web2 harbor]#
6) Run the install script
./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.2
Note: docker-compose version: 1.18.0
[Step 1]: loading Harbor images ...
b80136ee24a4: Loading layer [>                                                  ]  360.4kB/34.25MB
b80136ee24a4: Loading layer [====>                                              ]  2.884MB/34.25MB
b80136ee24a4: Loading layer [=========>                                         ]  6.488MB/34.25MB
b80136ee24a4: Loading layer [==============>                                    ]  10.09MB/34.25MB
b80136ee24a4: Loading layer [======================>                            ]  15.14MB/34.25MB
(remaining layer-loading output omitted)
✔ ----Harbor has been installed and started successfully.----   #--- installed
Now you should be able to visit the admin portal at http://192.168.216.52.
For more details, please visit https://github.com/goharbor/harbor .
Installation is now complete; nine containers are running:
[root@web2 harbor]# docker ps
CONTAINER ID   IMAGE                                                    COMMAND                  CREATED          STATUS                    PORTS                       NAMES
e70ce2270a2b   goharbor/nginx-photon:v1.9.1                             "nginx -g 'daemon of…"   30 minutes ago   Up 30 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
f8c165eb8f4e   goharbor/harbor-jobservice:v1.9.1                        "/harbor/harbor_jobs…"   30 minutes ago   Up 30 minutes (healthy)                               harbor-jobservice
ba46b285ff14   goharbor/harbor-core:v1.9.1                              "/harbor/harbor_core"    30 minutes ago   Up 30 minutes (healthy)                               harbor-core
5179d37b0029   goharbor/harbor-db:v1.9.1                                "/docker-entrypoint.…"   30 minutes ago   Up 30 minutes (healthy)   5432/tcp                    harbor-db
8d210e049b95   goharbor/harbor-portal:v1.9.1                            "nginx -g 'daemon of…"   30 minutes ago   Up 30 minutes (healthy)   8080/tcp                    harbor-portal
9bb9ea0b891b   goharbor/harbor-registryctl:v1.9.1                       "/harbor/start.sh"       30 minutes ago   Up 30 minutes (healthy)                               registryctl
6af51f3478c5   goharbor/redis-photon:v1.9.1                             "redis-server /etc/r…"   30 minutes ago   Up 30 minutes (healthy)   6379/tcp                    redis
93656b06f470   goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.1   "/entrypoint.sh /etc…"   30 minutes ago   Up 30 minutes (healthy)   5000/tcp                    registry
be49e0941ce4   goharbor/harbor-log:v1.9.1                               "/bin/sh -c /usr/loc…"   30 minutes ago   Up 30 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log
[root@web2 harbor]#
Note the PORTS column: only nginx publishes a host port (80), and harbor-log binds to 127.0.0.1 only. The registry (5000), database (5432) and redis (6379) are reachable solely on the compose network, which is what makes the proxy the single enforcement point described in the architecture section.
7) Access the web UI (screenshot): open http://192.168.216.52 and log in as admin with the password set in harbor.yml
IV. Using the Harbor registry
1. Client login: because Harbor is served over plain HTTP here, the client's Docker daemon must be told to treat it as an insecure registry
Note: before docker login, the client must allow this registry over HTTP, either with the daemon's "--insecure-registry" flag or with the "insecure-registries" key in daemon.json as shown below. This turns off transport protection for that one registry: the login credentials and the image layers travel in clear text and can be read or altered on the wire, so it is acceptable only in a lab. For anything else, configure HTTPS (section V.1).
Error when logging in without the change:
[root@web1 docker]# docker login 192.168.216.52
Authenticating with existing credentials...
Login did not succeed, error: Error response from daemon: Get https://192.168.216.52/v2/: dial tcp 192.168.216.52:443: connect: connection refused
Username (admin): admin
Password:
Error response from daemon: Get https://192.168.216.52/v2/: dial tcp 192.168.216.52:443: connect: connection refused
The client defaults to HTTPS and nothing is listening on 443, hence the refused connection.
Edit /etc/docker/daemon.json on the client (create it if it does not exist):
[root@web1 docker]# pwd
/etc/docker
[root@web1 docker]# ll
total 8
-rw-r--r-- 1 root root  52 Oct 10 17:42 daemon.json.bak
-rw------- 1 root root 244 Jul 25 11:16 key.json
[root@web1 docker]# mv daemon.json.bak daemon.json
[root@web1 docker]# cat daemon.json
{
"insecure-registries":["http://192.168.216.52"]
}
#--- then restart docker
[root@web1 docker]# systemctl daemon-reload&&systemctl restart docker
Log in:
docker login 192.168.216.52
Note: a username and password are required here; use admin and the password set in harbor.yml (admin/harbor). The example below does not prompt because this client had already logged in.
[root@web1 docker]# docker login 192.168.216.52
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@web1 docker]#
The username and password can also be passed as arguments:
[root@web1 docker]# docker login -u admin -p harbor 192.168.216.52
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@web1 docker]#
Passing -p on the command line leaves the password in the shell history and in the process list of every user on the host; as the warning says, prefer piping it in with `docker login -u admin --password-stdin 192.168.216.52`.
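The two ways a client daemon can be made to talk to this registry, side by side, as an added example that is not code from the original post or from Docker: write_insecure_registry produces the lab-only daemon.json used above, and trust_registry_ca is the form to use once Harbor serves HTTPS with a private CA, which keeps certificate verification on. DOCKER_ETC (defaulting to /etc/docker), harbor.example.internal and the CA file path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Docker/Harbor: the two ways
# a client dockerd can be configured for this registry. write_insecure_registry
# is the lab-only setting used on this page; trust_registry_ca is the form to
# use once Harbor serves HTTPS with a private CA (TLS verification stays on).
# DOCKER_ETC defaults to /etc/docker and can point at a scratch dir for a dry run.
DOCKER_ETC=${DOCKER_ETC:-/etc/docker}

# normalize_registry_host ENTRY -> host[:port] as dockerd records it. dockerd
# strips a leading http:// or https:// from an insecure-registries entry (and
# logs a warning), which is why both spellings tried on this page behave alike.
normalize_registry_host() {
  local h=$1
  h=${h#http://}
  h=${h#https://}
  printf '%s\n' "${h%/}"
}

# write_insecure_registry ENTRY -> daemon.json allowing plain HTTP (and
# unverified TLS) for that one host. Lab only. Overwrites daemon.json, so merge
# by hand if the file already carries other keys. Needs a dockerd restart.
write_insecure_registry() {
  local host
  host=$(normalize_registry_host "$1")
  mkdir -p "$DOCKER_ETC"
  printf '{\n  "insecure-registries": ["%s"]\n}\n' "$host" > "$DOCKER_ETC/daemon.json"
}

# trust_registry_ca ENTRY CA_PEM -> installs the registry's CA certificate where
# dockerd looks for it (certs.d/<host[:port]>/ca.crt). No insecure-registries
# entry is needed and certificate verification remains enforced.
trust_registry_ca() {
  local host ca=$2
  host=$(normalize_registry_host "$1")
  [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }
  mkdir -p "$DOCKER_ETC/certs.d/$host"
  cp "$ca" "$DOCKER_ETC/certs.d/$host/ca.crt"
  chmod 0644 "$DOCKER_ETC/certs.d/$host/ca.crt"
}

# Usage on a lab client:   write_insecure_registry 192.168.216.52 && systemctl restart docker
# Usage with HTTPS Harbor: trust_registry_ca harbor.example.internal /path/to/ca.crt
```

The port is part of the certs.d directory name only when the registry is not on 443 (for example certs.d/harbor.example.internal:8443/ca.crt); with the CA installed, docker login and docker pull use https:// and verify the server certificate as they would for any public registry.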
2. Pushing an image
Use docker push:
docker push 192.168.216.52/library/zxg/centos_nginx:v1
1) Tag the image
[root@web1 docker]# docker images
REPOSITORY                TAG      IMAGE ID       CREATED        SIZE
zxg/centos_nginx          v1       7c6604cacec1   7 weeks ago    698MB
atlassian/jira-software   latest   c4b90dede4f3   7 weeks ago    624MB
zxg/my_nginx              v1       b164f4c07c64   2 months ago   126MB
zxg/my_nginx              latest   f07837869dfc   2 months ago   126MB
nginx                     latest   e445ab08b2be   2 months ago   126MB
alpine                    latest   b7b28af77ffe   3 months ago   5.58MB
centos                    latest   9f38484d220f   6 months ago   202MB
[root@web1 docker]# docker tag 7c6604cacec1 192.168.216.52/library/zxg/centos_nginx:v1
[root@web1 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.216.52/library/zxg/centos_nginx v1 7c6604cacec1 7 weeks ago 698MB
2) Push
[root@web1 docker]# docker push 192.168.216.52/library/zxg/centos_nginx:v1
The push refers to repository [192.168.216.52/library/zxg/centos_nginx]
7b4de0c97fbb: Pushed
d69483a6face: Pushed
v1: digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078 size: 742
3) Check that it succeeded (screenshot of the Harbor UI): the repository zxg/centos_nginx should now be listed under the library project. The digest printed by push identifies this exact manifest and is worth recording, since the v1 tag can later be re-pointed by anyone with push rights to the project.
3. Verifying the daemon.json format
1) Copy the client's daemon.json to the Harbor host
[root@web1 docker]# scp daemon.json root@192.168.216.52:/etc/docker/
The authenticity of host '192.168.216.52 (192.168.216.52)' can't be established.
ECDSA key fingerprint is SHA256:kvAeuWOn6RFSXvl5qFIszQEx9gLizuZER+I4VJkpAso.
ECDSA key fingerprint is MD5:b7:ef:e0:3c:8f:97:01:c2:5c:9a:2e:fc:4d:e2:99:83.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.216.52' (ECDSA) to the list of known hosts.
root@192.168.216.52's password:
daemon.json                                   100%   52     9.4KB/s   00:00
[root@web1 docker]#
2) Change the format and see whether it still works
[root@web2 harbor]# cat /etc/docker/daemon.json
{
"insecure-registries":["192.168.216.52"]
}
[root@web2 harbor]#
(The previous form was ["http://192.168.216.52"].)
After the change, restart docker and the compose stack:
systemctl daemon-reload&&systemctl restart docker
docker-compose down -v
docker-compose up -d
3) Test whether login works
[root@web2 harbor]# docker login 192.168.216.52
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Login works, so it was not a format problem; it must be a version problem, and older versions presumably need a different config file edited.
Both spellings work because dockerd strips a leading http:// (or https://) from an insecure-registries entry and logs a warning when it does; the documented form is the bare host, with :port appended when the registry is not on 80/443.
4. Pulling an image
docker pull 192.168.216.52/library/zxg/centos_nginx:v1
[root@web2 harbor]# docker pull 192.168.216.52/library/zxg/centos_nginx:v1
v1: Pulling from library/zxg/centos_nginx
8ba884070f61: Pull complete
75754525faad: Pull complete
Digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078
Status: Downloaded newer image for 192.168.216.52/library/zxg/centos_nginx:v1
192.168.216.52/library/zxg/centos_nginx:v1
[root@web2 harbor]# docker images
REPOSITORY                                TAG                             IMAGE ID       CREATED       SIZE
goharbor/chartmuseum-photon               v0.9.0-v1.9.1                   0aa7451af9b8   13 days ago   131MB
goharbor/harbor-migrator                  v1.9.1                          a83f1be1ec94   13 days ago   362MB
goharbor/redis-photon                     v1.9.1                          4d8d79a557df   13 days ago   110MB
goharbor/clair-photon                     v2.0.9-v1.9.1                   98b318ca3cb0   13 days ago   165MB
goharbor/notary-server-photon             v0.6.1-v1.9.1                   78dac4ed14d8   13 days ago   138MB
goharbor/notary-signer-photon             v0.6.1-v1.9.1                   5d9f413e14a8   13 days ago   135MB
goharbor/harbor-registryctl               v1.9.1                          f4b2b72cdf71   13 days ago   99.6MB
goharbor/registry-photon                  v2.7.1-patch-2819-2553-v1.9.1   d460d658f383   13 days ago   82.3MB
goharbor/nginx-photon                     v1.9.1                          0db1e12b9d30   13 days ago   43.9MB
goharbor/harbor-log                       v1.9.1                          368dd79ef99f   13 days ago   82.6MB
goharbor/harbor-jobservice                v1.9.1                          71d4a3eaff94   13 days ago   141MB
goharbor/harbor-core                      v1.9.1                          d105210d9924   13 days ago   155MB
goharbor/harbor-portal                    v1.9.1                          2dced1823043   13 days ago   51.3MB
goharbor/harbor-db                        v1.9.1                          91784692a954   13 days ago   147MB
goharbor/prepare                          v1.9.1                          44775181c88d   13 days ago   148MB
192.168.216.51:5000/busybox               v1                              19485c79a9bb   5 weeks ago   1.22MB
192.168.216.51:5000/busybox               v2                              19485c79a9bb   5 weeks ago   1.22MB
192.168.216.52:5000/busybox               latest                          19485c79a9bb   5 weeks ago   1.22MB
192.168.216.52:5000/busybox               v2                              19485c79a9bb   5 weeks ago   1.22MB
busybox                                   v1                              19485c79a9bb   5 weeks ago   1.22MB
busybox                                   v2                              19485c79a9bb   5 weeks ago   1.22MB
192.168.216.52/library/zxg/centos_nginx   v1                              7c6604cacec1   7 weeks ago   698MB
[root@web2 harbor]#
The Digest line matches the one printed by docker push in section 2, which confirms that the manifest that came back is the one that was uploaded.
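The push in section 2 and the pull above both print the same sha256 digest. The helper below, an added example that is not code from the original post or from Harbor, makes that comparison mechanical and builds a digest-pinned reference (host/repo@sha256:...) for deployments, so that a later re-push of the v1 tag cannot silently change what gets pulled. The two log excerpts embedded in it are constructed copies of the push and pull output shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post or from Harbor: compare the manifest
# digest reported by "docker push" with the one reported by "docker pull", and
# build a digest-pinned reference. A tag such as :v1 can be re-pointed by anyone
# with push rights to the project; a sha256 digest names one exact manifest.
# The two log excerpts are constructed copies of the output shown on this page.

PUSH_LOG='The push refers to repository [192.168.216.52/library/zxg/centos_nginx]
7b4de0c97fbb: Pushed
d69483a6face: Pushed
v1: digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078 size: 742'

PULL_LOG='v1: Pulling from library/zxg/centos_nginx
8ba884070f61: Pull complete
75754525faad: Pull complete
Digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078
Status: Downloaded newer image for 192.168.216.52/library/zxg/centos_nginx:v1'

# digest_from_log TEXT -> the first sha256 manifest digest in docker push/pull output
digest_from_log() {
  printf '%s\n' "$1" | grep -oE 'sha256:[0-9a-f]{64}' | head -n 1
}

# pinned_ref IMAGE_REF DIGEST -> "host/repo@sha256:..." with any :tag removed.
# A ':' counts as a tag separator only after the last '/', so host:port survives.
pinned_ref() {
  local ref=$1 digest=$2 repo
  repo=$(printf '%s\n' "$ref" | sed -E 's#^(.*/[^/:]+):[^/]+$#\1#')
  printf '%s@%s\n' "$repo" "$digest"
}

# verify_roundtrip PUSH_TEXT PULL_TEXT -> 0 when both digests are present and equal
verify_roundtrip() {
  local a b
  a=$(digest_from_log "$1")
  b=$(digest_from_log "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage after a push, to pull by digest instead of by tag:
#   docker pull "$(pinned_ref 192.168.216.52/library/zxg/centos_nginx:v1 "$(digest_from_log "$PUSH_LOG")")"
```

Record the digest from the push output in whatever deploys the image and reference it there as host/repo@sha256:...; docker pull will then fail rather than fetch a manifest that does not match, which is the client-side complement to enabling Notary signing on the Harbor side (section V.3).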
V. Other settings
1. Serving Harbor over HTTPS
See https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
2. Managing Harbor's lifecycle
1) Stop
docker-compose stop
2) Restart
docker-compose start
3) Change the configuration
Stop Harbor -> update harbor.yml -> run the prepare script to regenerate the component configs -> start Harbor
docker-compose down -v   #--- stops and removes the containers; image data and Harbor's database files stay on the filesystem
vim harbor.yml
./prepare
docker-compose up -d
4) Delete Harbor's database and image data (for a clean reinstall)
rm -r /data/database
rm -r /data/registry
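The two rm -r commands above are irreversible, so take a snapshot first, and only while Harbor is stopped so the PostgreSQL files and registry blobs are consistent. The function below is an added example and is not part of the original post or of Harbor; DATA_DIR and BACKUP_DIR default to /data and /var/backups/harbor (the latter is this example's choice) and can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post or from Harbor: archive Harbor's
# persistent state before the destructive "rm -r /data/database /data/registry"
# step. It refuses to run while any goharbor/* container is up, because copying a
# live PostgreSQL data directory gives an inconsistent backup.
# DATA_DIR defaults to Harbor's /data; BACKUP_DIR is this example's own choice.
DATA_DIR=${DATA_DIR:-/data}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/harbor}

# harbor_running -> 0 if any goharbor/* container is running (1 if docker is
# absent or the daemon is down, which is fine for a dry run)
harbor_running() {
  docker ps --format '{{.Image}}' 2>/dev/null | grep -q '^goharbor/'
}

# backup_harbor_data [LABEL] -> prints the archive path; fails if Harbor is running
backup_harbor_data() {
  local label=${1:-$(date +%Y%m%d-%H%M%S)} out
  if harbor_running; then
    echo "harbor is still running; run 'docker-compose down -v' first" >&2
    return 1
  fi
  for sub in database registry; do
    [ -d "$DATA_DIR/$sub" ] || { echo "missing $DATA_DIR/$sub" >&2; return 1; }
  done
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/harbor-data-$label.tar.gz"
  # -C so the archive holds database/ and registry/ relative to DATA_DIR,
  # which lets it be restored with: tar -xzf ARCHIVE -C /data
  tar -czf "$out" -C "$DATA_DIR" database registry || return 1
  printf '%s\n' "$out"
}

# Usage: docker-compose down -v && backup_harbor_data && rm -r /data/database /data/registry
```

Restore is the reverse, again with Harbor stopped: `tar -xzf /var/backups/harbor/harbor-data-<label>.tar.gz -C /data` followed by `docker-compose up -d`. Keep the archive off the Harbor host; it contains every image layer and the user database.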
3. Installing Notary (image signing / content trust)
./install.sh --with-notary
Required: Harbor must be served over HTTPS (the https section of harbor.yml on this version; ui_url_protocol = https was the equivalent key in the older harbor.cfg)
4. Installing Clair (vulnerability scanning)
./install.sh --with-clair
5. Installing the chart repository service
./install.sh --with-chartmuseum
6. To install all of them, pass every flag in a single command
./install.sh --with-notary --with-clair --with-chartmuseum
7. docker-compose command reference
https://docs.docker.com/compose/reference/
8. Data and log files
Under /data/ by default; change the location in harbor.yml
9. External database
Harbor currently supports only PostgreSQL as an external database. To use one, uncomment the external_database section and first create the four databases: harbor core, clair, notary server and notary signer
10. For managing Harbor user settings from the command line, see:
https://github.com/goharbor/harbor/blob/master/docs/configure_user_settings.md
Summary of the workflow:
Install docker -> install docker-compose -> download the harbor-offline tarball -> upload it to the Linux host -> unpack harbor-offline-installer-v1.9.1.tgz -> edit harbor.yml in the unpacked harbor directory -> set the key values (hostname / initial password) -> run ./install.sh -> on the client, add the registry to daemon.json as an insecure registry (lab only; use HTTPS otherwise) -> log in from the client and run docker pull/push.
Please credit the source when reposting: https://www.cnblogs.com/zhangxingeng/p/11598708.html