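1. Harbor
Developing and running container applications depends on reliable image management. For both security and efficiency, a Registry deployed inside the private environment is essential. Harbor is an open-source Registry server project designed for enterprise users by VMware's China team. It includes the features enterprises need, such as role-based access control (RBAC), LDAP, auditing, a management UI, self-registration and HA, and, with Chinese users in mind, adds image replication and Chinese-language support.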
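2. Prerequisites for installing Harbor
According to the official documentation, the main requirements for installing Harbor are:

Hardware | Minimum | Recommended |
---|---|---|
CPU | 2 CPU | 4 CPU |
Memory | 4 GB | 8 GB |
Disk | 40 GB | 160 GB |

Software | Version |
---|---|
Docker engine | 17.06.0-ce+ or higher |
Docker Compose | 1.18.0 or higher |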
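3. Deployment plan

Item | Plan |
---|---|
Server IP | 192.168.113.48 |
Port | 8930 |
Installation directory | /home/work/harbor |
Data directory mapping | /home/work/harbor/data |
Log directory mapping | /home/work/harbor/logs |
Harbor administrator password | h12345 |

Harbor's default port is 80 for HTTP and 443 for HTTPS. This installation is on the company intranet, so HTTPS is not needed and HTTP is used. To avoid port conflicts, the port can be changed.
Harbor's default data directory mapping is /data and its default log directory mapping is /var/log/harbor. Here, for unified management, both the data directory and the log directory are placed under the installation directory.
After Harbor is installed successfully, an administrator account is created with the user name admin and the default password Harbor12345; changing the password is optional.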
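4. Installing Harbor
- Installation method: Harbor can be installed online or offline. This installation uses the offline installer.
- Download the installer. The latest version at the time of this installation was 2.1.0; choose whichever version you need. Download harbor-offline-installer-v2.1.0.tgz to the local Windows machine, then upload the file to /home/work with an FTP tool. (Official latest release link)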
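- Extract the installer; this creates a harbor directory in the current directory.

  ```
  tar xvf harbor-offline-installer-v2.1.0.tgz
  ```

  After extraction, the directory contains the files shown in the screenshot; among them, harbor.yml.tmpl is Harbor's template configuration file.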
- Copy harbor.yml.tmpl to harbor.yml, then edit the file according to the plan and save it.

  ```
  cp harbor.yml.tmpl harbor.yml
  vim harbor.yml
  ```
- Because HTTPS is not used, Docker's configuration must be modified and saved; otherwise, once Harbor is running, logging in to Harbor from Docker fails.

  ```
  vim /usr/lib/systemd/system/docker.service
  ```

  ```
  # Line to modify
  ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.113.48:8930
  ```

  Append --insecure-registry=IP:port to the end of the ExecStart line.
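- Reload the configuration and restart the Docker service (use with caution in production!!!).

  ```
  # Reload the configuration
  systemctl daemon-reload
  # Restart the Docker service
  systemctl restart docker
  ```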
- Every time Harbor's configuration file is modified, the prepare command must be run in the installation directory; otherwise the change does not take effect.

  ```
  [root@node03 harbor]# ./prepare
  prepare base dir is set to /home/work/harbor
  WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
  Generated configuration file: /config/portal/nginx.conf
  Generated configuration file: /config/log/logrotate.conf
  Generated configuration file: /config/log/rsyslog_docker.conf
  Generated configuration file: /config/nginx/nginx.conf
  Generated configuration file: /config/core/env
  Generated configuration file: /config/core/app.conf
  Generated configuration file: /config/registry/config.yml
  Generated configuration file: /config/registryctl/env
  Generated configuration file: /config/registryctl/config.yml
  Generated configuration file: /config/db/env
  Generated configuration file: /config/jobservice/env
  Generated configuration file: /config/jobservice/config.yml
  Generated and saved secret to file: /data/secret/keys/secretkey
  Successfully called func: create_root_cert
  Generated configuration file: /compose_location/docker-compose.yml
  Clean up the input dir
  ```

  After the command completes, the directory looks like this:

  [Screenshot: directory contents after running prepare]
- Edit and save the docker-compose.yml file.

  ```
  proxy:
    image: goharbor/nginx-photon:v2.1.0
    container_name: nginx
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - ./common/config/nginx:/etc/nginx:z
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    networks:
      - harbor
    dns_search: .
    ports:
      # Originally 80:8080; port 80 is changed to port 8930
      - 8930:8080
    depends_on:
      - registry
      - core
      - portal
      - log
  ```
- Start Harbor with docker-compose.

  ```
  docker-compose up -d
  ```

  A successful start looks like this:

  [Screenshot: output of a successful startup]
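The script below is an added example, not part of the original post: it reads a harbor.yml and a docker.service unit file and reports the settings this walkthrough relies on (HTTP only, the administrator password, the --insecure-registry flag). The two sample files are constructed from the plan in section 3, and MIN_PW_LEN is an assumed local policy value, not a Harbor setting.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: report the weak settings this
# walkthrough relies on, given a harbor.yml and a docker.service unit file.
MIN_PW_LEN=12   # assumed local policy threshold, not a Harbor setting

# Value of an uncommented top-level "key: value" line in a YAML file.
yml_top() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# One finding per line on stdout; always returns 0 so output can be captured.
audit_harbor_yml() {
  local f=$1 pw
  pw=$(yml_top "$f" harbor_admin_password)
  grep -q '^https:' "$f" ||
    echo "HTTP_ONLY no https block: logins and image layers cross the network unencrypted"
  if [ "$pw" = "Harbor12345" ]; then
    echo "DEFAULT_ADMIN_PASSWORD harbor_admin_password is still the shipped default"
  elif [ "${#pw}" -lt "$MIN_PW_LEN" ]; then
    echo "SHORT_ADMIN_PASSWORD harbor_admin_password has only ${#pw} characters"
  fi
  return 0
}

# Registries dockerd is told to reach without TLS (from the ExecStart line).
insecure_registries() {
  grep '^ExecStart=' "$1" | grep -o -- '--insecure-registry[= ][^ ]*' |
    sed 's/^--insecure-registry[= ]//'
  return 0
}

# Constructed sample inputs that mirror the deployment plan in section 3.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/harbor.yml" <<'EOF'
hostname: 192.168.113.48
http:
  port: 8930
# https:
#   port: 443
harbor_admin_password: h12345
data_volume: /home/work/harbor/data
log:
  local:
    location: /home/work/harbor/logs
EOF
cat > "$SAMPLE_DIR/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.113.48:8930
EOF

audit_harbor_yml "$SAMPLE_DIR/harbor.yml"
insecure_registries "$SAMPLE_DIR/docker.service"
```

To check the installation built above, point the two functions at /home/work/harbor/harbor.yml and /usr/lib/systemd/system/docker.service.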
5. Verifying Harbor
- Enter ip:port in a browser to open Harbor's web page; the user name is admin and the password is the one you set.
- Log in to Harbor from Docker with the same user name and password.

  ```
  [root@node03 harbor]# docker login 192.168.113.48:8930
  Username: admin
  Password:
  WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
  Configure a credential helper to remove this warning. See
  https://docs.docker.com/engine/reference/commandline/login/#credentials-store

  Login Succeeded
  You have new mail in /var/spool/mail/root
  [root@node03 harbor]#
  ```
- Tag a local image, then push it to Harbor (push steps: login --> tag --> push).

  ```
  [root@node03 harbor]# docker tag mysql:5.7 192.168.113.48:8930/library/mysql:5.7
  [root@node03 harbor]# docker images
  REPOSITORY                          TAG       IMAGE ID       CREATED       SIZE
  sonatype/nexus3                     latest    d4fbb85e8101   2 days ago    634MB
  gitlab/gitlab-ce                    latest    b0c27d1707a0   6 days ago    1.98GB
  192.168.113.48:8930/library/mysql   5.7       42cdba9f1b08   9 days ago    448MB
  mysql                               5.7       42cdba9f1b08   9 days ago    448MB
  jenkins/jenkins                     lts       f669140ba6ec   2 weeks ago   711MB
  goharbor/redis-photon               v2.1.0    45fa455a8eeb   5 weeks ago   68.7MB
  goharbor/harbor-registryctl         v2.1.0    98f466a61ebb   5 weeks ago   132MB
  goharbor/registry-photon            v2.1.0    09c818fabdd3   5 weeks ago   80.1MB
  goharbor/nginx-photon               v2.1.0    470ffa4a837e   5 weeks ago   40.1MB
  goharbor/harbor-log                 v2.1.0    402802990707   5 weeks ago   82.1MB
  goharbor/harbor-jobservice          v2.1.0    ff65bef832b4   5 weeks ago   165MB
  goharbor/harbor-core                v2.1.0    26047bcb9ff5   5 weeks ago   147MB
  goharbor/harbor-portal              v2.1.0    5e97d5e230b9   5 weeks ago   49.5MB
  goharbor/harbor-db                  v2.1.0    44c0be92f223   5 weeks ago   164MB
  goharbor/prepare                    v2.1.0    58d0e7cee8cf   5 weeks ago   160MB
  [root@node03 harbor]# docker push 192.168.113.48:8930/library/mysql:5.7
  The push refers to repository [192.168.113.48:8930/library/mysql]
  bdda49371b83: Pushed
  78a9edf56b5f: Pushed
  2e19acd09cf6: Pushed
  30f9c7764a3f: Pushed
  15b463db445c: Pushed
  c21e35e55228: Pushed
  36b89ee4c647: Pushed
  9dae2565e824: Pushed
  ec8c80284c72: Pushed
  329fe06a30f0: Pushed
  d0fe97fa8b8c: Pushed
  5.7: digest: sha256:3830eda172a0285aa9899c422f26d739cde0ad5445962fbb9a2a8b0df00a1a64 size: 2621
  [root@node03 harbor]#
  ```

  Checking in Harbor shows that the image was pushed successfully:

  [Screenshot: the pushed image in the Harbor web UI]
- Pull the image from Harbor.

  First delete the image, then pull it from Harbor:

  ```
  [root@node03 harbor]# docker rmi 192.168.113.48:8930/library/mysql:5.7
  Untagged: 192.168.113.48:8930/library/mysql:5.7
  Untagged: 192.168.113.48:8930/library/mysql@sha256:3830eda172a0285aa9899c422f26d739cde0ad5445962fbb9a2a8b0df00a1a64
  [root@node03 harbor]# docker images
  REPOSITORY                          TAG       IMAGE ID       CREATED       SIZE
  sonatype/nexus3                     latest    d4fbb85e8101   2 days ago    634MB
  gitlab/gitlab-ce                    latest    b0c27d1707a0   6 days ago    1.98GB
  mysql                               5.7       42cdba9f1b08   9 days ago    448MB
  jenkins/jenkins                     lts       f669140ba6ec   2 weeks ago   711MB
  goharbor/redis-photon               v2.1.0    45fa455a8eeb   5 weeks ago   68.7MB
  goharbor/harbor-registryctl         v2.1.0    98f466a61ebb   5 weeks ago   132MB
  goharbor/registry-photon            v2.1.0    09c818fabdd3   5 weeks ago   80.1MB
  goharbor/nginx-photon               v2.1.0    470ffa4a837e   5 weeks ago   40.1MB
  goharbor/harbor-log                 v2.1.0    402802990707   5 weeks ago   82.1MB
  goharbor/harbor-jobservice          v2.1.0    ff65bef832b4   5 weeks ago   165MB
  goharbor/harbor-core                v2.1.0    26047bcb9ff5   5 weeks ago   147MB
  goharbor/harbor-portal              v2.1.0    5e97d5e230b9   5 weeks ago   49.5MB
  goharbor/harbor-db                  v2.1.0    44c0be92f223   5 weeks ago   164MB
  goharbor/prepare                    v2.1.0    58d0e7cee8cf   5 weeks ago   160MB
  [root@node03 harbor]# docker pull 192.168.113.48:8930/library/mysql:5.7
  5.7: Pulling from library/mysql
  Digest: sha256:3830eda172a0285aa9899c422f26d739cde0ad5445962fbb9a2a8b0df00a1a64
  Status: Downloaded newer image for 192.168.113.48:8930/library/mysql:5.7
  192.168.113.48:8930/library/mysql:5.7
  [root@node03 harbor]# docker images
  REPOSITORY                          TAG       IMAGE ID       CREATED       SIZE
  sonatype/nexus3                     latest    d4fbb85e8101   2 days ago    634MB
  gitlab/gitlab-ce                    latest    b0c27d1707a0   6 days ago    1.98GB
  192.168.113.48:8930/library/mysql   5.7       42cdba9f1b08   9 days ago    448MB
  mysql                               5.7       42cdba9f1b08   9 days ago    448MB
  jenkins/jenkins                     lts       f669140ba6ec   2 weeks ago   711MB
  goharbor/redis-photon               v2.1.0    45fa455a8eeb   5 weeks ago   68.7MB
  goharbor/harbor-registryctl         v2.1.0    98f466a61ebb   5 weeks ago   132MB
  goharbor/registry-photon            v2.1.0    09c818fabdd3   5 weeks ago   80.1MB
  goharbor/nginx-photon               v2.1.0    470ffa4a837e   5 weeks ago   40.1MB
  goharbor/harbor-log                 v2.1.0    402802990707   5 weeks ago   82.1MB
  goharbor/harbor-jobservice          v2.1.0    ff65bef832b4   5 weeks ago   165MB
  goharbor/harbor-core                v2.1.0    26047bcb9ff5   5 weeks ago   147MB
  goharbor/harbor-portal              v2.1.0    5e97d5e230b9   5 weeks ago   49.5MB
  goharbor/harbor-db                  v2.1.0    44c0be92f223   5 weeks ago   164MB
  goharbor/prepare                    v2.1.0    58d0e7cee8cf   5 weeks ago   160MB
  [root@node03 harbor]#
  ```
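Whether an image can be pulled is determined jointly by the Harbor project's access level and the permissions of the project's members. If the project is public, images can be pulled without logging in to Harbor; if the project is private, only members of the project can perform further operations on its images. See the official documentation for the specific permissions.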