Harbor: Introduction, Deployment, and Usage

Harbor

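Whether you build a private registry with docker-distribution or by running the official registry image as a container, the earlier demonstrations show that the result is very bare-bones. It is less convenient than managing images on the official Docker Hub, which at least offers a web interface for managing and searching images, and which can build images automatically from a Dockerfile using Webhooks and Automated Builds. The user does not run docker build locally; instead, all files of the build context are pushed to GitHub as a repository, and Docker Hub pulls those files from GitHub to carry out the automated build.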

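However powerful the official Docker Hub is, it is hosted overseas, so speed is the biggest bottleneck, and in many cases using the official registry is simply not an option. The two self-hosted approaches described above are very bare-bones and hard to manage, which is why a project favored by the CNCF later emerged: Harbor.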

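Harbor overview

Harbor was built by VMware as a second layer of packaging on top of Docker Registry, adding many extra components and a polished web interface.

  • Project Harbor is an open-source, trusted cloud native registry project that stores, signs, and scans content.

  • Harbor extends the open-source Docker Distribution by adding the functionality users usually need, such as security, identity, and management.

  • Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.

Harbor features

For example:

  • Multi-tenant content signing and validation
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently English and Chinese)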

Docker compose

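Deploying Harbor directly on a physical machine is very difficult. To simplify its use, the Harbor project ships Harbor as an application that runs in containers. It depends on several storage systems such as redis, mysql, and pgsql, so many containers have to be orchestrated to work together. VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose, for deployment and operation.

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from that configuration.

Docker Compose installation documentation

Visit the website

Deploying Harbor

Harbor installation documentation

Visit the website; the detailed steps are as follows:

Installation procedure

  1. Make sure your target host meets the installation prerequisites (Harbor Installer Precondition)
  2. Download and install Harbor (Download the Harbor Installer)
  3. Configure the HTTPS access port (Configure HTTPS Access to Harbor)
  4. Configure the Harbor YML file (Configure the Harbor YML File)
  5. Configure internal TLS (Configure Enabling Internal TLS)
  6. Run the installer script (Run the Installer Script)

Preparation

Download the installer package

Harbor package download page on GitHub

Download the version you need and transfer it to the host with Xftp.

Set up the environment

Environment setup documentation

Requirements: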

Software         Version                         Description
Docker engine    Version 17.06.0-ce+ or higher   For installation instructions, see Docker Engine documentation
Docker Compose   Version 1.18.0 or higher        For installation instructions, see Docker Compose documentation
Openssl          Latest is preferred             Used to generate certificate and keys for Harbor

  1. Install Docker Engine

For details, see: Basic Docker usage

  2. Install Docker Compose

Docker Compose installation documentation

Follow the documentation to install and configure it:

//Download
[root@localhost ~]# curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   633  100   633    0     0     29      0  0:00:21  0:00:21 --:--:--   173

//Check the downloaded file
[root@localhost ~]# ls /usr/local/bin/
docker-compose

//Make it executable
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose

//Symlink it into /usr/bin/
[root@localhost ~]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
[root@localhost ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

//Check the command path; it is ready to use
[root@localhost ~]# which docker-compose
/usr/local/bin/docker-compose
  3. Install openssl
//Already installed automatically together with docker
[root@localhost ~]# rpm -qa|grep openssl
xmlsec1-openssl-1.2.25-4.el8.x86_64
openssl-1.1.1c-15.el8.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
openssl-libs-1.1.1c-15.el8.x86_64

Start the deployment

  1. Extract the Harbor installer package
[root@localhost ~]# tar xf harbor-offline-installer-v2.2.0.tgz -C /usr/local/
[root@localhost ~]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src

  2. Edit the harbor.yml file
//Copy the template to a new yml file
[root@localhost harbor]# ls
common.sh  harbor.v2.2.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# ls
common.sh             harbor.yml       install.sh  prepare
harbor.v2.2.0.tar.gz  harbor.yml.tmpl  LICENSE

//Edit the yml file
[root@localhost harbor]# vim harbor.yml

#Change this to the current host's IP
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.110.20

#Comment out the https section
# https related config
# https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
  
#The password can be changed; the default password is used here
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

#Default data volume location
# The default data volume
data_volume: /data

#Logging
# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor
  3. Run the ./install.sh script
[root@localhost harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.4

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.28.5

[Step 2]: loading Harbor images ...
07ed3fe22282: Loading layer  34.51MB/34.51MB
632651017131: Loading layer  8.071MB/8.071MB
cff019bd8e54: Loading layer  3.584kB/3.584kB
db8113c9a129: Loading layer   2.56kB/2.56kB

Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating registry      ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

//Check the listening ports
[root@localhost harbor]# ss -antl
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
LISTEN    0          128                127.0.0.1:1514              0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
LISTEN    0          128                     [::]:22                   [::]:*  

//List the running containers
[root@localhost harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED              STATUS                        PORTS                       NAMES
9dae957ece18   goharbor/harbor-jobservice:v2.2.0    "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                               harbor-jobservice
d77b0d1b0587   goharbor/nginx-photon:v2.2.0         "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:80->8080/tcp        nginx
f0a645068b70   goharbor/harbor-core:v2.2.0          "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                               harbor-core
565abbba323e   goharbor/harbor-portal:v2.2.0        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)                               harbor-portal
99bafb875561   goharbor/redis-photon:v2.2.0         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)                               redis
10efa0d1a3b8   goharbor/registry-photon:v2.2.0      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)                               registry
3fb33e3ed6a5   goharbor/harbor-registryctl:v2.2.0   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                               registryctl
f6f7abf741f0   goharbor/harbor-db:v2.2.0            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)                               harbor-db
bad95cfee8df   goharbor/harbor-log:v2.2.0           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

The ports are listening, so the deployment succeeded.
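
The harbor.yml edited above leaves the https block commented out and keeps the template admin password. The following check for exactly those settings is an added example, not part of the original walkthrough or of Harbor itself; the function names and the values in the hardened sample (host name, certificate paths, password placeholder) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Harbor's own tooling): flag the weak harbor.yml settings
# used in this walkthrough. All function names here are hypothetical.

# Value of an active (uncommented) top-level "key: value" line.
yml_top_value() {   # $1=file  $2=key
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed 's/[[:space:]]\{1,\}#.*$//; s/[[:space:]]*$//'
}

# Value of an active key nested under an active top-level "https:" block.
yml_https_value() { # $1=file  $2=key
  awk -v key="$2" '
    /^https:/   { inblock = 1; next }
    /^[^ \t#]/  { inblock = 0 }   # the next top-level key closes the block
    inblock && $1 == (key ":") { print $2; exit }
  ' "$1"
}

# Print one FAIL line per finding; exit status 1 if anything was found.
audit_harbor_yml() { # $1=path to harbor.yml
  local f="$1" rc=0 host pw cert key
  host=$(yml_top_value "$f" hostname)
  pw=$(yml_top_value "$f" harbor_admin_password)
  cert=$(yml_https_value "$f" certificate)
  key=$(yml_https_value "$f" private_key)
  case "$host" in
    ""|localhost|127.0.0.1) echo "FAIL hostname: unset or loopback"; rc=1 ;;
  esac
  if [ "$pw" = "Harbor12345" ]; then
    echo "FAIL harbor_admin_password: still the template default"; rc=1
  fi
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "FAIL https: block disabled, UI and registry are served over plain HTTP"; rc=1
  elif [ "$cert" = "/your/certificate/path" ] || [ "$key" = "/your/private/key/path" ]; then
    echo "FAIL https: certificate/private_key still hold template placeholders"; rc=1
  fi
  return "$rc"
}

# Constructed sample: the settings chosen in the walkthrough above.
weak_sample() { printf '%s\n' 'hostname: 192.168.110.20' '# https:' \
  '  # port: 443' '  # certificate: /your/certificate/path' \
  '  # private_key: /your/private/key/path' \
  'harbor_admin_password: Harbor12345' 'data_volume: /data'; }

# Constructed sample: https enabled; host name, paths and password are placeholders.
hardened_sample() { printf '%s\n' 'hostname: harbor.example.internal' 'https:' \
  '  port: 443' '  certificate: /etc/harbor/tls/server.crt' \
  '  private_key: /etc/harbor/tls/server.key' \
  'harbor_admin_password: EXAMPLE-replace-with-long-random-value' 'data_volume: /data'; }

# With a path argument, audit that file.
if [ "${1:-}" != "" ]; then audit_harbor_yml "$1"; fi
```

Saved under any name, the script takes the path to harbor.yml as its only argument and exits non-zero when it prints a finding.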

Start Harbor automatically at boot

//Write a startup script
[root@localhost harbor]# vim startall.sh
#!/bin/bash

cd /usr/local/harbor
docker-compose stop && docker-compose start

//Make the startup script executable
[root@localhost harbor]# chmod +x startall.sh 
[root@localhost harbor]# ll startall.sh
-rwxr-xr-x. 1 root root        78 Mar  9 18:13 startall.sh

//Add the startup script to the file that runs last during system boot
#Make rc.local executable
[root@localhost harbor]# ll /etc/rc.d/rc.local 
-rw-r--r--. 1 root root 474 Mar 24  2020 /etc/rc.d/rc.local
[root@localhost harbor]# chmod +x /etc/rc.d/rc.local 
[root@localhost harbor]# ll /etc/rc.d/rc.local 
-rwxr-xr-x. 1 root root 474 Mar 24  2020 /etc/rc.d/rc.local

#Edit rc.local so that it runs the startup script
[root@localhost harbor]# vim /etc/rc.d/rc.local 
#!/bin/bash
/bin/bash /usr/local/harbor/startall.sh

//Verify
[root@localhost harbor]# reboot

//Check the listening ports
[root@localhost ~]# ss -antl
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          128                127.0.0.1:1514              0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
LISTEN    0          128                     [::]:22                   [::]:*  

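Using the web UI

Open the site

Enter the host's IP address in the browser

Log in with the credentials (username: admin, password: Harbor12345)

Create a user

Click System Administration ---> User Management ---> Create User

Fill in the user details and click OK

The user is created

Create a project

Click Projects ---> New Project

Fill in the details and click OK

The project is created; click the new project to open it

Click Push Command to see the command help

View the command help

Push an image

For how to build images, see:

Docker image management basics

//List the images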
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB
goharbor/trivy-adapter-photon   v2.2.0    658abcdfe7e3   2 weeks ago   120MB
goharbor/notary-server-photon   v2.2.0    5117cee34e76   2 weeks ago   101MB
goharbor/notary-signer-photon   v2.2.0    5d8879c476a8   2 weeks ago   98.4MB
goharbor/harbor-registryctl     v2.2.0    6833a758fcfb   2 weeks ago   128MB
goharbor/registry-photon        v2.2.0    c5797c8f62f1   2 weeks ago   77.2MB
goharbor/nginx-photon           v2.2.0    39fcd9da1a47   2 weeks ago   40.2MB
goharbor/harbor-log             v2.2.0    27a38464bdcd   2 weeks ago   108MB
goharbor/harbor-jobservice      v2.2.0    62b4ae79b159   2 weeks ago   163MB
goharbor/harbor-core            v2.2.0    049ef19b7080   2 weeks ago   148MB
goharbor/harbor-portal          v2.2.0    d9eff87cd8b5   2 weeks ago   51MB
goharbor/harbor-db              v2.2.0    2f84c1cc9b71   2 weeks ago   174MB
goharbor/prepare                v2.2.0    c632fc058adf   2 weeks ago   165MB
goharbor/harbor-exporter        v2.2.0    700422c549b0   2 weeks ago   76.1MB
busybox                         latest    b97242f89c8a   7 weeks ago   1.23MB
httpd                           latest    683a7aad17d3   8 weeks ago   138MB

Log in with docker login followed by the host's IP address

//Edit the daemon.json file
#Add this host's IP
[root@localhost ~]# vim /etc/docker/daemon.json 

{
  "insecure-registries":["192.168.110.20"]
}

//Reload the configuration and restart the service
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker

//Log in using the IP address
#username: admin (default)
#password: Harbor12345 (default)
[root@localhost ~]# docker login 192.168.110.20
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Retag the image and push it

//Using the leidazhuang/web:v0.3 image as an example
[root@localhost ~]# docker tag leidazhuang/web:v0.3 192.168.110.20/ldaz/web:v0.1
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
192.168.110.20/ldaz/web         v0.1      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB
goharbor/trivy-adapter-photon   v2.2.0    658abcdfe7e3   2 weeks ago   120MB
goharbor/notary-server-photon   v2.2.0    5117cee34e76   2 weeks ago   101MB
goharbor/notary-signer-photon   v2.2.0    5d8879c476a8   2 weeks ago   98.4MB
goharbor/harbor-registryctl     v2.2.0    6833a758fcfb   2 weeks ago   128MB
goharbor/registry-photon        v2.2.0    c5797c8f62f1   2 weeks ago   77.2MB
goharbor/nginx-photon           v2.2.0    39fcd9da1a47   2 weeks ago   40.2MB
goharbor/harbor-log             v2.2.0    27a38464bdcd   2 weeks ago   108MB
goharbor/harbor-jobservice      v2.2.0    62b4ae79b159   2 weeks ago   163MB
goharbor/harbor-core            v2.2.0    049ef19b7080   2 weeks ago   148MB
goharbor/harbor-portal          v2.2.0    d9eff87cd8b5   2 weeks ago   51MB
goharbor/harbor-db              v2.2.0    2f84c1cc9b71   2 weeks ago   174MB
goharbor/prepare                v2.2.0    c632fc058adf   2 weeks ago   165MB
goharbor/harbor-exporter        v2.2.0    700422c549b0   2 weeks ago   76.1MB
busybox                         latest    b97242f89c8a   7 weeks ago   1.23MB
httpd                           latest    683a7aad17d3   8 weeks ago   138MB

//Push
[root@localhost ~]# docker push 192.168.110.20/ldaz/web:v0.1
The push refers to repository [192.168.110.20/ldaz/web]
3793c5ba5e71: Pushed 
0064d0478d00: Pushed 
v0.1: digest: sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd size: 734

Check the image; it was created successfully

Pull an image

//Remove the 192.168.110.20/ldaz/web:v0.1 image
[root@localhost ~]# docker rmi 192.168.110.20/ldaz/web:v0.1
Untagged: 192.168.110.20/ldaz/web:v0.1
Untagged: 192.168.110.20/ldaz/web@sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB

//Pull the image
[root@localhost ~]# docker pull 192.168.110.20/ldaz/web:v0.1
v0.1: Pulling from ldaz/web
Digest: sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd
Status: Downloaded newer image for 192.168.110.20/ldaz/web:v0.1
192.168.110.20/ldaz/web:v0.1

//The image was pulled successfully
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
192.168.110.20/ldaz/web         v0.1      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB
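
The push and pull transcripts above both report the same sha256 digest for the image. The following added example (not from the original page; the function names are hypothetical) extracts the digest printed by docker push, builds a digest-pinned reference from it, and checks that a pull reports the same digest. The two sample lines are copied from the transcripts above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pin an image by the digest that
# `docker push` reported and check that a later pull returned the same content.
# Function names are hypothetical; the sample lines come from the transcripts above.

PUSH_LINE='v0.1: digest: sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd size: 734'
PULL_LINE='Digest: sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd'

# Read docker push/pull output on stdin, print the first sha256 digest it reports.
extract_digest() {
  grep -Eio 'digest: sha256:[0-9a-f]{64}' | head -n 1 | sed 's/^[^ ]* //'
}

# Build repo@digest from a reference; reject anything but a full sha256 digest.
pin_reference() {   # $1=reference (tag optional)  $2=digest
  printf '%s\n' "$2" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  local repo="$1"
  case "${1##*/}" in            # only the last path component can carry a tag;
    *:*) repo="${1%:*}" ;;      # a colon earlier on is the registry port
  esac
  printf '%s@%s\n' "$repo" "$2"
}

# Succeed only if the pull output reports the digest recorded at push time.
pull_matches() {    # $1=expected digest  $2=docker pull output
  [ "$(printf '%s\n' "$2" | extract_digest)" = "$1" ]
}

# Pinned reference for the image pushed in the walkthrough.
demo() {
  local d
  d=$(printf '%s\n' "$PUSH_LINE" | extract_digest)
  pin_reference '192.168.110.20/ldaz/web:v0.1' "$d"
}
```

The resulting reference can be passed to docker pull in place of the tagged name, and Docker then checks the pulled content against that digest.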

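Notes on using Harbor:

  1. When pushing images from a client, remember to run docker login to authenticate first; otherwise the push will not go through
  2. If the client does not use https, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json configuration file
  3. The data path in the configuration file should point to shared storage with ample capacity
  4. Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop. For other options, see --help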
[root@localhost ~]# docker-compose --help
Define and run multi-container applications with Docker.

Usage:
  docker-compose [-f <arg>...] [--profile <name>...] [options] [--] [COMMAND] [ARGS...]
  docker-compose -h|--help

Options:
  -f, --file FILE             Specify an alternate compose file
                              (default: docker-compose.yml)
  -p, --project-name NAME     Specify an alternate project name
                              (default: directory name)
  --profile NAME              Specify a profile to enable
  -c, --context NAME          Specify a context name
  --verbose                   Show more output
  --log-level LEVEL           Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
  --ansi (never|always|auto)  Control when to print ANSI control characters
  --no-ansi                   Do not print ANSI control characters (DEPRECATED)
  -v, --version               Print version and exit
  -H, --host HOST             Daemon socket to connect to

  --tls                       Use TLS; implied by --tlsverify
  --tlscacert CA_PATH         Trust certs signed only by this CA
  --tlscert CLIENT_CERT_PATH  Path to TLS certificate file
  --tlskey TLS_KEY_PATH       Path to TLS key file
  --tlsverify                 Use TLS and verify the remote
  --skip-hostname-check       Don't check the daemon's hostname against the
                              name specified in the client certificate
  --project-directory PATH    Specify an alternate working directory
                              (default: the path of the Compose file)
  --compatibility             If set, Compose will attempt to convert keys
                              in v3 files to their non-Swarm equivalent (DEPRECATED)
  --env-file PATH             Specify an alternate environment file

Commands:
  build              Build or rebuild services
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove resources
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show version information and quit

