Install Docker
Use the following script to install Docker in one step:
[root@harbor ~]# cat dockerInstall.sh
#!/bin/bash
Version="20.10.4-3.el7"
# Download the Docker yum repository definition
wget -P /etc/yum.repos.d/ https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Install Docker
yum -y install docker-ce-"$Version" || echo -e '\033[1;31m安裝失敗,請檢查網絡和yum源配置!\033[0m'
# Use a registry mirror inside China to speed up pulls
# Alibaba Cloud (requires logging in to an account to get an assigned address)
# NetEase Cloud https://vgunv6qp.mirror.aliyuncs.com
# Tencent Cloud https://mirror.ccs.tencentyun.com
# USTC https://docker.mirrors.ustc.edu.cn
# Docker China https://registry.docker-cn.com
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": [
"https://mirror.ccs.tencentyun.com",
"https://docker.mirrors.ustc.edu.cn",
"https://registry.docker-cn.com"
]
}
EOF
# Reload the unit files, then enable and start Docker
systemctl daemon-reload
systemctl enable --now docker
docker version && echo -e "\033[1;32m${Version}安裝成功!\033[0m" || echo -e '\033[1;31m安裝失敗!\033[0m'
Install Docker Compose
After downloading Docker Compose, just move it to /usr/bin and make it executable.
[root@harbor ~]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
[root@harbor ~]# chmod +x /usr/bin/docker-compose
[root@harbor ~]# ll /usr/bin/docker-compose
-rwxr-xr-x 1 root root 12211728 Mar 2 17:30 /usr/bin/docker-compose
[root@harbor ~]# docker-compose -v
docker-compose version 1.28.5, build c4eb3a1f
Deploy Harbor
Installation
The latest 2.2 release is used as the example here:
# Extract
[root@harbor ~]# tar xvf harbor-offline-installer-v2.2.0.tgz -C /usr/local
[root@harbor ~]# cd /usr/local/harbor
# Copy the config template and edit it: here the server hostname and the admin login password are changed,
# and the https section is commented out. To keep things simple we skip HTTPS for now;
# an HTTPS-enabled Harbor is configured separately later on.
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml
hostname: harbor.wuvikr.top
harbor_admin_password: 12345678
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# harbor.wuvikr.top is used as the Harbor server's domain name.
# Since this is for local use, we add it to the hosts file ourselves.
# For convenient access later, also add it to the hosts file on the local machine.
[root@harbor certs.d]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.59 harbor.wuvikr.top
# Run the install script
# It checks that the Docker and Docker Compose versions meet the requirements,
# then pulls the images and starts the services
# install.sh automatically loads the settings from harbor.yml
[root@harbor harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.4
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.28.5
[Step 2]: loading Harbor images ...
...
[Step 3]: preparing environment ...
...
[Step 4]: preparing harbor configs ...
...
[Step 5]: starting Harbor ...
...
# Note:
# If harbor.yml is changed later, stop the Harbor service first,
# then run the prepare script to reload the configuration.
# You can see that many images were pulled
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/chartmuseum-photon v2.2.0 7d2b0430a45d 7 days ago 165MB
goharbor/redis-photon v2.2.0 dab1804560b2 7 days ago 68.9MB
goharbor/trivy-adapter-photon v2.2.0 658abcdfe7e3 7 days ago 120MB
goharbor/notary-server-photon v2.2.0 5117cee34e76 7 days ago 101MB
goharbor/notary-signer-photon v2.2.0 5d8879c476a8 7 days ago 98.4MB
goharbor/harbor-registryctl v2.2.0 6833a758fcfb 7 days ago 128MB
goharbor/registry-photon v2.2.0 c5797c8f62f1 7 days ago 77.2MB
goharbor/nginx-photon v2.2.0 39fcd9da1a47 7 days ago 40.2MB
goharbor/harbor-log v2.2.0 27a38464bdcd 7 days ago 108MB
goharbor/harbor-jobservice v2.2.0 62b4ae79b159 7 days ago 163MB
goharbor/harbor-core v2.2.0 049ef19b7080 7 days ago 148MB
goharbor/harbor-portal v2.2.0 d9eff87cd8b5 7 days ago 51MB
goharbor/harbor-db v2.2.0 2f84c1cc9b71 7 days ago 174MB
goharbor/prepare v2.2.0 c632fc058adf 7 days ago 165MB
goharbor/harbor-exporter v2.2.0 700422c549b0 7 days ago 76.1MB
# Here we shut Harbor down first and switch to starting it as a service, which is easier to manage later
# This must be run from the Harbor install directory; otherwise use -f to point at the docker-compose.yml file
[root@harbor harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing registryctl ... done
Removing redis ... done
Removing registry ... done
Removing harbor-portal ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
# Write the service unit file
[root@harbor harbor]# cat > /lib/systemd/system/harbor.service <<EOF
[Unit]
Description=Docker Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
ExecStart=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml down
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
# Start Harbor with systemctl instead
[root@harbor harbor]# systemctl enable --now harbor.service
# Check whether all the containers really came up
[root@harbor harbor]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------
harbor-core /harbor/entrypoint.sh Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy)
harbor-jobservice /harbor/entrypoint.sh Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp
redis redis-server /etc/redis.conf Up (healthy)
registry /home/harbor/entrypoint.sh Up (healthy)
registryctl /home/harbor/start.sh Up (healthy)
Logging in to the web UI
Enter harbor.wuvikr.top in the browser to reach the Harbor web login page.
The default administrator account is admin, and the password is the 12345678 we set ourselves.
Using Harbor
Logging in to the Harbor registry with Docker
By default Docker does not allow HTTP connections, so a plain login fails with the following error:
[root@harbor harbor]#docker login harbor.wuvikr.top
Username: admin
Password:
Error response from daemon: Get https://192.168.0.59/v2/: dial tcp 192.168.0.59:443: connect: connection refused
Docker needs to be configured to allow the HTTP connection.
Method 1: edit the docker.service file directly
# Append --insecure-registry to ExecStart to name the insecure registry address
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.0.59
Method 2 (recommended): edit the /etc/docker/daemon.json file
[root@harbor harbor]#cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://mirror.ccs.tencentyun.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://registry.docker-cn.com"
  ],
  "insecure-registries": [
    "192.168.0.59"
  ]
}
After editing, reload the configuration and restart the Docker service:
[root@harbor harbor]#systemctl daemon-reload
[root@harbor harbor]#systemctl restart docker.service
Log in to Harbor again:
[root@harbor harbor]#docker login harbor.wuvikr.top
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pushing an image to the Harbor registry
Images pushed to Harbor must be named in the following format:
Harbor hostname/project name/image name:tag
So first create a project in the Harbor web UI:
Click New Project and fill in the project details.
Once the project exists, the image can be pushed:
# Tag the image to be pushed
[root@harbor harbor]#docker tag alpine:latest 192.168.0.59/alpine/alpine:latest
# Push the image
[root@harbor harbor]#docker push 192.168.0.59/alpine/alpine:latest
The push refers to repository [192.168.0.59/alpine/alpine]
c04d1437198b: Pushed
latest: digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515 size: 528
Open the web UI and click the alpine project just created; the image just pushed is listed there:
Pulling the pushed image
Switch to another machine and pull the image we just pushed.
Pulling does not require logging in, but the configuration must still be changed: the Harbor server address has to be added to the insecure-registries list. The method is the same as above, just edit daemon.json.
# Pull the image
[root@centos7 ~]# docker pull 192.168.0.59/alpine/alpine:latest
latest: Pulling from alpine/alpine
Digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515
Status: Downloaded newer image for 192.168.0.59/alpine/alpine:latest
# Inspect the image
[root@centos7 ~]# docker images 192.168.0.59/alpine/alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.0.59/alpine/alpine latest 7731472c3f2a 6 weeks ago 5.61MB
Configuring HTTPS for Harbor
Creating the certificates
The openssl command-line tool is used here to generate a self-signed certificate for the demo; in production, or wherever security requirements are high, buy a certificate from a CA instead.
# Create the directory
[root@harbor ~]# mkdir /usr/local/harbor/certs
[root@harbor ~]# cd /usr/local/harbor/certs
# Generate the CA certificate
[root@harbor certs]# openssl req -newkey rsa:2048 -nodes -x509 -subj "/C=CN/ST=Shanghai/L=Shanghai/O=wuvikr/OU=IT/CN=ca.wuvikr.top/emailAddress=ca.wuvikr.top" -set_serial 01 -keyout ca.key -days 3650 -out ca.crt
# Generate the certificate request for Harbor
[root@harbor certs]# openssl req -newkey rsa:2048 -nodes -subj "/C=CN/ST=Shanghai/L=Shanghai/O=wuvikr/OU=devops/CN=harbor.wuvikr.top" -set_serial 02 -keyout harbor.key -out harbor.csr
# Issue the Harbor certificate
[root@harbor certs]# openssl x509 -req -in harbor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.crt
# List the certificates
[root@harbor certs]# ls
ca.crt ca.key ca.srl harbor.crt harbor.csr harbor.key
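The openssl x509 -req call above issues the Harbor certificate with no subjectAltName and no -days, so it carries only a CN and is valid for OpenSSL's default of 30 days; the missing SAN is what later produces "doesn't contain any IP SANs" when a client reaches the registry by IP. As an added example (not the page's own commands; the directory, hostname and IP are assumptions), the script below issues a CA and a Harbor certificate whose SAN lists both the DNS name and the IP with an explicit lifetime, then checks that the result chains to the CA and covers a given name, which is also the name the client's /etc/docker/certs.d/<name>/ directory must use.

```shell
#!/bin/sh
# Added example, not part of the page: self-signed CA plus a Harbor server
# certificate with SAN entries for DNS name and IP. All names are assumptions.
set -eu

make_harbor_certs() {
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir"
    # CA: 10-year self-signed root (req -x509 marks it CA:TRUE via the default config)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/O=wuvikr/CN=ca.wuvikr.top" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server CSR for the Harbor hostname
    openssl req -newkey rsa:2048 -nodes -subj "/C=CN/O=wuvikr/CN=$host" \
        -keyout "$dir/harbor.key" -out "$dir/harbor.csr" 2>/dev/null
    # Extensions applied at signing time: SAN with DNS name and IP, server usage only
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" "$ip" > "$dir/harbor.ext"
    # Explicit lifetime; without -days the leaf would expire after 30 days
    openssl x509 -req -days 825 -in "$dir/harbor.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/harbor.ext" -out "$dir/harbor.crt" 2>/dev/null
    # Private keys must not be world-readable
    chmod 600 "$dir"/*.key
}

# Returns 0 when harbor.crt chains to ca.crt and its SAN lists the given name,
# i.e. a client trusting certs.d/<name>/ca.crt will accept the server certificate
cert_matches_name() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/harbor.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/harbor.crt" -noout -text \
        | grep -E "(DNS:|IP Address:)$name(,|\$)" >/dev/null
}
```

Copy harbor.crt and harbor.key to the paths named in harbor.yml, and ca.crt (not harbor.crt) to /etc/docker/certs.d/harbor.wuvikr.top/ on each client.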
Editing harbor.yml
Uncomment the https section we commented out earlier and set the paths to the crt and key:
[root@harbor harbor]# vim harbor.yml
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /root/harbor/certs/Harbor.crt
private_key: /root/harbor/certs/Harbor.key
Stop the Harbor service and reload the configuration:
# Stop the service
[root@harbor harbor]#systemctl stop harbor.service
# Reload the configuration from harbor.yml with the prepare script
[root@harbor harbor]#./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
# After a short wait Harbor starts up again by itself
# Check again; nginx now also exposes port 443
[root@harbor harbor]#docker-compose ps
Name                Command                          State                  Ports
----------------------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up (health: starting)
harbor-db           /docker-entrypoint.sh            Up (health: starting)
harbor-jobservice   /harbor/entrypoint.sh            Up (health: starting)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (health: starting)  127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (health: starting)
nginx               nginx -g daemon off;             Up (health: starting)  0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               redis-server /etc/redis.conf     Up (health: starting)
registry            /home/harbor/entrypoint.sh       Up (health: starting)
registryctl         /home/harbor/start.sh            Up (health: starting)
Now, entering Harbor's IP address in the browser redirects automatically to the HTTPS connection.
Because a self-signed certificate is used, it is not trusted. In the screenshot below I am using Firefox, where you can choose Advanced, accept the risk and continue to log in; other browsers work similarly.
Using Harbor over HTTPS
With an HTTPS certificate in place, running docker login directly on a fresh client machine gives the following error:
[root@harbor ~]# docker login harbor.wuvikr.top
Username: admin
Password:
Error response from daemon: Get https://192.168.0.59/v2/: x509: cannot validate certificate for 192.168.0.59 because it doesn't contain any IP SANs
The client needs to download the CA certificate and place it in a certs.d/harbor.wuvikr.top directory created under /etc/docker/. Note that this directory name must match the name in the certificate; I created the certificate with CN=harbor.wuvikr.top, so that is the directory name.
[root@harbor ~]# mkdir -pv /etc/docker/certs.d/harbor.wuvikr.top
[root@harbor ~]# mv ca.crt /etc/docker/certs.d/harbor.wuvikr.top/
# Directory layout
[root@harbor ~]#tree /etc/docker/certs.d/
/etc/docker/certs.d/
└── harbor.wuvikr.top
└── ca.crt
1 directory, 1 file
Logging in again now works:
[root@harbor ~]#docker login harbor.wuvikr.top
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Harbor high availability
Install Harbor on a second machine using the same method described above, preferably with the same version.
After installation, log in to the admin UI and go to Administration -> Registries -> New Endpoint to set up the registry to replicate from.
Fields marked with * are required. The endpoint name can be anything; what matters is that the endpoint URL and the account credentials are correct. Since I have not enabled HTTP here, I uncheck Verify Remote Cert. Once set, click Test Connection, and if it passes, click OK.
Next go to Administration -> Replications -> New Replication Rule to set up the replication rule.
Choose Pull as the replication mode. For the trigger mode I chose Scheduled, which takes a crontab-style schedule below, except that it can be set down to the second. Manual triggering is also possible. Once saved, the rule is ready to use.
This is only one-way replication from the second machine to the first; for a backup alone that is enough. For a high-availability setup where a VIP schedules requests to either machine at random, repeat the steps above on the first machine as well to get bidirectional replication.