Harbor倉庫搭建及使用

一、Harbor介紹
Docker容器應用的開發和運行離不開可靠的鏡像管理，雖然Docker官方也提供了公共的鏡像倉庫，但是從安全和效率等方面考慮，部署私有環境內的Registry也是非常必要的。Harbor是由VMware公司開源的企業級的Docker Registry管理項目，它包括權限管理(RBAC)、LDAP、日志審核、管理界面、自我注冊、鏡像復制和中文支持等功能

二、環境准備
Harbor的所有服務組件都是在Docker中部署的，所以官方安裝使用Docker-compose快速部署，所以需要安裝Docker、Docker-compose。由於Harbor是基於Docker Registry V2版本，所以就要求Docker版本不小於1.10.0，Docker-compose版本不小於1.6.0

1）、安裝並啟動Docker

安裝所需的包。yum-utils提供了yum-config-manager 效用，並device-mapper-persistent-data和lvm2由需要 devicemapper存儲驅動程序

[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2

設置穩定存儲庫

[root@localhost ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

安裝Docker CE

[root@localhost ~]# yum install -y docker-ce docker-ce-cli containerd.io

[root@localhost ~]# systemctl start docker

2）、安裝Docker-compose

下載指定版本的docker-compose

[root@localhost ~]# curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
對二進制文件賦可執行權限

[root@localhost ~]# chmod +x /usr/local/bin/docker-compose

測試下docker-compose是否安裝成功

[root@localhost ~]# docker-compose --version 

docker-compose version 1.13.0, build 1719ceb

三、Harbor服務搭建及啟動

 

1）、下載Harbor安裝文件

從GitHub上https://github.com/goharbor/harbor/releases下載指定版本的安裝包

[root@localhost ~]# mkdir -p /harbor
[root@localhost ~]# cd /harbor/
[root@localhost harbor]# yum -y install wget
[root@localhost harbor]# wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-online-installer-v1.1.2.tgz
[root@localhost harbor]# ls
harbor-online-installer-v1.1.2.tgz
[root@localhost harbor]# tar -zxf harbor-online-installer-v1.1.2.tgz
2）、配置Harbor

[root@localhost harbor]# ls
harbor harbor-online-installer-v1.1.2.tgz
[root@localhost harbor]# cd harbor
[root@localhost harbor]# ls
common docker-compose.notary.yml docker-compose.yml harbor_1_1_0_template harbor.cfg install.sh LICENSE NOTICE prepare upgrade
[root@localhost harbor]# vi harbor.cfg
配置文件harbor.cfg詳解：

# hostname設置訪問地址，可以使用ip、域名，不可以設置為127.0.0.1或localhost
hostname = 192.168.126.162

# 訪問協議，默認是http，也可以設置https，如果設置https，則nginx ssl需要設置on
ui_url_protocol = http

# mysql數據庫root用戶默認密碼root123，實際使用時修改下
db_password = 123456

max_job_workers = 3

customize_crt = on

ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

secretkey_path = /data

admiral_url = NA
# 郵件設置，發送重置密碼郵件時使用
email_identity =

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

# 啟動Harbor后，管理員UI登錄的密碼，默認是Harbor12345
harbor_admin_password = 123456

# 認證方式，這里支持多種認證方式，如LADP、本次存儲、數據庫認證。默認是db_auth，mysql數據庫認證
auth_mode = db_auth

# LDAP認證時配置項
ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
ldap_uid = uid
ldap_scope = 3
ldap_timeout = 5

# 是否開啟自注冊
self_registration = on

# token有效時間，默認30分鍾
token_expiration = 30

# 用戶創建項目權限控制，默認是everyone（所有人），也可以設置為adminonly（只能管理員）
project_creation_restriction = everyone

verify_remote_cert = on

3）、啟動Harbor

修改完配置文件后，在的當前目錄執行./install.sh，Harbor服務就會根據當期目錄下的docker-compose.yml開始下載依賴的鏡像，檢測並按照順序依次啟動各個服務

[root@localhost harbor]# ./install.sh

Harbor依賴的鏡像及啟動服務如下：

[root@localhost harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/harbor_adminserver Up
harbor-db docker-entrypoint.sh mysqld Up 3306/tcp
harbor-jobservice /harbor/harbor_jobservice Up
harbor-log /bin/sh -c crond && rm -f ... Up 127.0.0.1:1514->514/tcp
harbor-ui /harbor/harbor_ui Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp

啟動完成后，訪問剛設置的hostname即可，默認是80端口，如果端口占用，可以去修改docker-compose.yml文件中，對應服務的端口映射

四、Harbor倉庫使用

1）、登錄Web Harbor

 

 使用admin用戶登錄，密碼為harbor.cfg配置的密碼

 

 

2）、上傳鏡像到Harbor倉庫

我們新建一個名稱為harbor的項目，設置不公開。當項目設為公開后，任何人都有此項目下鏡像的讀權限。命令行用戶不需要docker login就可以拉取此項目下的鏡像。

 

 

新建項目后，使用admin用戶提交本地nginx鏡像到Harbor倉庫

1）admin登錄

使用docker login出現如下問題：

[root@localhost ~]# docker login 192.168.126.162
Username: admin
Password:
Error response from daemon: Get https://192.168.126.162/v2/: read tcp 192.168.126.162:49654->192.168.126.162:443: read: connection reset by
peer
解決方法：

查找docker.service所在的位置

[root@localhost ~]# find / -name docker.service -type f

/usr/lib/systemd/system/docker.service

修改配置文件，ExecStart之后添加--insecure-registry=http://192.168.126.162

重啟Docker服務

再次進行登錄

[root@localhost ~]# docker login 192.168.126.162
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
2）給鏡像打tag

[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-jobservice v1.1.2 4ef0a7a33734 24 months ago 163MB
vmware/harbor-ui v1.1.2 4ee8f190f366 24 months ago 183MB
vmware/harbor-adminserver v1.1.2 cdcf1bed7eb4 24 months ago 142MB
vmware/harbor-db v1.1.2 fcb8aa7a0640 24 months ago 329MB
vmware/registry 2.6.1-photon 0f6c96580032 2 years ago 150MB
vmware/nginx 1.11.5-patched 8ddadb143133 2 years ago 199MB
vmware/harbor-log v1.1.2 9c46a7b5e517 2 years ago 192MB
[root@localhost ~]# docker tag vmware/nginx:1.11.5-patched 192.168.126.162/harbor/nginx:latest
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-jobservice v1.1.2 4ef0a7a33734 24 months ago 163MB
vmware/harbor-ui v1.1.2 4ee8f190f366 24 months ago 183MB
vmware/harbor-adminserver v1.1.2 cdcf1bed7eb4 24 months ago 142MB
vmware/harbor-db v1.1.2 fcb8aa7a0640 24 months ago 329MB
vmware/registry 2.6.1-photon 0f6c96580032 2 years ago 150MB
192.168.126.162/harbor/nginx latest 8ddadb143133 2 years ago 199MB
vmware/nginx 1.11.5-patched 8ddadb143133 2 years ago 199MB
vmware/harbor-log v1.1.2 9c46a7b5e517 2 years ago 192MB

3）push到倉庫

[root@localhost ~]# docker push 192.168.126.162/harbor/nginx:latest
The push refers to repository [192.168.126.162/harbor/nginx]
3569f62067e2: Pushed
3f117c44afbb: Pushed
c4a8b7411af4: Pushed
fe4c16cbf7a4: Pushed
latest: digest: sha256:3dce35afeadd7195877b17bf1514b9e388ed671afe428441fe5e0b02cdc26eeb size: 1160

上傳成功后，登錄Web Harbor，選擇項目harbor，就可以查看剛剛上傳的nginx鏡像了

 

 

4）、創建用戶並分配權限

點擊系統管理下的用戶管理，點擊創建用戶，輸入相關信息

 

 

將剛剛創建的用戶添加到harbor項目成員中，點擊項目，選擇harbor項目，點擊成員，點擊添加成員，添加姓名選擇角色

 

 

 

 使用新建的用戶將剛剛上傳的nginx鏡像拉取下來

先將剛剛nginx鏡像刪除

[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-jobservice v1.1.2 4ef0a7a33734 24 months ago 163MB
vmware/harbor-ui v1.1.2 4ee8f190f366 24 months ago 183MB
vmware/harbor-adminserver v1.1.2 cdcf1bed7eb4 24 months ago 142MB
vmware/harbor-db v1.1.2 fcb8aa7a0640 24 months ago 329MB
vmware/registry 2.6.1-photon 0f6c96580032 2 years ago 150MB
192.168.126.162/harbor/nginx latest 8ddadb143133 2 years ago 199MB
vmware/nginx 1.11.5-patched 8ddadb143133 2 years ago 199MB
vmware/harbor-log v1.1.2 9c46a7b5e517 2 years ago 192MB
[root@localhost ~]# docker rmi 192.168.126.162/harbor/nginx:latest
Untagged: 192.168.126.162/harbor/nginx:latest
Untagged: 192.168.126.162/harbor/nginx@sha256:3dce35afeadd7195877b17bf1514b9e388ed671afe428441fe5e0b02cdc26eeb

退出admin帳號，使用剛剛創建的用戶登錄

[root@localhost ~]# docker logout 192.168.126.162
Removing login credentials for 192.168.126.162
[root@localhost ~]# docker login 192.168.126.162
Username: harbor
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

將harbor中的nginx鏡像拉取到本地

[root@localhost ~]# docker pull 192.168.126.162/harbor/nginx:latest
latest: Pulling from harbor/nginx
Digest: sha256:3dce35afeadd7195877b17bf1514b9e388ed671afe428441fe5e0b02cdc26eeb
Status: Downloaded newer image for 192.168.126.162/harbor/nginx:latest
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-jobservice v1.1.2 4ef0a7a33734 24 months ago 163MB
vmware/harbor-ui v1.1.2 4ee8f190f366 24 months ago 183MB
vmware/harbor-adminserver v1.1.2 cdcf1bed7eb4 24 months ago 142MB
vmware/harbor-db v1.1.2 fcb8aa7a0640 24 months ago 329MB
vmware/registry 2.6.1-photon 0f6c96580032 2 years ago 150MB
192.168.126.162/harbor/nginx latest 8ddadb143133 2 years ago 199MB
vmware/nginx 1.11.5-patched 8ddadb143133 2 years ago 199MB
vmware/harbor-log v1.1.2 9c46a7b5e517 2 years ago 192MB