Building an enterprise-grade Harbor registry
1. What is Harbor?
Harbor is an open-source registry developed by VMware's China team. Compared with the official Docker registry it offers much richer access control and a more complete architecture, and it is designed to provide registry services for large-scale Docker cluster deployments. It is popular in enterprises, it is free and open source, and it can integrate with LDAP for authentication and authorization.
Harbor has five main components:
- Proxy: a reverse proxy placed in front of Harbor's registry, UI and token services. It receives requests from browsers and Docker clients at a single entry point and forwards them to the appropriate backend service.
- Registry: stores Docker images and handles docker push/pull commands. Because we want access control, i.e. different users with different read/write permissions on images, the Registry points at a token service and requires every docker pull/push request to carry a valid token, which the Registry verifies with the token service's public key.
- Core services: the heart of Harbor, providing three services:
  - UI: a graphical interface for managing the images in the registry and for granting users permissions.
  - Webhook: to learn promptly about image status changes in the registry, a webhook is configured on the Registry that passes status changes to the UI module.
  - Token service: issues a token for each docker push/pull command according to the user's permissions. A Docker client request to the Registry that carries no token is redirected here; once the client has a token it retries the request against the Registry.
- Database: provides database storage for the core services: user permissions, audit logs, image project/group information and so on.
- Log collector: collects the logs of the other components so that Harbor's operation can be monitored and analysed later.
The architecture is shown in the figure:
2. Setting up Harbor
1. Installing Docker:
1) Install the Docker yum repository.
wget -O /etc/yum.repos.d/docker-ce.repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
2) Install the Docker community edition, i.e. docker-ce
yum install -y docker-ce
3) Configure Docker to accept a plain-HTTP registry
Create a file named daemon.json in the /etc/docker directory with the following content:
[root@chaofeng harbor]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["chaofeng.com"]
}
The first entry configures a mirror to speed up image downloads. The important part is the second entry, insecure-registries, which lets the Docker client talk to chaofeng.com over plain HTTP (or with a certificate it does not trust). Keep that list limited to your own registry hostname; serving Harbor over HTTPS with a valid certificate, as described later, removes the need for it altogether.
4) Start Docker and enable it at boot
systemctl start docker
systemctl enable docker
2. Installing docker-compose
There is a pitfall here: Harbor requires docker-compose version 1.6 or later. In addition, different sources display the docker-compose version differently. For a 1.6.0 release, for example, some write docker-compose 1.6.0 while others write docker-compose 1.16.0. With the latter style, in 2019 almost every docker-compose you come across is 1.23.0 or later. Do not read 1.23 as being smaller than 1.6 and conclude that your docker-compose is too old; that is not the case. It is only the notation that differs. Compared numerically, 1.6.0 < 1.23.0.
1) You can install it with yum in one step:
yum install -y docker-compose
2) Or you can install it as shown below:
curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
With this method you may also need to make the binary executable:
chmod +x /usr/local/bin/docker-compose
3) Finally, verify the installation:
[root@chaofeng src]# docker-compose -v
docker-compose version 1.23.2, build 1110ad01
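The version confusion described above comes from comparing version strings instead of numbers. The following POSIX shell check is an added example, not code from the original post: it parses the docker-compose -v output shown above and compares the version field by field against Harbor's 1.6.0 minimum. The version strings it is fed in the demo are taken from the post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check that the installed
# docker-compose meets Harbor's 1.6 minimum by comparing version numbers
# numerically, field by field, instead of as strings.

# version_ge HAVE WANT: succeed (exit 0) when HAVE >= WANT.
# ".0.0" is appended so that short versions such as "1.6" still have three
# fields, and "1.6" therefore compares equal to "1.6.0".
version_ge() {
    have="$1.0.0"; want="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# compose_version_from_output TEXT: extract "1.23.2" from a line such as
# "docker-compose version 1.23.2, build 1110ad01". Prints nothing if the
# text does not look like the classic docker-compose -v banner.
compose_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^docker-compose version \([0-9][0-9.]*\).*/\1/p'
}

# compose_ok TEXT: succeed when the version in TEXT is at least 1.6.0.
compose_ok() {
    v=$(compose_version_from_output "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" 1.6.0
}

# Run the real check only if docker-compose is installed on this machine;
# otherwise the functions above can still be exercised on sample strings.
if command -v docker-compose >/dev/null 2>&1; then
    out=$(docker-compose -v 2>&1)
    if compose_ok "$out"; then
        echo "docker-compose OK: $out"
    else
        echo "docker-compose too old or version not recognised: $out" >&2
    fi
fi
```

Source the file or paste the functions into a shell and call compose_ok "$(docker-compose -v)" before running install.sh; a non-zero exit means the version is below 1.6.0 or could not be parsed.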
3. Installing Harbor
1) Download Harbor
Download page: https://github.com/goharbor/harbor/releases?after=v1.5.4
Find this release:
The version I am downloading here is already fairly old; it dates from August 2018.
2) Extract the archive
tar -xf harbor.v1.5.2.tar.gz -C /usr/local
3) Edit the configuration file
# vim harbor.cfg
Change hostname to your domain name:
hostname = chaofeng.com
Everything else can stay at its defaults; if you want to change the admin password, change it here.
4) (Optional; use as needed.) You can also make the configuration more detailed, as shown below:
# HTTPS is recommended here; a free SSL certificate is easy to obtain from Alibaba Cloud. Without HTTPS every Docker client has to be reconfigured, which is fine for one or two Docker hosts but a real nuisance with many.
ui_url_protocol = https
customize_crt = off
ssl_cert = /data/harbor/ssl_cert/reg.xxxxx.com.crt
ssl_cert_key = /data/harbor/ssl_cert/reg.xxxxx.com.key
# Note: docker-compose must be installed, and nothing else on this host may listen on ports 80 and 443.
## Change every data directory to /data/harbor. By default all Harbor components store their data directly under /data, which is awkward to manage if other services on the host also keep data in /data.
docker-compose.yml
prepare
docker-compose.chartmuseum.yml
# Open each of the files above, search for the keyword "data", and replace every /data with /data/harbor.
5) Run the installer. Note: the install.sh script must be run from inside the harbor directory.
# bash install.sh
[Step 0]: checking installation environment ...
Note: docker version: 17.12.1
Note: docker-compose version: 1.18.0
[Step 1]: loading Harbor images ...
52ef9064d2e4: Loading layer [==================================================>] 135.9MB/135.9MB
4a6862dbadda: Loading layer [==================================================>] 23.25MB/23.25MB
58b7d0c522b2: Loading layer [==================================================>] 24.4MB/24.4MB
9cd4bb748634: Loading layer [==================================================>] 7.168kB/7.168kB
c81302a14908: Loading layer [==================================================>] 10.56MB/10.56MB
7848e9ba72a3: Loading layer [==================================================>] 24.39MB/24.39MB
Loaded image: vmware/harbor-ui:v1.5.1
f1691b5a5198: Loading layer [==================================================>] 73.15MB/73.15MB
a529013c99e4: Loading layer [==================================================>] 3.584kB/3.584kB
d9b4853cff8b: Loading layer [==================================================>] 3.072kB/3.072kB
3d305073979e: Loading layer [==================================================>] 4.096kB/4.096kB
c9e17074f54a: Loading layer [==================================================>] 3.584kB/3.584kB
956055840e30: Loading layer [==================================================>] 9.728kB/9.728kB
Loaded image: vmware/harbor-log:v1.5.1
185db06a02d0: Loading layer [==================================================>] 23.25MB/23.25MB
835213979c70: Loading layer [==================================================>] 20.9MB/20.9MB
f74eeb41c1c9: Loading layer [==================================================>] 20.9MB/20.9MB
Loaded image: vmware/harbor-jobservice:v1.5.1
9bd5c7468774: Loading layer [==================================================>] 23.25MB/23.25MB
5fa6889b9a6d: Loading layer [==================================================>] 2.56kB/2.56kB
bd3ac235b209: Loading layer [==================================================>] 2.56kB/2.56kB
cb5d493833cc: Loading layer [==================================================>] 2.048kB/2.048kB
557669a074de: Loading layer [==================================================>] 22.8MB/22.8MB
f02b4f30a9ac: Loading layer [==================================================>] 22.8MB/22.8MB
Loaded image: vmware/registry-photon:v2.6.2-v1.5.1
5d3b562db23e: Loading layer [==================================================>] 23.25MB/23.25MB
8edca1b0e3b0: Loading layer [==================================================>] 12.16MB/12.16MB
ce5f11ea46c0: Loading layer [==================================================>] 17.3MB/17.3MB
93750d7ec363: Loading layer [==================================================>] 15.87kB/15.87kB
36f81937e80d: Loading layer [==================================================>] 3.072kB/3.072kB
37e5df92b624: Loading layer [==================================================>] 29.46MB/29.46MB
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.1
0a2f8f90bd3a: Loading layer [==================================================>] 401.3MB/401.3MB
41fca4deb6bf: Loading layer [==================================================>] 9.216kB/9.216kB
f2e28262e760: Loading layer [==================================================>] 9.216kB/9.216kB
68677196e356: Loading layer [==================================================>] 7.68kB/7.68kB
2b006714574e: Loading layer [==================================================>] 1.536kB/1.536kB
Loaded image: vmware/mariadb-photon:v1.5.1
a8c4992c632e: Loading layer [==================================================>] 156.3MB/156.3MB
0f37bf842677: Loading layer [==================================================>] 10.75MB/10.75MB
9f34c0cd38bf: Loading layer [==================================================>] 2.048kB/2.048kB
91ca17ca7e16: Loading layer [==================================================>] 48.13kB/48.13kB
5a7e0da65127: Loading layer [==================================================>] 10.8MB/10.8MB
Loaded image: vmware/clair-photon:v2.0.1-v1.5.1
0e782fe069e7: Loading layer [==================================================>] 23.25MB/23.25MB
67fc1e2f7009: Loading layer [==================================================>] 15.36MB/15.36MB
8db2141aa82c: Loading layer [==================================================>] 15.36MB/15.36MB
Loaded image: vmware/harbor-adminserver:v1.5.1
3f87a34f553c: Loading layer [==================================================>] 4.772MB/4.772MB
Loaded image: vmware/nginx-photon:v1.5.1
Loaded image: vmware/photon:1.0
ad58f3ddcb1b: Loading layer [==================================================>] 10.95MB/10.95MB
9b50f12509bf: Loading layer [==================================================>] 17.3MB/17.3MB
2c21090fd212: Loading layer [==================================================>] 15.87kB/15.87kB
38bec864f23e: Loading layer [==================================================>] 3.072kB/3.072kB
6e81ea7b0fa6: Loading layer [==================================================>] 28.24MB/28.24MB
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.1
897a26fa09cb: Loading layer [==================================================>] 95.02MB/95.02MB
16e3a10a21ba: Loading layer [==================================================>] 6.656kB/6.656kB
85ecac164331: Loading layer [==================================================>] 2.048kB/2.048kB
37a2fb188706: Loading layer [==================================================>] 7.68kB/7.68kB
Loaded image: vmware/postgresql-photon:v1.5.1
bed9f52be1d1: Loading layer [==================================================>] 11.78kB/11.78kB
d731f2986f6e: Loading layer [==================================================>] 2.56kB/2.56kB
c3fde9a69f96: Loading layer [==================================================>] 3.072kB/3.072kB
Loaded image: vmware/harbor-db:v1.5.1
7844feb13ef3: Loading layer [==================================================>] 78.68MB/78.68MB
de0fd8aae388: Loading layer [==================================================>] 3.072kB/3.072kB
3f79efb720fd: Loading layer [==================================================>] 59.9kB/59.9kB
1c02f801c2e8: Loading layer [==================================================>] 61.95kB/61.95kB
Loaded image: vmware/redis-photon:v1.5.1
454c81edbd3b: Loading layer [==================================================>] 135.2MB/135.2MB
e99db1275091: Loading layer [==================================================>] 395.4MB/395.4MB
051e4ee23882: Loading layer [==================================================>] 9.216kB/9.216kB
6cca4437b6f6: Loading layer [==================================================>] 9.216kB/9.216kB
1d48fc08c8bc: Loading layer [==================================================>] 7.68kB/7.68kB
0419724fd942: Loading layer [==================================================>] 1.536kB/1.536kB
543c0c1ee18d: Loading layer [==================================================>] 655.2MB/655.2MB
4190aa7e89b8: Loading layer [==================================================>] 103.9kB/103.9kB
Loaded image: vmware/harbor-migrator:v1.5.0
[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
Creating harbor-log ... done
[Step 3]: checking existing instance of Harbor ...
Creating harbor-adminserver ... done
Creating harbor-ui ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating harbor-adminserver ...
Creating registry ...
Creating harbor-db ...
Creating redis ...
Creating harbor-ui ...
Creating nginx ...
Creating harbor-jobservice ...
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.111.5.
For more details, please visit https://github.com/vmware/harbor .
At this point Harbor is installed.
6) Check the services
[root@chaofeng data]# docker ps
CONTAINER ID  IMAGE                                 COMMAND                 CREATED      STATUS                PORTS                                                              NAMES
61aed845023f  vmware/harbor-jobservice:v1.5.2       "/harbor/start.sh"      3 hours ago  Up 3 hours                                                                               harbor-jobservice
b3e4835a56a0  vmware/nginx-photon:v1.5.2            "nginx -g 'daemon of…"  3 hours ago  Up 3 hours (healthy)  0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp  nginx
5d6dcd64148e  vmware/harbor-ui:v1.5.2               "/harbor/start.sh"      3 hours ago  Up 3 hours (healthy)                                                                     harbor-ui
18a2c2e2350d  vmware/harbor-adminserver:v1.5.2      "/harbor/start.sh"      3 hours ago  Up 3 hours (healthy)                                                                     harbor-adminserver
6a35ec058cd7  vmware/registry-photon:v2.6.2-v1.5.2  "/entrypoint.sh serv…"  3 hours ago  Up 3 hours (healthy)  5000/tcp                                                           registry
5a87e0483fc7  vmware/harbor-db:v1.5.2               "/usr/local/bin/dock…"  3 hours ago  Up 3 hours (healthy)  3306/tcp                                                           harbor-db
034a730d3070  vmware/redis-photon:v1.5.2            "docker-entrypoint.s…"  3 hours ago  Up 3 hours            6379/tcp                                                           redis
10d87125e327  vmware/harbor-log:v1.5.2              "/bin/sh -c /usr/loc…"  3 hours ago  Up 3 hours (healthy)  127.0.0.1:1514->10514/tcp                                          harbor-log
7) Open the registry in a browser. Login credentials: admin/Harbor12345 (this is the default admin password; change it after the first login).
8) Create a regular user account
9) Create a project named devops, then add the regular user created above as a member of the devops project
10) Next, set the repository name for the image you are going to push; click through to see the details in the screenshot below:
11) Set the tag name:
12) Log in as the user chaofeng
[root@chaofeng harbor]# docker login chaofeng.com
Username: chaofeng
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
If this step fails, see the troubleshooting section below.
13) Push the image
[root@chaofeng harbor]# docker push chaofeng.com/devops/busybox:latest
The push refers to repository [chaofeng.com/devops/busybox]
adab5d09ba79: Layer already exists
latest: digest: sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e size: 527
14) Check in Harbor that the push succeeded
Success.
Troubleshooting:
1) docker login fails, for example:
[root@elk-chaofeng02 harbor]# docker login chaofeng.com
Username: admin
Password:
Error response from daemon: Get http://chaofeng.com/v2/: dial tcp: lookup chaofeng.com on 192.168.1.1:53: read udp 172.16.0.52:38799->192.168.1.1:53: i/o timeout
This happens because chaofeng.com cannot be resolved to an IP address. Add a domain-to-IP mapping in /etc/hosts, for example:
2) If the error occurs while pushing the image (first make sure you really did log in successfully and saw "Login Succeeded" before applying this fix), as shown below:
docker.io here is Docker's official registry. The image was not pushed to our local registry but went looking for Docker Hub because the image tag, i.e. the URL prefix, was wrong, and by default images are pushed to the official Docker registry. Above I used elk-chaofeng02 as the domain name, but Docker does not recognise it as a domain: Docker only treats the first part of an image name as a registry host when it contains a dot or a colon. The fix is to set hostname in the harbor.cfg file in the harbor directory to a domain name ending in .com, i.e. one with dots in it. Alternatively, see this article: https://blog.csdn.net/qq_39623859/article/details/79752803 .
It may also be that you have no push permission on the target project, in which case the push fails just the same.
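The rule behind troubleshooting item 2) can be checked before pushing. The following is an added example, not code from the original post: it reproduces Docker's rule for choosing the registry from an image name (the first path component counts as a registry host only if it contains a dot or a colon, or is exactly localhost) and warns when a name would silently go to Docker Hub. The hostnames chaofeng.com and elk-chaofeng02 are the ones used in the post; the other names and all function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce Docker's rule for
# deciding which registry an image name refers to, so that a mistagged image
# is caught before "docker push" silently targets Docker Hub.

# image_registry_host NAME: print the registry host an image name resolves to.
# Docker treats the first path component as a registry only when it contains
# a dot or a colon, or is exactly "localhost"; otherwise the whole name is a
# Docker Hub (docker.io) repository.
image_registry_host() {
    name="$1"
    case "$name" in
        */*) first="${name%%/*}" ;;
        *)   echo docker.io; return 0 ;;
    esac
    case "$first" in
        *.*|*:*|localhost) echo "$first" ;;
        *)                 echo docker.io ;;
    esac
}

# check_push_target NAME EXPECTED_HOST: succeed when NAME will be pushed to
# EXPECTED_HOST; otherwise explain where it would actually go and fail.
check_push_target() {
    name="$1"; expected="$2"
    actual=$(image_registry_host "$name")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "warning: '$name' would be pushed to $actual, not $expected" >&2
    return 1
}

# harbor_image_name HOST PROJECT IMAGE[:TAG]: build the full name that the
# tagging step in the walkthrough expects (host/project/image:tag).
harbor_image_name() {
    printf '%s/%s/%s\n' "$1" "$2" "$3"
}

# Demo on constructed names: chaofeng.com and elk-chaofeng02 come from the
# post, the remaining two are illustrative.
for n in chaofeng.com/devops/busybox:latest elk-chaofeng02/devops/busybox \
         busybox localhost:5000/devops/busybox; do
    printf '%-40s -> %s\n' "$n" "$(image_registry_host "$n")"
done
```

Before a push, check_push_target "$image" chaofeng.com fails loudly for a name such as elk-chaofeng02/devops/busybox, which is exactly the case where docker push would try docker.io instead of the private registry.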
3) If you get: Error response from daemon: Get https://172.16.1.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client
This happens because the Docker client has not been configured to accept the registry without an HTTPS certificate. The change has to be made on the Docker client.
If you installed docker-ce, the setting goes here:
If you installed Docker with a plain yum install, you need to change the service startup command instead, as follows:
These are simply the different configuration styles of different Docker versions; the core idea is the same.
4) One more thing to note: whenever you change Harbor's configuration file, stop Harbor with docker-compose first and then run the install.sh script again.
5) Also, Harbor's default data directory is /data, which leaves the data under /data cluttered and hard to manage, since /data is usually used for other data and should stay tidy. It is therefore best to change Harbor's data directory in the configuration file; I described this above, and there are other guides online.
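The configuration edits from install steps 3) and 4) and from troubleshooting items 4) and 5) (hostname, HTTPS, moving the data directories) are easy to get wrong by hand, especially when install.sh has to be re-run. The following is an added example, not code from the original post: it applies those edits as repeatable sed edits and demonstrates them on constructed copies of harbor.cfg and docker-compose.yml. The file layouts are assumed to match the Harbor 1.5 files discussed above; the function names and the sample values are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the harbor.cfg and
# docker-compose.yml edits from the install steps (hostname, HTTPS, moving
# /data to /data/harbor) as repeatable sed edits. They replace existing
# values rather than appending, so re-running them before
# "docker-compose stop && ./install.sh" is safe.

# harbor_set_hostname CFG HOST: set "hostname = HOST" in CFG, replacing an
# existing hostname line instead of adding a duplicate.
harbor_set_hostname() {
    if grep -q '^hostname *=' "$1"; then
        sed -i "s|^hostname *=.*|hostname = $2|" "$1"
    else
        printf 'hostname = %s\n' "$2" >> "$1"
    fi
}

# harbor_enable_https CFG CRT KEY: switch the UI to HTTPS with the given cert.
harbor_enable_https() {
    sed -i \
        -e 's|^ui_url_protocol *=.*|ui_url_protocol = https|' \
        -e "s|^ssl_cert *=.*|ssl_cert = $2|" \
        -e "s|^ssl_cert_key *=.*|ssl_cert_key = $3|" "$1"
}

# harbor_relocate_data FILE...: rewrite host paths /data/... as
# /data/harbor/... in each FILE. Only whole path components are matched, so
# a path such as /database is left alone, and paths already under
# /data/harbor are normalised first so that the edit is idempotent.
harbor_relocate_data() {
    for f in "$@"; do
        sed -E -i \
            -e 's#/data/harbor(/|$|[[:space:]:])#/data\1#g' \
            -e 's#/data(/|$|[[:space:]:])#/data/harbor\1#g' "$f"
    done
}

# harbor_demo: write constructed copies of the two files into a temp dir,
# apply every edit twice (to show idempotence) and print the directory.
harbor_demo() {
    d=$(mktemp -d)
    cat > "$d/harbor.cfg" <<'EOF'
hostname = reg.mydomain.com
ui_url_protocol = http
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
EOF
    cat > "$d/docker-compose.yml" <<'EOF'
    volumes:
      - /data/registry:/storage/
      - /data/database:/var/lib/mysql
      - /var/log/harbor/:/var/log/docker/
EOF
    for pass in 1 2; do
        harbor_set_hostname "$d/harbor.cfg" chaofeng.com
        harbor_enable_https "$d/harbor.cfg" \
            /data/harbor/ssl_cert/chaofeng.com.crt /data/harbor/ssl_cert/chaofeng.com.key
        harbor_relocate_data "$d/harbor.cfg" "$d/docker-compose.yml"
    done
    echo "$d"
}

# Run as "sh thisfile.sh demo" to print the edited sample files.
case "${1:-}" in
    demo) d=$(harbor_demo); cat "$d/harbor.cfg" "$d/docker-compose.yml" ;;
esac
```

Against a real installation you would call the three functions on /usr/local/harbor/harbor.cfg, docker-compose.yml, prepare and docker-compose.chartmuseum.yml, then run docker-compose stop followed by ./install.sh as troubleshooting item 4) describes.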
I drew on articles by three bloggers, tested everything myself, and wrote up the following summaries:
Summary of building a private registry:
1. Install docker-compose
rpm -ivh https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install docker docker-compose -y
systemctl start docker
systemctl enable docker
2. Install Harbor
# Obtain an SSL certificate: request a free certificate from Alibaba Cloud or Tencent Cloud and upload it to the server
# Place it in the /data/harbor/ssl_cert directory
mkdir /data/harbor/ssl_cert -pv
ls /data/harbor/ssl_cert/
reg.xxxxx.com.crt  reg.xxxxx.com.key
# Online install: download the online installer from https://github.com/goharbor/harbor/releases
# Pick the matching version on that page; version 1.5.2 is used here, but you can download the latest one
wget https://storage.googleapis.com/harbor-releases/harbor-online-installer-v1.5.2.tgz
tar xvf harbor-online-installer-v1.5.2.tgz
cd harbor
vim harbor.cfg
hostname = reg.xxxxx.com
# HTTPS is recommended here; a free SSL certificate is easy to obtain from Alibaba Cloud. Without HTTPS every Docker client has to be reconfigured, which is fine for one or two Docker hosts but a real nuisance with many.
ui_url_protocol = https
customize_crt = off
ssl_cert = /data/harbor/ssl_cert/reg.xxxxx.com.crt
ssl_cert_key = /data/harbor/ssl_cert/reg.xxxxx.com.key
# Adjust the other parameters as needed
# end
# Note: docker-compose must be installed, and nothing else on this host may listen on ports 80 and 443.
## Change every data directory to /data/harbor. By default all Harbor components store their data directly under /data, which is awkward to manage if other services on the host also keep data in /data.
docker-compose.yml
prepare
docker-compose.chartmuseum.yml
# Open each of the files above, search for the keyword "data", and replace every /data with /data/harbor.
# Run the installer
./install.sh
# The following message indicates a successful installation
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://reg.xxxxx.com.
For more details, please visit https://github.com/vmware/harbor .
# Test
Open https://reg.xxxxx.com in a browser; the default credentials are admin/Harbor12345
# Log in to the registry from the command line
docker login reg.xxxxx.com
Summary of reverse-proxying Harbor with nginx:
The scenario is this: suppose the host on which Harbor is deployed also runs other HTTP/HTTPS services. To keep both, you need a reverse proxy so that they can coexist on the same host. Harbor's own containers already run an nginx, but modifying that nginx is inconvenient, so we simply install another nginx as the reverse proxy.
First the environment: this machine already ran nginx serving a yum repository over HTTP on port 80 and HTTPS on port 443, plus an Apache-based SVN service over HTTP on port 88. Installing Harbor here would cause port conflicts on both 80 and 443, because Harbor listens on the host's 80 and 443 by default, so this section explains how to make them coexist.
Port usage in the original environment:
nginx 80/443: yum repository
apache/svn 88: HTTP access to SVN
Port usage after installing Harbor:
nginx 80/443: yum repository (http/https), reverse proxy for apache/svn (http), reverse proxy for Harbor (https)
apache 88: HTTP access to SVN
harbor 8443: registry pull/push and web management (https)
The end goal:
http port 80 serves yum and svn to the outside
https port 443 serves yum plus registry pull/push and web management
In this environment the first thing to know is that Harbor listens on ports 80 and 443 by default, so this must be changed. Since I serve only HTTPS and not HTTP, port 80 can be turned off, and 443 must be changed to 8443 to avoid conflicting with nginx. For the HTTPS certificate I suggest requesting a free SSL certificate from Alibaba Cloud; with a self-signed certificate you have to change the Docker configuration, and I think getting a certificate is a once-and-done job, don't you? Here I only describe changing Harbor's ports; the nginx reverse proxy is left for you to work out.
1. Stop the existing nginx
2. Install and configure Harbor (the port change can be made directly in this step, before running ./install.sh)
3. Configure the nginx reverse proxy
# Change Harbor's exposed ports. Since I serve HTTPS, port 80 is not needed and is commented out, as follows
# For the installation itself, see the Harbor install steps
cd /usr/local/harbor
docker-compose stop
vim docker-compose.yml
# Find the line with 80 and comment it out or change it to another port; with HTTPS you can simply comment it out
    ports:
      #- 80:80
      - 8443:443
      - 4443:4443
./install.sh
When that finishes, run netstat -tnlp to confirm that only 8443 is being listened on; what remains is the nginx reverse proxy.
When nginx proxies Harbor, both should use the same SSL certificate. Here is my nginx server configuration, for reference only:
server {
    listen 80;
    server_name mirror.xxxxx.com yum.xxxxx.com mirror.centos.org;
    limit_rate 50M;
    charset utf8;
    location / {
        root /data/soft_repos/;
        access_log /var/log/nginx/mirror.log main;
    }
    location /svn/ {
        proxy_pass http://127.0.0.1:88/svn/;
        access_log /var/log/nginx/svn.log main;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    listen 443;
    server_name mirror.xxxxx.com yum.xxxxx.com mirror.centos.org;
    access_log /var/log/nginx/mirror_ssl.log main;
    limit_rate 50M;
    charset utf8;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_certificate /etc/nginx/.ssl/mirror.crt;
    ssl_certificate_key /etc/nginx/.ssl/mirror.key;
    ssl_prefer_server_ciphers on;
    location / {
        root /data/soft_repos/;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    listen 443;
    server_name reg.xxxxx.com;
    access_log /var/log/nginx/harbor.log main;
    ssl on;
    ssl_certificate /data/harbor/ssl_cert/1293901_reg.xxxxx.com.pem;
    ssl_certificate_key /data/harbor/ssl_cert/1293901_reg.xxxxx.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://127.0.0.1:8443/;
    }
}
One note on this configuration: ssl_protocols still includes TLSv1 and TLSv1.1, both of which are deprecated; on a current nginx restrict it to TLSv1.2 and TLSv1.3, and replace the deprecated "ssl on;" directive with "listen 443 ssl;".
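Both the pre-install requirement (nothing else may listen on 80 and 443) and the post-install check above (only 8443 should be listened on after the port change) come down to reading netstat -tnlp. The following is an added example, not code from the original post: it parses that output with awk and reports conflicts. The sample output is constructed to mirror the environment described above (nginx on 80/443, Apache/SVN on 88, Harbor remapped to 8443); the PIDs and function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse "netstat -tnlp" output to
# find what is listening on the ports Harbor and the reverse proxy need.
# SAMPLE_NETSTAT is constructed to mirror the environment in the post; the
# PIDs are made up.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      1300/httpd
tcp6       0      0 :::8443                 :::*                    LISTEN      2100/docker-proxy
tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      2080/docker-proxy'

# listeners_on PORT: read netstat -tnlp output on stdin and print the
# PID/program of every LISTEN socket bound to PORT (IPv4 or IPv6). The
# program name may contain spaces, so fields 7..NF are joined back together.
listeners_on() {
    awk -v port="$1" '
        $6 == "LISTEN" && $4 ~ (":" port "$") {
            line = $7
            for (i = 8; i <= NF; i++) line = line " " $i
            print line
        }'
}

# ports_free PORT...: read netstat output on stdin; succeed when none of the
# PORTs has a listener, otherwise report each conflict and fail. This is the
# pre-install check for Harbor's default ports 80 and 443.
ports_free() {
    data=$(cat); rc=0
    for p in "$@"; do
        who=$(printf '%s\n' "$data" | listeners_on "$p")
        if [ -n "$who" ]; then
            echo "port $p is already in use by: $who" >&2
            rc=1
        fi
    done
    return $rc
}

# docker_proxy_ports: list the ports that docker-proxy (i.e. the container
# ports Harbor publishes on the host) is listening on, one per line. This is
# the post-install check: after the remap it should show 8443, not 80/443.
docker_proxy_ports() {
    awk '$6 == "LISTEN" && $7 ~ /docker-proxy/ { n = split($4, a, ":"); print a[n] }'
}

# Demo against the constructed sample; real usage pipes "netstat -tnlp" in.
if printf '%s\n' "$SAMPLE_NETSTAT" | ports_free 80 443; then
    echo "ports 80/443 are free; Harbor can keep its default ports"
else
    echo "remap Harbor to 8443 and front it with the existing nginx"
fi
echo "ports published by docker-proxy: $(printf '%s\n' "$SAMPLE_NETSTAT" | docker_proxy_ports | tr '\n' ' ')"
```

On a real host, netstat -tnlp | ports_free 80 443 before install.sh tells you whether the default ports are usable, and netstat -tnlp | docker_proxy_ports after install.sh confirms the remapped ports (8443 and the log collector's 1514 on loopback in the sample) without reading the whole table by eye.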
https://blog.csdn.net/junzixing1985/article/details/80628839
https://blog.csdn.net/qq_30062125/article/details/80942998
http://www.eryajf.net/2314.html