Docker study notes 4: Harbor

Preparation for the k8s learning environment

Download the Docker version validated for k8s, i.e. 17.03.2, from the Aliyun mirror

https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/

 

Prepare the virtual machines

Google's container image download address

https://console.cloud.google.com/gcr/images/google-containers/GLOBAL

Harbor installation study notes

Harbor is a Docker image registry open-sourced by VMware

Harbor's GitHub address

https://github.com/vmware/harbor/releases#download

The version used in this exercise is harbor-offline-installer-v1.5.1.tgz

Install Docker

This exercise is based on Docker version 18.03.1.ce

Download from the Aliyun mirror

https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/

Set Docker to start automatically at boot

systemctl start docker

systemctl enable docker

Disable the firewall

systemctl stop firewalld

systemctl disable firewalld

Install pip

yum install python-pip  # requires the EPEL repository

Install docker-compose

the orchestration tool for single-host Docker

pip install docker-compose

 

Download and upload harbor-offline-installer-v1.5.1.tgz

Download the offline version

Extract the harbor-offline-installer-v1.5.1.tgz package

Edit the harbor.cfg configuration file and change the hostname to this machine's IP address

## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.5.0
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 192.168.153.135

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http

#Maximum number of job workers in job service
max_job_workers = 50

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor ui container via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid

#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2

#Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

#Verify certificate from LDAP server
ldap_verify_cert = true

#The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com

#filter to search LDAP/AD group
ldap_group_filter = objectclass=group

#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn

#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_group_scope = 2

#Turn on or off the self-registration feature
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######

#The address of the Harbor database. Only need to change when using external db.
db_host = mysql

#The password for the root user of Harbor DB. Change this before any production use.
db_password = root123

#The port of Harbor database host
db_port = 3306

#The user name of Harbor database
db_user = root

##### End of Harbor DB configuration#######

#The redis server address. Only needed in HA installation.
#address:port[,weight,password,db_index]
redis_url = redis:6379

##########Clair DB configuration############

#Clair DB host address. Only change it when using an exteral DB.
clair_db_host = postgres

#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password

#Clair DB connect port
clair_db_port = 5432

#Clair DB username
clair_db_username = postgres

#Clair default database
clair_db = postgres

##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem


### Docker Registry setting ###
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
harbor.cfg
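As an added example, not part of the original note and not Harbor's own tooling: a small audit of harbor.cfg for the values a reviewer would flag in the file above, namely the shipped admin and database passwords, plain-http access, open self-registration and unrestricted project creation. The key names are the ones in harbor.cfg; the sample text is constructed from them.

```python
"""Audit a Harbor 1.5 harbor.cfg for the insecure shipped defaults seen above."""
import re

# Placeholder values Harbor ships in harbor.cfg; leaving them unchanged is the finding.
SHIPPED_DEFAULTS = {
    "harbor_admin_password": "Harbor12345",
    "db_password": "root123",
    "clair_db_password": "password",
}

def parse_cfg(text):
    """Return {key: value} for 'key = value' lines, skipping blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def audit_harbor_cfg(text):
    """Return a list of (key, message) findings; an empty list means nothing was flagged."""
    cfg = parse_cfg(text)
    findings = []
    for key, default in SHIPPED_DEFAULTS.items():
        if cfg.get(key) == default:
            findings.append((key, "still set to the value shipped in harbor.cfg"))
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append(("ui_url_protocol", "UI and registry use plain http; logins and tokens cross the network unencrypted"))
    if cfg.get("self_registration", "on") == "on":
        findings.append(("self_registration", "anyone who can reach the UI can create an account"))
    if cfg.get("project_creation_restriction") == "everyone":
        findings.append(("project_creation_restriction", "every user can create projects"))
    return findings

# Constructed sample: the keys and values from the harbor.cfg above that matter here.
SAMPLE_CFG = """ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = password
"""

if __name__ == "__main__":
    for key, msg in audit_harbor_cfg(SAMPLE_CFG):
        print(f"{key}: {msg}")
```

Run it against the real file with audit_harbor_cfg(open("harbor.cfg").read()) before ./install.sh; the initial-properties block only takes effect on first boot, so these values are hard to fix afterwards from the file.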

Install Harbor

[root@harbor2 harbor]# ./install.sh

Harbor can also be started and stopped manually

docker-compose start 

docker-compose stop

Open the Harbor web UI; by default it listens on port 80 and the default credentials are admin/Harbor12345  # both can be changed in the harbor.cfg configuration file

Configure the Docker client (the host that runs the Docker containers) to use the Harbor image registry

[root@localhost ~]# vi /usr/lib/systemd/system/docker.service

Modify the line shown in the box below

Edit Docker's startup unit and add Harbor's IP address

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --selinux-enabled --log-driver=journald --insecure-registry '192.168.153.135' --insecure-registry '192.168.153.138'
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
docker.service

Restart Docker

systemctl restart docker

 

Log in to Harbor

After a successful login, a hidden file is created in the current user's home directory to store the authentication information.
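The hidden file mentioned above is ~/.docker/config.json. This added example (not from the original note) decodes its "auth" entries to show that the stored credential is only base64-encoded, and checks whether the file is readable by other local users; the sample entry is constructed for the Harbor IP used in the note.

```python
"""Inspect the hidden credential file that `docker login` writes (~/.docker/config.json)."""
import base64
import json
import os
import stat

# Constructed sample in the layout `docker login` produces for the Harbor host in the
# note. The "auth" value is base64("user:password"): encoding, not encryption.
SAMPLE_CONFIG = {
    "auths": {
        "192.168.153.135": {"auth": base64.b64encode(b"admin:Harbor12345").decode()}
    }
}

def list_registry_logins(config):
    """Return {registry: username} for every entry whose secret sits in the file itself."""
    logins = {}
    for registry, entry in config.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue  # credsStore / credHelpers keep the secret outside this file
        user, _, _password = base64.b64decode(auth).decode().partition(":")
        logins[registry] = user
    return logins

def readable_by_others(path):
    """True when group or world can read the file, i.e. the stored secrets leak locally."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_docker_config(path=None):
    """Report which registries hold a recoverable credential and whether the file is exposed."""
    path = path or os.path.expanduser("~/.docker/config.json")
    with open(path) as f:
        config = json.load(f)
    return {"logins": list_registry_logins(config), "readable_by_others": readable_by_others(path)}

if __name__ == "__main__":
    print(list_registry_logins(SAMPLE_CONFIG))  # {'192.168.153.135': 'admin'}
```

Because the client talks to Harbor over plain http (--insecure-registry above), the same admin:password pair also crosses the network in clear text at every docker login, which is the reason to prefer ui_url_protocol = https.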

Push an image from the Docker client to Harbor

[root@localhost ~]# docker images

[root@localhost ~]# docker tag haproxy:v1 192.168.153.135/webimage/haproxy:v1

[root@localhost ~]# docker push 192.168.153.135/webimage/haproxy:v1

 

On another Docker client, click the pull command in the UI, copy it, and pull the image from the Harbor registry

Replication between two Harbor registries

Add the other Harbor registry

If opening the Harbor web UI returns a 503 error,

go to the Harbor installation directory

and restart Harbor

docker-compose stop

docker-compose start

Check port 80

ss -tnl

Check whether the firewall is disabled

If TEST CONNECTION fails, check for firewall problems

Create a project under Projects and upload an image

 [root@192 ~]# docker images

Tag the image and push it to Harbor

[root@192 ~]# docker tag nginx-base:v1 192.168.153.140/webimage/nginx-base:v1

[root@192 ~]# docker push 192.168.153.140/webimage/nginx-base:v1

In the project, edit the Harbor replication rule

In this Harbor's UI, the replication log shows completion

Check the image replication status in the other Harbor

The UI shows that replication succeeded

Original article: https://www.cnblogs.com/hexintong/p/9292948.html