Harbor （上）

 

一，Harbor简介

• VMware的开源项目https://github.com/vmware/harbor
• Harbor可帮助用户迅速搭建企业级的注册服务。它提供了管理图形界面，基于角色的访问控制（Role Based Access Control），镜像远程复制（同步），AD/LDAP集成，以及审计日志等企业用户需求的功能，同时还原生支持中文，深受中国用户的喜爱。
• 该项目自推出以来，在GitHub获得了超过3300多个star和900多个forks。

 

1.1 基于角色的访问控制

用户与Docker镜像仓库通过“项目”进行组织管理，一个用户可以对多个镜像仓库在同一命名空间（project）里有不同的权限。

 

1.2 图形化用户界面

用户可以通过浏览器来浏览，检索当前Docker镜像仓库，管理项目和命名空间

 

1.3 审计管理

所有针对镜像仓库的操作都可以被记录追溯，用于审计管理。

 

1.4 国际化

基于英文与中文语言进行了本地化。可以增加更多的语言支持。

 

1.5 RESTful API：

提供给管理员对于Harbor更多的操控，使得与其他管理软件集成变得更容易。

 

1.6 LDAP认证

 

1.7 镜像复制

基于策略的Docker镜像复制功能，可在不同的数据中心，不同的运行环境之间同步镜像，并提供友好的管理界面，大大简化了实际运维中的镜像管理工作。

 

1.8 与Clair集成

与Clair集成，添加漏洞扫描功能。Clair是coreos开源的容器漏洞扫描工具，在容器逐渐普及的今天，容器镜像安全问题日益严重。Clair是目前少数的开源安全扫描工具。

 

1.9 Notary签名工具

Notary是Docker镜像的签名工具，用来保证镜像在pull，push和传输工程中的一致性和完整性，避免中间人攻击，避免非法的镜像更新和运行。

 

二，为Harbor签发域名证书

openssl是目前最流行的SSL密码库工具，提供了一个通用，功能完备的工具套件，用以支持SSL/TLS协议的实现。 
官网：https://www.openssl.org/source/

环境准备

主机名	IP	用途	最小资源配比	最佳资源配比
harbor	192.168.200.145	harbor私有镜像仓库	2CPU	4CPU
			4GBMEM	8GB

 

1. [root@Harbor ~]# hostname -I
2. 192.168.200.145
3. [root@Harbor ~]# cat /etc/redhat-release
4. CentOS Linux release 7.5.1804 (Core)
5. [root@Harbor ~]# uname -r
6. 3.10.0-862.3.3.el7.x86_64

官方文档：https://github.com/vmware/harbor/blob/master/docs/configure_https.md

 

1. #创建自己的CA证书
2. [[root@harbor ~]# mkdir -p /data/ssl
3. [root@harbor ~]# cd /data/ssl
4. [root@harbor ssl]# which openssl
5. /usr/bin/openssl
6. [root@harbor ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
7. Generating a 4096 bit RSA private key
8. ...............................................++
9. ...........................................................................................................................................................................................................................................................................................................++
10. writing new private key to 'ca.key'
11. -----
12. You are about to be asked to enter information that will be incorporated
13. into your certificate request.
14. What you are about to enter is what is called a Distinguished Name or a DN.
15. There are quite a few fields but you can leave some blank
16. For some fields there will be a default value,
17. If you enter '.', the field will be left blank.
18. -----
19. Country Name (2 letter code) [XX]:CN
20. State or Province Name (full name) []:Beijing
21. Locality Name (eg, city) [Default City]:Beijing
22. Organization Name (eg, company) [Default Company Ltd]:yunjisuan
23. Organizational Unit Name (eg, section) []:yunjisuan
24. Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
25. Email Address []:
27. #生成证书签名请求
28. [root@harbor ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
29. Generating a 4096 bit RSA private key
30. .........................................................................................................................................................................................++
31. .................................................++
32. writing new private key to 'www.yunjisuan.com.key'
33. -----
34. You are about to be asked to enter information that will be incorporated
35. into your certificate request.
36. What you are about to enter is what is called a Distinguished Name or a DN.
37. There are quite a few fields but you can leave some blank
38. For some fields there will be a default value,
39. If you enter '.', the field will be left blank.
40. -----
41. Country Name (2 letter code) [XX]:CN
42. State or Province Name (full name) []:Beijing
43. Locality Name (eg, city) [Default City]:Beijing
44. Organization Name (eg, company) [Default Company Ltd]:yunjisuan
45. Organizational Unit Name (eg, section) []:yunjisuan
46. Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
47. Email Address []:
49. Please enter the following 'extra' attributes
50. to be sent with your certificate request
51. A challenge password []:
52. An optional company name []:
54. #生成注册表主机的证书
55. [root@harbor ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
56. Signature ok
57. subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
58. Getting CA Private Key
60. #查看证书情况
61. [root@harbor ssl]# ll
62. 总用量 24
63. -rw-r--r-- 1 root root 2049 7月 18 01:16 ca.crt
64. -rw-r--r-- 1 root root 3272 7月 18 01:16 ca.key
65. -rw-r--r-- 1 root root 17 7月 18 01:19 ca.srl
66. -rw-r--r-- 1 root root 1931 7月 18 01:19 www.yunjisuan.com.crt
67. -rw-r--r-- 1 root root 1716 7月 18 01:17 www.yunjisuan.com.csr
68. -rw-r--r-- 1 root root 3272 7月 18 01:17 www.yunjisuan.com.key

 

三，信任自签发的域名证书

由于CA证书是我们自己签发的Linux操作系统是不信任的，因此我们需要把证书加入到系统的信任证书里

 

1. #将自签ca证书添加到系统信任
2. [root@harbor ssl]# pwd
3. /data/ssl
4. [root@harbor ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
6. #让系统ca信任设置立刻生效
7. [root@harbor ssl]# update-ca-trust enable
8. [root@harbor ssl]# update-ca-trust extract

 

四，Harbor 1.4 版本配置与安装

 

4.1 安装docker-ce社区版

 

1. [root@docker ssl]# sestatus
2. SELinux status: disabled
3. [root@Harbor ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
4. [root@Harbor yum.repos.d]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
5. [root@Harbor ~]# yum -y install docker-ce
6. [root@Harbor ~]# systemctl start docker
7. [root@Harbor ~]# systemctl enable docker
8. Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
9. [root@Harbor ~]# docker version
10. Client:
11. Version: 18.03.1-ce
12. API version: 1.37
13. Go version: go1.9.5
14. Git commit: 9ee9f40
15. Built: Thu Apr 26 07:20:16 2018
16. OS/Arch: linux/amd64
17. Experimental: false
18. Orchestrator: swarm
20. Server:
21. Engine:
22. Version: 18.03.1-ce
23. API version: 1.37 (minimum version 1.12)
24. Go version: go1.9.5
25. Git commit: 9ee9f40
26. Built: Thu Apr 26 07:23:58 2018
27. OS/Arch: linux/amd64
28. Experimental: false

 

4.2 下载并安装harbor私有仓库

 

1. #创建harbor的证书目录，并复制
2. [root@harbor ssl]# mkdir -p /etc/ssl/harbor
3. [root@harbor ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
4. [root@harbor ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
5. [root@harbor ssl]# ll /etc/ssl/harbor/
6. 总用量 8
7. -rw-r--r-- 1 root root 1931 7月 18 01:28 www.yunjisuan.com.crt
8. -rw-r--r-- 1 root root 3272 7月 18 01:28 www.yunjisuan.com.key
11. #创建harbor下载目录并下载harbor-offline-installer-v1.5.0.tgz
12. [root@harbor ssl]# mkdir -p /data/install
13. [root@harbor ssl]# cd /data/install
14. [root@harbor install]# pwd
15. /data/install
16. [root@Harbor install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
17. [root@Harbor install]# ls
18. harbor-offline-installer-v1.5.0.tgz
19. [root@Harbor install]# tar xf harbor-offline-installer-v1.5.0.tgz
20. [root@Harbor install]# ls
21. harbor harbor-offline-installer-v1.5.0.tgz
22. [root@Harbor install]# cd harbor
23. [root@Harbor harbor]# ll
24. 总用量 854960
25. drwxr-xr-x 3 root root 23 7月 16 22:29 common #模板目录
26. -rw-r--r-- 1 root root 1185 5月 2 23:34 docker-compose.clair.yml
27. -rw-r--r-- 1 root root 1725 5月 2 23:34 docker-compose.notary.yml
28. -rw-r--r-- 1 root root 3596 5月 2 23:34 docker-compose.yml
29. drwxr-xr-x 3 root root 156 5月 2 23:34 ha #harbor高可用配置
30. -rw-r--r-- 1 root root 6687 5月 2 23:34 harbor.cfg #harbor配置文件
31. -rw-r--r-- 1 root root 875401338 5月 2 23:36 harbor.v1.5.0.tar.gz
32. -rwxr-xr-x 1 root root 5773 5月 2 23:34 install.sh
33. -rw-r--r-- 1 root root 10771 5月 2 23:34 LICENSE
34. -rw-r--r-- 1 root root 482 5月 2 23:34 NOTICE
35. -rwxr-xr-x 1 root root 27379 5月 2 23:34 prepare
36. [root@Harbor harbor]# cp harbor.cfg{,.bak}
38. #修改harbor.cfg配置文件
39. [root@Harbor harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p'
40. 7 hostname = reg.mydomain.com #要修改成我们证书的域名
41. 11 ui_url_protocol = http #启用加密传输协议https
42. 23 ssl_cert = /data/cert/server.crt #证书的位置
43. 24 ssl_cert_key = /data/cert/server.key #证书密钥位置
44. 68 harbor_admin_password = Harbor12345 #默认管理员及密码
46. #修改成如下配置
47. [root@Harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
48. 7 hostname = www.yunjisuan.com
49. 11 ui_url_protocol = https
50. 23 ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
51. 24 ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
52. 68 harbor_admin_password = Harbor12345
54. #安装命令docker-compose(需要1.21版本)
55. [root@Harbor ~]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
56. % Total % Received % Xferd Average Speed Time Time Time Current
57. Dload Upload Total Spent Left Speed
58. 100 617 0 617 0 0 136 0 --:--:-- 0:00:04 --:--:-- 176
59. 100 10.3M 100 10.3M 0 0 161k 0 0:01:05 0:01:05 --:--:-- 181k
60. [root@Harbor ~]# ll /usr/local/bin/docker-compose
61. -rw-r--r-- 1 root root 10858808 7月 16 23:08 /usr/local/bin/docker-compose
62. [root@Harbor ~]# chmod +x /usr/local/bin/docker-compose
63. [root@Harbor ~]# which docker-compose
64. /usr/local/bin/docker-compose
65. [root@Harbor ~]# docker-compose --version
66. docker-compose version 1.21.2, build a133471
68. #安装harbor私有镜像仓库
69. [root@Harbor harbor]# ./install.sh --with-notary --with-clair #--with-notary启用镜像签名；--with-clair启用漏洞扫描
71. #查看harbor启动的镜像
72. [root@Harbor harbor]# docker ps -a
73. CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
74. 5c6fa83f89d8 vmware/nginx-photon:v1.5.0 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
75. c6b5c26bbbb9 vmware/harbor-jobservice:v1.5.0 "/harbor/start.sh" About a minute ago Up About a minute harbor-jobservice
76. bcfdd6c2ef34 vmware/notary-server-photon:v0.5.1-v1.5.0 "/bin/server-start.sh" About a minute ago Up About a minute notary-server
77. 43c6ecfa7c89 vmware/harbor-ui:v1.5.0 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-ui
78. b66330fdc3a3 vmware/clair-photon:v2.0.1-v1.5.0 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) 6060-6061/tcp clair
79. 57ec2b07dc55 vmware/notary-signer-photon:v0.5.1-v1.5.0 "/bin/signer-start.sh" About a minute ago Up About a minute notary-signer
80. 1ba4893733ef vmware/registry-photon:v2.6.2-v1.5.0 "/entrypoint.sh serv…" About a minute ago Up About a minute (healthy) 5000/tcp registry
81. 4822f0ca1ea8 vmware/postgresql-photon:v1.5.0 "/entrypoint.sh post…" About a minute ago Up About a minute (healthy) 5432/tcp clair-db
82. 36761f96e8fd vmware/harbor-adminserver:v1.5.0 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-adminserver
83. eb250cb9b378 vmware/mariadb-photon:v1.5.0 "/usr/local/bin/dock…" About a minute ago Up About a minute 3306/tcp notary-db
84. 122a2e8b7296 vmware/redis-photon:v1.5.0 "docker-entrypoint.s…" About a minute ago Up About a minute 6379/tcp redis
85. 7a0df0e8bb35 vmware/harbor-db:v1.5.0 "/usr/local/bin/dock…" About a minute ago Up About a minute (healthy) 3306/tcp harbor-db
86. 4e4734f8acfa vmware/harbor-log:v1.5.0 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log

通过浏览器进行访问测试

https://192.168.200.145

最后我还需要修改一下安全模式

项目创建：设定为仅管理 
不允许自动注册

 

五，镜像管理与安全：漏洞扫描和镜像签名

 

5.1 添加docker国内公有镜像源

 

1. [root@harbor harbor]# cat /etc/docker/daemon.json
2. {
3. "registry-mirrors":[ "https://registry.docker-cn.com" ]
4. }
5. [root@harbor harbor]# systemctl daemon-reload
6. [root@harbor harbor]# systemctl restart docker

 

5.2 重新启动Harbor私有镜像仓库

 

1. #让harbor修改过的配置立刻生效
2. [root@harbor harbor]# ./prepare
3. Clearing the configuration file: ./common/config/adminserver/env
4. Clearing the configuration file: ./common/config/ui/env
5. Clearing the configuration file: ./common/config/ui/app.conf
6. Clearing the configuration file: ./common/config/ui/private_key.pem
7. Clearing the configuration file: ./common/config/db/env
8. Clearing the configuration file: ./common/config/jobservice/env
9. Clearing the configuration file: ./common/config/jobservice/config.yml
10. Clearing the configuration file: ./common/config/registry/config.yml
11. Clearing the configuration file: ./common/config/registry/root.crt
12. Clearing the configuration file: ./common/config/nginx/conf.d/notary.upstream.conf
13. Clearing the configuration file: ./common/config/nginx/conf.d/notary.server.conf
14. Clearing the configuration file: ./common/config/nginx/cert/www.yunjisuan.com.crt
15. Clearing the configuration file: ./common/config/nginx/cert/www.yunjisuan.com.key
16. Clearing the configuration file: ./common/config/nginx/nginx.conf
17. Clearing the configuration file: ./common/config/log/logrotate.conf
18. Clearing the configuration file:
20. #清理所有harbor容器进程
21. [root@harbor harbor]# docker-compose down
22. Stopping harbor-jobservice ... done
23. Stopping nginx ... done
24. Stopping harbor-ui ... done
25. Stopping harbor-adminserver ... done
26. Stopping redis ... done
27. Stopping registry ... done
28. Stopping harbor-log ... done
29. WARNING: Found orphan containers (notary-server, notary-signer, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
30. Removing harbor-jobservice ... done
31. Removing nginx ... done
32. Removing harbor-ui ... done
33. Removing harbor-db ... done
34. Removing harbor-adminserver ... done
35. Removing redis ... done
36. Removing registry ... done
37. Removing harbor-log ... done
38. Removing network harbor_harbor
40. #后台启动所有harbor容器进程
41. [root@harbor harbor]# docker-compose up -d
42. Creating network "harbor_harbor" with the default driver
43. WARNING: Found orphan containers (notary-server, notary-signer, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
44. Creating harbor-log ... done
45. Creating harbor-adminserver ... done
46. Creating registry ... done
47. Creating harbor-db ... done
48. Creating redis ... done
49. Creating harbor-ui ... done
50. Creating harbor-jobservice ... done
51. Creating nginx ... done

 

5.3 下载一个公有镜像并上传到harbor

 

1. #harbor本地下载一个公有仓库镜像centos:7
2. [root@harbor harbor]# docker pull centos:7
3. 7: Pulling from library/centos
4. 7dc0dca2b151: Pull complete
5. Digest: sha256:b67d21dfe609ddacf404589e04631d90a342921e81c40aeaf3391f6717fa5322
6. Status: Downloaded newer image for centos:7
8. #本地映射私有仓库域名
9. [root@harbor harbor]# tail -1 /etc/hosts
10. 192.168.200.145 www.yunjisuan.com
12. #将centos:7镜像改名并上传私有镜像仓库
13. [root@harbor harbor]# docker tag centos:7 www.yunjisuan.com/library/centos:7
14. [root@harbor harbor]# docker images | grep centos
15. centos 7 49f7960eb7e4 6 weeks ago 200MB
16. www.yunjisuan.com/library/centos 7 49f7960eb7e4 6 weeks ago 200MB
17. [root@harbor harbor]# docker push www.yunjisuan.com/library/centos:7
18. The push refers to repository [www.yunjisuan.com/library/centos]
19. bcc97fbfc9e1: Preparing
20. denied: requested access to the resource is denied #我们发现与私有仓库的连接被拒绝，这是因为我们还没有登陆验证
22. #登陆验证harbor私有仓库，并上传镜像
23. [root@harbor harbor]# docker login www.yunjisuan.com
24. Username: admin
25. Password:
26. Login Succeeded
27. [root@harbor harbor]# docker push www.yunjisuan.com/library/centos:7
28. The push refers to repository [www.yunjisuan.com/library/centos]
29. bcc97fbfc9e1: Pushed
30. 7: digest: sha256:eed5b251b615d1e70b10bcec578d64e8aa839d2785c2ffd5424e472818c42755 size: 529

 

5.4 登陆浏览器查看镜像上传结果，并扫描漏洞

 

5.5 设置镜像仓库安全等级

 

5.6 为docker客户端下发域名证书

主机名	IP	用途	最小资源配比	最佳资源配比
docker-client	192.168.200.142	docker客户端
harbor	192.168.200.145	harbor私有镜像仓库	2CPU	4CPU
			4GBMEM	8GB
			40GBDISK	160GB

 

1. #映射harbor私有仓库域名
2. [root@docker-client ~]# cat /etc/redhat-release
3. CentOS Linux release 7.5.1804 (Core)
4. [root@docker-client ~]# uname -r
5. 3.10.0-862.3.3.el7.x86_64
6. [root@docker-client ~]# hostname -I
7. 192.168.200.142 172.17.0.1
8. [root@docker-client ~]# tail -1 /etc/hosts
9. 192.168.200.145 www.yunjisuan.com
11. #安装docker-ce社区版
12. [root@docker-client ~]# sestatus
13. SELinux status: disabled
14. [root@docker-client ~]# systemctl stop firewalld
15. [root@docker-client ~]# systemctl disable firewalld
16. [root@docker-client ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
17. [root@docker-client ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
18. % Total % Received % Xferd Average Speed Time Time Time Current
19. Dload Upload Total Spent Left Speed
20. 100 2424 100 2424 0 0 437 0 0:00:05 0:00:05 --:--:-- 601
21. [root@docker-client ~]# yum -y install docker-ce
22. [root@docker-client ~]# systemctl start docker
23. [root@docker-client ~]# systemctl enable docker
24. Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
25. [root@docker-client ~]# docker version
27. #配置国内公有镜像源
28. [root@docker-client ~]# cat /etc/docker/daemon.json
29. {
30. "registry-mirrors":[ "https://registry.docker-cn.com" ]
31. }
32. [root@docker-client ~]# systemctl daemon-reload
33. [root@docker-client ~]# systemctl restart docker
35. #下载mongo公有镜像
36. [root@docker-client ~]# docker pull mongo
37. Using default tag: latest
38. latest: Pulling from library/mongo
39. 3620e2d282dc: Pull complete
40. ef22f5e4b3b2: Pull complete
41. 99f229f854da: Pull complete
42. 4fe433abe16a: Pull complete
43. c9b72a16d85e: Pull complete
44. f1757e0920c9: Pull complete
45. 6ad61d16333c: Pull complete
46. 1b55b55716bc: Pull complete
47. b9e1a31a5de8: Pull complete
48. a871e8da652e: Pull complete
49. 0015ffced2ab: Pull complete
50. ee8e51b51b8e: Pull complete
51. 210e26b24d82: Pull complete
52. a2f5ff21092f: Pull complete
53. Digest: sha256:2e5e54f94429839d4904c9962b6933ef631b1938b6223c1cf84a0442421f111d
54. Status: Downloaded newer image for mongo:latest
55. [root@docker-client ~]# docker images
56. REPOSITORY TAG IMAGE ID CREATED SIZE
57. mongo latest af93d1bb9e2a 23 hours ago 379MB
59. #为docker客户端下发域名（在harbor本地执行操作）
60. #将harbor上自签发的域名证书www.yunjisuan.com.crt复制到docker客户端对应目录下
61. [root@harbor ssl]# scp www.yunjisuan.com.crt 192.168.200.142:/etc/pki/ca-trust/source/anchors/
62. root@192.168.200.142 s password:
63. www.yunjisuan.com.crt 100% 1931
65. #在docker客户端上执行操作，让证书立刻生效
66. [root@docker-client ~]# update-ca-trust enable
67. [root@docker-client ~]# update-ca-trust extract
69. #下发证书后必须重启动docker-client的docker服务
70. [root@docker-client anchors]# systemctl restart docker
72. #docker-client登陆harbor仓库进行登陆验证
73. [root@docker-client anchors]# docker login www.yunjisuan.com
74. Username: admin
75. Password:
76. Login Succeeded
78. #修改镜像的名字并上传harbor私有仓库
79. [root@docker-client ~]# docker tag mongo:latest www.yunjisuan.com/library/mongo
80. [root@docker-client ~]# docker images
81. REPOSITORY TAG IMAGE ID CREATED SIZE
82. www.yunjisuan.com/library/mongo latest af93d1bb9e2a 23 hours ago 379MB
83. mongo latest af93d1bb9e2a 23 hours ago 379MB
84. [root@docker-client anchors]# docker push www.yunjisuan.com/library/mongo #上传镜像仓库
85. The push refers to repository [www.yunjisuan.com/library/mongo]
86. 286bc1096109: Pushed
87. 4a7d1d8fcfa6: Pushed
88. 1dcddd0f87ed: Pushed
89. ca717ad13c2c: Pushed
90. 5a025566f67e: Pushed
91. 2cfea46080b7: Pushed
92. 892f0d18231e: Pushed
93. 1bf645743d38: Pushed
94. defd6b59a2f3: Pushed
95. 709bdd00b1a4: Pushed
96. 07b9c3c04cbd: Pushed
97. 6eaddaf493f1: Pushed
98. a0e188d0e278: Pushed
99. 711e4cb62f50: Pushed
100. latest: digest: sha256:810e499962b39a05131c5d25230fc92ba385f9353fc44ee8ed27a14ce49c8bac size: 3235

浏览器登陆harbor进行查看：

出现漏洞的镜像截图：

 

六，harbor镜像的复制与同步

harbor私有仓库的主从复制，类似于MySQL，属于1对多的复制

主机名	IP	用途	最小资源配比	最佳资源配比
docker-client	192.168.200.142	docker客户端
harbor	192.168.200.145	harbor私有镜像仓库	2CPU	4CPU
			4GBMEM	8GB
harbor-slave	192.168.200.146	harbor从库	2CPU	4CPU
			4GBMEM	8GB

 

6.1 部署Habor-Slave

再安装一个harbor私有仓库作为harbor的从库，域名为www2.yunjisuan.com

请参考Harbor-Master搭建过程

在Harbor-Master和Harbor-Slave上做域名映射

 

1. #主Harbor
2. [root@harbor ~]# tail -2 /etc/hosts
3. 192.168.200.145 www.yunjisuan.com
4. 192.168.200.146 www2.yunjisuan.com
6. #从Harbor
7. [root@harbor-slave ~]# tail -2 /etc/hosts
8. 192.168.200.145 www.yunjisuan.com
9. 192.168.200.146 www2.yunjisuan.com

特别提示： 
离线方式安装的Habor容器默认会从LDNS处获取对应的域名的IP解析，并不找本地的hosts文件 
由于我们是自己是自己设定的域名，因此，需要搭建用于内网解析的LDNS域名解析服务器

 

6.2 搭建LDNS域名解析服务器

主机名	IP	用途	最小资源配比	最佳资源配比
docker-client	192.168.200.142	docker客户端
harbor	192.168.200.145	harbor私有镜像仓库	2CPU	4CPU
			4GBMEM	8GB
harbor-slave	192.168.200.146	harbor从库	2CPU	4CPU
			4GBMEM	8GB
LDNS	192.168.200.147	本地DNS

 

1. [root@LDNS ~]# yum -y install bind bind-chroot bind-utils
2. [root@LDNS ~]# cd /etc
3. [root@LDNS etc]# cp named.conf{,.bak}
5. #配置文件修改成如下所示：
6. [root@LDNS named]# cat /etc/named.conf
7. options {
8. listen-on port 53 { 192.168.200.147; };
9. // listen-on-v6 port 53 { ::1; };
10. directory "/var/named";
11. dump-file "/var/named/data/cache_dump.db";
12. statistics-file "/var/named/data/named_stats.txt";
13. memstatistics-file "/var/named/data/named_mem_stats.txt";
14. allow-query { any; };
15. forwarders { 192.168.200.2; };
17. recursion yes;
19. dnssec-enable no;
20. dnssec-validation no;
22. /* Path to ISC DLV key */
23. bindkeys-file "/etc/named.iscdlv.key";
25. managed-keys-directory "/var/named/dynamic";
27. pid-file "/run/named/named.pid";
28. session-keyfile "/run/named/session.key";
29. };
31. logging {
32. channel default_debug {
33. file "data/named.run";
34. severity dynamic;
35. };
36. };
38. zone "." IN {
39. type hint;
40. file "named.ca";
41. };
43. zone "yunjisuan.com" IN {
44. type master;
45. file "yunjisuan.com.zone";
46. };
48. include "/etc/named.rfc1912.zones";
49. include "/etc/named.root.key";
52. #检查配置文件是否有错
53. [root@LDNS named]# named-checkconf /etc/named.conf
55. #创建正向解析文件
56. [root@LDNS named]# cd /var/named
57. [root@LDNS named]# ls
58. chroot data dynamic named.ca named.empty named.localhost named.loopback slaves
59. [root@LDNS named]# cp -p named.empty yunjisuan.com.zone
60. [root@LDNS named]# vim yunjisuan.com.zone
61. [root@LDNS named]# cat yunjisuan.com.zone
62. $TTL 1D
63. @ IN SOA yunjisuan.com. root.ns1.yunjisuan.com. (
64. 20180719 ; serial
65. 1D ; refresh
66. 1H ; retry
67. 1W ; expire
68. 3H ) ; minimum
69. NS ns1.yunjisuan.com.
70. ns1 A 192.168.200.147
71. www A 192.168.200.145
72. www2 A 192.168.200.146
74. #测试正向解析文件是否有错
75. [root@LDNS named]# named-checkzone yunjisuan.com yunjisuan.com.zone
76. zone yunjisuan.com/IN: loaded serial 20180719
77. OK
79. #启动域名解析服务
80. [root@LDNS named]# systemctl start named
81. [root@LDNS named]# ss -antup | grep named
82. udp UNCONN 0 0 192.168.200.147:53 *:* users:(("named",pid=1576,fd=512))
83. tcp LISTEN 0 10 192.168.200.147:53 *:* users:(("named",pid=1576,fd=21))
84. tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",pid=1576,fd=22))
85. tcp LISTEN 0 128 ::1:953 :::* users:(("named",pid=1576,fd=23))
87. #将本地DNS改成自己，进行解析测试
88. [root@LDNS named]# cat /etc/resolv.conf
89. # Generated by NetworkManager
90. nameserver 192.168.200.147
91. [root@LDNS named]# nslookup www.baidu.com
92. Server: 192.168.200.147
93. Address: 192.168.200.147#53
95. Non-authoritative answer:
96. www.baidu.com canonical name = www.a.shifen.com.
97. Name: www.a.shifen.com
98. Address: 61.135.169.125
99. Name: www.a.shifen.com
100. Address: 61.135.169.121
102. [root@LDNS named]# nslookup www.yunjisuan.com
103. Server: 192.168.200.147
104. Address: 192.168.200.147#53
106. Name: www.yunjisuan.com
107. Address: 192.168.200.145
109. [root@LDNS named]# nslookup www2.yunjisuan.com
110. Server: 192.168.200.147
111. Address: 192.168.200.147#53
113. Name: www2.yunjisuan.com
114. Address: 192.168.200.146

 

6.3 构建Harbor主从同步

提示：如果Harbor不是已经绑定的公网域名，那么必须构建自己的本地LDNS

 

1. #修改Harbor-master上的域名解析DNS服务器为本地构建的LDNS
2. [root@harbor harbor]# cat /etc/resolv.conf
4. nameserver 192.168.200.147
5. [root@harbor harbor]# nslookup www2.yunjisuan.com
6. Server: 192.168.200.147
7. Address: 192.168.200.147#53
9. Name: www2.yunjisuan.com
10. Address: 192.168.200.146

至此，Harbor仓库主从复制已经构建完毕。 
备注：如果勾选了阻止潜在漏洞的选项会影响harbor主从复制

特别提示： 
如果是harbor经历过vmware虚拟机的暂停和恢复。那么很可能之前能够访问的harbor仓库，恢复后却不行了。此时，需要重启dorker进程并重新harbor容器进程。