Harbor Registry Deployment
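Whether you build your own registry with Docker-distribution or by running the official registry image as a container, the earlier demonstrations show that the result is very bare-bones, and less convenient than simply managing images on the official Docker Hub. Docker Hub at least lets you manage and search images through a web interface, and it can build images automatically from a Dockerfile using Webhooks and Automated Builds: instead of running docker build locally, the user pushes all the files of the build context to GitHub as a repository, and Docker Hub pulls those files from GitHub to complete the automated build.
However powerful the official Docker Hub is, it is hosted overseas, so speed is the biggest bottleneck, and in many cases using the official registry is simply not an option. The two self-hosting approaches above are very bare-bones and hard to manage, which is why a project favoured by the CNCF later appeared: Harbor.
Introduction to Harbor
Harbor was built by VMware as a second layer of packaging on top of Docker Registry, adding many extra components and providing a very attractive web interface.
Project Harbor is an open-source trusted cloud native registry project that stores, signs, and scans content.
Harbor extends the open-source Docker Distribution by adding the functionality users usually need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.
Harbor features
Harbor's core function is storing and managing Artifacts
Access control: access control is a basic requirement when multiple users store Artifacts in the same registry, and it was one of the main features provided by early versions of Harbor
Image signing: an image is essentially a packaged form of software; from a security standpoint, developers need to guarantee the integrity of the image content before deploying an image
Image scanning: a container image packages code, software and the runtime environment it needs, and released software and the libraries it depends on may all contain security vulnerabilities
Advanced management features: over successive releases, and based on community feedback, Harbor has given administrators and users many advanced management features to support more complex scenarios, including Artifact replication policies, storage quota management, Tag retention policies (Artifact retention policies) and garbage collection
Docker Compose
Deploying Harbor directly on a physical machine is very difficult. To simplify its use, the Harbor project ships Harbor as an application that runs in containers. Harbor depends on several storage systems such as redis, mysql and pgsql, so many containers have to be orchestrated to work together; deploying and using VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose.
Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from your configuration.
Deploying Harbor
Beforehand, go to the official Harbor documentation (https://github.com/goharbor/harbor) and download the harbor-offline-installer-v2.5.3 package, as follows:
Type harbor in the search box at the top left
Go to the official Docker Compose documentation (https://docs.docker.com/compose/) and follow the deployment steps
Start two machines, one as the client and one as the registry host
client is the client, harbor is the registry host
Both machines must have docker installed
Client: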
[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# bash
[root@client ~]# which docker
/usr/bin/docker
[root@client yum.repos.d]# ls
CentOS-Base.repo docker-ce.repo
[root@client yum.repos.d]# scp docker-ce.repo 192.168.142.134:/etc/yum.repos.d/
The authenticity of host '192.168.142.134 (192.168.142.134)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.142.134' (ECDSA) to the list of known hosts.
root@192.168.142.134's password:
docker-ce.repo 100% 2261 1.0MB/s 00:00
//Copy the client's docker repo file to the registry host
Registry host:
[root@localhost2 ~]# hostnamectl set-hostname harbor
[root@localhost2 ~]# bash
[root@harbor ~]# cd /etc/yum.repos.d/
[root@harbor yum.repos.d]# ls
CentOS-Base.repo docker-ce.repo mysql-community-source.repo mysql-community.repo
//Check that the docker repo file is there
[root@harbor yum.repos.d]# dnf -y install docker-ce
//Install
[root@harbor yum.repos.d]# systemctl restart docker //restart docker
[root@harbor yum.repos.d]# systemctl enable --now docker //enable docker at boot
Scroll down on the page opened earlier
Scroll further down and follow the manual installation
[root@harbor ~]# DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
[root@harbor ~]# mkdir -p $DOCKER_CONFIG/cli-plugins //create .docker
[root@harbor ~]# ls -a
. .bash_profile .docker .wget-hsts
.. .bashrc .mysql_history anaconda-ks.cfg
.bash_history .config .tcshrc mysql57-community-release-el7-11.noarch.rpm
.bash_logout .cshrc .viminfo
[root@harbor ~]# ls .docker/
cli-plugins
[root@harbor cli-plugins]# ls //the package downloaded earlier has been uploaded here
docker-compose
[root@harbor cli-plugins]# chmod +x docker-compose //grant execute permission
[root@harbor cli-plugins]# ll
total 25188
-rwxr-xr-x 1 root root 25792512 Aug 11 08:11 docker-compose
[root@harbor cli-plugins]# ./docker-compose --help //all of the commands below can be used
Usage: docker compose [OPTIONS] COMMAND
Docker Compose
Options:
--ansi string Control when to print ANSI control characters
("never"|"always"|"auto") (default "auto")
--compatibility Run compose in backward compatibility mode
--env-file string Specify an alternate environment file.
-f, --file stringArray Compose configuration files
--profile stringArray Specify a profile to enable
--project-directory string Specify an alternate working directory
(default: the path of the, first specified, Compose
file)
-p, --project-name string Project name
Commands:
build Build or rebuild services
convert Converts the compose file to platform's canonical format
cp Copy files/folders between a service container and the local filesystem
create Creates containers for a service.
down Stop and remove containers, networks
events Receive real time events from containers.
exec Execute a command in a running container.
images List images used by the created containers
kill Force stop service containers.
logs View output from containers
ls List running compose projects
pause Pause services
port Print the public port for a port binding.
ps List containers
pull Pull service images
push Push service images
restart Restart containers
rm Removes stopped service containers
run Run a one-off command on a service.
start Start services
stop Stop services
top Display the running processes
unpause Unpause services
up Create and start containers
version Show the Docker Compose version information
Run 'docker compose COMMAND --help' for more information on a command.
[root@harbor cli-plugins]# pwd
/root/.docker/cli-plugins
//At this point only the current user can use this command
[root@harbor cli-plugins]# ln -sv /root/.docker/cli-plugins/docker-compose /usr/bin/
'/usr/bin/docker-compose' -> '/root/.docker/cli-plugins/docker-compose'
//Create a symlink so that it can be used from anywhere on the system
[root@harbor cli-plugins]# cd
[root@harbor ~]# which docker-compose
/usr/bin/docker-compose
[root@harbor ~]# docker compose version
Docker Compose version v2.7.0
//Check the version
[root@harbor ~]# cd /usr/src/
[root@harbor src]# ls
debug harbor-offline-installer-v2.5.3.tgz kernels
//Upload the previously downloaded package here
[root@harbor src]# tar xf harbor-offline-installer-v2.5.3.tgz -C /usr/local/
[root@harbor src]# ls /usr/local/
bin etc games harbor include lib lib64 libexec sbin share src
[root@harbor src]# cd /usr/local/harbor/
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml.tmpl install.sh prepare
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml
[root@harbor harbor]# hostnamectl set-hostname harbor.example.com
[root@harbor harbor]# bash
//The hostname can be changed beforehand
hostname: harbor.example.com //change to the hostname
#https: //comment out the certificate-related settings
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
·················································
harbor_admin_password: Harbor12345 //login password for the web UI
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123 //database password
data_volume: /data //directory where data is stored
# insecure The flag to skip verifying registry certificate
insecure: false //the insecure option is turned off (certificates are verified)
# are all valid.
rotate_size: 200M //log rotation size (once a log file grows past this size it is rotated, i.e. renamed to a different file name)
# The directory on your host that store log
location: /var/log/harbor //where logs are stored
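Before running ./install.sh it is worth checking harbor.yml for the settings this walkthrough leaves at their lab values: the https block commented out and the template passwords Harbor12345 and root123. The script below is an added example, not part of the original post or of the Harbor installer; yaml_value and audit_harbor_yml are hypothetical helper names and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-install audit of harbor.yml (not part of the Harbor installer).

# yaml_value KEY FILE -> value of the first uncommented "KEY:" line.
# Assumption: the first uncommented "password:" line is the one under
# "database:", as in the excerpt on this page.
yaml_value() {
    grep -E "^[[:space:]]*$1:" "$2" | head -n 1 |
        sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+#.*$//; s/[[:space:]]+$//'
}

# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_harbor_yml() {
    local file=$1 findings=0

    # No active top-level "https:" key means nginx only serves plain HTTP.
    if ! grep -Eq '^https:' "$file"; then
        echo "FAIL https block is commented out: logins and pushes travel in cleartext"
        findings=$((findings + 1))
    fi
    # Values shipped in harbor.yml.tmpl are public knowledge.
    if [ "$(yaml_value harbor_admin_password "$file")" = "Harbor12345" ]; then
        echo "FAIL harbor_admin_password is still the template default"
        findings=$((findings + 1))
    fi
    if [ "$(yaml_value password "$file")" = "root123" ]; then
        echo "FAIL database password is still the template default"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample reproducing the settings used on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname: harbor.example.com
#https:
#  port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data
EOF
audit_harbor_yml "$sample" || echo "fix harbor.yml before running ./install.sh"
rm -f "$sample"
```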
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml harbor.yml.tmpl install.sh prepare
[root@harbor harbor]# ./install.sh
//Run this script
....
[Step 5]: starting Harbor ...
[+] Running 10/10
⠿ Network harbor_harbor Created 0.1s
⠿ Container harbor-log Started 0.8s
⠿ Container redis Started 1.9s
⠿ Container registryctl Started 1.9s
⠿ Container registry Started 2.1s
⠿ Container harbor-portal Started 2.1s
⠿ Container harbor-db Started 2.0s
⠿ Container harbor-core Started 2.8s
⠿ Container harbor-jobservice Started 3.7s
⠿ Container nginx Started 3.8s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:80 [::]:*
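Log in to the Harbor management UI using the IP address:
The interface after a successful login:
Notes on using Harbor:
- When pushing images from a client, always run docker login first to authenticate; otherwise the push will not work
- If the client is not using https, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json configuration file
- The data storage path in the configuration file should point to shared storage with ample capacity
- Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop as well. For other options, see --help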
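The insecure-registries setting in the second note is only needed because Harbor is served over plain HTTP here; with HTTPS and a certificate the client trusts it can be dropped. This added example (not from the original post) creates a private CA and a server certificate for harbor.example.com with openssl; the function names, the CA name and the output directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example: private CA + server certificate for Harbor (not from the original post).

# make_registry_cert FQDN OUTDIR -> writes ca.crt/ca.key and FQDN.crt/FQDN.key
make_registry_cert() {
    local fqdn=$1 out=$2
    mkdir -p "$out" && chmod 700 "$out"

    # 1. Self-signed CA ("Lab Registry CA" is a made-up name); only ca.crt leaves this host.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Lab Registry CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null || return 1

    # 2. Server key and CSR for the registry hostname.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" 2>/dev/null || return 1

    # 3. Sign it. Go's TLS verification does not fall back to CN, so the SAN is required.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$out/san.ext"
    openssl x509 -req -sha256 -days 365 -in "$out/$fqdn.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/san.ext" -out "$out/$fqdn.crt" 2>/dev/null || return 1

    chmod 600 "$out"/*.key
}

# cert_is_valid_for FQDN OUTDIR -> 0 if the chain verifies and the SAN matches.
cert_is_valid_for() {
    openssl verify -CAfile "$2/ca.crt" "$2/$1.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$2/$1.crt" -noout -text | grep -qF "DNS:$1"
}

# Where the files go afterwards:
#   harbor.yml : uncomment https:, port: 443, certificate: and private_key:,
#                point them at FQDN.crt / FQDN.key, then re-run ./install.sh
#   client     : copy ca.crt to /etc/docker/certs.d/harbor.example.com/ca.crt
#                and remove "insecure-registries" from /etc/docker/daemon.json

demo=$(mktemp -d)   # throwaway directory for this demonstration
make_registry_cert harbor.example.com "$demo" &&
    cert_is_valid_for harbor.example.com "$demo" && echo "chain and SAN OK in $demo"
```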
[root@harbor ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
76d358705acf goharbor/harbor-jobservice:v2.5.3 "/harbor/entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-jobservice
237a7155677e goharbor/nginx-photon:v2.5.3 "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
1930fed03071 goharbor/harbor-core:v2.5.3 "/harbor/entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-core
480772e4a195 goharbor/harbor-registryctl:v2.5.3 "/home/harbor/start.…" 10 minutes ago Up 10 minutes (healthy) registryctl
k38c22de9b73 goharbor/redis-photon:v2.5.3 "redis-server /etc/r…" 10 minutes ago Up 10 minutes (healthy) redis
994560266151 goharbor/registry-photon:v2.5.3 "/home/harbor/entryp…" 10 minutes ago Up 10 minutes (healthy) registry
182d2180241e goharbor/harbor-db:v2.5.3 "/docker-entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-db
463c26c94150 goharbor/harbor-portal:v2.5.3 "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes (healthy) harbor-portal
9fcbe6d544c9 goharbor/harbor-log:v2.5.3 "/bin/sh -c /usr/loc…" 11 minutes ago Up 10 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml.tmpl prepare
common docker-compose.yml harbor.yml install.sh
[root@harbor harbor]# docker-compose stop
[+] Running 9/9
⠿ Container harbor-jobservice Stopped 0.3s
⠿ Container nginx Stopped 0.4s
⠿ Container registryctl Stopped 10.2s
⠿ Container harbor-portal Stopped 0.2s
⠿ Container harbor-core Stopped 0.3s
⠿ Container harbor-db Stopped 0.3s
⠿ Container redis Stopped 0.3s
⠿ Container registry Stopped 0.3s
⠿ Container harbor-log Stopped 10.2s
[root@harbor harbor]# docker-compose start
[+] Running 9/9
⠿ Container harbor-log Started 0.7s
⠿ Container harbor-db Started 1.3s
⠿ Container redis Started 1.0s
⠿ Container registry Started 0.9s
⠿ Container registryctl Started 1.2s
⠿ Container harbor-portal Started 1.0s
⠿ Container harbor-core Started 0.6s
⠿ Container nginx Started 1.1s
⠿ Container harbor-jobservice Started 0.9s
//Create a script so Harbor starts at boot
[root@harbor ~]# vim /etc/rc.local
#!/bin/bash //top of the file
cd /usr/local/harbor //add
docker-compose start //add
[root@harbor ~]# ll /etc/rc.d/rc.local
-rw-r--r--. 1 root root 516 Aug 12 18:38 /etc/rc.d/rc.local
[root@harbor ~]# chmod +x /etc/rc.d/rc.local
[root@harbor ~]# reboot
//Reboot and check whether Harbor starts automatically
[root@harbor ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fa9ad9db79b1 goharbor/harbor-jobservice:v2.5.3 "/harbor/entrypoint.…" 2 hours ago Up 3 minutes (healthy) harbor-jobservice
64b9cb9e8b24 goharbor/nginx-photon:v2.5.3 "nginx -g 'daemon of…" 2 hours ago Up 3 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
83926667db60 goharbor/harbor-core:v2.5.3 "/harbor/entrypoint.…" 2 hours ago Up 3 minutes (healthy) harbor-core
ae4fdc9d5cc0 goharbor/harbor-db:v2.5.3 "/docker-entrypoint.…" 2 hours ago Up 3 minutes (healthy) harbor-db
3e39a9aa8803 goharbor/registry-photon:v2.5.3 "/home/harbor/entryp…" 2 hours ago Up 3 minutes (healthy) registry
4d12d5cba2be goharbor/redis-photon:v2.5.3 "redis-server /etc/r…" 2 hours ago Up 3 minutes (healthy) redis
960ccf954909 goharbor/harbor-registryctl:v2.5.3 "/home/harbor/start.…" 2 hours ago Exited (137) 2 hours ago registryctl
b38e80e12295 goharbor/harbor-portal:v2.5.3 "nginx -g 'daemon of…" 2 hours ago Up 3 minutes (healthy) harbor-portal
1631049b6265 goharbor/harbor-log:v2.5.3 "/bin/sh -c /usr/loc…" 2 hours ago Up 3 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
Deploying the client
This also needs an environment with docker installed
//Change the hostname
[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# bash
//Add the server's IP
[root@client ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.142.134 harbor.example.com //add this line
[root@client ~]# ping harbor.example.com
PING 192.168.111.135 (192.168.142.134) 56(84) bytes of data.
64 bytes from 192.168.142.134: icmp_seq=1 ttl=64 time=0.633 ms
64 bytes from 192.168.142.134: icmp_seq=2 ttl=64 time=0.728 ms
//Log in to harbor
[root@client ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://w673ojdv.mirror.aliyuncs.com"], //add a comma here
"insecure-registries": ["harbor.example.com"] //add this line
}
[root@client ~]# systemctl restart docker
[root@client ~]# docker login harbor.example.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest dabbfbe0c57b 7 months ago 144MB
harbor.example.com/library/httpd v6.66 65836c550784 37 hours ago 789MB
[root@client ~]# docker push harbor.example.com/library/httpd:v6.66 //push the image
The push refers to repository [harbor.example.com/library/httpd]
a3705dc88dcd: Pushed
74ddd0ec08fa: Pushed
v1.1: digest: sha256:a5b133a68e0bb18860b7c9361e32ae93943f95c188bf0d126d1995d4f16d02b7 size: 742
Check the result
Test pulling
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor.example.com/library/httpd v6.66 65836c550784 37 hours ago 789MB
httpd latest dabbfbe0c57b 7 months ago 144MB
[root@client ~]# docker rmi -f harbor.example.com/library/httpd:v6.66
Untagged: harbor.example.com/library/httpd:v1.1
Untagged: harbor.example.com/library/httpd@sha256:a5b133a68e0bb18860b7c9361e32ae93943f95c188bf0d126d1995d4f16d02b7
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest dabbfbe0c57b 7 months ago 144MB
[root@client ~]# docker pull harbor.example.com/library/httpd:v6.66 //pull the image
v1.1: Pulling from library/httpd
Digest: sha256:a5b133a68e0bb18860b7c9361e32ae93943f95c188bf0d126d1995d4f16d02b7
Status: Downloaded newer image for harbor.example.com/library/httpd:v6.66
harbor.example.com/library/httpd:v6.66
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor.example.com/library/httpd v6.66 65836c550784 37 hours ago 789MB
httpd latest dabbfbe0c57b 7 months ago 144MB