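Docker: Installing and Using Harbor
Introduction to Harbor
Developing and running containerized applications with Docker depends on reliable image management. Docker provides a public image registry, but for security and efficiency it is also necessary to deploy a registry inside your own private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. Its features include role-based access control (RBAC), LDAP, audit logging, a management UI, self-registration, image replication, and Chinese-language support.
Deploying Harbor
1. Install Docker Compose
GitHub: https://github.com/docker/compose/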
root@docker-1:~# mkdir /apps
root@docker-1:~# cd /apps
root@docker-1:/apps# wget https://github.com/docker/compose/releases/download/v2.2.2/docker-compose-linux-x86_64
root@docker-1:/apps# wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz
root@docker-1:/apps# chmod +x docker-compose-linux-x86_64  # the release asset is a single binary, not a tar archive
root@docker-1:/apps# tar xvf harbor-offline-installer-v2.4.1.tgz
root@docker-1:/apps# bash docker-install.sh
当前系统是Ubuntu 20.04.3 LTS \n \l,即将开始系统初始化、配置docker-compose与安装docker
docker/
docker/dockerd
docker/docker-proxy
docker/containerd-shim
docker/docker-init
docker/docker
docker/runc
docker/ctr
docker/containerd
su: user jack does not exist
docker 安装完成!
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /lib/systemd/system/containerd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
root@docker-1:/apps# cd harbor/
root@docker-1:/apps/harbor# cp harbor.yml.tmpl harbor.yml
root@docker-1:/apps/harbor# vim harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 172.16.2.137  # changed to this host's IP
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config (all https settings are commented out)
#https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
···(partially omitted)···
harbor_admin_password: admin  # changed the login password
···(partially omitted)···
root@docker-1:/apps/harbor# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
root@docker-1:/apps/harbor# ./install.sh --with-trivy --with-chartmuseum
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating redis ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating chartmuseum ... done
Creating harbor-core ... done
Creating trivy-adapter ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
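Installation succeeded
Browser test
1. Enter this host's IP in the browser, then log in with the username and password.
2. Click New Project.
3. Enter a project name and set the access level to public (if it is not public, Docker has to authenticate), set the storage quota (the default, unlimited, is fine), and leave the proxy cache disabled, which is the default.
Image push test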
root@docker-1:/apps/harbor# dockerd --help | grep ins
--authorization-plugin list Authorization plugins to load
--dns-search list DNS search domains to use
--insecure-registry list Enable insecure registry communication
root@docker-1:/apps/harbor# vim /usr/lib/systemd/system/docker.service
···(partially omitted)···
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# added: --insecure-registry entries for the registry IPs to trust
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 172.16.2.123 --insecure-registry 172.16.2.137
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
···(partially omitted)···
root@docker-1:/apps/harbor# systemctl daemon-reload
root@docker-1:/apps/harbor# systemctl restart docker.service
root@docker-1:/apps/harbor# docker login 172.16.2.123
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@docker-1:/apps/harbor# docker tag nginx 172.16.2.123/test-1/nginx
root@docker-1:/apps/harbor# docker push 172.16.2.123/test-1/nginx  # push the image
The push refers to repository [172.16.2.123/test-1/nginx]
24037b645d66: Pushed
d00147ef6763: Pushed
2793e885dc34: Pushed
8b8ecda1d12d: Pushed
30c00b5281a1: Pushed
3a626bb08c24: Pushed
latest: digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1 size: 1570
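The harbor.yml above leaves the https section commented out, which is why each Docker client needs --insecure-registry and why docker login sends the admin password over plain HTTP. As an added example (not part of the original post or of Harbor's installer), this script issues a private CA and a server certificate that carries the registry IP as a SAN; the function names, file names and output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + Harbor server
# certificate so clients can drop --insecure-registry. Function names, file
# names and the output directory are assumptions.

# make_harbor_certs <registry-ip> <out-dir>
make_harbor_certs() {
    ip="$1"; out="$2"
    mkdir -p "$out" || return 1

    # CA: EC P-256 key, self-signed, explicitly marked as a CA.
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/ca.key" || return 1
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$out/ca.ext"
    openssl req -new -key "$out/ca.key" -subj "/CN=harbor-private-ca" -out "$out/ca.csr" || return 1
    openssl x509 -req -sha256 -days 3650 -in "$out/ca.csr" -signkey "$out/ca.key" \
        -extfile "$out/ca.ext" -out "$out/ca.crt" 2>/dev/null || return 1

    # Server: clients address Harbor by IP, so the IP must appear in the SAN.
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/server.key" || return 1
    printf 'subjectAltName = IP:%s\nextendedKeyUsage = serverAuth\n' "$ip" > "$out/server.ext"
    openssl req -new -key "$out/server.key" -subj "/CN=$ip" -out "$out/server.csr" || return 1
    openssl x509 -req -sha256 -days 365 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server.crt" 2>/dev/null || return 1
    chmod 600 "$out/ca.key" "$out/server.key"
}

# check_harbor_certs <registry-ip> <out-dir>: the chain verifies and the SAN
# contains exactly this IP.
check_harbor_certs() {
    openssl verify -CAfile "$2/ca.crt" "$2/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2/server.crt" -noout -text | grep -qFw "IP Address:$1"
}

# Wiring it in (paths are examples):
#   harbor.yml:  uncomment https:, port: 443, and point certificate / private_key
#                at server.crt / server.key, then re-run ./install.sh
#   each client: copy ca.crt to /etc/docker/certs.d/<registry-ip>/ca.crt,
#                remove --insecure-registry from docker.service, restart docker
```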
Pulling the image from Harbor
root@master-1:/apps# vim /usr/lib/systemd/system/docker.service
···(partially omitted)···
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# added: --insecure-registry entries for the registry IPs to trust
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 172.16.2.123 --insecure-registry 172.16.2.137
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
···(partially omitted)···
root@master-1:/apps# systemctl daemon-reload
root@master-1:/apps# systemctl restart docker.service
root@master-1:/apps# docker pull 172.16.2.123/test-1/nginx
Using default tag: latest
latest: Pulling from test-1/nginx
ae13dd578326: Pull complete
6c0ee9353e13: Pull complete
dca7733b187e: Pull complete
352e5a6cac26: Pull complete
9eaf108767c7: Pull complete
be0c016df0be: Pull complete
Digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1
Status: Downloaded newer image for 172.16.2.123/test-1/nginx:latest
172.16.2.123/test-1/nginx:latest
root@master-1:/apps# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED      SIZE
172.16.2.123/test-1/nginx   latest    f2f70adc5d89   4 days ago   142MB
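The push and pull outputs above report the same sha256 digest. As an added example (not from the original post), these functions extract that digest, build a digest-pinned reference for docker pull, and check that a pull resolved to the digest the push reported; the function names are assumptions and the sample lines are copied from this page.

```shell
#!/bin/sh
# Added example, not from the original post. Sample lines are copied from the
# push and pull output on this page; function names are assumptions.

PUSH_LINE='latest: digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1 size: 1570'
PULL_LINE='Digest: sha256:1a763cbd30ef4dbc7f8e3fa2e6670fd726f4bddb0ef58868a243c0cb8b35cde1'

# digest_of <output>: print the first well-formed sha256 digest reported in
# docker push/pull output; print nothing if it is missing or malformed.
digest_of() {
    printf '%s\n' "$1" |
        sed -n 's/^.*[Dd]igest: \(sha256:[0-9a-f]\{64\}\)\( .*\)\{0,1\}$/\1/p' |
        head -n 1
}

# pinned_ref <repository> <push output>: repository@sha256:... for docker pull.
# The client checks a pull by digest against that hash, so it cannot silently
# resolve to different content the way a re-pushed tag can.
pinned_ref() {
    d=$(digest_of "$2")
    [ -n "$d" ] || { echo "no digest in push output" >&2; return 1; }
    printf '%s@%s\n' "$1" "$d"
}

# same_image <push output> <pull output>: 0 if both report the same digest,
# 1 if they differ, 2 if either side has no usable digest.
same_image() {
    pushed=$(digest_of "$1"); pulled=$(digest_of "$2")
    [ -n "$pushed" ] && [ -n "$pulled" ] || return 2
    [ "$pushed" = "$pulled" ]
}

# Example: docker pull "$(pinned_ref 172.16.2.123/test-1/nginx "$PUSH_LINE")"
```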