Docker-企业级私有仓库harbor

官方软件下载地址:https://github.com/goharbor/harbor/releases

1 .  harbor的安装部署

部署前一定要删除正在运行的容器,否则会因为端口冲突,安装部署失败

1.1. harbor解压

[root@lnmp0 docker]# ls
docker-compose-linux-x86_64-v2.5.0  harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# tar zxf harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# ls
docker-compose-linux-x86_64-v2.5.0  harbor  harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# cd harbor/
[root@lnmp0 harbor]# ls
common.sh  harbor.v2.5.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

1.2  harbor配置


[root@lnmp0 harbor]# cp harbor.yml.tmpl harbor.yml        ##从模板复制一份配置文件          
[root@lnmp0 harbor]# vim harbor.yml

  1 # Configuration file of Harbor
  2
  3 # The IP address or hostname to access admin UI and registry service.
  4 # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by     external clients.
  5 hostname: reg.westos.org                            ##指定仓库的域名
  6
  7 # http related config
  8 http:
  9   # port for http, default is 80. If https enabled, this port will redirect     to https port
 10   port: 80
 11
 12 # https related config
 13 https:
 14   # https port for harbor, default is 443
 15   port: 443
 16   # The path of cert and key files for nginx
 17   certificate: /data/certs/westos.org.crt          ##指定仓库的证书
 18   private_key: /data/certs/westos.org.key          ##指定仓库的证书
 19
 20 # # Uncomment following will enable tls communication between all harbor com    ponents
 21 # internal_tls:
 22 #   # set enabled to true means internal tls is enabled
 23 #   enabled: true
 24 #   # put your cert and key files on dir
 25 #   dir: /etc/harbor/tls/internal
 26
 27 # Uncomment external_url if you want to enable external proxy
 28 # And when it enabled the hostname will no longer used
 29 # external_url: https://reg.mydomain.com:8433
 30
 31 # The initial password of Harbor admin
 32 # It only works in first time to install harbor
 33 # Remember Change the admin password from UI after launching Harbor.
 34 harbor_admin_password: westos                     ##之后登录harbor仓库的密码
......

1.3  建立配置文件中的证书目录

[root@lnmp0 harbor]# mkdir /data/
[root@lnmp0 harbor]# cd
[root@lnmp0 ~]# cp certs/ /data/ -r
[root@lnmp0 ~]# cd /data/
[root@lnmp0 data]# ls
certs
[root@lnmp0 data]# cd certs/
[root@lnmp0 certs]# ls
westos.org.crt  westos.org.key
[root@lnmp0 certs]#

##一定要保持和配置文件中的证书位置保持一致,否则不生效

1.4  解决依赖性

[root@lnmp0 ~]# cd docker/
[root@lnmp0 docker]# ls
docker-compose-linux-x86_64-v2.5.0  harbor  harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# mv docker-compose-linux-x86_64-v2.5.0 /usr/local/bin/docker-compose
[root@lnmp0 docker]# chmod +x /usr/local/bin/docker-compose
[root@lnmp0 docker]# which docker-compose
/usr/local/bin/docker-compose

##docker-compose-linux-x86_64-v2.5.0是一个二进制文件,直接移动到/usr/local/bin/下,赋予其权限,即可生效

1.5  安装harbor

[root@lnmp0 docker]# cd harbor/
[root@lnmp0 harbor]# ./install.sh           ##执行harbor的安装脚本./install.sh
[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.17

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.5.0

[Step 2]: loading Harbor images ...
.......
.......
 ⠿ Container harbor-core        Started                                                                                                             2.2s
 ⠿ Container harbor-jobservice  Started                                                                                                             3.2s
 ⠿ Container nginx              Started                                                                                                             3.2s
✔ ----Harbor has been installed and started successfully.----

1.6  安装完毕后,可直接在浏览器访问主机IP,来登录harbor仓库

 2. harbor仓库的安装及使用

2.1 上传镜像到harbor仓库

[root@lnmp0 harbor]# docker tag nginx:latest reg.westos.org/library/nginx:latest    ##更改镜像标签
[root@lnmp0 harbor]# docker push reg.westos.org/library/nginx                       ##上传镜像
Using default tag: latest
The push refers to repository [reg.westos.org/library/nginx]
33e3df466e11: Pushed
747b7a567071: Pushed
57d3fc88cb3f: Pushed
53ae81198b64: Pushed
58354abe5f0e: Pushed
ad6562704f37: Pushed
latest: digest: sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 size: 1570

 2.1.1  在harbor仓看查看

2.2 模拟客户端拉取镜像

2.2.1 在一台新的客户端主机安装docker

第一步
在已经安装好docker的服务端,将客户端安装所需要的文件传输过去

[root@lnmp0 harbor]# cd /etc/yum.repos.d/
[root@lnmp0 yum.repos.d]# ls
CentOS-Base.repo  docker-ce.repo  dvd.repo  redhat.repo
[root@lnmp0 yum.repos.d]# scp CentOS-Base.repo docker-ce.repo  
192.168.2.101:/etc/yum.repos.d/              ##传输所需要的软件仓库
The authenticity of host '192.168.2.101 (192.168.2.101)' can't be established.
ECDSA key fingerprint is SHA256:oxRnSm4XrBlUdoFCUSi1NBOeYPPBORULxDng7a3I9FU.
ECDSA key fingerprint is MD5:5b:9c:8a:6b:86:b9:3a:0f:fe:89:02:a0:f3:e2:b6:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.101' (ECDSA) to the list of known hosts.
root@192.168.2.101's password:
CentOS-Base.repo                                                                                     100%  949   896.9KB/s   00:00
docker-ce.repo                                                                                       100%  151   198.1KB/s   00:00
第二步
在客户端下载,启动docker-ce

[root@lnmp1 ~]# cd /etc/yum.repos.d/
[root@lnmp1 yum.repos.d]# ls
CentOS-Base.repo  docker-ce.repo  dvd.repo  redhat.repo
[root@lnmp1 yum.repos.d]# yum repolist       ##刷新软件源
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
base                                                                                                            | 3.6 kB  00:00:00
docker-ce-stable                                                                                                | 3.5 kB  00:00:00
file:///media/repodata/repomd.xml: [Errno 14] curl#37 - "Couldn't open file /media/repodata/repomd.xml"
Trying other mirror.
extras                                                                                                          | 2.9 kB  00:00:00
.......
[root@lnmp1 yum.repos.d]# yum install docker-ce -y     ##下载docker-ce
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
file:///media/repodata/repomd.xml: [Errno 14] curl#37 - "Couldn't open file /media/repodata/repomd.xml"
Trying other mirror.
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 3:20.10.17-3.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Processing Dependency: containerd.io >= 1.4.1 for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Processing Dependency: docker-ce-cli for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Processing Dependency: docker-ce-rootless-extras for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Running transaction check
.........
第三步
现在直接拉取镜像,会因为没有用户认证失败的,所以还要将服务端的认证文件传输到客户端
[root@lnmp0 docker]# scp -r certs.d/ 192.168.2.101:/etc/docker/    ##认证文件
root@192.168.2.101's password:
redhat-entitlement-authority.crt                                                                     100% 2626     1.5MB/s   00:00
ca.crt                                                                                               100% 2159     5.3MB/s   00:00
[root@lnmp0 docker]# scp /etc/docker/daemon.json 192.168.2.101:/etc/docker/    ##镜像加速器文件
root@192.168.2.101's password:
daemon.json                                                                                          100%   65   136.0KB/s   00:00
第四步
在客户端添加服务端的主机解析,更改镜像加速器文件
[root@lnmp1 yum.repos.d]# vim /etc/hosts
[root@lnmp1 yum.repos.d]# cat /etc/hosts    
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.100 lnmp0   reg.westos.org          ##添加服务端的解析
[root@lnmp1 yum.repos.d]# cd
[root@lnmp1 ~]# cd /etc/docker/
[root@lnmp1 docker]# ls
certs.d  daemon.json  key.json
[root@lnmp1 docker]# vim daemon.json
[root@lnmp1 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.westos.org"]   ##将镜像加速文件中的域名更改为服务端的域名和解析文件保持一致
}
[root@lnmp1 docker]# systemctl restart docker.service   ##重新启动docker

2.3 客户端拉取镜像测试

[root@lnmp1 docker]# systemctl restart docker.service
[root@lnmp1 docker]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
42c077c10790: Pull complete
62c70f376f6a: Pull complete
915cc9bd79c2: Pull complete
75a963e94de0: Pull complete
7b1fab684d70: Pull complete
db24d06d5af4: Pull complete
Digest: sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest

2.4 在harbor仓库查看是否有客户端拉取镜像的记录

harbor仓库有客户端拉取镜像日志记录,证明在客户端拉取镜像成功

3. docker-compose的使用

 docker-compose ps        ##查看正在运行中的容器
 docker-compose restart   ##重新启动停止运行的仓库

docker-compose只能在harbor目录下使用,其他目录下不可使用

[root@lnmp0 docker]# docker-compose ps
no configuration file provided: not found
[root@lnmp0 docker]# cd harbor/
[root@lnmp0 harbor]# docker-compose ps
NAME                COMMAND                  SERVICE             STATUS              PORTS
harbor-core         "/harbor/entrypoint.…"   core                running (healthy)
harbor-db           "/docker-entrypoint.…"   postgresql          running (healthy)
harbor-jobservice   "/harbor/entrypoint.…"   jobservice          running (healthy)
harbor-log          "/bin/sh -c /usr/loc…"   log                 running (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       "nginx -g 'daemon of…"   portal              running (healthy)
nginx               "nginx -g 'daemon of…"   proxy               running (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp, :::80->8080/tcp, :::443->8443/tcp
redis               "redis-server /etc/r…"   redis               running (healthy)
registry            "/home/harbor/entryp…"   registry            running (healthy)
registryctl         "/home/harbor/start.…"   registryctl         running (healthy)

3.1 增加harbor的容器选项

[root@lnmp0 harbor]# ./install.sh --halp              ##查看可增加的选项

Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@lnmp0 harbor]# ./install.sh --with-notary --with-trivy --with-chartmuseum   ##添加完选项后重新运行脚本

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.17

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.5.0
.........
 ⠿ Container nginx                    Started                                                                                     4.1s
✔ ----Harbor has been installed and started successfully.----

3.2 在harbor仓库查看新增的选项(要重新登录)

 4 . 镜像签名的部署

4.1 部署根证书

[root@lnmp0 ~]# mkdir -p ~/.docker/tls/reg.westos.org:4443/
[root@lnmp0 ~]# cp /etc/docker/certs.d/reg.westos.org/ca.crt ~/.docker/tls/reg.westos.org\:4443/

4.2 启用docker内容信任

[root@lnmp0 harbor]# export DOCKER_CONTENT_TRUST=1    ##激活内容信任
[root@lnmp0 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443  ##告诉docker内容信任服务器及端口

4.3 上传镜像

[root@lnmp0 ~]# docker tag centos:latest reg.westos.org/library/centos:latest
[root@lnmp0 ~]# docker push reg.westos.org/library/centos:latest

4. 4 删除签名

[root@lnmp0 ~]# docker trust revoke reg.westos.org/library/nginx:latest

5 docker 仓库子命令

docker search                 ##查询镜像
docker pull                   ##拉取镜像
docker push                   ##上传镜像
docker login                  ##登录仓库
docker logout                 ##登出仓库

posted @ 2023-03-16 19:48  yunyeblog  阅读(151)  评论(0编辑  收藏  举报  来源