Harbor私有镜像仓库(下)

Harbor私有镜像仓库(下)

链接:https://pan.baidu.com/s/1MAb0dllUwmoOk7TeVCZOVQ
提取码:ldt5
复制这段内容后打开百度网盘手机App,操作更方便哦

7. Harbor HA:环境与准备

  • 全新安装两台harbor,但不要着急执行 ./install (如果用旧的要清理下数据)
  • 要做Harbor高可用,我们需要准备一台NFS服务器共享两台Harbor的数据存储目录,在生产环境中,我们可以选择 Ceph或Glusterfs
  • 我们需要一台Postgres数据库给Harbor的clair漏洞扫描组件使用
  • 我们需要一台MySQL数据库给Harbor使用
  • 我们需要一台redis数据库给session使用
主机名 IP 用途 VIP
Harbor-master 192.168.200.16 Harbor镜像仓库-主 192.168.200.20
Harbor-slave 192.168.200.18 Harbor镜像仓库-备
Docker-client 192.168.200.17 NFS服务器端(Harbor HA文件存储)
LDNS 192.168.200.19 DNS服务器

7.1 在Docker-client上搭建nfs服务端

[root@Docker-client ~]# mkdir -p /data/nfs
[root@Docker-client ~]# yum -y install nfs-utils
[root@Docker-client ~]# rpm -qa nfs-utils
nfs-utils-1.3.0-0.61.el7.x86_64

[root@Docker-client ~]# cat /etc/exports
/data/nfs 192.168.200.0/24(rw,no_root_squash)
[root@Docker-client ~]# systemctl start nfs

7.2 在harbor主和备上创建数据挂载目录,并安装nfs节点支持包

#harbor主备都进行如下操作
[root@Harbor-master ~]# yum -y install nfs-utils
[root@Harbor-master ~]# rpm -qa nfs-utils
nfs-utils-1.3.0-0.61.el7.x86_64
[root@Harbor-master ~]# mkdir -p /data/storage
[root@Harbor-master ~]# mount 192.168.200.17:/data/nfs /data/storage

[root@Harbor-master ~]# df -hT | grep /data/nfs
192.168.200.17:/data/nfs    nfs4       17G  2.8G   15G   17% /data/storage
[root@Harbor-slave ~]# df -hT | grep /data/nfs
192.168.200.17:/data/nfs    nfs4       17G  2.8G   15G   17% /data/storage

7.3 在docker-client(NFS服务器端)启动一个redis容器

#下载一个redis镜像(alpine系统目前docker领域很火,因为它容量很小,比centos小很多)
[root@Docker-client ~]# docker pull redis:alpine
[root@Docker-client ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
mongo                             latest              9c02a5a12c52        41 hours ago        413MB
www.yunjisuan.com/library/mongo   latest              9c02a5a12c52        41 hours ago        413MB
redis                             alpine              d975eaec5f68        13 days ago         51.1MB

#启动redis镜像,映射端口
[root@Docker-client ~]# docker run -dit --name redis_test -p 6379:6379 redis:alpine
448de2a11cf1677c20e7280301ce869d878c2a0a6627019082e44cc337a6d71f
[root@Docker-client ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
448de2a11cf1        redis:alpine        "docker-entrypoint.s…"   5 seconds ago       Up 3 seconds        0.0.0.0:6379->6379/tcp   redis_test

7.4 在docker-client(NFS服务器端)启动一个postgreSQL数据库容器

#下载postgres
[root@Docker-client ~]# docker pull postgres
[root@Docker-client ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
mongo                             latest              9c02a5a12c52        43 hours ago        413MB
www.yunjisuan.com/library/mongo   latest              9c02a5a12c52        43 hours ago        413MB
postgres                          latest              53912975086f        7 days ago          312MB
redis                             alpine              d975eaec5f68        13 days ago         51.1MB
[root@Docker-client ~]# docker run -dit --name postgres_test -p 5432:5432 -e POSTGRES_PASSWORD=123123 postgres
04c883f32fdc8fffb6c9f90539a0093ffb302cbb9d2ec4c4bcb73b90133d3952
[root@Docker-client ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS                    NAMES
04c883f32fdc        postgres            "docker-entrypoint.s…"   12 seconds ago      Up 11 seconds               0.0.0.0:5432->5432/tcp   postgres_test
448de2a11cf1        redis:alpine        "docker-entrypoint.s…"   2 hours ago         Exited (0) 52 minutes ago                            redis_test

7.5 在docker-client(NFS)服务器端启动一个MySQL数据库容器

#下载MySQL5.6版镜像
[root@Docker-client ~]# docker pull mysql:5.6
[root@Docker-client ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
mongo                             latest              9c02a5a12c52        43 hours ago        413MB
www.yunjisuan.com/library/mongo   latest              9c02a5a12c52        43 hours ago        413MB
mysql                             5.6                 7b01f1418bd7        2 days ago          256MB
postgres                          latest              53912975086f        7 days ago          312MB
redis                             alpine              d975eaec5f68        13 days ago         51.1MB
#启动MySQL容器,并映射端口
[root@Docker-client ~]# docker run -dit --name mysql_test -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123123 mysql:5.6 --character-set-server=utf8
bfe4d57f424e27e48553a735aee8e2e1f0d65dc51691069db43bc92986ca4b70
[root@Docker-client ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS                    NAMES
bfe4d57f424e        mysql:5.6           "docker-entrypoint.s…"   11 seconds ago      Up 10 seconds               0.0.0.0:3306->3306/tcp   mysql_test
04c883f32fdc        postgres            "docker-entrypoint.s…"   5 minutes ago       Up 5 minutes                0.0.0.0:5432->5432/tcp   postgres_test
448de2a11cf1        redis:alpine        "docker-entrypoint.s…"   2 hours ago        Up 1 seconds       0.0.0.0:6379->6379/tcp   session

7.6 最后按照用途,我们分别给数据库改一下名称

[root@Docker-client ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS                    NAMES
bfe4d57f424e        mysql:5.6           "docker-entrypoint.s…"   50 seconds ago      Up 49 seconds               0.0.0.0:3306->3306/tcp   mysql_test
04c883f32fdc        postgres            "docker-entrypoint.s…"   6 minutes ago       Up 6 minutes                0.0.0.0:5432->5432/tcp   postgres_test
448de2a11cf1        redis:alpine        "docker-entrypoint.s…"   2 hours ago         Exited (0) 58 minutes ago                            redis_test

[root@Docker-client ~]# docker rename postgres_test clair_db
[root@Docker-client ~]# docker rename mysql_test harbor_db
[root@Docker-client ~]# docker rename redis_test session

[root@Docker-client ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS                      PORTS                    NAMES
bfe4d57f424e        mysql:5.6           "docker-entrypoint.s…"   About a minute ago   Up About a minute           0.0.0.0:3306->3306/tcp   harbor_db
04c883f32fdc        postgres            "docker-entrypoint.s…"   6 minutes ago        Up 6 minutes                0.0.0.0:5432->5432/tcp   clair_db
448de2a11cf1        redis:alpine        "docker-entrypoint.s…"   2 hours ago          Up 10 seconds       0.0.0.0:6379->6379/tcp   session

8. Harbor HA:修改配置

8.1 向mysql_db容器里导入数据表(192.168.200.17)

#在解压后的harbor目录里的ha目录下的registry.sql表导入到我们之前在NFS服务端上创建的MySQL容器里
[root@Harbor-master ~]# cd /data/install/harbor
[root@Harbor-master harbor]# ls
common                    docker-compose.notary.yml  ha          harbor.cfg.bak        install.sh  NOTICE
docker-compose.clair.yml  docker-compose.yml         harbor.cfg  harbor.v1.5.0.tar.gz  LICENSE     prepare

[root@Harbor-master harbor]# tree ha
ha
├── docker-compose.clair.tpl
├── docker-compose.clair.yml
├── docker-compose.tpl
├── docker-compose.yml     #需要修改的配置文件
├── registry.sql           #需要导入的mysql表格
└── sample
    ├── active_active
    │   ├── check.sh
    │   └── keepalived_active_active.conf
    └── active_standby
        ├── check_harbor.sh
        └── keepalived_active_standby.conf

3 directories, 9 files
#Harbor-master本地安装mysql客户端连接程序
[root@Harbor-master harbor]# yum -y install mysql
[root@Harbor-master harbor]# which mysql
/usr/bin/mysql

#远程连接到192.168.200.17(NFS服务器端)的3306端口,导入表registry.sql
[root@Harbor-master harbor]# mysql -uroot -p123123 -h192.168.200.17 -P3306
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.45 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)

MySQL [(none)]> source ha/registry.sql    #导入表格
#以下省略若干。。。
MySQL [registry]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| registry           |
+--------------------+
4 rows in set (0.00 sec)

MySQL [registry]> 

特别提示:如果导入表格出现如下错误
specified key was too long max key length is 767bytes
这是因为导入的表格建立的索引超过mysql默认上线767bytes >=254,因此我们需要修改导入的表

[root@harbor harbor]# cat -n ha/registry.sql | sed -n '220p;291p'
220 repository varchar(256) NOT NULL,    #将256修改成254
291 resource_name varchar(256),          #将256修改成254

#改完之后再进行表格导入就不会报错了

8.2 修改配置文件

#修改/data/install/ha/docker-compose.yml配置文件
[root@Harbor-master harbor]# cat -n ha/docker-compose.yml | sed -n '19p'
    19	      - /data/registry:/storage:z

#修改成我们的nfs共享目录
[root@Harbor-master harbor]# cat -n ha/docker-compose.yml | sed -n '19p'
    19	      - /data/storage:/storage:z
#修改/data/install/harbor.cfg文件
[root@Harbor-master harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p;130p;133p;136p;139p;145p;150p;154p;157p;160p;163p'
    7 hostname = reg.mydomain.com             #harbor的访问域名(不能用IP地址)
   11 ui_url_protocol = http                  #web访问连接方式
   23 ssl_cert = /data/cert/server.crt        #ca证书路径
   24 ssl_cert_key = /data/cert/server.key    #ca密钥路径
   68 harbor_admin_password = Harbor12345     #harbor默认初始密码
  130 db_host = mysql                         #harbor连接的mysql_db的IP
  133 db_password = root123                   #MySQL连接密码
  136 db_port = 3306                          #Mysql连接端口
  139 db_user = root                          #MySQL连接用户
  145 redis_url = redis:6379                  #session连接的redis数据库路径
  150 clair_db_host = postgres                #clair漏洞检测组件连接的数据库IP
  154 clair_db_password = password            #postgres数据库连接密码
  157 clair_db_port = 5432                    #postgres数据库连接端口
  160 clair_db_username = postgres            #默认的连接用户名
  163 clair_db = postgres                     #默认的库名

#修改成如下所示
[root@Harbor-master harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p;130p;133p;136p;139p;145p;150p;154p;157p;160p;163p'
     7	hostname = www.yunjisuan.com
    11	ui_url_protocol = https
    23	ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
    24	ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
    68	harbor_admin_password = Harbor12345
   130	db_host = 192.168.200.17
   133	db_password = 123123
   136	db_port = 3306
   139	db_user = root
   145	redis_url = 192.168.200.17:6379
   150	clair_db_host = 192.168.200.17
   154	clair_db_password = 123123
   157	clair_db_port = 5432
   160	clair_db_username = postgres
   163	clair_db = postgres

9. Harbor HA:启动Harbor

[root@Harbor-master harbor]# pwd
/data/install/harbor
[root@Harbor-master harbor]# ./install.sh --with-clair --ha
#因此使用了自定义存储路径,安装中途需要yes确认

浏览器进行访问测试:http://192.168.200.16

image.png-208.5kB

#在docker-client(NFS共享存储服务器端)进行镜像上传测试:
[root@Docker-client ~]# docker login www.yunjisuan.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@Docker-client ~]# docker tag redis:alpine www.yunjisuan.com/library/redis
[root@Docker-client ~]# docker push www.yunjisuan.com/library/redis
The push refers to repository [www.yunjisuan.com/library/redis]
8fdd7da74c31: Pushed 
2166e8ad934d: Pushed 
c921f5478449: Pushed 
9b8719029b64: Pushed 
bd23b36e1125: Pushed 
1bfeebd65323: Pushed 
latest: digest: sha256:6eed01a8bd56b7b400ddd6c232567b05aa9295e58c92f48b1377642b80a3dfd4 size: 1571

image.png-204.2kB

#查看NFS服务器共享目录
[root@Docker-client ~]# tree /data/nfs/
/data/nfs/
└── docker
    └── registry
        └── v2
            ├── blobs
            │   └── sha256
            │       ├── 05
            │       │   └── 0503825856099e6adb39c8297af09547f69684b7016b7f3680ed801aa310baaa
            │       │       └── data
            │       ├── 33
            │       │   └── 3348f84e43d019f5288bf0f3143725683ec3e95d771af1dc60b2ec08ab33e919
            │       │       └── data
            │       ├── 6e
            │       │   └── 6eed01a8bd56b7b400ddd6c232567b05aa9295e58c92f48b1377642b80a3dfd4
            │       │       └── data
            │       ├── 7a
            │       │   └── 7a3fdc0143e12cb63356b93af0fae6daacaf9fda239e776a8ab5c121ff184dc7
            │       │       └── data
            │       ├── ab
            │       │   └── ab70e0f222721845b57e1a38fa16eee604153e6430df3e209ffc47b2874f3d5d
            │       │       └── data
            │       ├── d4
            │       │   └── d48f315c369d800f68a3c7b2ed1b713df08231f439f3dcdcb7110fa87609fe4e
            │       │       └── data
            │       ├── d9
            │       │   └── d975eaec5f68eddceab6bbc3f8c96fa3418978acd431c2a8cab1d7860372b1d1
            │       │       └── data
            │       └── ec
            │           └── ecf40235d2c75d0220ad5f7c654d05cff5b527ca9f231f4a0203f0c19e5fc519
            │               └── data
            └── repositories
                └── library
                    └── redis
                        ├── _layers
                        │   └── sha256
                        │       ├── 0503825856099e6adb39c8297af09547f69684b7016b7f3680ed801aa310baaa
                        │       │   └── link
                        │       ├── 3348f84e43d019f5288bf0f3143725683ec3e95d771af1dc60b2ec08ab33e919
                        │       │   └── link
                        │       ├── 7a3fdc0143e12cb63356b93af0fae6daacaf9fda239e776a8ab5c121ff184dc7
                        │       │   └── link
                        │       ├── ab70e0f222721845b57e1a38fa16eee604153e6430df3e209ffc47b2874f3d5d
                        │       │   └── link
                        │       ├── d48f315c369d800f68a3c7b2ed1b713df08231f439f3dcdcb7110fa87609fe4e
                        │       │   └── link
                        │       ├── d975eaec5f68eddceab6bbc3f8c96fa3418978acd431c2a8cab1d7860372b1d1
                        │       │   └── link
                        │       └── ecf40235d2c75d0220ad5f7c654d05cff5b527ca9f231f4a0203f0c19e5fc519
                        │           └── link
                        ├── _manifests
                        │   ├── revisions
                        │   │   └── sha256
                        │   │       └── 6eed01a8bd56b7b400ddd6c232567b05aa9295e58c92f48b1377642b80a3dfd4
                        │   │           └── link
                        │   └── tags
                        │       └── latest
                        │           ├── current
                        │           │   └── link
                        │           └── index
                        │               └── sha256
                        │                   └── 6eed01a8bd56b7b400ddd6c232567b05aa9295e58c92f48b1377642b80a3dfd4
                        │                       └── link
                        └── _uploads

44 directories, 18 files

10. Harbor HA:Keepalived安装配置与测试

10.1 首先我们再安装一个harbor-slave备库(192.168.200.18)

重复之前的操作,过程略(harbor HA,域名需要相同)

10.2 进行上传测试

[root@Docker-client ~]# cd /data/nfs/
[root@Docker-client nfs]# docker tag mysql:5.6 www.yunjisuan.com/library/mysql
[root@Docker-client nfs]# docker push www.yunjisuan.com/library/mysql
The push refers to repository [www.yunjisuan.com/library/mysql]
a1e3e0513114: Pushed 
6c621d0720e2: Pushed 
d86d34816513: Pushed 
b314ec235321: Pushed 
812e5f94ac49: Pushed 
d355dacb791d: Pushed 
2f1b41b24201: Pushed 
007a7f930352: Pushed 
c6926fcee191: Pushed 
b78ec9586b34: Pushed 
d56055da3352: Pushed 
latest: digest: sha256:ce58204b5f01bac11838b2ce2f379492841a11206a71a379bb47a68f63d057bf size: 2621

浏览器访问测试:
https://192.168.200.16
https://192.168.200.18

image.png-379.5kB

10.3 Harbor-master和Harbor-slave安装keepalived

#在Harbor-master进行如下操作
[root@Harbor-master harbor]# yum -y install keepalived
[root@Harbor-master harbor]# which keepalived
/usr/sbin/keepalived

[root@Harbor-master harbor]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
    router_id harbor01
}

vrrp_instance VI_1 {
    state MASTER
    interface ens32
    virtual_router_id 55
    priority 150     
    advert_int 1
    authentication {
       auth_type PASS
       auth_pass 1111
   }
   virtual_ipaddress {
   192.168.200.20 dev ens32
   }  
}

[root@Harbor-master harbor]# systemctl start keepalived
[root@Harbor-master harbor]# systemctl enable keepalived
Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.

[root@Harbor-master harbor]# ip addr | grep 192.168.200.20
    inet 192.168.200.20/32 scope global ens32
#在Harbor-slave进行如下操作
[root@Harbor-slave harbor]# yum -y install keepalived
[root@Harbor-slave harbor]# which keepalived
/usr/sbin/keepalived

[root@Harbor-slave harbor]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
    router_id harbor01
}

vrrp_instance VI_1 {
    state MASTER
    interface ens32
    virtual_router_id 55
    priority 100
    advert_int 1
    authentication {
       auth_type PASS
       auth_pass 1111
   }
   virtual_ipaddress {
   192.168.200.20 dev ens32
   }  
}


[root@Harbor-slave harbor]# systemctl start keepalived
[root@Harbor-slave harbor]# systemctl enable keepalived
Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.

[root@Harbor-slave harbor]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: active (running) since 五 2019-07-26 11:56:38 CST; 1min 31s ago
 Main PID: 69765 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─69765 /usr/sbin/keepalived -D
           ├─69766 /usr/sbin/keepalived -D
           └─69767 /usr/sbin/keepalived -D

7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: Registering gratuitous ARP shared channel
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: Opening file '/etc/keepalived/keepalived.conf'.
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: VRRP_Instance(VI_1) removing protocol VIPs.
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: Using LinkWatch kernel netlink reflector...
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: VRRP sockpool: [ifindex(2), proto(112), unicast(0...1)]
7月 26 11:56:38 Harbor-slave Keepalived_healthcheckers[69766]: Opening file '/etc/keepalived/keepalived...'.
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: VRRP_Instance(VI_1) Transition to MASTER STATE
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: VRRP_Instance(VI_1) Received advert with higher p...100
7月 26 11:56:38 Harbor-slave Keepalived_vrrp[69767]: VRRP_Instance(VI_1) Entering BACKUP STATE
7月 26 11:56:38 Harbor-slave systemd[1]: Started LVS and VRRP High Availability Monitor.
Hint: Some lines were ellipsized, use -l to show in full.

10.4 进行VIP切换测试

在Harbor-master上操作
[root@Harbor-master harbor]# ip addr | grep 192.168.200.20
    inet 192.168.200.20/32 scope global ens32
[root@Harbor-master harbor]# systemctl stop keepalived
[root@Harbor-master harbor]# ip addr | grep 192.168.200.20

在Harbor-slave上验证
[root@Harbor-slave harbor]# ip addr | grep 192.168.200.20
    inet 192.168.200.20/32 scope global ens32

在Harbor-master上操作
[root@Harbor-master harbor]# ip addr | grep 192.168.200.20
[root@Harbor-master harbor]# systemctl start keepalived
[root@Harbor-master harbor]# ip addr | grep 192.168.200.20
    inet 192.168.200.20/32 scope global ens32

在Harbor-slave上验证
[root@Harbor-slave harbor]# ip addr | grep 192.168.200.20