harbor


1. What is Harbor

Harbor is an enterprise-class Docker Registry project open-sourced by VMware; its goal is to let users stand up an enterprise-grade Docker registry service quickly.
It builds on the open-source registry from Docker Inc. and adds the features enterprise users ask for: a management UI, role-based access control (RBAC), AD/LDAP integration and audit logging, plus native Chinese-language support.

2. Harbor features

  • Multi-tenant content signing and verification

  • Security and vulnerability scanning

  • Audit logging

  • Identity integration and role-based access control

  • Image replication between instances

  • Extensible API and graphical user interface

  • Internationalization (currently Chinese and English)

3. Deploying the Harbor registry

Installing Harbor directly on a host is cumbersome, so the Harbor project ships it as an application that runs entirely in containers. Those containers depend on backing services such as Redis and a PostgreSQL database (the redis and harbor-db containers in the output below), so a whole set of containers has to be brought up together in the right order; Harbor is therefore deployed and managed with Docker's single-host orchestration tool, Docker Compose.

Harbor expects HTTPS by default. This walkthrough has no certificate, so HTTPS is left disabled. Be aware of what that costs: the admin password sent at login and every image layer pushed or pulled then cross the network in the clear, and every client has to be told to trust the registry as "insecure" (see section 4). For anything beyond a lab, obtain a certificate and fill in the https: section of harbor.yml instead of commenting it out; Harbor's documentation covers generating a self-signed CA and server certificate with openssl if a publicly trusted one is not available.

Install Docker

[root@harbor ~]# cd /etc/yum.repos.d/
[root@harbor yum.repos.d]# curl -o docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
[root@harbor yum.repos.d]#  sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' docker-ce.repo
[root@harbor yum.repos.d]# dnf -y install docker-ce
[root@harbor yum.repos.d]# systemctl enable --now docker.service 
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.

Install docker-compose

//create the Docker CLI plugin directory
[root@harbor ~]# mkdir -p  $HOME/.docker/cli-plugins
[root@harbor ~]# cd $HOME/.docker/cli-plugins
[root@harbor cli-plugins]# pwd
/root/.docker/cli-plugins

//download the docker-compose release (v2.7.0 at the time of writing); before marking it executable, compare the file against the checksum published alongside the release so a tampered download is caught
[root@harbor cli-plugins]# curl -SL https://github.com/docker/compose/releases/download/v2.7.0/docker-compose-linux-x86_64 -o $HOME/.docker/cli-plugins/docker-compose
[root@harbor cli-plugins]# ls
docker-compose

//make the docker-compose binary executable
[root@harbor cli-plugins]# chmod +x docker-compose

//symlink docker-compose into /usr/bin so it is on PATH for every user (note: /root is not readable by other users on most distributions, so in practice only root can follow this link; for a genuinely system-wide install copy the binary to /usr/local/lib/docker/cli-plugins/ or /usr/local/bin/ instead)
[root@harbor cli-plugins]# ln -s $HOME/.docker/cli-plugins/docker-compose /usr/bin/
[root@harbor cli-plugins]# ll /usr/bin/docker-compose 
lrwxrwxrwx 1 root root 40 Aug 11 18:08 /usr/bin/docker-compose -> /root/.docker/cli-plugins/docker-compose

//check the docker-compose version
[root@harbor cli-plugins]# cd
[root@harbor ~]# docker-compose version
Docker Compose version v2.7.0

Deploy the Harbor registry

//download the Harbor offline installer tarball
[root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v2.5.3/harbor-offline-installer-v2.5.3.tgz

//unpack Harbor into /usr/local/
[root@harbor ~]# tar xf harbor-offline-installer-v2.5.3.tgz -C /usr/local/
[root@harbor ~]# cd /usr/local/
[root@harbor local]# ls
bin  etc  games  harbor  include  lib  lib64  libexec  mysql  mysql-5.7.38-linux-glibc2.12-x86_64  sbin  share  src
[root@harbor local]# cd harbor/
[root@harbor harbor]# ls
common.sh  harbor.v2.5.3.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

//copy harbor.yml.tmpl to harbor.yml
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml

//edit harbor.yml
[root@harbor harbor]# vim harbor.yml
hostname: harbor.example.com	//set hostname to this host's real FQDN (not localhost or 127.0.0.1) and, for this HTTP-only lab, comment out every line under the https: section; this is also the moment to replace harbor_admin_password: Harbor12345 with a password of your own
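Before running install.sh it is worth checking harbor.yml mechanically for the settings this lab deliberately leaves weak. The Python script below is an added example, not part of the original post and not Harbor's own tooling: it scans a harbor.yml with regular expressions (the keys it checks are all top-level, so no YAML library is needed) and reports an unset hostname, a disabled https: section or placeholder certificate paths, and the default admin and database passwords. The two configs embedded in it are constructed samples: one mirrors the HTTP-only edit above, the other shows the same keys hardened, with placeholder paths and secrets.

```python
"""Preflight check for harbor.yml before ./install.sh is run.

Added example: not part of the original post and not Harbor's own tooling.
The keys it inspects are all top-level in harbor.yml, so the file is scanned
with regular expressions and no YAML library is needed. It reports:

  * hostname left at the template placeholder (or localhost/127.0.0.1)
  * https: section missing or commented out, or still pointing at the
    template's placeholder certificate paths
  * harbor_admin_password left at the published default Harbor12345
  * database.password left at the template default root123
"""
import re
from typing import List, Optional

DEFAULT_ADMIN_PASSWORD = "Harbor12345"   # documented default, used in the tutorial
TEMPLATE_DB_PASSWORD = "root123"          # default in harbor.yml.tmpl
TEMPLATE_HOSTNAME = "reg.mydomain.com"    # placeholder in harbor.yml.tmpl


def _top_level(text: str, key: str) -> Optional[str]:
    """Value of an uncommented top-level `key:` line, or None."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(.*?)[ \t]*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _nested(text: str, section: str, key: str) -> Optional[str]:
    """Value of `key` inside an uncommented top-level `section:` block, or None.

    The block is every indented (or blank) line below `section:` up to the next
    column-0 line; a commented-out `# https:` therefore never matches.
    """
    block = re.search(rf"^{re.escape(section)}:[ \t]*\n((?:[ \t]+.*\n?|\n)*)",
                      text, re.MULTILINE)
    if not block:
        return None
    m = re.search(rf"^[ \t]+{re.escape(key)}:[ \t]*(.*?)[ \t]*$",
                  block.group(1), re.MULTILINE)
    return m.group(1) if m else None


def preflight(harbor_yml: str) -> List[str]:
    """Return the findings for a harbor.yml; an empty list means it passed."""
    findings = []
    hostname = _top_level(harbor_yml, "hostname")
    if not hostname or hostname in (TEMPLATE_HOSTNAME, "localhost", "127.0.0.1"):
        findings.append("hostname: not the registry's real FQDN/IP")
    cert = _nested(harbor_yml, "https", "certificate")
    key = _nested(harbor_yml, "https", "private_key")
    if not cert or not key:
        findings.append("https: disabled or incomplete; logins and image layers "
                        "will cross the network in the clear")
    elif cert.startswith("/your/") or key.startswith("/your/"):
        findings.append("https: certificate/private_key are template placeholders")
    if _top_level(harbor_yml, "harbor_admin_password") in (None, "", DEFAULT_ADMIN_PASSWORD):
        findings.append("harbor_admin_password: still the published default")
    if _nested(harbor_yml, "database", "password") in (None, "", TEMPLATE_DB_PASSWORD):
        findings.append("database.password: still the template default")
    return findings


# Constructed sample: the tutorial's HTTP-only edit (https: commented out,
# admin password untouched). Only the relevant keys are shown.
HTTP_ONLY_YML = """\
hostname: harbor.example.com
http:
  port: 80
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
data_volume: /data
"""

# Constructed sample: the same keys hardened. Paths and secrets are placeholders.
HARDENED_YML = """\
hostname: harbor.example.com
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/ssl/harbor.example.com.crt
  private_key: /etc/harbor/ssl/harbor.example.com.key
harbor_admin_password: Replace-Me-Before-Install-9f3c
database:
  password: Replace-Me-Too-71ab
  max_idle_conns: 100
data_volume: /data
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python3 harbor_preflight.py /usr/local/harbor/harbor.yml
        targets = [(sys.argv[1], open(sys.argv[1], encoding="utf-8").read())]
    else:
        targets = [("http-only sample", HTTP_ONLY_YML), ("hardened sample", HARDENED_YML)]
    for label, text in targets:
        issues = preflight(text)
        print(f"{label}: {'OK' if not issues else f'{len(issues)} finding(s)'}")
        for issue in issues:
            print("  -", issue)
```

Run it with the path to the real harbor.yml as its only argument; with no argument it checks the two embedded samples, and the HTTP-only one fails on exactly the three points this lab accepts (no https, default admin password, default database password).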

//run install.sh to install and start Harbor
[root@harbor harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.17

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.7.0

[Step 2]: loading Harbor images ...
…………
✔ ----Harbor has been installed and started successfully.----

//list the running containers
[root@harbor harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED              STATUS                    PORTS                                   NAMES
778a5f7cfc86   goharbor/nginx-photon:v2.5.3         "nginx -g 'daemon of…"   About a minute ago   Up 55 seconds (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
f0f00ee12feb   goharbor/harbor-jobservice:v2.5.3    "/harbor/entrypoint.…"   About a minute ago   Up 55 seconds (healthy)                                           harbor-jobservice
5589cd0a4652   goharbor/harbor-core:v2.5.3          "/harbor/entrypoint.…"   About a minute ago   Up 56 seconds (healthy)                                           harbor-core
fccc3f67997e   goharbor/registry-photon:v2.5.3      "/home/harbor/entryp…"   About a minute ago   Up 57 seconds (healthy)                                           registry
903d61f57744   goharbor/harbor-registryctl:v2.5.3   "/home/harbor/start.…"   About a minute ago   Up 57 seconds (healthy)                                           registryctl
44e3c5ebff43   goharbor/redis-photon:v2.5.3         "redis-server /etc/r…"   About a minute ago   Up 57 seconds (healthy)                                           redis
9e79f8278663   goharbor/harbor-portal:v2.5.3        "nginx -g 'daemon of…"   About a minute ago   Up 57 seconds (healthy)                                           harbor-portal
03df4a63d4aa   goharbor/harbor-db:v2.5.3            "/docker-entrypoint.…"   About a minute ago   Up 57 seconds (healthy)                                           harbor-db
318a3991d684   goharbor/harbor-log:v2.5.3           "/bin/sh -c /usr/loc…"   About a minute ago   Up 59 seconds (healthy)   127.0.0.1:1514->10514/tcp               harbor-log

//check the listening ports
[root@harbor harbor]# ss -antl
State           Recv-Q          Send-Q                   Local Address:Port                    Peer Address:Port          Process          
LISTEN          0               128                          127.0.0.1:1514                         0.0.0.0:*                              
LISTEN          0               128                            0.0.0.0:111                          0.0.0.0:*                              
LISTEN          0               128                            0.0.0.0:80                           0.0.0.0:*                              
LISTEN          0               128                            0.0.0.0:22                           0.0.0.0:*                              
LISTEN          0               128                               [::]:111                             [::]:*                              
LISTEN          0               128                               [::]:80                              [::]:*                              
LISTEN          0               128                               [::]:22                              [::]:* 

//add a firewall rule allowing HTTP (port 80) from the client subnet only
[root@harbor harbor]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=192.168.169.0/24 service name=http accept"
success
[root@harbor harbor]# firewall-cmd --reload 
success

Open the Harbor host's IP address in a browser to test access.

Username: admin, password: Harbor12345 (the documented default; change it on first login, or set harbor_admin_password in harbor.yml before installing, since otherwise anyone who can reach port 80 can log in as administrator)

Start Harbor at boot

Harbor is made up of several containers that must come up in a fixed order, so they are managed with docker-compose rather than started by hand, and the docker-compose commands have to be run from Harbor's installation directory (the directory that holds harbor.yml and the generated docker-compose.yml). Note that the generated docker-compose.yml marks every service restart: always, so the Docker daemon normally brings the whole stack back by itself when the system boots; the rc.local hook below is a belt-and-braces measure.

//stop Harbor
[root@harbor harbor]# docker-compose stop
[+] Running 9/9
 ⠿ Container harbor-jobservice  Stopped                                                                                               0.4s
 ⠿ Container registryctl        Stopped                                                                                              10.1s
 ⠿ Container nginx              Stopped                                                                                               0.5s
 ⠿ Container harbor-portal      Stopped                                                                                               0.3s
 ⠿ Container harbor-core        Stopped                                                                                               0.1s
 ⠿ Container harbor-db          Stopped                                                                                               0.3s
 ⠿ Container registry           Stopped                                                                                               0.4s
 ⠿ Container redis              Stopped                                                                                               0.3s
 ⠿ Container harbor-log         Stopped                                                                                              10.1s

//start Harbor
[root@harbor harbor]# docker-compose start
[+] Running 9/9
 ⠿ Container harbor-log         Started                                                                                               0.4s
 ⠿ Container redis              Started                                                                                               2.0s
 ⠿ Container harbor-db          Started                                                                                               2.2s
 ⠿ Container registry           Started                                                                                               1.5s
 ⠿ Container registryctl        Started                                                                                               2.2s
 ⠿ Container harbor-portal      Started                                                                                               1.1s
 ⠿ Container harbor-core        Started                                                                                               0.5s
 ⠿ Container nginx              Started                                                                                               1.6s
 ⠿ Container harbor-jobservice  Started                                                                                               1.6s

//start Harbor at boot
//edit the last script the system runs at boot
[root@harbor harbor]# vim /etc/rc.local	
    cd /usr/local/harbor
    docker-compose start
[root@harbor harbor]# ll /etc/rc.local 
lrwxrwxrwx. 1 root root 13 Dec  2  2020 /etc/rc.local -> rc.d/rc.local
[root@harbor harbor]# ll /etc/rc.d/rc.local 
-rw-r--r--. 1 root root 516 Aug 11 18:41 /etc/rc.d/rc.local
//because /etc/rc.local is a symlink to /etc/rc.d/rc.local, and /etc/rc.d/rc.local is the script that actually gets run, the latter needs execute permission (systemd's rc-local.service only runs it if the file is executable)
[root@harbor harbor]# chmod +x /etc/rc.d/rc.local

//reboot and verify
[root@harbor harbor]# reboot
[root@harbor ~]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED          STATUS                            PORTS                                   NAMES
778a5f7cfc86   goharbor/nginx-photon:v2.5.3         "nginx -g 'daemon of…"   27 minutes ago   Up 8 seconds (health: starting)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
f0f00ee12feb   goharbor/harbor-jobservice:v2.5.3    "/harbor/entrypoint.…"   27 minutes ago   Up 9 seconds (health: starting)                                           harbor-jobservice
5589cd0a4652   goharbor/harbor-core:v2.5.3          "/harbor/entrypoint.…"   27 minutes ago   Up 9 seconds (health: starting)                                           harbor-core
fccc3f67997e   goharbor/registry-photon:v2.5.3      "/home/harbor/entryp…"   27 minutes ago   Up 9 seconds (health: starting)                                           registry
903d61f57744   goharbor/harbor-registryctl:v2.5.3   "/home/harbor/start.…"   27 minutes ago   Up 8 seconds (health: starting)                                           registryctl
44e3c5ebff43   goharbor/redis-photon:v2.5.3         "redis-server /etc/r…"   27 minutes ago   Up 8 seconds (health: starting)                                           redis
9e79f8278663   goharbor/harbor-portal:v2.5.3        "nginx -g 'daemon of…"   27 minutes ago   Up 9 seconds (health: starting)                                           harbor-portal
03df4a63d4aa   goharbor/harbor-db:v2.5.3            "/docker-entrypoint.…"   27 minutes ago   Up 8 seconds (health: starting)                                           harbor-db
318a3991d684   goharbor/harbor-log:v2.5.3           "/bin/sh -c /usr/loc…"   27 minutes ago   Up 9 seconds (health: starting)   127.0.0.1:1514->10514/tcp               harbor-log

4. Using the Harbor registry

Using Harbor from another host (client)

Notes on using Harbor:

  1. Before pushing an image from a client, run docker login to authenticate; an unauthenticated push is refused.
  2. If the registry is not served over HTTPS, the client must list it under insecure-registries in /etc/docker/daemon.json, otherwise the Docker daemon refuses to talk to it.
  3. The data directory (data_volume in harbor.yml) should point at shared storage with plenty of capacity.
  4. Harbor is managed with docker-compose, so stop it with docker-compose stop as well; see docker-compose --help for the other subcommands.

//edit /etc/hosts so the Harbor hostname resolves to the registry's IP
[root@client ~]# vim /etc/hosts
192.168.169.140 harbor.example.com

//edit daemon.json (the file must be valid JSON; the key goes inside the top-level object)
[root@client ~]# vim /etc/docker/daemon.json 
{
	"insecure-registries": ["harbor.example.com"]
}
[root@client ~]# systemctl restart  docker 

//log in to Harbor from the client
[root@client ~]# docker login harbor.example.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
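The two warnings in this step, the insecure-registries entry and Docker's note that the password is stored unencrypted, are easy to lose sight of. The following Python audit script is an added example, not part of the original post and not Docker's or Harbor's tooling: it reads a client's ~/.docker/config.json and /etc/docker/daemon.json and reports which stored credentials are merely base64-encoded, which of them will additionally travel over plain HTTP on every push and pull, and whether any of them is still Harbor's published default. The two input files it embeds are constructed samples mirroring the tutorial's client; the Docker Hub entry and its password are made up.

```python
"""Audit where a Docker client keeps registry credentials and how they travel.

Added example: not part of the original post, and not Docker's or Harbor's
tooling. It reads ~/.docker/config.json (written by `docker login`) and
/etc/docker/daemon.json and reports, per stored credential:

  * that the `auth` field is only base64("user:password"), i.e. readable by
    anything that can read the file, exactly as the login warning says
  * whether the registry is listed under insecure-registries, meaning the
    same credential and every image layer also cross the network unencrypted
  * whether the password is still Harbor's published default

Only the standard library is used. The two sample files are constructed to
mirror the tutorial's client; the Docker Hub entry and its password are made up.
"""
import base64
import json
from pathlib import Path
from typing import Dict, List, Tuple

HARBOR_DEFAULT_PASSWORD = "Harbor12345"

# Constructed: config.json after `docker login harbor.example.com` as admin,
# plus a made-up Docker Hub login for contrast.
SAMPLE_CONFIG_JSON = json.dumps({"auths": {
    "harbor.example.com": {"auth": base64.b64encode(b"admin:Harbor12345").decode()},
    "https://index.docker.io/v1/": {"auth": base64.b64encode(b"ziczhou:s3cret").decode()},
}})

# Constructed: the client's /etc/docker/daemon.json from the tutorial.
SAMPLE_DAEMON_JSON = json.dumps({"insecure-registries": ["harbor.example.com"]})


def stored_credentials(config_json: str) -> Dict[str, Tuple[str, str]]:
    """Map registry -> (user, password) for every inline `auth` entry."""
    creds = {}
    for registry, entry in json.loads(config_json).get("auths", {}).items():
        raw = entry.get("auth")
        if not raw:
            continue  # credential helper / credsStore in use: nothing stored inline
        user, _, password = base64.b64decode(raw).decode().partition(":")
        creds[registry] = (user, password)
    return creds


def insecure_registries(daemon_json: str) -> List[str]:
    """Hosts the daemon may reach over plain HTTP or with an unverified cert."""
    return list(json.loads(daemon_json).get("insecure-registries", []))


def _host(registry: str) -> str:
    """'https://index.docker.io/v1/' -> 'index.docker.io'; 'a.b:5000' -> 'a.b:5000'."""
    return registry.split("://", 1)[-1].split("/", 1)[0]


def audit(config_json: str, daemon_json: str) -> List[dict]:
    """One finding per stored credential (CIDR entries in insecure-registries are
    not expanded; only exact host[:port] matches are recognised here)."""
    insecure = {_host(r) for r in insecure_registries(daemon_json)}
    return [{
        "registry": registry,
        "user": user,
        "default_harbor_password": password == HARBOR_DEFAULT_PASSWORD,
        "plaintext_on_wire": _host(registry) in insecure,
    } for registry, (user, password) in stored_credentials(config_json).items()]


def audit_host() -> List[dict]:
    """Run the audit against this machine's real files (missing file = empty)."""
    cfg = Path.home() / ".docker" / "config.json"
    daemon = Path("/etc/docker/daemon.json")
    return audit(cfg.read_text() if cfg.is_file() else "{}",
                 daemon.read_text() if daemon.is_file() else "{}")


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG_JSON, SAMPLE_DAEMON_JSON):
        print(finding)
```

On the sample data the Harbor entry is flagged on both counts: the admin password is recoverable by anyone who can read config.json, and because harbor.example.com is an insecure registry the same password is also sent in the clear every time the client authenticates. Configuring a credential helper (credsStore) removes the inline auth entry; only HTTPS removes the on-wire exposure.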

//re-tag any local image (bring your own) to a name under the Harbor registry
[root@client ~]# docker tag  ziczhou/httpd:v1.2 harbor.example.com/library/httpd:v1.1

//push the image to the Harbor registry
[root@client ~]# docker push harbor.example.com/library/httpd:v1.1
The push refers to repository [harbor.example.com/library/httpd]
c834b681e8b3: Pushed 
74ddd0ec08fa: Pushed 
v1.1: digest: sha256:cfccdde4c83229980334ac0dfda33334078ed3c7868e1d4b49597fbfb61e8175 size: 742

Verify in the browser that the image now appears in the Harbor registry (project library).

//delete the local copy of harbor.example.com/library/httpd:v1.1
[root@client ~]# docker rmi harbor.example.com/library/httpd:v1.1 
Untagged: harbor.example.com/library/httpd:v1.1
Untagged: harbor.example.com/library/httpd@sha256:cfccdde4c83229980334ac0dfda33334078ed3c7868e1d4b49597fbfb61e8175
[root@client ~]# docker images
REPOSITORY      TAG       IMAGE ID       CREATED         SIZE
ziczhou/httpd   v1.2      d12b6463ed10   44 hours ago    601MB
ziczhou/httpd   v1.1      c1eb5e6a1d69   3 days ago      745MB
busybox         latest    beae173ccac6   7 months ago    1.24MB
httpd           latest    dabbfbe0c57b   7 months ago    144MB
centos          latest    5d0da3dc9764   11 months ago   231MB

//pull harbor.example.com/library/httpd:v1.1 back from Harbor
[root@client ~]# docker pull harbor.example.com/library/httpd:v1.1
v1.1: Pulling from library/httpd
Digest: sha256:cfccdde4c83229980334ac0dfda33334078ed3c7868e1d4b49597fbfb61e8175
Status: Downloaded newer image for harbor.example.com/library/httpd:v1.1
harbor.example.com/library/httpd:v1.1
[root@client ~]# docker images
REPOSITORY                         TAG       IMAGE ID       CREATED         SIZE
ziczhou/httpd                      v1.2      d12b6463ed10   44 hours ago    601MB
harbor.example.com/library/httpd   v1.1      d12b6463ed10   44 hours ago    601MB
ziczhou/httpd                      v1.1      c1eb5e6a1d69   3 days ago      745MB
busybox                            latest    beae173ccac6   7 months ago    1.24MB
httpd                              latest    dabbfbe0c57b   7 months ago    144MB
centos                             latest    5d0da3dc9764   11 months ago   231MB
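The push and the pull above report the same manifest digest (sha256:cfccdde4…), and that digest, not the tag v1.1, is what identifies the bytes that were uploaded: a tag can be re-pointed on the registry by anyone with push rights, a digest cannot. The Python module below is an added example, not part of the original post and not Docker's or Harbor's code; it implements the reference normalisation rules the Docker client applies (why plain httpd means docker.io/library/httpd while harbor.example.com/library/httpd is a Harbor project called library) and turns a tag reference into a digest-pinned one suitable for deployment manifests. The image names and the digest in its usage come from this post; everything else is the example's own.

```python
"""Parse container image references and pin them to a manifest digest.

Added example (not part of the original post, not Docker's or Harbor's code).
Normalisation rules, as applied by the Docker client:

  * the first path component is a registry host if it contains '.' or ':'
    or equals 'localhost'; otherwise the registry is docker.io
  * a docker.io name with no '/' gets the 'library/' prefix
  * ':tag' and '@sha256:<64 hex>' may both be present; the digest is what
    the registry resolves, the tag is kept only for readability
"""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # e.g. "library/httpd"
    tag: Optional[str]
    digest: Optional[str]

    def pinned(self, digest: str) -> "ImageRef":
        """Return the same reference locked to `digest` (tag kept for readability)."""
        if not DIGEST_RE.match(digest):
            raise ValueError(f"not a sha256 digest: {digest!r}")
        return ImageRef(self.registry, self.repository, self.tag, digest)

    def __str__(self) -> str:
        s = f"{self.registry}/{self.repository}"
        if self.tag:
            s += f":{self.tag}"
        if self.digest:
            s += f"@{self.digest}"
        return s


def parse_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest."""
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    tag = None
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository
    return ImageRef(registry, repository, tag, digest)


if __name__ == "__main__":
    # Digest as reported by the push/pull output in this post.
    pushed = "sha256:cfccdde4c83229980334ac0dfda33334078ed3c7868e1d4b49597fbfb61e8175"
    ref = parse_ref("harbor.example.com/library/httpd:v1.1")
    print(ref)
    print(ref.pinned(pushed))   # what to put in a deployment manifest
    print(parse_ref("httpd"))   # the tutorial's local httpd:latest resolves here
```

Compare the digest in a `docker pull` or `docker inspect` against the one recorded at push time; if they differ, the tag was moved. The parser recognises only sha256 digests, which is all the outputs on this page use.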
Posted 2022-08-11 19:01 by Zic师傅