Building an enterprise-grade image registry with Harbor
阿新 • Published: 2021-08-09
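Building an enterprise-grade image registry
Harbor is an image registry open-sourced by VMware. It extends Docker Registry with enterprise features, which has led to wider adoption. These features include a management UI, role-based access control, AD/LDAP integration, and audit logging, enough to meet enterprise needs.
Official site: https://vmware.github.io/barbor/cn/
Installing Harbor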
docker-harbor-2-3-0.tar.gz
wget https://github.com/goharbor/harbor/releases/download/v2.3.1/harbor-offline-installer-v2.3.1.tgz
tar xf harbor-offline-installer-v2.3.1.tgz -C /usr/local
cd /usr/local/harbor
vi harbor.yml
Change hostname to this machine's IP address:
#hostname: reg.mydomain.com
hostname: 192.168.3.250
Save the file when done.
Prepare the Harbor registry:
[root@master1 harbor]# ./prepare
# Note: installing Harbor depends on two things, docker and docker compose.
docker is already installed, so now install docker compose.
If you run the installer without it, it also reminds you that docker-compose is missing:
Note: docker version: 19.03.7
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again
0. Generate the CA certificate:
mkdir /data/ssl -p
cd /data/ssl/
openssl genrsa -out ca.key 3072
# Generates a 3072-bit key, i.e. the private key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
[root@localhost ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #<--------- enter CN
State or Province Name (full name) []:SH #<---------- enter SH
Locality Name (eg, city) [Default City]:SH #<---------- enter SH
Organization Name (eg, company) [Default Company Ltd]: #<---------- press Enter for all the fields below
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# Directory with the generated certificates: /data/ssl
[root@localhost ssl]# ll
total 8
-rw-r--r-- 1 root root 2459 Aug 8 23:39 ca.key
-rw-r--r-- 1 root root 1574 Aug 8 23:41 ca.pem
# This generates the certificate ca.pem; 3650 is the validity period in days (about 10 years). Fill in the fields marked with arrows and leave the others empty.
# Next, generate a certificate for the domain name:
openssl genrsa -out harbor.key 3072
[root@localhost ssl]# openssl req -new -key harbor.key -out harbor.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:harbor
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Sign the certificate:
[root@localhost ssl]# openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
# Output:
Signature ok
subject=/C=CN/ST=SH/L=SH/O=Default Company Ltd/CN=harbor
Getting CA Private Key
1. Install docker compose:
git clone https://github.com/docker/compose.git or upload compose:
https://www.chenleilei.net/soft/docker/docker-compose-Linux-x86_64.tar.gz
It is also included in the course material 第一階段重新認識Docker課件.zip; upload docker-compose
[root@master1 harbor]# tar xf docker-compose-Linux-x86_64.tar.gz
[root@master1 harbor]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
[root@master1 harbor]# chmod +x /usr/bin/docker-compose
2. Install Harbor
wget https://www.chenleilei.net/soft/k8s/harbor-offline-installer-v2.3.0-rc3.tgz
[root@master1 ~]# tar -xf harbor-offline-installer-v2.3.0-rc3.tgz -C /usr/local/
[root@master1 ~]# cd /usr/local/harbor
[root@master1 ~]# vi harbor.yml
1. Change hostname to this machine's IP address
#hostname: reg.mydomain.com   (comment this line out and put the local IP below)
hostname: 192.168.3.250
2. Add the SSL certificate
# Location of the generated certificate files:
/data/ssl/harbor.pem
/data/ssl/harbor.key
# Add them to harbor.yml
Find the following section:
# https related config
# https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
Change it to:
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/ssl/harbor.pem
private_key: /data/ssl/harbor.key
Save the file when done.
# Optional: if you have the image archive, load it directly; otherwise let the installer download the images
# Load directly:
[root@localhost harbor]# docker load -i docker-harbor-2-3-0.tar.gz
# Without the archive, go straight to the initialization below.
3. Initialize Harbor:
[root@master1 harbor]# ./prepare
# Error reported: ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
# Comment out https port: 443 and run it again
[root@master1 harbor]# ./install.sh # install; to start it afterwards, just use /harbor/start.sh
Expected output:
Note: stopping existing Harbor instance ...
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing registryctl ... done
Removing harbor-portal ... done
Removing registry ... done
Removing harbor-db ... done
Removing redis ... done
Removing harbor-log ... done
Removing network harbor_harbor
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating redis ... done
Creating registryctl ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
# Seeing this line means the installation succeeded
4. If Harbor did not start normally, start it manually:
[root@master1 harbor]# docker-compose up
[root@master1 harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
After a successful start, check the status:
[root@localhost harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------------------------
harbor-core /harbor/entrypoint.sh Up (healthy)
harbor-db /docker-entrypoint.sh 96 13 Up (healthy)
harbor-jobservice /harbor/entrypoint.sh Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,:::80->8080/tcp, 0.0.0.0:443->8443/tcp,:::443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy)
registry /home/harbor/entrypoint.sh Up (healthy)
registryctl /home/harbor/start.sh Up (healthy)
# If the status you see looks like this:
Can't find a suitable configuration file in this directory or any
parent. Are you in the right directory?
Supported filenames: docker-compose.yml, docker-compose.yaml
then you are probably not in the harbor directory, or the command is not set up. Change into the harbor directory and check again.
4. Check Harbor's startup status:
[root@k8s-master2 harbor]# ps -ef|grep harbor
root 101657 101620 0 16:18 ? 00:00:00 /bin/sh /harbor/start.sh
root 101934 101657 0 16:18 ? 00:00:00 sudo -E -u #10000 /harbor/harbor_registryctl -c /etc/registryctl/config.yml
10000 101939 101934 0 16:18 ? 00:00:00 /harbor/harbor_registryctl -c /etc/registryctl/config.yml
10000 101970 101952 0 16:18 ? 00:00:00 /harbor/harbor_core
10000 102052 102035 0 16:18 ? 00:00:00 /harbor/harbor_jobservice -c /etc/jobservice/config.yml
root 102587 45443 0 16:19 pts/1 00:00:00 grep --color=auto harbor
5. Configuration before accessing Harbor:
Because HTTPS is configured, a hosts entry is needed [add it to the hosts file on Windows]:
192.168.3.250 harbor.com
5. Log in to Harbor
Default account and password:
admin
Harbor12345
Create a project in Harbor
Day-to-day use of Harbor
Harbor users need to be created and assigned to operations or development staff.
How do you push an image to Harbor?
First build an image locally with a Dockerfile:
FROM centos:7
LABEL maintainer www.chenleilei.net
RUN useradd www -u 1200 -M -s /sbin/nologin
RUN mkdir -p /var/log/nginx
RUN yum install -y cmake pcre pcre-devel openssl openssl-devel gd-devel \
    zlib-devel gcc gcc-c++ net-tools iproute telnet wget curl &&\
    yum clean all && \
    rm -rf /var/cache/yum/*
RUN wget https://www.chenleilei.net/soft/nginx-1.16.1.tar.gz
RUN tar xf nginx-1.16.1.tar.gz
WORKDIR nginx-1.16.1
RUN ./configure --prefix=/usr/local/nginx --with-http_image_filter_module --user=www --group=www \
    --with-http_ssl_module --with-http_v2_module --with-http_stub_status_module \
    --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx/nginx.pid
RUN make -j 4 && make install && \
    rm -rf /usr/local/nginx/html/* && \
    echo "leilei hello" >/usr/local/nginx/html/index.html && \
    rm -rf nginx* && \
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log
RUN chown -R www.www /var/log/nginx
ENV LOG_DIR /var/log/nginx
ENV PATH $PATH:/usr/local/nginx/sbin
#COPY nginx.conf /usr/local/nginx/conf/nginx.conf
EXPOSE 80
WORKDIR /usr/local/nginx
CMD ["nginx","-g","daemon off;"]
# Run the image:
docker run --name ngix-test-001 -d -p 81:80 nginx-test-v001
Access test:
Push the image to Harbor
Push the image:
1. Tag the image
docker tag nginx:v1 192.168.31
The push to Harbor fails:
[root@k8s-master2 ~]# docker push 192.168.3.250/library/nginx-test-v001:v1
The push refers to repository [192.168.3.250/library/nginx-test-v001]
Get https://192.168.3.250/v2/: dial tcp 192.168.3.250:443: connect: connection refused
Cause: Harbor is accessed over HTTPS by default, so the registry has to be added as trusted, and the only trusted range that docker info shows is the local 127.0.0.0 network:
Insecure Registries:
127.0.0.0/8
So we need to add the registry's address as trusted. How?
Fixing the failed push to Harbor:
1. Edit /etc/docker/daemon.json and add the following line:
"insecure-registries": ["192.168.3.250"]
The IP here is the address of the Harbor registry.
Result:
[root@k8s-master2 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.3.250"]
}
2. Restart docker
systemctl restart docker
3. Restart docker-compose
[root@k8s-master2 ~]# cd /usr/local/harbor
[root@k8s-master2 harbor]# docker-compose up -d
harbor-log is up-to-date
Starting redis ... done
Starting registryctl ... done
Starting harbor-portal ... done
Starting harbor-db ... done
Starting registry ... done
Starting harbor-core ... done
Starting nginx ... done
Starting harbor-jobservice ... done
4. Access test:
[root@k8s-master2 harbor]# docker push 192.168.3.250/library/nginx-test-v001:v1
The push refers to repository [192.168.3.250/library/nginx-test-v001]
16993e70a899: Preparing
0421a59391fa: Preparing
f05ef613e381: Preparing
4ab7410d5afa: Preparing
b27e978348d3: Preparing
d22782d861b3: Waiting
0ce0bd1d9b33: Waiting
cf2a9408f4c6: Waiting
77b174a6a187: Waiting
denied: requested access to the resource is denied
## Access denied; you need to log in here.
5. Log in to Harbor with docker
Default account and password:
admin
Harbor12345
[root@k8s-master2 harbor]# docker login 192.168.3.250
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded <---- login succeeded
6. Create the test project in Harbor's web UI
7. Push the image:
[root@k8s-master2 harbor]# docker tag nginx:1.20 192.168.3.250/test/nginx:1.20
[root@k8s-master2 harbor]# docker push 192.168.3.250/test/nginx:1.20
The push refers to repository [192.168.3.250/library/nginx-test-v001]
16993e70a899: Pushed
0421a59391fa: Pushed
f05ef613e381: Pushed
4ab7410d5afa: Pushed
b27e978348d3: Pushed
d22782d861b3: Pushed
0ce0bd1d9b33: Pushed
cf2a9408f4c6: Pushed
77b174a6a187: Pushed
v1: digest: sha256:6483a2324e2e0653d19df3f8fdc2aa46c77f83cd9f2d0ae7f3d5a6be8c42a74f size: 2206
Check the image:
Push steps, summarized
1. Add Harbor as a trusted registry, then restart docker
[root@harbor harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["192.168.3.250", "192.168.3.82"]
}
[root@harbor harbor]# systemctl restart docker
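2. Tag the image to be uploaded
docker tag nginx:1.20 192.168.3.250/test/nginx:1.20
When tagging, mind the project name on Harbor: if the project is not named test, retag the image with the correct project name.
3. Log in to the registry. Default account admin, default password Harbor12345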
docker login 192.168.3.250
4. Push to the target repository.
docker push 192.168.3.250/test/nginx:1.20
View the image registry:
Pulling the image on other servers
docker pull 192.168.3.250/library/nginx-test-v001:v1
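Pull the image:
1. Add the registry as trusted:
[root@k8s-node2 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.3.250"]
}
#<--------- insecure-registries is where the Harbor registry server address is added; for replication it is best to list it on both sides
2. Restart docker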
[root@k8s-node2 ~]# systemctl restart docker.service
3. Pull the image:
[root@k8s-node02 ~]# docker pull 192.168.3.250/test/nginx:1.20
1.20: Pulling from test/nginx
33847f680f63: Pull complete
b89def51dd13: Pull complete
f3c07eca8dff: Pull complete
2f0bc188d92e: Pull complete
412cc00cedb9: Pull complete
b7768597b864: Pull complete
Digest: sha256:fcc42aef11edacef6408663bb3e8ebb0f83cf1d958a0cb97973106cb7f618e49
Status: Downloaded newer image for 192.168.3.250/test/nginx:1.20
192.168.3.250/test/nginx:1.20
4. List the images:
[root@k8s-node02 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.3.250/test/nginx 1.20 766b39f5021c 2 weeks ago 133MB
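The push and pull steps above depend on every client listing the registry under insecure-registries: the certificate signed earlier carries CN=harbor and no subjectAltName, so a Docker client cannot validate it for 192.168.3.250. The following is an added example, not part of the original post: it issues the server certificate with SAN entries for the registry name and IP, creates the private keys with mode 0600 (the listings on this page show them as -rw-r--r--), and installs the CA in Docker's per-registry trust directory so that no insecure-registries entry is needed. The function names are illustrative assumptions; harbor.com and 192.168.3.250 are the addresses used on this page.

```bash
#!/usr/bin/env bash
# Added example: function names are illustrative, not from the original post.

# issue_registry_cert OUTDIR DNS_NAME IP
# Creates ca.key/ca.pem and harbor.key/harbor.pem in OUTDIR. The server
# certificate carries subjectAltName entries for DNS_NAME and IP.
issue_registry_cert() {
    irc_outdir=$1 irc_dns=$2 irc_ip=$3
    mkdir -p "$irc_outdir" || return 1
    (
        cd "$irc_outdir" || exit 1
        umask 077    # every file created below, private keys included, is 0600

        # Minimal OpenSSL config so the CA certificate is marked as a CA.
        printf '%s\n' \
            '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
            'prompt = no' \
            '[dn]' 'C = CN' 'ST = SH' 'L = SH' 'CN = Harbor example CA' \
            '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
            'keyUsage = critical, keyCertSign, cRLSign' > ca.cnf

        # Extensions copied into the server certificate when it is signed.
        printf '%s\n' \
            "subjectAltName = DNS:$irc_dns, IP:$irc_ip" \
            'basicConstraints = CA:FALSE' \
            'extendedKeyUsage = serverAuth' > san.ext

        openssl genrsa -out ca.key 3072 &&
        openssl req -new -x509 -days 3650 -key ca.key -config ca.cnf -out ca.pem &&
        openssl genrsa -out harbor.key 3072 &&
        openssl req -new -key harbor.key -config ca.cnf \
            -subj "/C=CN/ST=SH/L=SH/CN=$irc_dns" -out harbor.csr &&
        openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -extfile san.ext -days 3650 -out harbor.pem &&
        chmod 644 ca.pem harbor.pem    # certificates are public; keys stay 0600
    )
}

# cert_sans CERT
# Prints the subjectAltName line of CERT (empty if the extension is absent).
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# install_registry_ca CA_PEM REGISTRY [CERTS_ROOT]
# Docker trusts CERTS_ROOT/REGISTRY/ca.crt for that registry only;
# CERTS_ROOT defaults to /etc/docker/certs.d.
install_registry_ca() {
    ica_root=${3:-/etc/docker/certs.d}
    mkdir -p "$ica_root/$2" && cp "$1" "$ica_root/$2/ca.crt"
}

# Usage (run as root):
#   on the Harbor host:      issue_registry_cert /data/ssl harbor.com 192.168.3.250
#   on every Docker client:  install_registry_ca /data/ssl/ca.pem 192.168.3.250
```

With the CA installed this way, the `"insecure-registries"` entry for 192.168.3.250 can be dropped from daemon.json, provided https is left enabled in harbor.yml.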
Harbor replication [image replication]
1. Install Harbor on the new server
scp -r [email protected]:/usr/local/harbor/docker-harbor-2-3-0.tar.gz ./
scp -r [email protected]:/root/harbor-offline-installer-v2.3.0-rc3.tgz ./
docker load -i docker-harbor-2-3-0.tar.gz
tar xf harbor-offline-installer-v2.3.0-rc3.tgz -C /usr/local
cd /usr/local/harbor
cp harbor.yml.tmpl harbor.yml
vi harbor.yml
Change hostname to this machine's IP address
#hostname: reg.mydomain.com
hostname: 192.168.3.82
# Configure https
https:
# https port for harbor, default is 443
port: 443
# These are the generated certificate files
certificate: /data/ssl/harbor.pem
private_key: /data/ssl/harbor.key
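Save the file when done.
# Note: installing Harbor depends on two things, docker and docker compose.
docker is already installed, so now install docker compose.
If you run the installer without it, it also reminds you that docker-compose is missing: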
Note: docker version: 19.03.7
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again
0. Generate the CA certificate:
mkdir /data/ssl -p
cd /data/ssl/
openssl genrsa -out ca.key 3072
# Generates a 3072-bit key, i.e. the private key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
[root@localhost ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #<--------- enter CN
State or Province Name (full name) []:SH #<---------- enter SH
Locality Name (eg, city) [Default City]:SH #<---------- enter SH
Organization Name (eg, company) [Default Company Ltd]: #<---------- press Enter for all the fields below
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# Directory with the generated certificates: /data/ssl
[root@localhost ssl]# ll
total 8
-rw-r--r-- 1 root root 2459 Aug 8 23:39 ca.key
-rw-r--r-- 1 root root 1574 Aug 8 23:41 ca.pem
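# This generates the certificate ca.pem; 3650 is the validity period in days (about 10 years). Fill in the fields marked with arrows and leave the others empty.
# Next, generate a certificate for the domain name: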
openssl genrsa -out harbor.key 3072
[root@localhost ssl]# openssl req -new -key harbor.key -out harbor.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:harbor
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Sign the certificate:
[root@localhost ssl]# openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
# Output:
Signature ok
subject=/C=CN/ST=SH/L=SH/O=Default Company Ltd/CN=harbor
Getting CA Private Key
[root@k8s-master02 ssl]# ll
total 24
-rw-r--r-- 1 root root 2459 Aug 9 18:30 ca.key
-rw-r--r-- 1 root root 1574 Aug 9 18:32 ca.pem
-rw-r--r-- 1 root root 17 Aug 9 18:39 ca.srl
-rw-r--r-- 1 root root 1305 Aug 9 18:36 harbor.csr
-rw-r--r-- 1 root root 2459 Aug 9 18:33 harbor.key
-rw-r--r-- 1 root root 1456 Aug 9 18:39 harbor.pem
1. Install docker compose:
git clone https://github.com/docker/compose.git or upload compose:
https://www.chenleilei.net/soft/docker/docker-compose-Linux-x86_64.tar.gz
It is also included in the course material 第一階段重新認識Docker課件.zip; upload docker-compose
[root@master1 harbor]# tar xf docker-compose-Linux-x86_64.tar.gz
[root@master1 harbor]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
[root@master1 harbor]# chmod +x /usr/bin/docker-compose
2. Install Harbor
wget https://www.chenleilei.net/soft/k8s/harbor-offline-installer-v2.3.0-rc3.tgz
[root@master1 ~]# tar -xf harbor-offline-installer-v2.3.0-rc3.tgz -C /usr/local/
[root@master1 ~]# cd /usr/local/harbor
[root@master1 ~]# vi harbor.yml
1. Change hostname to this machine's IP address
#hostname: reg.mydomain.com   (comment this line out and put the local IP below)
hostname: 192.168.3.250
3. Add the SSL certificate
# Location of the generated certificate files:
/data/ssl/harbor.pem
/data/ssl/harbor.key
# Add them to harbor.yml
Find the following section:
# https related config
# https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
Change it to:
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/ssl/harbor.pem
private_key: /data/ssl/harbor.key
Save the file when done.
3. Initialize Harbor:
[root@master1 harbor]# ./prepare
# Error reported: ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
# Comment out https port: 443 and run it again
[root@master1 harbor]# ./install.sh # install; to start it afterwards, just use /harbor/start.sh
Expected output:
Note: stopping existing Harbor instance ...
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing registryctl ... done
Removing harbor-portal ... done
Removing registry ... done
Removing harbor-db ... done
Removing redis ... done
Removing harbor-log ... done
Removing network harbor_harbor
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating redis ... done
Creating registryctl ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
# Seeing this line means the installation succeeded
4. If Harbor did not start normally, start it manually:
[root@master1 harbor]# docker-compose up
[root@master1 harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
After a successful start, check the status:
[root@k8s-master02 harbor]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------------------------------------------------------------------
harbor-core /harbor/entrypoint.sh Up (health: starting)
harbor-db /docker-entrypoint.sh 96 13 Up (health: starting)
harbor-jobservice /harbor/entrypoint.sh Up (health: starting)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (health: starting) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (health: starting)
nginx nginx -g daemon off; Up (health: starting) 0.0.0.0:80->8080/tcp,:::80->8080/tcp, 0.0.0.0:443->8443/tcp,:::443->8443/tcp
redis redis-server /etc/redis.conf Up (health: starting)
registry /home/harbor/entrypoint.sh Up (health: starting)
registryctl /home/harbor/start.sh Up (health: starting)
# If the status you see looks like this:
Can't find a suitable configuration file in this directory or any
parent. Are you in the right directory?
Supported filenames: docker-compose.yml, docker-compose.yaml
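then you are probably not in the harbor directory, or the command is not set up. Change into the harbor directory and check again.
4. Check Harbor's startup status: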
[root@k8s-master2 harbor]# ps -ef|grep harbor
root 101657 101620 0 16:18 ? 00:00:00 /bin/sh /harbor/start.sh
root 101934 101657 0 16:18 ? 00:00:00 sudo -E -u #10000 /harbor/harbor_registryctl -c /etc/registryctl/config.yml
10000 101939 101934 0 16:18 ? 00:00:00 /harbor/harbor_registryctl -c /etc/registryctl/config.yml
10000 101970 101952 0 16:18 ? 00:00:00 /harbor/harbor_core
10000 102052 102035 0 16:18 ? 00:00:00 /harbor/harbor_jobservice -c /etc/jobservice/config.yml
root 102587 45443 0 16:19 pts/1 00:00:00 grep --color=auto harbor
5. Configuration before accessing Harbor:
Because HTTPS is configured, a hosts entry is needed [add it to the hosts file on Windows]:
192.168.3.82 harbor.com
6. Log in to Harbor
Default account and password:
admin
Harbor12345
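- On the first Harbor, add the secondary Harbor 192.168.3.82
- On the second Harbor, add replication from harbor1 192.168.3.250
harbor2 configuration
harbor1 configuration:
Test image replication
Push an image to Harbor
Harbor high-availability configuration
haproxy configuration
master01 configuration: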
[root@k8s-master01 etc]# yum install keepalived haproxy -y
[root@k8s-master01 etc]# mkdir /etc/haproxy
[root@k8s-master01 etc]# vim /etc/haproxy/haproxy.cfg
global
maxconn 2000
ulimit-n 16384
log 127.0.0.1 local0 err
stats timeout 30s
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 15s
timeout http-keep-alive 15s
frontend monitor-in
bind *:33305
mode http
option httplog
monitor-uri /monitor
frontend k8s-master
bind 0.0.0.0:16443
bind 127.0.0.1:16443
mode tcp
option tcplog
tcp-request inspect-delay 5s
default_backend k8s-master
backend k8s-master
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server harbor 192.168.3.250:6443 check
server k8s-master02 192.168.3.82:6443 check
# master02 configuration:
[root@k8s-master01 etc]# yum install keepalived haproxy -y
[root@k8s-master01 etc]# mkdir /etc/haproxy
[root@k8s-master01 etc]# vim /etc/haproxy/haproxy.cfg
global
maxconn 2000
ulimit-n 16384
log 127.0.0.1 local0 err
stats timeout 30s
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 15s
timeout http-keep-alive 15s
frontend monitor-in
bind *:33305
mode http
option httplog
monitor-uri /monitor
frontend k8s-master
bind 0.0.0.0:16443
bind 127.0.0.1:16443
mode tcp
option tcplog
tcp-request inspect-delay 5s
default_backend k8s-master
backend k8s-master
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server harbor 192.168.3.250:6443 check
server k8s-master02 192.168.3.82:6443 check
keepalived configuration
192.168.3.82:
mkdir -p /etc/keepalived
vim /etc/keepalived/keepalived.conf
#--------------------------------------
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
script_user root
enable_script_security
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state MASTER
interface eth0
mcast_src_ip 192.168.3.82
virtual_router_id 51
priority 101
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
192.168.3.200
}
track_script {
chk_apiserver
}
}
#--------------------------------------
192.168.3.250:
mkdir -p /etc/keepalived
vim /etc/keepalived/keepalived.conf
#--------------------------------------
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
script_user root
enable_script_security
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state MASTER
interface eth0
mcast_src_ip 192.168.3.250
virtual_router_id 51
priority 101
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
192.168.3.120
}
track_script {
chk_apiserver
}
}
#--------------------------------------
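Health check:
Configure the health check script on both servers:
vim /etc/keepalived/check_apiserver.sh
#!/bin/bash
# Probe for a running haproxy up to three times, one second apart.
err=0
for k in $(seq 1 3)
do
check_code=$(pgrep haproxy)
if [[ $check_code == "" ]]; then
err=$(expr $err + 1)
sleep 1
continue
else
err=0
break
fi
done
# Exit non-zero when haproxy was never found, so keepalived's vrrp_script sees the failure.
if [[ $err != "0" ]]; then
exit 1
fi
exit 0
# Add execute permission and start the services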
chmod +x /etc/keepalived/check_apiserver.sh
systemctl daemon-reload
systemctl enable --now haproxy
systemctl enable --now keepalived
# Test that the VIP is reachable from both machines:
[root@harbor harbor]# ping 192.168.3.120
PING 192.168.3.120 (192.168.3.120) 56(84) bytes of data.
64 bytes from 192.168.3.120: icmp_seq=1 ttl=64 time=0.032 ms
[root@k8s-master02 harbor]# ping 192.168.3.120
PING 192.168.3.120 (192.168.3.120) 56(84) bytes of data.
64 bytes from 192.168.3.120: icmp_seq=1 ttl=64 time=0.392 ms
# Add this entry to the hosts file
192.168.3.120 harbor.com
# Restart docker-compose once
[root@harbor harbor]# docker-compose up -d
harbor-log is up-to-date
Starting registry ...
Starting registry ... done
Starting harbor-portal ...
Starting registryctl ... done
Starting redis ... done
harbor-core is up-to-date
Starting harbor-jobservice ... done
Starting nginx ... done
[root@harbor harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
Write the high-availability IP and the custom domain name into the Windows hosts file, then test access by domain name
Check that each IP is reachable