
Harbor Image Registry Deployment


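I. Introduction

Harbor is an open-source, enterprise-grade registry developed by VMware's China R&D team, with good Chinese-language support.

Harbor is an enterprise-grade registry server for storing and distributing Docker images.

Harbor has the following features:

1. Role-based access control - Users and Docker image repositories are organized through "projects"; a user can hold different permissions on multiple repositories within the same namespace (project).

2. Image replication - Images can be replicated (synchronized) across multiple registry instances. This is especially suited to load balancing, high availability, hybrid cloud and multi-cloud scenarios.

3. Graphical user interface - Users can browse and search the Docker image repositories and manage projects and namespaces from a browser.

4. AD/LDAP support - Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorization management.

5. Audit management - Every operation against the image repositories can be recorded and traced for auditing.

6. Internationalization - Localized versions exist for English, Chinese, German, Japanese and Russian. More languages will be added.

7. RESTful API - The RESTful API gives administrators more control over Harbor and makes integration with other management software easier.

8. Simple deployment - Online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).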


II. Where to get Harbor

1. Harbor Chinese website: https://vmware.github.io/harbor/cn/

2. GitHub: https://github.com/vmware/harbor

3. Harbor downloads: https://github.com/vmware/harbor/releases

4. Mirror site for the Harbor binary offline packages: http://harbor.orientsoft.cn/


III. Preparation before installing Harbor

1. Install docker

# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum -y install docker-ce
# docker --version
Docker version 17.06.2-ce, build cec0b72
# systemctl start docker
# systemctl status docker
# systemctl enable docker


2. Install docker-compose

# yum -y install python-pip
# pip install --upgrade pip
# pip -V
pip 9.0.1 from /usr/lib/python2.7/site-packages (python 2.7)
# pip install docker-compose
# docker-compose version
docker-compose version 1.16.1, build 6d1ac219
docker-py version: 2.5.1
CPython version: 2.7.5
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013


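IV. Install Harbor

1. Extract the archive and load the images (note: by the time this document was written, Harbor had been updated to 1.2.2; download it yourself)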

# tar -zxvf harbor-offline-installer-v1.2.0.tgz
# cd harbor
# docker load -i harbor.v1.2.0.tar.gz
# docker images
REPOSITORY                      TAG                 IMAGE ID          CREATED       SIZE
vmware/harbor-log               v1.2.0              c7887347f435    7 weeks ago     200MB
vmware/harbor-jobservice        v1.2.0              1fb18427db11    7 weeks ago     164MB
vmware/harbor-ui                v1.2.0              b7069ac3bd4b    7 weeks ago     178MB
vmware/harbor-adminserver       v1.2.0              a18331f0c1ae    7 weeks ago     142MB
vmware/harbor-db                v1.2.0              deb8033b1c86    7 weeks ago     329MB
vmware/registry                 2.6.2-photon        5d9100e4350e    2 months ago    173MB
vmware/postgresql               9.6.4-photon        c562762cbd12    2 months ago    225MB
vmware/clair                    v2.0.1-photon       f04966b4af6c    3 months ago    297MB
vmware/nginx-photon             1.11.13             285492ff20d6    4 months ago    147MB
vmware/harbor-notary-db         mariadb-10.1.10     64ed814665c6    6 months ago    324MB
vmware/notary-photon            signer-0.5.0        b1eda7d10640    7 months ago    156MB
vmware/notary-photon            server-0.5.0        6e2646682e3c    7 months ago    157MB
photon                          1.0                 e6e4e4a2ba1b    16 months ago   127MB


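2. Configure Harbor

# sed -i "s/reg.mydomain.com/192.168.100.100/g" harbor.cfg
# sed -i "s/sample_admin/admin/g" harbor.cfg     ## this command is purely cosmetic; the related settings are not used
# grep '^[a-z]' harbor.cfg                       ### read through it if you can
### Hostname of Harbor; may be an IP address or a domain name (do not comment out the default line and add a new one)
hostname = 192.168.100.100
### Protocol used for user access, http by default
ui_url_protocol = http
### MySQL database administrator password
db_password = root123
### Maximum number of replication workers in the job service (default 3)
max_job_workers = 3
### Whether to create the private key and root certificate used to generate/verify registry tokens (default on)
customize_crt = on
### Certificate file paths
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
clair_db_password = password
### Mail settings
email_identity = 
### Mail server address
email_server = smtp.mydomain.com
### Mail server port
email_server_port = 25
### Mail user
email_username = [email protected]
### Mail password
email_password = abc
### Sender address
email_from = admin <[email protected]>
### Whether to use SSL encryption
email_ssl = false
### Harbor administrator password
harbor_admin_password = Harbor12345
### Authentication type. Default is db_auth, i.e. credentials are stored in the MySQL database (Harbor also supports local and LDAP authentication)
auth_mode = db_auth
### LDAP endpoint URL; used only when auth_mode is set to ldap_auth
ldap_url = ldaps://ldap.mydomain.com
### Base DN for looking up users; used only when auth_mode is set to ldap_auth
ldap_basedn = ou=people,dc=mydomain,dc=com
### Attribute used to match users during an LDAP search
ldap_uid = uid
### Scope of the user search
ldap_scope = 3
## LDAP timeout
ldap_timeout = 5
### Whether self-registration is allowed (allowed by default)
self_registration = on
### Expiration time of tokens created by the token service (in minutes, default 30)
token_expiration = 30
### Who may create projects: the default is everyone; it can also be set to adminonly (only administrators can create projects)
project_creation_restriction = everyone
### Whether Harbor verifies SSL/TLS certificates when communicating with remote registry instances
verify_remote_cert = on

Note: do not comment out the default hostname line and add a new one; delete the default setting and then set the hostname, otherwise an error occurs.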
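
As an added example (not from the original post or the Harbor project), the script below audits a harbor.cfg for the values this walkthrough leaves unchanged: http, the shipped passwords and open self-registration. The function names and the sample file are constructed for illustration; the key names are the ones shown above.

```shell
#!/bin/sh
# Added example: audit a harbor.cfg for values carried over unchanged from
# the walkthrough above. Key names are the Harbor v1.2 ones shown on this page.

# cfg_get FILE KEY: print the value of "KEY = value", trailing blanks trimmed.
cfg_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# audit_harbor_cfg FILE: print one line per finding; return 1 if any, else 0.
audit_harbor_cfg() {
    cfg=$1
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ] ||
        flag "ui_url_protocol is not https; credentials and layers cross the network in cleartext"
    [ "$(cfg_get "$cfg" harbor_admin_password)" != "Harbor12345" ] ||
        flag "harbor_admin_password is still the shipped default"
    [ "$(cfg_get "$cfg" db_password)" != "root123" ] ||
        flag "db_password is still the shipped default"
    [ "$(cfg_get "$cfg" clair_db_password)" != "password" ] ||
        flag "clair_db_password is still the shipped default"
    [ "$(cfg_get "$cfg" self_registration)" = "off" ] ||
        flag "self_registration is not off; anyone who can reach the UI can create an account"
    [ "$(cfg_get "$cfg" verify_remote_cert)" = "on" ] ||
        flag "verify_remote_cert is not on; remote registries are not authenticated"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the security-relevant lines of the harbor.cfg shown above.
write_sample_cfg() {
    cat > "$1" <<'EOF'
hostname = 192.168.100.100
ui_url_protocol = http
db_password = root123
clair_db_password = password
harbor_admin_password = Harbor12345
self_registration = on
verify_remote_cert = on
EOF
}

sample=$(mktemp)
write_sample_cfg "$sample"
audit_harbor_cfg "$sample" || echo "harbor.cfg needs attention before go-live"
rm -f "$sample"
```

Run against the configuration on this page it reports five findings; a key that is missing from the file is not flagged by the password checks.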


3. Install Harbor

# ./install.sh 
[Step 0]: checking installation environment ...
Note: docker version: 17.06.2
Note: docker-compose version: 1.16.1
[Step 1]: loading Harbor images ...
Loaded image: vmware/registry:2.6.2-photon
Loaded image: photon:1.0
Loaded image: vmware/notary-photon:signer-0.5.0
Loaded image: vmware/clair:v2.0.1-photon
Loaded image: vmware/harbor-ui:v1.2.0
Loaded image: vmware/harbor-log:v1.2.0
Loaded image: vmware/harbor-db:v1.2.0
Loaded image: vmware/nginx-photon:1.11.13
Loaded image: vmware/postgresql:9.6.4-photon
Loaded image: vmware/harbor-adminserver:v1.2.0
Loaded image: vmware/harbor-jobservice:v1.2.0
Loaded image: vmware/notary-photon:server-0.5.0
Loaded image: vmware/harbor-notary-db:mariadb-10.1.10
[Step 2]: preparing environment ...
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... 
Creating harbor-log ... done
Creating harbor-adminserver ... 
Creating registry ... 
Creating harbor-db ... 
Creating harbor-adminserver
Creating registry
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... 
Creating nginx ... 
Creating nginx
Creating nginx ... done
 ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.100.100. 
For more details, please visit https://github.com/vmware/harbor .


4. Check container status

# docker-compose ps
       Name                     Command               State                                Ports                              
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                                                      
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp                                                        
harbor-jobservice    /harbor/harbor_jobservice        Up                                                                      
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp                                         
harbor-ui            /harbor/harbor_ui                Up                                                                      
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp

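Harbor consists of seven containers:

a. harbor-adminserver: Harbor's system management service

b. harbor-db: the database container, built from the official mysql image

c. harbor-jobservice: Harbor's job management service

d. harbor-log: Harbor's log collection and management service

e. harbor-ui: Harbor's web UI service

f. nginx: handles traffic forwarding and security verification

g. registry: the official Docker registry, which stores the images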


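5. Use Harbor

Enter http://harborip in a browser to log in to the Harbor registry page (account admin; the password is the harbor.cfg default, Harbor12345)

[Screenshot]

After logging in, the Harbor interface looks like this

[Screenshot]


Create a new project (note: projects are private by default; tick the box to make one public)

[Screenshot]


Once the project has been created, images can be pushed to the Harbor registry.


a. Change the docker configuration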

# grep "ExecStart" /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry=192.168.100.100
# systemctl daemon-reload
# systemctl restart docker

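Note: docker transfers images over https by default. http is used here, so the registry has to be declared as insecure, and this applies to both push and pull. Over http the login credentials and image layers are not encrypted; the official HTTPS guide listed in the appendix covers the encrypted setup.


b. Log in to Harbor (note: the first form is convenient, the second is secure; use the second in practice, since -p leaves the password in the shell history and the process list)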

# docker login -u admin -p Harbor12345 192.168.100.100
Login Succeeded
# docker login 192.168.100.100
Username: admin
Password: 
Login Succeeded


c. Tag the image and push it to Harbor

# docker tag 99e59f495ffa 192.168.100.100/k8s/pause-amd64:3.0
# docker push 192.168.100.100/k8s/pause-amd64:3.0
The push refers to a repository [192.168.100.100/k8s/pause-amd64]
5f70bf18a086: Pushed 
41ff149e94f2: Pushed 
3.0: digest: sha256:f04288efc7e65a84be74d4fc63e235ac3c6c603cf832e442e0bd3f240b10a91b size: 939


d. Check the upload

[Screenshot]


e. Pull the image (the pull command is shown in the figure below)

[Screenshot]


Appendix:

1. Stop Harbor

# cd harbor
# docker-compose stop


2. Start Harbor

# cd harbor
# docker-compose start


3. Official installation guide

https://github.com/vmware/harbor/blob/master/docs/installation_guide.md


4. Official HTTPS configuration guide

https://github.com/vmware/harbor/blob/master/docs/configure_https.md

This article comes from the "記事本" blog; please keep this source link: http://wangzhijian.blog.51cto.com/6427016/1978474
