    Installing Docker CE and Harbor on Ubuntu

    Docker CE installation

    Recommended system version: Ubuntu 16.04

    Official installation documentation: https://docs.docker.com/install/linux/docker-ce/ubuntu/#prerequisites

    Install the version packaged for the distribution automatically:

    apt-get install -y docker.io
    

    Search the available package versions on Ubuntu:

    apt-cache madison kubeadm
    

    Installation steps

    Run the following in a shell. If you are going to use Kubernetes, version 17.03 is recommended (this recommendation comes from the official K8S docs: https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-docker).

    apt-get update
    apt-get install -y \
        apt-transport-https \
        ca-certificates \
        curl \
        software-properties-common
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
    add-apt-repository \
       "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
       $(lsb_release -cs) \
       stable"
    apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
    

    Then run the docker info command; if the installation succeeded you should see the details of the installed Docker engine.

    Installing from the official repository can be slow; a domestic mirror (Aliyun) can be used instead.

    Ubuntu 14.04 / 16.04 (installing with apt-get):

    # step 1: install the required system tools
    apt-get update
    apt-get -y install apt-transport-https ca-certificates curl software-properties-common
    # step 2: install the GPG key
    curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | apt-key add -
    
    # or use the Tsinghua mirror
    curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | apt-key add -
    # Step 3: write the repository information
    add-apt-repository "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
    
    # add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
    # Step 4: update and install Docker-CE
    apt-get -y update
    apt-get -y install docker-ce
    
    # Install a specific version of Docker-CE:
    # Step 1: list the available Docker-CE versions:
    # apt-cache madison docker-ce
    #   docker-ce | 17.03.1~ce-0~ubuntu-xenial | http://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial/stable amd64 Packages
    #   docker-ce | 17.03.0~ce-0~ubuntu-xenial | http://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial/stable amd64 Packages
    # Step 2: install the specific version of Docker-CE (VERSION is e.g. 17.03.1~ce-0~ubuntu-xenial from the listing above)
    apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
    

    CentOS 7 (installing with yum)

    # step 1: install the required system tools
    yum install -y yum-utils device-mapper-persistent-data lvm2 ca-certificates
    # Step 2: add the repository information
    yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    # or use the Tsinghua mirror instead
    yum-config-manager --add-repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
    # Step 3: update and install Docker-CE
    yum makecache fast
    yum -y install docker-ce
    # Step 4: start the Docker service
    sudo service docker start
    
    # Note:
    # The official repository only enables the latest stable packages by default; other versions can be obtained by editing the repository file. For example the test repository is not enabled by default and can be turned on as follows; the same applies to the edge channel and others.
    # vim /etc/yum.repos.d/docker-ce.repo
    #   under [docker-ce-test], change enabled=0 to enabled=1
    # or run yum-config-manager --enable docker-ce-edge
    # or yum-config-manager --enable docker-ce-test
    # Install a specific version of Docker-CE:
    # Step 1: list the Docker-CE versions:
    # yum list docker-ce.x86_64 --showduplicates | sort -r
    #   Loading mirror speeds from cached hostfile
    #   Loaded plugins: branch, fastestmirror, langpacks
    #   docker-ce.x86_64            17.03.1.ce-1.el7.centos            docker-ce-stable
    #   docker-ce.x86_64            17.03.1.ce-1.el7.centos            @docker-ce-stable
    #   docker-ce.x86_64            17.03.0.ce-1.el7.centos            docker-ce-stable
    #   Available Packages
    # Step 2: install the specific version of Docker-CE (VERSION is e.g. 17.03.0.ce.1-1.el7.centos from the listing above)
    # sudo yum -y install docker-ce-[VERSION]
    

    Harbor installation

    Harbor is an enterprise-class registry server for storing and managing Docker images. It mainly provides a web management interface for the Docker Registry, supports image replication between multiple registries, and adds advanced security features such as user management, access control and activity auditing.

    Harbor can be installed in two ways: online from source, or from an offline installation package. Because the package is large, the offline method is recommended. Official download: https://github.com/vmware/harbor/releases ; a domestic mirror, http://harbor.orientsoft.cn , can also be used.

    wget http://harbor.orientsoft.cn/harbor-v1.4.0/harbor-offline-installer-v1.4.0.tgz
    

    After the download completes, extract the archive to obtain the offline installer.

    Generating a free TLS certificate

    A free certificate can be requested online at https://freessl.org. If you own a domain, you can validate with DNS by creating the TXT record it specifies for the domain.


    Clicking verify shows the following information:

    Save this information on the server as /data/harbor_cert/server.crt and /data/harbor_cert/server.key respectively.

    Installing docker-compose

    Harbor's installer needs the docker-compose tool, so install it beforehand.

    apt-get install python-pip -y && pip install docker-compose
    

    Editing the configuration file

    The configuration file is harbor.cfg

    ## Configuration file of Harbor
    
    #The IP address or hostname to access admin UI and registry service.
    #DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    ##Change this to the domain name you will use; this article uses an existing domain.
    hostname = harbor.jdpoc.com
    
    #The protocol for accessing the UI and token/notification service, by default it is http.
    #It can be set to https if ssl is enabled on nginx.
    #If you already have a TLS certificate, set this to https
    ui_url_protocol = https
    
    #Maximum number of job workers in job service  
    #Number of background job worker processes
    max_job_workers = 5 
    
    #Determine whether or not to generate certificate for the registry's token.
    #If the value is on, the prepare script creates new root cert and private key 
    #for generating token to access the registry. If the value is off the default key/cert will be used.
    #This flag also controls the creation of the notary signer's cert.
    customize_crt = on
    
    #The path of cert and key files for nginx, they are applied only when the protocol is set to https
    #Location of the HTTPS certificate and key
    ssl_cert = /data/harbor_cert/server.crt
    ssl_cert_key = /data/harbor_cert/server.key
    
    #The path of secretkey storage
    #Location where the secret key is stored
    secretkey_path = /data
    
    #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
    admiral_url = NA
    
    #Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    log_rotate_count = 50
    #Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. 
    #If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G 
    #are all valid.
    log_rotate_size = 200M
    
    #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
    #only take effect in the first boot, the subsequent changes of these properties 
    #should be performed on web ui
    
    #************************BEGIN INITIAL PROPERTIES************************
    
    #Email account settings for sending out password resetting emails.
    
    #Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
    #Identity left blank to act as username.
    email_identity = 
    
    email_server = smtp.mydomain.com
    email_server_port = 25
    email_username = sample_admin@mydomain.com
    email_password = abc
    email_from = admin <sample_admin@mydomain.com>
    email_ssl = false
    email_insecure = false
    
    ##The initial password of Harbor admin, only works for the first time when Harbor starts. 
    #It has no effect after the first launch of Harbor.
    #Change the admin password from UI after launching Harbor.
    #Administrator password for the Harbor web UI
    harbor_admin_password = Harbor12345
    
    ##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
    #Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
    #Authentication mode. The default is db_auth, i.e. MySQL-backed authentication; local files or LDAP are also supported.
    auth_mode = db_auth
    
    #The url for an ldap endpoint.
    #LDAP endpoint address
    ldap_url = ldaps://ldap.mydomain.com
    
    #A user's DN who has the permission to search the LDAP/AD server. 
    #If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
    #LDAP/AD base search unit
    #ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
    
    #the password of the ldap_searchdn
    #ldap_search_pwd = password
    
    #The base DN from which to look up a user in LDAP/AD
    ldap_basedn = ou=people,dc=mydomain,dc=com
    
    #Search filter for LDAP/AD, make sure the syntax of the filter is correct.
    #ldap_filter = (objectClass=person)
    
    # The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD  
    ldap_uid = uid 
    
    #the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
    ldap_scope = 2 
    
    #Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
    ldap_timeout = 5
    
    #Verify certificate from LDAP server
    ldap_verify_cert = true
    
    #Turn on or off the self-registration feature
    self_registration = on
    
    #The expiration time (in minute) of token created by token service, default is 30 minutes
    token_expiration = 30
    
    #The flag to control what users have permission to create projects
    #The default value "everyone" allows everyone to creates a project. 
    #Set to "adminonly" so that only admin user can create project.
    project_creation_restriction = everyone
    
    #************************END INITIAL PROPERTIES************************
    
    #######Harbor DB configuration section#######
    
    #The address of the Harbor database. Only need to change when using external db.
    #Connection details for the Harbor MySQL database
    db_host = mysql
    
    #The password for the root user of Harbor DB. Change this before any production use.
    db_password = root123
    
    #The port of Harbor database host
    db_port = 3306
    
    #The user name of Harbor database
    db_user = root
    
    ##### End of Harbor DB configuration#######
    
    #The redis server address. Only needed in HA installation.
    redis_url =
    
    ##########Clair DB configuration############
    
    #Clair DB host address. Only change it when using an external DB.
    clair_db_host = postgres
    
    #The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
    #Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
    clair_db_password = password
    
    #Clair DB connect port
    clair_db_port = 5432
    
    #Clair DB username
    clair_db_username = postgres
    
    #Clair default database
    clair_db = postgres
    
    ##########End of Clair DB configuration############
    
    #The following attributes only need to be set when auth mode is uaa_auth
    uaa_endpoint = uaa.mydomain.org
    uaa_clientid = id
    uaa_clientsecret = secret
    uaa_verify_cert = true
    uaa_ca_cert = /path/to/ca.pem
    
    
    ### Docker Registry setting ###
    #registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
    registry_storage_provider_name = filesystem
    #registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
    #Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
    registry_storage_provider_config =
    
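    Before running install.sh it is worth reviewing harbor.cfg for the values the file's own comments say to change (the admin password, the database passwords) and for settings that widen who can act in the registry. The script below is an added example written for this article, not Harbor's own tooling; it parses the flat key = value format shown above and lists findings. The sample configuration embedded in it is a constructed excerpt that mirrors the values on this page.

```python
"""Pre-deployment review of a harbor.cfg (added example; not Harbor's own tooling).

Parses the flat "key = value" format shown above and reports settings that the
file's own comments say to change before production use, plus settings that
weaken transport security or widen who may act in the registry.
"""
import re

# Values shipped in the harbor.cfg above; leaving any of them in place is a finding.
SHIPPED_SECRETS = {
    "harbor_admin_password": "Harbor12345",
    "db_password": "root123",
    "clair_db_password": "password",
    "uaa_clientsecret": "secret",
}

# Constructed excerpt using the same keys and values as the page's harbor.cfg.
SAMPLE_CFG = """\
hostname = harbor.jdpoc.com
ui_url_protocol = https
ssl_cert = /data/harbor_cert/server.crt
ssl_cert_key = /data/harbor_cert/server.key
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_verify_cert = true
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = password
uaa_clientsecret = secret
"""

KEY_VALUE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_harbor_cfg(text):
    """Return {key: value} from harbor.cfg text; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def check_harbor_cfg(cfg):
    """Return a sorted list of (key, reason) findings for a parsed harbor.cfg."""
    findings = []
    for key, shipped in SHIPPED_SECRETS.items():
        # the UAA client secret only matters when UAA is the active auth mode
        if key == "uaa_clientsecret" and cfg.get("auth_mode") != "uaa_auth":
            continue
        if cfg.get(key) == shipped:
            findings.append((key, "still the value shipped in harbor.cfg"))
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append(("ui_url_protocol", "not https: logins and registry tokens travel in clear text"))
    else:
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append((key, "https selected but no file path configured"))
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append(("hostname", "must be a name that external clients can reach"))
    if cfg.get("auth_mode") == "ldap_auth":
        if cfg.get("ldap_verify_cert", "true").lower() != "true":
            findings.append(("ldap_verify_cert", "LDAP server certificate is not verified"))
        if not cfg.get("ldap_url", "").startswith("ldaps://"):
            findings.append(("ldap_url", "LDAP traffic is not over ldaps://"))
    if cfg.get("self_registration", "off").lower() == "on":
        findings.append(("self_registration", "anyone who can reach the UI can create an account"))
    if cfg.get("project_creation_restriction", "everyone") == "everyone":
        findings.append(("project_creation_restriction", "every user can create projects; consider adminonly"))
    return sorted(findings)


if __name__ == "__main__":
    for key, reason in check_harbor_cfg(parse_harbor_cfg(SAMPLE_CFG)):
        print(f"{key}: {reason}")
```

    Run it against the real file with parse_harbor_cfg(open("harbor.cfg").read()); the page's own configuration, which keeps Harbor12345, root123 and the Clair default password and leaves self-registration on with project creation open to everyone, produces five findings. The checks are deliberately conservative: a setting is flagged only when it equals a value shipped in the file or when it relaxes verification or access.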

    Installing Harbor

    After editing the configuration file, run install.sh:

    /opt/harbor/install.sh
    

    The following is the screen shown on successful installation:

    Set the DNS record:

    Visit https://harbor.jdpoc.com ; it is reachable and the Chrome browser reports the connection as secure.

    The page looks as follows:

    The username is admin and the default password is Harbor12345; if you changed it in the configuration file, use the password you configured.

    After logging in:

    Day-to-day operation of Harbor

    Harbor is operated day to day through docker-compose. Harbor itself consists of several service processes, all running in Docker containers, which can be listed with the docker ps command.

    Routine maintenance commands

    #start the services
    docker-compose start
    #stop the services
    docker-compose stop
    #restart the services
    docker-compose restart
    #Recreate and start after changing the configuration. By default, if containers for a service already exist, docker-compose up stops them and tries to recreate them (keeping volumes mounted with volumes-from), so that changes to docker-compose.yml take effect.
    docker-compose up -d
    

    Using Harbor

    Creating a project

    Log in to the Harbor site and create a project. The access level can be set to public or not; if the project is not public, other users cannot access it.

    Setting up the Harbor host

    Copy the .crt public certificate obtained earlier into /etc/docker/certs.d/harbor.jdpoc.com:

    mkdir -p /etc/docker/certs.d/harbor.jdpoc.com
    # !$ expands to the last argument of the previous command, i.e. the certs.d directory just created
    cp /data/harbor_cert/server.crt !$
    

    Then test whether login succeeds:

    docker login harbor.jdpoc.com
    

    Enter the username and password; if the certificate is configured correctly, a login-success message is shown.

    Pull a test image from Docker Hub and re-tag it:

    docker pull alpine:latest && docker tag alpine:latest harbor.jdpoc.com/poctest/alpine:latest
    

    The local images now look like this:

    Then push it to the project we created:

    docker push harbor.jdpoc.com/poctest/alpine:latest 
    

    The push succeeds.

    Pull an image; for example, the admin account has a poctest/photon:1.0 image:

    docker pull harbor.jdpoc.com/poctest/photon:1.0
    

    List the images:

    It can of course also be seen in the web UI:

    Using a client machine

    Client machines are set up the same way as the Harbor host, i.e.:

    1. Create the /etc/docker/certs.d/harbor.jdpoc.com directory on the client.
    2. Copy the .crt certificate for the domain harbor.jdpoc.com into that directory.
    3. Log in with docker login harbor.jdpoc.com; uploads and downloads then work.

    Access control

    Harbor's users are a simple authentication scheme: after creating users in Harbor's user management UI, they can be granted different permissions on each project.

    This gives multi-user access control.

    Some Harbor pitfalls

    Changing the database password

    After Harbor is first installed, the MySQL data is stored under /data/database. If you want to change the MySQL root password (whether or not you reinstall), you must delete /data/database first; otherwise the UI container keeps reporting an "Access denied" error, which even re-pulling the images does not fix. It is strongly recommended to configure all environment parameters up front and avoid changing them afterwards.

    Changing the Nginx port

    Harbor's Nginx is mapped to port 80 on the host. If you do not want port 80 to be taken, for example to replace 80 with 9999, edit docker-compose.yml:

    proxy:
        image: nginx:1.9
        container_name: nginx
        restart: always
        volumes:
          - ./common/config/nginx:/etc/nginx
        ports:
          - 9999:80
          - 443:443
        depends_on:
          - mysql
          - registry
          - ui
          - log
    

    The file common/templates/registry/config.yml must also be changed:

    auth:
      token:
        issuer: registry-token-issuer
        realm: $ui_url:9999/service/token
        rootcertbundle: /etc/registry/root.crt
        service: token-service
    

    After making the changes, run sudo ./prepare to regenerate the configuration files.
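    The two edits above must stay in step: if only docker-compose.yml is changed, docker login reaches Nginx on the new port but the registry then sends clients to a token URL on the old one. The script below is an added example written for this article, not part of Harbor; it applies both edits together and checks that the published proxy port and the realm port agree, using plain text matching so no YAML library is needed. The two sample files it embeds are constructed to mirror the snippets above.

```python
"""Keep the Nginx host port and the registry token realm in step (added example;
not part of Harbor). Applies the docker-compose.yml and config.yml edits above
together and checks that both name the same port.
"""
import re

# Constructed docker-compose.yml excerpt mirroring the proxy block on the page,
# plus a sibling service to show that only the proxy block is touched.
SAMPLE_COMPOSE = """\
version: '2'
services:
  proxy:
    image: nginx:1.9
    container_name: nginx
    restart: always
    ports:
      - 80:80
      - 443:443
  registry:
    image: registry:2
    ports:
      - 5000:5000
"""

# Constructed common/templates/registry/config.yml excerpt (realm before the edit).
SAMPLE_REGISTRY_CFG = """\
auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
"""

PORT_RE = re.compile(r'^\s*-\s*"?(\d+):(\d+)"?\s*$')
REALM_RE = re.compile(r"^([ \t]*realm:[ \t]*\$ui_url)(?::(\d+))?(/service/token[ \t]*)$", re.M)


def service_span(compose_text, name):
    """Line index range (start, end) of service `name`'s body; (0, 0) if absent."""
    lines = compose_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == name + ":":
            indent = len(line) - len(line.lstrip())
            end = i + 1
            # the body continues while lines are blank or indented deeper than the key
            while end < len(lines) and (
                not lines[end].strip()
                or len(lines[end]) - len(lines[end].lstrip()) > indent
            ):
                end += 1
            return i + 1, end
    return 0, 0


def proxy_host_port(compose_text, container_port):
    """Host port published for the proxy's `container_port`, or None."""
    lines = compose_text.splitlines()
    start, end = service_span(compose_text, "proxy")
    for line in lines[start:end]:
        m = PORT_RE.match(line)
        if m and int(m.group(2)) == container_port:
            return int(m.group(1))
    return None


def realm_port(registry_cfg_text, default):
    """Port in the token realm; `default` when the realm carries no explicit port."""
    m = REALM_RE.search(registry_cfg_text)
    if not m:
        raise ValueError("no token realm line found")
    return int(m.group(2)) if m.group(2) else default


def ports_consistent(compose_text, registry_cfg_text, scheme="http"):
    """(ok, host_port, realm_port): both files must name the same port."""
    container_port = 80 if scheme == "http" else 443
    host = proxy_host_port(compose_text, container_port)
    realm = realm_port(registry_cfg_text, default=container_port)
    return host == realm, host, realm


def change_proxy_port(compose_text, registry_cfg_text, new_port, scheme="http"):
    """Return (compose, registry_cfg) with the proxy remapped to new_port and the realm matched."""
    container_port = 80 if scheme == "http" else 443
    lines = compose_text.splitlines()
    start, end = service_span(compose_text, "proxy")
    for i in range(start, end):
        m = PORT_RE.match(lines[i])
        if m and int(m.group(2)) == container_port:
            lines[i] = lines[i][: m.start(1)] + str(new_port) + lines[i][m.end(1):]
    new_registry = REALM_RE.sub(lambda m: f"{m.group(1)}:{new_port}{m.group(3)}", registry_cfg_text)
    return "\n".join(lines) + "\n", new_registry


if __name__ == "__main__":
    compose, registry = change_proxy_port(SAMPLE_COMPOSE, SAMPLE_REGISTRY_CFG, 9999)
    print(ports_consistent(compose, registry))              # (True, 9999, 9999)
    print(ports_consistent(compose, SAMPLE_REGISTRY_CFG))   # (False, 9999, 80)
```

    The scheme argument selects which container port is the relevant one (80 for an http ui_url_protocol, 443 for https) and what an unqualified realm means, so the same check applies to a TLS deployment like the one on this page. Run it before ./prepare; a False result means the token realm still points at a port nothing listens on.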

    Changing the Registry port (optional)

    By convention port 5000 is opened for the registry. To do so, edit docker-compose.yml and add a ports attribute to the registry node; the steps are the same as for the Nginx change.

    Configuring the insecure-registry trust list

    By default Docker talks to registries over HTTPS, while Harbor is accessed over HTTP by default. If you have not configured an HTTPS certificate, running docker login produces an error like this:

    Error response from daemon: Get https://xx.xxx.xx.xx/v1/users/: dial tcp xx.xxx.xx.xx:443: getsockopt: connection refused
    

    In that case edit Docker's service file; on Ubuntu 16.04 it is /lib/systemd/system/docker.service:

    # Modified; original line: ExecStart=/usr/bin/dockerd -H fd://
    ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry xx.xxx.xx.xx:5000
    

    Then run:

    sudo systemctl daemon-reload
    sudo systemctl restart docker
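
    The same exemption can be kept in /etc/docker/daemon.json instead of the unit file, which survives package upgrades that rewrite docker.service. The script below is an added example for this article, not part of Docker or Harbor; it merges an entry into an existing daemon.json without clobbering other keys, and reports options that would be set both as a dockerd flag and in the file, because dockerd refuses to start when the same option is given both ways. The existing daemon.json it uses is constructed, and xx.xxx.xx.xx:5000 is the page's placeholder for the registry address. Note that the exemption applies only to the exact host:port listed, and that the certs.d route described earlier keeps TLS in place and is the better choice whenever a certificate is available.

```python
"""Manage the insecure-registry exemption through /etc/docker/daemon.json
(added example; the page itself edits ExecStart= in the systemd unit).
"""
import json

# dockerd flags and the daemon.json keys they correspond to (subset that matters here)
FLAG_TO_KEY = {
    "-H": "hosts",
    "--host": "hosts",
    "--insecure-registry": "insecure-registries",
    "--registry-mirror": "registry-mirrors",
}


def load_daemon_json(text):
    """Parse daemon.json text; an absent or empty file is an empty config."""
    return json.loads(text) if text.strip() else {}


def merge_insecure_registry(cfg, registry):
    """Return a copy of cfg with `registry` present in insecure-registries exactly once."""
    new_cfg = dict(cfg)
    regs = list(new_cfg.get("insecure-registries", []))
    if registry not in regs:
        regs.append(registry)
    new_cfg["insecure-registries"] = regs
    return new_cfg


def render_daemon_json(cfg):
    """Serialise with stable key order so the file diffs cleanly under version control."""
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def execstart_keys(execstart_line):
    """daemon.json keys equivalent to the flags found on an ExecStart= line."""
    keys = set()
    for token in execstart_line.split():
        flag = token.split("=", 1)[0]   # handles --flag=value as well as --flag value
        if flag in FLAG_TO_KEY:
            keys.add(FLAG_TO_KEY[flag])
    return keys


def conflicts(execstart_line, cfg):
    """Keys set both as a dockerd flag and in daemon.json; dockerd will not start with any."""
    return sorted(execstart_keys(execstart_line) & set(cfg))


if __name__ == "__main__":
    # constructed contents of an existing /etc/docker/daemon.json
    existing = '{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}'
    cfg = merge_insecure_registry(load_daemon_json(existing), "xx.xxx.xx.xx:5000")
    print(render_daemon_json(cfg))
    unit = "ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry xx.xxx.xx.xx:5000"
    print("conflicts:", conflicts(unit, cfg))   # ['insecure-registries']
```

    If conflicts() reports a key, remove the corresponding flag from ExecStart= (leaving -H fd:// in the unit is fine as long as daemon.json sets no "hosts" key) before running systemctl daemon-reload and systemctl restart docker.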
    
    Original article: https://www.cnblogs.com/ccorz/p/Ubuntu-an-zhuangdocker-CE-yi-jiharbor.html