docker学习笔记-4.harbor

k8s 学习环境准备工作

在阿里云下载k8s验证的docker版本，即17.03.2

https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/

 

准备虚拟机

谷歌的容器下载地址

https://console.cloud.google.com/gcr/images/google-containers/GLOBAL

harbor学习安装笔记

harbor是vmware开源的docker镜像仓库

harbor的github地址

https://github.com/vmware/harbor/releases#download

本次实验的版本为 harbor-offline-installer-v1.5.1.tgz

安装docker

本次实验基于的docker版本为  18.03.1.ce

从阿里云下载

https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/

设置docker为开机自动启动

systemcl start docker

systemctl enable docker

关闭防火墙

systemctl stop firewalld

systemctl disable firewalld

安装 pip

yum install python-pip  #需要epel源

安装 docker-compose 

docker单机版的编排工具

pip install docker-compose

 

下载上传harbor-offline-installer-v1.5.1.tgz

下载 离线的版本

解压 harbor-offline-installer-v1.5.1.tgz 包

 编辑harbor.cfg配置文件，修改 host 的地址，改为本机ip地址

## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.5.0
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 192.168.153.135

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http

#Maximum number of job workers in job service  
max_job_workers = 50 

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key 
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. 
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G 
#are all valid.
log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor ui container via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties 
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity = 

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts. 
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server. 
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD  
ldap_uid = uid 

#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2 

#Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

#Verify certificate from LDAP server
ldap_verify_cert = true

#The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com

#filter to search LDAP/AD group
ldap_group_filter = objectclass=group

#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn

#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_group_scope = 2

#Turn on or off the self-registration feature
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project. 
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######

#The address of the Harbor database. Only need to change when using external db.
db_host = mysql

#The password for the root user of Harbor DB. Change this before any production use.
db_password = root123

#The port of Harbor database host
db_port = 3306

#The user name of Harbor database
db_user = root

##### End of Harbor DB configuration#######

#The redis server address. Only needed in HA installation.
#address:port[,weight,password,db_index]
redis_url = redis:6379

##########Clair DB configuration############

#Clair DB host address. Only change it when using an exteral DB.
clair_db_host = postgres

#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password

#Clair DB connect port
clair_db_port = 5432

#Clair DB username
clair_db_username = postgres

#Clair default database
clair_db = postgres

##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem


### Docker Registry setting ###
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =

安装harbor

[root@harbor2 harbor]# ./install.sh

可以手工启动 harbor

docker-compose start 

docker-compose stop

查看harbor的web界面，默认是80端口，默认用户名 admin/Harbor12345   #可以在harbor.cfg 配置文件中进行修改

 配置docker客户端即docker的容器的宿主机使用harbor镜像仓库

[root@localhost ~]# vi /usr/lib/systemd/system/docker.service 

修改如下框所示列

修改docker的启动脚本  加上harbor的ip地址

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --selinux-enabled --log-driver=journald --insecure-registry '192.168.153.135' --insecure-registry '192.168.153.138'
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

重新启动docker

systemclt restart docker

 

登录 harbor

登录成功后会在当前用户的家目录下 ，生成一个隐藏文件，用来存放验证信息。

 docker客户端上传镜像到harbor

[root@localhost ~]# docker images

[root@localhost ~]# docker tag haproxy:v1 192.168.153.135/webimage/haproxy:v1

[root@localhost ~]# docker push 192.168.153.135/webimage/haproxy:v1

 

在另一个docker客户端点击pull命令  复制  pull命令 ，从docker客户端拉取harbor仓库的镜像

两个 harbor仓库的同步

 添加另外一个harbor仓库

如果 打开 harbor web界面  报 503 错误的话  

在 harbor的安装目录下

重启harbor

docker-compose stop

docker-compose start

查看80 端口

ss -tnl

查看防火墙是否关闭

如果 TEST CONNECTION 不通过的话  查看防火墙问题

在项目中添加项目，上传镜像

 [root@192 ~]# docker images

标记镜像  并把镜像同步到harbor中

[root@192 ~]# docker tag nginx-base:v1 192.168.153.140/webimage/nginx-base:v1

[root@192 ~]# docker push 192.168.153.140/webimage/nginx-base:v1

在项目中  编辑harbor同步规则

在此harbor界面中看到   同步日志完成

在 另外的harbor中查看  镜像同步情况

在界面上显示同步成功