一、Harbor
容器应用的开发和运行离不开可靠的镜像管理。从安全和效率等方面考虑,部署在私有环境内的Registry是非常必要的。Harbor 是由 VMware 公司中国团队为企业用户设计的 Registry server 开源项目,包括了权限管理(RBAC)、LDAP、审计、管理界面、自我注册、HA 等企业必需的功能,同时针对中国用户的特点,设计镜像复制和中文支持等功能。
二、安装Harbor的前提条件
根据官网说明,简单描述一下安装Harbor前需要的主要条件:
| 硬件 | 最低要求 | 推荐 |
|---|---|---|
| CPU | 2 CPU | 4 CPU |
| 内存 | 4 GB | 8 GB |
| 硬盘 | 40 GB | 160 GB |
| 软件 | 版本 |
|---|---|
| Docker engine | 17.06.0-ce+或更高 |
| Docker Compose | 1.18.0或更高 |
三、部署规划
| 说明 | 规划 |
|---|---|
| 服务器IP | 192.168.113.48 |
| 端口 | 8930 |
| 安装目录 | /home/work/harbor |
| 数据映射目录 | /home/work/harbor/data |
| 日志映射目录 | /home/work/harbor/logs |
| Harbor管理员密码 | h12345 |
Harbor的http协议默认端口为80,https协议默认端口为443;本次安装属于公司内网,无需https,采用http即可。为避免产生端口冲突,可以自己修改端口。
Harbor的数据映射目录默认为/data,日志映射目录默认为/var/log/harbor;此处为了统一管理,将数据目录和日志目录统一放在安装目录之下。
Harbor安装成功后,会生成一个管理员用户,用户名为admin,密码默认为Harbor12345,密码可改可不改。
四、安装Harbor
-
安装方式:可在线安装或离线安装。本次安装采用离线安装方式。
-
下载安装包,本次安装时最新版本为2.1.0,可自行选择安装版本。将harbor-offline-installer-v2.1.0.tgz下载到windows本地,然后通过ftp工具将文件上传到/home/work目录下。官方最新版地址
-
解压安装包,解压后就会在当前目录生成一个harbor目录
tar xvf harbor-offline-installer-v2.1.0.tgz
解压后会目录中就会包含上图中所示文件,其中harbor.yml.tmpl文件就是Harbor的模板配置文件。
-
拷贝一份harbor.yml.tmpl文件命名为harbor.yml,并按照规划编辑并保存该文件
cp harbor.yml.tmpl harbor.yml vim harbor.yml
-
由于没有使用https,为了避免Harbor启动后不能从Docker中登录到Harbor当中,需要修改并保存Docker的配置
vim /usr/lib/systemd/system/docker.service#需要修改的地方 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.113.48:8930
在ExecStart这一行的末尾加上--insecure-registry=IP:端口
-
重新加载配置,并重启Docker服务(生产环境慎用!!!)
#重新加载配置 systemctl daemon-reload #重启Docker服务 systemctl restart docker -
每次修改harbor的配置文件之后,都需要在安装目录下执行prepare命令,否则配置文件不生效
[root@node03 harbor]# ./prepare prepare base dir is set to /home/work/harbor WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https Generated configuration file: /config/portal/nginx.conf Generated configuration file: /config/log/logrotate.conf Generated configuration file: /config/log/rsyslog_docker.conf Generated configuration file: /config/nginx/nginx.conf Generated configuration file: /config/core/env Generated configuration file: /config/core/app.conf Generated configuration file: /config/registry/config.yml Generated configuration file: /config/registryctl/env Generated configuration file: /config/registryctl/config.yml Generated configuration file: /config/db/env Generated configuration file: /config/jobservice/env Generated configuration file: /config/jobservice/config.yml Generated and saved secret to file: /data/secret/keys/secretkey Successfully called func: create_root_cert Generated configuration file: /compose_location/docker-compose.yml Clean up the input dir命令执行完成之后,目录内容如下图所示:
-
编辑并保存docker-compose.yml文件
proxy: image: goharbor/nginx-photon:v2.1.0 container_name: nginx restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID - NET_BIND_SERVICE volumes: - ./common/config/nginx:/etc/nginx:z - type: bind source: ./common/config/shared/trust-certificates target: /harbor_cust_cert networks: - harbor dns_search: . ports: #此处原本为80:8080,将80端口修改为8930端口 - 8930:8080 depends_on: - registry - core - portal - log -
利用docker-compose启动harbor
docker-compose up -d启动成功如下图所示:
五、验证Harbor
-
在浏览器中输入ip:端口,访问Harbor的Web页面,用户名为admin,密码为自己设置的密码。
-
在docker中登录harbor,用户和密码同上
[root@node03 harbor]# docker login 192.168.113.48:8930 Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded You have new mail in /var/spool/mail/root [root@node03 harbor]# -
将本地镜像打上tag,然后将镜像push到harborn当中(push镜像步骤:login-->tag-->push)
[root@node03 harbor]# docker tag mysql:5.7 192.168.113.48:8930/library/mysql:5.7 [root@node03 harbor]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE sonatype/nexus3 latest d4fbb85e8101 2 days ago 634MB gitlab/gitlab-ce latest b0c27d1707a0 6 days ago 1.98GB 192.168.113.48:8930/library/mysql 5.7 42cdba9f1b08 9 days ago 448MB mysql 5.7 42cdba9f1b08 9 days ago 448MB jenkins/jenkins lts f669140ba6ec 2 weeks ago 711MB goharbor/redis-photon v2.1.0 45fa455a8eeb 5 weeks ago 68.7MB goharbor/harbor-registryctl v2.1.0 98f466a61ebb 5 weeks ago 132MB goharbor/registry-photon v2.1.0 09c818fabdd3 5 weeks ago 80.1MB goharbor/nginx-photon v2.1.0 470ffa4a837e 5 weeks ago 40.1MB goharbor/harbor-log v2.1.0 402802990707 5 weeks ago 82.1MB goharbor/harbor-jobservice v2.1.0 ff65bef832b4 5 weeks ago 165MB goharbor/harbor-core v2.1.0 26047bcb9ff5 5 weeks ago 147MB goharbor/harbor-portal v2.1.0 5e97d5e230b9 5 weeks ago 49.5MB goharbor/harbor-db v2.1.0 44c0be92f223 5 weeks ago 164MB goharbor/prepare v2.1.0 58d0e7cee8cf 5 weeks ago 160MB [root@node03 harbor]# docker push 192.168.113.48:8930/library/mysql:5.7 The push refers to repository [192.168.113.48:8930/library/mysql] bdda49371b83: Pushed 78a9edf56b5f: Pushed 2e19acd09cf6: Pushed 30f9c7764a3f: Pushed 15b463db445c: Pushed c21e35e55228: Pushed 36b89ee4c647: Pushed 9dae2565e824: Pushed ec8c80284c72: Pushed 329fe06a30f0: Pushed d0fe97fa8b8c: Pushed 5.7: digest: sha256:3830eda172a0285aa9899c422f26d739cde0ad5445962fbb9a2a8b0df00a1a64 size: 2621 [root@node03 harbor]#到harbor中查看,发现镜像已经成功push:
-
从harbor当中拉取镜像
先将镜像删除,然后从harbor中pull镜像:
[root@node03 harbor]# docker rmi 192.168.113.48:8930/library/mysql:5.7 Untagged: 192.168.113.48:8930/library/mysql:5.7 Untagged: 192.168.113.48:8930/library/mysql@sha256:3830eda172a0285aa9899c422f26d739cde0ad5445962fbb9a2a8b0df00a1a64 [root@node03 harbor]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE sonatype/nexus3 latest d4fbb85e8101 2 days ago 634MB gitlab/gitlab-ce latest b0c27d1707a0 6 days ago 1.98GB mysql 5.7 42cdba9f1b08 9 days ago 448MB jenkins/jenkins lts f669140ba6ec 2 weeks ago 711MB goharbor/redis-photon v2.1.0 45fa455a8eeb 5 weeks ago 68.7MB goharbor/harbor-registryctl v2.1.0 98f466a61ebb 5 weeks ago 132MB goharbor/registry-photon v2.1.0 09c818fabdd3 5 weeks ago 80.1MB goharbor/nginx-photon v2.1.0 470ffa4a837e 5 weeks ago 40.1MB goharbor/harbor-log v2.1.0 402802990707 5 weeks ago 82.1MB goharbor/harbor-jobservice v2.1.0 ff65bef832b4 5 weeks ago 165MB goharbor/harbor-core v2.1.0 26047bcb9ff5 5 weeks ago 147MB goharbor/harbor-portal v2.1.0 5e97d5e230b9 5 weeks ago 49.5MB goharbor/harbor-db v2.1.0 44c0be92f223 5 weeks ago 164MB goharbor/prepare v2.1.0 58d0e7cee8cf 5 weeks ago 160MB [root@node03 harbor]# docker pull 192.168.113.48:8930/library/mysql:5.7 5.7: Pulling from library/mysql Digest: sha256:3830eda172a0285aa9899c422f26d739cde0ad5445962fbb9a2a8b0df00a1a64 Status: Downloaded newer image for 192.168.113.48:8930/library/mysql:5.7 192.168.113.48:8930/library/mysql:5.7 [root@node03 harbor]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE sonatype/nexus3 latest d4fbb85e8101 2 days ago 634MB gitlab/gitlab-ce latest b0c27d1707a0 6 days ago 1.98GB 192.168.113.48:8930/library/mysql 5.7 42cdba9f1b08 9 days ago 448MB mysql 5.7 42cdba9f1b08 9 days ago 448MB jenkins/jenkins lts f669140ba6ec 2 weeks ago 711MB goharbor/redis-photon v2.1.0 45fa455a8eeb 5 weeks ago 68.7MB goharbor/harbor-registryctl v2.1.0 98f466a61ebb 5 weeks ago 132MB goharbor/registry-photon v2.1.0 09c818fabdd3 5 weeks ago 80.1MB goharbor/nginx-photon v2.1.0 470ffa4a837e 5 weeks ago 40.1MB goharbor/harbor-log v2.1.0 402802990707 5 weeks ago 82.1MB goharbor/harbor-jobservice v2.1.0 ff65bef832b4 5 weeks ago 165MB goharbor/harbor-core v2.1.0 26047bcb9ff5 5 weeks ago 147MB goharbor/harbor-portal v2.1.0 5e97d5e230b9 5 weeks ago 49.5MB goharbor/harbor-db v2.1.0 44c0be92f223 5 weeks ago 164MB goharbor/prepare v2.1.0 58d0e7cee8cf 5 weeks ago 160MB [root@node03 harbor]#拉取镜像是否有权限需要根据harbor项目权限和项目的成员权限共同决定,若harbor中项目为公开项目,则不用登录harbor即可pull镜像;若项目为私有,则只有项目中的成员能够对镜像进行下一步操作。具体权限请参照官方文档。