Harbor itself is made up of several components. Let's start by looking at the containers of a finished deployment.
```text
vmware/harbor-jobservice:v1.1.1 "/harbor/harbor_jobse" harbor-jobservice
vmware/nginx:1.11.5-patched "nginx -g 'daemon off" 45 hours ago 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
vmware/harbor-ui:v1.1.1 "/harbor/harbor_ui" harbor-ui
vmware/harbor-db:v1.1.1 "docker-entrypoint.sh" 3306/tcp harbor-db
vmware/registry:photon-2.6.0 "/entrypoint.sh serve" 5000/tcp registry
vmware/harbor-adminserver:v1.1.1 "/harbor/harbor_admin" harbor-adminserver
vmware/harbor-log:v1.1.1 "/bin/sh -c 'crond &&" 127.0.0.1:1514->514/tcp harbor-log
```
That is quite a few components; they are introduced one by one below.
harbor-jobservice
harbor-jobservice is Harbor's job management module. In Harbor, jobs are mainly used for replication between image registries; see the later source-code analysis for details.
nginx
nginx handles traffic forwarding and security checks. All externally exposed traffic is relayed through nginx, so only HTTPS port 443 is opened; nginx distributes the traffic to the backend ui and to the docker registry that actually stores the images.
```nginx
worker_processes auto;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    tcp_nodelay on;
    include /etc/nginx/conf.d/*.upstream.conf;
    proxy_http_version 1.1;

    upstream registry {
        server registry:5000;
    }

    upstream ui {
        server ui:80;
    }

    server {
        listen 443 ssl;

        # SSL
        ssl_certificate /etc/nginx/cert/yourdomain.com.crt;
        ssl_certificate_key /etc/nginx/cert/yourdomain.com.key;

        location / {
            proxy_pass http://ui/;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cookie_path / "/; secure";
            proxy_buffering off;
            proxy_request_buffering off;
        }

        location /v1/ {
            return 404;
        }

        location /v2/ {
            proxy_pass http://registry/v2/;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            proxy_request_buffering off;
        }

        location /service/ {
            proxy_pass http://ui/service/;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            proxy_request_buffering off;
        }

        location /service/notifications {
            return 404;
        }
    }

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
}
```
The above is an excerpt of the main nginx configuration. It defines two upstream services, ui and registry. nginx itself listens on port 443 with the certificate created in the previous post, which is mounted into the container. One small detail is the last server block: a request to port 80 is redirected to HTTPS on port 443, so authentication is funnelled through a single entry point.
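To make the routing rules concrete, here is an added example (my own code, not part of the original post or of the Harbor project) that simulates how the configuration above dispatches a request. nginx picks the prefix location with the longest match, which is why `/service/notifications`, the webhook the registry calls on the ui, loses to the explicit `return 404` and is never reachable from outside even though `/service/` as a whole is proxied; the registry still reaches it over the internal `http://ui/service/notifications` URL. The `LOCATIONS` table is transcribed from the config; the function names are mine.

```python
# Added example, not code from the Harbor project or the original post: a
# simulation of how the nginx config above routes a request, so you can see
# which backend each path reaches and which paths the proxy blocks outright.
from typing import Tuple, Union

# Prefix locations and their actions, transcribed from the page's config.
LOCATIONS = {
    "/": ("proxy", "ui"),
    "/v1/": ("return", 404),
    "/v2/": ("proxy", "registry"),
    "/service/": ("proxy", "ui"),
    "/service/notifications": ("return", 404),
}

Action = Tuple[str, Union[str, int]]


def route(scheme: str, path: str) -> Action:
    """Return what the proxy does with a request to the given scheme and path.

    Plain HTTP (the port-80 server block) is answered with a 301 to HTTPS;
    HTTPS requests are matched against the prefix locations, longest prefix wins,
    which is nginx's rule for plain (non-regex) location blocks.
    """
    if scheme == "http":
        return ("redirect", 301)
    # nginx matches on the path only, so strip any query string first.
    uri = path.split("?", 1)[0]
    # Every path matches "/" at least, so max() always has a candidate.
    best = max((prefix for prefix in LOCATIONS if uri.startswith(prefix)), key=len)
    return LOCATIONS[best]


def externally_blocked(path: str) -> bool:
    """True when the HTTPS proxy answers 404 for this path without touching a backend."""
    return route("https", path) == ("return", 404)


if __name__ == "__main__":
    for req in [("http", "/"), ("https", "/api/projects"),
                ("https", "/v2/tt/t1/manifests/latest"),
                ("https", "/service/token?scope=repository:tt/t1:pull"),
                ("https", "/service/notifications"), ("https", "/v1/_ping")]:
        print(req, "->", route(*req))
```

The check worth keeping from this is `externally_blocked("/service/notifications")`: if a later edit to the proxy config dropped that location, the registry's event webhook would become an unauthenticated external endpoint on the ui, and a simulation like this run against the rendered config catches it before deployment.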
harbor-ui
harbor-ui is the web management interface: mainly the frontend pages and the backend CRUD APIs.
harbor-db
harbor-db is Harbor's database. It stores the system's jobs as well as projects and user and permission management. Since in this setup Harbor's authentication also goes through the database, production deployments mostly connect it to the enterprise LDAP instead.
```text
show tables;
+--------------------+
| Tables_in_registry |
+--------------------+
| access             |
| access_log         |
| alembic_version    |
| project            |
| project_member     |
| properties         |
| replication_job    |
| replication_policy |
| replication_target |
| repository         |
| role               |
| user               |
+--------------------+
```
A brief look at one of them: access is the access permissions table.
```text
select * from access;
+-----------+-------------+-------------------------------+
| access_id | access_code | comment                       |
+-----------+-------------+-------------------------------+
|         1 | M           | Management access for project |
|         2 | R           | Read access for project       |
|         3 | W           | Write access for project      |
|         4 | D           | Delete access for project     |
|         5 | S           | Search access for project     |
+-----------+-------------+-------------------------------+
```
It defines the management, read, write, delete and search permissions. Next, Harbor's project table:
```text
select * from project;
+------------+----------+---------+---------------------+---------------------+---------+--------+
| project_id | owner_id | name    | creation_time       | update_time         | deleted | public |
+------------+----------+---------+---------------------+---------------------+---------+--------+
|          1 |        1 | library | 2017-05-15 05:42:16 | 2017-05-15 05:42:16 |       0 |      1 |
|          2 |        3 | tt      | 2017-05-15 05:46:58 | 2017-05-15 05:46:58 |       0 |      1 |
|          3 |        3 | vv      | 2017-05-15 06:04:36 | 2017-05-15 06:04:36 |       0 |      1 |
+------------+----------+---------+---------------------+---------------------+---------+--------+
```
You can see the three projects I created.
Under each project there are repositories:
```text
select * from repository;
+---------------+-------+------------+----------+-------------+------------+------------+---------------------+---------------------+
| repository_id | name  | project_id | owner_id | description | pull_count | star_count | creation_time       | update_time         |
+---------------+-------+------------+----------+-------------+------------+------------+---------------------+---------------------+
|             1 | tt/t1 |          2 |        3 |             |          2 |          0 | 2017-05-15 06:03:54 | 2017-05-17 12:47:41 |
|             2 | tt/tb |          2 |        3 |             |          2 |          0 | 2017-05-15 06:04:58 | 2017-05-15 06:11:06 |
+---------------+-------+------------+----------+-------------+------------+------------+---------------------+---------------------+
```
You can see which project each repository belongs to.
There are also the user and role tables; here is the role table:
```text
select * from role;
+---------+-----------+-----------+--------------+
| role_id | role_mask | role_code | name         |
+---------+-----------+-----------+--------------+
|       1 |         0 | MDRWS     | projectAdmin |
|       2 |         0 | RWS       | developer    |
|       3 |         0 | RS        | guest        |
+---------+-----------+-----------+--------------+
```
The role table defines Harbor's three roles: project admin with all permissions, developer with read, write and search, and guest with read and search. Each role_code is simply the concatenation of access_code letters from the access table.
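As an added illustration of how these tables fit together (my own code, not Harbor's implementation), the following expands a role_code into its access codes and answers "can this user perform this action on this project?" from the access, role, project and project_member tables. The access, role and project rows are transcribed from the page; the project_member rows, the extra private project with id 4, and the rule that a public project grants read and search to non-members are constructed assumptions for the example.

```python
# Added example, not from Harbor's code base: a project-level permission check
# built from the access, role and project tables shown above. A role's role_code
# is the concatenation of access_code letters, so membership in a role expands
# to a set of access codes. Rows marked "constructed" are sample data made up
# for this example; the rest is transcribed from the page.
from typing import Dict, Set, Tuple

# access table: access_code -> comment (transcribed)
ACCESS = {"M": "Management", "R": "Read", "W": "Write", "D": "Delete", "S": "Search"}

# role table: role_id -> (name, role_code) (transcribed)
ROLES = {1: ("projectAdmin", "MDRWS"), 2: ("developer", "RWS"), 3: ("guest", "RS")}

# project table: project_id -> (name, public); ids 1-3 transcribed, id 4 constructed
# so that the private-project branch can be exercised.
PROJECTS = {1: ("library", 1), 2: ("tt", 1), 3: ("vv", 1), 4: ("private-demo", 0)}

# project_member table (constructed rows): (user_id, project_id) -> role_id
MEMBERS: Dict[Tuple[int, int], int] = {
    (1, 1): 1,  # user 1 owns library, so project admin there
    (3, 2): 1,  # user 3 owns tt
    (4, 2): 2,  # user 4 is a developer on tt
    (5, 4): 3,  # user 5 is a guest on the private project
}

# Assumption for this example: anyone, member or not, may read and search a
# public project; a private project grants nothing to non-members.
PUBLIC_DEFAULT: Set[str] = {"R", "S"}


def role_permissions(role_id: int) -> Set[str]:
    """Expand a role_code such as 'RWS' into the set of access codes it grants."""
    _, code = ROLES[role_id]
    unknown = set(code) - set(ACCESS)
    if unknown:
        # A role_code letter with no row in the access table is a data error,
        # not a silent extra permission.
        raise ValueError(f"role {role_id} references unknown access codes {unknown}")
    return set(code)


def effective_permissions(user_id: int, project_id: int) -> Set[str]:
    """Permissions a user holds on a project: their membership role, else the public default."""
    role_id = MEMBERS.get((user_id, project_id))
    if role_id is not None:
        return role_permissions(role_id)
    _, public = PROJECTS[project_id]
    return set(PUBLIC_DEFAULT) if public else set()


def can(user_id: int, project_id: int, access_code: str) -> bool:
    """True if the user may perform the action denoted by access_code on the project."""
    if access_code not in ACCESS:
        raise ValueError(f"unknown access code {access_code!r}")
    return access_code in effective_permissions(user_id, project_id)


if __name__ == "__main__":
    for user, project, code in [(3, 2, "M"), (4, 2, "D"), (5, 4, "R"), (9, 1, "R"), (9, 4, "R")]:
        print(f"user {user} on {PROJECTS[project][0]}: {ACCESS[code]} -> {can(user, project, code)}")
```

The useful property to notice is that the role table carries no permissions of its own; everything flows from the letters in role_code matched against the access table, so an unexpected letter in a role row fails closed here instead of quietly granting something.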
registry
registry is Docker's native registry, responsible for storing the images.
```json
{
    "Source": "/root/harbor/common/config/registry",
    "Destination": "/etc/registry",
    "Mode": "z",
    "RW": true,
    "Propagation": "rprivate"
},
{
    "Source": "/data/registry",
    "Destination": "/storage",
    "Mode": "z",
    "RW": true,
    "Propagation": "rprivate"
}
```
It mainly mounts two directories: one is the configuration directory, the other is the image storage path.
First, the configuration file:
```yaml
version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /storage
  maintenance:
    uploadpurging:
      enabled: false
  delete:
    enabled: true
http:
  addr: :5000
  secret: placeholder
  debug:
    addr: localhost:5001
auth:
  token:
    issuer: harbor-token-issuer
    realm: https://reg.ennew.com/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
notifications:
  endpoints:
    - name: harbor
      disabled: false
      url: http://ui/service/notifications
      timeout: 3000ms
      threshold: 5
      backoff: 1s
```
This file defines where images are stored and the token authentication section. The `realm: https://reg.ennew.com/service/token` entry under token is very important; I will cover the V2 authentication scheme in the next post.
harbor-adminserver
harbor-adminserver is Harbor's system administration API; it can modify the system configuration and return system information.
harbor-log
harbor-log is Harbor's logging service, which manages Harbor's logs centrally. docker inspect shows that every container sends its logs to syslog.
```json
"LogConfig": {
    "Type": "syslog",
    "Config": {
        "syslog-address": "tcp://127.0.0.1:1514",
        "tag": "registry"
    }
}
```
harbor-log listens on port 1514 to collect the logs. Inside the container the log directory is organized by date; below is the ui log, and the other logs look similar.
```shell
ls /var/log/docker/2017-05-18/
CROND.log adminserver.log anacron.log proxy.log registry.log run-parts.log ui.log
tail -300f /var/log/docker/2017-05-18/ui.log
```
That completes the walkthrough of all of Harbor's components; the code will be covered in detail later!