Harbor Source Code Analysis: Component Analysis (Part 2)

Harbor itself is made up of several components. Let's start by looking at the containers of a finished deployment.

vmware/harbor-jobservice:v1.1.1    "/harbor/harbor_jobse"                                               harbor-jobservice
vmware/nginx:1.11.5-patched        "nginx -g 'daemon off"   45 hours ago              0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
vmware/harbor-ui:v1.1.1            "/harbor/harbor_ui"                             harbor-ui
vmware/harbor-db:v1.1.1            "docker-entrypoint.sh"  3306/tcp                          harbor-db
vmware/registry:photon-2.6.0       "/entrypoint.sh serve"    5000/tcp                          registry
vmware/harbor-adminserver:v1.1.1   "/harbor/harbor_admin"                                                                        harbor-adminserver
vmware/harbor-log:v1.1.1           "/bin/sh -c 'crond &&"   127.0.0.1:1514->514/tcp            harbor-log

There are quite a few components; they are introduced one by one below.

harbor-jobservice

harbor-jobservice is Harbor's job management module. In Harbor, jobs are mainly used for replication between image registries; see the later source code analysis for details.

nginx

nginx handles traffic forwarding and security checks. All externally exposed traffic is relayed through nginx, which is why the HTTPS port 443 is opened; nginx distributes the traffic to the backend ui and to the docker registry that stores the Docker images.

worker_processes auto;

events {
  worker_connections 1024;
  use epoll;
  multi_accept on;
}

http {
  tcp_nodelay on;
  include /etc/nginx/conf.d/*.upstream.conf;
  proxy_http_version 1.1;

  upstream registry {
    server registry:5000;
  }

  upstream ui {
    server ui:80;
  }

  server {
    listen 443 ssl;

    # SSL
    ssl_certificate /etc/nginx/cert/yourdomain.com.crt;
    ssl_certificate_key /etc/nginx/cert/yourdomain.com.key;

    location / {
      proxy_pass http://ui/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_cookie_path / "/; secure";
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /v1/ {
      return 404;
    }

    location /v2/ {
      proxy_pass http://registry/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/ {
      proxy_pass http://ui/service/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/notifications {
      return 404;
    }
  }
  server {
    listen 80;
    return 301 https://$host$request_uri;
  }
}

Above is an excerpt of the main nginx configuration, which defines two upstream services, ui and registry. nginx itself listens on port 443 and uses the certificate created in the previous article, which is mounted into the container. One small detail is the last three lines: if you access port 80, you are redirected to HTTPS on port 443, which unifies authentication on a single entry point.
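As an added example (mine, not code from the original post or the Harbor project), the following Python models how the configuration above routes a request: plain HTTP is redirected, and on HTTPS the longest matching prefix location wins, which is what keeps the registry's internal webhook endpoint unreachable from outside. The host `harbor.example` and the sample request paths are assumptions.

```python
# Added example (mine, not from the post or the Harbor project): a small model of
# how the nginx config above routes requests. Prefixes, upstreams and rewrites come
# from the config; longest-prefix selection is nginx's rule for prefix locations.

# (location prefix, action, upstream, replacement for the matched prefix)
ROUTES = [
    ("/",                      "proxy", "ui",       "/"),
    ("/v1/",                   "deny",  None,       None),
    ("/v2/",                   "proxy", "registry", "/v2/"),
    ("/service/",              "proxy", "ui",       "/service/"),
    ("/service/notifications", "deny",  None,       None),  # registry webhook, internal only
]


def route(scheme, host, request_uri):
    """Return what nginx does with one request.

    ("redirect", 301, url)        -> the 'listen 80' server block
    ("deny", 404, None)           -> a 'return 404' location
    ("proxy", upstream, new_uri)  -> proxied to that upstream with the rewritten URI
    """
    if scheme == "http":
        return ("redirect", 301, "https://%s%s" % (host, request_uri))
    uri, _, query = request_uri.partition("?")  # locations match on the path only
    prefix, action, upstream, replacement = max(
        (r for r in ROUTES if uri.startswith(r[0])), key=lambda r: len(r[0]))
    if action == "deny":
        return ("deny", 404, None)
    new_uri = replacement + uri[len(prefix):]
    return ("proxy", upstream, new_uri + ("?" + query if query else ""))


def internal_endpoints_blocked(host="harbor.example"):
    """Sanity check: the endpoints the config hides must never reach an upstream.

    The sample paths are constructed for this check (host is an assumed name).
    """
    hidden = ("/v1/search", "/service/notifications", "/service/notifications/")
    return all(route("https", host, p)[0] == "deny" for p in hidden)
```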

harbor-ui

harbor-ui is the web management interface, consisting mainly of the front-end pages and the back-end CRUD APIs.

harbor-db

harbor-db is Harbor's database. It stores the system's jobs as well as projects, users and permission management. Since Harbor's authentication here also goes through the database, in production it is mostly connected to the enterprise's LDAP instead.

show tables;
+--------------------+
| Tables_in_registry |
+--------------------+
| access             |
| access_log         |
| alembic_version    |
| project            |
| project_member     |
| properties         |
| replication_job    |
| replication_policy |
| replication_target |
| repository         |
| role               |
| user               |
+--------------------+

Let's briefly introduce one of them: access is the access permission table.

select * from access;
+-----------+-------------+-------------------------------+
| access_id | access_code | comment                       |
+-----------+-------------+-------------------------------+
|         1 | M           | Management access for project |
|         2 | R           | Read access for project       |
|         3 | W           | Write access for project      |
|         4 | D           | Delete access for project     |
|         5 | S           | Search access for project     |
+-----------+-------------+-------------------------------+

It defines the management, read, write, delete and search permissions. Harbor's project table:

select * from project;
+------------+----------+---------+---------------------+---------------------+---------+--------+
| project_id | owner_id | name    | creation_time       | update_time         | deleted | public |
+------------+----------+---------+---------------------+---------------------+---------+--------+
|          1 |        1 | library | 2017-05-15 05:42:16 | 2017-05-15 05:42:16 |       0 |      1 |
|          2 |        3 | tt      | 2017-05-15 05:46:58 | 2017-05-15 05:46:58 |       0 |      1 |
|          3 |        3 | vv      | 2017-05-15 06:04:36 | 2017-05-15 06:04:36 |       0 |      1 |
+------------+----------+---------+---------------------+---------------------+---------+--------+

You can see the three projects I created.
Under a project there are repositories:

select * from repository;
+---------------+-------+------------+----------+-------------+------------+------------+---------------------+---------------------+
| repository_id | name  | project_id | owner_id | description | pull_count | star_count | creation_time       | update_time         |
+---------------+-------+------------+----------+-------------+------------+------------+---------------------+---------------------+
|             1 | tt/t1 |          2 |        3 |             |          2 |          0 | 2017-05-15 06:03:54 | 2017-05-17 12:47:41 |
|             2 | tt/tb |          2 |        3 |             |          2 |          0 | 2017-05-15 06:04:58 | 2017-05-15 06:11:06 |
+---------------+-------+------------+----------+-------------+------------+------------+---------------------+---------------------+

You can see which project each repository belongs to.
There are also the user and role tables below:

select * from role;
+---------+-----------+-----------+--------------+
| role_id | role_mask | role_code | name         |
+---------+-----------+-----------+--------------+
|       1 |         0 | MDRWS     | projectAdmin |
|       2 |         0 | RWS       | developer    |
|       3 |         0 | RS        | guest        |
+---------+-----------+-----------+--------------+

The role table defines Harbor's three roles: project admin with all permissions, developer with read, write and search, and guest with read and search.
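As an added example (mine, not from the original post or Harbor's own code), the following Python turns the access and role tables above into a permission check and a least-privilege role picker. The codes and role names are the table values; the mapping from operations such as pull and push to access codes is an assumption made for the example.

```python
# Added example (mine, not from the post or Harbor's code): the access and role
# tables above turned into a permission check. Codes and role names are the table
# values; the operation -> access-code mapping and sample calls are assumptions.

# access table: access_code -> comment
ACCESS = {
    "M": "Management access for project",
    "R": "Read access for project",
    "W": "Write access for project",
    "D": "Delete access for project",
    "S": "Search access for project",
}

# role table: name -> role_code (each character is one access_code)
ROLES = {
    "projectAdmin": "MDRWS",
    "developer": "RWS",
    "guest": "RS",
}

# Assumed mapping from registry/project operations to the access code they need.
OPERATIONS = {"pull": "R", "push": "W", "delete": "D", "search": "S", "manage": "M"}


def role_permissions(role_name):
    """Expand a role_code into {access_code: comment}, rejecting unknown codes."""
    code = ROLES[role_name]
    unknown = set(code) - set(ACCESS)
    if unknown:
        raise ValueError("role %s uses unknown access codes %s" % (role_name, sorted(unknown)))
    return {c: ACCESS[c] for c in code}


def allowed(role_name, operation):
    """True if the role's role_code contains the access code the operation needs."""
    return OPERATIONS[operation] in role_permissions(role_name)


def least_privilege_role(operations):
    """Pick the role with the fewest access codes that still covers every
    operation, or None if no role does (useful when adding project members)."""
    needed = {OPERATIONS[op] for op in operations}
    fitting = [name for name, code in ROLES.items() if needed <= set(code)]
    return min(fitting, key=lambda name: len(ROLES[name])) if fitting else None
```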

registry

registry is Docker's native registry, responsible for storing the images.

{
    "Source": "/root/harbor/common/config/registry",
    "Destination": "/etc/registry",
    "Mode": "z",
    "RW": true,
    "Propagation": "rprivate"
},
{
    "Source": "/data/registry",
    "Destination": "/storage",
    "Mode": "z",
    "RW": true,
    "Propagation": "rprivate"
}

It mainly mounts two directories: one is the configuration file directory, the other is the image storage path.
Let's look at the configuration file first.

version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /storage
    maintenance:
        uploadpurging:
            enabled: false
    delete:
        enabled: true
http:
    addr: :5000
    secret: placeholder
    debug:
        addr: localhost:5001
auth:
  token:
    issuer: harbor-token-issuer
    realm: https://reg.ennew.com/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry

notifications:
  endpoints:
      - name: harbor
        disabled: false
        url: http://ui/service/notifications
        timeout: 3000ms
        threshold: 5
        backoff: 1s

This file defines the image storage location and the token authentication section. The realm defined under token, realm: https://reg.ennew.com/service/token, is very important; I will introduce the V2 authentication system in the next article.

harbor-adminserver

harbor-adminserver is Harbor's system management interface; it can modify the system configuration and retrieve system information.

harbor-log

harbor-log is Harbor's logging service, which manages Harbor's logs centrally. From docker inspect you can see that the containers all send their logs to syslog.

"LogConfig": {
    "Type": "syslog",
    "Config": {
        "syslog-address": "tcp://127.0.0.1:1514",
        "tag": "registry"
    }
}

harbor-log listens on port 1514 to collect the logs. Looking at the log directory inside the container, the logs are organized by date. The ui log is shown below; the other logs are similar.

ls /var/log/docker/2017-05-18/ 
CROND.log  adminserver.log  anacron.log  proxy.log  registry.log  run-parts.log  ui.log

tail -300f /var/log/docker/2017-05-18/ui.log

With this, all of Harbor's components have been analyzed; the code will be explained in detail later!
