Introduction to Harbor
However powerful the official Docker Hub is, it is hosted overseas, so network speed is the biggest bottleneck, and much of the time using the official registry is simply not an option. The two self-hosted registry approaches described above, on the other hand, are very bare-bones and hard to manage. Later a project that won the favour of the CNCF appeared to fill this gap: Harbor.
Harbor was built by VMware as a second layer on top of Docker Registry: it adds many extra components and provides a very polished web interface.
Harbor features
Features:
- Multi-tenant content signing and validation
- Security and vulnerability analysis
- Audit logging
- Identity integration and role-based access control
- Image replication between instances
- Extensible API and graphical UI
- Internationalization (currently English and Chinese)
- Docker compose
Deploying Harbor directly on a physical host is very hard, so to simplify its use the Harbor project ships it as an application that runs in containers. That application in turn depends on a number of storage systems such as redis, mysql and pgsql, so many containers have to be orchestrated to work together; deploying and running VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose.
Harbor deployment
Hostname | IP | Service | Role |
---|---|---|---|
JLregistry.example.com | 192.168.23.180 | docker harbor | image registry |
JLtest.example.com | 192.168.23.181 | docker | pull and push images |
Install docker
CentOS 8 (the official CentOS 8 repositories have been taken offline; switching to the centos-vault repository is recommended)
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
CentOS 6 (the official CentOS 6 repositories have been taken offline; switching to the centos-vault repository is recommended)
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
CentOS 7
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
ce/linux/centos/docker-ce.repo
[root@JLregistry ~]# yum -y install docker-ce
[root@JLregistry ~]# systemctl enable --now docker
[root@JLregistry ~]# cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://tnj022g0.mirror.aliyuncs.com"]
}
EOF
[root@JLregistry ~]# systemctl restart docker
[root@JLregistry ~]# systemctl daemon-reload
Install docker compose
[root@JLregistry ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 664 100 664 0 0 982 0 --:--:-- --:--:-- --:--:-- 980
100 12.1M 100 12.1M 0 0 102k 0 0:02:01 0:02:01 --:--:-- 91328
[root@JLregistry ~]# chmod +x /usr/local/bin/docker-compose
[root@JLregistry ~]# docker-compose --version
docker-compose version 1.29.2, build 5becea4c
[root@JLregistry ~]# which docker-compose
/usr/local/bin/docker-compose
Install harbor
[root@JLregistry ~]# cd /usr/src/
[root@JLregistry src]# wget https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz
[root@JLregistry local]# ls
bin etc games harbor include lib lib64 libexec sbin share src
[root@JLregistry local]# cd harbor/
[root@JLregistry harbor]# ls
common.sh harbor.yml.tmpl LICENSE
harbor.v2.3.5.tar.gz install.sh prepare
Generate the configuration file
[root@JLregistry harbor]# cp harbor.yml.tmpl harbor.yml
[root@JLregistry harbor]# ls
common.sh harbor.yml install.sh prepare
harbor.v2.3.5.tar.gz harbor.yml.tmpl LICENSE
Edit the configuration
[root@JLregistry harbor]# vim harbor.yml
......
hostname: JLregistry.example.com # set to the Harbor server's IP address or domain name
https:
  port: 443
  certificate: /data/cert/harbor.od.com.crt
  private_key: /data/cert/harbor.od.com.key
external_url: https://JLregistry.example.com
harbor_admin_password: Harbor12345 # password for logging in to the Harbor web UI
Configure name resolution
[root@JLregistry ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.23.180 JLregistry.example.com
Run the Harbor install script
[root@JLregistry ~]# cd /usr/local/harbor/
[root@JLregistry harbor]# ./install.sh
✔ ----Harbor has been installed and started successfully.----
Start Harbor
[root@JLregistry harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
[root@JLregistry harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
Write a startup script
[root@JLregistry ~]# touch /start.sh
[root@JLregistry ~]# chmod +x /start.sh
[root@JLregistry ~]# cat > /start.sh <<EOF
#!/bin/bash
cd /usr/local/harbor/
docker-compose start
EOF
[root@JLregistry ~]# vim /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
/bin/bash -c /start.sh
[root@JLregistry ~]# chmod +x /etc/rc.local
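The header of /etc/rc.local itself recommends a systemd service over this file. As an added example (not from the original post), the shell function below writes such a unit for the Harbor installation at /usr/local/harbor, ordered after docker.service so that docker-compose always finds a running daemon; the unit name harbor.service, the target-directory argument and the helper unit_has_key are the example's own choices.

```shell
#!/bin/sh
# write_harbor_unit DIR: write harbor.service into DIR (normally /etc/systemd/system).
# Requires=/After=docker.service matters: docker-compose needs the daemon already up,
# which the rc.local approach from the post cannot guarantee during parallel boot.
write_harbor_unit() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/harbor.service" <<'EOF'
[Unit]
Description=Harbor container registry (docker-compose)
Requires=docker.service
After=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/usr/local/harbor
ExecStart=/usr/local/bin/docker-compose start
ExecStop=/usr/local/bin/docker-compose stop

[Install]
WantedBy=multi-user.target
EOF
    chmod 644 "$dir/harbor.service"
}

# unit_has_key FILE KEY VALUE: return 0 if FILE contains the exact line KEY=VALUE.
unit_has_key() {
    grep -Fxq "$2=$3" "$1"
}

# Install into the real unit directory and enable it; this replaces /start.sh
# and the rc.local hook:
#   write_harbor_unit /etc/systemd/system
#   systemctl daemon-reload && systemctl enable --now harbor.service
```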
Run the prepare script to enable HTTPS
Harbor uses an nginx instance as the reverse proxy for all of its services. You can use the prepare script to reconfigure nginx to serve HTTPS.
./prepare
If Harbor is running, stop and remove the existing instance.
Your image data stays on the filesystem, so no data is lost.
docker-compose down -v
Bring Harbor back up
docker-compose up -d
Testing from JLtest
Configure host resolution
[root@JLregistry ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.23.180 JLregistry.example.com
// registry mirror address
[root@JLregistry ~]# cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://in3617d8.mirror.aliyuncs.com"],
"insecure-registries": ["JLregistry.example.com"]
}
EOF
[root@JLregistry ~]# systemctl restart docker
[root@JLregistry ~]# systemctl daemon-reload
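As an added example (not from the original post), the script below audits the two configuration fragments shown above for the settings a reviewer would flag: the shipped default admin password in harbor.yml, a certificate path that does not look issued for the configured hostname, and an insecure-registries entry in the client's daemon.json, which makes the Docker daemon accept plain HTTP and unverified certificates for that host. The sample files are constructed copies of the post's fragments, and the audit_* function names and /tmp paths are the example's own; the proper replacement for insecure-registries is to trust the registry's CA by placing it at /etc/docker/certs.d/JLregistry.example.com/ca.crt.

```shell
#!/bin/sh
# Constructed sample of the harbor.yml fragment from the post (not the live file).
HARBOR_YML=/tmp/harbor-audit-sample.yml
cat > "$HARBOR_YML" <<'EOF'
hostname: JLregistry.example.com
https:
  port: 443
  certificate: /data/cert/harbor.od.com.crt
  private_key: /data/cert/harbor.od.com.key
external_url: https://JLregistry.example.com
harbor_admin_password: Harbor12345
EOF

# Constructed sample of the client's /etc/docker/daemon.json from the post.
DAEMON_JSON=/tmp/daemon-audit-sample.json
cat > "$DAEMON_JSON" <<'EOF'
{
"registry-mirrors": ["https://in3617d8.mirror.aliyuncs.com"],
"insecure-registries": ["JLregistry.example.com"]
}
EOF

# audit_harbor_yml FILE: print one WARN line per finding and return the count (0 = clean).
audit_harbor_yml() {
    n=0
    if grep -Eq '^harbor_admin_password: *Harbor12345 *$' "$1"; then
        echo "WARN: harbor_admin_password is still the shipped default"; n=$((n + 1))
    fi
    if ! grep -Eq '^https:' "$1"; then
        echo "WARN: no https block; Harbor will serve plain HTTP"; n=$((n + 1))
    fi
    host=$(sed -n 's/^hostname: *//p' "$1")
    cert=$(sed -n 's/^ *certificate: *//p' "$1")
    # Name heuristic only: a real check reads the certificate's SAN with openssl.
    case "$cert" in
        *"$host"*) ;;
        *) echo "WARN: certificate '$cert' does not look issued for '$host'"; n=$((n + 1)) ;;
    esac
    return $n
}

# audit_daemon_json FILE: return 1 if the daemon skips TLS verification for a registry.
audit_daemon_json() {
    if grep -q '"insecure-registries"' "$1"; then
        echo "WARN: insecure-registries disables TLS verification; trust the CA via /etc/docker/certs.d/<host>/ca.crt instead"
        return 1
    fi
    return 0
}
```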
Pull the busybox image from the official registry
[root@JLtest ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
3cb635b06aa2: Pull complete
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@JLtest ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 8 days ago 1.24MB
Log in to the registry
[root@JLtest ~]# docker login JLregistry.example.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Push the busybox image to the private registry
[root@JLregistry ~]# docker tag busybox JLregistry.example.com/library/busybox
[root@JLtest ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
JLregistry.example.com/library/busybox latest ffe9d497c324 8 days ago 1.24MB
busybox latest ffe9d497c324 8 days ago 1.24MB
[root@JLtest ~]# docker push JLregistry.example.com/library/busybox
Using default tag: latest
The push refers to repository [JLregistry.example.com/library/busybox]
64cac9eaf0da: Pushed
latest: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527
Log in to the registry to check