Harbor

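Whether you build a private registry with docker-distribution or by running the official registry image as a container, the earlier demonstrations show that the result is very bare-bones, and less convenient than simply using the official Docker Hub to manage images. Docker Hub at least lets you manage and search images through a web interface, and its Webhooks and Automated Builds can build images automatically from a Dockerfile: instead of running docker build locally, you push all the build-context files to GitHub as a repository, and Docker Hub pulls those files from GitHub to perform the build.

However powerful the official Docker Hub is, it is hosted overseas, so speed is the biggest bottleneck, and in many cases using the official registry is simply not an option. The two self-hosting approaches described above, though, are very basic and hard to manage, which led to a project favored by the CNCF: Harbor.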

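Introduction to Harbor

Harbor was built by VMware as a second layer of packaging on top of Docker Registry, adding many extra components and providing a very attractive web interface.

  • Harbor is an open-source, trusted, cloud-native registry project used for storing images, managing users, and looking up images.
  • Harbor extends the open-source Docker Distribution by adding the functionality users usually need, such as security, identity and management.
  • Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.

Harbor features

Features:

  • Multi-tenant content signing and validation
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently Chinese and English)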

Docker compose

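Deploying Harbor directly on a physical machine is very difficult. To simplify this, the Harbor project ships Harbor as an application that runs in containers. It depends on several storage systems such as redis, mysql and pgsql, so many containers have to be orchestrated to work together; as a result, deploying and using VMware Harbor relies on Docker's single-host orchestration.

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from that configuration.

Deploying a Harbor private image registry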

  • Environment
Hostname    IP                 Applications to install                                    OS
registry    192.168.218.144    docker, Docker Compose, harbor-offline-installer-v2.3.5    centos8
docker      192.168.218.130    docker                                                     centos8

Docker is already installed on both hosts.

  • Disable the firewall and SELinux
[root@registry ~]# systemctl --now disable firewalld
[root@registry ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@registry ~]# setenforce 0 
[root@registry ~]# reboot
[root@registry ~]# getenforce 
Disabled
//SELinux must be in the disabled state
//Install Compose
[root@registry ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   664  100   664    0     0   1213      0 --:--:-- --:--:-- --:--:--  1211
100 12.1M  100 12.1M    0     0  2061k      0  0:00:06  0:00:06 --:--:-- 2872k

[root@registry ~]# cd /usr/local/bin/
[root@registry bin]# ls 
docker-compose

//Grant execute permission
[root@registry bin]# chmod +x docker-compose 
[root@registry bin]# ll
total 12440
-rwxr-xr-x 1 root root 12737304 Dec 16 09:40 docker-compose

//Install Harbor: download the archive into /usr/src beforehand, then extract it to /usr/local
[root@registry src]# pwd
/usr/src
[root@registry src]# ls 
debug  harbor-offline-installer-v2.3.5.tgz  kernels
[root@registry src]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@registry local]# ls 
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
  • Configure hostname resolution
//registry host
[root@registry ~]# hostname registry.example.com
[root@registry ~]# bash 
[root@registry ~]# hostname 
registry.example.com
[root@registry ~]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.218.144 registry.example.com   # add this line

//docker host
[root@docker ~]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.218.144 registry.example.com   # add this line

//Test whether the docker host can ping the registry host
[root@docker ~]# ping registry.example.com
PING registry.example.com (192.168.218.144) 56(84) bytes of data.
64 bytes from registry.example.com (192.168.218.144): icmp_seq=1 ttl=64 time=0.590 ms
64 bytes from registry.example.com (192.168.218.144): icmp_seq=2 ttl=64 time=0.162 ms
64 bytes from registry.example.com (192.168.218.144): icmp_seq=3 ttl=64 time=0.498 ms
  • Edit the Harbor configuration file
[root@registry harbor]# pwd
/usr/local/harbor
[root@registry harbor]# cp harbor.yml.tmpl harbor.yml
[root@registry harbor]# vim harbor.yml
......
hostname: registry.example.com    # change to your own hostname
......
# https related config (HTTPS is not used here, so this section is commented out)
# https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
......
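harbor_admin_password: wa12345    # Harbor web UI login password; change to suit your needs
......
data_volume: /data     # In production this should sit on a shared-storage mount point; Harbor is only being tested here, so it stays at the default /data
......
  • Run the install script
//Docker must be running before the install script is executed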
[root@registry harbor]# ./install.sh 
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

[root@registry harbor]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED      SIZE
goharbor/harbor-exporter        v2.3.5    1730c6f650e2   5 days ago   81.9MB
goharbor/chartmuseum-photon     v2.3.5    47004f032938   5 days ago   179MB
goharbor/redis-photon           v2.3.5    3d0cedc89a0d   5 days ago   156MB
goharbor/trivy-adapter-photon   v2.3.5    5c0212e98070   5 days ago   133MB
goharbor/notary-server-photon   v2.3.5    f20a76c65359   5 days ago   111MB
goharbor/notary-signer-photon   v2.3.5    b9fa38eef4d7   5 days ago   108MB
goharbor/harbor-registryctl     v2.3.5    7a52567a76ca   5 days ago   133MB
goharbor/registry-photon        v2.3.5    cf22d3e386b8   5 days ago   82.6MB
goharbor/nginx-photon           v2.3.5    5e3b6d9ce11a   5 days ago   45.7MB
goharbor/harbor-log             v2.3.5    a03e4bc963d6   5 days ago   160MB
goharbor/harbor-jobservice      v2.3.5    2ac32df5a2e0   5 days ago   211MB
goharbor/harbor-core            v2.3.5    23baee01156f   5 days ago   193MB
goharbor/harbor-portal          v2.3.5    bb545cdedf5a   5 days ago   58.9MB
goharbor/harbor-db              v2.3.5    9826c57a5749   5 days ago   221MB
goharbor/prepare                v2.3.5    a1ceaabe47b2   5 days ago   255MB

[root@registry harbor]# docker ps 
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                   PORTS                                   NAMES
b95a8b0ca5e3   goharbor/harbor-jobservice:v2.3.5    "/harbor/entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-jobservice
59cd7b9ee392   goharbor/nginx-photon:v2.3.5         "nginx -g 'daemon of…"   2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
7653c1166038   goharbor/harbor-core:v2.3.5          "/harbor/entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-core
5ea42dbaf61a   goharbor/harbor-db:v2.3.5            "/docker-entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-db
4f98e26203f3   goharbor/harbor-registryctl:v2.3.5   "/home/harbor/start.…"   2 minutes ago   Up 2 minutes (healthy)                                           registryctl
0db97d2b8469   goharbor/registry-photon:v2.3.5      "/home/harbor/entryp…"   2 minutes ago   Up 2 minutes (healthy)                                           registry
5beffbddf365   goharbor/redis-photon:v2.3.5         "redis-server /etc/r…"   2 minutes ago   Up 2 minutes (healthy)                                           redis
563e54b3ce5d   goharbor/harbor-portal:v2.3.5        "nginx -g 'daemon of…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-portal
c451055f72d8   goharbor/harbor-log:v2.3.5           "/bin/sh -c /usr/loc…"   2 minutes ago   Up 2 minutes (healthy)   127.0.0.1:1514->10514/tcp 

[root@registry harbor]# ss -antl 
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          128                127.0.0.1:1514              0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
LISTEN    0          128                     [::]:80                   [::]:*       
LISTEN    0          128                     [::]:22                   [::]:*  
  • Access the web UI

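  • Edit the Docker configuration file on the docker host
    If the client does not use HTTPS, the insecure-registries parameter must be configured in the client's /etc/docker/daemon.json.

[root@docker ~]# vim /etc/docker/daemon.json 

//Add the "insecure-registries" line
{
  "insecure-registries": ["registry.example.com"]
}

//Restart the service
[root@docker ~]# systemctl restart docker 
  • Test whether Harbor works
//Log in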
[root@docker docker]# docker login registry.example.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded


//Pull an image; at this point it comes from the official registry
[root@docker docker]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
3cb635b06aa2: Pull complete 
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@docker docker]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
busybox      latest    ffe9d497c324   8 days ago   1.24MB

//Retag the image so we can test whether it can be uploaded to the self-hosted registry
[root@docker docker]# docker tag busybox:latest registry.example.com/library/busybox:v1.0
[root@docker docker]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED      SIZE
busybox                                latest    ffe9d497c324   8 days ago   1.24MB
registry.example.com/library/busybox   v1.0      ffe9d497c324   8 days ago   1.24MB

//Push the image
[root@docker docker]# docker push registry.example.com/library/busybox:v1.0
The push refers to repository [registry.example.com/library/busybox]
64cac9eaf0da: Pushed 
v1.0: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527

[root@docker docker]# docker rmi registry.example.com/library/busybox:v1.0
Untagged: registry.example.com/library/busybox:v1.0
Untagged: registry.example.com/library/busybox@sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9

[root@docker docker]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
busybox      latest    ffe9d497c324   8 days ago   1.24MB

//Pull the image from the self-hosted registry
[root@docker docker]# docker pull registry.example.com/library/busybox:v1.0
v1.0: Pulling from library/busybox
Digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9
Status: Downloaded newer image for registry.example.com/library/busybox:v1.0
registry.example.com/library/busybox:v1.0

[root@docker docker]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED      SIZE
busybox                                latest    ffe9d497c324   8 days ago   1.24MB
registry.example.com/library/busybox   v1.0      ffe9d497c324   8 days ago   1.24MB

  • Starting and stopping Harbor
[root@registry harbor]# pwd
/usr/local/harbor

//Stop
[root@registry harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done

//Start
[root@registry harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting redis       ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done

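Notes on using Harbor:

  • Before pushing an image from a client, always run docker login to authenticate; otherwise the push will not work
  • If the client does not use HTTPS, the insecure-registries parameter must be configured in the client's /etc/docker/daemon.json
  • The data path in the configuration file should point to shared storage with ample capacity
  • Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop. For other options, see --help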
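
The test setup above comments out the https section of harbor.yml, sets a short admin password and adds insecure-registries on the client. The shell script below is an added example, not part of the original post or of the Harbor project, that flags those three settings before such a host is reused outside a lab. The function names and the 12-character minimum are assumptions of this example; Harbor12345 is the default value shipped in harbor.yml.tmpl.

```shell
#!/bin/sh
# Added example: flag the test-only shortcuts used in this walkthrough.
# Usage: sh audit.sh /usr/local/harbor/harbor.yml /etc/docker/daemon.json

# Succeeds when harbor.yml has an active (uncommented) top-level "https:" key.
harbor_https_enabled() {
    grep -Eq '^https:[[:space:]]*(#.*)?$' "$1"
}

# Prints the configured admin password with YAML comments and padding removed.
harbor_admin_password() {
    sed -n 's/^[[:space:]]*harbor_admin_password:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | head -n 1
}

# Succeeds when daemon.json lists at least one insecure registry.
docker_has_insecure_registry() {
    tr -d '[:space:]' < "$1" | grep -q '"insecure-registries":\["'
}

# Prints one finding per line; returns 1 if anything was found, else 0.
audit_harbor() {
    yml=$1; daemon=$2; rc=0
    if ! harbor_https_enabled "$yml"; then
        echo "FINDING: https section is commented out in $yml"; rc=1
    fi
    pw=$(harbor_admin_password "$yml")
    # Assumption: 12 characters is this example's minimum, not a Harbor rule.
    if [ "$pw" = "Harbor12345" ] || [ "${#pw}" -lt 12 ]; then
        echo "FINDING: harbor_admin_password is the template default or under 12 characters"; rc=1
    fi
    if [ -f "$daemon" ] && docker_has_insecure_registry "$daemon"; then
        echo "FINDING: insecure-registries is set in $daemon"; rc=1
    fi
    return "$rc"
}

# Run the audit only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_harbor "$1" "$2"; fi
```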