Docker Application Case Study: Building a Private Registry with Harbor
Preface
This environment is built on CentOS 7.8 with Docker 19.03.13.
For the build steps, see "Building Docker-19.03.13".
In the previous chapter we built a private registry with registry. In practice, private registries built on Harbor are increasingly widespread in enterprises, and Harbor likewise supports both HTTP and HTTPS. Below we walk through building a Harbor-based private registry with HTTPS support.
I. Getting to Know Harbor
About Harbor
- Harbor is an open source Registry server project designed for enterprise users by VMware's China team. It includes the functions an enterprise needs, such as role-based access control (RBAC), LDAP, auditing, a management UI, self-registration and HA, and adds image replication and Chinese-language support for Chinese users.
- Harbor is an open source trusted cloud native registry project that stores, signs and scans content. Harbor extends the open source Docker Distribution with the capabilities users usually need, such as security, identity and management. Keeping the registry close to the build and run environments improves image transfer efficiency. Harbor supports replicating images between registries and also offers advanced security features such as user management, access control and activity auditing.
- Harbor is hosted by the Cloud Native Computing Foundation (CNCF). Its code is hosted on GitHub.
Harbor Features
- Cloud native registry: Harbor supports both container images and Helm charts and serves as a registry for cloud native environments such as container runtimes and orchestration platforms.
- Role-based access control: users and repositories are organized into "projects", and a user can hold different permissions on the images under a project.
- Policy-based image replication: images can be replicated (synchronized) between multiple registry instances according to policies with multiple filters (repository, tag and label). If any error occurs, Harbor automatically retries the replication. This suits load balancing, high availability, multi-datacenter, hybrid-cloud and multi-cloud scenarios.
- Vulnerability scanning: Harbor scans images regularly and warns users about vulnerabilities.
- LDAP/AD support: Harbor integrates with an existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor and assigning them the appropriate project roles.
- Image deletion and garbage collection: images can be deleted and the space they used reclaimed.
- Notary: the authenticity of images can be guaranteed.
- Graphical user portal: users can easily browse and search repositories and manage projects.
- Auditing: every operation on a repository is tracked.
- RESTful API: a RESTful API covers most administrative operations and is easy to integrate with external systems.
- Easy deployment: both online and offline installers are provided.
Harbor configuration file
Harbor's configuration file was harbor.cfg.
Newer versions have switched to a YAML-format file, harbor.yml.
II. Environment Preparation
Environment
- Two Linux hosts with Docker deployed; for their configuration, see the chapter "Building Docker-19.03.13"
- The two hosts are named servera.wan.host and serverb.wan.host; serverb is the image registry server and servera is the registry client
- hosts-file name resolution is configured
Harbor is deployed as several Docker containers, so it can be deployed on any Linux distribution that supports Docker. The target host needs Docker and Docker Compose for the installation.
- The table below lists the minimum and recommended hardware configuration for deploying Harbor.
- The table below lists the software versions that must be installed on the target host.
Software | Version | Description |
---|---|---|
Python | 2.7 or higher | Note that on Linux distributions that do not install a Python interpreter by default (Gentoo, Arch), you may have to install Python yourself |
Docker engine | 17.06.0-ce or higher | For installation instructions, see: https://docs.docker.com/compose/install/ |
Docker Compose | 1.18.0 or higher | For installation instructions, see: https://docker.com/compose/install/ |
OpenSSL | latest preferred | Used to generate Harbor's certificates and keys |
- Harbor requires the following ports to be open on the target host.
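Before running the installer it is worth confirming these requirements mechanically rather than by eye. The script below is an added example, not part of the original post or of the Harbor project: it parses the version line each tool prints, compares it against the minimum from the table above, and reports a verdict per tool. All function names are this example's own, and the strings in its self-test are constructed to look like the tools' real output.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Harbor host meets the
# minimum versions from the requirements table before running install.sh.
# Function names are this example's own.

# version_ge A B: succeed when dotted version A is >= B. Suffixes such as "-ce"
# are ignored, missing fields count as 0, leading zeros ("06") are tolerated.
version_ge() {
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9' | sed 's/^0*\([0-9]\)/\1/')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9' | sed 's/^0*\([0-9]\)/\1/')
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# extract_version: print the first dotted number found on stdin,
# e.g. "Docker version 19.03.13, build ..." -> 19.03.13; prints nothing if none.
extract_version() {
    sed 's/^/ /' | sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# installed_version TOOL: print TOOL's version, or nothing if it is not installed.
installed_version() {
    command -v "$1" >/dev/null 2>&1 || return 0
    case "$1" in
        python)          python -V 2>&1 ;;              # Python 2 prints -V on stderr
        docker)          docker --version 2>&1 ;;
        docker-compose)  docker-compose version 2>&1 ;; # first line carries the version
        openssl)         openssl version 2>&1 ;;
        *)               "$1" --version 2>&1 ;;
    esac | extract_version
}

# require_version LABEL FOUND MIN: print a verdict line; fail when FOUND is empty or < MIN.
require_version() {
    if [ -z "$2" ]; then
        printf 'MISSING  %-15s (need >= %s)\n' "$1" "$3"; return 1
    elif version_ge "$2" "$3"; then
        printf 'OK       %-15s %s (need >= %s)\n' "$1" "$2" "$3"
    else
        printf 'TOO OLD  %-15s %s (need >= %s)\n' "$1" "$2" "$3"; return 1
    fi
}

# check_prereqs: minimums from the requirements table. OpenSSL has no stated
# minimum ("latest preferred"), so it is only reported. Non-zero if anything fails.
check_prereqs() {
    rc=0
    require_version "Python"         "$(installed_version python)"         2.7     || rc=1
    require_version "Docker engine"  "$(installed_version docker)"         17.06.0 || rc=1
    require_version "Docker Compose" "$(installed_version docker-compose)" 1.18.0  || rc=1
    printf 'INFO     %-15s %s\n' "OpenSSL" "$(installed_version openssl)"
    return $rc
}

# Usage: sh harbor-prereqs.sh --check   (the check runs only when asked)
if [ "${1:-}" = "--check" ]; then
    if check_prereqs; then echo "prerequisites satisfied, install.sh can run"; else echo "fix the items above first"; fi
fi
```

Run it on the registry host (serverb in this setup) before `./install.sh`; a MISSING or TOO OLD line is what the installer would otherwise discover half-way through.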
III. Building an HTTPS Private Registry with Harbor
Generate the certificate
[root@serverb ~]# mkdir -p /opt/certs
[root@serverb ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout /opt/certs/serverb.wan.host.key \
> -x509 -days 36500 -out /opt/certs/serverb.wan.host.crt
Generating a 4096 bit RSA private key
...........................++
................................................++
writing new private key to '/opt/certs/serverb.wan.host.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SX
Locality Name (eg, city) [Default City]:XI`AN
Organization Name (eg, company) [Default Company Ltd]:SCHOLL
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:serverb.wan.host
Email Address []:wan@123.com
[root@serverb ~]# ll /opt/certs/
total 8
-rw-r--r--. 1 root root 2082 Nov 6 21:09 serverb.wan.host.crt
-rw-r--r--. 1 root root 3272 Nov 6 21:09 serverb.wan.host.key
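The interactive `openssl req` above yields a certificate whose only identity is the CN, and leaves the private key readable by every user on the host (-rw-r--r--). Go's TLS stack stopped falling back to the CN in Go 1.15, so Docker builds on newer Go reject a certificate that does not carry the hostname in a subjectAltName. The script below is an added example (not from the post or from Harbor) that issues the certificate non-interactively with a DNS SAN and then checks the result before the certificate:/private_key: lines in harbor.yml are pointed at it: the key matches the certificate, the SAN is present, the CN is right, the certificate verifies against itself (which is how the client will use it once it is copied in as ca.crt), and it is not about to expire. The /opt/certs directory and the serverb.wan.host default follow the post; the function names are this example's own, and the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): issue the
# registry certificate with a subjectAltName and sanity-check it.
# Function names are this example's own; defaults mirror the post.

# gen_cert DIR HOST [DAYS] [BITS]: self-signed certificate + key with DNS:HOST in the SAN.
# A config file is used instead of -addext so it also works on CentOS 7's OpenSSL 1.0.2.
gen_cert() {
    dir="$1"; host="$2"; days="${3:-3650}"; bits="${4:-4096}"
    mkdir -p "$dir" || return 1
    printf '%s\n' \
        '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_server' \
        '[dn]' "CN = $host" 'O = SCHOLL' 'C = CN' \
        '[v3_server]' "subjectAltName = DNS:$host" 'extendedKeyUsage = serverAuth' \
        > "$dir/$host.cnf" || return 1
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days "$days" \
        -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.crt" || return 1
    chmod 600 "$dir/$host.key"   # unlike the -rw-r--r-- key in the post's listing
}

# cert_matches_key CRT KEY: the certificate's public key is the one derived from KEY.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san CRT HOST: HOST appears as a DNS entry in the subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -qE "DNS:$2"'(,|[[:space:]]|$)'
}

# cert_cn CRT: print the subject CN (handles the 1.0.2 "/CN=" and 1.1+ "CN = " formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_not_expiring CRT DAYS: the certificate stays valid for at least DAYS more days.
cert_not_expiring() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_self_verifies CRT: CRT validates with itself as the trust anchor, which is
# exactly how the client uses it after it is copied to /etc/docker/certs.d/HOST/ca.crt.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_cert DIR HOST: run every check with one verdict line each; non-zero on any failure.
check_cert() {
    crt="$1/$2.crt"; key="$1/$2.key"; rc=0
    cert_matches_key "$crt" "$key"  && echo "ok   key matches certificate" || { echo "FAIL key does not match certificate"; rc=1; }
    cert_has_san "$crt" "$2"        && echo "ok   SAN contains DNS:$2"      || { echo "FAIL no DNS:$2 in subjectAltName"; rc=1; }
    [ "$(cert_cn "$crt")" = "$2" ]  && echo "ok   CN is $2"                 || { echo "FAIL CN is '$(cert_cn "$crt")', expected $2"; rc=1; }
    cert_self_verifies "$crt"       && echo "ok   verifies as its own CA"   || { echo "FAIL does not verify against itself"; rc=1; }
    cert_not_expiring "$crt" 30     && echo "ok   valid for more than 30 days" || { echo "FAIL expires within 30 days"; rc=1; }
    return $rc
}

# Usage: sh harbor-cert.sh /opt/certs serverb.wan.host   (runs only when both arguments are given)
if [ $# -ge 2 ]; then
    gen_cert "$1" "$2" && check_cert "$1" "$2"
fi
```

The same check_cert function is worth re-running against whatever certificate harbor.yml finally references; a FAIL on the SAN line is the one that shows up later as a TLS error on the client rather than on the server.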
Upload docker-compose
[root@serverb ~]# cd /usr/local/bin/
Grant docker-compose execute permission and check its version
[root@serverb bin]# chmod +x docker-compose
[root@serverb bin]# docker-compose version
docker-compose version 1.27.4, build 40524192
docker-py version: 4.3.1
CPython version: 3.7.7
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
Upload Harbor
Extract it and edit the configuration file
[root@serverb ~]# ll
total 732032
-rw-------. 1 root root 1496 Jun 1 21:14 anaconda-ks.cfg
-rw-r--r--. 1 root root 12218968 Nov 6 21:43 docker-compose
-rw-r--r--. 1 root root 556130191 Nov 6 21:53 harbor-offline-installer-v2.1.0.tgz
-rwxr-xr-x. 1 root root 118 Jun 12 19:34 hostname.sh
-rw-r--r--. 1 root root 181238643 Jun 7 14:06 jdk-8u60-linux-x64.tar.gz
[root@serverb ~]# tar xf harbor-offline-installer-v2.1.0.tgz -C /usr/local/
[root@serverb ~]# cd /usr/local/harbor/
[root@serverb harbor]# ls
common.sh harbor.v2.1.0.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
[root@serverb harbor]# cp harbor.yml.tmpl harbor.yml
[root@serverb harbor]# vim harbor.yml
hostname: serverb.wan.host
certificate: /opt/certs/serverb.wan.host.crt
private_key: /opt/certs/serverb.wan.host.key
Copy the certificate to the client
[root@servera ~]# mkdir -p /etc/docker/certs.d/serverb.wan.host
[root@servera ~]# cd /etc/docker/certs.d/serverb.wan.host/
[root@servera serverb.wan.host]# scp serverb.wan.host:/opt/certs/domain.
domain.crt domain.key
[root@servera serverb.wan.host]# scp serverb.wan.host:/opt/certs/serverb.wan.host.crt ca.crt
The authenticity of host 'serverb.wan.host (192.168.5.12)' can't be established.
ECDSA key fingerprint is SHA256:8KoAXpPVTPc8T4wS2TQoTrAcVmbrZUqiI0UQ4L56zCQ.
ECDSA key fingerprint is MD5:48:a8:5d:58:f3:a7:c6:9b:b8:11:1a:1c:09:a8:55:04.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'serverb.wan.host' (ECDSA) to the list of known hosts.
root@serverb.wan.host's password:
serverb.wan.host.crt 100% 2082 581.4KB/s 00:00
[root@servera serverb.wan.host]# ll
total 4
-rw-r--r-- 1 root root 2082 Nov 6 22:16 ca.crt
Install Harbor
[root@serverb harbor]# ./install.sh
[root@serverb harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
17cd5e6092a4 goharbor/nginx-photon:v2.1.0 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp nginx
bea70cb16054 goharbor/harbor-jobservice:v2.1.0 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
51231af1cd02 goharbor/harbor-core:v2.1.0 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
b9c9fd6d0e23 goharbor/harbor-registryctl:v2.1.0 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
916fed2aab3d goharbor/harbor-portal:v2.1.0 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) harbor-portal
6bde26633569 goharbor/harbor-db:v2.1.0 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) harbor-db
8193796d28fb goharbor/redis-photon:v2.1.0 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) redis
26a7c4404907 goharbor/registry-photon:v2.1.0 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) registry
81642ae4ac13 goharbor/harbor-log:v2.1.0 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
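Rather than scanning the `docker ps` output by eye after install.sh, the following added example (not from the post or from Harbor) checks that each of the nine containers listed above is running and reports "(healthy)", and names any that are missing, restarting or still starting. The container names come from the output above; the sample input the script carries is constructed to match the shape of `docker ps --format '{{.Names}}\t{{.Status}}'`, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm every container Harbor
# started reports "(healthy)". Container names are from the post's docker ps
# output; SAMPLE_PS is constructed input; function names are this example's own.

HARBOR_CONTAINERS="nginx harbor-jobservice harbor-core registryctl harbor-portal harbor-db redis registry harbor-log"

# harbor_unhealthy: read NAME<TAB>STATUS lines on stdin; print one line per
# expected container that is missing, restarting, or not yet "(healthy)".
harbor_unhealthy() {
    input=$(cat)
    for name in $HARBOR_CONTAINERS; do
        status=$(printf '%s\n' "$input" | awk -F'\t' -v n="$name" '$1 == n { print $2; exit }')
        case "$status" in
            "")             echo "$name: not running" ;;
            *"(healthy)"*)  ;;                        # the state install.sh should leave it in
            *)              echo "$name: $status" ;;  # e.g. "Up 10 seconds (health: starting)"
        esac
    done
}

# harbor_ready: succeed only when harbor_unhealthy reports nothing for the stdin input.
harbor_ready() {
    problems=$(harbor_unhealthy)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    set -- $HARBOR_CONTAINERS
    echo "all $# Harbor containers are up and healthy"
}

# Constructed sample: six healthy containers, one restarting, one still
# starting its health check, and harbor-log absent altogether.
SAMPLE_PS=$(printf 'nginx\tUp About a minute (healthy)
harbor-jobservice\tUp About a minute (healthy)
harbor-core\tRestarting (1) 5 seconds ago
registryctl\tUp About a minute (healthy)
harbor-portal\tUp About a minute (healthy)
harbor-db\tUp About a minute (health: starting)
redis\tUp About a minute (healthy)
registry\tUp About a minute (healthy)')

# Usage: sh harbor-health.sh --live   (query docker on the registry host)
#        sh harbor-health.sh --demo   (run against SAMPLE_PS)
case "${1:-}" in
    --live) docker ps --format '{{.Names}}\t{{.Status}}' | harbor_ready ;;
    --demo) printf '%s\n' "$SAMPLE_PS" | harbor_ready ;;
esac
```

A "(health: starting)" line right after install.sh is normal for a short while; a container that stays there, or one that is "Restarting", is the signal to read `docker logs` for that container before opening the web UI.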
Manage via the browser
https://192.168.5.12/
Click Advanced, then Proceed past the self-signed certificate warning
Enter the username and password to log in
Login screen
Create a user
Create a project
Assign users to the project
Check the image push format shown on the repository page
Prepare the image to upload and tag it
[root@servera ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
9758c28807f2: Pull complete
Digest: sha256:a9286defaba7b3a519d585ba0e37d0b2cbee74ebfe590960b0b1d6a5e97d1e1d
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@servera ~]# docker tag busybox:latest serverb.wan.host/docker_regist_manager/busybox:v1
[root@servera ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest f0b02e9d092d 3 weeks ago 1.23MB
serverb.wan.host/docker_regist_manager/busybox v1 f0b02e9d092d 3 weeks ago 1.23MB
Push the image
[root@servera ~]# docker login serverb.wan.host -u Mr.Zhang -p Harbor12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@servera ~]# docker push serverb.wan.host/docker_regist_manager/busybox:v1
The push refers to repository [serverb.wan.host/docker_regist_manager/busybox]
d2421964bad1: Pushed
v1: digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc size: 527
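The two warnings `docker login` prints above are worth acting on. The script below is an added example (not from the post or from Harbor): it feeds the password to docker's --password-stdin option from a file that only its owner can read, refusing a file with looser permissions, and then counts the base64 "auth" entries left in docker's config.json so you can see whether credentials are still stored unencrypted on the client. The credentials file path in the usage line is an assumption, the function names are this example's own, and the config.json samples in the self-test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): registry login without the
# password on the command line, plus a check for plaintext stored credentials.
# Function names and the credentials file path are this example's own.

# secret_file_ok FILE: a regular file whose group/other permission bits are all clear.
secret_file_ok() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$1: mode $mode is readable by others (want 600)" >&2; return 1 ;;
    esac
}

# registry_login HOST USER FILE: `docker login` with the password from FILE on stdin,
# so it never appears in the process list or the shell history.
registry_login() {
    secret_file_ok "$3" || return 1
    docker login "$1" -u "$2" --password-stdin < "$3"
}

# stored_auth_count CONFIG: number of "auth" entries (base64 user:password, one
# per line as docker writes them) in docker's config.json. 0 means nothing is
# stored in the clear, typically because a credential helper (credsStore) is set.
stored_auth_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '"auth"[[:space:]]*:' "$1" || true
}

# Usage: sh harbor-login.sh serverb.wan.host Mr.Zhang /root/.harbor-pass
#        (the password file path is an assumption; create it with umask 077)
if [ $# -eq 3 ]; then
    registry_login "$1" "$2" "$3" \
        && echo "plaintext auth entries in $HOME/.docker/config.json: $(stored_auth_count "$HOME/.docker/config.json")"
fi
```

After the login, a count of 1 confirms what the second warning says: the base64 value under "auths" decodes straight back to user:password, so the config file deserves the same 600 permissions as the password file until a credential helper is configured.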
Check in the UI
Drill down for details
Delete all local images and pull the image again from the private registry
[root@servera ~]# docker image rmi serverb.wan.host/docker_regist_manager/busybox:v1
Untagged: serverb.wan.host/docker_regist_manager/busybox:v1
Untagged: serverb.wan.host/docker_regist_manager/busybox@sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Deleted: sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
Deleted: sha256:d2421964bad195c959ba147ad21626ccddc73a4f2638664ad1c07bd9df48a675
[root@servera ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@servera ~]# docker pull serverb.wan.host/docker_regist_manager/busybox:v1
v1: Pulling from docker_regist_manager/busybox
9758c28807f2: Pull complete
Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Status: Downloaded newer image for serverb.wan.host/docker_regist_manager/busybox:v1
serverb.wan.host/docker_regist_manager/busybox:v1
[root@servera ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
serverb.wan.host/docker_regist_manager/busybox v1 f0b02e9d092d 3 weeks ago 1.23MB
Run a container
[root@servera ~]# docker run --rm -it --name docker_regist_manager_busybox serverb.wan.host/docker_regist_manager/busybox:v1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
178: eth0@if179: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # uname -r
3.10.0-1127.el7.x86_64
/ # exit