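1. Harbor
1.1 Overview
Harbor is an enterprise-grade Docker Registry project open-sourced by VMware.
1.2 Advantages of Harbor
- Role-based access control
- Image-based replication policy
- LDAP / AD support
- Image deletion and garbage collection
- Graphical UI
- Auditing
- RESTful API
1.3 Key concepts
■ Proxy
- A front-end reverse proxy accepts all requests from browsers and Docker clients and forwards them to the different back-end services
■ Registry
- Stores Docker images and handles the docker push/pull commands
■ Core services
- Harbor's core functions, including the UI, webhook and token services
■ Database
- Provides the database service for the core services
■ Log collector
- Collects the logs of the other components for later analysis
1.4 Docker private registry architecture topology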
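2. Lab environment
Host | Operating system | IP | Main software |
---|---|---|---|
Server | CentOS 7.3 | 20.0.0.21 | docker, docker-compose, harbor |
Client | CentOS 7.3 | 20.0.0.22 | docker |
3. Lab requirements
- Create a Docker private registry with Harbor
- Manage the images of the Docker private registry through the graphical UI
4. Lab steps
4.1 Installing the Harbor private registry
Server (harbor): 20.0.0.21
'Copy the docker-compose file onto the server'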
[root@harbor local]# chmod +x docker-compose
[root@harbor local]# mv docker-compose /usr/bin/
[root@harbor local]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3
'Copy the harbor package onto the server'
[root@harbor local]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
[root@harbor local]# cd /usr/local/harbor/
[root@harbor harbor]# vim harbor.cfg
5 hostname = 20.0.0.21 ##change to this host's address
59 harbor_admin_password = Harbor12345
##remember the password on line 59; it is used later to log in to harbor, and the default login name is admin
[root@harbor harbor]# sh /usr/local/harbor/install.sh
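[root@harbor harbor]# docker images ##list images
[root@harbor harbor]# docker ps -a ##list containers
[root@harbor harbor]# docker-compose ps ##list containers; must be run in /usr/local/harbor because the yml file is there
Enter in the browser: 20.0.0.21
Username: admin
Password: Harbor12345
Add a project and fill in the project name
4.2 Basic operations on the Harbor private registry
At this point you can use Docker commands locally, via 127.0.0.1, to log in and push images. By default,
the Registry server listens on port 80.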
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor harbor]# docker images
'//Pull an image for testing'
[root@harbor harbor]# docker pull cirros
'//Tag the image'
[root@harbor harbor]# docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1/myproject-kgc/cirros v1 3c82e4d066cf 8 months ago 12.6MB
cirros latest 3c82e4d066cf 8 months ago 12.6MB
'//Push the image to Harbor'
[root@harbor harbor]# docker push 127.0.0.1/myproject-kgc/cirros:v1
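Click the project in the browser to view it:
All of the above was done locally on the Harbor server. If another client uploads an image to Harbor, the following error is reported. The cause is that Docker talks to a registry over HTTPS by default, whereas the private registry set up here serves HTTP by default, so interaction with the private registry fails with the error below.
Client (node): 20.0.0.22
[root@node ~]# docker login -u admin -p Harbor12345 http://127.0.0.1
Error: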
[root@node ~]# docker login -u admin -p Harbor12345 http://20.0.0.21
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.195.128/v2/: EOF
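Fix:
[root@node ~]# vim /usr/lib/systemd/system/docker.service ##add the --insecure-registry option (marked in red in the original) to specify the address of the private registry instance; the connection can then go through the sock file
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 20.0.0.21 --containerd=/run/containerd/containerd.sock
'Restart the service'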
[root@node ~]# systemctl daemon-reload
[root@node ~]# systemctl restart docker
'Connect again'
[root@node ~]# docker login -u admin -p Harbor12345 http://20.0.0.21
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
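The two client-side settings visible in this session, a registry exempted from TLS with --insecure-registry and a login that Docker warns is stored unencrypted in config.json, can be audited with a short script. This is an added example, not part of the original post; the function names and sample files are constructed for illustration, and the config.json check assumes one key per line.

```sh
#!/bin/sh
# Print each registry dockerd is told to reach without verified TLS
# (--insecure-registry HOST or --insecure-registry=HOST on ExecStart).
list_insecure_registries() {
    awk '
        /^ExecStart=/ || cont {
            cont = ($0 ~ /\\$/)   # a trailing backslash continues the line
            gsub(/--insecure-registry=/, "--insecure-registry ")   # normalise the = form
            n = split($0, arg, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (arg[i] == "" || arg[i] == "\\") continue
                if (want) { print arg[i]; want = 0 }
                else if (arg[i] == "--insecure-registry") want = 1
            }
        }' "$1"
}

# Print each registry whose login sits inline in config.json; "auth" is only
# base64 of user:password. Assumes one key per line (hypothetical helper).
list_inline_credentials() {
    awk -F'"' '
        /^[ \t]*"[^"]+":[ \t]*[{]/ { host = $2 }   # enclosing registry key
        /^[ \t]*"auth":/           { print host }  # inline secret found
    ' "$1"
}

# Constructed sample files (not taken from a real host).
make_samples() {
    cat > "$1/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 20.0.0.21 \
    --containerd=/run/containerd/containerd.sock
EOF
    cat > "$1/config.json" <<'EOF'
{
    "auths": {
        "20.0.0.21": {
            "auth": "constructed-placeholder"
        },
        "127.0.0.1": {}
    }
}
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
echo "no TLS verification: $(list_insecure_registries "$tmp/docker.service")"
echo "inline credentials:  $(list_inline_credentials "$tmp/config.json")"
rm -rf "$tmp"
```

On a real client, pass /usr/lib/systemd/system/docker.service and /root/.docker/config.json, the two paths that appear in the session above.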
[root@node ~]# docker pull cirros
[root@node ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
cirros latest 3c82e4d066cf 8 months ago 12.6MB
[root@node ~]# docker pull 127.0.0.1/myproject-kgc/cirros:v1
'Error:'
[root@node ~]# docker pull 127.0.0.1/myproject-kgc/cirros:v1
Error response from daemon: Get http://127.0.0.1/v2/: dial tcp 127.0.0.1:80: connect: connection refused
'Fix:'
Change the address
[root@node ~]# docker pull 20.0.0.21/myproject-kgc/cirros:v1
v1: Pulling from myproject-kgc/cirros
Digest: sha256:c7d58d6d463247a2540b8c10ff012c34fd443426462e891b13119a9c66dfd28a
Status: Downloaded newer image for 20.0.0.21/myproject-kgc/cirros:v1
20.0.0.21/myproject-kgc/cirros:v1
[root@node ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
20.0.0.21/myproject-kgc/cirros v1 3c82e4d066cf 8 months ago 12.6MB
cirros latest 3c82e4d066cf 8 months ago 12.6MB
[root@node ~]# docker push 20.0.0.22/myproject-kgc/cirros:v2
'Error:'
[root@node ~]# docker push 20.0.0.22/myproject-kgc/cirros:v2
The push refers to repository [20.0.0.22/myproject-kgc/cirros]
Get https://20.0.0.22/v2/: dial tcp 20.0.0.22:443: connect: connection refused
'Fix:'
The address must be that of the private registry
[root@node ~]# docker tag cirros:latest 20.0.0.21/myproject-kgc/cirros:v2
[root@node ~]# docker push 20.0.0.21/myproject-kgc/cirros:v2
The push refers to repository [20.0.0.21/myproject-kgc/cirros]
858d98ac4893: Layer already exists
aa107a407592: Layer already exists
b993cfcfd8fd: Layer already exists
v2: digest: sha256:c7d58d6d463247a2540b8c10ff012c34fd443426462e891b13119a9c66dfd28a size: 943
Refresh the page and both images are visible:
20.0.0.21/myproject-kgc/cirros:v2
##private registry address/project name/image name
[root@node ~]# docker pull nginx
[root@node ~]# docker tag nginx:latest 20.0.0.21/myproject-kgc/nginx:v1
[root@node ~]# docker push 20.0.0.21/myproject-kgc/nginx:v1
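Refresh the page:
4.3 Maintaining and managing Harbor
Harbor can be managed with docker-compose. Some useful commands are shown below; they must be run in the
same directory as docker-compose.yml.
Modifying the harbor.cfg configuration file
To change Harbor's configuration, first stop the existing Harbor instance and update harbor.cfg;
then run the prepare script to populate the configuration; finally re-create and start the Harbor instance.
Server (harbor): 20.0.0.21
'Remove the Harbor service containers while keeping the image data/database
//run on the Harbor server'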
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
vim harbor.cfg
./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
//Error:
docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
//Fix: after the firewall has been turned off, docker needs to be restarted
systemctl restart docker
docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-adminserver ... done
Create a Harbor user
Create a project developer
Client (node): 20.0.0.22
'//Log out'
[root@node ~]# docker logout http://20.0.0.21
Removing login credentials for 20.0.0.21
[root@node ~]# docker login http://20.0.0.21
Username: ##kgc-zhangsan
Password: ##Harbor1234
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Server (harbor): 20.0.0.21
[root@harbor harbor]# docker tag tomcat:latest 20.0.0.21/myproject-kgc/tomcat:v1
[root@harbor harbor]# docker push 20.0.0.21/myproject-kgc/tomcat:v1
The push refers to repository [20.0.0.21/myproject-kgc/tomcat]
Get https://20.0.0.21/v2/: dial tcp 20.0.0.21:443: connect: connection refused
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://20.0.0.21
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://20.0.0.21/v2/: dial tcp 20.0.0.21:443: connect: connection refused
The local host still has to use 127.0.0.1
Other servers use 20.0.0.21
[root@harbor harbor]# docker logout http://127.0.0.1
Removing login credentials for 127.0.0.1
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor harbor]# docker tag tomcat:latest 127.0.0.1/myproject-kgc/tomcat:v1
[root@harbor harbor]# docker push 127.0.0.1/myproject-kgc/tomcat:v1
Client (node): 20.0.0.22
[root@node ~]# docker pull 20.0.0.21/myproject-kgc/tomcat:v1
Server (harbor): 20.0.0.21
'Remove the Harbor service containers while keeping the image data/database
//run on the Harbor server'
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-adminserver ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing registry ... done
Removing harbor-db ... done
Removing harbor-adminserver ... done
Removing harbor-log ... done
Removing network harbor_harbor
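To redeploy, all data of the Harbor service containers must be removed.
Persistent data such as images and the database is under /data/ on the host, and the logs are under
/var/log/Harbor/ on the host.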
rm -rf /data/database/
rm -rf /data/registry/