harbor仓库的构建及简单使用
前言:
首先,什么是harbor?
Harbor 是由 VMware 公司中国团队为企业用户设计的 Registry server 开源项目,包括了权限管理(RBAC)、LDAP、审计、管理界面、自我注册、HA 等企业必需的功能,同时针对中国用户的特点,设计镜像复制和中文支持等功能。作为一个企业级私有 Registry 服务器,Harbor 提供了更好的性能和安全。提升用户使用 Registry 构建和运行环境传输镜像的效率。Harbor 支持安装在多个 Registry 节点的镜像资源复制,镜像全部保存在私有 Registry 中, 确保数据和知识产权在公司内部网络中管控。另外,Harbor 也提供了高级的安全特性,诸如用户管理,访问控制和活动审计等。
好了,说人话,harbor是一个可供企业使用的私有仓库,提供权限管理。存储等功能,也就是说功能和docker官方仓库极为类似,但控制管理权都由搭建harbor者定义的高度可定制化的私人仓库。可以这么理解,harbor就是一个升级版的ftp服务器,只是这个服务器提供的服务是镜像存储,安装,多用户权限管理,并且由于该服务器可安装在企业内部网络中,镜像的传输效率是有绝对的保障。
另外,harbor还可以对镜像扫描漏洞,这个就比较nice了,自己制作的镜像质量也会有一定的保障了。
因为该项目是docker仓库项目,自然所有模块都是使用docker镜像来构建,其中使用到的docker镜像如下(主要是8个镜像):
vmware/harbor-log v1.2.0 c7887347f435 2 years ago 200MB
#日志功能
vmware/harbor-jobservice v1.2.0 1fb18427db11 2 years ago 164MB
#工作流程控制
vmware/harbor-ui v1.2.0 b7069ac3bd4b 2 years ago 178MB
#web 的ui界面
vmware/harbor-adminserver v1.2.0 a18331f0c1ae 2 years ago 142MB
#harbor的管理员服务
vmware/harbor-db v1.2.0 deb8033b1c86 2 years ago 329MB
#harbor的数据库
vmware/registry 2.6.2-photon 5d9100e4350e 2 years ago 173MB
#harbor的注册功能
vmware/postgresql 9.6.4-photon c562762cbd12 2 years ago 225MB
#harbor的分布式关系型数据库
vmware/clair v2.0.1-photon f04966b4af6c 2 years ago 297MB
#harbor 的容器漏洞分析服务
vmware/nginx-photon 1.11.13 285492ff20d6 3 years ago 147MB
#NGINX的Python驱动
vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 3 years ago 324MB
#harbor的HTTPS证书服务
vmware/notary-photon signer-0.5.0 b1eda7d10640 3 years ago 156MB
#证书服务的Python驱动
vmware/notary-photon server-0.5.0 6e2646682e3c 3 years ago 157MB
photon 1.0 e6e4e4a2ba1b 4 years ago 128MB
#harbor的磁力链下载服务================================================================================================================================
环境简介:
本例使用的服务器IP地址是192.168.217.23,此服务器内安装了docker-compose和docker环境,操作系统是centos7
[root@node3 harbor]# docker version
Client: Docker Engine - Community
Version: 19.03.9
API version: 1.40
Go version: go1.13.10
Git commit: 9d988398e7
Built: Fri May 15 00:22:47 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.9
API version: 1.40 (minimum version 1.12)
Go version: go1.13.10
Git commit: 9d988398e7
Built: Fri May 15 00:28:17 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
[root@node3 harbor]# docker-compose --version
docker-compose version 1.25.1, build a82fef07
安装包下载地址:
链接:https://pan.baidu.com/s/1yyFalQ4mVWILnsbqSXNvhw?pwd=star
提取码:star
本例使用的版本是 harbor-offline-installer-v1.5.0
================================================================================================================================
证书的制作:
新建一个目录专门用于存放证书,证书制作的命令都在这个目录下进行:
mkdir -p /opt/harbor/cert/
cd /opt/harbor/cert/1,
生成CA证书私钥
openssl genrsa -out ca.key 4096输出如下:
[root@node3 harbor]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................................................++
..................................................................................................................++
e is 65537 (0x10001)
2,
生成CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.217.23"\
-key ca.key \
-out ca.crt3,
生成服务器证书 1)生成私钥
openssl genrsa -out 192.168.217.23.key 40962)生成证书签名请求(CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.217.23" \
-key 192.168.217.23.key \
-out 192.168.217.23.csr
3)生成一个x509 v3扩展文件
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.217.23
EOF4)使用该v3.ext文件为您的Harbor主机生成证书
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in 192.168.217.23.csr -out 192.168.217.23.crt5)转换 192.168.217.23.crt 为192.168.217.23.cert,供Docker使用。
原因是
Docker守护程序将.crt文件解释为CA证书,并将.cert文件解释为客户端证书,很明显现在是客户端证书,因此需要转换一下。
openssl x509 -inform PEM -in 192.168.217.23.crt -out 192.168.217.23.cert总计证书相关文件有这些:
[root@node3 cert]# ls -al
total 32
drwxr-xr-x 2 root root 167 Nov 29 18:05 .
drwxr-xr-x 3 root root 18 Nov 29 17:18 ..
-rw-r--r-- 1 root root 2057 Nov 29 18:05 192.168.217.23.cert
-rw-r--r-- 1 root root 2057 Nov 29 17:36 192.168.217.23.crt
-rw-r--r-- 1 root root 1708 Nov 29 17:27 192.168.217.23.csr
-rw-r--r-- 1 root root 3243 Nov 29 17:23 192.168.217.23.key
-rw-r--r-- 1 root root 2033 Nov 29 17:20 ca.crt
-rw-r--r-- 1 root root 3243 Nov 29 17:20 ca.key
-rw-r--r-- 1 root root 17 Nov 29 17:36 ca.srl
-rw-r--r-- 1 root root 206 Nov 29 17:30 v3.ext
================================================================================================================================
证书的分发:
通过以上的证书制作,我们应该可以得到很多证书文件,docker也需要使用这些证书:
mkdir -p /etc/docker/certs.d/192.168.217.23
cp /opt/harbor/cert/192.168.217.23.cert /etc/docker/certs.d/192.168.217.23/
cp /opt/harbor/cert/192.168.217.23.key /etc/docker/certs.d/192.168.217.23/
cp /opt/harbor/cert/ca.crt /etc/docker/certs.d/192.168.217.23/
重启docker服务:
systemctl daemon-reload && systemctl restart docker================================================================================================================================================================================================================================================================
OK,上面我们制作好了证书,那么,现在就可以进行正式的部署了,下载下来的安装包解压后的目录是这样的;
[root@node4 harbor]# pwd
/usr/local/harbor
[root@node3 harbor]# ls -al
total 854964
drwxr-xr-x 4 root root 4096 Nov 29 20:27 .
drwxr-xr-x. 15 root root 186 Nov 28 21:52 ..
drwxr-xr-x 4 root root 37 Nov 28 22:07 common
-rw-r--r-- 1 root root 1185 Nov 28 21:52 docker-compose.clair.yml
-rw-r--r-- 1 root root 1725 Nov 28 21:52 docker-compose.notary.yml
-rw-r--r-- 1 root root 3596 Nov 28 21:52 docker-compose.yml
drwxr-xr-x 3 root root 156 Nov 28 21:52 ha
-rw-r--r-- 1 root root 6714 Nov 29 19:17 harbor.cfg
-rw-r--r-- 1 root root 875401338 Nov 28 21:52 harbor.v1.5.0.tar.gz
-rwxr-xr-x 1 root root 5773 Nov 28 21:52 install.sh
-rw-r--r-- 1 root root 10771 Nov 28 21:52 LICENSE
-rw-r--r-- 1 root root 482 Nov 28 21:52 NOTICE
-rwxr-xr-x 1 root root 27379 Nov 28 21:52 prepare
主要是编辑主配置文件harbor.cfg的前面一部分(多余的注释我就去掉了,省的看的眼花):
这里注意,hostname要写IP,不使用域名,原因是证书没有使用域名。
证书的路径和前面证书制作的路径是对应的。
harbor_admin_password 的值是登陆用的admin的密码,如果是实际生产的话,建议复杂密码。
_version = 1.5.0
clients.
hostname = 192.168.217.23
ui_url_protocol = https
max_job_workers = 50
customize_crt = on
ssl_cert = /opt/harbor/cert/192.168.217.23.crt
ssl_cert_key = /opt/harbor/cert/192.168.217.23.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
配置文件按需修改完成后,保存即可,下面将开始初始化安装。
=======================================================================================
初始化安装harbor:
增加参数--with-clair 启用扫描漏洞功能:
./install.sh --with-clair此命令输出如下:
docker的版本是ce 19.0.3.9,如果低于18,应该会报错,不能初始化的。
docker-compose的版本是 1.25.1,如果低于1.6,应该会报错,不能初始化的。
harbor可以反复初始化,下面的输出也表示我是再次初始化的。
Now you should be able to visit the admin portal at https://192.168.217.23. 这一段表示harbor开启https是成功的。
[Step 0]: checking installation environment ...
Note: docker version: 19.03.9
Note: docker-compose version: 1.25.1
[Step 1]: loading Harbor images ...
Loaded image: vmware/clair-photon:v2.0.1-v1.5.0
Loaded image: vmware/postgresql-photon:v1.5.0
Loaded image: vmware/harbor-adminserver:v1.5.0
Loaded image: vmware/registry-photon:v2.6.2-v1.5.0
Loaded image: vmware/photon:1.0
Loaded image: vmware/harbor-migrator:v1.5.0
Loaded image: vmware/harbor-ui:v1.5.0
Loaded image: vmware/redis-photon:v1.5.0
Loaded image: vmware/nginx-photon:v1.5.0
Loaded image: vmware/mariadb-photon:v1.5.0
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.0
Loaded image: vmware/harbor-log:v1.5.0
Loaded image: vmware/harbor-db:v1.5.0
Loaded image: vmware/harbor-jobservice:v1.5.0
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.0
[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
Clearing the configuration file: ./common/config/clair/postgresql-init.d/README.md
Clearing the configuration file: ./common/config/clair/postgres_env
Clearing the configuration file: ./common/config/clair/config.yaml
Clearing the configuration file: ./common/config/clair/clair_env
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
Copying offline data file for clair DB
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
Note: stopping existing Harbor instance ...
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing clair ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-adminserver ... done
Removing clair-db ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
Removing network harbor_harbor-clair
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... done
Creating clair-db ... done
Creating harbor-db ... done
Creating redis ... done
Creating harbor-adminserver ... done
Creating registry ... done
Creating clair ... done
Creating harbor-ui ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://192.168.217.23.
For more details, please visit https://github.com/vmware/harbor .
#######注:下面写的启停脚本有得时候并不太管用,初始化命令倒是可以反复执行,该命令不会清除任何已存在的数据,因此,如果遇到以下的情况,可以执行初始化命令,一般多来个几次就好了。
有一个服务是starting,web界面什么的也是不可用,当然了,push或者pull镜像也是无法用的,这个时候初始化几次即可
[root@centos4 harbor]# docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (health: starting)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp 直到全部服务都是healthy,harbor才可以算作恢复正常使用:
[root@centos4 harbor]# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp ================================================================================================================================================================================================================================================================
验证初始化成果:
OK,正常初始化完毕后,需要告诉docker引擎这个私有仓库是可以使用的,因此,编辑docker的配置文件:
主要是添加这一行:"insecure-registries": ["192.168.217.23:443"], 当然,在其它的服务器上使用此harbor仓库,也需要配置这一行。
cat >/etc/docker/daemon.json<<EOF
{
"registry-mirrors": ["https://b0j89uo8.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.217.23:443"],
"exec-opts":["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF重启docker服务:
systemctl daemon-reload && systemctl restart docker1,
命令行登陆私有harbor仓库
docker login https://192.168.217.23输出如下(登陆成功):
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
2,
harbor UI 登陆:
https://192.168.217.23 即可登录 ,用户名是admin,密码是harbor.cfg里配置的初始登录密码
harbor的扫描漏洞功能:
登陆进入后,假设已经有一个上传到此私有仓库的镜像:
关于harbor的主配置文件更改问题:
主配置文件的某些地方做了调整后,不需要再次初始化
其实,比较的简单,在安装目录下执行prepare脚本后,在重启harbor即可:
[root@node3 harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
================================================================================================================================================================================================================================================================
harbor的维护工作:
1,
查看harbor各个组件的状态:
docker-compose ps
如下,全部up表示harbor正常工作:
[root@node3 harbor]# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp 2,
harbor的启停脚本(systemd):
cat >/usr/lib/systemd/system/harbor.service<<EOF
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF有了这个脚本后,harbor的启停就方便很多了:
systemctl enable harbor && systemctl start harbor3 ,
上传镜像到harbor:
先查看有哪些镜像:
[root@node4 harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.217.23/flannel v0.13.0 e708f4bb69e3 2 years ago 57.2MB
192.168.217.23/test/flannel v0.13.0 e708f4bb69e3 2 years ago 57.2MB
quay.io/coreos/flannel v0.13.0 e708f4bb69e3 2 years ago 57.2MB
上传到默认的那个项目也就是library内,因此,修改tag适配以私有 仓库:
docker tag quay.io/coreos/flannel:v0.13.0 192.168.217.23/library/flannel:0.13命令行登录harbor:
[root@node4 harbor]# docker login https://192.168.217.23
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传镜像:
[root@node4 harbor]# docker push 192.168.217.23/library/flannel:0.13
The push refers to repository [192.168.217.23/library/flannel]
1a6a4161ff3a: Mounted from test/flannel
8a984b390686: Mounted from test/flannel
bfb960ebd228: Mounted from test/flannel
24d8f5a426b6: Mounted from test/flannel
90679e912622: Mounted from test/flannel
0be670d27a91: Mounted from test/flannel
50644c29ef5a: Mounted from test/flannel
0.13: digest: sha256:34860ea294a018d392e61936f19a7862d5e92039d196cac9176da14b2bbd0fe3 size: 1785
在harbor的web端可以看到有镜像了:
4,
命令行查看默认的library项目内有哪些镜像:
用户名和密码可以随意填写,--insecure必须要有
[root@node3 harbor]# curl -u "admin:123456" -X GET -H "Content-Type: application/json" "https://192.168.217.23/api/search?" --insecure
{
"project": [
{
"project_id": 1,
"owner_id": 1,
"name": "library",
"creation_time": "2022-11-28T14:07:11Z",
"update_time": "2022-11-28T14:07:11Z",
"deleted": 0,
"owner_name": "",
"togglable": false,
"current_user_role_id": 0,
"repo_count": 1,
"metadata": {
"public": "true"
}
}
],
"repository": [
{
"project_id": 1,
"project_name": "library",
"project_public": true,
"pull_count": 0,
"repository_name": "library/flannel",
"tags_count": 1
}
]
================================================================================================================================================================================================================================================================================================================================================================================================
附一:
简单的报错处理和
一,
unauthorized: authentication required
[root@node4 harbor]# docker login https://192.168.217.23
Authenticating with existing credentials...
Stored credentials invalid or expired
Username (admin):
Password:
Error response from daemon: Get https://192.168.217.23/v2/: unauthorized: authentication required
这个的错误是由于密码没有输入正确的原因,找到正确的密码输入即可登陆成功。
二,
Login did not succeed, error: Error response from daemon: Get https://192.168.217.23/v2/: x509: certificate signed by unknown authority
这样的报错原因是由于docker缺少证书导致的:
[root@node4 192.168.217.23]# pwd
/etc/docker/certs.d/192.168.217.23
[root@node4 192.168.217.23]# ls -al
total 8
drwxr-xr-x 2 root root 59 Nov 29 22:58 .
drwxr-xr-x 3 root root 28 Nov 29 22:17 ..
-rw-r--r-- 1 root root 2057 Nov 29 22:17 192.168.217.23.cert
-rw-r--r-- 1 root root 3243 Nov 29 22:17 192.168.217.23.key
因此,重新拷贝ca.crt 到此目录下即可解决。
稍作总结,ssl的登陆方式需要每个客户端都有证书的哦,当然了,这样的话,整个harbor的安全性会比较高的哦。
附二:
Harbor在架构上主要由6个组件构成:
-
Proxy:Harbor的registry, UI, token等服务,通过一个前置的反向代理统一接收浏览器、Docker客户端的请求,并将请求转发给后端不同的服务。
-
Registry: 负责储存Docker镜像,并处理docker push/pull 命令。由于我们要对用户进行访问控制,即不同用户对Docker image有不同的读写权限,Registry会指向一个token服务,强制用户的每次docker pull/push请求都要携带一个合法的token, Registry会通过公钥对token 进行解密验证。
-
Core services: 这是Harbor的核心功能,主要提供以下服务:
-
UI:提供图形化界面,帮助用户管理registry上的镜像(image), 并对用户进行授权。
-
webhook:为了及时获取registry 上image状态变化的情况, 在Registry上配置webhook,把状态变化传递给UI模块。
-
token 服务:负责根据用户权限给每个docker push/pull命令签发token. Docker 客户端向Regiøstry服务发起的请求,如果不包含token,会被重定向到这里,获得token后再重新向Registry进行请求。
-
Database:为core services提供数据库服务,负责储存用户权限、审计日志、Docker image分组信息等数据。
-
Job Services:提供镜像远程复制功能,可以把本地镜像同步到其他Harbor实例中。
-
Log collector:为了帮助监控Harbor运行,负责收集其他组件的log,供日后进行分析。
[root@node3 harbor]#docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp - nginx:nginx负责流量转发和安全验证,对外提供的流量都是从nginx中转,所以开放https的443端口,它将流量分发到后端的ui和正在docker镜像存储的docker registry。
- harbor-jobservice:harbor-jobservice 是harbor的job管理模块,job在harbor里面主要是为了镜像仓库之前同步使用的;
- harbor-ui:harbor-ui是web管理页面,主要是前端的页面和后端CURD的接口;
- registry:registry就是docker原生的仓库,负责保存镜像。
- harbor-adminserver:harbor-adminserver是harbor系统管理接口,可以修改系统配置以及获取系统信息。
- harbor-db:harbor-db是harbor的数据库,这里保存了系统的job以及项目、人员权限管理。由于本harbor的认证也是通过数据,在生产环节大多对接到企业的ldap中;
- harbor-log:harbor-log是harbor的日志服务,统一管理harbor的日志。通过inspect可以看出容器统一将日志输出的syslog。
- redis 同harbor-db,只是分工有所不同罢了
这几个容器通过Docker link的形式连接在一起,在容器之间通过容器名字互相访问。对终端用户而言,只需要暴露proxy (即Nginx)的服务端口。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
