Concepts:
Repository: a place where images are stored centrally. Repositories can be public or private (public repositories include "http://hub.docker.com" and the domestic mirror "http://www.daocloud.io").
Registry: the server that hosts repositories. Each server can hold multiple repositories, each repository can hold multiple images, each image can run multiple containers, and each container runs one application or one group of applications.
Docker Hub provides many official images as well as images uploaded by individuals. We can download images provided by organizations or individuals, upload our own local images, and download them again whenever we need them. The drawbacks are:
(1) Because of network conditions, downloading images from and uploading images to Docker Hub can be slow.
(2) The images we use in production may contain our code, configuration and so on, which we do not want outsiders to obtain; only developers on the internal network should be allowed to download them. Anything uploaded to Docker Hub is visible to everyone.
A private Docker registry solves both problems: running a private registry on the internal network makes downloads and uploads fast for internal staff, independent of external bandwidth, while people outside the internal network cannot download our images.
Harbor is an enterprise-grade Docker Registry project recently open-sourced by VMware (https://github.com/vmware/harbor), a registry server for storing and distributing Docker images. Its goal is to help users quickly set up an enterprise-grade Docker registry. It provides a management UI, role-based access control (RBAC), AD/LDAP integration, audit logging and other features enterprise users need, and it has native Chinese-language support. Every Harbor component is built as a Docker container, and Harbor is deployed with Docker Compose.
Here we use two hosts (IPs 172.16.50.36 and 172.16.50.37) and install Harbor on "37". First install Harbor's dependencies: docker and docker-compose.
I. Install Docker (omitted)
Install docker on both hosts (see "Installing Docker on CentOS 7").
II. Install docker-compose
(docker-compose controls multiple Docker containers; it is the tool for orchestrating Docker containers. It defines and runs multi-container applications, so several containers can be started with a single command, and shell scripts are no longer needed to start containers.)
1. Download and install (installing with curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose did not succeed because of network problems.)
1.1 Install docker-compose
1.1.1 Install epel
[root@localhost ~]# yum install epel-release -y
(output omitted)
已安装:
epel-release.noarch 0:7-11
完毕!
1.1.2 Install pip
[root@localhost ~]# yum install python-pip -y
已加载插件:fastestmirror
(output omitted)
已安装:
python2-pip.noarch 0:8.1.2-6.el7
作为依赖被安装:
python-backports.x86_64 0:1.0-8.el7 python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7 python-ipaddress.noarch 0:1.0.16-2.el7 python-setuptools.noarch 0:0.9.8-7.el7
完毕!
1.1.3 Confirm the pip installation
[root@localhost ~]# pip --version
pip 8.1.2 from /usr/lib/python2.7/site-packages (python 2.7)
1.1.4 Upgrade pip
Run pip install --upgrade pip; otherwise installing docker-compose reports:
You are using pip version 8.1.2, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[root@localhost ~]# pip install --upgrade pip
Collecting pip
(output omitted)
Successfully installed pip-18.1
1.2 Install docker-compose
[root@localhost ~]# pip install docker-compose
Collecting docker-compose
(output omitted)
Successfully installed PyYAML-3.13 cached-property-1.5.1 certifi-2018.10.15 chardet-3.0.4 docker-3.5.0 docker-compose-1.22.0 docker-pycreds-0.3.0 dockerpty-0.4.1 docopt-0.6.2 enum34-1.1.6 functools32-3.2.3.post2 idna-2.6 jsonschema-2.6.0 requests-2.18.4 six-1.11.0 texttable-0.9.1 urllib3-1.22 websocket-client-0.53.0
III. Install Harbor
1. Download the Harbor installer
Download page: https://github.com/goharbor/harbor/releases
Download link: https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz
[root@localhost ~]# wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz
[root@localhost ~]# tar xvf harbor-offline-installer-v1.6.1.tgz
2. Configure harbor.cfg in the harbor directory
[root@localhost harbor]# vi harbor.cfg
File contents:
## Configuration file of Harbor
# hostname is the address clients use to reach Harbor; it may be an IP or a domain name, but not 127.0.0.1 or localhost. Here it is set to the host's own IP.
hostname = 172.16.50.37
# Password for the admin UI login after Harbor starts; the default is Harbor12345
harbor_admin_password = Harbor12345
# Authentication mode. Several modes are supported, such as LDAP, local storage and database authentication. The default is db_auth, authentication against Harbor's own database.
auth_mode = db_auth
# Whether self-registration is enabled
self_registration = on
# Token validity period, 30 minutes by default
token_expiration = 30
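Two of the values above decide who can get into the registry: the shipped admin password and self-registration, which lets anyone who can reach the portal create an account. The following shell function is an added example, not part of the original post or of Harbor; it reads a harbor.cfg (the "key = value" format shown above) and reports those settings, plus a hostname that clients could not reach. The function names and the sample file are this example's own.

```shell
# Added example, not part of the original post: audit a harbor.cfg for the
# settings discussed above that leave a private registry weaker than intended.
# The sample file below is constructed for the demo; the function names are
# this example's own.

harbor_cfg_get() {
    # harbor_cfg_get FILE KEY -> value of the last "KEY = value" line, with
    # surrounding whitespace removed. Comment lines starting with # never match.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

harbor_cfg_audit() {
    # harbor_cfg_audit FILE -> prints one finding per line; exit 0 when clean.
    file=$1
    findings=0

    if [ "$(harbor_cfg_get "$file" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password is still the shipped default Harbor12345"
        findings=$((findings + 1))
    fi

    if [ "$(harbor_cfg_get "$file" self_registration)" = "on" ]; then
        echo "self_registration = on: anyone who can reach the portal can create an account"
        findings=$((findings + 1))
    fi

    case "$(harbor_cfg_get "$file" hostname)" in
        ""|127.0.0.1|localhost)
            echo "hostname must be an address clients can reach, not loopback or empty"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Demo on a constructed copy of the values shown in the post.
HARBOR_CFG_DEMO=$(mktemp)
cat > "$HARBOR_CFG_DEMO" <<'EOF'
## Configuration file of Harbor
hostname = 172.16.50.37
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
EOF
harbor_cfg_audit "$HARBOR_CFG_DEMO" || echo "fix these before running ./install.sh"
rm -f "$HARBOR_CFG_DEMO"
```

Run it against the real harbor.cfg before ./install.sh; with the values from the post it reports the default admin password and self-registration, and exits non-zero so it can gate a deployment script.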
3. Start Harbor
After editing the configuration file, run ./install.sh in the current directory. Harbor then downloads the images it depends on according to the docker-compose.yml in that directory, checks them, and starts each service in order. (This script can also be used to restart Harbor.)
[root@localhost harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 18.06.1
Note: docker-compose version: 1.22.0
[Step 1]: loading Harbor images ...
ad50e89f4922: Loading layer [==================================================>] 133.4MB/133.4MB
(output omitted)
[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating harbor-adminserver ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://172.16.50.37.
For more details, please visit https://github.com/goharbor/harbor .
4. The images Harbor depends on and the services it started are shown below:
[root@localhost harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/chartmuseum-photon v0.7.1-v1.6.1 f0a2dbee1ff1 2 days ago 350MB
goharbor/harbor-migrator v1.6.1 60e8be845b35 2 days ago 798MB
goharbor/redis-photon v1.6.1 6a67380bb061 2 days ago 210MB
goharbor/clair-photon v2.0.6-v1.6.1 c4fcdbae7df2 2 days ago 302MB
goharbor/notary-server-photon v0.5.1-v1.6.1 f1afd44d9f9b 2 days ago 209MB
goharbor/notary-signer-photon v0.5.1-v1.6.1 83aa51867207 2 days ago 207MB
goharbor/registry-photon v2.6.2-v1.6.1 f4cb5e83f0a4 2 days ago 196MB
goharbor/nginx-photon v1.6.1 9ca888fe33b2 2 days ago 132MB
goharbor/harbor-log v1.6.1 9b1ea3f29465 2 days ago 198MB
goharbor/harbor-jobservice v1.6.1 9ca6fd371ca6 2 days ago 192MB
goharbor/harbor-ui v1.6.1 305ee5b8952c 2 days ago 215MB
goharbor/harbor-adminserver v1.6.1 a3e95f74984e 2 days ago 181MB
goharbor/harbor-db v1.6.1 3bea3bff0190 2 days ago 219MB
Check the compose status (run this command in the harbor directory):
[root@localhost harbor]# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /entrypoint.sh postgres Up (healthy) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
5. Access Web Harbor
Once startup completes, browse to the hostname just configured, http://172.16.50.37. The default port is 80; if that port is already in use, change the port mapping of the corresponding service in docker-compose.yml.
Enter the username admin and the default password (or the password you changed it to).
The system's modules are as follows:
Projects: create/delete projects, view image repositories, add members to a project, view operation logs, replicate projects, etc.
Logs: create, push, pull and other operation logs for every image in the registry
Administration
User management: create/delete users, grant administrator rights, etc.
Replication management: create/delete replication endpoints, create/delete/enable/disable replication rules, etc.
Configuration management: authentication mode, replication, email settings, system settings, etc.
Other settings
User settings: change the username, email and display name
Change password: change the user's password
Note: a user who is not a system administrator sees only the projects and logs they have permission for; the other modules are hidden.
6. Create a project (repository)
Create a project named docker-test and set it to private. Note: once a project is made public, anyone has read access to the images under it, and command-line users can pull images from the project without "docker login".
7. Push a local image to the Harbor registry
7.1 Log in
With the project created, we can push local images to the Harbor registry as the admin user. For example, to push a local image:
from another client host that has a docker environment, log in to the Harbor registry:
[root@localhost ~]# docker login 172.16.50.37
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
FAQ:
(1) If the message "failed to get default registry endpoint from daemon (Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?)" appears:
Solution: docker is not running. Start it with systemctl start docker and check its status with docker version.
(2) Error: Error response from daemon: Get https://172.16.50.37/v2/: dial tcp 172.16.50.37:443: connect: connection refused
Starting with docker 1.3.2, the docker registry uses https by default. We left Harbor in its default http mode, so docker login, pull, push and similar commands against a non-https docker registry report this error.
Solution: on the client host that performs the login, add the following to /etc/docker/daemon.json (create the file if it does not exist):
{
"insecure-registries": [
"172.16.50.37"
]
}
Restart docker: systemctl restart docker.service
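Listing a host under insecure-registries tells the client to accept plain HTTP (and an untrusted certificate) for that host only, so the login credentials and image layers cross the internal network unencrypted; list the single Harbor address, never a broad network range, and plan to move Harbor to https with your own certificate. The function below is an added example, not part of the original post or of Docker; it writes the daemon.json shown above when no config exists, is a no-op when the host is already listed, and refuses to touch a file that already has other settings, because those need a proper JSON merge. The file path is a parameter so the function can be tried on a scratch path; on a real client it is /etc/docker/daemon.json, followed by the docker restart above.

```shell
# Added example, not part of the original post: record the Harbor host as an
# insecure (plain-HTTP) registry in a Docker daemon.json. FILE is a parameter so
# the function can be tried on a scratch path; on a real client it is
# /etc/docker/daemon.json and docker must be restarted afterwards.

add_insecure_registry() {
    file=$1
    registry=$2

    if [ ! -e "$file" ]; then
        # No daemon config yet: write the minimal file the post shows.
        printf '{\n  "insecure-registries": [\n    "%s"\n  ]\n}\n' "$registry" > "$file"
        echo "created $file listing $registry"
        return 0
    fi

    # -F: the registry is a literal string; dots in an IP must not act as regex wildcards.
    if grep -qF "\"$registry\"" "$file"; then
        echo "$registry is already listed in $file"
        return 0
    fi

    # An existing file with other keys needs a real JSON merge (for example with
    # jq). Refuse rather than risk producing a daemon.json docker will not parse.
    echo "$file exists but does not list $registry; merge the key by hand" >&2
    return 2
}

# Demo on a scratch directory, constructed for the example.
DEMO_DIR=$(mktemp -d)
add_insecure_registry "$DEMO_DIR/daemon.json" 172.16.50.37
add_insecure_registry "$DEMO_DIR/daemon.json" 172.16.50.37
cat "$DEMO_DIR/daemon.json"
rm -rf "$DEMO_DIR"
```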
(3) Error: Error response from daemon: Get https://172.16.50.37/v2/: dial tcp 172.16.50.37:443: connect: no route to host
Solution: open ports 80 and 443 on the Harbor host:
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
[root@localhost ~]# firewall-cmd --zone=public --add-port=443/tcp --permanent
[root@localhost ~]# firewall-cmd --reload
[root@localhost ~]# firewall-cmd --zone=public --list-ports
80/tcp 443/tcp
7.2 Tag the image
Check whether an image exists; create one if not.
[root@localhost system]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest 4ab4c602aa5e 5 weeks ago 1.84kB
Tag the image (the reference format is registry IP:port/project/image name:tag)
[root@localhost system]# docker tag hello-world 172.16.50.37/repo-test/hello-world:hw20181019tag
List the images again; the tagged image is now present.
[root@localhost system]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.16.50.37/repo-test/hello-world hw20181019tag 4ab4c602aa5e 5 weeks ago 1.84kB
hello-world latest 4ab4c602aa5e 5 weeks ago 1.84kB
7.3 Push to the registry
[root@localhost system]# docker push 172.16.50.37/repo-test/hello-world
The push refers to repository [172.16.50.37/repo-test/hello-world]
428c97da766c: Pushed
hw20181019tag: digest: sha256:1a6fd470b9ce10849be79e99529a88371dff60c60aab424c077007f6979b4812 size: 524
After the push finishes, log in to Web Harbor and select the project to see the image.
FAQ:
1. Error:
The push refers to repository [172.16.50.37/repo-test]
428c97da766c: Retrying in 1 second
received unexpected HTTP status: 500 Internal Server Error
(1) Checked the error log with journalctl -u docker.service, but nothing useful showed up...
(2) Tried disabling selinux: edit /etc/selinux/config, comment out "SELINUX=enforcing" and "SELINUXTYPE=targeted", and add "SELINUX=disabled". This disables it permanently but needs a reboot to take effect. To avoid rebooting, use "setenforce 0" to disable it temporarily; "getenforce" shows the selinux status. (This did not solve the problem.)
(3) The log file /var/log/harbor/registry.log shows:
Oct 19 17:26:44 172.18.0.1 registry[1479]: time="2018-10-19T09:26:44.703034974Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.7.3 http.request.host=172.16.50.37 http.request.id=4d6b8a2c-20c2-4504-a90b-8f9843399f17 http.request.method=GET http.request.remoteaddr=172.16.50.36 http.request.uri="/v2/" http.request.useragent="docker/18.06.1-ce go/go1.10.3 git-commit/e68fc7a kernel/3.10.0-862.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/18.06.1-ce \\(linux\\))" instance.id=ffcae3a5-e4e4-447f-a986-8b3b12448d70 service=registry version=v2.6.2
Oct 19 17:26:44 172.18.0.1 registry[1479]: 172.18.0.3 - - [19/Oct/2018:09:26:44 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/18.06.1-ce go/go1.10.3 git-commit/e68fc7a kernel/3.10.0-862.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/18.06.1-ce \\(linux\\))"
Solution: the HTTP status "401 87" is 401 Unauthorized, which points at permissions. The real cause was a wrong reference: the push should have been docker push 172.16.50.37/repo-test/hello-world, but it was run as docker push 172.16.50.37/repo-test.
If Harbor's configuration file harbor.cfg needs to be changed: because Harbor is orchestrated with docker-compose, Harbor can be restarted with docker-compose commands. Without changing the configuration file, restart Harbor with: docker-compose start | stop | restart
1. Stop Harbor
$ docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done ......
Removing harbor-log ... done
Removing network harbor_harbor
2. Start Harbor
$ docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... ......
Creating nginx Creating harbor-jobservice ... done
Reference: https://blog.csdn.net/weixin_41465338/article/details/80146218?utm_source=blogxgwz0