centos7上harbor搭建实践记录

一、docker安装

1、删除原有docker:

sudo yum remove docker \

                  docker-client \

                  docker-client-latest \

                  docker-common \

                  docker-latest \

                  docker-latest-logrotate \

                  docker-logrotate \

                  docker-selinux \

                  docker-engine-selinux \

                  docker-engine

 

2、配置系统docker源

 

sudo yum install -y yum-utils device-mapper-persistent-data lvm2

## 注意：此处更换了阿里的源，适用国内用户

yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

 

3、查看docker安装列表，选择并安装

sudo yum list docker-ce --showduplicates

# 此处直接安装最新版本的docker-ce

sudo yum install -y docker-ce

 

# 注：如果要安装指定的版本可以参考下边的命令

sudo yum install -y docker-ce-3:19.03.8-3.el7.x86_64

 

4、启动docker

sudo systemctl  enable docker &&  systemctl  start docker

 

 

二、docker-compose

 

sudo curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

 

sudo chmod +x /usr/local/bin/docker-compose

 

docker-compose --version

 

三、harbor安装

 

1、下载（个人使用迅雷还是蛮快的）

https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-offline-installer-v1.1.2.tgz

手册：https://github.com/bluecoffee1013/docker-library/blob/master/docs/How%20to%20install%20Harbor.md

2、安装

tar xvfz harbor-offline-installer-v1.1.2.tgz

 

编辑harbor.cfg（为避免手册失效，把手册内容复制过来）

harbor的nginx默认暴露本机的80端口，但是一般80端口都会被占用，我改成8060端口，如下是我的配置文件，有改动的地方我用**标注了，大家也可以根据实际情况进行修改

## Configuration file of Harbor

 

#The IP address or hostname to access admin UI and registry service.

#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.

#修改成本地IP:暴露端口

** hostname = 192.168.3.42:8060

 

#The protocol for accessing the UI and token/notification service, by default it is http.

#It can be set to https if ssl is enabled on nginx.

ui_url_protocol = http

 

#The password for the root user of mysql db, change this before any production use.

db_password = root123

 

#Maximum number of job workers in job service

max_job_workers = 3

 

#Determine whether or not to generate certificate for the registry's token.

#If the value is on, the prepare script creates new root cert and private key

#for generating token to access the registry. If the value is off the default key/cert will be used.

#This flag also controls the creation of the notary signer's cert.

customize_crt = on

 

#The path of cert and key files for nginx, they are applied only the protocol is set to https

#存放认证书的位置

**ssl_cert = ./data/cert/server.crt

**ssl_cert_key = ./data/cert/server.key

 

#The path of secretkey storage

**secretkey_path = ./data

 

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone

admiral_url = NA

 

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES

#only take effect in the first boot, the subsequent changes of these properties

#should be performed on web ui

 

#************************BEGIN INITIAL PROPERTIES************************

 

#Email account settings for sending out password resetting emails.

 

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.

#Identity left blank to act as username.

email_identity =

 

email_server = smtp.mydomain.com

email_server_port = 25

email_username = sample_admin@mydomain.com

email_password = abc

email_from = admin <sample_admin@mydomain.com>

email_ssl = false

 

##The initial password of Harbor admin, only works for the first time when Harbor starts.

#It has no effect after the first launch of Harbor.

#Change the admin password from UI after launching Harbor.

# 默认的管理员登录密码

harbor_admin_password = Harbor12345

 

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.

#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.

auth_mode = db_auth

 

#The url for an ldap endpoint.

ldap_url = ldaps://ldap.mydomain.com

 

#A user's DN who has the permission to search the LDAP/AD server.

#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.

#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

 

#the password of the ldap_searchdn

#ldap_search_pwd = password

 

#The base DN from which to look up a user in LDAP/AD

ldap_basedn = ou=people,dc=mydomain,dc=com

 

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.

#ldap_filter = (objectClass=person)

 

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD

ldap_uid = uid

 

#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE

ldap_scope = 3

 

#Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.

ldap_timeout = 5

 

#Turn on or off the self-registration feature

#是否允许用户注册

self_registration = off

 

#The expiration time (in minute) of token created by token service, default is 30 minutes

token_expiration = 30

 

#The flag to control what users have permission to create projects

#The default value "everyone" allows everyone to creates a project.

#Set to "adminonly" so that only admin user can create project.

#只有管理员可以有权限创建项目

**project_creation_restriction = adminonly

 

#Determine whether the job service should verify the ssl cert when it connects to a remote registry.

#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.

verify_remote_cert = on

#************************END INITIAL PROPERTIES************************

#############

修改docker-compose.yml

找到proxy那一段代码，将80改成8060

 proxy:

    image: vmware/nginx:1.11.5-patched

    container_name: nginx

    restart: always

    volumes:

      - ./common/config/nginx:/etc/nginx:z

    networks:

      - harbor

    ports:

      - 8060:80 //此处原来是80:80

      - 443:443

      - 4443:4443

    depends_on:

      - mysql

      - registry

      - ui

      - log

    logging:

      driver: "syslog"

      options:

        syslog-address: "tcp://127.0.0.1:1514"

        tag: "proxy"

 

改完配置后，可以安装了。

./prepare

./install.sh

如果配置有问题，重新配置再执行下./install.sh就可以了。

个人按照手册去配置docker，结果一直无法启动。后面直接跳过，运行安装，也是可以的。

安装完成后，浏览器输入192.168.3.42:8060就可以打开控制台了，账号admin,密码Harbor12345。后台可以修改用户密码，还有其他配置信息，不一定要配置文件上修改安装。

 

三、项目创建与镜像推送

 

项目创建，打开管理后台，创建个项目harbor。

 

镜像推送：

1、docker配置

由于个人没有配置过daemon.json文件，如果已经存在就配置，不要使用以下命令，直接添加

"insecure-registries":["192.168.20.120:8060"]这个内容就好了，如{
  "registry-mirrors": [ "https://registry.docker-cn.com"],
  "insecure-registries": [ "192.168.20.120:8060"]
}。没有的执行下面命令：

echo '{"insecure-registries":["192.168.20.120:8060"]}' > /etc/docker/daemon.json

 

配置完执行

systemctl restart docker

 

2、登录

docker login http://192.168.20.120:8060

输入账号密码就可以了。

 

3、测试镜像推送

docker images 查看已有镜像

这里我们测试推送nginx镜像

docker pull nginx  拉取镜像

docker tag nginx:latest 192.168.20.120:8060/harbor/nginx:1.19.3  打标签

docker push 192.168.20.120:8060/harbor/nginx:1.19.3    推送到harbor仓库

 

打开控制台搜索下，推送的镜像名称可以发现已经推送成功