Deploying a Harbor private registry
About Harbor:
Whether you build a registry yourself with Docker-distribution or by running the official registry image as a container, the earlier demonstrations showed that the result is very bare-bones, less convenient even than managing images on the official Docker Hub. Docker Hub at least offers a web UI for managing and searching images, and it can build images automatically from a Dockerfile through Webhooks and Automated Builds: instead of running docker build locally, you push the whole build context to GitHub as a repository and Docker Hub pulls those files to perform the build.
But however capable Docker Hub is, it is hosted abroad, so network speed is the biggest bottleneck and in many situations the official registry is simply not an option. The two self-hosted approaches above are too rudimentary to manage properly, which is where Harbor, a project adopted by the CNCF, comes in.
Harbor provides the following main features:
- Image storage: Harbor stores container images so they can be managed and shared easily.
- Access control: Harbor supports flexible access-control policies that define what users and teams may do with images, including read and write permissions. This helps keep images private and secure.
- Replication and synchronization: Harbor can replicate images from one Harbor instance to another, so they can be shared across geographic locations or environments.
- Vulnerability scanning: Harbor integrates a vulnerability scanner (Trivy in Harbor 2.x) that checks images for known vulnerabilities and reports on them, and a project can be configured to refuse pulls of images above a chosen severity.
- Storage policies: users can configure retention policies and automatic clean-up (garbage collection) to control storage usage.
- Multi-tenancy: Harbor's project model lets different teams or projects create and manage their own private repositories on the same instance.
- Audit logging: Harbor records operations on the registry, so you can trace who accessed or modified an image and when.
- LDAP/AD integration: Harbor integrates with LDAP and Active Directory, so user and team access can be managed from the organization's directory.
Pros and cons of a Harbor private registry
Pros:
- Security: strong access control and vulnerability scanning help keep images secure.
- Privacy: organizations can easily create and manage private repositories and control who may access their images, so sensitive data does not leak.
- Flexibility: Harbor can run on-premises or across multiple clouds and fits a wide range of deployment scenarios.
- Multi-tenancy: different projects or teams manage their own repositories on the same instance.
- Image management: rich image-management features including replication, synchronization and storage policies.
Cons:
- Maintenance cost: deploying and maintaining Harbor takes real effort and resources, especially at scale.
- Learning curve: new users need time to learn how to configure and operate it.
- Performance: with very large numbers of images, performance can become a problem, and the deployment needs suitable hardware and tuning.
Environment:
Hostname | IP | Services deployed | OS |
---|---|---|---|
Harbor.example.com | 192.168.10.132 | docker, harbor (Docker must be installed first) | CentOS-8 |
docker | 192.168.10.133 | docker | CentOS-8 |
Configuration steps
Disable the firewall, set SELinux to permissive and configure the yum repository
Disabling the firewall and SELinux is a lab shortcut. On a real host keep firewalld running and open only the registry ports (80 and 443), and leave SELinux enforcing, which docker-ce on CentOS 8 supports.
[root@localhost ~]# systemctl disable --now firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# rm -rf /etc/yum.repos.d/*
[root@localhost ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
[root@localhost ~]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
[root@localhost ~]# yum clean all
18 files removed
[root@localhost ~]# yum makecache
Add the hostname mapping
[root@Harbor ~]# vim /etc/hosts
[root@Harbor ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.132 Harbor.example.com
# Add the Harbor entry to /etc/hosts on both the Harbor host and the host that will run the containers; the name must match the hostname set later in harbor.yml
Install Docker, start the service and configure a registry mirror (do this on both hosts)
[root@Harbor ~]# cd /etc/yum.repos.d/
[root@Harbor yum.repos.d]# curl -o docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1919 100 1919 0 0 8379 0 --:--:-- --:--:-- --:--:-- 8343
[root@Harbor yum.repos.d]# sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' docker-ce.repo
[root@Harbor yum.repos.d]# yum -y install docker-ce
......
[root@Harbor ~]# systemctl enable --now docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
[root@Harbor ~]#
Docker registry mirror
The docker-ce configuration file is /etc/docker/daemon.json. It does not exist by default and has to be created by hand; the mirror is configured through this file.
There are several mirror options:
- Docker CN
- the USTC (University of Science and Technology of China) mirror
- the Aliyun mirror (register an account on the Aliyun developer platform to get a free personal mirror endpoint)
Aliyun platform: www.aliyun.com
After logging in, open the console
Click the menu icon (the three bars)
Search for Container Registry (容器镜像服务)
Configure the mirror
[root@Harbor ~]# sudo mkdir -p /etc/docker # /etc/docker already exists once the docker service has been started
[root@Harbor ~]# sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://lgc3bg0m.mirror.aliyuncs.com"]
}
EOF
[root@Harbor ~]# sudo systemctl daemon-reload
[root@Harbor ~]# sudo systemctl restart docker
Check the mirror
[root@localhost ~]# docker info # use this command
.......
Registry Mirrors:
https://lgc3bg0m.mirror.aliyuncs.com/ # seeing this line means the mirror is configured
Live Restore Enabled: false
A mirror sits in the pull path for docker.io: layers are verified by digest, but the tag-to-manifest mapping comes from the mirror, so pin by digest where the image's provenance matters.
Check the Docker version
[root@localhost ~]# docker version
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:09:18 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:08:20 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.24
GitCommit: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
runc:
Version: 1.1.9
GitCommit: v1.1.9-0-gccaecfc
docker-init:
Version: 0.19.0
GitCommit: de40ad0
[root@localhost ~]#
Download the Harbor offline installer from the Harbor website (releases are published on GitHub) and verify the .asc signature published alongside it before unpacking
Unpack it and move it to /usr/local
[root@Harbor ~]# tar xf harbor-offline-installer-v2.9.1.tgz
[root@Harbor ~]# ls
anaconda-ks.cfg harbor harbor-offline-installer-v2.9.1.tgz
[root@Harbor ~]# mv harbor /usr/local/
[root@Harbor ~]# ls /usr/local/
bin etc games harbor include lib lib64 libexec sbin share src
[root@Harbor ~]# cd /usr/local/harbor/
[root@Harbor harbor]# ls
common.sh harbor.v2.9.1.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
[root@Harbor harbor]#
Copy the template to harbor.yml and edit /usr/local/harbor/harbor.yml
[root@Harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@Harbor harbor]# ls
common.sh harbor.v2.9.1.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
[root@Harbor harbor]#
[root@Harbor harbor]# vim harbor.yml
......
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: Harbor.example.com # set this to the hostname clients will use
.......
# https related config # commented out here, so Harbor serves plain HTTP on port 80 only
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
......
# The default data volume
data_volume: /data # where images and the database are stored on the host
......
# insecure The flag to skip verifying registry certificate
insecure: true # this key lives under the trivy: section; it only tells the Trivy scanner not to verify the registry certificate and has no effect on how Harbor itself is served
......
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345 # initial admin password, default Harbor12345; it is applied only on the first install, so change it here or in the UI immediately after starting
Commenting out https is acceptable only for a lab on a private network: without TLS every docker login sends the credentials in cleartext and every pull can be tampered with on the wire. For anything else leave the https block enabled, point certificate and private_key at a certificate issued by an internal CA, and distribute that CA to the Docker clients rather than marking the registry insecure.
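Before running install.sh it is worth checking harbor.yml for the handful of settings that decide whether the registry is exposed safely. The pre-flight script below is an added example, not part of Harbor; it assumes harbor.yml follows the layout of the v2.9 template (top-level hostname, https and harbor_admin_password keys, with insecure nested under trivy) and reads the file with sed and awk only, so it runs on the Harbor host before prepare is ever invoked. The function names are this example's own.

```shell
#!/bin/sh
# Pre-flight audit of a Harbor harbor.yml. Added example, not part of the Harbor
# distribution. It does not validate the whole YAML schema; it checks only the
# settings that matter for exposure: hostname, TLS, admin password, scanner TLS.

# yml_value FILE KEY
# Prints the value of a top-level "KEY: value" line with any trailing "# comment"
# stripped. Prints nothing when KEY is absent or commented out.
yml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# https_enabled FILE -> succeeds when an uncommented top-level "https:" block exists
https_enabled() {
    grep -Eq '^https:' "$1"
}

# https_cert_path FILE -> prints the certificate: path inside the https block, if any
https_cert_path() {
    awk '
        /^https:/        { in_https = 1; next }
        /^[^[:space:]#]/ { in_https = 0 }
        in_https && /^[[:space:]]+certificate:/ {
            sub(/^[[:space:]]+certificate:[[:space:]]*/, "")
            sub(/[[:space:]]*#.*$/, "")
            print; exit
        }
    ' "$1"
}

# trivy_insecure FILE -> succeeds when the trivy block contains "insecure: true"
trivy_insecure() {
    awk '
        /^trivy:/        { in_trivy = 1; next }
        /^[^[:space:]#]/ { in_trivy = 0 }
        in_trivy && /^[[:space:]]+insecure:[[:space:]]*true/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# harbor_yml_audit FILE
# Prints one "FAIL: ..." line per finding; prints nothing for a clean file.
# Always returns 0 so it can be used inside pipelines under "set -e".
harbor_yml_audit() {
    f=$1
    host=$(yml_value "$f" hostname)
    case "$host" in
        ""|localhost|127.0.0.1)
            echo "FAIL: hostname is '$host'; clients need a resolvable name that matches the TLS certificate" ;;
    esac
    if ! https_enabled "$f"; then
        echo "FAIL: https block is commented out; docker login credentials and image layers travel in cleartext"
    else
        cert=$(https_cert_path "$f")
        case "$cert" in
            ""|/your/certificate/path)
                echo "FAIL: https.certificate still holds the template placeholder" ;;
        esac
    fi
    pw=$(yml_value "$f" harbor_admin_password)
    if [ "$pw" = "Harbor12345" ]; then
        echo "FAIL: harbor_admin_password is the documented default"
    fi
    if trivy_insecure "$f"; then
        echo "FAIL: trivy.insecure is true; the scanner will not verify the registry certificate"
    fi
    return 0
}

# harbor_yml_fail_count FILE -> prints the number of findings (0 for a clean file)
harbor_yml_fail_count() {
    harbor_yml_audit "$1" | awk '/^FAIL:/ { n++ } END { print n + 0 }'
}

# Usage on the Harbor host:  harbor_yml_audit /usr/local/harbor/harbor.yml
```

Run it as `harbor_yml_audit /usr/local/harbor/harbor.yml`; a clean file prints nothing. For the configuration shown above it reports three findings (https commented out, default admin password, trivy.insecure set to true), which is the list to work through before the registry is reachable by anything other than a lab client.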
Run install.sh (it calls prepare, which renders common/ and docker-compose.yml from harbor.yml, and then starts the containers)
[root@Harbor harbor]# ls
common common.sh docker-compose.yml harbor.v2.9.1.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
[root@Harbor harbor]# ./install.sh
.......
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.1s
✔ Container harbor-portal Started 0.1s
✔ Container registry Started 0.1s
✔ Container redis Started 0.1s
✔ Container registryctl Started 0.1s
✔ Container harbor-db Started 0.1s
✔ Container harbor-core Started 0.0s
✔ Container nginx Started 0.0s
✔ Container harbor-jobservice Started 0.0s
✔ ----Harbor has been installed and started successfully.----
[root@Harbor harbor]#
Open the web UI by IP (http://192.168.10.132, user admin with the password from harbor.yml) and change the admin password right away
Start Harbor automatically at boot
Harbor is stopped and started with Compose from the directory that contains docker-compose.yml, so the command is placed in the last file the system runs at boot, /etc/rc.local. Use the same Compose command that install.sh found (docker compose for the v2 plugin, docker-compose for the standalone binary). Note the header of rc.local itself: a systemd unit is the recommended mechanism, and rc.local is no longer guaranteed to run after all other services, so docker.service may not be up yet when this line executes.
[root@Harbor harbor]# vim /etc/rc.local
[root@Harbor harbor]# cat /etc/rc.local
#!/bin/bash
cd /usr/local/harbor/ && docker-compose start # add this line; it runs automatically when the system boots
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
[root@Harbor harbor]# ll /etc/rc.local
lrwxrwxrwx. 1 root root 13 Feb 11 2022 /etc/rc.local -> rc.d/rc.local
[root@Harbor harbor]# chmod +x /etc/rc.d/rc.local
[root@Harbor harbor]# ll /etc/rc.d/rc.local
-rwxr-xr-x. 1 root root 520 Nov 10 22:15 /etc/rc.d/rc.local
[root@Harbor harbor]#
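The rc.local header above recommends a systemd unit, and that is also what fixes the ordering problem, since the unit can declare that it needs docker.service. The script below is an added example, not part of the Harbor distribution, that writes such a unit. It assumes Harbor lives in /usr/local/harbor as on this page, and that the Compose command you pass in is the one install.sh used, given as an absolute path because systemd requires one (for example /usr/bin/docker compose for the v2 plugin, or /usr/bin/docker-compose for the standalone binary). The function names and the optional unit directory argument are this example's own.

```shell
#!/bin/sh
# Run Harbor as a systemd unit instead of a line in /etc/rc.local. Added example,
# not part of Harbor. Harbor keeps all state under data_volume (/data) as bind
# mounts, so "down" at shutdown and "up -d" at boot do not lose any data.

# harbor_unit HARBOR_DIR COMPOSE_CMD
# Prints a unit that starts the Harbor containers after dockerd is up and stops
# them before dockerd goes down. "up -d" is used rather than "start" so the unit
# also works when the containers have never been created or were removed.
harbor_unit() {
    cat <<EOF
[Unit]
Description=Harbor container registry
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=$1
ExecStart=$2 up -d
ExecStop=$2 down
TimeoutStartSec=300

[Install]
WantedBy=multi-user.target
EOF
}

# install_harbor_unit HARBOR_DIR COMPOSE_CMD [UNIT_DIR]
# Refuses to install when docker-compose.yml is absent (install.sh not yet run),
# writes the unit as harbor.service with mode 0644 and prints its path.
# UNIT_DIR defaults to /etc/systemd/system; a scratch directory can be passed
# for testing.
install_harbor_unit() {
    unit_dir=${3:-/etc/systemd/system}
    if [ ! -f "$1/docker-compose.yml" ]; then
        echo "no docker-compose.yml in $1; run ./install.sh first" >&2
        return 1
    fi
    harbor_unit "$1" "$2" > "$unit_dir/harbor.service"
    chmod 0644 "$unit_dir/harbor.service"
    echo "$unit_dir/harbor.service"
}

# On the Harbor host, as root:
#   install_harbor_unit /usr/local/harbor "/usr/bin/docker compose"
#   systemctl daemon-reload && systemctl enable --now harbor.service
```

After `systemctl enable --now harbor.service` the rc.local line is no longer needed and should be removed, otherwise two mechanisms race to start the same containers at boot. `docker compose up -d` against containers that install.sh already started is a no-op, so enabling the unit on a running Harbor is safe.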
Log in to the private registry (Harbor) from the Docker host
Because this Harbor instance serves plain HTTP, the Docker client must list it under insecure-registries in /etc/docker/daemon.json before docker login will work; otherwise dockerd insists on HTTPS with a verifiable certificate. Be aware of what that entry does: dockerd will accept an invalid certificate if the registry does answer on HTTPS, and fall back to cleartext HTTP if it does not, so a host on the same network can capture the login credentials or substitute image content. With a TLS-enabled Harbor the correct client setup is to drop this entry and place the issuing CA certificate at /etc/docker/certs.d/Harbor.example.com/ca.crt (the directory name must match the registry host exactly as written in image references). The warning printed by docker login below is also real: the password is stored base64-encoded in /root/.docker/config.json, so configure a credential helper, and prefer a Harbor robot account over the admin user for pushes from build hosts.
[root@docker ~]# vi /etc/docker/daemon.json
[root@docker ~]# cat /etc/docker/daemon.json
{
"dns": ["114.114.114.114"],
"insecure-registries": ["Harbor.example.com"], # add this line: the private registry that may be used without TLS verification
"registry-mirrors": ["https://lgc3bg0m.mirror.aliyuncs.com"]
}
[root@docker ~]# systemctl restart docker.service # restart the daemon
[root@docker ~]# docker login Harbor.example.com # log in to the registry
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded # login succeeded
[root@docker ~]#
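The insecure-registries entry above is the lab shortcut. The script below is an added example, not part of Harbor or Docker, showing the client-side setup for a Harbor that was installed with its https block enabled: it installs the CA certificate that signed Harbor's server certificate where dockerd looks for per-registry trust, checks that the registry is no longer marked insecure in daemon.json, and logs in with the secret read from a file rather than typed on the command line. The DOCKER_ETC variable, the function names and the file names are this example's own; the certs.d layout and the docker login flags are Docker's.

```shell
#!/bin/sh
# Client-side trust setup for a TLS-enabled Harbor. Added example, not part of
# Harbor or Docker. Assumes you have the PEM CA certificate (ca.crt) that issued
# Harbor's server certificate.

# Root of the Docker client configuration; overridable so the functions can be
# exercised against a scratch directory instead of the real /etc/docker.
DOCKER_ETC=${DOCKER_ETC:-/etc/docker}

# trust_registry_ca HOST CA_FILE
# Installs CA_FILE as $DOCKER_ETC/certs.d/HOST/ca.crt. dockerd verifies the
# registry's server certificate against this file for that HOST only, so no
# "insecure-registries" entry is needed. HOST must be spelled exactly as it
# appears in image references (including the port, if one is used).
trust_registry_ca() {
    host=$1; ca=$2
    dir="$DOCKER_ETC/certs.d/$host"
    # Refuse anything that is not a PEM certificate (a key file here would be a leak)
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
    mkdir -p "$dir"
    cp "$ca" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    echo "$dir/ca.crt"
}

# registry_marked_insecure HOST [DAEMON_JSON]
# Succeeds when HOST appears in the "insecure-registries" array of daemon.json.
# Once the CA is installed this entry must go: it makes dockerd accept an invalid
# certificate and fall back to plain HTTP, which defeats the CA pinning above.
registry_marked_insecure() {
    host=$1; json=${2:-$DOCKER_ETC/daemon.json}
    [ -f "$json" ] || return 1
    h=$(printf '%s' "$host" | sed 's/\./\\./g')
    tr -d '\n' < "$json" | grep -Eq "\"insecure-registries\"[[:space:]]*:[[:space:]]*\[[^]]*\"$h\""
}

# registry_login HOST USER SECRET_FILE
# Logs in with the secret read from a file so it never appears in argv or shell
# history. Pair this with a Harbor robot account rather than the admin user, and
# configure a credential helper so the token is not stored base64-encoded in
# ~/.docker/config.json. Requires docker; not exercised by the test.
registry_login() {
    host=$1; user=$2; secret=$3
    docker login "$host" --username "$user" --password-stdin < "$secret"
}

# Typical sequence on the Docker host, as root:
#   trust_registry_ca Harbor.example.com /root/harbor-ca.crt
#   registry_marked_insecure Harbor.example.com && echo "remove the insecure-registries entry and restart docker"
#   registry_login Harbor.example.com 'robot$ci' /root/.harbor-robot-secret
```

No daemon restart is needed after adding a file under certs.d; dockerd reads it on the next connection to that host. Removing the insecure-registries entry from daemon.json does require `systemctl restart docker`.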
Pull an official image, retag it under the private registry's name and push it
[root@docker ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
a2abf6c4d29d: Pull complete
a9edb18cadd1: Pull complete
589b7251471a: Pull complete
186b1aaa4aa6: Pull complete
b4df32aa5a72: Pull complete
a0bcbecc962e: Pull complete
Digest: sha256:0d17b565c37bcbd895e9d92315a05c1c3c9a29f762b011a10c54a66cd53c9b31
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@docker ~]#
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 605c77e624dd 22 months ago 141MB
[root@docker ~]# docker tag nginx:latest Harbor.example.com/library/nginx:v0.1
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
Harbor.example.com/library/nginx v0.1 605c77e624dd 22 months ago 141MB
nginx latest 605c77e624dd 22 months ago 141MB
[root@docker ~]# docker push Harbor.example.com/library/nginx:v0.1
The push refers to repository [Harbor.example.com/library/nginx]
d874fd2bc83b: Pushed
32ce5f6a5106: Pushed
f1db227348d0: Pushed
b8d6e692a25e: Pushed
e379e8aedd4d: Pushed
2edcec3590a4: Pushed
v0.1: digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3 size: 1570
[root@docker ~]#
Check the image in the private registry's web UI
The digest reported by the push differs from the Digest line Docker Hub printed when nginx:latest was pulled: Hub's digest identifies the multi-platform manifest list, whereas only the linux/amd64 manifest was pushed to Harbor. When pinning images by digest, use the digest your own registry reports.
Delete the local copies and try pulling the image back from the private registry
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
Harbor.example.com/library/nginx v0.1 605c77e624dd 22 months ago 141MB
nginx latest 605c77e624dd 22 months ago 141MB
[root@docker ~]# docker rmi -f 605c77e624dd
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@docker ~]# docker pull Harbor.example.com/library/nginx:v0.1
v0.1: Pulling from library/nginx
a2abf6c4d29d: Pull complete
a9edb18cadd1: Pull complete
589b7251471a: Pull complete
186b1aaa4aa6: Pull complete
b4df32aa5a72: Pull complete
a0bcbecc962e: Pull complete
Digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
Status: Downloaded newer image for Harbor.example.com/library/nginx:v0.1
Harbor.example.com/library/nginx:v0.1
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
Harbor.example.com/library/nginx v0.1 605c77e624dd 22 months ago 141MB # pull succeeded
[root@docker ~]#