docker-harbor private registry setup, with authentication and web UI
4 CPU cores, 2 GB RAM (at least 2 cores)
1. Install docker; use a recent version, 1.13.1 does not work
[root@localhost ~]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
[root@localhost ~]# yum -y install docker-ce-18.06.1.ce-3.el7
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.06.1-ce
2. Upload the harbor package and the docker-compose package, then install docker-compose
[root@localhost ~]# ls harbor-offline-installer-v1.9.0.tgz
harbor-offline-installer-v1.9.0.tgz
[root@localhost ~]# ls docker-compose-bin.tar.gz
docker-compose-bin.tar.gz
[root@localhost ~]# tar -zxf docker-compose-bin.tar.gz
[root@localhost ~]# ls
docker-compose docker-compose-bin.tar.gz harbor-offline-installer-v1.9.0.tgz registry-2.5.tar registry-latest.tar
[root@localhost ~]# chmod +x docker-compose
[root@localhost ~]# mv docker-compose /usr/local/bin/
[root@localhost ~]# ls /usr/local/bin/docker-compose
/usr/local/bin/docker-compose
Alternatively, download it as follows:
[root@localhost ~]# curl -L https://github.com/docker/compose/releases/download/1.21.0/docker-compose-$(uname -s)-$(uname -m) -o /root/docker-compose
[root@localhost ~]# docker-compose -v
docker-compose version 1.21.0, build 5920eb0
3. Extract the harbor package and create a self-signed TLS certificate in the harbor directory
[root@localhost ~]# tar -zxf harbor-offline-installer-v1.9.0.tgz
[root@localhost ~]# ls
docker-compose-bin.tar.gz harbor harbor-offline-installer-v1.9.0.tgz
[root@localhost ~]# cd harbor
[root@localhost harbor]# mkdir ssl
[root@localhost harbor]# ls
harbor.v1.9.0.tar.gz harbor.yml install.sh LICENSE prepare ssl
[root@localhost harbor]# cd ssl/
[root@localhost ssl]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
> -x509 -days 365 -out ca.crt # press Enter
Generating a 4096 bit RSA private key
.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++
...................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:shi
Email Address []:
[root@localhost ssl]# ls
ca.crt ca.key
[root@localhost ssl]# # reg.shi.com below is the domain name chosen for the registry
[root@localhost ssl]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout reg.shi.com.key \
> -out reg.shi.com.csr # press Enter
Generating a 4096 bit RSA private key
....++
.....................++
writing new private key to 'reg.shi.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:reg.shi.com # the domain name used to reach harbor
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # no password set here; one may be set
An optional company name []:
[root@localhost ssl]# ls
ca.crt ca.key reg.shi.com.csr reg.shi.com.key
Issue the server certificate with the CA:
[root@localhost ssl]# openssl x509 -req -days 365 -in reg.shi.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out reg.shi.com.crt # press Enter
Signature ok
subject=/C=CN/L=beijing/O=Default Company Ltd/CN=reg.shi.com
Getting CA Private Key
[root@localhost ssl]# ls
ca.crt ca.key ca.srl reg.shi.com.crt reg.shi.com.csr reg.shi.com.key
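The certificate steps above as a non-interactive script. This is an added example, not part of the original post or the Harbor project: it reproduces the CA and the server certificate with -subj instead of the interactive prompts, adds a subjectAltName extension (Docker clients built with Go 1.15 or later ignore the CN and reject a server certificate that has no SAN), and then verifies the result the way an operator should before pointing harbor.yml at the files. The extension file name, the CA's CN "harbor-ca" and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: non-interactive CA + server certificate for a Harbor registry,
# followed by a verification step. File names match the page (ca.key, ca.crt,
# <host>.key/.csr/.crt); the SAN extension and the checks are additions.
set -eu

# make_harbor_certs <out_dir> <registry_host>
# Creates a self-signed CA and a server certificate for <registry_host>
# signed by that CA. -nodes leaves the keys unencrypted, as on the page.
make_harbor_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # CA certificate, self-signed, valid 365 days (CN is an assumption)
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/ca.key" \
    -x509 -days 365 -out "$dir/ca.crt" \
    -subj "/C=CN/L=beijing/CN=harbor-ca" 2>/dev/null
  # Server key and CSR; CN is the registry host name
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/$host.key" \
    -out "$dir/$host.csr" -subj "/C=CN/L=beijing/CN=$host" 2>/dev/null
  # Extension file: SAN with the DNS name, and serverAuth usage
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/$host.ext"
  # Issue the server certificate with the CA (creates ca.srl as on the page)
  openssl x509 -req -days 365 -in "$dir/$host.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# verify_harbor_certs <dir> <registry_host>
# Returns 0 only if the chain validates against ca.crt (1 otherwise), the
# private key matches the certificate (2) and the SAN covers the host (3).
verify_harbor_certs() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/$host.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/$host.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || return 2
  # -text works on old (1.0.2) and new OpenSSL alike; -ext would not
  openssl x509 -noout -text -in "$dir/$host.crt" | grep -q "DNS:$host" || return 3
  return 0
}

# Usage: make_harbor_certs /root/harbor/ssl reg.shi.com && verify_harbor_certs /root/harbor/ssl reg.shi.com
```

Run with the registry name you put in harbor.yml; a non-zero return from verify_harbor_certs tells you which of the three checks failed before nginx ever loads the files.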
4. Configure harbor and point it at the certificate files
[root@localhost ssl]# cd /root/harbor/
[root@localhost harbor]# ls
harbor.v1.9.0.tar.gz harbor.yml install.sh LICENSE prepare ssl
[root@localhost harbor]# vim harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: reg.shi.com # the domain name used to reach harbor

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https: # uncommented
  # https port for harbor, default is 443
  port: 443 # uncommented
  # The path of cert and key files for nginx
  certificate: /root/harbor/ssl/reg.shi.com.crt # uncommented and changed
  private_key: /root/harbor/ssl/reg.shi.com.key # uncommented and changed

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.9.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair
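The harbor.yml above carries two warnings in its own comments (change harbor_admin_password after install, change database.password before production use) and the post relies on the https block being uncommented with readable certificate files. The following pre-install check is an added example, not part of the original post or the Harbor project; it reads the active (uncommented) values with sed, which is enough for harbor.yml's flat "key: value" lines but is not a general YAML parser. Function names and the exit-code convention are assumptions for this example.

```shell
#!/bin/sh
# Added example: pre-install check of harbor.yml against the warnings the file
# itself contains. Returns the number of findings; 0 means nothing to fix.
set -eu

# yml_value <file> <key>: first active (uncommented) "<key>: value" line,
# with any trailing "# comment" removed. Commented-out lines start with '#'
# and therefore never match.
yml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# harbor_yml_preflight <harbor.yml>: prints one line per finding.
harbor_yml_preflight() {
  f="$1"; n=0
  host=$(yml_value "$f" hostname)
  case "$host" in
    ""|localhost|127.0.0.1)
      echo "hostname must be an externally reachable name, got '$host'"; n=$((n+1)) ;;
  esac
  if grep -q '^https:' "$f"; then
    # https is active: both nginx file paths must exist and be readable
    for k in certificate private_key; do
      p=$(yml_value "$f" "$k")
      [ -n "$p" ] && [ -r "$p" ] || { echo "https.$k is unset or unreadable: '$p'"; n=$((n+1)); }
    done
  else
    echo "https block is commented out: UI and registry would be served over plain HTTP"; n=$((n+1))
  fi
  # defaults shipped in harbor.yml, flagged by the file's own comments
  [ "$(yml_value "$f" harbor_admin_password)" != "Harbor12345" ] \
    || { echo "harbor_admin_password still has the shipped default"; n=$((n+1)); }
  [ "$(yml_value "$f" password)" != "root123" ] \
    || { echo "database.password still has the shipped default"; n=$((n+1)); }
  return $n
}

# Usage: harbor_yml_preflight /root/harbor/harbor.yml; echo "findings: $?"
```

Run it before ./prepare; with the file exactly as shown above it reports the two default passwords, which is the state the post itself tells you to correct after the first login.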
[root@localhost harbor]# ls
common docker-compose.yml harbor.v1.9.0.tar.gz harbor.yml harbor.yml.bak harbor.yml_bak2 install.sh LICENSE prepare ssl
[root@localhost harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5. Run the scripts; docker-compose is invoked automatically to start the harbor service and its dependent services
[root@localhost harbor]# ./prepare # preparation script: checks the environment and generates the component configs
prepare base dir is set to /root/harbor
Unable to find image 'goharbor/prepare:v1.9.0' locally
v1.9.0: Pulling from goharbor/prepare
a1fd40743af1: Pull complete
2abd879a065c: Pull complete
97e2250cf3db: Pull complete
4aa32a250145: Pull complete
a9edf7ed2d3d: Pull complete
9960c7e0f209: Pull complete
c3f6c5fd4eca: Pull complete
Digest: sha256:3ab709e7f62dac42b729535a13a7fba6fed92071bab75b5ba7f1bb26a59db20f
Status: Downloaded newer image for goharbor/prepare:v1.9.0
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@localhost harbor]# ./install.sh # after the environment check, run the installer; it pulls the images and starts the containers automatically (the images can also be saved in advance and loaded)
[root@localhost harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/chartmuseum-photon v0.9.0-v1.9.0 00c12627cbd7 2 weeks ago 131MB
goharbor/harbor-migrator v1.9.0 75d4de5e0f16 2 weeks ago 362MB
goharbor/redis-photon v1.9.0 3249afaa9965 2 weeks ago 109MB
goharbor/clair-photon v2.0.9-v1.9.0 e54ad567c58f 2 weeks ago 165MB
goharbor/notary-server-photon v0.6.1-v1.9.0 2cdecba59f38 2 weeks ago 138MB
goharbor/notary-signer-photon v0.6.1-v1.9.0 973378593def 2 weeks ago 135MB
goharbor/harbor-registryctl v1.9.0 30a01bf0f4df 2 weeks ago 99.6MB
goharbor/registry-photon v2.7.1-patch-2819-v1.9.0 32571099a9fe 2 weeks ago 82.3MB
goharbor/nginx-photon v1.9.0 f933d62f9952 2 weeks ago 43.9MB
goharbor/harbor-log v1.9.0 28e27d511335 2 weeks ago 82.6MB
goharbor/harbor-jobservice v1.9.0 f3cd0b181a89 2 weeks ago 141MB
goharbor/harbor-core v1.9.0 f2814ed8aadd 2 weeks ago 155MB
goharbor/harbor-portal v1.9.0 0778d4c5d27e 2 weeks ago 51.3MB
goharbor/harbor-db v1.9.0 a809e14d2d49 2 weeks ago 147MB
goharbor/prepare v1.9.0 aa594772c1e8 2 weeks ago 147MB
[root@localhost harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33bc18f4f152 goharbor/nginx-photon:v1.9.0 "nginx -g 'daemon of…" 50 seconds ago Up 49 seconds (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp nginx
b487528a3d92 goharbor/harbor-jobservice:v1.9.0 "/harbor/harbor_jobs…" 50 seconds ago Up 49 seconds (healthy) harbor-jobservice
4c7630c1a178 goharbor/harbor-core:v1.9.0 "/harbor/harbor_core" 51 seconds ago Up 50 seconds (healthy) harbor-core
2c8cbf031870 goharbor/redis-photon:v1.9.0 "redis-server /etc/r…" 53 seconds ago Up 52 seconds (healthy) 6379/tcp redis
9b659672834a goharbor/harbor-portal:v1.9.0 "nginx -g 'daemon of…" 53 seconds ago Up 51 seconds (healthy) 8080/tcp harbor-portal
c66b9fcbe1c1 goharbor/registry-photon:v2.7.1-patch-2819-v1.9.0 "/entrypoint.sh /etc…" 53 seconds ago Up 51 seconds (healthy) 5000/tcp registry
31ae0b26fd58 goharbor/harbor-db:v1.9.0 "/docker-entrypoint.…" 53 seconds ago Up 52 seconds (healthy) 5432/tcp harbor-db
09377d66f034 goharbor/harbor-registryctl:v1.9.0 "/harbor/start.sh" 53 seconds ago Up 52 seconds (healthy) registryctl
c3f5abfbfa1b goharbor/harbor-log:v1.9.0 "/bin/sh -c /usr/loc…" 55 seconds ago Up 53 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log
6. Configure hosts resolution on Windows:
192.168.171.128 reg.shi.com # address used to reach harbor
7. Open the harbor domain in a browser and log in through the web UI: https://reg.shi.com
Enter the username (default admin) and the password set in the configuration file, Harbor12345; after logging in it looks as follows:
Create a project:
Click "New Project", as follows:
Leave "Public" unchecked for a private project, or check it to make the project public; click OK, as follows:
Create a user to manage the project:
Click "Users", as follows:
Click "New User", as follows:
Set the password xxQQ2011 and click OK; the credentials are shi/xxQQ2011, as follows:
Give the private project to the new user so that the user has rights on the project's repositories, as follows:
Click "Projects", select the project test_private, then "Members", "User", pick the user shi, set the role, and click OK, as follows:
Click the user, as follows:
Click OK, as follows:
8. Test command-line login with both users, admin and shi:
[root@localhost harbor]# cat /etc/docker/daemon.json
{ "insecure-registries":["http://192.168.171.128","https://reg.shi.com"]}
[root@localhost harbor]# docker login reg.shi.com # or https://reg.shi.com
Username: admin
Password: # enter the password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost harbor]# docker logout reg.shi.com
Removing login credentials for reg.shi.com
[root@localhost harbor]# docker login reg.shi.com
Username: shi
Password: # enter the password: xxQQ2011
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost harbor]# docker logout reg.shi.com # or https://reg.shi.com
Removing login credentials for reg.shi.com
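The daemon.json shown above lists reg.shi.com under insecure-registries. With that setting the Docker daemon accepts the registry over plain HTTP and skips TLS certificate verification, so the self-signed certificate from step 3 protects nothing on the client side. Because the post created its own CA, the client can trust that CA instead: Docker reads /etc/docker/certs.d/<registry-host>/ca.crt when it connects to <registry-host>, and the insecure-registries entry can then be dropped. The two functions below are an added example, not part of the original post or of Docker; the <root> argument exists only so they can be exercised against a scratch directory, and the daemon.json parsing is a minimal sed extraction of the insecure-registries array, not a JSON parser.

```shell
#!/bin/sh
# Added example: trust the registry's CA on a Docker client host and audit
# daemon.json for insecure-registries entries.
set -eu

# install_registry_ca <root> <registry-host> <ca.crt>
# Copies the CA certificate to <root>/etc/docker/certs.d/<registry-host>/ca.crt.
# Use "/" as <root> on a real host; the daemon reads the directory on each
# registry connection, so no restart is needed.
install_registry_ca() {
  dest="$1/etc/docker/certs.d/$2"
  mkdir -p "$dest"
  cp "$3" "$dest/ca.crt"
  chmod 0644 "$dest/ca.crt"
}

# insecure_registries <daemon.json>
# Prints each entry of "insecure-registries", one per line, and returns 1 if
# the list is non-empty (those registries are used without TLS verification);
# returns 0 and prints nothing when the key is absent or empty.
insecure_registries() {
  entries=$(tr -d '\n' < "$1" \
    | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
    | tr ',' '\n' | sed 's/[[:space:]]*"\([^"]*\)".*/\1/' | sed '/^$/d')
  [ -z "$entries" ] && return 0
  echo "$entries"
  return 1
}

# Usage on the client host (assumed paths, ca.crt copied from the harbor server):
#   install_registry_ca / reg.shi.com /root/harbor/ssl/ca.crt
#   insecure_registries /etc/docker/daemon.json || echo "remove these entries and restart docker"
```

After installing the CA and removing the entry, `docker login reg.shi.com` must still succeed; if it fails with a certificate error, the certificate's CN or SAN does not match reg.shi.com or the ca.crt copied is not the one that signed it.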
9. Push an image to harbor from the command line
[root@localhost harbor]# docker pull centos
[root@localhost harbor]# docker images |grep centos
centos latest 0f3e07c0138f 8 hours ago 220MB
[root@localhost harbor]# docker tag centos:latest reg.shi.com/test_private/centos:v2
[root@localhost harbor]# docker images |grep centos
centos latest 0f3e07c0138f 8 hours ago 220MB
reg.shi.com/test_private/centos v2 0f3e07c0138f 8 hours ago 220MB
[root@localhost harbor]# docker login reg.shi.com
Username: shi
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost harbor]# docker push reg.shi.com/test_private/centos:v2 # push
The push refers to repository [reg.shi.com/test_private/centos]
9e607bb861a7: Pushed
v2: digest: sha256:6ab380c5a5acf71c1b6660d645d2cd79cc8ce91b38e0352cbf9561e050427baf size: 529
Log in to the web UI and check; the image has been pushed, as follows:
Click on it to view the details, as follows:
10. Delete the local centos images
[root@localhost harbor]# docker rmi centos reg.shi.com/test_private/centos:v2
[root@localhost harbor]# docker images |grep centos
(empty)
11. Pull the image from the registry:
[root@localhost harbor]# docker pull reg.shi.com/test_private/centos:v2 # pull the remote image (log in first)
[root@localhost harbor]# docker images |grep centos
reg.shi.com/test_private/centos v2 0f3e07c0138f 8 hours ago 220MB
Additional note: images in the remote registry can also be deleted through the web UI, as follows:
Click "Delete", as follows: