Private Registry: Harbor
I. Overview
Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with the features an enterprise needs, such as security, identity and management. As an enterprise private Registry server, Harbor offers better performance and security, and makes it more efficient for users to move images between the build and runtime environments that rely on the Registry. Harbor can replicate image resources across multiple Registry nodes while keeping every image inside the private Registry, so data and intellectual property stay under control within the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
II. Features
1. Role-based access control: users and Docker image repositories are organized through "projects"; one user can hold different permissions on multiple image repositories within the same namespace (project).
2. Image replication: images can be replicated (synchronized) between multiple Registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
3. Graphical user interface: users can browse and search the current Docker image repositories and manage projects and namespaces from a browser.
4. AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for authentication and authorization management.
5. Audit management: every operation on the image repositories can be recorded and traced for auditing.
6. Internationalization: localized versions already exist in English, Chinese, German, Japanese and Russian, and more languages will be added.
7. RESTful API: the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
8. Simple deployment: online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).
III. Harbor repository structure
Harbor is made up of roughly the following containers:
- ui: Harbor's core service
- log: a container running rsyslog that collects the logs
- mysql: the database container, built from the official mysql image
- nginx: nginx acting as the reverse proxy
- registry: the official Docker registry
- adminserver: Harbor's configuration data manager
- jobservice: Harbor's job management service
- redis: session storage
IV. Deploying Harbor
1. Environment preparation
Software: harbor-offline-installer-v1.2.2.tgz
Harbor: 192.168.245.209
Verification host: 192.168.245.210
Note: all of Harbor's service components run in Docker, so the official installer uses Docker Compose for a quick deployment; we therefore need Docker and Docker Compose installed. Because Harbor is built on Docker Registry V2, the Docker version must be at least 1.10.0 and the Docker Compose version at least 1.6.0.
Place docker-compose in /usr/local/bin/ and make it executable:
[root@localhost ~]# cd /usr/local/bin/
[root@localhost bin]# chmod +x docker-compose
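It is worth checking the two version floors just stated by script rather than by eye: the Docker version seen later in this post (19.03.13) sorts before 1.10.0 if compared as a string, so a naive check gets it wrong. The script below is an added example written for this page, not part of the original post or of Harbor; the minimum versions come from the text above and the helper names are ours.

```shell
#!/bin/sh
# Added example for this page (not from the original post or from Harbor):
# pre-flight check of the Docker / Docker Compose versions that Harbor needs.
# The minimums come from the text above; the helper names are ours.

DOCKER_MIN="1.10.0"
COMPOSE_MIN="1.6.0"

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Fields are compared as numbers, so 19.03.13 > 1.10.0 and 1.10.0 > 1.9.1,
# both of which a plain string comparison gets wrong.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        # Drop suffixes such as "-ce" or "+build"; a missing field counts as 0.
        fa="$(printf '%s' "$fa" | sed 's/[^0-9].*//')"
        fb="$(printf '%s' "$fb" | sed 's/[^0-9].*//')"
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
        # Advance to the next field, or to "" once a side runs out of fields.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# extract_version "Docker version 19.03.13, build 4484c46d9d" -> 19.03.13
# Takes the first dotted number in a tool's --version output.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# check_tool NAME MIN VERSION_OUTPUT: print a verdict and return 0 (ok) or 1.
check_tool() {
    have="$(extract_version "$3")"
    if [ -z "$have" ]; then
        echo "$1: could not parse a version from: $3"
        return 1
    fi
    if version_ge "$have" "$2"; then
        echo "$1 $have: ok (need >= $2)"
        return 0
    fi
    echo "$1 $have: too old (need >= $2)"
    return 1
}

# preflight: run both checks against the installed tools; returns 1 if either
# tool is missing or too old. Safe to run on a machine without Docker.
preflight() {
    status=0
    if command -v docker >/dev/null 2>&1; then
        check_tool docker "$DOCKER_MIN" "$(docker --version 2>/dev/null)" || status=1
    else
        echo "docker: not installed"; status=1
    fi
    if command -v docker-compose >/dev/null 2>&1; then
        check_tool docker-compose "$COMPOSE_MIN" "$(docker-compose --version 2>/dev/null)" || status=1
    else
        echo "docker-compose: not installed"; status=1
    fi
    return $status
}

# Report on the current machine; the exit status of preflight is 0 only when both tools pass.
preflight || true
```

Run it as `sh preflight.sh` on the Harbor host and on every client before installing; `version_ge` can be reused on its own wherever a shell script needs to compare dotted versions.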
2. Installing Harbor
[root@harbor ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common docker-compose.notary.yml harbor_1_1_0_template harbor.v1.2.2.tar.gz LICENSE prepare
docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh NOTICE upgrade
[root@harbor harbor]#
3. Modifying the configuration file
[root@harbor harbor]# vim harbor.cfg
hostname = 192.168.245.209
// hostname sets the access address; an IP or a domain name may be used, but it must not be set to 127.0.0.1 or localhost
4. Starting Harbor
After editing the configuration file, run ./install.sh in the current directory. Harbor then pulls the images it depends on according to the docker-compose.yml in that directory, checks them, and starts each service in order.
[root@harbor harbor]# sh install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.13
Note: docker-compose version: 1.21.1
……
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registry ... done
Creating harbor-adminserver ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.245.209.
For more details, please visit https://github.com/vmware/harbor .
All of Harbor's services should be in the Up state:
[root@harbor harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0cc23da70eee vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" 2 minutes ago Up 2 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
f261f9d42963 vmware/harbor-jobservice:v1.2.2 "/harbor/harbor_jobs…" 2 minutes ago Up 2 minutes harbor-jobservice
053a2d713176 vmware/harbor-ui:v1.2.2 "/harbor/harbor_ui" 2 minutes ago Up 2 minutes harbor-ui
cf14e259e502 vmware/registry:2.6.2-photon "/entrypoint.sh serv…" 2 minutes ago Up 2 minutes 5000/tcp registry
ada21113ee19 vmware/harbor-adminserver:v1.2.2 "/harbor/harbor_admi…" 2 minutes ago Up 2 minutes harbor-adminserver
ff078a1d03d0 vmware/harbor-db:v1.2.2 "docker-entrypoint.s…" 2 minutes ago Up 2 minutes 3306/tcp harbor-db
efca0ac37509 vmware/harbor-log:v1.2.2 "/bin/sh -c 'crond &…" 2 minutes ago Up 2 minutes 127.0.0.1:1514->514/tcp harbor-log
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-log v1.2.2 36ef78ae27df 2 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 2 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 2 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 2 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 2 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 2 years ago 144MB
vmware/registry 2.6.2-photon 5d9100e4350e 3 years ago 173MB
vmware/postgresql 9.6.4-photon c562762cbd12 3 years ago 225MB
vmware/clair v2.0.1-photon f04966b4af6c 3 years ago 297MB
vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 3 years ago 324MB
vmware/notary-photon signer-0.5.0 b1eda7d10640 3 years ago 156MB
vmware/notary-photon server-0.5.0 6e2646682e3c 3 years ago 157MB
photon 1.0 e6e4e4a2ba1b 4 years ago 128MB
[root@harbor harbor]#
If Harbor cannot be reached at this point, restart Docker and then bring the services up again:
[root@harbor harbor]# systemctl restart docker
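Rather than reading the docker ps table by hand each time, the "all services Up" condition can be checked by script. The following is an added example for this page, not code from the original post or from Harbor: it takes the container names from the docker ps output above and compares them against `docker ps -a --format '{{.Names}} {{.Status}}'`. The sample status lines embedded in it are constructed from that output, with harbor-db deliberately shown as exited.

```shell
#!/bin/sh
# Added example for this page (not from the original post or from Harbor):
# verify that every Harbor container is in the "Up" state.
# Container names are taken from the docker ps output in this post.
HARBOR_SERVICES="nginx harbor-jobservice harbor-ui registry harbor-adminserver harbor-db harbor-log"

# check_services_up "<lines>": each input line is "<name> <status...>", the shape
# produced by: docker ps -a --format '{{.Names}} {{.Status}}'.
# Prints one verdict per service and returns 1 if any service is missing or not Up.
check_services_up() {
    ps_lines="$1"
    rc=0
    for svc in $HARBOR_SERVICES; do
        # Status text for this exact container name (exact match on field 1, so
        # "nginx" does not also match a container called "harbor-nginx" or similar).
        status="$(printf '%s\n' "$ps_lines" | awk -v n="$svc" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }')"
        if [ -z "$status" ]; then
            echo "$svc: MISSING"; rc=1
        else
            case "$status" in
                Up*) echo "$svc: ok ($status)" ;;
                *)   echo "$svc: NOT UP ($status)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# harbor_health: run the check against the local Docker daemon.
harbor_health() {
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not found"; return 1
    fi
    check_services_up "$(docker ps -a --format '{{.Names}} {{.Status}}')"
}

# Constructed sample (from the docker ps output above) with harbor-db exited,
# the kind of state the restart advice above is meant to fix.
SAMPLE_PS='nginx Up 2 minutes
harbor-jobservice Up 2 minutes
harbor-ui Up 2 minutes
registry Up 2 minutes
harbor-adminserver Up 2 minutes
harbor-db Exited (1) 30 seconds ago
harbor-log Up 2 minutes'

# Demo on the constructed sample; on a Harbor host call harbor_health instead.
check_services_up "$SAMPLE_PS" || true
```

On the Harbor host, `harbor_health` returns non-zero when anything is down, which makes it usable from cron or a monitoring agent as well as interactively.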
5. Logging in to Harbor
Verify from a real machine: opening http://192.168.245.209 should show the login page.
Because Harbor's web service uses port 80 on the host, entering the host's IP address directly in the browser reaches the Harbor web management page.
The account is admin and the password is the value of harbor_admin_password set earlier (the default is Harbor12345; the default should be changed after the first login).
6. Creating a project
7. Pushing an image to the private registry
Log in to the Harbor server as the administrator:
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
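The two WARNING lines above are worth acting on. A password given with -p is visible in the shell history and in the process list, and after login it is stored base64-encoded (not encrypted) in /root/.docker/config.json, so anyone who can read that file recovers admin:Harbor12345 directly. The following added example, written for this page and not part of the original post or of Harbor, logs in with --password-stdin instead and audits a config.json for registries whose credentials are stored that way; the sample config.json is constructed to mirror the login above, and the helper names are ours.

```shell
#!/bin/sh
# Added example for this page (not from the original post or from Harbor):
# log in without the password on the command line, and list the registries whose
# credentials sit base64-encoded in a Docker config.json.

# harbor_login REGISTRY USER: read the password from $HARBOR_PASSWORD (if set)
# and pass it on stdin, so it never appears in shell history or `ps` output;
# otherwise let docker prompt for it interactively.
harbor_login() {
    registry="$1" user="$2"
    if [ -n "$HARBOR_PASSWORD" ]; then
        printf '%s' "$HARBOR_PASSWORD" | docker login -u "$user" --password-stdin "$registry"
    else
        docker login -u "$user" "$registry"
    fi
}

# list_stored_auths CONFIG_FILE: print "<registry> <username>" for every registry
# whose credentials are stored as a base64 "auth" value in the given config.json.
# Only the username is decoded; the password is never printed.
# Handles the layout docker login writes: {"auths":{"<host>":{"auth":"<b64>"}}}.
list_stored_auths() {
    tr -d ' \n\r\t' < "$1" | awk '{
        s = $0
        # Each match is "<host>":{"auth":"<b64>"; splitting on the quote
        # character leaves the host in parts[2] and the base64 value in parts[6].
        while (match(s, /"[^"]+":[{]"auth":"[^"]*"/)) {
            entry = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            n = split(entry, parts, "\"")
            if (n >= 6) print parts[2], parts[6]
        }
    }' | while read -r host b64; do
        # The value is base64("user:password"); keep only the user part.
        user="$(printf '%s' "$b64" | base64 -d 2>/dev/null | cut -d: -f1)"
        echo "$host ${user:-<undecodable>}"
    done
}

# write_sample_config PATH: constructed config.json in the shape docker login
# leaves behind after the session above (YWRtaW46SGFyYm9yMTIzNDU= is
# base64("admin:Harbor12345")); the second registry uses a credential helper
# and therefore stores nothing in the file.
write_sample_config() {
cat > "$1" <<'EOF'
{
  "auths": {
    "192.168.245.209": {
      "auth": "YWRtaW46SGFyYm9yMTIzNDU="
    },
    "127.0.0.1": {}
  },
  "credHelpers": {
    "127.0.0.1": "pass"
  }
}
EOF
}

# Demo on the constructed file; on a real host audit ~/.docker/config.json.
demo_file="$(mktemp)"
write_sample_config "$demo_file"
list_stored_auths "$demo_file"   # prints: 192.168.245.209 admin
rm -f "$demo_file"
```

Running `list_stored_auths ~/.docker/config.json` on every host that has logged in to Harbor shows where the admin credential is lying around; the fix the warning points at is a credential helper (the credHelpers entry in the sample), after which `docker logout` and a password rotation remove the plaintext copies.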
Pull an nginx image and re-tag it with the name 127.0.0.1/sheng/nginx and the tag v1:
[root@harbor harbor]# docker pull nginx
[root@harbor harbor]# docker tag nginx:latest 127.0.0.1/sheng/nginx:v1
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1/sheng/nginx v1 7e4d58f0e5f3 13 days ago 133MB
nginx latest 7e4d58f0e5f3 13 days ago 133MB
Push the image:
[root@harbor harbor]# docker push 127.0.0.1/sheng/nginx
The push refers to repository [127.0.0.1/sheng/nginx]
908cf8238301: Pushed
eabfa4cd2d12: Pushed
60c688e8765e: Pushed
f431d0917d41: Pushed
07cab4339852: Pushed
v1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
On the web page, the sheng project now contains the nginx image we just pushed.
8. Pushing an image from another host
On the verification host, log in to the private registry as the administrator:
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.245.209
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.245.209/v2/: dial tcp 192.168.245.209:443: connect: connection refused
[root@localhost ~]#
The client tried HTTPS on port 443, where nothing is listening on the Harbor host (Harbor is served over plain HTTP on port 80 here), so the Docker daemon on the client has to be told to treat 192.168.245.209 as an insecure registry; this disables TLS for that registry and is only appropriate in a lab setup. There are two ways to configure it.
Solution:
Method 1: add --insecure-registry to the dockerd command line in the systemd unit
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.245.209 --containerd=/run/containerd/containerd.sock
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
Method 2: list the registry in /etc/docker/daemon.json
[root@docker ~]# vim /etc/docker/daemon.json
{
"insecure-registries": ["192.168.245.209"]
}
The entry must match the registry address exactly as the client writes it (host, plus a port only if the client uses one); Harbor is reached on port 80 here, so no port is appended. Restart Docker:
[root@docker ~]# systemctl restart docker
Log in again:
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.245.209
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
First pull an image locally:
[root@localhost ~]# docker pull centos:7
7: Pulling from library/centos
75f829a71a1c: Pull complete
Digest: sha256:19a79828ca2e505eaee0ff38c2f3fd9901f4826737295157cc5212b7a372cd2b
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
Re-tag the image:
[root@localhost ~]# docker tag centos:7 192.168.245.209/sheng/centos7:v1
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.245.209/sheng/centos7 v1 7e6257c9f8d8 6 weeks ago 203MB
centos 7 7e6257c9f8d8 6 weeks ago 203MB
Push it to the private registry:
[root@localhost ~]# docker push 192.168.245.209/sheng/centos7
The push refers to repository [192.168.245.209/sheng/centos7]
613be09ab3c0: Pushed
v1: digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9 size: 529
[root@localhost ~]#
Verify on the web page that a centos7 image has been added.
9. Pulling an image
Pull this image on the Harbor server (a different host from the one that pushed it); because the private registry is local there, use the loopback address:
[root@harbor harbor]# docker pull 127.0.0.1/sheng/centos7:v1
v1: Pulling from sheng/centos7
75f829a71a1c: Pull complete
Digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9
Status: Downloaded newer image for 127.0.0.1/sheng/centos7:v1
127.0.0.1/sheng/centos7:v1
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1/sheng/nginx v1 7e4d58f0e5f3 13 days ago 133MB
nginx latest 7e4d58f0e5f3 13 days ago 133MB
127.0.0.1/sheng/centos7 v1 7e6257c9f8d8 6 weeks ago 203MB
10. Creating a user
On the web page, create a developer user zhangsan with the password Harbor12345 for the project.
On the host, log in as zhangsan; first log out of the administrator session:
[root@localhost ~]# docker logout 192.168.245.209
Removing login credentials for 192.168.245.209
[root@localhost ~]# docker login 192.168.245.209
Username: zhangsan
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
11. Deleting an image
Note: this deletes only the local copy of the image; the copy in the registry is not affected:
[root@localhost ~]# docker rmi 192.168.245.209/sheng/centos7:v1
Untagged: 192.168.245.209/sheng/centos7:v1
Untagged: 192.168.245.209/sheng/centos7@sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9
[root@localhost ~]#
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos 7 7e6257c9f8d8 6 weeks ago 203MB
12. Stopping and starting
[root@harbor harbor]# docker-compose down -v // -v: when stopping the containers, also remove the volumes declared in the compose file and the anonymous volumes attached to the containers
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping registry ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing registry ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[root@harbor harbor]# docker-compose up -d // run the service containers in the background as daemons
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-adminserver ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating nginx ... done
Creating harbor-jobservice ... done
Note: once a project is set to public, anyone has read access to the images in that project; command-line users can pull images from it without running "docker login".
If Harbor's configuration file harbor.cfg needs to be modified, then, because Harbor is orchestrated with docker-compose, we can use the docker-compose commands to restart Harbor.