Learning Docker: Harbor, an Enterprise-Grade Private Docker Registry

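An earlier post gave a brief introduction to using Docker Registry, but in a real production environment a bare Docker Registry cannot be managed effectively. The vendor offers a paid version of Registry, and the community has the open-source Harbor.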

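I. Introduction to Harbor

Harbor is an enterprise-grade registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and it improves the efficiency of transferring images between the registry and the build and runtime environments. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.

1. Role-based access control: users and Docker image repositories are organized through "projects", and a user can have different permissions on different image repositories within the same namespace (project).

2. Image replication: images can be replicated (synchronized) between multiple registry instances. This is especially suited to load balancing, high availability, hybrid-cloud and multi-cloud scenarios.

3. Graphical user interface: users can browse and search the current Docker image repositories from a browser and manage projects and namespaces.

4. AD/LDAP support: Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorization management.

5. Audit management: all operations against the image repositories are recorded and traceable, for auditing purposes.

6. Internationalization: localized versions exist for English, Chinese, German, Japanese and Russian, and more languages will be added.

7. RESTful API: the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.

8. Simple deployment: online and offline installers are provided, and Harbor can also be installed as a virtual appliance on vSphere (OVA).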

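II. Harbor Registry Architecture

1. Containers that make up Harbor

Harbor is made up of roughly the following containers:
ui: Harbor's core service
log: a container running rsyslog that collects logs
mysql: the database container, built from the official mysql image
nginx: the reverse proxy, using nginx
registry: the official Docker registry
adminserver: Harbor's configuration data manager
jobservice: Harbor's job management service
redis: stores sessions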

2. Harbor components


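1) External components Harbor depends on
Nginx (the proxy layer): the Nginx front-end proxy, mainly used to route front-end UI access and image upload and download traffic. Harbor's registry, UI, token and other services sit behind a single reverse proxy that receives requests from browsers and Docker clients and forwards them to the appropriate back-end service.

Registry v2: the image registry, responsible for storing image files. This is the official Docker registry; it stores Docker images and handles docker push/pull commands. Because access control is applied to users, meaning that different users have different read and write permissions on Docker images, the Registry points to a single token service and requires every docker pull/push request to carry a valid token. The Registry verifies the token's signature with the public key.

Database (MySQL or PostgreSQL): provides database services to the core services and stores user permissions, audit logs, Docker image grouping information and other data.

2) Harbor's own components
Core services (Admin Server): Harbor's core functionality, which mainly provides the following services:

  • UI: a graphical interface that helps users manage the images on the registry and grant permissions to users.
  • webhook: to learn promptly about changes in the state of images on the registry, a webhook is configured on the Registry to pass state changes to the UI module.
  • Auth service: issues a token for each docker push/pull command according to the user's permissions. A request from a Docker client to the Registry that carries no token is redirected here; after obtaining a token, the client sends the request to the Registry again.
  • API: provides the Harbor RESTful API.

Replication Job Service: provides image synchronization between multiple Harbor instances.

Log collector: collects the logs of the other components to help monitor Harbor and for later analysis.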
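
The token flow described above (the Auth service issues a token according to the user's permissions, and the Registry checks it with the public key), as an added example that is not Harbor's code or part of the original post. The toy RSA key, the issuer and audience names and the function names are assumptions made for the demo; expiry checks are left out.

```python
import base64, hashlib, json

# Toy RSA key built from two Mersenne primes: constructed for this demo and
# trivially factorable. Harbor's installer generates the real key pair.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                       # modulus length in bytes
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pkcs1_encode(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), the RS256 padding."""
    t = SHA256_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue_token(role_actions, repo, requested):
    """Auth service: grant only what the role allows, sign with the private key."""
    granted = [a for a in requested if a in role_actions]
    claims = {"iss": "example-issuer", "aud": "example-registry",  # assumed names
              "access": [{"type": "repository", "name": repo, "actions": granted}]}
    signing_input = ".".join(b64u(json.dumps(part).encode())
                             for part in ({"alg": "RS256", "typ": "JWT"}, claims))
    sig = pow(int.from_bytes(pkcs1_encode(signing_input.encode()), "big"), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def registry_allows(token, repo, action):
    """Registry: check the signature with the public key (N, E), then the scope."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "RS256":
            return False                             # refuse unsigned or HMAC tokens
        recovered = pow(int.from_bytes(b64u_dec(sig), "big"), E, N)
        if recovered.to_bytes(K, "big") != pkcs1_encode(f"{head}.{body}".encode()):
            return False                             # claims or signature altered
        access = json.loads(b64u_dec(body)).get("access", [])
    except (ValueError, AttributeError):
        return False
    return any(e["type"] == "repository" and e["name"] == repo
               and action in e["actions"] for e in access)

def with_extra_action(token, action):
    """Re-encode the claims with one more action but keep the old signature."""
    head, body, sig = token.split(".")
    claims = json.loads(b64u_dec(body))
    claims["access"][0]["actions"].append(action)
    return ".".join([head, b64u(json.dumps(claims).encode()), sig])
```

A token issued to a pull-only role passes `registry_allows` for pull and fails for push, and the output of `with_extra_action` is rejected because the signature no longer covers the claims.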

III. Deploying Harbor

1. Install Docker
[root@harbor ~]# yum install -y yum-utils
[root@harbor ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@harbor ~]# yum install -y docker-ce

Start the service

[root@harbor ~]# systemctl start docker
[root@harbor ~]# systemctl enable docker
[root@harbor ~]# systemctl status docker

2. Install docker-compose

Every Harbor component is built as a Docker container, so Docker Compose is used to deploy and manage it.
The docker-compose releases are on GitHub at https://github.com/docker/compose/releases; I downloaded version 1.25 here.

[root@harbor ~]# curl -L https://github.com/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# Add execute permission
[root@harbor ~]# chmod +x /usr/local/bin/docker-compose
# Verify
[root@harbor ~]# docker-compose --version
docker-compose version 1.25.0, build 0a186604
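
3. Install Harbor

For installing Harbor, downloading the offline archive is recommended: it contains all the Docker images Harbor needs to start, which makes deployment quick. The latest version can be found on the GitHub releases page; version 1.10.0 is used here. The GitHub address is https://github.com/vmware/harbor/releases

1) Download Harbor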

[root@harbor ~]# cd /usr/local/src
[root@harbor src]# wget https://github.com/goharbor/harbor/releases/download/v1.10.0/harbor-offline-installer-v1.10.0.tgz
[root@harbor src]# tar -zxf harbor-offline-installer-v1.10.0.tgz

2) Configure HTTP access for Harbor

[root@localhost src]# cd harbor
[root@localhost harbor]# ls
common.sh  harbor.v1.10.0.tar.gz  harbor.yml  install.sh  LICENSE  prepare
[root@harbor harbor]# vim harbor.yml
hostname: 192.168.0.153
### Also comment out https; otherwise the installation fails with: ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
#https:
  #port: 443
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
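Leave the other settings at their defaults. With https commented out, Harbor serves logins and image traffic over unencrypted HTTP, which the installer warns about in Step 4.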

3) Install Harbor

[root@localhost harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 19.03.5

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.25.0

[Step 2]: loading Harbor images ...
47a4bb1cfbc7: Loading layer [==================================================>]  34.26MB/34.26MB
a9f6374f6301: Loading layer [==================================================>]   9.05MB/9.05MB
bcc00f109225: Loading layer [==================================================>]  6.239MB/6.239MB
e8ab93b98902: Loading layer [==================================================>]  14.61MB/14.61MB
9693a5513be0: Loading layer [==================================================>]  28.24MB/28.24MB
b7d7d682bc6d: Loading layer [==================================================>]  22.02kB/22.02kB
d900ce1515a6: Loading layer [==================================================>]  49.09MB/49.09MB
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.10.0
c213392443fe: Loading layer [==================================================>]  73.37MB/73.37MB
96da3f81a9fa: Loading layer [==================================================>]   42.3MB/42.3MB
6d5cecb71914: Loading layer [==================================================>]   2.56kB/2.56kB
0176040eb813: Loading layer [==================================================>]  1.536kB/1.536kB
c3ef530b4890: Loading layer [==================================================>]  166.4kB/166.4kB
4beac5b37ba2: Loading layer [==================================================>]  3.006MB/3.006MB
Loaded image: goharbor/prepare:v1.10.0
b74d8257d4e7: Loading layer [==================================================>]  12.83MB/12.83MB
84600f9f0741: Loading layer [==================================================>]  41.86MB/41.86MB
ffe062536c6c: Loading layer [==================================================>]  5.632kB/5.632kB
ea7f137ea115: Loading layer [==================================================>]  40.45kB/40.45kB
3e4a0845adac: Loading layer [==================================================>]  41.86MB/41.86MB
Loaded image: goharbor/harbor-core:v1.10.0
69e43242ff64: Loading layer [==================================================>]  50.39MB/50.39MB
181ea859832f: Loading layer [==================================================>]  3.584kB/3.584kB
8177cfc3d4f6: Loading layer [==================================================>]  3.072kB/3.072kB
d6a67476a798: Loading layer [==================================================>]   2.56kB/2.56kB
ba6e88638645: Loading layer [==================================================>]  3.072kB/3.072kB
6f4e810775fe: Loading layer [==================================================>]  3.584kB/3.584kB
68a002a96794: Loading layer [==================================================>]  12.29kB/12.29kB
Loaded image: goharbor/harbor-log:v1.10.0
badcf9296df7: Loading layer [==================================================>]  9.056MB/9.056MB
cf547160f0cb: Loading layer [==================================================>]  3.584kB/3.584kB
6ea8d6e27cc8: Loading layer [==================================================>]  3.072kB/3.072kB
d5bbe5fd758e: Loading layer [==================================================>]  21.76MB/21.76MB
89671f09ee94: Loading layer [==================================================>]  22.59MB/22.59MB
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.0
731b3ddd17ae: Loading layer [==================================================>]  16.04MB/16.04MB
097c19c25f23: Loading layer [==================================================>]  28.24MB/28.24MB
e9fd9ba28814: Loading layer [==================================================>]  22.02kB/22.02kB
d4da382b94f0: Loading layer [==================================================>]  50.52MB/50.52MB
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.10.0
c2d9cf7a4eaf: Loading layer [==================================================>]  9.056MB/9.056MB
7ff1181fe317: Loading layer [==================================================>]   9.71MB/9.71MB
bbef02a499c4: Loading layer [==================================================>]   9.71MB/9.71MB
Loaded image: goharbor/clair-adapter-photon:v1.0.1-v1.10.0
86340c56281e: Loading layer [==================================================>]  9.055MB/9.055MB
239a2501714d: Loading layer [==================================================>]  42.31MB/42.31MB
82cb5fb66ee1: Loading layer [==================================================>]  3.072kB/3.072kB
5df190fa4c4a: Loading layer [==================================================>]  3.584kB/3.584kB
1ad5a86de000: Loading layer [==================================================>]  43.14MB/43.14MB
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.10.0
a2ffdaaa3434: Loading layer [==================================================>]  63.56MB/63.56MB
5745ac9e0297: Loading layer [==================================================>]  54.44MB/54.44MB
47a40f68074f: Loading layer [==================================================>]  5.632kB/5.632kB
3480ec848416: Loading layer [==================================================>]  2.048kB/2.048kB
6b1347c012b5: Loading layer [==================================================>]   2.56kB/2.56kB
8d58ae62dfff: Loading layer [==================================================>]   2.56kB/2.56kB
b244f429f353: Loading layer [==================================================>]   2.56kB/2.56kB
9e6aa8541fd4: Loading layer [==================================================>]  10.24kB/10.24kB
Loaded image: goharbor/harbor-db:v1.10.0
07efa003923d: Loading layer [==================================================>]  9.056MB/9.056MB
f58d9d3ffa81: Loading layer [==================================================>]  3.584kB/3.584kB
46a1832765ca: Loading layer [==================================================>]  21.76MB/21.76MB
01e5ce40973a: Loading layer [==================================================>]  3.072kB/3.072kB
415ae2dee656: Loading layer [==================================================>]  8.662MB/8.662MB
676dc2d0e966: Loading layer [==================================================>]  31.24MB/31.24MB
Loaded image: goharbor/harbor-registryctl:v1.10.0
db95a8bece9e: Loading layer [==================================================>]  78.32MB/78.32MB
9a0924a25b60: Loading layer [==================================================>]  3.072kB/3.072kB
7cb7e9d75e7d: Loading layer [==================================================>]   59.9kB/59.9kB
7c0cc7ba0eb4: Loading layer [==================================================>]  61.95kB/61.95kB
Loaded image: goharbor/redis-photon:v1.10.0
48cda078e98d: Loading layer [==================================================>]  10.89MB/10.89MB
Loaded image: goharbor/nginx-photon:v1.10.0
9ea2dad46741: Loading layer [==================================================>]  10.89MB/10.89MB
0da7797cc45f: Loading layer [==================================================>]  7.696MB/7.696MB
72633f284549: Loading layer [==================================================>]  223.2kB/223.2kB
0fe7226e7f5e: Loading layer [==================================================>]  195.1kB/195.1kB
09d13331e39d: Loading layer [==================================================>]  15.36kB/15.36kB
0911c8ab4812: Loading layer [==================================================>]  3.584kB/3.584kB
Loaded image: goharbor/harbor-portal:v1.10.0
f3967aa0de5f: Loading layer [==================================================>]  115.8MB/115.8MB
ef07a35b449d: Loading layer [==================================================>]  12.14MB/12.14MB
d388cc1fc249: Loading layer [==================================================>]  3.072kB/3.072kB
8afe0ff3e4d1: Loading layer [==================================================>]  49.15kB/49.15kB
1ac3d3c632b4: Loading layer [==================================================>]  3.584kB/3.584kB
5a06625202c0: Loading layer [==================================================>]  13.02MB/13.02MB
Loaded image: goharbor/clair-photon:v2.1.1-v1.10.0
0039915754c6: Loading layer [==================================================>]  12.83MB/12.83MB
8b5f7c0672e5: Loading layer [==================================================>]  48.59MB/48.59MB
Loaded image: goharbor/harbor-jobservice:v1.10.0
62b223a46a15: Loading layer [==================================================>]  34.29MB/34.29MB
f62d30545b31: Loading layer [==================================================>]    338MB/338MB
ce4bd5384c87: Loading layer [==================================================>]  135.2kB/135.2kB
Loaded image: goharbor/harbor-migrator:v1.10.0


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/src/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir



[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry      ... done
Creating redis         ... done
Creating harbor-db     ... done
Creating harbor-portal ... done
Creating registryctl   ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

As the output shows, Harbor has been installed and started successfully.

4) Check Harbor's status

[root@localhost harbor]# docker-compose ps
      Name                     Command                  State                 Ports          
---------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)                            
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp                 
harbor-jobservice   /harbor/harbor_jobservice  ...   Up (healthy)                            
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp                 
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp     
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp                 
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp                 
registryctl         /home/harbor/start.sh            Up (healthy)                            

5) Access the private registry

Browse to 192.168.0.153; the default username and password are admin/Harbor12345


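The first thing to do after logging in is always to change the default password. After that you can create and manage projects under project management. Note that the default project, library, is public; if you intend to use it and the host is reachable from the public internet, make it private.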

IV. Client Verification

1. Install Docker
[root@harbor ~]# yum install -y yum-utils
[root@harbor ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@harbor ~]# yum install -y docker-ce

Start the service

[root@harbor ~]# systemctl start docker
[root@harbor ~]# systemctl enable docker
[root@harbor ~]# systemctl status docker
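
2. Configure the client to trust HTTP

Since Docker 1.3.2, TLS is required when using a registry. Because we are not using HTTPS, we need to add a configuration file on the client machine. The entry must match the address used in docker login, tag and push (here 192.168.0.153, which nginx serves on port 80); the registry container's port 5000 is not published on the host.

[root@docker ~]# vim /etc/docker/daemon.json
{
    "insecure-registries": ["192.168.0.153"]
}

# Restart docker
[root@docker ~]# systemctl restart docker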

3. Log in to Harbor from the client
[root@docker ~]# docker login -u admin -p Harbor12345 192.168.0.153
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
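
An added example (not from the original post) that audits the two client-side files this walkthrough touches: it flags registry credentials kept base64-only in config.json, credentials that go to a registry covered by insecure-registries, and the installer default password. The file contents, the 10.20.x.x host, ci-bot and registry.example.internal are constructed; the matching approximates Docker's rules (exact host[:port] or CIDR) and handles IPv4 only.

```python
import base64, ipaddress, json

# Constructed samples of /etc/docker/daemon.json and ~/.docker/config.json.
DAEMON_JSON = '{"insecure-registries": ["192.168.0.153", "10.20.0.0/16"]}'
DOCKER_CONFIG = json.dumps({"auths": {
    "192.168.0.153": {"auth": base64.b64encode(b"admin:Harbor12345").decode()},
    "10.20.3.7:8080": {"auth": base64.b64encode(b"ci-bot:s3cr3t-example").decode()},
    "registry.example.internal": {},   # hypothetical host; secret held by a helper
}})

def is_insecure(registry, entries):
    """True on an exact host[:port] match or when the host IP is in a listed CIDR."""
    if registry in entries:
        return True
    host = registry.rsplit(":", 1)[0]
    for entry in entries:
        try:
            if "/" in entry and ipaddress.ip_address(host) in \
                    ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue                   # hostname instead of an IP, or bad entry
    return False

def audit_client(daemon_json, docker_config, default_passwords=("Harbor12345",)):
    """Return (registry, finding, user) tuples for risky client settings."""
    entries = json.loads(daemon_json).get("insecure-registries", [])
    auths = json.loads(docker_config).get("auths", {})
    findings = []
    for registry, entry in sorted(auths.items()):
        if "auth" not in entry:
            continue                   # credential lives in a helper or store
        decoded = base64.b64decode(entry["auth"]).decode()
        user, _, password = decoded.partition(":")
        findings.append((registry, "stored-unencrypted", user))
        if is_insecure(registry, entries):
            findings.append((registry, "sent-without-verified-tls", user))
        if password in default_passwords:
            findings.append((registry, "default-password", user))
    return findings
```

An insecure-registries entry of "192.168.0.153:5000" does not cover logins to "192.168.0.153", because the match is on the exact host[:port] string.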

4. Verify pushing an image

First pull an image locally

[root@docker ~]# docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest: sha256:4fe721ccc2e8dc7362278a29dc660d833570ec2682f4e4194f4ee23e415e1064
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest
[root@docker ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              fce289e99eb9        12 months ago       1.84kB

Tag the image

[root@docker ~]# docker tag hello-world 192.168.0.153/library/hello-world:v1
[root@docker ~]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
192.168.0.153/library/hello-world   v1                  fce289e99eb9        12 months ago       1.84kB
hello-world                         

Push to Harbor

[root@docker ~]# docker push 192.168.0.153/library/hello-world:v1
The push refers to repository [192.168.0.153/library/hello-world]
af0b15c8625b: Pushed 
v1: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524

Then take a look at the private registry


The image has been uploaded successfully.

Delete the local image and pull it from Harbor

# List local images
[root@docker ~]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
hello-world                         latest              fce289e99eb9        12 months ago       1.84kB
192.168.0.153/library/hello-world   v1   

# Delete the local image
[root@docker ~]# docker rmi -f fce289e99eb9
[root@docker ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

# Pull the image from Harbor
[root@docker ~]# docker pull 192.168.0.153/library/hello-world:v1
v1: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Status: Downloaded newer image for 192.168.0.153/library/hello-world:v1
192.168.0.153/library/hello-world:v1

# List images
[root@docker ~]# docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
192.168.0.153/library/hello-world   v1                  fce289e99eb9        12 months ago       1.84kB

