Whether you run plain Docker or Kubernetes, an image registry is an indispensable component, and a private registry is essential for any future CI/CD pipeline: images pushed and pulled over the internal network move very fast.
Harbor is built on the open-source Docker Distribution registry and adds a management UI, role-based access control, audit logging and more; it is deployed as containers with docker-compose, which makes it very convenient.
Harbor 2.0+ actually works better; 1.2 ran into some problems later on.
Deploying Harbor:
1. Install docker-compose
# Download and install. This pins compose 1.9.0 and pipes an unverified binary straight into /usr/local/bin; compare the downloaded file against the checksum published with that release before making it executable.
curl -L https://github.com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m`> /usr/local/bin/docker-compose
# Permissions
chmod a+x /usr/local/bin/docker-compose
# Check that it works
docker-compose -v
2. Download Harbor
Download URL: https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-offline-installer-v1.2.0.tgz
wget is very slow from here; download it with Thunder (迅雷) and copy it to the host instead.
3. Configure and install Harbor
# Unpack Harbor
tar -zxvf harbor-offline-installer-v1.2.0.tgz
# Enter the harbor directory
cd harbor
# Edit the configuration
vim harbor.cfg
Settings that must be changed:
hostname = your own domain name
ui_url_protocol = https
A finished copy of the config follows. Note that db_password, clair_db_password and harbor_admin_password are still the sample values from the shipped harbor.cfg, and self_registration = on together with project_creation_restriction = everyone lets anyone who can reach the UI register an account and create projects; change these before running install.sh on anything other than a lab box:
hostname = docker.harbor.com
ui_url_protocol = https
db_password = root123
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
clair_db_password = password
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 3
ldap_timeout = 5
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
verify_remote_cert = on
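Before running install.sh it is worth checking harbor.cfg for exactly the weak settings present in the sample above. The POSIX shell script below is an added example written for this page; it is not part of the original post or of the Harbor project. It parses the 1.x key = value format and flags a non-https UI, the shipped admin password, short or well-known database passwords, open self-registration and unrestricted project creation. The 12-character minimum and the list of known default values are this script's own assumptions, and the two config files it writes are constructed inline so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): audit a
# Harbor 1.x harbor.cfg for the weak settings present in the sample config.
# Assumptions: passwords shorter than 12 characters are "weak"; the values in
# the case list below are treated as known defaults.

# get_cfg KEY FILE: print the first value of KEY, surrounding whitespace stripped.
get_cfg() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# is_weak_password VALUE: 0 (weak) if empty, a known default, or too short.
is_weak_password() {
    case "$1" in
        ""|root123|password|changeit|Harbor12345) return 0 ;;
    esac
    [ "${#1}" -lt 12 ]
}

# audit_harbor_cfg FILE: print one finding per line; return 0 only if clean.
audit_harbor_cfg() {
    cfg="$1"
    findings=0
    if [ "$(get_cfg ui_url_protocol "$cfg")" != "https" ]; then
        echo "ui_url_protocol is not https: logins and image layers travel in cleartext"
        findings=$((findings + 1))
    fi
    # admin/Harbor12345 is the password Harbor ships with; it is public knowledge.
    if [ "$(get_cfg harbor_admin_password "$cfg")" = "Harbor12345" ]; then
        echo "harbor_admin_password is still the shipped default"
        findings=$((findings + 1))
    fi
    for key in db_password clair_db_password; do
        if is_weak_password "$(get_cfg "$key" "$cfg")"; then
            echo "$key is empty, a known default, or shorter than 12 characters"
            findings=$((findings + 1))
        fi
    done
    if [ "$(get_cfg self_registration "$cfg")" = "on" ]; then
        echo "self_registration=on: anyone who can reach the UI can create an account"
        findings=$((findings + 1))
    fi
    if [ "$(get_cfg project_creation_restriction "$cfg")" = "everyone" ]; then
        echo "project_creation_restriction=everyone: every user can create projects (adminonly is safer)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_sample_cfg FILE: the relevant lines of the config shown in the post (constructed copy).
write_sample_cfg() {
    cat > "$1" <<'EOF'
hostname = docker.harbor.com
ui_url_protocol = https
db_password = root123
customize_crt = on
clair_db_password = password
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
EOF
}

# write_hardened_cfg FILE: the same keys with every finding fixed (constructed values).
write_hardened_cfg() {
    cat > "$1" <<'EOF'
hostname = docker.harbor.com
ui_url_protocol = https
db_password = q7Vm2xLp9sKd4Rt8
customize_crt = on
clair_db_password = Zc3Nh6Bw1Yf5Gk0J
harbor_admin_password = Xu8Pq4Lm2Ws6Vt9R
auth_mode = db_auth
self_registration = off
token_expiration = 30
project_creation_restriction = adminonly
EOF
}

# Demo: audit a copy of the post's config written to a temporary directory.
demo_dir=$(mktemp -d)
write_sample_cfg "$demo_dir/harbor.cfg"
audit_harbor_cfg "$demo_dir/harbor.cfg" || echo "harbor.cfg: fix the findings above before ./install.sh"
rm -rf "$demo_dir"
```

Run `audit_harbor_cfg /path/to/harbor/harbor.cfg` against the real file; a non-zero exit makes it usable as a gate in a deployment script. The sample config above produces five findings, the hardened one none.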
Create the certificate:
# Create the directory named by ssl_cert = /data/cert/server.crt in harbor.cfg
mkdir -p /data/cert
# Enter the directory
cd /data/cert
# Create a self-signed certificate. The session below first encrypts the key with -des3 and then strips the passphrase again (Harbor's nginx cannot prompt for one), so the passphrase step can be skipped entirely.
[root@m1 cert]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@m1 cert]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:lxq
Organizational Unit Name (eg, section) []:lxq
Common Name (eg, your name or your server's hostname) []:docker.harbor.com
Email Address []:lxq@123.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@m1 cert]# cp server.key server.key.org
[root@m1 cert]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
140417011402640:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for server.key.org:
writing RSA key
[root@m1 cert]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=BJ/ST=BJ/L=BJ/O=lxq/OU=lxq/CN=docker.harbor.com/emailAddress=lxq@123.com
Getting Private key
# The private key must not be world-readable: 600 for the key, 644 for the certificate (the original chmod 755 * exposed the key to every local user)
[root@m1 cert]# chmod 600 server.key server.key.org
[root@m1 cert]# chmod 644 server.crt server.csr
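The interactive session above can be replaced by the script below, an added example written for this page rather than code from the post or from Harbor. It generates the same server.key and server.crt pair in one step and fixes three things a practitioner would want: no passphrase is set only to be stripped again, the certificate carries a subjectAltName for the hostname (Go-based clients, including current Docker, no longer accept a certificate that names the host only in the CN), and the key is created with mode 600 rather than 755. It also checks that the key and certificate match and includes the client-side step that lets dockerd trust the certificate without insecure-registries. The output directory, hostname and validity period are parameters; the O value, the CERT_DIR variable and the trust_in_docker helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): create the
# Harbor server certificate non-interactively. Compared with the session above
# it skips the passphrase round-trip, adds a subjectAltName, and creates the
# key mode 600 instead of 755. /data/cert and docker.harbor.com are only the
# post's values; they are passed in as parameters here.

# make_harbor_cert DIR HOST [DAYS]: write DIR/server.key and DIR/server.crt.
make_harbor_cert() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    # Request config: no prompts, and a v3 section carrying the SAN and the
    # key usages a TLS server certificate needs.
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req

[dn]
O = Harbor lab
CN = $host

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # umask 077 in a subshell so the key file is never world-readable, even briefly.
    (
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
            -config "$dir/openssl.cnf" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/server.key" && chmod 644 "$dir/server.crt"
}

# cert_matches_key CRT KEY: 0 if the certificate's public modulus equals the key's.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san CRT HOST: 0 if CRT lists DNS:HOST in subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# key_mode FILE: print the permission string, e.g. -rw------- for mode 600.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# trust_in_docker CRT HOST: install CRT where dockerd looks for a registry's CA
# (needs root). This is the alternative to listing HOST in insecure-registries.
trust_in_docker() {
    mkdir -p "/etc/docker/certs.d/$2" && cp "$1" "/etc/docker/certs.d/$2/ca.crt"
}

# Demo: generate into $CERT_DIR if set (e.g. /data/cert to match harbor.cfg),
# otherwise into a fresh temporary directory.
out="${CERT_DIR:-$(mktemp -d)}"
if make_harbor_cert "$out" docker.harbor.com 365 \
   && cert_matches_key "$out/server.crt" "$out/server.key" \
   && cert_has_san "$out/server.crt" docker.harbor.com; then
    echo "wrote $out/server.key ($(key_mode "$out/server.key")) and $out/server.crt"
else
    echo "certificate generation failed in $out" >&2
fi
```

Run it as root with `CERT_DIR=/data/cert` to write where harbor.cfg points, then on each Docker host run `trust_in_docker /data/cert/server.crt docker.harbor.com` instead of editing daemon.json.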
# Install
./install.sh
4. Test after installation
First add a hosts entry that points the domain at the server running Harbor.
The post then edits Docker's daemon.json to make the daemon treat this registry as trusted by listing it under insecure-registries. Be aware of what that does: dockerd skips certificate verification for that host and will fall back to plain HTTP, which throws away the TLS you just configured. The documented way to trust a self-signed registry certificate is to copy server.crt to /etc/docker/certs.d/docker.harbor.com/ca.crt on each client; with that in place, daemon.json needs no change.
[root@m1 harbor]# cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "insecure-registries": ["docker.harbor.com"]
}
The insecure-registries line is the one that was added; JSON has no comments, so the annotation cannot live inside the file itself. Restart dockerd after editing daemon.json.
Log in
docker login https://docker.harbor.com
Default username: admin
Default password: Harbor12345
If harbor_admin_password was left at this default, change it on first login; the value is public knowledge.
You can also add the hosts entry on a Windows machine and open the UI in a browser.
Push and pull test
# Pull a test image
docker pull hello-world
# Retag it for the registry
docker tag hello-world:latest docker.harbor.com/library/hello-world:v1
# Push it to the registry
docker push docker.harbor.com/library/hello-world:v1
# Pull it back
docker pull docker.harbor.com/library/hello-world:v1
That completes the setup. Harbor's port can also be changed, which helps on hosts with few resources or where the default port conflicts with something else.