I: In the recently released Harbor version, Harbor added policy-based Docker image replication. It is similar to MySQL master-slave replication: images can be synchronized between different data centers and different runtime environments, and a friendly management UI is provided, which greatly simplifies image management in day-to-day operations. Many internet companies already use Harbor to build internal Docker registries, and there are cases of bidirectional replication as well; this article deploys one-way replication:
1.1: Environment:
At least two Harbor servers are needed. One is docker-server3, the Harbor server used in the previous chapter; in this section a second machine, docker-server2, is added as its mirror server, responsible for backing up the Docker images:
1.2: Deploy a new Harbor server:
[root@docker-server2 ~]# cd /usr/local/src
[root@docker-server2 src]# tar xvf harbor-offline-installer-0.5.0.tgz
[root@docker-server2 src]# cd harbor/
[root@docker-server2 harbor]# yum install python-pip -y
[root@docker-server2 harbor]# pip install --upgrade pip
[root@docker-server2 harbor]# pip install docker-compose
[root@docker-server2 harbor]# vim harbor.cfg
hostname = 192.168.10.102
[root@docker-server2 harbor]# ./install.sh
[root@docker-server2 harbor]# docker images
1.3: After Harbor is installed, log in to the web UI to continue. To avoid self-signed certificate problems for now, switch to plain http access first:
1.3.1: On the master Harbor server, open the jack project created earlier:
1.3.2: Inside the jack project, click Replication -> New Policy:
1.3.3: The replication job that was created:
1.3.4: Check whether the project now exists on the backup Harbor server (it is created automatically):
1.3.5: Verify that the image replication has completed:
II: Switch the master Harbor server to https, issue a certificate for the slave Harbor server and configure it for https as well, then test that image backup works in an https environment:
2.1: Switch both the master and the slave Harbor to https access:
2.1.1: Switch the master Harbor to https and self-sign a certificate for the slave Harbor's domain name:
[root@docker-server3 cakey]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor2.studeylinux.com.key -out harbor2.studeylinux.com.csr
[root@docker-server3 cakey]# openssl x509 -req -days 365 -in harbor2.studeylinux.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor2.studeylinux.com.crt
2.1.2: Copy the certificate to the slave Harbor server:
[root@docker-server3 cakey]# scp harbor2.studeylinux.com.* 192.168.10.102:/opt/cakey/
root@192.168.10.102's password:
harbor2.studeylinux.com.crt 100% 2013 2.0KB/s 00:00
harbor2.studeylinux.com.csr 100% 1825 1.8KB/s 00:00
harbor2.studeylinux.com.key 100% 3272 3.2KB/s 00:00
2.1.3: Configure the slave Harbor server to use https:
[root@docker-server2 harbor]# grep "^[a-Z]" harbor.cfg
hostname = harbor2.studeylinux.com
ui_url_protocol = https
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin
email_ssl = false
harbor_admin_password = zhang@123
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 3
db_password = root123
self_registration = on
use_compressed_js = on
max_job_workers = 3
token_expiration = 30
verify_remote_cert = on
customize_crt = on
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com
project_creation_restriction = everyone
ssl_cert = /opt/cakey/harbor2.studeylinux.com.crt
ssl_cert_key = /opt/cakey/harbor2.studeylinux.com.key
2.1.4: Restart the slave Harbor services:
[root@docker-server2 harbor]# ./prepare
[root@docker-server2 harbor]# docker-compose down
[root@docker-server2 harbor]# docker-compose up -d
2.1.5: Verify https access:
2.1.6: On the slave Harbor server, save the CA certificate to /etc/docker/certs.d/harbor2.studeylinux.com/:
[root@docker-server2 harbor]# mkdir /etc/docker/certs.d/harbor2.studeylinux.com
[root@docker-server2 harbor]# scp 192.168.10.103:/opt/cakey/ca.crt /etc/docker/certs.d/harbor2.studeylinux.com/
[root@docker-server2 harbor]# ntpdate time1.aliyun.com
[root@docker-server2 ~]# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald'
[root@docker-server2 harbor]# docker login harbor2.studeylinux.com
Username: admin
Password:
Login Succeeded
2.1.7: On the master Harbor server, save the CA certificate to /etc/docker/certs.d/harbor2.studeylinux.com/:
[root@docker-server3 harbor]# mkdir /etc/docker/certs.d/harbor2.studeylinux.com
[root@docker-server3 harbor]# scp 192.168.10.103:/opt/cakey/ca.crt /etc/docker/certs.d/harbor2.studeylinux.com/
root@192.168.10.103's password:
ca.crt 100% 2106 2.1KB/s 00:00
[root@docker-server3 harbor]# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald'
[root@docker-server3 harbor]# docker login harbor2.studeylinux.com
Username: admin
Password:
Login Succeeded
2.2: Create a new project on the master Harbor server to test replication:
2.2.1: Create a project named jack2:
2.2.2: Create the replication policy; the following error is reported:
2.3: The error above occurs because the self-signed certificate is valid only for the domain name, not for the IP address used in the request, so the domain name must be used in the policy. Using the domain name, however, produces a different error, so a certificate signed by a certificate authority is required before it will be trusted. In other words, the slave Harbor's harbor.cfg needs to listen on the IP address: if it listens on the domain name, entering the domain name in the replication policy reports a host-not-found error, which looks like a network problem that prevents the connection, even though access by domain name works fine, as shown below:
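Added here as a worked example (not part of the original post or of Harbor itself): a small Python audit of the harbor.cfg keys from step 2.1.3 that flags the conditions behind the step 2.3 failure, namely an https setup whose hostname is a bare IP rather than the DNS name the certificate was issued for, together with empty certificate paths, verify_remote_cert switched off, and an unchanged admin password. The two sample configurations are constructed, and the shipped default admin password used for the last check is an assumption.

```python
"""Audit harbor.cfg for the TLS-related settings this walkthrough touches."""
import ipaddress

# Assumption: the admin password Harbor ships with in harbor.cfg.
ASSUMED_DEFAULT_ADMIN_PASSWORD = "Harbor12345"


def parse_harbor_cfg(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_harbor_cfg(text):
    """Return a list of findings; an empty list means nothing to fix."""
    cfg = parse_harbor_cfg(text)
    findings = []
    host = cfg.get("hostname", "")
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append("ui_url_protocol is not https: logins and pushes travel in clear text")
    else:
        # The step 2.3 failure: the certificate is issued for a DNS name, so a
        # bare-IP hostname can never match what the replication peer verifies.
        try:
            ipaddress.ip_address(host)
            findings.append("hostname is an IP address but the certificate is issued for a DNS name")
        except ValueError:
            pass
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append(f"{key} is empty: nginx cannot serve https without it")
    if cfg.get("verify_remote_cert", "on") != "on":
        findings.append("verify_remote_cert is off: replication would accept any certificate")
    if cfg.get("harbor_admin_password") == ASSUMED_DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is still the shipped default")
    return findings


# Constructed samples: the first reproduces the bare-IP https mistake, the second is clean.
BAD_CFG = """hostname = 192.168.10.102
ui_url_protocol = https
ssl_cert = /opt/cakey/harbor2.studeylinux.com.crt
ssl_cert_key =
verify_remote_cert = off
harbor_admin_password = Harbor12345
"""
GOOD_CFG = """hostname = harbor2.studeylinux.com
ui_url_protocol = https
ssl_cert = /opt/cakey/harbor2.studeylinux.com.crt
ssl_cert_key = /opt/cakey/harbor2.studeylinux.com.key
verify_remote_cert = on
harbor_admin_password = changed-by-operator
"""

if __name__ == "__main__":
    for name, cfg in (("BAD_CFG", BAD_CFG), ("GOOD_CFG", GOOD_CFG)):
        print(name, audit_harbor_cfg(cfg) or ["OK"])
```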