Harbor Image Registry
Docker Registry
There are many Registry servers on the Internet that let third-party users sign up and then maintain their own repositories under their user name. Using a Registry on the public Internet has one drawback, however: pushing and pulling images is not fast. In production, dozens or even hundreds of containers may be started in parallel, and very likely none of the servers has the image locally. Pulling images over the Internet at that point causes many problems: the download is slow, a lot of bandwidth is consumed, and if bandwidth is short the download-to-start process can take tens of minutes, which defeats the whole point of containers being lightweight and fast to start. For this reason we very often need to run our own private Registry.
A Registry stores Docker images, including each image's layer structure and metadata. Users can run their own Registry or use the official Docker Hub.
Docker Registry categories:
- Sponsor Registry: a third-party Registry provided for customers and the Docker community
- Mirror Registry: a third-party Registry available only to its customers
- Vendor Registry: a Registry run by the vendor that publishes the Docker images
- Private Registry: a Registry run by a private entity behind a firewall and additional security layers
In fact, if the systems you operate are hosted on a cloud service such as Alibaba Cloud, using that cloud's own Registry is the best choice. Often the production environment is not on premises but in a data-center facility; if we deploy a Registry on a host in that facility, everything sits on the same LAN, data transfer stays on the internal network, and efficiency improves enormously.
All Registries work over HTTPS by default; Docker requires this. A self-built Registry, however, will very likely be served over HTTP, and by default Docker refuses to use a Registry over HTTP unless it is explicitly told that this particular Registry is meant to be used over HTTP.
Docker Private Registry
To help us create a private Registry quickly, Docker provides a dedicated package called Docker Distribution; installing it gives us a private repository in short order.
Q: Since Docker exists to run programs, can Docker Distribution itself run in a container?
In the container era every program should run in a container, except the kernel and init. To make a Docker Private Registry possible, Docker Hub publishes the Registry itself as an image; we simply pull it and start it as a container to get a private Registry.
The main job of a Registry is to host images. When the Registry runs in a container, the container's own filesystem is deleted when the container's life cycle ends and it is removed, so all the images clients have uploaded vanish the moment the Registry container is stopped and deleted. The images must therefore live on a storage volume, and preferably not on the Docker host's local disk but on network shared storage such as NFS. The volume the image defines for itself is still a Docker-managed volume on the local Docker host; we can change it by hand to a volume backed by another filesystem.
That is one simple way to run a Registry in a container. The other way to build your own Registry is to install the docker-distribution package directly.
Harbor
Whether we build a repository with docker-distribution or by running the official image as a container, the earlier demonstrations show that the result is very bare; it is less convenient than simply managing images on the official Docker Hub. Docker Hub at least lets you manage images through a web UI, search from that UI, and build images automatically from a Dockerfile through Webhooks and Automated Builds: the user does not run docker build locally but pushes all the files of the build context as a repository to GitHub, from which Docker Hub pulls them to complete the automated build.
But however powerful the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck and in many cases using the official repository is out of the question; yet the two self-hosting approaches above are very bare and hard to manage. Later a project appeared that gained the favour of the CNCF: Harbor.
Harbor overview
Harbor was built by VMware as a second layer on top of Docker Registry, adding many extra programs and a very attractive web UI.
Project Harbor is an open source trusted cloud native registry project that stores, signs and scans content.
Harbor extends the open source Docker Distribution by adding the functionality users usually need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity monitoring and replication between instances.
Harbor features
Features:
- Multi-tenant content signing and validation
- Security and vulnerability analysis
- Audit logging
- Identity integration and role-based access control
- Image replication between instances
- Extensible API and graphical UI
- Internationalization (currently English and Chinese)
Docker Compose
Deploying Harbor on bare metal is very hard, so to simplify its use the Harbor project ships Harbor as an application that runs in containers. Within Harbor those containers depend on many storage systems such as redis, mysql and pgsql, so a number of containers have to be orchestrated to work together; deploying and operating VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose.
Compose is a tool for defining and running multi-container Docker applications. With Compose you use a YAML file to configure your application's services; then, with a single command, you create and start all the services from that configuration.
Installing Compose
// Download the docker-ce repo
[root@docker ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
[root@docker ~]# sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' /etc/yum.repos.d/docker-ce.repo
[root@docker ~]# dnf clean all
Repository extras is listed more than once in the configuration
77 files removed
// Install
[root@docker ~]# dnf -y install docker-ce
[root@docker ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@docker ~]# cd /usr/local/bin/
[root@docker bin]# chmod +x docker-compose
[root@docker bin]# ls
docker-compose
// Check the version
[root@docker bin]# docker-compose version
docker-compose version 1.26.2, build eefe0d31
docker-py version: 4.2.2
CPython version: 3.7.7
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
Deploying Harbor
// Disable the firewall and SELinux
[root@docker bin]# systemctl disable --now firewalld
[root@docker bin]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@docker bin]# reboot
// Configure a registry mirror
[root@docker bin]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://6yrl18rf.mirror.aliyuncs.com"]
}
[root@docker bin]# systemctl daemon-reload
[root@docker bin]# systemctl enable --now docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
// Change the hostname
[root@docker ~]# hostnamectl set-hostname docker.example.com
[root@docker ~]# bash
[root@docker ~]# hostname
docker.example.com
[root@docker ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.150 docker.example.com
[root@docker ~]# ping docker.example.com
PING docker.example.com (192.168.200.150) 56(84) bytes of data.
64 bytes from docker.example.com (192.168.200.150): icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from docker.example.com (192.168.200.150): icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from docker.example.com (192.168.200.150): icmp_seq=3 ttl=64 time=0.031 ms
// Unpack
[root@docker local]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@docker local]# ls
bin games include lib64 nginx share
etc harbor lib libexec sbin src
// Edit the configuration file
[root@docker harbor]# cp harbor.yml.tmpl harbor.yml
[root@docker harbor]# ls
common.sh harbor.yml install.sh prepare
harbor.v2.3.5.tar.gz harbor.yml.tmpl LICENSE
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: docker.example.com //hostname
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
#https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
........
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345 //admin password
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123 //database password
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100 //maximum idle connections
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900 //maximum open connections
# The default data volume
data_volume: /data //data mount directory
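The harbor.yml above keeps three values exactly as the template ships them: the admin password, the database password, and the commented-out https block. As an added example (not part of the original tutorial or of Harbor), the following shell check flags those template defaults so they are caught before install.sh runs; the harbor.yml it inspects is constructed inline to mirror the values shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial or from Harbor: report the
# settings in a harbor.yml that this page leaves at their template defaults.
# Each finding is printed on its own line; no output means nothing was flagged.
harbor_yml_audit() {
  local file=$1
  # Template admin password; the template itself says to change it after launch.
  if grep -Eq '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$' "$file"; then
    echo "harbor_admin_password is the template default (Harbor12345)"
  fi
  # Template database password ("Change this before any production use").
  if grep -Eq '^[[:space:]]+password:[[:space:]]*root123[[:space:]]*$' "$file"; then
    echo "database.password is the template default (root123)"
  fi
  # With the https block commented out, every client has to list the host under
  # insecure-registries and login credentials travel over plain HTTP.
  if ! grep -Eq '^https:' "$file"; then
    echo "https section is disabled; the registry will be served over plain HTTP"
  fi
  # The template forbids a loopback hostname because external clients must reach it.
  if grep -Eq '^hostname:[[:space:]]*(localhost|127\.0\.0\.1)' "$file"; then
    echo "hostname is a loopback address; external clients cannot reach it"
  fi
  return 0
}

# Constructed sample mirroring the harbor.yml values shown in this tutorial.
SAMPLE_YML=$(mktemp)
cat > "$SAMPLE_YML" <<'EOF'
hostname: docker.example.com
http:
  port: 80
#https:
#  port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
EOF

# Usage on the Harbor host: harbor_yml_audit /usr/local/harbor/harbor.yml
harbor_yml_audit "$SAMPLE_YML"
```

Run against the sample it reports three findings; a harbor.yml with the https block enabled and both passwords replaced produces no output.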
// Run the install script
[root@docker harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.2
......
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating registry ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
[root@docker harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 25 0.0.0.0:514 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 25 [::]:514 [::]:*
[root@docker harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8ba46f6a706c goharbor/nginx-photon:v2.3.5 "nginx -g 'daemon of…" 35 seconds ago Up 34 seconds (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
80cf61b933a4 goharbor/harbor-jobservice:v2.3.5 "/harbor/entrypoint.…" 35 seconds ago Up 34 seconds (healthy) harbor-jobservice
64eb93d6f048 goharbor/harbor-core:v2.3.5 "/harbor/entrypoint.…" 36 seconds ago Up 35 seconds (healthy) harbor-core
927f4ba4529c goharbor/harbor-db:v2.3.5 "/docker-entrypoint.…" 37 seconds ago Up 35 seconds (healthy) harbor-db
8f09ead36e86 goharbor/harbor-registryctl:v2.3.5 "/home/harbor/start.…" 37 seconds ago Up 35 seconds (healthy) registryctl
e826fdcba21d goharbor/harbor-portal:v2.3.5 "nginx -g 'daemon of…" 37 seconds ago Up 35 seconds (healthy) harbor-portal
a6fae8a6cd2d goharbor/registry-photon:v2.3.5 "/home/harbor/entryp…" 37 seconds ago Up 36 seconds (healthy) registry
0e09d84f6d74 goharbor/redis-photon:v2.3.5 "redis-server /etc/r…" 37 seconds ago Up 36 seconds (healthy) redis
961d9ab6ec93 goharbor/harbor-log:v2.3.5 "/bin/sh -c /usr/loc…" 38 seconds ago Up 37 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log
a388b1a08286 haproxy:v0.1 "/entrypoint.sh" 4 days ago Exited (137) 4 days ago haproxy
Accessing Harbor
Notes on using Harbor
- When pushing images from a client, always run docker login first to authenticate; otherwise the push is refused
- If the client does not use HTTPS, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json
- The data path in the configuration file should point to shared storage with ample capacity
- Harbor is managed with docker-compose; to stop Harbor, use docker-compose stop as well; see --help for the other options
Pushing an image
// Allow this registry to be used over plain HTTP
[root@docker harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://6yrl18rf.mirror.aliyuncs.com"],
"insecure-registries": ["docker.example.com"]
}
[root@docker harbor]# systemctl daemon-reload
[root@docker harbor]# systemctl restart docker
// Log in
[root@docker harbor]# docker login docker.example.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
// Push the image
[root@docker harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
haproxy v0.1 1e2038feeb7f 4 days ago 381MB
nginx latest f652ca386ed1 2 weeks ago 141MB
busybox latest d23834f29b38 2 weeks ago 1.24MB
alpine latest c059bfaa849c 3 weeks ago 5.59MB
centos latest 5d0da3dc9764 3 months ago 231MB
[root@docker harbor]# docker tag nginx:latest docker.example.com/library/nginx:v0.1
[root@docker harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
haproxy v0.1 1e2038feeb7f 4 days ago 381MB
docker.example.com/library/nginx v0.1 f652ca386ed1 2 weeks ago 141MB
nginx latest f652ca386ed1 2 weeks ago 141MB
busybox latest d23834f29b38 2 weeks ago 1.24MB
alpine latest c059bfaa849c 3 weeks ago 5.59MB
centos latest 5d0da3dc9764 3 months ago 231MB
[root@docker harbor]# docker push docker.example.com/library/nginx:v0.1
The push refers to repository [docker.example.com/library/nginx]
2bed47a66c07: Pushed
82caad489ad7: Pushed
d3e1dca44e82: Pushed
c9fcd9c6ced8: Pushed
0664b7821b60: Pushed
9321ff862abb: Pushed
v0.1: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570
Managing users
Log in with the newly created account
Start Harbor on boot
[root@docker harbor]# vim harbor_start.sh
#! /bin/bash
cd /usr/local/harbor
docker-compose start
[root@docker harbor]# vim /etc/rc.local
#!/bin/bash
/bin/bash /usr/local/harbor/harbor_start.sh
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
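The header of rc.local itself points out that, because of parallel execution during boot, the script is not run after all other services, so on a fast boot docker-compose start may fire before dockerd is ready, and it recommends creating your own systemd service instead. As an added example (not from the original tutorial), the following function writes a systemd unit that is ordered after docker.service and uses the same docker-compose start/stop commands the page uses; the unit directory and the Harbor install path are parameters, assumed to be /etc/systemd/system and /usr/local/harbor in production.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: generate a systemd unit for
# Harbor as a replacement for the rc.local hook. Requires=/After=docker.service
# guarantees dockerd is up before docker-compose start runs, which rc.local
# cannot guarantee on a parallel boot.
# $1: directory to write the unit into (assumed /etc/systemd/system in production)
# $2: Harbor install directory (assumed /usr/local/harbor, as on this page)
write_harbor_unit() {
  local unit_dir=$1 harbor_dir=${2:-/usr/local/harbor}
  local unit="$unit_dir/harbor.service"
  cat > "$unit" <<EOF
[Unit]
Description=Harbor container registry (docker-compose)
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=$harbor_dir
ExecStart=/usr/local/bin/docker-compose start
ExecStop=/usr/local/bin/docker-compose stop

[Install]
WantedBy=multi-user.target
EOF
  # Print the path so the caller can inspect or enable the unit.
  echo "$unit"
}

# Demonstration against a temporary directory so the example runs without root.
# On the Harbor host the real sequence would be:
#   write_harbor_unit /etc/systemd/system
#   systemctl daemon-reload && systemctl enable --now harbor
DEMO_DIR=$(mktemp -d)
write_harbor_unit "$DEMO_DIR"
```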
// Verify
[root@docker harbor]# reboot
[root@docker harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 25 0.0.0.0:514 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 25 [::]:514 [::]:*
[root@docker harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8ba46f6a706c goharbor/nginx-photon:v2.3.5 "nginx -g 'daemon of…" 35 seconds ago Up 34 seconds (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
80cf61b933a4 goharbor/harbor-jobservice:v2.3.5 "/harbor/entrypoint.…" 35 seconds ago Up 34 seconds (healthy) harbor-jobservice
64eb93d6f048 goharbor/harbor-core:v2.3.5 "/harbor/entrypoint.…" 36 seconds ago Up 35 seconds (healthy) harbor-core
927f4ba4529c goharbor/harbor-db:v2.3.5 "/docker-entrypoint.…" 37 seconds ago Up 35 seconds (healthy) harbor-db
8f09ead36e86 goharbor/harbor-registryctl:v2.3.5 "/home/harbor/start.…" 37 seconds ago Up 35 seconds (healthy) registryctl
e826fdcba21d goharbor/harbor-portal:v2.3.5 "nginx -g 'daemon of…" 37 seconds ago Up 35 seconds (healthy) harbor-portal
a6fae8a6cd2d goharbor/registry-photon:v2.3.5 "/home/harbor/entryp…" 37 seconds ago Up 36 seconds (healthy) registry
0e09d84f6d74 goharbor/redis-photon:v2.3.5 "redis-server /etc/r…" 37 seconds ago Up 36 seconds (healthy) redis
961d9ab6ec93 goharbor/harbor-log:v2.3.5 "/bin/sh -c /usr/loc…" 38 seconds ago Up 37 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log