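1. Setting up the full-featured Harbor registry
The local registry set up earlier was a private, non-public registry: to pull an image from it, you had to log in with a valid account.
Forcing users to log in like this does not fit the original purpose of a registry.
This is why the Harbor registry is introduced.
The registry acts as a proxy:
the client sends a request and the registry serves it. If the registry does not have the image, it pulls it from the Internet on the client's behalf.
Step 1: Deploy the Harbor registry
① Download the docker-compose binary, move it to /usr/local/bin/docker-compose, and make it executable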
[root@server61 ~]# ls
docker docker-compose-Linux-x86_64-1.27.0 harbor-offline-installer-v1.10.1.tgz
[root@server61 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server61 ~]# chmod +x /usr/local/bin/docker-compose
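② After unpacking the Harbor offline installer, edit the Harbor configuration file harbor.yml
Set the hostname, and the paths of the certificate and the private key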
[root@server61 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server61 ~]# cd harbor/
[root@server61 harbor]# ls
common.sh harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
[root@server61 harbor]# vim harbor.yml
hostname: reg.westos.org
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/certs/westos.org.crt
  private_key: /data/certs/westos.org.key
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: westos
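③ Before the offline install, remember to delete the local registry container named registry left over from the earlier experiment. The registry name must be unique
(/data/auth is the directory that held the earlier user passwords; this experiment does not use it, so move it to /mnt first)
[root@server61 harbor]# mv /data/auth /mnt
④ Offline install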
[root@server61 harbor]# docker rm -f registry
registry
[root@server61 harbor]# pwd
/root/harbor
[root@server61 harbor]# ./install.sh
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating registryctl ... done
Creating redis ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
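⑤ After Harbor is installed, use the docker-compose command in the /root/harbor directory to check the state of the Harbor processes; every one of them must be Up
If some of them are not Up, start them with the docker-compose start command
Verify the result: check in the Web UI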
[root@server61 harbor]# pwd
/root/harbor
[root@server61 harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice Up (healthy)
...
harbor-log /bin/sh -c /usr/local/bin/ Up (healthy) 127.0.0.1:1514->10514/tcp
...
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,
0.0.0.0:443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
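Step 2: The server, server61, pushes an image to the Harbor registry reg.westos.org
(The server needs the Harbor user password; it is in the harbor.yml file in the Harbor configuration directory unpacked earlier)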
[root@server61 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server61 harbor]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server61 harbor]# docker push reg.westos.org/library/rhel7:latest
The push refers to repository [reg.westos.org/library/rhel7]
18af9eb19b5f: Pushed
latest: digest: sha256:58cd9120a4194edb0de4377b71bd564953255a1422baa1bbd9cb23d521c6873b size: 528
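The docker login warning above means the admin credential is now kept in /root/.docker/config.json as base64 text. The following added example (not part of the original post) audits such a file and reports which registries have a credential stored inline and which delegate to a credential helper; the sample file, the placeholder password, the second registry and the function name are all constructed for illustration.

```python
import base64
import json

# Constructed sample of ~/.docker/config.json after `docker login`
# (placeholder password and a hypothetical second registry).
SAMPLE = json.dumps({
    "auths": {
        "reg.westos.org": {
            "auth": base64.b64encode(b"admin:example-password").decode()},
        "registry.example.internal": {},
    },
    "credHelpers": {"registry.example.internal": "pass"},
})


def audit_docker_config(text):
    """Report, per registry, whether its credential sits in the file itself."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    default_helper = cfg.get("credsStore")
    findings = []
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        blob = entry.get("auth")
        if blob:
            # base64("user:password") is an encoding, not encryption:
            # anyone who can read the file recovers the password.
            user = base64.b64decode(blob).decode().partition(":")[0]
            findings.append((registry, "inline", user))
        else:
            helper = helpers.get(registry, default_helper)
            storage = f"helper:{helper}" if helper else "none"
            findings.append((registry, storage, None))
    return findings


if __name__ == "__main__":
    for registry, storage, user in audit_docker_config(SAMPLE):
        print(f"{registry:30} {storage:12} user={user}")
```

On a real host, pass in the contents of /root/.docker/config.json; every entry reported as inline is a credential that a credential helper would keep out of the file.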
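Step 3: The client, server62, deletes the earlier image
Make sure the client has logged out of the authenticated account and is acting as an anonymous user
Now, when the client pulls an image, it gets no error about missing authentication (not a valid user); the pull simply succeeds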
[root@server62 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
reg.westos.org/nginx latest f0b8a9a54136 10 days ago 133MB
game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@server62 ~]# docker rmi reg.westos.org/nginx:latest
Untagged: reg.westos.org/nginx:latest
Untagged: reg.westos.org/nginx@sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c
Deleted: sha256:f0b8a9a541369db503ff3b9d4fa6de561b300f7363920c2bff4577c6c24c5cf6
Deleted: sha256:60f61ee7da08c2a5c5f6a76c1f2926f50ba1d01d8ec4af9afb8fdcd3d97ef6f9
Deleted: sha256:affa58c5a9d1d907c11d8589d4e08d2dc8e4e6b71b141269405a2e67d0a8b011
Deleted: sha256:6b1533d42f38a9c55cad97d4e01c03756ab82b61798b6c4f4bc9122093bb6ebd
Deleted: sha256:5c3e94c8305f2a4158258725fe33d2451842c13a97c76f02042a7a7e0aa3799a
Deleted: sha256:adda6567aeaa86913f56f0e4647032e1d9347bd63ed98a320f904c71df2637c1
Deleted: sha256:02c055ef67f5904019f43a41ea5f099996d8e7633749b6e606c400526b2c4b33
[root@server62 ~]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server62 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@server62 ~]# docker pull rhel7:latest
latest: Pulling from library/rhel7
48f5bbc9baf5: Pull complete
Digest: sha256:58cd9120a4194edb0de4377b71bd564953255a1422baa1bbd9cb23d521c6873b
Status: Downloaded newer image for rhel7:latest
docker.io/library/rhel7:latest
[root@server62 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
game2048 latest 19299002fdbe 4 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
Step 4: The server pushes another image to the registry
Check in the Web UI
[root@server61 harbor]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server61 harbor]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
f0f30197ccf9: Pushed
eeb14ff930d4: Pushed
c9732df61184: Pushed
4b8db2d7f35a: Pushed
431f409d4c5a: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
[root@server61 harbor]# docker rmi reg.westos.org/nginx:latest
Untagged: reg.westos.org/nginx:latest
Untagged: reg.westos.org/nginx@sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c
Step 5: The client pulls
The log in the Web UI shows the user as Anonymous
The anonymous pull succeeded
[root@server62 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
69692152171a: Pull complete
49f7d34d62c1: Pull complete
5f97dc5d71ab: Pull complete
cfcd0711b93a: Pull complete
be6172d7651b: Pull complete
de9813870342: Pull complete
Digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
2. Using the Harbor registry (some basic commands)
[root@server61 harbor]# pwd
/root/harbor
[root@server61 harbor]# docker-compose logs
Attaching to harbor-jobservice, nginx, harbor-core, harbor-db, harbor-portal, registryctl, redis, registry, harbor-log
harbor-core | WARNING: no logs are available with the 'syslog' log driver
harbor-db | WARNING: no logs are available with the 'syslog' log driver
harbor-jobservice | WARNING: no logs are available with the 'syslog' log driver
harbor-portal | WARNING: no logs are available with the 'syslog' log driver
nginx | WARNING: no logs are available with the 'syslog' log driver
redis | WARNING: no logs are available with the 'syslog' log driver
registry | WARNING: no logs are available with the 'syslog' log driver
registryctl | WARNING: no logs are available with the 'syslog' log driver
3. Maintaining the registry (adding registry modules: automatic image scanning and signing)
Step 1: Stop the registry first
[root@server61 harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping harbor-db ... done
Stopping harbor-portal ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-log ... done
[root@server61 harbor]# docker-compose rm
Going to remove harbor-jobservice, nginx, harbor-core, harbor-db, harbor-portal, registryctl, redis, registry, harbor-log
Are you sure? [yN] y
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing harbor-db ... done
Removing harbor-portal ... done
Removing registryctl ... done
Removing redis ... done
Removing registry ... done
Removing harbor-log ... done
[root@server61 harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
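Step 2: Add Harbor features
The install script's help shows 3 modules: image vulnerability scanning, content trust, and remote login
Append the module names to the install script; after reinstalling, these modules are enabled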
[root@server61 harbor]# pwd
/root/harbor
[root@server61 harbor]# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@server61 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[Step 5]: starting Harbor ...
Creating network "harbor_harbor-clair" with the default driver
Creating network "harbor_harbor-notary" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating network "harbor_notary-sig" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-db ... done
Creating chartmuseum ... done
Creating registryctl ... done
Creating redis ... done
Creating notary-signer ... done
Creating clair ... done
Creating harbor-core ... done
Creating clair-adapter ... done
Creating notary-server ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
[root@server61 harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------
chartmuseum ./docker-entrypoint.sh Up (healthy) 9999/tcp
clair ./docker-entrypoint.sh Up (healthy) 6060/tcp, 6061/tcp
clair-adapter /clair-adapter/clair-adapter Up (healthy) 8080/tcp
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice Up (healthy)
...
harbor-log /bin/sh -c /usr/local/bin/ Up (healthy) 127.0.0.1:1514->10514/tcp
...
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:4443->4443/tcp,
0.0.0.0:80->8080/tcp,
0.0.0.0:443->8443/tcp
notary-server /bin/sh -c migrate-patch - Up
...
notary-signer /bin/sh -c migrate-patch - Up
...
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
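Step 3: View the image information in the Web UI
Each image is now followed by scan and signature information
Because image scanning and signing were not enabled when this directory was configured, the images are currently shown as not scanned and not signed
3.1 Automatic image scanning
Step 4: Maintaining image security: automatic image scanning
To keep images secure, enable the automatic scanning feature in the configuration
After saving the configuration in the Web UI, the server, server61, pushes an image to the registry
(The rename with docker tag here is what specifies where the image is uploaded)
After the push succeeds, the Web UI shows that the image has been scanned successfully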
[root@server61 harbor]# docker tag gcr.io/distroless/base-debian10:latest reg.westos.org/library/debian:latest
[root@server61 harbor]# docker push reg.westos.org/library/debian:latest
The push refers to repository [reg.westos.org/library/debian]
1d3b68b6972f: Pushed
de1602ca36c9: Pushed
latest: digest: sha256:732acc54362badaa64d9c01619020cf96ce240b97e2f1390d2a44cc22b9ba6a3 size: 737
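3.2 Image signing
Step 5: Maintaining image security: signing
In the repository configuration in the Web UI, enable the content trust feature
Once this feature is enabled, clients can only pull signed images
Does the application image used for deployment come from a trusted source? If someone quietly replaced the image, how would you find out?
In container image management, the content trust mechanism ensures that an image comes from a trusted source.
The creator of an image can digitally sign it; the result of signing, called the digest, is stored in a service called Notary.
When a user downloads the image, the image's digest is obtained from Notary by image name, and a Registry V2 API call that pulls by content (digest) then fetches the image from the trusted publisher.
If the image has never been signed, obtaining the digest fails, so the image cannot be downloaded.
The image content trust mechanism
Since v1.1, the open-source enterprise-grade Harbor registry has supported image content trust, which helps users establish content trust for container images.
When installing Harbor, add the --with-notary option and configure HTTPS to start the Notary service.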
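The lookup described above, as an added example that is not part of the original post: the tag is resolved to a digest from Notary targets metadata, and the manifest served by the registry is then checked against that digest. The metadata and manifest are constructed samples, the function names are hypothetical, and verification of the signatures on the metadata itself is assumed to have been done already.

```python
import base64
import hashlib
import json
import re
from datetime import datetime, timezone


class TrustError(Exception):
    """The tag cannot be resolved to a trusted digest."""


def resolve_tag(targets_json, tag, now):
    """Map a tag to (digest, size) from Notary 'targets' metadata.

    Assumption: the signatures on this metadata were already verified
    against the repository key; that step is not reproduced here.
    """
    signed = json.loads(targets_json)["signed"]
    # Drop fractional seconds so older Python versions can parse the stamp.
    stamp = re.sub(r"\.\d+", "", signed["expires"]).replace("Z", "+00:00")
    if now >= datetime.fromisoformat(stamp):
        raise TrustError("trust metadata expired")
    entry = signed["targets"].get(tag)
    if entry is None:
        # What a client runs into for an image pushed without signing.
        raise TrustError(f"no trust data for tag {tag!r}")
    # Hashes are stored base64-encoded; registries address content by hex.
    raw = base64.b64decode(entry["hashes"]["sha256"])
    return "sha256:" + raw.hex(), entry["length"]


def check_manifest(manifest, digest, size):
    """True only if the bytes the registry served match the signed digest."""
    actual = "sha256:" + hashlib.sha256(manifest).hexdigest()
    return len(manifest) == size and actual == digest


# Constructed sample data (not taken from the page).
MANIFEST = b'{"schemaVersion": 2, "layers": ["constructed-example"]}'
_HASH = base64.b64encode(hashlib.sha256(MANIFEST).digest()).decode()
TARGETS = json.dumps({
    "signed": {"_type": "Targets", "expires": "2031-01-01T00:00:00Z",
               "targets": {"latest": {"hashes": {"sha256": _HASH},
                                      "length": len(MANIFEST)}}},
    "signatures": [],  # omitted in this sample, see the assumption above
})


def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    digest, size = resolve_tag(TARGETS, "latest", now)
    # Same length, different content: only the digest check catches it.
    swapped = MANIFEST.replace(b"constructed", b"tampered---")
    return (check_manifest(MANIFEST, digest, size),
            check_manifest(swapped, digest, size))


if __name__ == "__main__":
    print(demo())
```

Calling resolve_tag with a tag that has no entry in the metadata raises TrustError, which is the unsigned-image case the steps below run into.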
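① Because content trust is enabled on the registry, the client can only download signed images; the debian image currently in the registry is not signed, so the client's pull fails.
Although the pull from the Harbor registry fails, the system automatically goes to the Internet to pull the image (this environment has no Internet connection, hence the error below)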
[root@server62 ~]# docker pull debian
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 114.114.114.114:53: read udp 172.25.21.62:45937->114.114.114.114:53: i/o timeout
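② To solve this problem:
First, in the Web UI, delete the previously uploaded unsigned image
On the Docker server, set 2 environment variables; content trust can then be used to sign the images being pushed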
[root@server61 harbor]# pwd
/root/harbor
[root@server61 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server61 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server61 harbor]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
f0f30197ccf9: Pushed
eeb14ff930d4: Pushed
c9732df61184: Pushed
4b8db2d7f35a: Pushed
431f409d4c5a: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority
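③ The server's push fails with an error: no certificate
In the hidden directory .docker, create a certificate directory tls; inside it, create a directory with the same name as the container, reg.westos.org:4443.
Copy the certificate generated earlier into that directory
(The registry now has the certificate, and the key is on server61)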
[root@server61 ~]# cd .docker/
[root@server61 .docker]# mkdir tls
[root@server61 .docker]# cd tls
[root@server61 tls]# mkdir reg.westos.org:4443
[root@server61 tls]# cd reg.westos.org\:4443/
[root@server61 reg.westos.org:4443]# cp /data/certs/westos.org.crt ca.crt
[root@server61 reg.westos.org:4443]# ls
ca.crt
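④ With the problem fixed, the server pushes the image again, and it succeeds
Pushing a new image requires the administrator to set a root key and a repository key
(Note: each time a different version of the image is pushed, only the corresponding repository key has to be entered, not the root key)
Once these are set, check the Web UI: the signature field of the uploaded image shows success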
[root@server61 reg.westos.org:4443]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
f0f30197ccf9: Layer already exists
eeb14ff930d4: Layer already exists
c9732df61184: Layer already exists
4b8db2d7f35a: Layer already exists
431f409d4c5a: Layer already exists
02c055ef67f5: Layer already exists
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID afa20ac:
Repeat passphrase for new root key with ID afa20ac:
Enter passphrase for new repository key with ID 15f6241:
Repeat passphrase for new repository key with ID 15f6241:
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest
【westosyqq】
⑤ The client pulls the signed image successfully
[root@server62 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
Digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c
Status: Image is up to date for nginx:latest
docker.io/library/nginx:latest
[root@server62 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest f0b8a9a54136 10 days ago 133MB
game2048 latest 19299002fdbe 4 years ago 55.5MB
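⑥ Verify: pushing a different version of the image only requires the repository key
First, create a test directory test and write in it the Dockerfile used to build the image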
[root@server61 reg.westos.org:4443]# docker images nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest f0b8a9a54136 10 days ago 133MB
[root@server61 reg.westos.org:4443]# cd
[root@server61 ~]# cd docker/
[root@server61 docker]# mkdir test
[root@server61 docker]# cd test/
[root@server61 test]# vim Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html
[root@server61 test]# echo server61.test > index.html
[root@server61 test]# ls
Dockerfile index.html
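Once it is written, do not build right away: first turn off content trust on the server, then build.
After the build completes, turn content trust back on
(Note: the nginx:v1 image built here is based on the nginx image that was pushed and signed earlier; v1 is just another version)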
[root@server61 test]# export DOCKER_CONTENT_TRUST=0
[root@server61 test]# docker build -t nginx:v1 .
Sending build context to Docker daemon 3.072kB
Step 1/2 : FROM nginx
---> f0b8a9a54136
Step 2/2 : COPY index.html /usr/share/nginx/html
---> dd89e6143899
Successfully built dd89e6143899
Successfully tagged nginx:v1
[root@server61 test]# export DOCKER_CONTENT_TRUST=1
Retag the image to set where the v1 image will be uploaded
When pushing, only the repository key has to be entered
[root@server61 test]# docker tag nginx:v1 reg.westos.org/library/nginx:v1
[root@server61 test]# docker push reg.westos.org/library/nginx:v1
The push refers to repository [reg.westos.org/library/nginx]
37115bfe2aae: Pushed
f0f30197ccf9: Layer already exists
eeb14ff930d4: Layer already exists
c9732df61184: Layer already exists
4b8db2d7f35a: Layer already exists
431f409d4c5a: Layer already exists
02c055ef67f5: Layer already exists
v1: digest: sha256:8733811000eb1854a13e3ce77f51faee67414f48bc350bfcc8aeae429cd21ebb size: 1777
Signing and pushing trust metadata
Enter passphrase for repository key with ID 15f6241:
Successfully signed reg.westos.org/library/nginx:v1
The client can also pull it normally
Verification succeeded
[root@server62 ~]# docker pull nginx:v1
v1: Pulling from library/nginx
69692152171a: Already exists
49f7d34d62c1: Already exists
5f97dc5d71ab: Already exists
cfcd0711b93a: Already exists
be6172d7651b: Already exists
de9813870342: Already exists
3b60dc649519: Pull complete
Digest: sha256:8733811000eb1854a13e3ce77f51faee67414f48bc350bfcc8aeae429cd21ebb
Status: Downloaded newer image for nginx:v1
docker.io/library/nginx:v1
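3.3 Guest user access to a non-public repository
Step 6: Maintaining image security: guest access to a non-public repository
① In the Web UI, create a new repository westos (it is a non-public repository)
Content trust is not enabled for westos
② Turn off content trust on the server, and push an image to the new non-public repository westos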
[root@server61 test]# export DOCKER_CONTENT_TRUST=0
[root@server61 test]# docker tag reg.westos.org/library/rhel7:latest reg.westos.org/westos/rhel7-westos
[root@server61 test]# docker push reg.westos.org/westos/rhel7-westos:latest
The push refers to repository [reg.westos.org/westos/rhel7-westos]
18af9eb19b5f: Mounted from library/rhel7
latest: digest: sha256:58cd9120a4194edb0de4377b71bd564953255a1422baa1bbd9cb23d521c6873b size: 528
③ The client tries to pull and fails.
This is a non-public repository
[root@server62 ~]# docker pull reg.westos.org/westos/rhel7-westos:latest
Error response from daemon: pull access denied for reg.westos.org/westos/rhel7-westos, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
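④ Solution: create an authorized user for the non-public repository
In the Web UI, first create a user. Then add that user to the westos repository's list of authorized members with the guest role
【yqq westosYQQ123】
⑤ Verify the result: the client logs in to the registry as the newly created user
After logging in successfully, pull the image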
[root@server62 ~]# docker login reg.westos.org
Username: yqq
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server62 ~]# docker pull reg.westos.org/westos/rhel7-westos:latest
latest: Pulling from westos/rhel7-westos
48f5bbc9baf5: Pull complete
Digest: sha256:58cd9120a4194edb0de4377b71bd564953255a1422baa1bbd9cb23d521c6873b
Status: Downloaded newer image for reg.westos.org/westos/rhel7-westos:latest
reg.westos.org/westos/rhel7-westos:latest
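Step 7: Remove the image scanning and signing features, which use up disk space faster
(Scanning uses up disk space faster)
(The later experiments do not need image scanning or signing)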
[root@server61 harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping notary-server ... done
Stopping clair-adapter ... done
Stopping harbor-core ... done
Stopping clair ... done
Stopping notary-signer ... done
Stopping chartmuseum ... done
Stopping redis ... done
Stopping registryctl ... done
Stopping harbor-db ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping harbor-log ... done
[root@server61 harbor]# docker-compose rm
Going to remove harbor-jobservice, nginx, notary-server, clair-adapter, harbor-core, clair, notary-signer, chartmuseum, redis, registryctl, harbor-db, harbor-portal, registry, harbor-log
Are you sure? [yN] y
Removing harbor-jobservice ... done
Removing nginx ... done
Removing notary-server ... done
Removing clair-adapter ... done
Removing harbor-core ... done
Removing clair ... done
Removing notary-signer ... done
Removing chartmuseum ... done
Removing redis ... done
Removing registryctl ... done
Removing harbor-db ... done
Removing harbor-portal ... done
Removing registry ... done
Removing harbor-log ... done
[root@server61 harbor]# ./install.sh --with-chartmuseum
[Step 5]: starting Harbor ...
Creating harbor-log ... done
Creating harbor-db ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating registry ... done
Creating chartmuseum ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
[root@server61 harbor]# docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------
chartmuseum ./docker-entrypoint.sh Up (healthy) 9999/tcp
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,
0.0.0.0:443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)