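I. Introduction to Harbor
1. About the Harbor registry
Harbor is an enterprise-grade Docker Registry project open-sourced by VMware.
Advantages of Harbor:
♤ Role-based access control
♤ Image-based replication policies
♤ LDAP/AD support
♤ Image deletion and log collection
♤ Graphical UI
♤ Auditing
♤ RESTful API: an API that follows REST conventions, so third-party software can call it easily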
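2. Harbor feature description
3. Harbor private registry architecture topology
The proxy is a reverse proxy that receives requests; a proxied request reaches one of two back-end service types:
♦ One fetches image resources from the Registry through the web pages
♦ The other fetches them from the Registry directly from the command line
Core services provides the web graphical service: UI provides the front-end pages, token provides identity-token authentication, and webhook provides web page services.
The Registry stores the image resources, which are pulled either through requests forwarded by the proxy or through requests from Core services.
Data produced by Core services (identity tokens and similar information) is stored in the back-end Database.
Logs produced by the whole Harbor service are collected and managed by the Log collector.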
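II. Building the Harbor registry
Project background: the company recently asked for all projects to be packaged as images and served from a private registry. After several rounds of discussion, Docker Harbor was chosen. Docker Harbor has a visual web management interface that makes Docker images easy to manage, and it provides image permission management and control across multiple projects.
Project requirement: create a private Docker registry with Harbor and manage its images through a graphical interface.
Required software
Harbor server: docker-ce, docker-compose, harbor-offline
Client: docker-ce
1. Check docker and docker-compose
[root@promote ~]# docker -v ## check the docker version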
Docker version 19.03.13, build 4484c46d9d
[root@promote ~]# docker-compose -v ## check the docker-compose version
docker-compose version 1.21.1, build 5a3f1a3
2. Unpack the Harbor package
[root@promote ~]# ls ## list the package
harbor-offline-installer-v1.2.2.tgz
[root@promote ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/ ## unpack
3. Edit the configuration file harbor.cfg
[root@promote ~]# vim /usr/local/harbor/harbor.cfg
hostname = 192.168.10.30 ## line 5: change to the local address
harbor_admin_password = Harbor12345 ## line 59: sets the Harbor login password; the default is Harbor12345
[root@promote ~]# cd /usr/local/harbor/
[root@promote harbor]# ls ## list the files
common docker-compose.notary.yml harbor_1_1_0_template harbor.v1.2.2.tar.gz LICENSE prepare
docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh NOTICE upgrade
1 The /usr/local/harbor directory contains Harbor's installation script, install.sh
2 install.sh specifies the docker-compose.yml orchestration file
3 docker-compose.yml is in the same directory; viewing it shows that it orchestrates 7 containers
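An added example (not part of the original post or of Harbor itself): a check of harbor.cfg, run before install.sh, for the settings this walkthrough leaves at their shipped values. ui_url_protocol and db_password are keys in the Harbor 1.x harbor.cfg template; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Harbor 1.x harbor.cfg before running install.sh.

# Print the value of "KEY = value" from FILE (last occurrence wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one line per finding; return 1 if anything was flagged.
audit_harbor_cfg() {
    cfg=$1
    rc=0
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password: still the shipped default"; rc=1
    fi
    if [ "$(cfg_get "$cfg" db_password)" = "root123" ]; then
        echo "db_password: still the shipped default"; rc=1
    fi
    if [ "$(cfg_get "$cfg" ui_url_protocol)" != "https" ]; then
        echo "ui_url_protocol: not https, credentials and layers cross the network in cleartext"; rc=1
    fi
    # harbor.cfg holds passwords in cleartext, so it should not be world-readable.
    if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then
        echo "permissions: file is world-readable"; rc=1
    fi
    return "$rc"
}

# Constructed sample mirroring the values used on this page.
write_sample_cfg() {
    cat > "$1" <<'EOF'
hostname = 192.168.10.30
ui_url_protocol = http
db_password = root123
harbor_admin_password = Harbor12345
EOF
    chmod 644 "$1"
}

sample=$(mktemp)
write_sample_cfg "$sample"
audit_harbor_cfg "$sample" || echo "=> fix the findings above before running install.sh"
rm -f "$sample"
```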
4. Run the install script and check the containers
[root@promote harbor]# sh /usr/local/harbor/install.sh ## run the installation
[root@promote harbor]# docker ps -a ## list the containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f238393a9460 vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" 3 minutes ago Up 3 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
dce7070b896b vmware/harbor-jobservice:v1.2.2 "/harbor/harbor_jobs…" 3 minutes ago Up 3 minutes harbor-jobservice
1c7d3a91eed7 vmware/harbor-ui:v1.2.2 "/harbor/harbor_ui" 3 minutes ago Up 3 minutes harbor-ui
2ed04682f845 vmware/harbor-adminserver:v1.2.2 "/harbor/harbor_admi…" 3 minutes ago Up 3 minutes harbor-adminserver
a1f09c86820b vmware/harbor-db:v1.2.2 "docker-entrypoint.s…" 3 minutes ago Up 3 minutes 3306/tcp harbor-db
28bc92da77d8 vmware/registry:2.6.2-photon "/entrypoint.sh serv…" 3 minutes ago Up 3 minutes 5000/tcp registry
602b5bf23725 vmware/harbor-log:v1.2.2 "/bin/sh -c 'crond &…" 3 minutes ago Up 3 minutes 127.0.0.1:1514->514/tcp harbor-log
[root@promote harbor]# expr `docker ps -a |wc -l` - 1 ## count the created containers: exactly 7
7
5. Access the web site to test
6. Image upload test
[root@promote ~]# docker pull nginx ## first pull the nginx image from the public registry for testing
[root@promote ~]# docker images ## list the pulled image
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest c39a868aad02 9 days ago 133MB
[root@promote ~]# docker login -u admin -p 'Harbor12345' http://192.168.10.30 ## login by IP address is refused
Password:
Error response from daemon: Get https://192.168.10.30/v2/: dial tcp 192.168.10.30:443: connect: connection refused
[root@promote ~]# docker login -u admin -p 'Harbor12345' http://127.0.0.1 ## log in to the Harbor registry locally
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@promote ~]# docker tag nginx:latest 192.168.10.30/project-ltp/nginx ## tag the image with 192.168.10.30 as the registry
[root@promote ~]# docker push 192.168.10.30/project-ltp/nginx ## push fails
The push refers to repository [192.168.10.30/project-ltp/nginx]
Get https://192.168.10.30/v2/: dial tcp 192.168.10.30:443: connect: connection refused
[root@promote ~]# docker tag nginx:latest 127.0.0.1/project-ltp/nginx01 ## tag with 127.0.0.1 as the registry
[root@promote ~]# docker push 127.0.0.1/project-ltp/nginx01 ## push again: succeeds
The push refers to repository [127.0.0.1/project-ltp/nginx01]
7b5417cae114: Pushed
aee208b6ccfb: Pushed
2f57e21e4365: Pushed
2baf69a23d7a: Pushed
d0fe97fa8b8c: Pushed
latest: digest: sha256:34f3f875e745861ff8a37552ed7eb4b673544d2c56c7cc58f9a9bec5b4b3530e size: 1362
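7. Client upload and download test
To log in to Harbor from a client, the docker.service unit file has to be modified: login to Harbor goes over HTTPS by default and a plain-HTTP login fails, so the service configuration must be changed.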
[root@promote ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.10.30 --containerd=/run/containerd/containerd.sock ## add --insecure-registry 192.168.10.30, pointing at the Harbor registry address
[root@promote ~]# systemctl daemon-reload
[root@promote ~]# systemctl restart docker
[root@client ~]# docker login -u admin http://192.168.10.30 -p 'Harbor12345'
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@client ~]# docker pull 192.168.10.30/project-ltp/nginx01 ## pull the image
Using default tag: latest
latest: Pulling from project-ltp/nginx01
bb79b6b2107f: Pull complete
5a9f1c0027a7: Pull complete
b5c20b2b484f: Pull complete
166a2418f7e8: Pull complete
1966ea362d23: Pull complete
Digest: sha256:34f3f875e745861ff8a37552ed7eb4b673544d2c56c7cc58f9a9bec5b4b3530e
Status: Downloaded newer image for 192.168.10.30/project-ltp/nginx01:latest
192.168.10.30/project-ltp/nginx01:latest
[root@client ~]# docker images ## pull succeeded
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.10.30/project-ltp/nginx01 latest c39a868aad02 9 days ago 133MB
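An added example (not from the original post): a client-side audit of the weak spots visible in the session above, namely the --insecure-registry flag, the password given on the command line, and the unencrypted login in config.json. The function names, the password-file argument and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: client-side audit for the weak spots visible in the session above.

# Registries the daemon trusts without TLS verification (unit-file ExecStart).
insecure_registries() {
    grep -E '^ExecStart=' "$1" | tr ' ' '\n' | awk '
        prev == "--insecure-registry" { print; prev = ""; next }
        /^--insecure-registry=/ { sub(/^--insecure-registry=/, ""); print; next }
        { prev = $0 }'
}

# Registries whose login sits inline in config.json (base64, not encrypted).
# Assumes Docker's pretty-printed layout (one key per line); a configured
# credsStore means logins are delegated to a helper, so nothing is reported.
plaintext_logins() {
    grep -q '"credsStore"' "$1" && return 0
    awk -F'"' '/"auth":/ && $4 != "" { print reg } /": *[{]/ { reg = $2 }' "$1"
}

# Login that keeps the password out of argv and shell history, as Docker's
# warning asks. $3 is a hypothetical root-only file holding the password.
harbor_login() {
    docker login -u "$2" --password-stdin "$1" < "$3"
}

# Constructed samples mirroring the unit file and config.json from this page.
write_client_samples() {
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.10.30 --containerd=/run/containerd/containerd.sock' \
        > "$1/docker.service"
    printf '{\n\t"auths": {\n\t\t"192.168.10.30": {\n\t\t\t"auth": "%s"\n\t\t}\n\t}\n}\n' \
        'PLACEHOLDER_BASE64_OF_USER_COLON_PASSWORD' > "$1/config.json"
}

demo=$(mktemp -d)
write_client_samples "$demo"
echo "insecure registries: $(insecure_registries "$demo/docker.service")"
echo "plaintext logins:    $(plaintext_logins "$demo/config.json")"
rm -rf "$demo"
```

On a real client the inputs would be /usr/lib/systemd/system/docker.service and /root/.docker/config.json, the two paths shown in the session above.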
8. Create management users
Add an administrator
Add a project management user (the user must be created first)