Docker-harbor私有仓库

一、Harbor概述

Harbor是VMware公司开源的企业级Docker Registry项目

1、Harbor的优势

基于角色控制
基于镜像的复制策略
支持LDAP/AD
图像删除和垃圾收集
图形UI审计
RESTful API

2、Harbor组件

（1）Proxy
通过一个前置的反向代理统一接收浏览器、Docker客户端的请求，并将请求转发给后端不同的服务
（2）Registry
负责存储Docker镜像，并助理docker push/pull命令
（3）Core service
habor的核心功能，包括UI、wenhook、token服务
（4）Database
为core service提供数据库服务
（5）Log collector
负责䢳其他组件的log 供日后进行分析

二、部署

实验环境：
服务端：192.168.100.10 docker、docker-compse、harbor-offline
客户端：192.168.100.100 docker

#查看 Docker-Compose 版本判断安装是否成功

cp docker-compose /usr/local/bin/ 

docker-compose -v

#部署 Harbor 服务
Harbor 被部署为多个 Docker 容器，因此可以部署在任何支持 Docker 的 Linux 发行版 上。服务端主机需要安装 Python、Docker 和 Docker Compose。

1.下载 Harbor 安装程序

wget http:// harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz 

tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

2. 配置 Harbor 参数文件

vim /usr/local/harbor/harbor.cfg 

#第五行修改参数
 hostname = 192.168.100.10

3. 启动 Harbor

sh /usr/local/harbor/install.sh

4. 查看 Harbor 配置

docker images

docker ps -a

cd /usr/local/harbor
docker-compose ps

如果一切都正常，应该可以打开浏览器访问 http://192.168.100.10的管理页面，默认 的管理员用户名和密码是 admin/Harbor12345。

此时可使用 Docker 命令在本地通过 127.0.0.1 来登录和推送镜像。默认情况下， Register 服务器在端口 80 上侦听

#登录
docker login -u admin -p Harbor12345 http://127.0.0.1 

#下载镜像进行测试
docker pull cirros  

#镜像打标签
docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1 

#上传镜像到Harbor
docker push 127.0.0.1/myproject-kgc/cirros:v1

以上操作都是在 Harbor 服务器本地操作。如果其他客户端上传镜像到 Harbor，就会报 如下错误。出现这问题的原因 Docker Registry 交互默认使用的是 HTTPS，但是搭建私有镜 像默认使用的是 HTTP 服务，所以与私有镜像交互时出现以下错误。

[root@localhost opt]# docker login  -u admin -p Harbor12345 http://192.168.100.10
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.100.10/v2/: dial tcp 192.168.100.10:443: connect: connection refused

#解决：
 vim /usr/lib/systemd/system/docker.service
 
#修改这一行
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.100.10 --containerd=/run/containerd/containerd.sock

systemctl daemon-reload

systemctl restart docker

docker pull cirros

docker images

docker tag cirros 192.168.100.10/test/cirros:v2

docker push 192.168.100.10/test/cirros:v2

5、维护管理Harbor

（1）修改 Harbor.cfg 配置文件
要更改 Harbour 的配置文件时，请先停止现有的 Harbour 实例并更新 Harbor.cfg；然 后运行 prepare 脚本来填充配置；最后重新创建并启动 Harbour 的实例。

docker-compose 
down -vStopping nginx       ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor

vim harbor.cfg

./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/envClearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
/config/nginx/nginx.confloaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

#报错：docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name. 
(exit status 1))
#解决：关闭防火墙后，docker需要重启
systemctl restart docker
docker-compose up -d

6、创建 Harbor 用户

#创建项目开发人员

#在客户端上操作

docker rmi 192.168.100.10/test/cirros:v2

#注销登录
docker logout 192.168.100.10

docker login 192.168.100.10

docker pull 192.168.100.10/myproject-kgc/cirros:v1

docker images

移除 Harbor 服务容器同时保留镜像数据/数据库

#在Harbor服务器上操作
docker-compose down -v

Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping registry           ... done
Stopping harbor-db          ... done
Stopping harbor-adminserver ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing registry           ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing harbor-log         ... done
Removing network harbor_harbor
如需重新部署，需要移除 Harbor 服务容器全部数据
持久数据，如镜像，数据库等在宿主机的/data/目录下,日志在宿主机的 /var/log/Harbor/目录下。
 rm -rf /data/database/
 rm -rf /data/registry/