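I. Harbor overview
Harbor is an open-source, enterprise-grade Docker Registry project from VMware.
1. Advantages of Harbor
Role-based access control
Image-based replication policies
LDAP/AD support
Image deletion and garbage collection
Graphical UI and auditing
RESTful API
2. Harbor components
(1) Proxy
A front-end reverse proxy receives all requests from browsers and Docker clients and forwards them to the appropriate back-end services.
(2) Registry
Stores Docker images and handles docker push/pull commands.
(3) Core service
Harbor's core functionality, including the UI, webhook and token services.
(4) Database
Provides database services for the core service.
(5) Log collector
Collects the logs of the other components for later analysis.
II. Deployment
Lab environment:
Server: 192.168.100.10 docker, docker-compose, harbor-offline
Client: 192.168.100.100 docker
#Check the Docker-Compose version to confirm that the installation succeeded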
cp docker-compose /usr/local/bin/
docker-compose -v
#Deploy the Harbor service
Harbor is deployed as multiple Docker containers, so it can run on any Linux distribution that supports Docker. The server host needs Python, Docker and Docker Compose installed.
1. Download the Harbor installer
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
2. Configure the Harbor parameter file
vim /usr/local/harbor/harbor.cfg
#Change the parameter on line 5
hostname = 192.168.100.10
3. Start Harbor
sh /usr/local/harbor/install.sh
4. Check the Harbor deployment
docker images
docker ps -a
cd /usr/local/harbor
docker-compose ps
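If everything is working, you should be able to open the management page at http://192.168.100.10 in a browser. The default administrator username and password are admin/Harbor12345.
Docker commands can now be used locally, via 127.0.0.1, to log in and push images. By default, the Registry server listens on port 80.
#Log in
docker login -u admin -p Harbor12345 http://127.0.0.1
#Pull an image for testing
docker pull cirros
#Tag the image
docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1
#Push the image to Harbor
docker push 127.0.0.1/myproject-kgc/cirros:v1
All of the operations above were performed locally on the Harbor server. If another client pushes an image to Harbor, the following error is reported. The cause is that Docker uses HTTPS by default when talking to a registry, whereas the private registry set up here serves HTTP by default, so the error below appears when interacting with it.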
[root@localhost opt]# docker login -u admin -p Harbor12345 http://192.168.100.10
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.100.10/v2/: dial tcp 192.168.100.10:443: connect: connection refused
#Fix:
vim /usr/lib/systemd/system/docker.service
#Modify this line
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.100.10 --containerd=/run/containerd/containerd.sock
systemctl daemon-reload
systemctl restart docker
docker pull cirros
docker images
docker tag cirros 192.168.100.10/test/cirros:v2
docker push 192.168.100.10/test/cirros:v2
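The audit script below is an added example, not part of the original post or of Harbor itself: it flags the settings this walkthrough leaves in place (the default admin password, plain HTTP, and the dockerd --insecure-registry flag). The key names ui_url_protocol and harbor_admin_password are those of the stock Harbor 1.x harbor.cfg rather than of this page, the function names are hypothetical, the sample files are constructed, and ExecStart is assumed to sit on a single line as shown above.

```shell
#!/bin/sh
# Added example: flag the weak settings this walkthrough leaves in place.

# Print the value of "KEY = value" from a harbor.cfg-style file (last match wins).
cfg_get() {  # usage: cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Print one finding per line; exit status 0 if clean, 1 otherwise.
audit_harbor_cfg() {  # usage: audit_harbor_cfg FILE
    findings=""
    [ "$(cfg_get "$1" harbor_admin_password)" = "Harbor12345" ] &&
        findings="${findings}default-admin-password "
    [ "$(cfg_get "$1" ui_url_protocol)" != "https" ] &&
        findings="${findings}no-https "
    [ -z "$findings" ] && return 0
    printf '%s\n' $findings   # unquoted on purpose: one finding per line
    return 1
}

# List every registry the unit file tells dockerd to reach without TLS.
# Handles both "--insecure-registry HOST" and "--insecure-registry=HOST".
insecure_registries() {  # usage: insecure_registries UNIT_FILE
    grep '^ExecStart=' "$1" | tr ' ' '\n' |
        awk 'prev == "--insecure-registry" { print }
             /^--insecure-registry=/ { sub(/^--insecure-registry=/, ""); print }
             { prev = $0 }'
}

# Constructed sample inputs mirroring the settings used in this walkthrough.
demo_dir=$(mktemp -d)
cat > "$demo_dir/harbor.cfg" <<'EOF'
hostname = 192.168.100.10
ui_url_protocol = http
harbor_admin_password = Harbor12345
EOF
cat > "$demo_dir/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.100.10 --containerd=/run/containerd/containerd.sock
EOF

audit_harbor_cfg "$demo_dir/harbor.cfg" || echo "harbor.cfg needs hardening"
echo "registries reached without TLS: $(insecure_registries "$demo_dir/docker.service")"
```

To check a real host, point the functions at /usr/local/harbor/harbor.cfg and /usr/lib/systemd/system/docker.service.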
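5. Maintaining and managing Harbor
(1) Modify the harbor.cfg configuration file
To change Harbor's configuration, first stop the existing Harbor instance and update harbor.cfg; then run the prepare script to populate the configuration; finally re-create and start the Harbor instance.
docker-compose down -v
Stopping nginx ... done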
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
vim harbor.cfg
./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
#Error:
docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
#Fix: after the firewall has been turned off, docker needs to be restarted
systemctl restart docker
docker-compose up -d
6. Create Harbor users
#Create a project developer
#Run on the client
docker rmi 192.168.100.10/test/cirros:v2
#Log out
docker logout 192.168.100.10
docker login 192.168.100.10
docker pull 192.168.100.10/myproject-kgc/cirros:v1
docker images
Remove the Harbor service containers while keeping the image data/database
#Run on the Harbor server
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-adminserver ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing registry ... done
Removing harbor-db ... done
Removing harbor-adminserver ... done
Removing harbor-log ... done
Removing network harbor_harbor
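To redeploy, all data of the Harbor service containers must be removed.
Persistent data such as images and the database is under /data/ on the host; logs are under /var/log/Harbor/ on the host.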
rm -rf /data/database/
rm -rf /data/registry/