Harbor共享存储高可用安装文档
VIP 192.168.1.11
Haproxy+Keepalived 192.168.1.17/18
PG+Redis+NFS 192.168.1.12
Harbor1 192.168.1.14
Harbor2 192.168.1.15
2.4 Haproxy+Keepalived节点安装配置
Haproxy+Keepalived 192.168.1.17/18
[root@haproxy1 ~]# yum -y install wget
[root@haproxy1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@haproxy1 ~]# yum install -y keepalived
[root@haproxy1 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
! haproxy1 (192.168.1.17): the preferred holder of VIP 192.168.1.11.
global_defs {
  notification_email {
    acassen@firewall.loc
    failover@firewall.loc
    sysadmin@firewall.loc
  }
  notification_email_from Alexandre.Cassen@firewall.loc
  smtp_server 192.168.200.1
  smtp_connect_timeout 30
  router_id LVS_master            # router ID; unique per node
  vrrp_iptables                   # per the original note: no chain names given, so keepalived does not
                                  # add its own iptables entries for the VIP (presumably; version-dependent)
  vrrp_skip_check_adv_addr
  vrrp_strict                     # NOTE(review): strict mode ignores the 'authentication' block below in
                                  # the keepalived versions I know, and is a frequent cause of an unreachable
                                  # VIP — confirm against the installed version
  vrrp_garp_interval 0
  vrrp_gna_interval 0
}
vrrp_script chk_haproxy {
  script "/etc/keepalived/check_haproxy.sh"   # haproxy health-check script; runs as root, so keep it
                                              # root-owned and not writable by others
  interval 1                                  # run every 1s
  weight 20                                   # positive weight: exit status 0 adds 20 to this node's priority
                                              # (the original note said "-2", which does not match the value)
}
vrrp_instance VI_1 {
  state MASTER                    # initial state on this node
  interface ens33                 # NIC that carries the VIP
  virtual_router_id 51            # must be identical on MASTER and BACKUP
  priority 100                    # above the backup's 10
  advert_int 1
  authentication {
    auth_type PASS                # PASS auth travels in clear on the LAN and 1111 is the keepalived sample
    auth_pass 1111                # value; set a site-specific one and limit VRRP (IP proto 112) to the peer
  }
  track_script {                  # attach the vrrp_script block above to this instance
    chk_haproxy
  }
  virtual_ipaddress {
    192.168.1.11/24
  }
}
[root@haproxy2 ~]# cat /etc/keepalived/keepalived.conf
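! Configuration File for keepalived
! haproxy2: backup for VIP 192.168.1.11.
global_defs {
  notification_email {
    acassen@firewall.loc
    failover@firewall.loc
    sysadmin@firewall.loc
  }
  notification_email_from Alexandre.Cassen@firewall.loc
  smtp_server 192.168.200.1
  smtp_connect_timeout 30
  router_id LVS_slave             # router ID; unique per node
  vrrp_iptables                   # no chain names: do not add keepalived's own iptables entries (presumably)
  vrrp_skip_check_adv_addr
  vrrp_strict                     # NOTE(review): strict mode ignores the 'authentication' block in the
                                  # keepalived versions I know — confirm against the installed version
  vrrp_garp_interval 0
  vrrp_gna_interval 0
}
vrrp_script chk_haproxy {
  script "/etc/keepalived/check_haproxy.sh"   # haproxy health-check script (root-owned, not group/world-writable)
  interval 1                                  # run every 1s
  weight 20                                   # exit status 0 adds 20 to this node's priority
}
vrrp_instance VI_1 {
  state BACKUP                    # was "SLAVE": keepalived only accepts MASTER or BACKUP here and, in the
                                  # versions I know, logs an unknown-state error and falls back to BACKUP
  interface ens33                 # NIC that carries the VIP
  virtual_router_id 51            # same VRID as haproxy1
  priority 10                     # below haproxy1's 100
  advert_int 1
  authentication {                # must match haproxy1
    auth_type PASS
    auth_pass 1111
  }
  track_script {
    chk_haproxy
  }
  virtual_ipaddress {
    192.168.1.11/24
  }
}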
[root@haproxy1 ~]# cat /etc/keepalived/check_haproxy.sh
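#!/bin/bash
# keepalived vrrp_script for the chk_haproxy block: exit 0 while haproxy is
# running (keepalived then applies the configured weight); otherwise try to
# start it once and, if it is still not running 2s later, stop keepalived so
# the VIP moves to the other node.
#
# Fix: the first check used "-no-header" (single dash), which ps does not
# read as --no-headers, so the header line was most likely counted, the
# count never reached 0 and a dead haproxy was never noticed.
#
# keepalived runs this as root: keep the file root-owned and not writable by
# others, or keepalived's script security check may refuse to run it.

# Number of haproxy processes (0 when none are running).
haproxy_count() {
  ps -C haproxy --no-headers | wc -l
}

if [ "$(haproxy_count)" -eq 0 ]; then
  service haproxy start
  sleep 2
  if [ "$(haproxy_count)" -eq 0 ]; then
    # Still down after one restart attempt: release the VIP by stopping keepalived.
    killall keepalived
  fi
fi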
[root@haproxy1 ~]# ip a s ens33 #vip出现会有延迟 稍等下
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP.
link/ether 00:0c:29:70:10:14 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.17/24 brd 192.168.1.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.1.11/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::3de:8234:6729:eade/64 scope link noprefixroute
valid_lft forever preferred_lft forever
2.4.3 haproxy 安装
[root@haproxy1 ~]# vim /etc/haproxy/haproxy.cfg
global
  maxconn 100000
  #chroot /usr/local/haproxy
  uid 99                          # worker uid/gid 99 (nobody on this CentOS layout — verify)
  gid 99
  daemon
  nbproc 1                        # NOTE(review): nbproc is deprecated/removed in recent HAProxy releases; confirm for the installed version
  pidfile /run/haproxy.pid        # pid file location
  stats socket /run/haproxy/admin.sock mode 600 level admin   # admin socket can enable/disable servers; keep mode 600, root only
  log 127.0.0.1 local3 info
defaults
  option http-keep-alive
  option forwardfor               # only effective in mode http; the harbor listener below is mode tcp
  maxconn 100000
  mode http
  timeout connect 300000ms        # 5 min each — unusually long for a connect timeout
  timeout client 300000ms
  timeout server 300000ms
listen stats                      # statistics page
  mode http
  bind 0.0.0.0:9999               # NOTE(review): listens on every interface behind a simple password;
                                  # bind to a management address or firewall port 9999
  stats enable
  log global
  stats uri /haproxy-status
  stats auth haadmin:123456       # sample credentials; change before exposing the page
listen harbor
  mode tcp                        # L4 pass-through to the Harbor nodes
  balance source                  # same client address → same backend
  bind 192.168.1.11:80            # the VIP; the node not holding it needs net.ipv4.ip_nonlocal_bind=1 (see below)
  server 192.168.1.14 192.168.1.14:80 weight 10 check inter 3s fall 3 rise 5
  server 192.168.1.15 192.168.1.15:80 weight 10 check inter 3s fall 3 rise 5
客户端连接超时、最大连接数 、连接失败、健康检查、网站数据信息监控
[root@haproxy2 ~]# echo 'net.ipv4.ip_nonlocal_bind = 1'>>/etc/sysctl.conf
#没有VIP的主机上启动haproxy启动会失败,该参数,允许忽视VIP的存在
[root@haproxy2 ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
[root@haproxy2 ~]# systemctl restart haproxy.service
2.5 postgresql节点安装配置
192.168.1.12
[root@pg ~]# useradd postgres
[root@pg ~]# id postgres
uid=1000(postgres) gid=1000(postgres) groups=1000(postgres)
[root@pg ~]# wget https://ftp.postgresql.org/pub/source/v13.5/postgresql-13.5.tar.gz --no-check-certificate
[root@pg ~]# tar xf postgresql-13.5.tar.gz
[root@pg ~]# yum -y install gcc make readline-devel zlib-devel
[root@pg postgresql-13.5]# ./configure --prefix=/usr/local/postgresql
[root@pg postgresql-13.5]# make && make install
创建数据目录
[root@pg postgresql-13.5]# mkdir -p /data/postgresql/data
[root@pg postgresql-13.5]# chown -R postgres:postgres /usr/local/postgresql/
[root@pg postgresql-13.5]# chown -R postgres:postgres /data/postgresql/data/
[root@pg postgresql-13.5]# su - postgres
[postgres@pg ~]$ cat .bash_profile
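# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
  . ~/.bashrc
fi
# User specific environment and startup programs
PGHOME=/usr/local/postgresql   # PostgreSQL install prefix (./configure --prefix)
export PGHOME
PGDATA=/data/postgresql/data   # database cluster directory (initdb / pg_ctl -D)
export PGDATA
# Extend PATH once. The stock profile line appended $HOME/.local/bin:$HOME/bin
# and the added line appended them again, leaving duplicate entries in PATH.
PATH=$PATH:$HOME/.local/bin:$HOME/bin:$PGHOME/bin
export PATH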
[postgres@pg ~]$ source .bash_profile
[postgres@pg ~]$ psql -V
psql (PostgreSQL) 13.5
初始化数据库
[postgres@pg ~]$ initdb
Success. You can now start the database server using:
pg_ctl -D /data/postgresql/data -l logfile start
[postgres@pg ~]$ pg_ctl -D /data/postgresql/data -l logfile start
[postgres@pg ~]$ psql
postgres=# \password
Enter new password:
Enter it again:
postgres=# \q
[postgres@pg ~]$ vim +60 /data/postgresql/data/postgresql.conf
listen_addresses = '*'   # line 60: listen on all interfaces; who may connect is then limited only by pg_hba.conf
[postgres@pg ~]$ vim +90 /data/postgresql/data/pg_hba.conf
# TYPE  DATABASE  USER  ADDRESS     METHOD
local all all password
# NOTE(review): 'password' sends the password in clear, and harbor.yml later sets ssl_mode: disable, so the
# superuser credential crosses the LAN unprotected; scram-sha-256 (PostgreSQL 10+) avoids that, and narrowing
# 0.0.0.0/0 to the Harbor hosts (192.168.1.14/15) limits who can try it.
host all all 0.0.0.0/0 password #90
host all all ::1/128 password
重启PostgreSQL
[postgres@pg ~]$ pg_ctl -D /data/postgresql/data -l logfile restart
[postgres@pg ~]$ psql
创建数据库
postgres=# create database registry;
CREATE DATABASE
postgres=# create database notary_signer;
CREATE DATABASE
postgres=# create database notary_servers;
CREATE DATABASE
postgres=# create database clair;
CREATE DATABASE
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
----------------+----------+----------+-------------+-------------+------------
clair | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
notary_servers | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
notary_signer | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
registry | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
创建用户
postgres=# create user server with password '123456';
CREATE ROLE
postgres=# create user signer with password '123456';
CREATE ROLE
postgres=# create user clair with password '123456';
CREATE ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------------------+------
clair | | {}
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
server | | {}
signer | | {}
2.5.3 Redis 安装
[root@pg ~]# wget https://download.redis.io/releases/redis-6.2.7.tar.gz
[root@pg ~]# tar xf redis-6.2.7.tar.gz -C /app/
[root@pg ~]# cd /app/redis-6.2.7/
[root@pg redis-6.2.7]# make && make install
[root@pg redis-6.2.7]# vim redis.conf
#bind 127.0.0.1 -::1   # line 75: bind commented out so any host can connect; 'bind 192.168.1.12' would limit it to the LAN address
daemonize yes          # line 259: no -> yes, run as a daemon
requirepass 123456     # line 903: AUTH password (the same value goes into harbor.yml); without TLS it is sent in clear,
                       # so keep 6379 firewalled to the Harbor hosts
启动Redis服务
[root@pg redis-6.2.7]# redis-server redis.conf
[root@pg redis-6.2.7]# redis-cli -v
redis-cli 6.2.7
[root@pg redis-6.2.7]# ps -ef | grep redis
root 30040 1 0 22:00 ? 00:00:00 redis-server *:6379
harbor1和harbor2作为redis客户端连接Redis
[root@pg ~]# which redis-cli
/usr/local/bin/redis-cli
[root@pg ~]# scp /usr/local/bin/redis-cli root@192.168.1.17:/usr/local/bin/
[root@haproxy1 ~]# redis-cli -h 192.168.1.12 -p 6379 -a 123456 ping
PONG
postgresql节点安装nfs服务:
[root@pg ~]# yum -y install nfs-utils
[root@pg ~]# mkdir -p /data/harbor_data
[root@pg ~]# cat /etc/exports
/data/harbor_data 192.168.1.0/24(rw,no_root_squash)
[root@pg ~]# exportfs -arv
exporting 192.168.1.0/24:/data/harbor_data
[root@pg ~]# systemctl enable nfs-utils --now
[root@pg ~]# systemctl restart nfs-server
[root@pg ~]# showmount -e
Export list for pg:
/data/harbor_data 192.168.1.0/24
Harbor1、harbor2客户端挂载到nfs
[root@haproxy1 ~]# yum -y install nfs-utils
[root@haproxy1 ~]# mkdir -p /data/harbor_data
[root@haproxy1 ~]# echo "192.168.1.12:/data/harbor_data /data/harbor_data nfs defaults 0 0" >> /etc/fstab
[root@haproxy1 ~]# mount -a
[root@harbor ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@harbor ~]# yum install -y docker-ce
[root@harbor ~]# systemctl enable docker --now
[root@harbor ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://xcg41ct3.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": ["https://3hjcmqfe.mirror.aliyuncs.com"],
"log-driver": "json-file",
"log-opts": {
"max-size": "500m",
"max-file": "2"
}
}
[root@harbor ~]# systemctl daemon-reload
[root@harbor ~]# systemctl restart docker
[root@harbor ~]# wget https://github.com/docker/compose/releases/download/v2.10.0/docker-compose-linux-x86_64 --no-check-certificate
[root@harbor ~]# mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
[root@harbor ~]# chmod +x /usr/local/bin/docker-compose
[root@harbor ~]# docker-compose version
docker-compose version 1.22.0, build f46880fe
docker-py version: 3.4.1
[root@harbor ~]# cat /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
[root@harbor ~]# modprobe br_netfilter
[root@harbor ~]# sysctl -p
[root@harbor ~]# tar xf harbor-offline-installer-v1.8.0.tgz
[root@harbor ~]# cd harbor/
[root@harbor harbor]# ls
harbor.v1.8.0.tar.gz harbor.yml install.sh LICENSE prepare
[root@harbor harbor]# vim harbor.yml
vim harbor.yml
hostname: 192.168.1.14   # this instance's own address
http:
  port: 80
# https access disabled here:
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
## external proxy (the VIP); once set, hostname is no longer used for URLs
external_url: http://192.168.1.11:80
## shared storage, i.e. the NFS directory mounted on every Harbor node
data_volume: /data/harbor_data
# NOTE(review): the installer unpacked above is v1.8.0 while this file declares 2.3.0 — confirm the
# template version matches the installer
_version: 2.3.0
## external database
## NOTE(review): every entry uses the postgres superuser; the server/signer/clair roles created
## earlier could own their databases instead (least privilege)
external_database:
  harbor:
    host: 192.168.1.12
    port: 5432
    db_name: registry
    username: postgres
    password: 123456
    ssl_mode: disable   # credentials and data travel in clear between Harbor and 192.168.1.12
    max_idle_conns: 2
    max_open_conns: 0
  clair:
    host: 192.168.1.12
    port: 5432
    db_name: clair
    username: postgres
    password: 123456
    ssl_mode: disable
  notary_signer:
    host: 192.168.1.12
    port: 5432
    db_name: notary_signer
    username: postgres
    password: 123456
    ssl_mode: disable
  notary_server:
    host: 192.168.1.12
    port: 5432
    db_name: notary_server   # NOTE(review): the database created earlier is named notary_servers — the names must match
    username: postgres
    password: 123456
    ssl_mode: disable
## external Redis instance
external_redis:
  host: 192.168.1.12:6379   # Redis address and port
  port: 6379                # NOTE(review): older templates use host + port, newer ones host:port only — keep the form matching the installer version
  password: 123456          # password for the external Redis
  # in sentinel mode host is instead
  # host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2
  # sentinel_master_set:    # only used in Sentinel mode
  registry_db_index: 1
  jobservice_db_index: 2    # db index for jobservice
  chartmuseum_db_index: 3   # db index for the chartmuseum plugin
  trivy_db_index: 5         # db index for the Trivy scanner
  idle_timeout_seconds: 30  # idle timeout
# enable the metrics exporter:
metric:
  enabled: true
  port: 9090
  path: /metrics
将配置文件注入到各组件中
[root@harbor2 harbor]# ./prepare
[root@harbor2 harbor]# ./install.sh
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.1.14.
此时,http://192.168.1.11/ http://192.168.1.14/都可访问镜像仓库
相关镜像管理人员可以根据自己的环境搭建适合自己的高可用仓库,各个组件可任意扩展,以下给出可扩展内容仅供参考。
3.1. Postgresql数据库可部署高可用架构
3.2. 数据库可改造为Mysql及企业较为熟悉的数据库
3.3. Redis可部署高可用架构
3.4. 后端存储支持NFS、CephFS、azure、gcs、AWS s3、swift 以及阿里云oss
3.5. 访问方式可改进https安全加密方式访问
3.6. 部署方式可转为K8S部署,增加组件自愈能力