Harbor介绍与安装部署,并实现通过http和https协议【自签发SSL证书】访问,客户端如何通过Harbor镜像仓库实现镜像的上传【推送】与下载【拉取】。
Harbor介绍
Harbor,是一个英文单词,意思是港湾,港湾是干什么的呢,就是停放货物的,而货物呢,是装在集装箱中的,说到集装箱,就不得不提到Docker容器,因为docker容器的技术正是借鉴了集装箱的原理。所以,Harbor正是一个用于存储Docker镜像的企业级Registry服务。
Docker容器应用的开发和运行离不开可靠的镜像管理,虽然Docker官方也提供了公共的镜像仓库,但是从安全和效率等方面考虑,部署我们私有环境内的Registry也是非常必要的。Harbor是由VMware公司开源的企业级的Docker Registry管理项目,它包括权限管理(RBAC)、LDAP、日志审核、管理界面、自我注册、镜像复制和中文支持等功能。
机器规划
| 服务器名称(hostname) | 操作系统版本 | 内网IP | 外网IP(模拟) | 安装软件 |
|---|---|---|---|---|
| docker01 | CentOS7.7 | 172.16.1.31 | 10.0.0.31 | docker、Harbor |
| docker02 | CentOS7.7 | 172.16.1.32 | 10.0.0.32 | docker |
SSL证书创建
如果要使用https访问Harbor。那么请按照如下生成SSL证书。
创建根证书
## 创建CA私钥
openssl genrsa -out ca.key 2048
## 制作CA公钥
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=zhang/emailAddress=ca@test.com"
选项参数说明:
genrsa 生成私钥
-out filename 标准输出到filename文件
req 生成证书请求
-new 生成新证书签署请求
-x509 专用于CA生成自签证书;不自签的时候不要加该选项
-days num 证书的有效期限
-key file 生成请求时用到的私钥文件
-out filename 标准输出到filename文件
subj内容详解:
C = 国家
ST = 省/州
L = 城市
O = Organization Name
OU = Organizational Unit Name
CN = Common Name
emailAddress = test@email.address
证书签发
## 创建私钥
openssl genrsa -out httpd.key 1024
## 生成签发请求
openssl req -new -key httpd.key -out httpd.csr -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=OPS/CN=zhang/emailAddress=zhang@test.com"
## 使用CA证书进行签发
openssl x509 -req -sha256 -in httpd.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 -out httpd.crt
## 验证签发证书是否有效
openssl verify -CAfile ca.crt httpd.crt
生成结果如下图:
然后将httpd.key和httpd.crt,放到/etc/harbor/cert/目录下,后面会用到。
安装docker-ce
安装脚本如下
[root@docker01 harbor]# pwd
/root/harbor
[root@docker01 harbor]# cat install_docker-ce.sh
#!/bin/sh
# 加载环境变量
. /etc/profile
. /etc/bashrc
## 设置 docker yum repository
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
## 安装docker
yum install -y docker-ce
# yum install -y docker-ce-19.03.8
## 启动docker服务,这样可以创建/etc/docker目录
systemctl start docker
## 配置daemon
## 1、修改docker Cgroup Driver为systemd;2、日志格式设定
## 如果不修改,可能会碰到如下错误
## [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd".
## Please follow the guide at https://kubernetes.io/docs/setup/cri/
cat > /etc/docker/daemon.json << EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
EOF
## 开机自启动
systemctl stop docker && systemctl daemon-reload && systemctl enable docker && systemctl start docker
安装docker-compose
下载地址:
https://github.com/docker/compose
此次,我们使用的是 1.25.5 版本。
[root@docker01 harbor]# ll
total 17180
-rw-r--r-- 1 root root 17586312 May 12 23:16 docker-compose-Linux-x86_64
-rw-r--r-- 1 root root 958 May 12 23:00 install_docker-ce.sh
[root@docker01 harbor]# chmod +x docker-compose-Linux-x86_64 # 添加执行权限
[root@docker01 harbor]# mv docker-compose-Linux-x86_64 /usr/local/sbin/docker-compose # 移到指定目录
[root@docker01 harbor]# docker-compose version # 版本查看
docker-compose version 1.25.5, build 8a1c60f6
docker-py version: 4.1.0
CPython version: 3.7.5
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
安装Harbor私有仓库
官网下载地址
https://github.com/goharbor/harbor
此次,我们使用的是 v1.10.1 版本。
[root@docker01 harbor]# ll
total 658284
-rw-r--r-- 1 root root 674078519 May 12 17:25 harbor-offline-installer-v1.10.1.tgz
-rw-r--r-- 1 root root 958 May 12 23:00 install_docker-ce.sh
[root@docker01 harbor]#
[root@docker01 harbor]# tar xf harbor-offline-installer-v1.10.1.tgz # 解压包
[root@docker01 harbor]# cd harbor/
[root@docker01 harbor]# ll
total 662120
-rw-r--r-- 1 root root 3398 Feb 10 14:18 common.sh
-rw-r--r-- 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz
-rw-r--r-- 1 root root 5882 Feb 10 14:18 harbor.yml
-rwxr-xr-x 1 root root 2284 Feb 10 14:18 install.sh
-rw-r--r-- 1 root root 11347 Feb 10 14:18 LICENSE
-rwxr-xr-x 1 root root 1749 Feb 10 14:18 prepare
harbor.yml配置文件修改内容【http访问】
# 这里的hostname怎么配置
# 1、如果所有机器都在一个局域网,那么配置内网IP
# 2、如果机器跨网络,只能通过公网访问,那么配置本机外网IP或域名
hostname: 172.16.1.31
# http端口改为了5000,默认80端口
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 5000
# 将https注释掉,不然会报 ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
# https related config
#https:
# https port for harbor, default is 443
#port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
# admin用户的免密
harbor_admin_password: Harbor12345
# 数据存储路径
data_volume: /data
harbor.yml配置文件修改内容【https访问】
放开了https配置,证书是自签发的。
# 这里的hostname怎么配置
# 1、如果所有机器都在一个局域网,那么配置内网IP
# 2、如果机器跨网络,只能通过公网访问,那么配置本机外网IP或域名
hostname: 172.16.1.31
# http端口改为了5000,默认80端口
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 5000
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /etc/harbor/cert/httpd.crt
private_key: /etc/harbor/cert/httpd.key
# admin用户的免密
harbor_admin_password: Harbor12345
# 数据存储路径
data_volume: /data
如果使用了https协议且端口是443,那么当使用http访问时,会自动跳转到https。
部署Harbor
修改完配置文件后,在的当前目录执行./install.sh,Harbor服务就会根据当前目录下的docker-compose.yml开始下载依赖的镜像,检测并按照顺序依次启动。
[root@docker01 harbor]# ll
total 662120
drwxr-xr-x 3 root root 20 May 12 23:47 common
-rw-r--r-- 1 root root 3398 Feb 10 14:18 common.sh
-rw-r--r-- 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz
-rw-r--r-- 1 root root 5921 May 12 23:54 harbor.yml
drwxr-xr-x 2 root root 24 May 12 23:47 input
-rwxr-xr-x 1 root root 2284 Feb 10 14:18 install.sh
-rw-r--r-- 1 root root 11347 Feb 10 14:18 LICENSE
-rwxr-xr-x 1 root root 1749 Feb 10 14:18 prepare
[root@docker01 harbor]#
[root@docker01 harbor]# ./install.sh # 启动harbor
启动结果如下图
停止与启动Harbor
如果修改了Harbor的配置文件harbor.yml,因为Harbor是基于docker-compose服务编排的,我们可以使用docker-compose命令重启Harbor。
未修改配置文件,重启Harbor命令:docker-compose start | stop | restart
当然个人建议:如果修改了harbor.yml文件,那么停止使用docker-compose down,启动使用 ./install.sh 。
##### 停止Harbor
[root@docker01 harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing registryctl ... done
Removing redis ... done
Removing harbor-portal ... done
Removing harbor-db ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
##### 启动Harbor
[root@docker01 harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating redis ... done
Creating registry ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
镜像信息和容器信息
镜像信息和容器信息如下
[root@docker01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/chartmuseum-photon v0.9.0-v1.10.1 0245d66323de 3 months ago 128MB
goharbor/harbor-migrator v1.10.1 a4f99495e0b0 3 months ago 364MB
goharbor/redis-photon v1.10.1 550a58b0a311 3 months ago 111MB
goharbor/clair-adapter-photon v1.0.1-v1.10.1 2ec99537693f 3 months ago 61.6MB
goharbor/clair-photon v2.1.1-v1.10.1 622624e16994 3 months ago 171MB
goharbor/notary-server-photon v0.6.1-v1.10.1 e4ff6d1f71f9 3 months ago 143MB
goharbor/notary-signer-photon v0.6.1-v1.10.1 d3aae2fc17c6 3 months ago 140MB
goharbor/harbor-registryctl v1.10.1 ddef86de6480 3 months ago 104MB
goharbor/registry-photon v2.7.1-patch-2819-2553-v1.10.1 1a0c5f22cfa7 3 months ago 86.5MB
goharbor/nginx-photon v1.10.1 01276d086ad6 3 months ago 44MB
goharbor/harbor-log v1.10.1 1f5c9ea164bf 3 months ago 82.3MB
goharbor/harbor-jobservice v1.10.1 689368d30108 3 months ago 143MB
goharbor/harbor-core v1.10.1 14151d58ac3f 3 months ago 130MB
goharbor/harbor-portal v1.10.1 8a9856c37798 3 months ago 52.1MB
goharbor/harbor-db v1.10.1 18548720d8ad 3 months ago 148MB
goharbor/prepare v1.10.1 897a4d535ced 3 months ago 192MB
[root@docker01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6f57ce1d6a27 goharbor/nginx-photon:v1.10.1 "nginx -g 'daemon of…" 29 seconds ago Up 28 seconds (health: starting) 0.0.0.0:5000->8080/tcp nginx
bd441d18ae54 goharbor/harbor-jobservice:v1.10.1 "/harbor/harbor_jobs…" 29 seconds ago Up 28 seconds (health: starting) harbor-jobservice
374fad48780e goharbor/harbor-core:v1.10.1 "/harbor/harbor_core" 30 seconds ago Up 29 seconds (health: starting) harbor-core
89f8f4312c24 goharbor/harbor-portal:v1.10.1 "nginx -g 'daemon of…" 31 seconds ago Up 29 seconds (health: starting) 8080/tcp harbor-portal
4d0b294a38c4 goharbor/redis-photon:v1.10.1 "redis-server /etc/r…" 31 seconds ago Up 29 seconds (health: starting) 6379/tcp redis
cd9fafa019f5 goharbor/harbor-registryctl:v1.10.1 "/home/harbor/start.…" 31 seconds ago Up 29 seconds (health: starting) registryctl
a62616384f6c goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1 "/home/harbor/entryp…" 31 seconds ago Up 29 seconds (health: starting) 5000/tcp registry
dc453165b1fb goharbor/harbor-db:v1.10.1 "/docker-entrypoint.…" 31 seconds ago Up 29 seconds (health: starting) 5432/tcp harbor-db
8256f54e69ee goharbor/harbor-log:v1.10.1 "/bin/sh -c /usr/loc…" 31 seconds ago Up 30 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log
浏览器访问
访问地址如下:
http 访问:http://10.0.0.31:5000/ 或则 http://172.16.1.31:5000/
https访问:https://10.0.0.31/ 或者 https://172.16.1.31/
备注:
1、由于我使用的Vmware虚拟机,因此10.0.0.0/24网段【模拟外网】和172.16.1.0/24网络【内网】都可以访问。生产环境是访问内网还是外网,视具体情况而定。
2、这里的访问地址和harbor.yml中配置的hostname值无关。
登录后页面
Harbor实现Docker镜像上传与下载
新建项目
根据你的项目名新建项目,这样才能将镜像推动到harbor镜像中心。
客户端http设置
Docker 默认不允许非 HTTPS 方式推送镜像。我们可以通过 Docker 的配置选项来取消这个限制。
如果直接【上传】或【拉取】镜像会失败,因为默认为https方式。
所有客户端都需要添加这个配置,然后重启 docker 服务。
[root@docker01 ~]# vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"insecure-registries": ["172.16.1.31:5000"]
}
[root@docker01 ~]# systemctl restart docker # 重启docker服务
添加了 “insecure-registries”: [“172.16.1.31:5000”] 这行,其中172.16.1.31为内网IP地址。该文件必须符合 json 规范,否则 Docker 将不能启动。
如果在Harbor所在的机器重启了docker服务,记得要重新启动Harbor。
客户端登录Harbor
客户端登录Harbor。
# docker login 172.16.1.31:5000 -u admin -p Harbor12345
查看登录信息,这样客户端就可以直接拉取或者推送镜像了。
[root@docker01 ~]# cat ~/.docker/config.json
{
"auths": {
"172.16.1.31:5000": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.8 (linux)"
}
}
Docker push镜像上传
[root@docker02 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.16.1.31:5000/zhang/nginx 1.17 ed21b7a8aee9 6 weeks ago 127MB
[root@docker02 ~]# docker push 172.16.1.31:5000/zhang/nginx:1.17 # 上传镜像
The push refers to repository [172.16.1.31:5000/zhang/nginx]
d37eecb5b769: Pushed
99134ec7f247: Pushed
c3a984abe8a8: Pushed
1.17: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948
说明:注意镜像名格式
Harbor页面信息
Docker pull镜像拉取
[root@docker01 ~]# docker images | grep 'zhang/nginx'
[root@docker01 ~]# docker pull 172.16.1.31:5000/zhang/nginx:1.17 # 镜像拉取
1.17: Pulling from zhang/nginx
c499e6d256d6: Pull complete
74cda408e262: Pull complete
ffadbd415ab7: Pull complete
Digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266
Status: Downloaded newer image for 172.16.1.31:5000/zhang/nginx:1.17
172.16.1.31:5000/zhang/nginx:1.17
[root@docker01 ~]# docker images | grep 'zhang/nginx'
172.16.1.31:5000/zhang/nginx 1.17 ed21b7a8aee9 6 weeks ago 127MB
Harbor页面信息
完毕!
7804
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
