Setting up a Harbor image registry
Install Docker
Install Docker and Docker Compose.
Download the Harbor package
Download the latest Harbor release package from https://github.com/goharbor/harbor/releases.
Extract the Harbor package
tar -xzf harbor-offline-installer-v2.1.3.tgz
# After extraction the harbor directory sits under the current path
mkdir opt
mv harbor ./opt
cd ./opt/harbor
ls
common.sh harbor.v2.1.3.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
# harbor.v2.1.3.tar.gz is the archive of Harbor's container images
# harbor.yml.tmpl is the YAML template; rename it to harbor.yml
mv harbor.yml.tmpl harbor.yml
Modify the Harbor configuration
The contents of harbor.yml are:
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: reg.mydomain.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.0.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   clair_db_index: 4
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - clair
    - trivy
Change hostname to the actual domain name or IP address, and change the port to 85 (optional):
hostname: 192.168.194.136
http:
  port: 85
If desired, you can also change harbor_admin_password and the database password. If you only need the HTTP interface, comment out the https-related settings.
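Before running the installer it is worth checking that the template defaults shown above have actually been replaced. The script below is an added example, not part of the original post or of Harbor: it reads the top-level and one-level-nested keys of a harbor.yml and reports the well-known defaults (placeholder hostname, Harbor12345, root123) and an https section still pointing at the placeholder certificate path. The helper names (yml_value, yml_section_value, check_harbor_yml, write_sample) and the two sample files it writes are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install sanity check for harbor.yml.
# The tiny parser only understands the two-level "section:/  key: value" layout used by harbor.yml.

# yml_value FILE KEY -> value of a top-level "KEY: value" line (empty if absent)
yml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# yml_section_value FILE SECTION KEY -> value of KEY nested under top-level SECTION
# Commented-out lines ("# https:") never open a section, so a disabled https block yields ""
yml_section_value() {
    awk -v sec="$2" -v key="$3" '
        /^[^ \t#]/ { in_sec = ($0 ~ ("^" sec ":")) }
        in_sec && $1 == (key ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_harbor_yml FILE -> prints one line per finding; returns 0 only when there are none
check_harbor_yml() {
    f="$1"; rc=0
    host=$(yml_value "$f" hostname)
    case "$host" in
        ""|localhost|127.0.0.1|reg.mydomain.com)
            echo "hostname '$host' is loopback or the template placeholder; external clients cannot use it"
            rc=1 ;;
    esac
    if [ "$(yml_value "$f" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password is still the template default"; rc=1
    fi
    if [ "$(yml_section_value "$f" database password)" = "root123" ]; then
        echo "database.password is still the template default"; rc=1
    fi
    cert=$(yml_section_value "$f" https certificate)
    case "$cert" in
        ""|/your/certificate/path)
            echo "https.certificate is unset or the template placeholder; registry traffic stays on plain HTTP"
            rc=1 ;;
    esac
    return "$rc"
}

# write_sample FILE MODE -> writes a constructed harbor.yml excerpt (MODE = default | hardened)
write_sample() {
    if [ "$2" = default ]; then
        cat > "$1" <<'EOF'
hostname: reg.mydomain.com
http:
  port: 80
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
EOF
    else
        cat > "$1" <<'EOF'
hostname: www.ftharbor.com
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/www.ftharbor.com.crt
  private_key: /data/cert/www.ftharbor.com.key
harbor_admin_password: CHANGE-ME-example-Str0ngPass
database:
  password: CHANGE-ME-example-DbPass
EOF
    fi
}

# Run the check against both constructed samples (replace $tmp with ./harbor.yml on a real host)
tmp=$(mktemp)
write_sample "$tmp" default
check_harbor_yml "$tmp" || echo "-> fix the findings above before running ./install.sh"
write_sample "$tmp" hardened
check_harbor_yml "$tmp" && echo "-> harbor.yml passes the pre-install checks"
rm -f "$tmp"
```

On a real host run check_harbor_yml against ./opt/harbor/harbor.yml right before ./prepare; the check is deliberately conservative and only recognises the values the template ships with, so a weak but non-default password still passes.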
Install Harbor
./prepare
./install.sh
Check the Harbor images:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/redis-photon v2.1.3 161d45dcb2f5 2 weeks ago 68.9MB
goharbor/trivy-adapter-photon v2.1.3 e7896af8b06d 2 weeks ago 114MB
goharbor/clair-adapter-photon v2.1.3 6f8858c1946f 2 weeks ago 65.2MB
goharbor/harbor-registryctl v2.1.3 6c8f14771edd 2 weeks ago 132MB
goharbor/registry-photon v2.1.3 51523bdfa59e 2 weeks ago 80.3MB
goharbor/nginx-photon v2.1.3 8f3f1df526c4 2 weeks ago 40.2MB
goharbor/harbor-log v2.1.3 d6143bc93728 2 weeks ago 106MB
goharbor/harbor-jobservice v2.1.3 4940590a5dfb 2 weeks ago 169MB
goharbor/harbor-core v2.1.3 b9117e275f20 2 weeks ago 150MB
goharbor/harbor-portal v2.1.3 b76be38158a6 2 weeks ago 49.6MB
goharbor/harbor-db v2.1.3 7a8a8f4ca96d 2 weeks ago 172MB
goharbor/prepare v2.1.3 b2b5ed857cf5 2 weeks ago 166MB
goharbor/clair-photon v2.1.3 2ad03ae86757 2 weeks ago 168MB
goharbor/notary-server-photon v2.1.3 136ee3db23de 2 weeks ago 104MB
goharbor/notary-signer-photon v2.1.3 202e96adb495 2 weeks ago 102MB
goharbor/chartmuseum-photon v2.1.3 01d575443355 2 weeks ago 172MB
After installation completes, Harbor is started by default.
Add the Harbor address to Docker's trusted list
Open the Docker configuration file:
vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "https://hub-mirror.c.163.com/",
    "https://docker.mirrors.ustc.edu.cn",
    "https://reg-mirror.qiniu.com",
    "https://docker.mirrors.ustc.edu.cn"
  ],
  "insecure-registries": [
    "192.168.194.136:85"
  ]
}
Restart Docker:
service docker restart
Harbor management commands
# Start (run from the harbor directory, where docker-compose.yml was generated)
docker-compose up -d
# Stop
docker-compose stop
# Restart
docker-compose restart
Access Harbor
Open IP:85 in a browser:
Log in as admin (the password is the harbor_admin_password value set in harbor.yml at install time):
User and project management
User management
Under [Administration] -> [Users] you can add new users.
Public projects
Public projects are accessible to all users and usually hold shared images; a public project named library exists by default.
Under [Projects], click [New Project]:
Set the access level to public (the default is not public):
Private projects
Private projects can only be used by authorized users and usually hold the project's own images.
Creating a private project follows the same steps as a public one; just leave the access level as not public (the default):
After the private project is created, you can assign users to it:
The "Guest" and "Limited Guest" roles have only limited permissions on the repositories; assign roles according to actual needs.
Log in as the new user fgd to see the projects this account can manage:
Pushing and pulling images
Push an image to Harbor
# Log in to Harbor
docker login 192.168.194.136:85
Username: fgd
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# List the image to be pushed
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 7731472c3f2a 13 days ago 5.61MB
# Tag the image with the registry address and project name
$ docker tag alpine:latest 192.168.194.136:85/storm_private/alpine:0.1
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.194.136:85/storm_private/alpine 0.1 7731472c3f2a 13 days ago 5.61MB
alpine latest 7731472c3f2a 13 days ago 5.61MB
# Push the image to the Harbor registry
$ docker push 192.168.194.136:85/storm_private/alpine:0.1
The push refers to repository [192.168.194.136:85/storm_private/alpine]
c04d1437198b: Pushed
0.1: digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515 size: 528
The steps above push the alpine image to a private Harbor project; you can also push to a public project:
$ docker tag alpine:latest 192.168.194.136:85/storm_public/alpine:0.1
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.194.136:85/storm_private/alpine 0.1 7731472c3f2a 13 days ago 5.61MB
192.168.194.136:85/storm_public/alpine 0.1 7731472c3f2a 13 days ago 5.61MB
alpine latest 7731472c3f2a 13 days ago 5.61MB
$ docker push 192.168.194.136:85/storm_public/alpine:0.1
The push refers to repository [192.168.194.136:85/storm_public/alpine]
c04d1437198b: Pushed
0.1: digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515 size: 528
Pull an image from Harbor
Pulling from a public Harbor project does not require logging in to a Harbor account:
$ docker pull 192.168.194.136:85/storm_public/alpine:0.1
0.1: Pulling from storm_public/alpine
Digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515
Status: Downloaded newer image for 192.168.194.136:85/storm_public/alpine:0.1
192.168.194.136:85/storm_public/alpine:0.1
Pull from a private Harbor project:
# Not logged in: pull from a private Harbor project
$ docker pull 192.168.194.136:85/storm_private/alpine:0.1
Error response from daemon: unauthorized: unauthorized to access repository: storm_private/alpine, action: pull: unauthorized to access repository: storm_private/alpine, action: pull
# The pull fails because the anonymous client has no permission on the project
# Log in to Harbor
$ docker login -u <username> -p <password> 192.168.194.136:85
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Pull from the private Harbor project
$ docker pull 192.168.194.136:85/storm_private/alpine:0.1
0.1: Pulling from storm_private/alpine
Digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515
Status: Downloaded newer image for 192.168.194.136:85/storm_private/alpine:0.1
192.168.194.136:85/storm_private/alpine:0.1
Advanced Harbor configuration
Enable HTTPS
Set the Harbor hostname
# Append the entry with tee: with "sudo echo ... >> /etc/hosts" only echo runs as root and the redirection is denied
$ echo "192.168.194.136 www.ftharbor.com" | sudo tee -a /etc/hosts
$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 fgd-ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.194.136 www.ftharbor.com
Restart the network service once this is done.
Generate the certificates
## Generate the certificate authority (CA) certificate
# Generate the CA private key
$ sudo openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................++++
................................................++++
e is 65537 (0x010001)
$ ls
ca.key
# Generate the self-signed CA certificate
$ sudo openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.ftharbor.com" -key ca.key -out ca.crt
$ ls
ca.crt ca.key
## Generate the server certificate
# Generate the server private key
$ sudo openssl genrsa -out www.ftharbor.com.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................................++++
....++++
e is 65537 (0x010001)
$ ls
ca.crt ca.key www.ftharbor.com.key
# Generate a certificate signing request (CSR)
$ sudo openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.ftharbor.com" -key www.ftharbor.com.key -out www.ftharbor.com.csr
$ ls
ca.crt ca.key www.ftharbor.com.csr www.ftharbor.com.key
# Generate an x509 v3 extension file (no sudo: the redirection runs as the current user anyway,
# and the file is written to the working directory)
$ cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.ftharbor.com
EOF
# Add further DNS.N / IP.N entries under [alt_names] for every other name or address
# clients will use; TLS clients match the address they connect to against the SAN list.
# Alternative when clients connect by IP address instead of a host name:
# $ cat > v3.ext <<EOF
# authorityKeyIdentifier=keyid,issuer
# basicConstraints=CA:FALSE
# keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# extendedKeyUsage = serverAuth
# subjectAltName = IP:192.168.194.136
# EOF
$ ls
ca.crt ca.key v3.ext www.ftharbor.com.csr www.ftharbor.com.key
# Use v3.ext to issue the certificate for the Harbor host, signed by the CA
$ sudo openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.ftharbor.com.csr -out www.ftharbor.com.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = www.ftharbor.com
Getting CA Private Key
$ ls
ca.crt ca.srl www.ftharbor.com.crt www.ftharbor.com.key
ca.key v3.ext www.ftharbor.com.csr
# Convert www.ftharbor.com.crt to www.ftharbor.com.cert (Docker expects the .cert extension)
$ sudo openssl x509 -inform PEM -in www.ftharbor.com.crt -out www.ftharbor.com.cert
$ ls
ca.crt ca.srl www.ftharbor.com.cert www.ftharbor.com.csr
ca.key v3.ext www.ftharbor.com.crt www.ftharbor.com.key
Deploy the certificates
# Copy the server certificate and key to /data/cert/ on the Harbor host
# /data is the mount directory given by the data_volume option in harbor.yml when Harbor was installed
$ sudo mkdir -p /data/cert/
$ sudo cp www.ftharbor.com.crt /data/cert/
$ sudo cp www.ftharbor.com.key /data/cert/
$ ls /data/cert/
www.ftharbor.com.crt www.ftharbor.com.key
# Copy the server certificate, key and CA file into the Docker certificates directory on the Harbor host
$ sudo mkdir -p /etc/docker/certs.d/www.ftharbor.com/
# If the default nginx port 443 is mapped to another port,
# create the directory /etc/docker/certs.d/yourdomain.com:port
# or /etc/docker/certs.d/harbor_IP:port instead
$ sudo cp www.ftharbor.com.cert /etc/docker/certs.d/www.ftharbor.com/
$ sudo cp www.ftharbor.com.key /etc/docker/certs.d/www.ftharbor.com/
$ sudo cp ca.crt /etc/docker/certs.d/www.ftharbor.com/
$ ls /etc/docker/certs.d/www.ftharbor.com/
ca.crt www.ftharbor.com.cert www.ftharbor.com.key
# The certificate directory structure is now:
# /etc/docker/certs.d/
# └── www.ftharbor.com
# ├── ca.crt
# ├── www.ftharbor.com.cert
# └── www.ftharbor.com.key
# Trust the CA certificate system-wide (optional). update-ca-certificates picks up *.crt files
# placed under /usr/local/share/ca-certificates; it is the CA certificate, not the server
# certificate, that has to be trusted for the chain to validate
$ sudo cp ca.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
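The certificate procedure above is easy to get subtly wrong (a SAN that does not match the name clients use, a leaf that does not chain to the CA), and the post never verifies the result. The following is an added example, not from the original post or from Harbor: it wraps the same openssl steps into one function that takes the host name and an optional IP SAN, verifies the issued certificate against the CA and checks its SAN, and stages the certs.d layout under a caller-supplied root so it can be exercised without touching /etc/docker. The CA is given its own CN (example-harbor-ca) rather than the server name the post reuses, so chain building is unambiguous; keys are 2048-bit here to keep the run short, while the post uses 4096. make_harbor_certs, cert_has_san, verify_harbor_cert and stage_docker_certs are this example's own helper names.

```shell
#!/bin/sh
# Added example (not from the original post): CA + server certificate generation, verification
# and certs.d staging as reusable functions. Requires the openssl command-line tool.

# make_harbor_certs DIR HOST [IP] -> writes ca.key ca.crt HOST.key HOST.csr v3.ext HOST.crt HOST.cert into DIR
make_harbor_certs() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"
    ca_subj="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=example-harbor-ca"
    srv_subj="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$host"
    # CA key and self-signed CA certificate (2048-bit for speed; the post uses 4096)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "$ca_subj" -key "$dir/ca.key" -out "$dir/ca.crt"
    # server key and CSR
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "$srv_subj" -key "$dir/$host.key" -out "$dir/$host.csr"
    # v3 extension file: the SAN must carry every name (and IP, if any) clients will connect to
    {
        echo "authorityKeyIdentifier=keyid,issuer"
        echo "basicConstraints=CA:FALSE"
        echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
        echo "extendedKeyUsage = serverAuth"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        echo "DNS.1=$host"
        if [ -n "$ip" ]; then echo "IP.1=$ip"; fi
    } > "$dir/v3.ext"
    # sign the CSR with the CA, applying the extensions
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -in "$dir/$host.csr" -out "$dir/$host.crt"
    # Docker looks for client-side copies with the .cert extension under certs.d
    openssl x509 -inform PEM -in "$dir/$host.crt" -out "$dir/$host.cert"
}

# cert_has_san CERT ENTRY -> 0 when ENTRY (e.g. "DNS:www.ftharbor.com") appears in the certificate text
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

# verify_harbor_cert DIR HOST -> 0 when HOST.crt chains to ca.crt and its SAN lists HOST
verify_harbor_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    cert_has_san "$dir/$host.crt" "DNS:$host" || return 1
    return 0
}

# stage_docker_certs DIR HOST ROOT -> lays out ROOT/certs.d/HOST/{ca.crt,HOST.cert,HOST.key}
# ROOT is /etc/docker on a real host; a temp dir here so the layout can be inspected safely
stage_docker_certs() {
    dir="$1"; host="$2"; root="$3"
    mkdir -p "$root/certs.d/$host"
    cp "$dir/ca.crt" "$dir/$host.cert" "$dir/$host.key" "$root/certs.d/$host/"
}

# Demonstration on a throwaway directory (all paths constructed for this example)
work=$(mktemp -d)
make_harbor_certs "$work/certs" www.ftharbor.com 192.168.194.136
verify_harbor_cert "$work/certs" www.ftharbor.com && echo "certificate chains to the CA and SAN matches"
stage_docker_certs "$work/certs" www.ftharbor.com "$work/docker"
ls "$work/docker/certs.d/www.ftharbor.com"
rm -rf "$work"
```

verify_harbor_cert is the check to run before copying anything into /data/cert or /etc/docker/certs.d: a certificate that fails openssl verify or lacks the SAN entry will be rejected by the Docker client in exactly the same way.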
Configure Docker
Add www.ftharbor.com to Docker's trusted list (entries in insecure-registries are host[:port] values without the https:// scheme).
Open the Docker configuration file:
vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "https://hub-mirror.c.163.com/",
    "https://docker.mirrors.ustc.edu.cn",
    "https://reg-mirror.qiniu.com",
    "https://docker.mirrors.ustc.edu.cn"
  ],
  "insecure-registries": [
    "www.ftharbor.com"
  ]
}
Restart Docker:
service docker restart
Configure Harbor
Stop Harbor (optional)
$ sudo docker-compose down -v
Configure Harbor
Open harbor.yml; the main changes are the https-related settings:
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: www.ftharbor.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/www.ftharbor.com.crt
  private_key: /data/cert/www.ftharbor.com.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: admin

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.0.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   clair_db_index: 4
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - clair
    - trivy
Generate the configuration files
$ sudo ./prepare
Install Harbor (optional)
$ ./install.sh
Start Harbor
$ sudo docker-compose up -d
Browser access test
To access Harbor from a browser, first configure the hosts file on the machine running the browser. Taking Windows as an example, add a line to C:\Windows\System32\drivers\etc\hosts:
192.168.194.136 www.ftharbor.com
Then open https://www.ftharbor.com/ in the browser:
Click to continue past the certificate warning and you are taken to the Harbor login page:
Push and pull test
# Log in to Harbor via https://www.ftharbor.com
$ docker login https://www.ftharbor.com
Username: fgd
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# List local images
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 7731472c3f2a 13 days ago 5.61MB
# Tag the image
$ docker tag alpine:latest www.ftharbor.com/storm/alpine:0.1
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 7731472c3f2a 13 days ago 5.61MB
www.ftharbor.com/storm/alpine 0.1 7731472c3f2a 13 days ago 5.61MB
# Push the image
$ docker push www.ftharbor.com/storm/alpine:0.1
The push refers to repository [www.ftharbor.com/storm/alpine]
c04d1437198b: Pushed
0.1: digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515 size: 528
# Remove the local copy
$ docker rmi www.ftharbor.com/storm/alpine:0.1
Untagged: www.ftharbor.com/storm/alpine:0.1
Untagged: www.ftharbor.com/storm/alpine@sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 7731472c3f2a 13 days ago 5.61MB
# Pull the image back from Harbor
$ docker pull www.ftharbor.com/storm/alpine:0.1
0.1: Pulling from storm/alpine
Digest: sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515
Status: Downloaded newer image for www.ftharbor.com/storm/alpine:0.1
www.ftharbor.com/storm/alpine:0.1
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 7731472c3f2a 13 days ago 5.61MB
www.ftharbor.com/storm/alpine 0.1 7731472c3f2a 13 days ago 5.61MB
# Log out
$ docker logout https://www.ftharbor.com
Removing login credentials for www.ftharbor.com
Harbor high-availability deployment
Following the steps above, deploy two Harbor hosts, one as master and one as slave. After installation, log in to the master's Harbor; under [Administration] -> [Registries] add a connection to the slave's Harbor, then configure a replication rule so the slave automatically backs up the master's repositories.
Add vulnerability scanning to Harbor
# Regenerate the compose files with the Clair scanner enabled (Harbor 2.1 also offers --with-trivy)
./prepare --with-clair
docker-compose up -d