Harbor
Docker Registry
网上有很多的Registry服务器都支持第三方用户注册,而后基于用户名去做自己的仓库,但是使用互联网上的Registry有一个缺陷,那就是我们去推送和下载镜像时都不会很快,而在生产环境中很可能并行启动的容器将达到几十、上百个,而且很有可能每个服务器本地是没有镜像的,此时如果通过互联网去下载镜像会有很多问题,比如下载速度会很慢、带宽会用很多等等,如果带宽不够的话,下载至启动这个过程可能要持续个几十分钟,这已然违背了使用容器会更加轻量、快速的初衷和目的。因此,很多时候我们很有可能需要去做自己的私有Registry。
Registry用于保存docker镜像,包括镜像的层次结构和元数据。用户可以自建Registry,也可以使用官方的Docker Hub。
Docker Registry分类:
Sponsor Registry:第三方的Registry,供客户和Docker社区使用
Mirror Registry:第三方的Registry,只让客户使用
Vendor Registry:由发布docker镜像的供应商提供的registry
Private Registry:通过设有防火墙和额外的安全层的私有实体提供的registry
事实上,如果运维的系统环境托管在云计算服务上,比如阿里云,那么用阿里云的Registry则是最好的选择。很多时候我们的生产环境不会在本地,而是托管在数据中心机房里,如果我们在数据中心机房里的某台主机上部署Registry,因为都在同一机房,所以属于同一局域网,此时数据传输走内网,效率会极大的提升。
所有的Registry默认情况下都是基于https工作的,这是Docker的基本要求,而我自建Registry时很可能是基于http工作的,但是Docker默认是拒绝使用http提供Registry服务的,除非明确的告诉它,我们就是要用http协议的Registry。
Harbor
Harbor镜像仓库部署
Harbor
无论是使用Docker-distribution去自建仓库,还是通过官方镜像跑容器的方式去自建仓库,通过前面的演示我们可以发现其是非常的简陋的,还不如直接使用官方的Docker Hub去管理镜像来得方便,至少官方的Docker Hub能够通过web界面来管理镜像,还能在web界面执行搜索,还能基于Dockerfile利用Webhooks和Automated Builds实现自动构建镜像的功能,用户不需要在本地执行docker build,而是把所有build上下文的文件作为一个仓库推送到github上,让Docker Hub可以从github上去pull这些文件来完成自动构建。
但无论官方的Docker Hub有多强大,它毕竟是在国外,所以速度是最大的瓶颈,我们很多时候是不可能去考虑使用官方的仓库的,但是上面说的两种自建仓库方式又十分简陋,不便管理,所以后来就出现了一个被 CNCF 组织青睐的项目,其名为Harbor。
Harbor简介
Harbor是由VMWare在Docker Registry的基础之上进行了二次封装,加进去了很多额外程序,而且提供了一个非常漂亮的web界面。
Harbor是一个开源可信的云原生的仓库项目,用于存储、用户管理和查找镜像。
Harbor通过添加用户通常需要的功能,如安全、身份和管理,扩展了开源Docker分发版。
Harbor支持高级特性,如用户管理、访问控制、活动监视和实例之间的复制。
Harbor的功能
多租户内容签名和验证
安全性和漏洞分析
审计日志记录
身份集成和基于角色的访问控制
实例之间的映像复制
可扩展API和图形UI
国际化(目前为中英文化)
Docker compose
Harbor在物理机上部署是非常难的,而为了简化Harbor的应用,Harbor官方直接把Harbor做成了在容器中运行的应用,而且这个容器在Harbor中依赖类似redis、mysql、pgsql等很多存储系统,所以它需要编排很多容器协同起来工作,因此VMWare Harbor在部署和使用时,需要借助于Docker的单机编排
Compose是一个用于定义和运行多容器Docker应用程序的工具。使用Compose,您可以使用YAML文件来配置应用程序的服务。然后,通过一个命令,您可以创建并启动配置中的所有服务
[root@master ~]# systemctl disable --now firewalld
[root@master ~]# systemctl enable --now docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
[root@master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@master ~]# vim /etc/docker/daemon.json
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl restart docker
[root@master ~]# docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.7.1-docker)
scan: Docker Scan (Docker Inc., v0.12.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 20.10.12
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 4.18.0-257.el8.x86_64
Operating System: CentOS Stream 8
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 1.748GiB
Name: master
ID: OSXY:DH6I:6EZL:LLN5:SAOS:ANGY:YSTI:XPGN:JARQ:K7XS:C424:P6QJ
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://q9u587gb.mirror.aliyuncs.com/
Live Restore Enabled: false
[root@master ~]# ls /usr/local/bin/
[root@master ~]# cd /usr/local/bin/
[root@master bin]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:20 --:--:-- 0curl: (7) Failed to connect to github.com port 443: 拒绝连接
[root@master bin]# vim /etc/hosts
[root@registry harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.197.131 raw.githubusercontent.com
[root@master bin]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 664 100 664 0 0 186 0 0:00:03 0:00:03 --:--:-- 186
100 12.1M 100 12.1M 0 0 59863 0 0:03:32 0:03:32 --:--:-- 121k
[root@master bin]# chmod +x /usr/local/bin/docker-compose
[root@master bin]# which docker-compose
/usr/local/bin/docker-compose
[root@master bin]# echo $PATH
/usr/local/mysql/bin:/usr/local/httpd/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin
[root@master bin]# cd
[root@master ~]# cd /usr/local/
[root@master local]# ls
apache-tomcat-9.0.54 bin games include lib64 sbin src
apr etc harbor-offline-installer-v2.3.5.tgz lib libexec share tomcat
[root@master local]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@master local]# ls
apache-tomcat-9.0.54 bin games harbor-offline-installer-v2.3.5.tgz lib libexec share tomcat
apr etc harbor include lib64 sbin src
[root@master local]# cd harbor
[root@master harbor]# hostnamectl set-hostname registry.example.com
[root@master harbor]# bash
[root@registry harbor]# hostname
registry.example.com
[root@registry harbor]# cp harbor.yml.tmpl harbor.yml
[root@registry harbor]# vim harbor.yml
[root@registry harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.197.131 raw.githubusercontent.com
[root@registry harbor]# vim /etc/hosts
[root@registry harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.197.131 raw.githubusercontent.com
192.168.101.110 registry.example.com
[root@registry harbor]# ping registry.example.com
PING registry.example.com (192.168.101.110) 56(84) bytes of data.
^Z
[1]+ 已停止 ping registry.example.com
[root@registry harbor]# vim /etc/hosts
[root@registry harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.197.131 raw.githubusercontent.com
192.168.197.131 registry.example.com
[root@registry harbor]# ping registry.example.com
PING registry.example.com (192.168.197.131) 56(84) bytes of data.
64 bytes from raw.githubusercontent.com (192.168.197.131): icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from raw.githubusercontent.com (192.168.197.131): icmp_seq=2 ttl=64 time=0.048 ms
[2]+ 已停止 ping registry.example.com
[root@registry harbor]# ls
1 common.sh harbor.v2.3.5.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
[root@registry harbor]# ls
1 common common.sh harbor.v2.3.5.tar.gz harbor.yml harbor.yml.tmpl input install.sh LICENSE prepare
[root@registry harbor]# vim harbor.yml
[root@registry harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.29.2
[Step 2]: loading Harbor images ...
Loaded image: goharbor/notary-server-photon:v2.3.5
Loaded image: goharbor/trivy-adapter-photon:v2.3.5
Loaded image: goharbor/harbor-log:v2.3.5
Loaded image: goharbor/harbor-registryctl:v2.3.5
Loaded image: goharbor/redis-photon:v2.3.5
Loaded image: goharbor/nginx-photon:v2.3.5
Loaded image: goharbor/prepare:v2.3.5
Loaded image: goharbor/harbor-exporter:v2.3.5
Loaded image: goharbor/notary-signer-photon:v2.3.5
Loaded image: goharbor/harbor-db:v2.3.5
Loaded image: goharbor/registry-photon:v2.3.5
Loaded image: goharbor/harbor-portal:v2.3.5
Loaded image: goharbor/harbor-core:v2.3.5
Loaded image: goharbor/harbor-jobservice:v2.3.5
Loaded image: goharbor/chartmuseum-photon:v2.3.5
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
localhost.localdomain主机 安装docker步骤同上面Harbor仓库安装docker步骤一致
localhost.localdomain主机 配置参数 insecure(不安全的),因为没有使用https,使用的是http
[root@registry harbor]# cat /etc/docker/daemon.json
{
"insecure-registries": ["registry.example.com"] # 添加Harbor仓库对应主机名
}
[root@registry harbor]# systemctl daemon-reload
[root@registry harbor]# systemctl restart docker
修改 localhost.localdomain主机 的hosts文件
[root@localhost ~]# ping registry.example.com
PING registry.example.com (192.168.97.131) 56(84) bytes of data.
64 bytes from registry.example.com (192.168.197.131): icmp_seq=1 ttl=64 time=1.91 ms
localhost.localdomain主机 使用docker来拉取官方镜像,然后传到刚搭建的Harbor仓库
[root@registry ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
3cb635b06aa2: Pull complete
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@localhost docker]# docker images # 查看
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 8 days ago 1.24MB
# 将busybox镜像改名并上传到刚搭建的Harbor仓库
[root@localhost docker]# docker tag busybox:latest registry.example.com/library/busybox:latest
[root@localhost docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 8 days ago 1.24MB
registry.example.com/library/busybox latest ffe9d497c324 8 days ago 1.24MB
# 登录
[root@localhost ~]# docker login registry.example.com
Username: admin
Password: # 密码为登录web界面的密码
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# 上传到Harbor仓库
[root@localhost ~]# docker push registry.example.com/library/busybox:latest
The push refers to repository [registry.example.com/library/busybox]
64cac9eaf0da: Pushed
latest: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527
web界面 查看
测试:删除 localhost.localdomain主机 本地镜像,从Harbor仓库拉取
# 删除前查看
[root@localhost ~]# docker images # 删除前查看
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 8 days ago 1.24MB
registry.example.com/library/busybox latest ffe9d497c324 8 days ago 1.24MB
# 删除镜像registry.example.com/library/busybox
[root@localhost ~]# docker rmi registry.example.com/library/busybox
Untagged: registry.example.com/library/busybox:latest
Untagged: registry.example.com/library/busybox@sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9
# 删除后查看
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 8 days ago 1.24MB
# 从Harbor仓库拉取镜像
[root@localhost ~]# docker push registry.example.com/library/busybox:latest
The push refers to repository [registry.example.com/library/busybox]
64cac9eaf0da: Pushed
latest: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527
# 查看
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest ffe9d497c324 8 days ago 1.24MB
registry.example.com/library/busybox latest ffe9d497c324 8 days ago 1.24MB