Harbor is a product VMware built on top of the Docker registry; its polished graphical interface, multi-tenancy and other features have made it widely used.
Harbor on GitHub: https://github.com/goharbor/harbor
Harbor features
- Cloud native registry: a registry for cloud-native workloads.
- Role based access control: role-based permissions for users.
- Policy based replication: image replication for high availability.
- Vulnerability Scanning: scans images for vulnerabilities.
- LDAP/AD support.
- OIDC support.
- Image deletion & garbage collection: images can be deleted and their storage reclaimed.
- Notary: ensures image authenticity.
- Graphical user portal: browse, search and manage projects in a web UI.
- Auditing: every operation against a repository is tracked.
- RESTful API: RESTful APIs that can be exercised with the Swagger UI.
- Easy deployment: online and offline installers are provided.
Prerequisites: on a Linux host, docker 17.06.0-ce+ and docker-compose 1.23.0+
Installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Installing Harbor. Harbor consists of several containers, and to keep deployment simple VMware orchestrates them with the single-host tool docker-compose, so docker and docker-compose must be installed first.
1. Install docker-compose: yum -y install docker-compose, or manually:
a. Download: curl -L "https://github.com/docker/compose/releases/download/1.27.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
b. Make it executable: chmod +x /usr/local/bin/docker-compose
c. Verify: docker-compose --version
2. Download the Harbor package: wget https://storage.googleapis.com/harbor-releases/release-2.7.0/harbor-offline-installer-v2.7.0.tgz
3. Extract it: tar -xvzf harbor-offline-installer-v2.7.0.tgz -C /usr/local/, then enter the harbor directory: cd harbor/
4. Edit the configuration: vi harbor.yml. Set the required parameters: hostname=192.168.68.135 (or a domain name). Harbor listens on the host's port 80 by default. Further down are the account and password used to log in to the UI (default admin / Harbor12345), the MySQL account and password (default root / root123), the image storage path and other optional settings. For HTTPS with a domain name, see the section at the bottom of this article.
5. Start the private registry: sh install.sh. The package is large (548 MB), so this takes a while; the script first loads the images from harbor.v2.7.0.tar.gz into the local Docker daemon. When the output ends with "successfully", Harbor has been installed.
6. Check the listening ports with netstat -tnlp; the host's port 80 is now being listened on.
7. Open http://192.168.68.135 in a browser and log in with admin / Harbor12345. If you chose the HTTPS-with-domain-name setup, add the IP-to-domain mapping to the hosts file of the machine you connect from.
8. Harbor is a multi-tenant platform, so create a new user named zhuyu. After logging in as that user, create a project named dev. A project contains repositories; click into one and follow the "push image" hint (shown in the figure) to tag images. The hint shows the tag format as centos2/dev/IMAGE, but centos2 must be replaced with the IP of the Harbor host, 192.168.68.135; images can then be pushed to Harbor.
9. Tag the image: docker tag webhttpd:v0.2 192.168.68.135/dev/webhttpd:v0.2
10. After the push succeeds, the image appears in the Harbor UI; clicking into it shows each tag, its size, author and other details.
11. On another machine, pull the image just pushed: docker pull 192.168.68.135/dev/webhttpd:v0.2; the download succeeds.
docker-compose download: https://github.com/docker/compose/releases
(GitHub)
curl -SL https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
(China mirror)
curl -L http://get.daocloud.io/docker/compose/releases/download/v2.17.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
Harbor HTTPS references:
https://goharbor.io/docs/2.2.0/install-config/configure-https/ (official docs)
https://blog.csdn.net/fly910905/article/details/127817508
mkdir -p /data/cert, then cd /data/cert
1. openssl genrsa -out ca.key 4096
2. openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=docker.harbor.com" \
-key ca.key \
-out ca.crt
3. openssl genrsa -out docker.harbor.com.key 4096
4. openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=docker.harbor.com" \
-key docker.harbor.com.key \
-out docker.harbor.com.csr
5. cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=docker.harbor.com
DNS.2=harbor.com
DNS.3=hostname
EOF
6. openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in docker.harbor.com.csr \
-out docker.harbor.com.crt
7. openssl x509 -inform PEM -in docker.harbor.com.crt -out docker.harbor.com.cert
8. Copy the files into the Docker certificate directory
mkdir -p /etc/docker/certs.d/docker.harbor.com
cp docker.harbor.com.cert /etc/docker/certs.d/docker.harbor.com/
cp docker.harbor.com.key /etc/docker/certs.d/docker.harbor.com/
cp ca.crt /etc/docker/certs.d/docker.harbor.com/
9. If the registry does not use port 443, the directory name must include the port:
mkdir -p /etc/docker/certs.d/docker.harbor.com:port, or /etc/docker/certs.d/harbor_IP:port
10. systemctl restart docker
11. Point harbor.yml at the certificate and key generated above:
https:
  port: 443
  certificate: /data/cert/docker.harbor.com.crt
  private_key: /data/cert/docker.harbor.com.key
12. On the client machine, copy /data/cert/docker.harbor.com.crt from the Harbor host into /etc/docker/certs.d/docker.harbor.com and restart docker.
13. On the client machine, add the line { "insecure-registries": ["docker.harbor.com"] } to /etc/docker/daemon.json and restart docker. Note that insecure-registries makes the daemon accept that registry's certificate without verification and fall back to plain HTTP, so it is only needed while the certificate from step 12 is not yet trusted.
14. On the client machine, add the IP-to-domain mapping to /etc/hosts: 192.168.148.150 docker.harbor.com
15. On the client machine, run docker login docker.harbor.com
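As an added example (not part of the original tutorial or of the Harbor project), a small Python audit of the harbor.yml settings from step 4 and the https block from step 11: it flags the default admin and database passwords, a missing https section, and an IP hostname that the DNS-only SANs in v3.ext cannot match. The YAML reader handles only the two-level subset harbor.yml uses, the sample configs are constructed, and the hardened passwords are placeholders.

```python
import re

DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # shipped default named in the tutorial
DEFAULT_DB_PASSWORD = "root123"         # shipped default named in the tutorial

def flatten_yaml(text):
    """Read the two-level YAML subset harbor.yml uses into a flat dict,
    e.g. 'https:\\n  port: 443' -> {'https': '', 'https.port': '443'}. Not a general parser."""
    flat, section = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop inline comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if line[0] != " ":                              # top-level key or section header
            section, flat[key] = key, value
        else:
            flat[f"{section}.{key}"] = value
    return flat

def audit(text):
    """Return finding codes for a harbor.yml text; [] means no weak setting was found."""
    cfg, findings = flatten_yaml(text), []
    if cfg.get("harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("default-admin-password")       # UI/API login with a public default
    if cfg.get("database.password") == DEFAULT_DB_PASSWORD:
        findings.append("default-db-password")          # backing database with a public default
    if not cfg.get("https.certificate"):
        findings.append("https-not-configured")         # logins, pushes and pulls in cleartext
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", cfg.get("hostname", "")):
        findings.append("hostname-is-ip")               # DNS-only SANs from v3.ext cannot match an IP
    return findings

# Constructed sample: the values the tutorial leaves at their defaults (step 4).
WEAK_YML = """hostname: 192.168.68.135
harbor_admin_password: Harbor12345
database:
  password: root123
"""
# Constructed sample: FQDN, the https block from step 11, placeholder (not real) secrets.
HARDENED_YML = """hostname: docker.harbor.com
https:
  port: 443
  certificate: /data/cert/docker.harbor.com.crt
  private_key: /data/cert/docker.harbor.com.key
harbor_admin_password: CHANGE-ME-strong-admin-secret
database:
  password: CHANGE-ME-strong-db-secret
"""
```

Run audit(open("harbor.yml").read()) against the file edited in step 4 before sh install.sh; an empty list means none of these four weak settings remain.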