Setting Up a Harbor Private Image Registry


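I. Introduction

Developing and running Docker container applications depends on reliable image management. Docker does provide a public image registry, but for reasons of security and efficiency it is also well worth deploying a Registry inside our own private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. Its features include role-based access control (RBAC), LDAP, log auditing, a management UI, self-registration, image replication, and Chinese-language support.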

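II. Components

The Docker Compose template used to deploy Harbor is located at /Deployer/docker-compose.yml. Opening this template shows that Harbor consists of 5 containers:

  • proxy: a reverse proxy built on an Nginx server.
  • registry: a container instance built from Docker's official open-source registry image.
  • ui: the core services in the architecture; the code in this container is the main body of the Harbor project.
  • mysql: a database container built from the official MySQL image.
  • log: a container running rsyslogd, which collects the other containers' logs through the log-driver mechanism.

These containers are connected through Docker links, so they can reach one another by container name. Only the service port of the proxy (that is, Nginx) needs to be exposed to end users.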

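III. How It Works

Pitfall-free Harbor private image registry setup (Juejin): juejin.im/post/5d9c2f25f265da5bbb1e3de5

Lab goals

  • Build an enterprise-grade Docker registry
  • Store our own private Docker images

1. Environment preparation

  1. IP: 10.0.0.28/24
  2. Operating system: CentOS 7
  • Disable the swap partition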
[root@harbor ~]# vim  /etc/fstab   
#/dev/mapper/centos-swap swap                    swap    defaults        0 0
  • Set the hostname and configure time synchronization
[root@harbor ~]# vim  chrony.sh
[root@harbor ~]# chmod a+x  chrony.sh  
[root@harbor ~]# ./chrony.sh
hostnamectl  set-hostname   harbor
bash
yum install  chrony  -y
systemctl  enable  chronyd.service 
systemctl  start  chronyd.service 
timedatectl set-timezone Asia/Shanghai
chronyc   sources
[root@harbor ~]# cat  chrony.sh 
#!/bin/bash
hostnamectl  set-hostname   harbor
bash
yum install  chrony  -y
systemctl  enable  chronyd.service 
systemctl  start  chronyd.service 
timedatectl set-timezone Asia/Shanghai
chronyc   sources
  • Disable the firewall and SELinux
[root@harbor ~]# vim  firewall.sh
[root@harbor ~]# chmod  a+x firewall.sh 
[root@harbor ~]# ./firewall.sh 
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@harbor ~]# grep  -v '^#' /etc/sysconfig/selinux | grep -v '^$' 
SELINUX=disabled
SELINUXTYPE=targeted 
[root@harbor ~]# cat firewall.sh 
#!/bin/bash
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config

2. Install Docker and Docker Compose

2.1 Install Docker-CE

[root@harbor ~]# cat docker.sh 
#!/bin/bash
yum install python-devel libffi-devel gcc openssl-devel libselinux-python  -y
yum  install  yum-utils  lvm2 device-mapper-persistent-data  -y
yum-config-manager --add-repo \
https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum  repolist 
yum install docker-ce docker-ce-cli containerd.io -y
systemctl  enable docker.service 
systemctl   start  docker.service
tee /etc/docker/daemon.json <<-'EOF'
{
   "registry-mirrors": ["https://7j94f0p5.mirror.aliyuncs.com"]
}
EOF
systemctl  restart  docker.service 
[root@harbor ~]# chmod  a+x  docker.sh 
[root@harbor ~]# ./docker.sh 
# Check the version
[root@harbor ~]# docker --version
Docker version 19.03.9, build 9d988398e7

2.2 Install Docker Compose

docker/compose releases: github.com/docker/compose/releases

[root@harbor ~]# wget -c  https://github.com/docker/compose/releases/download/1.25.5/docker-compose-Linux-x86_64
[root@harbor ~]# mv docker-compose-Linux-x86_64  /usr/bin/docker-compose
[root@harbor ~]# chmod  a+x /usr/bin/docker-compose 
[root@harbor ~]# docker-compose  --version
docker-compose version 1.25.5, build 8a1c60f6

3. Install from the offline installer package

3.1 Download and extract the Harbor offline installer

https://github.com/goharbor/harbor/releases

[root@harbor ~]# wget -c https://github.com/goharbor/harbor/releases/download/v2.0.0/harbor-offline-installer-v2.0.0.tgz
[root@harbor ~]# tar -xf harbor-offline-installer-v2.0.0.tgz

3.2 Configure Harbor

## Create the HTTPS certificate
# Create the certificate directory and set its permissions
[root@harbor ~]# mkdir  /https/ca  -p
[root@harbor ~]# chmod  -R 777 /https/ca/
[root@harbor ~]# cd /https/ca/
# Generate the private key; a passphrase must be set: 1234
[root@harbor ca]# openssl genrsa -des3 -out harbor.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for harbor.key:
Verifying - Enter pass phrase for harbor.key:
# Generate the certificate signing request (CSR); enter the passphrase 1234
[root@harbor ca]# openssl req -sha512 -new \
>     -subj "/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=10.0.0.28" \
>     -key harbor.key \
>     -out harbor.csr
Enter pass phrase for harbor.key:1234
# Back up the private key
[root@harbor ca]# cp harbor.key  harbor.key.org
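# Remove the passphrase from the private key so that Docker can use it (you can also follow the official documentation to set up mutual authentication)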
[root@harbor ca]# openssl rsa -in harbor.key.org -out harbor.key
Enter pass phrase for harbor.key.org:
writing RSA key
# Self-sign the certificate with the private key
[root@harbor ca]# openssl x509 -req -days 100000  -in harbor.csr -signkey harbor.key -out harbor.crt
Signature ok
subject=/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=10.0.0.28
Getting Private key
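
The certificate above names the host only in the CN, but Go-based clients such as the Docker daemon check an IP address against the certificate's IP subjectAltName entries, and chmod -R 777 leaves the key directory writable by every local user. The following added example (not from the original post) issues a self-signed certificate for 10.0.0.28 with an IP SAN into an owner-only directory. The function names, the output-directory argument and the 825-day validity are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. make_harbor_cert, cert_sans,
# key_mode and the 825-day validity are assumptions of this example.

# Runs in a subshell "( ... )" so the umask change does not leak to the caller.
make_harbor_cert() (
    ip="$1"; out_dir="$2"
    umask 077                       # directory 0700, files 0600
    mkdir -p "$out_dir" || exit 1

    # Subject taken from the page; the [v3] section adds the IP SAN.
    cat > "$out_dir/harbor.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
C = CN
ST = JS
L = WX
O = zwx
OU = jhmy
CN = $ip
[v3]
subjectAltName = IP:$ip
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # -nodes: no passphrase, as in the page's final harbor.key; the file mode protects it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -config "$out_dir/harbor.cnf" \
        -keyout "$out_dir/harbor.key" -out "$out_dir/harbor.crt" 2>/dev/null || exit 1
    chmod 600 "$out_dir/harbor.key"
)

# Print the certificate's SAN entries, e.g. "IP Address:10.0.0.28".
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

# Print the permission string of a file as ls shows it, e.g. "-rw-------".
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo in a throw-away directory (constructed); on the Harbor host pass /https/ca.
demo_dir=$(mktemp -d)
make_harbor_cert 10.0.0.28 "$demo_dir" && cert_sans "$demo_dir/harbor.crt"
rm -rf "$demo_dir"
```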

[root@harbor ~]# cd  harbor/
[root@harbor harbor]# vim  harbor.yml
hostname: 10.0.0.28
http:
  port: 8080
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /https/ca/harbor.crt
  private_key: /https/ca/harbor.key
harbor_admin_password: Com.123

3.3 Install Harbor

  • The --with-clair option enables the vulnerability scanning feature
[root@harbor harbor]# ./install.sh  --with-clair

[Step 0]: checking if docker is installed ...

Note: docker version: 19.03.9

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.25.5

[Step 2]: loading Harbor images ...
Loaded image: goharbor/notary-signer-photon:v2.0.0
Loaded image: goharbor/clair-adapter-photon:v2.0.0
Loaded image: goharbor/chartmuseum-photon:v2.0.0
Loaded image: goharbor/harbor-log:v2.0.0
Loaded image: goharbor/harbor-registryctl:v2.0.0
Loaded image: goharbor/registry-photon:v2.0.0
Loaded image: goharbor/clair-photon:v2.0.0
Loaded image: goharbor/notary-server-photon:v2.0.0
Loaded image: goharbor/redis-photon:v2.0.0
Loaded image: goharbor/nginx-photon:v2.0.0
Loaded image: goharbor/harbor-core:v2.0.0
Loaded image: goharbor/harbor-db:v2.0.0
Loaded image: goharbor/harbor-jobservice:v2.0.0
Loaded image: goharbor/trivy-adapter-photon:v2.0.0
Loaded image: goharbor/prepare:v2.0.0
Loaded image: goharbor/harbor-portal:v2.0.0


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/clair/postgresql-init.d/README.md
Clearing the configuration file: /config/clair/postgres_env
Clearing the configuration file: /config/clair/config.yaml
Clearing the configuration file: /config/clair/clair_env
Clearing the configuration file: /config/clair-adapter/env
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Copying offline data file for clair DB
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Generated configuration file: /config/clair-adapter/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir


Note: stopping existing Harbor instance ...
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping clair-adapter     ... done
Stopping harbor-core       ... done
Stopping clair             ... done
Stopping registryctl       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing clair-adapter     ... done
Removing harbor-core       ... done
Removing clair             ... done
Removing registryctl       ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing registry          ... done
Removing harbor-portal     ... done
Removing harbor-log        ... done
Removing network harbor_harbor
Removing network harbor_harbor-clair


[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating registry      ... done
Creating clair         ... done
Creating harbor-core   ... done
Creating clair-adapter     ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
✔ ----Harbor has been installed and started successfully.----
[root@harbor ~]# docker ps | grep harbor
80e271e93f01        goharbor/nginx-photon:v2.0.0           "nginx -g 'daemon of…"   58 seconds ago       Up 56 seconds (healthy)       0.0.0.0:80->8080/tcp        nginx
381d9b6acd70        goharbor/harbor-jobservice:v2.0.0      "/harbor/entrypoint.…"   58 seconds ago       Up 56 seconds (healthy)                                   harbor-jobservice
a671be5e41de        goharbor/clair-adapter-photon:v2.0.0   "/home/clair-adapter…"   59 seconds ago       Up 57 seconds (healthy)       8080/tcp                    clair-adapter
7299713c6d14        goharbor/harbor-core:v2.0.0            "/harbor/entrypoint.…"   59 seconds ago       Up 57 seconds (healthy)                                   harbor-core
40a513e14e56        goharbor/clair-photon:v2.0.0           "./docker-entrypoint…"   About a minute ago   Up 54 seconds (healthy)       6060-6061/tcp               clair
6332dfdc874d        goharbor/harbor-db:v2.0.0              "/docker-entrypoint.…"   About a minute ago   Up 59 seconds (healthy)       5432/tcp                    harbor-db
f19de1b32a9b        goharbor/redis-photon:v2.0.0           "redis-server /etc/r…"   About a minute ago   Up 59 seconds (healthy)       6379/tcp                    redis
7c216088e9bf        goharbor/registry-photon:v2.0.0        "/home/harbor/entryp…"   About a minute ago   Up 59 seconds (healthy)       5000/tcp                    registry
420c77a7692a        goharbor/harbor-registryctl:v2.0.0     "/home/harbor/start.…"   About a minute ago   Up 59 seconds (healthy)                                   registryctl
00abe613b13c        goharbor/harbor-portal:v2.0.0          "nginx -g 'daemon of…"   About a minute ago   Up 59 seconds (healthy)       8080/tcp                    harbor-portal
d7634d1b25e4        goharbor/harbor-log:v2.0.0             "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp   harbor-log
[root@harbor ~]# docker  images
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
goharbor/chartmuseum-photon     v2.0.0              4db8d6aa63e9        2 weeks ago         127MB
goharbor/redis-photon           v2.0.0              c89ea2e53cc0        2 weeks ago         72.2MB
goharbor/trivy-adapter-photon   v2.0.0              6122c52b7e48        2 weeks ago         103MB
goharbor/clair-adapter-photon   v2.0.0              dd2210cb7f53        2 weeks ago         62MB
goharbor/clair-photon           v2.0.0              f7c7fcc52278        2 weeks ago         171MB
goharbor/notary-server-photon   v2.0.0              983ac10ed8be        2 weeks ago         143MB
goharbor/notary-signer-photon   v2.0.0              bee1b6d75e0d        2 weeks ago         140MB
goharbor/harbor-registryctl     v2.0.0              c53c32d58d04        2 weeks ago         102MB
goharbor/registry-photon        v2.0.0              afdc1b7ada36        2 weeks ago         84.5MB
goharbor/nginx-photon           v2.0.0              17892f03e56c        2 weeks ago         43.6MB
goharbor/harbor-log             v2.0.0              5f8ff08e795c        2 weeks ago         82MB
goharbor/harbor-jobservice      v2.0.0              c68a2495bf55        2 weeks ago         116MB
goharbor/harbor-core            v2.0.0              3aa3af64baf8        2 weeks ago         138MB
goharbor/harbor-portal          v2.0.0              e0b1d3c894c4        2 weeks ago         52.4MB
goharbor/harbor-db              v2.0.0              5c76f0296cec        2 weeks ago         154MB
goharbor/prepare                v2.0.0              7266d49995ed        2 weeks ago         158MB

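4. Test access

5. Configure the private registry

5.1 Create a user

  • Click System Administration >> User Management >> Create User

5.2 Create a project

  • Click Projects >> New Project

5.3 View the image pull command

  • In the project, add a member with the Developer role, which has permission to push and pull images

6. Pull an image, tag it, and push it to the private registry

# Configure the registry address, then restart the Docker and Harbor services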
[root@harbor ~]# cat  /etc/docker/daemon.json 
{
   "registry-mirrors": ["https://7bc3o1s2.mirror.aliyuncs.com"],
   "insecure-registries": ["http://10.0.0.28:8080"]
}
# Pull the Nginx image to use for testing
[root@harbor ~]# docker  pull  nginx:1.16
# Tag the image
- registry address/project name/tag information
[root@harbor ~]# docker image tag  nginx:1.16  10.0.0.28:8080/yichen/nginx:1.16.1
# Log in to the registry
[root@harbor ~]# docker login http://10.0.0.28:8080
Username: yc
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor ~]# docker push 10.0.0.28:8080/yichen/nginx:1.16.1
The push refers to repository [10.0.0.28:8080/yichen/nginx]
0cf13b8a00f5: Pushed 
aed8cc46f92f: Pushed 
6f338879a1ed: Pushed 
2128e66a9b5a: Pushed 
d041fdc398d8: Pushed 
92177924583e: Pushed 
6fec07606ed4: Pushed 
790be8671d28: Pushed 
bc09170fcda4: Pushed 
20b846dd4d87: Pushed 
89b00f8d475b: Pushed 
5ce9028f7a02: Pushed 
15862b2d78f3: Pushed 
b047677013ff: Pushed 
74eba46650c4: Pushed 
bf73eb7db5db: Pushed 
d4933e6f78f4: Pushed 
edf3aa290fb3: Pushed 
1.16.1: digest: sha256:84f46a80263e7adb96459b3cfcd5ed8db35b8fb93aad8a423bcfeecd4f759980 size: 4056
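
An insecure-registries entry tells the Docker daemon to accept plain HTTP or unverified TLS for that registry, which bypasses the HTTPS listener configured in section 3.2. The following added example (not from the original post) lists such entries in a daemon.json and shows the alternative of trusting the Harbor certificate through Docker's per-registry certs.d directory. The function names and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the optional
# certs.d root argument are assumptions of this example.

# Print every "insecure-registries" entry of a daemon.json, one per line.
insecure_registries() {
    tr -d '\n' < "$1" |
        grep -o '"insecure-registries"[^]]*]' |
        sed 's/^"insecure-registries"//' |
        grep -o '"[^"]*"' | tr -d '"'
}

# Install a registry's CA (or self-signed) certificate where the Docker daemon
# looks it up: <root>/<host[:port]>/ca.crt. Prints the installed path.
trust_registry_ca() {
    registry="$1"; cert="$2"; root="${3:-/etc/docker/certs.d}"
    mkdir -p "$root/$registry" &&
        cp "$cert" "$root/$registry/ca.crt" &&
        printf '%s\n' "$root/$registry/ca.crt"
}

# Demo on constructed files in a throw-away directory.
demo=$(mktemp -d)
cat > "$demo/daemon.json" <<'EOF'
{
   "registry-mirrors": ["https://7bc3o1s2.mirror.aliyuncs.com"],
   "insecure-registries": ["http://10.0.0.28:8080"]
}
EOF
echo "constructed placeholder for harbor.crt" > "$demo/harbor.crt"

echo "insecure entries:"; insecure_registries "$demo/daemon.json"
echo "CA installed at:";  trust_registry_ca 10.0.0.28 "$demo/harbor.crt" "$demo/certs.d"
rm -rf "$demo"
```

With the certificate trusted, the insecure-registries line can be removed from daemon.json and, after systemctl restart docker, images are tagged and pushed as 10.0.0.28/yichen/nginx:1.16.1 over HTTPS on port 443. This requires that the certificate lists 10.0.0.28 as an IP subjectAltName.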