一、介绍
Docker容器应用的开发和运行路不开可靠的镜像管理,虽然Docker官方也提供了公共的镜像仓库,但是从安全和效率等方面考虑,部署我们私有环境的Registry也是非常必要的。 Harbor是由VMware
公司开源的企业级的Docker Registry管理项目,它包括权限管理(RBAC)、LDAP、日志审核、管理界面、自我注册、镜像复制和中文支持等功能。
二、组件
用于部署 Harbor 的 Docker Compose 模板位于 /Deployer/docker-compose.yml. 打开这个模板文件,会发现 Harbor 由 5 个容器组成:
- proxy:由 Nginx 服务器构成的反向代理。
- registry:由 Docker 官方的开源 registry 镜像构成的容器实例。
- ui:即架构中的 core services, 构成此容器的代码是 Harbor 项目的主体。
- mysql:由官方 MySql 镜像构成的数据库容器。
- log: 运行着 rsyslogd 的容器,通过 log-driver 的形式收集其他容器的日志。
这几个容器通过 Docker link 的形式连接在一起,这样,在容器之间可以通过容器名字互相访问。对终端用户而言,只需要暴露 proxy (即 Nginx)的服务端口。
三、工作原理
Harbor私有镜像仓库无坑搭建 – 掘金juejin.im/post/5d9c2f25f265da5bbb1e3de5
实验目标
- 构建出一个企业级的docker仓库
- 存放自己私有的docker镜像
1.环境准备
- IP:10.0.0.28/24
- 操作系统:centos7
- 禁用swap分区
[root@harbor ~]# vim /etc/fstab
#/dev/mapper/centos-swap swap swap defaults 0 0
- 修改主机名和时间同步
[root@harbor ~]# vim chrony.sh
[root@harbor ~]# chmod a+x chrony.sh
[root@harbor ~]# ./chrony.sh
hostnamectl set-hostname harbor
bash
yum install chrony -y
systemctl enable chronyd.service
systemctl start chronyd.service
timedatectl set-timezone Asia/Shanghai
chronyc sources
[root@harbor ~]# cat chrony.sh
#!/bin/bash
hostnamectl set-hostname harbor
bash
yum install chrony -y
systemctl enable chronyd.service
systemctl start chronyd.service
timedatectl set-timezone Asia/Shanghai
chronyc sources
- 关闭防火墙和关闭selinux
[root@harbor ~]# vim firewall.sh
[root@harbor ~]# chmod a+x firewall.sh
[root@harbor ~]# ./firewall.sh
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@harbor ~]# grep -v '^#' /etc/sysconfig/selinux | grep -v '^$'
SELINUX=disabled
SELINUXTYPE=targeted
[root@harbor ~]# cat firewall.sh
#!/bin/bash
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
2.安装Docker、Docker-compose
2.1安装Docker-CE
[root@harbor ~]# cat docker.sh
#!/bin/bash
yum install python-devel libffi-devel gcc openssl-devel libselinux-python -y
yum install yum-utils lvm2 device-mapper-persistent-data -y
yum-config-manager --add-repo \
https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum repolist
yum install docker-ce docker-ce-cli containerd.io -y
systemctl enable docker.service
systemctl start docker.service
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://7j94f0p5.mirror.aliyuncs.com"]
}
EOF
systemctl restart docker.service
[root@harbor ~]# chmod a+x docker.sh
[root@harbor ~]# ./docker.sh
# 查看版本
[root@harbor ~]# docker --version
Docker version 19.03.9, build 9d988398e7
2.2.安装Docker-compose
docker/composegithub.com/docker/compose/releases
[root@harbor ~]# wget -c https://github.com/docker/compose/releases/download/1.25.5/docker-compose-Linux-x86_64
[root@harbor ~]# mv docker-compose-Linux-x86_64 /usr/bin/docker
docker dockerd docker-init docker-proxy
[root@harbor ~]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
[root@harbor ~]# chmod a+x /usr/bin/docker-compose
[root@harbor ~]# docker-compose --version
docker-compose version 1.25.5, build 8a1c60f6
3.安装离线安装包
3.1下载harbor离线安装包并解压
https://github.com/goharbor/harbor/releasesgithub.com/goharbor/harbor/releases
[root@harbor ~]# wget -c https://github.com/goharbor/harbor/releases/download/v2.0.0/harbor-offline-installer-v2.0.0.tgz
[root@harbor ~]# tar -xf harbor-offline-installer-v2.0.0.tgz
3.2.配置harbor
## 创建 https 证书
# 创建证书目录,并赋予权限
[root@harbor ~]# mkdir /https/ca -p
[root@harbor ~]# chmod -R 777 /https/ca/
[root@harbor ~]# cd /https/ca/
# 生成私钥,需要设置密码:1234
[root@harbor ca]# openssl genrsa -des3 -out harbor.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for harbor.key:
Verifying - Enter pass phrase for harbor.key:
# 生成CA证书,需要输入密码1234
[root@harbor ca]# openssl req -sha512 -new \
> -subj "/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=10.0.0.28" \
> -key harbor.key \
> -out harbor.csr
Enter pass phrase for harbor.key:1234
# 备份证书
[root@harbor ca]# cp harbor.key harbor.key.org
# 退掉私钥密码,以便docker访问(也可以参考官方进行双向认证)
[root@harbor ca]# openssl rsa -in harbor.key.org -out harbor.key
Enter pass phrase for harbor.key.org:
writing RSA key
# 使用证书进行签名
[root@harbor ca]# openssl x509 -req -days 100000 -in harbor.csr -signkey harbor.key -out harbor.crt
Signature ok
subject=/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=10.0.0.28
Getting Private key
[root@harbor ~]# cd harbor/
[root@harbor harbor]# vim harbor.yml
hostname: 10.0.0.28
http:
port: 8080
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /https/ca/harbor.crt
private_key: /https/ca/harbor.key
harbor_admin_password: Com.123
3.3.安装harbor
- –with-clair参数是启用漏洞扫描功能
[root@harbor harbor]# ./install.sh --with-clair
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.9
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.25.5
[Step 2]: loading Harbor images ...
Loaded image: goharbor/notary-signer-photon:v2.0.0
Loaded image: goharbor/clair-adapter-photon:v2.0.0
Loaded image: goharbor/chartmuseum-photon:v2.0.0
Loaded image: goharbor/harbor-log:v2.0.0
Loaded image: goharbor/harbor-registryctl:v2.0.0
Loaded image: goharbor/registry-photon:v2.0.0
Loaded image: goharbor/clair-photon:v2.0.0
Loaded image: goharbor/notary-server-photon:v2.0.0
Loaded image: goharbor/redis-photon:v2.0.0
Loaded image: goharbor/nginx-photon:v2.0.0
Loaded image: goharbor/harbor-core:v2.0.0
Loaded image: goharbor/harbor-db:v2.0.0
Loaded image: goharbor/harbor-jobservice:v2.0.0
Loaded image: goharbor/trivy-adapter-photon:v2.0.0
Loaded image: goharbor/prepare:v2.0.0
Loaded image: goharbor/harbor-portal:v2.0.0
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/clair/postgresql-init.d/README.md
Clearing the configuration file: /config/clair/postgres_env
Clearing the configuration file: /config/clair/config.yaml
Clearing the configuration file: /config/clair/clair_env
Clearing the configuration file: /config/clair-adapter/env
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Copying offline data file for clair DB
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Generated configuration file: /config/clair-adapter/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping clair-adapter ... done
Stopping harbor-core ... done
Stopping clair ... done
Stopping registryctl ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-portal ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing clair-adapter ... done
Removing harbor-core ... done
Removing clair ... done
Removing registryctl ... done
Removing harbor-db ... done
Removing redis ... done
Removing registry ... done
Removing harbor-portal ... done
Removing harbor-log ... done
Removing network harbor_harbor
Removing network harbor_harbor-clair
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating registry ... done
Creating clair ... done
Creating harbor-core ... done
Creating clair-adapter ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
````
```shell
[root@harbor ~]# docker ps | grep harbor
80e271e93f01 goharbor/nginx-photon:v2.0.0 "nginx -g 'daemon of…" 58 seconds ago Up 56 seconds (healthy) 0.0.0.0:80->8080/tcp nginx
381d9b6acd70 goharbor/harbor-jobservice:v2.0.0 "/harbor/entrypoint.…" 58 seconds ago Up 56 seconds (healthy) harbor-jobservice
a671be5e41de goharbor/clair-adapter-photon:v2.0.0 "/home/clair-adapter…" 59 seconds ago Up 57 seconds (healthy) 8080/tcp clair-adapter
7299713c6d14 goharbor/harbor-core:v2.0.0 "/harbor/entrypoint.…" 59 seconds ago Up 57 seconds (healthy) harbor-core
40a513e14e56 goharbor/clair-photon:v2.0.0 "./docker-entrypoint…" About a minute ago Up 54 seconds (healthy) 6060-6061/tcp clair
6332dfdc874d goharbor/harbor-db:v2.0.0 "/docker-entrypoint.…" About a minute ago Up 59 seconds (healthy) 5432/tcp harbor-db
f19de1b32a9b goharbor/redis-photon:v2.0.0 "redis-server /etc/r…" About a minute ago Up 59 seconds (healthy) 6379/tcp redis
7c216088e9bf goharbor/registry-photon:v2.0.0 "/home/harbor/entryp…" About a minute ago Up 59 seconds (healthy) 5000/tcp registry
420c77a7692a goharbor/harbor-registryctl:v2.0.0 "/home/harbor/start.…" About a minute ago Up 59 seconds (healthy) registryctl
00abe613b13c goharbor/harbor-portal:v2.0.0 "nginx -g 'daemon of…" About a minute ago Up 59 seconds (healthy) 8080/tcp harbor-portal
d7634d1b25e4 goharbor/harbor-log:v2.0.0 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@harbor ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/chartmuseum-photon v2.0.0 4db8d6aa63e9 2 weeks ago 127MB
goharbor/redis-photon v2.0.0 c89ea2e53cc0 2 weeks ago 72.2MB
goharbor/trivy-adapter-photon v2.0.0 6122c52b7e48 2 weeks ago 103MB
goharbor/clair-adapter-photon v2.0.0 dd2210cb7f53 2 weeks ago 62MB
goharbor/clair-photon v2.0.0 f7c7fcc52278 2 weeks ago 171MB
goharbor/notary-server-photon v2.0.0 983ac10ed8be 2 weeks ago 143MB
goharbor/notary-signer-photon v2.0.0 bee1b6d75e0d 2 weeks ago 140MB
goharbor/harbor-registryctl v2.0.0 c53c32d58d04 2 weeks ago 102MB
goharbor/registry-photon v2.0.0 afdc1b7ada36 2 weeks ago 84.5MB
goharbor/nginx-photon v2.0.0 17892f03e56c 2 weeks ago 43.6MB
goharbor/harbor-log v2.0.0 5f8ff08e795c 2 weeks ago 82MB
goharbor/harbor-jobservice v2.0.0 c68a2495bf55 2 weeks ago 116MB
goharbor/harbor-core v2.0.0 3aa3af64baf8 2 weeks ago 138MB
goharbor/harbor-portal v2.0.0 e0b1d3c894c4 2 weeks ago 52.4MB
goharbor/harbor-db v2.0.0 5c76f0296cec 2 weeks ago 154MB
goharbor/prepare v2.0.0 7266d49995ed 2 weeks ago 158MB
4.测试访问
5.配置私有仓库
5.1.创建用户
- 点击系统管理>>用户管理>>创建用户
5.2.创建项目
- 点击项目>>新建项目
5.3.查看拉取镜像命令
- 在项目里面,添加成员 ,角色为开发人员,具有推送拉取镜像的权限
6.拉取镜像,并打标上传到我的私有仓库
# 配置配置镜像仓库地址并重启docker和harbor服务
[root@harbor ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://7bc3o1s2.mirror.aliyuncs.com"],
"insecure-registries": ["http://10.0.0.28:8080"]
}
# 拉取Nginx镜像作为测试使用
[root@harbor ~]# docker pull nginx:1.16
# 给镜像打上标签
- 镜像仓库地址/项目名称/标签信息
[root@harbor ~]# docker image tag nginx:1.16.0 10.0.0.28:8080/yichen/nginx:1.16.1
# 登录仓库
[root@harbor ~]# docker login http://10.0.0.28:8080
Username: yc
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor ~]# docker push 10.0.0.28:8080/yichen/nginx:1.16.1
The push refers to repository [10.0.0.28:8080/yichen/nginx]
0cf13b8a00f5: Pushed
aed8cc46f92f: Pushed
6f338879a1ed: Pushed
2128e66a9b5a: Pushed
d041fdc398d8: Pushed
92177924583e: Pushed
6fec07606ed4: Pushed
790be8671d28: Pushed
bc09170fcda4: Pushed
20b846dd4d87: Pushed
89b00f8d475b: Pushed
5ce9028f7a02: Pushed
15862b2d78f3: Pushed
b047677013ff: Pushed
74eba46650c4: Pushed
bf73eb7db5db: Pushed
d4933e6f78f4: Pushed
edf3aa290fb3: Pushed
1.16.1: digest: sha256:84f46a80263e7adb96459b3cfcd5ed8db35b8fb93aad8a423bcfeecd4f759980 size: 4056
正文完
可以使用微信扫码关注公众号(ID:xzluomor)