1. Environment preparation:
CentOS Linux release 7.4.1708 (Core)
docker 18.06.1-ce
docker-compose 1.22.0
ip 10.10.0.135
2. Installation method:
2.1 Harbor:
You can choose the online or the offline installer. If the machine can reach the internet normally, choose online; the required packages are pulled during installation. The offline installer is generally for hosts without internet access (it also works online); its packages are already bundled, so the archive is considerably larger.
Here I chose the online method:
https://github.com/goharbor/harbor/releases is the Harbor release page, where you can pick the version you need. The version I chose is v1.6.0 online.
(wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-online-installer-v1.6.0.tgz requires access to Google.)
2.2 docker-compose:
curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
2.3 Extract:
tar -xf harbor-online-installer-v1.6.0.tgz
[root@kubernetes-exam harbor]# grep -v "^#\|^$" harbor.cfg
_version = 1.6.0
hostname = 10.10.0.135
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
(Here I only changed hostname to this machine's IP; everything else was left at the default.)
Run the installer with bash ./install.sh. After installation, check:
[root@kubernetes-exam harbor]# docker images
REPOSITORY                    TAG             IMAGE ID       CREATED       SIZE
goharbor/redis-photon         v1.6.0          745667dc5aa8   8 weeks ago   214MB
goharbor/registry-photon      v2.6.2-v1.6.0   1ec7d8d4f0fd   8 weeks ago   201MB
goharbor/nginx-photon         v1.6.0          81df0f8a78c0   8 weeks ago   138MB
goharbor/harbor-log           v1.6.0          0f474b9d4565   8 weeks ago   203MB
goharbor/harbor-jobservice    v1.6.0          4e6a3afe6802   8 weeks ago   198MB
goharbor/harbor-ui            v1.6.0          9cf3894e769e   8 weeks ago   221MB
goharbor/harbor-adminserver   v1.6.0          14d9ee1bbda3   8 weeks ago   187MB
goharbor/harbor-db            v1.6.0          5c39f18ce348   8 weeks ago   225MB
[root@kubernetes-exam harbor]# docker ps
CONTAINER ID   IMAGE                                    COMMAND                  CREATED             STATUS                       PORTS                                                              NAMES
5df2353ac966   goharbor/harbor-jobservice:v1.6.0        "/harbor/start.sh"       About an hour ago   Up About an hour                                                                                harbor-jobservice
9b24ef0f204a   goharbor/nginx-photon:v1.6.0             "nginx -g 'daemon of…"   About an hour ago   Up About an hour (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
faa6245c2f15   goharbor/harbor-ui:v1.6.0                "/harbor/start.sh"       About an hour ago   Up About an hour (healthy)                                                                      harbor-ui
cf7e9739f9c5   goharbor/registry-photon:v2.6.2-v1.6.0   "/entrypoint.sh /etc…"   About an hour ago   Up About an hour (healthy)   5000/tcp                                                           registry
1b6f8dd70dc3   goharbor/harbor-adminserver:v1.6.0       "/harbor/start.sh"       About an hour ago   Up About an hour (healthy)                                                                      harbor-adminserver
f71e44823d36   goharbor/redis-photon:v1.6.0             "docker-entrypoint.s…"   About an hour ago   Up About an hour             6379/tcp                                                           redis
c771246886f2   goharbor/harbor-db:v1.6.0                "/entrypoint.sh post…"   About an hour ago   Up About an hour (healthy)   5432/tcp                                                           harbor-db
5750379b3cb1   goharbor/harbor-log:v1.6.0               "/bin/sh -c /usr/loc…"   About an hour ago   Up About an hour (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log
Log in to the web UI:
(Default account and password: admin/Harbor12345, which can be found in the configuration file harbor.cfg. After logging in, I changed the password to: Fzh411524.)
3. Using Harbor:
3.1 Because the default Harbor installation uses HTTP, while Registry v2 onwards requires HTTPS, you need to add the --insecure-registry option for it to the client Docker daemon and restart the Docker service. Note that a name listed under insecure-registries is contacted without certificate verification, and over plain HTTP if HTTPS is unavailable, so the list should only contain registries you control:
echo -e '{\n"insecure-registries":["k8s.gcr.io", "gcr.io", "quay.io"]\n}' > /etc/docker/daemon.json
systemctl restart docker.service
[root@kubernetes-exam harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.0.135 kubernetes-exam k8s.gcr.io
[root@fzh-hadoop03 docker]# docker login http://k8s.gcr.io
Username: admin
Password:
Login Succeeded
(Note: step 3.1 must be performed on every server in the cluster.)
3.2 Add a project in the Harbor UI:
3.3 Push and pull:
[root@kubernetes-exam harbor]# docker push k8s.gcr.io/fzh/busybox:1.0.0
The push refers to repository [k8s.gcr.io/fzh/busybox]
8a788232037e: Pushed
1.0.0: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
[root@fzh-hadoop03 docker]# docker pull k8s.gcr.io/fzh/busybox:1.0.0
1.0.0: Pulling from fzh/busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for k8s.gcr.io/fzh/busybox:1.0.0
4. HTTPS:
4.1 Create the CA certificate:
[root@k8s-harbor-registry CERT]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.........................++
............++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:10.10.0.135
Email Address []:harbor@163.com
[root@k8s-harbor-registry CERT]# ls
ca.crt  ca.key
[root@k8s-harbor-registry CERT]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.0.135 k8s-harbor-registry k8s.gcr.io www.tcharbor.com
4.2 Generate the certificate signing request:
[root@k8s-harbor-registry CERT]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.tcharbor.com.key -out www.tcharbor.com.csr
Note: for a detailed explanation of how the certificates are generated, see link 5.1.
[root@k8s-harbor-registry CERT]# ls
ca.crt  ca.key  www.tcharbor.com.csr  www.tcharbor.com.key
4.3 Generate the host certificate:
[root@k8s-harbor-registry CERT]# openssl x509 -req -days 365 -in www.tcharbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.tcharbor.com.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=FZH/OU=FZH/CN=www.tcharbor.com/emailAddress=tcharbor@163.com
Getting CA Private Key
[root@k8s-harbor-registry CERT]# ls
ca.crt  ca.key  ca.srl  www.tcharbor.com.crt  www.tcharbor.com.csr  www.tcharbor.com.key
[root@k8s-harbor-registry CERT]# cp www.tcharbor.com.crt www.tcharbor.com.key /root/cert/    (required)
[root@k8s-harbor-registry ~]# mkdir /etc/docker/certs.d/www.tcharbor.com/ -p
[root@k8s-harbor-registry cert]# ls
www.tcharbor.com.crt www.tcharbor.com.key
[root@k8s-harbor-registry cert]# cp www.tcharbor.com.crt /etc/docker/certs.d/www.tcharbor.com/    (required)
4.4 Edit harbor.cfg:
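The following script is an added example and not part of the original post. It carries out steps 4.1 to 4.3 non-interactively, adds a subjectAltName extension to the server certificate (since Go 1.15 the Go TLS stack that Docker is built with no longer falls back to the Common Name, so a CN-only certificate like the one above is rejected by newer clients), verifies that the server certificate chains to the CA, and installs the CA certificate under certs.d, which is the layout Docker documents (the post copies the server certificate instead; Docker reads every .crt in that directory as a trusted root, so both work). The hostname www.tcharbor.com, the IP 10.10.0.135 and the subject fields are taken from this post; the CA name harbor-ca, the function names and the output directory are my own assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): non-interactive CA + server
# certificate generation for a Harbor registry, with SAN and chain verification.
set -eu

# make_registry_certs OUTDIR HOSTNAME IP
# Produces ca.key, ca.crt, HOSTNAME.key, HOSTNAME.csr and HOSTNAME.crt in OUTDIR.
make_registry_certs() {
    outdir=$1; host=$2; ip=$3
    mkdir -p "$outdir"
    # 4.1: self-signed CA. An explicit config avoids prompts and makes the
    # CA:TRUE constraint independent of the system openssl.cnf.
    cat > "$outdir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
C = CN
O = CA
CN = harbor-ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -config "$outdir/ca.cnf" -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null
    # 4.2: server key + CSR (subject fields as in the post, hostname in CN)
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nC = CN\nST = SH\nL = SH\nO = FZH\nOU = FZH\nCN = %s\n' "$host" > "$outdir/server.cnf"
    openssl req -newkey rsa:4096 -nodes -sha256 -config "$outdir/server.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null
    # SAN: clients match the name (or IP) they connect to against SAN, not CN
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$outdir/san.ext"
    # 4.3: sign the CSR with the CA, adding the SAN extension
    openssl x509 -req -days 365 -sha256 -in "$outdir/$host.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/san.ext" -out "$outdir/$host.crt" 2>/dev/null
}

# verify_registry_cert OUTDIR HOSTNAME
# Returns 0 only if HOSTNAME.crt chains to ca.crt and carries HOSTNAME in its SAN.
verify_registry_cert() {
    outdir=$1; host=$2
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/$host.crt" -noout -text 2>/dev/null | grep -q "DNS:$host" || return 1
}

# install_client_trust OUTDIR HOSTNAME CERTS_ROOT
# Copies the CA certificate to CERTS_ROOT/HOSTNAME/ca.crt (CERTS_ROOT is
# /etc/docker/certs.d on a real client; a temp dir is used in the demo below).
install_client_trust() {
    mkdir -p "$3/$2"
    cp "$1/ca.crt" "$3/$2/ca.crt"
}

# Stand-alone demonstration in a temporary directory (constructed, not /root/cert)
demo=$(mktemp -d)
make_registry_certs "$demo" www.tcharbor.com 10.10.0.135
verify_registry_cert "$demo" www.tcharbor.com && echo "chain and SAN ok in $demo"
install_client_trust "$demo" www.tcharbor.com "$demo/certs.d"
```

For a real deployment, point ssl_cert and ssl_cert_key in harbor.cfg at OUTDIR/www.tcharbor.com.crt and OUTDIR/www.tcharbor.com.key, and run install_client_trust with /etc/docker/certs.d as the third argument on every client host.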
[root@k8s-harbor-registry ~]# grep -v "^#\|^$" harbor/harbor.cfg
_version = 1.6.0
hostname = www.tcharbor.com    (the IP address can be used instead)
ui_url_protocol = https
max_job_workers = 10
customize_crt = on
ssl_cert = /root/cert/www.tcharbor.com.crt
ssl_cert_key = /root/cert/www.tcharbor.com.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
4.5 Initialize:
[root@k8s-harbor-registry harbor]# ./prepare
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@k8s-harbor-registry harbor]# ls
common                          docker-compose.clair.yml   docker-compose.yml   harbor.cfg   LICENSE   open_source_license
docker-compose.chartmuseum.yml  docker-compose.notary.yml  ha                   install.sh   NOTICE    prepare
[root@k8s-harbor-registry harbor]# ll -htr
total 1.6M
-rwxr-xr-x. 1 root root  39K Sep 11 18:02 prepare
-rw-r--r--. 1 root root 1.5M Sep 11 18:02 open_source_license
-rw-r--r--. 1 root root  482 Sep 11 18:02 NOTICE
-rw-r--r--. 1 root root  11K Sep 11 18:02 LICENSE
-rwxr-xr-x. 1 root root 6.1K Sep 11 18:02 install.sh
drwxr-xr-x. 3 root root 4.0K Sep 11 18:02 ha
-rw-r--r--. 1 root root 3.6K Sep 11 18:02 docker-compose.yml
-rw-r--r--. 1 root root 1.3K Sep 11 18:02 docker-compose.notary.yml
-rw-r--r--. 1 root root  777 Sep 11 18:02 docker-compose.clair.yml
-rw-r--r--. 1 root root  727 Sep 11 18:02 docker-compose.chartmuseum.yml
-rw-r--r--. 1 root root 7.8K Nov  8 14:04 harbor.cfg
drwxr-xr-x. 4 root root   35 Nov  8 14:04 common
[root@k8s-harbor-registry harbor]# ls common/
config  templates
[root@k8s-harbor-registry harbor]# ls common/config/
adminserver  db  jobservice  log  nginx  registry  registryctl  ui
[root@k8s-harbor-registry harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-log
51be32cd3c9d: Pull complete
fd9cdcfcef45: Pull complete
4167b797c339: Pull complete
b22d11b0e478: Pull complete
d5aad3df7cee: Pull complete
bd43de1bbd44: Pull complete
7494eff3da48: Pull complete
Digest: sha256:27f9e24f28393a6052b71c93b1571f2269e1d3c489f4081996a099ac88ff56ff
Status: Downloaded newer image for goharbor/harbor-log:v1.6.0
Pulling registry (goharbor/registry-photon:v2.6.2-v1.6.0)...
v2.6.2-v1.6.0: Pulling from goharbor/registry-photon
51be32cd3c9d: Already exists
eaf5637d77d9: Pull complete
c68621c7e44d: Pull complete
314e16c23f49: Pull complete
e3f6c59a8a19: Pull complete
e4f08365b84c: Pull complete
29c822b725fa: Pull complete
Digest: sha256:070dcc29fb5b34cdcc982394ead57f598160fd61bd8daee4b2a5f39ea37bd7a0
Status: Downloaded newer image for goharbor/registry-photon:v2.6.2-v1.6.0
Pulling postgresql (goharbor/harbor-db:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-db
51be32cd3c9d: Already exists
16bdbb239be8: Pull complete
1f2308455a1a: Pull complete
886c09e06dee: Pull complete
4c74f43fb3f6: Pull complete
a5a85370032d: Pull complete
c393ddbdd7fb: Pull complete
ae546b8414b0: Pull complete
Digest: sha256:ee65d512c93860bd4872be296de80c079842a64e2a4002360e720222a87ec346
Status: Downloaded newer image for goharbor/harbor-db:v1.6.0
Pulling adminserver (goharbor/harbor-adminserver:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-adminserver
51be32cd3c9d: Already exists
a12ecf0fa8fc: Pull complete
3757394ad64f: Pull complete
26ceec7e26ff: Pull complete
e8d90789101d: Pull complete
Digest: sha256:c3ca012c2d69099ba4e3bbedc58ffe146fd10aa5129d44cc7d735edf6167959e
Status: Downloaded newer image for goharbor/harbor-adminserver:v1.6.0
Pulling ui (goharbor/harbor-ui:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-ui
51be32cd3c9d: Already exists
ec6a6b245304: Pull complete
a88d6c453ccb: Pull complete
d5e2e9e0086a: Pull complete
f8d7e9d8512c: Pull complete
a06b1a705b19: Pull complete
Digest: sha256:de332db437b8df6ce05203247cbf97ac9f4953672a8c22be8858aee47a0f435f
Status: Downloaded newer image for goharbor/harbor-ui:v1.6.0
Pulling redis (goharbor/redis-photon:v1.6.0)...
v1.6.0: Pulling from goharbor/redis-photon
51be32cd3c9d: Already exists
c400e93ba418: Pull complete
170ae129f67d: Pull complete
bffa31ec55cd: Pull complete
5b72a97a5506: Pull complete
Digest: sha256:4095dc26d6331b4d3c25377bc02d95501c51fbba99f31f9761d321bbc17803af
Status: Downloaded newer image for goharbor/redis-photon:v1.6.0
Pulling jobservice (goharbor/harbor-jobservice:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-jobservice
51be32cd3c9d: Already exists
ffcdeda0f50f: Pull complete
e69daf7ff175: Pull complete
840fbfb5576e: Pull complete
Digest: sha256:51d2bf14cd9d1bbf082793a0556ff949937655c67569a86424210a1455f60057
Status: Downloaded newer image for goharbor/harbor-jobservice:v1.6.0
Pulling proxy (goharbor/nginx-photon:v1.6.0)...
v1.6.0: Pulling from goharbor/nginx-photon
51be32cd3c9d: Already exists
edc138fa5ed7: Pull complete
Digest: sha256:3270c6fc3bdaaecd16280592e916e2cfcf7c5eb54ffc46d79b507b625e3fb4c6
Status: Downloaded newer image for goharbor/nginx-photon:v1.6.0
Creating harbor-log ... done
Creating redis ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-adminserver ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
[root@k8s-harbor-registry harbor]# docker ps
CONTAINER ID   IMAGE                                    COMMAND                  CREATED          STATUS                    PORTS                                                              NAMES
14936251ce61   goharbor/nginx-photon:v1.6.0             "nginx -g 'daemon of…"   37 seconds ago   Up 36 seconds (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
c9937695a6be   goharbor/harbor-jobservice:v1.6.0        "/harbor/start.sh"       38 seconds ago   Up 36 seconds                                                                                harbor-jobservice
7f19f7a91d4a   goharbor/harbor-ui:v1.6.0                "/harbor/start.sh"       38 seconds ago   Up 37 seconds (healthy)                                                                      harbor-ui
c8ae4682e20f   goharbor/harbor-db:v1.6.0                "/entrypoint.sh post…"   39 seconds ago   Up 37 seconds (healthy)   5432/tcp                                                           harbor-db
dd6ccde6e2b8   goharbor/harbor-adminserver:v1.6.0       "/harbor/start.sh"       39 seconds ago   Up 33 seconds (healthy)                                                                      harbor-adminserver
9471af19294b   goharbor/redis-photon:v1.6.0             "docker-entrypoint.s…"   39 seconds ago   Up 38 seconds             6379/tcp                                                           redis
ac75fcbe03a3   goharbor/registry-photon:v2.6.2-v1.6.0   "/entrypoint.sh /etc…"   39 seconds ago   Up 38 seconds (healthy)   5000/tcp                                                           registry
e664fe1a47a9   goharbor/harbor-log:v1.6.0               "/bin/sh -c /usr/loc…"   40 seconds ago   Up 39 seconds (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log
Log in at https://10.10.0.135 and create a new project: "fzh"
4.6 Push and pull:
[root@k8s-harbor-registry ~]# docker login -u admin -p Harbor12345 www.tcharbor.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-harbor-registry ~]# docker push www.tcharbor.com/fzh/busybox:1.0.0
The push refers to repository [www.tcharbor.com/fzh/busybox]
8a788232037e: Pushed
1.0.0: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
[root@k8s-node-01 ~]# docker login -u admin -p Harbor12345 www.tcharbor.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-node-01 ~]# docker pull www.tcharbor.com/fzh/busybox:1.0.0
1.0.0: Pulling from fzh/busybox
90e01955edcd: Pull complete
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for www.tcharbor.com/fzh/busybox:1.0.0
Push and pull work normally.
Note: the following must be done on every Docker server:
A. Add a record to /etc/hosts: 10.10.0.135 www.tcharbor.com
B. Copy the crt from the Harbor server to every Docker server: /etc/docker/certs.d/www.tcharbor.com/www.tcharbor.com.crt
C. Log in: docker login -u admin -p Harbor12345 www.tcharbor.com
With only A and B: pull works, push does not
With A, B and C: both pull and push work
5. Reference links:
5.1 https://github.com/goharbor/harbor/blob/release-1.4.0/docs/configure_https.md
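The checklist above as a script, added here as an example that is not part of the original post: it verifies steps A and B on a client host against files you point it at, and performs step C with the password read from stdin instead of the command line, which is what the warning printed by docker login in 4.6 recommends (the password then no longer appears in shell history or the process list). The registry name www.tcharbor.com and the IP 10.10.0.135 are taken from this post; the function names, the report format and the constructed demo files are my own.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): pre-login checks for a Docker
# client that should pull from and push to the Harbor registry.
set -u

# check_hosts_entry HOSTS_FILE IP HOSTNAME
# Returns 0 if HOSTS_FILE has an uncommented line mapping HOSTNAME to IP (step A).
check_hosts_entry() {
    hosts=$1; ip=$2; host=$3
    sed 's/#.*//' "$hosts" | awk -v ip="$ip" -v h="$host" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_client_cert CERTS_ROOT HOSTNAME
# Returns 0 if CERTS_ROOT/HOSTNAME/ holds at least one .crt file (step B).
# CERTS_ROOT is /etc/docker/certs.d on a real client.
check_client_cert() {
    dir="$1/$2"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.crt; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# harbor_login HOSTNAME USER
# Step C with the password on stdin, e.g.:  harbor_login www.tcharbor.com admin < pw.txt
harbor_login() {
    docker login -u "$2" --password-stdin "$1"
}

# run_checks HOSTS_FILE CERTS_ROOT IP HOSTNAME
# Prints one line per check and returns the number of failed checks
# (0 means A and B are satisfied and harbor_login can be attempted).
run_checks() {
    failed=0
    if check_hosts_entry "$1" "$3" "$4"; then
        echo "A ok: $4 -> $3 present in $1"
    else
        echo "A MISSING: add '$3 $4' to $1"; failed=$((failed + 1))
    fi
    if check_client_cert "$2" "$4"; then
        echo "B ok: registry certificate present in $2/$4"
    else
        echo "B MISSING: copy the registry .crt to $2/$4/"; failed=$((failed + 1))
    fi
    return $failed
}

# Stand-alone demonstration on constructed files (not the real /etc/hosts or certs.d)
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n10.10.0.135 www.tcharbor.com # harbor\n' > "$demo/hosts"
mkdir -p "$demo/certs.d/www.tcharbor.com"
: > "$demo/certs.d/www.tcharbor.com/www.tcharbor.com.crt"
run_checks "$demo/hosts" "$demo/certs.d" 10.10.0.135 www.tcharbor.com
```

On a real client run `run_checks /etc/hosts /etc/docker/certs.d 10.10.0.135 www.tcharbor.com` and only call harbor_login once it returns 0; a client that passes A and B but never logs in matches the "pull works, push does not" case in the note above.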