Harbor: Introduction, Deployment, and Usage

Harbor

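Whether you build a private registry with docker-distribution or by running the official registry image as a container, the earlier demonstrations show that the result is very bare-bones. Managing images directly on the official Docker Hub is more convenient: Docker Hub at least offers a web interface for managing and searching images, and it can build images automatically from a Dockerfile using Webhooks and Automated Builds. Users do not need to run docker build locally; they push all the files of the build context to GitHub as a repository, and Docker Hub pulls those files from GitHub to complete the automated build.

But however powerful the official Docker Hub is, it is hosted overseas, so speed is the biggest bottleneck, and in many cases using the official registry is simply not an option. The two self-hosted approaches above are too bare-bones and hard to manage, which is why a project favored by the CNCF later emerged: Harbor.

About Harbor

Harbor is VMware's wrapper around Docker Registry: it adds many extra components on top of it and provides a very attractive web interface.

  • Project Harbor is an open-source trusted cloud native registry project that stores, signs, and scans content.

  • Harbor extends the open-source Docker Distribution by adding functionality users usually need, such as security, identity, and management.

  • Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.

Harbor features

For example:

  • Multi-tenant content signing and validation
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently English and Chinese)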

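Docker Compose

Deploying Harbor directly on a physical machine is very difficult. To simplify this, the Harbor project ships Harbor as an application that runs in containers. Harbor depends on several storage systems such as redis, mysql, and pgsql, so many containers have to be orchestrated to work together. Deploying and using VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose.

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from your configuration.

Docker Compose installation documentation

Visit the website

Deploying Harbor

Harbor installation documentation

Visit the website; the detailed steps are as follows:

Installation procedure

  1. Make sure your target host meets the installation prerequisites (Harbor Installer Precondition)
  2. Download and install Harbor (Download the Harbor Installer)
  3. Configure the HTTPS access port (Configure HTTPS Access to Harbor)
  4. Configure the Harbor YML file (Configure the Harbor YML File)
  5. Configure and enable internal TLS (Configure Enabling Internal TLS)
  6. Run the installer script (Run the Installer Script)

Preparation

Download the installation package

Harbor package download page on GitHub

Download the version you need and transfer it to the host with xftp.

Configure the environment

Environment configuration documentation

Environment requirements: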

Software         Version                          Description
Docker engine    Version 17.06.0-ce+ or higher    For installation instructions, see Docker Engine documentation
Docker Compose   Version 1.18.0 or higher         For installation instructions, see Docker Compose documentation
Openssl          Latest is preferred              Used to generate certificate and keys for Harbor

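  1. Install Docker Engine

For details, see: Basic Docker usage

  2. Install Docker Compose

Docker Compose installation documentation

Follow the documentation to install and configure it:

//Download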
[root@localhost ~]# curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   633  100   633    0     0     29      0  0:00:21  0:00:21 --:--:--   173

//Check the downloaded file
[root@localhost ~]# ls /usr/local/bin/
docker-compose

//Make it executable
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose

//Symlink it into /usr/bin/
[root@localhost ~]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
[root@localhost ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

//Check the command path; it is ready to use
[root@localhost ~]# which docker-compose
/usr/local/bin/docker-compose
  3. Install openssl
//It was installed automatically along with docker
[root@localhost ~]# rpm -qa|grep openssl
xmlsec1-openssl-1.2.25-4.el8.x86_64
openssl-1.1.1c-15.el8.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
openssl-libs-1.1.1c-15.el8.x86_64

Deployment

  1. Extract the Harbor installation package
[root@localhost ~]# tar xf harbor-offline-installer-v2.2.0.tgz -C /usr/local/
[root@localhost ~]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src

//Check the contents
[root@localhost ~]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
  2. Edit the harbor.yml file
//Make a copy of the yml template
[root@localhost harbor]# ls
common.sh  harbor.v2.2.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# ls
common.sh             harbor.yml       install.sh  prepare
harbor.v2.2.0.tar.gz  harbor.yml.tmpl  LICENSE

//Edit the yml file
[root@localhost harbor]# vim harbor.yml

#Change this to the IP of the current host
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.110.20

#Comment out the https section
# https related config
# https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
  
#The password can be changed; the default password is used here
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

#Default data volume location
# The default data volume
data_volume: /data

#Logging
# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor
  3. Run ./install.sh
[root@localhost harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.4

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.28.5

[Step 2]: loading Harbor images ...
07ed3fe22282: Loading layer  34.51MB/34.51MB
632651017131: Loading layer  8.071MB/8.071MB
cff019bd8e54: Loading layer  3.584kB/3.584kB
db8113c9a129: Loading layer   2.56kB/2.56kB

Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating registry      ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

//Check the listening ports
[root@localhost harbor]# ss -antl
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
LISTEN    0          128                127.0.0.1:1514              0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
LISTEN    0          128                     [::]:22                   [::]:*  

//Check the running containers
[root@localhost harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED              STATUS                        PORTS                       NAMES
9dae957ece18   goharbor/harbor-jobservice:v2.2.0    "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                               harbor-jobservice
d77b0d1b0587   goharbor/nginx-photon:v2.2.0         "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:80->8080/tcp        nginx
f0a645068b70   goharbor/harbor-core:v2.2.0          "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                               harbor-core
565abbba323e   goharbor/harbor-portal:v2.2.0        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)                               harbor-portal
99bafb875561   goharbor/redis-photon:v2.2.0         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)                               redis
10efa0d1a3b8   goharbor/registry-photon:v2.2.0      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)                               registry
3fb33e3ed6a5   goharbor/harbor-registryctl:v2.2.0   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                               registryctl
f6f7abf741f0   goharbor/harbor-db:v2.2.0            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)                               harbor-db
bad95cfee8df   goharbor/harbor-log:v2.2.0           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

The ports are listening; the configuration succeeded.
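
With the https block commented out in harbor.yml, the UI, the API and docker login all run over plain HTTP on port 80. The following added example, which is not part of the original post, covers the "Configure HTTPS Access to Harbor" step from the installation list: it creates a private CA and a server certificate whose subjectAltName carries the Harbor IP. The CA name, the output directory and the key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server certificate
# for the Harbor host used in this walkthrough. The CA name, output directory
# and key size are assumptions.
set -eu

# gen_harbor_certs <harbor-ip> <out-dir> [rsa-bits]
gen_harbor_certs() {
  ip="$1"; out="$2"; bits="${3:-4096}"
  mkdir -p "$out"
  # Self-contained config, so nothing depends on the system openssl.cnf.
  cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Harbor Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Docker matches the registry address against subjectAltName, so the IP
  # from "hostname:" in harbor.yml has to be listed there.
  cat > "$out/v3.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
  openssl genrsa -out "$out/ca.key" "$bits" 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -config "$out/ca.cnf" \
    -key "$out/ca.key" -out "$out/ca.crt"
  openssl genrsa -out "$out/server.key" "$bits" 2>/dev/null
  openssl req -new -sha256 -config "$out/ca.cnf" -subj "/CN=$ip" \
    -key "$out/server.key" -out "$out/server.csr"
  openssl x509 -req -sha256 -days 365 -extfile "$out/v3.ext" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -in "$out/server.csr" -out "$out/server.crt" 2>/dev/null
  chmod 600 "$out/ca.key" "$out/server.key"
}

# verify_harbor_cert <harbor-ip> <out-dir>: chain validates and the SAN lists the IP
verify_harbor_cert() {
  openssl verify -CAfile "$2/ca.crt" "$2/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$2/server.crt" -noout -text | grep -Fq "IP Address:$1"
}

# Stand-alone use: sh harbor-certs.sh 192.168.110.20 /data/cert
if [ "$#" -ge 2 ]; then
  gen_harbor_certs "$1" "$2"
  verify_harbor_cert "$1" "$2" && echo "certificate for $1 written to $2"
fi
```

To use the result, uncomment the https: block in harbor.yml, point certificate: and private_key: at server.crt and server.key, rerun ./prepare, and recreate the containers with docker-compose down and docker-compose up -d. Clients then trust the registry by placing ca.crt at /etc/docker/certs.d/192.168.110.20/ca.crt, which removes the need for an insecure-registries entry.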

Start Harbor automatically at boot

//Write a startup script
[root@localhost harbor]# vim startall.sh
#!/bin/bash

cd /usr/local/harbor
docker-compose stop && docker-compose start

//Make the startup script executable
[root@localhost harbor]# chmod +x startall.sh 
[root@localhost harbor]# ll startall.sh
-rwxr-xr-x. 1 root root        78 Mar  9 18:13 startall.sh

//Add the startup script to the file that runs last during system boot
#Make rc.local executable
[root@localhost harbor]# ll /etc/rc.d/rc.local 
-rw-r--r--. 1 root root 474 Mar 24  2020 /etc/rc.d/rc.local
[root@localhost harbor]# chmod +x /etc/rc.d/rc.local 
[root@localhost harbor]# ll /etc/rc.d/rc.local 
-rwxr-xr-x. 1 root root 474 Mar 24  2020 /etc/rc.d/rc.local

#Edit rc.local so that it runs the startup script
[root@localhost harbor]# vim /etc/rc.d/rc.local 
#!/bin/bash
/bin/bash /usr/local/harbor/startall.sh

//Verify
[root@localhost harbor]# reboot

//Check the listening ports
[root@localhost ~]# ss -antl
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          128                127.0.0.1:1514              0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
LISTEN    0          128                     [::]:22                   [::]:*  

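Using the web UI

Access the site

Enter the host's IP address in a browser

Log in with the credentials (username: admin, password: Harbor12345)

Create a user

Click System Administration ---> User Management ---> Create User

Enter the user's details and click OK

The user is created successfully

Create a project

Click Projects ---> New Project

Enter the details and click OK

After it is created, click the new project

Click Push Command to see the helper commands

View the helper commands

Push an image

For how to create images, see:

Docker image management basics

//List images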
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB
goharbor/trivy-adapter-photon   v2.2.0    658abcdfe7e3   2 weeks ago   120MB
goharbor/notary-server-photon   v2.2.0    5117cee34e76   2 weeks ago   101MB
goharbor/notary-signer-photon   v2.2.0    5d8879c476a8   2 weeks ago   98.4MB
goharbor/harbor-registryctl     v2.2.0    6833a758fcfb   2 weeks ago   128MB
goharbor/registry-photon        v2.2.0    c5797c8f62f1   2 weeks ago   77.2MB
goharbor/nginx-photon           v2.2.0    39fcd9da1a47   2 weeks ago   40.2MB
goharbor/harbor-log             v2.2.0    27a38464bdcd   2 weeks ago   108MB
goharbor/harbor-jobservice      v2.2.0    62b4ae79b159   2 weeks ago   163MB
goharbor/harbor-core            v2.2.0    049ef19b7080   2 weeks ago   148MB
goharbor/harbor-portal          v2.2.0    d9eff87cd8b5   2 weeks ago   51MB
goharbor/harbor-db              v2.2.0    2f84c1cc9b71   2 weeks ago   174MB
goharbor/prepare                v2.2.0    c632fc058adf   2 weeks ago   165MB
goharbor/harbor-exporter        v2.2.0    700422c549b0   2 weeks ago   76.1MB
busybox                         latest    b97242f89c8a   7 weeks ago   1.23MB
httpd                           latest    683a7aad17d3   8 weeks ago   138MB

Log in with docker login followed by the host's IP

//Edit daemon.json
#Add the host's IP
[root@localhost ~]# vim /etc/docker/daemon.json 

{
  "insecure-registries":["192.168.110.20"]
}

//Reload the configuration and restart the service
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker

//Log in using the IP address
#The username is: admin (default)
#The password is: Harbor12345 (default)
[root@localhost ~]# docker login 192.168.110.20
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Retag the image and push it

//Using the leidazhuang/web:v0.3 image as an example
[root@localhost ~]# docker tag leidazhuang/web:v0.3 192.168.110.20/ldaz/web:v0.1
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
192.168.110.20/ldaz/web         v0.1      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB
goharbor/trivy-adapter-photon   v2.2.0    658abcdfe7e3   2 weeks ago   120MB
goharbor/notary-server-photon   v2.2.0    5117cee34e76   2 weeks ago   101MB
goharbor/notary-signer-photon   v2.2.0    5d8879c476a8   2 weeks ago   98.4MB
goharbor/harbor-registryctl     v2.2.0    6833a758fcfb   2 weeks ago   128MB
goharbor/registry-photon        v2.2.0    c5797c8f62f1   2 weeks ago   77.2MB
goharbor/nginx-photon           v2.2.0    39fcd9da1a47   2 weeks ago   40.2MB
goharbor/harbor-log             v2.2.0    27a38464bdcd   2 weeks ago   108MB
goharbor/harbor-jobservice      v2.2.0    62b4ae79b159   2 weeks ago   163MB
goharbor/harbor-core            v2.2.0    049ef19b7080   2 weeks ago   148MB
goharbor/harbor-portal          v2.2.0    d9eff87cd8b5   2 weeks ago   51MB
goharbor/harbor-db              v2.2.0    2f84c1cc9b71   2 weeks ago   174MB
goharbor/prepare                v2.2.0    c632fc058adf   2 weeks ago   165MB
goharbor/harbor-exporter        v2.2.0    700422c549b0   2 weeks ago   76.1MB
busybox                         latest    b97242f89c8a   7 weeks ago   1.23MB
httpd                           latest    683a7aad17d3   8 weeks ago   138MB

//Push
[root@localhost ~]# docker push 192.168.110.20/ldaz/web:v0.1
The push refers to repository [192.168.110.20/ldaz/web]
3793c5ba5e71: Pushed 
0064d0478d00: Pushed 
v0.1: digest: sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd size: 734

Check the image; it was created successfully

Pull an image

//Delete the 192.168.110.20/ldaz/web:v0.1 image
[root@localhost ~]# docker rmi 192.168.110.20/ldaz/web:v0.1
Untagged: 192.168.110.20/ldaz/web:v0.1
Untagged: 192.168.110.20/ldaz/web@sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB

//Pull the image
[root@localhost ~]# docker pull 192.168.110.20/ldaz/web:v0.1
v0.1: Pulling from ldaz/web
Digest: sha256:5e65c1a6fec7673ae41930f6649d2bb597bebec503bb4b57f387bf88fc8d69dd
Status: Downloaded newer image for 192.168.110.20/ldaz/web:v0.1
192.168.110.20/ldaz/web:v0.1

//The image was pulled successfully
[root@localhost ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
192.168.110.20/ldaz/web         v0.1      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.3      613fd44bad96   8 days ago    1.23MB
leidazhuang/web                 v0.2      6c5652212d19   8 days ago    1.23MB
goharbor/chartmuseum-photon     v2.2.0    7d2b0430a45d   2 weeks ago   165MB
goharbor/redis-photon           v2.2.0    dab1804560b2   2 weeks ago   68.9MB

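Notes on using Harbor:

  1. When pushing images from a client, always run docker login first to authenticate; otherwise the push will fail
  2. If the client does not use https, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json configuration file
  3. The data path in the configuration file should point to shared storage with ample capacity
  4. Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop. For other options, see --help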
[root@localhost ~]# docker-compose --help
Define and run multi-container applications with Docker.

Usage:
  docker-compose [-f <arg>...] [--profile <name>...] [options] [--] [COMMAND] [ARGS...]
  docker-compose -h|--help

Options:
  -f, --file FILE             Specify an alternate compose file
                              (default: docker-compose.yml)
  -p, --project-name NAME     Specify an alternate project name
                              (default: directory name)
  --profile NAME              Specify a profile to enable
  -c, --context NAME          Specify a context name
  --verbose                   Show more output
  --log-level LEVEL           Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
  --ansi (never|always|auto)  Control when to print ANSI control characters
  --no-ansi                   Do not print ANSI control characters (DEPRECATED)
  -v, --version               Print version and exit
  -H, --host HOST             Daemon socket to connect to

  --tls                       Use TLS; implied by --tlsverify
  --tlscacert CA_PATH         Trust certs signed only by this CA
  --tlscert CLIENT_CERT_PATH  Path to TLS certificate file
  --tlskey TLS_KEY_PATH       Path to TLS key file
  --tlsverify                 Use TLS and verify the remote
  --skip-hostname-check       Don't check the daemon's hostname against the
                              name specified in the client certificate
  --project-directory PATH    Specify an alternate working directory
                              (default: the path of the Compose file)
  --compatibility             If set, Compose will attempt to convert keys
                              in v3 files to their non-Swarm equivalent (DEPRECATED)
  --env-file PATH             Specify an alternate environment file

Commands:
  build              Build or rebuild services
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove resources
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show version information and quit
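
The walkthrough leaves four lab-only settings in place: the default admin password, the commented-out https block, the insecure-registries entry, and the credentials that docker login stored in /root/.docker/config.json. The following added example, which is not part of the original post, checks for them; the function name and the finding labels are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report which lab-only settings
# from this walkthrough are still in place. Finding names are made up here.

# audit_harbor <harbor.yml> <daemon.json> <docker client config.json>
audit_harbor() {
  findings=""
  # Admin password is still the value shipped in harbor.yml.tmpl.
  if grep -Eq '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$' "$1"; then
    findings="$findings default-admin-password"
  fi
  # No uncommented https: block, so UI, API and docker login use plain HTTP.
  if ! grep -Eq '^https:' "$1"; then
    findings="$findings https-disabled"
  fi
  # The daemon skips TLS verification for every registry listed here.
  if [ -f "$2" ] && tr -d ' \t\n' < "$2" | grep -Eq '"insecure-registries":\["'; then
    findings="$findings insecure-registries"
  fi
  # docker login left a base64 user:password under "auth" and no credential
  # store or helper is configured (the WARNING printed at login).
  if [ -f "$3" ] && grep -Eq '"auth"[[:space:]]*:' "$3" &&
     ! grep -Eq '"(credsStore|credHelpers)"' "$3"; then
    findings="$findings plaintext-docker-credentials"
  fi
  echo "${findings# }"
}

# Constructed sample files that mirror the settings shown on this page.
demo=$(mktemp -d)
printf '%s\n' 'hostname: 192.168.110.20' '# https:' '#   port: 443' \
  'harbor_admin_password: Harbor12345' > "$demo/harbor.yml"
printf '%s\n' '{' '  "insecure-registries":["192.168.110.20"]' '}' > "$demo/daemon.json"
printf '%s\n' '{"auths":{"192.168.110.20":{"auth":"Y29uc3RydWN0ZWQ6c2FtcGxl"}}}' \
  > "$demo/config.json"
audit_harbor "$demo/harbor.yml" "$demo/daemon.json" "$demo/config.json"
rm -rf "$demo"
```

An empty result means none of the four settings was found in the files given.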
Original source: https://www.cnblogs.com/leixixi/p/14509052.html