Quick guide to creating a Harbor private registry


    Abstract

    Developing and running Docker container applications depends on reliable image management. Docker does provide a public image registry, but for both security and efficiency it is well worth deploying a Registry inside our own private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware; it adds role-based access control (RBAC), LDAP integration, audit logging, a management UI, user self-registration, image replication and Chinese-language support.

    1. Install Docker

    1.1 Install dependencies

    [root@server1 yum.repos.d]# yum -y install yum-utils device-mapper-persistent-data lvm2

    # yum-utils provides yum-config-manager
    # the devicemapper storage driver needs device-mapper-persistent-data and lvm2
    # device mapper is the generic device-mapping mechanism for logical volume management in the Linux 2.6+ kernel; it gives the block-device drivers used for storage management a highly modular kernel framework

    1.2 Add the Aliyun mirror repo and rebuild the yum metadata cache

    [root@server1 yum.repos.d]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

    [root@server1 yum.repos.d]# yum clean all

    [root@server1 yum.repos.d]# yum makecache

    1.3 Install docker-ce and prepare the environment

    [root@server1 yum.repos.d]# systemctl stop firewalld.service     # lab shortcut: on a real host open only the Harbor ports (80/443) instead of stopping the firewall
    [root@server1 yum.repos.d]# setenforce 0                         # lab shortcut: puts SELinux in permissive mode until the next reboot
    [root@server1 yum.repos.d]# yum -y install docker-ce
    [root@server1 yum.repos.d]# systemctl start docker.service 
    [root@server1 yum.repos.d]# systemctl enable docker.service 

    1.4 Network tuning

    [root@server1 yum.repos.d]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf     # enable IP forwarding so container traffic can be routed off the host
    [root@server1 yum.repos.d]# sysctl -p     # apply the setting
    net.ipv4.ip_forward = 1
    [root@server1 yum.repos.d]# systemctl restart network
    [root@server1 yum.repos.d]# systemctl restart docker

    1.5 Image mirror (look up your own accelerator address in the Aliyun image-accelerator console; see the Docker basics post for the details)

    [root@server1 yum.repos.d]# tee /etc/docker/daemon.json <<-'EOF' 
    > {
    > "registry-mirrors": ["https://......"]
    > }
    > EOF
     
    [root@server1 yum.repos.d]# systemctl daemon-reload 
    [root@server1 yum.repos.d]# systemctl restart docker

    2. Install docker-compose

    Upload the docker-compose binary to /root (check it against the checksum published with the release before installing it)

    Move docker-compose to /usr/local/bin
    [root@server1 ~]# cp -p docker-compose /usr/local/bin/
    [root@server1 ~]# chmod +x /usr/local/bin/docker-compose

    3. Install Harbor

    3.1 Upload the Harbor offline installer to /root and extract it

    [root@server1 ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local

    3.2 Edit the Harbor configuration file

    [root@server1 ~]# vim /usr/local/harbor/harbor.cfg 
    hostname = 20.0.0.10     # line 5: set hostname to the address clients will use to reach the registry

    3.3 harbor.cfg parameters explained

    3.3.1 Required parameters

    ① hostname: the address used to reach the user interface and the registry service. It should be the target machine's IP address or fully qualified domain name (FQDN),

    for example 192.168.195.128 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname: the value ends up in the URLs the token service hands to clients, so a remote docker client would be pointed back at itself.

    ② ui_url_protocol: (http or https, default http) the protocol used to access the UI and the token/notification services. If Notary is enabled this must be https. With http, docker login credentials and image layers cross the network in clear text.

    ③ max_job_workers: number of worker threads for image replication jobs.

    ④ db_password: password of the MySQL root user used by db_auth.

    ⑤ customize_crt: on or off, default on. When on, the prepare script creates a private key and root certificate used to generate and verify registry tokens.

    Set it to off when the key and root certificate are supplied from an external source.

    ⑥ ssl_cert: path to the SSL certificate; only used when the protocol is https.

    ⑦ ssl_cert_key: path to the SSL private key; only used when the protocol is https.

    ⑧ secretkey_path: path of the key used to encrypt and decrypt remote registry passwords stored in replication policies.

    3.3.2 Optional parameters

    These parameters are optional: you can leave them at their defaults and change them in the Web UI after Harbor starts. If they are set in harbor.cfg, they only take

    effect the first time Harbor starts; later edits to these parameters in harbor.cfg are ignored.

    Note: if you choose to set these parameters through the UI, do it immediately after starting Harbor. In particular, auth_mode must be set before any new user

    registers or is created in Harbor: once the system contains users other than the default admin, auth_mode can no longer be changed. The parameters are:

    ① email: Harbor needs these settings to send "password reset" emails to users, and only if that feature is wanted.

    Note that SSL is not enabled by default for the SMTP connection. If the SMTP server requires SSL but does not support STARTTLS, enable SSL with

    email_ssl = TRUE.

    ② harbor_admin_password: the administrator's initial password, used only the first time Harbor starts. After that the setting is ignored and the admin password

    must be changed in the UI. Note that the default username/password is admin/Harbor12345; change it before the registry is reachable by anyone else.

    ③ auth_mode: the authentication type. The default is db_auth, meaning credentials are stored in the database. For LDAP authentication set it to

    ldap_auth.

    ④ self_registration: enables or disables user self-registration. When disabled, new users can only be created by an admin user; only administrators can create

    users in Harbor. Note: when auth_mode is ldap_auth, self-registration is always disabled and this flag is ignored.

    ⑤ token_expiration: lifetime in minutes of the tokens issued by the token service; default 30 minutes.

    ⑥ project_creation_restriction: controls which users may create projects. By default every user can create a project.

    Set it to "adminonly" so that only admin can create projects.

    ⑦ verify_remote_cert: on or off, default on. This flag decides whether Harbor verifies the SSL/TLS certificate when it talks to a remote registry instance.

    Setting it to off bypasses SSL/TLS verification, which is common when the remote instance has a self-signed or untrusted certificate; it also lets replication accept a man-in-the-middle silently, so trusting the remote CA is the better fix.
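    The parameters above are exactly the ones that decide whether a fresh Harbor is safe to expose. The script below is an added example, not part of the original post and not Harbor's own tooling: it reads a harbor.cfg and reports each setting that is still at its weak default (hostname left at 127.0.0.1, http instead of https, the well-known admin and db passwords, self_registration on, project creation open to everyone, verify_remote_cert off). The two sample files it writes are constructed for the demonstration; the key = value layout is the one harbor.cfg uses.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Harbor itself: audit a
# Harbor 1.2.x harbor.cfg for the weak settings discussed above before running
# install.sh. Assumes the "key = value" layout of harbor.cfg; the two sample
# files written by sample_weak_cfg / sample_hardened_cfg are constructed here.

# cfg_get FILE KEY -> value of KEY (empty if absent); comment lines start with #
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# audit_harbor_cfg FILE -> one finding per line; returns 1 if anything is weak
audit_harbor_cfg() {
    local cfg="$1" bad=0 v k
    v=$(cfg_get "$cfg" hostname)
    case "$v" in
        ""|localhost|127.0.0.1)
            echo "hostname: must be the IP/FQDN clients use, not '${v:-empty}'"; bad=1 ;;
    esac
    v=$(cfg_get "$cfg" ui_url_protocol)
    if [ "${v:-http}" != https ]; then
        echo "ui_url_protocol: '${v:-http}' sends docker login credentials in clear text"; bad=1
    else
        for k in ssl_cert ssl_cert_key; do
            [ -n "$(cfg_get "$cfg" "$k")" ] || { echo "$k: required when ui_url_protocol = https"; bad=1; }
        done
    fi
    v=$(cfg_get "$cfg" harbor_admin_password)
    [ "${v:-Harbor12345}" != Harbor12345 ] || { echo "harbor_admin_password: still the well-known default"; bad=1; }
    v=$(cfg_get "$cfg" db_password)
    [ "${v:-root123}" != root123 ] || { echo "db_password: still the value shipped in the 1.2.x template"; bad=1; }
    v=$(cfg_get "$cfg" self_registration)
    [ "${v:-on}" = off ] || { echo "self_registration: anyone who can reach the UI can create an account"; bad=1; }
    v=$(cfg_get "$cfg" project_creation_restriction)
    [ "$v" = adminonly ] || { echo "project_creation_restriction: every user can create projects; set adminonly"; bad=1; }
    v=$(cfg_get "$cfg" verify_remote_cert)
    [ "${v:-on}" != off ] || { echo "verify_remote_cert: off lets replication accept any TLS certificate"; bad=1; }
    return $bad
}

# Constructed sample: the defaults as they look right after the post's step 3.2
sample_weak_cfg() {
    cat > "$1" <<'EOF'
## Configuration file of Harbor (constructed sample)
hostname = 127.0.0.1
ui_url_protocol = http
max_job_workers = 3
customize_crt = on
db_password = root123
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = off
EOF
}

# Constructed sample: the same file after hardening (passwords are placeholders)
sample_hardened_cfg() {
    cat > "$1" <<'EOF'
hostname = 20.0.0.10
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
max_job_workers = 3
customize_crt = on
db_password = CHANGE-ME-db-9f1c
harbor_admin_password = CHANGE-ME-admin-3a7e
auth_mode = db_auth
self_registration = off
project_creation_restriction = adminonly
verify_remote_cert = on
EOF
}

# usage: ./audit_harbor_cfg.sh /usr/local/harbor/harbor.cfg
if [ -n "${1:-}" ]; then
    audit_harbor_cfg "$1" && echo "no findings in $1"
fi
```

    Run it against /usr/local/harbor/harbor.cfg before ./install.sh; a non-zero exit means at least one finding was printed. The checks are deliberately conservative: a missing key is treated as the shipped default, which is what Harbor will use.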

    3.4 Run the install script

    [root@server1 ~]# cd /usr/local/harbor/
    [root@server1 harbor]# ./install.sh
    ......
    Note: stopping existing Harbor instance ...
    Stopping harbor-jobservice  ... done
    Stopping harbor-ui          ... done
    Stopping harbor-db          ... done
    Stopping registry           ... done
    Stopping harbor-adminserver ... done
    Stopping harbor-log         ... done
    Removing nginx              ... done
    Removing harbor-jobservice  ... done
    Removing harbor-ui          ... done
    Removing harbor-db          ... done
    Removing registry           ... done
    Removing harbor-adminserver ... done
    Removing harbor-log         ... done
    Removing network harbor_harbor


    [Step 4]: starting Harbor ...
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log ... done
    Creating harbor-adminserver ... done
    Creating harbor-db          ... done
    Creating registry           ... done
    Creating harbor-ui          ... done
    Creating harbor-jobservice  ... done
    Creating nginx              ... done

    ✔ ----Harbor has been installed and started successfully.----

    Now you should be able to visit the admin portal at http://20.0.0.10. 
    For more details, please visit https://github.com/vmware/harbor .

    3.5 Check the images and containers Harbor started

    [root@server1 harbor]# docker images     # list images
    REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
    compose_nginx               latest              a3f5e9daf7b0        6 hours ago         537MB
    centos                      7                   8652b9f0cb4c        2 weeks ago         204MB
    vmware/harbor-log           v1.2.2              36ef78ae27df        3 years ago         200MB
    vmware/harbor-jobservice    v1.2.2              e2af366cba44        3 years ago         164MB
    vmware/harbor-ui            v1.2.2              39efb472c253        3 years ago         178MB
    vmware/harbor-adminserver   v1.2.2              c75963ec543f        3 years ago         142MB
    vmware/harbor-db            v1.2.2              ee7b9fa37c5d        3 years ago         329MB
    vmware/nginx-photon         1.11.13             6cc5c831fc7f        3 years ago         144MB
    vmware/registry             2.6.2-photon        5d9100e4350e        3 years ago         173MB
    vmware/postgresql           9.6.4-photon        c562762cbd12        3 years ago         225MB
    vmware/clair                v2.0.1-photon       f04966b4af6c        3 years ago         297MB
    vmware/harbor-notary-db     mariadb-10.1.10     64ed814665c6        3 years ago         324MB
    vmware/notary-photon        signer-0.5.0        b1eda7d10640        3 years ago         156MB
    vmware/notary-photon        server-0.5.0        6e2646682e3c        3 years ago         157MB
    photon                      1.0                 e6e4e4a2ba1b        4 years ago         128MB

    [root@server1 harbor]# docker ps -a      # list containers (only nginx publishes ports on 0.0.0.0; the registry and db stay on the internal network)
    CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS                      PORTS                                                              NAMES
    dd195a4d5629        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs…"   15 minutes ago      Up 15 minutes                                                                                  harbor-jobservice
    3d99f95d990d        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of…"   15 minutes ago      Up 15 minutes               0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
    24e827c862ce        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      15 minutes ago      Up 15 minutes                                                                                  harbor-ui
    8a33e690c5a7        vmware/registry:2.6.2-photon       "/entrypoint.sh serv…"   15 minutes ago      Up 15 minutes               5000/tcp                                                           registry
    44a8bd7c8c37        vmware/harbor-db:v1.2.2            "docker-entrypoint.s…"   15 minutes ago      Up 15 minutes               3306/tcp                                                           harbor-db
    e6f9abb29cc5        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi…"   15 minutes ago      Up 15 minutes                                                                                  harbor-adminserver
    7c55529f3fc9        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &…"   15 minutes ago      Up 15 minutes               127.0.0.1:1514->514/tcp                                            harbor-log

    3.6 If the images and containers above all look healthy, open http://20.0.0.10 in a browser to view the Harbor registry

    The default username/password is admin/Harbor12345

    Add a project and fill in the project name

    Set it to public (a public project lets anyone who can reach the registry pull its images without logging in; keep projects private unless anonymous pull is intended)

    3.7 Push an image

    Docker commands can now log in and push through 127.0.0.1 on the Harbor host itself. By default the registry is served on port 80 (by the nginx container). The two warnings below are worth heeding: -p puts the password into the shell history and process list, so use --password-stdin as the message suggests, and config.json keeps the token unencrypted unless a credential helper is configured.

    Log in
    [root@server1 harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded     # login successful

    Pull an image to test with
    [root@server1 harbor]# docker pull tomcat

    Tag the image
    [root@server1 harbor]# docker tag tomcat:latest 127.0.0.1/xuhao/tomcat:v1

    Push the image to Harbor
    [root@server1 harbor]# docker push 127.0.0.1/xuhao/tomcat:v1

    Check in the web UI that the push succeeded

    3.8 Logging in to the Harbor registry from another server (error)

    Everything above was done on the Harbor server itself. When another client tries to push to Harbor it gets the error below. The reason: the Docker daemon talks to registries over HTTPS by default (127.0.0.0/8 is the only range it allows plain HTTP for, which is why the local login worked), while this private registry was set up to serve HTTP only. Demonstrated on server2:

    [root@server2 ~]# docker login -u admin -p Harbor12345 http://20.0.0.10
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    Error response from daemon: Get https://20.0.0.10/v2/: dial tcp 20.0.0.10:443: connect: connection refused

    Fix:

    Add the registry to the Docker daemon's insecure-registry list (shown on server2). This only tells dockerd to fall back to plain HTTP for 20.0.0.10; it does not make the traffic safe: the login credentials and every pushed or pulled layer still cross the network unencrypted, and anyone on the path can serve a different image. The same setting can be written to /etc/docker/daemon.json under "insecure-registries" instead of editing the unit file. The durable fix is to run Harbor with ui_url_protocol = https and a certificate (ssl_cert / ssl_cert_key) that the clients trust.

    [root@server2 ~]# vim /usr/lib/systemd/system/docker.service 
    # line 14
    ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 20.0.0.10 --containerd=/run/containerd/containerd.sock     # insert --insecure-registry 20.0.0.10 in the middle

    Reload the unit and restart the daemon
    [root@server2 ~]# systemctl daemon-reload 
    [root@server2 ~]# systemctl restart docker 

    Reload the script on server1


    Log in
    [root@server2 ~]# docker login -u admin -p Harbor12345 http://20.0.0.10
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded      # login successful

    Pull an image to test with
    [root@server2 ~]# docker pull httpd

    Tag the image
    [root@server2 ~]# docker tag httpd:latest 20.0.0.10/xuhao/httpd:v1

    Push the image (push the v1 tag explicitly: Docker 20.10 and later push only :latest when no tag is given, and no such tag exists here)
    [root@server2 ~]# docker push 20.0.0.10/xuhao/httpd:v1

    Check in the web UI that the push succeeded
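    What the --insecure-registry workaround above should be replaced with, as an added example that is not part of the original post or of Harbor's installer: generate a certificate whose SAN is the registry address, point harbor.cfg at it (ui_url_protocol, ssl_cert, ssl_cert_key from section 3.3) so that ./install.sh renders nginx with TLS, and drop the certificate into /etc/docker/certs.d/<host>/ca.crt on each client, which is where dockerd looks for per-registry CA certificates. The last function checks whether a client still whitelists the registry for plain HTTP, in the systemd unit or in daemon.json, so that the weak setting can be removed once the TLS login works. The ROOT prefix is an assumption of this script so it can be exercised in a temporary directory; the harbor.cfg and daemon.json fragments in demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Harbor: give the registry
# a TLS certificate and trust it on the client instead of --insecure-registry.
# /data/cert (Harbor's default ssl_cert location) and /etc/docker/certs.d
# (where dockerd looks for per-registry CA certs) are documented paths; the
# ROOT prefix taken by the functions is an assumption so the script can be
# exercised in a temporary directory, and the sample files are constructed.

# gen_self_signed_cert DIR HOST: key + self-signed cert carrying HOST as a SAN
# (assumes openssl >= 1.1.1 for -addext). Without a SAN that matches the
# address in the image reference, dockerd rejects the cert even if trusted.
gen_self_signed_cert() {
    local san
    case "$2" in
        *[!0-9.]*) san="DNS:$2" ;;   # looks like a hostname
        *)         san="IP:$2"  ;;   # looks like an IPv4 address
    esac
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "/CN=$2" -addext "subjectAltName=$san" >/dev/null 2>&1
    chmod 600 "$1/server.key"
}

# harbor_cfg_enable_https CFG CRT KEY: switch harbor.cfg to https so that
# ./install.sh renders nginx with TLS and the token service issues https realms
harbor_cfg_enable_https() {
    sed -i \
        -e "s#^ui_url_protocol *=.*#ui_url_protocol = https#" \
        -e "s#^ssl_cert *=.*#ssl_cert = $2#" \
        -e "s#^ssl_cert_key *=.*#ssl_cert_key = $3#" "$1"
}

# install_client_ca ROOT HOST CRT: what server2 needs instead of
# --insecure-registry. dockerd trusts ROOT/etc/docker/certs.d/HOST/ca.crt for
# that one registry; no daemon restart is required.
install_client_ca() {
    local dir="$1/etc/docker/certs.d/$2"
    mkdir -p "$dir"
    cp "$3" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
}

# insecure_registry_configured ROOT HOST: true (exit 0) if the client still
# whitelists HOST for plain HTTP, either in the systemd unit
# (--insecure-registry) or in daemon.json ("insecure-registries")
insecure_registry_configured() {
    local root="$1" esc
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -qsE -e "--insecure-registry[[:space:]=]+$esc([[:space:]]|$)" \
        "$root/usr/lib/systemd/system/docker.service" && return 0
    [ -r "$root/etc/docker/daemon.json" ] || return 1
    tr -d '[:space:]' < "$root/etc/docker/daemon.json" |
        grep -q "\"insecure-registries\":\[[^]]*\"$esc\""
}

# demo ROOT: run the whole flow against a constructed harbor.cfg and daemon.json
demo() {
    local root="$1"
    mkdir -p "$root/harbor" "$root/etc/docker"
    printf 'hostname = 20.0.0.10\nui_url_protocol = http\nssl_cert = /data/cert/server.crt\nssl_cert_key = /data/cert/server.key\n' \
        > "$root/harbor/harbor.cfg"
    printf '{ "insecure-registries": ["20.0.0.10"] }\n' > "$root/etc/docker/daemon.json"
    gen_self_signed_cert "$root/data/cert" 20.0.0.10
    harbor_cfg_enable_https "$root/harbor/harbor.cfg" /data/cert/server.crt /data/cert/server.key
    install_client_ca "$root" 20.0.0.10 "$root/data/cert/server.crt"
    if insecure_registry_configured "$root" 20.0.0.10; then
        echo "client still lists 20.0.0.10 as insecure; drop it once 'docker login https://20.0.0.10' succeeds"
    fi
}
```

    On the real hosts the ROOT argument is simply "" (the filesystem root): generate the cert on server1 under /data/cert, re-run ./install.sh after harbor_cfg_enable_https, copy server.crt to server2 and call install_client_ca there. Clients that already have the CA trusted will then log in over https without any dockerd flag, and the image references become 20.0.0.10/xuhao/... exactly as before.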

    3.9 Stopping and starting Harbor

    [root@server1 ~]# cd /usr/local/harbor/

    Stop (the services must be stopped before editing the configuration file; -v removes the anonymous volumes, the bind-mounted /data is kept)
    [root@server1 harbor]# docker-compose down -v
    Stopping harbor-jobservice  ... done
    Stopping nginx              ... done
    Stopping harbor-ui          ... done
    Stopping harbor-adminserver ... done
    Stopping harbor-db          ... done
    Stopping registry           ... done
    Stopping harbor-log         ... done
    Removing harbor-jobservice  ... done
    Removing nginx              ... done
    Removing harbor-ui          ... done
    Removing harbor-adminserver ... done
    Removing harbor-db          ... done
    Removing registry           ... done
    Removing harbor-log         ... done
    Removing network harbor_harbor

    Check container status
    [root@server1 harbor]# docker ps -a
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                         PORTS               NAMES

    Start
    [root@server1 harbor]# docker-compose up -d
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log ... done
    Creating harbor-db          ... done
    Creating registry           ... done
    Creating harbor-adminserver ... done
    Creating harbor-ui          ... done
    Creating nginx              ... done
    Creating harbor-jobservice  ... done

    Check container status
    [root@server1 harbor]# docker ps -a
    CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS                         PORTS                                                              NAMES
    643d4fe02c98        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs…"   19 seconds ago      Up 18 seconds                                                                                     harbor-jobservice
    a8554ba5e828        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of…"   19 seconds ago      Up 18 seconds                  0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
    ee0328973cfd        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      19 seconds ago      Up 19 seconds                                                                                     harbor-ui
    c7732f829cb0        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi…"   20 seconds ago      Up 19 seconds                                                                                     harbor-adminserver
    32a12e9d3bd4        vmware/registry:2.6.2-photon       "/entrypoint.sh serv…"   20 seconds ago      Up 19 seconds                  5000/tcp                                                           registry
    7f83e53c5f82        vmware/harbor-db:v1.2.2            "docker-entrypoint.s…"   20 seconds ago      Up 19 seconds                  3306/tcp                                                           harbor-db
    29172fd34b88        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &…"   20 seconds ago      Up 20 seconds                  127.0.0.1:1514->514/tcp                                            harbor-log

    4. Create Harbor users

    4.1 User management

    4.2 Create a user and make them an administrator

    4.3 Create a project developer

    4.4 Log in as user zhangsan

    Log out (demonstrated on server1)
    [root@server1 harbor]# docker logout 20.0.0.10

    Log in
    [root@server1 harbor]# docker login -u zhangsan -p Harbor12345 http://20.0.0.10
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded     # login successful

    Delete the local tomcat images (the tag created in 3.7 on this host was 127.0.0.1/xuhao/tomcat:v1; remove whichever local tag exists)
    [root@server1 harbor]# docker rmi tomcat:latest 
    [root@server1 harbor]# docker rmi 20.0.0.10/xuhao/tomcat:v1 

    Pull the tomcat and httpd images
    [root@server1 harbor]# docker pull 20.0.0.10/xuhao/tomcat:v1      # pull succeeded
    v1: Pulling from xuhao/tomcat
    756975cb9c7e: Pull complete 
    d77915b4e630: Pull complete 
    5f37a0a41b6b: Pull complete 
    96b2c1e36db5: Pull complete 
    27a2d52b526e: Pull complete 
    a867dba77389: Pull complete 
    0939c055fb79: Pull complete 
    0b0694ce0ae2: Pull complete 
    81a5f8099e05: Pull complete 
    c3d7917d545e: Pull complete 
    Digest: sha256:4527a552568f7d706173d8065278cd1abaa7edce186a149a5a2de251e12e6c3c
    Status: Downloaded newer image for 20.0.0.10/xuhao/tomcat:v1
    20.0.0.10/xuhao/tomcat:v1

    [root@server1 harbor]# docker pull 20.0.0.10/xuhao/httpd:v1     # pull succeeded
    v1: Pulling from xuhao/httpd
    852e50cd189d: Pull complete 
    67d51c33d390: Pull complete 
    b0ad2a3b9567: Pull complete 
    136f1f71f30c: Pull complete 
    01f8ace29294: Pull complete 
    Digest: sha256:4c7c70926e2f2e10a9f78b63f344c83ae97a22c7fefa96afed46c63e4e607c51
    Status: Downloaded newer image for 20.0.0.10/xuhao/httpd:v1
    20.0.0.10/xuhao/httpd:v1
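    The pulls above (and the pushes in 3.7 and 3.8) all address images by the mutable tag v1 over a plain-HTTP registry, so nothing stops a re-pointed tag or a substituted manifest from being accepted. The Digest: lines docker prints are the content address that cannot be forged. The script below is an added example, not part of the original post or of Harbor: it turns a tag reference into a digest-pinned one for docker pull, and it checks a docker pull log against a pins file so that a changed digest is caught. The pull log is reconstructed from the post's own output (layer lines trimmed); the pins file format is an assumption of this script, and the httpd pin is deliberately wrong to show a mismatch.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Harbor: pin images pulled
# from the registry by digest and verify docker pull output against the pins.
# Over the plain-HTTP / --insecure-registry setup above a tag such as v1 can be
# re-pointed by anyone on the path; a sha256 digest cannot. The pull log is
# reconstructed from the post's own output; the pins file format is an
# assumption of this script.

# pin_ref REF DIGEST -> "repo@sha256:..." to use with docker pull instead of a tag
pin_ref() {
    local repo="$1"
    case "${1##*/}" in
        *:*) repo="${1%:*}" ;;   # strip ":tag" from the last path component only
    esac                         # (a registry port such as 20.0.0.10:80/ is kept)
    printf '%s@%s\n' "$repo" "$2"
}

# check_pull_log LOG PINS: for every image in LOG compare its "Digest:" line
# with the digest pinned for that reference; returns 1 on any mismatch or
# unpinned image. PINS lines: "<reference> <sha256:digest>", # for comments
check_pull_log() {
    local log="$1" pins="$2" rc=0 digest="" line ref want
    while IFS= read -r line; do
        case "$line" in
            "Digest: sha256:"*) digest="${line#Digest: }" ;;
            "Status: Downloaded newer image for "*|"Status: Image is up to date for "*)
                ref="${line##* for }"
                want=$(awk -v r="$ref" '$1 == r { print $2 }' "$pins")
                if [ -z "$want" ]; then
                    echo "UNPINNED $ref $digest"; rc=1
                elif [ "$want" != "$digest" ]; then
                    echo "MISMATCH $ref expected $want got $digest"; rc=1
                else
                    echo "OK $ref $digest"
                fi
                digest="" ;;
        esac
    done < "$log"
    return $rc
}

# Constructed: the two pulls from section 4.4 as docker printed them (layers trimmed)
write_sample_log() {
    cat > "$1" <<'EOF'
v1: Pulling from xuhao/tomcat
756975cb9c7e: Pull complete
Digest: sha256:4527a552568f7d706173d8065278cd1abaa7edce186a149a5a2de251e12e6c3c
Status: Downloaded newer image for 20.0.0.10/xuhao/tomcat:v1
20.0.0.10/xuhao/tomcat:v1
v1: Pulling from xuhao/httpd
852e50cd189d: Pull complete
Digest: sha256:4c7c70926e2f2e10a9f78b63f344c83ae97a22c7fefa96afed46c63e4e607c51
Status: Downloaded newer image for 20.0.0.10/xuhao/httpd:v1
20.0.0.10/xuhao/httpd:v1
EOF
}

# Constructed pins: tomcat matches; httpd is deliberately pinned to a different
# digest to show what a re-pointed tag looks like
write_sample_pins() {
    cat > "$1" <<'EOF'
# reference                 digest
20.0.0.10/xuhao/tomcat:v1  sha256:4527a552568f7d706173d8065278cd1abaa7edce186a149a5a2de251e12e6c3c
20.0.0.10/xuhao/httpd:v1   sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# usage: docker pull 20.0.0.10/xuhao/tomcat:v1 2>&1 | tee pull.log; ./check.sh pull.log pins.txt
if [ $# -eq 2 ]; then
    check_pull_log "$1" "$2"
fi
```

    Once a digest has been verified, pull by it (pin_ref prints the 20.0.0.10/xuhao/tomcat@sha256:... form) so that the registry, insecure or not, can only hand back content matching that address; the tag then becomes a human label rather than the thing you trust.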

    4.5 Remove the Harbor service containers while keeping the image data and database

    [root@server1 harbor]# docker-compose down -v
    Stopping harbor-jobservice  ... done
    Stopping nginx              ... done
    Stopping harbor-ui          ... done
    Stopping harbor-adminserver ... done
    Stopping registry           ... done
    Stopping harbor-db          ... done
    Stopping harbor-log         ... done
    Removing harbor-jobservice  ... done
    Removing nginx              ... done
    Removing harbor-ui          ... done
    Removing harbor-adminserver ... done
    Removing registry           ... done
    Removing harbor-db          ... done
    Removing harbor-log         ... done
    Removing network harbor_harbor

    To redeploy from scratch, all of Harbor's data must be removed as well. Persistent data such as images and the database lives under /data/ on the host, and the logs under

    /var/log/harbor/ on the host.
    rm -rf /data/database/
    rm -rf /data/registry/
Original post: https://www.cnblogs.com/xuhao0705/p/14069956.html