Docker私有鏡像倉庫harbor搭建

Harbor搭建鏡像倉庫

文章目錄

• • Harbor搭建鏡像倉庫
  • • • Harbor簡述
      • 系統環境與軟體版本說明
      • 安裝docker
      • 安裝docker-compose
      • 安裝Harbor
      • 使用Harbor上傳下載下傳鏡像基于http,https協定
      • 通路頁面
      • 小問題記錄

Harbor簡述

Harbor的所有服務元件都是在Docker中部署的，是以官方安裝使用Docker-compose快速部署，是以我們需要安裝Docker、Docker-compose。由于Harbor是基于Docker Registry V2版本，是以就要求Docker版本不小于1.10.0，Docker-compose版本不小于1.6.0

系統環境與軟體版本說明

名稱	詳情
系統環境	CentOS Linux release 7.5.1804 (Core)
Docker	docker-ce-18.06.1.ce-3.el7
Docker-Compose	v1.22.0
Harbor	v1.10.2

安裝docker

可以檢視Docker官網，或者我整理的另外一篇部落格Centos7安裝使用Docker，這裡不在過多叙述。

安裝docker-compose

首先去docker-compose的github擷取自己所要安裝的版本的下載下傳安裝連結，我安裝的是v1.22.0版本

#下載下傳安裝v1.22.0
[[email protected] ~]# curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

#對二進制檔案賦可執行權限
[[email protected] ~]# chmod +x /usr/local/bin/docker-compose

#是否安裝成功
[[email protected] ~]# docker-compose --version
docker-compose version 1.22.0, build f46880fe
           

安裝Harbor

1. Harbor的github頁面擷取安裝包的下載下傳連結

   小白教程_連結擷取方法：點選上述“github”字樣，選擇安裝版本的離線安裝包或線上安裝包位置右鍵選擇複制連結位址

#如果wget未安裝，請執行下面指令安裝
[[email protected] ~]# yum install wget

#下載下傳harbor安裝包，-P後面路徑是下載下傳檔案的儲存路徑(可以替換成自己位址)，後面的是安裝包下載下傳路徑
[[email protected] ~]# wget -P /usr/local/    https://github.com/goharbor/harbor/releases/download/v1.10.2/harbor-offline-installer-v1.10.2.tgz

           

PS: 有兩個包Harbor offline installer 和 Harbor online installer，兩者的差別的是 Harbor offline installer 裡就包含的 Harbor 需要使用的鏡像檔案

1. 解壓并修改配置檔案

#進入并檢視儲存路徑下是否有安裝包
[[email protected] local]# cd /usr/local/  && ls
harbor-offline-installer-v1.10.2.tgz

#解壓安裝包
[[email protected] local]# tar xvf harbor-offline-installer-v1.10.2.tgz && ls
harbor  harbor-offline-installer-v1.10.2.tgz

#進入harbor檔案夾
[[email protected] harbor]# cd harbor && ls
common  common.sh  docker-compose.yml  harbor.v1.10.2.tar.gz  harbor.yml  install.sh  LICENSE  prepare

[[email protected] harbor]# vi harbor.yml
#修改hostname為自己的IP位址
hostname: 192.168.50.218
#注釋https,否則安裝時會報錯：ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
# https related config
#https:
  # https port for harbor, default is 443
#  port: 443
  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path

           

PS:下列是1.6版本的配置資訊，由以前的harbor.cfg改成了harbor.yml，主要内容沒有變，留着是作為參考。

篇幅太多，隻截取部分進行說明，下列中文為個人寫的說明，主要修改hostname，其他可以使用預設

[[email protected] ~]# vi harbor.cfg

hostname填寫自己的ip或域名，不要使用localhost或127.0.0.1

The IP address or hostname to access admin UI and registry service.

DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.

hostname = 192.168.50.157

通路協定，預設是http，也可以設定https，如果設定https，則nginx ssl需要設定on

#The protocol for accessing the UI and token/notification service, by default it is http.

#It can be set to https if ssl is enabled on nginx.

ui_url_protocol = http

郵件設定，發送重置密碼郵件時使用

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.

#Identity left blank to act as username.

email_identity =

email_server = smtp.mydomain.com

email_server_port = 25

email_username = [email protected]

email_password = abc

email_from = admin [email protected]

email_ssl = false

email_insecure = false

啟動Harbor後，管理者UI登入的密碼，預設是Harbor12345

##The initial password of Harbor admin, only works for the first time when Harbor starts.

#It has no effect after the first launch of Harbor.

#Change the admin password from UI after launching Harbor.

harbor_admin_password = Harbor12345

是否開啟自注冊

self_registration = on

Token有效時間，預設30分鐘

#The expiration time (in minute) of token created by token service, default is 30 minutes

token_expiration = 30

使用者建立項目權限控制，預設是everyone（所有人），也可以設定為adminonly（隻能管理者）

#The flag to control what users have permission to create projects

#The default value “everyone” allows everyone to creates a project.

#Set to “adminonly” so that only admin user can create project.

project_creation_restriction = everyone

1. 安裝Harbor

#配置修改之後一定要重新開機docker，否則安裝的時候會報錯，
#比如：ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait
[[email protected] harbor]# service docker restart
#在目前目錄下執行安裝腳本，過程需要下載下傳鏡像，需要一點時間
[[email protected] harbor]# ./install.sh

#可以檢視本地鏡像,多了下列鏡像
[[email protected] ~]# docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
goharbor/chartmuseum-photon     v1.10.2             f7233c953dd9        3 weeks ago         127MB
goharbor/harbor-migrator        v1.10.2             42527a4df778        3 weeks ago         362MB
goharbor/redis-photon           v1.10.2             6d87eab10d9f        3 weeks ago         115MB
goharbor/clair-adapter-photon   v1.10.2             4e7edec88bf4        3 weeks ago         61.2MB
goharbor/clair-photon           v1.10.2             fb972d10c273        3 weeks ago         171MB
goharbor/notary-server-photon   v1.10.2             b6d909215dc4        3 weeks ago         143MB
goharbor/notary-signer-photon   v1.10.2             43c17fcb63de        3 weeks ago         140MB
goharbor/harbor-registryctl     v1.10.2             cff56bea907a        3 weeks ago         103MB
goharbor/registry-photon        v1.10.2             1c6cce6a4f8e        3 weeks ago         86.1MB
goharbor/nginx-photon           v1.10.2             c2de0026ba0d        3 weeks ago         43.6MB
goharbor/harbor-log             v1.10.2             c20325dbaa3a        3 weeks ago         81.9MB
goharbor/harbor-jobservice      v1.10.2             6283c53c8c32        3 weeks ago         143MB
goharbor/harbor-core            v1.10.2             4bc09e35734d        3 weeks ago         129MB
goharbor/harbor-portal          v1.10.2             bcb1b803a1bf        3 weeks ago         51.7MB
goharbor/harbor-db              v1.10.2             42de7ee4943f        3 weeks ago         152MB
goharbor/prepare                v1.10.2             3d2783911e0d        3 weeks ago         159MB

#檢視啟動的容器
[[email protected] ~]# docker ps -a
CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS                 PORTS                                                              NAMES
3ff310149222        goharbor/harbor-jobservice:v1.10.2    "/harbor/harbor_jobs…"   3 hours ago         Up 3 hours (healthy)                               harbor-jobservice
2b8303b8baf3        goharbor/nginx-photon:v1.10.2         "nginx -g 'daemon of…"   3 hours ago         Up 3 hours (healthy)   0.0.0.0:80->8080/tcp        nginx
53c8d2092776        goharbor/harbor-core:v1.10.2          "/harbor/harbor_core"    3 hours ago         Up 3 hours (healthy)                               harbor-core
53da36519e72        goharbor/registry-photon:v1.10.2      "/home/harbor/entryp…"   3 hours ago         Up 3 hours (healthy)   5000/tcp                    registry
63c995a7dc11        goharbor/harbor-db:v1.10.2            "/docker-entrypoint.…"   3 hours ago         Up 3 hours (healthy)   5432/tcp                    harbor-db
10cd9a46e8b8        goharbor/redis-photon:v1.10.2         "redis-server /etc/r…"   3 hours ago         Up 3 hours (healthy)   6379/tcp                    redis
6bd1cffbcc4f        goharbor/harbor-registryctl:v1.10.2   "/home/harbor/start.…"   3 hours ago         Up 3 hours (healthy)                               registryctl
29958823a140        goharbor/harbor-portal:v1.10.2        "nginx -g 'daemon of…"   3 hours ago         Up 3 hours (healthy)   8080/tcp                    harbor-portal
7b5aba976188        goharbor/harbor-log:v1.10.2           "/bin/sh -c /usr/loc…"   3 hours ago         Up 3 hours (healthy)   127.0.0.1:1514->10514/tcp   harbor-log
           

使用Harbor上傳下載下傳鏡像基于http,https協定

1. 向基于http的harbor上傳下載下傳鏡像

   Docker從1.3.X之後，與docker registry互動預設使用的是https，然而harbor隻提供http服務。為了解決這個問題需要在啟動docker時增加啟動參數為預設使用http通路。

   方式一： 修改daemon.json

# 填寫自己ip
[[email protected] ~]# vi /etc/docker/daemon.json
{
  "insecure-registries":["192.168.50.157"]
}

#重新開機docker 
[[email protected] ~]# systemctl restart docker
           

   方式二： 修改docker.service

# ExecStart添加--insecure-registry參數
[[email protected] ~]# vi /usr/lib/systemd/system/docker.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --insecure-registry=192.168.50.157

#重新載入systemd
[[email protected] ~]# systemctl daemon-reload

#重新開機docker 
[[email protected] ~]# systemctl restart docker
           

1. 重新開機docker之後将會發現harbor缺少幾個服務容器，導緻harbor無法使用

# 停止容器
[[email protected] ~]# docker-compose down
#執行上述指令可能出現下列錯誤
[[email protected] ~]# docker-compose down
ERROR: 
        Can't find a suitable configuration file in this directory or any
        parent. Are you in the right directory?

        Supported filenames: docker-compose.yml, docker-compose.yaml
#問題解決
[[email protected] ~]# find / -name docker-compose.yml
/root/harbor/docker-compose.yml
#進入/root/harbor該目錄再次執行即可，該目錄根據每個人安裝目錄不同而不同
# 背景啟動容器
[[email protected] ~]# docker-compose up -d
           

通路頁面

通路剛剛配置檔案的hostname的值，就可以進入Harbor的登陸頁面，填寫配置檔案的賬号密碼，預設是admin,Harbor12345。

小問題記錄

1. 執行docker info指令最後會出現警告：

   WARNING: bridge-nf-call-iptables is disabled

   WARNING: bridge-nf-call-ip6tables is disabled

#在sysctl.conf檔案中添加兩行内容
[[email protected] ~]# vi /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

#執行下列指令或者重新開機(隻試過重新開機)
[[email protected] ~]# sysctl -p
           

1. 系統重新開機後Harbor不能通路，檢視容器發現其中關閉了幾個容器

# 背景啟動容器
[[email protected] ~]# docker-compose up -d

# 停止Harbor
[[email protected] ~]# docker-comose stop

# 重新開機Harbor
[[email protected] ~]# docker-compose restart

# 或者啟動關閉的容器，×××值宕掉的容器
[[email protected] ~]# docker container start ×××
           

1. Harbor不能開機自啟，網上說的貌似都不管用

[參考資料]

https://blog.csdn.net/aixiaoyang168/article/details/73549898

https://www.cnblogs.com/pangguoping/p/7650014.html

https://www.cnblogs.com/straycats/p/8850693.html