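I. Introduction to Harbor
1. About the Harbor registry
Harbor is an enterprise-grade Docker Registry project open-sourced by VMware.
Advantages of Harbor:
♤ Role-based access control
♤ Image-based replication policies
♤ LDAP/AD support
♤ Image deletion and log collection
♤ Graphical UI
♤ Auditing
♤ RESTful API: exposes API endpoints that follow REST conventions, so third-party software can call them easily
2. Harbor feature overview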
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiIyVGduV2YfNWawNCM38FdsYkRGZkRG9lcvx2bjxiNx8VZ6l2cs0TPn1ENBRVT1UERPBDOsJGcohVYsR2MMBjVtJWd0ckW65UbM5WOHJWa5kHT20ESjBjUIF2X0hXZ0xCMx81dvRWYoNHLrdEZwZ1Rh5WNXp1bwNjW1ZUba9VZwlHdssmch1mclRXY39CXldWYtlWPzNXZj9mcw1ycz9WL49zZuBnLycjN3EDOwETMwITMxAjMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
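3. Harbor private registry architecture topology
The proxy (a reverse proxy) receives incoming requests; a proxied request can reach one of two kinds of back-end service:
♦ One fetches image resources from the Registry through the web pages
♦ The other fetches them from the Registry directly by command
Core services provides the web graphical service: UI provides the front-end pages, token provides identity-token authentication, and webhook provides the web page service.
The Registry stores the image resources, which can be pulled through proxied requests or by requests from core services.
Data produced by the core services (such as identity tokens) is stored in the back-end Database.
Logs produced by the whole Harbor service are collected and managed by the Log collector.
II. Setting up the Harbor registry
Project background: the company recently raised a new requirement to package every project as an image and deploy a private registry service. After several rounds of discussion, Docker Harbor was chosen. Docker Harbor has a visual web management interface that makes Docker images easy to manage, and it also provides image permission management and control across multiple projects.
Project requirement: build a private Docker registry with Harbor and manage its images through the graphical interface.
Software required
Harbor server: docker-ce, docker-compose, harbor-offline
Client: docker-ce
1. Check docker and docker-compose
[[email protected] ~]# docker -v ## check the docker version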
Docker version 19.03.13, build 4484c46d9d
[[email protected] ~]# docker-compose -v ## check the docker-compose version
docker-compose version 1.21.1, build 5a3f1a3
2. Extract the Harbor package
[[email protected] ~]# ls ## list the package
harbor-offline-installer-v1.2.2.tgz
[[email protected] ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/ ## extract
3. Edit the configuration file harbor.cfg
[[email protected] ~]# vim /usr/local/harbor/harbor.cfg
hostname = 192.168.10.30 ## line 5: change to this host's address
harbor_admin_password = Harbor12345 ## line 59: sets the Harbor login password; the default is Harbor12345
[[email protected] ~]# cd /usr/local/harbor/
[[email protected] harbor]# ls ## list the files
common docker-compose.notary.yml harbor_1_1_0_template harbor.v1.2.2.tar.gz LICENSE prepare
docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh NOTICE upgrade
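1 The Harbor installation script install.sh is in the /usr/local/harbor directory
2 The install.sh script specifies the docker-compose.yml orchestration file
3 docker-compose.yml is in the current directory; looking through it shows that it orchestrates 7 containers
4. Run the installation script and check the containers
[[email protected] harbor]# sh /usr/local/harbor/install.sh ## run the installation
[[email protected] harbor]# docker ps -a ## list the containers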
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f238393a9460 vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" 3 minutes ago Up 3 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
dce7070b896b vmware/harbor-jobservice:v1.2.2 "/harbor/harbor_jobs…" 3 minutes ago Up 3 minutes harbor-jobservice
1c7d3a91eed7 vmware/harbor-ui:v1.2.2 "/harbor/harbor_ui" 3 minutes ago Up 3 minutes harbor-ui
2ed04682f845 vmware/harbor-adminserver:v1.2.2 "/harbor/harbor_admi…" 3 minutes ago Up 3 minutes harbor-adminserver
a1f09c86820b vmware/harbor-db:v1.2.2 "docker-entrypoint.s…" 3 minutes ago Up 3 minutes 3306/tcp harbor-db
28bc92da77d8 vmware/registry:2.6.2-photon "/entrypoint.sh serv…" 3 minutes ago Up 3 minutes 5000/tcp registry
602b5bf23725 vmware/harbor-log:v1.2.2 "/bin/sh -c 'crond &…" 3 minutes ago Up 3 minutes 127.0.0.1:1514->514/tcp harbor-log
[[email protected] harbor]# expr `docker ps -a |wc -l` - 1 ## count the containers created: exactly 7
7
5. Web access test
6. Image upload test
[[email protected] ~]# docker pull nginx ## first pull the nginx image from the public registry for testing
[[email protected] ~]# docker images ## list the pulled image
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest c39a868aad02 9 days ago 133MB
[[email protected] ~]# docker login -u admin -p 'Harbor12345' http://192.168.10.30 ## login using the IP address is refused
Password:
Error response from daemon: Get https://192.168.10.30/v2/: dial tcp 192.168.10.30:443: connect: connection refused
[[email protected] ~]# docker login -u admin -p 'Harbor12345' http://127.0.0.1 ## log in to the Harbor registry locally
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[[email protected] ~]# docker tag nginx:latest 192.168.10.30/project-ltp/nginx ## tag the image with 192.168.10.30 as the registry
[[email protected] ~]# docker push 192.168.10.30/project-ltp/nginx ## the push fails
The push refers to repository [192.168.10.30/project-ltp/nginx]
Get https://192.168.10.30/v2/: dial tcp 192.168.10.30:443: connect: connection refused
[[email protected] ~]# docker tag nginx:latest 127.0.0.1/project-ltp/nginx01 ## tag it with 127.0.0.1 as the registry
[[email protected] ~]# docker push 127.0.0.1/project-ltp/nginx01 ## push again: succeeds
The push refers to repository [127.0.0.1/project-ltp/nginx01]
7b5417cae114: Pushed
aee208b6ccfb: Pushed
2f57e21e4365: Pushed
2baf69a23d7a: Pushed
d0fe97fa8b8c: Pushed
latest: digest: sha256:34f3f875e745861ff8a37552ed7eb4b673544d2c56c7cc58f9a9bec5b4b3530e size: 1362
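7. Client upload and download test
Before a client can log in to Harbor, its docker.service unit file has to be modified: login to Harbor uses HTTPS by default and login over plain HTTP does not work, so the service configuration must be changed.
[[email protected] ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.10.30 --containerd=/run/containerd/containerd.sock ## add --insecure-registry 192.168.10.30, pointing at the Harbor registry address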
[[email protected] ~]# systemctl daemon-reload
[[email protected] ~]# systemctl restart docker
[[email protected] ~]# docker login -u admin http://192.168.10.30 -p 'Harbor12345'
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[[email protected] ~]# docker pull 192.168.10.30/project-ltp/nginx01 ## pull the image
Using default tag: latest
latest: Pulling from project-ltp/nginx01
bb79b6b2107f: Pull complete
5a9f1c0027a7: Pull complete
b5c20b2b484f: Pull complete
166a2418f7e8: Pull complete
1966ea362d23: Pull complete
Digest: sha256:34f3f875e745861ff8a37552ed7eb4b673544d2c56c7cc58f9a9bec5b4b3530e
Status: Downloaded newer image for 192.168.10.30/project-ltp/nginx01:latest
192.168.10.30/project-ltp/nginx01:latest
[[email protected] ~]# docker images ## the pull succeeded
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.10.30/project-ltp/nginx01 latest c39a868aad02 9 days ago 133MB
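Section 3 leaves harbor_admin_password at the installer default, and section 7 exempts the registry from TLS with --insecure-registry, so the login and the image layers cross the network unprotected. The script below is an added example, not part of the original post, that checks a harbor.cfg and a docker.service for both settings; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two settings this walkthrough edits.
# Function names and sample files are constructed for illustration.

# Print the value of a "key = value" line in harbor.cfg (last match wins).
cfg_value() {    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Exit 0 if harbor.cfg still carries the installer's default admin password.
has_default_admin_password() {
    [ "$(cfg_value "$1" harbor_admin_password)" = "Harbor12345" ]
}

# Print each registry that a dockerd ExecStart line exempts from TLS.
# Handles "--insecure-registry HOST" and "--insecure-registry=HOST".
insecure_registries() {
    grep '^[[:space:]]*ExecStart=' "$1" | tr -s ' \t' '\n\n' |
        awk '/^--insecure-registry=/ { sub(/^--insecure-registry=/, ""); print; next }
             want { print; want = 0; next }
             $0 == "--insecure-registry" { want = 1 }'
}

# Constructed sample files mirroring the edits shown in sections 3 and 7.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/harbor.cfg" <<'EOF'
hostname = 192.168.10.30
harbor_admin_password = Harbor12345
EOF
cat > "$SAMPLE_DIR/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.10.30 --containerd=/run/containerd/containerd.sock
EOF

if has_default_admin_password "$SAMPLE_DIR/harbor.cfg"; then
    echo "harbor.cfg: harbor_admin_password is still the default"
fi
for reg in $(insecure_registries "$SAMPLE_DIR/docker.service"); do
    echo "docker.service: $reg is reached without TLS verification"
done
```

On a real host, point the two functions at /usr/local/harbor/harbor.cfg and /usr/lib/systemd/system/docker.service, the paths used above.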
8. Create administrative users
Add an administrator
Add a project management user (the user must be created first)