Harbor registry installation

1. Environment preparation:

CentOS               Linux release 7.4.1708 (Core)
docker               18.06.1-ce
docker-compose       1.22.0
ip                   10.10.0.135      

2. Installation method:

2.1 harbor:

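You can choose the online or the offline installer. If the host has normal internet access, choose online, and the required packages are pulled on demand. The offline installer is normally used for disconnected installs (it also works with internet access); the required packages are already bundled, so it is larger.

Here I chose the online installer:

Harbor releases: https://github.com/goharbor/harbor/releases (pick the version you need; I chose v1.6.0 online)

(wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-online-installer-v1.6.0.tgz   This requires access to Google.)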

2.2 docker-compose:

curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose

2.3 Extract:

tar -xf harbor-online-installer-v1.6.0.tgz

[root@kubernetes-exam harbor]# grep -v "^#\|^$" harbor.cfg
_version = 1.6.0
hostname = 10.10.0.135
ui_url_protocol = http
max_job_workers = 10 
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui,registry
email_identity = 
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid 
ldap_scope = 2 
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password = 
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =       

(Here I only changed hostname to this machine's IP; everything else is left at the defaults.)
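
A pre-install check for the settings shown above, as an added example (not part of the original post or of Harbor; the function name audit_harbor_cfg and the sample file are constructed here). It parses harbor.cfg and flags HTTP mode, the shipped default passwords, open self-registration and unrestricted project creation before install.sh applies them.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Harbor itself.
# audit_harbor_cfg FILE: print one "WARN key: reason" line per risky setting in a
# Harbor 1.6 harbor.cfg; return 1 if anything was flagged, 0 otherwise.
audit_harbor_cfg() {
  awk '
    function warn(k, why) { printf "WARN %s: %s\n", k, why; bad++ }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      cfg[key] = val
    }
    END {
      if (cfg["ui_url_protocol"] != "https")
        warn("ui_url_protocol", "logins and image layers cross the network in cleartext")
      if (cfg["harbor_admin_password"] == "Harbor12345")
        warn("harbor_admin_password", "still the shipped default")
      if (cfg["db_password"] == "root123")
        warn("db_password", "still the shipped default")
      if (cfg["clair_db_password"] == "root123")
        warn("clair_db_password", "still the shipped default")
      if (cfg["self_registration"] == "on")
        warn("self_registration", "anyone who can reach the UI can create an account")
      if (cfg["project_creation_restriction"] == "everyone")
        warn("project_creation_restriction", "every account can create projects")
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample: the relevant lines of the HTTP-mode harbor.cfg shown above.
sample_cfg() {
  cat <<'EOF'
hostname = 10.10.0.135
ui_url_protocol = http
harbor_admin_password = Harbor12345
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = root123
EOF
}

tmp=$(mktemp) && sample_cfg > "$tmp"
audit_harbor_cfg "$tmp" || echo "fix the settings above before running install.sh"
rm -f "$tmp"
```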

Run the installer with bash ./install.sh, then check the result:

[root@kubernetes-exam harbor]# docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
goharbor/redis-photon         v1.6.0              745667dc5aa8        8 weeks ago         214MB
goharbor/registry-photon      v2.6.2-v1.6.0       1ec7d8d4f0fd        8 weeks ago         201MB
goharbor/nginx-photon         v1.6.0              81df0f8a78c0        8 weeks ago         138MB
goharbor/harbor-log           v1.6.0              0f474b9d4565        8 weeks ago         203MB
goharbor/harbor-jobservice    v1.6.0              4e6a3afe6802        8 weeks ago         198MB
goharbor/harbor-ui            v1.6.0              9cf3894e769e        8 weeks ago         221MB
goharbor/harbor-adminserver   v1.6.0              14d9ee1bbda3        8 weeks ago         187MB
goharbor/harbor-db            v1.6.0              5c39f18ce348        8 weeks ago         225MB
[root@kubernetes-exam harbor]# docker ps
CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS                       PORTS                                                              NAMES
5df2353ac966        goharbor/harbor-jobservice:v1.6.0        "/harbor/start.sh"       About an hour ago   Up About an hour                                                                                harbor-jobservice
9b24ef0f204a        goharbor/nginx-photon:v1.6.0             "nginx -g 'daemon of…"   About an hour ago   Up About an hour (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
faa6245c2f15        goharbor/harbor-ui:v1.6.0                "/harbor/start.sh"       About an hour ago   Up About an hour (healthy)                                                                      harbor-ui
cf7e9739f9c5        goharbor/registry-photon:v2.6.2-v1.6.0   "/entrypoint.sh /etc…"   About an hour ago   Up About an hour (healthy)   5000/tcp                                                           registry
1b6f8dd70dc3        goharbor/harbor-adminserver:v1.6.0       "/harbor/start.sh"       About an hour ago   Up About an hour (healthy)                                                                      harbor-adminserver
f71e44823d36        goharbor/redis-photon:v1.6.0             "docker-entrypoint.s…"   About an hour ago   Up About an hour             6379/tcp                                                           redis
c771246886f2        goharbor/harbor-db:v1.6.0                "/entrypoint.sh post…"   About an hour ago   Up About an hour (healthy)   5432/tcp                                                           harbor-db
5750379b3cb1        goharbor/harbor-log:v1.6.0               "/bin/sh -c /usr/loc…"   About an hour ago   Up About an hour (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log      

Web UI login:

(The default account and password are admin/Harbor12345, which can be found in the harbor.cfg configuration file. After logging in, I changed the password to: Fzh411524.)

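3. Using Harbor:

3.1 Harbor's default installation uses HTTP, whereas Registry v2 and later require HTTPS, so you need to add the --insecure-registry option to the Docker daemon on the client and restart the Docker service: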

echo -e '{\n"insecure-registries":["k8s.gcr.io", "gcr.io", "quay.io"]\n}' > /etc/docker/daemon.json
systemctl restart docker.service      

[root@kubernetes-exam harbor]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.0.135 kubernetes-exam k8s.gcr.io

[root@fzh-hadoop03 docker]# docker login http://k8s.gcr.io
Username: admin
Password:
Login Succeeded

(Note: step 3.1 must be performed on every server in the cluster.)

3.2 Add a project in the Harbor UI:

3.3 push and pull:

[root@kubernetes-exam harbor]# docker push k8s.gcr.io/fzh/busybox:1.0.0       
The push refers to repository [k8s.gcr.io/fzh/busybox]
8a788232037e: Pushed 
1.0.0: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527      
[root@fzh-hadoop03 docker]# docker pull k8s.gcr.io/fzh/busybox:1.0.0
1.0.0: Pulling from fzh/busybox

Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for k8s.gcr.io/fzh/busybox:1.0.0      

4. HTTPS mode:

4.1 Create the CA certificate:
[root@k8s-harbor-registry CERT]# openssl req  -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.........................++
............++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:10.10.0.135
Email Address []:[email protected]   
[root@k8s-harbor-registry CERT]# ls
ca.crt  ca.key      
[root@k8s-harbor-registry CERT]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.0.135 k8s-harbor-registry k8s.gcr.io www.tcharbor.com

4.2 Generate the certificate signing request:
[root@k8s-harbor-registry CERT]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.tcharbor.com.key -out www.tcharbor.com.csr

Note: for a detailed explanation of how the certificates are generated, see the link in 5.1.

[root@k8s-harbor-registry CERT]# ls
ca.crt  ca.key  www.tcharbor.com.csr  www.tcharbor.com.key

4.3 Generate the host certificate:
[root@k8s-harbor-registry CERT]# openssl x509 -req -days 365 -in www.tcharbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.tcharbor.com.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=FZH/OU=FZH/CN=www.tcharbor.com/[email protected]
Getting CA Private Key
[root@k8s-harbor-registry CERT]# ls
ca.crt  ca.key  ca.srl  www.tcharbor.com.crt  www.tcharbor.com.csr  www.tcharbor.com.key
      

[root@k8s-harbor-registry CERT]# cp www.tcharbor.com.crt www.tcharbor.com.key /root/cert/         # required
[root@k8s-harbor-registry ~]# mkdir /etc/docker/certs.d/www.tcharbor.com/ -p
[root@k8s-harbor-registry cert]# ls
www.tcharbor.com.crt www.tcharbor.com.key
[root@k8s-harbor-registry cert]# cp www.tcharbor.com.crt /etc/docker/certs.d/www.tcharbor.com/    # required
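
Steps 4.2 and 4.3 sign the CSR without extensions, so the certificate names the host only in its CN; Docker clients built with Go 1.15 or later ignore the CN and require a subjectAltName. The script below is an added example (not from the original post): it repeats steps 4.1 to 4.3 non-interactively with a SAN for www.tcharbor.com and 10.10.0.135, then checks the chain and the SAN. The function names and the CA's CN are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Helper names are hypothetical;
# the host name and IP are the ones used on this page.

# make_ca DIR [BITS]: self-signed CA, the non-interactive form of step 4.1.
# The CA common name is a constructed placeholder.
make_ca() {
  openssl req -newkey "rsa:${2:-4096}" -nodes -sha256 -x509 -days 365 \
    -subj "/C=CN/ST=SH/L=SH/O=CA/OU=CA/CN=harbor-private-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert DIR HOST IP [BITS]: steps 4.2 and 4.3, plus an extension
# file so the signed certificate carries a subjectAltName for HOST and IP.
issue_server_cert() {
  openssl req -newkey "rsa:${4:-4096}" -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf 'subjectAltName = DNS:%s, IP:%s\nextendedKeyUsage = serverAuth\n' \
    "$2" "$3" > "$1/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# san_covers CRT NAME: true only if NAME is listed as a DNS or IP entry in the
# SAN. The CN is deliberately not consulted, to match what the Docker client does.
san_covers() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# check_server_cert DIR HOST NAME: the chain verifies against ca.crt and the
# SAN covers NAME.
check_server_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
    san_covers "$1/$2.crt" "$3"
}

# Demo with 2048-bit keys to keep it quick; the helpers default to rsa:4096
# as used on this page.
d=$(mktemp -d)
if make_ca "$d" 2048 &&
   issue_server_cert "$d" www.tcharbor.com 10.10.0.135 2048 &&
   check_server_cert "$d" www.tcharbor.com 10.10.0.135; then
  echo "chain verifies and SAN covers 10.10.0.135"
else
  echo "certificate check failed" >&2
fi
rm -rf "$d"
```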

4.4 Modify harbor.cfg:

[root@k8s-harbor-registry ~]# grep -v "^#\|^$" harbor/harbor.cfg
_version = 1.6.0
hostname = www.tcharbor.com        (an IP address also works)
ui_url_protocol = https
max_job_workers = 10
customize_crt = on
ssl_cert = /root/cert/www.tcharbor.com.crt
ssl_cert_key = /root/cert/www.tcharbor.com.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =

4.5 Initialize:
[root@k8s-harbor-registry harbor]# ./prepare 
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@k8s-harbor-registry harbor]# ls
common                          docker-compose.clair.yml   docker-compose.yml  harbor.cfg  LICENSE  open_source_license
docker-compose.chartmuseum.yml  docker-compose.notary.yml  ha                  install.sh  NOTICE   prepare
[root@k8s-harbor-registry harbor]# ll -htr
total 1.6M
-rwxr-xr-x. 1 root root  39K Sep 11 18:02 prepare
-rw-r--r--. 1 root root 1.5M Sep 11 18:02 open_source_license
-rw-r--r--. 1 root root  482 Sep 11 18:02 NOTICE
-rw-r--r--. 1 root root  11K Sep 11 18:02 LICENSE
-rwxr-xr-x. 1 root root 6.1K Sep 11 18:02 install.sh
drwxr-xr-x. 3 root root 4.0K Sep 11 18:02 ha
-rw-r--r--. 1 root root 3.6K Sep 11 18:02 docker-compose.yml
-rw-r--r--. 1 root root 1.3K Sep 11 18:02 docker-compose.notary.yml
-rw-r--r--. 1 root root  777 Sep 11 18:02 docker-compose.clair.yml
-rw-r--r--. 1 root root  727 Sep 11 18:02 docker-compose.chartmuseum.yml
-rw-r--r--. 1 root root 7.8K Nov  8 14:04 harbor.cfg
drwxr-xr-x. 4 root root   35 Nov  8 14:04 common
[root@k8s-harbor-registry harbor]# ls common/
config  templates
[root@k8s-harbor-registry harbor]# ls common/config/
adminserver  db  jobservice  log  nginx  registry  registryctl  ui
[root@k8s-harbor-registry harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-log
51be32cd3c9d: Pull complete
fd9cdcfcef45: Pull complete
4167b797c339: Pull complete
b22d11b0e478: Pull complete
d5aad3df7cee: Pull complete
bd43de1bbd44: Pull complete
7494eff3da48: Pull complete
Digest: sha256:27f9e24f28393a6052b71c93b1571f2269e1d3c489f4081996a099ac88ff56ff
Status: Downloaded newer image for goharbor/harbor-log:v1.6.0
Pulling registry (goharbor/registry-photon:v2.6.2-v1.6.0)...
v2.6.2-v1.6.0: Pulling from goharbor/registry-photon
51be32cd3c9d: Already exists
eaf5637d77d9: Pull complete
c68621c7e44d: Pull complete
314e16c23f49: Pull complete
e3f6c59a8a19: Pull complete
e4f08365b84c: Pull complete
29c822b725fa: Pull complete
Digest: sha256:070dcc29fb5b34cdcc982394ead57f598160fd61bd8daee4b2a5f39ea37bd7a0
Status: Downloaded newer image for goharbor/registry-photon:v2.6.2-v1.6.0
Pulling postgresql (goharbor/harbor-db:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-db
51be32cd3c9d: Already exists
16bdbb239be8: Pull complete
1f2308455a1a: Pull complete
886c09e06dee: Pull complete
4c74f43fb3f6: Pull complete
a5a85370032d: Pull complete
c393ddbdd7fb: Pull complete
ae546b8414b0: Pull complete
Digest: sha256:ee65d512c93860bd4872be296de80c079842a64e2a4002360e720222a87ec346
Status: Downloaded newer image for goharbor/harbor-db:v1.6.0
Pulling adminserver (goharbor/harbor-adminserver:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-adminserver
51be32cd3c9d: Already exists
a12ecf0fa8fc: Pull complete
3757394ad64f: Pull complete
26ceec7e26ff: Pull complete
e8d90789101d: Pull complete
Digest: sha256:c3ca012c2d69099ba4e3bbedc58ffe146fd10aa5129d44cc7d735edf6167959e
Status: Downloaded newer image for goharbor/harbor-adminserver:v1.6.0
Pulling ui (goharbor/harbor-ui:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-ui
51be32cd3c9d: Already exists
ec6a6b245304: Pull complete
a88d6c453ccb: Pull complete
d5e2e9e0086a: Pull complete
f8d7e9d8512c: Pull complete
a06b1a705b19: Pull complete
Digest: sha256:de332db437b8df6ce05203247cbf97ac9f4953672a8c22be8858aee47a0f435f
Status: Downloaded newer image for goharbor/harbor-ui:v1.6.0
Pulling redis (goharbor/redis-photon:v1.6.0)...
v1.6.0: Pulling from goharbor/redis-photon
51be32cd3c9d: Already exists
c400e93ba418: Pull complete
170ae129f67d: Pull complete
bffa31ec55cd: Pull complete
5b72a97a5506: Pull complete
Digest: sha256:4095dc26d6331b4d3c25377bc02d95501c51fbba99f31f9761d321bbc17803af
Status: Downloaded newer image for goharbor/redis-photon:v1.6.0
Pulling jobservice (goharbor/harbor-jobservice:v1.6.0)...
v1.6.0: Pulling from goharbor/harbor-jobservice
51be32cd3c9d: Already exists
ffcdeda0f50f: Pull complete
e69daf7ff175: Pull complete
840fbfb5576e: Pull complete
Digest: sha256:51d2bf14cd9d1bbf082793a0556ff949937655c67569a86424210a1455f60057
Status: Downloaded newer image for goharbor/harbor-jobservice:v1.6.0
Pulling proxy (goharbor/nginx-photon:v1.6.0)...
v1.6.0: Pulling from goharbor/nginx-photon
51be32cd3c9d: Already exists
edc138fa5ed7: Pull complete
Digest: sha256:3270c6fc3bdaaecd16280592e916e2cfcf7c5eb54ffc46d79b507b625e3fb4c6
Status: Downloaded newer image for goharbor/nginx-photon:v1.6.0
Creating harbor-log ... done
Creating redis              ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done      
[root@k8s-harbor-registry harbor]# docker ps
CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS                    PORTS                                                              NAMES
14936251ce61        goharbor/nginx-photon:v1.6.0             "nginx -g 'daemon of…"   37 seconds ago      Up 36 seconds (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
c9937695a6be        goharbor/harbor-jobservice:v1.6.0        "/harbor/start.sh"       38 seconds ago      Up 36 seconds                                                                                harbor-jobservice
7f19f7a91d4a        goharbor/harbor-ui:v1.6.0                "/harbor/start.sh"       38 seconds ago      Up 37 seconds (healthy)                                                                      harbor-ui
c8ae4682e20f        goharbor/harbor-db:v1.6.0                "/entrypoint.sh post…"   39 seconds ago      Up 37 seconds (healthy)   5432/tcp                                                           harbor-db
dd6ccde6e2b8        goharbor/harbor-adminserver:v1.6.0       "/harbor/start.sh"       39 seconds ago      Up 33 seconds (healthy)                                                                      harbor-adminserver
9471af19294b        goharbor/redis-photon:v1.6.0             "docker-entrypoint.s…"   39 seconds ago      Up 38 seconds             6379/tcp                                                           redis
ac75fcbe03a3        goharbor/registry-photon:v2.6.2-v1.6.0   "/entrypoint.sh /etc…"   39 seconds ago      Up 38 seconds (healthy)   5000/tcp                                                           registry
e664fe1a47a9        goharbor/harbor-log:v1.6.0               "/bin/sh -c /usr/loc…"   40 seconds ago      Up 39 seconds (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log      

Log in at https://10.10.0.135 and create a new project: "fzh"

4.6  push and pull:

[root@k8s-harbor-registry ~]# docker login -u admin -p Harbor12345 www.tcharbor.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded      
[root@k8s-harbor-registry ~]# docker push www.tcharbor.com/fzh/busybox:1.0.0 
The push refers to repository [www.tcharbor.com/fzh/busybox]
8a788232037e: Pushed 
1.0.0: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527      
[root@k8s-node-01 ~]# docker login -u admin -p Harbor12345 www.tcharbor.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-node-01 ~]# docker pull www.tcharbor.com/fzh/busybox:1.0.0
1.0.0: Pulling from fzh/busybox
90e01955edcd: Pull complete 
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for www.tcharbor.com/fzh/busybox:1.0.0      

Push and pull both work.

Note: the following must be done on every Docker server:

A  Add a record to /etc/hosts: 10.10.0.135  www.tcharbor.com

B  Copy the crt from the Harbor server to every Docker server: /etc/docker/certs.d/www.tcharbor.com/www.tcharbor.com.crt

C  Log in: docker login -u admin -p Harbor12345 www.tcharbor.com

With only A and B: pull works but push does not

With A, B and C all done: both pull and push work
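
Steps A to C as a repeatable script for one Docker client, added here as an example (not part of the original post). The ROOT prefix and the function names are assumptions; ROOT lets the file changes be rehearsed in a scratch directory, and the login reads the password from stdin instead of taking -p on the command line.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: steps A to C for one Docker client.
# ROOT is a hypothetical path prefix; pass / (as root) on a real host.

# add_hosts_entry ROOT IP HOST: step A. Idempotent; returns 2 and changes
# nothing if HOST is already mapped to a different address.
add_hosts_entry() {
  f="${1%/}/etc/hosts"
  mkdir -p "${f%/*}" && touch "$f" || return 1
  st=0
  awk -v ip="$2" -v h="$3" '
    /^[ \t]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == h) { if ($1 == ip) good = 1; else bad = 1 } }
    END { rc = bad ? 2 : (good ? 0 : 1); exit rc }' "$f" || st=$?
  case $st in
    0) return 0 ;;
    2) echo "refusing: $3 already maps to another address in $f" >&2; return 2 ;;
  esac
  printf '%s %s\n' "$2" "$3" >> "$f"
}

# install_registry_crt ROOT HOST CRT: step B. Docker trusts every *.crt in this
# directory as a CA root for HOST, so refuse a file that also holds a private key.
install_registry_crt() {
  d="${1%/}/etc/docker/certs.d/$2"
  grep -q -e '-----BEGIN CERTIFICATE-----' "$3" ||
    { echo "no PEM certificate in $3" >&2; return 1; }
  if grep -q 'PRIVATE KEY-----' "$3"; then
    echo "private key found in $3" >&2; return 1
  fi
  mkdir -p "$d" && cp "$3" "$d/${3##*/}" && chmod 0644 "$d/${3##*/}"
}

# harbor_login HOST USER: step C. The password is read from stdin, so it never
# appears in the process arguments (compare the CLI warning shown in 4.6).
harbor_login() { docker login --username "$2" --password-stdin "$1"; }

# Rehearsal in a scratch root with a constructed placeholder certificate.
root=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
  '-----END CERTIFICATE-----' > "$root/www.tcharbor.com.crt"
add_hosts_entry "$root" 10.10.0.135 www.tcharbor.com &&
  install_registry_crt "$root" www.tcharbor.com "$root/www.tcharbor.com.crt" &&
  find "$root/etc" -type f
rm -rf "$root"
```

On a real client, call harbor_login with the password supplied on stdin from a file or prompt that only the operator can read.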

5. Reference links:

5.1 https://github.com/goharbor/harbor/blob/release-1.4.0/docs/configure_https.md 
