1. Install Docker
// Install the helper packages Docker depends on
yum install -y yum-utils device-mapper-persistent-data lvm2
// Add the Docker yum repository
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
// Install Docker
yum install docker-ce
systemctl enable docker
// Start Docker
systemctl start docker
2. Install docker-compose
// Install the EPEL repository, which provides python-pip
yum -y install epel-release
// Edit the EPEL repo definition so that it uses the baseurl entry
vi /etc/yum.repos.d/epel.repo
// Install python pip
yum -y install python-pip
// Install docker-compose with pip
pip install docker-compose
docker-compose --version
3. Install Harbor
(1) Download the offline installer
https://storage.googleapis.com/harbor-releases/release-1.4.0/harbor-offline-installer-v1.4.0.tgz
(2) Upload it to the server and extract it
tar -zxvf harbor-offline-installer-v1.4.0.tgz
(3) Edit docker-compose.yml
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.4.0
    container_name: harbor-log
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: vmware/registry-photon:v2.6.2-v1.4.0
    container_name: registry
    restart: always
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    ports:
      - 5000:5000
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.4.0
    container_name: harbor-db
    restart: always
    volumes:
      - /data/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.4.0
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /data/config/:/etc/adminserver/config/:z
      - /data/secretkey:/etc/adminserver/key:z
      - /data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.4.0
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /data/secretkey:/etc/ui/key:z
      - /data/ca_download/:/etc/ui/ca/:z
      - /data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.4.0
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /data/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx-photon:v1.4.0
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
(4) Edit harbor.cfg
## Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 172.16.0.133

# The protocol for accessing the UI and token/notification service, by default it is http.
# It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http

# Maximum number of job workers in job service
max_job_workers = 3

# Determine whether or not to generate certificate for the registry's token.
# If the value is on, the prepare script creates new root cert and private key
# for generating token to access the registry. If the value is off the default key/cert will be used.
# This flag also controls the creation of the notary signer's cert.
customize_crt = on

# The path of cert and key files for nginx; they are applied only when the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

# The path of secretkey storage
secretkey_path = /data

# Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
log_rotate_size = 200M

# NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
# only take effect in the first boot; subsequent changes of these properties
# should be performed on the web ui

# BEGIN INITIAL PROPERTIES

# Email account settings for sending out password resetting emails.
# Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
# Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false

# The initial password of Harbor admin, only works for the first time when Harbor starts.
# It has no effect after the first launch of Harbor.
# Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345

# By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
# Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

# The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

# A user's DN who has the permission to search the LDAP/AD server.
# If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

# the password of the ldap_searchdn
ldap_search_pwd = password

# The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

# Search filter for LDAP/AD, make sure the syntax of the filter is correct.
ldap_filter = (objectClass=person)

# The attribute used in a search to match a user; it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid

# the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2

# Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

# Verify certificate from LDAP server
ldap_verify_cert = true

# Turn on or off the self-registration feature
self_registration = on

# The expiration time (in minutes) of token created by token service, default is 30 minutes
token_expiration = 30

# The flag to control what users have permission to create projects
# The default value "everyone" allows everyone to create a project.
# Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

# END INITIAL PROPERTIES

# Harbor DB configuration section

# The address of the Harbor database. Only need to change when using external db.
db_host = mysql

# The password for the root user of Harbor DB. Change this before any production use.
db_password = root123

# The port of Harbor database host
db_port = 3306

# The user name of Harbor database
db_user = root

# End of Harbor DB configuration

# The redis server address. Only needed in HA installation.
redis_url =

# Clair DB configuration

# Clair DB host address. Only change it when using an external DB.
clair_db_host = postgres

# The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
# Please update it before deployment. A subsequent update will leave Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password

# Clair DB connect port
clair_db_port = 5432

# Clair DB username
clair_db_username = postgres

# Clair default database
clair_db = postgres

# End of Clair DB configuration

# The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem

# Docker Registry setting
# registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
# registry_storage_provider_config is a comma separated list of "key: value" pairs, e.g. "key1: value, key2: value2".
# Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
(5) Install
In the harbor directory run ./prepare, then ./install.sh. The script imports the images and starts the corresponding containers; once it finishes, docker-compose ps shows their status. Commonly used commands:
docker-compose up -d ### start in the background; containers that do not exist yet are created from the images
docker-compose down -v ### stop the containers and remove them
docker-compose start ### start existing containers; if a container does not exist it is not created and will not start
docker-compose stop ### stop the containers
Note: the commands above act on every container defined in docker-compose.yml. By default docker-compose operates on the docker-compose.yml in the current directory; to use a different yml file, pass it with -f.
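The harbor.cfg above ships with several placeholder secrets (admin, database, Clair, mail, UAA and LDAP search passwords) and is set to plain http. As an added example that is not part of this walkthrough or of Harbor itself, the POSIX shell check below can be run in the harbor directory before ./prepare: it flags any of those values still at their template default, a hostname external clients cannot reach, an http UI protocol, missing TLS files when https is chosen, and open self-registration combined with unrestricted project creation. The function names cfg_get, harbor_cfg_check and write_sample_cfg, and the sample config the last one writes, are assumptions of this example.

```shell
# Pre-flight check for harbor.cfg, meant to run before ./prepare.
# Added example, not Harbor's own code: flags template defaults and weak settings.

# Print the value of "key = value" from a harbor.cfg, skipping '#' comment lines.
cfg_get() {   # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one WARN line per finding; the return status is the number of findings.
harbor_cfg_check() {
    cfg="$1"; n=0
    # Secrets exactly as the template ships them; each must be changed before ./prepare.
    for pair in harbor_admin_password=Harbor12345 db_password=root123 \
                clair_db_password=password email_password=abc \
                uaa_clientsecret=secret ldap_search_pwd=password; do
        key="${pair%%=*}"; dflt="${pair#*=}"
        if [ "$(cfg_get "$cfg" "$key")" = "$dflt" ]; then
            echo "WARN: $key is still the template default '$dflt'"; n=$((n + 1))
        fi
    done
    case "$(cfg_get "$cfg" hostname)" in
        ""|localhost|127.0.0.1)
            echo "WARN: hostname must be an address external clients can reach"; n=$((n + 1)) ;;
    esac
    proto="$(cfg_get "$cfg" ui_url_protocol)"
    if [ "$proto" = "http" ]; then
        echo "WARN: ui_url_protocol=http: logins and image layers cross the network in clear text"; n=$((n + 1))
    elif [ "$proto" = "https" ]; then
        # nginx is handed these two paths, so both must exist and be readable.
        for f in "$(cfg_get "$cfg" ssl_cert)" "$(cfg_get "$cfg" ssl_cert_key)"; do
            [ -r "$f" ] || { echo "WARN: TLS file '$f' is not readable"; n=$((n + 1)); }
        done
    fi
    if [ "$(cfg_get "$cfg" self_registration)" = "on" ] &&
       [ "$(cfg_get "$cfg" project_creation_restriction)" = "everyone" ]; then
        echo "WARN: self_registration=on with project_creation_restriction=everyone: any visitor can register and push"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed harbor.cfg excerpt with the values used in this walkthrough (sample data, not a real file).
write_sample_cfg() {   # $1 = destination path
    printf '%s\n' '# constructed sample' 'hostname = 172.16.0.133' 'ui_url_protocol = http' \
        'harbor_admin_password = Harbor12345' 'db_password = root123' \
        'clair_db_password = password' 'email_password = abc' 'ldap_search_pwd = password' \
        'uaa_clientsecret = secret' 'self_registration = on' \
        'project_creation_restriction = everyone' > "$1"
}
```

Run it as `harbor_cfg_check harbor.cfg` in the harbor directory; a zero exit status means nothing was flagged, and the sample written by write_sample_cfg produces eight findings.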
(6) Verify that the registry was created successfully
Add the private registry and the pull-through mirror to the Docker unit file /usr/lib/systemd/system/docker.service. Because the Harbor endpoint is served over plain http in this setup, it has to be declared with --insecure-registry:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exist and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --registry-mirror=https://u1qbyfsc.mirror.aliyuncs.com \
    --insecure-registry 172.16.0.133:5000
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this option.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
Then restart Docker so the new unit file takes effect.
// Pull a test image
docker pull hello-world
// Tag it for the private registry, log in, and push it (docker tag takes the source image first, then the new name)
docker tag hello-world:latest 172.16.0.133:5000/library/hello-world:v1
docker login 172.16.0.133:5000
Username (admin): admin
Password: Harbor123456
Login Succeeded
docker push 172.16.0.133:5000/library/hello-world:v1
Open 172.16.0.133 in a browser to log in to the Harbor web UI.
Account: admin, password: Harbor12345