Harbor deployment getting-started guide
tags: storage
Table of contents
Harbor deployment getting-started guide
1. What is Harbor
2. Harbor architecture
Prerequisites
Harbor installation requirements
Install docker
Install docker-compose
3. Harbor HTTP deployment, accessed by IP
3.1 Install Harbor
3.2 Test results
3.2.1 Registry login
3.2.2 Web UI login
3.2.3 Change the password
3.2.4 Push an image
3.2.5 Pull an image
4. Harbor HTTP deployment, accessed by domain name
4.1 Clean up leftovers
4.2 Modify the configuration
4.3 Install Harbor
4.3 Test results
4.3.1 Registry login
4.3.2 Web UI login
4.3.3 Push an image
5. Harbor HTTPS deployment, accessed by IP
5.1 Clean up leftovers
5.2 Modify the configuration
5.2.1 harbor.yaml
5.2.2 /etc/docker/daemon.json
5.2.3 Generate a certificate authority certificate
5.2.4 Generate a server certificate
5.2.5 Provide the certificates to Harbor and Docker
5.2.6 Trust the certificate at the OS level
5.3 Deploy or reconfigure Harbor
5.4 Test results
5.4.1 Registry login
5.4.2 Web UI login
5.4.3 Push an image
5.4.4 Pull an image
6 Harbor HTTPS deployment, accessed by domain name
6.1 Clean up leftovers
6.2 Modify the configuration
6.2.1 harbor.yaml
6.2.2 /etc/docker/daemon.json
6.3 Configure certificates
6.3.1 Generate a certificate authority certificate
6.3.2 Generate a server certificate
6.3.4 Provide the certificates to Harbor and Docker
6.3.5 Trust the certificate at the OS level
6.4 Deploy or reconfigure Harbor
6.5 Test
6.5.1 Registry login
6.5.2 Web UI login
6.5.3 Push an image
6.5.4 Pull an image
1. What is Harbor
Docker has a vivid metaphor: containers are shipping containers, Kubernetes is the helmsman, and Harbor is the harbor. Harbor is in fact a registry for storing container images. When an enterprise uses docker and kubernetes it generally needs a private image registry, and Harbor is one of the best. The official description: Harbor secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor is a CNCF graduated project that delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.
Features:
Security
- Security and vulnerability analysis
- Content signing and validation
Management
- Multi-tenancy
- Extensible API and web UI
- Replication across many registries, including Harbor
- Identity integration and role-based access control
2. Harbor architecture
Proxy: Harbor's registry, UI, token service and other components all sit behind a reverse proxy. The proxy forwards requests from browsers and docker clients to the backend services.
Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, on every push/pull request the Registry requires the client to obtain a valid token from the token service.
Core services: Harbor's core functionality, mainly the following three services:
UI: a graphical user interface that helps users manage images; it also acts as the Registry webhook endpoint.
1. Webhook is a mechanism configured in the registry: when an image in the registry changes, the registry notifies Harbor's webhook endpoint. Harbor uses webhooks to update logs, kick off replication jobs, and so on.
2. Token service issues a token for each push/pull request according to the user's role in the project. If a request carries no token, the registry redirects it to the token service.
3. Database stores project metadata, user data, role data, replication policies and image metadata.
Job services: mainly used for image replication; local images can be replicated to a remote Harbor instance.
Log: collects the logs of the other modules in one place.
Prerequisites
Harbor installation requirements
Install docker
Install docker-compose
3. Harbor HTTP deployment, accessed by IP
3.1 Install Harbor
$ tar xzvf harbor-online-installer-v2.3.4.tgz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
$ ls
harbor  harbor-online-installer-v2.3.4.tgz
$ cd harbor/
harbor/$ ls
common.sh  harbor.yml.tmpl  install.sh  LICENSE  prepare
If we try to reinstall, the harbor directory must be kept exactly as it was when first extracted; and if we reinstall without changing the data directory, we should also wipe it: rm -r /data/*
$ cp harbor.yml.tmpl harbor.yml
$ vim harbor.yml
$ cat harbor.yml | grep -v '#' | grep -v '^$'
hostname: 192.168.211.70
http:
  port: 80
harbor_admin_password: 123456
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
I changed the following:
hostname is set to this machine's IP address: 192.168.211.70
The https-related configuration is commented out
You may be tempted to change the password in the harbor.yaml configuration file, but the comment there explains that we should change it in the login UI. So if the configuration file sets admin's login password to 123456, it may produce an error; in any case, I ran into it, perhaps because of my browser cache, or leftovers on the deployment machine.
$ ./prepare
prepare base dir is set to /root/harbor/harbor1/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
# Some configuration and data are generated under /data.
$ ls /data/
ca_download  database  job_logs  redis  registry  secret
Since we are deploying a non-secure (plain HTTP) Harbor, don't forget to adjust the docker configuration as well: add the insecure-registries parameter.
$ cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ],
  "insecure-registries": [
    "192.168.211.70"
  ]
}
Then run the deployment. The first time may be slow because the images have to be pulled, but later deployments take only a few seconds.
$ ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.10
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.1.1
[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /root/harbor/harbor1/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/db/env
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 4]: starting Harbor ...
[+] Running 10/10
 ⠿ Network harbor_harbor          Created    0.1s
 ⠿ Container harbor-log           Started    2.2s
 ⠿ Container registry             Started    5.5s
 ⠿ Container harbor-portal        Started    6.1s
 ⠿ Container registryctl          Started    8.2s
 ⠿ Container redis                Started    8.7s
 ⠿ Container harbor-db            Started    6.5s
 ⠿ Container harbor-core          Started   10.1s
 ⠿ Container nginx                Started   12.4s
 ⠿ Container harbor-jobservice    Started   13.4s
✔ ----Harbor has been installed and started successfully.----
$ docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED          STATUS                    PORTS                                         NAMES
aace64158bb9   goharbor/nginx-photon:v2.3.4         "nginx -g 'daemon of…"   20 minutes ago   Up 20 minutes (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   nginx
2fb44007a910   goharbor/harbor-jobservice:v2.3.4    "/harbor/entrypoint.…"   21 minutes ago   Up 20 minutes (healthy)                                                 harbor-jobservice
07e9c7fc4789   goharbor/harbor-core:v2.3.4          "/harbor/entrypoint.…"   21 minutes ago   Up 20 minutes (healthy)                                                 harbor-core
6a530d9902f0   goharbor/redis-photon:v2.3.4         "redis-server /etc/r…"   21 minutes ago   Up 20 minutes (healthy)                                                 redis
857e8929f318   goharbor/registry-photon:v2.3.4      "/home/harbor/entryp…"   21 minutes ago   Up 20 minutes (healthy)                                                 registry
a6f1e3951798   goharbor/harbor-registryctl:v2.3.4   "/home/harbor/start.…"   21 minutes ago   Up 20 minutes (healthy)                                                 registryctl
044a0dbe8f0f   goharbor/harbor-db:v2.3.4            "/docker-entrypoint.…"   21 minutes ago   Up 20 minutes (healthy)                                                 harbor-db
3a111e636acd   goharbor/harbor-portal:v2.3.4        "nginx -g 'daemon of…"   21 minutes ago   Up 20 minutes (healthy)                                                 harbor-portal
da038195ace4   goharbor/harbor-log:v2.3.4           "/bin/sh -c /usr/loc…"   21 minutes ago   Up 20 minutes (healthy)   127.0.0.1:1514->10514/tcp                     harbor-log
$ docker-compose ps
NAME                COMMAND                  SERVICE       STATUS              PORTS
harbor-core         "/harbor/entrypoint.…"   core          running (healthy)
harbor-db           "/docker-entrypoint.…"   postgresql    running (healthy)
harbor-jobservice   "/harbor/entrypoint.…"   jobservice    running (healthy)
harbor-log          "/bin/sh -c /usr/loc…"   log           running (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       "nginx -g 'daemon of…"   portal        running (healthy)
nginx               "nginx -g 'daemon of…"   proxy         running (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               "redis-server /etc/r…"   redis         running (healthy)
registry            "/home/harbor/entryp…"   registry      running (healthy)
registryctl         "/home/harbor/start.…"   registryctl   running (healthy)
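Before running ./prepare and ./install.sh it pays to confirm that harbor.yml and /etc/docker/daemon.json agree on what is being deployed: the hostname matches an insecure-registries entry, the https block really is commented out, and the admin password is neither the documented default nor one the UI will reject. The script below is an added example, not part of the Harbor installer; it assumes the harbor.yml keys shown above, and its 8-character minimum is an assumption about Harbor's password policy rather than something this post states.

```shell
#!/bin/sh
# Pre-install consistency check for an HTTP/IP Harbor deployment (added example,
# not part of the Harbor installer). Assumes the harbor.yml keys shown above and a
# daemon.json that lists the registry under "insecure-registries".

# Print the value of a top-level harbor.yml key (first match, surrounding quotes stripped).
harbor_yml_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# Rule the post discovers in 3.2.3: upper- and lower-case letters plus a digit. The
# 8-character minimum is an assumption about Harbor's policy, not stated in the post.
harbor_password_ok() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  printf '%s' "$pw" | grep -q '[[:upper:]]' || return 1
  printf '%s' "$pw" | grep -q '[[:lower:]]' || return 1
  printf '%s' "$pw" | grep -q '[[:digit:]]'
}

# Return 0 when harbor.yml and daemon.json agree for a plain-HTTP deployment, 1 otherwise.
harbor_http_precheck() {
  yml=$1; daemon=$2; rc=0
  host=$(harbor_yml_get "$yml" hostname)
  pw=$(harbor_yml_get "$yml" harbor_admin_password)
  [ -n "$host" ] || { echo "FAIL: hostname is not set in $yml"; rc=1; }
  # An active https: block makes prepare look for certificate files we do not have yet.
  ! grep -q '^https:' "$yml" || { echo "FAIL: https block is active but no certificates are configured"; rc=1; }
  [ "$pw" != "Harbor12345" ] || { echo "FAIL: admin password is still the documented default"; rc=1; }
  harbor_password_ok "$pw" || { echo "FAIL: admin password does not meet the upper/lower/digit rule"; rc=1; }
  # Without this entry, docker login/push/pull against the HTTP registry fails.
  grep -qF "\"$host\"" "$daemon" || { echo "FAIL: $host is missing from insecure-registries in $daemon"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK: $host will run as a plain-HTTP (insecure) registry; plan the move to HTTPS"
  return "$rc"
}

# Constructed sample files mirroring the post's configuration; $1 is the admin password to test.
demo_harbor_precheck() {
  d=$(mktemp -d)
  printf 'hostname: 192.168.211.70\nhttp:\n  port: 80\n# https:\n#   port: 443\nharbor_admin_password: %s\n' "$1" > "$d/harbor.yml"
  printf '{ "insecure-registries": [ "192.168.211.70" ] }\n' > "$d/daemon.json"
  if harbor_http_precheck "$d/harbor.yml" "$d/daemon.json"; then rc=0; else rc=1; fi
  rm -rf "$d"; return "$rc"
}

demo_harbor_precheck Ghost12345
```

Run it with 123456, the password the post first tries, and the check fails on the same rule the UI later enforces.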
Harbor is installed; let's verify it.
3.2 Test results
3.2.1 Registry login
3.2.2 Web UI login
Web UI login username/password: admin/Harbor12345
3.2.3 Change the password
Now let's try changing admin's initial password Harbor12345 to 123456.
It turns out that the admin password must contain both upper- and lower-case letters as well as digits.
So we change admin's password to Ghost12345 instead.
The change succeeds, and logging out and back in also works (screenshot omitted).
Naturally, the registry login password changes along with it.
$ docker login 192.168.211.70
Authenticating with existing credentials...
Stored credentials invalid or expired
Username (admin):
Password:            # hidden input (Ghost12345)
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
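The warning printed by docker login is worth acting on: without a credential helper, the admin password is kept in /root/.docker/config.json as a base64 "auth" value, which is an encoding rather than encryption. The script below is an added example, not from this post; it audits a Docker client config for inline credentials and reports whether a credential helper (credsStore) is configured. It assumes the pretty-printed layout docker itself writes, and the sample config it builds is constructed.

```shell
#!/bin/sh
# Audit a Docker client config for credentials kept inline (added example, not from the
# post). Assumes docker's own pretty-printed layout: an "auths" object keyed by registry,
# each with an "auth" value, plus an optional "credsStore" string.

# Print the registries whose credential sits inline as a base64 "auth" value.
# That value is only base64(user:password), so anyone who can read the file has the password.
docker_config_inline_auths() {
  awk '
    # Remember the most recent object key on a line such as   "192.168.211.70": {
    match($0, /"[^"]+":[[:space:]]*[{]/) { key = $0; sub(/^[^"]*"/, "", key); sub(/".*/, "", key) }
    # A non-empty "auth" value under that key is an inline credential.
    /"auth":[[:space:]]*"[^"]+"/ { print key }
  ' "$1"
}

# Print the configured credential helper name, or nothing when credentials are inline.
docker_config_creds_store() {
  sed -n 's/.*"credsStore":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when no credential is stored inline, 1 when at least one is (listing them).
docker_config_audit() {
  cfg=$1
  [ -r "$cfg" ] || { echo "no docker config at $cfg"; return 2; }
  n=0
  for r in $(docker_config_inline_auths "$cfg"); do
    echo "inline (unencrypted) credential for $r"; n=$((n + 1))
  done
  store=$(docker_config_creds_store "$cfg")
  [ -z "$store" ] || echo "credential helper in use: $store"
  [ "$n" -eq 0 ]
}

# Constructed sample: what config.json looks like right after the login above
# (the auth value is base64 of "admin:placeholder", not a real credential).
sample_docker_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
{
    "auths": {
        "192.168.211.70": {
            "auth": "YWRtaW46cGxhY2Vob2xkZXI="
        }
    }
}
EOF
  echo "$f"
}

f=$(sample_docker_config)
docker_config_audit "$f" || echo "hint: configure a credential helper (credsStore) so docker login stores nothing in plain text"
rm -f "$f"
```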
3.2.4 Push an image
To push an image to the registry, the image name must follow the proper format:
docker push registry/project/image:tag
Our registry is 192.168.211.70, and the project is library by default; of course we can create a new project in the UI as needed, for example base.
Then tag an image and push it to the registry.
$ docker tag busybox:latest 192.168.211.70/base/busybox:latest
$ docker push 192.168.211.70/base/busybox:latest
The push refers to repository [192.168.211.70/base/busybox]
cfd97936a580: Pushed
latest: digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b size: 527
The pushed image is also visible in the web UI.
3.2.5 Pull an image
Let's switch to another machine and try pulling this image. What do we need to do? Editing /etc/docker/daemon.json and adding the insecure-registries parameter is the most important step.
$ vim /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ],
  "insecure-registries": [
    "192.168.211.70"
  ]
}
$ systemctl daemon-reload && systemctl restart docker
# The pull succeeds.
$ docker pull 192.168.211.70/base/busybox:latest
latest: Pulling from base/busybox
24fb2886d6f6: Pull complete
Digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b
Status: Downloaded newer image for 192.168.211.70/base/busybox:latest
192.168.211.70/base/busybox:latest