一、简介
Harbor是VMware中国研发团队开发并开源企业级Registry,对中文支持很友好。
Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器。
Harbor具有如下特点:
1.基于角色的访问控制 - 用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。
2.镜像复制 - 镜像可以在多个Registry实例中复制(同步)。尤其适合于负载均衡,高可用,混合云和多云的场景。
3.图形化用户界面 - 用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间。
4.AD/LDAP 支持 - Harbor可以集成企业内部已有的AD/LDAP,用于鉴权认证管理。
5.审计管理 - 所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。
6.国际化 - 已拥有英文、中文、德文、日文和俄文的本地化版本。更多的语言将会添加进来。
7.RESTful API - RESTful API 提供给管理员对于Harbor更多的操控, 使得与其它管理软件集成变得更容易。
8.部署简单 - 提供在线和离线两种安装工具, 也可以安装到vSphere平台(OVA方式)虚拟设备。
二、Harbor 获取地址
1.Harbor中文官网:https://vmware.github.io/harbor/cn/
2.Github地址:https://github.com/vmware/harbor
3.Harbor下载地址:https://github.com/vmware/harbor/releases
4.Harbor二进制离线包镜像站点:http://harbor.orientsoft.cn/
三、Harbor 安装前准备
1.安装 docker
1
2
3
4
5
6
7
8
|
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum -y install docker-ce
# docker --version
Docker version 17.06.2-ce, build cec0b72
# systemctl start docker
# systemctl status docker
# systemctl enable docker
|
2.安装 docker-compose
1
2
3
4
5
6
7
8
9
10
|
# yum -y install python-pip
# pip install --upgrade pip
# pip -V
pip 9.0.1 from
/usr/lib/python2
.7
/site-packages
(python 2.7)
# pip install docker-compose
# docker-compose version
docker-compose version 1.16.1, build 6d1ac219
docker-py version: 2.5.1
CPython version: 2.7.5
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
|
四、安装 Habor
1.解压并载入镜像(注:制作本文档时harbor版本已更新至1.2.2,请自行下载)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
# tar -zxvf harbor-offline-installer-v1.2.0.tgz
# cd harbor
# docker load -i harbor.v1.2.0.tar.gz
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware
/harbor-log
v1.2.0 c7887347f435 7 weeks ago 200MB
vmware
/harbor-jobservice
v1.2.0 1fb18427db11 7 weeks ago 164MB
vmware
/harbor-ui
v1.2.0 b7069ac3bd4b 7 weeks ago 178MB
vmware
/harbor-adminserver
v1.2.0 a18331f0c1ae 7 weeks ago 142MB
vmware
/harbor-db
v1.2.0 deb8033b1c86 7 weeks ago 329MB
vmware
/registry
2.6.2-photon 5d9100e4350e 2 months ago 173MB
vmware
/postgresql
9.6.4-photon c562762cbd12 2 months ago 225MB
vmware
/clair
v2.0.1-photon f04966b4af6c 3 months ago 297MB
vmware
/nginx-photon
1.11.13 285492ff20d6 4 months ago 147MB
vmware
/harbor-notary-db
mariadb-10.1.10 64ed814665c6 6 months ago 324MB
vmware
/notary-photon
signer-0.5.0 b1eda7d10640 7 months ago 156MB
vmware
/notary-photon
server-0.5.0 6e2646682e3c 7 months ago 157MB
photon 1.0 e6e4e4a2ba1b 16 months ago 127MB
|
2.配置 harbor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
# sed -i "s/reg.mydomain.com/192.168.100.100/g" harbor.cfg
# sed -i "s/sample_admin/admin/g" harbor.cfg ##该命令纯属为了好看,并没有使用相关配置
# grep ^[a-z] harbor.cfg ###能看则看
### 指定 harbor 的主机名,可以是IP地址,也可以是域名(不能注释再指定)
hostname
= 192.168.100.100
### 指定用户访问使用的协议,默认http
ui_url_protocol = http
### 指定 mysql 数据库管理员密码
db_password = root123
### 作业服务中的最大复制worker数(缺省值为3)
max_job_workers = 3
### 是否允许创建用于生成/验证注册表令牌的私钥和根证书(默认为on)
customize_crt = on
### 设置证书文件路径
ssl_cert =
/data/cert/server
.crt
ssl_cert_key =
/data/cert/server
.key
secretkey_path =
/data
admiral_url = NA
clair_db_password = password
### 邮件相关信息配置
email_identity =
### 配置邮件服务器地址
email_server = smtp.mydomain.com
### 配置邮件服务器端口
email_server_port = 25
### 配置用户
email_username = admin@mydomain.com
### 配置密码
email_password = abc
### 配置发件人地址
email_from = admin <admin@mydomain.com>
### 配置是否进行ssl加密
email_ssl =
false
### 指定 harbor 管理员密码
harbor_admin_password = Harbor12345
### 使用的认证类型。默认为db_auth,即凭据存储在MySQL数据库中(Harbor还 支持本地及LDAP认证方式)
auth_mode = db_auth
### LDAP端点URL,仅当auth_mode设置为ldap_auth时使用
ldap_url = ldaps:
//ldap
.mydomain.com
### 查找用户的基本DN,仅当auth_mode设置为ldap_auth时使用
ldap_basedn = ou=people,
dc
=mydomain,
dc
=com
### 用于在LDAP搜索期间匹配用户的属性
ldap_uid = uid
### 用于搜索用户的范围
ldap_scope = 3
## 设置LDAP超时时间
ldap_timeout = 5
### 是否允许开放注册(默认允许)
self_registration = on
### 令牌服务创建的令牌的过期时间(以分钟为单位,默认30分钟)
token_expiration = 30
### 用户创建项目的权限,默认是everyone(所有人),也可以设置为adminonly(只有管理员才能创建)
project_creation_restriction = everyone
### 确定当 Harbor 与远程注册表实例通信时是否验证SSL / TLS证书
verify_remote_cert = on
|
注:harbor 的主机名 hostname 不能注释再指定,必须删除默认设置再指定主机名,不然会产生错误。
3.安装 harbor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 17.06.2
Note: docker-compose version: 1.16.1
[Step 1]: loading Harbor images ...
Loaded image: vmware
/registry
:2.6.2-photon
Loaded image: photon:1.0
Loaded image: vmware
/notary-photon
:signer-0.5.0
Loaded image: vmware
/clair
:v2.0.1-photon
Loaded image: vmware
/harbor-ui
:v1.2.0
Loaded image: vmware
/harbor-log
:v1.2.0
Loaded image: vmware
/harbor-db
:v1.2.0
Loaded image: vmware
/nginx-photon
:1.11.13
Loaded image: vmware
/postgresql
:9.6.4-photon
Loaded image: vmware
/harbor-adminserver
:v1.2.0
Loaded image: vmware
/harbor-jobservice
:v1.2.0
Loaded image: vmware
/notary-photon
:server-0.5.0
Loaded image: vmware
/harbor-notary-db
:mariadb-10.1.10
[Step 2]: preparing environment ...
loaded secret from
file
:
/data/secretkey
Generated configuration
file
: .
/common/config/nginx/nginx
.conf
Generated configuration
file
: .
/common/config/adminserver/env
Generated configuration
file
: .
/common/config/ui/env
Generated configuration
file
: .
/common/config/registry/config
.yml
Generated configuration
file
: .
/common/config/db/env
Generated configuration
file
: .
/common/config/jobservice/env
Generated configuration
file
: .
/common/config/jobservice/app
.conf
Generated configuration
file
: .
/common/config/ui/app
.conf
Generated certificate, key
file
: .
/common/config/ui/private_key
.pem, cert
file
: .
/common/config/registry/root
.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
[Step 4]: starting Harbor ...
Creating network
"harbor_harbor"
with the default driver
Creating harbor-log ...
Creating harbor-log ...
done
Creating harbor-adminserver ...
Creating registry ...
Creating harbor-db ...
Creating harbor-adminserver
Creating registry
Creating registry ...
done
Creating harbor-db ...
done
Creating harbor-ui ...
done
Creating harbor-jobservice ...
Creating nginx ...
Creating nginx
Creating nginx ...
done
----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http:
//192
.168.100.100.
For
more
details, please visit https:
//github
.com
/vmware/harbor
.
|
4.查看容器状况
1
2
3
4
5
6
7
8
9
10
|
# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver
/harbor/harbor_adminserver
Up
harbor-db docker-entrypoint.sh mysqld Up 3306
/tcp
harbor-jobservice
/harbor/harbor_jobservice
Up
harbor-log
/bin/sh
-c crond &&
rm
-f ... Up 127.0.0.1:1514->514
/tcp
harbor-ui
/harbor/harbor_ui
Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443
/tcp
, 0.0.0.0:4443->4443
/tcp
, 0.0.0.0:80->80
/tcp
registry
/entrypoint
.sh serve
/etc/
... Up 5000
/tcp
|
Harbor共由七个容器组成:
a.harbor-adminserver:harbor系统管理服务
b.harbor-db: 由官方mysql镜像构成的数据库容器
c.harbor-jobservice:harbor的任务管理服务
d.harbor-log:harbor的日志收集、管理服务
e.harbor-ui:harbor的web页面服务
f.nginx:负责流量转发和安全验证
g.registry:官方的Docker registry,负责保存镜像
5.应用 harbor
浏览器输入 http://harborip 登陆 harbor 镜像仓库页面(帐号admin,密码为harbor.cfg默认密码Harbor12345)
进入harbor后界面如下
新建项目(注:默认项目是私有的,公开请打勾)
新建完成之后就可以上传镜像到 harbor 镜像仓库了。
a.更改 docker 配置
1
2
3
4
|
# grep "ExecStart" /usr/lib/systemd/system/docker.service
ExecStart=
/usr/bin/dockerd
--insecure-registry=192.168.100.100
# systemctl daemon-reload
# systemctl restart docker
|
注:docker默认使用https传输镜像,这里使用的是http,所以需要指定,无论上传还是下载都需要指定
b.登陆 harbor(注:第一种方便,第二种安全,实际中请使用第二种)
1
2
|
# docker login -u admin -p Harbor12345 192.168.100.100
Login Succeeded
|
1
2
3
4
|
# docker login 192.168.100.100
Username: admin
Password:
Login Succeeded
|
c.给镜像打 tag 并上传至 harbor
1
2
3
4
5
6
|
# docker tag 99e59f495ffa 192.168.100.100/k8s/pause-amd64:3.0
# docker push 192.168.100.100/k8s/pause-amd64:3.0
The push refers to a repository [192.168.100.100
/k8s/pause-amd64
]
5f70bf18a086: Pushed
41ff149e94f2: Pushed
3.0: digest: sha256:f04288efc7e65a84be74d4fc63e235ac3c6c603cf832e442e0bd3f240b10a91b size: 939
|
d.查看上传情况
e.下载镜像(pull命令如下图)
附:
1.停止harbor
1
2
|
# cd harbor
# docker-compose stop
|
2.启动harbor
1
2
|
# cd harbor
# docker-compose start
|
3.官方安装文档
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
4.https官方配置指南
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
本文转自 结束的伤感 51CTO博客,原文链接:http://blog.51cto.com/wangzhijian/1978474