Fork me on GitHub

Docker私有仓库管理系统Harbor部署

发表于 | 分类于 | | 阅读次数   |   字数统计: 3,141(字)   |   阅读时长: 16(分)
Docker私有仓库管理系统Harbor部署

Docker私有仓库管理系统Harbor部署

Harbor简介

Harbor介绍

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,通过添加一些企业必需的功能特性,例如安全、标识和管理等,扩展了开源Docker Distribution。作为一个企业级私有Registry服务器,Harbor提供了更好的性能和安全。提升用户使用Registry构建和运行环境传输镜像的效率。Harbor支持安装在多个Registry节点的镜像资源复制,镜像全部保存在私有Registry中, 确保数据和知识产权在公司内部网络中管控。另外,Harbor也提供了高级的安全特性,诸如用户管理,访问控制和活动审计等。

  • 基于角色的访问控制 - 用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。
  • 镜像复制 - 镜像可以在多个Registry实例中复制(同步)。尤其适合于负载均衡,高可用,混合云和多云的场景。
  • 图形化用户界面 - 用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间。
  • AD/LDAP 支持 - Harbor可以集成企业内部已有的AD/LDAP,用于鉴权认证管理。
  • 审计管理 - 所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。
  • 国际化 - 已拥有英文、中文、德文、日文和俄文的本地化版本。更多的语言将会添加进来。
  • RESTful API - RESTful API 提供给管理员对于Harbor更多的操控, 使得与其它管理软件集成变得更容易。
  • 部署简单 - 提供在线和离线两种安装工具, 也可以安装到vSphere平台(OVA方式)虚拟设备。
    更多信息请查看Readme文档。

Harbor架构


如上所示,Harbor包含6个组件:
Proxy(代理服务器): Harbor组件,例如register,UI和令牌服务都在代理服务后端,代理将来自客户端和浏览器的流量返回给后端各个服务
register(仓库):负责存储Docker Images和处理docker pull/push命令。Harbor会强制对访问images进行控制,register会将客户端引导到令牌服务,以获取每次push和pull请求的有效令牌
Core services(核心服务):Harbor核心功能,主要提供以下服务:
UI(图形用户界面):帮助用户管理register上的image。Webhook是在注册表中配置的一种机制,以便注册表中的图像状态更改可以填充到Harbour的Webhook端点。Harbor使用webhook来更新日志,启动复制以及其他一些功能。令牌服务:负责根据用户的项目角色为每个Docker推送/拉取命令发布令牌。如果从Docker客户端发送的请求中没有令牌,注册中心会将请求重定向到令牌服务。数据库:数据库存储项目,用户,角色,复制策略和图像的元数据。
Job services(Job服务):用于Images复制,可以将本地images同步到其他Harbor实例
Log collector(日志采集器):负责在一个地方收集其他模块的日志
资料

实现讲解

详见

Docker登录过程讲解


详见

Docker push过程讲解

详见

环境说明

1
2
3
4
5
6
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# uname -r
3.10.0-327.el7.x86_64
# uname -m
x86_64

Harbor部署实践

依赖

  • Python should be version 2.7 or higher
  • Docker engine should be version 1.10 or higher.
  • Docker Compose needs to be version 1.6.0 or higher.

快速部署docker环境

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# yum remove -y docker docker-common docker-selinux docker-engine
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum-config-manager --enable docker-ce-edge
# yum-config-manager --enable docker-ce-test
# yum list docker-ce --showduplicates | sort -r |grep stable
# yum install -y docker-ce-17.06.2.ce
# systemctl start docker
# systemctl enable docker

# mkdir -p /etc/docker                                            # 为了后期方便添加阿里云的加速镜像站
# tee /etc/docker/daemon.json <<-'EOF'
{
 "registry-mirrors": ["https://k9lgui7f.mirror.aliyuncs.com"]
}
EOF
# systemctl daemon-reload
# systemctl restart docker
# docker version
Client:
 Version:      17.06.2-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   cec0b72
 Built:        Tue Sep  5 19:59:06 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.2-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   cec0b72
 Built:        Tue Sep  5 20:00:25 2017
 OS/Arch:      linux/amd64
 Experimental: false

Docker Compose 安装

1
2
3
# yum install -y docker-compose
# docker-compose -v
docker-compose version 1.9.0, build 2585387

Harbor离线部署

镜像站点:http://harbor.orientsoft.cn/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# wget http://harbor.orientsoft.cn/harbor-v1.3.0/harbor-offline-installer-v1.3.0.tgz
# tar -zxf harbor-offline-installer-v1.3.0.tgz
# vim harbor.cfg
hostname = 192.168.200.107
# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 17.06.2

Note: docker-compose version: 1.9.0

[Step 1]: loading Harbor images ...
49c2c19b0cd0: Loading layer [==================================================>]  135.8MB/135.8MB
43871d066430: Loading layer [==================================================>]  30.94MB/30.94MB
6e35eebca0b3: Loading layer [==================================================>]  7.071MB/7.071MB
72366ac0a61c: Loading layer [==================================================>]  7.071MB/7.071MB
Loaded image: vmware/harbor-adminserver:v1.3.0
Loaded image: vmware/photon:1.0
454c81edbd3b: Loading layer [==================================================>]  135.2MB/135.2MB
11a7546bc950: Loading layer [==================================================>]  90.74MB/90.74MB
0e1b40dbb3d2: Loading layer [==================================================>]  10.95MB/10.95MB
58127bdab8e5: Loading layer [==================================================>]   17.3MB/17.3MB
2e3e9ac4492d: Loading layer [==================================================>]  15.87kB/15.87kB
bd6c57401b0f: Loading layer [==================================================>]  3.072kB/3.072kB
08a6f4315b6a: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: vmware/notary-photon:signer-0.5.1
418e636d0b27: Loading layer [==================================================>]  161.5MB/161.5MB
fb804e98cb47: Loading layer [==================================================>]  6.656kB/6.656kB
d961645df25c: Loading layer [==================================================>]  6.656kB/6.656kB
Loaded image: vmware/postgresql:9.6.5-photon
e99db1275091: Loading layer [==================================================>]  395.4MB/395.4MB
051e4ee23882: Loading layer [==================================================>]  9.216kB/9.216kB
6cca4437b6f6: Loading layer [==================================================>]  9.216kB/9.216kB
1d48fc08c8bc: Loading layer [==================================================>]   7.68kB/7.68kB
0419724fd942: Loading layer [==================================================>]  1.536kB/1.536kB
92ce53616a73: Loading layer [==================================================>]  599.2MB/599.2MB
2004244b53a2: Loading layer [==================================================>]  74.24kB/74.24kB
Loaded image: vmware/harbor-db-migrator:1.3
a6d98571db01: Loading layer [==================================================>]  30.95MB/30.95MB
59a1c12ff8fc: Loading layer [==================================================>]   22.7MB/22.7MB
e2afbf102133: Loading layer [==================================================>]  7.168kB/7.168kB
651f22b6c594: Loading layer [==================================================>]   5.38MB/5.38MB
c09acca6fec2: Loading layer [==================================================>]  22.69MB/22.69MB
Loaded image: vmware/harbor-ui:v1.3.0
4bb9abea102e: Loading layer [==================================================>]  80.77MB/80.77MB
8587cdacda27: Loading layer [==================================================>]  3.584kB/3.584kB
360c7adfc364: Loading layer [==================================================>]  3.072kB/3.072kB
1f7da27101b3: Loading layer [==================================================>]  4.096kB/4.096kB
a6f957ab2e5e: Loading layer [==================================================>]  3.584kB/3.584kB
2f80d33e3806: Loading layer [==================================================>]  10.24kB/10.24kB
Loaded image: vmware/harbor-log:v1.3.0
cd0c2ef5af40: Loading layer [==================================================>]  72.46MB/72.46MB
Loaded image: vmware/nginx-photon:1.11.13
bab81b4d4981: Loading layer [==================================================>]  463.7MB/463.7MB
5735a75e540c: Loading layer [==================================================>]  9.216kB/9.216kB
44394f38b0c9: Loading layer [==================================================>]  9.216kB/9.216kB
13775ef23512: Loading layer [==================================================>]   7.68kB/7.68kB
9d8d34eb8c97: Loading layer [==================================================>]  1.536kB/1.536kB
Loaded image: vmware/mariadb-photon:10.2.10
7b9d4bb4a97a: Loading layer [==================================================>]  221.3MB/221.3MB
bf09be2fb717: Loading layer [==================================================>]  10.75MB/10.75MB
e58dd96cb442: Loading layer [==================================================>]  2.048kB/2.048kB
ee0b77dfb8f1: Loading layer [==================================================>]  48.13kB/48.13kB
ed57bf8fb48c: Loading layer [==================================================>]   10.8MB/10.8MB
Loaded image: vmware/clair:v2.0.1-photon
423b913589eb: Loading layer [==================================================>]  9.216kB/9.216kB
125f16e1d09a: Loading layer [==================================================>]   2.56kB/2.56kB
288e350a1aa7: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: vmware/harbor-db:v1.3.0
011e312d9548: Loading layer [==================================================>]  30.95MB/30.95MB
90dfb70c7d61: Loading layer [==================================================>]  18.33MB/18.33MB
3476101e3dce: Loading layer [==================================================>]  18.33MB/18.33MB
Loaded image: vmware/harbor-jobservice:v1.3.0
7280dd18d4e6: Loading layer [==================================================>]  90.74MB/90.74MB
29de07437cda: Loading layer [==================================================>]  2.048kB/2.048kB
bf435791a668: Loading layer [==================================================>]  2.048kB/2.048kB
ea6923ed1a8e: Loading layer [==================================================>]  2.048kB/2.048kB
b39969acb12a: Loading layer [==================================================>]  3.072kB/3.072kB
a07efc1d5b07: Loading layer [==================================================>]   22.8MB/22.8MB
Loaded image: vmware/registry:2.6.2-photon
cd2cb03dfead: Loading layer [==================================================>]  12.16MB/12.16MB
fdcb5fa28b07: Loading layer [==================================================>]   17.3MB/17.3MB
eef410f82bbe: Loading layer [==================================================>]  15.87kB/15.87kB
938e5e2a4bad: Loading layer [==================================================>]  3.072kB/3.072kB
558c91f2870a: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: vmware/notary-photon:server-0.5.1


[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log
Creating registry
Creating harbor-adminserver
Creating harbor-db
Creating harbor-ui
Creating harbor-jobservice
Creating nginx

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.200.107.
For more details, please visit https://github.com/vmware/harbor .
# docker ps
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS                    PORTS                                                              NAMES
b6c25def0f46        vmware/harbor-jobservice:v1.3.0    "/harbor/start.sh"       42 seconds ago      Up 40 seconds (healthy)                                                                      harbor-jobservice
58dea89a9644        vmware/nginx-photon:1.11.13        "nginx -g 'daemon ..."   42 seconds ago      Up 39 seconds             0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
e40cd5c3ec9b        vmware/harbor-ui:v1.3.0            "/harbor/start.sh"       42 seconds ago      Up 41 seconds (healthy)                                                                      harbor-ui
624f0e6908bc        vmware/harbor-adminserver:v1.3.0   "/harbor/start.sh"       43 seconds ago      Up 41 seconds (healthy)                                                                      harbor-adminserver
3cfff5252009        vmware/harbor-db:v1.3.0            "/usr/local/bin/do..."   43 seconds ago      Up 41 seconds (healthy)   3306/tcp                                                           harbor-db
52154006aff2        vmware/registry:2.6.2-photon       "/entrypoint.sh se..."   43 seconds ago      Up 41 seconds (healthy)   5000/tcp                                                           registry
d2e0beebc66e        vmware/harbor-log:v1.3.0           "/bin/sh -c /usr/l..."   45 seconds ago      Up 42 seconds (healthy)   127.0.0.1:1514->10514/tcp

访问及测试

http://192.168.200.107
默认账号:admin 密码:配置文件中harbor_admin_password的值

日常应用

Harbor使用

设置客户端

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
方法1:
# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.200.107
方法2:(推荐)
# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://tdimi5q1.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.200.107"]
}
# systemctl restart docker
# systemctl status docker.service


# docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
ca4f61b1923c: Pull complete
Digest: sha256:66ef312bbac49c39a89aa9bcc3cb4f3c9e7de3788c944158df3ee0176d32b751
Status: Downloaded newer image for hello-world:latest
# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              f2a91732366c        2 months ago        1.85kB
# docker tag hello-world 192.168.200.107/yttx/hello-world:v1.0
# docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
192.168.200.107/yttx/hello-world   v1.0                f2a91732366c        2 months ago        1.85kB
hello-world                        latest              f2a91732366c        2 months ago        1.85kB
# docker push 192.168.200.107/yttx/hello-world:v1.0
The push refers to a repository [192.168.200.107/yttx/hello-world]
f999ae22f308: Preparing
denied: requested access to the resource is denied    # 后台没配置该用户权限
# docker push 192.168.200.107/yttx/hello-world:v1.0
The push refers to a repository [192.168.200.107/yttx/hello-world]
f999ae22f308: Pushed
v1.0: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524

https配置

1
2
3
4
5
# vim harbor.cfg
hostname = registry-1.madslq.cn
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

生成证书

1
2
3
4
5
6
7
8
9
10
11
12
13
root@linux-node8 harbor]# mkdir -p /data/cert/
[root@linux-node8 harbor]# openssl genrsa -out /data/cert/server.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
.......................+++
e is 65537 (0x10001)
[root@linux-node8 harbor]# openssl req -x509 -new -nodes -key /data/cert/server.key -subj "/CN=registry-1.madslq.cn" -days 5000 -out /data/cert/server.crt
[root@linux-node8 harbor]# ls -al /data/cert/
total 8
drwxr-xr-x 2 root root   40 Mar  4 23:32 .
drwxr-xr-x 3 root root   17 Mar  4 23:30 ..
-rw-r--r-- 1 root root 1094 Mar  4 23:32 server.crt
-rw-r--r-- 1 root root 1679 Mar  4 23:31 server.key

客户端配置

1
2
3
4
5
6
7
8
9
10
11
12
[root@linux-node8 harbor]# cp /data/cert/server.crt /etc/docker/certs.d/registry-1.madslq.cn/server.crt
[root@linux-node8 harbor]# systemctl restart docker
[root@linux-node8 harbor]# docker login registry-1.madslq.cn
Username: admin
Password:
Login Succeeded
[root@linux-node8 harbor]# docker push registry-1.madslq.cn/k8s/nginx:1.10
The push refers to a repository [registry-1.madslq.cn/k8s/nginx]
de344a0ad635: Pushed
db9dceda8ac9: Pushed
5d6cbe0dbcf9: Pushed
1.10: digest: sha256:f15ae03013d6561bfc36ca273407a346457952f507e792d4712a4bce8c5c0e8f size: 948

镜像仓库

成员

镜像仓库

Harbor高可用

私有云相对来说对镜像的请求并非高频,在做HA的时候还是结合实际情况,切勿为了HA而HA,还要综合考量成本,安全等因素。

FQA

1、报错1:

1
2
3
4
5
6
[root@linux-node8 certs.d]# docker login https://registry-1.madslq.cn
Username: admin
Password:
Error response from daemon: Get https://registry-1.madslq.cn/v2/: x509: certificate is valid for madslq.cn, not registry-1.madslq.cn
解决:
保证hostname及证书生成过程中的域名一直即都是registry-1.madslq.cn即可

2、报错2:

1
2
3
4
5
[root@linux-node8 certs.d]# docker login https://registry-1.madslq.cn
Username: admin
Password:
Error response from daemon: Get https://registry-1.madslq.cn/v2/: dial tcp 192.168.200.108:443: getsockopt: connection refused
解决:服务为启动,检查Harbor服务

参考资料

官网资料
Github地址

======================================================
希望各位朋友支持一下

本文作者:dongsheng
本文地址https://mds1455975151.github.io/archives/d6923a8b.html
版权声明:转载请注明出处!

坚持技术分享,您的支持将鼓励我继续创作!