Harbor private registry deployment

Introduction

        Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with the features an enterprise needs, such as security, identity and management. As an enterprise private Registry server, Harbor offers better performance and security, and makes it more efficient for users to transfer images between build and runtime environments through a Registry. Harbor supports replication of image resources across multiple Registry nodes; all images stay in the private Registry, so data and intellectual property remain under control inside the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.

Deployment environment preparation

Server configuration

System       Configuration   IP
CentOS 7.4   4/8G/200G       172.21.16.90

Download the required files

docker-compose download

Download the latest docker-compose binary from the Docker Compose releases page

# wget https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64
# mv ~/docker-compose-Linux-x86_64 /usr/bin/docker-compose
# chmod a+x /usr/bin/docker-compose
  • Official installation method
    # curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
    # chmod +x /usr/local/bin/docker-compose
Harbor download

        Harbor can be installed in two ways, online or offline. Because the network here is poor, the offline install is used. Download the latest Harbor offline installer package from the Harbor releases page

# wget https://storage.googleapis.com/harbor-releases/release-1.9.0/harbor-offline-installer-v1.9.0.tgz
# tar -zxvf harbor-offline-installer-v1.9.0.tgz

Start the installation

Docker installation

# yum-config-manager   --add-repo   https://download.docker.com/linux/centos/docker-ce.repo
# sudo yum -y install docker-ce-18.09.6-3.el7.x86_64

# cat >/etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
EOF

# sysctl -p /etc/sysctl.d/k8s.conf
# systemctl start docker

Note: without /etc/sysctl.d/k8s.conf, starting docker prints WARNING: bridge-nf-call-iptables is disabled WARNING: bridge-nf-call-ip6tables is disabled

Import the Docker images

Import the Harbor-related Docker images from the offline installer package:

# cd harbor
# docker load -i harbor.v1.9.0.tar.gz
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/chartmuseum-photon v0.9.0-v1.9.0 00c12627cbd7 2 weeks ago 131MB
goharbor/harbor-migrator v1.9.0 75d4de5e0f16 2 weeks ago 362MB
goharbor/redis-photon v1.9.0 3249afaa9965 2 weeks ago 109MB
goharbor/clair-photon v2.0.9-v1.9.0 e54ad567c58f 2 weeks ago 165MB
goharbor/notary-server-photon v0.6.1-v1.9.0 2cdecba59f38 2 weeks ago 138MB
goharbor/notary-signer-photon v0.6.1-v1.9.0 973378593def 2 weeks ago 135MB
goharbor/harbor-registryctl v1.9.0 30a01bf0f4df 2 weeks ago 99.6MB
goharbor/registry-photon v2.7.1-patch-2819-v1.9.0 32571099a9fe 2 weeks ago 82.3MB
goharbor/nginx-photon v1.9.0 f933d62f9952 2 weeks ago 43.9MB
goharbor/harbor-log v1.9.0 28e27d511335 2 weeks ago 82.6MB
goharbor/harbor-jobservice v1.9.0 f3cd0b181a89 2 weeks ago 141MB
goharbor/harbor-core v1.9.0 f2814ed8aadd 2 weeks ago 155MB
goharbor/harbor-portal v1.9.0 0778d4c5d27e 2 weeks ago 51.3MB
goharbor/harbor-db v1.9.0 a809e14d2d49 2 weeks ago 147MB
goharbor/prepare v1.9.0 aa594772c1e8 2 weeks ago 147MB

Edit the harbor.yml file

# vim harbor.yml
hostname: reg.xxlaila.cn

# email configure
email_server: smtp.exmail.qq.com
email_server_port: 465
email_username: admin@xxlaila.cn
email_password: 123
email_from: admin<admin@xxlaila.cn>
email_ssl: true

# User registration is prohibited
self_registration: off

# LDAP authentication configuration item
#ldap_url: ldaps://ldap.xxlaila.cn
#ldap_searchdn: uid=username,ou=people,dc=xxlaila,dc=com
#ldap_search_pwd: password
#ldap_basedn: ou=people,dc=xxlaila,dc=com
#ldap_filter: (objectClass=person)
#ldap_uid: uid
#ldap_scope: 3
#ldap_timeout: 5

Note: in newer versions the mail and LDAP settings no longer need to be added in the configuration file; they are configured directly through the web UI. I have only added them here and kept them for reference, 😁😁😁

Load and start the Harbor images

# mkdir /data
# chmod 777 /var/run/docker.sock /data
# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.2

Note: docker-compose version: 1.24.1

[Step 1]: loading Harbor images ...
Loaded image: goharbor/harbor-portal:v1.9.0
Loaded image: goharbor/harbor-core:v1.9.0
Loaded image: goharbor/nginx-photon:v1.9.0
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.9.0
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.9.0
Loaded image: goharbor/harbor-migrator:v1.9.0
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.9.0
Loaded image: goharbor/prepare:v1.9.0
Loaded image: goharbor/harbor-log:v1.9.0
Loaded image: goharbor/harbor-db:v1.9.0
Loaded image: goharbor/clair-photon:v2.0.9-v1.9.0
Loaded image: goharbor/harbor-jobservice:v1.9.0
Loaded image: goharbor/harbor-registryctl:v1.9.0
Loaded image: goharbor/redis-photon:v1.9.0
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.9.0


[Step 2]: preparing environment ...
prepare base dir is set to /opt/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir



[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl ... done
Creating redis ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating registry ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://reg.xxlaila.cn.
For more details, please visit https://github.com/goharbor/harbor .

Access the management UI

Confirm that all components are working properly:

# docker-compose  ps
Name Command State Ports
------------------------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up (health: starting)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Up (healthy)
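A readiness check over the `docker-compose ps` output shown above, as an added example (not from the original post or from Harbor): it reports any of the nine containers that is missing, still starting or has exited, instead of relying on a visual scan of the table. The sample output is constructed and includes one exited container.

```python
# Added example (not from the post or from Harbor): check `docker-compose ps`
# output for Harbor components that are missing or not yet "Up (healthy)".
import re

# The nine containers that install.sh starts in the post.
EXPECTED = {"harbor-core", "harbor-db", "harbor-jobservice", "harbor-log",
            "harbor-portal", "nginx", "redis", "registry", "registryctl"}

# State column as docker-compose prints it: "Up (healthy)",
# "Up (health: starting)", "Exit 1", "Restarting".
STATE_RE = re.compile(r"\s(Up(?: \([^)]*\))?|Exit \d+|Restarting)(?=\s|$)")

# Constructed sample modelled on the post's output; registryctl is absent
# and nginx has exited.
SAMPLE_PS = """\
      Name                  Command              State            Ports
-----------------------------------------------------------------------------
harbor-core         /harbor/harbor_core           Up (healthy)
harbor-db           /docker-entrypoint.sh         Up (healthy)     5432/tcp
harbor-jobservice   /harbor/harbor_jobservice ... Up (health: starting)
harbor-log          /bin/sh -c /usr/local/bin ... Up (healthy)     127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;          Up (healthy)     8080/tcp
nginx               nginx -g daemon off;          Exit 1
redis               redis-server /etc/redis.conf  Up (healthy)     6379/tcp
registry            /entrypoint.sh /etc/regist ...  Up (healthy)   5000/tcp
"""


def parse_compose_ps(text):
    """Map container name -> state string for each data row of docker-compose ps."""
    states = {}
    for line in text.splitlines()[2:]:  # skip the header and the dashed rule
        m = STATE_RE.search(line)
        if m:
            states[line.split()[0]] = m.group(1)
    return states


def not_ready(states):
    """Return {component: reason} for every expected container not 'Up (healthy)'."""
    problems = {name: "missing" for name in EXPECTED - set(states)}
    for name, state in states.items():
        if state != "Up (healthy)":
            problems[name] = state
    return problems
```

Run `not_ready(parse_compose_ps(output))` against real `docker-compose ps` output; an empty result means every component is up and healthy.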

Harbor components
  • harbor-core: Harbor's core functionality, which mainly provides the following services:
    • UI: provides the graphical interface that helps users manage the images on the registry and grants users authorization.
    • webhook: to learn promptly about image state changes on the registry, a webhook is configured on the Registry that passes state changes to the UI module.
    • token service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the Registry that carries no token is redirected here; once the token is obtained the request is re-sent to the Registry.
  • harbor-db: provides database services for the core services, storing user permissions, audit logs, Docker image grouping information and other data.
  • harbor-jobservice: Harbor's job management module; in Harbor, jobs are mainly used for replication between image registries.
  • harbor-log: to help monitor Harbor's operation, it collects the logs of the other components for later analysis.
  • nginx: handles traffic forwarding and security checks. All externally exposed traffic is relayed through nginx, so the https port 443 is opened; it distributes traffic to the backend UI and to the Docker registry that stores the images.
  • redis: stores cached session information
  • registry: the official Docker registry, responsible for storing Docker images
  • registryctl: responsible for storing Docker images and handling docker push/pull commands. Because access control is enforced on users, i.e. different users have different read/write permissions on Docker images, the Registry points to a token service and requires every docker pull/push request to carry a valid token, which the Registry verifies by decrypting it with a public key.

Open http://reg.xxlaila.cn in a browser and log in with the account admin and the default password Harbor12345 from the harbor.yml configuration file
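Before running install.sh against the harbor.yml edited above, and before logging in with the shipped admin password as described here, a short audit of the file catches the settings that should not reach production. This is an added example, not code from the original post or from Harbor; it assumes the flat keys shown in the post plus Harbor's own harbor_admin_password key and https: block, and the sample configs are constructed.

```python
# Added example (not from the post or from Harbor): audit harbor.yml for weak
# settings before install.sh. Assumes the flat keys shown in the post plus
# Harbor's own harbor_admin_password key and https: block.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # shipped default noted in the post
# Constructed sample configs, not the author's real values.
WEAK_CONFIG = """\
hostname: reg.example.internal
self_registration: on
harbor_admin_password: Harbor12345
"""
HARDENED_CONFIG = """\
hostname: reg.example.internal
https:
  certificate: /etc/harbor/cert/reg.crt
  private_key: /etc/harbor/cert/reg.key
self_registration: off
harbor_admin_password: CHANGE-ME-placeholder
"""


def parse_harbor_yml(text):
    """Read 'key: value' lines plus one level of 'section:' nesting, returned
    as 'section.key'. Deliberately not a full YAML parser."""
    settings, section = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if raw[0] in " \t" and section:
            settings[section + "." + key] = value
        elif value:
            settings[key], section = value, None
        else:
            section = key  # bare 'section:' opens a nested block
    return settings


def audit(settings):
    """Return (key, finding) pairs a reviewer would reject before go-live.
    An absent harbor_admin_password means Harbor keeps its shipped default."""
    findings = []
    if settings.get("harbor_admin_password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append(("harbor_admin_password", "default admin password still in use"))
    if settings.get("self_registration", "off").lower() in ("on", "true"):
        findings.append(("self_registration", "anyone can create an account; set it to off"))
    if "https.certificate" not in settings or "https.private_key" not in settings:
        findings.append(("https", "no TLS cert/key; portal and registry served over plain HTTP"))
    return findings
```

`audit(parse_harbor_yml(open("harbor.yml").read()))` returns an empty list only when all three checks pass.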

Files and directories produced while Harbor runs

        Harbor writes its logs to the corresponding directories under /var/log/harbor; the usual docker logs XXX or docker-compose logs XXX will not show the containers' logs. The logs can only be viewed with ordinary system commands.

# # log directory
# ls /var/log/harbor
core.log jobservice.log portal.log postgresql.log proxy.log redis.log registryctl.log registry.log

# # data directory, including the database and the image storage
# ls /data/
ca_download database job_logs psc redis registry secret

Other operations

The working directory for all of the following operations is the harbor directory created by extracting the offline installer.

# # stop harbor
# docker-compose down -v

# # start harbor
# docker-compose up -d

# # apply the modified configuration to the docker-compose.yml file
# ./prepare
prepare base dir is set to /opt/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir