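I. Introduction
1. About Harbor
Harbor is an enterprise-grade Docker Registry project open-sourced by VMware. Its goal is to help users quickly set up an enterprise-grade Docker Registry service.
It is built on the open-source Registry from Docker and adds features that enterprise users need, such as a management UI, role-based access control (RBAC), AD/LDAP integration and audit logging. It also supports Chinese natively.
2. Setting up Harbor
Official guide: https://goharbor.io/docs/2.4.0/install-config/
Harbor can be installed locally either online or offline, and it can also be deployed to Kubernetes. This guide uses the local online installation.
3. Deployment preparation
# Configure the docker-ce yum repository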
cat << EOF > /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/\$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
EOF
# Install docker (20.10.11-ce+) and docker-compose (1.18.0+)
sudo yum install -y docker-ce docker-ce-cli containerd.io bash-completion docker-compose
# Set up docker command completion
cp /usr/share/bash-completion/completions/docker /etc/bash_completion.d/
# Enable the service at boot and start it now
systemctl enable --now docker
# Check the installed versions
docker --version
Docker version 20.10.11, build 370c289
docker-compose --version
docker-compose version 1.18.0, build 8dd22a9
4. Create the certificates
# Generate the CA certificate
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=load.iregistry.com" -key ca.key -out ca.crt
# Generate the server certificate
openssl genrsa -out load.iregistry.com.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=load.iregistry.com" -key load.iregistry.com.key -out load.iregistry.com.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.100.120
DNS.1= load.iregistry.com
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in load.iregistry.com.csr -out load.iregistry.com.crt
# Generate the docker certificate
openssl x509 -inform PEM -in load.iregistry.com.crt -out load.iregistry.com.cert
mkdir -p /etc/docker/certs.d/load.iregistry.com/
cp load.iregistry.com.crt /etc/docker/certs.d/load.iregistry.com/
cp load.iregistry.com.key /etc/docker/certs.d/load.iregistry.com/
cp ca.crt /etc/docker/certs.d/load.iregistry.com/
# Restart docker
sudo systemctl restart docker
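The following is an added example, not part of the original article: a pre-flight check that a server certificate matches its private key, lists the registry hostname and IP in its SAN, and has not expired. The helper names san_entries, check_registry_cert and make_sample_pki are hypothetical, and the sample certificates are constructed in a temporary directory with 2048-bit keys and the file names server.key/server.crt.

```shell
#!/bin/sh
# Added example, not from the original article; helper names are hypothetical.

# Print the certificate's subjectAltName entries, one per line.
san_entries() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# usage: check_registry_cert SERVER_CRT SERVER_KEY HOSTNAME IP
# Returns 0 only if every check passes; otherwise prints the first failure.
check_registry_cert() {
    crt=$1 key=$2 host=$3 ip=$4
    # 1. The private key must belong to the certificate.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt"; return 1; }
    # 2. Docker is written in Go, whose current TLS stack ignores the CN, so
    #    the names clients connect to must be listed in the SAN extension.
    san_entries "$crt" | grep -Fxq "DNS:$host" ||
        { echo "FAIL: SAN has no DNS:$host"; return 1; }
    san_entries "$crt" | grep -Fxq "IP Address:$ip" ||
        { echo "FAIL: SAN has no IP Address:$ip"; return 1; }
    # 3. The certificate must not have expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $crt has expired"; return 1; }
    echo "OK: $crt matches its key and covers $host and $ip"
}

# Constructed sample input: a throwaway CA and server certificate made with
# the openssl steps above (2048-bit keys and 1-day validity keep it fast).
# usage: make_sample_pki DIR HOSTNAME IP [nosan]   ("nosan" omits v3.ext)
make_sample_pki() {
    dir=$1 host=$2 ip=$3 mode=${4:-san}
    subj="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$host"
    (
        cd "$dir" || exit 1
        printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
            'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
            'subjectAltName=@alt_names' '[alt_names]' \
            "IP.1=$ip" "DNS.1=$host" > v3.ext
        [ "$mode" = nosan ] && ext="" || ext="-extfile v3.ext"
        openssl genrsa -out ca.key 2048 &&
        openssl req -x509 -new -nodes -sha512 -days 1 -subj "$subj" \
            -key ca.key -out ca.crt &&
        openssl genrsa -out server.key 2048 &&
        openssl req -sha512 -new -subj "$subj" -key server.key -out server.csr &&
        openssl x509 -req -sha512 -days 1 $ext -CA ca.crt -CAkey ca.key \
            -CAcreateserial -in server.csr -out server.crt
    ) >/dev/null 2>&1
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
make_sample_pki "$tmp" load.iregistry.com 192.168.100.120
check_registry_cert "$tmp/server.crt" "$tmp/server.key" \
    load.iregistry.com 192.168.100.120
rm -rf "$tmp"
```

To check the files generated above, call check_registry_cert with load.iregistry.com.crt, load.iregistry.com.key, load.iregistry.com and 192.168.100.120.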
II. Deploying Harbor 2.4.0
1. Download
# Download the online installer
cd /usr/local/
curl -O -L https://github.com/goharbor/harbor/releases/download/v2.4.0/harbor-online-installer-v2.4.0.tgz
# Extract the archive
tar -zxvf harbor-online-installer-v2.4.0.tgz
2. Edit the configuration file
cd harbor && cp harbor.yml.tmpl harbor.yml
vim harbor.yml
# Values changed in harbor.yml (certificate and private_key sit under the https: block)
hostname: load.iregistry.com
https:
  certificate: /etc/docker/certs.d/load.iregistry.com/load.iregistry.com.crt
  private_key: /etc/docker/certs.d/load.iregistry.com/load.iregistry.com.key
data_volume: /data/harbor
3. Initialize the configuration
[root@harbor harbor]# mkdir /data/harbor/
[root@harbor harbor]# sudo ./prepare
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/conf.d/notary.upstream.conf
Clearing the configuration file: /config/nginx/conf.d/notary.server.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/notary/server-config.postgres.json
Clearing the configuration file: /config/notary/server_env
Clearing the configuration file: /config/notary/signer_env
Clearing the configuration file: /config/notary/signer-config.postgres.json
Clearing the configuration file: /config/notary/notary-signer.crt
Clearing the configuration file: /config/notary/notary-signer.key
Clearing the configuration file: /config/notary/root.crt
Clearing the configuration file: /config/notary/notary-signer-ca.crt
Clearing the configuration file: /config/trivy-adapter/env
Clearing the configuration file: /config/chartserver/env
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
4. Install, including Notary, Trivy and the Chart Repository Service
[root@harbor harbor]# ./install.sh --with-notary --with-trivy --with-chartmuseum
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.11
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/nginx-photon:v2.4.0
Loaded image: goharbor/registry-photon:v2.4.0
Loaded image: goharbor/harbor-portal:v2.4.0
Loaded image: goharbor/harbor-jobservice:v2.4.0
Loaded image: goharbor/notary-server-photon:v2.4.0
Loaded image: goharbor/notary-signer-photon:v2.4.0
Loaded image: goharbor/trivy-adapter-photon:v2.4.0
Loaded image: goharbor/prepare:v2.4.0
Loaded image: goharbor/harbor-core:v2.4.0
Loaded image: goharbor/harbor-exporter:v2.4.0
Loaded image: goharbor/harbor-log:v2.4.0
Loaded image: goharbor/harbor-db:v2.4.0
Loaded image: goharbor/harbor-registryctl:v2.4.0
Loaded image: goharbor/redis-photon:v2.4.0
Loaded image: goharbor/chartmuseum-photon:v2.4.0
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Successfully called func: create_cert
Copying certs for notary signer
Copying nginx configuration file for notary
Generated configuration file: /config/nginx/conf.d/notary.upstream.conf
Generated configuration file: /config/nginx/conf.d/notary.server.conf
Generated configuration file: /config/notary/server-config.postgres.json
Generated configuration file: /config/notary/server_env
Generated and saved secret to file: /data/secret/keys/defaultalias
Generated configuration file: /config/notary/signer_env
Generated configuration file: /config/notary/signer-config.postgres.json
Creating harbor-log ... done
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Creating harbor-db ... done
Creating redis ... done
Creating network "harbor_harbor" with the default driver
Creating notary-signer ... done
Creating harbor-core ... done
Creating network "harbor_notary-sig" with the default driver
Creating nginx ... done
Creating registry ...
Creating registryctl ...
Creating redis ...
Creating harbor-portal ...
Creating chartmuseum ...
Creating harbor-db ...
Creating notary-signer ...
Creating trivy-adapter ...
Creating harbor-core ...
Creating notary-server ...
Creating harbor-jobservice ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----
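5. Starting and stopping the service
# Change to the configuration directory
cd /usr/local/harbor
# Build the containers and start them in the background
docker-compose up -d
# List the services
docker-compose ps
# Start
docker-compose start
# Stop
docker-compose stop
# Restart
docker-compose restart
# Stop the harbor services and remove the containers
docker-compose down -v
# Delete the related data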
rm -rf /var/log/harbor/
rm -rf /data/harbor/*
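6. Log in
# Add a local hosts entry for the registry name
echo "192.168.100.120 load.iregistry.com" | sudo tee -a /etc/hosts
# docker login; enter the password Harbor12345 (the default admin password, which should be changed after the first login)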
docker login -u admin https://load.iregistry.com
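7. Configuring the other node hosts to use this Harbor registry
# On each node, add a local hosts entry for the registry name
echo "192.168.100.120 load.iregistry.com" | sudo tee -a /etc/hosts
# Copy the registry's CA certificate from the master; nodes only need ca.crt, and the server's private key stays on the master
mkdir -p /etc/docker/certs.d/load.iregistry.com/
scp root@192.168.100.120:/etc/docker/certs.d/load.iregistry.com/ca.crt /etc/docker/certs.d/load.iregistry.com/
# Add the registry mirror; load.iregistry.com is not listed under insecure-registries because its CA is already trusted through certs.d
cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://2mrc6wis.mirror.aliyuncs.com"]
}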
systemctl restart docker
III. Pushing and pulling images
1. Push an image
# Log in to Harbor
docker login -u test https://load.iregistry.com
# Tag and push the image
docker tag hello-world load.iregistry.com/load/hello-world
docker push load.iregistry.com/load/hello-world
2. Pull an image
docker pull load.iregistry.com/load/hello-world
3. Configure a Docker Hub proxy
A proxy repository can only be pulled from, not pushed to.
User management – create a user
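Registry management – create a Docker Hub target
Projects – new project: docker-hub, with the proxy cache set to the Docker Hub target created above
Add the user harbor to the docker-hub project and give it the project admin role
Pull the hello-world image from Docker Hub through the proxy
View the pulled hello-world image in the Harbor UI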