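Introduction
Harbor is an image registry built on the Docker registry service, with added features such as user permission management and image replication. Its modules are as follows:
The main components are:
proxy [nginx front-end proxy, which dispatches UI page requests and image upload/download traffic];
ui [provides a web management page, consisting of a front-end page and a back-end API, backed by a MySQL database];
registry [the image registry, responsible for storing image files; when an image upload completes it notifies ui through a hook to create the repository; the registry's token authentication is handled by the ui component];
adminserver [the system configuration management center, which also checks storage usage; ui and jobservice load adminserver's configuration at startup];
jobservice [responsible for image replication; it talks to the registry, pulling an image from one registry and pushing it to another, and records job_log];
log [log aggregation component, which collects the logs in one place through Docker's log-driver].
1. Download the files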
wget https://storage.googleapis.com/harbor-releases/harbor-online-installer-v1.5.1.tgz
If the download fails, you can download it from Baidu Cloud instead
https://pan.baidu.com/s/1BzzOz2i6lO_gj2ozVVYdpA
- Installation reference:
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
2. Install Docker-Compose (via pip)
- Add the yum repository
[root@localhost]# yum -y install epel-release
- Install python-pip
[root@localhost]# yum -y install python-pip
- Install docker-compose
[root@localhost]# pip install -U docker-compose
[root@localhost ~]# docker-compose -v
docker-compose version 1.21.2, build a133471
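3. Modify the configuration:
After extracting the archive, edit harbor.cfg, which is Harbor's configuration file.
## Configuration file of Harbor
# hostname sets the access address; an IP or a domain name can be used, but not 127.0.0.1 or localhost
hostname = 172.16.1.146
# Access protocol; the default is http. It can also be set to https, in which case nginx ssl must be turned on
ui_url_protocol = http
# The default password of the MySQL root user is root123; change it for real use
db_password = root123
# Whether self-registration is enabled: on enables it, off disables it. It can be turned off.
self_registration = off
# Password for the administrator's UI login after Harbor starts; the default is Harbor12345
harbor_admin_password = Harbor12345
# Number of image replication jobs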
max_job_workers = 50
customize_crt = on
# Used with https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
# Mail settings, used when sending password-reset emails
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
# Authentication mode; several are supported, such as LDAP, local storage and database authentication. The default is db_auth, MySQL database authentication
auth_mode = db_auth
# Settings for LDAP authentication
#ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
#ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
#ldap_uid = uid
#ldap_scope = 3
#ldap_timeout = 5
# Token lifetime; the default is 30 minutes
token_expiration = 30
# Controls who may create projects; the default is everyone (all users), and it can also be set to adminonly (administrators only)
project_creation_restriction = everyone
verify_remote_cert = on
# Number of log files
log_rotate_count = 50
# Size of a single log file
log_rotate_size = 200M
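An added example (not part of Harbor or of the original post): a small Python check that reads harbor.cfg and lists the settings shown above that are still at their shipped default or sample value, or that are worth reviewing before install.sh is run. The embedded sample is a constructed subset of the file above; the function names and the choice of flagged settings are assumptions of this example.

```python
# Added example: pre-install review of harbor.cfg (values taken from this page).
SHIPPED_SECRETS = {
    "db_password": "root123",
    "harbor_admin_password": "Harbor12345",
    "email_password": "abc",
}
# key -> (value that gets flagged, why it matters)
RISKY_VALUES = {
    "ui_url_protocol": ("http", "logins and tokens travel without TLS"),
    "self_registration": ("on", "anyone who reaches the UI can sign up"),
    "email_ssl": ("false", "SMTP credentials are sent without TLS"),
    "verify_remote_cert": ("off", "remote registry certificates are not verified"),
    "project_creation_restriction": ("everyone", "any user can create projects"),
}
# Constructed sample: a subset of the harbor.cfg shown on this page.
SAMPLE_CFG = """\
ui_url_protocol = http
db_password = root123
self_registration = off
harbor_admin_password = Harbor12345
email_password = abc
email_ssl = false
project_creation_restriction = everyone
verify_remote_cert = on
"""

def parse_cfg(text):
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return sorted (key, reason) pairs for settings to change or review."""
    settings = parse_cfg(text)
    findings = [(k, "still the shipped default or sample value")
                for k, v in SHIPPED_SECRETS.items() if settings.get(k) == v]
    findings += [(k, why) for k, (bad, why) in RISKY_VALUES.items()
                 if settings.get(k, "").lower() == bad]
    return sorted(findings)

if __name__ == "__main__":
    for key, reason in audit(SAMPLE_CFG):
        print(f"{key}: {reason}")
```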
4. Modify the docker-compose configuration (as needed)
Change the web UI port
- Edit docker-compose.yml:
  proxy:
    image: vmware/nginx-photon:v1.5.1
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      # If needed, the external port can be changed to
      # - 8888:80
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
- Edit common/templates/registry/config.yml:
auth:
  token:
    issuer: harbor-token-issuer
    # If needed, add port 8888
    # realm: $public_url:8888/service/token
Edit docker-compose.yml
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.5.1
    container_name: harbor-log
    restart: always
    volumes:
      # Harbor log directory
      - /var/log/harbor/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: vmware/registry-photon:v2.6.2-v1.5.1
    container_name: registry
    restart: always
    volumes:
      # registry storage directory
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.5.1
    container_name: harbor-db
    restart: always
    volumes:
      - /data/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.5.1
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /data/config/:/etc/adminserver/config/:z
      - /data/secretkey:/etc/adminserver/key:z
      - /data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.5.1
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /data/secretkey:/etc/ui/key:z
      - /data/ca_download/:/etc/ui/ca/:z
      - /data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.5.1
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
    networks:
      - harbor
    depends_on:
      - redis
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  redis:
    image: vmware/redis-photon:v1.5.1
    container_name: redis
    restart: always
    volumes:
      - /data/redis:/data
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"
  proxy:
    image: vmware/nginx-photon:v1.5.1
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
5. Start
sudo ./install.sh --with-clair
[root@localhost harbor]# sudo ./install.sh --with-clair
[root@node146 harbor]# docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (health: starting)
nginx nginx -g daemon off; Up (health: starting) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp
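6. Client configuration changes
Using the registry without HTTPS
Edit /etc/docker/daemon.json and add the "insecure-registries":["172.16.1.146"] setting
# Note: do not overwrite the existing configuration (if the file already has content, merge this key into the existing JSON object; appending with >> would leave invalid JSON)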
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146"] }' >> /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146"] }
## Restart docker
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# service docker restart
If this is not configured, the client fails with: Error response from daemon: Get https://172.16.1.146/v2/: dial tcp 172.16.1.146:443: getsockopt: connection refused
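An added example (not from the original post): a Python helper that merges a registry into "insecure-registries" in an existing daemon.json instead of appending text to it, so other daemon settings survive and the file stays valid JSON. The function names and the "log-driver" entry in the constructed sample file are assumptions of this example; the demo runs against a temporary file, not /etc/docker/daemon.json.

```python
# Added example: merge a registry into "insecure-registries" in Docker's
# daemon.json without discarding or corrupting existing settings.
import json
import os
import tempfile

def add_insecure_registry(path, registry):
    """Add `registry` to insecure-registries in `path`; return the new config."""
    config = {}
    if os.path.exists(path) and os.path.getsize(path) > 0:
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)          # raises if the file is already invalid
        if not isinstance(config, dict):
            raise ValueError(f"{path}: top level must be a JSON object")
    registries = config.setdefault("insecure-registries", [])
    if registry not in registries:
        registries.append(registry)
    # Write to a temp file in the same directory, then rename atomically,
    # so a failed write never leaves a half-written daemon.json behind.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return config

def demo():
    """Run against a constructed daemon.json that already has a setting."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "daemon.json")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('{ "log-driver": "json-file" }')   # constructed sample
        add_insecure_registry(path, "172.16.1.146")
        add_insecure_registry(path, "172.16.1.146")     # second call is a no-op
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)

if __name__ == "__main__":
    print(demo())
```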
7. Web UI
For more usage instructions, see: https://github.com/vmware/harbor/blob/master/docs/user_guide.md
8. Usage
- Log in
[root@localhost harbor]# docker login 172.16.1.146
Username (admin): admin
Password:
Login Succeeded
- Tag and push
[root@localhost harbor]# docker tag registry:2.6.2 172.16.1.146/wondertek/registry:2.6.2
[root@localhost harbor]# docker push 172.16.1.146/wondertek/registry:2.6.2
The push refers to a repository [172.16.1.146/wondertek/registry]
9113493eaae1: Layer already exists
621c2399d41a: Layer already exists
59e80739ed3f: Layer already exists
febf19f93653: Layer already exists
e53f74215d12: Layer already exists
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
- Delete the local image and pull it again
[root@localhost harbor]# docker rmi 172.16.1.146/wondertek/registry:2.6.2
Untagged: 172.16.1.146/wondertek/registry:2.6.2
Untagged: 172.16.1.146/wondertek/registry@sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
[root@localhost harbor]# docker pull 172.16.1.146/wondertek/registry:2.6.2
Trying to pull repository 172.16.1.146/wondertek/registry ...
2.6.2: Pulling from 172.16.1.146/wondertek/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146/wondertek/registry:2.6.2