Deploying a Harbor registry
Whether you build your own registry with Docker Distribution or by running the official registry image as a container, the earlier demonstrations show that the result is very bare-bones, less convenient than simply managing images on the official Docker Hub. At a minimum, Docker Hub lets you manage images through a web UI, search from that UI, and use Webhooks and Automated Builds to build images automatically from a Dockerfile: instead of running docker build locally, the user pushes the whole build context as a repository to GitHub, and Docker Hub pulls those files from GitHub to complete the build.
But however powerful the official Docker Hub is, it is hosted abroad, so speed is the biggest bottleneck and using the official registry is often not an option; yet the two self-hosted approaches above are very rudimentary and hard to manage. That gap was later filled by a project favoured by the CNCF, named Harbor.
About Harbor
Harbor was built by VMware as a second layer on top of Docker Registry, adding many extra components and a very polished web UI.
Project Harbor is an open-source trusted cloud-native registry project that stores, signs and scans content.
Harbor extends the open-source Docker Distribution by adding the functionality users typically need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity auditing and replication between instances.
Harbor features
Harbor's core function is storing and managing artifacts.
Access control: access control is a basic requirement when multiple users store artifacts in the same registry, and was one of the main features provided by early Harbor versions.
Image signing: an image is essentially a packaged form of software, and from a security standpoint developers need to guarantee the integrity of an image's contents before deploying it.
Image scanning: a container image packages code, software and the runtime environment it needs; both the released software and the libraries it depends on may contain security vulnerabilities.
Advanced management: over successive releases Harbor has, based on community feedback, added many advanced management features for administrators and users to support more complex scenarios, including artifact replication policies, storage quota management, tag retention policies (artifact retention policies) and garbage collection.
Docker Compose
Deploying Harbor directly on a physical machine is very hard, so to simplify its use the Harbor project ships Harbor as an application that runs in containers. Those containers depend on many backing stores such as redis, mysql and pgsql, so a number of containers have to be orchestrated to work together; VMware Harbor therefore relies on Docker's single-host orchestration tool, Docker Compose, for deployment and operation.
Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from your configuration.
Deploying Harbor
Go to the official Harbor repository (https://github.com/goharbor/harbor) beforehand and download the harbor-offline-installer-v2.5.3 package, as follows:
Type harbor in the search box at the top left
Go to the official Docker Compose documentation (https://docs.docker.com/compose/) for the installation steps
Bring up two machines, one as the client and one as the registry host
client is the client, harbor is the registry host
Both machines must have docker installed
On the client:
```
[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# bash
[root@client ~]# which docker
/usr/bin/docker
[root@client yum.repos.d]# ls
CentOS-Base.repo  docker-ce.repo
[root@client yum.repos.d]# scp docker-ce.repo 192.168.222.251:/etc/yum.repos.d/    // copy the client's docker repo file to the registry host
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password:
docker-ce.repo                                100% 2261     1.0MB/s   00:00
```
On the registry host:
```
[root@localhost2 ~]# hostnamectl set-hostname harbor
[root@localhost2 ~]# bash
[root@harbor ~]# cd /etc/yum.repos.d/
[root@harbor yum.repos.d]# ls    // check that the docker repo file is present
CentOS-Base.repo  docker-ce.repo  mysql-community-source.repo  mysql-community.repo
[root@harbor yum.repos.d]# dnf -y install docker-ce    // install docker
```
Scroll down on the same page
Scroll down to the manual install instructions
```
[root@harbor ~]# DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
[root@harbor ~]# mkdir -p $DOCKER_CONFIG/cli-plugins    // create .docker
[root@harbor ~]# ls -a
.              .bash_profile  .docker         .wget-hsts
..             .bashrc        .mysql_history  anaconda-ks.cfg
.bash_history  .config        .tcshrc         mysql57-community-release-el7-11.noarch.rpm
.bash_logout   .cshrc         .viminfo
[root@harbor ~]# ls .docker/
cli-plugins
[root@harbor cli-plugins]# ls    // the pre-downloaded binary has been copied in here
docker-compose
[root@harbor cli-plugins]# chmod +x docker-compose    // make it executable
[root@harbor cli-plugins]# ll
total 25188
-rwxr-xr-x 1 root root 25792512 Aug 11 22:07 docker-compose
[root@harbor cli-plugins]# ./docker-compose --help    // all of the commands below are now available
Usage:  docker compose [OPTIONS] COMMAND

Docker Compose

Options:
      --ansi string                Control when to print ANSI control characters ("never"|"always"|"auto") (default "auto")
      --compatibility              Run compose in backward compatibility mode
      --env-file string            Specify an alternate environment file.
  -f, --file stringArray           Compose configuration files
      --profile stringArray        Specify a profile to enable
      --project-directory string   Specify an alternate working directory
                                   (default: the path of the, first specified, Compose file)
  -p, --project-name string        Project name

Commands:
  build       Build or rebuild services
  convert     Converts the compose file to platform's canonical format
  cp          Copy files/folders between a service container and the local filesystem
  create      Creates containers for a service.
  down        Stop and remove containers, networks
  events      Receive real time events from containers.
  exec        Execute a command in a running container.
  images      List images used by the created containers
  kill        Force stop service containers.
  logs        View output from containers
  ls          List running compose projects
  pause       Pause services
  port        Print the public port for a port binding.
  ps          List containers
  pull        Pull service images
  push        Push service images
  restart     Restart containers
  rm          Removes stopped service containers
  run         Run a one-off command on a service.
  start       Start services
  stop        Stop services
  top         Display the running processes
  unpause     Unpause services
  up          Create and start containers
  version     Show the Docker Compose version information

Run 'docker compose COMMAND --help' for more information on a command.
[root@harbor cli-plugins]# pwd
/root/.docker/cli-plugins    // at this point only the current user can run the command
[root@harbor cli-plugins]# ln -sv /root/.docker/cli-plugins/docker-compose /usr/bin/    // symlink it so it can be used anywhere on the system
'/usr/bin/docker-compose' -> '/root/.docker/cli-plugins/docker-compose'
[root@harbor cli-plugins]# cd
[root@harbor ~]# which docker-compose
/usr/bin/docker-compose
[root@harbor ~]# docker compose version    // check the version
Docker Compose version v2.7.0
[root@harbor ~]# cd /usr/src/
[root@harbor src]# ls    // the package downloaded earlier has been copied in here
debug  harbor-offline-installer-v2.5.3.tgz  kernels
[root@harbor src]# tar xf harbor-offline-installer-v2.5.3.tgz -C /usr/local/
[root@harbor src]# ls /usr/local/
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
[root@harbor src]# cd /usr/local/harbor/
[root@harbor harbor]# ls
LICENSE  common.sh  harbor.v2.5.3.tar.gz  harbor.yml.tmpl  install.sh  prepare
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml
[root@harbor harbor]# hostnamectl set-hostname harbor.example.com    // the hostname can be changed ahead of time
[root@harbor harbor]# bash
```
Settings changed in harbor.yml:
```
hostname: harbor.example.com    // set to the hostname
#https:    // comment out the certificate-related settings
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
harbor_admin_password: Harbor12345    // the login password for the web UI
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123    // database password
data_volume: /data    // directory where data is stored
# insecure The flag to skip verifying registry certificate
insecure: false    // the insecure option (skipping certificate verification) stays off
# are all valid.
rotate_size: 200M    // log rotation (each day a fixed number of logs are kept, renamed to different file names)
# The directory on your host that store log
location: /var/log/harbor    // log directory
```
Then run the installer:
```
[root@harbor harbor]# ls
LICENSE  common.sh  harbor.v2.5.3.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  prepare
[root@harbor harbor]# ./install.sh    // run this script
....
[Step 5]: starting Harbor ...
[+] Running 10/10
 ⠿ Network harbor_harbor          Created    0.1s
 ⠿ Container harbor-log           Started    0.8s
 ⠿ Container redis                Started    1.9s
 ⠿ Container registryctl          Started    1.9s
 ⠿ Container registry             Started    2.1s
 ⠿ Container harbor-portal        Started    2.1s
 ⠿ Container harbor-db            Started    2.0s
 ⠿ Container harbor-core          Started    2.8s
 ⠿ Container harbor-jobservice    Started    3.7s
 ⠿ Container nginx                Started    3.8s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:1514       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::]:80              [::]:*
```
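An added pre-install check for the harbor.yml settings chosen above (example code written for this page, not part of the original post or the Harbor project): it assumes the harbor.yml.tmpl layout shown here and runs against a constructed sample file, reporting the template defaults that were left in place and the plain-HTTP listener that the client notes below have to work around.

```bash
# Added example, not part of the original post: a pre-install audit of harbor.yml that
# flags the settings the walkthrough above leaves at template defaults. Assumes the
# harbor.yml.tmpl layout shown in the post; the sample file below is constructed.
# Print the first active (uncommented) value of a key: $1 = file, $2 = key name.
yml_value() {
    grep -E "^[[:space:]]*$2:" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/[[:space:]]*(#.*)?$//"
}

# Audit one harbor.yml: print each finding, return the number of findings (0 = clean).
audit_harbor_yml() {
    file="$1"; findings=0
    host=$(yml_value "$file" hostname)
    # With the https: block commented out, nginx serves plain HTTP on :80 and every
    # "docker login" sends its credentials unencrypted.
    if ! grep -qE '^https:' "$file"; then
        echo "WARN: https block disabled; clients must list $host under insecure-registries"
        findings=$((findings + 1))
    fi
    # Template default credentials: the admin web login and the Harbor DB root user.
    if [ "$(yml_value "$file" harbor_admin_password)" = "Harbor12345" ]; then
        echo "WARN: harbor_admin_password is still the template default"
        findings=$((findings + 1))
    fi
    if [ "$(yml_value "$file" password)" = "root123" ]; then
        echo "WARN: database password is still the template default"
        findings=$((findings + 1))
    fi
    if [ "$(yml_value "$file" insecure)" = "true" ]; then
        echo "WARN: insecure: true skips registry certificate verification"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed harbor.yml mirroring the values chosen in the post above.
write_sample_harbor_yml() {
    cat > "$1" <<'EOF'
hostname: harbor.example.com
#https:
harbor_admin_password: Harbor12345
database:
  password: root123
trivy:
  insecure: false
EOF
}

demo=$(mktemp); write_sample_harbor_yml "$demo"
audit_harbor_yml "$demo" || echo "$? finding(s); fix them before running ./install.sh"
rm -f "$demo"
```

Run it against the real /usr/local/harbor/harbor.yml before ./install.sh; a non-zero exit status is the number of findings.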
Log in to the Harbor management UI using the IP address:
The UI after a successful login:
Notes on using Harbor:
- When pushing images from the client, remember to run docker login first to authenticate; otherwise the push is rejected
- If the client is not using https, the insecure-registries parameter must be configured in the client's /etc/docker/daemon.json
- The data path in the configuration file should point to shared storage with ample capacity
- Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop, and see --help for the other options
```
[root@harbor ~]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED          STATUS                    PORTS                                   NAMES
27d358705acf   goharbor/harbor-jobservice:v2.5.3    "/harbor/entrypoint.…"   10 minutes ago   Up 10 minutes (healthy)                                           harbor-jobservice
917a7155677e   goharbor/nginx-photon:v2.5.3         "nginx -g 'daemon of…"   10 minutes ago   Up 10 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
6230fed03071   goharbor/harbor-core:v2.5.3          "/harbor/entrypoint.…"   10 minutes ago   Up 10 minutes (healthy)                                           harbor-core
290772e4a195   goharbor/harbor-registryctl:v2.5.3   "/home/harbor/start.…"   10 minutes ago   Up 10 minutes (healthy)                                           registryctl
a78c22de9b73   goharbor/redis-photon:v2.5.3         "redis-server /etc/r…"   10 minutes ago   Up 10 minutes (healthy)                                           redis
ef4560266151   goharbor/registry-photon:v2.5.3      "/home/harbor/entryp…"   10 minutes ago   Up 10 minutes (healthy)                                           registry
282d2180241e   goharbor/harbor-db:v2.5.3            "/docker-entrypoint.…"   10 minutes ago   Up 10 minutes (healthy)                                           harbor-db
383c26c94150   goharbor/harbor-portal:v2.5.3        "nginx -g 'daemon of…"   10 minutes ago   Up 10 minutes (healthy)                                           harbor-portal
7fcbe6d544c9   goharbor/harbor-log:v2.5.3           "/bin/sh -c /usr/loc…"   11 minutes ago   Up 10 minutes (healthy)   127.0.0.1:1514->10514/tcp               harbor-log
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
LICENSE  common.sh           harbor.v2.5.3.tar.gz  harbor.yml.tmpl  prepare
common   docker-compose.yml  harbor.yml            install.sh
[root@harbor harbor]# docker-compose stop
[+] Running 9/9
 ⠿ Container harbor-jobservice  Stopped    0.3s
 ⠿ Container nginx              Stopped    0.4s
 ⠿ Container registryctl        Stopped   10.2s
 ⠿ Container harbor-portal      Stopped    0.2s
 ⠿ Container harbor-core        Stopped    0.3s
 ⠿ Container harbor-db          Stopped    0.3s
 ⠿ Container redis              Stopped    0.3s
 ⠿ Container registry           Stopped    0.3s
 ⠿ Container harbor-log         Stopped   10.2s
[root@harbor harbor]# docker-compose start
[+] Running 9/9
 ⠿ Container harbor-log         Started    0.7s
 ⠿ Container harbor-db          Started    1.3s
 ⠿ Container redis              Started    1.0s
 ⠿ Container registry           Started    0.9s
 ⠿ Container registryctl        Started    1.2s
 ⠿ Container harbor-portal      Started    1.0s
 ⠿ Container harbor-core        Started    0.6s
 ⠿ Container nginx              Started    1.1s
 ⠿ Container harbor-jobservice  Started    0.9s
```