简介
Harbor是基于docker registry服务,添加了用户权限管理、镜像复制等功能的镜像仓库。具体模块如下:
image.png
主要组件包括
proxy【nginx前端代理,用来分发前端页面ui访问和镜像上传和下载流量】;
ui【提供了一个web管理页面,还包括一个前端页面和后端API,底层使用mysql数据库】;
registry【镜像仓库,负责存储镜像文件,当镜像上传完毕后通过hook通知ui创建repository,registry的token认证通过ui组件完成】;
adminserver【系统配置管理中心附带检查存储用量,ui和jobserver启动时候需要加载adminserver的配置】;
jobsevice【负责镜像复制工作的,他和registry通信,从一个registry pull镜像然后push到另一个registry,并记录job_log】;
log【日志汇总组件,通过docker的log-driver把日志汇总到一起】。
1、文件下载
wget https://storage.googleapis.com/harbor-releases/harbor-online-installer-v1.5.1.tgz
如果下载不下来,可以使用百度云盘下载
https://pan.baidu.com/s/1BzzOz2i6lO_gj2ozVVYdpA
- 安装参考:
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
2、安装Docker-Compose(pip方式)
- yum添加源
[ root@localhost]# yum -y install epel-release
- 安装python-pip
[root@localhost]# yum -y install python-pip
- 安装docker-compose
[root@localhost]# pip install -U docker-compose
[root@localhost ~]# docker-compose -v
docker-compose version 1.21.2, build a133471
3、配置修改:
解压缩之后,修改harbor.cfg文件,该文件就是Harbor的配置文件。
## Configuration file of Harbor
# hostname设置访问地址,可以使用ip、域名,不可以设置为127.0.0.1或localhost
hostname = 172.16.1.146
# 访问协议,默认是http,也可以设置https,如果设置https,则nginx ssl需要设置on
ui_url_protocol = http
# mysql数据库root用户默认密码root123,实际使用时修改下
db_password = root123
# 是否开启自注册,on开启,off关闭,可以关闭掉。
self_registration = off
# 启动Harbor后,管理员UI登录的密码,默认是Harbor12345
harbor_admin_password = Harbor12345
#镜像同步job数量
max_job_workers = 50
customize_crt = on
#https时候使用
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
# 邮件设置,发送重置密码邮件时使用
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
# 认证方式,这里支持多种认证方式,如LADP、本次存储、数据库认证。默认是db_auth,mysql数据库认证
auth_mode = db_auth
# LDAP认证时配置项
#ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
#ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
#ldap_uid = uid
#ldap_scope = 3
#ldap_timeout = 5
# Token有效时间,默认30分钟
token_expiration = 30
# 用户创建项目权限控制,默认是everyone(所有人),也可以设置为adminonly(只能管理员)
project_creation_restriction = everyone
verify_remote_cert = on
#日志数量
log_rotate_count = 50
#单个日志大小
log_rotate_size = 200M
4、docker-compose配置修改,视情况修改
修改页面端口
- 修改docker-compose.yml;
proxy:
image: vmware/nginx-photon:v1.5.1
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
# 如需要,可以修改对外端口为
# - 8888:80
- 80:80
- 443:443
- 4443:4443
depends_on:
- 修改common/templates/registry/config.yml :
auth:
token:
issuer: harbor-token-issuer
# 如果需要,可以添加端口8888
# realm: $public_url:8888/service/token
修改docker-compose.yml
version: '2'
services:
log:
image: vmware/harbor-log:v1.5.1
container_name: harbor-log
restart: always
volumes:
# harbor 日志目录
- /var/log/harbor/:/var/log/docker/:z
- ./common/config/log/:/etc/logrotate.d/:z
ports:
- 127.0.0.1:1514:10514
networks:
- harbor
registry:
image: vmware/registry-photon:v2.6.2-v1.5.1
container_name: registry
restart: always
volumes:
# registry 存储目录
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
networks:
- harbor
environment:
- GODEBUG=netdns=cgo
command:
["serve", "/etc/registry/config.yml"]
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
mysql:
image: vmware/harbor-db:v1.5.1
container_name: harbor-db
restart: always
volumes:
- /data/database:/var/lib/mysql:z
networks:
- harbor
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "mysql"
adminserver:
image: vmware/harbor-adminserver:v1.5.1
container_name: harbor-adminserver
env_file:
- ./common/config/adminserver/env
restart: always
volumes:
- /data/config/:/etc/adminserver/config/:z
- /data/secretkey:/etc/adminserver/key:z
- /data/:/data/:z
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "adminserver"
ui:
image: vmware/harbor-ui:v1.5.1
container_name: harbor-ui
env_file:
- ./common/config/ui/env
restart: always
volumes:
- ./common/config/ui/app.conf:/etc/ui/app.conf:z
- ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
- ./common/config/ui/certificates/:/etc/ui/certificates/:z
- /data/secretkey:/etc/ui/key:z
- /data/ca_download/:/etc/ui/ca/:z
- /data/psc/:/etc/ui/token/:z
networks:
- harbor
depends_on:
- log
- adminserver
- registry
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "ui"
jobservice:
image: vmware/harbor-jobservice:v1.5.1
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
volumes:
- /data/job_logs:/var/log/jobs:z
- ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
networks:
- harbor
depends_on:
- redis
- ui
- adminserver
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "jobservice"
redis:
image: vmware/redis-photon:v1.5.1
container_name: redis
restart: always
volumes:
- /data/redis:/data
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "redis"
proxy:
image: vmware/nginx-photon:v1.5.1
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
- 80:80
- 443:443
- 4443:4443
depends_on:
- mysql
- registry
- ui
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
networks:
harbor:
external: false
5、启动
sudo ./install.sh --with-clair
[root@localhost harbor]# sudo ./install.sh --with-clair
[root@node146 harbor]# docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (health: starting)
nginx nginx -g daemon off; Up (health: starting) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp
6、客户端配置修改
免https修改
修改 /etc/docker/daemon.json,添加 insecure-registries":["172.16.1.146"] 配置
# 需要注意不能覆盖原来的配置
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146"] }' >> /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146"] }
##重启docker
root@localhost ~]# systemctl daemon-reload
root@localhost ~]# service docker restart
如果不配置,客户端使用时候会报错: Error response from daemon: Get https://172.16.1.146/v2/: dial tcp 172.16.1.146:443: getsockopt: connection refused
7、页面展示
更多使用说明参考:https://github.com/vmware/harbor/blob/master/docs/user_guide.md
image.png
image.png
8、使用
- 登录
[root@localhost harbor]# docker login 172.16.1.146
Username (admin): admin
Password:
Login Succeeded
- 打标签并且上传
[root@localhost harbor]# docker tag registry:2.6.2 172.16.1.146/wondertek/registry:2.6.2
[root@localhost harbor]# docker push 172.16.1.146/wondertek/registry:2.6.2
The push refers to a repository
172.16.1.146/wondertek/registry]
9113493eaae1: Layer already exists
621c2399d41a: Layer already exists
59e80739ed3f: Layer already exists
febf19f93653: Layer already exists
e53f74215d12: Layer already exists
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
- 删除本地镜像 重新下载
[root@localhost harbor]# docker rmi 172.16.1.146/wondertek/registry:2.6.2
Untagged: 172.16.1.146/wondertek/registry:2.6.2
Untagged: 172.16.1.146/wondertek/registry@sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
[root@localhost harbor]# docker pull 172.16.1.146/wondertek/registry:2.6.2
Trying to pull repository 172.16.1.146/wondertek/registry ...
2.6.2: Pulling from 172.16.1.146/wondertek/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146/wondertek/registry:2.6.2
