您的位置: 首页  >  文章  >  Docker私有仓库Harbor介绍和部署记录

Docker私有仓库Harbor介绍和部署记录

分类: 文章 2023-11-29 13:15:16

Docker容器应用的开发和运行离不开可靠的镜像管理,虽然Docker官方也提供了公共的镜像仓库,但是从安全和效率等方面考虑,部署我们私有环境内的Registry
也是非常必要的。之前介绍了Docker私有仓库Registry,这里介绍另一款企业级Docker镜像仓库Harbor的部署和使用,在Kubernetes集群中,推荐使用Harbor仓库环境。

一、Harbor仓库介绍

我们在日常Docker容器使用和管理过程中,渐渐发现部署企业私有仓库往往是很有必要的, 它可以帮助你管理企业的一些敏感镜像, 同时由于Docker Hub的下载速度和GFW的原因, 往往需要将一些无法直接下载的镜像导入本地私有仓库. 而Harbor就是部署企业私有仓库的一个不二之选。Harbor是由VMware公司开源的企业级的Docker Registry管理项目,Harbor主要提供Dcoker Registry管理UI,提供的功能包括:基于角色访问的控制权限管理(RBAC)、AD/LDAP集成、日志审核、管理界面、自我注册、镜像复制和中文支持等。Harbor的目标是帮助用户迅速搭建一个企业级的Docker registry服务。它以Docker公司开源的registry为基础,额外提供了如下功能:
->  基于角色的访问控制(Role Based Access Control)
->  基于策略的镜像复制(Policy based image replication)
->  镜像的漏洞扫描(Vulnerability Scanning)
->  AD/LDAP集成(LDAP/AD support)
->  镜像的删除和空间清理(Image deletion & garbage collection)
->  友好的管理UI(Graphical user portal)
->  审计日志(Audit logging)
->  RESTful API
->  部署简单(Easy deployment)

Harbor的所有组件都在Dcoker中部署,所以Harbor可使用Docker Compose快速部署。需要特别注意:由于Harbor是基于Docker Registry V2版本,所以docker必须大于等于1.10.0版本docker-compose必须要大于1.6.0版本

二、Harbor仓库结构

Harbor的每个组件都是以Docker容器的形式构建的,可以使用Docker Compose来进行部署。如果环境中使用了kubernetes,Harbor也提供了kubernetes的配置文件。Harbor大概需要以下几个容器组成ui(Harbor的核心服务)、log(运行着rsyslog的容器,进行日志收集)、mysql(由官方mysql镜像构成的数据库容器)、Nginx(使用Nginx做反向代理)、registry(官方的Docker registry)、adminserver(Harbor的配置数据管理器)、jobservice(Harbor的任务管理服务)、redis(用于存储session)。

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,整体架构还是很清晰的。下面借用了网上的架构图:

Docker私有仓库Harbor介绍和部署记录

===========================================================================

Docker私有仓库Harbor介绍和部署记录

Harbor依赖的外部组件
-> Nginx(即Proxy代理层): Nginx前端代理,主要用于分发前端页面ui访问和镜像上传和下载流量; Harbor的registry,UI,token等服务,通过一个前置的反向代理统一接收浏览器、Docker客户端的请求,并将请求转发给后端不同的服务。
-> Registry v2: 镜像仓库,负责存储镜像文件; Docker官方镜像仓库, 负责储存Docker镜像,并处理docker push/pull命令。由于我们要对用户进行访问控制,即不同用户对Docker image有不同的读写权限,Registry会指向一个token服务,强制用户的每次docker pull/push请求都要携带一个合法的token, Registry会通过公钥对token进行解密验证。
-> Database(MySQL或Postgresql):为core services提供数据库服务,负责储存用户权限、审计日志、Docker image分组信息等数据。

Harbor自有组件
-> Core services(Admin Server): 这是Harbor的核心功能,主要提供以下服务: 
    -> UI:提供图形化界面,帮助用户管理registry上的镜像(image), 并对用户进行授权。
    -> webhook:为了及时获取registry 上image状态变化的情况, 在Registry上配置webhook,把状态变化传递给UI模块。
    -> Auth服务:负责根据用户权限给每个docker push/pull命令签发token. Docker 客户端向Regiøstry服务发起的请求,如果不包含token,会被重定向到这里,获得token后再重新向Registry进行请求。
    -> API: 提供Harbor RESTful API
-> Replication Job Service:提供多个 Harbor 实例之间的镜像同步功能。
-> Log collector:为了帮助监控Harbor运行,负责收集其他组件的log,供日后进行分析。

再来仔细看下Harbor主要组件和数据流走向:

 

Docker私有仓库Harbor介绍和部署记录

-> proxy,它是一个nginx前端代理,主要是分发前端页面ui访问和镜像上传和下载流量,上图中通过深蓝色先标识;
-> ui提供了一个web管理页面,当然还包括了一个前端页面和后端API,底层使用mysql数据库;
-> registry是镜像仓库,负责存储镜像文件,当镜像上传完毕后通过hook通知ui创建repository,上图通过红色线标识,当然registry的token认证也是通过ui组件完成;
-> adminserver是系统的配置管理中心附带检查存储用量,ui和jobserver启动时候回需要加载adminserver的配置,通过灰色线标识;
-> jobsevice是负责镜像复制工作的,他和registry通信,从一个registry pull镜像然后push到另一个registry,并记录job_log,上图通过紫色线标识;
-> log是日志汇总组件,通过docker的log-driver把日志汇总到一起,通过浅蓝色线条标识。

Harbor的误区
误区一: Harbor是负责存储容器镜像的 (Harbor是镜像仓库,那么它就应当是存储镜像的)
其实关于镜像的存储,Harbor使用的是官方的docker registry服务去完成,至于registry是用本地存储或者s3都是可以的,Harbor的功能是在此之上提供用户权限管理、镜像复制等功能,提高使用的registry的效率。

误区二:Harbor镜像复制是存储直接复制 (镜像的复制,很多人以为应该是镜像分层文件的直接拷贝)
其实Harbor镜像复制采用了一个更加通用、高屋建瓴的做法,通过docker registry 的API去拷贝,这不是省事,这种做法屏蔽了繁琐的底层文件操作、不仅可以利用现有docker registry功能不必重复造轮子,而且可以解决冲突和一致性的问题。

Harbor的部署
这里不建议使用kubernetes来部署, 原因是镜像仓库非常重要, 尽量保证部署和维护的简洁性, 因此这里直接使用compose的方式进行部署。官方提供3种部署Harbor的方式:
1)在线安装: 从Docker Hub下载Harbor的镜像来安装, 由于Docker Hub比较慢, 建议Docker配置好加速器。
2)离线安装: 这种方式应对与部署主机没联网的情况使用。需要提前下载离线安装包: harbor-offline-installer-.tgz 到本地
3)OVA安装: 这个主要用vCentor环境是使用

后面部署时会为Docker配置镜像加速器, 因此会采用在线部署的方式, 部署步骤如下:
-> 下载Harbor最新的在线安装包
-> 配置Harbor (harbor.cfg)
-> 运行install.sh来安装和启动Harbor
-> Harbor的日志路径:/var/log/harbor

Harbor仓库部署的官方要求的最小系统配置
-> 2个cpu
-> 4g内存
-> 40g硬盘,因为是存储镜像的所以推荐硬盘大点。

参考
Harbor GitHub
Harbor 安装手册
Harbor 用户手册

三、Harbor仓库环境部署记录

3.1) 环境要求和准备工作

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

Harbor以容器的形式进行部署, 因此可以被部署到任何支持Docker的Linux发行版, 要使用Harbor,需要安装docker和docker-compose编排工具,并且具备如下环境:

Python2.7+

Docker Engine 1.10+

Docker Compose 1.6.0+

 

这里测试环境部署到Centos7.5机器上,如下:

[[email protected] ~]# cat /etc/redhat-release

CentOS Linux release 7.6.1810 (Core)

 

[[email protected] ~]# setenforce 0

[[email protected] ~]# cat /etc/sysconfig/selinux

...........

SELINUX=disabled

 

[[email protected] ~]# systemctl stop firewalld

[[email protected] ~]# systemctl disable firewalld

[[email protected] ~]# firewall-cmd --state

not running

 

centos7自带的python版本就是2.7.5

[[email protected] ~]# python --version

Python 2.7.5

3.2) 安装Docker

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

更新yum包

[[email protected] ~]# yum update

   

卸载旧版本 Docker

[[email protected] ~]# yum remove docker docker-common docker-selinux docker-engine

   

安装软件包

[[email protected] ~]# yum install -y yum-utils device-mapper-persistent-data lvm2

   

添加 Docker yum源

[[email protected] ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Loaded plugins: fastestmirror

adding repo from: https://download.docker.com/linux/centos/docker-ce.repo

grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo

repo saved to /etc/yum.repos.d/docker-ce.repo

   

安装 Docker (直接yum按照docker-ce即可)

随着Docker的不断流行与发展,docker公司(或称为组织)也开启了商业化之路,Docker 从 17.03版本之后分为 CE(Community Edition) 和 EE(Enterprise Edition):

1) Docker EE由公司支持,可在经过认证的操作系统和云提供商中使用,并可运行来自Docker Store的、经过认证的容器和插件。

2) Docker CE是免费的Docker产品的新名称,Docker CE包含了完整的Docker平台,非常适合开发人员和运维团队构建容器APP。

   事实上,Docker CE 17.03,可理解为Docker 1.13.1的Bug修复版本。因此,从Docker 1.13升级到Docker CE 17.03风险相对是较小的。

   

[[email protected] ~]# yum -y install docker-ce

   

启动 Docker

[[email protected] ~]# systemctl start docker

[[email protected] ~]# systemctl enable docker

[[email protected] ~]# systemctl status docker

● docker.service - Docker Application Container Engine

   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)

   Active: active (running) since Sun 2019-05-26 22:15:34 CST; 27min ago

     Docs: https://docs.docker.com

 Main PID: 15260 (dockerd)

   CGroup: /system.slice/docker.service

           └─15260 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

 

May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.570826805+08:00" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420175490, READY" module=grpc

May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.570899114+08:00" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc42006de20, READY" module=grpc

May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.665440742+08:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"

May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.666111994+08:00" level=info msg="Loading containers: start."

May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.913110547+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16... IP address"

May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.088687650+08:00" level=info msg="Loading containers: done."

May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.128885651+08:00" level=info msg="Docker daemon" commit=481bc77 graphdriver(s)=overlay2 version=18.09.6

May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.129073367+08:00" level=info msg="Daemon has completed initialization"

May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.223886566+08:00" level=info msg="API listen on /var/run/docker.sock"

May 26 22:15:34 harbor-node systemd[1]: Started Docker Application Container Engine.

Hint: Some lines were ellipsized, use -l to show in full.

   

查看 Docker 版本号

[[email protected] ~]# docker --version

Docker version 18.09.6, build 481bc77156

  

[[email protected] ~]# docker version

Client:

 Version:           18.09.6

 API version:       1.39

 Go version:        go1.10.8

 Git commit:        481bc77156

 Built:             Sat May  4 02:34:58 2019

 OS/Arch:           linux/amd64

 Experimental:      false

  

Server: Docker Engine - Community

 Engine:

  Version:          18.09.6

  API version:      1.39 (minimum version 1.12)

  Go version:       go1.10.8

  Git commit:       481bc77

  Built:            Sat May  4 02:02:43 2019

  OS/Arch:          linux/amd64

  Experimental:     false

3.3) 安装Docker Compose

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

Docker Compose 是 Docker 容器进行编排的工具,定义和运行多容器的应用,可以一条命令启动多个容器。

 

安装 epel-release

[[email protected] ~]# yum install epel-release

   

安装 python-pip

[[email protected] ~]# yum install -y python-pip

   

安装 docker-compose

[[email protected] ~]# pip install docker-compose

.........

Successfully installed asn1crypto-0.24.0 bcrypt-3.1.6 cached-property-1.5.1 certifi-2019.3.9 cffi-1.12.3 chardet-3.0.4 cryptography-2.6.1 docker-3.7.2 docker-compose-1.24.0 docker-pycreds-0.4.0 dockerpty-0.4.1 docopt-0.6.2 enum34-1.1.6 functools32-3.2.3.post2 idna-2.7 jsonschema-2.6.0 paramiko-2.4.2 pyasn1-0.4.5 pycparser-2.19 pynacl-1.3.0 requests-2.20.1 texttable-0.9.1 urllib3-1.24.3 websocket-client-0.56.0

You are using pip version 8.1.2, however version 19.1.1 is available.

You should consider upgrading via the 'pip install --upgrade pip' command.

   

查看 docker-compose 版本号

[[email protected] ~]# docker-compose -version

docker-compose version 1.24.0, build 0aa5906

  

[[email protected] ~]# pip freeze | grep compose

You are using pip version 8.1.2, however version 19.1.1 is available.

You should consider upgrading via the 'pip install --upgrade pip' command.

docker-compose==1.24.0

   

安装 git

[[email protected] ~]# yum install git

3.4) 为Docker配置加速器, 方便通过国内镜像服务器快速拉取Docker Hub提供的镜像

1

2

3

4

5

[[email protected] ~]# mkdir -p /etc/docker

[[email protected] ~]# cat /etc/docker/daemon.json

{

  "registry-mirrors": ["https://v5d7kh0f.mirror.aliyuncs.com"]

}

3.5) 下载Harbor安装包,配置Harbor
Harbor的GitHub仓库的Release页面, 下载最新的在线安装包(如果下载不了, 请从这里下载百度网盘Harbor   提取码:xu3j)

Docker私有仓库Harbor介绍和部署记录

这里分为在线和离线的版本,我下载的是1.8.0在线的版本

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

[[email protected] ~]# ll harbor-online-installer-v1.8.0.tgz

-rw-r--r-- 1 root root 7954 May 26 22:45 harbor-online-installer-v1.8.0.tgz

 

[[email protected] ~]# tar -zvxf harbor-online-installer-v1.8.0.tgz

[[email protected] ~]# cd harbor

[[email protected] harbor]# ls

harbor.yml  install.sh  LICENSE  prepare

 

下载下来之后解压缩,目录下会有harbor.yaml (新版本是.yaml文件,之前版本是.conf 或者 .cfg文件),就是Harbor的配置文件了。

[[email protected] harbor]# cp harbor.yml harbor.yml.bak

[[email protected] harbor]# vim harbor.yml

[[email protected] harbor]# cat harbor.yml |grep -v "#"|grep -v "^$"

hostname: 172.16.60.213

http:

  port: 80

harbor_admin_password: [email protected]             

database:

  password: root123

data_volume: /data

clair:

  updaters_interval: 12

  http_proxy:

  https_proxy:

  no_proxy: 127.0.0.1,localhost,core,registry

jobservice:

  max_job_workers: 10

chart:

  absolute_url: disabled

log:

  level: info

  rotate_count: 50

  rotate_size: 200M

  location: /var/log/harbor

_version: 1.8.0

 

配置解释

hostname: 修改成Harbao部署机自身的ip地址

db_password: 这是postgresql数据库root密码

harbor_admin_password: harbor初始管理员密码为Harbor12345, 这里最好修改成自己的密码,默认密码至少8位,最好是大小写、数字和特殊字符。

 

配置完Harbor之后,接着进行安装启动Harbor,Harbor目录下有一个install.sh, 执行它来进行安装

[[email protected] harbor]# ./install.sh

...........

...........

✔ ----Harbor has been installed and started successfully.----

 

Now you should be able to visit the admin portal at http://172.16.60.213.

For more details, please visit https://github.com/goharbor/harbor .

 

安装完成后,会发现解压目录harbor下面多了一个docker-compose.yml文件,里面包含了harbor依赖的镜像和对应容器创建的信息

 

查看harbor对应容器信息(还可以执行"docker images""docker ps"查看harbor的镜像和容器情况)

[[email protected] harbor]# docker-compose ps       #"注意docker-compose"命令只能在当前harbor目录下使用(因为该目录下有harbor配置文件)

      Name                     Command                  State                 Ports         

---------------------------------------------------------------------------------------------

harbor-core         /harbor/start.sh                 Up (healthy)                           

harbor-db           /entrypoint.sh postgres          Up (healthy)   5432/tcp                

harbor-jobservice   /harbor/start.sh                 Up                                     

harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp

harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp                  

nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->80/tcp      

redis               docker-entrypoint.sh redis ...   Up             6379/tcp                

registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp                

registryctl         /harbor/start.sh                 Up (healthy) 

 

然后就可以访问harbor了,访问地址为:http://172.16.60.213

用户名为admin,密码为配置文件中定义的"[email protected]"

Docker私有仓库Harbor介绍和部署记录

Docker私有仓库Harbor介绍和部署记录

Harbor 服务的关闭和启动

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

1) Harbor的日志路径:var/log/harbor

[[email protected] harbor]# cat harbor.yml|grep log

log:

  # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.

  # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.

  # The directory on your host that store log

  location: /var/log/harbor

    

[[email protected] harbor]# ls /var/log/harbor/

core.log  jobservice.log  portal.log  postgresql.log  proxy.log  redis.log  registryctl.log  registry.log

    

2) 停止和关闭harbor命令: "docker-compose down -v"

[[email protected] harbor]# docker-compose down -v

Stopping nginx             ... done

Stopping harbor-jobservice ... done

Stopping harbor-portal     ... done

Stopping harbor-core       ... done

Stopping redis             ... done

Stopping registryctl       ... done

Stopping registry          ... done

Stopping harbor-db         ... done

Stopping harbor-log        ... done

Removing nginx             ... done

Removing harbor-jobservice ... done

Removing harbor-portal     ... done

Removing harbor-core       ... done

Removing redis             ... done

Removing registryctl       ... done

Removing registry          ... done

Removing harbor-db         ... done

Removing harbor-log        ... done

Removing network harbor_harbor

    

[[email protected] harbor]# docker-compose ps

Name   Command   State   Ports

------------------------------

    

[[email protected] harbor]# docker ps

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

    

可以修改harbor配置文件,比如这里修改harbor的web登录端口,由80端口修改为8080端口

[[email protected] harbor]# vim harbor.yml

.........

http:

  # port for http, default is 80. If https enabled, this port will redirect to https port

  port: 8080

    

然后将harbor修改的配置更新到 docker-compose.yml 文件

[[email protected] harbor]# ./prepare

prepare base dir is set to /root/harbor

Clearing the configuration file/config/log/logrotate.conf

Clearing the configuration file/config/nginx/nginx.conf

Clearing the configuration file/config/core/env

Clearing the configuration file/config/core/app.conf

Clearing the configuration file/config/registry/config.yml

Clearing the configuration file/config/registry/root.crt

Clearing the configuration file/config/registryctl/env

Clearing the configuration file/config/registryctl/config.yml

Clearing the configuration file/config/db/env

Clearing the configuration file/config/jobservice/env

Clearing the configuration file/config/jobservice/config.yml

Generated configuration file/config/log/logrotate.conf

Generated configuration file/config/nginx/nginx.conf

Generated configuration file/config/core/env

Generated configuration file/config/core/app.conf

Generated configuration file/config/registry/config.yml

Generated configuration file/config/registryctl/env

Generated configuration file/config/db/env

Generated configuration file/config/jobservice/env

Generated configuration file/config/jobservice/config.yml

loaded secret from file/secret/keys/secretkey

Generated configuration file/compose_location/docker-compose.yml

Clean up the input dir

    

防止容器进程没有权限读取生成的配置

[[email protected] harbor]# ll common/

total 0

drwxr-xr-x 9 root root 105 May 26 23:10 config

    

[[email protected] harbor]# chmod -R 777 common

    

[[email protected] harbor]# ll common/

total 0

drwxrwxrwx 9 root root 105 May 27 00:41 config

    

=======================================================================================================================================

特别注意: 这里的common权限如果设置太小,可能会导致harbor启动后,报下面的错

发现启动harbor后,如上有些服务,如nginx,registry状态一直是"Restarting",这时需要查看日志:

[[email protected] harbor]# tail -100 /var/log/harbor/registry.log |grep error

May 27 01:01:18 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied

May 27 01:01:21 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied

May 27 01:01:23 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied

May 27 01:01:27 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied

=======================================================================================================================================

    

最后再次启动 harbor

[[email protected] harbor]# docker-compose up -d

Creating network "harbor_harbor" with the default driver

Creating harbor-log ... done

Creating registryctl ... done

Creating registry    ... done

Creating redis       ... done

Creating harbor-db   ... done

Creating harbor-core ... done

Creating harbor-jobservice ... done

Creating harbor-portal     ... done

Creating nginx             ... done

    

查看服务

[[email protected] harbor]# docker-compose  ps

      Name                     Command                       State                     Ports      

------------------------------------------------------------------------------------------------------

harbor-core         /harbor/start.sh                 Up (health: starting)                        

harbor-db           /entrypoint.sh postgres          Up (health: starting)   5432/tcp             

harbor-jobservice   /harbor/start.sh                 Up                                           

harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (health: starting)   127.0.0.1:1514->10514/tcp

harbor-portal       nginx -g daemon off;             Up (health: starting)   80/tcp               

nginx               nginx -g daemon off;             Up (health: starting)   0.0.0.0:8080->80/tcp 

redis               docker-entrypoint.sh redis ...   Up                      6379/tcp             

registry            /entrypoint.sh /etc/regist ...   Up (health: starting)   5000/tcp             

registryctl         /harbor/start.sh                 Up (health: starting) 

    

然后访问http://172.16.60.213:8080,即可访问harbor的web界面

 

###############################################################################################

要是想修改harbor的登陆用户密码,则最好在harbor web界面里直接修改,这样是最保险的!

 

如果是想通过修改harbar.yaml文件来重置harbor用户密码,则不能单纯的修改后就执行"./prepare"和重启docker-compose,这样是不能修改harbor用户密码的!

这时因为harbor在这里用的是postgresql数据库,以pdkdf2算法保存的秘文密码!需要先进入"harbor-db"容器内部,执行相关postgresql命令行。

而且postgresql的用户密码采用的是pbkdf2算法,需要提前计算好新密码的**值,pdkdf2算法需要"盐值""迭代次数"和**长度int型等,特别麻烦!!

 

所以如果忘记harbor的web密码或者是admin密码需要重置,并且对于postgresql数据库 或者 pbkdf2算法操作不熟悉的话,建议删除data源数据的database,重新部署!

做法如下:

# docker-compose down -v

# rm -rf /data/database

# vim harbor.yaml           #在这里重置或修改密码

# docker-compose up -d

 

这样就可以使用重置后的新密码登陆harbor web界面了,但是之前创建的用户和项目就都删除了。

这种情况最好适用于刚创建初期。

 

###############################################################################################

docker-compose up -d          # 后台启动,如果容器不存在根据镜像自动创建

docker-compose down -v        # 停止容器并删除容器

docker-compose start          # 启动容器,容器不存在就无法启动,不会自动创建镜像

docker-compose stop           # 停止容器

   

需要注意:

其实上面是停止docker-compose.yml中定义的所有容器,默认情况下docker-compose就是操作同目录下的docker-compose.yml文件。

如果使用其他yml文件,可以使用-f自己指定。

->  登录Harbor web界面,在"系统管理"->"配置管理"->"认证模式"->"允许自注册"这一项的对勾去掉,则登录的时候就不会有"用户注册"这一功能了。
->  可以在"配置管理"这一项进行认证模式,邮箱,标签等设置。

3.6) 使用Harbor私有仓库  

3.6.1)harbor的login登录

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

1)在harbor远程别的客户机上登录

[[email protected] ~]# docker login 172.16.60.213

Username: admin

Password:

Error response from daemon: Get https://172.16.60.213/v1/users/: dial tcp 172.16.60.213:443: connect: connection refused

  

在进行harbor登录或上传代码时,会报出上面错误!

这是因为docker1.3.2版本开始默认docker registry使用的是https,而Harbor默认设置的是http方式而不是https,所以当执行用docker login、pull、push等

命令操作非https的docker regsitry的时就会报错。

  

解决办法:

如下,在/etc/docker/daemon.json文件里添加"insecure-registries"配置

[[email protected] ~]# vim /etc/docker/daemon.json

{

    "insecure-registries": [

        "172.16.60.213"

      ]

}

  

然后重启docker服务

[[email protected] ~]# systemctl restart docker

  

接着再次验证harbor登录,发现就能登录上了

[[email protected] ~]# docker login 172.16.60.213      #或者直接执行"docker login -u admin -p [email protected] 172.16.60.213"命令登陆

Username: admin

Password:

Login Succeeded

[[email protected] ~]#

  

2)如果是在harbor本机登录,出现上面的报错:

[[email protected] harbor]# docker login 172.16.60.213

Username: admin

Password:

Error response from daemon: Get https://172.16.60.213/v1/users/: dial tcp 172.16.60.213:443: connect: connection refused

  

解决办法:

/etc/docker/daemon.json 文件里添加"insecure-registries"配置 (第一行是之前添加的docker加速配置),注意两行之间有一个","逗号隔开

[[email protected] harbor]# vim /etc/docker/daemon.json

{

  "registry-mirrors": ["https://v5d7kh0f.mirror.aliyuncs.com"],

  "insecure-registries": ["172.16.60.213"]

}

  

修改过后重启docker, 然后重启Harbor服务

[[email protected] harbor]# systemctl restart docker

[[email protected] harbor]# docker-compose stop

[[email protected] harbor]# docker-compose start

  

然后再测试再harbor本机登录

[[email protected] harbor]# docker login 172.16.60.213

Username: admin

Password:

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

  

Login Succeeded

[[email protected] harbor]#

  

登录的账号信息都保存到/root/.docker/config.json文件里了

[[email protected] harbor]# cat /root/.docker/config.json

{

        "auths": {

                "172.16.60.213": {

                        "auth""YWRtaW46a2V2aW5AQk8xOTg3"

                }

        },

        "HttpHeaders": {

                "User-Agent""Docker-Client/18.09.6 (linux)"

        }

  

只要/root/.docker/config.json里的信息不删除,后续再次登录的时候,就不用输入用户名和密码了

[[email protected] ~]# docker login 172.16.60.213

Authenticating with existing credentials...

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

  

Login Succeeded

===============================================================
注意事项总结:
harbor支持http和https,但如果使用http的话,在拉取镜像的时候,会抛出仓库不受信任的异常。
需要在所有的docker客户端的docker配置文件/etc/docker/daemon.json中添加如下配置:

1

2

3

{

    "insecure-registries": ["https://*.*.*.*"]

}

如果使用自签名的https证书,仍然会提示证书不受信任的问题。需要将自签名的ca证书发送到所有的docker客户端的指定目录。
关于使用自签名证书配置harbor的具体过程可以参考: https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

3.6.2)harbor仓库的使用

1

2

3

4

5

6

7

8

#镜像打标签的命令

# docker tag 镜像名:标签 私服地址/仓库项目名/镜像名:标签

 

#推送到私服的命令

#docker push 私服地址/仓库项目名/镜像名:标签

 

#从私服拉取镜像的命令

#docker pull 私服地址/仓库项目名/镜像名:标签

首先在Harbor web界面里最好创建一个自己需要的"项目" (或者使用默认的"library"项目),项目公开和私有:
-  Public: 所有用户对于公开项目都有读权限,这种方式对于你想把一些仓库分享给其他人的时候,是非常方便的.
-  Private: 私有项目只能被有特定用户权限的人去访问。这种方式对于内部团队来说共享也是比较方便的

比如创建一个公开项目"kevin_bo",点击进去可以看到推送镜像的信息提示
Docker私有仓库Harbor介绍和部署记录

Docker私有仓库Harbor介绍和部署记录

Docker私有仓库Harbor介绍和部署记录

然后就可以在Harbor服务器的终端命令行里进行镜像推送到Harbor仓库的操作了:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

在进行harbor镜像推送和拉取操作前,需要事先login登录到harbor仓库里,这样才有harbor镜像的推送和拉取的权限!!

[[email protected] ~]# docker login 172.16.60.213

Authenticating with existing credentials...

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

 

Login Succeeded

 

先查看本机有哪些镜像

[[email protected] ~]# docker images

REPOSITORY                    TAG                        IMAGE ID            CREATED             SIZE

goharbor/redis-photon         v1.8.0                     66d7402d2770        10 days ago         103MB

goharbor/harbor-registryctl   v1.8.0                     0ca3e2b624f5        10 days ago         96.2MB

goharbor/registry-photon      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24        10 days ago         81.3MB

goharbor/nginx-photon         v1.8.0                     4a4b48b32ae4        10 days ago         36MB

goharbor/harbor-log           v1.8.0                     e718bdc405a3        10 days ago         81.5MB

goharbor/harbor-jobservice    v1.8.0                     d47940dd883f        10 days ago         118MB

goharbor/harbor-core          v1.8.0                     b07a1a4be17f        10 days ago         135MB

goharbor/harbor-portal        v1.8.0                     76298a1ef089        10 days ago         42.9MB

goharbor/harbor-db            v1.8.0                     d1e0b3df3e95        10 days ago         140MB

goharbor/prepare              v1.8.0                     769ca785dab0        10 days ago         139MB

 

比如推送其中的goharbor/redis-photon:v1.8.0镜像到Harbor仓库的"kevin_bo"项目里

[[email protected] ~]# docker tag goharbor/redis-photon:v1.8.0 172.16.60.213/kevin_bo/redis-photon:v1.0

[[email protected] ~]# docker push 172.16.60.213/kevin_bo/redis-photon:v1.0

The push refers to repository [172.16.60.213/kevin_bo/redis-photon]

8864c4b9ac3d: Pushed

420b26399278: Pushed

4433bcd802e7: Pushed

268091c30a67: Pushed

23d9f72a5270: Pushed

v1.0: digest: sha256:1e2ce8e6a852713d789c6315642d1483d1efdb4acee4699817810bef219ec93d size: 1366

 

查看本机的images,发现多了一个上面制作的镜像,就是原来goharbor/redis-photon:v1.8.0的tag,可以选择删除

[[email protected] ~]# docker rmi 172.16.60.213/kevin_bo/redis-photon:v1.0

Untagged: 172.16.60.213/kevin_bo/redis-photon:v1.0

Untagged: 172.16.60.213/kevin_bo/redis-photon@sha256:1e2ce8e6a852713d789c6315642d1483d1efdb4acee4699817810bef219ec93d

 

[[email protected] ~]# docker images

REPOSITORY                    TAG                        IMAGE ID            CREATED             SIZE

goharbor/redis-photon         v1.8.0                     66d7402d2770        10 days ago         103MB

goharbor/harbor-registryctl   v1.8.0                     0ca3e2b624f5        10 days ago         96.2MB

goharbor/registry-photon      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24        10 days ago         81.3MB

goharbor/nginx-photon         v1.8.0                     4a4b48b32ae4        10 days ago         36MB

goharbor/harbor-log           v1.8.0                     e718bdc405a3        10 days ago         81.5MB

goharbor/harbor-jobservice    v1.8.0                     d47940dd883f        10 days ago         118MB

goharbor/harbor-core          v1.8.0                     b07a1a4be17f        10 days ago         135MB

goharbor/harbor-portal        v1.8.0                     76298a1ef089        10 days ago         42.9MB

goharbor/harbor-db            v1.8.0                     d1e0b3df3e95        10 days ago         140MB

goharbor/prepare              v1.8.0                     769ca785dab0        10 days ago         139MB

 

同理,推送其他镜像是同样的操作,比如再推送goharbor/harbor-core:v1.8.0到harbor仓库的"kevin_bo"项目里

[[email protected] ~]# docker tag goharbor/harbor-core:v1.8.0 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0

[[email protected] ~]# docker push 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0

The push refers to repository [172.16.60.213/kevin_bo/goharbor/harbor-core]

5385ffb8451e: Pushed

36e1cb2d6ffa: Pushed

452d238b3e48: Pushed

af3a6f89469a: Pushed

05bc5efb1724: Pushed

23d9f72a5270: Mounted from kevin_bo/redis-photon

v1.0: digest: sha256:7899f284617bb051180adf6c3aedd140a519d9092b8986dd9058d4dcec0d31de size: 1580

 

[[email protected] ~]# docker images

REPOSITORY                                    TAG                        IMAGE ID            CREATED             SIZE

goharbor/redis-photon                         v1.8.0                     66d7402d2770        10 days ago         103MB

goharbor/harbor-registryctl                   v1.8.0                     0ca3e2b624f5        10 days ago         96.2MB

goharbor/registry-photon                      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24        10 days ago         81.3MB

goharbor/nginx-photon                         v1.8.0                     4a4b48b32ae4        10 days ago         36MB

goharbor/harbor-log                           v1.8.0                     e718bdc405a3        10 days ago         81.5MB

goharbor/harbor-jobservice                    v1.8.0                     d47940dd883f        10 days ago         118MB

goharbor/harbor-core                          v1.8.0                     b07a1a4be17f        10 days ago         135MB

172.16.60.213/kevin_bo/goharbor/harbor-core   v1.0                       b07a1a4be17f        10 days ago         135MB

goharbor/harbor-portal                        v1.8.0                     76298a1ef089        10 days ago         42.9MB

goharbor/harbor-db                            v1.8.0                     d1e0b3df3e95        10 days ago         140MB

goharbor/prepare                              v1.8.0                     769ca785dab0        10 days ago         139MB

[[email protected] ~]# docker rmi 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0

Untagged: 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0

Untagged: 172.16.60.213/kevin_bo/goharbor/harbor-core@sha256:7899f284617bb051180adf6c3aedd140a519d9092b8986dd9058d4dcec0d31de

 

[[email protected] ~]# docker images

REPOSITORY                    TAG                        IMAGE ID            CREATED             SIZE

goharbor/redis-photon         v1.8.0                     66d7402d2770        10 days ago         103MB

goharbor/harbor-registryctl   v1.8.0                     0ca3e2b624f5        10 days ago         96.2MB

goharbor/registry-photon      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24        10 days ago         81.3MB

goharbor/nginx-photon         v1.8.0                     4a4b48b32ae4        10 days ago         36MB

goharbor/harbor-log           v1.8.0                     e718bdc405a3        10 days ago         81.5MB

goharbor/harbor-jobservice    v1.8.0                     d47940dd883f        10 days ago         118MB

goharbor/harbor-core          v1.8.0                     b07a1a4be17f        10 days ago         135MB

goharbor/harbor-portal        v1.8.0                     76298a1ef089        10 days ago         42.9MB

goharbor/harbor-db            v1.8.0                     d1e0b3df3e95        10 days ago         140MB

goharbor/prepare              v1.8.0                     769ca785dab0        10 days ago         139MB

然后登录到Harbor web 界面里,就可以看到"kevin_bo"项目里就有了上面推送的两个镜像了,点击到对应的镜像了,还可以对镜像进行打标签,复制镜像等操作:

Docker私有仓库Harbor介绍和部署记录

Docker私有仓库Harbor介绍和部署记录

比如将"kevin_bo"项目里上面的kevin_bo/goharbor/harbor-core镜像复制到"library"项目里

Docker私有仓库Harbor介绍和部署记录

然后到"library"项目里就能看到上面从"kevin_bo"项目里复制过来的镜像了

Docker私有仓库Harbor介绍和部署记录

注意: harbor私仓的相关容器映射到主机的volumes数据卷的空间要有保证,最好是单独的分区空间
上面测试harbor容器通过volumes映射到主机的目录是/data, 可以到这里查看harbor推送的镜像:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

[[email protected] repositories]# pwd

/data/registry/docker/registry/v2/repositories

 

可以查看两个"项目"

[[email protected] repositories]# ll

total 0

drwxr-xr-x 4 10000 10000 42 May 27 14:01 kevin_bo

drwxr-xr-x 3 10000 10000 27 May 27 14:08 library

 

[[email protected] repositories]# ll kevin_bo/

total 0

drwxr-xr-x 3 10000 10000 25 May 27 14:01 goharbor

drwxr-xr-x 5 10000 10000 55 May 27 13:58 redis-photon

 

[[email protected] repositories]# ll library/

total 0

drwxr-xr-x 3 10000 10000 21 May 27 14:08 172.16.60.213

 

[[email protected] repositories]# ll library/172.16.60.213/

total 0

drwxr-xr-x 3 10000 10000 25 May 27 14:08 library

========测试下在harbor客户端下载harbor仓库里的镜像=======

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

[[email protected] ~]# docker login 172.16.60.213

Username: admin

Password:

Login Succeeded

 

[[email protected] ~]# docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

 

从harbor仓库拉取镜像

[[email protected] ~]# docker pull 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0

Trying to pull repository 172.16.60.213/kevin_bo/goharbor/harbor-core ...

v1.0: Pulling from 172.16.60.213/kevin_bo/goharbor/harbor-core

4e360eca2e60: Pull complete

c066267eb2b9: Pull complete

932afda2a169: Pull complete

7ed16fb7e79a: Pull complete

d09137d80617: Pull complete

588769341947: Pull complete

Digest: sha256:7899f284617bb051180adf6c3aedd140a519d9092b8986dd9058d4dcec0d31de

 

Status: Downloaded newer image for 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0

[[email protected] ~]# docker pull 172.16.60.213/kevin_bo/redis-photon:v1.0

Trying to pull repository 172.16.60.213/kevin_bo/redis-photon ...

v1.0: Pulling from 172.16.60.213/kevin_bo/redis-photon

4e360eca2e60: Already exists

b08cc3be5c43: Pull complete

a750a309c85d: Pull complete

49b2d8335a1a: Pull complete

31e8f89dc042: Pull complete

Digest: sha256:1e2ce8e6a852713d789c6315642d1483d1efdb4acee4699817810bef219ec93d

Status: Downloaded newer image for 172.16.60.213/kevin_bo/redis-photon:v1.0

 

[[email protected] ~]# docker images

REPOSITORY                                    TAG                 IMAGE ID            CREATED             SIZE

172.16.60.213/kevin_bo/redis-photon           v1.0                66d7402d2770        10 days ago         103 MB

172.16.60.213/kevin_bo/goharbor/harbor-core   v1.0                b07a1a4be17f        10 days ago         135 MB

可以在登录Harbor web界面之后,修改相关用户的密码。在不同用户账号下创建项目,以及推送和拉取harbor镜像操作

3.6.3)Harbor的https证书启用
通过上面可知,harbor默认安装后采用的是http方式,后面使用的时候可能会发现很多不方面。因为Docker客户端登录harbor进行镜像推送或拉取时默认是https方式!所以http方式下,需要在每一台harbor客户端机器上都要设置"insecure-registries", 感觉很麻烦!所以最好还是将harbor默认的http方式改为https方式!另外,从安全角度考虑,容器的仓库在生产环境中往往也是需要被设定为https的方式,而harbor将这些证书的创建和设定都进行了简单的集成,下面来看一下在harbor下如何使用https的方式。配置记录如下:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

在创建证书之前,为了方面验证,需要将前面在客户端机器上/etc/docker/daemon.json文件里添加"insecure-registries"配置删除

[[email protected] ~]# vim /etc/docker/daemon.json

{}

  

[[email protected] ~]# rm -rf /root/.docker

    

重启docker服务

[[email protected] ~]# systemctl restart docker

  

将harbor部署机自身的/etc/docker/daemon.json文件里添加"insecure-registries"配置也删除

[[email protected] ~]# vim /etc/docker/daemon.json

{

  "registry-mirrors": ["https://v5d7kh0f.mirror.aliyuncs.com"]

}

  

[[email protected] ~]# rm -rf /root/.docker

  

然后重启docker和docker-compose

[[email protected] ~]# systemctl restart docker

[[email protected] ~]# docker-compose down -t

[[email protected] ~]# docker-compose up -d

  

1)创建CA

[[email protected] harbor]# pwd

/root/harbor

[[email protected] harbor]# mkdir ssl

[[email protected] harbor]# cd ssl/

[[email protected] ssl]# pwd

/root/harbor/ssl

  

[[email protected] ssl]# openssl req  -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

Generating a 4096 bit RSA private key

......................................++

...................................................................................................................................................................................................................................................................++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:DevOps               

Organizational Unit Name (eg, section) []:Tec

Common Name (eg, your name or your server's hostname) []:172.16.60.213

Email Address []:[email protected]

  

2) 创建证书请求文件csr

[[email protected] ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 172.16.60.213.key  -out 172.16.60.213.csr

Generating a 4096 bit RSA private key

.++

..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++

writing new private key to '172.16.60.213.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:DevOps

Organizational Unit Name (eg, section) []:Tec

Common Name (eg, your name or your server's hostname) []:172.16.60.213

Email Address []:[email protected]

  

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:DevOps

  

3) 创建证书

[[email protected] ssl]# echo subjectAltName = IP:172.16.60.213 > extfile.cnf

[[email protected] ssl]# openssl x509 -req -days 365 -in 172.16.60.213.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 172.16.60.213.crt

Signature ok

subject=/C=CN/ST=beijing/L=beijing/O=DevOps/OU=Tec/CN=172.16.60.213/emailAddress[email protected]

Getting CA Private Key

  

4) 设定证书 & 修改

查看证书所在路径, 后面将harbor.yaml文件中的路径也同样设定

[[email protected] ssl]# pwd

/root/harbor/ssl

[[email protected] ssl]# ll

total 28

-rw-r--r-- 1 root root 2033 May 28 01:16 172.16.60.213.crt

-rw-r--r-- 1 root root 1809 May 28 01:15 172.16.60.213.csr

-rw-r--r-- 1 root root 3272 May 28 01:15 172.16.60.213.key

-rw-r--r-- 1 root root 2114 May 28 01:13 ca.crt

-rw-r--r-- 1 root root 3268 May 28 01:13 ca.key

-rw-r--r-- 1 root root   17 May 28 01:16 ca.srl

-rw-r--r-- 1 root root   34 May 28 01:16 extfile.cnf

  

5) 修改harbor.yaml文件

先关闭docker-compose

[[email protected] harbor]# pwd

/root/harbor

[[email protected] harbor]# docker-compose down -v

Stopping nginx             ... done

Stopping harbor-jobservice ... done

Stopping harbor-portal     ... done

Stopping harbor-core       ... done

Stopping harbor-db         ... done

Stopping registryctl       ... done

Stopping redis             ... done

Stopping registry          ... done

Stopping harbor-log        ... done

Removing nginx             ... done

Removing harbor-jobservice ... done

Removing harbor-portal     ... done

Removing harbor-core       ... done

Removing harbor-db         ... done

Removing registryctl       ... done

Removing redis             ... done

Removing registry          ... done

Removing harbor-log        ... done

Removing network harbor_harbor

  

[[email protected] harbor]# docker-compose ps

Name   Command   State   Ports

------------------------------

  

[[email protected] harbor]# vim harbor.yml

.................

.................

  

# http related config

#http:

  # port for http, default is 80. If https enabled, this port will redirect to https port

  #port: 80

  

# https related config

https:

#   # https port for harbor, default is 443

    port: 443

#   # The path of cert and key files for nginx

    certificate: /root/harbor/ssl/172.16.60.213.crt

    private_key: /root/harbor/ssl/172.16.60.213.key

.................

.................

  

================================================================================================================

特别注意:

上面harbor.yaml文件中修改的配置格式一定要正确!"https"要顶格写,"port:443" 和 "certificate""private_key"保持缩进一致!

否则在下面执行"./prepare"更新命令时,会报错:

[[email protected] harbor]# ./prepare

..........

  File "/usr/lib/python3.6/site-packages/yaml/composer.py", line 84, in compose_node

    node = self.compose_mapping_node(anchor)

  File "/usr/lib/python3.6/site-packages/yaml/composer.py", line 127, in compose_mapping_node

    while not self.check_event(MappingEndEvent):

  File "/usr/lib/python3.6/site-packages/yaml/parser.py", line 98, in check_event

    self.current_event = self.state()

  File "/usr/lib/python3.6/site-packages/yaml/parser.py", line 439, in parse_block_mapping_key

    "expected <block end>, but found %r" % token.id, token.start_mark)

yaml.parser.ParserError: while parsing a block mapping

  in "/input/harbor.yml", line 15, column 4

expected <block end>, but found '<block mapping start>'

  in "/input/harbor.yml", line 17, column 5

   

上面的报错,就是由于harbor.yaml文件配置格式不正确导致的!!!!

================================================================================================================

  

接着执行prepare脚本,将harbor修改的配置更新到 docker-compose.yml 文件

[[email protected] harbor]# ./prepare

prepare base dir is set to /root/harbor

Clearing the configuration file/config/log/logrotate.conf

Clearing the configuration file/config/nginx/nginx.conf

Clearing the configuration file/config/core/env

Clearing the configuration file/config/core/app.conf

Clearing the configuration file/config/registry/config.yml

Clearing the configuration file/config/registry/root.crt

Clearing the configuration file/config/registryctl/env

Clearing the configuration file/config/registryctl/config.yml

Clearing the configuration file/config/db/env

Clearing the configuration file/config/jobservice/env

Clearing the configuration file/config/jobservice/config.yml

Generated configuration file/config/log/logrotate.conf

Generated configuration file/config/nginx/nginx.conf

Generated configuration file/config/core/env

Generated configuration file/config/core/app.conf

Generated configuration file/config/registry/config.yml

Generated configuration file/config/registryctl/env

Generated configuration file/config/db/env

Generated configuration file/config/jobservice/env

Generated configuration file/config/jobservice/config.yml

loaded secret from file/secret/keys/secretkey

Generated configuration file/compose_location/docker-compose.yml

Clean up the input dir

  

查看一下docker-compose.yml文件,发现已经将新配置的443端口的https信息更新到docker-compose.yml文件里了

如下80端口和443端口都配置了,所以harbor访问时是http强转到https的

[[email protected] harbor]# cat docker-compose.yml |grep 443 -C3

    dns_search: .

    ports:

      - 80:80

      - 443:443

    depends_on:

      - postgresql

      - registry

  

重启docker-compose

[[email protected] harbor]# docker-compose up -d

Creating network "harbor_harbor" with the default driver

Creating harbor-log ... done

Creating registry    ... done

Creating harbor-db   ... done

Creating registryctl ... done

Creating redis       ... done

Creating harbor-core ... done

Creating harbor-jobservice ... done

Creating harbor-portal     ... done

Creating nginx             ... done

  

[[email protected] harbor]# docker-compose ps

      Name                     Command                  State                        Ports                

------------------------------------------------------------------------------------------------------------

harbor-core         /harbor/start.sh                 Up (healthy)                                         

harbor-db           /entrypoint.sh postgres          Up (healthy)   5432/tcp                              

harbor-jobservice   /harbor/start.sh                 Up                                                   

harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp             

harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp                                

nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp

redis               docker-entrypoint.sh redis ...   Up             6379/tcp                              

registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp                              

registryctl         /harbor/start.sh                 Up (healthy)

  

在harbor部署机本机确认login登陆 (使用80端口或443端口都可以,自动跳转的)

[[email protected] harbor]# docker login -u admin -p [email protected] 172.16.60.213

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Error response from daemon: Get https://172.16.60.213/v2/: x509: certificate signed by unknown authority

  

[[email protected] harbor]# docker login -u admin -p [email protected] 172.16.60.213:443

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Error response from daemon: Get https://172.16.60.213:443/v2/: x509: certificate signed by unknown authority

  

以上出现报错,解决办法:

此种情况多发生在自签名的证书,报错含义是签发证书机构未经认证,无法识别。

 

解决办法:

[[email protected] harbor]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[[email protected] harbor]# cat /root/harbor/ssl/172.16.60.213.crt >> /etc/pki/tls/certs/ca-bundle.crt

[[email protected] harbor]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

 

由于证书是docker的daemon需要用到的,所以需要重启docker服务,进而也要重启docker-compose

[[email protected] harbor]# systemctl restart docker

[[email protected] harbor]# docker-compose down -v

[[email protected] harbor]# docker-compose up -d

 

然后再次尝试在harbor本机登陆, 发现就可以正常登陆了!!

[[email protected] harbor]# docker login -u admin -p [email protected] 172.16.60.213

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

 

Login Succeeded

 

登陆的权限信息保存到/root/.docker/config.json 文件里了,只要这个文件不删除,下次就可以不需要输入用户名和密码直接登陆了!

[[email protected] harbor]# cat /root/.docker/config.json

{

        "auths": {

                "172.16.60.213": {

                        "auth""YWRtaW46a2V2aW5AQk9CTzEyMw=="

                }

        },

        "HttpHeaders": {

                "User-Agent""Docker-Client/18.09.6 (linux)"

        }

}

 

[[email protected] harbor]# docker login 172.16.60.213

Authenticating with existing credentials...

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

 

Login Succeeded

 

上面是使用80端口登陆的,后面加上443端口也是可以登陆的

[[email protected] harbor]# docker login 172.16.60.213:443

Username: admin

Password:

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

 

Login Succeeded

 

[[email protected] harbor]# docker login 172.16.60.213:443

Authenticating with existing credentials...

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

 

Login Succeeded

 

[[email protected] ssl]# docker login -u admin -p [email protected] 172.16.60.213:443

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

 

Login Succeeded

 

==========================================================================================

上面是在harbor本机尝试的登陆,现在在远程客户机上(这里客户机为172.16.60.214)测试harbor登陆:

 

首先很重要的一步,这一步极其关键!一定不要忘记操作!!

就是需要将harbor服务端生成的CA证书拷贝到每个远程客户机的"/etc/docker/certs.d/harbor服务器的域名或ip/" 目录下

[[email protected] ~]# mkdir /etc/docker/certs.d/172.16.60.213/

 

接着在harbor服务器将CA证书拷贝过来

[[email protected] ssl]# rsync -e "ssh -p22" -avpgolr ./* [email protected]:/etc/docker/certs.d/172.16.60.213/

 

然后在客户机上查看是否拷贝过来了harbor服务端的CA证书

[[email protected] 172.16.60.213]# pwd

/etc/docker/certs.d/172.16.60.213

[[email protected] 172.16.60.213]# ls

172.16.60.213.crt  172.16.60.213.csr  172.16.60.213.key  ca.crt  ca.key  ca.srl  extfile.cnf

 

进行同样的授权操作,

[[email protected] 172.16.60.213]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[[email protected] 172.16.60.213]# cat /etc/docker/certs.d/172.16.60.213/172.16.60.213.crt >> /etc/pki/tls/certs/ca-bundle.crt

[[email protected] 172.16.60.213]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

 

重启docker服务

[[email protected] 172.16.60.213]# systemctl restart docker

 

最后进行harbor登陆,就可以正常登陆了!

[[email protected] 172.16.60.213]# docker login -u admin -p [email protected] 172.16.60.213:443

Login Succeeded

 

[[email protected] 172.16.60.213]# cat /root/.docker/config.json                          

{

        "auths": {

                "172.16.60.213:443": {

                        "auth""YWRtaW46a2V2aW5AQk9CTzEyMw=="

                }

        }

}

 

上面是使用443端口登陆harbor仓库是正常的,如果此时使用80端口登陆,则出现如下报错:

[[email protected] 172.16.60.213]# docker login -u admin -p [email protected] 172.16.60.213

Error response from daemon: Missing client certificate 172.16.60.213.cert for key 172.16.60.213.key

 

所以在客户端就使用443端口来登陆harbor仓库了!

Docker私有仓库Harbor介绍和部署记录

3.6.4) Harbor私仓的高可用
通过三个harbor完成高可用部署,前面通过负载均衡器对外提供服务。共享数据库与缓存。结构如下 :

Docker私有仓库Harbor介绍和部署记录

还有一种比较简单的方法:部署2台harbor服务器,配置部署一样,实现原理:

Docker私有仓库Harbor介绍和部署记录

创建docker harbor主主复制
就是在两个harbor私仓的web界面里创建相互之间的镜像同步关系,同步关系可以选择相同用户或不同用户之间。这样就可以保证harbor私仓的双机热备关系了。即:
1) "系统管理"->"仓库管理"->"新建目标", 填写对端harbor信息
2) "系统管理"->"同步管理"->"新建规则", 规则里会引用目的Registry,也就是上面一步创建的目标。同步模式有Push-based,Pull-based;触发模式有自动和定时。

相关推荐