一、简介
Harbor是VMware中国研发团队开发并开源企业级Registry,对中文支持很友好。
Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器。
Harbor具有如下特点:
1.基于角色的访问控制 - 用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。
2.镜像复制 - 镜像可以在多个Registry实例中复制(同步)。尤其适合于负载均衡,高可用,混合云和多云的场景。
3.图形化用户界面 - 用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间。
4.AD/LDAP 支持 - Harbor可以集成企业内部已有的AD/LDAP,用于鉴权认证管理。
5.审计管理 - 所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。
6.国际化 - 已拥有英文、中文、德文、日文和俄文的本地化版本。更多的语言将会添加进来。
7.RESTful API - RESTful API 提供给管理员对于Harbor更多的操控, 使得与其它管理软件集成变得更容易。
8.部署简单 - 提供在线和离线两种安装工具, 也可以安装到vSphere平台(OVA方式)虚拟设备。
二、Harbor 获取地址
1.Harbor中文官网:https://vmware.github.io/harbor/cn/
2.Github地址:https://github.com/vmware/harbor
3.Harbor下载地址:https://github.com/vmware/harbor/releases
4.Harbor二进制离线包镜像站点:http://harbor.orientsoft.cn/
三、Harbor 安装前准备
1.安装 docker
# yum install -y yum-utils device-mapper-persistent-data lvm2 # yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo # yum -y install docker-ce # docker --version Docker version 17.06.2-ce, build cec0b72 # systemctl start docker # systemctl status docker # systemctl enable docker
2.安装 docker-compose
# yum -y install python-pip # pip install --upgrade pip # pip -V pip 9.0.1 from /usr/lib/python2.7/site-packages (python 2.7) # pip install docker-compose # docker-compose version docker-compose version 1.16.1, build 6d1ac219 docker-py version: 2.5.1 CPython version: 2.7.5 OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
四、安装 Habor
1.解压并载入镜像(注:制作本文档时harbor版本已更新至1.2.2,请自行下载)
# tar -zxvf harbor-offline-installer-v1.2.0.tgz # cd harbor # docker load -i harbor.v1.2.0.tar.gz # docker images REPOSITORY TAG IMAGE ID CREATED SIZE vmware/harbor-log v1.2.0 c7887347f435 7 weeks ago 200MB vmware/harbor-jobservice v1.2.0 1fb18427db11 7 weeks ago 164MB vmware/harbor-ui v1.2.0 b7069ac3bd4b 7 weeks ago 178MB vmware/harbor-adminserver v1.2.0 a18331f0c1ae 7 weeks ago 142MB vmware/harbor-db v1.2.0 deb8033b1c86 7 weeks ago 329MB vmware/registry 2.6.2-photon 5d9100e4350e 2 months ago 173MB vmware/postgresql 9.6.4-photon c562762cbd12 2 months ago 225MB vmware/clair v2.0.1-photon f04966b4af6c 3 months ago 297MB vmware/nginx-photon 1.11.13 285492ff20d6 4 months ago 147MB vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 6 months ago 324MB vmware/notary-photon signer-0.5.0 b1eda7d10640 7 months ago 156MB vmware/notary-photon server-0.5.0 6e2646682e3c 7 months ago 157MB photon 1.0 e6e4e4a2ba1b 16 months ago 127MB
2.配置 harbor
# sed -i "s/reg.mydomain.com/192.168.100.100/g" harbor.cfg # sed -i "s/sample_admin/admin/g" harbor.cfg ##该命令纯属为了好看,并没有使用相关配置 # grep ^[a-z] harbor.cfg ###能看则看 ### 指定 harbor 的主机名,可以是IP地址,也可以是域名(不能注释再指定) hostname = 192.168.100.100 ### 指定用户访问使用的协议,默认http ui_url_protocol = http ### 指定 mysql 数据库管理员密码 db_password = root123 ### 作业服务中的最大复制worker数(缺省值为3) max_job_workers = 3 ### 是否允许创建用于生成/验证注册表令牌的私钥和根证书(默认为on) customize_crt = on ### 设置证书文件路径 ssl_cert = /data/cert/server.crt ssl_cert_key = /data/cert/server.key secretkey_path = /data admiral_url = NA clair_db_password = password ### 邮件相关信息配置 email_identity = ### 配置邮件服务器地址 email_server = smtp.mydomain.com ### 配置邮件服务器端口 email_server_port = 25 ### 配置用户 email_username = [email protected] ### 配置密码 email_password = abc ### 配置发件人地址 email_from = admin <[email protected]> ### 配置是否进行ssl加密 email_ssl = false ### 指定 harbor 管理员密码 harbor_admin_password = Harbor12345 ### 使用的认证类型。默认为db_auth,即凭据存储在MySQL数据库中(Harbor还 支持本地及LDAP认证方式) auth_mode = db_auth ### LDAP端点URL,仅当auth_mode设置为ldap_auth时使用 ldap_url = ldaps://ldap.mydomain.com ### 查找用户的基本DN,仅当auth_mode设置为ldap_auth时使用 ldap_basedn = ou=people,dc=mydomain,dc=com ### 用于在LDAP搜索期间匹配用户的属性 ldap_uid = uid ### 用于搜索用户的范围 ldap_scope = 3 ## 设置LDAP超时时间 ldap_timeout = 5 ### 是否允许开放注册(默认允许) self_registration = on ### 令牌服务创建的令牌的过期时间(以分钟为单位,默认30分钟) token_expiration = 30 ### 用户创建项目的权限,默认是everyone(所有人),也可以设置为adminonly(只有管理员才能创建) project_creation_restriction = everyone ### 确定当 Harbor 与远程注册表实例通信时是否验证SSL / TLS证书 verify_remote_cert = on
注:harbor 的主机名 hostname 不能注释再指定,必须删除默认设置再指定主机名,不然会产生错误。
3.安装 harbor
# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 17.06.2 Note: docker-compose version: 1.16.1 [Step 1]: loading Harbor images ... Loaded image: vmware/registry:2.6.2-photon Loaded image: photon:1.0 Loaded image: vmware/notary-photon:signer-0.5.0 Loaded image: vmware/clair:v2.0.1-photon Loaded image: vmware/harbor-ui:v1.2.0 Loaded image: vmware/harbor-log:v1.2.0 Loaded image: vmware/harbor-db:v1.2.0 Loaded image: vmware/nginx-photon:1.11.13 Loaded image: vmware/postgresql:9.6.4-photon Loaded image: vmware/harbor-adminserver:v1.2.0 Loaded image: vmware/harbor-jobservice:v1.2.0 Loaded image: vmware/notary-photon:server-0.5.0 Loaded image: vmware/harbor-notary-db:mariadb-10.1.10 [Step 2]: preparing environment ... loaded secret from file: /data/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/ui/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/app.conf Generated configuration file: ./common/config/ui/app.conf Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt The configuration files are ready, please use docker-compose to start the service. [Step 3]: checking existing instance of Harbor ... [Step 4]: starting Harbor ... Creating network "harbor_harbor" with the default driver Creating harbor-log ... Creating harbor-log ... done Creating harbor-adminserver ... Creating registry ... Creating harbor-db ... Creating harbor-adminserver Creating registry Creating registry ... done Creating harbor-db ... done Creating harbor-ui ... done Creating harbor-jobservice ... Creating nginx ... Creating nginx Creating nginx ... done ----Harbor has been installed and started successfully.---- Now you should be able to visit the admin portal at http://192.168.100.100. For more details, please visit https://github.com/vmware/harbor .
4.查看容器状况
# docker-compose ps Name Command State Ports ------------------------------------------------------------------------------------------------------------------------------ harbor-adminserver /harbor/harbor_adminserver Up harbor-db docker-entrypoint.sh mysqld Up 3306/tcp harbor-jobservice /harbor/harbor_jobservice Up harbor-log /bin/sh -c crond && rm -f ... Up 127.0.0.1:1514->514/tcp harbor-ui /harbor/harbor_ui Up nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
Harbor共由七个容器组成:
a.harbor-adminserver:harbor系统管理服务
b.harbor-db: 由官方mysql镜像构成的数据库容器
c.harbor-jobservice:harbor的任务管理服务
d.harbor-log:harbor的日志收集、管理服务
e.harbor-ui:harbor的web页面服务
f.nginx:负责流量转发和安全验证
g.registry:官方的Docker registry,负责保存镜像
5.应用 harbor
浏览器输入 http://harborip 登陆 harbor 镜像仓库页面(帐号admin,密码为harbor.cfg默认密码Harbor12345)
进入harbor后界面如下
新建项目(注:默认项目是私有的,公开请打勾)
新建完成之后就可以上传镜像到 harbor 镜像仓库了。
a.更改 docker 配置
# grep "ExecStart" /usr/lib/systemd/system/docker.service ExecStart=/usr/bin/dockerd --insecure-registry=192.168.100.100 # systemctl daemon-reload # systemctl restart docker
注:docker默认使用https传输镜像,这里使用的是http,所以需要指定,无论上传还是下载都需要指定
b.登陆 harbor(注:第一种方便,第二种安全,实际中请使用第二种)
# docker login -u admin -p Harbor12345 192.168.100.100 Login Succeeded
# docker login 192.168.100.100 Username: admin Password: Login Succeeded
c.给镜像打 tag 并上传至 harbor
# docker tag 99e59f495ffa 192.168.100.100/k8s/pause-amd64:3.0 # docker push 192.168.100.100/k8s/pause-amd64:3.0 The push refers to a repository [192.168.100.100/k8s/pause-amd64] 5f70bf18a086: Pushed 41ff149e94f2: Pushed 3.0: digest: sha256:f04288efc7e65a84be74d4fc63e235ac3c6c603cf832e442e0bd3f240b10a91b size: 939
d.查看上传情况
e.下载镜像(pull命令如下图)
附:
1.停止harbor
# cd harbor # docker-compose stop
2.启动harbor
# cd harbor # docker-compose start
3.官方安装文档
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
4.https官方配置指南
https://github.com/vmware/harbor/blob/master/docs/configure_https.md