11. Deploy a Harbor private registry

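This document describes the steps for deploying a harbor private registry with docker-compose. You can also deploy a private registry with Docker's official registry image (see "Deploy Docker Registry").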

Variables used

The variables used in this document are defined as follows:

$ export NODE_IP=10.64.3.7 # IP of the node on which harbor is being deployed
$

Download files

Download the latest docker-compose binary from the docker compose releases page:

$ wget https://github.com/docker/compose/releases/download/1.21.2/docker-compose-Linux-x86_64
$ mv ~/docker-compose-Linux-x86_64 /opt/k8s/bin/docker-compose
$ chmod a+x  /opt/k8s/bin/docker-compose
$ export PATH=/opt/k8s/bin:$PATH
$

Download the latest harbor offline installer package from the harbor releases page:

$ wget  --continue https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-offline-installer-v1.5.1.tgz
$ tar -xzvf harbor-offline-installer-v1.5.1.tgz
$

Import the docker images

Import the harbor-related docker images from the offline installer package:

$ cd harbor
$ docker load -i harbor.v1.5.1.tar.gz
$

Create the x509 certificate used by the harbor nginx server

Create the harbor certificate signing request:

$ cat > harbor-csr.json <<EOF
{
  "CN": "harbor",
  "hosts": [
    "127.0.0.1",
    "${NODE_IP}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}
EOF
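
  • The hosts field lists the addresses authorized to use this certificate, here the IP of the node being deployed; if harbor will later be accessed by domain name, the domain name must be added as well.

Generate the harbor certificate and private key: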

$ cfssl gencert -ca=/etc/kubernetes/cert/ca.pem   -ca-key=/etc/kubernetes/cert/ca-key.pem   -config=/etc/kubernetes/cert/ca-config.json   -profile=kubernetes harbor-csr.json | cfssljson -bare harbor

$ ls harbor*
harbor.csr  harbor-csr.json  harbor-key.pem harbor.pem

$ sudo mkdir -p /etc/harbor/ssl
$ sudo mv harbor*.pem /etc/harbor/ssl
$ rm harbor.csr  harbor-csr.json

Modify the harbor.cfg file

$ cp harbor.cfg{,.bak}
$ vim harbor.cfg
$ diff harbor.cfg{,.bak}
7c7
< hostname = 192.168.1.81
---
> hostname = reg.mydomain.com
11c11
< ui_url_protocol = https
---
> ui_url_protocol = http
23,24c23,24
< ssl_cert =  /etc/harbor/ssl/harbor.pem
< ssl_cert_key = /etc/harbor/ssl/harbor-key.pem
---
> ssl_cert = /data/cert/server.crt
> ssl_cert_key = /data/cert/server.key

$ cp prepare{,.bak}
$ vim prepare
$ diff prepare{,.bak}
453a454
>         print("%s %w", args, kw)
490c491
<     empty_subj = "/"
---
>     empty_subj = "/C=/ST=/L=/O=/CN=/"

  • The empty_subj parameter in the prepare script must be changed; otherwise the later install step exits with an error:

    Fail to generate key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt

Reference: https://github.com/vmware/harbor/issues/2920
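
An added example, not part of the original article or of Harbor itself: a shell check to run before ./install.sh that reads harbor.cfg and flags the values this page edits when they are still at their shipped settings. The function names cfg_get and audit_harbor_cfg are invented for this example; harbor_admin_password is the harbor.cfg key that holds the Harbor12345 default mentioned later on this page.

```sh
#!/bin/sh
# Added example: audit harbor.cfg before running ./install.sh.
# Keys are the ones edited on this page plus harbor_admin_password.

# cfg_get FILE KEY: print the value of "KEY = value", ignoring comment lines.
cfg_get() {
  awk -F= -v k="$2" '
    /^[ \t]*#/ { next }
    { key = $1; gsub(/[ \t]/, "", key) }
    key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
    END { print v }' "$1"
}

# audit_harbor_cfg FILE: print one WARN line per finding and return the
# number of findings (0 means nothing was flagged).
audit_harbor_cfg() {
  cfg=$1; n=0
  proto=$(cfg_get "$cfg" ui_url_protocol)
  host=$(cfg_get "$cfg" hostname)
  pass=$(cfg_get "$cfg" harbor_admin_password)
  if [ "$proto" != https ]; then
    echo "WARN ui_url_protocol=$proto: logins and image pulls are not encrypted"
    n=$((n + 1))
  fi
  if [ "$pass" = Harbor12345 ]; then
    echo "WARN harbor_admin_password is still the shipped default"
    n=$((n + 1))
  fi
  case "$host" in
    ""|reg.mydomain.com|localhost|127.0.0.1)
      echo "WARN hostname='$host' is unset, a placeholder, or loopback"
      n=$((n + 1)) ;;
  esac
  if [ "$proto" = https ]; then
    # With https, nginx needs both files named in harbor.cfg.
    for k in ssl_cert ssl_cert_key; do
      f=$(cfg_get "$cfg" "$k")
      if [ ! -r "$f" ]; then
        echo "WARN $k=$f is missing or unreadable"
        n=$((n + 1))
      fi
    done
  fi
  return "$n"
}

# Run against ./harbor.cfg when invoked from the unpacked harbor directory.
if [ -f harbor.cfg ]; then audit_harbor_cfg harbor.cfg || true; fi
```

harbor_admin_password only takes effect the first time Harbor starts; after that the admin password has to be changed in the UI.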

Load and start the harbor images

$ sudo mkdir /data
$ sudo chmod 777 /var/run/docker.sock /data
$ sudo apt-get install python
$ ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 18.03.0

Note: docker-compose version: 1.21.2

[Step 1]: loading Harbor images ...
Loaded image: vmware/clair-photon:v2.0.1-v1.5.1
Loaded image: vmware/postgresql-photon:v1.5.1
Loaded image: vmware/harbor-adminserver:v1.5.1
Loaded image: vmware/registry-photon:v2.6.2-v1.5.1
Loaded image: vmware/photon:1.0
Loaded image: vmware/harbor-migrator:v1.5.1
Loaded image: vmware/harbor-ui:v1.5.1
Loaded image: vmware/redis-photon:v1.5.1
Loaded image: vmware/nginx-photon:v1.5.1
Loaded image: vmware/mariadb-photon:v1.5.1
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.1
Loaded image: vmware/harbor-log:v1.5.1
Loaded image: vmware/harbor-db:v1.5.1
Loaded image: vmware/harbor-jobservice:v1.5.1
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.1

[Step 2]: preparing environment ...
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

[Step 3]: checking existing instance of Harbor ...

[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis              ... done
Creating harbor-adminserver ... done
Creating harbor-db          ... done
Creating registry           ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://192.168.1.81.
For more details, please visit https://github.com/vmware/harbor .

Access the admin interface

Confirm that all components are working properly:

$ docker-compose  ps
       Name                     Command                  State                                    Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /usr/local/bin/docker-entr ...   Up (healthy)   3306/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh serve /etc/ ...   Up (healthy)   5000/tcp

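Browse to https://${NODE_IP}; in this example that is https://192.168.1.81

Because harbor is running in the VirtualBox VM kube-node2, port forwarding is needed. The Vagrant file already sets the host port to 4443; you can also add the port forwarding directly in the VirtualBox GUI.

Browse to https://127.0.0.1:443 and log in with the account admin and the default password Harbor12345 from the harbor.cfg configuration file.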

Files and directories created by harbor at runtime

harbor writes its logs to the relevant directories under /var/log/harbor; docker logs XXX or docker-compose logs XXX will not show the container logs.

$ # Log directory
$ ls /var/log/harbor
adminserver.log  jobservice.log  mysql.log  proxy.log  registry.log  ui.log
$ # Data directory, including the database and the image registry
$ ls /data/
ca_download  config  database  job_logs registry  secretkey

docker client login

Copy the CA certificate that signed the harbor certificate to the /etc/docker/certs.d/192.168.1.81 directory:

$ sudo mkdir -p /etc/docker/certs.d/192.168.1.81
$ sudo cp /etc/kubernetes/cert/ca.pem /etc/docker/certs.d/192.168.1.81/ca.crt
$

Log in to harbor

$ docker login 192.168.1.81
Username: admin
Password:

The credentials are saved automatically to the ~/.docker/config.json file.

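Other operations

All of the following operations are run from the harbor directory created by unpacking the offline installer.

$ # Stop harbor
$ docker-compose down -v
$ # Modify the configuration
$ vim harbor.cfg
$ # Apply the modified configuration to the docker-compose.yml file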
$ ./prepare
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/nginx/cert/admin.pem
Clearing the configuration file: ./common/config/nginx/cert/admin-key.pem
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/adminserver/env
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
$ sudo chmod -R 666 common ## Prevent container processes from lacking permission to read the generated configuration
$ # 启动 harbor
$ docker-compose up -d
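
The chmod 777 on /var/run/docker.sock earlier on this page lets any local user drive the Docker daemon, which is equivalent to root on the host, and chmod -R 666 common leaves the generated private keys world-writable. An added example, not from the original article, that reports which of the paths this page touches are world-writable and which key files are readable beyond their owner; audit_perms is a name invented for this example.

```sh
#!/bin/sh
# Added example: flag over-broad permissions on the paths this page chmods.

# audit_perms PATH...: print one line per finding; return 1 if any was found.
# Missing paths and symlinks are skipped. Not recursive: pass $(find common)
# to cover a tree (Harbor's generated paths contain no spaces).
audit_perms() {
  found=0
  for p in "$@"; do
    [ -e "$p" ] && [ ! -L "$p" ] || continue
    # First 10 chars of ls -ld: type, then rwx for owner, group, other.
    m=$(ls -ld "$p" | cut -c1-10)
    case "$m" in
      ????????w?) echo "WORLD-WRITABLE $m $p"; found=1 ;;
    esac
    # Key material readable by group or other is listed for review.
    case "${p##*/}" in
      *key*)
        case "$m" in
          d*) ;;
          ????r?????|???????r??) echo "KEY-READABLE $m $p"; found=1 ;;
        esac ;;
    esac
  done
  return "$found"
}

# Paths touched by the commands on this page; run from the harbor directory.
audit_perms /var/run/docker.sock /data /data/secretkey \
  /etc/harbor/ssl/harbor-key.pem common/config/ui/private_key.pem || true
```

A KEY-READABLE line is a prompt to check which container user actually needs the file, not proof of a fault; a WORLD-WRITABLE line on a key or on docker.sock should be tightened.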

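Author: 半兽人
Link: https://www.orchome.com/664
Source: OrcHome
Copyright belongs to the author. For commercial reproduction, contact the author for authorization; for non-commercial reproduction, credit the source.

Original article: https://www.cnblogs.com/linux20190409/p/10977018.html

Time: 2024-10-04 06:42:11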
