harbor私有仓库创建详细步骤
一,关于harbor与docker
Docker容器应用的开发和运行离不开可靠的镜像管理,虽然Docker官方也提供了公共的镜像仓库,但是从安全和效率等方面考虑,部署我们私有环境内的Registry也是非常必要的。Harbor是由VMware公司开源的企业级的Docker Registry管理项目,它包括权限管理(RBAC)、LDAP、日志审核、管理界面、自我注册、镜像复制和中文支持等功能。
【1】docker-harbor的优势
- 基于角色控制
- 基于镜像的复制策略
- 支持LDAP/AD
- 图像删除和垃圾收集
- 图形UI
- 审计
- RESTful API
【2】相关参数的解释
- proxy:通过一个前置的反向代理统一接收浏览器、docker客户端的请求,并将请求转发给后端不同的服务
- registry:负责存储docker镜像,并处理docker push/pull命令
- core services:harbor的核心功能,包括UI、webhook、token服务
- database:为core services提供数据库服务
- log collector:负责收集其他组件的log,供日后进行分析
【3】docker-harbor管理器核心组件结构
【4】Harbor和Registry的区别
Harbor和Registry都是Docker的镜像仓库,但是Harbor作为更多企业的选择,是因为相比较于Regisrty来说,它具有很多的优势。
- 1.提供分层传输机制,优化网络传输 Docker镜像是是分层的,而如果每次传输都使用全量文件(所以用FTP的方式并不适合),显然不经济。必须提供识别分层传输的机制,以层的UUID为标识,确定传输的对象。
- 2.提供WEB界面,优化用户体验 只用镜像的名字来进行上传下载显然很不方便,需要有一个用户界面可以支持登陆、搜索功能,包括区分公有、私有镜像。
- 3.支持水平扩展集群 当有用户对镜像的上传下载操作集中在某服务器,需要对相应的访问压力作分解。
- 4.良好的安全机制 企业中的开发团队有很多不同的职位,对于不同的职位人员,分配不同的权限,具有更好的安全性。
- 5.Harbor提供了基于角色的访问控制机制,并通过项目来对镜像进行组织和访问权限的控制。kubernetes中通过namespace来对资源进行隔离,在企业级应用场景中,通过将两者进行结合可以有效将kubernetes使用的镜像资源进行管理和访问控制,增强镜像使用的安全性。尤其是在多租户场景下,可以通过租户、namespace和项目相结合的方式来实现对多租户镜像资源的管理和访问控制。
二,harbor私有仓库案例搭建
项目需求搭建环境要求
(1)服务端:20.0.0.30 docker、docker-compose、harbor-offline
(2)客户端:20.0.0.40 docker
【1】 首先准备docker环境
详细搭建步骤参考下面博客:https://blog.csdn.net/Lihuihui006/article/details/110141520
【2】 安装docker-compose
安装之前下载docker-compose到/root下
[root@server3 ~]# cp -p docker-compose /usr/local/bin/
[root@server3 ~]# chmod +x /usr/local/bin/docker-compose
【3】安装Harbor
1,上传Harbor到/root目录下并解压缩
或者可以在官网上下载
[root@server3 bin]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local
2,配置Harbor参数文件
[root@server3 ~]# vim /usr/local/harbor/harbor.cfg
hostname = 20.0.0.30 #第五行,修改hostname
3,启动 Harbor
[root@server3 harbor]# cd /usr/local/harbor/
[root@server3 harbor]# ./install.sh
4,查看 Harbor 启动镜像和容器
[root@server3 harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-log v1.2.2 36ef78ae27df 3 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 3 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 3 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 3 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 3 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 3 years ago 144MB
vmware/registry 2.6.2-photon 5d9100e4350e 3 years ago 173MB
vmware/postgresql 9.6.4-photon c562762cbd12 3 years ago 225MB
vmware/clair v2.0.1-photon f04966b4af6c 3 years ago 297MB
vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 3 years ago 324MB
vmware/notary-photon signer-0.5.0 b1eda7d10640 3 years ago 156MB
vmware/notary-photon server-0.5.0 6e2646682e3c 3 years ago 157MB
photon 1.0 e6e4e4a2ba1b 4 years ago 128MB
[root@server3 harbor]#
[root@server3 harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
51415bf9b11b vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" 2 minutes ago Up 2 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
6b890e802db8 vmware/harbor-jobservice:v1.2.2 "/harbor/harbor_jobs…" 2 minutes ago Up 2 minutes harbor-jobservice
f05a8c7ade82 vmware/harbor-ui:v1.2.2 "/harbor/harbor_ui" 2 minutes ago Up 2 minutes harbor-ui
bb3825960d1d vmware/harbor-db:v1.2.2 "docker-entrypoint.s…" 3 minutes ago Up 2 minutes 3306/tcp harbor-db
cf11556fc87c vmware/registry:2.6.2-photon "/entrypoint.sh serv…" 3 minutes ago Up 2 minutes 5000/tcp registry
858b7a915740 vmware/harbor-adminserver:v1.2.2 "/harbor/harbor_admi…" 3 minutes ago Up 2 minutes harbor-adminserver
aaf90e5ca393 vmware/harbor-log:v1.2.2 "/bin/sh -c 'crond &…" 3 minutes ago Up 3 minutes 127.0.0.1:1514->514/tcp harbor-log
[root@server3 harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/harbor_adminserver Up
harbor-db docker-entrypoint.sh mysqld Up 3306/tcp
harbor-jobservice /harbor/harbor_jobservice Up
harbor-log /bin/sh -c crond && rm -f ... Up 127.0.0.1:1514->514/tcp
harbor-ui /harbor/harbor_ui Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
[root@server3 harbor]#
5,登录20.0.0.30查看harbor仓库
-
默认用户名;admin
-
密码:Harbor12345
-
登录之后添加项目
项目添加可设置为私密或者公开,原理如同朋友圈
6,推送镜像(本地)
此时可使用 Docker 命令在本地通过 127.0.0.1 来登录和推送镜像。默认情况下,Register 服务器在端口 80 上侦听。
[root@server3 harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server3 harbor]# docker pull tomcat //下载镜像测试
[root@server3 harbor]# docker tag tomcat:latest 127.0.0.1/lihuihui/tomcat:v1 //镜像打标签
[root@server3 harbor]# docker push 127.0.0.1/lihuihui/tomcat:v1 //上传镜像到harbor
The push refers to repository [127.0.0.1/lihuihui/tomcat]
3be17d77a93a: Preparing
a84354b89db3: Preparing
438ec47051c4: Preparing
94982bbe98d5: Preparing
39341dafb261: Preparing
4b9227ba273c: Waiting
712264374d24: Waiting
475b4eb79695: Waiting
f3be340a54b9: Waiting
114ca5b7280f: Waiting
denied: requested access to the resource is denied
- 查看
以上操作都是在 Harbor 服务器本地操作。如果其他客户端上传镜像到 Harbor,就会报如下错误。出现这问题的原因 Docker Registry 交互默认使用的是 HTTPS,但是搭建私有镜像默认使用的是 HTTP 服务,所以与私有镜像交互时出现以下错误,如在另外一台客户机上登录错误如下
[root@tomcat2 ~]# docker login -u admin -p Harbor12345 http://20.0.0.30
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://20.0.0.30/v2/: dial tcp 20.0.0.30:443: connect: connection refused
[root@tomcat2 ~]#
解决办法:
在此客户上:
vim /usr/lib/systemd/system/docker.service
在14行
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 20.0.0.30 --containerd=/run/containerd/containerd.sock #中间添加--insecure-registry 20.0.0.30
#######完了之后重启守护进程与docker
systemctl daemon-reload
systemctl restart docker
[root@tomcat2 ~]# docker pull httpd
[root@tomcat2 ~]# docker tag httpd:latest 20.0.0.30/123/httpd:v1
[root@tomcat2 ~]# docker push 20.0.0.30/123/httpd
The push refers to repository [20.0.0.30/123/httpd]
c74375f55aa8: Pushed
211b9be55a20: Pushed
aa0b3e4b6d3b: Pushed
540171a10c83: Pushed
f5600c6330da: Pushed
v1: digest: sha256:4c7c70926e2f2e10a9f78b63f344c83ae97a22c7fefa96afed46c63e4e607c51 size: 1366
查看是否上传成功
7,Harbor的维护(停止与开启)
1.停止现有的 Harbor 实例(服务器端)
[root@localhost harbor]# docker-compose down -v
[root@localhost harbor]# ls
common docker-compose.yml harbor.v1.2.2.tar.gz NOTICE
docker-compose.clair.yml harbor_1_1_0_template install.sh prepare
docker-compose.notary.yml harbor.cfg LICENSE upgrade
2、更新 Harbor.cfg
[root@localhost harbor]# vim harbor.cfg
3、运行 prepare 脚本来填充配置
[root@localhost harbor]# ./prepare
4、重新创建并启动 Harbor 的实例
[root@localhost harbor]# docker-compose up -d
如果出现如下报错:
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables -- wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
解决方法:关闭防火墙后, 解决:关闭防火墙后, docker需要重启
systemctl restart docker
docker-compose up -d
例如:
[root@server3 harbor]# cd /usr/local/harbor/
关闭(修改配置文件必须先关闭服务)
[root@server3 harbor]# docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping harbor-db ... done
Stopping harbor-adminserver ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing harbor-db ... done
Removing harbor-adminserver ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
查看容器状态
[root@server3 harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
开启
[root@server3 harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
查看容器状态
[root@server3 harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
63bd37fcb99f vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" 16 seconds ago Up 13 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
1f51ce6efc77 vmware/harbor-jobservice:v1.2.2 "/harbor/harbor_jobs…" 16 seconds ago Up 13 seconds harbor-jobservice
aafa1a281af9 vmware/harbor-ui:v1.2.2 "/harbor/harbor_ui" 21 seconds ago Up 16 seconds harbor-ui
3a734f02cd11 vmware/harbor-db:v1.2.2 "docker-entrypoint.s…" 24 seconds ago Up 21 seconds 3306/tcp harbor-db
68dad99f8840 vmware/registry:2.6.2-photon "/entrypoint.sh serv…" 24 seconds ago Up 21 seconds 5000/tcp registry
0f108fa56d96 vmware/harbor-adminserver:v1.2.2 "/harbor/harbor_admi…" 24 seconds ago Up 21 seconds harbor-adminserver
1eddf86b9bce vmware/harbor-log:v1.2.2 "/bin/sh -c 'crond &…" 25 seconds ago Up 23 seconds 127.0.0.1:1514->514/tcp harbor-log
[root@server3 harbor]#
8,创建用户
- 用户管理
-
创建用户并设置为管理员
-
创建项目开发人员
9,用普通用户登录
[root@server3 ~]# docker logout 20.0.0.30 //服务器上退出登录
Removing login credentials for 20.0.0.30