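I. Harbor Overview
Harbor is an enterprise-grade registry server from VMware for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity and management. It supports multi-tenancy, an extensible API and web UI, replication across multiple registries (including Harbor), identity integration and role-based access control.
II. Registry Overview
Registry is an official Docker image for running a private repository, which can be used to store and manage your own images.
III. Harbor and Registry Compared
Harbor is a higher-level wrapper around Docker Registry. It provides a layered transfer mechanism that optimizes network transfer, a web interface that improves the user experience, support for horizontally scaled clusters, good security mechanisms, role-based access control and more. It is far more capable than Registry, and using Harbor is recommended.
IV. Installing and Using Harbor
1. Requirements
(1) Hardware requirements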
Resource | Minimum | Recommended |
---|---|---|
CPU | 2 CPU | 4 CPU |
Memory | 4 GB | 8 GB |
Disk | 40 GB | 160 GB |
(2) Software requirements
Software | Version |
---|---|
Docker | Version 17.06.0-ce+ or higher |
Docker Compose | Version 1.18.0 or higher |
OpenSSL | Latest version recommended |
2. Environment preparation
(1) Install docker
① Configure the Aliyun yum repository
② Install dependencies
yum install -y yum-utils device-mapper-persistent-data lvm2
③ Set up the repository
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache
④ Install docker
yum install -y docker-ce
⑤ Start the service
systemctl start docker
(2) Install docker-compose
① Install
curl -L https://get.daocloud.io/docker/compose/releases/download/1.21.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
② Make it executable
chmod +x /usr/local/bin/docker-compose
③ Check the version
docker-compose -v
3. Install Harbor
(1) Download
Download from: https://github.com/goharbor/harbor/releases
(2) Extract
tar xzvf harbor-offline-installer-v2.5.1.tgz
(3) Create the data directory
mkdir /data
(4) Edit the configuration file
cd harbor
cp harbor.yml.tmpl harbor.yml
vi harbor.yml
The main changes are as follows; https is commented out and an external redis is used:
hostname: 192.168.1.48
#https:
# https port for harbor, default is 443
#port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
data_volume: /data
# Uncomment external_redis if using external Redis server
external_redis:
  # # support redis, redis+sentinel
  # # host for redis: <host_redis>:<port_redis>
  # # host for redis+sentinel:
  # # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
  host: 192.168.1.48:6379
  password: xxxxxx
  # # sentinel_master_set must be set to support redis+sentinel
  # #sentinel_master_set:
  # # db_index 0 is for core, it's unchangeable
  registry_db_index: 1
  jobservice_db_index: 2
  chartmuseum_db_index: 3
  trivy_db_index: 5
  idle_timeout_seconds: 30
(5) Install
./install.sh
(6) Check that the services have started
docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------------------------------------------------
harbor-core /harbor/entrypoint.sh Up (health: starting)
harbor-db /docker-entrypoint.sh 96 13 Up (healthy)
harbor-jobservice /harbor/entrypoint.sh Up (health: starting)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,:::80->8080/tcp
registry /home/harbor/entrypoint.sh Up (healthy)
registryctl /home/harbor/start.sh Up (healthy)
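4. Usage
(1) Log in
Enter the IP address in a browser to log in. The default username/password is admin/Harbor12345
After logging in you land on the following page:
(2) Create a project
Create a new project named shop with the access level set to private; a storage quota of -1 means no limit on storage:
(3) Push a local image to the private registry
① Log in from the client
Log in with docker login: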
docker login 192.168.1.48
Error:
[root@k8s-master ~]# docker login 192.168.1.48
Username: admin
Password:
Error response from daemon: Get https://192.168.1.48/v1/users/: dial tcp 192.168.1.48:443: connect: no route to host
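Solution 1:
The cause is that https access is not configured on the server. The fix is to edit /etc/docker/daemon.json and add the following configuration (registry-mirrors is there to speed up pulls):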
vi /etc/docker/daemon.json
{
"registry-mirrors": [ "https://registry.docker-cn.com","http://hub-mirror.c.163.com"],
"insecure-registries": [ "192.168.1.48"]
}
Restart the docker service:
systemctl daemon-reload
systemctl restart docker
Solution 2:
Edit the unit file and append --insecure-registry=http://192.168.1.48 to ExecStart:
vi /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=http://192.168.1.48
ExecStart=/usr/bin/dockerd-current \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
--init-path=/usr/libexec/docker/docker-init-current \
--seccomp-profile=/etc/docker/seccomp.json \
--insecure-registry=http://192.168.1.48 \
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY \
$REGISTRIES
Restart the docker service:
systemctl daemon-reload
systemctl restart docker
② List local images
docker images
[root@k8s-master system]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/appbaseio/dejavu latest b6dc08dbb3e7 9 months ago 383 MB
docker.io/nginx latest dd34e67e3371 10 months ago 133 MB
③ Tag the nginx image
docker tag docker.io/nginx:latest 192.168.1.48/shop/nginx:latest
[root@k8s-master system]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/appbaseio/dejavu latest b6dc08dbb3e7 9 months ago 383 MB
192.168.1.48/shop/nginx latest dd34e67e3371 10 months ago 133 MB
docker.io/nginx latest dd34e67e3371 10 months ago 133 MB
④ Push to the registry
docker push 192.168.1.48/shop/nginx:latest
⑤ Log in to Harbor and check
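The following added example is not part of the original article: a shell check that reports the settings used in this walkthrough (https commented out in harbor.yml, the default admin password, insecure-registries in daemon.json) that leave logins and image transfers on plain HTTP. The sample files are constructed; harbor_admin_password is the harbor.yml key that holds the initial admin password, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): report the settings from
# this walkthrough that leave registry traffic or the admin account exposed.

# Findings for a harbor.yml: TLS block commented out, default admin password.
audit_harbor_yml() {
    grep -Eq '^https:' "$1" || echo "https-disabled"
    if grep -Eq '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$' "$1"; then
        echo "default-admin-password"
    fi
}

# One finding per registry the Docker client may reach without TLS.
audit_daemon_json() {
    { tr -d ' \n\t' < "$1"; echo; } \
        | sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' \
        | tr ',' '\n' | tr -d '"' \
        | sed -e '/^$/d' -e 's/^/insecure-registry:/'
}

# Constructed sample files mirroring the configuration shown above.
sample_dir=$(mktemp -d)
cat > "$sample_dir/harbor.yml" <<'EOF'
hostname: 192.168.1.48
#https:
#  port: 443
harbor_admin_password: Harbor12345
data_volume: /data
EOF
cat > "$sample_dir/daemon.json" <<'EOF'
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["192.168.1.48"]
}
EOF
# Constructed hardened counterpart: https block active, password changed.
cat > "$sample_dir/harbor-tls.yml" <<'EOF'
hostname: 192.168.1.48
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: example-changed-password
EOF

audit_harbor_yml "$sample_dir/harbor.yml"
audit_daemon_json "$sample_dir/daemon.json"
```

An empty result from both functions means none of the three settings is present in the files that were checked.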
V. Installing and Using Registry
1. Installation
(1) Pull the image
docker pull registry
(2) Start
docker run -d --name=my_registry -p 5000:5000 -v /opt/data/my_registry:/var/lib/registry --restart=always --privileged=true registry
2. Usage
(1) Push a local image to the private registry
① List local images
docker images
[root@k8s-master system]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/appbaseio/dejavu latest b6dc08dbb3e7 9 months ago 383 MB
docker.io/nginx latest dd34e67e3371 10 months ago 133 MB
② Tag the nginx image
docker tag docker.io/nginx:latest 192.168.1.48:5000/nginx:latest
[root@k8s-master system]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/appbaseio/dejavu latest b6dc08dbb3e7 9 months ago 383 MB
192.168.1.48:5000/nginx latest dd34e67e3371 10 months ago 133 MB
docker.io/nginx latest dd34e67e3371 10 months ago 133 MB
③ Push to the registry
docker push 192.168.1.48:5000/nginx:latest
④ Verify that the upload succeeded
curl -XGET http://192.168.1.48:5000/v2/_catalog
curl -XGET http://192.168.1.48:5000/v2/nginx/tags/list
[root@k8s-master system]# curl -XGET http://192.168.1.48:5000/v2/_catalog
{
"repositories":["nginx"]}
[root@k8s-master system]# curl -XGET http://192.168.1.48:5000/v2/nginx/tags/list
{
"name":"nginx","tags":["latest"]}
⑤ Delete an image from the private registry
Download delete_docker_registry_image:
curl https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py | sudo tee /usr/local/bin/delete_docker_registry_image >/dev/null
Change the permissions and set the directory variable:
chmod 755 /usr/local/bin/delete_docker_registry_image
export REGISTRY_DATA_DIR=/opt/data/my_registry/docker/registry/v2
Delete the image from the private registry:
delete_docker_registry_image -i nginx
Error:
/usr/bin/env: ‘python’: No such file or directory
Solution:
Install Python:
yum install python3
If that does not resolve it, continue with the following:
whereis python3
ln -s /usr/bin/python3 /usr/bin/python
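An alternative to piping curl straight into /usr/local/bin, as an added example that is not part of the original article: the script is saved first, compared against a SHA-256 value recorded after review, and checked for a resolvable shebang interpreter (the cause of the 'python' error above) before it is installed. The function names and the sample file are hypothetical and constructed so the block runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): check a downloaded helper
# script before placing it on root's PATH, instead of piping curl into tee.

# Interpreter named on the shebang line: "python" for "#!/usr/bin/env python".
shebang_interpreter() {
    awk 'NR == 1 && /^#!/ {
             sub(/^#![ \t]*/, "")
             if ($1 ~ /\/env$/) print $2; else print $1
         }
         { exit }' "$1"
}

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 1 on checksum mismatch, 2 when the shebang interpreter is missing.
install_verified() {
    src=$1 expected=$2 dest=$3
    actual=$(sha256sum "$src" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: $src is $actual" >&2
        return 1
    fi
    interp=$(shebang_interpreter "$src")
    if [ -n "$interp" ] && ! command -v "$interp" >/dev/null 2>&1; then
        echo "interpreter '$interp' not found; fix PATH or the shebang" >&2
        return 2
    fi
    install -m 755 "$src" "$dest"
}

# Constructed stand-in for the downloaded file so the example runs offline.
demo_dir=$(mktemp -d)
printf '#!/usr/bin/env sh\necho "constructed sample"\n' > "$demo_dir/tool.download"
# In real use this value is recorded once, after reviewing the script.
pinned_sha256=$(sha256sum "$demo_dir/tool.download" | awk '{ print $1 }')
install_verified "$demo_dir/tool.download" "$pinned_sha256" "$demo_dir/tool"
```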