Harbor, a Docker Registry Management Tool

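Introduction:

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and improves the efficiency of transferring images between the registry and the build and run environments. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Official site: http://vmware.github.io/harbor/index_cn.html
Official GitHub repository: https://github.com/vmware/harbor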

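Harbor's official feature overview:

Role-based access control - Users and Docker image repositories are organized through "projects"; a user can have different permissions for different image repositories within the same namespace (project).
Image replication - Images can be replicated (synchronized) between multiple registry instances. This is especially suited to load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
Graphical user interface - Users can browse and search the current Docker image repositories and manage projects and namespaces through a browser.
AD/LDAP support - Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorization management.
Audit management - All operations against the image repositories can be recorded and traced for auditing.
Internationalization - Localized versions exist in English, Chinese, German, Japanese and Russian. More languages will be added.
RESTful API - The RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
Easy deployment - Online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).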

Deploying a Harbor 1.7.5 distributed cluster

Environment preparation

System: CentOS 7.6
Stop the firewall: systemctl stop firewalld
Turn off SELinux enforcement: setenforce 0
node1 IP: 192.168.8.156
node2 IP: 192.168.8.134

Installing Docker

Server 1

[root@node1 ~]#yum install docker -y
[root@node1 ~]#vim /lib/systemd/system/docker.service
# Append this host's IP address to the end of this line
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.8.156
[root@node1 ~]#systemctl  start  docker
[root@node1 ~]#systemctl  enable  docker

Server 2

[root@node2 ~]#yum install docker -y
[root@node2 ~]#vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.8.134
[root@node2 ~]#systemctl  start  docker
[root@node2 ~]#systemctl  enable  docker

Downloading the Harbor offline installer

Official installation guide: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
Server 1

[root@node1 ~]#cd /usr/local/src/
[root@node1 harbor]#wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz

Server 2

[root@node2 ~]#cd /usr/local/src/
[root@node2 harbor]#wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz

Configuring Harbor

Server 1

[root@node1 ~]#cd /usr/local/harbor/
[root@node1 harbor]#tar xvf harbor-offline-installer-v1.7.5.tgz
[root@node1 harbor]#vim harbor.cfg
[root@node1 harbor]# grep "^[a-zA-Z]" harbor.cfg
# This host's IP address
hostname = 192.168.8.156
# Transport protocol
ui_url_protocol = http
max_job_workers = 10 
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
# Log rotation size
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
# Notification e-mail settings; these can also be set in the web UI
email_identity = 
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false
# Set the admin login password
harbor_admin_password = 123456
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid 
ldap_scope = 2 
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password = 
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle = 
[root@node1  harbor]#./install.sh
# After it starts, it downloads many images, so expect to wait a while
[Step 0]: checking installation environment ...

Note: docker version: 18.09.7

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
f60840e24dbf: Loading layer [==================================================>]  33.23MB/33.23MB
ea7b46fcd541: Loading layer [==================================================>]  8.959MB/8.959MB
79b1bab71f92: Loading layer [==================================================>]   15.6MB/15.6MB
e44aff944dd8: Loading layer [==================================================>]  18.94kB/18.94kB
7f6318c65689: Loading layer [==================================================>]   15.6MB/15.6MB
Loaded image: goharbor/harbor-adminserver:v1.7.5
[Step 0]: checking installation environment ...

Server 2 configuration

[root@node2 ~]#cd /usr/local/harbor/
[root@node2 harbor]#tar xvf harbor-offline-installer-v1.7.5.tgz
[root@node2 harbor]#vim harbor.cfg
[root@node2 harbor]# grep "^[a-zA-Z]" harbor.cfg
hostname = 192.168.8.134
ui_url_protocol = http
max_job_workers = 10 
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
email_identity = 
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false
harbor_admin_password = 123456
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid 
ldap_scope = 2 
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password = 
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle = 
[root@node2  harbor]#./install.sh

Note:

If the following message appears

[root@node1 harbor]#./install.sh
Note: docker version: 18.09.7
✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.

then docker-compose needs to be installed by running

[root@node1 ~]#yum -y install docker-compose
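
The harbor.cfg used on both nodes keeps several values that matter for security: ui_url_protocol = http, a six-digit admin password, the root123 database passwords, open self-registration and unrestricted project creation. The script below is an added example (not part of the original post or of Harbor) that checks a harbor.cfg for exactly those values before ./install.sh is run; the function names, the sample file and the 12-character minimum are assumptions of this example.

```shell
# Added example (not from the original post): flag risky values in a Harbor 1.7.x harbor.cfg.
# Key names come from the listing above; the 12-character minimum is this example's assumption.

# cfg_get FILE KEY: print the value of an uncommented "KEY = value" line (empty if absent)
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || !/=/ { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { val = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }' "$1"
}

# audit_harbor_cfg FILE: print one "FAIL key: reason" line per finding; status 1 if any
audit_harbor_cfg() {
    cfg=$1; rc=0
    fail() { echo "FAIL $1: $2"; rc=1; }
    [ "$(cfg_get "$cfg" ui_url_protocol)" = https ] ||
        fail ui_url_protocol "logins and image traffic are not protected by TLS"
    pw=$(cfg_get "$cfg" harbor_admin_password)
    case $pw in
        Harbor12345|123456|admin|password)   # Harbor12345 is Harbor's documented default
            fail harbor_admin_password "default or trivially guessable" ;;
        *) [ "${#pw}" -ge 12 ] || fail harbor_admin_password "shorter than 12 characters" ;;
    esac
    for k in db_password clair_db_password; do
        [ "$(cfg_get "$cfg" "$k")" != root123 ] || fail "$k" "set to the widely published value root123"
    done
    [ "$(cfg_get "$cfg" self_registration)" != on ] ||
        fail self_registration "anyone who can reach the UI can create an account"
    [ "$(cfg_get "$cfg" project_creation_restriction)" != everyone ] ||
        fail project_creation_restriction "every account can create projects and push to them"
    return "$rc"
}

# Constructed sample: the security-relevant lines of the harbor.cfg shown in this guide
sample_cfg() {
    cat <<'EOF'
ui_url_protocol = http
harbor_admin_password = 123456
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = root123
EOF
}

tmp=$(mktemp); sample_cfg > "$tmp"
audit_harbor_cfg "$tmp" || echo "harbor.cfg still needs hardening"
rm -f "$tmp"
```

Against a real installation, call audit_harbor_cfg harbor.cfg from the Harbor directory; an exit status of 0 means none of these findings apply.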

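Logging in to the web UI for configuration

The account is admin, and the password is the one set in the configuration file.
Create a new project
The project can be set to public or private here; this can be changed later.
Create a replication target
Enter the IP of the host to replicate to, and do not enable remote certificate verification.
Creation complete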

Pushing an image from node1 and verifying

Log in with the Harbor account

[root@node1 ~]#docker login 192.168.8.156
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Test pushing an image

[root@node1 ~]#docker tag test/nginx:v1 192.168.8.156/myimage/nginx:v1
[root@node1 ~]#docker push 192.168.8.156/myimage/nginx:v1

Common Harbor operations

Pulling an image from Harbor

[root@node1 ~]#docker login 192.168.8.156
[root@node1 ~]#docker pull 192.168.8.156/myimage/nginx:v1

Stopping and starting Harbor

[root@node1 ~]#cd /usr/local/src/harbor/
[root@node1 harbor]#docker-compose stop
[root@node1 harbor]#docker-compose start

Note: these commands must be run from inside this directory, otherwise they fail

[root@node1 ~]#docker-compose start 
ERROR: 
        Can't find a suitable configuration file in this directory or any
        parent. Are you in the right directory?

        Supported filenames: docker-compose.yml, docker-compose.yaml

Reposted from blog.51cto.com/14163901/2417594