Harbor Docker image registry in practice

One: Introduction

1. Harbor is an enterprise-level Registry service for storing Docker images.
2. Registry is Docker's official private registry image. You can tag a local image and push it to the private registry running in a container started from Registry. Enterprises can use a Dockerfile to build their own images according to their needs and push them to the private registry, which can greatly improve the efficiency of pulling images.

Two: Harbor core components explained

Harbor's architecture is mainly composed of five components:
1. Proxy:
Harbor's registry, UI, token and other services sit behind a front-end reverse proxy, which receives all browser and Docker client requests and forwards each request to the appropriate back-end service.

2. Registry:
Responsible for storing Docker images and handling docker push / pull commands. Because access must be controlled per user, that is, different users have different read and write permissions on Docker images, the Registry points to a token service and forces the user to carry a valid token on every docker pull / push request. The Registry uses the public key to decrypt and validate the token.

3. Core services:
This is the core functionality of Harbor. It mainly provides the following services:
1) UI: Provides a graphical interface to help users manage images on the registry and authorize users.
2) Webhook: To learn of image status changes on the registry in a timely manner, a webhook is configured on the Registry to pass status changes to the UI module.
3) Token service: Responsible for issuing a token for each docker push / pull command according to the user's permissions. Docker client requests to the Registry service that do not contain a token are redirected here; after obtaining the token, the client proceeds with the Registry request.

4. Database:
Provides database services for the core services and is responsible for storing data such as user permissions, audit logs, and Docker image grouping information.

5. Log collector:
To help monitor the operation of Harbor, it collects the logs of the other components for later analysis.
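
The token flow described above for the Registry and the token service, as an added example that is not part of the original article or Harbor's own code: it parses the Bearer challenge of the Docker Registry v2 token authentication scheme, builds the request to the token service, and reads the access claim of an issued token. The realm path, service name and sample token are constructed for illustration, and the claim reader performs no signature check, which a real Registry does before trusting any claim.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed 401 challenge; realm path and service name are assumed values.
CHALLENGE = ('Bearer realm="http://linux.com/service/token",'
             'service="harbor-registry",scope="repository:test/photon:pull,push"')


def parse_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def token_request_url(challenge):
    """URL the Docker client calls on the token service after the 401."""
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urlencode(query)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(access):
    """JWT-shaped sample token (constructed; the signature part is a dummy)."""
    parts = [{"alg": "RS256", "typ": "JWT"}, {"access": access}]
    return ".".join([_b64url(json.dumps(p).encode()) for p in parts] + [_b64url(b"dummy")])


def granted_actions(token, repo):
    """Actions the token grants on repo. Inspection only, no signature check."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {action
            for entry in claims.get("access", [])
            if entry.get("type") == "repository" and entry.get("name") == repo
            for action in entry.get("actions", [])}


if __name__ == "__main__":
    print(token_request_url(parse_challenge(CHALLENGE)))
    # A read-only project member asked for pull,push but is issued pull only.
    token = sample_token([{"type": "repository", "name": "test/photon", "actions": ["pull"]}])
    print(granted_actions(token, "test/photon"))
```

The requested scope and the granted actions can differ: the token service decides from the user's permissions, and the Registry enforces only what the token lists.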

Three: Comparison between Harbor and Registry

Harbor and Registry are both Docker image registries, but more companies choose Harbor because it has many advantages over Registry.
1. Provide a layered transfer mechanism to optimize network transmission.
Docker images are layered, and transferring the full files every time (which is why FTP is not suitable) is clearly uneconomical. A mechanism that recognizes layers during transfer must be provided, using the layer's UUID as the identifier that determines what is transferred.
2. Provide a web interface to optimize the user experience.
It is clearly inconvenient to upload and download using only the name of the image. A user interface is required to support login and search functions, including distinguishing between public and private images.
3. Support horizontally scalable clusters.
When users upload and download images through one centralized server, the resulting access load needs to be spread out.
4. A good security mechanism.
The development team in an enterprise has many different roles. Assigning different permissions to different roles gives better security.
5. Harbor provides a role-based access control mechanism and controls the organization of and access rights to images through projects. In Kubernetes, resources are isolated by namespace. In enterprise-level scenarios, combining the two makes it possible to manage and control access to the images Kubernetes uses, which improves the security of image use. In multi-tenant scenarios in particular, management and access control of each tenant's images can be achieved through a combination of tenants, namespaces, and projects.

Four: Harbor simple deployment

Server configuration
Note: All service components of Harbor are deployed in Docker, and the official installation uses Docker-compose for rapid deployment, so we need to install Docker and Docker-compose. Because Harbor is based on Docker Registry V2, the Docker version must be at least 1.10.0 and the Docker-compose version at least 1.6.0.

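[Note: if docker-compose cannot be installed, first add the epel-release repository, then install docker-compose!]
 # wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
1. Install Harbor's dependencies
	1) Install docker
	yum -y install docker
	2) Install docker-compose
	yum -y install docker-compose
	3) Install the dependent packages
	yum install -y yum-utils device-mapper-persistent-data lvm2 python-pip
2. Download the offline installer package harbor-offline-installer-v1.5.3.tgz
	1) Download Harbor with wget or aria2c
	wget [find the version you need to install at https://github.com/goharbor/harbor/releases]
	2) Extract Harbor locally
	tar zxf harbor-offline-installer-vXXXX.tgz
3) Configuration file [Harbor's default data storage directory is /data (created automatically during installation), as shown in the figures below]
# cd harbor/
# vim harbor.cfg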

[Figures: harbor.cfg settings]
4) Installation

[cd harbor/]
Check for and create the files Harbor needs
# ./prepare
Install
# ./install.sh
Stop
sudo docker-compose stop
Start
sudo docker-compose start

UI interface login

http://linux.com, user admin, password Harbor12345 [add linux.com to the hosts file]

Command line login

Since Docker 1.3.X, interaction with a docker registry uses HTTPS by default, but the private registry we built serves HTTP by default, so the configuration must be modified or login will report:
[Error response from daemon: Get https://linux.com/v1/users/: dial tcp XXX.XXX.XXX.XXX:443: connect: connection refused]

Method 1:

# vi /usr/lib/systemd/system/docker.service

[Figure: docker.service edit]

Method 2:

# cd /etc/docker/
# vi daemon.json
{
 "insecure-registries" : ["linux.com"]
}

Restart docker

# systemctl daemon-reload
# systemctl restart docker
# docker login linux.com


Tag the image
# docker tag photon:1.0 linux.com/test/photon:1.0
Push the image
# docker push linux.com/test/photon:1.0
Remove the image
# docker rmi linux.com/test/photon:1.0
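
A check for the settings this walkthrough leaves in place (HTTP UI, the Harbor12345 admin password in harbor.cfg, and linux.com under insecure-registries in daemon.json), as an added example that is not part of the original article or Harbor's tooling. The sample file contents are constructed, and the `[configuration]` section header is prepended only so that Python's configparser accepts the section-less harbor.cfg format.

```python
import configparser
import json

# Constructed sample inputs mirroring the settings used in this walkthrough.
SAMPLE_HARBOR_CFG = """\
hostname = linux.com
ui_url_protocol = http
harbor_admin_password = Harbor12345
"""
SAMPLE_DAEMON_JSON = '{ "insecure-registries" : ["linux.com"] }'


def audit_harbor_cfg(text):
    """Return findings for a harbor.cfg (v1.x key = value format, no section header)."""
    parser = configparser.RawConfigParser()
    parser.read_string("[configuration]\n" + text)  # synthetic section header
    cfg = parser["configuration"]
    findings = []
    if cfg.get("ui_url_protocol", "http").strip().lower() != "https":
        findings.append("ui_url_protocol is not https: "
                        "logins and tokens cross the network in clear text")
    if cfg.get("harbor_admin_password", "").strip() == "Harbor12345":
        findings.append("harbor_admin_password is still the default Harbor12345")
    return findings


def audit_daemon_json(text, registry_host):
    """Return findings for a Docker daemon.json."""
    insecure = json.loads(text).get("insecure-registries", [])
    findings = []
    if registry_host in insecure:
        findings.append(f"{registry_host} is listed in insecure-registries: "
                        "the daemon accepts plain HTTP or unverified TLS for it")
    return findings


if __name__ == "__main__":
    # On a real host, read harbor/harbor.cfg and /etc/docker/daemon.json instead.
    for finding in (audit_harbor_cfg(SAMPLE_HARBOR_CFG)
                    + audit_daemon_json(SAMPLE_DAEMON_JSON, "linux.com")):
        print("FINDING:", finding)
```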


References
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md


Origin blog.csdn.net/wenwang3000/article/details/102966610