Article Directory
- 1. Introduction to Harbor
- 2. Main functions of Harbor
- 3. Harbor architecture components
- 4. Harbor deployment
1. Introduction to Harbor
Although Docker officially provides a public image registry, deploying a Registry in our own private environment is still very necessary for both security and efficiency.
Harbor is an enterprise-class Docker Registry management project open sourced by VMware. Compared with the official Docker registry it offers a richer permission model and a more complete architecture, and it is suitable for providing registry services to large-scale Docker clusters.
It mainly provides a management UI for the Docker Registry, with role-based access control, image replication, AD/LDAP integration, audit logging and other functions, and fully supports Chinese.
2. Main functions of Harbor
Role-based access control
Users and Docker image repositories are organized and managed through "projects". A user can have different permissions for the image repositories within the same namespace (project).
Image-based replication policy
Images can be replicated between multiple Registry instances (images in a repository can be synchronized to a remote Harbor, similar to MySQL master-slave replication), which is especially suitable for load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
Graphical user interface
Users can browse and search the current Docker image repository and manage projects and namespaces through a web browser.
Support for AD/LDAP
Harbor can integrate with the enterprise's existing AD/LDAP for authentication management.
Image deletion and garbage collection
Harbor supports deleting images from the web UI and garbage-collecting unused images to free disk space: an image can be deleted and the space it occupied reclaimed.
Audit management
All operations on the image repository can be recorded and traced for auditing.
RESTful API
The RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
Simple deployment
Online and offline installers are provided, and Harbor can also be installed as a virtual appliance (OVA) on the vSphere platform.
All Harbor components run in Docker containers, so Harbor can be deployed quickly with Docker Compose.
Note: since Harbor is based on Docker Registry V2, Docker must be >= 1.10.0 and docker-compose >= 1.6.0.
3. Harbor architecture components
Architecture component diagram:
1. Proxy: reverse proxy in front of the other components
2. Registry: responsible for storing Docker images and handling push/pull commands. For access control it is pointed at a token service, so every docker pull/push request must carry a valid token; the registry validates the token against the token service's public key.
3. Core service: the core functions of Harbor:
UI: graphical interface
Webhook: picks up image status changes on the registry in time; the webhook is configured on the registry and passes status changes to the UI module.
Token service: responsible for issuing a token for each docker push/pull command according to the user's permissions. When the Docker client sends a request to the registry without a token, the registry redirects it here; after the token is obtained, the client repeats the request to the registry.
4. Database: provides database services, storing user permissions, audit logs, Docker image grouping information and other data
5. Log collector: to help monitor the operation of Harbor, it collects the logs of the other components for later analysis
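The token flow described under Registry and Token service above, as an added example that is not part of the original post or of Harbor's code: the client parses the registry's Bearer challenge, builds the token-service request, and the registry then checks the token's claims. The realm, service name, claim values and the unsigned token helper are constructed assumptions; real tokens are signed and the signature is verified first.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed 401 challenge from a Harbor-fronted registry (realm/service are assumptions).
SAMPLE_CHALLENGE = ('Bearer realm="http://192.168.100.3/service/token",'
                    'service="harbor-registry",scope="repository:sha/nginx:pull,push"')
# Constructed claims for a user holding only pull permission on project "sha".
SAMPLE_CLAIMS = {
    "iss": "harbor-token-issuer", "aud": "harbor-registry",
    "nbf": 1_600_000_000, "exp": 1_600_001_800,
    "access": [{"type": "repository", "name": "sha/nginx", "actions": ["pull"]}],
}

def parse_bearer_challenge(header):
    """Split a 'WWW-Authenticate: Bearer ...' header into its key="value" fields."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def token_request_url(challenge):
    """URL the Docker client calls on Harbor's token service after the redirect."""
    return challenge["realm"] + "?" + urlencode(
        {"service": challenge["service"], "scope": challenge["scope"]})

def make_unsigned_token(claims):
    """Constructed helper: JWT-shaped string with an EMPTY signature, demo only.
    Real tokens are RS256-signed and the registry verifies them with the public key."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"typ": "JWT", "alg": "RS256"}) + "." + b64(claims) + "."

def decode_jwt_payload(token):
    """Return the claims of a JWT (base64url payload, padding stripped)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_authorizes(claims, service, repo, action, now):
    """Registry-side checks after signature verification: audience, validity window, grant."""
    if claims.get("aud") != service:
        return False
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False
    for grant in claims.get("access", []):
        if grant.get("type") == "repository" and grant.get("name") == repo:
            return action in grant.get("actions", [])
    return False
```

A pull-only member such as zhangsan gets a token whose access entry lists only "pull", so a push with the same token is refused by the registry even though the token itself is valid.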
4. Harbor deployment
4.1 Environment preparation
Two virtual machines:
harbor (Harbor server, used to build the private registry): 192.168.100.3, with docker-ce, docker-compose (must be installed) and Harbor
client (used for remote access to the private registry): 192.168.100.4, with docker-ce
4.2 Install compose and Harbor
1. Download and unpack the software
cd /opt/dockersoft/
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local
2. Configure the Harbor parameter file and start
vim /usr/local/harbor/harbor.cfg
[root@pc-3 harbor]# systemctl start docker
cd /usr/local/harbor
After editing the parameters, run the install script; the optional parameters in harbor.cfg do not need to be changed for the script to run.
[root@pc-3 harbor]# sh install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.13
Note: docker-compose version: 1.21.1
[Step 1]: loading Harbor images ...
dd60b611baaa: Loading layer 133.2MB/133.2MB
........................................................
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.100.3.
For more details, please visit https://github.com/vmware/harbor .
[root@pc-3 harbor]#
Access http://192.168.100.3 in a browser.
Log in as the admin user; the user name and password are defined in the configuration file (harbor.cfg) and can be looked up there.
Create user zhangsan
Add member zhangsan to project sha
Test logging in as zhangsan
4.3 Local service login
[root@pc-3 harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@pc-3 harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1/sha/nginx v1 7e4d58f0e5f3 13 days ago 133MB
4.4 Local image upload
[root@docker01 harbor]# docker tag nginx:latest 127.0.0.1/sha/nginx:v1
[root@pc-3 harbor]# docker push 127.0.0.1/sha/nginx
The push refers to repository [127.0.0.1/sha/nginx]
908cf8238301: Pushed
eabfa4cd2d12: Pushed
60c688e8765e: Pushed
f431d0917d41: Pushed
07cab4339852: Pushed
v1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
4.5 Remote client login and attempt to upload an image
[root@pc-4 dockersoft]# docker login -u admin -p Harbor12345 http://192.168.100.3
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.100.3/v2/: dial tcp 192.168.100.3:443: connect: connection refused
[root@pc-4 dockersoft]#
A connection error on port 443 is reported because this Harbor instance serves plain HTTP on port 80 rather than HTTPS, and the Docker client contacts registries over HTTPS by default.
Solution: add --insecure-registry 192.168.100.3 to the dockerd ExecStart line of the Docker systemd unit:
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.100.3 --containerd=/run/containerd/containerd.sock
[root@pc-4 dockersoft]# docker login -u admin -p Harbor12345 http://192.168.100.3
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@pc-4 dockersoft]#
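The --insecure-registry workaround above makes the client accept the registry without TLS, so the login password and pushed layers travel in the clear. As an added defender's check that is not part of the original post, the script below collects the insecure-registry entries from both places dockerd reads them (daemon.json and the ExecStart flags) and reports whether a login to a given registry would be affected; the daemon.json contents and the extra entries are constructed samples.

```python
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

# Constructed inputs: a daemon.json and the dockerd ExecStart line edited in 4.5.
DAEMON_JSON = '{"insecure-registries": ["10.0.0.0/8", "registry.internal:5000"]}'
EXECSTART = ("ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.100.3 "
             "--containerd=/run/containerd/containerd.sock")

def insecure_registries(daemon_json_text, execstart_line):
    """Every registry dockerd may reach over plain HTTP or with an unverified
    certificate, merged from daemon.json and the systemd ExecStart flags."""
    entries = set(json.loads(daemon_json_text).get("insecure-registries", []))
    args = shlex.split(execstart_line.partition("=")[2])
    for i, arg in enumerate(args):
        if arg == "--insecure-registry" and i + 1 < len(args):
            entries.add(args[i + 1])
        elif arg.startswith("--insecure-registry="):
            entries.add(arg.split("=", 1)[1])
    return entries

def login_is_plaintext(registry, entries):
    """True when 'docker login <registry>' may fall back to HTTP, sending the
    password (Harbor12345 above) and image layers in the clear. Host-level
    match only: a simplification of dockerd's host:port and CIDR matching."""
    host = urlsplit("//" + registry.split("://")[-1]).hostname
    for entry in entries:
        if "/" in entry:  # CIDR entry: compare by address
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # registry host is a name, not an address
                continue
        elif entry.split(":")[0] == host:
            return True
    return False
```

Running this against the real files (/etc/docker/daemon.json and the docker.service unit) on each client shows which registries have been exempted from TLS; the durable fix is to serve Harbor over HTTPS and remove the exemption.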
4.6 Remote upload of the image centos:7
[root@pc-4 dockersoft]# docker pull centos:7
7: Pulling from library/centos
75f829a71a1c: Pull complete
Digest: sha256:19a79828ca2e505eaee0ff38c2f3fd9901f4826737295157cc5212b7a372cd2b
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
[root@pc-4 dockersoft]# docker tag centos:7 192.168.100.3/sha/centos7:v1
[root@pc-4 dockersoft]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.100.3/sha/centos7 v1 7e6257c9f8d8 6 weeks ago 203MB
centos 7 7e6257c9f8d8 6 weeks ago 203MB
[root@pc-4 dockersoft]# docker push 192.168.100.200/accp/centos7
The push refers to repository [192.168.100.200/accp/centos7]
An image does not exist locally with the tag: 192.168.100.200/accp/centos7
[root@pc-4 dockersoft]# docker push 192.168.100.3/sha/centos7
The push refers to repository [192.168.100.3/sha/centos7]
613be09ab3c0: Pushed
v1: digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9 size: 529
[root@pc-4 dockersoft]#
4.7 Download (pull) an image
[root@pc-4 dockersoft]# docker pull 192.168.100.3/sha/nginx:v1
v1: Pulling from sha/nginx
d121f8d1c412: Pull complete
ebd81fc8c071: Pull complete
655316c160af: Pull complete
d15953c0e0f8: Pull complete
2ee525c5c3cc: Pull complete
Digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
Status: Downloaded newer image for 192.168.100.3/sha/nginx:v1
192.168.100.3/sha/nginx:v1
4.8 Error summary
// Error:
docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
// Solution: after the firewall has been turned off, docker needs to be restarted
systemctl restart docker
docker-compose up -d
4.9 Stopping and starting the Harbor containers
docker-compose up -d "start all containers"
docker-compose down -v "stop all Harbor containers, but keep the data and images"
[root@docker01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1/accp/nginx v1 7e4d58f0e5f3 13 days ago 133MB
nginx latest 7e4d58f0e5f3 13 days ago 133MB
127.0.0.1/accp/centos7 v1 7e6257c9f8d8 6 weeks ago 203MB
vmware/harbor-log v1.2.2 36ef78ae27df 2 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 2 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 2 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 2 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 2 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 2 years ago 144MB
vmware/registry 2.6.2-photon 5d9100e4350e 3 years ago 173MB
vmware/postgresql 9.6.4-photon c562762cbd12 3 years ago 225MB
vmware/clair v2.0.1-photon f04966b4af6c 3 years ago 297MB
vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 3 years ago 324MB
vmware/notary-photon signer-0.5.0 b1eda7d10640 3 years ago 156MB
vmware/notary-photon server-0.5.0 6e2646682e3c 3 years ago 157MB
photon 1.0 e6e4e4a2ba1b 4 years ago 128MB