Deploy a Harbor private Docker registry

1. Harbor

1.1 Overview of Harbor

■ Harbor is deployed as multiple Docker containers, so it can be deployed on any Linux distribution that supports Docker. (The registry is its core component.)

The advantages of Harbor over a plain registry are that it supports more functions: a graphical management interface, multi-user permissions, a role management mechanism, and security mechanisms.

■ The server host needs Python, the Docker engine and Docker Compose installed (the web environment depends on Python, so Python must be installed).

2. Harbor deployment

2.1. Download Harbor installer

[root@docker ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /opt
[root@docker ~]# cd /opt
[root@docker opt]# ls
[root@docker opt]# cd harbor/
[root@docker harbor]# ls

2.2. Configure the Harbor parameter file

Note: There are two types of parameters in the harbor.cfg configuration file: required parameters and optional parameters.

(1) Required parameters

These parameters must be set in the configuration file harbor.cfg. If the user updates them and runs the install.sh script to reinstall Harbor, the new values take effect. The specific parameters are as follows:

  • hostname: used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine,
    such as 192.168.140.30 or hub.gc.cn. Do not use localhost or 127.0.0.1 as the host name
  • ui_url_protocol: (http or https, the default is http) the protocol used to access the UI and the token/notification services. If notarization is enabled, this parameter must be https. (During authentication, the credentials are compared against the MySQL database and the token is granted)
  • max_job_workers: the number of worker threads for image replication jobs
  • db_password: the password of the root user of the MySQL database used for db_auth
  • customize_crt: this attribute can be set to on or off, and it is on by default. When it is on, the prepare script creates a private key and root certificate for generating/verifying registry tokens. When the key and root certificate are provided by an external source, set this property to off
  • ssl_cert: the path of the SSL certificate, only applied when the protocol is set to https
  • ssl_cert_key: the path of the SSL key, only applied when the protocol is set to https
  • secretkey_path: the path of the key used to encrypt or decrypt the remote registry password in a replication policy

(2) Optional parameters

These parameters are optional to update: users can leave them at their default values and change them in the web UI after starting Harbor. If they are set in harbor.cfg, they take effect only when Harbor is started for the first time; later changes to these parameters in harbor.cfg are ignored.

Note: If you choose to set these parameters through the UI, make sure to do so immediately after starting Harbor. Specifically, the required auth_mode must be set before registering or creating any new users in Harbor. When there are users in the system (other than the default admin user), auth_mode cannot be modified. The specific parameters are as follows:

  • Email: Harbor needs these parameters to send "password reset" emails to users, so they are only needed when that feature is used. Note that an SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE
  • harbor_admin_password: the initial password of the administrator, which only takes effect when Harbor is started for the first time. After that, this setting is ignored, and the administrator's password should be set in the UI.
    Please note that the default username/password is admin/Harbor12345
  • auth_mode: the type of authentication used. By default, it is db_auth, that is, the credentials are stored in the database. For LDAP authentication (authentication in the form of a file), set it to ldap_auth
  • self_registration: enable/disable the user registration function. When disabled, new users can only be created by the administrator user.
    Note: When auth_mode is set to ldap_auth, the self-registration function is always disabled, and the flag is ignored
  • token_expiration: the expiration time (in minutes) of tokens created by the token service; the default is 30 minutes
  • project_creation_restriction: a flag used to control which users have the right to create projects. By default, everyone can create a project.
    If the value is set to "adminonly", then only admin can create projects
  • verify_remote_cert: on or off, on by default. This flag determines whether to verify the SSL/TLS certificate when Harbor communicates with a remote registry instance.
    Setting this property to off bypasses SSL/TLS verification, which is often done when the remote instance has a self-signed or untrusted certificate
  • In addition, by default, Harbor stores images on the local file system. In a production environment, you can consider using other storage backends instead of the local file system, such as S3, OpenStack Swift, Ceph, etc., but this requires updating the common/templates/registry/config.yml file
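
Several of the parameters above decide how exposed the registry is, and they can be checked before install.sh is run. The following shell audit is an added example, not part of the original post or of Harbor itself; the helper names cfg_get and audit_harbor_cfg and the sample file are assumptions constructed for illustration.

```shell
# Added example (not from the original post): audit harbor.cfg before install.sh.
# cfg_get and audit_harbor_cfg are hypothetical helper names.
# Print the last value assigned to key $2 in the "key = value" file $1.
cfg_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one WARN line per risky setting; return 1 if anything was flagged.
audit_harbor_cfg() {
    cfg=$1 rc=0
    warn() { rc=1; echo "WARN: $1"; }
    case "$(cfg_get "$cfg" hostname)" in
        ""|localhost|127.0.0.1) warn "hostname must be a reachable IP or FQDN" ;;
    esac
    [ "$(cfg_get "$cfg" ui_url_protocol)" = https ] ||
        warn "ui_url_protocol is not https: logins and tokens cross the network in clear text"
    [ "$(cfg_get "$cfg" harbor_admin_password)" != Harbor12345 ] ||
        warn "harbor_admin_password is still the documented default"
    # self_registration is ignored under ldap_auth, so only check it otherwise.
    [ "$(cfg_get "$cfg" auth_mode)" = ldap_auth ] ||
        [ "$(cfg_get "$cfg" self_registration)" = off ] ||
        warn "self_registration is on: anyone who reaches the UI can create an account"
    [ "$(cfg_get "$cfg" verify_remote_cert)" != off ] ||
        warn "verify_remote_cert is off: remote registries are not authenticated"
    [ "$(cfg_get "$cfg" project_creation_restriction)" = adminonly ] ||
        warn "project_creation_restriction is not adminonly: any user can create projects"
    return "$rc"
}

# Constructed sample that mirrors the tutorial's settings (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname = 192.168.140.20
ui_url_protocol = http
harbor_admin_password = Harbor12345
self_registration = on
project_creation_restriction = everyone
EOF
audit_harbor_cfg "$sample" || echo "harbor.cfg needs hardening before install.sh"
rm -f "$sample"
```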

2.3. Start Harbor

[root@docker harbor]# vim harbor.cfg 

[root@docker opt]# rz   # download docker-compose

[root@docker opt]# ls
containerd  docker-compose  harbor  rh  test.sh
[root@docker opt]# chmod +x docker-compose
[root@docker opt]# mv docker-compose  /usr/bin/
[root@docker harbor]# sh install.sh

[root@docker harbor]# docker-compose ps

2.3.1. Log in to Harbor through a browser

2.3.2. Local login

[root@docker harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1

2.3.3. Download a test image

[root@docker harbor]# docker pull cirros

2.3.4. Tag the image

[root@docker harbor]# docker tag cirros:latest 127.0.0.1/public-07/cirros:v1

2.3.5. Upload the image to Harbor

[root@docker harbor]# docker push 127.0.0.1/public-07/cirros:v1

2.3.6. The client downloads the image

[root@docker1 system]# docker login -u admin -p Harbor12345 http://192.168.140.20
[root@docker1 system]# docker pull 192.168.140.20/public-07/cirros:v1

2.3.7. Download the Apache image and upload it to the private registry

[root@docker1 system]# docker pull httpd
[root@docker1 system]# docker images

[root@docker1 system]# docker tag httpd:latest 192.168.140.20/public-07/httpd:v1  # tag the image
[root@docker1 system]# docker images

[root@docker1 system]# docker push 192.168.140.20/public-07/httpd:v1

2.4. Reinstall after modifying the configuration file

[root@docker harbor]# docker-compose down -v   # must be run in the directory that contains the docker-compose.yml file
[root@docker harbor]# ./prepare  # re-run the installation

[root@docker harbor]# docker-compose up -d
[root@docker harbor]# docker ps -a

2.5. Create a Harbor user

Create the user first

2.5.1. Add members

[root@docker1 system]# docker login -u zhangsan -p Abc12345 http://192.168.140.20

2.5.2. Use the new member account to download the image

[root@docker1 system]# docker images

[root@docker1 system]# docker pull 192.168.140.20/public-07/cirros:v1
[root@docker1 system]# docker images

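Note: To redeploy, all data of the Harbor service containers must be removed.
Persistent data, such as images and the database, is in the /data/ directory on the host; logs are in the /var/log/Harbor/ directory on the host.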
rm -rf /data/database/
rm -rf /data/registry/

Origin blog.csdn.net/weixin_50344814/article/details/114867294