Docker-Harbor private registry deployment and management

1. Harbor

1.1 Introduction to Harbor

Harbor is an open source enterprise-class Docker Registry project from VMware. The project address is https://github.com/vmware/harbor.
Harbor's goal is to help users quickly build an enterprise-class Docker Registry service.
Harbor builds on Docker's open source registry and adds the functions enterprise users need: a management UI, role-based access control, AD/LDAP integration and audit logging. It also supports a Chinese-language interface.
Every Harbor component is built as a Docker container and deployed with docker-compose. The docker-compose template used to deploy Harbor is located at /usr/local/bin/harbor/docker-compose.yml (a custom location).

1.2 Features of Harbor

  • Role-based access control: users and Docker image repositories are organized and managed through "projects". One user can have different permissions for multiple image repositories within the same namespace (project).
  • Graphical user interface: users can browse and search the Docker image registry and manage projects and namespaces from a browser.
  • Audit management: all operations on the image registry can be recorded and traced for auditing.
  • Image replication: images can be replicated between multiple Harbor instances.
  • LDAP authentication: Harbor can authenticate users against an existing LDAP/AD user base.
  • Image deletion and garbage collection: images can be deleted and the space they occupy reclaimed.
  • Simple deployment: Harbor provides online and offline installers, in addition to a virtual appliance.
  • Relationship between Harbor and docker registry: Harbor essentially wraps the docker registry and extends it with its own business logic.

1.3 Harbor's simple architecture

Harbor has 6 main modules. By default each Harbor component is packaged as a docker container, so Harbor can be deployed with docker-compose; in total it runs as 8 containers, which can be listed with docker-compose ps.

  • Proxy: Harbor's registry, UI, token service and other components sit behind a reverse proxy. The proxy forwards requests from browsers and docker clients to the back-end services.
  • Registry: responsible for storing Docker images and handling docker push/pull requests. Because Harbor enforces access control on images, the Registry requires the client to present a valid token from the token service for every push/pull request.
  • Core services: Harbor's core functions, mainly the following 3 services:
  • UI: acts as a Registry webhook receiver and lets users manage images through a graphical interface.
    - Webhook: a mechanism configured in the registry; when an image changes, the registry notifies Harbor's webhook endpoint. Harbor uses webhooks to update logs, start replication jobs, etc.
    - Token service: issues a token for each push/pull request according to the user's role in the project. If a request carries no token, the registry redirects it to the token service.
    - Database: stores project metadata, user data, role data, replication policies and image metadata.
  • Job services: mainly used for image replication; local images can be synchronized to remote Harbor instances.
  • Log collector: collects the logs of the other modules in one place.
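
To make the token exchange above concrete, here is an added example (not code from the original post or the Harbor project). It parses the HTTP 401 challenge a registry returns to an unauthenticated docker client, extracts the realm, service and scope that the token service evaluates against the user's project role, and builds the URL the client calls to obtain a token. The response text is a constructed sample; the realm path and service name in it are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Harbor project):
# parses the registry v2 bearer-token challenge that Harbor's proxy, registry
# and token service exchange with a docker client, and builds the token URL.

# Constructed sample of what `curl -si http://<harbor>/v2/` returns to an
# unauthenticated client. The realm and service values are assumptions.
SAMPLE_CHALLENGE='HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="http://192.168.153.40/service/token",service="harbor-registry",scope="repository:test/cirros:pull,push"'

# challenge_param RESPONSE NAME -> value of NAME in the Bearer challenge
# (empty if the header or the parameter is missing).
challenge_param() {
    printf '%s\n' "$1" | tr -d '\r' \
      | grep -i '^Www-Authenticate: *Bearer ' \
      | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# challenge_actions RESPONSE -> the actions (pull, push) the scope asks for,
# one per line; these are what the token service checks against the user's
# role in the project before it issues a token.
challenge_actions() {
    challenge_param "$1" scope | sed 's/^repository:[^:]*://' | tr ',' '\n'
}

# token_url RESPONSE -> URL the client calls (with its credentials) to obtain
# a bearer token for the requested scope; fails unless the challenge carries
# both a realm and a service.
token_url() {
    realm=$(challenge_param "$1" realm)
    service=$(challenge_param "$1" service)
    scope=$(challenge_param "$1" scope)
    [ -n "$realm" ] && [ -n "$service" ] || return 1
    # scope is left unencoded for readability; in a live request
    # `curl -G --data-urlencode` would percent-encode it.
    printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# Live version of the same exchange (not executed here; needs a running Harbor):
#   curl -si http://192.168.153.40/v2/                       # 401 + Www-Authenticate
#   curl -s -u admin "$(token_url "$CHALLENGE")"             # {"token":"..."}
#   curl -s -H "Authorization: Bearer $TOKEN" \
#        http://192.168.153.40/v2/test/cirros/tags/list      # {"name":...,"tags":[...]}

token_url "$SAMPLE_CHALLENGE"
challenge_actions "$SAMPLE_CHALLENGE"
```

The scope names a single repository and the actions requested on it, so a token issued for `test/cirros:pull` grants nothing on other projects; that is why the registry sends every unauthenticated request back through the token service rather than trusting the client's earlier login.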

1.4 Harbor configuration file parameters

vim /usr/local/harbor/harbor.cfg. The harbor.cfg configuration file has two kinds of parameters: required parameters and optional parameters.

Required parameters: these parameters need to be set in the configuration file harbor.cfg. If a user updates them and runs the install.sh script to reinstall Harbor, the new values take effect. The specific parameters are as follows:

  • hostname: used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine, such as 192.168.195.128 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname.
  • ui_url_protocol: (http or https, default http) the protocol used to access the UI and the token/notification service. If Notary is enabled, this parameter must be https.
  • max_job_workers: the number of worker threads for image replication jobs.
  • db_password: the password of the root user of the MySQL database used for db_auth.
  • customize_crt: on or off, on by default. When on, the prepare script creates a private key and root certificate for generating and verifying registry tokens. Set it to off when the key and root certificate are supplied from an external source.
  • ssl_cert: the path of the SSL certificate; only used when the protocol is set to https.
  • secretkey_path: the path of the key used to encrypt or decrypt the remote registry password in a replication policy.

Optional parameters: these parameters are optional to update, that is, users can leave them at their default values and update them in the Web UI after starting Harbor. If they are set in harbor.cfg, they take effect only the first time Harbor is started; if you update them in harbor.cfg later, the changes are ignored.
Note: if you choose to set these parameters through the UI, do so immediately after starting Harbor. In particular, the required auth_mode must be set before any new user registers or is created in Harbor: once there are users in the system (other than the default admin user), auth_mode can no longer be modified. The specific parameters are as follows:

  • Email: Harbor needs these settings to send "password reset" emails to users, and only when that feature is needed.

Note that SSL is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE.

  • harbor_admin_password: the initial administrator password, which only takes effect the first time Harbor starts. After that this setting is ignored and the administrator's password should be changed in the UI.

Note that the default username/password is admin/Harbor12345.

  • auth_mode: the type of authentication used. By default it is db_auth, meaning credentials are stored in the database. For LDAP authentication set it to ldap_auth.
  • self_registration: enables/disables user self-registration. When disabled, new users can only be created by the Admin user; only administrators can create new users in Harbor.

Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.

  • token_expiration: the expiration time (in minutes) of tokens created by the token service; the default is 30 minutes.
  • project_creation_restriction: a flag controlling which users may create projects. By default everyone can create a project.

If its value is set to "adminonly", only admin can create projects.

  • verify_remote_cert: on or off, on by default. This flag determines whether Harbor verifies the SSL/TLS certificate when communicating with a remote registry instance.

Setting this property to off bypasses SSL/TLS verification, which is often done when the remote instance has a self-signed or untrusted certificate. In addition, Harbor stores images on the local filesystem by default. In a production environment, consider using another storage backend instead of the local filesystem, such as S3, OpenStack Swift or Ceph; this requires updating the common/templates/registry/config.yml file.
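
The parameters above are easy to leave at lab values. The following added example (not code from the original post or the Harbor project) reads a harbor.cfg containing the keys listed in this section and reports the settings a reviewer would want changed before the registry is reachable beyond a lab: plain http, the documented default admin password, open self-registration, unrestricted project creation and disabled remote certificate verification. The sample configuration it writes is constructed; its values are assumptions modelled on the lab setup, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Harbor project):
# reads the parameters described above from a harbor.cfg and reports the
# settings a reviewer would want changed before the registry goes live.

# write_sample_cfg PATH -> writes a constructed harbor.cfg (keys are the ones
# listed in the post; values are assumed, modelled on the lab setup).
write_sample_cfg() {
    cat > "$1" <<'EOF'
## Harbor configuration file (constructed sample)
hostname = 192.168.153.40
ui_url_protocol = http
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
secretkey_path = /data
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
verify_remote_cert = on
EOF
}

# cfg_get FILE KEY -> value of KEY (first match, surrounding blanks stripped,
# comment lines ignored); empty if the key is absent.
cfg_get() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_harbor_cfg FILE -> prints one finding per line; nothing printed
# means nothing to report.
audit_harbor_cfg() {
    f=$1
    case "$(cfg_get "$f" hostname)" in
        ""|localhost|127.0.0.1)
            echo "hostname: must be the server IP or FQDN, not localhost/127.0.0.1" ;;
    esac
    [ "$(cfg_get "$f" ui_url_protocol)" = https ] \
      || echo "ui_url_protocol: http; docker login credentials and bearer tokens cross the network in clear text"
    [ "$(cfg_get "$f" harbor_admin_password)" != Harbor12345 ] \
      || echo "harbor_admin_password: still the documented default (admin/Harbor12345)"
    if [ "$(cfg_get "$f" auth_mode)" = db_auth ] && [ "$(cfg_get "$f" self_registration)" = on ]; then
        echo "self_registration: on; anyone who can reach the UI can create an account"
    fi
    [ "$(cfg_get "$f" project_creation_restriction)" = adminonly ] \
      || echo "project_creation_restriction: everyone; consider adminonly so only admin creates projects"
    [ "$(cfg_get "$f" verify_remote_cert)" != off ] \
      || echo "verify_remote_cert: off; replication skips TLS certificate validation"
    return 0
}

# Run against the constructed sample; on a real server pass the actual file:
#   audit_harbor_cfg /usr/local/harbor/harbor.cfg
tmp=$(mktemp)
write_sample_cfg "$tmp"
audit_harbor_cfg "$tmp"
rm -f "$tmp"
```

Because these are harbor.cfg values, the fix for each finding follows the procedure this page describes later: stop the instance, edit the file, run prepare, and start again; the admin password alone can instead be changed in the UI, since harbor_admin_password only applies on first start.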

2. Simulation experiment

Host name        IP address        Required software
harbor server    192.168.153.40    docker-ce, harbor, docker-compose
client           192.168.153.60    docker-ce

2.1 Harbor server configuration

cd /usr/local/      # place the downloaded tarball here
tar zxvf harbor-offline-installer-v1.2.2.tgz

cd harbor/
vim harbor.cfg
... ...
hostname = 192.168.153.40
... ...


sh install.sh


docker images
docker ps -a


  • harbor-log: collects the log output of the other Harbor containers (rsyslogd).
  • harbor-jobservice: mainly used for image replication (synchronization) between registries.
  • harbor-ui: the user interface module used to manage the registry; mainly the front-end pages and the back-end CRUD API.
  • harbor-adminserver: Harbor's system management interface; it can modify the system configuration and return system information.
  • harbor-db: stores project metadata, users, roles, replication policies and other information.
  • nginx: Harbor's reverse proxy component, which fronts the registry, UI, token and other services. It forwards requests from the Harbor web UI and docker clients to the back-end services, handling traffic forwarding and security checks. All external traffic enters through nginx, which distributes it to the back-end UI and to the docker registry that stores the docker images.
  • registry: the service that stores docker images and serves pull/push requests. Harbor needs to control access to images, so on every pull or push the registry requires the client to obtain a usable token from the token service first.
  • redis: stores cache information.
  • Webhook: when the state of an image in the registry changes, it records the update log and triggers replication and other operations.
  • Token service: issues tokens when a docker client pulls/pushes images.

You can also use docker-compose ps to view the status of the containers, but it must be run in the /usr/local/harbor directory.


Browser login test

http://192.168.153.40/harbor

Image upload and download test on the harbor server

docker login -u admin -p Harbor12345 http://127.0.0.1

docker pull cirros		# the cirros image is under 15 MB, convenient for testing
...
...
docker tag cirros:latest 127.0.0.1/test/cirros:v1  # tag as v1 to tell versions apart
docker push 127.0.0.1/test/cirros:v1 		# upload to harbor


Return to the browser to view the result.

2.2 Client test

vim /usr/lib/systemd/system/docker.service
... ...
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.153.40 --containerd=/run/containerd/containerd.sock    # modify this line so the client can connect to the harbor server
... ...

systemctl daemon-reload
systemctl restart docker
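
The --insecure-registry flag above tells the daemon to accept plain HTTP and skip certificate checks for that registry, so the list should stay as narrow as the lab needs. The following added example (not from the original post or from Docker) extracts the entries from a unit file's ExecStart line, flags any that cover a whole network rather than one host, and prints the equivalent /etc/docker/daemon.json body, which is the supported place for this setting. The unit text is a constructed sample with a /8 range added to exercise the check; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post or from Docker): lists the
# registries a docker.service ExecStart line trusts without TLS, flags entries
# wider than one host, and prints the equivalent /etc/docker/daemon.json.

# Constructed sample of an edited unit (a /8 range added to show the check).
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.153.40 --insecure-registry 10.0.0.0/8 --containerd=/run/containerd/containerd.sock'

# insecure_registries UNIT_TEXT -> one --insecure-registry value per line
insecure_registries() {
    printf '%s\n' "$1" | grep '^ExecStart=' \
      | grep -o -- '--insecure-registry[= ][^ ]*' \
      | sed 's/^--insecure-registry[= ]//'
}

# is_broad ENTRY -> true for a CIDR range other than a single /32 host
is_broad() {
    case "$1" in
        */32) return 1 ;;
        */*)  return 0 ;;
        *)    return 1 ;;
    esac
}

# count_broad UNIT_TEXT -> prints how many entries trust a whole network;
# each offending entry is reported on stderr.
count_broad() {
    n=0
    for r in $(insecure_registries "$1"); do
        if is_broad "$r"; then
            echo "broad: $r" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# daemon_json UNIT_TEXT -> daemon.json body carrying the same list
daemon_json() {
    list=$(insecure_registries "$1" | sed 's/.*/"&"/' | paste -sd, -)
    printf '{ "insecure-registries": [%s] }\n' "$list"
}

count_broad "$SAMPLE_UNIT" >/dev/null
daemon_json "$SAMPLE_UNIT"
```

Once the setting lives in /etc/docker/daemon.json, remove the flag from ExecStart: dockerd refuses to start when the same option is given both as a flag and in the configuration file, and the vendor unit file is overwritten on package upgrades anyway.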

docker login -u admin -p Harbor12345 http://192.168.153.40  # log in


docker pull cirros
docker tag cirros:latest 192.168.153.40/test/cirros:v2	# tag as v2 to distinguish it from v1
docker push 192.168.153.40/test/cirros:v2 		# upload the image

Return to the browser to view the result.

2.3 Maintenance and Management of Harbor Private Warehouse

  • Harbor can be managed with docker-compose; the commands must be run in the same directory as docker-compose.yml.
  • Take care when modifying the harbor.cfg configuration file:
  • First stop the existing Harbor instance and update harbor.cfg; then run the prepare script to populate the configuration; finally recreate and start the Harbor instance.
## must be executed in the /usr/local/harbor directory
docker-compose down -v      # shut down all containers
vim harbor.cfg
... ...
./prepare                   # regenerate the configuration
docker-compose up -d        # start the containers


1. System Management > User Management > + Users > Create User > Set as Administrator
2. Project > Project Name > Members > + Members > New Member > Developer

Test on the client

docker logout 192.168.153.40     # log out
docker login 192.168.153.40      # log in


docker pull 192.168.153.40/test/cirros:v1	        # download the v1 image
docker tag cirros 192.168.153.40/test/cirros:v3     # tag as v3
docker push 192.168.153.40/test/cirros:v3           # upload the v3 image


2.4 Migrating Harbor data

  • First shut down the harbor registry: docker-compose down -v
  • Copy the harbor data:

# Persistent data such as images and databases live in the host's /data/ directory; logs are in the host's /var/log/Harbor/ directory
# /data/database/  database contents, such as authentication data
# /data/registry/  image files

  • Copy the data directly to the corresponding directories on the target server and redeploy.
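
As an added example (not from the original post or the Harbor project), the following script packs the directories just listed into one archive with a SHA-256 manifest, so the copy can be verified on the target host before the redeploy rather than discovering a truncated transfer when the registry comes up with missing blobs. Paths are parameters; on a real server they are /data and /var/log/Harbor as named above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Harbor project):
# packs Harbor's persistent directories into one archive with a SHA-256
# manifest so the copy can be verified on the target host before redeploying.

# harbor_backup DATA_DIR LOG_DIR DEST_DIR -> prints the archive path.
# Run after `docker-compose down -v` so the database files are quiescent.
harbor_backup() {
    data=$1; log=$2; dest=$3
    mkdir -p "$dest"
    # paths are archived relative to / so they restore to the same place
    tar -C / -czf "$dest/harbor-backup.tar.gz" "${data#/}" "${log#/}"
    ( cd "$dest" && sha256sum harbor-backup.tar.gz > harbor-backup.sha256 )
    echo "$dest/harbor-backup.tar.gz"
}

# harbor_verify DEST_DIR -> 0 if the archive still matches its manifest
harbor_verify() {
    ( cd "$1" && sha256sum -c harbor-backup.sha256 ) >/dev/null 2>&1
}

# backup_contains DEST_DIR PATH_PREFIX -> 0 if the archive holds that path
# (use it to confirm data/registry and data/database made it in)
backup_contains() {
    tar -tzf "$1/harbor-backup.tar.gz" | grep -q "^$2"
}

# harbor_restore DEST_DIR -> verifies, then extracts to / keeping ownership
# and modes (run as root on the target, before docker-compose up -d)
harbor_restore() {
    harbor_verify "$1" || { echo "checksum mismatch, refusing to restore" >&2; return 1; }
    tar -C / -xzpf "$1/harbor-backup.tar.gz"
}

# Usage on the source server (not run here):
#   harbor_backup /data /var/log/Harbor /root/harbor-migration
#   scp /root/harbor-migration/harbor-backup.* target:/root/harbor-migration/
# On the target server, after docker-compose down -v:
#   harbor_restore /root/harbor-migration && docker-compose up -d
```

Ownership matters here: the registry and database containers run as fixed users and expect their files under /data to carry the same uid/gid on the target, which is why the restore uses tar's -p rather than a plain copy.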


Origin blog.csdn.net/weixin_51613313/article/details/115313185