Docker (six) Harbor

1. Introduction to Harbor

1. What is Harbor

Harbor is an open source, enterprise-grade Docker Registry project from VMware. Its goal is to let users stand up an enterprise-grade Docker Registry service quickly.

Built on Docker's open source Registry, Harbor adds the functions enterprise users need: a graphical management UI, role-based access control (RBAC), AD/LDAP integration and audit logging. It also ships with a Chinese-language UI.

Every Harbor component is packaged as a Docker container and the whole stack is deployed with docker-compose. The docker-compose template for deploying Harbor is harbor/docker-compose.yml.

2. What are the characteristics of Harbor

**(1) Role-based access control:** Users and repositories are organised by project, and a user can hold different permissions within a project (for example read-only or read/write on its images).

**(2) Image-based replication policy:** Images can be replicated (synchronised) between multiple Harbor instances.

**(3) LDAP/AD support:** Harbor can integrate with the enterprise's existing AD/LDAP directory (think of it as a table of users) to authenticate and manage existing users.

**(4) Image deletion and garbage collection:** Images can be deleted and the space they occupied reclaimed.

**(5) Graphical user interface:** Users can browse and search the image repository and manage projects from a browser.

**(6) Auditing:** Every operation against the image repository is recorded and can be traced for audit purposes.

**(7) RESTful API:** The RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.

(8) Relationship between Harbor and Docker Registry: Harbor essentially wraps the Docker Registry and extends it with its own business logic.

3. What components does Harbor consist of?

Harbor's architecture consists mainly of six components: Proxy, Registry, Core services, Database (harbor-db), Log collector (harbor-log) and Job services.


1) Proxy: Harbor's Registry, UI, Token service and the other components all sit behind an nginx reverse proxy. The proxy forwards requests from browsers and Docker clients to the appropriate backend service.

2) Registry: Stores Docker images and handles docker push/pull. Because access control is required (different users have different read/write permissions on images), the Registry is configured to point at a Token service and requires every pull/push request to carry a valid token. The Registry verifies the token's signature with the Token service's public key. The token is signed, not encrypted: anyone holding it can read its claims, and its trustworthiness comes entirely from that signature check.

3) Core services: The core functions of Harbor, which mainly provide the following three services:

UI (harbor-ui): Provides a graphical interface to help users manage images on the Registry and to authorise users.

Webhook: To learn about image status changes on the Registry in time, a webhook is configured on the Registry that passes the status change to the UI module.

Token service: Issues a token for each Docker push/pull command according to the user's permissions. When a Docker client requests the Registry without a token, the Registry answers with an authentication challenge that points at the Token service; the client obtains a token there and then repeats the request to the Registry with the token attached.

4) Database (harbor-db): Provides database services for the core services, storing data such as user permissions, audit logs and the grouping of Docker images into projects.

5) Job services: Mainly used for image replication; local images can be synchronised to remote Harbor instances.

6) Log collector (harbor-log): Collects the logs of the other components in one place.

Every Harbor component is built as a Docker container, so Docker Compose is used to deploy it.

In total 7 containers run, which can be listed by executing docker-compose ps in the directory containing docker-compose.yml. Their names are: nginx, harbor-jobservice, harbor-ui, harbor-db, harbor-adminserver, registry and harbor-log.

Among them, harbor-adminserver mainly acts as the back-end configuration data manager and does little else; all configuration data that harbor-ui operates on goes through harbor-adminserver as the configuration management centre.
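The token handshake described above, worked through offline as an added example (this is not Harbor's or Docker's code and is not from the original post). The realm URL, service name, repository and user are constructed to match the tutorial's host, and the JWT is minted with a throwaway RSA key generated by openssl in place of the key/root certificate that Harbor's prepare script creates; if openssl is absent, the script still shows the challenge parsing and claim decoding but skips the signing steps.

```bash
#!/usr/bin/env bash
# Added example (not Harbor's own code): the Docker Registry bearer-token handshake,
# run offline on constructed messages.
#   1. docker pull sends an unauthenticated request to the Registry
#   2. the Registry replies 401 with a WWW-Authenticate: Bearer challenge
#   3. the client turns that challenge into a GET on Harbor's token service
#   4. the token service returns a JWT; its "access" claim says what the Registry may allow,
#      and the Registry admits the request only if the RS256 signature checks out against
#      the token service's public key. It never asks the UI or database again.
# Realm, service name, repository, user and the RSA key are constructed for this example.
# A real Harbor token also carries expiry claims (token_expiration, 30 minutes by default).

# token_url_from_challenge 'Bearer realm="...",service="...",scope="..."' -> token request URL
token_url_from_challenge() {
    local realm service scope
    realm=$(printf '%s' "$1"   | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
    service=$(printf '%s' "$1" | sed -n 's/.*service="\([^"]*\)".*/\1/p')
    scope=$(printf '%s' "$1"   | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
    [ -n "$realm" ] || return 1
    printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# JWT segments are base64url without padding
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
    local s pad
    s=$(printf '%s' "$1" | tr '_-' '/+')
    pad=$(( (4 - ${#s} % 4) % 4 ))
    printf '%s%s' "$s" "$(printf '%*s' "$pad" '' | tr ' ' '=')" | base64 -d
}

# jwt_access_claim TOKEN -> the "access" array of the payload (readable by anyone: signed, not encrypted)
jwt_access_claim() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | sed -n 's/.*"access":\(\[.*]\).*/\1/p'
}

# rs256_sign SIGNING_INPUT PRIVATE_KEY_PEM -> base64url signature, as the token service produces it
rs256_sign() {
    printf '%s' "$1" | openssl dgst -sha256 -sign "$2" -binary | base64 | tr -d '\n=' | tr '+/' '-_'
}

# rs256_verify TOKEN PUBLIC_KEY_PEM -> 0 if the signature covers header.payload, as the Registry checks it
rs256_verify() {
    local sigfile rc
    sigfile=$(mktemp)
    b64url_decode "${1##*.}" > "$sigfile"
    printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" -signature "$sigfile" >/dev/null 2>&1
    rc=$?
    rm -f "$sigfile"
    return $rc
}

# make_demo_token USER REPO ACTIONS PRIVATE_KEY_PEM -> header.payload.signature
make_demo_token() {
    local header payload input
    header='{"alg":"RS256","typ":"JWT"}'
    payload="{\"iss\":\"harbor-token-issuer\",\"sub\":\"$1\",\"aud\":\"token-service\",\"access\":[{\"type\":\"repository\",\"name\":\"$2\",\"actions\":[$3]}]}"
    input="$(b64url_encode "$header").$(b64url_encode "$payload")"
    printf '%s.%s\n' "$input" "$(rs256_sign "$input" "$4")"
}

# swap_payload TOKEN NEW_PAYLOAD_JSON -> same header and signature, edited claims (what an attacker would try)
swap_payload() {
    printf '%s.%s.%s\n' "$(printf '%s' "$1" | cut -d. -f1)" "$(b64url_encode "$2")" "${1##*.}"
}

# --- walk-through on constructed data ---
CHALLENGE='Bearer realm="http://192.168.100.135/service/token",service="token-service",scope="repository:myproject-zqh/tomcat:pull"'
echo "client fetches token from: $(token_url_from_challenge "$CHALLENGE")"

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    openssl genrsa -out "$WORK/token.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/token.key" -pubout -out "$WORK/token.pub" 2>/dev/null
    TOKEN=$(make_demo_token zz myproject-zqh/tomcat '"pull"' "$WORK/token.key")
    echo "access claim: $(jwt_access_claim "$TOKEN")"
    rs256_verify "$TOKEN" "$WORK/token.pub" && echo "signature valid: Registry serves the pull"
    FORGED=$(swap_payload "$TOKEN" '{"sub":"zz","access":[{"type":"repository","name":"myproject-zqh/tomcat","actions":["pull","push"]}]}')
    rs256_verify "$FORGED" "$WORK/token.pub" || echo "edited claims, old signature: Registry rejects the push"
    rm -rf "$WORK"
fi
```

The forged-token step is the point of the design: granting permissions is the Token service's job, and the Registry only needs the public half of the key pair to enforce them, so whoever holds the private key (on the Harbor host, created by prepare unless customize_crt is off) can mint access to any repository.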


2. Harbor deployment

| Service name | Operating system | IP | Components |
|---|---|---|---|
| Harbor server | CentOS 7.4 | 192.168.100.135 | docker-ce, docker-compose, harbor-offline-v1.2.2 |
| Client server | CentOS 7.4 | 192.168.100.142 | docker-ce |

Turn off the firewall and SELinux on all servers. This is a lab shortcut: on a production host open only the ports Harbor's proxy listens on (80, plus 443 when ui_url_protocol is https) and leave SELinux enforcing.

systemctl stop firewalld

setenforce 0

setenforce 0 only switches SELinux to permissive mode until the next reboot.

Harbor server

1. Download docker-compose and the Harbor offline installer (here the files were simply uploaded to /opt on the server)

2. Make docker-compose executable, move it into /usr/local/bin and check the version

[root@bogon opt]# chmod +x docker-compose 
[root@bogon opt]# mv docker-compose /usr/local/bin/
[root@bogon opt]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3


3. Unpack the Harbor installer and edit the configuration file

[root@bogon opt]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

[root@bogon opt]# vim /usr/local/harbor/harbor.cfg 

## line 5 ## set to the IP address of the Harbor server
 hostname = 192.168.100.135
## line 59 ## replace the default password with your own
harbor_admin_password = abc123

abc123 is the value used in this walkthrough; pick a long, unique admin password for any instance other people can reach, because with ui_url_protocol = http the same password is also sent in clear text by docker login.


The harbor.cfg file contains two kinds of parameters: required parameters and optional parameters.

1. Required parameters: these must be set in harbor.cfg. If you change them, run install.sh again to reinstall Harbor so that the new values take effect. They are:

- hostname: used to access the UI and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine, e.g. 192.168.80.10 or hub.clj.cn. Do not use localhost or 127.0.0.1 as the hostname, since Docker clients on other machines are redirected to this address to fetch their tokens.

- ui_url_protocol: (http or https, default http) the protocol used to access the UI and the token/notification service. If Notary is enabled, this parameter must be https.

- max_job_workers: number of image replication job worker threads.

- db_password: password of the MySQL database root user used for db_auth.

- customize_crt: on or off, default on. When on, the prepare script creates a private key and root certificate used to generate and verify registry tokens. Set it to off when the key and root certificate are supplied from an external source.

- ssl_cert: path to the SSL certificate; it only applies when the protocol is set to https.
- secretkey_path: path of the key used to encrypt or decrypt the remote registry password in replication policies.

2. Optional parameters: these are optional for updates, i.e. the user can leave them at their defaults and update them from the Web UI after Harbor starts. If they are set in harbor.cfg they take effect only the first time Harbor starts; later changes to these parameters in harbor.cfg are ignored.

Note: if you choose to set these parameters from the UI, do so immediately after Harbor starts. In particular, the required auth_mode must be set before any new user registers or is created in Harbor. Once the system contains users (other than the default admin), auth_mode can no longer be changed.

The parameters are:

- email: Harbor needs these settings to send "password reset" emails to users; enable them only if that feature is needed. Note that an SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE.

- harbor_admin_password: the administrator's initial password; it takes effect only the first time Harbor starts. After that the setting is ignored and the admin password should be changed in the UI. Note that the default username/password is admin/Harbor12345.

- auth_mode: the authentication type. By default it is db_auth, i.e. credentials are stored in the database. For LDAP authentication set it to ldap_auth.

- self_registration: enables or disables user self-registration. When disabled, new users can only be created by the admin user. Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.

- token_expiration: expiry time, in minutes, of the tokens created by the token service; default 30 minutes.

- project_creation_restriction: controls which users may create projects. By default everyone can create a project. Set it to "adminonly" so that only admin can create projects.

- verify_remote_cert: on or off, default on. This flag determines whether Harbor verifies the SSL/TLS certificate when it talks to a remote registry instance. Setting it to off bypasses SSL/TLS verification, which is often done when the remote instance has a self-signed or untrusted certificate; bear in mind that it also lets anyone who can impersonate that host intercept the replication traffic and the credentials Harbor sends it, so importing the remote CA is the safer fix.

By default, Harbor stores images on the local filesystem. In production, consider another storage backend instead of the local filesystem, such as S3, OpenStack Swift or Ceph object storage. This requires updating the common/templates/registry/config.yml file.
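An added check for the settings just described (example script, not part of the original post or of Harbor's installer). It lints a harbor.cfg before install.sh is run and flags the values from this walkthrough that would be weak outside a lab: plain http, a short or default admin password, open self-registration, unrestricted project creation and verify_remote_cert = off. The two sample configuration files it writes are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post or of Harbor): a pre-install lint for the
# security-relevant harbor.cfg settings. It reads the INI-style "key = value" lines that
# harbor.cfg 1.x uses and reports settings that would ship a weak registry.
# The sample configs written by write_sample_cfgs are constructed for this demo.

# cfg_get FILE KEY -> prints the value of KEY (empty if unset or commented out)
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_harbor_cfg FILE -> prints one finding per line, returns the number of findings (0 = clean)
check_harbor_cfg() {
    local cfg="$1" findings=0 v

    v=$(cfg_get "$cfg" hostname)
    case "$v" in
        ""|localhost|127.0.0.1)
            echo "hostname='$v': must be the host's IP/FQDN, other clients are redirected here for tokens"
            findings=$((findings + 1)) ;;
    esac

    v=$(cfg_get "$cfg" ui_url_protocol)
    if [ "$v" != "https" ]; then
        echo "ui_url_protocol='$v': docker login passwords and tokens travel in clear text over http"
        findings=$((findings + 1))
    fi

    v=$(cfg_get "$cfg" harbor_admin_password)
    if [ -z "$v" ] || [ "$v" = "Harbor12345" ] || [ "${#v}" -lt 12 ]; then
        echo "harbor_admin_password: default, empty or shorter than 12 characters"
        findings=$((findings + 1))
    fi

    v=$(cfg_get "$cfg" verify_remote_cert)
    if [ "$v" = "off" ]; then
        echo "verify_remote_cert=off: replication accepts any certificate from the remote registry"
        findings=$((findings + 1))
    fi

    v=$(cfg_get "$cfg" self_registration)
    if [ "$v" = "on" ]; then
        echo "self_registration=on: anyone who can reach the UI can create an account"
        findings=$((findings + 1))
    fi

    v=$(cfg_get "$cfg" project_creation_restriction)
    if [ "$v" != "adminonly" ]; then
        echo "project_creation_restriction='$v': every user can create projects"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# write_sample_cfgs DIR -> constructed configs: the tutorial's values and a hardened variant
write_sample_cfgs() {
    cat > "$1/weak.cfg" <<'EOF'
hostname = 192.168.100.135
ui_url_protocol = http
harbor_admin_password = abc123
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = off
EOF
    cat > "$1/hardened.cfg" <<'EOF'
hostname = hub.example.internal
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
harbor_admin_password = Str0ng-Unique-Pass!
self_registration = off
project_creation_restriction = adminonly
verify_remote_cert = on
EOF
}

DEMO=$(mktemp -d)
write_sample_cfgs "$DEMO"
for f in weak hardened; do
    echo "== $f.cfg"
    if check_harbor_cfg "$DEMO/$f.cfg"; then echo "no findings"; else echo "$? finding(s)"; fi
done
rm -rf "$DEMO"
```

Run check_harbor_cfg /usr/local/harbor/harbor.cfg before ./install.sh; the exit status is the number of findings. The checks cover only the parameters listed above and say nothing about the certificate named by ssl_cert itself.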

4. Start the harbor service

[root@bogon opt]# cd /usr/local/harbor/
[root@bogon harbor]# ./install.sh 


5. View the running Harbor containers

[root@bogon harbor]# docker-compose ps

6. Create a new project for testing

Visit http://192.168.100.135 and log in as admin with the password set in harbor.cfg. Note that over http the login form, like docker login, sends the password in clear text.

7. Log in with the Docker CLI on the Harbor server itself via 127.0.0.1 and push an image locally. By default Harbor's nginx proxy listens on port 80. This works without any client-side configuration only because the Docker daemon treats loopback addresses (127.0.0.0/8) as insecure registries and allows plain HTTP to them; from any other host the same login fails, as step 9 shows.

8. Check in the web UI that the image now exists in the private repository

9. Push images from other clients

The steps above were performed locally on the Harbor server. When another client tries to log in to Harbor it fails: Docker clients use HTTPS by default when talking to a registry, while this Harbor instance was built to serve plain HTTP, so the client reports an error as soon as it interacts with the private registry.

The workaround is as follows:

(1) Configure the Docker client's daemon to use plain HTTP for this registry, by declaring 192.168.100.135 an insecure registry on the dockerd command line in the unit file (the equivalent is the "insecure-registries" key in /etc/docker/daemon.json, which survives package upgrades):

[root@zqh systemd]# cd /usr/lib/systemd/system
[root@zqh system]# vim docker.service

"Insecure" here is literal: every docker login password and every image layer exchanged with 192.168.100.135 now crosses the network unencrypted and unauthenticated. For anything beyond a lab, switch Harbor to ui_url_protocol = https and distribute its CA certificate to the clients instead.

(2) Reload systemd, restart Docker and log in to Harbor again.
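Both ways of making a client accept this registry, as an added example (not Docker's or Harbor's code, and not from the original post): a function that reports whether a Harbor host is trusted through a CA certificate in certs.d, listed as an insecure registry, or neither, plus helpers that install the CA and build the image reference used by docker tag/push. DOCKER_DIR defaults to /etc/docker; the demo works in a temporary directory with a placeholder certificate, both constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from Docker/Harbor: the two ways a
# Docker client can be made to talk to the Harbor host from step 9, with a check that
# tells you which one is in effect before you run "docker login".
#   insecure : the host is listed in insecure-registries (daemon.json) or dockerd was started
#              with --insecure-registry; the daemon falls back to plain HTTP, so the password
#              sent by "docker login" and every pulled layer cross the network unencrypted.
#   tls-ca   : Harbor runs with ui_url_protocol = https and its CA certificate is installed
#              under /etc/docker/certs.d/<registry>/ca.crt; the daemon verifies the server.
# DOCKER_DIR defaults to /etc/docker; the temp directory and placeholder cert are constructed.

# registry_trust_state REGISTRY [DOCKER_DIR] -> prints tls-ca | insecure | none
registry_trust_state() {
    local reg="$1" dir="${2:-/etc/docker}"
    if [ -s "$dir/certs.d/$reg/ca.crt" ]; then
        echo tls-ca
    elif [ -f "$dir/daemon.json" ] &&
         tr -d '\n' < "$dir/daemon.json" |
         sed -n 's/.*"insecure-registries"[^[]*\[\([^]]*\)\].*/\1/p' | grep -qF "\"$reg\""; then
        echo insecure
    else
        echo none   # dockerd will insist on a trusted HTTPS certificate and fail against plain HTTP
    fi
}

# install_registry_ca REGISTRY CA_PEM [DOCKER_DIR] -> put the CA where dockerd looks for it
install_registry_ca() {
    local reg="$1" ca="$2" dir="${3:-/etc/docker}"
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    mkdir -p "$dir/certs.d/$reg" && cp "$ca" "$dir/certs.d/$reg/ca.crt"
}

# harbor_ref REGISTRY PROJECT IMAGE TAG -> the reference Harbor expects: <host>/<project>/<image>:<tag>
harbor_ref() { printf '%s/%s/%s:%s\n' "$1" "$2" "$3" "$4"; }

# harbor_push SRC_IMAGE REGISTRY PROJECT IMAGE TAG -> tag and push (needs docker and a prior docker login)
harbor_push() {
    local ref
    ref=$(harbor_ref "$2" "$3" "$4" "$5")
    [ "$(registry_trust_state "$2")" != none ] ||
        { echo "$2: install its CA (or, for a lab, list it in insecure-registries) first" >&2; return 1; }
    docker tag "$1" "$ref" && docker push "$ref"
}

# --- demo on a throwaway directory standing in for /etc/docker ---
DEMO=$(mktemp -d)
REG=192.168.100.135
echo "fresh client:      $(registry_trust_state "$REG" "$DEMO")"
printf '{ "insecure-registries": ["%s"] }\n' "$REG" > "$DEMO/daemon.json"     # lab fix from step 9
echo "after daemon.json: $(registry_trust_state "$REG" "$DEMO")"
printf -- '-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder)\n-----END CERTIFICATE-----\n' > "$DEMO/harbor-ca.crt"
install_registry_ca "$REG" "$DEMO/harbor-ca.crt" "$DEMO"                      # production fix
echo "after certs.d:     $(registry_trust_state "$REG" "$DEMO")"
echo "push target:       $(harbor_ref "$REG" myproject-zqh cirros latest)"
rm -rf "$DEMO"
```

On the client from step 9, registry_trust_state 192.168.100.135 prints none before the fix and insecure after it. Once Harbor is switched to https, install_registry_ca 192.168.100.135 harbor-ca.crt (as root) replaces that entry, and the insecure-registries setting should then be removed so the daemon no longer falls back to HTTP.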

10. Pull the tomcat image from the Harbor repository

11. Pull the cirros image from the public network and push it to our Harbor repository

12. Log in to the web interface to check

3. Maintenance and management of Harbor

1. Create a project through the Harbor web UI

In Harbor, every image must belong to a project before it can be pushed to the registry.

Click "+Project" and fill in the project name. For a private project leave the "Public" box unchecked. If the project is public, everyone has read permission on the images under it and no docker login is needed to pull them, just as with Docker Hub; pushing still requires an account with write permission in the project.

2. Create a Harbor user

(1) Create the user and assign permissions

In the web management interface click System Management --> User Management --> +User.

Fill in the username "zz", the email address "[email protected]", the full name "zzz", the password "13579Abc" and the comment "administrator" (optional). Then add the user as a member of the project with the role it needs; a new account has no access to private projects until it is granted one.

(2) Operate on images from the client as the ordinary user

3. Remove the Harbor service containers while keeping the image data and database, then migrate

// on the Harbor server
(1) Remove the Harbor service containers

cd /usr/local/harbor
docker-compose down -v

docker-compose down -v also deletes any named volumes declared in docker-compose.yml. Harbor's persistent data lives in bind mounts (the /data/ directory of the host, logs under /var/log/harbor/), which down -v does not touch; run docker volume ls first if you have customised the compose file.

(2) Package the image data of the project
// persistent data such as images and the database live under /data/ on the host, logs under /var/log/harbor/

ls /data/registry/docker/registry/v2/repositories/myproject-zqh
cd /data/registry/docker/registry/v2/repositories/myproject-zqh
tar zcvf kgc-registry.tar.gz ./*

Be aware that the repositories/ tree only holds manifests, tags and links to layers; the layer and config content itself is stored under /data/registry/docker/registry/v2/blobs/. An archive of the project directory alone will not restore pullable images on the target, so the referenced blobs (or the whole /data/registry tree) have to be moved as well, together with the database directory under /data/ that holds users, projects and permissions.
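An added example for the packaging step (not from the original post): it archives a project's repositories/ directory together with the blobs those repositories reference and writes a SHA-256 manifest, so the target host can check the archive before unpacking it under its own /data/registry. The sample registry tree it builds (one project, one image, two digests) is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: package one project's registry data for
# migration with an integrity manifest. Unlike tarring repositories/<project> alone, the
# archive also carries the blobs referenced by the project's layer and manifest links,
# and a tar failure on a missing blob exposes a corrupt store before the move.
# Paths follow the tutorial's /data/registry layout; the sample tree is constructed.

# project_blobs DATA_ROOT PROJECT -> blob dirs (relative to v2/) referenced by the project's link files
project_blobs() {
    local v2="$1/registry/docker/registry/v2" link digest
    find "$v2/repositories/$2" -type f -name link 2>/dev/null | while read -r link; do
        digest=$(sed 's/^sha256://' "$link" | tr -d '[:space:]')       # link files hold "sha256:<hex>"
        printf 'blobs/sha256/%s/%s\n' "$(printf '%s' "$digest" | cut -c1-2)" "$digest"
    done | sort -u
}

# backup_project DATA_ROOT PROJECT OUT_DIR -> OUT_DIR/<project>-registry.tar.gz plus .sha256
backup_project() {
    local root="$1" project="$2" out="$3"
    local v2="$root/registry/docker/registry/v2" list
    [ -d "$v2/repositories/$project" ] || { echo "no such project: $project" >&2; return 1; }
    mkdir -p "$out"
    list=$(mktemp)
    { echo "repositories/$project"; project_blobs "$root" "$project"; } > "$list"
    # paths are relative to v2/ so the archive unpacks into the same layout on the target
    tar -C "$v2" -czf "$out/$project-registry.tar.gz" -T "$list" || { rm -f "$list"; return 1; }
    rm -f "$list"
    ( cd "$out" && sha256sum "$project-registry.tar.gz" > "$project-registry.tar.gz.sha256" )
}

# verify_backup OUT_DIR PROJECT -> 0 if the archive still matches its manifest (run this on the target too)
verify_backup() {
    ( cd "$1" && sha256sum -c "$2-registry.tar.gz.sha256" >/dev/null )
}

# list_backup OUT_DIR PROJECT -> the <project>/<image> repositories contained in the archive
list_backup() {
    tar -tzf "$1/$2-registry.tar.gz" | sed -n 's#^repositories/\([^/]*/[^/]*\)/_manifests/.*#\1#p' | sort -u
}

# make_sample_store DIR -> constructed stand-in for /data with one project, one image, one layer
make_sample_store() {
    local v2="$1/registry/docker/registry/v2"
    local layer=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    local manifest=abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
    local repo="$v2/repositories/myproject-zqh/cirros"
    mkdir -p "$repo/_layers/sha256/$layer" "$repo/_manifests/revisions/sha256/$manifest" \
             "$repo/_manifests/tags/latest/current" \
             "$v2/blobs/sha256/01/$layer" "$v2/blobs/sha256/ab/$manifest"
    echo "sha256:$layer"    > "$repo/_layers/sha256/$layer/link"
    echo "sha256:$manifest" > "$repo/_manifests/revisions/sha256/$manifest/link"
    echo "sha256:$manifest" > "$repo/_manifests/tags/latest/current/link"
    echo "layer bytes (constructed)"   > "$v2/blobs/sha256/01/$layer/data"
    echo "manifest json (constructed)" > "$v2/blobs/sha256/ab/$manifest/data"
}

# --- demo ---
DEMO=$(mktemp -d)
make_sample_store "$DEMO/data"
backup_project "$DEMO/data" myproject-zqh "$DEMO/out"
echo "archived repositories: $(list_backup "$DEMO/out" myproject-zqh)"
echo "blobs carried along:"; project_blobs "$DEMO/data" myproject-zqh
verify_backup "$DEMO/out" myproject-zqh && echo "checksum OK: copy the .tar.gz and .sha256 to the target and re-run verify_backup there"
rm -rf "$DEMO"
```

On the real host this is backup_project /data myproject-zqh /root/harbor-backup, and on the target the archive is unpacked with tar -C /data/registry/docker/registry/v2 -xzf before Harbor is started; the database directory under /data/ still has to be moved separately, since the registry files carry no users, projects or permissions.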

Origin: blog.csdn.net/weixin_54059979/article/details/123605627