Introduction and basic architecture of Harbor
Harbor Installation and Configuration Guide
Harbor can be installed and deployed in the following three ways:
- Online installation: the installer is small because it downloads the official Harbor images from Docker Hub during installation, so the target host needs Internet access.
- Offline installation: the package already contains the pre-built images, which makes it much larger; use it when the target host has no Internet connection.
- Virtual appliance: generally used to run a private registry as a component of a third-party platform such as vSphere; download the OVA version of Harbor.
See the official download page for the packages.
To install Harbor's virtual appliance, see the virtual appliance installation guide.
This guide mainly explains how to install and configure Harbor step by step using the online and offline methods; the installation steps are basically the same for both.
If you are running an old version of Harbor, its data may need to be migrated to the new database schema; see the migration guide for the detailed steps.
For deployment on Kubernetes, see the Harbor on Kubernetes guide.
Harbor dependencies
Harbor runs on the server as a set of Docker containers, so it can be deployed on any Linux distribution. Python, the Docker engine and Docker Compose must be installed on the target host:
- Python 2.7 or later; prefer the Python package shipped by the distribution.
- Docker engine 1.10 or later (1.12 is current at the time of writing); see the Docker installation guide.
- Docker Compose 1.6.0 or later; see the Compose installation guide.
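As an added example (not code from the Harbor project or from the original guide), the following POSIX shell script checks the three host dependencies above against the minimum versions the guide lists. The way each tool's version string is obtained (`python --version`, `docker version --format`, `docker-compose version --short`) is an assumption about those tools' output, and the comparison deliberately ignores suffixes such as `-ce` so that vendor builds still pass.

```sh
#!/bin/sh
# Added example: pre-flight check of Harbor's host dependencies.
# Not part of the Harbor project; minimums are the ones quoted in this guide.

# version_ge A B: exit 0 when dotted version A is >= B. Compares the first three
# numeric fields; a leading non-digit prefix and any suffix after the digits
# (e.g. "-ce" in "1.12.6-ce") are ignored. Missing fields count as 0.
version_ge() {
    v=$(printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//').0.0
    m=$(printf '%s\n' "$2" | sed 's/^[^0-9]*//; s/[^0-9.].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$v" | cut -d. -f"$i")
        b=$(printf '%s\n' "$m" | cut -d. -f"$i")
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_tool NAME MINIMUM FOUND: print a verdict, exit 0 when FOUND satisfies MINIMUM.
check_tool() {
    if [ -z "$3" ]; then
        echo "FAIL: $1 not found (need >= $2)"
        return 1
    fi
    if version_ge "$3" "$2"; then
        echo "ok:   $1 $3 (>= $2)"
        return 0
    fi
    echo "FAIL: $1 $3 is older than the required $2"
    return 1
}

# preflight: query the installed tools (output formats assumed) and report all three.
preflight() {
    rc=0
    check_tool python "2.7" "$(python --version 2>&1 | awk '{print $2}')" || rc=1
    check_tool docker "1.10" "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" || rc=1
    check_tool docker-compose "1.6.0" "$(docker-compose version --short 2>/dev/null)" || rc=1
    return "$rc"
}

# Usage: preflight && ./install.sh
```

Run `preflight` as the user who will execute install.sh; `docker version` queries the daemon, so a permission error here also tells you that the Docker socket is not reachable from that account.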
Harbor installation and configuration
The installation steps are as follows:
- Download the installation package;
- Modify the relevant configuration in harbor.cfg;
- Run install.sh to install and start Harbor.
1. Download the installation package
Download the binary package from the Harbor download page, choosing either the online or the offline package, then extract it with tar:
Online package installation:
$ tar xvf harbor-online-installer-<version>.tgz
Offline package installation:
$ tar xvf harbor-offline-installer-<version>.tgz
2. Configure Harbor
Configuration parameters are placed in the file harbor.cfg. The parameters are explained below; at minimum the hostname parameter must be configured.
- hostname: the hostname of the target host, used to access the Harbor UI and the registry. It can be an IP address or a fully qualified domain name, such as 192.168.1.10 or reg.yourdomain.com. Do not use localhost or 127.0.0.1 as the hostname: the registry service must be reachable by external clients under this name.
- ui_url_protocol: (http or https; the default is http) the protocol used to access the UI and the token/notification service. To use https, see Configure Harbor to support the https protocol. Plain http sends passwords and registry tokens in clear text, so it is only acceptable in isolated test environments.
- Email settings: used by Harbor to send e-mail, for example password-reset messages. Changing them is optional. Note: SSL is not enabled by default; if the SMTP server requires SSL, set email_ssl = true.
  email_server = smtp.mydomain.com
  email_server_port = 25
  email_username = sample_admin@mydomain.com
  email_password = abc
  email_from = admin <sample_admin@mydomain.com>
  email_ssl = false
- harbor_admin_password: the initial password of the administrator. It takes effect only the first time Harbor starts; after that it is ignored, and the administrator's password is changed in the UI. The default username and password are admin/Harbor12345. Change this value before the first start: the default is public knowledge and is the only administrative credential of a fresh installation.
- auth_mode: the authentication method. The default is db_auth, where user credentials are stored in Harbor's local database. To authenticate against LDAP/AD, use ldap_auth.
- ldap_url: URL of the LDAP server (e.g. ldaps://ldap.mydomain.com). Only used when auth_mode is set to ldap_auth. Prefer ldaps://; with plain ldap:// the bind password and every user's password cross the network unencrypted.
- ldap_searchdn: DN of the account Harbor binds as to search the LDAP/AD directory (e.g. uid=admin,ou=people,dc=mydomain,dc=com).
- ldap_search_pwd: password of the ldap_searchdn account set above.
- ldap_basedn: base DN under which users are searched for (e.g. ou=people,dc=mydomain,dc=com). Only used when auth_mode is set to ldap_auth.
- ldap_filter: user search filter, e.g. (objectClass=person).
- ldap_uid: the attribute used to match a user in the LDAP search; it can be uid, cn, email or another attribute.
- ldap_scope: user search scope: 1 = LDAP_SCOPE_BASE, 2 = LDAP_SCOPE_ONELEVEL, 3 = LDAP_SCOPE_SUBTREE. The default is 3.
- db_password: root password of the MySQL database used with db_auth. Set your own value rather than keeping the one shipped in the template.
- self_registration: (on or off; default on) enables or disables user self-registration. When disabled, new users can only be created by the admin user. Note: when auth_mode is set to ldap_auth, self-registration is always off and this parameter is ignored. With db_auth, leaving it on lets anyone who can reach the UI create an account, so turn it off on a registry that is not meant to be public.
- use_compressed_js: (on or off; default on) for production use, set it to on. Set it to off in development mode so that the JS files can be modified individually.
- max_job_workers: (default 3) the maximum number of workers in the job service. Each image replication task gets one worker, which synchronises all tags of a repository to the remote registry. Increasing this value allows more concurrent replication tasks, but every worker consumes network, CPU and I/O, so set it according to the system's resources.
- secret_key: the key used to encrypt and decrypt the remote registry password stored in replication policies. It must be exactly 16 characters long and must be changed in production; generate it randomly rather than choosing a word. Note: after changing this key, passwords encrypted under the old key can no longer be decrypted, so the affected replication policies must have their passwords re-entered.
- token_expiration: validity of the tokens issued by the token service, in minutes; the default is 30.
- verify_remote_cert: (on or off; default on) whether to verify the SSL/TLS certificate when Harbor talks to a remote registry instance during replication. Set it to off only when the remote registry uses a self-signed or otherwise untrusted certificate; with verification off, the connection carrying the replication credentials and image data can be intercepted by anyone on the path to the remote registry.
- customize_crt: (on or off; default on) when on, a script generates the private key and root certificate used to sign and verify registry tokens. The following parameters feed that generation: crt_country, crt_state, crt_location, crt_organization, crt_organizationalunit, crt_commonname, crt_email. When set to off, the key and root certificate are taken from an external source; see Custom certificate for Harbor token service.
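Several of the parameters above ship with values that must not survive into production (the admin password, secret_key, db_password, verify_remote_cert and the UI protocol). The script below is an added example, not part of Harbor or of the original guide: it reads harbor.cfg as "key = value" lines and reports the settings a reviewer would flag before running install.sh. The two placeholder values it treats as known-weak, secret_key = not-a-secure-key and db_password = root123, are assumed to be the ones shipped in the harbor.cfg template of this Harbor generation; check them against your own template.

```sh
#!/bin/sh
# Added example: audit a harbor.cfg before install.sh. Not part of the Harbor project.
# Assumed template placeholders (treated as known-weak): not-a-secure-key, root123.

# cfg_get FILE KEY: value of the first "KEY = value" line; '#' comment lines never match.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_harbor_cfg FILE: one finding per line on stdout; return value = number of findings.
audit_harbor_cfg() {
    f=$1
    n=0
    finding() { echo "$1"; n=$((n + 1)); }

    case "$(cfg_get "$f" hostname)" in
        ""|localhost|127.0.0.1)
            finding "hostname: must be an IP or FQDN reachable by clients, not localhost/127.0.0.1" ;;
    esac

    [ "$(cfg_get "$f" ui_url_protocol)" = https ] ||
        finding "ui_url_protocol: http sends passwords and registry tokens in clear text"

    [ "$(cfg_get "$f" harbor_admin_password)" != Harbor12345 ] ||
        finding "harbor_admin_password: still the public default Harbor12345"

    key=$(cfg_get "$f" secret_key)
    if [ "${#key}" -ne 16 ]; then
        finding "secret_key: must be exactly 16 characters (got ${#key})"
    elif [ "$key" = not-a-secure-key ]; then
        finding "secret_key: still the template placeholder; replication passwords are not protected"
    fi

    [ "$(cfg_get "$f" verify_remote_cert)" != off ] ||
        finding "verify_remote_cert: off disables TLS verification towards remote registries (MITM risk)"

    [ "$(cfg_get "$f" db_password)" != root123 ] ||
        finding "db_password: still the template placeholder"

    if [ "$(cfg_get "$f" auth_mode)" = ldap_auth ]; then
        case "$(cfg_get "$f" ldap_url)" in
            ldaps://*) ;;
            *) finding "ldap_url: not ldaps://, bind and user passwords cross the network unencrypted" ;;
        esac
    elif [ "$(cfg_get "$f" self_registration)" = on ]; then
        finding "self_registration: on with db_auth lets anyone reaching the UI create an account"
    fi

    return "$n"
}

# Usage: audit_harbor_cfg ./harbor.cfg && echo "harbor.cfg: no findings"
```

The return value is the number of findings, so the usage line above doubles as a gate in a deployment script: install.sh only runs when the audit is clean.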
3. Configure backend storage (optional)
By default, Harbor stores image layers on the local file system. In a production environment, consider a storage backend such as S3, OpenStack Swift or Ceph instead. The backend is selected in the file templates/registry/config.yml. For example, to use OpenStack Swift as the storage backend, the corresponding configuration looks like this:
```yaml
storage:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images
```
Note: for details about the storage backends of the Docker registry, see the registry configuration reference. The credentials in this file are copied into the registry container's configuration, so keep the file's permissions tight, and use an https authurl where Keystone offers one so the password is not sent in clear text.
4. Complete the installation and start Harbor
Once harbor.cfg and the storage backend are configured, run the install.sh script to install and start the Harbor services. This may take some time, because the images Harbor needs are downloaded from Docker Hub (online installer) or loaded from the package (offline installer).
$ sudo ./install.sh
If the script completes without errors, open the hostname configured in harbor.cfg in a browser, for example http://reg.yourdomain.com, and log in with the admin user. Default admin credentials: admin/Harbor12345.
After logging in as admin, first create a project, for example myproject. Users can then log in with docker login and push images (the default registry service listens on port 80):
$ docker login reg.yourdomain.com
$ docker push reg.yourdomain.com/myproject/myrepo:mytag
Important note: a default installation of Harbor serves plain HTTP, which the Docker client refuses unless the registry is marked as insecure. Users must start the Docker daemon with --insecure-registry reg.yourdomain.com (or add "insecure-registries": ["reg.yourdomain.com"] to /etc/docker/daemon.json) and restart Docker. With this setting docker login sends the user's password in clear text, so treat it as a stopgap until HTTPS is configured.
For more information on using Harbor, see the Harbor User Guide.
5. Configure Harbor to support HTTPS access
Harbor does not ship with any certificates and serves plain HTTP by default. This is simpler for deployment or test environments but is not recommended in production, because passwords and registry tokens are exposed on the wire. To enable HTTPS, see Configure Harbor to support https.
Manage Harbor's lifecycle
You can use docker-compose to manage the entire lifecycle of Harbor. The corresponding management commands follow; note that docker-compose must be run in the directory that contains docker-compose.yml:
Stop Harbor service:
$ sudo docker-compose stop
Stopping harbor_proxy_1 ... done
Stopping harbor_ui_1 ... done
Stopping harbor_registry_1 ... done
Stopping harbor_mysql_1 ... done
Stopping harbor_log_1 ... done
Stopping harbor_jobservice_1 ... done
Start Harbor service:
$ sudo docker-compose start
Starting harbor_log_1
Starting harbor_mysql_1
Starting harbor_registry_1
Starting harbor_ui_1
Starting harbor_proxy_1
Starting harbor_jobservice_1
To change Harbor's configuration, first stop and remove the running instance, update harbor.cfg, then run install.sh again:
$ sudo docker-compose down
$ vim harbor.cfg
$ sudo ./install.sh
Remove Harbor's containers while keeping the image data and database files:
$ sudo docker-compose rm
Going to remove harbor_proxy_1, harbor_ui_1, harbor_registry_1, harbor_mysql_1, harbor_log_1, harbor_jobservice_1
Are you sure? [yN] y
Removing harbor_proxy_1 ... done
Removing harbor_ui_1 ... done
Removing harbor_registry_1 ... done
Removing harbor_mysql_1 ... done
Removing harbor_log_1 ... done
Removing harbor_jobservice_1 ... done
Remove Harbor's database and image data (usually before a clean installation; this is irreversible, so take a backup of /data first if anything in it matters):
$ rm -r /data/database
$ rm -r /data/registry
For more commands, see the docker-compose usage guide.
Persistent data and log files
By default, registry data is persisted under the target host's /data/ directory, so it survives when a Harbor container is deleted or recreated. Harbor also uses rsyslog to collect the logs of each container; by default they are written under /var/log/harbor/ on the target host for troubleshooting. Both directories hold sensitive material (image layers, the database, and logs recording who pushed and pulled what), so restrict access to them and include them in backups.
Configure Harbor to listen on a custom port
By default, Harbor listens on port 80 (and on 443 once HTTPS is configured) as the entry point for the UI and the registry. Both ports can be customized. The proxy's host port and the port in the registry's token realm must be changed together: the registry hands clients the realm URL to fetch a token from, and if it points at a port nothing listens on, every docker login and push fails.
HTTP protocol
1. Modify the docker-compose.yml file and change the host side of the proxy service's port mapping, e.g. 8888:80:
```yaml
proxy:
  image: library/nginx:1.11.5
  restart: always
  volumes:
    - ./config/nginx:/etc/nginx
  ports:
    - 8888:80
    - 443:443
  depends_on:
    - mysql
    - registry
    - ui
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"
```
2. Modify the template file templates/registry/config.yml and append the custom port ":8888" to the "$ui_url" parameter of the token realm:
```yaml
auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:8888/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
```
3. Run install.sh to apply the change and start Harbor:
$ sudo docker-compose down
$ sudo ./install.sh
HTTPS protocol
1. Enable HTTPS first; see the Configure Harbor to support https guide.
2. Modify the docker-compose.yml file and change the 443 port mapping, for example 4443:443:
```yaml
proxy:
  image: library/nginx:1.11.5
  restart: always
  volumes:
    - ./config/nginx:/etc/nginx
  ports:
    - 80:80
    - 4443:443
  depends_on:
    - mysql
    - registry
    - ui
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"
```
3. Modify the template file templates/registry/config.yml and append the custom port ":4443" to "$ui_url" in the token realm:
```yaml
auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:4443/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
```
4. Run install.sh to apply the change and start Harbor:
$ sudo docker-compose down
$ sudo ./install.sh
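The HTTP and HTTPS procedures above edit the same two files in the same way, differing only in which container port (80 or 443) is remapped. The following script is an added example, not part of Harbor or of the original guide: it performs both edits in one step and refuses anything but http/https and a numeric port, so that the proxy mapping and the token realm cannot drift apart. It assumes the file layout this page describes (docker-compose.yml with a proxy service, templates/registry/config.yml with a realm line containing $ui_url); the sample inputs in the usage are constructed.

```sh
#!/bin/sh
# Added example: apply the custom-port procedure to the two files it touches.
# Not part of the Harbor project; assumes the docker-compose.yml and
# templates/registry/config.yml layout described on this page.

# set_harbor_port COMPOSE_FILE REGISTRY_TEMPLATE SCHEME PORT
#   SCHEME is http or https; PORT is the host port nginx should be published on.
#   Rewrites the host side of the proxy mapping (N:80 or N:443) and the port in the
#   token realm; the two must agree or the registry sends clients to a dead URL.
set_harbor_port() {
    compose=$1; tmpl=$2; scheme=$3; port=$4
    case "$scheme" in
        http)  container=80 ;;
        https) container=443 ;;
        *) echo "scheme must be http or https" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    # "- 80:80" or "- 8888:80" -> "- PORT:80"; only the proxy's mappings end in :80 / :443,
    # so the log service's "- 1514:514" is left alone. Re-running is idempotent.
    sed -i.bak "s/^\([[:space:]]*-[[:space:]]*\)[0-9]*:$container\$/\1$port:$container/" "$compose"
    # "realm: $ui_url/service/token" or "realm: $ui_url:OLD/service/token"
    #   -> "realm: $ui_url:PORT/service/token"
    sed -i.bak 's/\(realm:[[:space:]]*\$ui_url\)\(:[0-9]*\)*\/service\/token/\1:'"$port"'\/service\/token/' "$tmpl"
    rm -f "$compose.bak" "$tmpl.bak"
}

# show_port_config COMPOSE_FILE REGISTRY_TEMPLATE: the lines to review before re-running install.sh
show_port_config() {
    grep -E '^[[:space:]]*-[[:space:]]*[0-9]+:(80|443)$' "$1"
    grep 'realm:' "$2"
}

# Usage (afterwards: sudo docker-compose down && sudo ./install.sh):
#   set_harbor_port docker-compose.yml templates/registry/config.yml http 8888
#   show_port_config docker-compose.yml templates/registry/config.yml
```

Because the realm is rewritten to whichever scheme was changed last, run the script once per published port and make sure the final realm port is the one clients are told to use; a docker login against the other port still works for the UI but fails at the token step.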
Troubleshooting
1. When Harbor is not working properly, list the state of its containers with:
$ sudo docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------------------------------------
harbor_jobservice_1 /harbor/harbor_jobservice Up
harbor_log_1 /bin/sh -c crond && rsyslo ... Up 0.0.0.0:1514->514/tcp
harbor_mysql_1 /entrypoint.sh mysqld Up 3306/tcp
harbor_proxy_1 nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
harbor_registry_1 /entrypoint.sh serve /etc/ ... Up 5000/tcp
harbor_ui_1 /harbor/harbor_ui Up
If a container is not in the Up state, check its log under /var/log/harbor.
2. When Harbor sits behind an elastic load balancer or a reverse proxy such as nginx, check the location /, location /v2/ and location /service/ blocks in make/config/nginx/nginx.conf for the line below. If the upstream proxy already sets this header, the line may have to be removed from those blocks so that the scheme Harbor sees matches the one the client actually used:
proxy_set_header X-Forwarded-Proto $scheme;
https://my.oschina.net/xxbAndy/blog/786712