Introduction and usage guide for the enterprise-level open source Docker Registry tool Harbor

Abstract: When Docker tools are used to build and manage the entire container ecosystem, images are an essential link, since every container must be started from an image. Image storage has therefore become very important. Docker officially provides the registry service, which can be said to meet many basic image-storage needs. Within an enterprise, however, more issues must be considered, such as image management, a web-based UI, permission management and review. Fortunately, VMware has open sourced the Harbor tool, which I personally feel is good. This article mainly introduces Harbor and gives a basic usage guide.

Introduction and basic architecture of Harbor

Introduction to Harbor

Basic Architecture

Harbor Installation and Configuration Guide

Harbor can be installed and deployed in the following three ways:

  • Online installation: users download Harbor's official images directly from Docker Hub.

  • Offline installation: users download the source package and build the images themselves. The source package is relatively large.

  • Virtual appliance: generally used to build a private registry on a third-party platform such as vSphere, as a component of that platform; the OVA version of Harbor must be downloaded.

Click here for the official download page.

To install Harbor's virtual appliance, click here.

This guide mainly explains how to install and configure Harbor step by step using the online and offline methods. The installation steps are basically the same for both.

If you are running an old version of Harbor, data may need to be migrated to the new database. For detailed steps, click here.

In addition, for the steps to deploy on Kubernetes, see the following link: Harbor on Kubernetes.

Harbor dependencies

Harbor is deployed on the server as Docker containers, so it can run on any Linux distribution. Python, Docker and Docker Compose must be installed on the target host.

  • Python 2.7+ is required. Note that it is best to install the Python package that matches your Linux distribution.
  • Docker Engine 1.10+ is required; the newer version currently is 1.12. See: Docker installation.
  • Docker Compose 1.6.0+ is required. See: Compose installation.

Harbor installation and configuration

The installation steps are as follows:

  1. Download the installation package;
  2. Modify the configuration file harbor.cfg;
  3. Run install.sh to install and start Harbor.

1. Download the installation package

Click the link to download the binary package: Harbor download. Select an online or offline package. Unpack the downloaded package with the tar command:

Online package installation:

    $ tar xvf harbor-online-installer-<version>.tgz

Offline package installation:

    $ tar xvf harbor-offline-installer-<version>.tgz

2. Configure Harbor

Configuration parameters are placed in the file harbor.cfg. The parameters are explained in detail below; at minimum, the hostname parameter must be configured.

  • hostname: The hostname of the target host, used to access the Harbor UI and the image registry. It can be an IP address or a fully qualified domain name, such as 192.168.1.10 or reg.yourdomain.com. Do not use localhost or 127.0.0.1 as the hostname.
  • ui_url_protocol: (http or https; the default is http) The protocol used to access the UI and the token/notification service. To use https, see the link Configure Harbor to support the https protocol.
  • Email settings: Used by Harbor to send emails. Changing these settings is optional. Note: SSL is not enabled by default; if your SMTP server requires SSL, set email_ssl = true. The defaults are:

      * email_server = smtp.mydomain.com
      * email_server_port = 25
      * email_username = sample_admin@mydomain.com
      * email_password = abc
      * email_from = admin <sample_admin@mydomain.com>
      * email_ssl = false

  • harbor_admin_password: The administrator's initial password, which takes effect only when Harbor is started for the first time. After that, this setting is ignored and the administrator's password must be changed in the UI. The default username and password are admin/Harbor12345.

  • auth_mode: The authentication method. db_auth is used by default, and credentials are stored in the database. To use LDAP authentication, set ldap_auth.

  • ldap_url: URL of the LDAP server (e.g. ldaps://ldap.mydomain.com). Only used when auth_mode is set to ldap_auth.

  • ldap_searchdn: DN of the user used to bind to the LDAP/AD service (e.g. uid=admin,ou=people,dc=mydomain,dc=com).

  • ldap_search_pwd: Password of the user DN set in ldap_searchdn above.

  • ldap_basedn: Base DN under which users are searched, e.g. ou=people,dc=mydomain,dc=com. Only used when auth_mode is set to ldap_auth.

  • ldap_filter: User search filter, e.g. (objectClass=person).

  • ldap_uid: The attribute used to match a user in an LDAP search; it can be uid, cn, email or another attribute.

  • ldap_scope: User search scope: 1 = LDAP_SCOPE_BASE, 2 = LDAP_SCOPE_ONELEVEL, 3 = LDAP_SCOPE_SUBTREE. The default is 3.

  • db_password: Root password of the MySQL database, used with db_auth.
  • self_registration: (on or off; the default is on) Enables or disables user self-registration. When disabled, new users can only be created by the admin user. Note: when auth_mode is set to ldap_auth, self-registration is always off and this parameter is ignored.

  • use_compressed_js: (on or off; the default is on) For production use, set this parameter to on. Set it to off in development mode so that individual js files can be modified separately.

  • max_job_workers: (default 3) The maximum number of workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote registry. Increasing this value allows more concurrent replication jobs; however, each worker consumes network, CPU and I/O resources, so set the value according to the system's resources.
  • secret_key: The key used to encrypt and decrypt the remote registry password in a replication policy; it must be 16 characters long. This value must be changed in production. Note: after changing this key, previously encrypted policy passwords can no longer be decrypted.

  • token_expiration: Token expiration time; the default is 30 minutes.

  • verify_remote_cert: (on or off; the default is on) Determines whether the SSL/TLS certificate of a remote Harbor registry is verified during replication. Set it to off only when the remote registry uses a self-signed or otherwise untrusted certificate.
  • customize_crt: (on or off; the default is on) When set to on, a script generates the private key and root certificate used to sign the registry token.

  • The following parameters: crt_country, crt_state, crt_location, crt_organization, crt_organizationalunit, crt_commonname and crt_email are used to generate that key and certificate. When customize_crt is set to off, the key and root certificate can be supplied from an external source; see Custom certificate for Harbor token service.
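The following shell script is an added example (not part of the original post and not Harbor's own tooling) that reads a harbor.cfg and lists the settings from the list above that must not reach production at their defaults: localhost as hostname, plain http, the default admin password, an unchanged or wrongly sized secret_key, verify_remote_cert off, and open self-registration under db_auth. The two sample configs are constructed; the placeholder secret_key value it checks for is assumed to be the one in Harbor's shipped template.

```shell
#!/bin/sh
# Added example, not part of Harbor or the original post: lint a harbor.cfg
# before running install.sh and report the settings from the list above that
# must not stay at their defaults in production. Sample configs are constructed.

# Print the value of "key = value" from an INI-style file (first match, trimmed).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per risky setting found in the harbor.cfg given as $1.
check_harbor_cfg() {
    f="$1"
    case "$(cfg_get "$f" hostname)" in
        ""|localhost|127.0.0.1)
            echo "hostname: use a reachable IP or FQDN, not localhost/127.0.0.1" ;;
    esac
    [ "$(cfg_get "$f" ui_url_protocol)" = "https" ] ||
        echo "ui_url_protocol: http sends passwords and tokens in clear text; use https"
    case "$(cfg_get "$f" harbor_admin_password)" in
        ""|Harbor12345)
            echo "harbor_admin_password: still the documented default admin/Harbor12345" ;;
    esac
    key="$(cfg_get "$f" secret_key)"
    # "not-a-secure-key" is assumed to be the placeholder in Harbor's shipped template.
    if [ "${#key}" -ne 16 ] || [ "$key" = "not-a-secure-key" ]; then
        echo "secret_key: must be a unique 16-character value (replication passwords are encrypted with it)"
    fi
    [ "$(cfg_get "$f" verify_remote_cert)" != "off" ] ||
        echo "verify_remote_cert: off accepts any certificate from remote registries during replication"
    if [ "$(cfg_get "$f" auth_mode)" != "ldap_auth" ] &&
       [ "$(cfg_get "$f" self_registration)" = "on" ]; then
        echo "self_registration: anyone who can reach the UI can create an account; set off unless intended"
    fi
    return 0
}

# Number of findings, for use in scripts and CI gates.
count_findings() { check_harbor_cfg "$1" | wc -l | tr -d ' '; }

# Constructed sample 1: the values a fresh harbor.cfg carries.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
hostname = localhost
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
secret_key = not-a-secure-key
verify_remote_cert = on
EOF

# Constructed sample 2: the same file after hardening (placeholder values).
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
hostname = reg.yourdomain.com
ui_url_protocol = https
harbor_admin_password = REPLACE-WITH-A-LONG-RANDOM-VALUE
auth_mode = db_auth
self_registration = off
secret_key = abcdefghijklmnop
verify_remote_cert = on
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

echo "findings for the default config:"
check_harbor_cfg "$WEAK_CFG"
echo "findings for the hardened config: $(count_findings "$HARDENED_CFG")"
```

Run it against the real harbor.cfg with `check_harbor_cfg harbor.cfg` before `install.sh`; a non-zero `count_findings` is a reasonable gate in a deployment pipeline.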

3. Configure backend storage (optional)

By default, Harbor stores image files on the local file system. In a production environment you should consider a storage backend instead of the local file system, such as S3, OpenStack Swift or Ceph. The storage backend is selected in the file templates/registry/config.yml. For example, to use OpenStack Swift as the storage backend, the configuration is as follows:

storage:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images

Note: for details about the storage backends of the Docker registry, see the link Registry configuration details.

4. Complete the installation of Harbor and start Harbor

Once harbor.cfg and the storage backend are configured, the install.sh script installs and starts the Harbor service. Note that this may take some time, because some Harbor image files need to be downloaded from Docker Hub.

    $ sudo ./install.sh

If the script completes without errors, open the hostname configured in harbor.cfg in a browser, for example http://reg.yourdomain.com, and log in with the configured admin user. Default admin username/password: admin/Harbor12345.

After logging in as admin, first create a project, for example myproject. The user can then run docker login reg.yourdomain.com and push an image (the registry service listens on port 80 by default):

    $ docker login reg.yourdomain.com
    $ docker push reg.yourdomain.com/myproject/myrepo:mytag

Important note: Harbor uses the HTTP protocol by default, so users need to add the parameter --insecure-registry reg.yourdomain.com to the Docker daemon configuration and restart Docker.

For more information on using Harbor, see the Harbor User Guide.

5. Configure Harbor to support HTTPS access

Harbor does not ship with a TLS certificate and serves requests over HTTP by default. This is simpler for deployment or test environments, but it is not recommended in production. To enable HTTPS support, see the link below to configure Harbor to support https.

Manage Harbor's lifecycle

You can use docker-compose to manage the entire lifecycle of Harbor. The corresponding management commands follow. Note that docker-compose must be run in the directory containing the docker-compose.yml file:

Stop Harbor service:

$ sudo docker-compose stop
Stopping harbor_proxy_1 ... done
Stopping harbor_ui_1 ... done
Stopping harbor_registry_1 ... done
Stopping harbor_mysql_1 ... done
Stopping harbor_log_1 ... done
Stopping harbor_jobservice_1 ... done

Start Harbor service:

$ sudo docker-compose start
Starting harbor_log_1
Starting harbor_mysql_1
Starting harbor_registry_1
Starting harbor_ui_1
Starting harbor_proxy_1
Starting harbor_jobservice_1

To modify Harbor's configuration, first stop the running Harbor instance, update the harbor.cfg file, and then run install.sh again:

$ sudo docker-compose down

$ vim harbor.cfg

$ sudo ./install.sh

Remove the Harbor containers while keeping the image files and Harbor's database:

$ sudo docker-compose rm
Going to remove harbor_proxy_1, harbor_ui_1, harbor_registry_1, harbor_mysql_1, harbor_log_1, harbor_jobservice_1
Are you sure? [yN] y
Removing harbor_proxy_1 ... done
Removing harbor_ui_1 ... done
Removing harbor_registry_1 ... done
Removing harbor_mysql_1 ... done
Removing harbor_log_1 ... done
Removing harbor_jobservice_1 ... done

Delete Harbor's database and image files (usually before a clean installation):

$ rm -r /data/database
$ rm -r /data/registry

For more docker-compose commands, see the docker-compose usage guide.

Persistent data and log files

By default, registry data is persisted under the /data/ directory on the target host, so it is preserved when a Harbor container is deleted or recreated. In addition, Harbor uses rsyslog to collect the logs of each container. By default, these log files are stored in the /var/log/harbor/ directory on the target host for troubleshooting.

Configure Harbor to listen to a custom port

By default, Harbor listens on ports 80 and 443 (443 requires HTTPS configuration) as the entry point for users, including the admin login. These ports can also be customized.

HTTP protocol

1. Modify the docker-compose.yml file and replace the host port in the proxy service's port mapping, e.g. 8888:80.

proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 8888:80
      - 443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"

2. Modify the template file templates/registry/config.yml and append the custom port ":8888" to the parameter "$ui_url".

auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:8888/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service

3. Run install.sh to update and start Harbor.

$ sudo docker-compose down
$ sudo ./install.sh

HTTPS protocol

1. Enable the HTTPS protocol by following the guide.
2. Modify the docker-compose.yml configuration file.

Change the 443 port mapping in the compose file, for example 4443:443.

proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 80:80
      - 4443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"

3. Modify the template file templates/registry/config.yml and append the custom port after "$ui_url", such as ":4443".

auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:4443/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service

4. Run install.sh to update and start Harbor.

$ sudo docker-compose down
$ sudo ./install.sh
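As an added example, not part of Harbor or the original post, the shell functions below carry out the custom-port steps of both the HTTP and HTTPS procedures above on a compose file and the registry template, then check that the proxy's host port and the port in the token realm agree. The two input files are constructed fragments of the templates shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Harbor's own tooling: apply the custom-port change from the
# HTTP and HTTPS procedures above to docker-compose.yml and
# templates/registry/config.yml, then verify the two files agree. The input
# files are constructed fragments of the templates shown above.

# Rewrite the host side of the proxy port mapping, e.g. "- 80:80" -> "- 8888:80".
# $1 compose file, $2 container port (80 for HTTP, 443 for HTTPS), $3 new host port
set_proxy_port() {
    sed -i.bak "s/^\([[:space:]]*- \)[0-9]*:$2\$/\1$3:$2/" "$1" && rm -f "$1.bak"
}

# Set the port suffix after $ui_url in the token realm (adds or replaces it).
# $1 registry config template, $2 host port
set_token_realm_port() {
    sed -i.bak 's|realm: \$ui_url[^/]*/service/token|realm: $ui_url:'"$2"'/service/token|' "$1" && rm -f "$1.bak"
}

# Host port mapped to container port $2 in compose file $1.
compose_host_port() {
    sed -n "s/^[[:space:]]*- \([0-9]*\):$2\$/\1/p" "$1"
}

# Port embedded in the token realm of template $1 (empty if none).
realm_port() {
    sed -n 's|.*realm: \$ui_url:\([0-9]*\)/service/token.*|\1|p' "$1"
}

# Both files must name the same port: the registry sends clients to the realm
# URL, so a mismatch makes `docker login` ask for a token on a port nginx is
# not listening on.
ports_consistent() {
    [ "$(compose_host_port "$1" "$3")" = "$(realm_port "$2")" ]
}

# Full procedure for one protocol:
# $1 compose file, $2 registry template, $3 container port, $4 host port
apply_custom_port() {
    set_proxy_port "$1" "$3" "$4" &&
    set_token_realm_port "$2" "$4" &&
    ports_consistent "$1" "$2" "$3"
}

# Constructed fragments of docker-compose.yml and templates/registry/config.yml.
COMPOSE=$(mktemp); REGCFG=$(mktemp)
trap 'rm -f "$COMPOSE" "$COMPOSE.bak" "$REGCFG" "$REGCFG.bak"' EXIT
cat > "$COMPOSE" <<'EOF'
proxy:
    image: library/nginx:1.11.5
    ports:
      - 80:80
      - 443:443
EOF
cat > "$REGCFG" <<'EOF'
auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
EOF

# HTTP on 8888, as in the first procedure above.
apply_custom_port "$COMPOSE" "$REGCFG" 80 8888 &&
    echo "HTTP: proxy and token realm both on port $(realm_port "$REGCFG")"
```

Run `apply_custom_port docker-compose.yml templates/registry/config.yml 443 4443` for the HTTPS variant; it returns non-zero when the two files disagree, which is the state that produces unexplained `docker login` failures after a port change.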

Troubleshooting

  1. When Harbor is not working properly, use the following command to view the state of the running containers:

    $ sudo docker-compose ps
           Name                      Command               State                  Ports
    -----------------------------------------------------------------------------------------------------
    harbor_jobservice_1   /harbor/harbor_jobservice        Up
    harbor_log_1          /bin/sh -c crond && rsyslo ...   Up    0.0.0.0:1514->514/tcp
    harbor_mysql_1        /entrypoint.sh mysqld            Up    3306/tcp
    harbor_proxy_1        nginx -g daemon off;             Up    0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
    harbor_registry_1     /entrypoint.sh serve /etc/ ...   Up    5000/tcp
    harbor_ui_1           /harbor/harbor_ui                Up

  If a container is not in the Up state, check its log under /var/log/harbor.

  2. When Harbor is placed behind a load balancer or nginx reverse proxy, check the relevant configuration in make/config/nginx/nginx.conf at location /, location /v2/ and location /service/:

    proxy_set_header X-Forwarded-Proto $scheme;
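An added example (not from the original post or from Harbor) that turns the docker-compose ps table from item 1 into a check: it reports containers that are not Up and any service other than the nginx proxy that publishes a port on 0.0.0.0. The sample output is constructed from the table above, with the registry changed to an Exit 1 state to show the failure case.

```shell
#!/bin/sh
# Added example, not part of Harbor: read `docker-compose ps` output, report
# containers that are not Up, and flag services other than the nginx proxy that
# publish a port on every interface. SAMPLE_PS is constructed from the table in
# the troubleshooting section, with the registry set to "Exit 1".
SAMPLE_PS='       Name                      Command               State                  Ports
-----------------------------------------------------------------------------------------------------
harbor_jobservice_1   /harbor/harbor_jobservice        Up
harbor_log_1          /bin/sh -c crond && rsyslo ...   Up    0.0.0.0:1514->514/tcp
harbor_mysql_1        /entrypoint.sh mysqld            Up    3306/tcp
harbor_proxy_1        nginx -g daemon off;             Up    0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
harbor_registry_1     /entrypoint.sh serve /etc/ ...   Exit 1
harbor_ui_1           /harbor/harbor_ui                Up'

# Print "name state" for every container row. The Command column may contain
# spaces, so the State column is located by its known values rather than by
# field index; the header and rule lines are skipped.
ps_states() {
    printf '%s\n' "$1" | awk 'NR > 2 {
        for (i = 2; i <= NF; i++)
            if ($i == "Up" || $i == "Exit" || $i == "Restarting" || $i == "Paused") {
                state = $i
                if ($i == "Exit") state = state " " $(i + 1)
                print $1, state
                break
            }
    }'
}

# Names of containers whose state is not Up: the first place to look, with the
# matching log under /var/log/harbor.
not_up() { ps_states "$1" | awk '$2 != "Up" { print $1 }'; }

# Services other than the proxy that publish a port on 0.0.0.0. Only nginx is
# meant to be reachable from outside; anything else widens the attack surface.
exposed_non_proxy() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 != "harbor_proxy_1" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^0\.0\.0\.0:/) print $1, $i
    }'
}

echo "containers not Up:"
not_up "$SAMPLE_PS"
echo "ports published outside the proxy:"
exposed_non_proxy "$SAMPLE_PS"
```

With live output, pipe `sudo docker-compose ps` into the functions, e.g. `not_up "$(sudo docker-compose ps)"`. The log service is flagged because its 0.0.0.0:1514 mapping binds the rsyslog port on every interface even though docker-compose.yml only sends logs to 127.0.0.1:1514; changing that mapping to 127.0.0.1:1514:514 keeps the port off the network.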

https://my.oschina.net/xxbAndy/blog/786712
