Deployment and management of a private Docker Harbor registry

Table of contents

1. What is Harbor

2. Features of Harbor

3. The composition of Harbor

4. Deploy and configure Docker Harbor

1. First install Docker Compose

2. Deploy the Harbor service

3. Use the Harbor registry

(1) Project management 

(2) User management


1. What is Harbor

        Harbor is an open-source, enterprise-grade Docker Registry project from VMware whose goal is to help users quickly build an enterprise-grade Docker Registry service.

        On top of Docker's open-source Registry, Harbor adds the functions enterprise users need: a graphical management UI, role-based access control (RBAC), AD/LDAP integration and audit logging, and it provides Chinese-language support.

        Each component of Harbor is built as a Docker container, which is deployed using docker-compose. The docker-compose template for deploying Harbor is located at harbor/docker-compose.yml.

2. Features of Harbor

1. Role-based access control: users and repositories are organized by project, and a user can hold different permissions in different projects.

2. Image replication policies: images can be replicated (synchronized) between multiple Harbor instances.

3. LDAP/AD support: Harbor can integrate with an enterprise's existing AD/LDAP directory to authenticate and manage existing users.

4. Image deletion and garbage collection: images can be deleted, and the space they occupied can be reclaimed.

5. Graphical user interface: users can browse and search the image repositories and manage projects from a browser.

6. Audit management: all operations on the image repositories are recorded and can be traced for auditing.

7. RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.

8. Relationship between Harbor and Docker Registry: Harbor essentially wraps Docker Registry and adds its own business logic on top.

3. The composition of Harbor

        In terms of architecture, Harbor mainly has six components: Proxy, Registry, Core services, Database (Harbor-db), Log collector (Harbor-log), and Job services.

1. Proxy: It is a front-end proxy of nginx. Harbor's Registry, UI, Token service and other components are all behind the nginx reverse proxy. The proxy forwards requests from browsers and docker clients to different backend services.

2. Registry: stores the Docker images and serves docker push/pull. Because access must be controlled (different users have different read and write permissions on images), the Registry is configured to trust a Token service: every docker pull/push request must carry a valid token, and the Registry verifies the token's signature with the token service's public key (root certificate) before honouring the request.

3. Core services: The core functions of Harbor, mainly provide the following three services

  • UI (harbor-ui): Provides a graphical interface to help users manage images on the Registry and authorize users.
  • WebHook: In order to obtain the status change of the image on the Registry in time, configure a Webhook on the Registry to pass the status change to the UI module.
  • Token service: Responsible for issuing Tokens for each Docker push/pull command according to user permissions. If the request initiated by the Docker client to the Registry service does not contain a Token, it will be redirected to the Token service, and after obtaining the Token, it will make a new request to the Registry.

4. Database (harbor-db): Provides database services for core services and is responsible for storing data such as user permissions, audit logs, and Docker image grouping information.

5. Job services: mainly used for image replication; local images can be synchronized to a remote Harbor instance.

6. Log collector (harbor-log): Responsible for collecting logs of other components to one place.

        Each component of Harbor is built as a Docker container, so it is deployed using Docker Compose.

        It runs as seven containers, which can be listed by running docker-compose ps in the directory that contains docker-compose.yml. Their names are nginx, harbor-jobservice, harbor-ui, harbor-db, harbor-adminserver, registry and harbor-log.

        Among them, harbor-adminserver mainly serves as the back-end configuration data store and has few other functions; all the data that harbor-ui operates on goes through this configuration management center, harbor-adminserver.
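The token exchange described above (Registry challenge, token request, signed token), as an added example that is not code from Harbor or from the original post. The three HTTP steps of the live flow are reproduced in the comments, and the client-side pieces are implemented so they run offline: parsing the WWW-Authenticate challenge into the token-service URL, decoding the token payload, and checking its expiry. The host 192.168.116.70, the repository proj/app and the sample token are constructed, and the sample's signature is a placeholder; a real Registry would reject it, because it verifies the RS256 signature with the token service's public key.

```shell
#!/usr/bin/env bash
# Added example, not Harbor's own code: the bearer-token exchange between a
# Docker client, Harbor's Registry and the Token service, reproduced offline.
# The live flow against the deployment above looks like this (host, user and
# repository are placeholders):
#   1. GET http://192.168.116.70/v2/proj/app/tags/list  (no token)
#      -> 401, WWW-Authenticate: Bearer realm="http://192.168.116.70/service/token",
#                                 service="harbor-registry",scope="repository:proj/app:pull"
#   2. GET <realm>?service=harbor-registry&scope=repository:proj/app:pull  (with user:password)
#      -> {"token":"<JWT signed by the token service>","expires_in":1800}
#   3. retry step 1 with  Authorization: Bearer <JWT>
set -euo pipefail

# Step 2's URL, built from the step-1 challenge value and the scope the client
# needs (repository:<project>/<repo>:<actions>). Fails on a non-Bearer challenge.
token_url_from_challenge() {
    local challenge="$1" scope="$2" realm service
    case "$challenge" in Bearer\ *) ;; *) return 1 ;; esac
    realm=$(printf '%s' "$challenge" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
    service=$(printf '%s' "$challenge" | sed -n 's/.*service="\([^"]*\)".*/\1/p')
    [ -n "$realm" ] && [ -n "$service" ] || return 1
    printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# base64url without padding, as used by JWT segments.
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }

# Decode the payload (second segment) of a JWT. This only decodes: the Registry
# additionally verifies the RS256 signature with the token service's public key
# before it trusts the "access" claim, and so must any other consumer.
jwt_payload() {
    local seg
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
    printf '%s' "$seg" | base64 -d
}

# 0 when the payload's "exp" (seconds since epoch) lies after $2 (default: now).
jwt_not_expired() {
    local payload="$1" now="${2:-$(date +%s)}" exp
    exp=$(printf '%s' "$payload" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
    [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Constructed sample: a token body shaped like Harbor's, with a fake signature.
PAYLOAD_JSON='{"iss":"harbor-token-issuer","sub":"admin","exp":4102444800,"access":[{"type":"repository","name":"proj/app","actions":["pull","push"]}]}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' "$PAYLOAD_JSON" | b64url).not-a-real-signature"
CHALLENGE='Bearer realm="http://192.168.116.70/service/token",service="harbor-registry",scope="repository:proj/app:pull"'

echo "token URL: $(token_url_from_challenge "$CHALLENGE" 'repository:proj/app:pull,push')"
echo "claims:    $(jwt_payload "$SAMPLE_TOKEN")"
jwt_not_expired "$(jwt_payload "$SAMPLE_TOKEN")" && echo "token still valid"
```

The scope in step 2 is what decides the "access" claim the token service writes into the token: a user who only has pull rights on proj/app still receives a token, but with actions limited to pull, which is what the Registry enforces on push.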

4. Deploy and configure Docker Harbor

1. First install Docker Compose

curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose

2. Deploy Harbor service

Install Harbor

Harbor release tarballs are published at: https://github.com/goharbor/harbor/releases

wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz

tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

The wget above fetches the installer from a third-party mirror over plain HTTP, so its contents can be altered in transit. Prefer downloading from the official releases page and verify the archive's checksum against the one published with the release before unpacking it.

Modify the configuration file

# Edit Harbor's installation configuration file
vim /usr/local/harbor/harbor.cfg
# line 5: set this to the Harbor server's IP address or domain name
hostname = 192.168.116.70
# line 59: initial administrator password; the default username/password is admin/Harbor12345
harbor_admin_password = Harbor12345

Add the local registry address to the Docker daemon configuration file. Because this deployment uses plain HTTP (ui_url_protocol = http), the Docker daemon on every client that will push or pull must list the Harbor address under insecure-registries in /etc/docker/daemon.json and be restarted; otherwise docker login and docker push fail, because the client insists on HTTPS for registries not listed there.

The harbor.cfg configuration file contains two kinds of parameters: required parameters and optional parameters.
(1) Required parameters

        These parameters must be set in harbor.cfg. Changes take effect when the user updates them and reruns the install.sh script to reinstall Harbor. They are:
● hostname: the address used to reach the user interface and the registry service. It should be the target machine's IP address or a fully qualified domain name (FQDN), such as 192.168.80.10 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname, because Docker clients on other hosts would then be unable to reach the registry.

● ui_url_protocol: http or https (default http), the protocol used to access the UI and the token/notification services. If Notary is enabled, this must be https. Plain http carries user credentials and bearer tokens in clear text, so https is the only sensible choice outside an isolated lab.

● max_job_workers: the number of worker threads for image replication jobs.

● db_password: the root password of the MySQL database used by db_auth.

● customize_crt: on or off, on by default. When on, the prepare script generates a private key and root certificate that are used to sign and verify registry tokens. Set it to off when the key and root certificate are supplied from an external source.

● ssl_cert: path to the SSL certificate; only used when the protocol is set to https.

● secretkey_path: path of the key used to encrypt and decrypt the remote registry password stored in replication policies.

(2) Optional parameters

        These parameters are optional: users can leave them at their defaults and change them in the web UI after Harbor is running. If they are set in harbor.cfg, they only take effect the first time Harbor starts; on subsequent starts the values in harbor.cfg are ignored for these parameters.

Note: if you choose to set these parameters through the UI, do so immediately after Harbor starts. In particular, the desired auth_mode must be set before any new users are registered or created in Harbor; once users other than the default admin exist, auth_mode can no longer be changed. The parameters are:
● Email: Harbor needs these settings to send "password reset" e-mails to users, and they only need to be configured when that function is required. SSL is not enabled by default; if the SMTP server requires SSL but does not support STARTTLS, enable it by setting email_ssl = true.

● harbor_admin_password: the initial administrator password, which only takes effect the first time Harbor starts. Afterwards this setting is ignored and the administrator password must be changed in the UI. The default username/password is admin/Harbor12345; since that pair is public knowledge, change it before the registry is reachable by anyone else.

● auth_mode: the authentication type, db_auth by default, i.e. credentials are stored in the database. For LDAP authentication set it to ldap_auth.

● self_registration: enables or disables user self-registration. When disabled, only admin users can create new users in Harbor. NOTE: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.

● token_expiration: the lifetime (in minutes) of tokens issued by the token service, 30 minutes by default.

● project_creation_restriction: controls which users may create projects. By default everyone can create projects; if it is set to "adminonly", only admins can.

● verify_remote_cert: on or off, on by default. Determines whether Harbor verifies the SSL/TLS certificate when it talks to remote registry instances. Setting it to off skips SSL/TLS verification and is often used when the remote instance has a self-signed or untrusted certificate; it also lets anyone on the network path impersonate the remote registry to the replication job, so the better fix is to install the remote's CA certificate and keep verification on.

        By default Harbor stores images on the local filesystem. In a production environment consider another storage backend instead, such as object storage (S3, OpenStack Swift, Ceph, etc.); this requires updating the common/templates/registry/config.yml file.
        Harbor's default image storage path is the /data/registry directory on the host, which is mapped to the /storage directory inside the registry container. The mapping is specified in docker-compose.yml and must be changed before running docker-compose up -d. To store Docker images on another disk path, edit that mapping.

Start Harbor: in /usr/local/harbor, run the prepare script first (./prepare) and then the installer (./install.sh), which loads the offline images and brings the containers up with docker-compose.

After installation, status checks, start, stop and restart are done with docker-compose from the directory containing docker-compose.yml:

docker-compose ps          # view status

docker-compose up -d       # start
docker-compose stop        # stop
docker-compose restart     # restart
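The configuration and start-up steps above, gathered into one added script that is not part of the page or of Harbor's installer. It sets the two required harbor.cfg values with sed, refuses to continue while hostname is loopback or harbor_admin_password is still the published default Harbor12345, writes the insecure-registries entry this plain-HTTP deployment needs, and then runs ./prepare and ./install.sh. The directory /usr/local/harbor, the address 192.168.116.70 and the sample configuration contents are assumptions taken from the walkthrough; install_harbor itself needs root and is not run by the demo at the bottom.

```shell
#!/usr/bin/env bash
# Added example, not part of the page or of Harbor's installer: apply the
# harbor.cfg changes above, refuse to proceed while the settings are unsafe,
# register the plain-HTTP registry with the Docker daemon and run Harbor's
# own prepare/install scripts. HARBOR_DIR and the host address are assumptions.
set -euo pipefail

HARBOR_DIR=${HARBOR_DIR:-/usr/local/harbor}
DEFAULT_ADMIN_PW='Harbor12345'   # documented default, known to everyone

# Set "key = value" in the INI-style harbor.cfg: replace an existing
# uncommented key in place, or append it when absent.
# (value must not contain '|', '&' or '\', which are special to sed here.)
set_cfg_value() {
    local file="$1" key="$2" value="$3"
    if grep -qE "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of a key (last occurrence wins, trailing blanks trimmed).
get_cfg_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n1
}

# 0 when hostname is neither empty, localhost nor loopback and the initial
# admin password is not the published default.
cfg_is_safe() {
    local file="$1" host pw
    host=$(get_cfg_value "$file" hostname)
    pw=$(get_cfg_value "$file" harbor_admin_password)
    case "$host" in ''|localhost|127.0.0.1) return 1 ;; esac
    [ -n "$pw" ] && [ "$pw" != "$DEFAULT_ADMIN_PW" ]
}

# daemon.json entry the Docker clients need while ui_url_protocol = http.
daemon_json_for() {
    printf '{\n  "insecure-registries": ["%s"]\n}\n' "$1"
}

# The real installation; needs root and the unpacked installer in HARBOR_DIR.
# Note: overwrites an existing /etc/docker/daemon.json; merge by hand if one exists.
install_harbor() {
    local host="$1" admin_pw="$2" cfg="$HARBOR_DIR/harbor.cfg"
    set_cfg_value "$cfg" hostname "$host"
    set_cfg_value "$cfg" harbor_admin_password "$admin_pw"
    cfg_is_safe "$cfg" || { echo "refusing to install: hostname is loopback or admin password is the default" >&2; return 1; }
    daemon_json_for "$host" > /etc/docker/daemon.json
    systemctl restart docker
    (cd "$HARBOR_DIR" && ./prepare && ./install.sh)
}

# Stand-alone demo on a throwaway copy of the config (constructed sample).
demo_cfg=$(mktemp)
printf 'hostname = reg.mydomain.com\nui_url_protocol = http\nharbor_admin_password = Harbor12345\n' > "$demo_cfg"
cfg_is_safe "$demo_cfg" && echo "unexpected: defaults accepted" || echo "defaults rejected, as intended"
set_cfg_value "$demo_cfg" hostname 192.168.116.70
set_cfg_value "$demo_cfg" harbor_admin_password 'use-a-long-random-secret'
cfg_is_safe "$demo_cfg" && cat "$demo_cfg"
rm -f "$demo_cfg"
```

Usage on the Harbor host: install_harbor 192.168.116.70 'a-long-random-password'. Keep the password out of shell history (for example read it from a file with restrictive permissions) and remember that harbor_admin_password only matters on the very first start; later changes go through the UI.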

3. Use the Harbor registry

Use a browser to open the Harbor server's address and log in with the default username admin and password Harbor12345 (and change that password right away).

(1) Project management

New project

To push an image, follow the two steps shown: tag the image with the registry address and project name, then push it.

docker login -u <username> -p <password> <harbor registry address>

Passing the password with -p leaves it in the shell history and in the process list; prefer docker login -u <username> --password-stdin <harbor registry address> and supply the password on standard input.

Simulate pulling an image from this project (images in private projects can only be pulled after logging in; images in public projects can be pulled directly).

Pushed images are stored on the Harbor host under /data/registry/docker/registry/v2/repositories, one subdirectory per project.
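The push and pull round trip described in this section, as an added example that is not from the page or from Harbor. It turns a local image reference into the <host>/<project>/<repo>:<tag> form Harbor expects (dropping any registry prefix and defaulting the tag to latest), logs in with --password-stdin so the password never appears in argv, and pushes or pulls. The host 192.168.116.70 and the project name myproject are assumptions matching the deployment above; the demo at the bottom only prints references and makes no docker calls.

```shell
#!/usr/bin/env bash
# Added example, not from the page or from Harbor: push an image into a Harbor
# project and pull it back. The host 192.168.116.70 and the project name are
# assumptions matching the deployment above.
set -euo pipefail

# Rewrite a local image reference as <host>/<project>/<path>:<tag>.
# A leading registry host (first path component containing '.' or ':', or
# "localhost") is dropped; a missing tag defaults to "latest".
harbor_ref() {
    local image="$1" project="$2" host="$3" path first rest last tag
    case "$image" in
        *@*) echo "digest references are not handled here" >&2; return 1 ;;
    esac
    path=$image
    case "$path" in
        */*)
            first=${path%%/*}; rest=${path#*/}
            case "$first" in *.*|*:*|localhost) path=$rest ;; esac ;;
    esac
    last=${path##*/}
    case "$last" in
        *:*) tag=${last##*:}; path=${path%:*} ;;
        *)   tag=latest ;;
    esac
    printf '%s/%s/%s:%s\n' "$host" "$project" "$path" "$tag"
}

# Log in reading the password from a file on stdin, so it never appears in
# argv (visible in ps) or in the shell history, then tag and push.
harbor_push() {
    local image="$1" project="$2" host="$3" user="$4" pw_file="$5" ref
    ref=$(harbor_ref "$image" "$project" "$host")
    docker login -u "$user" --password-stdin "$host" < "$pw_file"
    docker tag "$image" "$ref"
    docker push "$ref"
    printf '%s\n' "$ref"
}

# Pull from the project; a private project requires a prior docker login.
harbor_pull() {
    docker pull "$(harbor_ref "$1" "$2" "$3")"
}

# Stand-alone demo with constructed inputs (no docker calls).
for img in nginx ubuntu:22.04 docker.io/library/nginx:1.25 myhost:5000/team/app:v1; do
    printf '%-36s -> %s\n' "$img" "$(harbor_ref "$img" myproject 192.168.116.70)"
done
```

Usage: harbor_push nginx myproject 192.168.116.70 admin /root/.harbor-pw pushes nginx as 192.168.116.70/myproject/nginx:latest; the pushed repository then appears under /data/registry/docker/registry/v2/repositories/myproject/ on the Harbor host.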

(2) User management

New user

A new user can be allowed to work with images in two ways:

  • promote the newly created user to the system administrator role;
  • add the user as a member of a specific project and assign a role.

Role              Permissions
Guest             Read-only access to the specified project
Developer         Read and write access to the specified project, but no delete permission
Maintainer        Read and write access to the specified project, plus project configuration such as creating webhooks
Project Admin     Read and write access, plus management rights such as member management and image scanning

Source: blog.csdn.net/weixin_58544496/article/details/128099968