CKA notes (6): Harbor

Harbor Registry (also known as the Harbor cloud-native artifact registry or Harbor image registry) was originally created by the Cloud Native Lab of VMware's China R&D Center and was open sourced in March 2016.

Harbor communicates over https by default, and using https requires issuing a certificate. If you do not want to use https, you need to modify the configuration of docker and containerd (see below for the configuration method).

The demonstration architecture is as follows, with three servers in total:

Server   Role         Purpose
26.91    docker       builds images
26.93    harbor       image registry
26.92    containerd   pulls images

Harbor installation:

On the 26.93 server, install docker and modify daemon.json as follows, then restart docker.

{
 "registry-mirrors": ["https://frz7i079.mirror.aliyuncs.com"],
 "insecure-registries":["192.168.26.93"]
}

Entries in the JSON are separated by commas.

Install docker-compose:

Run yum install docker-compose, or decompress the prepared offline installation package, and then enter the harbor directory.

In that directory, harbor.v2.3.5.tar.gz is the offline image archive; import it with docker load -i harbor.v2.3.5.tar.gz.

harbor.yml.tmpl is a template file. Copy it with cp harbor.yml.tmpl harbor.yml, then run vi harbor.yml to modify the configuration:

hostname: change it to the local address xx26.93, and delete the two lines for https and its port. Further down, you can see that the administrator password is Harbor12345. Save and exit with wq.

Run the prepare script with ./prepare, then run ./install.sh. After that, open a browser and enter the ip to access Harbor; the user name is admin and the password is Harbor12345.

Operations such as creating users and creating projects can be performed in the web UI. Users can be given roles such as administrator or guest. A project has the same meaning as the category in image naming (registry address/category/image name:tag, such as docker.io/library/nginx:latest). Create an administrator named tom here as the account used to log in later.

We need to create a project to store the uploaded image: project name cka; access level public (anonymous users can pull without logging in, but pushing an image requires a login whether or not the project is public); storage capacity -1 GiB (no capacity cap).

At this point, the basic configuration on the Harbor side is complete. Note that an image must be tagged with its project (category) before it is pushed.

Name the image 192.168.26.93/cka/image-name:tag, where 192.168.26.93 is the Harbor server and cka is the category (project):
docker tag nginx 192.168.26.93/cka/nginx:v1

We need to configure daemon.json on the pushing host 26.91. The address added here is still the Harbor server. Save with wq, then restart docker on 26.91.

{
 "registry-mirrors":["https://frz7i079.mirror.aliyuncs.com"],
 "insecure-registries":["192.168.26.93"]
}

Everything is ready. Log in to the Harbor server with docker login 192.168.26.93 -u tom -p xxxxx (the user name and password can be left out of the command). After login, a file recording the login information appears; it can be seen with ls .docker/config.json. The string after auth is the user name and password, which is only base64-encoded, not encrypted, and can be decoded with echo <string> | base64 -d.
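The auth field described above can be checked on any host that has run docker login. The following is an added example, not code from the original post: it reports which registries keep credentials inline in config.json without printing the password. The sample config, the placeholder password and the function name audit_docker_config are assumptions made for illustration; credsStore and credHelpers are the Docker config keys that point to an external credential helper.

```python
import base64
import binascii
import json

# Constructed sample of ~/.docker/config.json after `docker login 192.168.26.93 -u tom`.
# "example-pass" is a placeholder password, not a value from the page.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "192.168.26.93": {
            "auth": base64.b64encode(b"tom:example-pass").decode()
        },
        "registry.example.internal": {},  # constructed entry with nothing stored inline
    }
})


def audit_docker_config(text):
    """Return one finding per registry whose credentials sit inline in config.json."""
    cfg = json.loads(text)
    global_store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # no inline credential for this registry
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append({"registry": registry, "user": None,
                             "issue": "unparseable auth"})
            continue
        # A password may itself contain ':', so split on the first one only.
        user, _, password = decoded.partition(":")
        findings.append({
            "registry": registry,
            "user": user,
            "password_length": len(password),  # report the length, never the secret
            "helper": helpers.get(registry) or global_store,
            "issue": "credentials recoverable with base64 -d",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_CONFIG):
        print(finding)
```

A finding with helper set to None means the credential exists only as base64 text in the file, so anyone who can read config.json can recover it.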

After a successful login, run docker push 192.168.26.93/cka/nginx:v1 to push the image to the Harbor registry.

To download the image that 26.91 pushed to the Harbor registry on the 26.92 server, first edit /etc/containerd/config.toml: find the mirrors section, copy and paste the existing entry and modify the copy, adding the Harbor ip and changing https to http in its second line:

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://frz7i079.mirror.aliyuncs.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.26.93"]
    endpoint = ["http://192.168.26.93"]

Then restart containerd, after which crictl can pull images from the Harbor registry.

If you want to use nerdctl to pull the image, you can add the parameter --insecure-registry to the pull command:

nerdctl --insecure-registry pull 192.168.26.93/cka/nginx:v1

If you do not want to add the parameter on every pull, modify the configuration file /etc/nerdctl/nerdctl.toml and change insecure_registry = false to true.

Note that crictl does not have a login function, and an image in a project whose access level is private requires a login. nerdctl does have a login function.

If you want to restart the Harbor service, enter the harbor directory, run docker-compose stop, then docker-compose up -d, and wait for the operation to complete.

Origin blog.csdn.net/qq_52676760/article/details/129096922