Docker's private warehouse Registry&Harbor

[Docker] Harbor Construction - Linux Virtualization for Linux System Operation, Maintenance and Management - Programming Development Tutorial_CentOS - Tiger Course Network

Table of contents

1. Docker private warehouse (Registry)

1.1 Introduction to Registry

2. Build a local private warehouse

2.1 First download the registry image

2.2 Add a private mirror warehouse address in the daemon.json file

2.3 Run the registry container

2.4 Docker container restart strategy

2.5 Tag the image

2.6 Upload to private warehouse

2.7 List all mirrors of private warehouse

2.8 List the tags of the centos image in the private warehouse

2.9 Delete the original centos image first, and then test the private warehouse download

3. Introduction to Harbor

3.1 What is Harbor

3.2 Characteristics of Harbor

3.3 The composition of Harbor

4. Deploy Harbor

4.1 Deploy Docker-Compose service

4.2 Deploy Harbor service

4.2.1 Download or upload Harbor installer

4.2.2 Modify the configuration file installed by harbor

4.3 There are two types of parameters in the Harbor.cfg configuration file: required parameters and optional parameters

4.3.1 Required parameters

4.3.2 Optional parameters

4.4 Start Harbor

4.5 View Harbor startup image

4.6 Create a new project

5. Maintenance and management of Harbor

5.1 Create a project through Harbor Web

5.2 Create a Harbor user

(1) Create a user and assign permissions

(2) Add project members

(3) Use a common account to operate the image on the client

5.3 View logs

5.4 Modify Harbor.cfg

5.5 Remove the Harbor service containers while retaining the image data and database, and perform migration

(1) Remove the Harbor service container

(2) Package the image data in the project


1. Docker private warehouse (Registry)

1.1 Introduction to Registry

Docker warehouses come in two kinds: private and public. A public warehouse can be used by anyone who registers an account on the official site and logs in. Enterprises, however, have images of their own that are not meant to be published, so building a private warehouse is also necessary.

For local warehouses, Docker provides Registry, which lets us build our own private warehouse. Its drawback is just as obvious: it is hard to manage and supports no complex operations.
 

2. Build a local private warehouse

2.1 First download the registry image

docker pull registry

2.2 Add a private mirror warehouse address in the daemon.json file

vim /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.237.21:5000"]
}
systemctl restart docker.service

Note that there must be no trailing comma after the array: daemon.json is strict JSON, and dockerd refuses to start when the file contains a syntax error.

2.3 Run the registry container

docker run -itd -v /data/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry:latest

-itd: Open a pseudo terminal in the container for interactive operation and run in the background

-v: Bind the host's /data/registry directory to the container's /var/lib/registry directory (this directory is the directory where mirror files are stored in the registry container) to achieve data persistence;

-p: port mapping; access to port 5000 of the host machine will access the service of the registry container

--restart=always: This is the restart strategy, always restart the container when the container exits

--name registry: Create a container named registry

registry:latest: This is the image that was pulled just now

2.4 Docker container restart strategy

no: the default policy, do not restart the container when the container exits

on-failure: When the container exits abnormally (exit status is not 0), the container will be restarted

on-failure:3 : Restart the container when it exits abnormally, at most 3 times

always: Always restart the container when it exits

unless-stopped: Always restart the container when the container exits, but does not consider containers that have been stopped when the Docker daemon starts

2.5 Tag the image

docker tag centos:7 192.168.237.21:5000/centos:v1

2.6 Upload to private warehouse

docker push 192.168.237.21:5000/centos:v1

2.7 List all mirrors of private warehouse

curl http://192.168.10.23:5000/v2/_catalog

2.8 List the tags of the centos image in the private warehouse

curl http://192.168.10.23:5000/v2/centos/tags/list

2.9 Delete the original centos image first, and then test the private warehouse download

docker rmi -f 8652b9f0cb4c
docker pull 192.168.10.23:5000/centos:v1

3. Introduction to Harbor

3.1 What is Harbor

Harbor is an open source enterprise-level Docker Registry project of VMware, whose goal is to help users quickly build an enterprise-level Docker Registry service.

Based on Docker's open-source Registry, Harbor adds the functions enterprise users need: a graphical management UI, role-based access control (RBAC), AD/LDAP integration, audit logging, and a Chinese-language interface.

Each component of Harbor is built as a Docker container, which is deployed using docker-compose. The docker-compose template for deploying Harbor is located at harbor/docker-compose.yml.

3.2 Characteristics of Harbor

1. Role-based control: Users and warehouses are organized based on projects, and users can have different permissions in projects.

2. Mirror-based replication strategy: Mirrors can be replicated (synchronized) between multiple Harbor instances.

3. Support LDAP/AD: Harbor can integrate the existing AD/LDAP (similar to a table in a database) within the enterprise to authenticate and manage existing users.

4. Image deletion and garbage collection: images can be deleted, and the space occupied by images can also be reclaimed.

5. Graphical user interface: users can browse and search the image warehouse and manage projects through a browser.

6. Audit management: All operations on the mirror warehouse can be recorded and traced for audit management.

7. Support RESTful API: RESTful API provides administrators with more control over Harbor, making it easier to integrate with other management software.

8. Relationship between Harbor and Docker Registry: Harbor essentially wraps the Docker Registry and adds its own business logic on top of it.

3.3 The composition of Harbor

In terms of architecture, Harbor mainly has six components: Proxy, Registry, Core services, Database (Harbor-db), Log collector (Harbor-log), and Job services.

How a request flows through a Harbor private warehouse

1. Every request (for example a docker pull or push) is first handed to the proxy (a reverse proxy).

2. The proxy forwards the request to the backend Core services, which consist of the UI, the token service (authentication) and the webhook (auxiliary functions of the web site).

3. The request is then forwarded to the registry (image storage). Operations that require permission, such as downloading an image, must first pass the token authentication service in Core services.

4. Every download and upload generates an operation record, which is logged and saved in the database.

5. The database stores the metadata of the images and the identity information of users and groups; operations are only allowed after authentication and authorization.

  • Proxy: an nginx front-end proxy. Harbor's Registry, UI, Token service and other components all sit behind this nginx reverse proxy, which forwards requests from browsers and Docker clients to the different backend services.
  • Registry: responsible for storing Docker images and processing docker push/pull commands. Because user access has to be controlled, that is, different users have different read and write permissions on Docker images, the Registry points to a Token service and requires every docker pull/push request to carry a valid Token, whose signature the Registry verifies with the public key.
  • Core services: the core functions of Harbor:
    • 1) UI (harbor-ui): provides a graphical interface to help users manage images on the Registry and authorize users.
    • 2) WebHook: to learn about image status changes on the Registry in time, a Webhook is configured on the Registry that passes status changes to the UI module.
    • 3) Token service: responsible for issuing a Token for each docker push/pull command according to the user's permissions. If a request from the Docker client to the Registry does not carry a Token, it is redirected to the Token service; after obtaining the Token, the client makes a new request to the Registry.
  • Database (harbor-db): provides database services for the core services and stores data such as user permissions, audit logs, and Docker image grouping information.
  • Job services: mainly used for image replication; local images can be synchronized to a remote Harbor instance.
  • Log collector (harbor-log): responsible for collecting the logs of the other components in one place.
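The token handshake described above, as an added example in Go that is not Harbor's own code: Issue stands in for the Token service and signs the access claim, while Verify and Granted stand in for the Registry, which checks the signature with the public key before it reads a single claim and only then asks whether the requested pull or push is listed. Assumptions: an ES256 key pair generated on the fly (NewKey) instead of the key and root certificate Harbor's prepare script creates, a Claims struct that covers only the exp and access fields of the registry token, and the function names, which are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
type Access struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}
type Claims struct {
	Exp    int64    `json:"exp"`
	Access []Access `json:"access"`
}
// Small helpers; NewKey stands in for the key and root certificate Harbor's prepare script creates (ES256 assumed here).
var enc = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
func contains(xs []string, x string) bool { for _, v := range xs { if v == x { return true } }; return false }
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Issue plays the Token service: it signs header.payload with the private key.
func Issue(key *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(input))
	return input + "." + enc.EncodeToString(sig), err
}

// Verify plays the Registry: signature under the public key first, then expiry; the claims are parsed only after the signature holds.
func Verify(pub *ecdsa.PublicKey, token string, now time.Time) (c Claims, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	sig, sigErr := enc.DecodeString(p[2])
	body, bodyErr := enc.DecodeString(p[1])
	switch {
	case sigErr != nil || !ecdsa.VerifyASN1(pub, digest(p[0]+"."+p[1]), sig):
		err = fmt.Errorf("signature does not verify under the registry's public key")
	case bodyErr != nil || json.Unmarshal(body, &c) != nil:
		err = fmt.Errorf("claims are not readable")
	case now.Unix() >= c.Exp:
		err = fmt.Errorf("token expired")
	}
	return c, err
}

// Granted answers the Registry's question for one docker pull or push: is this action on this repository in the access claim?
func Granted(c Claims, repo, action string) bool {
	for _, a := range c.Access {
		if a.Type == "repository" && a.Name == repo && contains(a.Actions, action) {
			return true
		}
	}
	return false
}
```

A Developer who was granted pull and push on myproject-kgc/cirros therefore gets nothing on myproject-kgc/nginx, and a token whose claims were edited after signing fails before its claims are read.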

4. Deploy Harbor

Harbor server: 192.168.237.21 (docker-ce, docker-compose, harbor-offline-v1.2.2)

Client: 192.168.237.22 (docker-ce)

4.1 Deploy Docker-Compose service

Download or upload Docker-Compose

curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

docker-compose --version

4.2 Deploy Harbor service

4.2.1 Download or upload Harbor installer

wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz

tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

4.2.2 Modify the configuration file installed by harbor

vim /usr/local/harbor/harbor.cfg
--line 5-- change: set to the IP address or domain name of the Harbor server
hostname = 192.168.10.23
--line 59-- set the administrator's initial password; the default username/password is admin/Harbor12345
harbor_admin_password = Harbor12345

4.3 There are two types of parameters in the Harbor.cfg configuration file: required parameters and optional parameters

4.3.1 Required parameters

These parameters need to be set in the configuration file Harbor.cfg. The parameters will take effect if the user updates them and runs the install.sh script to reinstall Harbor. The specific parameters are as follows:

● hostname: used to access the user interface and register services. It should be the target machine's IP address or a fully qualified domain name (FQDN), such as 192.168.10.23 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname.

● ui_url_protocol: (http or https, default is http) the protocol used to access the UI and the token/notification services. If Notary is enabled, this parameter must be https.

● max_job_workers: Mirror replication job threads.

● db_password: MySQL database root user password for db_auth.

● customize_crt: can be set to on or off, and is on by default. When it is on, the prepare script creates a private key and root certificate, which are used to generate and verify registry tokens. Set it to off when the key and root certificate are provided by an external source.

● ssl_cert: path to SSL certificate, only applied when protocol is set to https.

● secretkey_path: path of the key used to encrypt or decrypt the remote registry password in a replication policy.

4.3.2 Optional parameters

These parameters are optional, i.e., users can leave them at their defaults and update them in the web UI after launching Harbor. If they are set in Harbor.cfg, they only take effect when Harbor is started for the first time; for subsequent updates to these parameters Harbor.cfg is ignored.

Note: If you choose to set these parameters through the UI, make sure to do so immediately after launching Harbor. Specifically, the desired auth_mode must be set before registering or creating any new users in Harbor. When there are users in the system (except the default admin user), auth_mode cannot be changed. The specific parameters are as follows:

● Email: these settings are required by Harbor to send "password reset" emails to users, and should only be enabled if this functionality is required. Note that SSL connections are not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl=TRUE.

● harbor_admin_password: the initial password of the administrator, which only takes effect when Harbor starts for the first time. Afterwards this setting is ignored and the administrator's password should be set in the UI. Note that the default username/password is admin/Harbor12345.

● auth_mode: The type of authentication used, by default it is db_auth, i.e. the credentials are stored in the database. For LDAP authentication, set this to ldap_auth.

● self_registration: enable/disable user registration function. When disabled, new users can only be created by Admin users, and only admin users can create new users in Harbor. NOTE: When auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.

● token_expiration: the expiration time (minutes) of tokens created by the token service; the default is 30 minutes.

● project_creation_restriction: Flag used to control which users have permission to create projects. By default, everyone can create a project. If its value is set to "adminonly", only admins can create projects.

● verify_remote_cert: on or off, on by default. This flag determines whether SSL/TLS certificates are verified when Harbor communicates with remote registry instances. Setting it to off bypasses SSL/TLS verification, which is often done when the remote instance has a self-signed or untrusted certificate.

Also, by default Harbor stores images on the local filesystem. In a production environment, consider using another storage backend instead of the local filesystem, such as object storage (S3, OpenStack Swift, Ceph, etc.); this requires updating the common/templates/registry/config.yml file. Harbor's default image storage path is the /data/registry directory on the host, which is mapped to the /storage directory inside the Docker container. This mapping is specified in docker-compose.yml and must be modified before docker-compose up -d runs.

If you want to store the Docker image to another disk path, you can modify this parameter.

4.4 Start Harbor

cd /usr/local/harbor/

After configuring harbor.cfg, execute the ./prepare command to generate some necessary files (environment) for the container started by harbor

Then execute the command ./install.sh to pull the image and start the container

4.5 View Harbor startup image

cd /usr/local/harbor/
docker-compose ps

4.6 Create a new project

(1) Browser access: http://192.168.10.23 to log in to the Harbor WEB UI interface, the default administrator username and password are admin/Harbor12345

(2) After entering the username and password and logging in, a new project can be created. Click the "+Project" button

(3) Fill in the project name as "myproject-kgc", click the "OK" button to create a new project

(4) At this time, you can use the Docker command to log in and push the image locally through 127.0.0.1. The Registry server listens on port 80 by default.

// Log in to Harbor
docker login [-u admin -p Harbor12345] http://127.0.0.1

// Pull an image for testing
docker pull nginx

// Tag the image
Format: docker tag image:tag  registry-IP/project-name/image-name:tag
docker tag nginx:latest 127.0.0.1/myproject-kgc/nginx:v1

// Push the image to Harbor
docker push 127.0.0.1/myproject-kgc/nginx:v1

(5) You can see this image and related information under the myproject-kgc directory on the Harbor interface

(6) Upload images from other clients. The operations above were performed locally on the Harbor server. When another client logs in to Harbor, the error below is reported. The cause is that the Docker client talks to a registry over HTTPS by default, whereas this private registry was set up to serve plain HTTP, so the interaction with it fails.

docker login -u admin -p Harbor12345 http://192.168.10.23
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.10.23/v2/: dial tcp 192.168.10.23:443: connect: connection refused

(1) Configure operations on the Docker client

// The fix is to add a startup parameter to the Docker daemon so that this registry is accessed over HTTP.

vim /usr/lib/systemd/system/docker.service

--line 13-- change

ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.10.23 --containerd=/run/containerd/containerd.sock
or
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.10.23

// Restart Docker, then log in again
systemctl daemon-reload
systemctl restart docker

// Log in to Harbor again
docker login -u admin -p Harbor12345 http://192.168.10.23
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Login Succeeded
// The credentials are saved automatically in /root/.docker/config.json and are used directly the next time you log in to Harbor

// Pull an image for testing
docker pull 192.168.10.23/myproject-kgc/nginx:v1

// Push an image for testing
docker pull cirros
docker tag cirros:latest 192.168.10.23/myproject-kgc/cirros:v2
docker push 192.168.10.23/myproject-kgc/cirros:v2

(2) Refresh Harbor's web management interface to view, and you will find that there are two images in the myproject-kgc project
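Both the insecure-registries entry in daemon.json (section 2.2) and the --insecure-registry flag added to ExecStart above switch off TLS for the listed registry, so the credentials from docker login and every image layer travel in clear text. The following Go audit is added here and is not part of the original tutorial: it reads both sources, catches the trailing comma that a hand-edited daemon.json easily acquires (dockerd rejects it), and rates each entry by where that plaintext traffic would go; the function names and rating texts are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// daemonConfig maps only the daemon.json key this audit cares about.
type daemonConfig struct {
	InsecureRegistries []string `json:"insecure-registries"`
}

// InsecureFromDaemonJSON returns the insecure-registries list of a daemon.json. A stray
// trailing comma is a JSON error, and dockerd refuses to start on one, so it is reported.
func InsecureFromDaemonJSON(data []byte) ([]string, error) {
	var cfg daemonConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("daemon.json is not valid JSON: %w", err)
	}
	return cfg.InsecureRegistries, nil
}

// InsecureFromExecStart extracts every --insecure-registry value from a systemd
// ExecStart line such as the one edited in docker.service.
func InsecureFromExecStart(line string) []string {
	var out []string
	fields := strings.Fields(strings.TrimPrefix(line, "ExecStart="))
	for i, f := range fields {
		switch {
		case strings.HasPrefix(f, "--insecure-registry="):
			out = append(out, strings.TrimPrefix(f, "--insecure-registry="))
		case f == "--insecure-registry" && i+1 < len(fields):
			out = append(out, fields[i+1])
		}
	}
	return out
}

// Classify rates one entry (host, host:port or CIDR) by where plaintext registry
// traffic, docker login credentials included, would travel.
func Classify(entry string) string {
	host := entry
	if h, _, err := net.SplitHostPort(entry); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	if ip == nil {
		_, ipnet, err := net.ParseCIDR(entry)
		if err != nil {
			return "hostname: resolve it and review where it points"
		}
		ip = ipnet.IP
	}
	switch {
	case ip.IsLoopback():
		return "loopback: plaintext stays on this host"
	case ip.IsPrivate():
		return "private LAN: credentials and images cross the network unencrypted"
	default:
		return "public address: plaintext across the internet, remove this entry"
	}
}
```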

5. Maintenance and management of Harbor

5.1 Create a project through Harbor Web

In a Harbor repository, every image must belong to a project before it can be pushed to the registry. Click "+Project" and fill in the project name. Leave the checkbox unchecked to make the project private. If it is created as a public warehouse, everyone has read permission on the images under the project and can pull them without running "docker login" on the command line; image operations then behave the same as with Docker Hub.

5.2 Create a Harbor user

(1) Create a user and assign permissions

In the web management interface, click System Management -> User Management -> +User,

Fill in the user name as "kgc-zhangsan", the email address as " [email protected] ", the full name as "zhangsan", the password as "Abc123456", and the comment as "administrator" (can be omitted).

Note: after the user is created, click the "..." button on the left to make the user an administrator or to delete it. In this example, no such settings are made.

(2) Add project members

Click Project -> myproject-kgc-> Members -> + Members, fill in the user kgc-zhangsan created above and assign the role as "Developer".

Note: here, too, the "..." button on the left can be used to change or remove the member's role

(3) Use a common account to operate the image on the client

//Delete the above tagged local image

docker rmi 192.168.10.23/myproject-kgc/cirros:v2

//Log out the current user first, then log in with the account kgc-zhangsan created above

docker logout 192.168.10.23

docker login 192.168.10.23

or

docker login -u kgc-zhangsan -p Abc123456 http://192.168.10.23

//Download and upload images for testing

docker pull 192.168.10.23/myproject-kgc/cirros:v2

docker tag cirros:latest 192.168.10.23/myproject-kgc/cirros:v3
docker push 192.168.10.23/myproject-kgc/cirros:v3

5.3 View logs

In the web interface, the Logs page shows the operation logs, which record user operations in chronological order

5.4 Modify Harbor.cfg

To change optional parameters in Harbor's configuration file, first stop the running Harbor instance and update Harbor.cfg; then run the prepare script to populate the configuration; finally recreate and start the Harbor instance.

When using docker-compose to manage Harbor, it must be run in the same directory as docker-compose.yml.

cd /usr/local/harbor
docker-compose down -v

vim harbor.cfg  # only the optional parameters can be changed here

./prepare

docker-compose up -d

// If the following error is reported, start the firewalld firewall service to resolve it

Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-b53c314f45e8 -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))

systemctl restart firewalld.service
docker-compose up -d

5.5 Remove the Harbor service containers while retaining the image data and database, and perform migration

//Operate on the Harbor server

(1) Remove the Harbor service container

cd /usr/local/harbor

docker-compose down -v

(2) Package the image data in the project

//Persistent data such as the images and the database are in the host's /data/ directory, and the logs are in the host's /var/log/Harbor/ directory

ls /data/registry/docker/registry/v2/repositories/myproject-kgc
cd /data/registry/docker/registry/v2/repositories/myproject-kgc
tar zcvf kgc-registry.tar.gz ./*

5.6 If you need to redeploy, remove all the data of the Harbor service containers as well

cd /usr/local/harbor

docker-compose down -v

rm -r /data/database


Origin blog.csdn.net/m0_71888825/article/details/132523341