Deployment and management of Docker Harbor private image warehouse

Table of contents

1. What is Harbor

2. Characteristics of Harbor

3. The composition of Harbor

4. Deploy and configure Docker Harbor

First you need to install the Docker-Compose service

Deploy Harbor service

Modify the configuration file

Add the local registry address to the Docker configuration file

The Harbor.cfg configuration file has two types of parameters: required and optional

(1) Required parameters

(2) Optional parameters

Start harbor

Checking status, starting, stopping and restarting all use the docker-compose command

Use the Harbor registry

User Management

Create new user

Two ways to let the new user operate on images:


1. What is Harbor

Harbor is VMware's open-source, enterprise-level Docker Registry project. Its goal is to help users quickly build an enterprise-level Docker Registry service.

Harbor is based on Docker's open-source Registry and adds the functions enterprise users need, such as a graphical management UI, role-based access control (RBAC), AD/LDAP integration and audit logging. It also natively supports Chinese.

Each component of Harbor is built as a Docker container and deployed with docker-compose. The docker-compose template used to deploy Harbor is located at harbor/docker-compose.yml.

2. Characteristics of Harbor

1. Role-based access control: users and repositories are organized by project, and a user can hold different permissions in different projects.

2. Image-based replication policy: images can be replicated (synchronized) between multiple Harbor instances.

3. LDAP/AD support: Harbor can integrate the enterprise's existing AD/LDAP directory (which can be thought of as a database table) to authenticate and manage existing users.

4. Image deletion and garbage collection: images can be deleted and the space they occupied reclaimed.

5. Graphical user interface: users can browse and search image repositories and manage projects through a browser.

6. Audit management: all operations on the image repository can be recorded and traced for auditing.

7. RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.

8. Relationship between Harbor and docker registry: Harbor essentially wraps docker registry and extends it with its own business logic.

3. The composition of Harbor

Harbor's architecture mainly consists of six components: Proxy, Registry, Core services, Database (harbor-db), Log collector (harbor-log) and Job services.

1. Proxy: an nginx front-end proxy. Harbor's Registry, UI, Token service and other components all sit behind the nginx reverse proxy, which forwards requests from browsers and docker clients to the different backend services.

2. Registry: responsible for storing Docker images and handling docker push/pull commands. Because access control is required (different users have different read and write permissions on images), the Registry points to a Token service and requires the user to carry a valid Token on every docker pull/push request. The Registry uses the public key to decrypt and verify the Token.

3. Core services: Harbor's core functions, mainly providing the following 3 services:

● UI (harbor-ui): provides a graphical interface to help users manage images on the Registry and authorize users.

● WebHook: to learn of status changes of images on the Registry in a timely manner, a Webhook is configured on the Registry that passes the status changes to the UI module.

● Token service: responsible for issuing a Token for each docker push/pull command based on the user's permissions. If a request from the docker client to the Registry does not carry a Token, it is redirected to the Token service; after obtaining the Token, the client repeats the request to the Registry.

4. Database (harbor-db): provides database services for the core services and stores user permissions, audit logs, Docker image grouping information and other data.

5. Job services: mainly used for image replication; local images can be synchronized to remote Harbor instances.

6. Log collector (harbor-log): collects the logs of the other components in one place.
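As an added example (not code from the original article or from the Harbor project), the Python below parses the Www-Authenticate challenge the Registry returns when a request carries no Token and builds the request the docker client then makes to the Token service, as described in items 2 and 3 above; the sample challenge, the realm path /service/token and the service name harbor-registry are constructed assumptions.

```python
import re
from urllib.parse import urlencode

# Constructed sample challenge (not captured from a real Harbor instance): what the
# Registry behind Harbor's nginx proxy answers when a docker pull arrives without a
# Token. The realm points at Harbor's Token service; the hostname is the article's.
SAMPLE_CHALLENGE = (
    'Bearer realm="http://192.168.116.70/service/token",'
    'service="harbor-registry",scope="repository:library/nginx:pull"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Split a Www-Authenticate: Bearer header into its quoted key=value parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    return dict(_PARAM_RE.findall(params))


def token_request_url(header: str) -> str:
    """URL the docker client calls on the Token service before retrying the Registry."""
    p = parse_bearer_challenge(header)
    query = {"service": p["service"]}
    if "scope" in p:  # absent for a bare GET /v2/ version check
        query["scope"] = p["scope"]
    return f'{p["realm"]}?{urlencode(query)}'


def parse_scope(scope: str) -> tuple:
    """repository:library/nginx:pull,push -> ('repository', 'library/nginx', ['pull', 'push'])."""
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return rtype, name, actions.split(",")


def realm_uses_tls(header: str) -> bool:
    """False when the Token service is reached over plain http (ui_url_protocol = http):
    the issued Token, and the user's password in the Basic header, cross the wire unencrypted."""
    return parse_bearer_challenge(header)["realm"].lower().startswith("https://")


if __name__ == "__main__":
    print(token_request_url(SAMPLE_CHALLENGE))
    print(parse_scope(parse_bearer_challenge(SAMPLE_CHALLENGE)["scope"]))
    print("token service over TLS:", realm_uses_tls(SAMPLE_CHALLENGE))
```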

Every component of Harbor is built as a Docker container, so Docker Compose is used to deploy it.

A total of 7 containers are run. You can view them by executing the docker-compose ps command in the directory where docker-compose.yml is located. Their names are: nginx, harbor-jobservice, harbor-ui, harbor-db, harbor-adminserver, registry and harbor-log.

Among them, harbor-adminserver is used mainly for back-end configuration data management and has few other functions. All data that harbor-ui operates on passes through harbor-adminserver as the configuration management center.

4. Deploy and configure Docker Harbor

First you need to install the Docker-Compose service

curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose   # only the execute bit is needed; chmod 777 would leave the binary world-writable

Deploy Harbor service

Harbor’s compressed package download address: https://github.com/goharbor/harbor/releases

wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
 
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

Modify the configuration file

# Edit the Harbor installation configuration file
vim /usr/local/harbor/harbor.cfg
# line 5: set to the Harbor server's IP address or domain name
hostname = 192.168.116.70
# line 59: the administrator's initial password; the default username/password is admin/Harbor12345
harbor_admin_password = Harbor12345

Add the local registry address to the Docker configuration file

The Harbor.cfg configuration file has two types of parameters: required and optional

(1) Required parameters

These parameters need to be set in the configuration file Harbor.cfg. If the user updates them and runs the install.sh script to reinstall Harbor, the parameters take effect. The specific parameters are as follows:

● hostname: used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine, such as 192.168.80.10 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname.

● ui_url_protocol: (http or https, default http) the protocol used to access the UI and the token/notification services. If Notary is enabled, this parameter must be https.

● max_job_workers: the number of image replication job threads.

● db_password: the password of the MySQL database root user used for db_auth.

● customize_crt: can be set to on or off, and is on by default. When it is on, the prepare script creates the private key and root certificate used to generate/verify registry tokens. Set it to off when the key and root certificate are provided by an external source.

● ssl_cert: the path of the SSL certificate; applies only when the protocol is set to https.

● secretkey_path: the path of the key used to encrypt or decrypt the remote registry password in a replication policy.

(2) Optional parameters

These parameters are optional to update, i.e. the user can leave them at their defaults and change them in the Web UI after Harbor starts. If they are set in Harbor.cfg, they take effect only when Harbor is started for the first time; later changes to them in Harbor.cfg are ignored.

Note: If you choose to set these parameters through the UI, be sure to do so immediately after starting Harbor. In particular, auth_mode must be set before registering or creating any new users in Harbor. Once there are users in the system (other than the default admin user), auth_mode cannot be modified. The specific parameters are as follows:

● email settings: Harbor needs these parameters to send "password reset" emails to users, and they are only needed when this feature is required. Note that SSL is not enabled on the connection by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE.

● harbor_admin_password: the administrator's initial password, which takes effect only when Harbor is started for the first time. Afterwards this setting is ignored and the administrator's password should be changed in the UI. Note that the default username/password is admin/Harbor12345.

● auth_mode: the authentication type used. By default it is db_auth, i.e. the credentials are stored in the database. For LDAP authentication, set it to ldap_auth.

● self_registration: enables/disables user self-registration. When disabled, new users can only be created by Admin users. Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.

● token_expiration: the expiration time (in minutes) of tokens created by the token service; the default is 30 minutes.

● project_creation_restriction: flag controlling which users may create projects. By default everyone can create a project. If it is set to "adminonly", only admins can create projects.

● verify_remote_cert: on or off, on by default. This flag determines whether Harbor verifies SSL/TLS certificates when communicating with remote registry instances. Setting it to off bypasses SSL/TLS verification, which is often used when the remote instance has a self-signed or untrusted certificate.

Additionally, Harbor stores images on the local file system by default. In a production environment, consider using another storage backend instead of the local file system, such as S3, OpenStack Swift, Ceph or other object stores; to do so, the common/templates/registry/config.yml file needs to be updated.

Harbor's default image storage path is the /data/registry directory, which is mapped to the /storage directory inside the docker container. This path is specified in docker-compose.yml and must be modified before running docker-compose up -d. If you want to store Docker images on another disk path, modify this parameter.
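An added example, not from the article or from Harbor itself: a small Python audit that reads harbor.cfg-style key = value lines and flags the settings discussed above that weaken a deployment (default admin password, plain http, open self-registration, unrestricted project creation, disabled remote certificate verification). The sample configuration is constructed; its values are the defaults the text gives, with only hostname changed.

```python
# Constructed harbor.cfg fragment (not a real install), using only keys described above.
SAMPLE_CFG = """\
## Configuration file of Harbor (constructed sample)
hostname = 192.168.116.70
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = on
"""


def parse_harbor_cfg(text: str) -> dict:
    """Read the key = value lines of harbor.cfg, skipping blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_harbor_cfg(cfg: dict) -> list:
    """One finding per weak setting; Harbor's documented defaults apply where a key is absent."""
    findings = []
    if cfg.get("harbor_admin_password") == "Harbor12345":
        findings.append("harbor_admin_password is the documented default; it is only "
                        "honoured on first start, so change it before install.sh")
    if cfg.get("ui_url_protocol", "http") == "http":
        findings.append("ui_url_protocol = http: logins and tokens cross the wire in "
                        "clear text; set https and ssl_cert")
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append("hostname must be the server IP or FQDN, not localhost/127.0.0.1")
    if cfg.get("verify_remote_cert", "on") == "off":
        findings.append("verify_remote_cert = off: replication trusts any remote certificate")
    if cfg.get("auth_mode", "db_auth") == "db_auth" and cfg.get("self_registration", "on") == "on":
        findings.append("self_registration = on: anyone reaching the UI can create an account")
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        findings.append("project_creation_restriction lets every user create projects")
    return findings


if __name__ == "__main__":
    for finding in audit_harbor_cfg(parse_harbor_cfg(SAMPLE_CFG)):
        print("-", finding)
```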

Start harbor

Execute the prepare script first, then the install.sh script.

Checking status, starting, stopping and restarting all use the docker-compose command

docker-compose ps #View status

docker-compose up -d #Start

docker-compose stop #Stop

docker-compose restart #Restart

Use the Harbor registry

Use a browser to access the local IP and log in using the default username admin and password Harbor12345.

User Management

Create new user

Two ways to let the new user operate on images:

  • Promote the new user to the administrator role;
  • Add members to the specified project and specify their roles

Role             Permission description
Guest            Read-only access to the specified project
Developer        Read and write access to the specified project, but no delete permission
Maintainer       Read and write access to the specified project, plus other configuration such as creating Webhooks
Project admin    Read and write access plus management permissions such as user management and image scanning

Origin blog.csdn.net/Liu_Fang_Hong/article/details/132595549