I. Harbor Overview
1. Introduction to Harbor
GitHub address: https://github.com/goharbor/harbor
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing.
Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open source Docker Distribution with the features some companies need, such as security and identity management. As a private enterprise Registry, Harbor provides better performance and security, and having the Registry close to the build and runtime environment improves the efficiency of transferring images. Harbor supports replicating image resources across multiple Registry nodes, so that all images are kept in a private Registry and data and intellectual property stay under the management and control of the company's internal network. In addition, Harbor provides advanced security features such as user management, access control and activity auditing.
2. Component Architecture Diagram
Harbor's architecture consists mainly of six components:
- Proxy: Harbor's registry, UI, token and other services sit behind a unified reverse proxy that receives requests from browsers and the Docker client and forwards them to the different back-end services.
- Registry: responsible for storing Docker images and handling docker push / pull commands. Because we want access control, that is, different users having different read and write permissions on Docker images, Registry points to a token service and requires every docker pull / push request to carry a valid token; Registry verifies the token by decrypting it with the public key.
- Core Services: the core functionality of Harbor, offering the following services:
  - UI: provides a graphical interface that helps users manage the images on the registry and authorize users.
  - webhook: to learn about image state changes in the registry promptly, a webhook is configured on Registry that passes each state change on to the UI module.
  - token service: responsible for issuing a token for each docker push / pull command according to the user's permissions. If a request the Docker client sends to Registry carries no token, it is redirected here, and after obtaining a token the request is re-issued to Registry.
- Database: provides database services to the core services and is responsible for storing user permissions, audit logs, Docker image grouping information and other data.
- Job Services: provides remote image replication, which can synchronize local images to other Harbor instances.
- Log Collector: to help monitor Harbor's operation, it collects the logs of the other components for later analysis.
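An added example (not code from this page or from the Harbor project) showing the client side of the token flow described above in Python: parsing the Bearer challenge that Registry returns, building the token-service URL, and reading the access claims of the token it issues. The challenge values, the sample claims and the make_sample_token helper are constructed assumptions; signature verification, which Registry performs with the token service's public key, is deliberately not done here.

```python
import base64
import json
import re
from urllib.parse import urlencode
# Constructed sample of the 401 challenge a Harbor-fronted Registry returns to an
# unauthenticated pull; realm/service/scope are illustrative, not from a real host.
CHALLENGE = ('Bearer realm="https://192.168.100.156/service/token",'
             'service="harbor-registry",scope="repository:kubernetes/nginx:pull"')

def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its realm/service/scope fields."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def build_token_url(challenge):
    """URL the Docker client fetches a token from before retrying the Registry request."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims, alg="RS256"):
    """Constructed JWT with a dummy signature so the flow can be exercised offline."""
    return ".".join([_b64url({"alg": alg, "typ": "JWT"}), _b64url(claims), "dummysig"])

def decode_jwt_claims(token):
    """Claims of a Registry token. The signature is NOT verified here: Registry does
    that with the token service's public key. This only reads what the token claims
    to grant, which is what you inspect when a push is unexpectedly denied."""
    header, payload, _sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg", "none") == "none":
        raise ValueError("unsigned token: Registry rejects these")
    return json.loads(_b64url_decode(payload))

def token_grants(claims, repository, action):
    """True if an access claim allows `action` (pull or push) on `repository`."""
    return any(g.get("type") == "repository" and g.get("name") == repository
               and action in g.get("actions", []) for g in claims.get("access", []))
# Constructed claims: user "test" holding pull-only access to kubernetes/nginx.
SAMPLE_CLAIMS = {"sub": "test", "aud": "harbor-registry", "access": [
    {"type": "repository", "name": "kubernetes/nginx", "actions": ["pull"]}]}
```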
3. Harbor Implementation
Each Harbor component is built as a Docker container, and Harbor is deployed with the official Docker Compose. The Docker Compose template used to deploy Harbor is located at harbor/docker-compose.yml; opening the template file shows that Harbor consists of 7 containers:
```
# docker-compose ps
       Name                     Command               State                                  Ports
------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f ...    Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp
```
- nginx: responsible for traffic forwarding and security checks. All traffic offered to the outside passes through nginx, so it opens the HTTPS port 443 and distributes the traffic to the back-end ui and to the docker registry that stores the images.
- harbor-jobservice: Harbor's job management module; the main job in Harbor is synchronizing images to a previously configured image repository.
- harbor-ui: Harbor's web management page, consisting of a front-end page and a back-end CRUD interface.
- registry: the primary Docker repository, responsible for saving images.
- harbor-adminserver: Harbor's system management interface, through which the system configuration can be modified and system information obtained.
- harbor-db: Harbor's database, which stores the project, personnel and permission management data. Since Harbor also authenticates against this data, enterprises in production mostly connect it to LDAP.
- harbor-log: Harbor's log service, which manages Harbor's logs uniformly. Using docker inspect you can see that the containers' logs are all sent through the syslog driver.
- These containers are connected together through Docker links, so that the containers can reach each other by container name. For end users, only the proxy (i.e., Nginx) service port needs to be exposed.
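As an added example (not part of the original page), a small Python check over the docker-compose ps listing above that enforces the last point: every Harbor container is Up, and only the proxy publishes ports off the host. The sample listing is constructed from the page's output, and the proxy container name nginx is taken from it.

```python
import re

# Constructed sample: the data rows of the `docker-compose ps` listing shown above
# (header lines omitted), as this page's Harbor 1.x deployment printed them.
COMPOSE_PS = """\
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f ...    Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp
"""

ROW_RE = re.compile(r"(\S+)\s+(.*?)\s{2,}(Up|Exit \d+)\s*(.*)$")
# host:hostport->containerport/proto, or a bare containerport/proto for EXPOSE-only ports
PORT_RE = re.compile(r"(?:(?P<host>[\d.]+):(?P<hport>\d+)->)?(?P<cport>\d+)/(?P<proto>\w+)")

def parse_compose_ps(text):
    """Return {container: (state, [port dicts])}. A port dict whose host is None is an
    EXPOSE-only port reachable just on the compose network, not from the host."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, _cmd, state, ports = m.groups()
            rows[name] = (state, [p.groupdict() for p in PORT_RE.finditer(ports)])
    return rows

def check_exposure(rows, proxy="nginx"):
    """Findings that break the rule 'only the proxy is exposed to end users':
    a container that is not Up, or a non-proxy container publishing a port on a
    non-loopback address (loopback bindings such as harbor-log's 1514 are fine)."""
    findings = []
    for name, (state, ports) in rows.items():
        if state != "Up":
            findings.append(f"{name}: state {state}")
        for p in ports:
            host = p["host"]
            if host and not host.startswith("127.") and name != proxy:
                findings.append(f"{name}: port {p['hport']}/{p['proto']} published on {host}")
    return findings
```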
II. Installing and Configuring a Harbor High-Availability Architecture
1. Environment Description
| Environment item | Version |
| --- | --- |
| System version | CentOS Linux release 7.6.1810 (Core) |
| docker version | 18.09.7-ce |
| docker-compose | v1.18.0 |
| Harbor | v1.8.0 |
| Installation method | Offline installation |
| Installation location | |
Server information
| Host name | IP address | Role | CPU | Memory |
| --- | --- | --- | --- | --- |
| master | 192.168.100.156 | master | >=2 | >=2G |
| node01 | 192.168.100.157 | worker | >=2 | >=2G |
| node02 | 192.168.100.158 | worker | >=2 | >=2G |
2. Install docker
For the docker installation, refer to the blog post: https://www.cnblogs.com/liangyuntao-ts/p/10657009.html
3. Install docker-compose v1.18.0
```
$ yum install -y docker-compose
$ docker-compose --version
docker-compose version 1.18.0, build 8dd22a9
```
4. Offline installation of Harbor v1.8.0
Download address: https://github.com/goharbor/harbor/releases
You can also download it from my netdisk: https://pan.baidu.com/s/1qazfH-9DPeMe-ofIxlEhLw
Extraction code: l540
```
$ tar -xvf harbor-offline-installer-v1.8.0.tgz
$ cd harbor
$ vim harbor.yml
hostname: 192.168.100.156   # change to this machine's IP; since this is a high-availability setup, load balancing is done by IP
$ cd /home/harbor
$ sh install.sh
```
Part of the output:
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.100.156.
For more details, please visit https://github.com/goharbor/harbor .
5. Log in from the browser at http://192.168.100.156
Username: admin  Password: Harbor12345
6. Deploy nginx on master
```
$ mkdir nginx && cd nginx
$ docker pull nginx:1.13.12
```
Troubleshooting: pulling the image reported an error:
```
[root@master nginx]# docker pull nginx:1.13.12
Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
```
Solution:
1) Create the daemon.json file: vim /etc/docker/daemon.json
2) Write into it:
```
{ "registry-mirrors":["https://docker.mirrors.ustc.edu.cn"] }
```
3) Restart:
```
[root@km docker]# systemctl daemon-reload
[root@km docker]# systemctl restart docker
```
4) Perfectly solved.
The fix above is quoted from: author 那记忆微凉, source CSDN, original post https://blog.csdn.net/BigData_Mining/article/details/86769696. Copyright notice: this is the blogger's original article; please attach the link to the post when reposting!
7. Write the nginx configuration file nginx.conf
```
$ vim nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
stream {
    upstream hub {
        server 192.168.100.156:80;
    }
    server {
        listen 80;
        proxy_pass hub;
        proxy_timeout 300s;
        proxy_connect_timeout 5s;
    }
}
```
8. Write the Nginx restart script
```
$ vim restart.sh
#!/bin/bash
# stop and remove the previous proxy container (the one started below as harbornginx), then start a fresh one
docker stop harbornginx
docker rm harbornginx
docker run -idt --net=host --name harbornginx -v /home/nginx/nginx.conf:/etc/nginx/nginx.conf nginx:1.13.12
$ sh restart.sh
```
9. Bind the host entry on your local computer so that the registry can be accessed by domain name
192.168.100.150 harbor.test.com
III. Set Up Harbor Master-Master Replication
IV. Testing
Create a project named kubernetes, then create another user such as test and add that user to the project as a Developer so that it has permission to push images.
```
$ docker tag nginx:1.13.12 hub.test.com/kubernetes/nginx:1.13.12   # tag the image with our own label
$ vim /etc/hosts
192.168.100.150 harbor.test.com
```
Ran into a fault that could not be cleared:
```
[root@master nginx]# docker login harbor.test.com
Username: test
Password:
Error response from daemon: Get https://harbor.test.com/v2/: dial tcp 192.168.100.150:443: connect: connection refused
```
Solution:
```
$ vim /usr/lib/systemd/system/docker.service
```
Add the following:
```
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=192.168.100.156
```
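As an added example, not from the page or the Harbor project: a Python audit of the two places this page configures the Docker daemon, the daemon.json written in step 6 (registry mirrors) and the ExecStart flag added above (--insecure-registry). It lists the registries the daemon will contact without TLS verification, which is what --insecure-registry permits, and warns when the same directive appears in both places, because dockerd refuses to start on that conflict. The config strings are constructed from the page's values, and the certs.d hint names Docker's standard per-registry CA location.

```python
import json
import shlex

# Constructed inputs mirroring this page: the daemon.json written in step 6 and the
# ExecStart line added to docker.service above.
DAEMON_JSON = '{ "registry-mirrors":["https://docker.mirrors.ustc.edu.cn"] }'
EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=192.168.100.156"

# dockerd flags that may repeat, mapped to their daemon.json keys.
FLAG_TO_KEY = {"--insecure-registry": "insecure-registries",
               "--registry-mirror": "registry-mirrors"}

def parse_execstart(line):
    """Collect --flag=value and --flag value occurrences from an ExecStart line."""
    _, _, cmd = line.partition("=")
    argv = shlex.split(cmd)[1:]  # drop the dockerd binary itself
    found = {}
    i = 0
    while i < len(argv):
        flag, eq, value = argv[i].partition("=")
        if flag in FLAG_TO_KEY:
            if not eq:  # "--flag value" form: the value is the next argument
                i += 1
                value = argv[i] if i < len(argv) else ""
            found.setdefault(FLAG_TO_KEY[flag], []).append(value)
        i += 1
    return found

def registry_trust(daemon_json_text, execstart_line):
    """Merge both config sources and report what an auditor wants to know: dockerd
    refuses to start if a directive is set in both places, and each insecure
    registry is one the daemon will talk to over plain HTTP or unverified TLS."""
    from_file = json.loads(daemon_json_text)
    from_flags = parse_execstart(execstart_line)
    report = {"findings": []}
    for key in FLAG_TO_KEY.values():
        if key in from_file and key in from_flags:
            report["findings"].append(f"{key} set in both daemon.json and ExecStart: dockerd will not start")
        report[key] = list(from_file.get(key, [])) + from_flags.get(key, [])
    for reg in report["insecure-registries"]:
        report["findings"].append(f"{reg}: TLS verification disabled; prefer its CA in /etc/docker/certs.d/{reg}/ca.crt")
    return report
```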