In the actual production operation and maintenance, often we need to publish the image on dozens, hundreds or more nodes. This time on a single host Docker image has been unable to meet, more and more projects, mirror on more and more, are put on a Docker host is not enough, we need a system like Git repository as a mirror to unified management. Presented here is an enterprise-class warehouse mirror Harbor, it will serve as a mirror of our container warehouse center cloud platform.
Habor by VMWare company is open source container warehouse mirror. In fact, Habor on Docker Registry is a corresponding enterprise-class scalability, to obtain a more widely used, these new enterprise-class features include: management user interface, role-based access control, AD / LDAP integration, and audit logs etc., sufficient to meet basic business needs.
Official Address: https://vmware.github.io
Github:https://github.com/goharbor/harbor
1, Harbor main function
-
Role-based access control (RBAC)
In the enterprise, often have different development teams responsible for different projects, like a mirror, like the code, the role of the different needs of each person is different, so you need access control, assign the appropriate permissions based on roles.
For example, developers need to build the project which is used to read and write permissions (push / pull), the test need only read access (pull), operation and maintenance of general administrative image storage, with the ability to assign permissions, the project manager has all rights. -
Mirroring
Warehouse image can be synchronized to the remote Harbor, similar to the master-slave synchronization MySQL.
-
LDAP
Harbor supports LDAP authentication, you can easily access existing LDAP.
-
Mirroring and space reclamation delete
Harbor remove the mirror support in the Web, recycling unwanted mirror, free up disk space.
-
Graphic page management
Users are search terms mirror and project management.
-
audit
All operations of the warehouse has been recorded.
-
REST API
Complete API, easy to integrate with the outside.
2, Harbor Components
| Package | Features |
| harbor-adminserver | Configuration Management Center |
| harbor-db | Mysql数据库 |
| harbor-jobservice | 负责镜像复制 |
| harbor-log | 记录操作日志 |
| harbor-ui | Web管理页面和API |
| nginx | 前端代理,负责前端页面和镜像上传/下载转发 |
| redis | 会话 |
| registry | 镜像存储 |
3、Harbor部署
环境要求:
Harbor安装有3种方式:
-
在线安装:从Docker Hub下载Harbor相关镜像,因此安装软件包非常小
-
离线安装:安装包包含部署的相关镜像,因此安装包比较大
-
OVA安装程序:当用户具有vCenter环境时,使用此安装程序,在部署OVA后启动Harbor
我们采用离线安装,首先下载离线安装包:https://github.com/vmware/harbor/releases
HTTP方式部署
基本配置:
准备配置文件:
# ./prepare
安装并启动Harbor:
# ./install.sh
查看运行状态:
部署完成,是不是很简单呢!
如果有非Up状态,先看日志:
# ls /var/log/harbor/
adminserver.log jobservice.log mysql.log proxy.log redis.log registry.log ui.log
HTTPS方式部署:
如果想以https加密方式提供服务可以参考这个免费的视频教程:https://ke.qq.com/course/311382
或者参考官方文档:https://github.com/vmware/harbor/blob/master/docs/configure_https.md
4、登录Web页面
浏览器输入:http://10.206.240.188
账号:admin
密码:Harbor12345
这里有4个项目,library是默认自带的,通常用这个存储一些公共的镜像,这个项目下镜像谁都可以pull,但不能push,push需要先登录。其他3个项目是我自己创建的,请忽略。
5、library项目赋予新用户push权限
先创建一个用户:
进入library项目,将用户加入这个成员:
这样lizhenliang用户就具备了对这个library项目的push权限。
注:创建新项目赋予用户权限同等方式。
7、上传镜像
接下来将刚才构建的镜像推送到Harbor仓库,先看看我们要推送的镜像:
在推送之前,需要注意第一列,这个完整格式是:
如果镜像只放在本地存储REPOSITORY写什么都可以,但推送到镜像仓库就必须指定仓库中心地址。
所以,先打重命名REPOSITORY,其实就是引用源镜像标记了一个目标镜像:
访问拒绝,刚说过,push需先登录:
8、下载镜像
其他Docker主机怎么下载刚推送的镜像呢?
由于我们搭建的Harbor是以HTTP提供服务的,而Docker CLI默认以HTTPS 访问仓库,所以要先配置可信任,否则pull镜像仓库失败。如果是HTTPS提供服务就不用配置这一步了。
pull的地址跟push时是一样的。
说说