Harbor basics

Harbor:
  Harbor is an open-source, enterprise-class private Docker image registry. It wraps the plain Docker Registry and adds a web UI, user roles and permission management, and an audit log of user actions. It also integrates with Kubernetes add-ons: it can act as a Helm chart repository (download, manage and install charts), with chartmuseum providing the chart storage backend. [Note: Helm is roughly to Kubernetes what yum is to a Linux host.] Two open-source security components are bundled as well: Notary and Clair. Notary provides content trust, i.e. publishers sign their images and clients verify those signatures before trusting a pull, and Clair is a container vulnerability scanner that pulls CVE data from the distributions' security feeds and reports known vulnerabilities in the layers of the images users push. For an enterprise private registry both features are very valuable.
 Supplementary:
  Nexus is a Maven repository manager. If you use Maven you can download the components (artifacts) you need straight from Maven Central, but that is usually not good practice: you should set up a Maven repository server locally that proxies the remote repository and also hosts local repositories, saving bandwidth and time. Nexus meets exactly this need. In addition it provides powerful repository management and artifact search; it is REST-based, its UI is an ExtJS REST client, it uses little memory, and it stores artifacts on a plain file system rather than in a database. These advantages have made it the most popular Maven repository manager.

     Notary is a project that lets anyone have trust over arbitrary collections of data. It consists of a server and a client that interact to publish and verify trusted collections, with the aim of making it easy to publish and verify content and so make the Internet more secure. We usually rely on TLS to protect communication with a web server, but TLS alone is not enough: if the server is compromised, malicious content can be substituted for legitimate content and TLS will not notice. With Notary, publishers sign their content with highly secure keys that they keep themselves. Once the content is ready, they push the signed trusted collection to a Notary server. Consumers obtain the publisher's public key once over a secure channel, and can then talk to any Notary server or (untrusted) mirror, relying only on the publisher's key to determine the validity and integrity of what they receive. Notary is based on The Update Framework (TUF), a general design for secure software distribution and updates.

  Clair:
   Reference: https://blog.csdn.net/liumiaocn/article/details/76697022
   Clair scans container image layers and raises warnings for the vulnerabilities it finds. It works from Common Vulnerabilities and Exposures (CVE) data: each Linux distribution publishes its own CVE feed, and Clair matches the packages it detects in a layer against those feeds to decide whether a known vulnerability is present, for example Heartbleed, CVE-2014-0160.

  

  Clair currently supports the following data sources:

HARBOR:
  Harbor is a private Docker registry solution originally developed by VMware, and it is very capable:
    1. Multi-tenant content signing and validation
    2. Security scanning and vulnerability analysis of images
    3. Audit logging
    4. Role-based access control
    5. Extensible API and a graphical UI
    6. Image replication between Harbor instances
    7. Internationalization (currently only English and Chinese are available)

 Harbor Deployment:
  1. Download the installer package from the Harbor releases on GitHub.
  2. Prepare the prerequisites, Docker and docker-compose (docker-ce comes from Docker's own yum repository; docker-compose can also be installed as a standalone binary following the Docker documentation):
    yum install docker-ce docker-compose

  3. After unpacking, first edit harbor.cfg:
    vim harbor.cfg
      hostname = node1.test.com
      ui_url_protocol = http
      max_job_workers = 3     # number of worker processes in the job service; on a 4-core host, 3 is a reasonable value.
      admiral_url = NA        # NA: this registry is not managed through a VMware Admiral management portal.
      harbor_admin_password = Harbor12345   # the shipped default administrator password; change it before exposing the registry.

      # By default install.sh starts a database container for you, with the root password below (root123).
      # NOTE: from Harbor 1.7 onward the default database is PostgreSQL (earlier releases used MySQL).
      db_password = root123
      # To use an external database instead, point this at the external database's address.
      db_host = postgresql

      # If you install with --with-clair, also change the Clair database password (and the redis password, if you set one, since Clair needs redis).
      clair_db_password = root123


  4. Run ./install.sh. To enable optional Harbor components (for example --with-clair, --with-notary, --with-chartmuseum), see ./install.sh --help.
    When the installation finishes it prints the address at which Harbor is reachable; open it directly in a browser.

  5. Test that Harbor is up and that images can be pushed.
  5.1 Before pushing an image, log in to the Harbor web UI and create a project. A project corresponds to a team within the company: each team manages the images of its own projects separately, and when a project is no longer needed it can simply be deleted as a unit.

  5.2 Then log in to the Harbor registry from a Docker client and try to push an image.
  5.2.1 Because Harbor was configured for plain HTTP here (insecure), the Docker daemon's start-up parameters must be changed:
    vim /usr/lib/systemd/system/docker.service
      ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --selinux-enabled=false --insecure-registry 192.168.10.154
    # --selinux-enabled=false can be left out if SELinux is not in use.
    # --insecure-registry names a registry that may be reached over plain HTTP, or over HTTPS without certificate verification; here it is the Harbor address 192.168.10.154.
    # Repeat --insecure-registry for each additional registry. The same setting can be placed in /etc/docker/daemon.json under the "insecure-registries" key instead, which survives package upgrades that overwrite the unit file.
    # After editing the unit, run systemctl daemon-reload and restart docker for the change to take effect.

  5.2.2 Push a test image:
    ~]# docker login http://192.168.10.154
    Authenticating with existing credentials...
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded
    # Note: after a successful login the user name and password are saved in config.json (base64-encoded, not encrypted), so protect that file or use a credential helper.

    ~]# docker push 192.168.10.154/test1/nginx-alpine:v1     # pushes the image to the test1 project on Harbor; the image must first be tagged with the registry/project prefix.

  6. Look at docker-compose.yml: what install.sh actually ends up running is docker-compose.
    docker-compose
     # Run in the installation directory, docker-compose picks up the docker-compose.yml found there and, from the services defined in it,
     # works out which images to pull, which containers to start, and which volumes to mount.

    If something goes wrong while configuring Harbor, look at the log files under /var/log/harbor.
    I usually do this:
      tail -f /var/log/harbor/*.log

  Harbor configure HTTPS:
    1. Modify harbor.cfg:
      hostname = harbor.zcf.com
      ui_url_protocol = https
      ssl_cert = /data/docker/certs/harbor.zcf.com.crt
      ssl_cert_key = /data/docker/certs/harbor.zcf.com.key
      harbor_admin_password = adminpass

    2. Create the certificate and key and place them in the directory configured above. The certificate's subject or SAN must match the hostname clients use (harbor.zcf.com), and the key file should be readable by root only.
      For testing I use a shell script I wrote to generate certificates:
       https://github.com/zhang75656/shell-tools/blob/master/gencret.sh
       chmod +x gencret.sh
       ./gencret.sh --help     # shows the help; openssl must be installed for the script to work.
    3. Re-run ./install.sh and the Harbor server will serve HTTPS.
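Both the plain-HTTP deployment above and the HTTPS variant leave the security of the install to a handful of harbor.cfg values. The following shell script is an added example, not part of Harbor or of the original page: it parses a harbor.cfg and reports the weak settings this walkthrough mentions (plain HTTP, the shipped Harbor12345 and root123 defaults, missing or world-readable TLS files). The two sample configs it audits are constructed from the values on this page; the hardened variant's passwords are made up and its certificate and key are empty placeholder files, not real TLS material.

```shell
#!/bin/sh
# Added example (not Harbor's or the page's own code): audit a harbor.cfg for
# the weak defaults the walkthrough leaves in place.
# Assumptions: "key = value" lines with "#" comments, and shipped defaults of
# harbor_admin_password=Harbor12345 and db_password/clair_db_password=root123.

# cfg_get KEY FILE: print the value of KEY (first match), with any trailing
# "# comment" and whitespace stripped; prints nothing if KEY is absent.
cfg_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
        | head -n 1
}

# flag MESSAGE: report one finding on stderr (stdout carries only the count).
flag() {
    echo "WEAK: $1" >&2
}

# audit_harbor_cfg FILE: print the number of weak settings found.
audit_harbor_cfg() {
    cfg=$1
    n=0

    proto=$(cfg_get ui_url_protocol "$cfg")
    if [ "$proto" != "https" ]; then
        flag "ui_url_protocol=$proto: docker login sends credentials in clear text"
        n=$((n + 1))
    fi

    if [ "$(cfg_get harbor_admin_password "$cfg")" = "Harbor12345" ]; then
        flag "harbor_admin_password is the shipped default"
        n=$((n + 1))
    fi

    for key in db_password clair_db_password; do
        if [ "$(cfg_get "$key" "$cfg")" = "root123" ]; then
            flag "$key is the shipped default"
            n=$((n + 1))
        fi
    done

    if [ "$proto" = "https" ]; then
        cert=$(cfg_get ssl_cert "$cfg")
        key=$(cfg_get ssl_cert_key "$cfg")
        for f in "$cert" "$key"; do
            if [ ! -r "$f" ]; then
                flag "TLS file '$f' is missing or unreadable"
                n=$((n + 1))
            fi
        done
        # A private key readable by other users defeats the point of TLS.
        if [ -r "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
            flag "$key is world-readable"
            n=$((n + 1))
        fi
    fi

    echo "$n"
}

# Constructed sample configs; the values mirror this page's own walkthrough.
AUDIT_TMP=$(mktemp -d)

cat > "$AUDIT_TMP/weak.cfg" <<'EOF'
hostname = node1.test.com
ui_url_protocol = http
max_job_workers = 3   # three job workers
admiral_url = NA
harbor_admin_password = Harbor12345
db_password = root123
db_host = postgresql
clair_db_password = root123
EOF

# Hardened variant: https, non-default secrets, and TLS files that exist with
# sane permissions (empty placeholder files here, not real certificates).
: > "$AUDIT_TMP/harbor.zcf.com.crt"
: > "$AUDIT_TMP/harbor.zcf.com.key"
chmod 600 "$AUDIT_TMP/harbor.zcf.com.key"
cat > "$AUDIT_TMP/hardened.cfg" <<EOF
hostname = harbor.zcf.com
ui_url_protocol = https
ssl_cert = $AUDIT_TMP/harbor.zcf.com.crt
ssl_cert_key = $AUDIT_TMP/harbor.zcf.com.key
harbor_admin_password = Zq7vLp2Rt9Nw
db_password = 8f3c1a7e2b9d4c06
clair_db_password = 5e2d9b1c7a4f3e08
EOF

echo "weak.cfg:     $(audit_harbor_cfg "$AUDIT_TMP/weak.cfg") finding(s)"
echo "hardened.cfg: $(audit_harbor_cfg "$AUDIT_TMP/hardened.cfg") finding(s)"
```

Run it before ./install.sh (or before re-running it for HTTPS): the weak config from the walkthrough yields four findings, the hardened one none. The parser deliberately stops a value at the first "#", so keep passwords free of that character or the check will read a truncated value.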

  Harbor client configuration:
    1. Create a directory for the registry under Docker's certificate directory.
      # Note: this directory holds the CA certificate that signed the Harbor server certificate (for a self-signed server certificate, that certificate itself).
      # docker login harbor.zcf.com
      # When the command above is run, docker looks for trusted CA certificates (*.crt) under /etc/docker/certs.d/harbor.zcf.com/; the directory name must match the registry host, and port if one is used, exactly as it appears in the image reference.
      # So copy the certificate from the Harbor server (scp) into this directory on the client, e.g. as ca.crt.
     mkdir /etc/docker/certs.d/harbor.zcf.com
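The certs.d lookup described above is keyed on the exact registry host (and port) that appears in the image reference, so a trust anchor installed for harbor.zcf.com does nothing for harbor.zcf.com:443. The following shell functions are an added example, not Harbor's or the page's own code: they derive the registry host from an image reference the way Docker does (the first path component counts as a registry only if it contains a dot or a colon or is "localhost"), install a CA certificate into the matching certs.d directory, and check whether a reference would be trusted. DOCKER_CERTS_ROOT is an assumed variable; the demo points it at a temporary directory so the script runs unprivileged, and the CA file it installs is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not Harbor's or the page's own code): manage Docker's
# per-registry trust anchors under /etc/docker/certs.d/<host[:port]>/.
# DOCKER_CERTS_ROOT is an assumed override so the demo can use a temp dir.
DOCKER_CERTS_ROOT=${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}

# registry_host REF: print the registry host[:port] of an image reference.
# Docker treats the first path component as a registry only when it contains
# "." or ":" or is "localhost"; otherwise the image lives on Docker Hub and no
# certs.d directory applies, so nothing is printed.
registry_host() {
    case $1 in
        */*) first=${1%%/*} ;;
        *)   return 0 ;;            # no slash at all: a Docker Hub library image
    esac
    case $first in
        *.*|*:*|localhost) printf '%s\n' "$first" ;;
        *) ;;                       # e.g. "test1/nginx": a Docker Hub namespace
    esac
}

# install_registry_ca HOST CA_FILE: copy the CA certificate that signed the
# Harbor server certificate to $DOCKER_CERTS_ROOT/HOST/ca.crt. Docker loads
# every *.crt in that directory as a trust anchor for that registry only, so
# the system-wide trust store is left untouched.
install_registry_ca() {
    dir=$DOCKER_CERTS_ROOT/$1
    mkdir -p "$dir"
    cp "$2" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
}

# registry_trusted HOST: succeed if at least one *.crt trust anchor exists for
# HOST, fail otherwise.
registry_trusted() {
    for f in "$DOCKER_CERTS_ROOT/$1"/*.crt; do
        [ -r "$f" ] && return 0
    done
    return 1
}

# Constructed demo: a placeholder CA file (not a real certificate) installed
# under a temporary root for the registry used in this page's HTTPS section.
# Drop the DOCKER_CERTS_ROOT line below to operate on /etc/docker/certs.d as root.
DEMO_ROOT=$(mktemp -d)
DOCKER_CERTS_ROOT=$DEMO_ROOT/certs.d
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
    > "$DEMO_ROOT/harbor-ca.crt"

host=$(registry_host harbor.zcf.com/test1/nginx-alpine:v1)
install_registry_ca "$host" "$DEMO_ROOT/harbor-ca.crt"

for ref in harbor.zcf.com/test1/nginx-alpine:v1 harbor.zcf.com:443/test1/nginx-alpine:v1; do
    h=$(registry_host "$ref")
    if registry_trusted "$h"; then
        echo "$ref -> trusted via $DOCKER_CERTS_ROOT/$h/"
    else
        echo "$ref -> NOT trusted ($h has no certs.d entry)"
    fi
done
```

Once the CA is in place, remove the --insecure-registry entry for that host from the daemon configuration: while it is present, Docker will still accept the registry with an unverifiable certificate, so the trust anchor adds nothing.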
 

When Harbor is managed by systemd, a unit file like the following can be used as a reference (comments must be on their own lines; systemd does not accept a trailing comment after a value):

[Unit]
Description=Harbor docker-compose container starter
After=docker.service network-online.target
Requires=docker.service network-online.target

[Service]
# Replace with the Harbor installation directory (the one containing docker-compose.yml).
WorkingDirectory=/[path_to_harbor]
Type=oneshot
RemainAfterExit=yes

# Check that this matches the docker-compose path on your system (which docker-compose) and use the same path in all three Exec lines.
ExecStart=/usr/bin/docker-compose up -d
ExecStop=/usr/bin/docker-compose down
ExecReload=/usr/bin/docker-compose up -d

[Install]
WantedBy=multi-user.target

 

Origin www.cnblogs.com/wn1m/p/11284733.html