Container security tools (1): Harbor

Harbor: 
  Harbor is an open-source, enterprise-class private Docker image registry. It wraps the standard Docker Registry and adds a web UI, user roles and access control, an audit log of user actions, and a Helm chart repository (backed by ChartMuseum) from which Kubernetes add-ons can be downloaded, managed and installed [Note: Helm is to Kubernetes roughly what yum is to a Linux distribution]. It also bundles two open-source security components: Notary, which plays a role similar to a private CA by signing image content, and Clair, a container vulnerability scanner that pulls the CVE data published by the major Linux distributions and checks every uploaded image for known vulnerabilities. For an enterprise private registry these two features matter a great deal.
 Supplementary:
  Nexus is a Maven repository manager. If you use Maven you can download the components (artifacts) you need straight from Maven Central, but that is usually bad practice: you should run a Maven repository server locally that proxies the remote repository and keeps a local copy, saving bandwidth and time. Nexus meets exactly that need. It also offers powerful repository management and artifact search, is REST-based with a friendly ExtJS REST client as its UI, uses little memory, and stores data on a plain file system rather than in a database. These advantages have made it the most popular Maven repository manager.

     Notary is a project that lets anyone have trust over arbitrary collections of data. It consists of a server and a client, which together perform the signing and verification needed for trusted interaction. Its goal is to let people publish and verify content easily and so make the Internet more secure. We usually rely on TLS to protect the connection to a web server, but that alone is not enough: once the server is compromised, malicious content can be substituted for legitimate content. With Notary, a publisher signs its content with keys it keeps highly secure. Once the content is ready, the publisher pushes the signed trusted collection to a Notary server. A consumer obtains the publisher's public key over a secure channel and can then talk to any Notary server or (untrusted) mirror, relying only on the publisher's key to decide whether the received content is valid and intact. Notary is built on The Update Framework (TUF), a general design for securely distributing and updating software.

  Clair:
   Reference:  https://blog.csdn.net/liumiaocn/article/details/76697022
   Clair scans the layers of a container image and reports the vulnerabilities it finds. Its data comes from the Common Vulnerabilities and Exposures (CVE) databases: each Linux distribution publishes its own CVE feed, and Clair matches the packages found in each layer against those feeds to decide whether a known vulnerability is present, for example HeartBleed, CVE-2014-0160. 
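   To make the matching step concrete, here is an added example (not Clair's own code) of the core check Clair performs: collapse the image layers into the package set that is actually present, then compare each installed version against the fixed version in the distribution's feed. FEED and LAYERS are constructed sample data; CVE-2014-0160 is the HeartBleed example from the text, its fixed_in value is illustrative, CVE-0000-0000 is a placeholder for an advisory with no published fix, and version_lt is a simplified approximation of dpkg/apk version ordering.

```python
"""Clair-style matching of image packages against a CVE feed.

Added example, not Clair's own code. FEED and LAYERS are constructed inline:
CVE-2014-0160 (HeartBleed) is the example from the text, its fixed_in value
is illustrative, and CVE-0000-0000 is a placeholder for an advisory that has
no fixed version yet. Real Clair pulls per-distribution feeds and walks the
layers of the image it is given.
"""
import re
from dataclasses import dataclass

# (distribution, package) -> advisories; fixed_in == "" means no fix published.
FEED = {
    ("debian:8", "openssl"): [
        {"cve": "CVE-2014-0160", "severity": "High", "fixed_in": "1.0.1g-1"},
    ],
    ("debian:8", "examplelib"): [
        {"cve": "CVE-0000-0000", "severity": "Medium", "fixed_in": ""},
    ],
}

# Image layers bottom to top: (layer id, packages installed or changed in it).
LAYERS = [
    ("sha256:base", {"openssl": "1.0.1e-2", "examplelib": "2.1"}),
    ("sha256:app", {"openssl": "1.0.1g-1"}),   # an upper layer upgrades openssl
]


@dataclass
class Finding:
    layer: str
    package: str
    version: str
    cve: str
    severity: str
    fixed_in: str


def _tokens(version):
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|\D+", version)]


def version_lt(a, b):
    """Approximation of dpkg/apk ordering: digit runs compare numerically,
    other runs lexically, and a string that is a prefix of the other sorts first."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        return str(x) < str(y)
    return len(ta) < len(tb)


def effective_packages(layers):
    """Collapse layers the way the final image filesystem does: a package
    version set in an upper layer replaces the one from a lower layer."""
    packages = {}
    for layer_id, pkgs in layers:
        for name, version in pkgs.items():
            packages[name] = (version, layer_id)
    return packages


def scan_layers(distro, layers, feed=FEED):
    """Return a Finding for every package whose effective version is older
    than the fixed version, or for which no fixed version exists."""
    findings = []
    for name, (version, layer_id) in effective_packages(layers).items():
        for adv in feed.get((distro, name), []):
            if adv["fixed_in"] == "" or version_lt(version, adv["fixed_in"]):
                findings.append(Finding(layer_id, name, version, adv["cve"],
                                        adv["severity"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for f in scan_layers("debian:8", LAYERS):
        print(f"{f.cve} {f.severity}: {f.package} {f.version} (layer {f.layer}),"
              f" fixed in {f.fixed_in or 'n/a'}")
```

   Scanning only the base layer reports HeartBleed; scanning the full image does not, because the upper layer's openssl upgrade supersedes the vulnerable package. Matching is per distribution: an image whose distribution has no feed entry produces no findings, which is silence, not safety.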


  Clair currently supports the following data sources: [listed in an image in the original post; not reproduced here]

 

HARBOR:
  Harbor is a private Docker registry builder provided by VMware, and it is very capable:
    1. Multi-tenant content signing and verification
    2. Security scanning and risk analysis
    3. Audit logging
    4. Role-based access control
    5. Extensible API and GUI
    6. Image replication between instances
    7. Good internationalization (at the time of writing, English and Chinese only)

 Harbor deployment:
  1. Download the Harbor release package from GitHub.
  2. Prepare the prerequisites:
    yum install docker-ce docker-compose

  3. Unpack it, then edit harbor.cfg first:
    vim harbor.cfg
      hostname = node1.test.com
      ui_url_protocol = http 
      max_job_workers = 3    #start 3 job workers for user uploads and downloads; on a 4-core host 3 is a good value
      admiral_url = NA      #NA: no custom management (Admiral) URL
      harbor_admin_password = Harbor12345    #the default admin password; change it before running the installer

      #by default Harbor starts its own database container (MySQL in older releases) and sets its root password to root123
      #note: from Harbor v1.7.5 onward the default database is PostgreSQL
      db_password = root123
      #to use an external database instead, point the following parameter at its address
      db_host = postgresql

      #when installing with --with-clair, also change Clair's database password and the Redis password, since Clair uses Redis
      clair_db_password = root123


  4. Run install.sh. To enable Harbor's optional components, see install.sh --help.
    When installation finishes it prints the address at which Harbor is reachable; open that address in a browser.

  5. Open Harbor and test uploading an image.
  5.1 Before pushing an image, log in to the Harbor web UI and create a project. A project corresponds to a team in a company: each team manages its own images inside its project, so when the project is no longer needed it can simply be deleted.

  5.2 Then, from a Docker client, log in to the Harbor registry and try pushing an image.
  5.2.1 Because plain HTTP is used here, the Docker daemon's start-up parameters must be changed:
    vim /usr/lib/systemd/system/docker.service
      ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --selinux-enabled=false --insecure-registry 192.168.10.154
    #if SELinux is not in use it can be disabled here
    #--insecure-registry marks a registry as insecure, here the internal Harbor address 192.168.10.154; Docker then accepts plain HTTP
    # (and untrusted certificates) for it, so the login credentials and every image layer cross the network unprotected.
    # Use this only on a trusted lab network; prefer the HTTPS setup below. The same setting can also be placed in
    # /etc/docker/daemon.json as "insecure-registries".
    # repeat --insecure-registry for multiple registries
    # after editing the unit file run: systemctl daemon-reload && systemctl restart docker

  5.2.2 Test pushing an image
    ~]# docker login http://192.168.10.154
    Authenticating with existing credentials...
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json. #note: after a successful login the username and password are saved in config.json, base64-encoded but not encrypted
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded

    ~]# docker push 192.168.10.154/test1/nginx-alpine:v1    #this pushes the image to Harbor (tag it first with: docker tag <image> 192.168.10.154/test1/nginx-alpine:v1)
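    The warning above is worth taking seriously: the "auth" value that docker login writes to config.json is just base64(user:password), so anyone who can read the file has the registry password. The following added example (not part of the original post or of Docker) audits a config.json and reports, per registry, whether the credential is stored in plaintext, handled by a credential helper, or by a credential store. SAMPLE_CONFIG is constructed; the credHelpers entry assumes docker-credential-pass is installed, and the default-password flag only knows Harbor's shipped default.

```python
"""Audit a Docker client config.json for credentials stored in plaintext.

Added example, not part of the original post or of Docker. After
`docker login` without a credential helper, config.json holds
base64(user:password) under "auths": encoding, not encryption, so anyone who
can read the file has the password. SAMPLE_CONFIG is constructed; the
credHelpers entry assumes docker-credential-pass is installed.
"""
import base64
import json

HARBOR_DEFAULT_PASSWORD = "Harbor12345"   # Harbor's shipped admin password

SAMPLE_CONFIG = json.dumps({
    "auths": {
        "192.168.10.154": {"auth": base64.b64encode(b"admin:Harbor12345").decode()},
        "harbor.zcf.com": {},   # empty entry: handled by the helper below
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"alice:s3cret").decode()},
    },
    "credHelpers": {"harbor.zcf.com": "pass"},
})


def audit_config(text):
    """Return one dict per registry in "auths" describing where its credential
    lives; plaintext entries also carry the username and a default-password flag."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")
    report = []
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if auth:
            user, _, password = base64.b64decode(auth).decode().partition(":")
            report.append({"registry": registry, "storage": "plaintext", "user": user,
                           "default_password": password == HARBOR_DEFAULT_PASSWORD})
        elif registry in helpers:
            report.append({"registry": registry, "storage": "helper:" + helpers[registry]})
        elif store:
            report.append({"registry": registry, "storage": "store:" + store})
        else:
            report.append({"registry": registry, "storage": "none"})
    return report


def plaintext_registries(text):
    """Registries whose password is recoverable straight from config.json."""
    return [r["registry"] for r in audit_config(text) if r["storage"] == "plaintext"]


if __name__ == "__main__":
    import os
    path = os.path.expanduser("~/.docker/config.json")
    text = open(path).read() if os.path.exists(path) else SAMPLE_CONFIG
    for row in audit_config(text):
        print(row)
```

    Run without arguments it reads your own ~/.docker/config.json when present and falls back to the sample otherwise. Any registry reported as "plaintext" should be re-logged-in after configuring a credential helper, and the file itself should stay mode 0600.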

  6. Look at docker-compose.yml yourself; it is what install.sh actually runs through docker-compose.
    docker-compose   
     #when run, the command looks for docker-compose.yml in the current directory and, if found, uses the definitions in it
     #to decide where to pull images from, which container to start first, which volumes each container mounts, and so on.

    If something goes wrong while configuring Harbor, check the log files under /var/log/harbor.
    I usually look at them like this:
      tail -f /var/log/harbor/*.log

  Configuring HTTPS for Harbor:
    1. Edit harbor.cfg
      hostname = harbor.zcf.com
      ui_url_protocol = https
      ssl_cert = /data/docker/certs/harbor.zcf.com.crt
      ssl_cert_key = /data/docker/certs/harbor.zcf.com.key
      harbor_admin_password = adminpass

    2. Create the certificate and put it in the directory defined above. Its CN or subjectAltName must match the hostname configured above, otherwise clients will reject it.
      For testing you can use the certificate-generation script I wrote in shell:
       https://github.com/zhang75656/shell-tools/blob/master/gencret.sh
       chmod +x  gencret.sh
       ./gencret.sh  --help     #shows the usage; openssl must be installed first
    3. Run ./install.sh again and the Harbor server is ready.
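    Both harbor.cfg variants above (the HTTP one in the deployment walkthrough and the HTTPS one here) are easy to get subtly wrong before install.sh has been run, so here is an added example (not part of the original post or of the Harbor project) of a small pre-install lint for the old-style harbor.cfg. WEAK_CFG reproduces the HTTP configuration from the walkthrough and STRONG_CFG the HTTPS one; both are constructed inline, the database passwords in STRONG_CFG are placeholders, and certificate paths are checked through an injectable file_exists so the block also runs on a host without Harbor.

```python
"""Pre-install lint for an old-style (pre-1.8) harbor.cfg.

Added example, not part of the original post or of the Harbor project.
WEAK_CFG reproduces the HTTP configuration from the deployment walkthrough
and STRONG_CFG the HTTPS one; both are constructed inline and the database
passwords in STRONG_CFG are placeholders. Certificate paths are checked
through an injectable `file_exists` so the block also runs without Harbor.
"""
import os

DEFAULT_ADMIN_PASSWORD = "Harbor12345"   # Harbor's shipped default
DEFAULT_DB_PASSWORD = "root123"          # default used in the sample config

WEAK_CFG = """\
hostname = node1.test.com
ui_url_protocol = http
max_job_workers = 3
admiral_url = NA
harbor_admin_password = Harbor12345
db_password = root123
db_host = postgresql
clair_db_password = root123
"""

STRONG_CFG = """\
hostname = harbor.zcf.com
ui_url_protocol = https
ssl_cert = /data/docker/certs/harbor.zcf.com.crt
ssl_cert_key = /data/docker/certs/harbor.zcf.com.key
harbor_admin_password = adminpass
db_password = placeholder-db-secret
clair_db_password = placeholder-clair-secret
"""


def parse_cfg(text):
    """Parse `key = value` lines; blank lines and `#` comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def lint_harbor_cfg(text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the config passed."""
    cfg = parse_cfg(text)
    findings = []
    # Harbor's install guide: hostname must be reachable by external clients.
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append("hostname must be the name or IP clients will use, not localhost")
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append("ui_url_protocol=http: docker login credentials and image layers "
                        "cross the network in plaintext; set https")
    else:
        for key in ("ssl_cert", "ssl_cert_key"):
            path = cfg.get(key, "")
            if not path or not file_exists(path):
                findings.append(f"{key} missing or file not found: {path!r}")
    if cfg.get("harbor_admin_password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the shipped default; change it before install")
    for key in ("db_password", "clair_db_password"):
        if cfg.get(key) == DEFAULT_DB_PASSWORD:
            findings.append(f"{key} is the sample default {DEFAULT_DB_PASSWORD!r}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CFG
    for finding in lint_harbor_cfg(text):
        print("FAIL:", finding)
```

    Run it as `python3 lint_harbor_cfg.py harbor.cfg` before install.sh; the HTTP walkthrough config produces four findings, the HTTPS config none once the certificate and key are in place.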

  Harbor client configuration:
    1. Create a certificate directory under the Docker configuration directory.
      #note: this directory holds the Harbor server's certificate.
      # docker login harbor.zcf.com 
      # when the command above logs in to Harbor, Docker by default looks under /etc/docker/certs.d/ for a directory named harbor.zcf.com and checks whether it contains a usable certificate.
      # so scp the certificate from the Harbor server into this directory on the Docker client; for a self-signed certificate name it ca.crt.
     mkdir /etc/docker/certs.d/harbor.zcf.com
 

Reference systemd unit for managing Harbor through systemd (systemd does not accept comments after a directive on the same line, so the notes are on their own lines):

[Unit]
Description=Harbor Docker Compose container starter
After=docker.service network-online.target
Requires=docker.service network-online.target

[Service]
# replace [path_to_harbor] with the Harbor installation directory
WorkingDirectory=/[path_to_harbor]
Type=oneshot
RemainAfterExit=yes

# confirm that this is the docker-compose path on your system (it may be /usr/local/bin/docker-compose)
ExecStart=/usr/bin/docker-compose up -d
ExecStop=/usr/bin/docker-compose down
ExecReload=/usr/bin/docker-compose up -d

[Install]
WantedBy=multi-user.target



Origin blog.51cto.com/zhaoshilei/2475475