Deploying a Harbor registry
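Whether you build your own registry with Docker-distribution or by running the official registry image as a container, the earlier demonstrations show that the result is very bare-bones, and less convenient than simply managing images on the official Docker Hub. Docker Hub at least lets you manage and search images through a web interface, and it can build images automatically from a Dockerfile using Webhooks and Automated Builds: instead of running docker build locally, the user pushes all the files of the build context to GitHub as a repository, and Docker Hub pulls those files from GitHub to complete the automated build.
However powerful the official Docker Hub is, it is hosted overseas, so speed is the biggest bottleneck, and in many cases using the official registry is simply not an option. The two self-hosted approaches above are very bare-bones and hard to manage, which is why a project favored by the CNCF later emerged: Harbor.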
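Introduction to Harbor
Harbor was created by VMware as a second layer of packaging on top of Docker Registry, adding many extra programs and providing a very attractive web interface.
Project Harbor is an open source, trusted cloud native registry project that stores, signs, and scans content.
Harbor extends the open source Docker Distribution by adding the functionality users usually need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances.
Harbor features
Harbor's core function is storing and managing Artifacts
Access control: access control is a basic requirement when multiple users store Artifacts in the same registry, and it was one of the main features of early Harbor versions
Image signing: an image is essentially a packaged form of software; from a security perspective, developers need to ensure the integrity of the image content before deploying it
Image scanning: a container image packages code, software and the runtime environment it needs, and released software and the libraries it depends on may contain security vulnerabilities
Advanced management features: across its releases Harbor has also, based on community feedback, given administrators and users many advanced management features to support more complex scenarios, including Artifact replication policies, storage quota management, Tag retention policies (Artifact retention policies) and garbage collection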
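Docker Compose
Deploying Harbor directly on a physical machine is very difficult. To simplify this, the Harbor project ships Harbor as an application that runs in containers. Because it depends on many storage systems such as redis, mysql and pgsql, it needs many containers orchestrated to work together, so deploying and using VMware Harbor relies on Docker's single-host orchestration tool, Docker Compose.
Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from your configuration.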
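Deploying Harbor
Beforehand, go to the official Harbor documentation (https://github.com/goharbor/harbor) and download the harbor-offline-installer-v2.5.3 package, as follows:
Type harbor in the search box at the top left
Go to the official Docker Compose documentation (https://docs.docker.com/compose/) for the deployment steps
Start two machines, one as the client and one as the image registry host
client is the client, harbor is the image registry host
Make sure docker is available on both machines
Client: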
[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# bash
[root@client ~]# which docker
/usr/bin/docker
[root@client yum.repos.d]# ls
CentOS-Base.repo docker-ce.repo
[root@client yum.repos.d]# scp docker-ce.repo 192.168.222.251:/etc/yum.repos.d/
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password:
docker-ce.repo 100% 2261 1.0MB/s 00:00
//copy the client's docker repo file to the image registry host
Image registry host:
[root@localhost2 ~]# hostnamectl set-hostname harbor
[root@localhost2 ~]# bash
[root@harbor ~]# cd /etc/yum.repos.d/
[root@harbor yum.repos.d]# ls
CentOS-Base.repo docker-ce.repo mysql-community-source.repo mysql-community.repo
//check that the docker repo file is present
[root@harbor yum.repos.d]# dnf -y install docker-ce
//install it
Scroll down on the page opened earlier
Scroll further down and do the manual installation
[root@harbor ~]# DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
[root@harbor ~]# mkdir -p $DOCKER_CONFIG/cli-plugins //create the .docker directory
[root@harbor ~]# ls -a
. .bash_profile .docker .wget-hsts
.. .bashrc .mysql_history anaconda-ks.cfg
.bash_history .config .tcshrc mysql57-community-release-el7-11.noarch.rpm
.bash_logout .cshrc .viminfo
[root@harbor ~]# ls .docker/
cli-plugins
[root@harbor cli-plugins]# ls //upload the package downloaded beforehand into this directory
docker-compose
[root@harbor cli-plugins]# chmod +x docker-compose //grant execute permission
[root@harbor cli-plugins]# ll
total 25188
-rwxr-xr-x 1 root root 25792512 Aug 11 22:07 docker-compose
[root@harbor cli-plugins]# ./docker-compose --help //all of the commands below are available
Usage: docker compose [OPTIONS] COMMAND
Docker Compose
Options:
--ansi string Control when to print ANSI control characters
("never"|"always"|"auto") (default "auto")
--compatibility Run compose in backward compatibility mode
--env-file string Specify an alternate environment file.
-f, --file stringArray Compose configuration files
--profile stringArray Specify a profile to enable
--project-directory string Specify an alternate working directory
(default: the path of the, first specified, Compose
file)
-p, --project-name string Project name
Commands:
build Build or rebuild services
convert Converts the compose file to platform's canonical format
cp Copy files/folders between a service container and the local filesystem
create Creates containers for a service.
down Stop and remove containers, networks
events Receive real time events from containers.
exec Execute a command in a running container.
images List images used by the created containers
kill Force stop service containers.
logs View output from containers
ls List running compose projects
pause Pause services
port Print the public port for a port binding.
ps List containers
pull Pull service images
push Push service images
restart Restart containers
rm Removes stopped service containers
run Run a one-off command on a service.
start Start services
stop Stop services
top Display the running processes
unpause Unpause services
up Create and start containers
version Show the Docker Compose version information
Run 'docker compose COMMAND --help' for more information on a command.
[root@harbor cli-plugins]# pwd
/root/.docker/cli-plugins
//at this point only the current user can use this command
[root@harbor cli-plugins]# ln -sv /root/.docker/cli-plugins/docker-compose /usr/bin/
'/usr/bin/docker-compose' -> '/root/.docker/cli-plugins/docker-compose'
//create a symlink so the command can be used from anywhere on the system
[root@harbor cli-plugins]# cd
[root@harbor ~]# which docker-compose
/usr/bin/docker-compose
[root@harbor ~]# docker compose version
Docker Compose version v2.7.0
//check the version
[root@harbor ~]# cd /usr/src/
[root@harbor src]# ls
debug harbor-offline-installer-v2.5.3.tgz kernels
//upload the package downloaded earlier into this directory
[root@harbor src]# tar xf harbor-offline-installer-v2.5.3.tgz -C /usr/local/
[root@harbor src]# ls /usr/local/
bin etc games harbor include lib lib64 libexec sbin share src
[root@harbor src]# cd /usr/local/harbor/
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml.tmpl install.sh prepare
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml
[root@harbor harbor]# hostnamectl set-hostname harbor.example.com
[root@harbor harbor]# bash
//the hostname can be changed beforehand
hostname: harbor.example.com //change this to the hostname
#https: //comment out the certificate-related settings
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
harbor_admin_password: Harbor12345 //this is the login password for web access
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123 //the database password
data_volume: /data //the directory where data is stored
# insecure The flag to skip verifying registry certificate
insecure: false //insecure mode is turned off (this concerns certificate verification)
# are all valid.
rotate_size: 200M //log rotation (each day a certain amount of log data is saved automatically and renamed to a file with a different name)
# The directory on your host that store log
location: /var/log/harbor //where the logs are stored
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml harbor.yml.tmpl install.sh prepare
[root@harbor harbor]# ./install.sh
//run this script
....
[Step 5]: starting Harbor ...
[+] Running 10/10
⠿ Network harbor_harbor Created 0.1s
⠿ Container harbor-log Started 0.8s
⠿ Container redis Started 1.9s
⠿ Container registryctl Started 1.9s
⠿ Container registry Started 2.1s
⠿ Container harbor-portal Started 2.1s
⠿ Container harbor-db Started 2.0s
⠿ Container harbor-core Started 2.8s
⠿ Container harbor-jobservice Started 3.7s
⠿ Container nginx Started 3.8s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:80 [::]:*
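The harbor.yml edited above keeps the template's default passwords and has the https block commented out, and the template itself says to change the DB password before any production use. The following added example (not part of the original post) is a shell check that flags those three settings; the function name, the finding labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky settings in a Harbor 2.5 harbor.yml.
# audit_harbor_yml and the finding labels are illustrative names.
audit_harbor_yml() {
    awk '
        { sub(/[ \t]*\/\/.*$/, "") }        # drop tutorial-style // notes
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip commented-out and blank lines
        /^https:/ { https = 1 }             # an active https block exists
        /^harbor_admin_password:[ \t]*Harbor12345[ \t]*$/ {
            print "DEFAULT_ADMIN_PASSWORD"
        }
        /^database:/ { in_db = 1; next }    # entering the database block
        /^[^ \t]/    { in_db = 0 }          # any other top-level key ends it
        in_db && /^[ \t]+password:[ \t]*root123[ \t]*$/ {
            print "DEFAULT_DB_PASSWORD"
        }
        END { if (!https) print "HTTPS_DISABLED" }
    ' "$1"
}

# Constructed sample: the settings as left by the walkthrough above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname: harbor.example.com
#https:
#  port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data
EOF

audit_harbor_yml "$sample"
```

Run it against /usr/local/harbor/harbor.yml before ./install.sh; no output means none of the three settings was found.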
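Log in to the Harbor management interface using the IP address:
The interface after a successful login:
Notes on using Harbor:
- When uploading images from a client, remember to run docker login to authenticate first; otherwise the push will not work
- If the client is not using https, the insecure-registries parameter must be set in the client's /etc/docker/daemon.json configuration file
- The data storage path in the configuration file should point to shared storage with ample capacity
- Harbor is managed with the docker-compose command; to stop Harbor, use docker-compose stop as well, and see --help for the other options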
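The insecure-registries setting from the second note looks like the constructed daemon.json below; each host listed there is contacted by the Docker daemon without certificate verification or over plain HTTP, so the docker login credentials for it are not protected in transit. This added example (not part of the original post) lists those hosts so a client can be audited; the function names are illustrative, and the parser assumes the flat layout shown.

```shell
#!/bin/sh
# Added example: list the registries a client daemon.json exempts from TLS.
# Handles the flat form shown in the sample; it is not a general JSON parser.
list_insecure_registries() {
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d '"' | sed '/^$/d'
}

# Exit status 0 when the given registry host is in that list.
is_insecure_registry() {
    list_insecure_registries "$1" | grep -Fxq -- "$2"
}

# Constructed sample: client-side /etc/docker/daemon.json for the HTTP-only
# Harbor at harbor.example.com set up in this walkthrough.
daemon_json=$(mktemp)
cat > "$daemon_json" <<'EOF'
{
  "insecure-registries": ["harbor.example.com"]
}
EOF

for reg in harbor.example.com docker.io; do
    if is_insecure_registry "$daemon_json" "$reg"; then
        echo "$reg: TLS not enforced (listed in insecure-registries)"
    else
        echo "$reg: TLS enforced"
    fi
done
```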
[root@harbor ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27d358705acf goharbor/harbor-jobservice:v2.5.3 "/harbor/entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-jobservice
917a7155677e goharbor/nginx-photon:v2.5.3 "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
6230fed03071 goharbor/harbor-core:v2.5.3 "/harbor/entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-core
290772e4a195 goharbor/harbor-registryctl:v2.5.3 "/home/harbor/start.…" 10 minutes ago Up 10 minutes (healthy) registryctl
a78c22de9b73 goharbor/redis-photon:v2.5.3 "redis-server /etc/r…" 10 minutes ago Up 10 minutes (healthy) redis
ef4560266151 goharbor/registry-photon:v2.5.3 "/home/harbor/entryp…" 10 minutes ago Up 10 minutes (healthy) registry
282d2180241e goharbor/harbor-db:v2.5.3 "/docker-entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-db
383c26c94150 goharbor/harbor-portal:v2.5.3 "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes (healthy) harbor-portal
7fcbe6d544c9 goharbor/harbor-log:v2.5.3 "/bin/sh -c /usr/loc…" 11 minutes ago Up 10 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml.tmpl prepare
common docker-compose.yml harbor.yml install.sh
[root@harbor harbor]# docker-compose stop
[+] Running 9/9
⠿ Container harbor-jobservice Stopped 0.3s
⠿ Container nginx Stopped 0.4s
⠿ Container registryctl Stopped 10.2s
⠿ Container harbor-portal Stopped 0.2s
⠿ Container harbor-core Stopped 0.3s
⠿ Container harbor-db Stopped 0.3s
⠿ Container redis Stopped 0.3s
⠿ Container registry Stopped 0.3s
⠿ Container harbor-log Stopped 10.2s
[root@harbor harbor]# docker-compose start
[+] Running 9/9
⠿ Container harbor-log Started 0.7s
⠿ Container harbor-db Started 1.3s
⠿ Container redis Started 1.0s
⠿ Container registry Started 0.9s
⠿ Container registryctl Started 1.2s
⠿ Container harbor-portal Started 1.0s
⠿ Container harbor-core Started 0.6s
⠿ Container nginx Started 1.1s
⠿ Container harbor-jobservice Started 0.9s
[root@harbor ~]# vim harbor.sh //write a script to start Harbor at boot
[root@harbor ~]# cat harbor.sh
#!/bin/bash
cd /usr/local/harbor && docker-compose start
[root@harbor ~]# chmod +x harbor.sh //grant the script execute permission
[root@harbor ~]# ll
total 8
-rw-------. 1 root root 1081 Jul 19 16:17 anaconda-ks.cfg
-rwxr-xr-x 1 root root 55 Aug 12 12:15 harbor.sh
[root@harbor ~]# reboot //reboot the virtual machine
[root@harbor ~]# docker ps //check the status
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27d358705acf goharbor/harbor-jobservice:v2.5.3 "/harbor/entrypoint.…" 14 hours ago Up 11 seconds (health: starting) harbor-jobservice
917a7155677e goharbor/nginx-photon:v2.5.3 "nginx -g 'daemon of…" 14 hours ago Up 11 seconds (health: starting) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
6230fed03071 goharbor/harbor-core:v2.5.3 "/harbor/entrypoint.…" 14 hours ago Up 11 seconds (health: starting) harbor-core
290772e4a195 goharbor/harbor-registryctl:v2.5.3 "/home/harbor/start.…" 14 hours ago Up 11 seconds (health: starting) registryctl
a78c22de9b73 goharbor/redis-photon:v2.5.3 "redis-server /etc/r…" 14 hours ago Up 11 seconds (health: starting) redis
ef4560266151 goharbor/registry-photon:v2.5.3 "/home/harbor/entryp…" 14 hours ago Up 11 seconds (health: starting) registry
282d2180241e goharbor/harbor-db:v2.5.3 "/docker-entrypoint.…" 14 hours ago Up 12 seconds (health: starting) harbor-db
383c26c94150 goharbor/harbor-portal:v2.5.3 "nginx -g 'daemon of…" 14 hours ago Up 11 seconds (health: starting) harbor-portal
7fcbe6d544c9 goharbor/harbor-log:v2.5.3 "/bin/sh -c /usr/loc…" 14 hours ago Up 12 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log
//start at boot works