私有鏡像倉庫Harbor
一、Harbor概述
Habor是由VMWare公司開源的容器鏡像倉庫。事實上,Habor是在Docker Registry上進行了相應的企業級擴展,從而得到了更加普遍的應用,這些新的企業級特性包括:管理用戶界面,基於角色的訪問控制 ,AD/LDAP集成以及審計日誌等,足以知足基本企業需求。
官方地址:https://vmware.github.io/harbor/cn/前端
各組件功能以下:harbor-adminserver:配置管理中心harbor-dbMysql:數據庫harbor-jobservice:負責鏡像複製harbor-log:記錄操做日誌harbor-ui:Web管理頁面和APInginx:前端代理,負責前端頁面和鏡像上傳/下載轉發redis:會話registry:鏡像存儲node
二、harbor部署
Harbor安裝有3種方式:nginx
在線安裝:從Docker Hub下載Harbor相關鏡像,所以安裝軟件包很是小git
離線安裝:安裝包包含部署的相關鏡像,所以安裝包比較大github
OVA安裝程序:當用戶具備vCenter環境時,使用此安裝程序,在部署OVA後啓動Harbor
本文記錄經過離線安裝的方式部署。
版本說明:docker-compose:1.24.0harbor:1.7.5web
2.一、安裝docker-compose
$ curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose$ chmod +x /usr/local/bin/docker-compose
2.二、安裝harbor
$ tar zxvf harbor-offline-installer-v1.7.5.tgz -C /usr/local$ cd /usr/local/harbor$ vim harbor.cfghostname = 192.168.10.10 ui_url_protocol = http harbor_admin_password = Harbor12345$ ./prepare$ ./install.sh
2.三、配置https
上面步驟2.2已經能夠知足harbor做爲實驗安裝,可是大多數狀況咱們須要harbor可以更爲安全一些,harbor的一些新的功能特性也在新版本更新說明中有相應說明,例如此1.7.5版本就額外具有着鏡像簽名,鏡像漏洞掃描,存儲helm chart、垃圾回收等功能。
https方式分爲自籤https和向官方機構申請頒發得到https證書,其中後種方式須要的步驟更少,下面內容爲自籤https步驟。redis
2.3.1 建立CA密鑰對
[root@registry harbor]# pwd/usr/local/harbor [root@registry harbor]# openssl genrsa -out ca.key 4096[root@registry harbor]# openssl req -x509 -new -nodes -sha512 -days 36500 -subj "/C=SC/ST=BeiJing/L=BeiJing/O=example/OU=Personal/CN=yourdomain.com" -key ca.key -out ca.crt
2.3.2 建立web服務器端祕鑰對
[root@registry harbor]# openssl genrsa -out yourdomain.com.key 4096[root@registry harbor]# openssl req -sha512 -new -subj "/C=SC/ST=BeiJing/L=BeiJing/O=example/OU=Personal/CN=yourdomain.com" -key yourdomain.com.key -out yourdomain.com.csr
2.3.3 使web服務器到CA進行簽約
不管是使用相似yourdomain.com的 FQDN 仍是IP來鏈接註冊表主機,運行此命令以生成符合主題備用名稱(SAN)和x509 v3擴展要求的註冊表主機證書sql
cat > v3.ext <<-EOFauthorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentextendedKeyUsage = serverAuth subjectAltName = @alt_names[alt_names]DNS.1=yourdomain.comDNS.2=yourdomainDNS.3=hostnameEOF[root@registry harbor]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in yourdomain.com.csr -out yourdomain.com.crtSignature oksubject=/C=SC/ST=BeiJing/L=BeiJing/O=example/OU=Personal/CN=yourdomain.comGetting CA Private Key
2.3.4 配置harbor.cfg
[root@registry harbor]# vim harbor.cfg ui_url_protocol = https ......#The path of cert and key files for nginx, they are applied only the protocol is set to httpsssl_cert = /usr/local/harbor/harbor.test.cn.crt ssl_cert_key = /usr/local/harbor/harbor.test.cn.key#The path of secretkey storagesecretkey_path = /usr/local/harbor
2.3.5 生成配置和安裝
[root@registry harbor]# ./prepare[root@registry harbor]# ./install.sh
2.四、docker客戶端主機配置
Docker守將.crt文件解釋爲CA證書,將.cert文件解釋爲客戶端證書。
因此須要將服務器轉換yourdomain.com.crt爲yourdomain.com.certdocker
[root@registry harbor]# openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
拷貝yourdomain.com.cert,yourdomain.com.key和ca.crt到須要訪問倉庫的docker主機數據庫
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/ cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/ cp ca.crt /etc/docker/certs.d/yourdomain.com/
如下說明了使用自定義證書的配置
/etc/docker/certs.d/ └── yourdomain.com:port ├── yourdomain.com.cert <-- Server certificate signed by CA ├── yourdomain.com.key <-- Server key signed by CA └── ca.crt <-- Certificate authority that signed the registry certificate
配置完成後登陸
[root@node02 ~]# docker login yourdomain.comUsername: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-storeLogin Succeeded
2.五、故障排除
一、能夠從證書頒發者那裏得到中間證書。在這種狀況下,應該將中間證書與您本身的證書合併以建立證書包。您能夠經過如下命令實現此目的:
cat intermediate-certificate.pem >> yourdomain.com.crt
二、在某些運行docker守護程序的系統上,您可能須要在操做系統級別信任該證書。
在Ubuntu上,能夠經過如下命令完成:
cp yourdomain.com.crt /usr/local/share/ca-certificates/yourdomain.com.crt update-ca-certificates
在Red Hat(CentOS等)上,命令是:
cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt update-ca-trust
三、經實驗若是是從證書頒發者得到的證書,則不須要在客戶端主機配置證書,由於此證書是可信任的,直接在docker客戶端主機執行docker login便可成功登陸
2.六、harbor啓用鏡像簽名、漏洞掃描及helm chart功能
鏡像簽名簡單來講就是爲了驗證鏡像的正確性,保證在鏡像傳輸過程當中沒有中間人篡改;
漏洞掃描功能是利用的開源clair工具,利用網絡更新漏洞庫,而且對鏡像進行掃描;
helm chart是kubernetes的包管理器helm的相關應用文件,至關於Linux的yum。
要啓用這些功能,只須要在安裝時添加參數"--with-notary --with-clair --with-chartmuseum"便可:
[root@registry harbor]# ./prepare --with-notary --with-clair --with-chartmuseumGenerated and saved secret to file: /usr/local/harbor/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt Copying sql file for notary DB Generated certificate, key file: ./cert_tmp/notary-signer-ca.key, cert file: ./cert_tmp/notary-signer-ca.crt Generated certificate, key file: ./cert_tmp/notary-signer.key, cert file: ./cert_tmp/notary-signer.crt Copying certs for notary signer Copying notary signer configuration fileGenerated configuration file: ./common/config/notary/signer-config.postgres.json Generated configuration file: ./common/config/notary/server-config.postgres.json Copying nginx configuration file for notary Generated configuration file: ./common/config/nginx/conf.d/notary.server.conf Generated and saved secret to file: /usr/local/harbor/defaultalias Generated configuration file: ./common/config/notary/signer_env Generated configuration file: ./common/config/clair/postgres_env Generated configuration file: ./common/config/clair/config.yaml Generated configuration file: ./common/config/clair/clair_env The configuration files are ready, please use docker-compose to start the service. [root@registry harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum[Step 0]: checking installation environment ...Note: docker version: 18.06.1Note: docker-compose version: 1.24.0[Step 1]: loading Harbor images ... Loaded image: goharbor/harbor-adminserver:v1.7.5Loaded image: goharbor/harbor-portal:v1.7.5Loaded image: goharbor/harbor-db:v1.7.5Loaded image: goharbor/registry-photon:v2.6.2-v1.7.5Loaded image: goharbor/harbor-migrator:v1.7.5Loaded image: goharbor/harbor-core:v1.7.5Loaded image: goharbor/harbor-log:v1.7.5Loaded image: goharbor/redis-photon:v1.7.5Loaded image: goharbor/nginx-photon:v1.7.5Loaded image: goharbor/harbor-registryctl:v1.7.5Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.7.5Loaded image: goharbor/harbor-jobservice:v1.7.5Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.5Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.5Loaded image: goharbor/clair-photon:v2.0.8-v1.7.5[Step 2]: preparing environment ... Clearing the configuration file: ./common/config/adminserver/env Clearing the configuration file: ./common/config/core/env Clearing the configuration file: ./common/config/core/app.conf Clearing the configuration file: ./common/config/core/private_key.pem Clearing the configuration file: ./common/config/db/env Clearing the configuration file: ./common/config/jobservice/env Clearing the configuration file: ./common/config/jobservice/config.yml Clearing the configuration file: ./common/config/registry/config.yml Clearing the configuration file: ./common/config/registry/root.crt Clearing the configuration file: ./common/config/registryctl/env Clearing the configuration file: ./common/config/registryctl/config.yml Clearing the configuration file: ./common/config/nginx/conf.d/notary.upstream.conf Clearing the configuration file: ./common/config/nginx/conf.d/notary.server.conf Clearing the configuration file: ./common/config/nginx/cert/harbor.test.cn.crt Clearing the configuration file: ./common/config/nginx/cert/harbor.test.cn.key Clearing the configuration file: ./common/config/nginx/nginx.conf Clearing the configuration file: ./common/config/log/logrotate.conf Clearing the configuration file: ./common/config/notary/notary-signer.crt Clearing the configuration file: ./common/config/notary/notary-signer.key Clearing the configuration file: ./common/config/notary/notary-signer-ca.crt Clearing the configuration file: ./common/config/notary/root.crt Clearing the configuration file: ./common/config/notary/signer-config.postgres.json Clearing the configuration file: ./common/config/notary/server-config.postgres.json Clearing the configuration file: ./common/config/notary/signer_env Clearing the configuration file: ./common/config/notary/server_env Clearing the configuration file: ./common/config/clair/postgresql-init.d/README.md Clearing the configuration file: ./common/config/clair/postgres_env Clearing the configuration file: ./common/config/clair/config.yaml Clearing the configuration file: ./common/config/clair/clair_env loaded secret from file: /usr/local/harbor/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt Copying sql file for notary DB Generated certificate, key file: ./cert_tmp/notary-signer-ca.key, cert file: ./cert_tmp/notary-signer-ca.crt Generated certificate, key file: ./cert_tmp/notary-signer.key, cert file: ./cert_tmp/notary-signer.crt Copying certs for notary signer Copying notary signer configuration fileGenerated configuration file: ./common/config/notary/signer-config.postgres.json Generated configuration file: ./common/config/notary/server-config.postgres.json Copying nginx configuration file for notary Generated configuration file: ./common/config/nginx/conf.d/notary.server.conf loaded secret from file: /usr/local/harbor/defaultalias Generated configuration file: ./common/config/notary/signer_env Copying offline data file for clair DB Generated configuration file: ./common/config/clair/postgres_env Generated configuration file: ./common/config/clair/config.yaml Generated configuration file: ./common/config/clair/clair_env The configuration files are ready, please use docker-compose to start the service. [Step 3]: checking existing instance of Harbor ... [Step 4]: starting Harbor ... Creating network "harbor_harbor" with the default driver Creating harbor-log ... done Creating redis ... done Creating registry ... done Creating harbor-db ... done Creating registryctl ... done Creating harbor-adminserver ... done Creating clair ... done Creating notary-signer ... done Creating harbor-core ... done Creating notary-server ... done Creating harbor-jobservice ... done Creating harbor-portal ... done Creating nginx ... done ✔ ----Harbor has been installed and started successfully.----Now you should be able to visit the admin portal at https://harbor.test.cn. For more details, please visit https://github.com/goharbor/harbor .
上述功能的具體使用,可參考官方文檔
三、harbor高可用
爲了使harbor高可用,即harbor內保存的鏡像可以高可用,在一個harbor down掉的時候,還有另一個存儲着相同鏡像的harbor倉庫供使用,harbor後期的版本包括此版本支持了鏡像複製的功能。
在使用鏡像複製功能以前,固然是須要安裝兩個harbor服務(一主一備)
3.一、新增複製目標
「系統管理」—>「倉庫管理」—>「新建目標」
填寫目標名,目標URL,用戶名,密碼等
3.二、新增複製規則
「系統管理」—>「複製管理」—>「新建規則」
填寫名稱、描述、源項目、過濾器、目標、觸發模式等
其中過濾器支持如下寫法:
*:匹配任何非分隔符字符序列/。
**:匹配任何字符序列,包括路徑分隔符/。
?:匹配任何單個非分隔符/。
{alt1,...}:若是其中一個以逗號分隔的替代項匹配,則匹配一系列字符。
3.三、測試
按照設置的規則,觀察是否當即複製或者push鏡像到主harbor中,觀察備harbor中的鏡像是否被複制
四、harbor常規操做
暫停harbor docker-compose stop docker容器stop,並不刪除容器
恢復harbor docker-compose start 恢復docker容器運行
中止harbor docker-compose down -v 中止並刪除docker容器
啓動harbor docker-compose up -d 啓動全部docker容器
修改harbor的運行配置,須要以下步驟:
中止harbordocker-compose down -v
修改配置vim harbor.cfg
執行./prepare已更新配置到docker-compose.yml文件./prepare
啓動 harbordocker-compose up -d
相關文章
- 1. Harbor 私有鏡像倉庫
- 2. Harbor私有鏡像倉庫
- 3. Harbor私有鏡像倉庫(下)
- 4. 私有鏡像倉庫Harbor部署
- 5. Harbor私有鏡像倉庫(上)
- 6. Harbor私有鏡像倉庫搭建https
- 7. 安裝harbor私有鏡像倉庫
- 8. 搭建Harbor鏡像(docker)私有倉庫
- 9. Harbor私有鏡像倉庫部署
- 10. Harbor私有鏡像倉庫搭建
- 更多相關文章...
- • Docker 鏡像加速 - Docker教程
- • Docker 鏡像使用 - Docker教程
- • 再有人問你分佈式事務,把這篇扔給他
- • IDEA下SpringBoot工程配置文件沒有提示
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. Harbor 私有鏡像倉庫
- 2. Harbor私有鏡像倉庫
- 3. Harbor私有鏡像倉庫(下)
- 4. 私有鏡像倉庫Harbor部署
- 5. Harbor私有鏡像倉庫(上)
- 6. Harbor私有鏡像倉庫搭建https
- 7. 安裝harbor私有鏡像倉庫
- 8. 搭建Harbor鏡像(docker)私有倉庫
- 9. Harbor私有鏡像倉庫部署
- 10. Harbor私有鏡像倉庫搭建