容器雲平臺No.5~企業級私有鏡像倉庫Harbor V2.02

時間 2020-09-25

標籤容器平臺 no.5 企業私有鏡像倉庫 harbor v2.02 简体版

原文原文鏈接

鏡像倉庫

倉庫，顧名思義，就是存放東西的地方，Docker倉庫,理所固然，就是存放docker鏡像的地方了。
Docker倉庫分公有倉庫和私有倉庫。共有倉庫有hub.docker.com、gcr.io、k8s.gcr.io等，通常經常使用開源應用程序的官方鏡像都存放於共有倉庫，可是鑑於這些倉庫都在國外，下載速度比較慢。尤爲k8s相關的鏡像。
私有倉庫通常是公司內部自行搭建，用於存放內部構建的docker鏡像，部署服務時從私有倉庫下載，分發速度快。nginx

Docker 官方提供了一個搭建私有倉庫的鏡像 registry ，只需把鏡像下載下來，運行容器並暴露5000端口，就可使用了。這裏不作詳細介紹。
###harbor
一個用於存儲docker鏡像的企業級Registry服務。相比較於原生的Regisrty來講，它具備不少的優點。git

提供分層傳輸機制，優化網絡傳輸
提供WEB界面，優化用戶體驗
支持水平擴展集羣
良好的安全機制
Harbor提供了基於角色的訪問控制機制，並經過項目來對鏡像進行組織和訪問權限的控制

harbor架構圖

安裝harbor

PS：由於鏡像倉庫屬於基礎服務，建議使用單獨的服務器部署。github

一、下載離線安裝包redis

# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz

二、解壓並根據需求自行修改harbor.yml配置文件，這裏直接是用默認docker

# tar -zxf harbor-offline-installer-v2.0.2.tgz
# cd harbor/
# mv  harbor.yml.tmpl harbor.yml

三、執行安裝命令
這裏使用默認安裝，感興趣的能夠安裝更多Notary, Clair, or Chart Repository Service等服務。使用./install.sh --with-notary --with-clair --with-chartmuseumjson

./install.sh
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.2
[Step 2]: loading Harbor images ...
Loaded image: goharbor/prepare:v2.0.2
Loaded image: goharbor/harbor-jobservice:v2.0.2
Loaded image: goharbor/harbor-registryctl:v2.0.2
Loaded image: goharbor/registry-photon:v2.0.2
Loaded image: goharbor/harbor-core:v2.0.2
Loaded image: goharbor/notary-signer-photon:v2.0.2
Loaded image: goharbor/clair-photon:v2.0.2
Loaded image: goharbor/trivy-adapter-photon:v2.0.2
Loaded image: goharbor/harbor-log:v2.0.2
Loaded image: goharbor/nginx-photon:v2.0.2
Loaded image: goharbor/clair-adapter-photon:v2.0.2
Loaded image: goharbor/chartmuseum-photon:v2.0.2
Loaded image: goharbor/harbor-portal:v2.0.2
Loaded image: goharbor/harbor-db:v2.0.2
Loaded image: goharbor/redis-photon:v2.0.2
Loaded image: goharbor/notary-server-photon:v2.0.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-db     ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
 ----Harbor has been installed and started successfully.----

查看下運行了哪些服務？vim

docker ps 
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS                   PORTS                       NAMES
8d746c430f3e        goharbor/harbor-jobservice:v2.0.2    "/harbor/entrypoint."   4 minutes ago       Up 4 minutes (healthy)                               harbor-jobservice
388f24831ec9        goharbor/nginx-photon:v2.0.2         "nginx -g 'daemon of"   4 minutes ago       Up 4 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
15bc12fd3826        goharbor/harbor-core:v2.0.2          "/harbor/entrypoint."   4 minutes ago       Up 4 minutes (healthy)                               harbor-core
bb48e39130e5        goharbor/harbor-db:v2.0.2            "/docker-entrypoint."   4 minutes ago       Up 4 minutes (healthy)   5432/tcp                    harbor-db
1bcd0ffcae82        goharbor/harbor-registryctl:v2.0.2   "/home/harbor/start."   4 minutes ago       Up 4 minutes (healthy)                               registryctl
8ef9f3d3a668        goharbor/redis-photon:v2.0.2         "redis-server /etc/r"   4 minutes ago       Up 4 minutes (healthy)   6379/tcp                    redis
e05d4d845f3f        goharbor/harbor-portal:v2.0.2        "nginx -g 'daemon of"   4 minutes ago       Up 4 minutes (healthy)   8080/tcp                    harbor-portal
c5fcd2369931        goharbor/registry-photon:v2.0.2      "/home/harbor/entryp"   4 minutes ago       Up 4 minutes (healthy)   5000/tcp                    registry
61e69b171b33        goharbor/harbor-log:v2.0.2           "/bin/sh -c /usr/loc"   4 minutes ago       Up 4 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

從輸出信息能夠看出，安裝不服務組件仍是挺多的，能夠參考架構圖。
至此，harbor安裝好了，如今來測試下往這個倉庫上傳鏡像、從這個私有倉庫下載鏡像安全

上傳鏡像

首先登錄私有倉庫bash

docker login 10.26.27.106
Username: admin
Password: 
Error response from daemon: Get https://10.26.27.106/v2/: dial tcp 10.26.27.106:443: connect: connection refused

發現，登錄失敗，由於這裏倉庫沒有配置https，docker默認只容許登錄https的服務，http認爲是不安全的。
如今咱們來修改docker的配置，容許docker登錄不安全的倉庫
vim /etc/docker/daemon.json,添加"insecure-registries":["10.26.27.106"]服務器

{
  "registry-mirrors": ["https://ci7pm4nx.mirror.aliyuncs.com","https://registry.docker-cn.com","http://hub-mirror.c.163.com"],
  "insecure-registries":["10.26.27.106"]
}

再次登錄

# systemctl restart docker
# docker login http://10.26.27.106
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

如今看到，已經登錄成功了，讓咱們從公有倉庫下載一個鏡像，而後傳到私有倉庫中

docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
df8698476c65: Pull complete 
Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

使用tag個給剛纔下載的busybox鏡像打標籤，改成10.26.27.106/library/busybox:latest

# docker tag busybox:latest 10.26.27.106/library/busybox:latest
# docker push 10.26.27.106/library/busybox:latest
The push refers to repository [10.26.27.106/library/busybox]
be8b8b42328a: Pushed 
latest: digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002 size: 527

能夠看到，已經上傳成功。

下載鏡像

首先咱們刪除因此的busybox鏡像

docker images|grep busybox
10.26.27.106/libary/busybox                         latest              6858809bf669        4 days ago          1.23MB
10.26.27.106/library/busybox                        latest              6858809bf669        4 days ago          1.23MB
busybox                                             latest              6858809bf669        4 days ago          1.23MB

docker rmi busybox 10.26.27.106/library/busybox     10.26.27.106/libary/busybox
Untagged: busybox:latest
Untagged: busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Untagged: 10.26.27.106/library/busybox:latest
Untagged: 10.26.27.106/library/busybox@sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Untagged: 10.26.27.106/libary/busybox:latest
Deleted: sha256:6858809bf669cc5da7cb6af83d0fae838284d12e1be0182f92f6bd96559873e3
Deleted: sha256:be8b8b42328a15af9dd6af4cba85821aad30adde28d249d1ea03c74690530d1c

下載鏡像

docker pull 10.26.27.106/library/busybox
Using default tag: latest
latest: Pulling from library/busybox
df8698476c65: Pull complete 
Digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Status: Downloaded newer image for 10.26.27.106/library/busybox:latest
10.26.27.106/library/busybox:latest

能夠看到，下載成功，收工￥#@￥#@￥@

注：文中圖片來源於網絡，若有侵權，請聯繫我及時刪除。