Building an Enterprise-Grade Image Registry

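Harbor is an image registry open-sourced by VMware. It extends Docker Registry with enterprise features, which has led to its wider adoption. These features include a management UI, role-based access control, AD/LDAP integration, and audit logging, which is enough to meet enterprise needs.
Official site: https://vmware.github.io/barbor/cn/php

Installing Harbor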

wget https://www.chenleilei.net/soft/k8s/harbor-offline-installer-v1.9.3.tgz
tar xf harbor-offline-installer-v1.9.3.tgz
cd harbor
vi harbor.yml
   Set hostname to this machine's IP address
#hostname: reg.mydomain.com
hostname: 10.0.0.64
   Save the file when done.

Prepare the Harbor registry:
[root@master1 harbor]# ./prepare   

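# Note: installing Harbor depends on two things: docker and docker compose
docker is already installed. Now install docker compose.
If you run the installer directly, it will also warn you that docker-compose is not installed: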
  Note: docker version: 19.03.7
  ✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again

1. Install docker compose:
git clone https://github.com/docker/compose.git or upload compose
https://www.chenleilei.net/soft/docker/docker-compose-Linux-x86_64.tar.gz

The courseware archive (第一階段從新認識Docker課件.zip) also contains it. Upload docker-compose:
[root@master1 harbor]# tar xf docker-compose-Linux-x86_64.tar.gz 
[root@master1 harbor]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
[root@master1 harbor]# chmod +x /usr/bin/docker-compose 

2. Install Harbor
   wget https://www.chenleilei.net/soft/k8s/harbor-offline-installer-v1.9.3.tgz
   tar xf harbor-offline-installer-v1.9.3.tgz
   [root@master1 ~]# tar -xf harbor-offline-installer-v1.9.3.tgz -C /usr/local/
   [root@master1 ~]# mv  /usr/local/
   [root@master1 ~]# cd /usr/local/harbor
   [root@master1 ~]# vi harbor.yml
   Set hostname to this machine's IP address
    #hostname: reg.mydomain.com  comment out this line and write below it:
    hostname: 10.0.0.64
    Save the file when done.

3. Start Harbor
   [root@master1 harbor]# ./prepare
   [root@master1 harbor]# ./install.sh   # install; to start it again later, just use: /harbor/start.sh

4. Check Harbor's startup status:
   [root@k8s-master2 harbor]# ps -ef|grep harbor
root     101657 101620  0 16:18 ?        00:00:00 /bin/sh /harbor/start.sh
root     101934 101657  0 16:18 ?        00:00:00 sudo -E -u #10000 /harbor/harbor_registryctl -c /etc/registryctl/config.yml
10000    101939 101934  0 16:18 ?        00:00:00 /harbor/harbor_registryctl -c /etc/registryctl/config.yml
10000    101970 101952  0 16:18 ?        00:00:00 /harbor/harbor_core
10000    102052 102035  0 16:18 ?        00:00:00 /harbor/harbor_jobservice -c /etc/jobservice/config.yml
root     102587  45443  0 16:19 pts/1    00:00:00 grep --color=auto harbor

5. Log in to Harbor
   Default account and password:
   admin
   Harbor12345

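Day-to-day use of Harbor

Harbor users need to be created and assigned to operations or development staff.

How do you push an image to Harbor?

First build an image locally from a Dockerfile: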
FROM centos:7
LABEL maintainer www.chenleilei.net
RUN useradd  www -u 1200 -M -s /sbin/nologin
RUN mkdir -p /var/log/nginx
RUN yum install -y cmake pcre pcre-devel openssl openssl-devel gd-devel \
    zlib-devel gcc gcc-c++ net-tools iproute telnet wget curl &&\
    yum clean all && \
    rm -rf /var/cache/yum/*
RUN wget https://www.chenleilei.net/soft/nginx-1.16.1.tar.gz
RUN tar xf nginx-1.16.1.tar.gz
WORKDIR nginx-1.16.1
RUN ./configure --prefix=/usr/local/nginx --with-http_image_filter_module --user=www --group=www \
    --with-http_ssl_module --with-http_v2_module --with-http_stub_status_module \
    --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx/nginx.pid
RUN make -j 4 && make install && \
    rm -rf /usr/local/nginx/html/*  && \
    echo "leilei hello" >/usr/local/nginx/html/index.html  && \
    rm -rf nginx* && \
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log
RUN chown -R www.www /var/log/nginx
ENV LOG_DIR /var/log/nginx
ENV PATH $PATH:/usr/local/nginx/sbin
#COPY nginx.conf /usr/local/nginx/conf/nginx.conf
EXPOSE 80
WORKDIR /usr/local/nginx
CMD ["nginx","-g","daemon off;"]

# Run the image:
docker run --name ngix-test-001 -d -p 81:80 nginx-test-v001

Access test:

Pushing the image to Harbor

Push the image:
1. Tag the image
docker tag nginx:v1 192.168.31

The push to Harbor fails:
[root@k8s-master2 ~]# docker push 10.0.0.64/library/nginx-test-v001:v1
The push refers to repository [10.0.0.64/library/nginx-test-v001]
Get https://10.0.0.64/v2/: dial tcp 10.0.0.64:443: connect: connection refused
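Cause: Docker accesses the Harbor registry over HTTPS by default, so the registry has to be added as trusted. docker info shows that the only trusted IP range is the local 127.0.0.0 network:
Insecure Registries:
 127.0.0.0/8
So we need to add a trusted IP range. How do we add it?

Fixing the Harbor push failure:
1. Edit /etc/docker/daemon.json
Add the following line:
"insecure-registries": ["10.0.0.64"]

The IP here is the Harbor registry address. With this entry Docker will talk to that registry without verified TLS, including over plain HTTP.
Result after editing: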
[root@k8s-master2 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
  "insecure-registries": ["10.0.0.64"]
}

2. Restart docker
systemctl restart docker

3. Restart docker-compose
[root@k8s-master2 ~]# cd /usr/local/harbor
[root@k8s-master2 harbor]# docker-compose up -d
harbor-log is up-to-date
Starting redis         ... done
Starting registryctl   ... done
Starting harbor-portal ... done
Starting harbor-db     ... done
Starting registry      ... done
Starting harbor-core   ... done
Starting nginx             ... done
Starting harbor-jobservice ... done

4. Access test:
[root@k8s-master2 harbor]# docker push 10.0.0.64/library/nginx-test-v001:v1
The push refers to repository [10.0.0.64/library/nginx-test-v001]
16993e70a899: Preparing 
0421a59391fa: Preparing 
f05ef613e381: Preparing 
4ab7410d5afa: Preparing 
b27e978348d3: Preparing 
d22782d861b3: Waiting 
0ce0bd1d9b33: Waiting 
cf2a9408f4c6: Waiting 
77b174a6a187: Waiting 
denied: requested access to the resource is denied    ## access denied; you need to log in here.

5. Log in to docker harbor
   Default account and password:
   admin
   Harbor12345

   [root@k8s-master2 harbor]# docker login 10.0.0.64
   Username: admin
   Password: Harbor12345
   WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
   Configure a credential helper to remove this warning. See
   https://docs.docker.com/engine/reference/commandline/login/#credentials-store

   Login Succeeded    <---- login succeeded

6. Push the image:
[root@k8s-master2 harbor]# docker push 10.0.0.64/library/nginx-test-v001:v1
The push refers to repository [10.0.0.64/library/nginx-test-v001]
16993e70a899: Pushed 
0421a59391fa: Pushed 
f05ef613e381: Pushed 
4ab7410d5afa: Pushed 
b27e978348d3: Pushed 
d22782d861b3: Pushed 
0ce0bd1d9b33: Pushed 
cf2a9408f4c6: Pushed 
77b174a6a187: Pushed 
v1: digest: sha256:6483a2324e2e0653d19df3f8fdc2aa46c77f83cd9f2d0ae7f3d5a6be8c42a74f size: 2206

Check the image:

Summary of the push steps:

1. Add Harbor as trusted
2. Tag the image             docker tag nginx:v1 10.0.0.64/library/nginx-test-v001:v1
3. Log in to the registry    docker login 10.0.0.64   default account admin, default password Harbor12345
4. Push to the registry      docker push 10.0.0.64/library/nginx-test-v001:v1

1. Add Harbor as trusted:
[root@k8s-master2 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
  "insecure-registries": ["10.0.0.64"]
}

2. Restart docker
systemctl restart docker.service

3. List the existing images:
[root@master1 ~]# docker images
REPOSITORY           TAG             IMAGE ID            CREATED             SIZE
tomcat-test-v001     latest          e4b4d9a3f4c5        29 hours ago        440MB
nginx-test-v001      latest          7bcaac8aad94        47 hours ago        393MB
php-test-v001        latest          c4b98af05f73        2 days ago          1.28GB
php-v001             latest          5171da25ff33        3 days ago          1.25GB

4. Tag the images:
docker tag tomcat-test-v001:latest 10.0.0.64/library/tomcat-test-v001:v1
docker tag nginx-test-v001:latest 10.0.0.64/library/nginx-test-v001:v1
docker tag php-test-v001:latest 10.0.0.64/library/php-test-v001:v1
docker tag php-v001:latest 10.0.0.64/library/php-v001:v1

5. Log in to the Harbor registry
docker login 10.0.0.64
admin
Harbor12345

6. Push the tagged images to the Harbor registry
docker push 10.0.0.64/library/tomcat-test-v001:v1
docker push 10.0.0.64/library/nginx-test-v001:v1
docker push 10.0.0.64/library/php-test-v001:v1
docker push 10.0.0.64/library/php-v001:v1

View the image registry:

Pulling the image from other servers:

docker pull 10.0.0.64/library/nginx-test-v001:v1
Pull the image:
1. Add registry trust:
[root@k8s-node2 ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
  "insecure-registries": ["10.0.0.64"]    #<--------- add the Harbor registry server address here
}

2. Restart docker
[root@k8s-node2 ~]# systemctl restart docker.service 

3. Pull the image:
[root@k8s-node2 ~]# docker pull 10.0.0.64/library/nginx-test-v001:v1
v1: Pulling from library/nginx-test-v001
ab5ef0e58194: Pull complete 
b509a6ae8ffc: Pull complete 
fefb59570f3b: Pull complete 
fd607da77780: Pull complete 
ed2847488055: Pull complete 
c063aa4d1077: Pull complete 
db6ecc614f20: Pull complete 
07de16398d4c: Pull complete 
e4b6a1a29212: Pull complete 
Digest: sha256:7c74ebe5fdddf71fad1303cb89511d0389128c18f6f773575fb52eca1aa35edf
Status: Downloaded newer image for 10.0.0.64/library/nginx-test-v001:v1
10.0.0.64/library/nginx-test-v001:v1

4. List the images:
[root@k8s-node2 ~]# docker images
REPOSITORY                              TAG          IMAGE ID            CREATED             SIZE
10.0.0.64/library/nginx-test-v001       v1           7bcaac8aad94        2 days ago          393MB
nginx                                   latest       6678c7c2e56c        2 weeks ago         127MB
registry.aliyuncs.com/google_containers/kube-proxy  v1.17.0  7d54289267dc    3 months ago    116MB
kubernetesui/dashboard                v2.0.0-beta4    6802d83967b9        6 months ago        84MB
lizhenliang/flannel                   v0.11.0-amd64   ff281650a721        13 months ago       52.6MB
registry.aliyuncs.com/google_containers/pause    3.1  da86e6ba6ca1        2 years ago         742kB
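
Added example (not part of the original post): every Docker host in this walkthrough gets an "insecure-registries" entry in /etc/docker/daemon.json, so it is worth reviewing what those entries exempt from TLS. The Python sketch below audits a daemon.json for a mis-capitalised key and for each non-loopback insecure entry; the sample file (with a wrong-case key and a wide CIDR) and the function names are constructed for illustration.

```python
import ipaddress
import json

KNOWN_KEYS = ("insecure-registries", "registry-mirrors")  # keys used on this page

# Constructed sample: the page's daemon.json, but with a mis-capitalised key
# and an extra, overly wide CIDR entry.
SAMPLE = """{
  "registry-mirrors": ["https://ajvcw8qn.mirror.aliyuncs.com"],
  "Insecure-registries": ["10.0.0.64", "10.0.0.0/8", "127.0.0.0/8"]
}"""


def parse_entry(entry):
    """Return an ip_network for IP, IP:port or CIDR entries; None for host names."""
    for candidate in (entry, entry.rpartition(":")[0]):
        try:
            return ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            continue
    return None


def audit_daemon_json(text):
    """Return human-readable findings for a Docker daemon.json document."""
    cfg = json.loads(text)
    findings, entries = [], []
    for key, value in cfg.items():
        canonical = key.lower()
        if canonical in KNOWN_KEYS and key != canonical:
            findings.append(f"key {key!r} should be written {canonical!r}")
        if canonical == "insecure-registries":
            entries.extend(value)
    for entry in entries:
        net = parse_entry(entry)
        if net is not None and net.is_loopback:
            continue  # loopback is already listed by `docker info` by default
        if net is not None and net.num_addresses > 1:
            findings.append(f"{entry}: exempts {net.num_addresses} addresses from TLS verification")
        else:
            findings.append(f"{entry}: traffic to this registry may be plain HTTP or unverified TLS")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_daemon_json(SAMPLE)))
```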
