Docker 5: Building and using a private Docker registry (Harbor registry approach)

1. Introduction

  1.1 Why use Harbor when an official registry image is already available

    1) The plain registry has no image-management layer: you can push, but deletion has to be enabled explicitly and followed by a manual garbage-collect run, so unused images accumulate and eat disk space.

    2) The registry has no extension mechanism for access control, replication or scanning.

    3) Harbor features:

  • Cloud native registry: With support for both container images and Helm charts, Harbor serves as registry for cloud native environments like container runtimes and orchestration platforms.
  • Role based access control: Users and repositories are organized via 'projects' and a user can have different permission for images or Helm charts under a project.
  • Policy based replication: Images and charts can be replicated (synchronized) between multiple registry instances based on policies with multiple filters (repository, tag and label). Harbor automatically retries a replication if it encounters any errors. Great for load balancing, high availability, multi-datacenter, hybrid and multi-cloud scenarios.
  • Vulnerability Scanning: Harbor scans images regularly and warns users of vulnerabilities.
  • LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor and assigning proper project roles to them.
  • OIDC support: Harbor leverages OpenID Connect (OIDC) to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be enabled to log into the Harbor portal.
  • Image deletion & garbage collection: Images can be deleted and their space can be recycled.
  • Notary: Image authenticity can be ensured.
  • Graphical user portal: User can easily browse, search repositories and manage projects.
  • Auditing: All the operations to the repositories are tracked.
  • RESTful API: RESTful APIs for most administrative operations, easy to integrate with external systems. An embedded Swagger UI is available for exploring and testing the API.
  • Easy deployment: Provide both an online and offline installer. In addition, a Helm Chart can be used to deploy Harbor on Kubernetes.

  1.2 What is Harbor

    Harbor is an enterprise-class registry project open-sourced by VMware and built on Docker Registry. It is a server for storing and distributing Docker images that extends the upstream Docker Distribution with the features an enterprise needs, such as security, authentication and management. It improves image transfer efficiency, supports replicating images between registries, and adds higher-level security functions such as vulnerability analysis, user management, access control and activity auditing. The project has more than 4,600 stars on GitHub.

    

    Official site: https://goharbor.io/

    GitHub installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md

    Download: https://github.com/goharbor/harbor/releases

       Note: the offline installer is used directly here.

  1.3 Harbor logo

2. Harbor architecture

  2.1 Architecture diagram

 

  2.2 The seven main components

    Proxy: Harbor's registry, UI, token server and other components sit behind a reverse proxy, which forwards requests from browsers and Docker clients to the various backend services.

    Registry: stores Docker images and handles docker push/pull commands. Because Harbor enforces access control on images, the registry redirects clients to the token service so that every request carries a valid token.

    Core services: Harbor's core, mainly providing the following:

      UI: a graphical user interface that helps users manage the images in the registry.

      Webhook: a mechanism configured in the registry so that changes to image status in the registry are pushed to Harbor's webhook endpoint. Harbor uses webhooks to update logs, trigger replication and drive some other functions.

      Token service: issues a token for every docker push/pull command according to the user's role in the project. If a request from the Docker client carries no token, the registry redirects it to the token service.

    Database: stores metadata for projects, users, roles, replication policies and images.

    Job services: used for image replication; can replicate (synchronize) local images to other Harbor instances.

    Log collector: collects the logs of the other modules in one place.

    Redis: stores sessions.
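The redirect-to-token-service exchange described under Registry and Token service above, walked through in code. This is an added example for this page, not Harbor project code: the challenge header, the `/service/token` realm, the `harbor-registry` service name, the sample token claims and the lab host/credentials are constructed or assumed values. Real Harbor tokens are RS256-signed JWTs; the decoder here only inspects the payload, it does not verify anything (the registry is the party that verifies).

```python
"""Walk the Docker Registry v2 token flow that sits behind every docker pull/push against Harbor.

Added example for this page; it is not Harbor project code. The registry host, token realm,
service name and credentials below are assumptions / constructed sample values.
"""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the challenge the registry returns (HTTP 401) when a request
# carries no token. Harbor's realm is its own token service under /service/token.
SAMPLE_CHALLENGE = (
    'Bearer realm="http://192.168.216.52/service/token",'
    'service="harbor-registry",scope="repository:library/zxg/centos_nginx:pull"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a `WWW-Authenticate: Bearer ...` header into its realm/service/scope fields."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge, got %r" % scheme)
    fields = dict(_PARAM_RE.findall(params))
    if "realm" not in fields:
        raise ValueError("Bearer challenge without a realm")
    return fields


def build_token_url(challenge):
    """URL the client calls on the token service; service and scope are passed back verbatim."""
    query = [(k, challenge[k]) for k in ("service", "scope") if k in challenge]
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def decode_token_claims(token):
    """Decode the JWT payload WITHOUT checking the signature (inspection only).

    The `access` claim shows which actions the project role granted, e.g. pull only
    for a guest, pull and push for a developer.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_with_token(url, username, password):
    """GET a registry URL: anonymous first, then the token dance if the registry answers 401."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url)) as resp:
            return resp.read()  # public project: no token needed
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        challenge = parse_bearer_challenge(err.headers.get("WWW-Authenticate", ""))
    # Credentials go to the token service only, never to the registry itself.
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    token_req = urllib.request.Request(
        build_token_url(challenge), headers={"Authorization": f"Basic {basic}"}
    )
    with urllib.request.urlopen(token_req) as resp:
        token = json.load(resp)["token"]  # {"token": ..., "expires_in": ..., ...}
    auth_req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(auth_req) as resp:
        return resp.read()


def _unsigned_token(claims):
    """Build a JWT-shaped string for the decoder demo. Real Harbor tokens are RS256-signed."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


# Constructed sample token with the claim shape Harbor's token service emits.
SAMPLE_TOKEN = _unsigned_token({
    "iss": "harbor-token-issuer",
    "sub": "admin",
    "aud": "harbor-registry",
    "access": [{"type": "repository", "name": "library/zxg/centos_nginx",
                "actions": ["pull", "push"]}],
})


if __name__ == "__main__":
    # Assumed live target: the lab Harbor host from this page, plain HTTP.
    tags = fetch_with_token("http://192.168.216.52/v2/library/zxg/centos_nginx/tags/list",
                            "admin", "harbor")
    print(tags.decode())
```

Running the script against the lab host lists the tags of the pushed repository; the interesting part for a security review is `decode_token_claims`, which makes visible that the registry never sees the password, only a short-lived token whose `access` claim is scoped to one repository and to the actions the project role allows.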

  2.3 Lab setup

    Software versions used: docker engine 19.03.2

                            docker-compose version 1.18.0

                            CentOS Linux release 7.7.1908 (Core)

                            harbor v1.9.1

3. Installing Harbor

  3.1 Installation methods

    There are two installers: the online installer and the offline installer.

    Online installer: pulls the Harbor images from Docker Hub during installation; see the installation steps for the download link.

    Offline installer: for hosts without internet access; download the offline package, which bundles the images, and install from it.

    Harbor can also be deployed on Kubernetes with the Helm chart.

  3.2 Requirements

    1) Hardware

Resource | Capacity      | Description
CPU      | minimal 2 CPU | 4 CPU is preferred
Mem      | minimal 4GB   | 8GB is preferred
Disk     | minimal 40GB  | 160GB is preferred

    2) Software

Software       | Version                       | Description
Docker engine  | version 17.06.0-ce+ or higher | For installation instructions, please refer to: docker engine doc
Docker Compose | version 1.18.0 or higher      | For installation instructions, please refer to: docker compose doc
Openssl        | latest is preferred           | Generate certificate and keys for Harbor

    3) Network ports

Port | Protocol | Description
443  | HTTPS    | Harbor portal and core API will accept requests on this port for https protocol, this port can change in config file
4443 | HTTPS    | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled, This port can change in config file
80   | HTTP     | Harbor portal and core API will accept requests on this port for http protocol

    Note that on port 80 credentials and image layers travel in the clear; the lab below uses it for simplicity, but anything beyond a lab should expose 443 (see 5.1).

  3.3 Official installation steps

    The installation steps boil down to the following:

    Download the installer;

      Download address: https://github.com/goharbor/harbor/releases

    Configure harbor.yml;

      Mainly set hostname and harbor_admin_password (the initial admin password)

    Run install.sh to install and start Harbor;

      Run the installation script

  3.4 Deployment

    1) Deployment note: Harbor supports docker-compose and Kubernetes deployments; the default is a single-node docker-compose deployment.

    2) Docker installation is omitted here

      See Docker 4: Building and using a private Docker registry (docker-registry approach)

        systemctl start docker

        systemctl enable docker

    3) Download the installer

      Create a directory for Harbor:

        mkdir /harbor

        cd /harbor

        Upload the downloaded package into this directory

      Extract it:

        tar -zxvf harbor-offline-installer-v1.9.1.tgz

        

    4) Edit harbor.yml

      Two values must be changed for now:

        hostname must be set to the FQDN or IP that clients will use to reach Harbor (it is written into the registry and token configuration, so do not use localhost or 127.0.0.1)

        Change the initial admin password; here it is set to harbor. This is a throwaway lab value: use a strong one anywhere else, and note that harbor_admin_password is only applied on the first start; later changes are made in the portal.

      The default username/password is admin / Harbor12345

[root@web2 harbor]# cat harbor.yml |grep hostname
# The IP address or hostname to access admin UI and registry service.
hostname: 192.168.216.52   #--- FQDN or IP
# And when it enabled the hostname will no longer used
[root@web2 harbor]# cat harbor.yml |grep harbor_ad*
harbor_admin_password: harbor #--- initial password

    5) Install docker-compose

[root@web2 harbor]# ll 
total 607872
-rw-r--r-- 1 root root 622428100 Sep 27 14:52 harbor.v1.9.1.tar.gz
-rw-r--r-- 1 root root      5798 Oct  9 15:55 harbor.yml
-rwxr-xr-x 1 root root      5088 Sep 27 14:52 install.sh
-rw-r--r-- 1 root root     11347 Sep 27 14:52 LICENSE
-rwxr-xr-x 1 root root      1748 Sep 27 14:52 prepare
[root@web2 harbor]# ./install.sh #--- running the install script first reports that compose is required

[Step 0]: checking installation environment ...

Note: docker version: 19.03.2
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again. #--- compose must be installed

      Install compose:

yum -y install python-pip

pip install --upgrade pip

pip install docker-compose

docker-compose version
[root@web2 harbor]# docker-compose version 
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
[root@web2 harbor]# 

    6) Run the install script

./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.2

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...


b80136ee24a4: Loading layer [>                                                  ]  360.4kB/34.25MB

b80136ee24a4: Loading layer [====>                                              ]  2.884MB/34.25MB

b80136ee24a4: Loading layer [=========>                                         ]  6.488MB/34.25MB

b80136ee24a4: Loading layer [==============>                                    ]  10.09MB/34.25MB

b80136ee24a4: Loading layer [======================>                            ]  15.14MB/34.25MB
... (layer loading output omitted) ...
----Harbor has been installed and started successfully.----   #--- installation succeeded
Now you should be able to visit the admin portal at http://192.168.216.52. For more details, please visit https://github.com/goharbor/harbor .

    Installation is complete; nine containers are now running:

[root@web2 harbor]# docker ps
CONTAINER ID        IMAGE                                                    COMMAND                  CREATED             STATUS                    PORTS                       NAMES
e70ce2270a2b        goharbor/nginx-photon:v1.9.1                             "nginx -g 'daemon of…"   30 minutes ago      Up 30 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
f8c165eb8f4e        goharbor/harbor-jobservice:v1.9.1                        "/harbor/harbor_jobs…"   30 minutes ago      Up 30 minutes (healthy)                               harbor-jobservice
ba46b285ff14        goharbor/harbor-core:v1.9.1                              "/harbor/harbor_core"    30 minutes ago      Up 30 minutes (healthy)                               harbor-core
5179d37b0029        goharbor/harbor-db:v1.9.1                                "/docker-entrypoint.…"   30 minutes ago      Up 30 minutes (healthy)   5432/tcp                    harbor-db
8d210e049b95        goharbor/harbor-portal:v1.9.1                            "nginx -g 'daemon of…"   30 minutes ago      Up 30 minutes (healthy)   8080/tcp                    harbor-portal
9bb9ea0b891b        goharbor/harbor-registryctl:v1.9.1                       "/harbor/start.sh"       30 minutes ago      Up 30 minutes (healthy)                               registryctl
6af51f3478c5        goharbor/redis-photon:v1.9.1                             "redis-server /etc/r…"   30 minutes ago      Up 30 minutes (healthy)   6379/tcp                    redis
93656b06f470        goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.1   "/entrypoint.sh /etc…"   30 minutes ago      Up 30 minutes (healthy)   5000/tcp                    registry
be49e0941ce4        goharbor/harbor-log:v1.9.1                               "/bin/sh -c /usr/loc…"   30 minutes ago      Up 30 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log
[root@web2 harbor]# 

 

    7) Access the web UI: open http://192.168.216.52 (the hostname from harbor.yml) in a browser and log in as admin with the password set in harbor.yml (here harbor).

 

4. Using the Harbor registry

  4.1 Client login: with plain HTTP, the client must mark the registry as insecure to allow HTTP connections

    Note: before `docker login`, the client must list the registry as an insecure registry (the `--insecure-registry` daemon flag, or "insecure-registries" in daemon.json), which means communication uses plain HTTP. For secure communication use HTTPS instead. Docker expects the value as host[:port] or a CIDR block; newer daemons accept a leading "http://" but strip it with a warning. Bear in mind that over plain HTTP the login credentials and image layers are unencrypted and can be sniffed or tampered with on the wire, so this is only acceptable on an isolated lab network.

    Note: during testing, my client was running an older Docker version, and when editing /etc/docker/daemon.json I wrote "insecure-registries":["192.168.216.52"], and login kept failing; after updating to a newer Docker I wrote the second half as ["http://192.168.216.52"] and it worked immediately. I do not know whether it was the version or the format; I will come back to this in a later test. In any case, the steps below went through fine.
 

    Error when logging in without the change (the client insists on HTTPS and nothing is listening on 443):

[root@web1 docker]# docker login 192.168.216.52
Authenticating with existing credentials...
Login did not succeed, error: Error response from daemon: Get https://192.168.216.52/v2/: dial tcp 192.168.216.52:443: connect: connection refused
Username (admin): admin^H^H^H
Password: 
Error response from daemon: Get https://192.168.216.52/v2/: dial tcp 192.168.216.52:443: connect: connection refused

    Edit /etc/docker/daemon.json, creating it if it does not exist (this is on the client):

[root@web1 docker]# pwd
/etc/docker
[root@web1 docker]# ll 
total 8
-rw-r--r-- 1 root root  52 Oct 10 17:42 daemon.json.bak
-rw------- 1 root root 244 Jul 25 11:16 key.json
[root@web1 docker]# mv daemon.json.bak daemon.json
[root@web1 docker]# cat daemon.json 
{
"insecure-registries":["http://192.168.216.52"] }
#--- then restart docker
[root@web1 docker]# systemctl daemon-reload&&systemctl restart docker  
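A safer way to make the daemon.json edit shown above, as an added example in Python (not Docker or Harbor code): it strips a scheme prefix the way newer dockerd does, validates the host[:port] or CIDR form, preserves any other keys already in the file, and is idempotent. The file path is dockerd's default; the sample registries in the usage are the lab values from this page.

```python
"""Add a registry to the insecure-registries list in /etc/docker/daemon.json without clobbering it.

Added example for this page, not Docker or Harbor code. The file path is dockerd's default;
everything else is constructed. After writing the file, dockerd still has to be restarted
(systemctl restart docker) for the change to take effect.
"""
import ipaddress
import json
import re
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")

# host or host:port; dockerd also accepts a CIDR block for a whole subnet
_HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def normalize_registry(value):
    """Return the registry as dockerd expects it: host[:port] or CIDR, no URL scheme.

    A leading http:// or https:// is stripped here; recent dockerd versions do the same
    and log a warning, older ones may reject the entry outright, so do not rely on it.
    """
    v = value.strip()
    for scheme in ("http://", "https://"):
        if v.lower().startswith(scheme):
            v = v[len(scheme):]
    v = v.rstrip("/")
    if "/" in v:
        ipaddress.ip_network(v, strict=False)  # raises ValueError on a malformed CIDR
        return v
    if not _HOSTPORT_RE.match(v):
        raise ValueError("not a host[:port] or CIDR: %r" % value)
    return v


def add_insecure_registry(config, registry):
    """Return a copy of the daemon config with `registry` added; idempotent, other keys untouched."""
    reg = normalize_registry(registry)
    current = config.get("insecure-registries", [])
    if not isinstance(current, list):
        raise ValueError("insecure-registries must be a JSON array")
    updated = dict(config)
    updated["insecure-registries"] = current + [reg] if reg not in current else list(current)
    return updated


def update_daemon_json(registry, path=DAEMON_JSON):
    """Read-modify-write the file.

    A missing file starts as {}. Malformed JSON raises instead of being silently
    overwritten (dockerd would refuse to start on it anyway, so surface it here).
    """
    config = json.loads(path.read_text()) if path.exists() else {}
    updated = add_insecure_registry(config, registry)
    path.write_text(json.dumps(updated, indent=2) + "\n")
    return updated


if __name__ == "__main__":
    import sys
    # usage: python3 add_insecure_registry.py 192.168.216.52
    print(json.dumps(update_daemon_json(sys.argv[1]), indent=2))
```

Run it as root on the client, then `systemctl restart docker`; because it merges rather than overwrites, an existing `log-driver` or `registry-mirrors` setting in daemon.json survives, which a hand-typed replacement of the file does not guarantee.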

    Login:

      docker login 192.168.216.52

       Note: this normally prompts for a username and password; use admin and the password set in harbor.yml (here harbor). The run below does not prompt because credentials from an earlier login were already cached in /root/.docker/config.json.

[root@web1 docker]# docker login 192.168.216.52
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@web1 docker]# 

      Credentials can also be passed as arguments. The CLI warns because a password on the command line lands in shell history and process listings; for scripted logins prefer `--password-stdin`, and configure a credential helper so the password is not stored in plain text in config.json.

[root@web1 docker]# docker login -u admin  -p harbor 192.168.216.52     
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@web1 docker]# 

  4.2 Pushing an image

    Use docker push:

    docker push 192.168.216.52/library/zxg/centos_nginx:v1

    1) Tag the image. Harbor references have the form <hostname>/<project>/<repository>:<tag>; the project here is the default library, and the repository name may itself contain a slash.

 

[root@web1 docker]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
zxg/centos_nginx          v1                  7c6604cacec1        7 weeks ago         698MB
atlassian/jira-software   latest              c4b90dede4f3        7 weeks ago         624MB
zxg/my_nginx              v1                  b164f4c07c64        2 months ago        126MB
zxg/my_nginx              latest              f07837869dfc        2 months ago        126MB
nginx                     latest              e445ab08b2be        2 months ago        126MB
alpine                    latest              b7b28af77ffe        3 months ago        5.58MB
centos                    latest              9f38484d220f        6 months ago        202MB
[root@web1 docker]# docker tag 7c6604cacec1 192.168.216.52/library/zxg/centos_nginx:v1

[root@web1 docker]# docker images
REPOSITORY                                TAG                 IMAGE ID            CREATED             SIZE
192.168.216.52/library/zxg/centos_nginx   v1                  7c6604cacec1        7 weeks ago         698MB

    2) Push

[root@web1 docker]# docker push 192.168.216.52/library/zxg/centos_nginx:v1
The push refers to repository [192.168.216.52/library/zxg/centos_nginx]
7b4de0c97fbb: Pushed 
d69483a6face: Pushed 
v1: digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078 size: 742

    3) Check that it succeeded: in the portal, open the library project and confirm that repository zxg/centos_nginx lists tag v1. The digest on the last line of the push output is the manifest digest, and the same value comes back when the image is pulled in 4.4.
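Checking the push by digest rather than by eye, as an added example in Python (not Harbor code): the summary line of the push output is parsed, the manifest is fetched back through the Registry v2 API that Harbor fronts, and the served bytes are hashed and compared with the pushed digest. It assumes Harbor accepts Basic auth on /v2/ for this lab user; host, repository and credentials are the lab values from this page, and the sample push output is copied from it.

```python
"""Confirm that a push really landed by comparing digests.

Added example for this page, not Harbor code. docker push prints the manifest digest; Harbor
fronts the Registry v2 API, so the same manifest can be fetched back and hashed. Assumes the
lab Harbor accepts Basic auth on /v2/; host, repository and credentials are the page's values.
"""
import base64
import hashlib
import re
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
_SUMMARY_RE = re.compile(r"^(\S+): digest: (sha256:[0-9a-f]{64}) size: (\d+)$", re.MULTILINE)

# Constructed from the docker push output shown earlier on this page.
SAMPLE_PUSH_OUTPUT = """\
The push refers to repository [192.168.216.52/library/zxg/centos_nginx]
7b4de0c97fbb: Pushed
d69483a6face: Pushed
v1: digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078 size: 742
"""


def parse_push_digest(output):
    """Return (tag, digest, manifest_size) from the summary line of docker push output."""
    m = _SUMMARY_RE.search(output)
    if not m:
        raise ValueError("no 'digest:' summary line in push output")
    return m.group(1), m.group(2), int(m.group(3))


def manifest_digest(manifest_bytes):
    """Content-addressable digest: sha256 over the exact bytes the registry serves."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def check_manifest(expected_digest, expected_size, body, header_digest=None):
    """True when the served manifest hashes to the pushed digest (and the registry agrees)."""
    computed = manifest_digest(body)
    if header_digest is not None and header_digest != computed:
        return False  # registry's Docker-Content-Digest disagrees with the bytes it sent
    return computed == expected_digest and len(body) == expected_size


def fetch_manifest(host, repo, ref, user, password, scheme="http"):
    """GET /v2/<repo>/manifests/<ref> through Harbor with Basic auth.

    Schema 2 is requested explicitly: without the Accept header the registry converts
    the manifest to schema 1 on the fly, and that conversion has a different digest.
    """
    url = f"{scheme}://{host}/v2/{repo}/manifests/{ref}"
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Accept": MANIFEST_V2, "Authorization": f"Basic {basic}"}
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read(), resp.headers.get("Docker-Content-Digest")


def verify_push(host, repo, push_output, user, password, scheme="http"):
    """End-to-end check: parse the push output, fetch the manifest back, compare digests."""
    tag, digest, size = parse_push_digest(push_output)
    body, header_digest = fetch_manifest(host, repo, tag, user, password, scheme)
    return check_manifest(digest, size, body, header_digest)


if __name__ == "__main__":
    ok = verify_push("192.168.216.52", "library/zxg/centos_nginx", SAMPLE_PUSH_OUTPUT,
                     "admin", "harbor")
    print("manifest digest matches push:", ok)
```

The digest is what later pulls are pinned to (`docker pull <ref>@sha256:...`), so recording it at push time and re-checking it this way is a cheap integrity check on a registry you reach over plain HTTP, where the transport itself guarantees nothing.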

  4.3 Verifying the daemon.json format

    1) Copy the client's daemon.json to the Harbor node

[root@web1 docker]# scp daemon.json root@192.168.216.52:/etc/docker/
The authenticity of host '192.168.216.52 (192.168.216.52)' can't be established.
ECDSA key fingerprint is SHA256:kvAeuWOn6RFSXvl5qFIszQEx9gLizuZER+I4VJkpAso.
ECDSA key fingerprint is MD5:b7:ef:e0:3c:8f:97:01:c2:5c:9a:2e:fc:4d:e2:99:83.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.216.52' (ECDSA) to the list of known hosts.
root@192.168.216.52's password: 
daemon.json                                                                           100%   52     9.4KB/s   00:00    
[root@web1 docker]# 

    2) Change the format and see whether it works

[root@web2 harbor]# cat /etc/docker/daemon.json 
{
"insecure-registries":["192.168.216.52"] ## the previous format was ["http://192.168.216.52"]
}
[root@web2 harbor]# 

    After the change, restart Docker and bring the Compose stack back up:

systemctl daemon-reload&&systemctl restart docker
docker-compose down -v
docker-compose up -d

     

    3) Test whether login works

[root@web2 harbor]# docker login 192.168.216.52
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded   # login works, so it does not look like a format issue; it should be a version issue, and older versions probably need a different config file changed

  4.4 Pulling an image

    docker pull 192.168.216.52/library/zxg/centos_nginx:v1

[root@web2 harbor]# docker pull 192.168.216.52/library/zxg/centos_nginx:v1
v1: Pulling from library/zxg/centos_nginx
8ba884070f61: Pull complete 
75754525faad: Pull complete 
Digest: sha256:2654d7a4fbab3b1be85ca177ac08ce9e13177f9ad45b827ca3ed1e1629050078
Status: Downloaded newer image for 192.168.216.52/library/zxg/centos_nginx:v1
192.168.216.52/library/zxg/centos_nginx:v1
[root@web2 harbor]# docker images
REPOSITORY                                TAG                             IMAGE ID            CREATED             SIZE
goharbor/chartmuseum-photon               v0.9.0-v1.9.1                   0aa7451af9b8        13 days ago         131MB
goharbor/harbor-migrator                  v1.9.1                          a83f1be1ec94        13 days ago         362MB
goharbor/redis-photon                     v1.9.1                          4d8d79a557df        13 days ago         110MB
goharbor/clair-photon                     v2.0.9-v1.9.1                   98b318ca3cb0        13 days ago         165MB
goharbor/notary-server-photon             v0.6.1-v1.9.1                   78dac4ed14d8        13 days ago         138MB
goharbor/notary-signer-photon             v0.6.1-v1.9.1                   5d9f413e14a8        13 days ago         135MB
goharbor/harbor-registryctl               v1.9.1                          f4b2b72cdf71        13 days ago         99.6MB
goharbor/registry-photon                  v2.7.1-patch-2819-2553-v1.9.1   d460d658f383        13 days ago         82.3MB
goharbor/nginx-photon                     v1.9.1                          0db1e12b9d30        13 days ago         43.9MB
goharbor/harbor-log                       v1.9.1                          368dd79ef99f        13 days ago         82.6MB
goharbor/harbor-jobservice                v1.9.1                          71d4a3eaff94        13 days ago         141MB
goharbor/harbor-core                      v1.9.1                          d105210d9924        13 days ago         155MB
goharbor/harbor-portal                    v1.9.1                          2dced1823043        13 days ago         51.3MB
goharbor/harbor-db                        v1.9.1                          91784692a954        13 days ago         147MB
goharbor/prepare                          v1.9.1                          44775181c88d        13 days ago         148MB
192.168.216.51:5000/busybox               v1                              19485c79a9bb        5 weeks ago         1.22MB
192.168.216.51:5000/busybox               v2                              19485c79a9bb        5 weeks ago         1.22MB
192.168.216.52:5000/busybox               latest                          19485c79a9bb        5 weeks ago         1.22MB
192.168.216.52:5000/busybox               v2                              19485c79a9bb        5 weeks ago         1.22MB
busybox                                   v1                              19485c79a9bb        5 weeks ago         1.22MB
busybox                                   v2                              19485c79a9bb        5 weeks ago         1.22MB
192.168.216.52/library/zxg/centos_nginx   v1                              7c6604cacec1        7 weeks ago         698MB
[root@web2 harbor]# 

5. Other settings

  5.1 Configuring Harbor for HTTPS access

    See https://github.com/goharbor/harbor/blob/master/docs/configure_https.md . For anything beyond a lab, HTTPS should be the default: it protects credentials and image layers in transit, removes the need for the insecure-registries entry on every client, and is a prerequisite for Notary (5.3).

  5.2 Managing the Harbor lifecycle

    1) Stop

      docker-compose stop

    2) Start again

      docker-compose start

    3) Change the configuration

      Stop Harbor, update harbor.yml, run the prepare script to regenerate the component configuration, then start Harbor:

      docker-compose down -v  #--- stops and removes the containers; image data and the database files stay on the host filesystem (bind-mounted under /data)

      vim harbor.yml

      ./prepare

      docker-compose up -d

    4) Remove Harbor's database and image data (for a clean reinstall)

      rm -r /data/database

      rm -r /data/registry

  5.3 Installing Notary (content trust / image signing)

    ./install.sh --with-notary

      Required setting: Harbor must be served over HTTPS (the https section of harbor.yml; ui_url_protocol = https in the older harbor.cfg format), because Harbor only supports Notary on an HTTPS deployment.

  5.4 Installing the Clair vulnerability scanner

    ./install.sh --with-clair

  5.5 Installing the chart repository service

    ./install.sh --with-chartmuseum

  5.6 To install all of them, pass every flag in a single command

    ./install.sh --with-notary --with-clair --with-chartmuseum

  5.7 docker-compose command reference

    https://docs.docker.com/compose/reference/

  5.8 Data and log files

    By default data lives under /data/ (data_volume in harbor.yml) and logs under /var/log/harbor (log.location); both can be changed in harbor.yml.

  5.9 External database

    Harbor currently supports only PostgreSQL. To use an external database, uncomment the external_database section, and first create the four databases it needs: harbor core, clair, notary server and notary signer.

  5.10 Managing Harbor user settings from the command line; see:

    https://github.com/goharbor/harbor/blob/master/docs/configure_user_settings.md

  

Summary of the workflow:

  Install docker -> install docker-compose -> download the harbor offline package -> upload it to the Linux host -> extract harbor-offline-installer-v1.9.1.tgz -> edit harbor.yml in the extracted harbor directory -> set the key values (hostname / initial password) -> run ./install.sh -> on each client, add the registry to insecure-registries in daemon.json (or, better, set up HTTPS as in 5.1) -> log in from the client and run docker pull/push.

 

Please credit the source when reposting: http://www.javashuo.com/article/p-zthchbqa-ec.html
