Harbor in Practice: A Step-by-Step Guide to Building a Private Docker Image Registry
Author: 西门吹雪
Contents
- Building a private Docker registry with Harbor
- Installing Docker
- Installing Docker Compose
- Setting up Harbor
- Configuring Harbor
- Starting Harbor
- Using Harbor
Building a private Docker registry with Harbor
Harbor is an enterprise-grade Registry management project. It extends the open-source Docker Registry service with many features that enterprise users need. Harbor is usually deployed as a private environment for an organization, and such a private Registry service matters a great deal to enterprises that care about security. A private Registry also avoids pulling images over the public Internet, which improves development efficiency.
Harbor is VMware's open-source enterprise-grade Docker Registry project. Its goal is to help users quickly stand up an enterprise-grade Docker registry service. It provides a management dashboard, role-based access control (RBAC) integration, audit logging and other features enterprise users require, and natively supports Chinese. All of Harbor's components are built as Docker containers and deployed with Docker Compose.
Harbor has two main kinds of users: administrators and ordinary users. Both can become members of a project; administrators can additionally manage users.
Harbor is written in Go, with the web layer built on beego. Developing and running container applications depends on reliable image management; for reasons of security and efficiency, a Registry service deployed inside the enterprise's private environment is essential.
Harbor is an open-source Registry Server project designed for enterprise users by VMware's China R&D team. It includes permission management (RBAC), a graphical management interface, LDAP/AD integration, auditing, self-registration, HA and other features enterprises need, natively supports Chinese, and plans (roadmap) features such as image replication.
Harbor consists mainly of five containers: Proxy, Core Services (comprising the UI, token service and webhook), Database, Registry and Log Collector.
- Proxy: provides reverse proxying; the Proxy routes each user request to the appropriate backend service or the Registry. Harbor uses the official nginx image.
- Core services: the core component of the Harbor project, providing permission management, auditing, the management UI, the token service and an API that other systems can call.
- Database: provides data persistence, using the official mysql image.
- Registry: Docker's official open-source Registry image, which stores and distributes images.
- Log Collector: collects the logs of the other containers and rotates them.
Installing Docker
First install the Docker environment; the installation method depends on the operating system.
- Mac installation
- Ubuntu installation
- Windows installation
- CentOS installation
Here I installed directly on CentOS with a script:
```bash
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum-config-manager --enable docker-ce-edge
yum-config-manager --disable docker-ce-edge
yum install docker-ce
systemctl start docker.service
systemctl enable docker.service
```
After installation succeeds, check it:
```
> docker --version
Docker version 18.06.0-ce, build 0ffa825
```
Installing Docker Compose
Then install docker-compose:
```bash
curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
```
After installation, run it:
```
> docker-compose --version
docker-compose version 1.21.2, build a133471
```
Setting up Harbor
Download the Harbor installer package and unpack it:
```bash
wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-online-installer-v1.1.2.tgz
tar xvf harbor-online-installer-v1.1.2.tgz
```
Configuring Harbor
Enter the directory you just extracted; it contains the file harbor.cfg, which is Harbor's configuration file:
```ini
## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#hostname sets the access address; an IP or a domain name may be used, but not 127.0.0.1 or localhost
#By default Harbor uses port 80. If you use a custom port, besides changing docker-compose.yml,
#the hostname here must also include the custom port, otherwise docker login and push will fail
hostname = 191.234.163.251:3000

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
#Access protocol, default http; https may also be set, in which case nginx ssl must be turned on
ui_url_protocol = http

#The password for the root user of mysql db, change this before any production use.
#Default password of the mysql root user is root123
db_password = root123

#Maximum number of job workers in job service
max_job_workers = 3

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
#Configures Harbor to send mail; this is not required. Note: SSL is not enabled by default; if SMTP needs SSL, set the parameters below accordingly.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
# Administrator login password once Harbor is started; the default is Harbor12345
# If the admin password is changed here, log in to the portal with the changed password
harbor_admin_password = Harbor12345

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
#Authentication mode; several are supported, such as LDAP, local storage and database. The default is db_auth (mysql database authentication)
auth_mode = db_auth

#The url for an ldap endpoint.
#URL for LDAP authentication (e.g. ldaps://ldap.mydomain.com), used when auth_mode is set to ldap_auth.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
# DN of the user that connects to the LDAP/AD service (e.g. uid=admin,ou=people,dc=mydomain,dc=com).
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#Password for the ldap_searchdn user set above
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
#Base DN under which users are looked up, e.g. ou=people,dc=mydomain,dc=com. Used only when auth_mode is set to ldap_auth
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#User search filter (objectClass=person).
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
#This attribute is used to match a user in an LDAP search; it can be uid, cn, email or another attribute
ldap_uid = uid

#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
#User search scope, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE. Default is 3.
ldap_scope = 3

#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

#Turn on or off the self-registration feature
#Whether self-registration is enabled
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
#Token validity period, default 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
#Controls who may create projects; the default is everyone, and it may be set to adminonly (administrators only)
project_creation_restriction = everyone

#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on

#************************END INITIAL PROPERTIES************************
#############
```
Because Harbor uses port 80 by default, which may already be taken by another service on the system, we need to change the port before starting it.
Configure docker-compose.yml:
```yaml
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.1.2
    container_name: harbor-log
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
    ports:
      - 127.0.0.1:1514:514
    networks:
      - harbor
  registry:
    image: vmware/registry:2.6.1-photon
    container_name: registry
    restart: always
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.1.2
    container_name: harbor-db
    restart: always
    volumes:
      - /data/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.1.2
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /data/config/:/etc/adminserver/config/:z
      - /data/secretkey:/etc/adminserver/key:z
      - /data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.1.2
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - /data/secretkey:/etc/ui/key:z
      - /data/ca_download/:/etc/ui/ca/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.1.2
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /data/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx:1.11.5-patched
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 3000:80   # host port first, container port second
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
```
The original port mapping was 80:80; here I changed it to 3000:80.
Note that after this change you must also update hostname in the harbor.cfg configuration file to ip:port, where ip is the IP address of the machine running Harbor and port is the port set here.
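The configuration above leaves several shipped defaults in place (http, root123, Harbor12345, open self-registration, everyone may create projects), and the hostname port must agree with the proxy mapping just edited. The following pre-flight script is an added example and is not part of the original post or of Harbor itself: it audits a harbor.cfg for those defaults and checks the hostname port against docker-compose.yml. It assumes the key names shown in the post and the unquoted `- HOSTPORT:CONTAINERPORT` form of the compose port lines; the sample files it writes are constructed from the post's values.

```shell
#!/bin/sh
# Added example, not part of the original post. Pre-flight audit of harbor.cfg
# for the weak defaults the post leaves in place, plus the hostname/port
# consistency check the post warns about. Assumes the harbor.cfg keys shown in
# the post and the unquoted "- HOSTPORT:CONTAINERPORT" form of docker-compose.yml.

# cfg_get FILE KEY: value of the first uncommented "KEY = value" line, trimmed.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_harbor_cfg FILE: one finding per line on stdout; exit status = number of findings.
audit_harbor_cfg() {
    n=0
    case "$(cfg_get "$1" hostname)" in
        localhost*|127.0.0.1*) echo "hostname: external clients cannot reach localhost/127.0.0.1"; n=$((n+1)) ;;
    esac
    if [ "$(cfg_get "$1" ui_url_protocol)" = "http" ]; then
        echo "ui_url_protocol=http: logins and image layers travel in the clear"; n=$((n+1)); fi
    if [ "$(cfg_get "$1" db_password)" = "root123" ]; then
        echo "db_password: shipped default still set"; n=$((n+1)); fi
    if [ "$(cfg_get "$1" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password: shipped default still set"; n=$((n+1)); fi
    if [ "$(cfg_get "$1" self_registration)" = "on" ]; then
        echo "self_registration=on: anyone who reaches the portal can create an account"; n=$((n+1)); fi
    if [ "$(cfg_get "$1" project_creation_restriction)" = "everyone" ]; then
        echo "project_creation_restriction=everyone: any user may create projects"; n=$((n+1)); fi
    if [ "$(cfg_get "$1" verify_remote_cert)" = "off" ]; then
        echo "verify_remote_cert=off: replication accepts any certificate"; n=$((n+1)); fi
    return $n
}

# audit_count FILE: the number of findings as text, for use in scripts.
audit_count() {
    audit_harbor_cfg "$1" >/dev/null && echo 0 || echo $?
}

# check_hostname_port CFG COMPOSE: succeed when the port in hostname equals the host
# port that docker-compose.yml maps onto the proxy's container port (80 for http,
# 443 for https). A hostname without a port implies that protocol's default port.
check_hostname_port() {
    host=$(cfg_get "$1" hostname)
    cport=80
    [ "$(cfg_get "$1" ui_url_protocol)" = "https" ] && cport=443
    cfg_port=${host##*:}
    [ "$cfg_port" = "$host" ] && cfg_port=$cport
    compose_port=$(sed -n "s/^[[:space:]]*-[[:space:]]*\([0-9][0-9]*\):$cport\([[:space:]].*\)\{0,1\}\$/\1/p" "$2" | head -n 1)
    [ -n "$compose_port" ] && [ "$cfg_port" = "$compose_port" ]
}

# write_samples DIR: constructed inputs modelled on the post's configuration.
write_samples() {
    cat > "$1/harbor.cfg" <<'EOF'
hostname = 191.234.163.251:3000
ui_url_protocol = http
db_password = root123
harbor_admin_password = Harbor12345
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = on
EOF
    cat > "$1/harbor-hardened.cfg" <<'EOF'
hostname = harbor.example.internal
ui_url_protocol = https
db_password = REPLACE_WITH_GENERATED_SECRET
harbor_admin_password = REPLACE_WITH_GENERATED_SECRET
self_registration = off
project_creation_restriction = adminonly
verify_remote_cert = on
EOF
    cat > "$1/docker-compose.yml" <<'EOF'
  proxy:
    ports:
      - 3000:80   # host port first, container port second
      - 443:443
      - 4443:4443
EOF
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for cfg in harbor.cfg harbor-hardened.cfg; do
        echo "== $cfg"
        audit_harbor_cfg "$dir/$cfg" && echo "no findings" || echo "$? finding(s)"
        if check_hostname_port "$dir/$cfg" "$dir/docker-compose.yml"; then
            echo "hostname port matches the proxy mapping"
        else
            echo "hostname port does NOT match the proxy mapping"
        fi
    done
    rm -r "$dir"
}
main
```

Run it against the real `harbor.cfg` and `docker-compose.yml` by calling `audit_harbor_cfg` and `check_hostname_port` with those paths before `./install.sh`; the findings it prints are exactly the values that can only be changed on first boot (the INITIAL PROPERTIES block) or that require a TLS setup, so they are cheapest to fix before the first start.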
Starting Harbor
After modifying the configuration files, run the following in the Harbor directory:
```
> ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 17.03.2
Note: docker-compose version: 1.22.0
[Step 1]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 2]: checking existing instance of Harbor ...
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Pulling log (vmware/harbor-log:v1.1.2)...
v1.1.2: Pulling from vmware/harbor-log
93b3dcee11d6: Pull complete
d31900e63a3f: Pull complete
d267ee2912d5: Pull complete
827766337aa5: Pull complete
c0f98490f831: Pull complete
Digest: sha256:2de84ff1c41d6277203a2f70b66704ff18cd99fa29958131ea4b350656826d65
Status: Downloaded newer image for vmware/harbor-log:v1.1.2
Pulling registry (vmware/registry:2.6.1-photon)...
2.6.1-photon: Pulling from vmware/registry
93b3dcee11d6: Already exists
d9573f25cba0: Pull complete
e4dfb2b317a8: Pull complete
9b43c0ce6f50: Pull complete
Digest: sha256:f9183e3c721ff9703c26b816e2a7b4cb39349ddf3ce6b9c90a626f5bf6399b77
Status: Downloaded newer image for vmware/registry:2.6.1-photon
Pulling mysql (vmware/harbor-db:v1.1.2)...
v1.1.2: Pulling from vmware/harbor-db
6d827a3ef358: Pull complete
ed0929eb7dfe: Pull complete
03f348dc3b9d: Pull complete
fd337761ca76: Pull complete
ac3f5f870257: Pull complete
38a247b5bcdf: Pull complete
8d528ca18a06: Pull complete
70601d0f6e97: Pull complete
1d7a793f527d: Pull complete
15e9fd86591a: Pull complete
79b5a6ccbd39: Pull complete
831d582888b7: Pull complete
8d1e15502c2a: Pull complete
eb434983945e: Pull complete
Digest: sha256:01f73b927b8160c95230acbc4bfe0c023ffa0426b30155cae5a3c04819965a24
Status: Downloaded newer image for vmware/harbor-db:v1.1.2
Pulling adminserver (vmware/harbor-adminserver:v1.1.2)...
v1.1.2: Pulling from vmware/harbor-adminserver
93b3dcee11d6: Already exists
73cee1677514: Pull complete
a0fb654d0080: Pull complete
f9d9f0947564: Pull complete
Digest: sha256:4e73cda76633d39ed000f812923208a7652da9e51e85143bb9939ff91d8fe7fa
Status: Downloaded newer image for vmware/harbor-adminserver:v1.1.2
Pulling ui (vmware/harbor-ui:v1.1.2)...
v1.1.2: Pulling from vmware/harbor-ui
93b3dcee11d6: Already exists
73cee1677514: Already exists
7af31ef2857c: Extracting [==================================================>] 6.587 MB/6.587 MB
857d22952c74: Download complete
a7aa89c1f4b2: Download complete
...
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registry ... done
Creating harbor-adminserver ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://191.234.163.251:3000.
For more details, please visit https://github.com/vmware/harbor .
```
Harbor is now running; open http://191.234.163.251:3000/ and log in to see the Harbor dashboard.
At this point Harbor is installed.
Using Harbor
Once Harbor is installed and started, we can push images to it and pull images from it. First we need to log in, with the following command:
```
> docker login http://120.92.169.191:3000
Error response from daemon: Get https://120.92.169.191:3000/v1/users/: http: server gave HTTP response to HTTPS client
```
The login fails because Harbor's configuration uses http by default, while the Docker client connects over https by default. So if you kept the default "ui_url_protocol = http" in the configuration above, Docker treats the registry as insecure and push fails; the Docker daemon configuration has to be changed as well.
In my case this runs on a server, so I changed the following configuration (the registry is given as host:port, and the unit file must be reloaded before the daemon is restarted):
```
> vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry=120.92.169.191:3000
> systemctl daemon-reload
> systemctl restart docker
```
If you set it up locally, you may need to change the following configuration instead:
```
> vim /etc/default/docker
DOCKER_OPTS=" --insecure-registry 127.0.0.1:8000"
> systemctl restart docker
```
That completes the configuration.
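The "server gave HTTP response to HTTPS client" error is the Docker client refusing to send credentials and image data over plaintext, and `--insecure-registry` switches that protection off for the named host only. The script below is an added example, not part of the original post or of Docker: it validates an entry in the form dockerd accepts (host[:port] or an IPv4 CIDR, never a scheme such as `http://`) and renders the equivalent `/etc/docker/daemon.json`, Docker's documented daemon configuration file, which avoids editing the systemd unit. The registry addresses used are the post's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Validate an insecure-registry
# entry the way dockerd expects it (host[:port] or CIDR, no scheme) and render
# the equivalent /etc/docker/daemon.json instead of editing the systemd unit.

# validate_insecure_registry VALUE: 0 if VALUE is host[:port] or a.b.c.d/len
validate_insecure_registry() {
    case "$1" in
        *://*) return 1 ;;                       # "http://host:port" is rejected by dockerd
        */*)   echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' ;;
        *)     echo "$1" | grep -Eq '^[A-Za-z0-9.-]+(:[0-9]{1,5})?$' ;;
    esac
}

# render_daemon_json REGISTRY...: print a daemon.json listing the given insecure registries
render_daemon_json() {
    printf '{\n  "insecure-registries": ['
    sep=""
    for r in "$@"; do
        validate_insecure_registry "$r" || { echo "bad registry entry: $r" >&2; return 1; }
        printf '%s"%s"' "$sep" "$r"; sep=", "
    done
    printf ']\n}\n'
}

# registry_listed_insecure FILE REGISTRY: 0 if FILE lists REGISTRY as insecure
registry_listed_insecure() {
    grep -q "\"$2\"" "$1"
}

main() {
    # The post's server registry; write the output to /etc/docker/daemon.json,
    # then run "systemctl restart docker" for the daemon to pick it up.
    render_daemon_json "120.92.169.191:3000"
    # The post's own unit-file value, which dockerd rejects because of the scheme:
    validate_insecure_registry "http://120.92.169.191:3000" || echo "rejected: scheme not allowed" >&2
}
main
```

Keep the `insecure-registries` list as short-lived as possible: it disables both TLS and certificate verification for that host, so the lasting fix is to set `ui_url_protocol = https` with `ssl_cert` and `ssl_cert_key` in harbor.cfg and then remove the entry again.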
Then log in to Harbor:
```
> docker login 120.92.169.191:3000
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
```
This shows that the login succeeded.
Next we can tag a local image and push it to Harbor. The image has to be tagged with the registry address so that it can be pushed to the private Harbor registry; library is the project Harbor provides by default.
```
> docker tag pingcap/tidb 120.92.169.191:3000/library/pingcap-tidb
> docker push 120.92.169.191:3000/library/pingcap-tidb
The push refers to repository [120.92.169.191:3000/library/pingcap-tidb]
7df78689bd98: Pushed
2f92424593b3: Pushed
a73e6b801a9d: Pushed
2989495fcb75: Pushed
4fe15f8d0ae6: Pushed
latest: digest: sha256:59c01b7959ea173811a0a868a9d930df80f6037565e36d2d167c9d3138b152c1 size: 1365
```
The local image is now stored in the private Harbor registry, and it can be pulled from Harbor whenever it is needed.