Getting to know Harbor
Docker is a container technology: on top of Docker we can quickly run a service as a container. Running a container depends on a Docker image, and Docker images are stored in an image registry. By how they are deployed, registries fall into two categories: public registries (Docker Hub, or the multi-tenant public registries run by vendors such as Alibaba Cloud) and private registries (built and run in-house).
Common private Docker registries:
- registry, Docker's official registry image
- Harbor, the open-source enterprise registry from VMware
- artifact servers such as Nexus and JFrog
Today we introduce Harbor, an enterprise-grade image registry.
1. Introduction to Harbor
Harbor is an enterprise-class registry server, open-sourced by VMware, for storing and distributing Docker images. It extends the open-source Docker Distribution with the features enterprises need, such as security, identity and management. As a private enterprise registry, Harbor offers better performance and security and makes moving images between build and runtime environments more efficient. Harbor can replicate images between multiple registry nodes, and all images stay in the private registry, so data and intellectual property remain under the company's control on its internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
2. Features: what it can do
- Multi-tenancy with multiple namespaces (projects)
- Authentication plus role-based access control
- Replication between multiple instances (primary/replica setups)
- Content signing and verification
- Image analysis and vulnerability scanning
- On-premises deployment with a full web UI
- A RESTful API
3. Installation
Harbor is officially installed as a set of Docker images orchestrated with docker-compose. Two installers are offered: online and offline. Here we use the online installer.
3.1. Install the dependencies
Harbor runs as Docker images orchestrated by docker-compose, so we need Docker and docker-compose. docker-compose is the single-host container orchestration tool; it can be installed from a binary or through a package manager, and either way you end up with a single executable. Here we use yum.
# Add the docker-ce repository
[root@twjlvs-11-199 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Install docker-ce and docker-compose
[root@twjlvs-11-199 ~]# yum install -y docker-ce docker-compose
# Start the docker service
[root@twjlvs-11-199 ~]# systemctl start docker
# Configure a pull-through mirror for public images
[root@twjlvs-11-199 ~]# cat <<EOF > /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn/"]
}
EOF
[root@twjlvs-11-199 ~]# cat /etc/docker/daemon.json
# Restart docker and enable it at boot
[root@twjlvs-11-199 ~]# systemctl restart docker
[root@twjlvs-11-199 ~]# systemctl enable docker
3.2. Download the Harbor online installer
[root@twjlvs-11-199 ~]# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-online-installer-v1.8.2.tgz
# The Harbor tarball is hosted on a Google site; if it is unreachable, download it elsewhere and upload it to the server
[root@twjlvs-11-199 ~]# tar -xf harbor-online-installer-v1.8.2.tgz
[root@twjlvs-11-199 ~]# ls
harbor harbor-online-installer-v1.8.2.tgz
[root@-name src]# cd harbor
[root@-name harbor]# ls
harbor.yml install.sh LICENSE prepare
3.3. Edit the configuration
harbor.yml holds Harbor's key settings, such as the externally reachable address, the admin password and the data directory, and we need to edit it before installing. Change harbor_admin_password away from the default Harbor12345 before running the installer: it is the password of the built-in admin account, and Harbor only reads it on the first start (afterwards the password lives in the database).
[root@twjlvs-11-199 ~]# vim harbor.yml
# Set the hostname or IP that clients will use; change the rest as needed
hostname: 10.40.11.193
harbor_admin_password: Harbor12345
data_volume: /data
3.4. Install and start
[root@hw-capitaltest03-11-193 harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.1
Note: docker-compose version: 1.18.0
[Step 1]: preparing environment ...
prepare base dir is set to /usr/local/src/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Creating registry ... done
Creating harbor-core ... done
[Step 2]: starting Harbor ...
Creating harbor-portal ... done
Creating nginx ... done
Creating registryctl ...
Creating registry ...
Creating harbor-db ...
Creating redis ...
Creating harbor-core ...
Creating harbor-portal ...
Creating harbor-jobservice ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://10.40.11.193.
For more details, please visit https://github.com/goharbor/harbor .
Note that Harbor is listening on an IP address. Next we log in through the web UI.
After logging in we see a default public project, library. Harbor is a multi-tenant enterprise registry and offers user management among other functions. Now a quick test.
4. Testing
Harbor is an enterprise Docker registry; its core function is still storing images. Unlike the official registry, Harbor is multi-tenant with role-based authentication, which means that using a private Harbor registry starts with docker login, just like Docker Hub.
4.1 docker login
[root@hw-capitaltest03-11-193 harbor]# docker login 10.40.11.193
Username: admin
Password:
Error response from daemon: Get https://10.40.11.193/v2/: dial tcp 10.40.11.193:443: connect: connection refused
[root@hw-capitaltest03-11-193 harbor]# docker login 10.40.11.193:80
Username: admin
Password:
Error response from daemon: Get https://10.40.11.193:80/v2/: http: server gave HTTP response to HTTPS client
The two attempts show that docker talks to a registry over HTTPS: with no port given it connects to 443, where nothing is listening (connection refused), and on port 80 Harbor's nginx answers in plain HTTP to a client that expects a TLS handshake. Harbor was installed without HTTPS and without a certificate.
4.2 Dealing with the HTTPS requirement
Docker pushes to and pulls from registries over HTTPS by default. There are two ways forward:
4.2.1 Option 1: mark the registry as insecure in the docker daemon config, "insecure-registries": ["10.40.11.xx:xx"]
The entry has to be added on every docker host and the docker daemon restarted each time, which is laborious, and every change of registry address (new subnet, VIP and so on) means repeating it. It also means docker talks to this registry in cleartext, so login credentials and image contents cross the network unencrypted and can be read or altered in transit.
# Edit the config file
[root@hw-paymenttest03-11-203 ~]# vim /etc/docker/daemon.json
[root@hw-paymenttest03-11-203 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn/"],
"insecure-registries": ["10.40.11.193:80"]
}
# Mind the JSON syntax: the registry-mirrors line needs a trailing comma
# Restart the docker service
[root@hw-paymenttest03-11-203 ~]# systemctl restart docker
# Confirm that the registry now appears under Insecure Registries in the daemon's configuration
[root@hw-paymenttest03-11-203 ~]# docker info
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.1
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-693.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.796GiB
Name: hw-paymenttest03-11-203.7dtest.cn
ID: HHZG:XICF:RQTD:FBEZ:YTTP:EIOZ:B7XE:IESD:R2KI:ZT73:FW2G:Z7DS
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
10.40.11.193:80
127.0.0.0/8
Registry Mirrors:
https://docker.mirrors.ustc.edu.cn/
Live Restore Enabled: false
# Login test
[root@hw-paymenttest03-11-203 ~]# docker login 10.40.11.193:80
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
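As an added example (not code from the original post), here is a small Python helper that makes the daemon.json change from option 1 without the hand-editing pitfalls: it parses the existing file, refuses to continue if the JSON is already broken (the missing-comma mistake noted above would otherwise stop dockerd from restarting), adds the registry entry exactly once, and lists every registry the daemon would now talk to without TLS. The path /etc/docker/daemon.json and the registry 10.40.11.193:80 come from the page; the inputs used in the main block are constructed.

```python
import json
import os

# Where dockerd reads its settings on Linux (the path used on the page).
DAEMON_JSON = "/etc/docker/daemon.json"


def load_daemon_config(text):
    """Parse daemon.json text; "" (file absent) yields an empty config.

    A JSON error becomes a ValueError carrying the parser's position, so a hand
    edit that dropped the comma after "registry-mirrors" is caught here instead
    of by dockerd failing after `systemctl restart docker`.
    """
    text = text.strip()
    if not text:
        return {}
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"daemon.json is not valid JSON: {exc}") from exc
    if not isinstance(conf, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return conf


def is_valid_daemon_json(text):
    """True if dockerd would at least be able to parse this file."""
    try:
        load_daemon_config(text)
        return True
    except ValueError:
        return False


def add_insecure_registry(text, registry):
    """Return the config dict with `registry` (host:port) in insecure-registries.

    Other keys such as registry-mirrors are preserved and the entry is never
    duplicated, so the function is safe to run repeatedly from a config tool.
    """
    conf = load_daemon_config(text)
    entries = conf.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return conf


def plaintext_registries(conf):
    """Registries dockerd may reach over cleartext HTTP or with an unverified cert.

    Every entry here is a host whose pushes, pulls and `docker login` password
    can cross the network unencrypted; shrink this list once Harbor serves TLS.
    """
    return list(conf.get("insecure-registries", []))


def render(conf):
    """Serialize the config the way it should be written back to daemon.json."""
    return json.dumps(conf, indent=2) + "\n"


if __name__ == "__main__":
    # Constructed run: read the live file if present, otherwise start from nothing.
    current = open(DAEMON_JSON).read() if os.path.exists(DAEMON_JSON) else ""
    updated = add_insecure_registry(current, "10.40.11.193:80")
    print(render(updated))  # write this back to DAEMON_JSON, then restart docker
    print("registries used without TLS:", plaintext_registries(updated))
```

The second print is the review list: once Harbor is behind a trusted certificate (option 2), each host's entry should be removed again, otherwise docker keeps accepting a cleartext fallback for that address.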
4.2.2 Option 2: configure a TLS certificate so Harbor serves HTTPS
- Use a certificate from a private CA and enable HTTPS in Harbor. Harbor then serves HTTPS, but the CA is not trusted by the clients: the private CA's certificate has to be installed on every docker host (into the system trust store, or as /etc/docker/certs.d/<registry host:port>/ca.crt, which dockerd reads per registry). Every docker host needs it, which is laborious.
- Use a free publicly trusted certificate for a public domain name and reach Harbor through that name. This gives TLS encryption and works on every docker host without extra configuration; the host itself need not be exposed to the internet, only the domain name has to be validated. Recommended!
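The errors in 4.1 each correspond to a distinct network-level condition, and telling them apart is the first step of either fix. The Python probe below is an added example, not part of the original post or of Harbor: it classifies a registry address the way docker experiences it: nothing listening, cleartext HTTP (needs insecure-registries on the client or TLS on Harbor), TLS with an untrusted chain (needs the CA on the client), or verified TLS. It tries the TLS handshake first because nginx answers a cleartext request on an HTTPS port with a plaintext 400, which would fool a probe that sent HTTP first. docker_ca_path reflects the per-registry CA location /etc/docker/certs.d/<host:port>/ca.crt that dockerd reads; _PlainRegistryStub is a constructed stand-in for Harbor's nginx on port 80, used only by the demo.

```python
import http.server
import socket
import ssl
import threading


def split_registry(ref, default_port=443):
    """Split 'host[:port]' the way docker does: no port means HTTPS on 443."""
    host, sep, port = ref.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ref, default_port


def docker_ca_path(ref):
    """Where dockerd looks for a private CA for this registry (option 2 above)."""
    return f"/etc/docker/certs.d/{ref}/ca.crt"


def _speaks_plain_http(host, port, timeout):
    """True if the port answers a cleartext request with an HTTP status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET /v2/ HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            buf = b""
            while len(buf) < 5:
                chunk = s.recv(64)
                if not chunk:
                    break
                buf += chunk
            return buf.startswith(b"HTTP/")
    except OSError:
        return False


def probe_registry(ref, cafile=None, timeout=3.0):
    """Classify what docker will hit at `ref`:
    refused/unreachable : nothing listening (the page's first attempt on 443)
    plain_http          : cleartext HTTP, the "server gave HTTP response" case
    tls_untrusted       : TLS works but the chain is not trusted (install the CA)
    tls_ok              : verified TLS, docker login needs no extra client config
    """
    host, port = split_registry(ref)
    ctx = ssl.create_default_context(cafile=cafile)  # system CAs plus optional private CA
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    try:
        ctx.wrap_socket(raw, server_hostname=host).close()
        return "tls_ok"
    except ssl.SSLCertVerificationError:
        return "tls_untrusted"
    except (ssl.SSLError, OSError):
        pass  # no usable handshake: maybe cleartext HTTP, maybe something else
    return "plain_http" if _speaks_plain_http(host, port, timeout) else "tls_error"


class _PlainRegistryStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Harbor's nginx on port 80: cleartext, 401 on /v2/."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class _QuietServer(http.server.HTTPServer):
    def handle_error(self, request, client_address):  # swallow aborted-handshake noise
        pass


def demo_plain_http():
    """Serve the stub on a loopback port and probe it; returns the classification."""
    srv = _QuietServer(("127.0.0.1", 0), _PlainRegistryStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_registry(f"127.0.0.1:{srv.server_address[1]}", timeout=1.0)
    finally:
        srv.shutdown()
        srv.server_close()


def demo_closed_port():
    """Probe a loopback port that was just released, like 443 on the page's host."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return probe_registry(f"127.0.0.1:{port}", timeout=1.0)


if __name__ == "__main__":
    print("10.40.11.193    ->", probe_registry("10.40.11.193"))     # no port: docker tries 443
    print("10.40.11.193:80 ->", probe_registry("10.40.11.193:80"))
    print("local stub      ->", demo_plain_http())
    print("CA for option 2 ->", docker_ca_path("10.40.11.193"))
```

Against the host on the page the first call reports refused and the second plain_http, matching the two docker login errors. After option 2 the same call with cafile pointing at the private CA should return tls_ok; tls_untrusted means the CA is not yet in place on that client.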
5. Architecture
# After a successful install, Harbor has generated its supporting files: the component configs under common/ and the docker-compose.yml
[root@hw-capitaltest03-11-193 harbor]# ls
common docker-compose.yml harbor.yml install.sh LICENSE prepare
# docker ps shows that Harbor runs as nine containers with distinct roles; docker-compose.yml shows how they relate, their networks and data volumes
[root@hw-capitaltest03-11-193 harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dee1d10c4fb7 goharbor/nginx-photon:v1.8.2 "nginx -g 'daemon of…" 5 minutes ago Up 5 minutes (healthy) 0.0.0.0:80->80/tcp nginx
362fd4a7f67d goharbor/harbor-jobservice:v1.8.2 "/harbor/start.sh" 5 minutes ago Up 5 minutes harbor-jobservice
2c56923a0341 goharbor/harbor-portal:v1.8.2 "nginx -g 'daemon of…" 5 minutes ago Up 5 minutes (healthy) 80/tcp harbor-portal
8a02d64da712 goharbor/harbor-core:v1.8.2 "/harbor/start.sh" 5 minutes ago Up 5 minutes (healthy) harbor-core
8b1db2f7fee6 goharbor/harbor-registryctl:v1.8.2 "/harbor/start.sh" 5 minutes ago Up 5 minutes (healthy) registryctl
6a1fa0700d6a goharbor/registry-photon:v2.7.1-patch-2819-v1.8.2 "/entrypoint.sh /etc…" 5 minutes ago Up 5 minutes (healthy) 5000/tcp registry
b5c7fae11507 goharbor/harbor-db:v1.8.2 "/entrypoint.sh post…" 5 minutes ago Up 5 minutes (healthy) 5432/tcp harbor-db
b26214811e78 goharbor/redis-photon:v1.8.2 "docker-entrypoint.s…" 5 minutes ago Up 5 minutes 6379/tcp redis
ac02b25459b7 goharbor/harbor-log:v1.8.2 "/bin/sh -c /usr/loc…" 5 minutes ago Up 5 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@hw-capitaltest03-11-193 harbor]# cat docker-compose.yml
version: '2.3'
services:
  log:
    image: goharbor/harbor-log:v1.8.2
    container_name: harbor-log
    restart: always
    dns_search: .
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.2
    container_name: registry
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: /data/secret/registry/root.crt
        target: /etc/registry/root.crt
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
  ......  (remaining services omitted)
Proxy: an nginx reverse proxy in front of Harbor's registry, UI, token service and the other components (the nginx container above, the only one published on 0.0.0.0)
db: stores user permissions, audit logs, image and project metadata and other data (the harbor-db container, PostgreSQL)
UI: the graphical interface for managing the images in the registry and for authorising users (harbor-portal serves the web front end, harbor-core the API behind it)
jobservice: responsible for image replication; it talks to the registries, pulling from one and pushing to another, and records a job log
Adminserver: the configuration management centre (it also checked storage usage); UI and jobservice loaded their settings from it on start-up. In Harbor 1.8 this component was merged into harbor-core, which is why no adminserver container appears in the docker ps output above
Registry: the image registry itself, storing the image layers (the registry container, Docker Distribution)
Log: collects the logs of the other components for monitoring and later analysis (the harbor-log container, a syslog listener published only on 127.0.0.1:1514)
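The generated compose file already shows the hardening a reviewer should look for: capabilities dropped with cap_drop: ALL and only a few re-added, and the syslog port of harbor-log published on 127.0.0.1 rather than on every interface. The Python audit below is an added example, not code from the post or from Harbor: it applies those checks, plus privileged mode and docker-socket mounts, to the services section of a compose file. The log and registry entries are copied from the page's file; debug-sidecar is a hypothetical misconfigured service, constructed so the audit has something to flag (Harbor ships no such container).

```python
# Constructed input: `log` and `registry` are copied from the page's docker-compose.yml;
# `debug-sidecar` is a hypothetical, deliberately bad service for the audit to catch.
COMPOSE_SERVICES = {
    "log": {
        "image": "goharbor/harbor-log:v1.8.2",
        "cap_drop": ["ALL"],
        "cap_add": ["CHOWN", "DAC_OVERRIDE", "SETGID", "SETUID"],
        "volumes": ["/var/log/harbor/:/var/log/docker/:z",
                    "./common/config/log/:/etc/logrotate.d/:z"],
        "ports": ["127.0.0.1:1514:10514"],
    },
    "registry": {
        "image": "goharbor/registry-photon:v2.7.1-patch-2819-v1.8.2",
        "cap_drop": ["ALL"],
        "cap_add": ["CHOWN", "SETGID", "SETUID"],
        "volumes": ["/data/registry:/storage:z",
                    "./common/config/registry/:/etc/registry/:z",
                    {"type": "bind", "source": "/data/secret/registry/root.crt",
                     "target": "/etc/registry/root.crt"}],
    },
    "debug-sidecar": {  # hypothetical
        "image": "example/debug:latest",
        "privileged": True,
        "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        "ports": ["8080:80"],
    },
}


def published_port(spec):
    """Decode a compose short-syntax port entry into (host_ip, host_port, container_port)."""
    parts = str(spec).split(":")
    if len(parts) == 3:                  # "127.0.0.1:1514:10514": bound to one address
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:                  # "80:80": published on every interface
        return "0.0.0.0", parts[0], parts[1]
    return "0.0.0.0", None, parts[0]     # "5000": ephemeral host port, every interface


def bind_sources(volumes):
    """Host paths a service mounts, in short ("src:dst:opts") or long (dict) syntax."""
    for vol in volumes:
        src = vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]
        if src.startswith(("/", "./")):
            yield src


def audit_services(services):
    """Return (service, finding) pairs for the settings worth a second look."""
    findings = []
    for name, svc in services.items():
        if svc.get("privileged"):
            findings.append((name, "runs privileged: full access to the host"))
        if "ALL" not in (c.upper() for c in svc.get("cap_drop", [])):
            findings.append((name, "keeps the default capability set; add cap_drop: [ALL] "
                                   "and re-add only what it needs"))
        for spec in svc.get("ports", []):
            ip, _, cport = published_port(spec)
            if ip == "0.0.0.0":
                findings.append((name, f"publishes container port {cport} on all interfaces"))
        for src in bind_sources(svc.get("volumes", [])):
            if src.rstrip("/").endswith("docker.sock"):
                findings.append((name, f"mounts {src}: root on the host for whoever "
                                       f"controls this container"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_services(COMPOSE_SERVICES):
        print(f"{service}: {finding}")
```

With PyYAML installed, yaml.safe_load(open("docker-compose.yml"))["services"] feeds the same function. A finding is a prompt to look, not automatically a bug: the nginx proxy in the docker ps output legitimately publishes port 80 on 0.0.0.0 because it is the entry point, while harbor-log's 1514 correctly stays on loopback.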
6. docker-compose operations
Harbor uses docker-compose to orchestrate its many core components on a single docker host. The docker-compose commands you will use most:
# docker-compose ps: list the containers and their state
[root@hw-capitaltest03-11-193 harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up
harbor-db /entrypoint.sh postgres Up 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 80/tcp
nginx nginx -g daemon off; Up 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
# docker-compose stop: stop containers; give a service name to stop just that one, no argument stops all of them
[root@hw-capitaltest03-11-193 harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-log ... done
[root@hw-capitaltest03-11-193 harbor]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------
harbor-core /harbor/start.sh Exit 137
harbor-db /entrypoint.sh postgres Exit 255
harbor-jobservice /harbor/start.sh Exit 137
harbor-log /bin/sh -c /usr/local/bin/ ... Exit 137
harbor-portal nginx -g daemon off; Exit 0
nginx nginx -g daemon off; Exit 0
redis docker-entrypoint.sh redis ... Exit 137
registry /entrypoint.sh /etc/regist ... Exit 137
registryctl /harbor/start.sh Exit 137
# docker-compose start: start services; no argument starts all of them
[root@hw-capitaltest03-11-193 harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
[root@hw-capitaltest03-11-193 harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up
harbor-db /entrypoint.sh postgres Up 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 80/tcp
nginx nginx -g daemon off; Up 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
# docker-compose restart <service>: restart one container; no argument restarts all of them
[root@hw-capitaltest03-11-193 harbor]# docker-compose restart redis
Restarting redis ... done
# docker-compose up: start everything defined in the compose file in the foreground, with logs attached to the terminal. Caution! In foreground mode Ctrl+C stops all containers
[root@hw-capitaltest03-11-193 harbor]# docker-compose up
harbor-log is up-to-date
registryctl is up-to-date
redis is up-to-date
registry is up-to-date
harbor-db is up-to-date
harbor-core is up-to-date
harbor-portal is up-to-date
harbor-jobservice is up-to-date
nginx is up-to-date
Attaching to harbor-log, registryctl, redis, registry, harbor-db, harbor-core, harbor-portal, harbor-jobservice, nginx
registryctl | WARNING: no logs are available with the 'syslog' log driver
redis | WARNING: no logs are available with the 'syslog' log driver
registry | WARNING: no logs are available with the 'syslog' log driver
harbor-db | WARNING: no logs are available with the 'syslog' log driver
harbor-core | WARNING: no logs are available with the 'syslog' log driver
harbor-portal | WARNING: no logs are available with the 'syslog' log driver
harbor-jobservice | WARNING: no logs are available with the 'syslog' log driver
nginx | WARNING: no logs are available with the 'syslog' log driver
# Caution! In foreground mode Ctrl+C stops all containers
^CGracefully stopping... (press Ctrl+C again to force)
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping harbor-core ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-log ... done
# docker-compose up -d: start the containers defined in the compose file in the background
[root@hw-capitaltest03-11-193 harbor]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------
harbor-core /harbor/start.sh Exit 137
harbor-db /entrypoint.sh postgres Exit 255
harbor-jobservice /harbor/start.sh Exit 137
harbor-log /bin/sh -c /usr/local/bin/ ... Exit 137
harbor-portal nginx -g daemon off; Exit 0
nginx nginx -g daemon off; Exit 0
redis docker-entrypoint.sh redis ... Exit 137
registry /entrypoint.sh /etc/regist ... Exit 137
registryctl /harbor/start.sh Exit 137
[root@hw-capitaltest03-11-193 harbor]# docker-compose up -d
Starting harbor-log ... done
Starting registryctl ...
Starting redis ...
Starting registry ...
Starting registry ... done
Starting harbor-core ... done
Starting harbor-jobservice ...
Starting harbor-portal ... done
Starting nginx ... done
7. References:
Official installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
GitHub: https://github.com/goharbor/harbor
Website: https://goharbor.io/