Huazi's table of contents
- Introduction to `harbor`
- Preparing the lab environment
- Downloading the package
- Installing `docker-ce`
- hosts resolution
- Lab steps
- Configuring HTTPS encrypted transport
- Extracting the archive
- Entering the extracted directory and editing the configuration file
- Starting `harbor`
- Testing
- Configuring the `harbor local mirror accelerator` on the client
- Notes
- Managing `harbor` with `docker compose`
Introduction to harbor
harbor is an enterprise-class Docker registry project open-sourced by VMware.
It provides the following main features:
- Role-based access control (RBAC): different users and user groups can be assigned different permissions, which improves security and makes management more flexible.
- Image replication: images can be replicated between different Harbor instances, which makes it easy to distribute images across multiple data centers or environments.
- Graphical user interface (UI): an intuitive web interface for managing image repositories, projects, users and so on.
- Audit logs: every operation on the image repositories is recorded, which helps with tracking and reviewing activity.
- Garbage collection: images that are no longer used can be cleaned up to save storage space.
Preparing the lab environment
Downloading the package
- URL: https://github.com/goharbor/harbor/releases
Here we choose version v2.5.4 and download the .tgz package.
Installing docker-ce
[root@docker-harbor ~]# yum install docker-ce -y
[root@docker-harbor ~]# systemctl enable --now docker
hosts resolution
[root@docker-harbor ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.139 reg.huazi.com
Lab steps
Configuring HTTPS encrypted transport
- Generate the certificate and key (the `certs` directory the command writes into must already exist under /root)
[root@docker-harbor ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/huazi.com.key -addext "subjectAltName = DNS:reg.huazi.com" -x509 -days 365 -out certs/huazi.com.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:docker
Organizational Unit Name (eg, section) []:registry
Common Name (eg, your name or your server's hostname) []:reg.huazi.com
Email Address []:admin@huazi.com
[root@docker-harbor ~]# cd certs/
[root@docker-harbor certs]# ls
huazi.com.crt huazi.com.key
[root@docker-harbor certs]#
Certificate location: /root/certs/huazi.com.crt
Key location: /root/certs/huazi.com.key
The client fetches the Harbor server's certificate. Docker trusts a registry's self-signed certificate when it is placed as ca.crt under /etc/docker/certs.d/<registry hostname>/, so it goes there:
[root@docker-harbor ~]# mkdir -p /etc/docker/certs.d/reg.huazi.com/
[root@docker-harbor ~]# cp /root/certs/huazi.com.crt /etc/docker/certs.d/reg.huazi.com/ca.crt
[root@docker-harbor ~]# systemctl restart docker
Extracting the archive
[root@docker-harbor ~]# tar -zxvf harbor-offline-installer-v2.5.4.tgz
harbor/harbor.v2.5.4.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
Entering the extracted directory and editing the configuration file
[root@docker-harbor ~]# cd harbor/
[root@docker-harbor harbor]# ls
common.sh harbor.v2.5.4.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
[root@docker-harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@docker-harbor harbor]# ls
common.sh harbor.v2.5.4.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
# harbor.v2.5.4.tar.gz is the bundle of container images
[root@docker-harbor harbor]# vim harbor.yml
hostname: reg.huazi.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/certs/huazi.com.crt
  private_key: /root/certs/huazi.com.key
  # enable strong ssl ciphers (default: false)
  # strong_ssl_ciphers: false

harbor_admin_password: 123456
Starting harbor
[root@docker-harbor harbor]# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
- Set the hostname and other required attributes:
  - You do need to set the hostname and the other required configuration attributes in harbor.yml.
  - The hostname must not be localhost or 127.0.0.1, because Harbor has to be reachable by external clients.
- About Notary:
  - Note: according to the latest Harbor documentation, Notary may already be deprecated or may no longer be a core Harbor component. When configuring Harbor, make sure any Notary documentation or options you see match the Harbor version you are using; if Notary has been deprecated, do not try to enable it.
  - If your Harbor version still supports Notary and you need to enable it, you may need to add the --with-notary option when installing or configuring Harbor (this depends on your Harbor version). Because Notary requires HTTPS, you must also set ui_url_protocol to https in harbor.yml and provide a valid SSL certificate (ssl_cert and ssl_cert_key).
- About Trivy:
  - If you need to enable Trivy (a vulnerability scanner for container images) in Harbor, add the --with-trivy option when installing or configuring Harbor.
- About Chartmuseum:
  - Note: likewise, according to the latest Harbor documentation, Chartmuseum may have been integrated as a built-in Harbor component, offered as an optional plugin, or replaced entirely by another component. Check the official documentation for the Harbor version you are using.
  - If your Harbor version still supports Chartmuseum as a separate component and you need to enable it, you may need to add the --with-chartmuseum option when installing or configuring Harbor. Note that if Chartmuseum has been integrated or replaced, this option may no longer work.
Here we need the Chartmuseum component.
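Before running install.sh, the rules its help text states (a reachable hostname, an HTTPS certificate and key) can be checked mechanically. The following added example is written for this page and is not Harbor's own tooling: it reads only the subset of harbor.yml keys edited above, the sample text is constructed from that fragment, and the admin-password rule is a local assumption rather than a Harbor requirement.

```python
import os
# Constructed sample mirroring the harbor.yml fragment edited above (not read from disk).
SAMPLE_HARBOR_YML = """\
hostname: reg.huazi.com
http:
  port: 80
# https related config
https:
  port: 443
  certificate: /root/certs/huazi.com.crt
  private_key: /root/certs/huazi.com.key
  # strong_ssl_ciphers: false
harbor_admin_password: 123456
"""

def parse_harbor_yml(text):
    """Read 'key: value' lines plus one level of indented section keys (not a full YAML parser)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing whitespace
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if line.startswith(" "):                # indented: a key inside the open section
            conf.setdefault(section, {})[key] = value
        elif value == "":                       # e.g. "https:" opens a section
            section = key
            conf.setdefault(section, {})
        else:                                   # top-level scalar such as hostname
            section = None
            conf[key] = value
    return conf

def preflight(conf, check_files=False):
    """Return the problems install.sh --help warns about; check_files also requires the cert and key paths to exist."""
    problems = []
    if conf.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        problems.append("hostname must be a name external clients can reach")
    https = conf.get("https", {})
    for k in ("certificate", "private_key"):
        if not https.get(k):
            problems.append("https.%s is not set" % k)
        elif check_files and not os.path.isfile(https[k]):
            problems.append("https.%s not found: %s" % (k, https[k]))
    pw = conf.get("harbor_admin_password", "")
    if len(pw) < 8 or pw.isdigit():            # local policy (assumption), not a Harbor rule
        problems.append("harbor_admin_password is too weak (under 8 chars or digits only)")
    return problems
```

Run it with `check_files=True` on the real /root/harbor/harbor.yml to also confirm the certificate and key paths exist on the host.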
[root@docker-harbor harbor]# ./install.sh --with-chartmuseum
[Step 0]: checking if docker is installed ...
Note: docker version: 27.3.1
[Step 1]: checking docker-compose is installed ...
Note: Docker Compose version v2.29.7
[Step 2]: loading Harbor images ...
......
......
......
[+] Running 12/12
✔ Network harbor_harbor-chartmuseum Created 0.1s
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.4s
✔ Container harbor-portal Started 1.4s
✔ Container chartmuseum Started 1.1s
✔ Container redis Started 1.5s
✔ Container registry Started 1.4s
✔ Container registryctl Started 1.2s
✔ Container harbor-db Started 1.4s
✔ Container harbor-core Started 1.8s
✔ Container harbor-jobservice Started 2.3s
✔ Container nginx Started 2.3s
✔ ----Harbor has been installed and started successfully.----
[root@docker-harbor harbor]# ls
common docker-compose.yml harbor.yml install.sh prepare
common.sh harbor.v2.5.4.tar.gz harbor.yml.tmpl LICENSE
- Once the script finishes, a docker-compose.yml file appears, so from now on Harbor's backend can be managed with the docker compose tool.
[root@docker-harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.5.4 388b5ac2eed4 2 years ago 87.4MB
goharbor/chartmuseum-photon v2.5.4 e5134e6ca037 2 years ago 231MB
goharbor/redis-photon v2.5.4 c89d59625d5a 2 years ago 155MB
goharbor/trivy-adapter-photon v2.5.4 1142826e8329 2 years ago 251MB
goharbor/notary-server-photon v2.5.4 e542ccac08c2 2 years ago 112MB
goharbor/notary-signer-photon v2.5.4 65644cf6aaa1 2 years ago 109MB
goharbor/harbor-registryctl v2.5.4 984f0c8cd458 2 years ago 136MB
goharbor/registry-photon v2.5.4 5e2d95b5227f 2 years ago 78.1MB
goharbor/nginx-photon v2.5.4 0e682f78c76f 2 years ago 154MB
goharbor/harbor-log v2.5.4 1c30eb78ebc4 2 years ago 161MB
goharbor/harbor-jobservice v2.5.4 01ec4f1c5ddd 2 years ago 233MB
goharbor/harbor-core v2.5.4 fb4df7c64e84 2 years ago 208MB
goharbor/harbor-portal v2.5.4 bba3d21bc4b9 2 years ago 162MB
goharbor/harbor-db v2.5.4 76e7b3295f2b 2 years ago 225MB
goharbor/prepare v2.5.4 5582f3ef9fbe 2 years ago 163MB
[root@docker-harbor harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9750c866f450 goharbor/nginx-photon:v2.5.4 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, [::]:80->8080/tcp, 0.0.0.0:443->8443/tcp, [::]:443->8443/tcp nginx
7d2a693579de goharbor/harbor-jobservice:v2.5.4 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
569947c42e90 goharbor/harbor-core:v2.5.4 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
8ef39f2a9087 goharbor/harbor-registryctl:v2.5.4 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
ce6c6ddef843 goharbor/chartmuseum-photon:v2.5.4 "./docker-entrypoint…" About a minute ago Up About a minute (healthy) chartmuseum
f2aaf4d9bdda goharbor/registry-photon:v2.5.4 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) registry
2f9cb0b7d2d6 goharbor/redis-photon:v2.5.4 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) redis
1de7bf425061 goharbor/harbor-db:v2.5.4 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) harbor-db
ee52470792cd goharbor/harbor-portal:v2.5.4 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) harbor-portal
497e949edfa7 goharbor/harbor-log:v2.5.4 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
At this point the containers have been started automatically.
Testing
- Create a new project
The huazi project currently contains no images.
Configuring the harbor local mirror accelerator on the client
[root@docker-harbor docker]# cd /etc/docker/
[root@docker-harbor docker]# vim daemon.json
{
  "registry-mirrors": ["https://reg.huazi.com"]
}
[root@docker-harbor docker]# systemctl restart docker
- The client logs in to the harbor registry
[root@docker-harbor harbor]# docker login reg.huazi.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
- Push an image (into the huazi project on reg.huazi.com)
[root@docker-harbor ~]# docker images
timinglee/mario latest 9a35a9e43e8c 9 years ago 198MB
[root@docker-harbor docker]# docker tag timinglee/mario:latest reg.huazi.com/huazi/mario
[root@docker-harbor ~]# docker images
timinglee/mario latest 9a35a9e43e8c 9 years ago 198MB
reg.huazi.com/huazi/mario latest 9a35a9e43e8c 9 years ago 198MB
# the push succeeds
[root@docker-harbor docker]# docker push reg.huazi.com/huazi/mario
Using default tag: latest
The push refers to repository [reg.huazi.com/huazi/mario]
5f70bf18a086: Pushed
44e5704d49fb: Pushed
dbe97b1b7330: Pushed
90222f49bc4c: Pushed
708fd576a927: Pushed
4aeeaca5ce76: Pushed
latest: digest: sha256:f4a933fb5a431e84e3d2623bfaa776c0d973d572b6db0a0b16dc243ffc7bcfa1 size: 2392
- The pushed image now appears in the huazi project
- Push an image (into the library project on reg.huazi.com)
[root@docker-harbor docker]# docker tag timinglee/mario:latest reg.huazi.com/library/chaojimali
[root@docker-harbor docker]# docker images
reg.huazi.com/library/chaojimali latest 9a35a9e43e8c 9 years ago 198MB
# the push succeeds
[root@docker-harbor docker]# docker push reg.huazi.com/library/chaojimali
Using default tag: latest
The push refers to repository [reg.huazi.com/library/chaojimali]
5f70bf18a086: Pushed
44e5704d49fb: Pushed
dbe97b1b7330: Pushed
90222f49bc4c: Pushed
708fd576a927: Pushed
4aeeaca5ce76: Pushed
latest: digest: sha256:f4a933fb5a431e84e3d2623bfaa776c0d973d572b6db0a0b16dc243ffc7bcfa1 size: 2392
- The pushed image now appears in the library project
Notes
- When running docker tag, the Harbor registry hostname and the project name must both be correct, otherwise the push will fail.
After the harbor registry is set up, there is an administrator account named admin by default.
After deleting this chaojimali image, pull it again:
[root@docker-harbor docker]# docker rmi reg.huazi.com/library/chaojimali:latest
Untagged: reg.huazi.com/library/chaojimali:latest
Untagged: reg.huazi.com/library/chaojimali@sha256:f4a933fb5a431e84e3d2623bfaa776c0d973d572b6db0a0b16dc243ffc7bcfa1
[root@docker-harbor docker]# docker pull chaojimali
Using default tag: latest
latest: Pulling from library/chaojimali
Digest: sha256:f4a933fb5a431e84e3d2623bfaa776c0d973d572b6db0a0b16dc243ffc7bcfa1
Status: Downloaded newer image for chaojimali:latest
docker.io/library/chaojimali:latest
[root@docker-harbor docker]# docker images
chaojimali latest 9a35a9e43e8c 9 years ago 198MB
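The tag rule in the notes above, and the reason a bare `docker pull chaojimali` came back as library/chaojimali through the mirror configured earlier, both come down to how Docker splits an image reference into registry, project, repository and tag. The following added example (not Harbor's or Docker's own code; HARBOR_HOST and KNOWN_PROJECTS are assumptions taken from this page) reproduces that split and checks a tag before pushing:

```python
HARBOR_HOST = "reg.huazi.com"            # hostname set in harbor.yml above (assumption)
KNOWN_PROJECTS = {"library", "huazi"}    # projects that exist on this page's Harbor (assumption)

def parse_reference(ref):
    """Split an image reference into (registry, project, repository, tag_or_digest).
    Docker treats the first path component as a registry only when it contains '.'
    or ':' or equals 'localhost'; otherwise the registry is docker.io, and a bare
    name such as 'chaojimali' is placed in the implicit 'library' project."""
    parts = ref.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    last = parts[-1]
    if "@" in last:                       # name@sha256:... pins a digest instead of a tag
        parts[-1], tag = last.split("@", 1)
    elif ":" in last:
        parts[-1], tag = last.split(":", 1)
    else:
        tag = "latest"                    # the "Using default tag: latest" seen in the output
    if len(parts) == 1:
        parts.insert(0, "library")        # bare repository name -> implicit library project
    return registry, parts[0], "/".join(parts[1:]), tag

def check_push_target(ref, host=HARBOR_HOST, projects=KNOWN_PROJECTS):
    """Return the reasons a `docker push ref` to Harbor would fail; empty means the tag is right."""
    registry, project, repo, _ = parse_reference(ref)
    problems = []
    if registry != host:
        problems.append("registry %r is not the Harbor host %r" % (registry, host))
    if project not in projects:
        problems.append("project %r does not exist on Harbor; create it or fix the tag" % project)
    if not repo:
        problems.append("repository name is empty")
    return problems
```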
Managing harbor with docker compose
docker compose down: stops and removes the containers
[root@docker-harbor harbor]# docker compose down
WARN[0000] /root/harbor/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 12/12
✔ Container harbor-jobservice Removed 0.1s
✔ Container chartmuseum Removed 0.1s
✔ Container nginx Removed 0.2s
✔ Container registryctl Removed 10.1s
✔ Container harbor-portal Removed 0.1s
✔ Container harbor-core Removed 0.1s
✔ Container harbor-db Removed 0.1s
✔ Container registry Removed 0.1s
✔ Container redis Removed 0.2s
✔ Container harbor-log Removed 10.1s
✔ Network harbor_harbor Removed 0.1s
✔ Network harbor_harbor-chartmuseum Removed 0.1s
docker compose up -d: starts the containers; -d runs them in the background
[root@docker-harbor harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker-harbor harbor]# docker compose up -d
WARN[0000] /root/harbor/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 12/12
✔ Network harbor_harbor-chartmuseum Created 0.1s
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.3s
✔ Container harbor-db Started 1.0s
✔ Container chartmuseum Started 0.9s
✔ Container registry Started 1.1s
✔ Container registryctl Started 1.0s
✔ Container harbor-portal Started 0.9s
✔ Container redis Started 1.1s
✔ Container harbor-core Started 1.4s
✔ Container harbor-jobservice Started 1.7s
✔ Container nginx Started 1.8s
[root@docker-harbor harbor]#
[root@docker-harbor harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61e8a6e26ad5 goharbor/nginx-photon:v2.5.4 "nginx -g 'daemon of…" 19 seconds ago Up 17 seconds (health: starting) 0.0.0.0:80->8080/tcp, [::]:80->8080/tcp, 0.0.0.0:443->8443/tcp, [::]:443->8443/tcp nginx
fa10c0be1ad3 goharbor/harbor-jobservice:v2.5.4 "/harbor/entrypoint.…" 19 seconds ago Up 17 seconds (health: starting) harbor-jobservice
cbd69a01ce0d goharbor/harbor-core:v2.5.4 "/harbor/entrypoint.…" 19 seconds ago Up 18 seconds (health: starting) harbor-core
4352cec1c54b goharbor/harbor-registryctl:v2.5.4 "/home/harbor/start.…" 19 seconds ago Up 18 seconds (health: starting) registryctl
b4568f0c1d07 goharbor/chartmuseum-photon:v2.5.4 "./docker-entrypoint…" 19 seconds ago Up 18 seconds (health: starting) chartmuseum
eed6568a9ea5 goharbor/redis-photon:v2.5.4 "redis-server /etc/r…" 19 seconds ago Up 18 seconds (health: starting) redis
ff667909ae29 goharbor/registry-photon:v2.5.4 "/home/harbor/entryp…" 19 seconds ago Up 18 seconds (health: starting) registry
132db9f5db03 goharbor/harbor-db:v2.5.4 "/docker-entrypoint.…" 19 seconds ago Up 18 seconds (health: starting) harbor-db
287bc1e29cdf goharbor/harbor-portal:v2.5.4 "nginx -g 'daemon of…" 19 seconds ago Up 18 seconds (health: starting) harbor-portal
255ae63496e6 goharbor/harbor-log:v2.5.4 "/bin/sh -c /usr/loc…" 19 seconds ago Up 19 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log