5. Harbor image registry
Harbor is an open-source container image registry for storing and managing Docker images and other container images.
* Container image registry: stores and manages Docker images and other container images
* Features: support for multiple image formats, ease of use, security and access control
Project address: https://gitcode.com/gh_mirrors/ha/harbor
I. Image registries
1. Types
Public registry: Docker Hub
Private registry: enterprise deployments
2. Options for building a private registry
- registry image (the early approach)
- Harbor
  open-sourced by VMware
  provides a web UI
  log auditing
  permission assignment
  unified authentication
II. Deploying a Harbor registry (single node)
1. Install Docker (omitted)
2. Install the docker-compose tool
[root@localhost ~]# mv docker-compose /usr/local/bin/
[root@localhost ~]# chmod a+x /usr/local/bin/docker-compose
[root@localhost ~]# docker-compose version
docker-compose version 1.29.0, build 07737305
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
3. Install Harbor
[root@localhost ~]# mkdir /work
[root@localhost ~]# tar xf harbor-offline-installer-v2.2.2.tgz -C /work/
[root@localhost ~]# cp /work/harbor/harbor.yml.tmpl /work/harbor/harbor.yml
4. Generate the certificate and key Harbor needs (X.509 v3 certificate)
4.1 Create the CA
[root@localhost ~]# mkdir /opt/ssl
[root@localhost ~]# cd /opt/ssl
[root@localhost ssl]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................++
.......................................................................................................++
e is 65537 (0x10001)
[root@localhost ssl]#
[root@localhost ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor.linux.com" -key ca.key -out ca.crt
[root@localhost ssl]# ls
ca.crt ca.key
4.2 Create the certificate for the Harbor registry
[root@localhost ssl]# openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................++
......................++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -sha512 -subj "/CN=harbor.linux.com" -key server.key -out server.csr
[root@localhost ssl]# cat v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.linux.com
[root@localhost ssl]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor.linux.com
Getting CA Private Key
[root@localhost ssl]#
5. Edit the Harbor configuration file
[root@localhost ~]# vim /work/harbor/harbor.yml
hostname: harbor.linux.com
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/ssl/server.crt
  private_key: /opt/ssl/server.key
6. Start Harbor
[root@localhost harbor]# ./prepare
prepare base dir is set to /work/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@localhost harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 26.1.4
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.29.0
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating registryctl ... done
Creating redis ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
[root@localhost harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f9f9ae9ded5 goharbor/harbor-jobservice:v2.2.2 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
7c9156960ee5 goharbor/nginx-photon:v2.2.2 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
4d42f7530a21 goharbor/harbor-core:v2.2.2 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
6b20c3728d4b goharbor/harbor-db:v2.2.2 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) harbor-db
7e5d825d7161 goharbor/harbor-registryctl:v2.2.2 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
79c07047e9e3 goharbor/redis-photon:v2.2.2 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) redis
2b6f7e8ce7b0 goharbor/harbor-portal:v2.2.2 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) harbor-portal
ca7e332c47e9 goharbor/registry-photon:v2.2.2 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) registry
c2ddc9c858a5 goharbor/harbor-log:v2.2.2 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp
III. Using the Harbor registry
1. Create a project
2. Create a user and assign permissions
3. Push an image
3.1 Log in to the registry
[root@martin-host ~]# mkdir /etc/docker/certs.d/harbor.linux.com -p
[root@martin-host ~]#
[root@martin-host ~]# scp root@192.168.140.11:/opt/ssl/server.crt /etc/docker/certs.d/harbor.linux.com/
root@192.168.140.11's password:
server.crt 100% 1846 2.4MB/s 00:00
[root@martin-host ~]#
[root@martin-host ~]# ls /etc/docker/certs.d/harbor.linux.com/
server.crt
[root@martin-host ~]#
[root@martin-host ~]# docker login harbor.linux.com
Username: martin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
3.2 Tag the image
[root@martin-host ~]# docker tag websocket-server:1.0 harbor.linux.com/miaosha/websocket-server:1.0
3.3 Push the image
[root@martin-host ~]# docker push harbor.linux.com/miaosha/websocket-server:1.0
The push refers to repository [harbor.linux.com/miaosha/websocket-server]
00f2a652d376: Pushed
1b9504956550: Pushed
20f340df0413: Pushed
6c3e7df31590: Pushed
1.0: digest: sha256:9a8a24800c9eef5700585a8f461169735b14519760750c4c946857926c737a7e size: 1166
[root@martin-host ~]#
3.4 Log out of the registry
[root@martin-host ~]# docker logout harbor.linux.com
Removing login credentials for harbor.linux.com
[root@martin-host ~]#
IV. Harbor core components
- core service: provides the web UI and issues tokens; talks to the registry to fetch image metadata for display in the web UI
- registry: handles image uploads and downloads
- Log collector: collects logs
- Job service: synchronizes data between multiple Harbor registries
- Proxy: nginx reverse proxy in front of all backend components
- Database
  redis: stores the tokens generated for front-end users
  harbor-db: relational database holding the registry's data; PostgreSQL (pgSQL) by default
V. Harbor high-availability design
- Core idea
  Disable the bundled database and connect to an external one, so that data stays in sync across the Harbor instances
  192.168.140.11  Harbor registry
  192.168.140.12  Harbor registry
  192.168.140.10  backend database and storage
1. Configure NFS as Harbor's data storage directory
[root@localhost ~]# cat /etc/exports
/harbor_data 192.168.140.11(rw,no_root_squash) 192.168.140.12(rw,no_root_squash)
[root@localhost ~]#
[root@localhost ~]# systemctl enable --now nfs-server
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
[root@localhost ~]#
[root@localhost ~]#
2. Install Redis as Harbor's shared cache
[root@martin-host ~]# docker run -tid --name=harbor_redis --net=host --restart=always redis:latest
b61a5a1b15ef6c87f1ff9a37673bbf789945ace577b7aeaea069f4734a601b16
[root@martin-host ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b61a5a1b15ef redis:latest "docker-entrypoint.s…" 3 seconds ago Up 2 seconds harbor_redis
3. Install PostgreSQL as Harbor's shared database
[root@martin-host ~]# mkdir -p /pgsql/data
[root@martin-host ~]# docker run -tid --name=harbor_pgsql -e POSTGRES_PASSWORD=redhat -e PGDATA=/var/lib/postgresql/data/pgdata -v /pgsql/data:/var/lib/postgresql/data/pgdata --net=host --restart=always postgres:12.2
87474ae582f7850b75b3adb3b73dba88645c7ce9c14c68b83d34657ca2eaeca6
[root@martin-host ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
87474ae582f7 postgres:12.2 "docker-entrypoint.s…" 6 seconds ago Up 4 seconds harbor_pgsql
[root@martin-host ~]# docker exec -ti harbor_pgsql bash
root@martin-host:/#
root@martin-host:/# psql -h 127.0.0.1 -p 5432 -U postgres
psql (12.2 (Debian 12.2-2.pgdg100+1))
Type "help" for help.
postgres=# create user harbor with password 'redhat';
CREATE ROLE
postgres=# create database harbor;
CREATE DATABASE
postgres=# create database harbor_clair;
CREATE DATABASE
postgres=# create database harbor_notary_server;
CREATE DATABASE
postgres=# create database harbor_notary_signer;
CREATE DATABASE
postgres=# grant all on database harbor to harbor;
GRANT
postgres=# grant all on database harbor_clair to harbor;
GRANT
postgres=# grant all on database harbor_notary_server to harbor;
GRANT
postgres=# grant all on database harbor_notary_signer to harbor;
GRANT
postgres=# exit
Modify the pgSQL configuration file to allow remote hosts (the Harbor registries) to connect
root@martin-host:/var/lib/postgresql/data/pgdata# echo "host all all all trust" >> pg_hba.conf
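The line appended above, "host all all all trust", admits any host that can reach port 5432 to any database as any role with no password. An added pg_hba.conf audit (not from the original post) that flags such entries, with a constructed sample showing the page's line next to a replacement scoped to the two Harbor nodes:

```shell
#!/bin/sh
# Added example (not from the original post): audit pg_hba.conf "host" entries.
# Reads the file given as $1 (or stdin), prints each risky line with the
# reason, and returns the number of findings as its exit status.
audit_pg_hba() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^host(ssl|nossl)?$/ {
            # columns: type database user address [netmask] method [options]
            method = $5
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) method = $6  # separate netmask column
            reason = ""
            if (method == "trust") reason = "no authentication (trust)"
            if ($4 == "all" || $4 == "0.0.0.0/0" || $4 == "::/0")
                reason = reason (reason != "" ? "; " : "") "open to any address"
            if (reason != "" && $2 == "all" && $3 == "all")
                reason = reason "; any database as any role"
            if (reason != "") { printf "%d: %s  <- %s\n", NR, $0, reason; n++ }
        }
        END { exit n }
    ' "$@"
}

# Constructed sample: the page's line, then a replacement that only admits the
# role harbor from the two Harbor nodes with password authentication (md5 as
# created on the page; scram-sha-256 if password_encryption is set to it).
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER    ADDRESS            METHOD
local   all       all                        peer
host    all       all     all                trust
host    all       harbor  192.168.140.11/32  md5
host    all       harbor  192.168.140.12/32  md5
EOF
}

sample_pg_hba | audit_pg_hba
```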
4. Mount the NFS share on both Harbor registries as the persistent volume
[root@localhost harbor]# tail -n 1 /etc/fstab
192.168.140.13:/harbor_data /data nfs defaults 0 0
[root@localhost harbor]# mount -a
[root@localhost harbor]# df -hT | grep nfs
192.168.140.13:/harbor_data nfs4 20G 33M 20G 1% /data
5. Edit the Harbor configuration file: disable the bundled database and connect to the external one
# Harbor DB configuration
# database:
#   # The password for the root user of Harbor DB. Change this before any production use.
#   password: root123
#   # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
#   max_idle_conns: 50
#   # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
#   # Note: the default number of connections is 1024 for postgres of harbor.
#   max_open_conns: 1000
# Configure Harbor to connect to the external pgsql
external_database:
  harbor:
    host: 192.168.140.10
    port: 5432
    db_name: harbor
    username: harbor
    password: redhat
    ssl_mode: disable
    max_idle_conns: 2
    max_open_conns: 0
  notary_signer:
    host: 192.168.140.10
    port: 5432
    db_name: harbor_notary_signer
    username: harbor
    password: redhat
    ssl_mode: disable
  notary_server:
    host: 192.168.140.10
    port: 5432
    db_name: harbor_notary_server
    username: harbor
    password: redhat
    ssl_mode: disable
# Configure Harbor to connect to the external Redis
external_redis:
  # # support redis, redis+sentinel
  # # host for redis: <host_redis>:<port_redis>
  # # host for redis+sentinel:
  # #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
  host: 192.168.140.10:6379
  # password:
  # # sentinel_master_set must be set to support redis+sentinel
  # #sentinel_master_set:
  # # db_index 0 is for core, it's unchangeable
  registry_db_index: 1
  jobservice_db_index: 2
  chartmuseum_db_index: 3
  trivy_db_index: 5
  idle_timeout_seconds: 30
6. Start Harbor
[root@harbor_01 harbor]# ./prepare
[root@harbor_01 harbor]# ./install.sh
// Note the number of containers Harbor started: the bundled redis and harbor-db containers are absent
[root@localhost harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
814ac469d518 goharbor/nginx-photon:v2.2.2 "nginx -g 'daemon of…" 32 seconds ago Up 31 seconds (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
ad3918f2fefc goharbor/harbor-jobservice:v2.2.2 "/harbor/entrypoint.…" 32 seconds ago Up 31 seconds (healthy) harbor-jobservice
91312576c578 goharbor/harbor-core:v2.2.2 "/harbor/entrypoint.…" 32 seconds ago Up 31 seconds (healthy) harbor-core
782d76121ad3 goharbor/registry-photon:v2.2.2 "/home/harbor/entryp…" 33 seconds ago Up 32 seconds (healthy) registry
11e5acde4206 goharbor/harbor-portal:v2.2.2 "nginx -g 'daemon of…" 33 seconds ago Up 32 seconds (healthy) harbor-portal
02eb98775c46 goharbor/harbor-registryctl:v2.2.2 "/home/harbor/start.…" 33 seconds ago Up 32 seconds (healthy) registryctl
e61628856f6f goharbor/harbor-log:v2.2.2 "/bin/sh -c /usr/loc…" 33 seconds ago Up 32 seconds (healthy) 127.0.0.1:1514->10514/tcp
Configure the other Harbor registry the same way as above
7. Verify that both Harbor registries are reachable
8. Configure HAProxy as a load balancer for the Harbor registries
[root@martin-host ~]# cat /opt/work/haproxy.cfg
frontend harbor
    bind 0.0.0.0:9443
    mode tcp
    use_backend harbor_server
backend harbor_server
    mode tcp
    balance roundrobin
    server harbor01 192.168.140.11:443
    server harbor02 192.168.140.12:443
[root@martin-host ~]#
[root@martin-host ~]#
[root@martin-host ~]# docker run -tid --name=harbor_haproxy -p 443:9443 -v /opt/work/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg --restart=always haproxy:latest
f1e660162065993f5de24ac24ad9357418cde58de11bcbe06e8d07402d39d1fe
[root@martin-host ~]#
[root@martin-host ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f1e660162065 haproxy:latest "docker-entrypoint.s…" 4 seconds ago Up 3 seconds 0.0.0.0:443->9443/tcp, :::443->9443/tcp harbor_haproxy
// Client test: access the registry through HAProxy