部署Harbor 私有仓库
harbor
Harbor 是一个开源的容器镜像仓库,用于存储和管理 Docker 镜像和其他容器镜像。 * 容器镜像仓库、存储和管理 Docker 镜像和其他容器镜像 * 有什么特点:支持多种镜像格式、易于使用、安全性和访问控制
项目地址:https://gitcode.com/gh_mirrors/ha/harbor
免费下载资源
·
部署Harbor 私有仓库
1、 安装部署harbor私有仓库
Harbor 被部署为多个 Docker 容器,因此可以部署在任何支持 Docker 的 Linux 发行版 上。
服务端主机需要安装 Python、Docker 和 Docker Compose。
1.下载 Harbor 安装程序
wget http:// harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
2. 配置 Harbor 参数文件
vim /usr/local/harbor/harbor.cfg
//5 hostname = 192.168.195.128
关于 Harbor.cfg 配置文件中有两类参数:所需参数和可选参数
(1)所需参数 这些参数需要在配置文件 Harbor.cfg 中设置。
如果用户更新它们并运行 install.sh脚本重新安装 Harbour,
参数将生效。具体参数如下:
hostname:用于访问用户界面和 register 服务。它应该是目标机器的 IP 地址或完全限 定的域名(FQDN)
例如 192.168.195.128 或 hub.kgc.cn。不要使用 localhost 或 127.0.0.1 为主机名。
ui_url_protocol:(http 或 https,默认为 http)用于访问 UI 和令牌/通知服务的协议。如果公证处于启用状态,则此参数必须为 https。
max_job_workers:镜像复制作业线程。
db_password:用于db_auth 的MySQL数据库root 用户的密码。
customize_crt:该属性可设置为打开或关闭,默认打开。打开此属性时,准备脚本创建私钥和根证书,用于生成/验证注册表令牌。
当由外部来源提供密钥和根证书时,将此属性设置为 off。
ssl_cert:SSL 证书的路径,仅当协议设置为 https 时才应用。
ssl_cert_key:SSL 密钥的路径,仅当协议设置为 https 时才应用。
secretkey_path:用于在复制策略中加密或解密远程 register 密码的密钥路径。
(2)可选参数
这些参数对于更新是可选的,即用户可以将其保留为默认值,并在启动 Harbor 后在 Web UI 上进行更新。
如果进入 Harbor.cfg,只会在第一次启动 Harbor 时生效,随后对这些参数 的更新,Harbor.cfg 将被忽略。
注意:如果选择通过UI设置这些参数,请确保在启动Harbour后立即执行此操作。具体来说,必须在注册或在 Harbor 中创建任何新用户之前设置所需的
auth_mode。当系统中有用户时(除了默认的 admin 用户),auth_mode 不能被修改。具体参数如下:
Email:Harbor需要该参数才能向用户发送“密码重置”电子邮件,并且只有在需要该功能时才需要。
请注意,在默认情况下SSL连接时没有启用。如果SMTP服务器需要SSL,但不支持STARTTLS,那么应该通过设置启用SSL email_ssl = TRUE。
harbour_admin_password:管理员的初始密码,只在Harbour第一次启动时生效。之后,此设置将被忽略,并且应 UI中设置管理员的密码。
请注意,默认的用户名/密码是 admin/Harbor12345。
auth_mode:使用的认证类型,默认情况下,它是 db_auth,即凭据存储在数据库中。对于LDAP身份验证,请将其设置为 ldap_auth。
self_registration:启用/禁用用户注册功能。禁用时,新用户只能由 Admin 用户创建,只有管理员用户可以在 Harbour中创建新用户。
注意:当 auth_mode 设置为 ldap_auth 时,自注册功能将始终处于禁用状态,并且该标志被忽略。
Token_expiration:由令牌服务创建的令牌的到期时间(分钟),默认为 30 分钟。
project_creation_restriction:用于控制哪些用户有权创建项目的标志。默认情况下, 每个人都可以创建一个项目。
如果将其值设置为“adminonly”,那么只有 admin 可以创建项目。
verify_remote_cert:打开或关闭,默认打开。此标志决定了当Harbor与远程 register 实例通信时是否验证 SSL/TLS 证书。
将此属性设置为 off 将绕过 SSL/TLS 验证,这在远程实例具有自签名或不可信证书时经常使用。
另外,默认情况下,Harbour 将镜像存储在本地文件系统上。在生产环境中,可以考虑 使用其他存储后端而不是本地文件系统,
如 S3、Openstack Swif、Ceph 等。但需要更新 common/templates/registry/config.yml 文件。
3. 启动 Harbor
sh /usr/local/harbor/install.sh
4. 查看 Harbor 启动镜像
//查看镜像
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/harbor-log v1.2.2 36ef78ae27df 2 years ago 200MB
vmware/harbor-jobservice v1.2.2 e2af366cba44 2 years ago 164MB
vmware/harbor-ui v1.2.2 39efb472c253 2 years ago 178MB
vmware/harbor-adminserver v1.2.2 c75963ec543f 2 years ago 142MB
vmware/harbor-db v1.2.2 ee7b9fa37c5d 2 years ago 329MB
vmware/nginx-photon 1.11.13 6cc5c831fc7f 2 years ago 144MB
vmware/registry 2.6.2-photon 5d9100e4350e 2 years ago 173MB
vmware/postgresql 9.6.4-photon c562762cbd12 2 years ago 225MB
vmware/clair v2.0.1-photon f04966b4af6c 2 years ago 297MB
vmware/harbor-notary-db mariadb-10.1.10 64ed814665c6 2 years ago 324MB
vmware/notary-photon signer-0.5.0 b1eda7d10640 2 years ago 156MB
vmware/notary-photon server-0.5.0 6e2646682e3c 2 years ago 157MB
photon 1.0 e6e4e4a2ba1b 3 years ago 128MB
//查看容器
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aee770c69872 vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
74e21da53cdd vmware/harbor-jobservice:v1.2.2 "/harbor/harbor_jobs…" About a minute ago Up About a minute harbor-jobservice
0a37b29881e9 vmware/harbor-ui:v1.2.2 "/harbor/harbor_ui" About a minute ago Up About a minute harbor-ui
f77d9c7cf595 vmware/harbor-adminserver:v1.2.2 "/harbor/harbor_admi…" About a minute ago Up About a minute harbor-adminserver
5dad74ff8d31 vmware/harbor-db:v1.2.2 "docker-entrypoint.s…" About a minute ago Up About a minute 3306/tcp harbor-db
d09a85bb8da1 vmware/registry:2.6.2-photon "/entrypoint.sh serv…" About a minute ago Up About a minute 5000/tcp registry
041184a34344 vmware/harbor-log:v1.2.2 "/bin/sh -c 'crond &…" About a minute ago Up About a minute 127.0.0.1:1514->514/tcp harbor-log
cd /usr/local/harbor/
docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/harbor_adminserver Up
harbor-db docker-entrypoint.sh mysqld Up 3306/tcp
harbor-jobservice /harbor/harbor_jobservice Up
harbor-log /bin/sh -c crond && rm -f ... Up 127.0.0.1:1514->514/tcp
harbor-ui /harbor/harbor_ui Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp,
0.0.0.0:4443->4443/tcp,
0.0.0.0:80->80/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
- 如果一切都正常,应该可以打开浏览器访问 http://192.168.195.128 的管理页面,默认 的管理员用户名和密码是admin/Harbor12345。注:容器重启几次,如果无法访问harbor页面,使用的是http
//添加项目并且填写项目名称
此时可使用 Docker 命令在本地通过 127.0.0.1 来登录和推送镜像。默认情况下,
Register 服务器在端口 80 上侦听。
//登录
docker login -u admin -p Harbor12345 http://127.0.0.1
//下载镜像进行测试
docker pull cirros
//镜像打标签
docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1
//上传镜像到Harbor
docker push 127.0.0.1/myproject-kgc/cirros:v1
以上操作都是在 Harbor 服务器本地操作。如果其他客户端上传镜像到 Harbor,就会报
如下错误。出现这问题的原因 Docker Registry 交互默认使用的是 HTTPS,但是搭建私有镜
像默认使用的是 HTTP 服务,所以与私有镜像交互时出现以下错误。
[root@client ~]# docker login -u admin -p Harbor12345 http://192.168.195.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.195.128/v2/: EOF
//解决:
[root@client ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.195.128 --containerd=/run/containerd/containerd.sock
[root@client ~]# systemctl daemon-reload
[root@client ~]# systemctl restart docker
[root@client ~]# docker login -u admin -p Harbor12345 http://192.168.195.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@client ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
3d6427f49fe3: Pull complete
1915bfe8159b: Pull complete
d0ec9ef25b96: Pull complete
Digest: sha256:8654d33ecbcdc8fd65c80325c3ec3b1bc938dfad9f20d1a2e3cf21e521ab70e6
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
cirros latest bc94bceaae77 11 months ago 10.3MB
[root@client ~]# docker tag cirros 192.168.195.128/myproject-kgc/cirros:v2
[root@client ~]# docker push 192.168.195.128/myproject-kgc/cirros:v2
The push refers to repository [192.168.195.128/myproject-kgc/cirros]
abbd6d6ac643: Layer already exists
75b99987219d: Layer already exists
0cc237193a30: Layer already exists
v2: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
- 维护管理Harbor可以使用 docker-compose 来管理 Harbor。一些有用的命令如下所示,必须在与 docker-compose.yml相同的目录中运行。
- 修改 Harbor.cfg 配置文件要更改 Harbour 的配置文件时,请先停止现有的 Harbour 实例并更新 Harbor.cfg;然后运行 prepare 脚本来填充配置;最后重新创建并启动 Harbour 的实例。
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
vim harbor.cfg
./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
//报错:
docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
//解决:关闭防火墙后,docker需要重启
systemctl restart docker
docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-adminserver ... done
Creating registry ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
创建 Harbor 用户
//创建项目开发人员
//在客户端上操作
[root@client ~]# docker rmi 192.168.195.128/myproject-kgc/cirros:v2
Untagged: 192.168.195.128/myproject-kgc/cirros:v2
Untagged: 192.168.195.128/myproject-kgc/cirros@sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
//注销登录
[root@client ~]# docker logout 192.168.195.128
Removing login credentials for 192.168.195.128
[root@client ~]# docker login 192.168.195.128
Username: kgc-zhangsan
Password: //填写Harbor1234
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@client ~]# docker pull 192.168.195.128/myproject-kgc/cirros:v1
v1: Pulling from myproject-kgc/cirros
Digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
Status: Downloaded newer image for 192.168.195.128/myproject-kgc/cirros:v1
192.168.195.128/myproject-kgc/cirros:v1
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.195.128/myproject-kgc/cirros v1 bc94bceaae77 11 months ago 10.3MB
cirros latest bc94bceaae77 11 months ago 10.3MB
移除 Harbor 服务容器同时保留镜像数据/数据库
//在Harbor服务器上操作
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-adminserver ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing registry ... done
Removing harbor-db ... done
Removing harbor-adminserver ... done
Removing harbor-log ... done
Removing network harbor_harbor
如需重新部署,需要移除 Harbor 服务容器全部数据
持久数据,如镜像,数据库等在宿主机的/data/目录下,日志在宿主机的
/var/log/Harbor/目录下。
rm -rf /data/database/
rm -rf /data/registry/
GitHub 加速计划 / ha / harbor
23.24 K
4.68 K
下载
Harbor 是一个开源的容器镜像仓库,用于存储和管理 Docker 镜像和其他容器镜像。 * 容器镜像仓库、存储和管理 Docker 镜像和其他容器镜像 * 有什么特点:支持多种镜像格式、易于使用、安全性和访问控制
最近提交(Master分支:2 个月前 )
9e55afbb
pull image from registry.goharbor.io instead of dockerhub
Update testcase to support Docker Image Can Be Pulled With Credential
Change gitlab project name when user changed.
Update permissions count and permission count total
Change webhook_endpoint_ui
Signed-off-by: stonezdj <stone.zhang@broadcom.com>
Co-authored-by: Wang Yan <wangyan@vmware.com> 8 天前
3dbfd422
Signed-off-by: wang yan <wangyan@vmware.com> 8 天前
旨在为数千万中国开发者提供一个无缝且高效的云端环境,以支持学习、使用和贡献开源项目。
更多推荐
0
0- 0
已为社区贡献2条内容
所有评论(0)