Harbor介绍与安装部署,并实现通过http和https协议【自签发SSL证书】访问,客户端如何通过Harbor镜像仓库实现镜像的上传【推送】与下载【拉取】。
Harbor介绍
Harbor,是一个英文单词,意思是港湾,港湾是干什么的呢,就是停放货物的,而货物呢,是装在集装箱中的,说到集装箱,就不得不提到Docker容器,因为docker容器的技术正是借鉴了集装箱的原理。所以,Harbor正是一个用于存储Docker镜像的企业级Registry服务。
Docker容器应用的开发和运行离不开可靠的镜像管理,虽然Docker官方也提供了公共的镜像仓库,但是从安全和效率等方面考虑,部署我们私有环境内的Registry也是非常必要的。Harbor是由VMware公司开源的企业级的Docker Registry管理项目,它包括权限管理(RBAC)、LDAP、日志审核、管理界面、自我注册、镜像复制和中文支持等功能。
机器规划
| 服务器名称(hostname) | 操作系统版本 | 内网IP | 外网IP(模拟) | 安装软件 |
|---|---|---|---|---|
| docker01 | CentOS7.7 | 172.16.1.31 | 10.0.0.31 | docker、Harbor |
| docker02 | CentOS7.7 | 172.16.1.32 | 10.0.0.32 | docker |
SSL证书创建
如果要使用https访问Harbor。那么请按照如下生成SSL证书。
创建根证书
## 创建CA私钥openssl genrsa -out ca.key 2048## 制作CA公钥openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=zhang/emailAddress=ca@test.com"
选项参数说明:
genrsa 生成私钥
-out filename 标准输出到filename文件
req 生成证书请求
-new 生成新证书签署请求
-x509 专用于CA生成自签证书;不自签的时候不要加该选项
-days num 证书的有效期限
-key file 生成请求时用到的私钥文件
-out filename 标准输出到filename文件
subj内容详解:
C = 国家ST = 省/州L = 城市O = Organization NameOU = Organizational Unit NameCN = Common NameemailAddress = test@email.address
证书签发
## 创建私钥openssl genrsa -out httpd.key 1024## 生成签发请求openssl req -new -key httpd.key -out httpd.csr -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=OPS/CN=zhang/emailAddress=zhang@test.com"## 使用CA证书进行签发openssl x509 -req -sha256 -in httpd.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 -out httpd.crt## 验证签发证书是否有效openssl verify -CAfile ca.crt httpd.crt
生成结果如下图:
然后将httpd.key和httpd.crt,放到/etc/harbor/cert/目录下,后面会用到。
安装docker-ce
安装脚本如下
[root@docker01 harbor]# pwd/root/harbor[root@docker01 harbor]# cat install_docker-ce.sh#!/bin/sh# 加载环境变量. etc/profile. etc/bashrc## 设置 docker yum repositoryyum install -y yum-utils device-mapper-persistent-data lvm2yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo## 安装dockeryum install -y docker-ce# yum install -y docker-ce-19.03.8## 启动docker服务,这样可以创建/etc/docker目录systemctl start docker## 配置daemon## 1、修改docker Cgroup Driver为systemd;2、日志格式设定## 如果不修改,可能会碰到如下错误## [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd".## Please follow the guide at https://kubernetes.io/docs/setup/cri/cat > etc/docker/daemon.json << EOF{"exec-opts": ["native.cgroupdriver=systemd"],"log-driver": "json-file","log-opts": {"max-size": "100m"}}EOF## 开机自启动systemctl stop docker && systemctl daemon-reload && systemctl enable docker && systemctl start docker
安装docker-compose
下载地址:
https://github.com/docker/compose
此次,我们使用的是 1.25.5 版本。
[root@docker01 harbor]# lltotal 17180-rw-r--r-- 1 root root 17586312 May 12 23:16 docker-compose-Linux-x86_64-rw-r--r-- 1 root root 958 May 12 23:00 install_docker-ce.sh[root@docker01 harbor]# chmod +x docker-compose-Linux-x86_64 # 添加执行权限[root@docker01 harbor]# mv docker-compose-Linux-x86_64 usr/local/sbin/docker-compose # 移到指定目录[root@docker01 harbor]# docker-compose version # 版本查看docker-compose version 1.25.5, build 8a1c60f6docker-py version: 4.1.0CPython version: 3.7.5OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
安装Harbor私有仓库
官网下载地址
https://github.com/goharbor/harbor
此次,我们使用的是 v1.10.1 版本。
[root@docker01 harbor]# lltotal 658284-rw-r--r-- 1 root root 674078519 May 12 17:25 harbor-offline-installer-v1.10.1.tgz-rw-r--r-- 1 root root 958 May 12 23:00 install_docker-ce.sh[root@docker01 harbor]#[root@docker01 harbor]# tar xf harbor-offline-installer-v1.10.1.tgz # 解压包[root@docker01 harbor]# cd harbor/[root@docker01 harbor]# lltotal 662120-rw-r--r-- 1 root root 3398 Feb 10 14:18 common.sh-rw-r--r-- 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz-rw-r--r-- 1 root root 5882 Feb 10 14:18 harbor.yml-rwxr-xr-x 1 root root 2284 Feb 10 14:18 install.sh-rw-r--r-- 1 root root 11347 Feb 10 14:18 LICENSE-rwxr-xr-x 1 root root 1749 Feb 10 14:18 prepare
harbor.yml配置文件修改内容【http访问】
# 这里的hostname怎么配置# 1、如果所有机器都在一个局域网,那么配置内网IP# 2、如果机器跨网络,只能通过公网访问,那么配置本机外网IP或域名hostname: 172.16.1.31# http端口改为了5000,默认80端口http:# port for http, default is 80. If https enabled, this port will redirect to https portport: 5000# 将https注释掉,不然会报 ERROR:root:Error: The protocol is https but attribute ssl_cert is not set# https related config#https:# https port for harbor, default is 443#port: 443# The path of cert and key files for nginx#certificate: your/certificate/path#private_key: your/private/key/path# admin用户的免密harbor_admin_password: Harbor12345# 数据存储路径data_volume: data
harbor.yml配置文件修改内容【https访问】
放开了https配置,证书是自签发的。
# 这里的hostname怎么配置# 1、如果所有机器都在一个局域网,那么配置内网IP# 2、如果机器跨网络,只能通过公网访问,那么配置本机外网IP或域名hostname: 172.16.1.31# http端口改为了5000,默认80端口http:# port for http, default is 80. If https enabled, this port will redirect to https portport: 5000# https related confighttps:# https port for harbor, default is 443port: 443# The path of cert and key files for nginxcertificate: etc/harbor/cert/httpd.crtprivate_key: etc/harbor/cert/httpd.key# admin用户的免密harbor_admin_password: Harbor12345# 数据存储路径data_volume: data
如果使用了https协议且端口是443,那么当使用http访问时,会自动跳转到https。
部署Harbor
修改完配置文件后,在的当前目录执行./install.sh,Harbor服务就会根据当前目录下的docker-compose.yml开始下载依赖的镜像,检测并按照顺序依次启动。
[root@docker01 harbor]# lltotal 662120drwxr-xr-x 3 root root 20 May 12 23:47 common-rw-r--r-- 1 root root 3398 Feb 10 14:18 common.sh-rw-r--r-- 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz-rw-r--r-- 1 root root 5921 May 12 23:54 harbor.ymldrwxr-xr-x 2 root root 24 May 12 23:47 input-rwxr-xr-x 1 root root 2284 Feb 10 14:18 install.sh-rw-r--r-- 1 root root 11347 Feb 10 14:18 LICENSE-rwxr-xr-x 1 root root 1749 Feb 10 14:18 prepare[root@docker01 harbor]#[root@docker01 harbor]# ./install.sh # 启动harbor
启动结果如下图
停止与启动Harbor
如果修改了Harbor的配置文件harbor.yml,因为Harbor是基于docker-compose服务编排的,我们可以使用docker-compose命令重启Harbor。
未修改配置文件,重启Harbor命令:docker-compose start | stop | restart
当然个人建议:如果修改了harbor.yml文件,那么停止使用docker-compose down,启动使用 ./install.sh 。
##### 停止Harbor[root@docker01 harbor]# docker-compose downStopping harbor-jobservice ... doneStopping nginx ... doneStopping harbor-core ... doneStopping registryctl ... doneStopping redis ... doneStopping harbor-portal ... doneStopping harbor-db ... doneStopping registry ... doneStopping harbor-log ... doneRemoving harbor-jobservice ... doneRemoving nginx ... doneRemoving harbor-core ... doneRemoving registryctl ... doneRemoving redis ... doneRemoving harbor-portal ... doneRemoving harbor-db ... doneRemoving registry ... doneRemoving harbor-log ... doneRemoving network harbor_harbor##### 启动Harbor[root@docker01 harbor]# docker-compose up -dCreating network "harbor_harbor" with the default driverCreating harbor-log ... doneCreating registryctl ... doneCreating harbor-db ... doneCreating redis ... doneCreating registry ... doneCreating harbor-portal ... doneCreating harbor-core ... doneCreating nginx ... doneCreating harbor-jobservice ... done
镜像信息和容器信息
镜像信息和容器信息如下
[root@docker01 ~]# docker imagesREPOSITORY TAG IMAGE ID CREATED SIZEgoharbor/chartmuseum-photon v0.9.0-v1.10.1 0245d66323de 3 months ago 128MBgoharbor/harbor-migrator v1.10.1 a4f99495e0b0 3 months ago 364MBgoharbor/redis-photon v1.10.1 550a58b0a311 3 months ago 111MBgoharbor/clair-adapter-photon v1.0.1-v1.10.1 2ec99537693f 3 months ago 61.6MBgoharbor/clair-photon v2.1.1-v1.10.1 622624e16994 3 months ago 171MBgoharbor/notary-server-photon v0.6.1-v1.10.1 e4ff6d1f71f9 3 months ago 143MBgoharbor/notary-signer-photon v0.6.1-v1.10.1 d3aae2fc17c6 3 months ago 140MBgoharbor/harbor-registryctl v1.10.1 ddef86de6480 3 months ago 104MBgoharbor/registry-photon v2.7.1-patch-2819-2553-v1.10.1 1a0c5f22cfa7 3 months ago 86.5MBgoharbor/nginx-photon v1.10.1 01276d086ad6 3 months ago 44MBgoharbor/harbor-log v1.10.1 1f5c9ea164bf 3 months ago 82.3MBgoharbor/harbor-jobservice v1.10.1 689368d30108 3 months ago 143MBgoharbor/harbor-core v1.10.1 14151d58ac3f 3 months ago 130MBgoharbor/harbor-portal v1.10.1 8a9856c37798 3 months ago 52.1MBgoharbor/harbor-db v1.10.1 18548720d8ad 3 months ago 148MBgoharbor/prepare v1.10.1 897a4d535ced 3 months ago 192MB[root@docker01 ~]# docker psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES6f57ce1d6a27 goharbor/nginx-photon:v1.10.1 "nginx -g 'daemon of…" 29 seconds ago Up 28 seconds (health: starting) 0.0.0.0:5000->8080/tcp nginxbd441d18ae54 goharbor/harbor-jobservice:v1.10.1 "/harbor/harbor_jobs…" 29 seconds ago Up 28 seconds (health: starting) harbor-jobservice374fad48780e goharbor/harbor-core:v1.10.1 "/harbor/harbor_core" 30 seconds ago Up 29 seconds (health: starting) harbor-core89f8f4312c24 goharbor/harbor-portal:v1.10.1 "nginx -g 'daemon of…" 31 seconds ago Up 29 seconds (health: starting) 8080/tcp harbor-portal4d0b294a38c4 goharbor/redis-photon:v1.10.1 "redis-server etc/r…" 31 seconds ago Up 29 seconds (health: starting) 6379/tcp rediscd9fafa019f5 goharbor/harbor-registryctl:v1.10.1 "/home/harbor/start.…" 31 seconds ago Up 29 seconds (health: starting) registryctla62616384f6c goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1 "/home/harbor/entryp…" 31 seconds ago Up 29 seconds (health: starting) 5000/tcp registrydc453165b1fb goharbor/harbor-db:v1.10.1 "/docker-entrypoint.…" 31 seconds ago Up 29 seconds (health: starting) 5432/tcp harbor-db8256f54e69ee goharbor/harbor-log:v1.10.1 "/bin/sh -c /usr/loc…" 31 seconds ago Up 30 seconds (healthy) 127.0.0.1:1514->10514/tcp harbor-log
浏览器访问
访问地址如下:
http 访问:http://10.0.0.31:5000/ 或则 http://172.16.1.31:5000/https访问:https://10.0.0.31/ 或者 https://172.16.1.31/
备注:
1、由于我使用的Vmware虚拟机,因此10.0.0.0/24网段【模拟外网】和172.16.1.0/24网络【内网】都可以访问。生产环境是访问内网还是外网,视具体情况而定。
2、这里的访问地址和harbor.yml中配置的hostname值无关。
登录后页面
Harbor实现Docker镜像上传与下载
新建项目
根据你的项目名新建项目,这样才能将镜像推动到harbor镜像中心。
客户端http设置
Docker 默认不允许非 HTTPS 方式推送镜像。我们可以通过 Docker 的配置选项来取消这个限制。
如果直接【上传】或【拉取】镜像会失败,因为默认为https方式。
所有客户端都需要添加这个配置,然后重启 docker 服务。
[root@docker01 ~]# vim etc/docker/daemon.json{"exec-opts": ["native.cgroupdriver=systemd"],"log-driver": "json-file","log-opts": {"max-size": "100m"},"insecure-registries": ["172.16.1.31:5000"]}[root@docker01 ~]# systemctl restart docker # 重启docker服务
添加了 “insecure-registries”: [“172.16.1.31:5000”] 这行,其中172.16.1.31为内网IP地址。该文件必须符合 json 规范,否则 Docker 将不能启动。
如果在Harbor所在的机器重启了docker服务,记得要重新启动Harbor。
客户端登录Harbor
客户端登录Harbor。
docker login 172.16.1.31:5000 -u admin -p Harbor12345
查看登录信息,这样客户端就可以直接拉取或者推送镜像了。
[root@docker01 ~]# cat ~/.docker/config.json{"auths": {"172.16.1.31:5000": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}},"HttpHeaders": {"User-Agent": "Docker-Client/19.03.8 (linux)"}}
Docker push镜像上传
[root@docker02 ~]# docker imagesREPOSITORY TAG IMAGE ID CREATED SIZE172.16.1.31:5000/zhang/nginx 1.17 ed21b7a8aee9 6 weeks ago 127MB[root@docker02 ~]# docker push 172.16.1.31:5000/zhang/nginx:1.17 # 上传镜像The push refers to repository [172.16.1.31:5000/zhang/nginx]d37eecb5b769: Pushed99134ec7f247: Pushedc3a984abe8a8: Pushed1.17: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948
说明:注意镜像名格式
Harbor页面信息
Docker pull镜像拉取
[root@docker01 ~]# docker images | grep 'zhang/nginx'[root@docker01 ~]# docker pull 172.16.1.31:5000/zhang/nginx:1.17 # 镜像拉取1.17: Pulling from zhang/nginxc499e6d256d6: Pull complete74cda408e262: Pull completeffadbd415ab7: Pull completeDigest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266Status: Downloaded newer image for 172.16.1.31:5000/zhang/nginx:1.17172.16.1.31:5000/zhang/nginx:1.17[root@docker01 ~]# docker images | grep 'zhang/nginx'172.16.1.31:5000/zhang/nginx 1.17 ed21b7a8aee9 6 weeks ago 127MB
Harbor页面信息
完毕!
———END———
如果觉得不错就关注下呗 (-^O^-) !
文章转载自OpenInfo,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
