Docker Basics (5) - Setting Up a Harbor Registry
Harbor is open-source software under the Apache license, written mainly in Go. It is an enterprise-class Docker Registry management project open-sourced by VMware, with role-based access control (RBAC), LDAP integration, audit logging, a web management interface, self-registration, image replication and a Chinese-language UI.
Developing and running containerized applications depends on reliable image management. Docker offers a public registry, but for security (controlling which images enter the environment, keeping internal images off the public internet) as well as efficiency, a private registry inside your own environment is also necessary.
All of Harbor's service components run as Docker containers, so the official installer brings them up with Docker Compose; Docker and Docker Compose must therefore be installed first. Harbor v2.x is built on the Docker Registry V2 API. The minimums of Docker 1.10.0 and Docker Compose 1.6.0 that are often quoted date from Harbor 1.x; the official prerequisites for Harbor 2.x are Docker Engine 17.06.0-ce or newer and Docker Compose 1.18.0 or newer.
Harbor GitHub: https://github.com/goharbor/harbor
This article uses Harbor v2.5.2 as the example and walks through installing and running it on CentOS 7.9. The steps are as follows.
1. Install Docker
See "Docker Basics (1) - Docker Architecture, Installing Docker, Docker Registry Mirrors".
2. Install Docker Compose
See "Docker Basics (4) - Docker Compose".
3. Install Harbor
1) Download the installer
$ cd ~/apps
$ wget https://github.com/goharbor/harbor/releases/download/v2.5.2/harbor-online-installer-v2.5.2.tgz
$ tar -zxf harbor-online-installer-v2.5.2.tgz
After extraction the directory ~/apps/harbor is created, with the following structure (docker-compose.yml is generated from harbor.yml by the prepare script, so it appears only after prepare or install.sh has been run):
harbor
|- common.sh
|- harbor.yml.tmpl
|- docker-compose.yml
|- install.sh
|- LICENSE
|- prepare
2) Edit harbor.yml
Set hostname to the host IP (or, preferably, the DNS name clients will use to reach the registry, since that name ends up in the TLS certificate later). The test installation in this article uses plain HTTP, so the https section is commented out. Be aware that this sends the admin credentials and all image content in the clear and forces every Docker client to list the registry under insecure-registries; use it only on an isolated lab network, and see step 5 for the HTTPS setup.
$ cd ~/apps/harbor
$ cp harbor.yml.tmpl harbor.yml
$ vim harbor.yml   # or vi harbor.yml
hostname: 192.168.0.10
...
# https related config
#https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
...
3) Install and run
$ ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.7
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.6.1
[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /home/xxx/apps/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
[+] Running 7/7
 ⠿ jobservice Pulled                      310.7s
   ⠿ 799908ee0f14 Already exists            0.0s
   ⠿ 0659cdd20fa6 Pull complete             5.3s
   ⠿ c6244b59a52b Pull complete             5.4s
   ⠿ dba965b8fb89 Pull complete             5.5s
   ⠿ 48d3b32aaf78 Pull complete            22.1s
   ⠿ d28670add125 Pull complete           306.1s
[+] Running 10/10
 ⠿ Network harbor_harbor          Created   0.0s
 ⠿ Container harbor-log           Started   0.6s
 ⠿ Container redis                Started   1.1s
 ⠿ Container registryctl          Started   1.2s
 ⠿ Container harbor-db            Started   1.5s
 ⠿ Container harbor-portal        Started   1.5s
 ⠿ Container registry             Started   1.4s
 ⠿ Container harbor-core          Started   1.8s
 ⠿ Container nginx                Started   2.5s
 ⠿ Container harbor-jobservice    Started   2.5s
✔ ----Harbor has been installed and started successfully.----
$ docker-compose -f docker-compose.yml ps   # check that the containers are running
NAME                COMMAND                  SERVICE       STATUS              PORTS
harbor-core         "/harbor/entrypoint.…"   core          running (healthy)
harbor-db           "/docker-entrypoint.…"   postgresql    running (healthy)
harbor-jobservice   "/harbor/entrypoint.…"   jobservice    running (healthy)
harbor-log          "/bin/sh -c /usr/loc…"   log           running (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       "nginx -g 'daemon of…"   portal        running (healthy)
nginx               "nginx -g 'daemon of…"   proxy         running (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp
redis               "redis-server /etc/r…"   redis         running (healthy)
registry            "/home/harbor/entryp…"   registry      running (healthy)
registryctl         "/home/harbor/start.…"   registryctl   running (healthy)
Note the PORTS column: only two ports are published on the host, nginx on 80 (the single entry point for browsers and Docker clients) and the log collector bound to 127.0.0.1:1514. The database, Redis, registry and core services are reachable only on the internal harbor_harbor network, which is how it should stay.
Once startup completes, browse to the hostname set in harbor.yml; the default port is 80. If that port is already taken, change the port under http: in harbor.yml and run ./prepare (or ./install.sh) again rather than editing docker-compose.yml directly: that file is generated from harbor.yml by prepare and is overwritten on the next run.
Here we open http://192.168.0.10 (plain http, since the https section is commented out) and get the Harbor web UI. The default administrator account is admin with password Harbor12345, which comes from harbor_admin_password in harbor.yml. That value is only applied on the first start of Harbor, so either set a strong password there before installing or change it in the UI right after the first login; leaving the well-known default on a reachable registry hands out admin rights on every project.
4) Configure LDAP authentication (optional)
LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services over an IP network.
An LDAP directory server follows the client/server model: the server holds the directory data, and a client connects, sends requests and retrieves directory data from the server, which gives a single, centrally managed directory.
To use LDAP authentication you first need an LDAP directory server, typically OpenLDAP (https://openldap.org/). The mode is then selected in the Harbor UI under Administration -> Configuration -> Authentication, where the LDAP URL, search DN and password, base DN and user filter are entered. Prefer an ldaps:// URL with certificate verification enabled, because Harbor forwards every user's bind password to the directory server. Harbor only allows the authentication mode to be switched while no user other than admin exists, so decide on LDAP before people start registering.
5) Create HTTPS certificates (optional)
To use HTTPS, create a CA and a server certificate as follows, then uncomment the https section in harbor.yml, point certificate and private_key at server.crt and server.key, and run ./prepare (or ./install.sh) again. Two details matter: the CA must have a different subject from the server certificate (otherwise verifiers treat the server certificate as self-issued and the chain check fails), and the server certificate needs a subjectAltName covering the name or IP that clients use, because Docker and other Go-based clients ignore the CN. Clients then trust the private CA by placing ca.crt at /etc/docker/certs.d/192.168.0.10/ca.crt (a directory named after the registry host, with :port appended if the port is not 443), which avoids insecure-registries altogether.
$ cd ~/apps/harbor
$ mkdir certs && cd certs
$ openssl genrsa -out ca.key 2048
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=yourdns.com CA" -days 365 -out ca.crt
$ openssl genrsa -out server.key 2048
$ openssl req -new -nodes -key server.key -subj "/CN=yourdns.com" -out server.csr
$ echo "subjectAltName = DNS:yourdns.com, IP:192.168.0.10" > extfile.cnf
$ echo "extendedKeyUsage = serverAuth" >> extfile.cnf
$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt -days 365
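As an added example, not part of the original post and not a script shipped by Harbor, the following shell script carries the certificate procedure above through end to end and adds the checks a practitioner runs before handing the files to harbor.yml: it creates the CA and the server certificate with a subjectAltName covering both the DNS name and the IP, verifies that the server certificate chains to the CA and that the SAN really contains both entries, and stages ca.crt into the /etc/docker/certs.d/<host>/ layout that lets a Docker client trust the registry without an insecure-registries entry. The hostname yourdns.com, the IP 192.168.0.10, the output directory and the DOCKER_CERTS_ROOT override (so the demo needs no root) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from Harbor itself.
# Generates a private CA + Harbor server certificate with a proper SAN,
# verifies them, and stages the CA into Docker's certs.d trust layout.
set -eu

HARBOR_HOST="${HARBOR_HOST:-yourdns.com}"      # assumed DNS name of the registry
HARBOR_IP="${HARBOR_IP:-192.168.0.10}"         # assumed IP (the one used in the post)
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"           # assumed output directory
# The real path is /etc/docker/certs.d; overridable so the demo runs unprivileged.
DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-$(mktemp -d)}"

make_harbor_certs() {                # $1=dir $2=host $3=ip
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"
    # Private CA. Its CN must differ from the server CN, otherwise verifiers
    # treat the server cert as self-issued and the chain check fails.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 365 \
        -subj "/CN=$host Private CA" -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR for Harbor's nginx front end.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    # x509v3 extensions: SAN with DNS and IP (Go clients ignore the CN),
    # serverAuth EKU, and explicitly not a CA.
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:$ip
EOF
    openssl x509 -req -sha256 -days 365 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"   # private keys stay private
}

verify_chain() {                     # 0 if $1/server.crt chains to $1/ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

san_contains() {                     # 0 if the SAN of $1/server.crt lists entry $2
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Docker trusts a registry whose CA sits in <certs.d>/<host[:port]>/ca.crt.
# Port 443 is implied, so the directory is named after the host alone.
stage_docker_ca() {                  # $1=cert dir $2=host $3=certs.d root
    mkdir -p "$3/$2"
    cp "$1/ca.crt" "$3/$2/ca.crt"
    [ -s "$3/$2/ca.crt" ]
}

make_harbor_certs "$CERT_DIR" "$HARBOR_HOST" "$HARBOR_IP"
verify_chain "$CERT_DIR"
san_contains "$CERT_DIR" "DNS:$HARBOR_HOST"
san_contains "$CERT_DIR" "IP Address:$HARBOR_IP"
stage_docker_ca "$CERT_DIR" "$HARBOR_HOST" "$DOCKER_CERTS_ROOT"
echo "certificates in $CERT_DIR; CA staged under $DOCKER_CERTS_ROOT/$HARBOR_HOST"
```

On a real host run it with DOCKER_CERTS_ROOT=/etc/docker/certs.d as root on every Docker client, then set certificate and private_key in harbor.yml to the server.crt and server.key it produced and re-run ./prepare. The two grep checks are the ones worth keeping around: a certificate that verifies but lacks the SAN entry clients connect to is the most common reason "docker login" still fails after switching to HTTPS.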
4. Using the Harbor Registry
1) Create a project
Log in to the web UI at http://192.168.0.10 as admin (password Harbor12345 unless you changed harbor_admin_password in harbor.yml, see step 3 of section 3).
Projects -> New Project -> fill in the "New Project" dialog:
Project name: testprj
Access level: Public (chosen for this test project; anyone who can reach the registry can pull from a public project without logging in, so use Private for anything beyond a lab)
Storage quota: -1 GB (unlimited)
Proxy cache: none
-> click "OK"
2) Customize an image
Using a custom nginx image as the example:
$ sudo docker pull nginx
Tag the nginx image with the registry host and project path:
$ sudo docker tag nginx 192.168.0.10/testprj/nginx:local_v1
List the images:
$ sudo docker images
REPOSITORY                   TAG        IMAGE ID       CREATED          SIZE
192.168.0.10/testprj/nginx   local_v1   2b7d6430f78d   50 seconds ago   142MB
nginx                        latest     2b7d6430f78d   5 days ago       142MB
...
3) Log in to Harbor
Log in with docker login:
$ sudo docker login 192.168.0.10
Username: admin
Password: Harbor12345
Error response from daemon: Get https://192.168.0.10/v2/: dial tcp 192.168.0.10:443: connect: connection refused
Note: the Docker client talks HTTPS to a registry by default, and nothing is listening on 443 because Harbor was configured for HTTP only. The fix used here is to add "192.168.0.10" to "insecure-registries" in /etc/docker/daemon.json, which lets the daemon fall back to plain HTTP for that host. This also disables certificate checking for that host, so outside a lab the better fix is the HTTPS setup of step 5 together with ca.crt under /etc/docker/certs.d/.
$ sudo vi /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://docker.mirrors.ustc.edu.cn/",
    "https://hub-mirror.c.163.com/",
    "https://reg-mirror.qiniu.com"
  ],
  "insecure-registries": [ "192.168.0.10" ]
}
Restart the Docker service:
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
Log in again:
$ sudo docker login 192.168.0.10
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Note: take the warning seriously: the password is written base64-encoded, not encrypted, to config.json. Configure a credential helper, and on CI or build hosts use a Harbor robot account scoped to the project rather than the admin password. If login still fails, confirm the setting took effect with sudo docker info (the Insecure Registries section should list 192.168.0.10) and that every container shows healthy in docker-compose ps; rebooting the system or re-running ./install.sh is a last resort.
4) Push the custom image to the local Harbor registry
$ sudo docker push 192.168.0.10/testprj/nginx:local_v1
The push refers to repository [192.168.0.10/testprj/nginx]
73993eeb8aa2: Pushed
2c31eef17db8: Pushed
7b9055fc8058: Pushed
04ab349b7b3b: Pushed
226117031573: Pushed
6485bed63627: Pushed
local_v1: digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc size: 1570
Open http://192.168.0.10 and the nginx image just uploaded is listed under project testprj. The digest line is the content-addressed identity of the image manifest; record it, because the tag local_v1 can later be re-pointed at a different image while the digest cannot.
5) Pull the custom image back
Delete the local copy of the custom image (only the tag is removed, since nginx:latest still references the same image ID):
$ sudo docker rmi 192.168.0.10/testprj/nginx:local_v1
Untagged: 192.168.0.10/testprj/nginx:local_v1
Untagged: 192.168.0.10/testprj/nginx@sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
$ sudo docker images
REPOSITORY   TAG      IMAGE ID       CREATED      SIZE
nginx        latest   2b7d6430f78d   5 days ago   142MB
...
Log out of the registry:
$ sudo docker logout 192.168.0.10
Removing login credentials for 192.168.0.10
Pull the image. This succeeds while logged out only because testprj was created as a public project; a private project would fail here with an authentication error:
$ sudo docker pull 192.168.0.10/testprj/nginx:local_v1
local_v1: Pulling from testprj/nginx
Digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
Status: Downloaded newer image for 192.168.0.10/testprj/nginx:local_v1
192.168.0.10/testprj/nginx:local_v1
$ sudo docker images
REPOSITORY                   TAG        IMAGE ID       CREATED      SIZE
192.168.0.10/testprj/nginx   local_v1   2b7d6430f78d   5 days ago   142MB
nginx                        latest     2b7d6430f78d   5 days ago   142MB
...
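As an added example that is not part of the original post: the push and pull steps above both print the manifest digest, and comparing the two is the cheapest check that the tag still points at what was pushed. The script below extracts the digest from docker push and docker pull output, fails if they differ, and produces the digest-pinned reference (image@sha256:...) that a deployment should use instead of a mutable tag. The sample output strings are copied from the push and pull steps of this post so the script runs without a registry; the image path is the one used above.

```shell
#!/bin/sh
# Added example, not from the original post: compare the manifest digest
# reported by `docker push` with the one reported by `docker pull`, and
# build a digest-pinned reference. Tags are mutable; digests are not.
set -eu

REGISTRY_IMAGE="192.168.0.10/testprj/nginx"   # image path from the post

# Output lines copied from the push and pull steps in this post.
PUSH_OUTPUT='The push refers to repository [192.168.0.10/testprj/nginx]
73993eeb8aa2: Pushed
local_v1: digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc size: 1570'
PULL_OUTPUT='local_v1: Pulling from testprj/nginx
Digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
Status: Downloaded newer image for 192.168.0.10/testprj/nginx:local_v1'

# Print the first sha256 manifest digest found in docker push/pull output.
extract_digest() {
    printf '%s\n' "$1" | sed -n 's/.*\(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# 0 if both outputs report the same digest, 1 if the tag was re-pointed.
digests_match() {
    [ "$(extract_digest "$1")" = "$(extract_digest "$2")" ]
}

# Reference that always resolves to the same manifest, whatever the tag says.
pinned_ref() {        # $1=image path $2=digest
    printf '%s@%s\n' "$1" "$2"
}

if digests_match "$PUSH_OUTPUT" "$PULL_OUTPUT"; then
    echo "OK: pull returned the manifest that was pushed"
    pinned_ref "$REGISTRY_IMAGE" "$(extract_digest "$PUSH_OUTPUT")"
else
    echo "MISMATCH: tag local_v1 no longer points at the pushed manifest" >&2
    exit 1
fi
```

In practice the push digest is captured in the build job and the pinned reference, not the tag, is what gets written into deployment manifests; docker pull 192.168.0.10/testprj/nginx@sha256:... then refuses anything whose content does not hash to that value, whether the tag was moved by mistake or by an attacker with push rights to the project.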