harbor私有仓库部署

介绍

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器，通过添加一些企业必需的功能特性，例如安全、标识和管理等，扩展了开源Docker Distribution。作为一个企业级私有Registry服务器，Harbor提供了更好的性能和安全。提升用户使用Registry构建和运行环境传输镜像的效率。Harbor支持安装在多个Registry节点的镜像资源复制，镜像全部保存在私有Registry中，确保数据和知识产权在公司内部网络中管控。另外，Harbor也提供了高级的安全特性，诸如用户管理，访问控制和活动审计等。

部署环境准备

服务器配置

系统	配置	ip
centos 7.4	4/8G/200G	172.21.16.90

下载所需文件

docker-compose 下载

docker compose 发布页面下载最新的 docker-compose 二进制文件

1
2
3

# wget https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64
# mv ~/docker-compose-Linux-x86_64 /usr/bin/docker-compose 
# chmod a+x  /usr/bin/docker-compose

官方的安装

1 2	# curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose # chmod +x /usr/local/bin/docker-compose

harbor 下载

harbor 安装方式有两种，一种是在线安装，一种是离线安装，这里由于网络不好，使用的是离线安装，harbor发布页面下载最新的 harbor 离线安装包

1
2
3

# wget https://storage.googleapis.com/harbor-releases/release-1.9.0/harbor-offline-installer-v1.9.0.tgz
# tar -zxvf harbor-offline-installer-v1.9.0.tgz
#

开始安装

docker 安装

# yum-config-manager   --add-repo   https://download.docker.com/linux/centos/docker-ce.repo
# sudo yum -y install docker-ce-18.09.6-3.el7.x86_64

# cat >/etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
EOF

# sysctl -p /etc/sysctl.d/k8s.conf
# systemctl  start docker

注意: 不添加/etc/sysctl.d/k8s.conf 启动docker会提示WARNING: bridge-nf-call-iptables is disabled WARNING: bridge-nf-call-ip6tables is disabled

导入 docker images

导入离线安装包中harbor相关的 docker images：

# cd harbor
# docker load -i harbor.v1.9.0.tar.gz 
# docker images
REPOSITORY                      TAG                        IMAGE ID            CREATED             SIZE
goharbor/chartmuseum-photon     v0.9.0-v1.9.0              00c12627cbd7        2 weeks ago         131MB
goharbor/harbor-migrator        v1.9.0                     75d4de5e0f16        2 weeks ago         362MB
goharbor/redis-photon           v1.9.0                     3249afaa9965        2 weeks ago         109MB
goharbor/clair-photon           v2.0.9-v1.9.0              e54ad567c58f        2 weeks ago         165MB
goharbor/notary-server-photon   v0.6.1-v1.9.0              2cdecba59f38        2 weeks ago         138MB
goharbor/notary-signer-photon   v0.6.1-v1.9.0              973378593def        2 weeks ago         135MB
goharbor/harbor-registryctl     v1.9.0                     30a01bf0f4df        2 weeks ago         99.6MB
goharbor/registry-photon        v2.7.1-patch-2819-v1.9.0   32571099a9fe        2 weeks ago         82.3MB
goharbor/nginx-photon           v1.9.0                     f933d62f9952        2 weeks ago         43.9MB
goharbor/harbor-log             v1.9.0                     28e27d511335        2 weeks ago         82.6MB
goharbor/harbor-jobservice      v1.9.0                     f3cd0b181a89        2 weeks ago         141MB
goharbor/harbor-core            v1.9.0                     f2814ed8aadd        2 weeks ago         155MB
goharbor/harbor-portal          v1.9.0                     0778d4c5d27e        2 weeks ago         51.3MB
goharbor/harbor-db              v1.9.0                     a809e14d2d49        2 weeks ago         147MB
goharbor/prepare                v1.9.0                     aa594772c1e8        2 weeks ago         147MB

修改 harbor.yml 文件

# vim harbor.yml
hostname: reg.xxlaila.cn

# email configure
email_server: smtp.exmail.qq.com
email_server_port: 465
email_username: admin@xxlaila.cn
email_password: 123
email_from: admin<admin@xxlaila.cn>
email_ssl: true

# User registration is prohibited
self_registration: off

# LDAP authentication configuration item
#ldap_url: ldaps://ldap.xxlaila.cn
#ldap_searchdn: uid=username,ou=people,dc=xxlaila,dc=com
#ldap_search_pwd: password
#ldap_basedn: ou=people,dc=xxlaila,dc=com
#ldap_filter: (objectClass=person)
#ldap_uid: uid 
#ldap_scope: 3 
#ldap_timeout: 5

注: 新版本的邮箱、ldap现在都不需要在配置文件里面来添加配置了，直接通过web界面来进行配置即可，这里我只是添加进来，保留，😁😁😁

加载和启动 harbor 镜像

# mkdir /data
# chmod 777 /var/run/docker.sock /data
# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.2

Note: docker-compose version: 1.24.1

[Step 1]: loading Harbor images ...
Loaded image: goharbor/harbor-portal:v1.9.0
Loaded image: goharbor/harbor-core:v1.9.0
Loaded image: goharbor/nginx-photon:v1.9.0
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.9.0
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.9.0
Loaded image: goharbor/harbor-migrator:v1.9.0
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.9.0
Loaded image: goharbor/prepare:v1.9.0
Loaded image: goharbor/harbor-log:v1.9.0
Loaded image: goharbor/harbor-db:v1.9.0
Loaded image: goharbor/clair-photon:v2.0.9-v1.9.0
Loaded image: goharbor/harbor-jobservice:v1.9.0
Loaded image: goharbor/harbor-registryctl:v1.9.0
Loaded image: goharbor/redis-photon:v1.9.0
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.9.0


[Step 2]: preparing environment ...
prepare base dir is set to /opt/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir



[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://reg.xxlaila.cn. 
For more details, please visit https://github.com/goharbor/harbor .

访问管理界面

确认所有组件都工作正常：

# docker-compose  ps
      Name                     Command                       State                     Ports          
------------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)                                     
harbor-db           /docker-entrypoint.sh            Up (healthy)            5432/tcp                 
harbor-jobservice   /harbor/harbor_jobservice  ...   Up (health: starting)                            
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)            127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)            8080/tcp                 
nginx               nginx -g daemon off;             Up (healthy)            0.0.0.0:80->8080/tcp     
redis               redis-server /etc/redis.conf     Up (healthy)            6379/tcp                 
registry            /entrypoint.sh /etc/regist ...   Up (healthy)            5000/tcp                 
registryctl         /harbor/start.sh                 Up (healthy)

harbor 组建介绍

harbor-core: Harbor的核心功能，主要提供以下服务：
- UI：提供图形化界面，帮助用户管理registry上的镜像（image）, 并对用户进行授权。
- webhook：为了及时获取registry 上image状态变化的情况，在Registry上配置webhook，把状态变化传递给UI模块。
- token 服务：负责根据用户权限给每个docker push/pull命令签发token. Docker 客户端向Regiøstry服务发起的请求,如果不包含token，会被重定向到这里，获得token后再重新向Registry进行请求。
harbor-db: 为core services提供数据库服务，负责储存用户权限、审计日志、Docker image分组信息等数据。
harbor-jobservice: harbor-jobservice 是harbor的job管理模块，job在harbor里面主要是为了镜像仓库之前同步使用的;
harbor-log: 为了帮助监控Harbor运行，负责收集其他组件的log，供日后进行分析。
nginx: nginx负责流量转发和安全验证，对外提供的流量都是从nginx中转，所以开放https的443端口，它将流量分发到后端的ui和正在docker镜像存储的docker registry。
redis: 存储缓存session信息
registry: 官方的Docker registry ，负责储存Docker镜像
registryctl: 负责储存Docker镜像，并处理docker push/pull 命令。由于我们要对用户进行访问控制，即不同用户对Docker image有不同的读写权限，Registry会指向一个token服务，强制用户的每次docker pull/push请求都要携带一个合法的token, Registry会通过公钥对token 进行解密验证。

在浏览器访问http://reg.xxlaila.cn，用账号 admin 和 harbor.yml 配置文件中的默认密码 Harbor12345 登陆系统

harbor 运行时产生的文件、目录

harbor 将日志打印到 /var/log/harbor 的相关目录下，传统的docker logs XXX 或 docker-compose logs XXX 看不到容器的日志。只有使用常用系统命令来进行日志的查看

# # 日志目录
# ls /var/log/harbor
core.log  jobservice.log  portal.log  postgresql.log  proxy.log  redis.log  registryctl.log  registry.log

# # 数据目录，包括数据库、镜像仓库
# ls /data/
ca_download  database  job_logs  psc  redis  registry  secret

其它操作

下列操作的工作目录均为解压离线安装文件后生成的 harbor 目录。

# # 停止 harbor
# docker-compose down -v

# # 启动 harbor
# docker-compose up -d

# # 更修改的配置更新到 docker-compose.yml 文件
# ./prepare
prepare base dir is set to /opt/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir