企业级镜像仓库Harbor的安装与配置
- Harbor
- Harbor概述
- 安装Harbor
- 配置 Harbor
- 运行安装程序脚本
- 登录
- 启动与停止Harbor
- 登录Harbor仓库
- 登录异常
- 解决方案
- 登录
- 退出
- 推送拉取Harbor镜像
- 镜像命名规范
- 创建项目
- 推送镜像
- 拉取镜像
Harbor
Harbor概述
Harbor是一个开源的容器镜像仓库管理系统,具有丰富的安全和管理功能。它可以在企业环境中搭建私有仓库,并提供可信度、多租户支持、定制性等特点。
官网:https://goharbor.io/
GitHub:https://github.com/goharbor/harbor
Harbor旨在提供企业级的镜像管理解决方案,具有以下特点和功能:
安全性:
Harbor提供了一套丰富的安全性功能,包括用户身份验证和授权、镜像签名验证、访问控制、漏洞扫描等。这可以帮助你保护你的镜像免受恶意攻击和漏洞利用。
可信度:
Harbor支持对镜像进行数字签名和验证,确保其完整性和来源可信。你可以使用自定义或第三方证书来签名和验证镜像的真实性。
多租户支持:
Harbor支持多个项目和多个仓库,可以根据不同的组织、团队或项目来进行分组和管理。每个项目都可以有自己的用户权限和访问控制策略。
可定制性:
Harbor提供了灵活的配置选项和扩展机制,可以根据你的需求进行自定义设置。你可以调整存储、网络和认证等配置,以适应不同的环境和需求。
高性能:
Harbor使用了缓存和复制策略来提高镜像的访问速度和可用性。它支持多个镜像存储后端,包括本地存储、S3存储等。
用户友好的界面:
Harbor提供了直观且易于使用的Web界面,可以方便地管理镜像、项目、用户和访问权限等。
安装Harbor
下载Harbor的二进制文件进行安装,Harbor安装与配置参考:
https://goharbor.io/docs/2.9.0/install-config/
下载离线安装包
wget https://github.com/goharbor/harbor/releases/download/v2.7.3/harbor-offline-installer-v2.7.3.tgz
解压安装包
tar -zxvf harbor-offline-installer-v2.7.3.tgz
[root@master harbor]# ls
common.sh harbor.v2.7.3.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
进入Harbor目录
cd harbor
配置 Harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
# 当前节点主机名或IP
hostname: 112.74.96.150
# http端口配置
http:
port: 8080
# 这里不使用https,注释该配置
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# Harbor UI的初始密码
harbor_admin_password: Harbor12345
# The default data volume
data_volume: /usr/local/program/harbor/data
运行安装程序脚本
当配置harbor.yml完成后,可以使用install.sh脚本安装并启动 Harbor
./install.sh
安装成功,将输出如下日志:
[Step 5]: starting Harbor ...
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.1s
✔ Container registryctl Started 0.2s
✔ Container harbor-db Started 0.1s
✔ Container redis Started 0.1s
✔ Container registry Started 0.1s
✔ Container harbor-portal Started 0.2s
✔ Container harbor-core Started 0.1s
✔ Container harbor-jobservice Started 0.1s
✔ Container nginx Started 0.1s
✔ ----Harbor has been installed and started successfully.----
查看docker镜像,将出现与hardor相关的的镜像列表
[root@master harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
62343618f630 goharbor/nginx-photon:v2.7.3 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:8080->8080/tcp nginx
a39ecd6eddf1 goharbor/harbor-jobservice:v2.7.3 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
f0c1a4957d04 goharbor/harbor-core:v2.7.3 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
f64062148ccf goharbor/harbor-registryctl:v2.7.3 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
6fc3d92cc65f goharbor/harbor-db:v2.7.3 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) harbor-db
fc9917cad78e goharbor/harbor-portal:v2.7.3 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) harbor-portal
8622fab2670f goharbor/registry-photon:v2.7.3 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) registry
27e3ba43f9f8 goharbor/redis-photon:v2.7.3 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) redis
feef079dcbd4 goharbor/harbor-log:v2.7.3 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
登录
浏览器访问 http://IP:8080
使用用户名:admin、配置的密码:Harbor12345进行登录
启动与停止Harbor
停止Harbor
[root@master harbor]# docker-compose stop
[+] Running 9/9
⠿ Container harbor-jobservice Stopped 0.0s
⠿ Container nginx Stopped 0.0s
⠿ Container registryctl Stopped 10.2s
⠿ Container harbor-portal Stopped 0.3s
⠿ Container harbor-core Stopped 0.0s
⠿ Container harbor-db Stopped 0.4s
⠿ Container registry Stopped 0.2s
⠿ Container redis Stopped 0.5s
⠿ Container harbor-log Stopped 10.2s
启动Harbor
[root@master harbor]# docker-compose start
[+] Running 9/9
⠿ Container harbor-log Started 0.3s
⠿ Container redis Started 0.9s
⠿ Container registryctl Started 0.7s
⠿ Container harbor-portal Started 1.0s
⠿ Container harbor-db Started 0.8s
⠿ Container registry Started 1.0s
⠿ Container harbor-core Started 0.3s
⠿ Container nginx Started 0.5s
⠿ Container harbor-jobservice Started
登录Harbor仓库
要登录到Harbor私有仓库,执行以下命令来登录到Harbor仓库:
docker login <Harbor仓库地址>
登录异常
[root@master harbor]# docker login 112.74.96.150:8080
Username: admin
Password:
Error response from daemon: Get "https://112.74.96.150:8080/v2/": http: server gave HTTP response to HTTPS client
原因:
默认通过 HTTPS 协议与 Harbor 仓库进行通信,但是 Harbor 仓库只配置了 HTTP 服务而没有启用 HTTPS 服务。
解决方案
方案一:
查找docker.service所在目录
[root@master harbor]# find / -name docker.service -type f
/usr/lib/systemd/system/docker.service
编辑 vim /usr/lib/systemd/system/docker.service
修改这行配置:
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
使用--insecure选项来跳过https证书验证,改成如下这样:
ExecStart=/usr/bin/dockerd --insecure-registry 112.74.96.150:8080 -H fd:// --containerd=/run/containerd/containerd.sock
方案二:
修改
/etc/docker/daemon.json文件,添加配置,指定镜像仓库IP地址
{
"insecure-registries": ["112.74.96.150"]
}
登录
重新加载配置、重启docker
systemctl daemon-reload
systemctl restart docker
再次登录
注意:可能需要重启Harbor
[root@master harbor]# docker login 112.74.96.150:8080
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
退出
退出Harbor私有仓库的登录状态
docker logout <Harbor仓库地址>
[root@master ~]# docker login 112.74.96.150:8080
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
推送拉取Harbor镜像
镜像命名规范
Harbor的镜像名称,存在一定命名规范,差异之处在于:必须以项目名称作为镜像名称的一部分,具体参考如下示例说明
构建镜像
docker build -t <Harbor仓库地址>/<项目名称>/<镜像名称>:<标签> .
将镜像推送到Harbor仓库
docker push <Harbor仓库地址>/<项目名称>/<镜像名称>:<标签>
拉取Harbor镜像
docker pull <Harbor仓库地址>/<项目名称>/<镜像名称>:<标签>
创建项目
在Harbor仓库的界面或使用Harbor API来创建项目
界面创建
Harbor API创建
curl -X POST -u username:password -H "Content-Type: application/json" -d '{
"project_name": "projectname",
"public": 1,
"content_trust": "disabled"
}' https://<Harbor仓库地址>/api/projects
推送镜像
拉取一个测试镜像
[root@master ~]# docker pull testcontainers/helloworld
查看该镜像
[root@master ~]# docker images | grep hello
testcontainers/helloworld latest 6974669be52b 2 years ago 12.7MB
标记本地镜像, 将其归入Harbor仓库
注意:需要多一级,作为项目名
[root@master harbor]# docker tag testcontainers/helloworld:latest 112.74.96.150:8080/projectname/helloworld:v1
再次查看镜像
[root@master harbor]# docker images | grep hello
112.74.96.150:8080/projectname/helloworld v1 6974669be52b 2 years ago 12.7MB
testcontainers/helloworld latest 6974669be52b 2 years ago 12.7MB
将本地镜像推送到镜像仓库(需先登录镜像仓库)
[root@master harbor]# docker push 112.74.96.150:8080/projectname/helloworld:v1
The push refers to repository [112.74.96.150:8080/projectname/helloworld]
802cca11a560: Pushing [============================================> ] 6.194MB/7.019MB
80b7fe966245: Pushed
50644c29ef5a: Pushing [=============================================> ] 5.068MB/5.575MB
登录Harbor,查看新建项目projectname下,已成功推送1个镜像
拉取镜像
删除已存在镜像
[root@master harbor]# docker images | grep hello
112.74.96.150:8080/projectname/helloworld v1 6974669be52b 2 years ago 12.7MB
testcontainers/helloworld latest 6974669be52b 2 years ago 12.7MB
[root@master harbor]# docker rmi 112.74.96.150:8080/projectname/helloworld:v1
Untagged: 112.74.96.150:8080/projectname/helloworld:v1
Untagged: 112.74.96.150:8080/projectname/helloworld@sha256:4ee5a832ef6eee533df7224b80d4cceb9ab219599014f408d0b69690be94c396
[root@master harbor]# docker rmi testcontainers/helloworld:latest
Untagged: testcontainers/helloworld:latest
Untagged: testcontainers/helloworld@sha256:4ee5a832ef6eee533df7224b80d4cceb9ab219599014f408d0b69690be94c396
从Harbor拉取镜像
[root@master harbor]# docker pull 112.74.96.150:8080/projectname/helloworld:v1
v1: Pulling from projectname/helloworld
df20fa9351a1: Downloading [==========> ] 614.1kB/2.798MB
7d694ce25b07: Download complete
99f5116afda5: Downloading [================================> ]
2.389MB/3.655MB
查看拉取的镜像
[root@master harbor]# docker images | grep hell
112.74.96.150:8080/projectname/helloworld v1 6974669be52b 2 years ago 12.7MB
