Creating a private Docker registry with Harbor

0. Environment preparation

Hardware

Resource   Minimum   Recommended
CPU        2 CPUs    4 CPUs
Memory     4 GB      8 GB
Disk       40 GB     160 GB

Software

1. Your own server (CentOS 7.4 or later)

2. Docker version: docker 17.06.0-ce+

3. Docker-compose: 1.18.0+

4. Harbor: 2.0.0

Download the installation package

https://github.com/goharbor/harbor/releases

Check the releases, pick a version and choose the offline installer; a download manager such as Xunlei (Thunder) can be used to speed up the download.

# extract the offline installer
tar -zxf harbor-offline-installer-v2.0.0.tgz

Install docker-compose

# install pip:
yum install -y python-pip
# install docker-compose:
pip install docker-compose

1. Configure Harbor

Harbor's template configuration file

The template is harbor.yml.tmpl; copy it to harbor.yml.

Configure HTTPS

Harbor works over HTTP by default, but that only covers access to the web UI; when pushing and pulling images Harbor uses HTTPS by default, so HTTPS needs to be configured.

1.1 Required files:

  • harbor.tuling.com.crt: the server certificate
  • harbor.tuling.com.key: the server's private key
  • ca.crt: the CA certificate, which the client installs so that it trusts the server certificate

1.2 Generate the CA key and self-signed certificate:

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

The prompts here can be answered with anything.

1.3 Generate the certificate signing request

If you will access Harbor by domain name, set the Common Name to that domain name.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.tuling.com.key -out harbor.tuling.com.csr

1.4 Generate the server certificate

openssl x509 -req -days 365 -in harbor.tuling.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.tuling.com.crt
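Steps 1.2 to 1.4 as one non-interactive script, added here as an example (these are not the original post's commands): it answers the prompts with -subj, adds a subjectAltName to the server certificate, which current Docker clients require in addition to the Common Name, and verifies the chain against the CA before anything is copied to /data/harbor. It assumes openssl is installed; the output directory and hostname are arguments, and gen_harbor_certs and has_san are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA, CSR and CA-signed
# server certificate for Harbor in one go, with a SAN that matches the hostname.
set -e

gen_harbor_certs() {
  dir="$1"   # output directory, e.g. /data/harbor
  host="$2"  # hostname clients will use, e.g. harbor.tuling.com
  mkdir -p "$dir"
  # 1.2: CA private key and self-signed CA certificate (-subj replaces the prompts)
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/ca.key" \
    -x509 -days 365 -subj "/CN=Harbor Private CA" -out "$dir/ca.crt" 2>/dev/null
  # 1.3: server key and CSR; the CN is the hostname, as the post says
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/$host.key" \
    -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
  # extension file: the same hostname as a SAN, plus the server-auth usage
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/v3.ext"
  # 1.4: sign the CSR with the CA, attaching the extensions from the file
  openssl x509 -req -days 365 -in "$dir/$host.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/v3.ext" \
    -out "$dir/$host.crt" 2>/dev/null
  # check the chain the way a client with ca.crt installed would
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null
}

# returns 0 when the certificate in $1 carries hostname $2 in its SAN
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Run it as `gen_harbor_certs /data/harbor harbor.tuling.com`; the ca.crt it writes is the file copied to the Docker client in step 4.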

1.5 Install the certificate

Copy the files the server needs into one directory; I put them in /data/harbor.

1.6 Modify the configuration file harbor.cfg

## Configuration file of Harbor
# hostname sets the access address; it can be an IP or a domain name, but not 127.0.0.1 or localhost
# set this to your own server's IP address
hostname = 192.168.1.12
# access protocol; the default is http, https can also be set, and if https is set nginx ssl must be on
ui_url_protocol = http
# default password of the MySQL root user is root123; change it for real use
db_password = root123
#Maximum number of job workers in job service
max_job_workers = 3
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/harbor/harbor.tuling.com.crt
ssl_cert_key = /data/harbor/harbor.tuling.com.key
#The path of secretkey storage
secretkey_path = /data
#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA
#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui
#************************BEGIN INITIAL PROPERTIES************************
#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
# password for the administrator's UI login after Harbor starts; the default is Harbor12345
harbor_admin_password = Harbor12345
# authentication mode; several are supported, such as LDAP, local storage and database authentication. The default is db_auth, MySQL database authentication
auth_mode = db_auth
#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3
#Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5
# whether to enable self-registration
self_registration = on
# token validity period; the default is 30 minutes
token_expiration = 30
# controls who may create projects; the default is everyone, it can also be set to adminonly (administrators only)
project_creation_restriction = everyone
#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on
#*
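The settings above are in the key = value form of the older harbor.cfg, while this install copies harbor.yml.tmpl to harbor.yml (Harbor 2.0). As an added example, not from the original post, here is the same hostname, HTTPS and password configuration expressed with the keys the 2.0 template uses, to be merged into the copied harbor.yml; the hostname is the domain the certificate was issued for rather than an IP, and the certificate paths and passwords are the page's values.

```yaml
# harbor.yml fragment (Harbor 2.0 format); added example, keys follow harbor.yml.tmpl
# hostname must match the certificate's CN/SAN, so use the domain, not an IP
hostname: harbor.tuling.com

# port 80 stays open; with the https section set, nginx redirects it to 443
http:
  port: 80

# the certificate and key copied to /data/harbor in step 1.5
https:
  port: 443
  certificate: /data/harbor/harbor.tuling.com.crt
  private_key: /data/harbor/harbor.tuling.com.key

# initial admin password; only applied on the first start, change it afterwards
harbor_admin_password: Harbor12345

database:
  # the page's value; change it before the host is reachable by others
  password: root123

# where Harbor keeps its volumes (registry storage, database files)
data_volume: /data

jobservice:
  max_job_workers: 3
```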

Once configuration is done, start the installation. The Harbor services are brought up according to the docker-compose.yml in the current directory: the dependent images are downloaded, checked, and each service is started in order.

./install.sh

1.7 Check that everything is running

[root@tuling harbor]# docker-compose ps
      Name                     Command                       State                              Ports                   
------------------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up (health: starting)                                              
harbor-db           /docker-entrypoint.sh            Up (health: starting)   5432/tcp                                   
harbor-jobservice   /harbor/entrypoint.sh            Up (health: starting)                                              
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (health: starting)   127.0.0.1:1514->10514/tcp                  
harbor-portal       nginx -g daemon off;             Up (health: starting)   8080/tcp                                   
nginx               nginx -g daemon off;             Up (health: starting)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               redis-server /etc/redis.conf     Up (health: starting)   6379/tcp                                   
registry            /home/harbor/entrypoint.sh       Up (health: starting)   5000/tcp                                   
registryctl         /home/harbor/start.sh            Up (health: starting)

2. Overview of the system modules

  • Projects: create/delete projects, view image repositories, add members to a project, view operation logs, replicate projects, etc.
  • Logs: create, push, pull and other operation logs for each image in the registry
  • System administration
      • User management: create/delete users, set administrators, etc.
      • Replication management: create/delete replication targets, create/delete/start/stop replication rules, etc.
      • Configuration management: authentication mode, replication, email settings, system settings, etc.

  • Other settings
      • User settings: change username, email and display name
      • Change password: change the user's password

Note: a user who is not a system administrator only sees the projects and logs they have permission for; the other modules are not visible.

Let's try pushing an image from our local Docker into Harbor's library project (by default the library project is public: everyone has read permission and can pull its images without even running docker login).

3. Accessing Harbor

Add the hosts entry, then open a browser and access it over HTTPS.

The default account is admin with password Harbor12345.

4. Docker login

First add the hosts entry, then create a directory under /etc/docker/certs.d named after the configured hostname, and put the CA certificate (ca.crt) into that directory.

mkdir -p /etc/docker/certs.d/harbor.tuling.com
cp ca.crt /etc/docker/certs.d/harbor.tuling.com

Modify the Docker daemon configuration (/etc/docker/daemon.json):

{
  "insecure-registries": ["harbor.tuling.com"]
}

After adding it, restart Docker (restart, not start, so a running daemon picks up the change):

systemctl daemon-reload && systemctl enable docker && systemctl restart docker

Log in to Harbor

[root@node4 system]# docker login harbor.tuling.com
Username: admin
Password: 
Login Succeeded

Retag the image and push it

docker tag hello-world harbor.tuling.com/library/hello-world
[root@tuling harbor]# docker push harbor.tuling.com/library/hello-world
The push refers to repository [harbor.tuling.com/library/hello-world]
af0b15c8625b: Layer already exists 
latest: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524

Harbor extensions

  • Integrate Clair for vulnerability scanning
--with-clair
  • Helm chart repository
--with-chartmuseum
