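Building a private image registry with Harbor
What is Harbor:
Harbor is an enterprise-class Docker Registry project open-sourced by VMware. Its goal is to help users quickly set up an enterprise-grade Docker registry service.
It builds on the open-source registry from Docker, Inc. and adds features that enterprise users need: a management UI, role-based access control (RBAC), AD/LDAP integration and audit logging. By adding these enterprise essentials around security, identity and management, it extends the open-source Docker Distribution.
As an enterprise-grade private Registry server, Harbor offers better performance and security, and makes transferring images between build and runtime environments more efficient.
Harbor supports replicating image resources across multiple Registry nodes. Images are kept entirely in the private Registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Harbor is an open-source enterprise-grade Docker Registry developed by VMware's China R&D team. It not only fills the feature gaps we hit when using Docker Registry directly, it also addresses the operational pain points of running Docker Registry in production: high availability, direct replication between registries, and registry performance.
Why use Harbor:
Developing and running Docker container applications depends on reliable image management. Docker Hub does provide a public image registry, but for security and efficiency reasons it is well worth deploying a Registry inside our own private environment.
Setup procedure
Environment
OS: Centos7.5
Docker: 1.13.1 (installed directly with yum install docker)
IP address: 192.168.71.106
1. Install docker-compose
# Method 1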
[root@localhost ~]# curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose
[root@localhost ~]# docker-compose version # show the version
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
-------------------------divider---------------------------------
Method 2:
[root@localhost ~]# yum install epel-release -y
[root@localhost ~]# yum install python-pip -y
[root@localhost ~]# pip install -U -i https://pypi.tuna.tsinghua.edu.cn/simple docker-compose
[root@localhost ~]# docker-compose version
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
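2. Install the Harbor private registry
Harbor releases on GitHub: https://github.com/goharbor/harbor/releases
Here I install the latest package at the time of writing, 1.6.0. There is an online installer and an offline installer; I use the offline installer.
Download the installer first: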
[root@localhost ~]# wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-offline-installer-v1.6.0.tgz
This version can also be downloaded from my Baidu Cloud drive: https://pan.baidu.com/s/1kVQR4m_sO9LBzdOqPYGKUw extraction code: ghbz
Unpack the installer:
[root@localhost ~]# tar -zxf harbor-offline-installer-v1.6.0.tgz
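Edit the configuration file:
# After unpacking, the directory contains harbor.cfg, which is Harbor's configuration file
[root@localhost ~]# cd harbor # enter the unpacked directory
[root@localhost harbor]# vim harbor.cfg # change the following settings
# hostname sets the access address; it can be an IP or a domain name, but must not be 127.0.0.1 or localhost
hostname = 192.168.71.106
# Access protocol; the default is http, https is also possible, and if https is set then nginx ssl must be turned on
ui_url_protocol = http
# Password for the administrator UI login after Harbor starts; the default is Harbor12345
harbor_admin_password = Harbor12345
Save the file after editing.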
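As an added example (not part of the original post and not Harbor's own tooling), the script below checks the three harbor.cfg keys edited above before install.sh is run. The helper names cfg_get and audit_harbor_cfg are hypothetical, and the sample file is constructed to mirror the values used in this post.

```bash
#!/usr/bin/env bash
# Added example: audit the harbor.cfg keys this post edits.
# cfg_get and audit_harbor_cfg are hypothetical helper names; the sample
# file at the bottom is constructed and mirrors the values used in the post.

# cfg_get FILE KEY -> value of the last uncommented "KEY = value" line
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_harbor_cfg FILE -> one finding per line; returns 1 if any were found
audit_harbor_cfg() {
    _host=$(cfg_get "$1" hostname)
    _proto=$(cfg_get "$1" ui_url_protocol)
    _pass=$(cfg_get "$1" harbor_admin_password)
    _bad=0

    case "$_host" in
        ""|localhost|127.0.0.1)
            echo "hostname='$_host': remote Docker clients cannot reach this address"
            _bad=1 ;;
    esac
    if [ "$_proto" != "https" ]; then
        echo "ui_url_protocol='$_proto': logins and image layers travel unencrypted"
        _bad=1
    fi
    if [ "$_pass" = "Harbor12345" ] || [ -z "$_pass" ]; then
        echo "harbor_admin_password: empty or still the documented default"
        _bad=1
    fi
    return "$_bad"
}

# Constructed sample: the settings as written in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# hostname must not be 127.0.0.1 or localhost
hostname = 192.168.71.106
ui_url_protocol = http
harbor_admin_password = Harbor12345
EOF
audit_harbor_cfg "$sample" || echo "harbor.cfg needs attention before install.sh is run"
rm -f "$sample"
```

harbor_admin_password is only read on Harbor's first start; on an instance that is already running, change the admin password in the UI instead.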
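Start Harbor:
# After editing the configuration file, run ./install.sh in the current directory; Harbor then uses the docker-compose.yml in the current directory to download the images it depends on, check them, and start them in order
# Docker must be running when you run the install command; if it is not, start it with systemctl start docker.service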
[root@localhost harbor]# systemctl start docker.service
[root@localhost harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 1.13.1
Note: docker-compose version: 1.18.0
[Step 1]: loading Harbor images ...
dba693fc2701: Loading layer [==================================================>] 133.4 MB/133.4 MB
878010bacb23: Loading layer [==================================================>] 79.93 MB/79.93 MB
c4c61a50ede7: Loading layer [==================================================>] 3.584 kB/3.584 kB
1e49a723e40e: Loading layer [==================================================>] 3.072 kB/3.072 kB
fb6337483ced: Loading layer [==================================================>] 4.096 kB/4.096 kB
60f38216c4ce: Loading layer [==================================================>] 3.584 kB/3.584 kB
e3b0d280f39a: Loading layer [==================================================>] 9.728 kB/9.728 kB
Loaded image: goharbor/harbor-log:v1.6.0
3bf85c5983f2: Loading layer [==================================================>] 102.5 MB/102.5 MB
50aa89ad4e44: Loading layer [==================================================>] 6.656 kB/6.656 kB
b80f7e1741b5: Loading layer [==================================================>] 2.048 kB/2.048 kB
17bf2c1b99af: Loading layer [==================================================>] 7.68 kB/7.68 kB
c0db790e7c15: Loading layer [==================================================>] 2.56 kB/2.56 kB
f0f47321deb7: Loading layer [==================================================>] 2.56 kB/2.56 kB
75bb6c1ade7d: Loading layer [==================================================>] 2.56 kB/2.56 kB
Loaded image: goharbor/harbor-db:v1.6.0
7f04776a10d0: Loading layer [==================================================>] 11.97 MB/11.97 MB
Loaded image: goharbor/nginx-photon:v1.6.0
50d77e6a2857: Loading layer [==================================================>] 30.09 MB/30.09 MB
b90b584311f9: Loading layer [==================================================>] 12.16 MB/12.16 MB
1f52c884d120: Loading layer [==================================================>] 17.3 MB/17.3 MB
01157b9272f6: Loading layer [==================================================>] 11.26 kB/11.26 kB
c6ec89b9bee4: Loading layer [==================================================>] 3.072 kB/3.072 kB
a29fba8582ce: Loading layer [==================================================>] 29.46 MB/29.46 MB
Loaded image: goharbor/notary-server-photon:v0.5.1-v1.6.0
727598f48308: Loading layer [==================================================>] 165.3 MB/165.3 MB
dffcad4de2eb: Loading layer [==================================================>] 35.08 MB/35.08 MB
77b580f5f751: Loading layer [==================================================>] 2.56 kB/2.56 kB
64371d7db503: Loading layer [==================================================>] 35.08 MB/35.08 MB
Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.6.0
63c58fe8b7d8: Loading layer [==================================================>] 30.09 MB/30.09 MB
30bbfcbfec01: Loading layer [==================================================>] 26.88 MB/26.88 MB
0b2d02667ef8: Loading layer [==================================================>] 7.168 kB/7.168 kB
8d48f9a01718: Loading layer [==================================================>] 11.32 MB/11.32 MB
8e8ed61008d2: Loading layer [==================================================>] 26.87 MB/26.87 MB
Loaded image: goharbor/harbor-ui:v1.6.0
0f1e675ac92b: Loading layer [==================================================>] 30.09 MB/30.09 MB
c3d13e40dd6d: Loading layer [==================================================>] 21.15 MB/21.15 MB
ff52503cf64a: Loading layer [==================================================>] 21.15 MB/21.15 MB
Loaded image: goharbor/harbor-jobservice:v1.6.0
ca4735f7190a: Loading layer [==================================================>] 89.35 MB/89.35 MB
8bfe0f27a61a: Loading layer [==================================================>] 3.072 kB/3.072 kB
2fd2be246be1: Loading layer [==================================================>] 59.9 kB/59.9 kB
df931b8c35e0: Loading layer [==================================================>] 61.95 kB/61.95 kB
Loaded image: goharbor/redis-photon:v1.6.0
f7645fe0fbdf: Loading layer [==================================================>] 30.09 MB/30.09 MB
0dacd673d56f: Loading layer [==================================================>] 3.072 kB/3.072 kB
55da82f7d86c: Loading layer [==================================================>] 3.072 kB/3.072 kB
ae06c6ce3115: Loading layer [==================================================>] 2.048 kB/2.048 kB
9eea4f49263d: Loading layer [==================================================>] 22.8 MB/22.8 MB
e4cf200de771: Loading layer [==================================================>] 22.8 MB/22.8 MB
Loaded image: goharbor/registry-photon:v2.6.2-v1.6.0
8ca653623d2c: Loading layer [==================================================>] 10.95 MB/10.95 MB
2a38dcf15b1b: Loading layer [==================================================>] 17.3 MB/17.3 MB
adbe466a7b00: Loading layer [==================================================>] 11.26 kB/11.26 kB
277728fbd7a8: Loading layer [==================================================>] 3.072 kB/3.072 kB
ab7fedbe0009: Loading layer [==================================================>] 28.24 MB/28.24 MB
Loaded image: goharbor/notary-signer-photon:v0.5.1-v1.6.0
2ab359b90dfc: Loading layer [==================================================>] 165.3 MB/165.3 MB
cd62df6bfb75: Loading layer [==================================================>] 10.93 MB/10.93 MB
9631a256e10e: Loading layer [==================================================>] 2.048 kB/2.048 kB
2966d898e8ec: Loading layer [==================================================>] 48.13 kB/48.13 kB
adc1ea318ad2: Loading layer [==================================================>] 10.97 MB/10.97 MB
Loaded image: goharbor/clair-photon:v2.0.5-v1.6.0
d83c4f0ecdd6: Loading layer [==================================================>] 688.4 MB/688.4 MB
7e40246ee012: Loading layer [==================================================>] 7.68 kB/7.68 kB
dee9a998188b: Loading layer [==================================================>] 197.6 kB/197.6 kB
Loaded image: goharbor/harbor-migrator:v1.6.0
f67995faa82a: Loading layer [==================================================>] 30.09 MB/30.09 MB
a036802e8983: Loading layer [==================================================>] 15.58 MB/15.58 MB
7409e661529d: Loading layer [==================================================>] 15.36 kB/15.36 kB
cc39fb196651: Loading layer [==================================================>] 15.58 MB/15.58 MB
Loaded image: goharbor/harbor-adminserver:v1.6.0
[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
Creating harbor-log ... done
[Step 3]: checking existing instance of Harbor ...
Creating registry ... done
Creating harbor-ui ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating harbor-db ...
Creating registry ...
Creating redis ...
Creating harbor-adminserver ...
Creating harbor-ui ...
Creating harbor-jobservice ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://192.168.71.106.
For more details, please visit https://github.com/goharbor/harbor .
Images Harbor depends on:
[root@localhost harbor]# docker images
REPOSITORY                      TAG             IMAGE ID       CREATED        SIZE
goharbor/chartmuseum-photon     v0.7.1-v1.6.0   99bfb7b3aa9c   5 weeks ago    357 MB
goharbor/harbor-migrator        v1.6.0          23ed5c5918a0   5 weeks ago    803 MB
goharbor/redis-photon           v1.6.0          745667dc5aa8   5 weeks ago    214 MB
goharbor/clair-photon           v2.0.5-v1.6.0   01cb5fff1728   5 weeks ago    308 MB
goharbor/notary-server-photon   v0.5.1-v1.6.0   11dfd338b15c   5 weeks ago    215 MB
goharbor/notary-signer-photon   v0.5.1-v1.6.0   08436cc747a3   5 weeks ago    212 MB
goharbor/registry-photon        v2.6.2-v1.6.0   1ec7d8d4f0fd   5 weeks ago    201 MB
goharbor/nginx-photon           v1.6.0          81df0f8a78c0   5 weeks ago    138 MB
goharbor/harbor-log             v1.6.0          0f474b9d4565   5 weeks ago    203 MB
goharbor/harbor-jobservice      v1.6.0          4e6a3afe6802   5 weeks ago    198 MB
goharbor/harbor-ui              v1.6.0          9cf3894e769e   5 weeks ago    221 MB
goharbor/harbor-adminserver     v1.6.0          14d9ee1bbda3   5 weeks ago    187 MB
goharbor/harbor-db              v1.6.0          5c39f18ce348   5 weeks ago    225 MB
docker.io/nginx                 latest          c82521676580   2 months ago   109 MB
Services started by Harbor:
[root@localhost harbor]# docker-compose ps
Name                 Command                          State   Ports
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up
harbor-db            /entrypoint.sh postgres          Up      5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up      6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up      5000/tcp
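Once everything has started successfully, open http://192.168.71.106/harbor/sign-in; the page looks like this:
Log in with admin/Harbor12345 (the password is the one set in the configuration file); after a successful login you land on the management interface:
The interface shows a number of functional modules:
- Projects: add/delete projects, browse image repositories, add members to a project, view operation logs, replicate projects, etc.
- Logs: operation logs for create, push, pull and other actions on each image in the registry
- System management
  - User management: add/delete users, set administrators, etc.
  - Registry management: add/modify targets, etc.
  - Replication management: add/delete replica targets, create/delete/start/stop replication rules, etc.
  - Configuration management: authentication mode, replication, email settings, system settings, etc.
Note: users who are not system administrators only see the projects and logs they have permission for; the other modules are hidden.
At this point Harbor is installed, and we can log in with docker login. Here I switch to another server (Centos) and log in remotely: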
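{18-10-13 19:16}localhost:~ root# docker login 192.168.71.106
Username: admin
Password:
Error response from daemon: Get https://192.168.71.106/v1/users/: dial tcp 192.168.71.106:443: getsockopt: connection refused
The request above went over https, because since Docker 1.3.2 the Docker client talks to a registry over https by default, whereas we configured Harbor to use http. To resolve this, configure Docker's daemon.json:
# The list can hold several IP addresses; each is the address of a Harbor registry we set up, with the port appended if there is one
# Note: the > redirection replaces any existing /etc/docker/daemon.json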
{18-10-13 19:12}localhost:~ root# echo '{ "insecure-registries":["192.168.71.106"] }' > /etc/docker/daemon.json
{18-10-13 19:15}localhost:~ root# systemctl daemon-reload
{18-10-13 19:15}localhost:~ root# systemctl restart docker.service
# After the steps above, log in again; this time it succeeds
{18-10-13 19:20}localhost:~ root# docker login 192.168.71.106
Username: admin
Password:
Login Succeeded
Push a local image to the Harbor registry
# First pull the nginx image from Docker Hub
{18-10-13 19:28}localhost:~ root# docker pull nginx
# Tag the image
{18-10-13 19:32}localhost:~ root# docker tag docker.io/nginx 192.168.71.106/library/nginx:latest
{18-10-13 19:33}localhost:~ root# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.71.106/library/nginx latest be1f31be9a87 11 days ago 109 MB
docker.io/nginx latest be1f31be9a87 11 days ago 109 MB
# Push the image
{18-10-13 19:35}localhost:~ root# docker push 192.168.71.106/library/nginx
The push refers to a repository [192.168.71.106/library/nginx]
92b86b4e7957: Pushed
94ad191a291b: Pushed
8b15606a9e3e: Pushed
latest: digest: sha256:204a9a8e65061b10b92ad361dd6f406248404fe60efd5d6a8f2595f18bb37aad size: 948
Once the push succeeds, if the project is public, the image can be pulled directly with the following command:
{18-10-13 19:52}localhost:~ root# docker pull 192.168.71.106/library/nginx
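If the project is private, anyone who is not a member of the project cannot pull; the client reports that the repository does not exist or that there is no access:
{18-10-13 19:52}localhost:~ root# docker pull 192.168.71.106/library/nginx # a user who is not logged in, or is not a member of the project, cannot pull
Using default tag: latest
Trying to pull repository 192.168.71.106/library/nginx ...
repository 192.168.71.106/library/nginx not found: does not exist or no pull access
To allow pulling, add the corresponding members to the project; those members can then pull.
That's it! The Harbor setup journey ends here for now. It is late at night and time to rest; I will add more later if there is anything new to share.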