Dabing
an ops engineer who wants to do it all

Docker registry: Harbor

Why use Harbor as the registry?

    Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with the features an enterprise needs, such as security, identity and management. As a private enterprise registry, Harbor offers better performance and security than a bare registry, and makes moving images between build and runtime environments more efficient. Harbor can replicate image resources between several registry nodes, and all images stay inside the private registry, so data and intellectual property remain under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.

    Harbor is a reliable enterprise-class registry server. Enterprise users can run a private container registry with Harbor to improve productivity and security; it is suitable for production as well as development environments.

    Official site: http://vmware.github.io/harbor/index_cn.html

    Git repository: https://github.com/vmware/harbor

1. Environment preparation:

[root@harborcache ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
[root@harborcache ~]# uname -r
3.10.0-327.el7.x86_64
[root@harborcache ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@harborcache ~]# getenforce 
Disabled
[root@harborcache ~]# hostname -I
10.0.0.201
[root@harborcache ~]# ntpdate ntp1.aliyun.com 
14 Apr 10:05:53 ntpdate[3880]: step time server 182.92.12.11 offset 577708.368607 sec
#Clocks must be in sync, otherwise token-based authentication fails because of clock skew; run this from a cron job (or use chronyd/ntpd).
#firewalld and SELinux are disabled on this lab host; on a real registry keep both on and open only the ports the registry needs (80/443).

2. Install Docker and download the Harbor package

#Docker is required, of course.
[root@harborcache ~]# yum install docker python-pip -y 
[root@harborcache ~]# systemctl enable docker 
[root@harborcache ~]# systemctl start docker
#Download the 0.5.0 offline installer; the download is slow.
[root@harborcache ~]# cd /usr/local/src/
[root@harborcache src]# wget https://github.com/vmware/harbor/releases/download/0.5.0/harbor-offline-installer-0.5.0.tgz
[root@harborcache src]# ll 
total 310440
-rw-r--r-- 1 root root 317888971 Apr  4 09:28 harbor-offline-installer-0.5.0.tgz

3. Configuration

[root@harborcache src]# pwd
/usr/local/src
[root@harborcache src]# tar xf harbor-offline-installer-0.5.0.tgz
[root@harborcache src]# cd harbor/
[root@harborcache harbor]# egrep "^[a-Z]" harbor.cfg 
hostname = 10.0.0.201 
ui_url_protocol = http #https is not configured yet
email_identity = 
email_server = smtp.qq.com
email_server_port = 25
email_username = example
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
harbor_admin_password = Harbor12345 #initial admin password; Harbor12345 is the well-known default, change it before anyone else can reach the registry
auth_mode = db_auth #authentication mode (local database; ldap_auth uses the ldap_url below)
ldap_url = ldaps://ldap.mydomain.com

4. Installation

[root@harborcache harbor]# ./prepare 
generated and saved secret key
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/ui/app.conf
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/private_key.pem
Generated configuration file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@harborcache harbor]# ./install.sh #fails with the error shown below, so we install docker-compose ourselves and start the stack with docker-compose

[Step 0]: checking installation environment ...

Note: docker version: 1.12.6
✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.
[root@harborcache harbor]# pip install --upgrade pip #upgrade pip
[root@harborcache harbor]# pip install docker-compose #install docker-compose
[root@harborcache harbor]# docker-compose up -d 

5. Finishing the installation and accessing the registry

[root@harborcache harbor]# docker images 
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
docker.io/vmware/harbor-log          0.5.0               eebc987a891b        4 months ago        190.5 MB
docker.io/vmware/harbor-jobservice   0.5.0               995368e96860        4 months ago        169.4 MB
docker.io/vmware/harbor-ui           0.5.0               232a8664541a        4 months ago        233 MB
docker.io/vmware/harbor-db           0.5.0               84c4ce8e9b6c        4 months ago        326.8 MB
docker.io/nginx                      1.11.5              05a60462f8ba        5 months ago        181.4 MB
docker.io/registry                   2.5.0               c6c14b3960bd        8 months ago        33.28 MB

    Open the UI in a browser at the IP address (http://10.0.0.201) and log in as admin.

    To use this registry from the Docker client over plain HTTP, the daemon configuration must be changed, because Docker refuses a registry without TLS by default. --insecure-registry switches TLS verification off for that host, so anything between the client and 10.0.0.201 could tamper with the images in transit; use it only until HTTPS is set up (section 6).

[root@harborcache harbor]# vim /etc/sysconfig/docker 
# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.0.0.201' #added --insecure-registry 10.0.0.201

    Restart Docker.

[root@harborcache harbor]# systemctl restart docker 
[root@harborcache harbor]# systemctl status docker 
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-14 11:40:56 CST; 8s ago

    Log in, create a project (here dabing) in the UI, then tag and push an image into it.

[root@harborcache harbor]# docker tag 05a60462f8ba 10.0.0.201/dabing/nginx:v1
[root@harborcache harbor]# docker login 10.0.0.201
Username: admin
Password: 
Login Succeeded
[root@harborcache harbor]# docker push 10.0.0.201/dabing/nginx:v1
The push refers to a repository [10.0.0.201/dabing/nginx]
3f117c44afbb: Pushed 
c4a8b7411af4: Pushed 
fe4c16cbf7a4: Pushed 
v1: digest: sha256:e5c82328a509aeb7c18c1d7fb36633dc638fcf433f651bdcda59c1cc04d3ee55 size: 948

    The pushed image is now visible in the UI.

    To use the registry from other servers, the Docker configuration on each of them needs the same change; here we use the docker1 server.

[root@docker1 /]# vim /etc/sysconfig/docker 
# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.0.0.201' #added --insecure-registry 10.0.0.201
#restart
[root@docker1 /]# systemctl restart docker

    After that, this host can log in and push or pull.

[root@docker1 /]# docker login 10.0.0.201
Username: admin
Password: 
Login Succeeded
[root@docker1 /]# docker push 10.0.0.201/dabing/nginx:v1

6. HTTPS

    Editing the Docker configuration on every host is tedious, so now let's set up HTTPS. The domain is harbor.dabing.com with a self-made certificate: first a private CA, then a server certificate signed by it, so clients only need to trust the CA. Two things to watch in the steps below. The server certificate carries the hostname only in its CN; Docker clients built with Go 1.15 or later require the name in a subjectAltName extension and reject CN-only certificates. And the CSR is created with exactly the same subject as the CA (compare the subject line printed when signing), which works here but is best avoided; give the CA its own CN.

[root@harborcache ~]# mkdir /data/keys
[root@harborcache ~]# cd /data/keys/
[root@harborcache keys]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:dabing
Organizational Unit Name (eg, section) []:dabing
Common Name (eg, your name or your server's hostname) []:harbor.dabing.com
Email Address []:55@qq.com
[root@harborcache keys]# openssl req  -newkey rsa:4096 -nodes -sha256 -keyout harbor.dabing.com.key -out harbor.dabing.com.csr
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:it 
[root@harborcache keys]# openssl x509 -req -days 365 -in harbor.dabing.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial  -out harbor.dabing.com.crt
Signature ok
subject=/C=BJ/ST=BJ/L=BJ/O=dabing/OU=dabing/CN=harbor.dabing.com/emailAddress=55@qq.com
Getting CA Private Key
[root@harborcache keys]# ll
total 24
-rw-r--r-- 1 root root 2078 Apr 14 13:22 ca.crt #self-signed CA certificate
-rw-r--r-- 1 root root 3272 Apr 14 13:22 ca.key #CA private key (keep it off the registry host once signing is done)
-rw-r--r-- 1 root root   17 Apr 14 13:26 ca.srl #serial file, generated automatically
-rw-r--r-- 1 root root 1960 Apr 14 13:26 harbor.dabing.com.crt #CA-signed certificate used for nginx HTTPS
-rw-r--r-- 1 root root 1785 Apr 14 13:24 harbor.dabing.com.csr #certificate signing request, only needed to obtain the crt
-rw-r--r-- 1 root root 3268 Apr 14 13:24 harbor.dabing.com.key #private key for the domain

    Enable HTTPS and configure it.

[root@harborcache ~]# cd /usr/local/src/harbor/
[root@harborcache harbor]# vim harbor.cfg 
## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = harbor.dabing.com

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
...
crt_country = BJ
crt_state = BJ
crt_location = BJ
crt_organization = dabing
crt_organizationalunit = dabing
crt_commonname = harbor.dabing.com #*
crt_email = 55@qq.com
...
ssl_cert = /data/keys/harbor.dabing.com.crt
ssl_cert_key = /data/keys/harbor.dabing.com.key

    Modify the Docker configuration and restart.

[root@harborcache harbor]# vim /etc/sysconfig/docker
# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'
#removed "--insecure-registry 10.0.0.201" from OPTIONS
[root@harborcache harbor]# systemctl restart docker 

    Regenerate the Harbor configuration and restart the stack.

[root@harborcache harbor]# ./prepare
loaded secret key
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/ui/app.conf
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/private_key.pem
Generated configuration file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@harborcache harbor]# docker-compose down 
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing registry ... done
Removing harbor-db ... done
Removing harbor-ui ... done
Removing harbor-log ... done
Removing network harbor_default
[root@harborcache harbor]# docker-compose up -d
Creating network "harbor_default" with the default driver
Creating harbor-log
Creating harbor-db
Creating registry
Creating harbor-ui
Creating harbor-jobservice
Creating nginx

    Both the browser and docker login need the name to resolve, so add a hosts entry (or a DNS record), and put the CA certificate where the Docker daemon looks for per-registry trust: /etc/docker/certs.d/<registry hostname>/ca.crt.

[root@harborcache harbor]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.201  harbor.dabing.com
[root@harborcache harbor]# mkdir /etc/docker/certs.d/harbor.dabing.com
[root@harborcache harbor]# cp /data/keys/ca.crt /etc/docker/certs.d/harbor.dabing.com/
[root@harborcache harbor]# docker login harbor.dabing.com
Username: admin
Password: 
Login Succeeded

    Push an image.

[root@harborcache tmp]# docker tag 67591570dd29 harbor.dabing.com/dabing/centos:v1 #again the image must be tagged with the registry name, harbor.dabing.com
[root@harborcache tmp]# docker push harbor.dabing.com/dabing/centos:v1
The push refers to a repository [harbor.dabing.com/dabing/centos]
34e7b85d83e4: Pushed 
v1: digest: sha256:f271819dacd9bc9ea710298054c5beb2ee7ef9b46391aae778c061ed439378b6 size: 529

    OK, the Docker registry is configured. Every other server that uses it needs the CA certificate copied into /etc/docker/certs.d/harbor.dabing.com/, a hosts entry for harbor.dabing.com, the --insecure-registry option removed from its Docker configuration, and a Docker restart.
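    Pulling section 6 together: the following script is an added example, not from the original post, that builds the private CA and the server certificate in one go, with the subjectAltName that newer Docker clients require and a CA subject distinct from the server's, then verifies the chain and performs the client-side trust step (the copy into /etc/docker/certs.d/<hostname>/). The hostname harbor.dabing.com and the address 10.0.0.201 are taken from the post; the CA name dabing-harbor-ca, the function names, the KEY_BITS variable and the optional certs.d root argument (so the script can be tried without root) are this example's own assumptions. It needs only openssl and runs in a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the original post): private CA + SAN-bearing
# server certificate for a Harbor host, chain verification, and installation
# of the CA where the Docker daemon looks for per-registry trust.
set -eu

# make_harbor_certs OUTDIR HOST [IP]
# Writes ca.key, ca.crt, HOST.key, HOST.csr and HOST.crt into OUTDIR.
make_harbor_certs() {
  out="$1"; host="$2"; ip="${3:-}"
  bits="${KEY_BITS:-4096}"          # KEY_BITS is this example's own knob
  mkdir -p "$out"
  # Extension profiles: the CA is marked CA:TRUE and may only sign; the
  # server certificate is a leaf with the hostname (and optional IP) as SAN.
  cat > "$out/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt
[alt]
DNS.1 = $host
${ip:+IP.1 = $ip}
EOF
  # CA: self-signed, with a subject that differs from the server's so the
  # two certificates cannot be confused while the chain is built.
  openssl req -x509 -new -newkey "rsa:$bits" -nodes -sha256 -days 365 \
    -subj "/C=CN/O=dabing/CN=dabing-harbor-ca" \
    -config "$out/ext.cnf" -extensions ca_ext \
    -keyout "$out/ca.key" -out "$out/ca.crt"
  # Server key and CSR (no challenge password: nginx never uses it).
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
    -subj "/C=CN/O=dabing/CN=$host" -config "$out/ext.cnf" \
    -keyout "$out/$host.key" -out "$out/$host.csr"
  # Sign the CSR with the CA, attaching the server extension profile.
  openssl x509 -req -days 365 -sha256 -in "$out/$host.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/ext.cnf" -extensions server_ext \
    -out "$out/$host.crt"
  chmod 600 "$out/ca.key" "$out/$host.key"
}

# verify_chain OUTDIR HOST: succeeds only if HOST.crt chains to ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_has_dns_san CERT HOST: succeeds if HOST is present as a DNS SAN.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_fingerprint CERT: SHA-256 fingerprint, to compare out of band before
# trusting a CA file that was copied to another host.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# install_docker_ca HOST CA_FILE [CERTS_ROOT]
# Places the CA at CERTS_ROOT/HOST/ca.crt (default /etc/docker/certs.d).
# The daemon reads it per connection, so --insecure-registry is no longer
# needed for this host.
install_docker_ca() {
  root="${3:-/etc/docker/certs.d}"
  mkdir -p "$root/$1"
  cp "$2" "$root/$1/ca.crt"
}

# Demonstration run in a scratch directory (skipped if openssl is missing).
if command -v openssl >/dev/null 2>&1; then
  work="$(mktemp -d)"
  make_harbor_certs "$work" harbor.dabing.com 10.0.0.201
  verify_chain "$work" harbor.dabing.com && echo "chain OK"
  cert_has_dns_san "$work/harbor.dabing.com.crt" harbor.dabing.com && echo "SAN OK"
  echo "CA fingerprint: $(cert_fingerprint "$work/ca.crt")"
  install_docker_ca harbor.dabing.com "$work/ca.crt" "$work/certs.d"
  ls "$work/certs.d/harbor.dabing.com"
fi
```

    Point ssl_cert and ssl_cert_key in harbor.cfg at the generated HOST.crt and HOST.key, run ./prepare and restart the stack as above. On a client that has the CA installed and the name resolving, curl --cacert /etc/docker/certs.d/harbor.dabing.com/ca.crt https://harbor.dabing.com/v2/ should answer 401 with a Www-Authenticate: Bearer header from the token service, and docker login harbor.dabing.com succeeds without any --insecure-registry setting; if it fails with a certificate error, compare the CA fingerprint on both hosts first.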

Comments (3)

  1. #1

    Do you have to use CentOS 7? Have you tried it on 6.8?

    2 years ago (2017-06-01)
    • I haven't tested it; it should work, but for this virtualization stuff I'd still recommend version 7 or later.

      bigd, 2 years ago (2017-06-05)
      • OK.

        2 years ago (2017-06-05)