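Setting Up and Using a Private Harbor Registry for Docker
Source: 陶老师运维笔记 (WeChat official account)
1. Introduction
Docker provides an official public image registry, but for reasons of security and efficiency it is well worth deploying a registry inside your own private environment. This article describes how to set up and use a private Harbor registry.
Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. Its features include access control (RBAC), LDAP, log auditing, a management UI, self-registration, image replication, and Chinese language support. Official site: github.com/goharbor/ha…
2. Environment Preparation
Installing Harbor requires docker and docker-compose to be installed first.
2.1 Software Environment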
Software | Version | Notes |
---|---|---|
Operating system | CentOS 7 | - |
docker | Docker version 18.06.1-ce | - |
docker-compose | docker-compose version 1.24.1 | - |
2.2 Hardware Environment
Omitted.
3. Installing Docker and Docker Compose
3.1 Installing Docker
# Update yum packages
$ yum update
# Remove old Docker versions
$ yum remove docker docker-common docker-selinux docker-engine
# Install prerequisite packages
$ yum install -y yum-utils device-mapper-persistent-data lvm2
# Add the Docker yum repository
$ yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Install Docker
$ yum -y install docker-ce
# Start Docker
$ systemctl start docker
# Check the Docker version
$ docker --version
3.2 Installing Docker Compose
# Install epel-release
yum install epel-release
# Install python-pip
yum install -y python-pip
# Install docker-compose
pip install docker-compose
# Install git
yum install git
# Check the docker-compose version
docker-compose --version
4. Installing Harbor
Main steps: 1. download the installer; 2. configure harbor.yml; 3. run install.sh and start Harbor.
4.1 Download the software:
Download: github.com/goharbor/ha…

wget 'https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.4-rc1.tgz'
# Extract the archive
tar -zxvf harbor-offline-installer-v1.8.4-rc1.tgz
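4.2 Edit the Configuration
After downloading and extracting the archive, the directory contains harbor.conf, which is Harbor's configuration file.
- Installation and configuration guide: github.com/goharbor/ha…
- Configuring HTTPS support: github.com/goharbor/ha…
Change hostname and harbor_admin_password. The result looks like this.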
# harbor.yml
cat harbor.yml |grep -v '#' |grep -v '^$'
hostname: registry.test.myop.com
http:
  port: 80
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data1/harbor
clair:
  updaters_interval: 12
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry
jobservice:
  max_job_workers: 10
chart:
  absolute_url: disabled
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /var/log/harbor
_version: 1.8.0
# Edit docker-compose.yml and change ports to 5000.
vim docker-compose.yml
dns_search:
ports:
  - 5000:5000
hostname is set here to this machine's name, registry.test.myop.com; harbor_admin_password is the password for the web UI.
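The configuration above keeps the shipped admin and database passwords and defines only an http section. The following check is an added example, not part of the original article or of Harbor: audit_harbor_yml is a hypothetical helper that assumes the Harbor 1.8-style harbor.yml layout shown above, and both sample files, including the certificate paths and replacement passwords, are constructed placeholders.

```sh
#!/bin/sh
# audit_harbor_yml FILE (hypothetical helper, added example):
# prints one finding per line and nothing when no check fires.
audit_harbor_yml() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    /^[^ \t]/ {                              # top-level key: remember the section
      section = $1; sub(/:.*/, "", section)
      if (section == "https") has_https = 1
      if (section == "harbor_admin_password" && $2 == "Harbor12345")
        print "default admin password (harbor_admin_password: Harbor12345)"
      next
    }
    section == "database" && $1 == "password:" && $2 == "root123" {
      print "default database password (database.password: root123)"
    }
    END { if (!has_https) print "no https section: portal and registry are served over plain HTTP" }
  ' "$1"
}

# Constructed sample: the values from the walkthrough above.
sample=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$sample" "$hardened"' EXIT
cat > "$sample" <<'EOF'
hostname: registry.test.myop.com
http:
  port: 80
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data1/harbor
EOF
# Constructed counterpart: https section and replaced secrets (all placeholders).
cat > "$hardened" <<'EOF'
hostname: registry.test.myop.com
https:
  port: 443
  certificate: /path/to/server.crt
  private_key: /path/to/server.key
harbor_admin_password: CHANGE_ME_placeholder
database:
  password: CHANGE_ME_placeholder
data_volume: /data1/harbor
EOF
echo "== as configured on this page =="; audit_harbor_yml "$sample"
echo "== hardened counterpart ==";        audit_harbor_yml "$hardened"
```

Run it against the real file with audit_harbor_yml harbor.yml before executing install.sh.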
4.3 Run the Installation
Run the installation script.
# Run the installation script
sh ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 18.06.1
Note: docker-compose version: 1.24.1
[Step 1]: loading Harbor images ...
b80136ee24a4: Loading layer [==================================================>] 34.25MB/34.25MB
[Step 2]: preparing environment ...
prepare base dir is set to /data1/software/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating harbor-db ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal ... done
Creating nginx ... done
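4.4 Test Access
Once installation finishes, test access to the page: registry.test.myop.com. The default account is admin and the default password is Harbor12345 (the value set in the configuration file above; if you did not change it, this is the password).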

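5. Operating Harbor
5.1 Starting and Stopping Harbor
To stop Harbor, or to bring it back up by hand after the server has rebooted, run the following commands in Harbor's installation directory.
# Removing Harbor's containers while keeping the image data and Harbor's database files on the file system
$ sudo docker-compose down -v
$ vim harbor.yml
# prepare is the script in the installer directory; it regenerates the configuration from harbor.yml
$ sudo ./prepare
$ sudo docker-compose up -d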
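5.2 Reinstalling
For a completely fresh reinstall you may want to delete Harbor's database and image data. (Risky!)
# These paths follow the default data_volume (/data); with data_volume: /data1/harbor,
# as configured above, the database and registry directories are under /data1/harbor.
$ rm -r /data/database
$ rm -r /data/registry
To change the installation configuration, see the installation guide: github.com/goharbor/ha…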
5.3 Changing the Port
Edit docker-compose.yml and change port 80 to 8888.
# vim docker-compose.yml
# Change the port as follows
proxy:
  image: goharbor/nginx-photon:v1.7.5
  container_name: nginx
  restart: always
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
  volumes:
    - ./common/config/nginx:/etc/nginx:z
  networks:
    - harbor
  dns_search: .
  ports:
    - 8888:80
    - 443:443
  depends_on:
    - postgresql
    - registry
    - core
    - portal
    - log
5.4 Troubleshooting
Run docker-compose ps, then log in to the relevant docker container to investigate the problem.
cd /data1/harbor  # Harbor installation directory
$ docker-compose stop
$ docker-compose start
$ docker-compose ps
Name                Command                          State         Ports
---------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (healthy)
harbor-db           /entrypoint.sh postgres          Up (healthy)  5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)  127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)  80/tcp
nginx               nginx -g daemon off;             Up (healthy)  0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up            6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up (healthy)  5000/tcp
registryctl         /harbor/start.sh                 Up (healthy)
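5.5 HTTPS Configuration
Harbor HTTPS configuration: CentOS 7 Harbor HTTPS configuration, github.com/goharbor/ha…
Harbor is now set up, but problems may appear when uploading: logging in to Harbor from another server (the client) fails!
$ docker login registry.test.myop.com
Error response from daemon: Get https://registry.test.myop.com/v2/: dial tcp registry.test.myop.com:443: connect: connection refused
This happens because, starting with Docker 1.3.2, Docker uses HTTPS for registries by default, while we set Harbor up in its default HTTP mode. As a result, docker login, pull, push and similar commands fail when run against a non-HTTPS Docker registry.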
Solution:
- Edit the Docker configuration file on the Harbor machine and on the client machines
- On CentOS 7, make the change in /etc/docker/daemon.json.
- On macOS, click "Advanced" under "Preference", add harbor_ip under "Insecure Registry", and restart the Docker client.
vim /etc/docker/daemon.json
{
  "insecure-registries": [
    "harbor_ip or harbor_domain"
  ]
}
- On the Harbor server, in the Harbor installation directory
# Change the port in docker-compose.yml on the Harbor machine
vim docker-compose.yml
dns_search:
ports:
  - 5000:5000
3. Restart or reinstall Harbor
$ docker-compose stop
$ docker ps -a |grep harbor |awk '{print $1}'|xargs -I {} docker rm {}
# Remove Harbor's database and image data
$ rm -r /data1/database
$ rm -r /data1/registry
# Restart: docker-compose start
docker-compose start
# Reload docker
systemctl daemon-reload
#docker ps |grep -v CONTAINER |awk '{print $1}'>docker_online.txt
#cat docker_online.txt |while read line; do echo "$line"; docker start $line; done;
#systemctl start docker  # the service would stop; reload is preferable.
systemctl reload docker
systemctl status docker.service -l
4. Log in to the registry
- Test the login on the Harbor machine
docker login registry.test.myop.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
- Logging in from a remote machine: a remote login runs into the same error; handle it as follows.
vim /etc/docker/daemon.json
{
  "insecure-registries": [
    "harbor_ip or harbor_domain"
  ]
}
$ systemctl daemon-reload
$ docker ps
$ systemctl reload docker
$ systemctl status docker.service -l
Note: some articles say that when HTTPS login fails, docker.service must be modified as shown below. In this test environment (Docker version 18.06.1, harbor-1.8.4), however, docker.service does not need to be modified.
#vim /lib/systemd/system/docker.service
# Add the configuration below. Not needed in this environment (docker 18.06.1).
#ExecStart=/usr/bin/dockerd --insecure-registry=harbor_ip
6. Using Harbor
6.1 Web Interface
Log in at https://harbor_ip to set up projects, users, and so on.

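6.2 Image pull/push
1. Mark the HTTP registry as trusted
vi /etc/docker/daemon.json
{"insecure-registries":["registry.test.myop.com"]}
systemctl restart docker
2. Tag the image
docker tag centos:6 registry.test.myop.com/library/centos:6
3. Push
docker push registry.test.myop.com/library/centos:6
4. Pull
docker pull registry.test.myop.com/library/centos:6
Example:
# Log in to Harbor before pushing
docker login registry.test.myop.com
admin
Harbor12345
A success message means the login succeeded.
List the images you have: docker images
For each image that needs to be uploaded to Harbor, run the following commands.
# Tag the image
docker tag <image>:<tag> <registry-address>/<project>/<image>:<tag>
# Push to the private registry
docker push <registry-address>/<project>/<image>:<tag>
# Pull the image from the private registry
docker pull <registry-address>/<project>/<image>:<tag>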
7. Harbor Permissions
Harbor permission management: blog.csdn.net/liumiaocn/a…
8. Harbor Primary/Replica Replication
References:
- github.com/goharbor/ha…
- github.com/goharbor/ha…
- Setting Up and Using a Private Harbor Registry for Docker, blog.csdn.net/weixin_4208…
- Harbor, a Docker Image Registry, blog.51cto.com/jacksoner/2…
- blog.csdn.net/jycjyc/arti…