Deploying harbor-v2.7.2 with high availability on Ubuntu 22.04 LTS

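Environment preparation

Both hosts need docker and docker-compose installed in advance.

For installing docker and docker-compose, see the reference article.

IP          Hostname    Specs
10.0.0.20   harbor01    2C4G
10.0.0.21   harbor02    2C4G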

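I. Introduction to Harbor

1. What is Harbor?

Harbor is an open-source, cloud-native image registry used to store, manage, and distribute container images. It builds on Docker Registry and adds stronger security, identity management, and access control, so that enterprises can manage container images more efficiently.

2. Main features of Harbor

Image management: supports Docker and OCI image formats and multi-project management
🔐 Security and access control: supports RBAC access control, LDAP/OIDC authentication, and Notary image signing
🔄 Image replication: supports image synchronization across data centers
📊 Logging and auditing: records user operations and supports ELK integration
🚀 High availability: supports clustered deployment and image pull acceleration

3. Typical Harbor use cases

Enterprise image registry: stores, manages, and distributes container images inside the enterprise
DevOps CI/CD: combined with Jenkins or GitLab CI/CD to build, scan, and publish images automatically
Cross-data-center synchronization: synchronizes images between data centers in different regions to improve availability
Image security management: keeps malicious images out of production and ensures deployments are secure

4. Harbor deployment options

  • Docker Compose deployment (suitable for test environments)
  • Helm Chart deployment (suitable for Kubernetes environments)
  • Harbor Operator deployment (suitable for automated management)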

II. Deploying Harbor (with Docker Compose)

1. Download the Harbor installer package

[root@harbor01:~]# wget https://github.com/goharbor/harbor/releases/download/v2.7.2/harbor-offline-installer-v2.7.2.tgz

2. Extract the package

[root@harbor01:~]# mkdir -p /caixiangjia/softwares
[root@harbor01:~]# tar xf harbor-offline-installer-v2.7.2.tgz -C /caixiangjia/softwares/
[root@harbor01:~]# cd /caixiangjia/softwares/harbor/

3. Configure Harbor

[root@harbor01:harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor01:harbor]# ll harbor.yml*
-rw-r--r-- 1 root root 11567 Dec 14 21:13 harbor.yml
-rw-r--r-- 1 root root 11567 Apr 24  2023 harbor.yml.tmpl

Edit the configuration:

hostname: 10.0.0.20
data_volume: /caixiangjia/data/harbor
harbor_admin_password: 1

# Enabled here to make Prometheus monitoring easier later
metric:
  enabled: true
  port: 9099
  path: /metrics

4. Install Harbor

[root@harbor01:harbor]# ./install.sh --with-chartmuseum

5. Access the Harbor Web UI

  • URL: http://10.0.0.20/
  • Username: admin
  • Password: 1


III. Basic Harbor usage

1. Configure Docker to trust Harbor

[root@harbor01:~]# cat /etc/docker/daemon.json
{
    "insecure-registries": ["10.0.0.20"]
}

[root@harbor01:~]# systemctl restart docker.service

2. Create a repository in Harbor

3. Tag the image

[root@harbor01:~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED         SIZE
hello-world                     latest    d2c94e258dcb   19 months ago   13.3kB
[root@harbor01:~]# docker tag hello-world:latest 10.0.0.20/test/hello-world:latest

4. Push the image to the Harbor registry

# Before logging in
[root@harbor01:~]# docker push 10.0.0.20/test/hello-world
Using default tag: latest
The push refers to repository [10.0.0.20/test/hello-world]
ac28800ec8bb: Preparing 
unauthorized: unauthorized to access repository: test/hello-world, action: push: unauthorized to access repository: test/hello-world, action: push

[root@harbor01:~]# docker login 10.0.0.20
Username: admin 	# enter the username
Password: 			# enter the password; the characters are not echoed as you type
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# After a successful login the credentials are saved
[root@harbor01:~]# more /root/.docker/config.json
{
	"auths": {
		"10.0.0.20": {
			"auth": "YWRtaW46MQ=="
		}
	}
}

# Decode with base64 -d to see your password
[root@harbor01:~]# echo YWRtaW46MQ== | base64 -d | more
admin:1


# After logging in
[root@harbor01:~]# docker push 10.0.0.20/test/hello-world
Using default tag: latest
The push refers to repository [10.0.0.20/test/hello-world]
ac28800ec8bb: Pushed 
latest: digest: sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7 size: 524

5. Check the result in the web UI

6. Log out immediately after the push completes (to avoid leaking the password)

[root@harbor01:~]# docker logout 10.0.0.20
Removing login credentials for 10.0.0.20

[root@harbor01:~]# more /root/.docker/config.json
{
	"auths": {}
}
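
The listings above show that the auth value in config.json is only base64, so anyone who can read the file recovers the password. The following check is an added example, not part of the original article: it lists the registries that still have inline credentials, which confirms whether docker logout removed them. The function names and the embedded sample config are constructed for illustration, and the parsing assumes the layout that docker login writes.

```shell
#!/bin/sh
# Added example: report registries whose credentials sit inline in a Docker
# client config.json. Only the user name is decoded; the password is not printed.

# Constructed sample, same layout as the listing above (auth = base64 "admin:1").
SAMPLE_CONFIG='{
    "auths": {
        "10.0.0.20": {
            "auth": "YWRtaW46MQ=="
        }
    }
}'

# list_inline_auths FILE -> one "registry<TAB>user" line per inline credential.
# Assumes the layout docker login writes, with "auth" as the first key.
list_inline_auths() {
    tr -d ' \t\n' < "$1" |
    grep -o '"[^"]*":{"auth":"[^"]*"' |
    while IFS= read -r entry; do
        registry=$(printf '%s' "$entry" | sed 's/^"\([^"]*\)".*/\1/')
        blob=$(printf '%s' "$entry" | sed 's/.*"auth":"\([^"]*\)"$/\1/')
        user=$(printf '%s' "$blob" | base64 -d 2>/dev/null | cut -d: -f1)
        printf '%s\t%s\n' "$registry" "$user"
    done
}

# uses_creds_store FILE -> success if a credential helper is configured.
uses_creds_store() {
    grep -Eq '"(credsStore|credHelpers)"[[:space:]]*:' "$1"
}

# audit_docker_config FILE -> returns 1 if any inline credential remains.
audit_docker_config() {
    found=$(list_inline_auths "$1")
    if [ -n "$found" ]; then
        printf 'inline credentials in %s:\n%s\n' "$1" "$found"
        uses_creds_store "$1" || printf 'no credsStore/credHelpers configured\n'
        return 1
    fi
    printf 'no inline credentials in %s\n' "$1"
}

# Run against a file when one is given, e.g. /root/.docker/config.json
[ $# -eq 0 ] || audit_docker_config "$1"
```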

7. Pull the image from another client (the registry must be configured as trusted)

[root@harbor02:~]# cat /etc/docker/daemon.json 
{
  "insecure-registries": ["10.0.0.20"]
}

[root@harbor02:~]# systemctl restart docker.service 

[root@harbor02:~]# docker pull 10.0.0.20/test/hello-world:latest
latest: Pulling from test/hello-world
c1ec31eb5944: Pull complete 
Digest: sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7
Status: Downloaded newer image for 10.0.0.20/test/hello-world:latest
10.0.0.20/test/hello-world:latest

IV. Setting up Harbor high availability

1. Copy the Harbor package to node 10.0.0.21

[root@harbor01:~]# scp harbor-offline-installer-v2.7.2.tgz 10.0.0.21:/root

2. Extract the package

[root@harbor02:~]# tar xf harbor-offline-installer-v2.7.2.tgz -C /caixiangjia/softwares/

3. Copy the Harbor configuration file to node 10.0.0.21

[root@harbor01:harbor]# scp harbor.yml 10.0.0.21:/caixiangjia/softwares/harbor/

4. Install Harbor

# Edit the Harbor configuration file
[root@harbor02:harbor]# vim harbor.yml
...
hostname: 10.0.0.21
...

[root@harbor02:harbor]# ./install.sh --with-chartmuseum

5. Access the Harbor Web UI

  • URL: http://10.0.0.21/
  • Username: admin
  • Password: 1

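6. Create a repository on node 10.0.0.20

7. Create a replication rule on node 10.0.0.20

8. Create a repository on node 10.0.0.21

9. Create a replication rule on node 10.0.0.21

10. Test and verify

Push an image to node 20 and check whether it is replicated to node 21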

[root@harbor01:~]# docker push 10.0.0.20/wordpress/wordpress:latest


Push an image to node 21 and check whether it is replicated to node 20

[root@harbor02:~]# docker push 10.0.0.21/mysql/mysql:8.0.36-oracle


11. Configure keepalived

1. Install keepalived on both nodes

[root@harbor01:~]# apt -y install keepalived
[root@harbor02:~]# apt -y install keepalived

2. Edit the keepalived configuration file

[root@harbor01:~]# cat > /etc/keepalived/keepalived.conf <<EOF
! Configuration File for keepalived
global_defs {
   router_id 10.0.0.20
}
vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 80"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 100
    priority 100
    advert_int 1
    mcast_src_ip 10.0.0.20
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        10.0.0.99
    }
}
EOF


[root@harbor02:~]# cat > /etc/keepalived/keepalived.conf <<EOF
! Configuration File for keepalived
global_defs {
   router_id 10.0.0.21
}
vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 80"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 100
    priority 100
    advert_int 1
    mcast_src_ip 10.0.0.21
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        10.0.0.99
    }
}
EOF
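
Both configurations call /etc/keepalived/check_port.sh 80, but the article does not show that script. The following is an added example of what such a script could look like, not the author's own file: it exits 0 when a TCP listener exists on the given port and non-zero otherwise. The function names and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example: a possible /etc/keepalived/check_port.sh (the page does not show
# its script). Exit 0 when a TCP listener exists on PORT, non-zero otherwise.

# Constructed sample of `ss -H -lnt` output, used only for offline testing.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:80   0.0.0.0:*
LISTEN 0 128  0.0.0.0:22   0.0.0.0:*
LISTEN 0 4096 [::]:9099    [::]:*'

# port_in_listeners PORT: read `ss -H -lnt` lines on stdin and succeed only if
# some local address (4th column) ends in :PORT. Returns 2 on a bad PORT.
port_in_listeners() {
    case $1 in
        ''|*[!0-9]*) return 2 ;;
    esac
    awk -v p="$1" '
        { n = split($4, part, ":"); if (part[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_port PORT: query the live socket table.
check_port() {
    ss -H -lnt | port_in_listeners "$1"
}

# keepalived calls the script as "check_port.sh 80"; a non-zero exit marks the
# check as failed, which applies the configured weight (-20) to the priority.
if [ $# -gt 0 ]; then
    check_port "$1"
    exit $?
fi
```

The script must be executable (chmod +x) and present at the same path on both nodes for the vrrp_script block to run it.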

3. Start keepalived

[root@harbor01:~]# systemctl enable --now keepalived
[root@harbor02:~]# systemctl enable --now keepalived

4. Check the VIP address

[root@harbor01:~]# ip a
...
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b2:85:39 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 10.0.0.20/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 10.0.0.99/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:8539/64 scope link 
       valid_lft forever preferred_lft forever
       
       
[root@harbor02:~]# ip a
...
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c3:05:1b brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 10.0.0.21/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec3:51b/64 scope link 
       valid_lft forever preferred_lft forever

5. Log in using the VIP address

http://10.0.0.99/

6. Take node 10.0.0.20 down and observe whether the VIP fails over

[root@harbor01:~]# init 0
[root@harbor02:~]# ip a
...
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c3:05:1b brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 10.0.0.21/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 10.0.0.99/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec3:51b/64 scope link 
       valid_lft forever preferred_lft forever

The Harbor registry remains accessible.

V. Monitoring Harbor with Prometheus

1. Edit the Prometheus configuration file

vim prometheus.yml 
...
  - job_name: "harbor-exporter"
    static_configs:
      - targets:
          - 10.0.0.99:9099

2. Hot-reload the configuration file

curl -X POST 10.0.0.31:9090/-/reload

3. Verify that monitoring works

http://10.0.0.31:9090/targets

4. Import the Grafana dashboard template by ID

16686
