系列文章目录
docker之harbor仓库8一、harbor仓库(最小化安装)的搭建及用法
harbor仓库作为企业级仓库:提供了镜像扫描、病毒扫描、签名
harbor仓库每次启动时会开启许多容器,可以提供web操作页面
docker-compose负责单个节点控制多个容器
软件下载位置:https://github.com/goharbor/harbor/releases
解压后里面的压缩包是所有harbor仓库的镜像,其余的是配置文件
[root@docker1 /]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@docker1 /]# cd harbor/
[root@docker1 harbor]# ls
common.sh harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
修改harbor配置文件
[root@docker1 harbor]# vim harbor.yml
可以看见它默认的数据目录在/data
[root@docker1 harbor]# mkdir /data
[root@docker1 harbor]# cp -r /root/certs/ /data/
[root@docker1 harbor]# vim harbor.yml
默认会开启80和443去发布,但是80是默认端口,如果443开启了会重定向到443
主机名必须与仓库生成证书的主机名保持一致
reg.yan.org就是服务器docker1,添加域名方便访问
设置一个管理员登陆的密码
安装harbor,提醒缺少docker-compose依赖性
[root@docker1 harbor]# ./install.sh
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again.
[root@docker1 /]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@docker1 /]# chmod +x /usr/local/bin/docker-compose
查看一下安装的参数
[root@docker1 harbor]# ./install.sh --help
--with-notary 镜像签名,只有签名过的镜像能部署,如果没有签名,拉取镜像是失败的(镜像安全)
--with-clair 镜像扫描器,扫描镜像里面的漏洞与缺陷
--with-chartmuseum k8s中的软件包管理,可以存放镜像还可以存放k8s的软件包。k8s有个应用ham应用专门把软件打成软件包来进行维护
最小化安装
[root@docker1 harbor]# ./install.sh
安装好以后,之后的管理都在/harbor(安装harbor的目录)交给docker-compose来管理
docker-compose会在/harbor读取.yml文件,它会通过脚本解析harbor.yml来生成docker-compose.yml
[root@docker1 harbor]# ls
docker-compose.yml harbor.yml
因为一共开启了9个容器,不好管理,也不知道容器之间的关系,所以用docker-compose来管理
[root@docker1 harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
56f638dce977 goharbor/nginx-photon:v1.10.1 "nginx -g 'daemon of…" 19 seconds ago Up 12 seconds (health: starting) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp nginx
8d7514279f86 goharbor/harbor-jobservice:v1.10.1 "/harbor/harbor_jobs…" 19 seconds ago Up 14 seconds (health: starting) harbor-jobservice
eba94647a312 goharbor/harbor-core:v1.10.1 "/harbor/harbor_core" 21 seconds ago Up 18 seconds (health: starting) harbor-core
85c0de195cd0 goharbor/harbor-db:v1.10.1 "/docker-entrypoint.…" 28 seconds ago Up 25 seconds (health: starting) 5432/tcp harbor-db
ca1121fe1d31 goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1 "/home/harbor/entryp…" 28 seconds ago Up 20 seconds (health: starting) 5000/tcp registry
89cf045cb2ea goharbor/redis-photon:v1.10.1 "redis-server /etc/r…" 28 seconds ago Up 23 seconds (health: starting) 6379/tcp redis
807ff92faad0 goharbor/harbor-registryctl:v1.10.1 "/home/harbor/start.…" 28 seconds ago Up 22 seconds (health: starting) registryctl
1fb2951ae681 goharbor/harbor-portal:v1.10.1 "nginx -g 'daemon of…" 28 seconds ago Up 20 seconds (health: starting) 8080/tcp harbor-portal
604de693ca95 goharbor/harbor-log:v1.10.1 "/bin/sh -c /usr/loc…" 30 seconds ago Up 28 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log
[root@docker1 harbor]# docker ps -aq
56f638dce977
8d7514279f86
eba94647a312
85c0de195cd0
ca1121fe1d31
89cf045cb2ea
807ff92faad0
1fb2951ae681
604de693ca95
[root@docker1 harbor]# docker ps -aq | wc -l
9
docker-compose管理
[root@docker1 harbor]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobserv Up (healthy)
ice ...
harbor-log /bin/sh -c Up (healthy) 127.0.0.1:1514->10514
/usr/local/bin/ ... /tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,
0.0.0.0:443->8443/tcp
redis redis-server Up (healthy) 6379/tcp
/etc/redis.conf
registry /home/harbor/entrypoin Up (healthy) 5000/tcp
t.sh
registryctl /home/harbor/start.sh Up (healthy)
如果在启动的时候有容器没有启动起来
[root@docker1 harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
使用web管理harbor
这个仓库,library是默认项目(仓库分类),可以匿名拉取的
给仓库上传镜像,先给解析
[root@docker1 harbor]# cat /etc/hosts
172.25.254.1 docker1 reg.yan.org
证书有问题给docker1添加一个证书
[root@docker1 harbor]# docker login reg.yan.org
Username: admin
Password:
Error response from daemon: Get https://reg.yan.org/v2/: x509: certificate signed by unknown authority
[root@docker1 harbor]# cd /etc/docker/
[root@docker1 docker]# mkdir certs.d
[root@docker1 docker]# cd certs.d/
[root@docker1 certs.d]# mkdir reg.yan.org
[root@docker1 certs.d]# cd reg.yan.org/
[root@docker1 reg.yan.org]# cp /data/certs/yan.org.crt ca.crt
所有harbor仓库的数据都持久化到/data了,添加不同的模块这个目录就记录下来了,可以看出harbor用了registry官方镜像
[root@docker1 reg.yan.org]# cd /data/
[root@docker1 data]# ls
ca_download certs database job_logs psc redis registry secret
[root@docker1 data]# docker login reg.yan.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传成功,上传的时候必须添加仓库的url+仓库的项目+镜像的名字+版本号
不加版本号的话,签名是不生效的,签名只针对你的标签(版本号)
[root@docker1 data]# docker tag busybox:latest reg.yan.org/library/busybox:latest
[root@docker1 data]# docker push reg.yan.org/library/busybox:latest
便可以在日志查看到上传成功
新建一个私有的项目
向私有项目上传镜像
[root@docker1 data]# docker tag yakexi007/game2048:latest reg.yan.org/yan/game2048:latest
[root@docker1 data]# docker push reg.yan.org/yan/game2048:latest
远程用户拉取本地仓库
由于docker2的指向仓库不是reg.yan.org所以拉取必须要加仓库名字,并且给docker2加解析拉取变快
[root@docker2 ~]# docker info
[root@docker2 ~]# docker pull reg.yan.org/library/busybox:latest
可以查看日志,匿名用户(docker2)拉取镜像了
太麻烦了,拉取镜像还得加仓库名字
修改docker2仓库定向(和阿里云加速器重定向修改一样,把阿里云加速器的地址换成自己的仓库的地址就行了)
[root@docker2 ~]# cd /etc/docker/
[root@docker2 docker]# vim daemon.json
[root@docker2 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.yan.org"]
}
[root@docker2 docker]# systemctl daemon-reload
[root@docker2 docker]# systemctl restart docker
[root@docker2 docker]# docker info
重定向生效
直接到本地仓库的默认library拉取,默认情况都会找library项目
[root@docker2 docker]# docker pull busybox
需要认证,因为不是公开的,不支持匿名下载。
[root@docker2 docker]# docker pull yan/game2048:latest
Error response from daemon: pull access denied for yan/game2048, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
创建用户
将用户添加到yan(私有仓库里)
拉取成功,并且私有仓库不暴露对外,不加本地仓库名字这个时候是去docker官方仓库拉取
[root@docker2 docker]# docker login reg.yan.org
Username: ywq
Password:
Login Succeeded
[root@docker2 docker]# docker pull yan/game2048:latest
[root@docker2 docker]# docker pull reg.yan.org/yan/game2048:latest
latest: Pulling from yan/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.yan.org/yan/game2048:latest
reg.yan.org/yan/game2048:latest
[root@docker2 docker]# docker pull yan/game2048:latest
Error response from daemon: pull access denied for yan/game2048, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
二、 harbor仓库添加功能模板(安全模块签名和扫描)
扫描配合是否阻止潜在漏洞镜像来使用
官方文档地址:https://goharbor.io/docs/1.10/working-with-projects/working-with-images/pulling-pushing-images/
先停掉所有容器,并且删掉
由于之前导入过镜像,我们只删掉容器了,没有删镜像,所有这次加载快,因为镜像都导入过了
[root@docker1 docker]# cd /harbor
[root@docker1 harbor]# docker-compose stop
[root@docker1 harbor]# docker-compose rm
Are you sure? [yN] y
[root@docker1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@docker1 harbor]# docker ps -aq|wc -l
14
这一次容器更多了,添加功能了
扫描镜像
项目配置里面有自动扫描,但是最好不开
它是会自动扫描的,每扫描一次相当于在虚拟机里面做了变更,虚拟机是属于copy-on-write的机制
它的一个子镜像,每次在子镜像做一次扫描,它的数据是变更的,一旦变更后它会大量复制母镜像的数据,只要会导致你子镜像越来越大,很快就塞满磁盘了,我的虚拟机设置是20G,一旦到了20G这个子镜像就不能使用了。这个扫描功能是你服务重启的时候,比如你重启你的虚拟机,这个扫描就会重新扫描一遍
[kiosk@foundation38 Pictures]$ cd /var/lib/libvirt/images/
[kiosk@foundation38 images]$ qemu-img info docker3
image: docker3
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 52M
cluster_size: 65536
backing file: new.qcow2
Format specific information:
compat: 1.1
lazy refcounts: false
refcount bits: 16
corrupt: false
Helm Charts在k8s,由于在k8s要写大量的配置文件,为了便于管理Helm Charts将配置文件打包管理,类似操作系统的yum
删除镜像时候要垃圾清理,不然实际不会删掉的
镜像的签名部署
部署根证书,在/etc/docker,docker引擎就能识别到
开启docker内容信任变量后,上传下载镜像都要认证
[root@docker1 ~]# cd .docker/
[root@docker1 .docker]# ls
config.json
[root@docker1 .docker]# mkdir -p tls/reg.yan.org:4443/
[root@docker1 .docker]# cd tls/
[root@docker1 tls]# cd reg.yan.org\:4443/
[root@docker1 reg.yan.org:4443]# cp /etc/docker/certs.d/reg.yan.org/ca.crt .
[root@docker1 reg.yan.org:4443]# export DOCKER_CONTENT_TRUST=1
[root@docker1 reg.yan.org:4443]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.yan.org:4443
开启认证功能后,必须带标签,因为签名就看标签
两个密码,如果镜像名字变更了,root key变更,镜像名不变,版本号变更,根key就不需要输入
每次只是变更v1 v2版本标签,你只需要输入仓库密码就行
[root@docker1 reg.yan.org:4443]# docker push reg.yan.org/library/busybox:latest
Enter passphrase for new root key with ID c9c5ba5:
Repeat passphrase for new root key with ID c9c5ba5:
Enter passphrase for new repository key with ID 38e3345:
Repeat passphrase for new repository key with ID 38e3345:
Successfully signed reg.yan.org/library/busybox:latest
远程部署:没有签名不能部署
[root@docker2 reg.yan.org]# docker pull reg.yan.org/library/webserver:v3
Error response from daemon: unknown: The image is not signed in Notary.
签名
[root@docker1 reg.yan.org:4443]# docker push reg.yan.org/library/webserver:v3
Enter passphrase for root key with ID c9c5ba5:
Enter passphrase for new repository key with ID 8b13ceb:
Repeat passphrase for new repository key with ID 8b13ceb:
Finished initializing "reg.yan.org/library/webserver"
Successfully signed reg.yan.org/library/webserver:v3
部署成功
[root@docker2 reg.yan.org]# docker pull reg.yan.org/library/webserver:v3
删除签名
[root@docker1 reg.yan.org:4443]# docker trust revoke reg.yan.org/library/webserver:v3
Enter passphrase for repository key with ID 8b13ceb:
Successfully deleted signature for reg.yan.org/library/webserver:v3
重新安装harbor签名和认证功能不加了,加了消耗内存,只加chartmuseum为了以后的k8s实验
[root@docker1 reg.yan.org:4443]# cd /harbor/
[root@docker1 harbor]# docker-compose stop
[root@docker1 harbor]# docker-compose rm
[root@docker1 harbor]# unset DOCKER_CONTENT_TRUST 取消内容信任
[root@docker1 harbor]# ./install.sh --with-chartmuseum
但是不是所有的东西都被删除了,认证还有
[root@docker1 ~]# cd /data/
[root@docker1 data]# ls
ca_download chart_storage job_logs redis secret
certs database psc registry
如果要变更harbor的yml文件,在安装的时候要./prepare,重新生成docker-compose.yml文件
[root@docker1 data]# cd /harbor/
[root@docker1 harbor]# ls
docker-compose.yml harbor.yml
[root@docker1 harbor]# vim harbor.yml
[root@docker1 harbor]# ./prepare
END
扫一扫
4万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
