Harbor overview
Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with the features an enterprise needs, such as security, identity and management. As a private registry it offers better performance and security, and makes moving images between build and runtime environments more efficient. Harbor can replicate images between several registry nodes, and every image stays inside the private registry, so data and intellectual property remain under control on the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
github: https://github.com/goharbor/harbor
Installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Environment
- OS: CentOS 7.6
- Docker: 18.09.0 (client and server versions match)
- Compose: 1.23.2
- Harbor: 1.7
Setting up the Harbor service
1. Install Docker Compose
Harbor is deployed as a Docker Compose project, so Compose has to be installed first:
# curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
or
# pip install docker-compose
2. Self-signed TLS certificates
Create a directory for the certificates:
# mkdir /data/cert
# cd /data/cert/
1) Create the CA certificate
The CA needs its own private key first; the req command below reads it with -key. Give the CA a CN that differs from the registry hostname: if the CA and the server certificate carry the same subject, the server certificate ends up with subject == issuer, and tools that build chains by subject name (openssl verify, curl) can mistake it for a self-signed certificate and reject the chain.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=harbor-ca" \
-key ca.key \
-out ca.crt
2) Generate the server key and certificate signing request
openssl genrsa -out reg.harbor.com.key 4096
openssl req -sha512 -new \
-subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=reg.harbor.com" \
-key reg.harbor.com.key \
-out reg.harbor.com.csr
3) Issue the registry host certificate
The extension file lists every name clients will use in the subjectAltName. Hostnames go into DNS.n entries; the IP address must be an IP.n entry, because a client that connects to https://192.168.20.201 is matched against IP SANs only, and once a SAN is present the CN is not consulted for hostname matching at all.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=reg.harbor.com
DNS.2=reg.harbor
IP.1=192.168.20.201
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in reg.harbor.com.csr \
-out reg.harbor.com.crt
Check the result before installing it: openssl verify -CAfile ca.crt reg.harbor.com.crt must print OK, and openssl x509 -in reg.harbor.com.crt -noout -text should list both DNS names and "IP Address:192.168.20.201" under Subject Alternative Name.
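The certificate procedure above as one script, with the checks a practitioner runs before copying anything to /data/cert. This is an added example, not code from the page or from the Harbor project; the CA name harbor-ca, the KEY_BITS variable and the script name are this example's own conventions. It classifies each requested name as a DNS or IP SAN automatically (only digits and dots means IPv4; IPv6 literals are not handled), gives the CA a distinct CN, and after signing verifies the chain, that the key matches the certificate, and that every name is present in the SAN with the right type.

```shell
#!/bin/sh
# Added example (not from the page or the Harbor project): issue a registry
# certificate as in the section above, with the two usual mistakes avoided
# and the result verified:
#   * IP addresses go into IP.n= SAN entries, not DNS.n= (a client that
#     connects to https://192.168.20.201 only matches IP SANs);
#   * the CA gets its own CN, so the server cert is not subject == issuer.
# harbor-ca and KEY_BITS are this example's own conventions.

KEY_BITS=${KEY_BITS:-4096}

# san_entries NAME...: print one alt_names line per argument, numbering
# DNS.n and IP.n separately. Heuristic: only digits and dots is an IPv4
# literal, anything else is a hostname (IPv6 is not handled here).
san_entries() {
    dns=0
    ip=0
    for name in "$@"; do
        case "$name" in
            *[!0-9.]*) dns=$((dns + 1)); printf 'DNS.%d=%s\n' "$dns" "$name" ;;
            *)         ip=$((ip + 1));   printf 'IP.%d=%s\n' "$ip" "$name" ;;
        esac
    done
}

# write_v3_ext FILE NAME...: the v3.ext used above, SAN list generated.
write_v3_ext() {
    out=$1
    shift
    {
        echo 'authorityKeyIdentifier=keyid,issuer'
        echo 'basicConstraints=CA:FALSE'
        echo 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment'
        echo 'extendedKeyUsage = serverAuth'
        echo 'subjectAltName = @alt_names'
        echo '[alt_names]'
        san_entries "$@"
    } > "$out"
}

# issue_registry_cert DIR CA_CN SERVER_CN NAME...: create ca.key/ca.crt and
# SERVER_CN.key/.crt in DIR, then verify them. Non-zero exit if the chain
# does not validate, the key does not match, or a name is missing from SAN.
issue_registry_cert() {
    dir=$1
    ca_cn=$2
    cn=$3
    shift 3
    (
        cd "$dir" || exit 1
        openssl genrsa -out ca.key "$KEY_BITS" 2>/dev/null || exit 1
        openssl req -x509 -new -nodes -sha512 -days 3650 \
            -subj "/O=example/CN=$ca_cn" -key ca.key -out ca.crt || exit 1
        openssl genrsa -out "$cn.key" "$KEY_BITS" 2>/dev/null || exit 1
        openssl req -sha512 -new -subj "/O=example/CN=$cn" \
            -key "$cn.key" -out "$cn.csr" || exit 1
        write_v3_ext v3.ext "$@"
        openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
            -CA ca.crt -CAkey ca.key -CAcreateserial \
            -in "$cn.csr" -out "$cn.crt" 2>/dev/null || exit 1

        # Check 1: the server cert chains to the CA (this is what breaks
        # when CA and server share a subject).
        openssl verify -CAfile ca.crt "$cn.crt" >/dev/null 2>&1 || {
            echo "chain verification failed" >&2; exit 1; }
        # Check 2: the private key belongs to the certificate.
        [ "$(openssl x509 -in "$cn.crt" -noout -modulus)" = \
          "$(openssl rsa -in "$cn.key" -noout -modulus 2>/dev/null)" ] || {
            echo "key does not match certificate" >&2; exit 1; }
        # Check 3: every requested name is in the SAN with the right type.
        # The SAN line is normalised to "DNS:a,DNS:b,IPAddress:c" first.
        san=$(openssl x509 -in "$cn.crt" -noout -text \
              | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
        for name in "$@"; do
            case "$san," in
                *"DNS:$name,"*|*"IPAddress:$name,"*) ;;
                *) echo "$name missing from SAN: $san" >&2; exit 1 ;;
            esac
        done
    )
}

# Usage: sh make-registry-cert.sh /data/cert harbor-ca reg.harbor.com \
#            reg.harbor.com reg.harbor 192.168.20.201
if [ $# -ge 4 ]; then
    issue_registry_cert "$@"
fi
```

Run it with the directory, the CA name, the server CN and then every name clients will use; the script refuses to hand back a certificate that fails any of the three checks, which is cheaper than discovering the problem at docker login time.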
3. Install and configure Harbor
Downloads: https://github.com/goharbor/harbor/releases
1) Download the offline installer and unpack it:
# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
# tar xf harbor-offline-installer-v1.7.1.tgz
2) Edit the configuration file harbor.cfg in the unpacked directory:
vim harbor.cfg
hostname = reg.harbor.com (must match the name the certificate was issued for)
ui_url_protocol = https
ssl_cert = /data/cert/reg.harbor.com.crt
ssl_cert_key = /data/cert/reg.harbor.com.key
3) Generate Harbor's configuration files from harbor.cfg:
# ./prepare
4) Start Harbor. Once harbor.cfg has been edited, running install.sh from the same directory is enough: it runs prepare itself, loads the bundled images and brings the containers up.
# ./install.sh
5) Check the running containers:
# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-core /harbor/start.sh Up (healthy)
harbor-db /entrypoint.sh postgres Up (healthy) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 80/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Up (healthy)
Starting and stopping Harbor:
Start Harbor
# docker-compose start
Stop Harbor
# docker-compose stop
Restart Harbor
# docker-compose restart
Recreate the containers (the documented way to apply a changed harbor.cfg: edit it, run ./prepare again, then bring the containers up, since start and restart reuse the existing containers)
# docker-compose -f docker-compose.yml up -d
6) Access Harbor:
https://reg.harbor.com or https://192.168.20.201
The default account is admin/Harbor12345. The password comes from harbor_admin_password = Harbor12345 in harbor.cfg. Harbor reads that value only on first start; afterwards the password lives in the database and the harbor.cfg value is ignored, so set a real password before running install.sh, or change it in the UI immediately afterwards.
7) Create a private project named k8s:
If a project is made public, anyone has read access to the images in it, and command-line users can pull from it without docker login. Keep k8s private so that pulls as well as pushes require authentication.
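A small audit of the harbor.cfg settings from steps 2 and 6 above, with a helper to correct them before ./prepare and install.sh run. This is an added example, not code from the page or from Harbor; write_sample_cfg embeds a constructed harbor.cfg containing only the keys this page uses, as test input rather than Harbor's real template, and the finding texts are this example's own. It flags ui_url_protocol other than https, missing ssl_cert/ssl_cert_key when https is set, a hostname of localhost or 127.0.0.1, and the default admin password.

```shell
#!/bin/sh
# Added example (not from the page or the Harbor project): audit the
# harbor.cfg keys discussed above and fix them in place. harbor.cfg is read
# only by ./prepare, and harbor_admin_password only on first start, so the
# time to catch a weak setting is before install.sh runs.

# cfg_get FILE KEY: print the value of "KEY = value" (first match, trimmed).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# cfg_set FILE KEY VALUE: replace the KEY line, or append one if absent.
# sed-special characters in VALUE (& | \) are escaped so a password that
# contains them is written literally.
cfg_set() {
    esc=$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $esc|" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# audit_harbor_cfg FILE: print one line per finding; exit 0 only if clean.
audit_harbor_cfg() {
    cfg=$1
    findings=0
    proto=$(cfg_get "$cfg" ui_url_protocol)
    if [ "$proto" != https ]; then
        echo "ui_url_protocol is '${proto:-unset}': logins and tokens would cross the network in clear text"
        findings=$((findings + 1))
    else
        for key in ssl_cert ssl_cert_key; do
            if [ -z "$(cfg_get "$cfg" "$key")" ]; then
                echo "$key is unset although ui_url_protocol is https"
                findings=$((findings + 1))
            fi
        done
    fi
    host=$(cfg_get "$cfg" hostname)
    case "$host" in
        ""|localhost|127.0.0.1)
            echo "hostname is '${host:-unset}': it must be the name clients use and the name in the certificate"
            findings=$((findings + 1)) ;;
    esac
    pw=$(cfg_get "$cfg" harbor_admin_password)
    if [ -z "$pw" ] || [ "$pw" = Harbor12345 ]; then
        echo "harbor_admin_password is the documented default; change it before first start"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_sample_cfg FILE: constructed test input mirroring the page's
# settings before hardening (http, default admin password). Not the real
# harbor.cfg template.
write_sample_cfg() {
    cat > "$1" <<'EOF'
## Constructed sample of the harbor.cfg keys used on this page
hostname = reg.harbor.com
ui_url_protocol = http
ssl_cert = /data/cert/reg.harbor.com.crt
ssl_cert_key = /data/cert/reg.harbor.com.key
harbor_admin_password = Harbor12345
EOF
}

# Usage: sh audit-harbor-cfg.sh harbor.cfg   (exit status 1 if anything is flagged)
if [ $# -eq 1 ]; then
    audit_harbor_cfg "$1"
fi
```

Running audit_harbor_cfg on the sample reports the http protocol and the default password; after cfg_set has switched ui_url_protocol to https and set a new harbor_admin_password it exits 0, and it fails again if ssl_cert_key is blanked while https is kept.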
Client configuration
1) Name resolution
echo "192.168.20.201 reg.harbor.com" >>/etc/hosts
2) Create the certificate directory on the client
mkdir /etc/docker/certs.d/reg.harbor.com/ -p
Copy reg.harbor.com.crt from the Harbor server into that directory (run on the server; 192.168.20.202 is the client):
scp /data/cert/reg.harbor.com.crt 192.168.20.202:/etc/docker/certs.d/reg.harbor.com/
Docker treats every .crt file in this directory as a trust anchor for reg.harbor.com. Copying ca.crt instead of the server certificate works too and is the better choice: clients keep working when the server certificate is reissued under the same CA.
3) Restart the Docker service
systemctl restart docker
4) Log in
docker login -u admin -p Harbor12345 reg.harbor.com
Passing the password with -p leaves it in the shell history and the process list; docker login --username admin --password-stdin reg.harbor.com reads it from standard input instead.
5) Push an image
docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3 reg.harbor.com/k8s/kubernetes-dashboard-amd64:v1.8.3
docker push reg.harbor.com/k8s/kubernetes-dashboard-amd64:v1.8.3
The project name (k8s) must be part of the image path; a push to reg.harbor.com/<image> with no project component is rejected.
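The client steps above as one script. This is an added example, not code from the page or from Harbor; the HARBOR_PASSWORD environment variable, the script name and the function names are this example's own. It differs from the commands on the page in two places: ca.crt rather than the server certificate is installed under certs.d, and the password reaches docker login through --password-stdin rather than -p. harbor_ref is the offline part: it rewrites an upstream image reference into the registry/project/name:tag form Harbor requires, adding :latest when the source has no tag.

```shell
#!/bin/sh
# Added example (not from the page or the Harbor project): the client-side
# procedure above as one script. HARBOR_PASSWORD and the function names are
# this example's conventions. Changes from the commands on the page:
#   * the CA certificate goes into certs.d, so the server certificate can
#     be rotated without touching every client;
#   * the password is passed with --password-stdin instead of -p, so it
#     does not land in shell history or in `ps` output.

# harbor_ref REGISTRY PROJECT IMAGE: keep only the last path component and
# the tag of IMAGE, prefixed with REGISTRY/PROJECT, e.g.
#   mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3
#   -> reg.harbor.com/k8s/kubernetes-dashboard-amd64:v1.8.3
# A push without the project component is rejected by Harbor.
harbor_ref() {
    registry=$1
    project=$2
    image=$3
    name=${image##*/}                  # strip upstream registry/namespace
    case "$name" in
        *:*) ;;                        # tag present
        *)   name="$name:latest" ;;    # docker treats an untagged image as :latest
    esac
    printf '%s/%s/%s\n' "$registry" "$project" "$name"
}

# certs_dir HOST: the directory dockerd consults for HOST's trust anchors.
certs_dir() {
    printf '/etc/docker/certs.d/%s\n' "$1"
}

# trust_registry_ca HOST CA_FILE: install CA_FILE as HOST's trust anchor.
# dockerd re-reads certs.d when it opens a connection, so the restart on
# the page is harmless but not required.
trust_registry_ca() {
    dir=$(certs_dir "$1")
    mkdir -p "$dir" && cp "$2" "$dir/ca.crt"
}

# registry_login HOST USER: password taken from HARBOR_PASSWORD if set
# (piped to --password-stdin), otherwise docker login prompts for it.
# Either way it never appears on the command line.
registry_login() {
    if [ -n "${HARBOR_PASSWORD:-}" ]; then
        printf '%s' "$HARBOR_PASSWORD" | docker login -u "$2" --password-stdin "$1"
    else
        docker login -u "$2" "$1"
    fi
}

# push_to_harbor HOST PROJECT IMAGE: tag under the project path and push.
push_to_harbor() {
    target=$(harbor_ref "$1" "$2" "$3")
    docker tag "$3" "$target" && docker push "$target"
}

# Usage (ca.crt copied from the server beforehand, e.g. with scp):
#   HARBOR_PASSWORD=... sh harbor-client.sh reg.harbor.com /tmp/ca.crt admin k8s \
#       mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3
if [ $# -eq 5 ]; then
    trust_registry_ca "$1" "$2" \
        && registry_login "$1" "$3" \
        && push_to_harbor "$1" "$4" "$5"
fi
```

The /etc/hosts entry from step 1 is still needed on a client without DNS for reg.harbor.com; the script assumes the name already resolves.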