Setting up a private Docker image registry with Harbor

Reference documentation:

I. Introduction to Harbor

Harbor is an enterprise-class container image registry open-sourced by VMware. It builds on Docker Registry and adds a web UI, role-based access control, audit logging and image vulnerability scanning, which makes it suitable for a much wider range of deployments.

It consists roughly of the following components; their functions and configuration will be covered as they come up during use:

  • harbor-jobservice
  • nginx
  • harbor-ui
  • harbor-db
  • registry
  • harbor-adminserver
  • harbor-log

II. Setting up a private Harbor registry

1. Environment requirements

docker version 17.06.0+
docker-compose version higher than 1.6.0

The environment used for this walkthrough is as follows:

2. Installation

At the time of writing the latest Harbor release is 1.10.1; the offline installer package for that version can be downloaded here.

1. Download and extract

[root@xxxx harbor]# ll -h
total 643M
-rw-r--r-- 1 root root 643M Mar 26 00:24 harbor-offline-installer-v1.10.1.tgz
# extract the installer package
[root@xxxx harbor]# tar zxvf harbor-offline-installer-v1.10.1.tgz
harbor/harbor.v1.10.1.tar.gz
harbor/prepare # script that performs preparatory work such as creating directories
harbor/LICENSE
harbor/install.sh # Harbor installation script; run it once the configuration file has been edited, and if it reports no errors the installation is complete
harbor/common.sh # pre-install check that docker, docker-compose and the rest of the base environment meet the requirements; install.sh runs this script first
harbor/harbor.yml # Harbor configuration file

2. Harbor configuration

# If nothing else needs to change, editing hostname is enough
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: x.x.x.x # set this to the IP of the host you are installing on

3. Explanation of the harbor.yml settings

[root@xxxx harbor]# vim harbor.yml
# hostname: the host name; must not be 127.0.0.1, localhost or 0.0.0.0
hostname: reg.mydomain.com

# http settings: for security reasons the project does not recommend plain http in production, as it is exposed to man-in-the-middle attacks
http:
  # http port, default 80
  port: 80

# https settings; enabling https on Harbor is described later
https:
  # https port, default 443; used to reach the Harbor UI and for docker push and similar commands
  port: 443
  # path to the SSL certificate
  certificate: /your/certificate/path
  # path to the SSL private key
  private_key: /your/private/key/path

# Optional external URL; when enabled, the hostname above is no longer used for access. Disabled (commented out) by default
# external_url: https://reg.mydomain.com:8433

# Default Harbor administrator password for the web UI; the default user name is admin and the default password is Harbor12345
harbor_admin_password: Harbor12345

# Harbor DB settings. Harbor ships with a database component, which can be dropped in favour of an external database, but the official documentation states that only PostgreSQL is supported. Using an external database requires enabling and filling in the external_database section; an external Redis can be enabled the same way
database:
  # database password
  password: root123
  # maximum number of idle connections in the pool; 0 or less means no idle connections are kept
  max_idle_conns: 50
  # maximum number of open connections to the database; 0 or less means unlimited
  max_open_conns: 100
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   clair_db_index: 4

# location on the host where Harbor stores its data
data_volume: /data

# Harbor stores image and chart data locally by default; storage_service lets it use another storage backend, with settings such as the CA bundle path and filesystem options
# storage_service:
#   ca_bundle:
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair image scanning settings, which check the security of the container base layers; how it works has not been studied yet and will be added later. Harbor's default interval is 12h; set it to 0 to disable
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

# jobservice is one of the Harbor components; it mainly handles image replication. Details to follow
jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log settings; Harbor collects logs with rsyslog by default
log:
  # log level, options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # size at which a log file is rotated; k, M and G may be used as units
    rotate_size: 200M
    # log storage path
    location: /var/log/harbor

  # enable this to forward logs to an rsyslog server
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

# proxy settings
proxy:
  http_proxy:
  https_proxy:
  # no_proxy endpoints will appended to 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair,chartmuseum,notary-server
  no_proxy:
  components:
    - core
    - jobservice
    - clair

4. Configure and start

Since this is only a test deployment, only the hostname, the data directory and the log directory were changed; https was turned off and the default http service is used to make testing easier. The changes are:

[root@xxx harbor]# vim harbor/harbor.yml
hostname: 10.162.17.78
data_volume: /work/docker/harbor/data
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /work/docker/harbor/log

Once the configuration file has been edited, run install.sh to perform the installation

# Run the installer; if one of the steps below fails, fix that step and rerun
[root@xxxx harbor]# ./install.sh
## 1. Check that docker is installed and its version
[Step 0]: checking if docker is installed ...

Note: docker version: 18.03.1
## 2. Check that docker-compose is installed and its version
[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.25.4
## 3. Load the Harbor images
[Step 2]: loading Harbor images ...
47a4bb1cfbc7: Loading layer [==================================================>] 34.26MB/34.26MB
c2d9cf7a4eaf: Loading layer [==================================================>] 9.056MB/9.056MB
...
54b809bfb5ec: Loading layer [==================================================>] 10.24kB/10.24kB
Loaded image: goharbor/harbor-db:v1.10.1

## 4. Prepare the environment and check that the hostname in config.yml is set correctly
[Step 3]: preparing environment ...
## 5. Prepare the configuration files
[Step 4]: preparing harbor configs ...
prepare base dir is set to /work/docker/harbor/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

## 6. Start Harbor
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating registry ... done
Creating redis ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

# As the output shows, Harbor ends up running the nginx, redis, registry, db, log and other modules
[root@xxx harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b2a00d220528 goharbor/harbor-jobservice:v1.10.1 "/harbor/harbor_jobs…" 4 minutes ago Up 4 minutes (healthy) harbor-jobservice
3bbf43ca6e63 goharbor/nginx-photon:v1.10.1 "nginx -g 'daemon of…" 4 minutes ago Up 4 minutes (healthy) 0.0.0.0:80->8080/tcp nginx
f3024394558d goharbor/harbor-core:v1.10.1 "/harbor/harbor_core" 4 minutes ago Up 4 minutes (healthy) harbor-core
a2a1f9f07e4e goharbor/redis-photon:v1.10.1 "redis-server /etc/r…" 4 minutes ago Up 4 minutes (healthy) 6379/tcp redis
042965f58cf7 goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1 "/home/harbor/entryp…" 4 minutes ago Up 4 minutes (healthy) 5000/tcp registry
cbd4a760d1ee goharbor/harbor-portal:v1.10.1 "nginx -g 'daemon of…" 4 minutes ago Up 4 minutes (healthy) 8080/tcp harbor-portal
a2e008d5258d goharbor/harbor-registryctl:v1.10.1 "/home/harbor/start.…" 4 minutes ago Up 4 minutes (healthy) registryctl
f8a3567b9172 goharbor/harbor-db:v1.10.1 "/docker-entrypoint.…" 4 minutes ago Up 4 minutes (healthy) 5432/tcp harbor-db
84343b0a3fb5 goharbor/harbor-log:v1.10.1 "/bin/sh -c /usr/loc…" 4 minutes ago Up 4 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log

## The data and log directories set in the configuration file each contain the data of the individual modules
[root@xxx harbor]# ls data/
ca_download database job_logs psc redis registry secret
[root@xxx harbor]# ls log/
core.log jobservice.log portal.log postgresql.log proxy.log redis.log registryctl.log registry.log

III. Image push and pull test

Harbor is now running; log in through the web UI and create a private image repository.

1. Log in

2. Create a private image repository

3. Client login without https

# Running docker login against Harbor at this point fails; hostname and port below are the name and port set in the Harbor configuration file
[root@xxxx harbor]# docker login [hostname]:[port]
Username: admin
Password:
Error response from daemon: Get https://[hostname:port]/v2/: http: server gave HTTP response to HTTPS client
# This happens because Harbor was started on its http port while the Docker client uses https by default, so Docker has to be told about the registry: add insecure-registries at the end of the file
[root@xxxx harbor]# vim /etc/docker/daemon.json
{
  "graph": "/work/docker/data",
  "insecure-registries": [ "hostname:port" ]
}
# After editing, restart docker so the change takes effect
[root@xxxx harbor]# systemctl restart docker.service
# Use docker info to verify that the entry was picked up
[root@xxxx harbor]# docker info
Containers: 10
Running: 1
Paused: 0
Stopped: 9
Images: 37
...
Experimental: false
Insecure Registries:
hostname:port
127.0.0.0/8
Live Restore Enabled: false

The above is how the client is configured for non-https login on systems such as CentOS and Ubuntu. Hosts running Docker Desktop, such as macOS, do not have this file; the setting has to be changed in Docker Desktop instead, followed by a restart of Docker.
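Editing /etc/docker/daemon.json by hand, as above, is easy to get wrong: a stray comma leaves dockerd unable to start, and a second edit can add the same entry twice. The helper below is an added example, not part of the original post or of Docker; it merges one insecure-registries entry into the file's JSON while preserving the other keys (the "graph" key from the post), adds it only once, and accepts only an explicit host:port (a constructed policy for this example, so the plain-HTTP exception covers exactly the one Harbor host it is meant for). The sample daemon.json is constructed from the post.

```python
"""Added example (not from the post or Docker): merge an insecure-registries
entry into daemon.json while keeping the file valid JSON, preserving other
keys, adding the entry only once and accepting only an explicit host:port
(a constructed policy for this example, not a Docker rule)."""
import json
import re

HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:[0-9]{1,5}$")


def add_insecure_registry(daemon_json_text, registry):
    """Return the updated daemon.json text; raises ValueError on bad input."""
    if not HOST_PORT.match(registry):
        raise ValueError("expected host:port, got %r" % registry)
    # An absent or empty daemon.json means "no custom settings yet".
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    registries = config.setdefault("insecure-registries", [])
    if registry not in registries:          # idempotent: add once
        registries.append(registry)
    return json.dumps(config, indent=2) + "\n"


def insecure_registries(daemon_json_text):
    """List the plain-HTTP registry exceptions a daemon.json grants."""
    return list(json.loads(daemon_json_text).get("insecure-registries", []))


# Constructed: the daemon.json from the post before the edit
BEFORE = '{\n  "graph": "/work/docker/data"\n}\n'

if __name__ == "__main__":
    after = add_insecure_registry(BEFORE, "10.162.17.78:80")
    print(after)
    print(insecure_registries(after))
```

Write the returned text back to /etc/docker/daemon.json and restart Docker as shown above; docker info should then list the single entry under Insecure Registries.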


4. Push an image

[root@xxxx harbor]# docker login hostname:port
Username: admin
Password:
Login Succeeded
[root@xxxx harbor]# docker tag clickhouse-server-demo:1.0 hostname:port/clickhouse/clickhouse-server-demo:1.0
[root@xxxx harbor]# docker push hostname:port/clickhouse/clickhouse-server-demo:1.0
The push refers to repository [hostname:port/clickhouse/clickhouse-server-demo]
4e418dcae3b7: Pushed
e6fad812466e: Pushed
b05b15db2cd1: Pushed
1c79e943c270: Pushed
0dbb638d17fd: Pushed
a5c6f2a2f0f4: Pushed
e0367eb23283: Pushed
16542a8fc3be: Pushed
6597da2e2e52: Pushed
977183d4e999: Pushed
c8be1b8f4d60: Pushed
1.0: digest: sha256:6247b85f528c16e534a6f8c3be2b7baa70054d0be0a4ffa42b256259034c3268 size: 2617

5. Pull an image

# Pull the image from a second machine used as a test client; the Harbor web UI will also show the pull count change to 1
[root@xx ~]# docker pull hostname:port/clickhouse/clickhouse-server-demo:1.0