好好学习,天天向上!

0%

Harbor入门篇

发表于 分类于

Harbor简介

Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. As a CNCF Incubating project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.

更多内容参考Harbor官网

安装Harbor

前置条件

参考Harbor Installation Prerequisites

1、硬件需求
硬件最小需求:2C4G40G。
硬件推荐需求:4C8G160G。

2、软件需求
Docker engine,Version 17.06.0-ce+ or higher
Docker Compose,Version 1.18.0 or higher
Openssl,Latest is preferred

3、网络端口
444、4443和80

下载安装Harbor

1、访问Harbor releases page,下载需要的harbor版本,这里选择下载 harbor-offline-installer-v1.10.1.tgz

或者使用curl命令下载:

1
curl -C - -O -L https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz

2、解压

1
2
tar -xzvf harbor-offline-installer-v1.10.1.tgz
cd harbor

3、配置harbor.yml
安装前修改harbor.yaml,参考Configure the Harbor YML File,按需要修改如下几个字段:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.voidking.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
# https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# The default data volume
data_volume: /data

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

4、执行安装
./install.sh

如果安装完成发现配置错误,可以修改配置后再次执行脚本。
如果报错 ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule ,那么重启docker后再次执行脚本。

至此,harbor安装完成,没有配置https。

验证安装

浏览器验证

浏览器访问 http://192.168.56.200 ,可以看到harbor登录页面。
输入用户名密码,admin和Harbor12345,登录harbor控制台。

命令行验证

1
2
docker ps
docker login 192.168.56.200

输入用户名密码,admin和Harbor12345,登录报错:
Error response from daemon: Get https://192.168.56.200/v2/: dial tcp 192.168.56.200:443: connect: connection refused。

这是因为,docker1.3.x之后与registry交互,默认使用https协议。
修改/etc/docker/daemon.json,添加insecure-registries参数:

1
2
3
4
5
6
7
8
9
{
  "registry-mirrors": [
    "https://mirror.ccs.tencentyun.com"
  ],
  "insecure-registries": [
    "http://192.168.56.200",
    "http://harbor.voidking.com"
  ]
}

然后重启docker:

1
2
systemctl daemon-reload
systemctl restart docker

重新登录,成功。

使用

启动和停止

1、停止
docker-compose down -v

2、修改配置
修改harbor.yml后,执行./prepare

3、启动
docker-compose up -d

上传镜像

1
2
3
4
docker pull busybox:1.31
docker tag busybox:1.31 harbor.voidking.com/voidking/busybox:1.31
docker tag busybox:1.31 harbor.voidking.com/voidking/subpath/busybox:1.31
docker push harbor.voidking.com/voidking/busybox:1.31

报错:
The push refers to repository [harbor.voidking.com/voidking/busybox]
a6d503001157: Preparing
denied: requested access to the resource is denied

这是因为,需要先创建项目。在web控制台创建项目 voidking,再次上传,成功。带有subpath的镜像,同样可以上传成功。

下载镜像

1
docker pull harbor.voidking.com/voidking/busybox:1.31

高可用

如果搭建高可用harbor,比如搭建两个实例的harbor,那么需要XSRFKey保持一致,在 common/config/core/app.conf 中配置。