Harbor入门篇

1. Harbor简介

Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. As a CNCF Incubating project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.

更多内容参考Harbor官网。

2. 安装Harbor

2.1. 前置条件

参考Harbor Installation Prerequisites

1、硬件需求
硬件最小需求：2C4G40G。
硬件推荐需求：4C8G160G。

2、软件需求
Docker engine，Version 17.06.0-ce+ or higher
Docker Compose，Version 1.18.0 or higher
Openssl，Latest is preferred

3、网络端口
444、4443和80

2.2. 下载安装Harbor

harbor计划安装目录为/opt/harbor，数据目录为/opt/harbor_data

1、访问Harbor releases page，下载需要的harbor版本，这里选择下载 harbor-offline-installer-v1.10.1.tgz

cd ~
wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
# or
curl -C - -O -L https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz

2、解压

tar -xzvf harbor-offline-installer-v1.10.1.tgz
mv harbor /opt
cd /opt/harbor

3、配置harbor.yml

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.voidking.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
# https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# The default data volume
data_volume: /opt/harbor_data

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

配置说明：

• hostname: 指定harbor域名，这个域名的作用有两个：1）这是用来鉴权的域名，我们可以给harbor配置多个域名，但是在鉴权时只会请求这个域名；2）从页面拷贝docker pull命令时会使用这个域名作为前缀。
• https：建议注释掉，不要在这里配置证书，而是配置到nginx层。
• harbor_admin_password：harbor的admin用户密码。
• data_volume：存储镜像数据的路径。

更多配置内容，参考Configure the Harbor YML File

4、执行安装

./install.sh

如果安装完成发现配置错误，可以修改配置后再次执行脚本。
如果报错 ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule ，那么重启docker后再次执行脚本。

至此，harbor安装完成，没有配置https。

3. 修改Harbor配置

1、停止

docker-compose down -v

2、修改配置
修改harbor.yml后，执行

./prepare

3、启动

docker-compose up -d

注意：如果是修改harbor的hostname，harbor重新启动后，数据库内容和镜像内容是依然存在的，可以放心修改。

4. 验证Harbor安装

4.1. 浏览器验证

浏览器访问 http://192.168.56.200 ，可以看到harbor登录页面。
输入用户名密码，admin和Harbor12345，登录harbor控制台。

4.2. 登录验证

docker ps
docker login 192.168.56.200
docker login harbor.voidking.com

输入用户名密码，admin和Harbor12345，登录报错。

4.3. 登录验证报错处理

4.3.1. 报错connection refused

Error response from daemon: Get https://192.168.56.200/v2/: dial tcp 192.168.56.200:443: connect: connection refused

这是因为，docker1.3.x之后与registry交互，默认使用https协议。

1、修改/etc/docker/daemon.json，添加insecure-registries参数

{
  "registry-mirrors": [
    "https://mirror.ccs.tencentyun.com"
  ],
  "insecure-registries": [
    "http://192.168.56.200",
    "http://harbor.voidking.com"
  ]
}

2、重启docker和harbor

systemctl daemon-reload
systemctl restart docker
docker info

cd /opt/harbor
docker-compose up -d
docker-compose ps -a

4.3.2. 报错Service Unavailable

Error response from daemon: Get “https://192.168.56.200/v2/": Service Unavailable
或者
Error response from daemon: Get “http://192.168.56.200/v2/": received unexpected HTTP status: 503 Service Unavailable

这个错误，大概率是因为docker配置了代理，docker配置代理的方法参考《Linux配置网络代理》。

1、去掉docker代理，或者在代理配置的NO_PROXY变量中加入harbor的IP和域名

vim /etc/systemd/system/docker.service.d/http-proxy.conf

2、重启docker和harbor

systemctl daemon-reload
systemctl restart docker
docker info

cd harbor
docker-compose up -d

4.3.3. 报错no such host

Error response from daemon: Get “http://192.168.56.200/v2/": Get “http://harbor.voidking.com/service/token?account=admin&client_id=docker&offline_token=true&service=harbor-registry": dial tcp: lookup harbor.voidking.com: no such host

在/etc/hosts中添加解析：

harbor.voidking.com 192.168.56.200

重新登录，成功。

5. 使用Harbor

5.1. 启动和停止Harbor

参考文档Reconfigure Harbor and Manage the Harbor Lifecycle

cd /opt/harbor

# 查看容器状态
docker-compose ps -a

# 停止harbor
docker-compose stop

# 启动harbor
docker-compose start

5.2. 上传镜像

docker pull busybox:1.31
docker tag busybox:1.31 harbor.voidking.com/voidking/busybox:1.31
docker tag busybox:1.31 harbor.voidking.com/voidking/subpath/busybox:1.31

docker push harbor.voidking.com/voidking/busybox:1.31

docker push如果报错：
The push refers to repository [harbor.voidking.com/voidking/busybox]
a6d503001157: Preparing
denied: requested access to the resource is denied
这是因为，需要先创建项目。在web控制台创建项目 voidking，再次上传，成功。带有subpath的镜像，同样可以上传成功。

5.3. 下载镜像

docker pull harbor.voidking.com/voidking/busybox:1.31

5.4. 查找docker-compose.yml

如果不知道harbor docker-compose.yml的目录，就没有办法对harbor服务进行启停。
查找docker-compose.yml最好使用locate命令，速度快。

locate docker-compose.yml

5.5. 修改harbor数据库

参考文档：《PostgreSQL入门篇》

6. 错误排查

cd /var/log/harbor/
ls -l
tail -n 100 core.log

7. 配置Harbor自动启动

当docker发生了重启之后，需要手动执行docker-compose start启动harbor，比较麻烦，因此最好配置上harbor的自动启动。详情参考Docker 笔记 - 将 Harbor 设置为系统服务

1、准备systemd配置文件

vim /etc/systemd/system/harbor.service

harbor.service内容如下：

[Unit]
Description=harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f  /opt/harbor/docker-compose.yml start
ExecStop=/usr/local/bin/docker-compose -f  /opt/harbor/docker-compose.yml stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

2、设置开机自启动

systemctl daemon-reload
systemctl enable harbor.service
systemctl status harbor.service
docker-compose ps -a

3、测试重启docker后harbor自启动

systemctl restart docker
systemctl status harbor.service
docker-compose ps -a

8. 高可用

如果搭建高可用harbor，比如搭建两个实例的harbor，那么需要XSRFKey保持一致，在 common/config/core/app.conf 中配置。

9. Harbor同步配置

参考文档：

• Creating Replication Endpoints
• Creating a Replication Rule