Reprinted from: https://cloud.tencent.com/developer/article/1010619
1. Harbor introduction
The development and operation of Docker container applications depend on reliable image management. Although Docker provides an official public image registry, deploying a Registry in a private environment is also necessary for reasons of security and efficiency. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It provides access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese-language support.
2. Environment and software preparation
This demonstration runs on a CentOS 7 Linux virtual machine. The installed software and versions are:
- Docker: version 1.12.6
- Docker-compose: version 1.13.0
- Harbor: version 1.1.2
Note: all of Harbor's service components run in Docker containers, so the official installation uses docker-compose for quick deployment; Docker and docker-compose must therefore be installed first. Because Harbor is built on Docker Registry v2, Docker 1.10.0 or later and docker-compose 1.6.0 or later are required.
1) Docker installation
- Official installation guide: Docker for CentOS
- Install Docker using yum (or up2date)
2) Docker-compose installation
1. Download the specified version of docker-compose (as root, or with sudo, since it writes under /usr/local/bin):
   $ curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
   Before marking the binary executable, compare it against the SHA-256 checksum published on the same release page: a binary fetched over curl and later run with root privileges is a supply-chain risk if it has been tampered with.
2. Give the binary executable permission:
   $ sudo chmod +x /usr/local/bin/docker-compose
3. Check that docker-compose was installed successfully:
   $ docker-compose --version
   docker-compose version 1.13.0, build 1719ceb
3. Harbor service setup
1) Download the Harbor installer. Get the installation package of the desired version from the release page of the Harbor project on GitHub. The online installer pulls Harbor's images from Docker Hub when install.sh runs; the offline installer bundles them in the tarball.
1. Online installer:
   $ wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-online-installer-v1.1.2.tgz
   $ tar xvf harbor-online-installer-v1.1.2.tgz
2. Offline installer:
   $ wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-offline-installer-v1.1.2.tgz
   $ tar xvf harbor-offline-installer-v1.1.2.tgz
2) Configure Harbor. After extraction, the directory contains harbor.cfg, Harbor's configuration file:
## Configuration file of Harbor

# hostname sets the access address; an IP address or domain name may be used, but not 127.0.0.1 or localhost
hostname = 10.236.63.76

# The default access protocol is http; https can also be set. If https is set, the SSL certificate paths below must be configured for nginx
ui_url_protocol = http

# The default password of the root user of the MySQL database is root123; change it in a real deployment
db_password = root123

max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA

# Mail settings, used when sending password-reset mail
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = firstname.lastname@example.org
email_password = abc
email_from = admin <email@example.com>
email_ssl = false

# After Harbor starts, the administrator's UI login password is Harbor12345 by default
harbor_admin_password = Harbor12345

# Authentication mode. Several modes are supported, such as LDAP and local database authentication; the default is db_auth (MySQL database authentication)
auth_mode = db_auth

# LDAP authentication configuration items
#ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
#ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
#ldap_uid = uid
#ldap_scope = 3
#ldap_timeout = 5

# Enable self-registration
self_registration = on

# Token validity period, 30 minutes by default
token_expiration = 30

# Who may create projects: everyone (default) or adminonly
project_creation_restriction = everyone

# Verify the TLS certificate of remote registries during replication
verify_remote_cert = on
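The comments above say the database and admin passwords "can be modified"; in practice every one of those defaults should be changed before the host is reachable by anyone else. The following is an added example written for this page (not part of the original article or of the Harbor project) that parses harbor.cfg and flags the settings worth reviewing. The two embedded configurations are constructed for the example: one mirrors the article's values, the other is the same deployment hardened.

```python
"""Audit a harbor.cfg for settings that are unsafe outside a lab.

Added example, not part of the original article or the Harbor project.
It parses the flat 'key = value' format of harbor.cfg and flags the shipped
defaults the article says to change, plus settings that widen exposure.
Both configurations below are constructed for this example.
"""
import sys

# Values shipped in the article's harbor.cfg; a deployment still using them is a finding.
KNOWN_DEFAULTS = {
    "harbor_admin_password": "Harbor12345",
    "db_password": "root123",
}


def parse_harbor_cfg(text):
    """Parse 'key = value' lines; '#' comment lines and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_harbor_cfg(cfg):
    """Return a list of (severity, key, message) findings; an empty list means clean."""
    findings = []
    for key, default in KNOWN_DEFAULTS.items():
        if cfg.get(key) == default:
            findings.append(("high", key, "still set to the shipped default %r" % default))
    protocol = cfg.get("ui_url_protocol", "http").lower()
    if protocol != "https":
        findings.append(("high", "ui_url_protocol",
                         "http: docker login sends credentials in cleartext and clients need --insecure-registry"))
    else:
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append(("high", key, "https enabled but no certificate path configured"))
    # Self-registration only matters for local database auth; LDAP users come from the directory.
    if cfg.get("auth_mode", "db_auth") == "db_auth" and cfg.get("self_registration", "on").lower() == "on":
        findings.append(("medium", "self_registration", "anyone who can reach the UI can create an account"))
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        findings.append(("low", "project_creation_restriction", "any user can create projects"))
    if cfg.get("verify_remote_cert", "on").lower() != "on":
        findings.append(("medium", "verify_remote_cert", "TLS certificates of replication targets are not verified"))
    return findings


# Constructed sample: the values from the article's harbor.cfg.
LAB_CFG = """\
hostname = 10.236.63.76
ui_url_protocol = http
db_password = root123
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
verify_remote_cert = on
"""

# Constructed sample: the same deployment after hardening.
HARDENED_CFG = """\
hostname = harbor.example.internal
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
db_password = Xr7v-long-random-db-secret
harbor_admin_password = Qm2p-long-random-admin-secret
auth_mode = db_auth
self_registration = off
token_expiration = 30
project_creation_restriction = adminonly
verify_remote_cert = on
"""

if __name__ == "__main__":
    # Usage: python harbor_cfg_audit.py /path/to/harbor.cfg (defaults to the lab sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LAB_CFG
    for severity, key, message in audit_harbor_cfg(parse_harbor_cfg(text)):
        print("[%s] %s: %s" % (severity.upper(), key, message))
```

Run it against the real harbor.cfg before install.sh; the lab sample produces five findings, the hardened sample none. The hostname, certificate paths and passwords in the hardened sample are placeholders, not values from the article.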
3) Start Harbor. After editing the configuration file, run ./install.sh in that directory. Harbor is then brought up from docker-compose.yml: the dependent images are downloaded and checked, and the services are started in order. The images Harbor depends on and the running services are:
# docker images
REPOSITORY                  TAG               IMAGE ID       CREATED         SIZE
vmware/harbor-jobservice    v1.1.2            ac332f9bd31c   10 days ago     162.9 MB
vmware/harbor-ui            v1.1.2            803897be484a   10 days ago     182.9 MB
vmware/harbor-adminserver   v1.1.2            360b214594e7   10 days ago     141.6 MB
vmware/harbor-db            v1.1.2            6f71ee20fe0c   10 days ago     328.5 MB
vmware/registry             2.6.1-photon      0f6c96580032   4 weeks ago     150.3 MB
vmware/harbor-notary-db     mariadb-10.1.10   64ed814665c6   10 weeks ago    324.1 MB
vmware/nginx                1.11.5-patched    8ddadb143133   10 weeks ago    199.2 MB
vmware/notary-photon        signer-0.5.0      b1eda7d10640   11 weeks ago    155.7 MB
vmware/notary-photon        server-0.5.0      6e2646682e3c   3 months ago    156.9 MB
vmware/harbor-log           v1.1.2            9c46a7b5e517   4 months ago    192.4 MB
photon                      1.0               e6e4e4a2ba1b   11 months ago   127.5 MB

# docker-compose ps
       Name                      Command                State   Ports
----------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver        Up
harbor-db            docker-entrypoint.sh mysqld       Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice         Up
harbor-log           /bin/sh -c crond && rm -f ...     Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                 Up
nginx                nginx -g daemon off;              Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ...    Up      5000/tcp
After startup, Harbor is reachable at the hostname just configured, http://10.236.63.76/, on port 80 by default. If the port is already in use, change the port mapping of the corresponding service in docker-compose.yml. Note in the docker-compose ps output that only nginx publishes ports on all interfaces (80, 443, and 4443 for Notary); the database, registry and job service are reachable only on the internal compose network, and the log collector listens on loopback only.
4) Log in to the Harbor web UI with the user name admin and the default password (or the one set in harbor.cfg).
We can see that each module of the system is as follows:
- Projects: add/delete projects, view image repositories, add members to a project, view operation logs, replicate projects, etc.
- Logs: create, push, pull and other operations on each image in the registry
- System management
  - User management: add/delete users, set administrators, etc.
  - Replication management: add/delete replication targets (endpoints), create/delete/start/stop replication rules, etc.
  - Configuration management: authentication mode, replication, email settings, system settings, etc.
- Other settings
  - Account settings: change user name and email
  - Change password: change the user's password
Note: a user who is not a system administrator sees only the projects and logs they have permission for; the other modules are not shown.
5) Create a project. We create a new project named wanyang and leave it private (not public). Note: when a project is set to public, anyone who can reach the registry has read access to the images under it and can pull them from the command line without docker login. Keep projects private unless the images are meant to be readable by everyone.
Once the project exists, we can push a local image to the Harbor registry with the admin account. For example, push the local nginx image:
1. Log in as admin:
   $ docker login 10.236.63.76
   Username: admin
   Password:
   Login Succeeded
2. Tag the image:
   $ docker tag nginx 10.236.63.76/wanyang/nginx:latest
   $ docker images
   REPOSITORY                   TAG      IMAGE ID       CREATED       SIZE
   nginx                        latest   958a7ae9e569   2 weeks ago   109 MB
   10.236.63.76/wanyang/nginx   latest   958a7ae9e569   2 weeks ago   109 MB
3. Push to the registry:
   $ docker push 10.236.63.76/wanyang/nginx
   The push refers to a repository [10.236.63.76/wanyang/nginx]
   a552ca691e49: Pushed
   7487bf0353a7: Pushed
   8781ec54ba04: Pushed
   latest: digest: sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268 size: 948
After the push, log in to the Harbor web UI and open the project wanyang; the nginx image just uploaded is listed there.
6) Create users and assign permissions. So far everything was done as admin; in real use each person logs in with their own account, so a new user must be created. For that user to be able to operate on the project, they must also be added as a project member. Create a test user named wanyang: click System Management -> User Management -> Create User and fill in the user name, email, password and other information.
Add the wanyang user as a member of the wanyang project: click Projects -> wanyang -> Members -> New Member, fill in the name and select a role.
Now, from the local machine, use the wanyang account to pull the nginx image just uploaded.
1. Remove the local tag first (the nginx image was just pushed from this machine; a direct pull would find it locally and skip the download):
   $ docker rmi -f 10.236.63.76/wanyang/nginx
   Untagged: 10.236.63.76/wanyang/nginx:latest
   Untagged: 10.236.63.76/wanyang/nginx@sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268
2. Log out of the admin account and log in as wanyang:
   $ docker logout 10.236.63.76
   Removing login credentials for 10.236.63.76
   $ docker login 10.236.63.76
   Username: wanyang
   Password:
   Login Succeeded
3. Pull the image from Harbor:
   $ docker pull 10.236.63.76/wanyang/nginx:latest
   latest: Pulling from wanyang/nginx
   Digest: sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268
   Status: Downloaded newer image for 10.236.63.76/wanyang/nginx:latest
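What docker login and docker pull actually do against Harbor is the Docker Registry v2 bearer-token flow, which is also why a public project can be pulled without logging in and why a non-member gets "no pull access". The following is an added example written for this page, not code from the article or from Harbor: the registry's 401 challenge and the two tokens are constructed samples, the realm path /service/token, the service name harbor-registry and the issuer name follow Harbor's registry token configuration but are assumptions here, and the tokens are unsigned so that the example runs offline.

```python
"""Walk through the Registry v2 bearer-token flow behind 'docker login' and
'docker pull' against Harbor.

Added example, not code from the original article or from Harbor. The
challenge header and the tokens are constructed samples: the realm path
/service/token, the service name harbor-registry and the issuer name follow
Harbor's registry token configuration but are assumptions here, and the
tokens carry no signature so that the example runs offline.
"""
import base64
import json
import re
from urllib.parse import urlencode

# 1. A pull of a private image starts with GET /v2/wanyang/nginx/manifests/latest.
#    Without a token the registry answers 401 with a challenge like this one:
SAMPLE_CHALLENGE = ('Bearer realm="http://10.236.63.76/service/token",'
                    'service="harbor-registry",'
                    'scope="repository:wanyang/nginx:pull"')

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a WWW-Authenticate: Bearer header into its realm/service/scope parts."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(_PARAM_RE.findall(params))


def token_request_url(challenge):
    """2. Build the URL the docker client fetches a token from. For 'docker login'
    the credentials travel as HTTP Basic auth on this request; a public project
    gets a pull token with no credentials at all."""
    query = {"service": challenge["service"], "scope": challenge["scope"]}
    return challenge["realm"] + "?" + urlencode(query)


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """3. Decode the token payload WITHOUT verifying the signature. The registry
    verifies it against Harbor's root certificate; this decoder only shows what
    the token grants and must not be used for access decisions."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def grants(claims, repository, action):
    """True if the token's access list allows `action` on `repository`."""
    for entry in claims.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repository:
            return action in entry.get("actions", [])
    return False


def make_unsigned_token(access, issuer="harbor-token-issuer", lifetime=30 * 60):
    """Constructed, UNSIGNED token (alg=none, empty signature) for offline use.
    Harbor's real tokens are signed with its private key; the 30-minute lifetime
    mirrors token_expiration = 30 in harbor.cfg. The exp value is a fixed
    constructed epoch, not the current time."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": issuer, "aud": "harbor-registry",
               "exp": 1500000000 + lifetime, "access": access}
    return _b64url_encode(header) + "." + _b64url_encode(payload) + "."


# Token for a member of project wanyang (constructed) and for a user who is not a
# member: the token service leaves the repository out of the access list, the
# manifest request is refused, and the client prints "does not exist or no pull access".
MEMBER_TOKEN = make_unsigned_token([{"type": "repository", "name": "wanyang/nginx",
                                     "actions": ["pull", "push"]}])
STRANGER_TOKEN = make_unsigned_token([])

if __name__ == "__main__":
    challenge = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print("token request:", token_request_url(challenge))
    for label, token in (("member", MEMBER_TOKEN), ("non-member", STRANGER_TOKEN)):
        allowed = grants(token_claims(token), "wanyang/nginx", "pull")
        print("%s may pull wanyang/nginx: %s" % (label, allowed))
```

The point for a reviewer is that the registry itself never sees a password: it trusts whatever the Harbor token service signs, so the security of every pull and push rests on the token service's private key and on the project membership it consults when it fills in the access list.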
7) Configure image replication. First, set up at least two Harbor instances:
- Harbor1: 10.236.63.76
- Harbor2: 10.236.63.62
An image has already been pushed to Harbor1, so Harbor1 is the source and Harbor2 the replication target; images on Harbor1 should be copied to Harbor2 automatically.
Configure the replication rule: click Projects -> wanyang -> Replication -> New Replication Rule, and fill in the name, target name, target URL and other information. Note: the target URL here is the address of the replication node Harbor2, http://10.236.63.62, and the user name and password are the admin account and password configured on Harbor2. Harbor1 stores these credentials and, with an http target URL, sends them and the image content in cleartext; use an https target URL where possible (verify_remote_cert = on in harbor.cfg then checks the target's certificate). If Enable is checked, the images that need to be synchronized are detected and replicated as soon as the rule is created.
To show the effect, push an image maven:3-jdk-8 into the wanyang project on Harbor1 and check whether the newly uploaded image is synchronized to Harbor2 automatically.
After the push, the rule reports that replication to Harbor2 has completed. Logging in to the web UI of Harbor2 shows that the image was replicated automatically, and the operation log was replicated along with it.
Now pull the just-synchronized maven image from Harbor2; it works:
$ docker login 10.236.63.62
Username: admin
Password:
Login Succeeded
$ docker pull 10.236.63.62/wanyang/maven:3-jdk-8
3-jdk-8: Pulling from wanyang/maven
Digest: sha256:16e68f691322cd425d27c798f88df4eb3c4322fe294067f21325b36ec587fa06
Status: Downloaded newer image for 10.236.63.62/wanyang/maven:3-jdk-8
$ docker images
REPOSITORY                   TAG       IMAGE ID       CREATED       SIZE
nginx                        latest    958a7ae9e569   2 weeks ago   109 MB
10.236.63.76/wanyang/nginx   latest    958a7ae9e569   2 weeks ago   109 MB
10.236.63.62/wanyang/maven   3-jdk-8   c58c661bb6ad   5 weeks ago   653 MB
10.236.63.76/wanyang/maven   3-jdk-8   c58c661bb6ad   5 weeks ago   653 MB
maven                        3-jdk-8   c58c661bb6ad   5 weeks ago   653 MB
Looking at the operation logs on Harbor1 and Harbor2, the entries appear in the order in which the operations were performed.
- After configuring and starting Harbor, logging in from a local Docker client fails:
  $ docker login 10.236.63.76
  Username: admin
  Password:
  Error response from daemon: Get https://10.236.63.76/v1/users/: dial tcp 10.236.63.76:443: getsockopt: connection refused
  This happens because, since Docker 1.3.2, the Docker client talks to registries over HTTPS by default, while Harbor was set up in its default http mode; docker login, pull and push against a non-HTTPS registry therefore fail. Solutions:
- On macOS, open Preferences -> Advanced, add 10.236.63.76 to "Insecure registries" and restart the Docker client.
- On Ubuntu, edit /lib/systemd/system/docker.service and append --insecure-registry 10.236.63.76 to the ExecStart line under [Service], then reload systemd and restart docker.
- On CentOS, edit /etc/sysconfig/docker and add --insecure-registry 10.236.63.76 to OPTIONS, for example OPTIONS='--insecure-registry 10.236.63.76', then restart docker. On Docker packages that read /etc/docker/daemon.json, the equivalent setting is "insecure-registries": ["10.236.63.76"].
Note: marking the registry as insecure disables TLS for it. Credentials and image content then travel in cleartext, and a man-in-the-middle can substitute image layers. This is a lab workaround; the production fix is ui_url_protocol = https in harbor.cfg with a certificate the Docker hosts trust (for a self-signed certificate, copy the CA certificate to /etc/docker/certs.d/10.236.63.76/ca.crt on each host).
- Running docker pull as wanyang fails with:
  $ docker pull 10.236.63.76/wanyang/nginx:latest
  Error response from daemon: repository 10.236.63.76/wanyang/nginx not found: does not exist or no pull access
  There are three possible causes: first, wanyang/nginx does not exist in the Harbor registry; second, the project is not public and the account has not run docker login 10.236.63.76; third, the account has no permission on the project 10.236.63.76/wanyang, in which case wanyang must be added as a member of the project and given a role. The error message deliberately does not say which of a missing repository or a denied one applies.
- If you need to change harbor.cfg: since Harbor is orchestrated as a docker-compose service, use docker-compose to restart it. Without configuration changes, a plain restart is enough: docker-compose start | stop | restart. After editing harbor.cfg, bring the stack down, run ./prepare so that the service configuration is regenerated from the new harbor.cfg, and bring it back up:
  1. Stop Harbor:
     $ docker-compose down -v
     Stopping nginx ... done
     Stopping harbor-jobservice ... done
     ......
     Removing harbor-log ... done
     Removing network harbor_harbor
  2. Start Harbor:
     $ docker-compose up -d
     Creating network "harbor_harbor" with the default driver
     Creating harbor-log
     Creating nginx
     Creating harbor-jobservice ... done