Construction and configuration of the Docker image registry Harbor

Reprinted from: https://cloud.tencent.com/developer/article/1010619

1. Harbor introduction

The development and operation of Docker container applications are inseparable from reliable image management. Although Docker officially provides a public image registry, deploying a Registry in our own private environment is also necessary for reasons of both security and efficiency. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It includes role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese language support.

2. Environment and software preparation

In this demonstration environment I work on a CentOS 7 Linux virtual machine. The installed software and versions are:

  1. Docker: version 1.12.6
  2. Docker-compose: version 1.13.0
  3. Harbor: version 1.1.2

Note: all of Harbor's service components are deployed as Docker containers, so the official installation uses docker-compose for rapid deployment; we therefore need to install Docker and docker-compose first. Since Harbor is based on Docker Registry V2, Docker 1.10.0 or later and docker-compose 1.6.0 or later are required.

1) Docker installation

  • Official website: Install Docker for CentOS
  • Install docker using yum or up2date

2) docker-compose installation

1. Download the specified version of docker-compose (writing to /usr/local/bin needs root, so the download itself runs under sudo)
    $ sudo curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
2. Give the binary executable permission
    $ sudo chmod +x /usr/local/bin/docker-compose
3. Test whether docker-compose was installed successfully
    $ docker-compose --version
    docker-compose version 1.13.0, build 1719ceb

3. Harbor service setup

1) Download the Harbor installation package. From the releases page of the github harbor project, download the installation package of the required version.

1. Online installer
    $ wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-online-installer-v1.1.2.tgz
    $ tar xvf harbor-online-installer-v1.1.2.tgz
2. Offline installer
    $ wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-offline-installer-v1.1.2.tgz
    $ tar xvf harbor-offline-installer-v1.1.2.tgz

2) Configure Harbor. After decompression, the directory contains a harbor.cfg file, which is Harbor's configuration file.

## Configuration file of Harbor

# hostname sets the access address; an IP address or domain name may be used, but not 127.0.0.1 or localhost
hostname = 10.236.63.76

# The access protocol is http by default; https can also be set. If https is set, ssl must be enabled in the nginx configuration and ssl_cert/ssl_cert_key below must point at the server certificate
ui_url_protocol = http

# The root password of the MySQL database is root123 by default and should be changed in real use
db_password = root123

max_job_workers = 3 
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA

# Mail settings, used when sending password reset mail
email_identity = 
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

# The initial password of the admin user of the UI, Harbor12345 by default. It is only applied on the first start, so change it here before installing (or in the UI afterwards)
harbor_admin_password = Harbor12345

# Authentication mode. Several modes are supported, such as LDAP authentication (ldap_auth) and local database authentication (db_auth). The default is db_auth, i.e. authentication against the MySQL database
auth_mode = db_auth

# LDAP authentication configuration items
#ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
#ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
#ldap_uid = uid 
#ldap_scope = 3 
#ldap_timeout = 5

# Enable self-registration (with this on, anyone who can reach the UI can create an account)
self_registration = on

# Validity period of tokens, 30 minutes by default
token_expiration = 30

# Controls which users may create projects: everyone (default) or adminonly
project_creation_restriction = everyone

# Verify the TLS certificate of the remote registry when replicating images
verify_remote_cert = on
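
Several of the values above are fine for a lab but weak in production: plain http, the factory admin and database passwords, open self-registration and project creation by everyone. The script below is an added example, not part of the original article or of Harbor itself. It reads a harbor.cfg in the key = value format shown above and lists the settings a security reviewer would flag before running install.sh. Which keys are checked and what counts as weak is this editor's choice, and the sample configuration it writes is constructed from the default values above.

```shell
#!/bin/sh
# Added example, not from the original article or the Harbor project: audit a
# harbor.cfg for settings that weaken the registry before ./install.sh is run.
# Assumption: the file uses the "key = value" lines shown above. Which keys are
# checked, and what is treated as weak, is this editor's choice, not Harbor's.

# cfg_get FILE KEY -> value of the first uncommented "KEY = value" line, or empty
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# cfg_flag KEY VALUE REASON -> reports one finding and counts it
cfg_flag() {
    echo "WEAK $1=$2: $3"
    findings=$((findings + 1))
}

# audit_harbor_cfg FILE -> one "WEAK key=value: reason" line per finding;
# the return code is the number of findings (0 = nothing flagged)
audit_harbor_cfg() {
    findings=0

    v=$(cfg_get "$1" ui_url_protocol)
    [ "$v" = "https" ] || cfg_flag ui_url_protocol "$v" \
        "clients send passwords and layers in plaintext; set https and point ssl_cert/ssl_cert_key at a certificate"

    v=$(cfg_get "$1" harbor_admin_password)
    [ "$v" != "Harbor12345" ] || cfg_flag harbor_admin_password "$v" \
        "factory default; it is applied on first start, so change it before installing"

    v=$(cfg_get "$1" db_password)
    [ "$v" != "root123" ] || cfg_flag db_password "$v" "factory default MySQL root password"

    v=$(cfg_get "$1" self_registration)
    [ "$v" != "on" ] || cfg_flag self_registration "$v" "anyone who can reach the UI can create an account"

    v=$(cfg_get "$1" project_creation_restriction)
    [ "$v" = "adminonly" ] || cfg_flag project_creation_restriction "$v" "every user can create projects"

    v=$(cfg_get "$1" verify_remote_cert)
    [ "$v" = "on" ] || cfg_flag verify_remote_cert "$v" "TLS certificates of replication targets are not verified"

    # LDAP bind and user passwords travel over ldap_url; only ldaps:// keeps them off the wire in clear
    if [ "$(cfg_get "$1" auth_mode)" = "ldap_auth" ]; then
        u=$(cfg_get "$1" ldap_url)
        case "$u" in
            ldaps://*) ;;
            *) cfg_flag ldap_url "$u" "bind password and user passwords sent without TLS" ;;
        esac
    fi
    return "$findings"
}

# write_sample_cfg FILE -> a constructed harbor.cfg using the default values shown above
write_sample_cfg() {
    cat > "$1" <<'EOF'
hostname = 10.236.63.76
ui_url_protocol = http
db_password = root123
max_job_workers = 3 
harbor_admin_password = Harbor12345
auth_mode = db_auth
#ldap_url = ldaps://ldap.mydomain.com
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = on
EOF
}

# Demo on the constructed sample; on a real install run: audit_harbor_cfg ./harbor/harbor.cfg
tmp=$(mktemp)
write_sample_cfg "$tmp"
n=0
audit_harbor_cfg "$tmp" || n=$?
echo "findings: $n"   # 5
rm -f "$tmp"
```

Run it against the real harbor.cfg before ./install.sh; a non-zero exit code is the number of findings, which makes it easy to gate a deployment script on a clean result.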

3) Start Harbor. After modifying the configuration file, execute ./install.sh in the current directory. Based on docker-compose.yml, the installer downloads the dependent images, checks them and starts the services in order. The images and services Harbor depends on are as follows:

# docker images
REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-jobservice     v1.1.2              ac332f9bd31c        10 days ago         162.9 MB
vmware/harbor-ui             v1.1.2              803897be484a        10 days ago         182.9 MB
vmware/harbor-adminserver    v1.1.2              360b214594e7        10 days ago         141.6 MB
vmware/harbor-db             v1.1.2              6f71ee20fe0c        10 days ago         328.5 MB
vmware/registry              2.6.1-photon        0f6c96580032        4 weeks ago         150.3 MB
vmware/harbor-notary-db      mariadb-10.1.10     64ed814665c6        10 weeks ago        324.1 MB
vmware/nginx                 1.11.5-patched      8ddadb143133        10 weeks ago        199.2 MB
vmware/notary-photon         signer-0.5.0        b1eda7d10640        11 weeks ago        155.7 MB
vmware/notary-photon         server-0.5.0        6e2646682e3c        3 months ago        156.9 MB
vmware/harbor-log            v1.1.2              9c46a7b5e517        4 months ago        192.4 MB
photon                       1.0                 e6e4e4a2ba1b        11 months ago       127.5 MB

# docker-compose ps
       Name                     Command               State                                Ports                               
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                                                       
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp                                                         
harbor-jobservice    /harbor/harbor_jobservice        Up                                                                       
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp                                          
harbor-ui            /harbor/harbor_ui                Up                                                                       
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp 
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp           

After startup we can access the hostname we just set, http://10.236.63.76/ (port 80 by default). If that port is already occupied, we can change the port mapping of the corresponding service in docker-compose.yml.

4) Log in to Web Harbor: enter the user name admin and log in with the default password (or the modified password).

We can see that the modules of the system are as follows:

  • Project: add/delete projects, view the image repositories, add members to projects, view operation logs, replicate projects, etc.
  • Log: create, push, pull and other operation logs for each image in the registry
  • System management
    • User management: add/delete users, set administrators, etc.
    • Replication management: add/delete replication targets, create/delete/start/stop replication rules, etc.
    • Configuration management: authentication mode, replication, email settings, system settings, etc.
  • Other settings
    • User name and email: modify account information
    • Change password: change the user's password

Note: when a user who is not a system administrator logs in, only the projects and logs that user has permission for are visible; the other modules are hidden.

5) Create a project. We create a new project named wanyang and do not make it public. Note: when a project is set to public, anyone has read permission on the images under it, and command-line users can pull images under that project without "docker login".

After the project has been created, we can push local images to the Harbor registry with the admin account. For example, push the local nginx image:

1. Log in as admin
$ docker login 10.236.63.76
Username: admin
Password:
Login Succeeded

2. Tag the image with the registry address
$ docker tag nginx 10.236.63.76/wanyang/nginx:latest
$ docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
nginx                              latest              958a7ae9e569        2 weeks ago         109 MB
10.236.63.76/wanyang/nginx         latest              958a7ae9e569        2 weeks ago         109 MB

3. Push to the registry
$ docker push 10.236.63.76/wanyang/nginx
The push refers to a repository [10.236.63.76/wanyang/nginx]
a552ca691e49: Pushed
7487bf0353a7: Pushed
8781ec54ba04: Pushed
latest: digest: sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268 size: 948

After the upload completes, log in to Web Harbor and select the wanyang project; the nginx image just uploaded is listed there.

6) Create users and assign permissions. So far we have been operating as admin. In real use everyone logs in with their own account, so new users have to be created. At the same time, for a user to have permission to operate on the project we created, the user must also be added as a member of that project. Create a test user named wanyang: click System Management -> User Management -> Create User and enter the user name, email, password and other information.

Add the wanyang user as a member of the wanyang project: click Project -> wanyang -> Members -> New Member, fill in the name and select a role.

Now we simulate, on the local machine, pulling the nginx image just uploaded with the wanyang account.

1. Remove the local tag first (the nginx image was just pushed from this machine; a direct pull would find the local copy and pull nothing)
$ docker rmi -f 10.236.63.76/wanyang/nginx
Untagged: 10.236.63.76/wanyang/nginx:latest
Untagged: 10.236.63.76/wanyang/nginx@sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268

2. Log out of the admin account and log in with the wanyang account
$ docker logout 10.236.63.76
Removing login credentials for 10.236.63.76
$ docker login 10.236.63.76
Username: wanyang
Password:
Login Succeeded

3. Pull the image from Harbor to the local machine
$ docker pull 10.236.63.76/wanyang/nginx:latest
latest: Pulling from wanyang/nginx
Digest: sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268
Status: Downloaded newer image for 10.236.63.76/wanyang/nginx:latest
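
The push output above ends with the image's content digest, and the pull output repeats it. Pulling by that digest instead of by the mutable latest tag is the check that a tag has not been re-pointed at different content between push and pull, whether on this Harbor or on a replica. The helpers below are an added example, not part of the article or of Harbor: they extract the digest from docker push/pull output, build an immutable repo@sha256:... reference, and compare a later pull against the recorded digest. The captured outputs embedded in the script are the ones shown above; the function names are this editor's.

```shell
#!/bin/sh
# Added example, not from the article or the Harbor project: record the content
# digest printed by "docker push" and verify that a later "docker pull" (from this
# Harbor or from a replica) returned exactly that content. The captured outputs
# below are the ones shown in the article; the helper names are this editor's.

# digest_of OUTPUT -> the first sha256:... digest found in docker push/pull output
digest_of() {
    printf '%s\n' "$1" | sed -n 's/.*[Dd]igest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# pinned_ref REPO OUTPUT -> immutable reference REPO@sha256:... for the pushed image
pinned_ref() {
    d=$(digest_of "$2")
    [ -n "$d" ] || return 1
    printf '%s@%s\n' "$1" "$d"
}

# verify_pull EXPECTED_DIGEST OUTPUT -> 0 if the pull returned the expected digest
verify_pull() {
    [ "$(digest_of "$2")" = "$1" ]
}

# Captured from the article's push and pull (constructed test input for this demo)
PUSH_OUT='The push refers to a repository [10.236.63.76/wanyang/nginx]
a552ca691e49: Pushed
7487bf0353a7: Pushed
8781ec54ba04: Pushed
latest: digest: sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268 size: 948'

PULL_OUT='latest: Pulling from wanyang/nginx
Digest: sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268
Status: Downloaded newer image for 10.236.63.76/wanyang/nginx:latest'

# Typical use after a real push (shown, not executed here):
#   ref=$(pinned_ref 10.236.63.76/wanyang/nginx "$(docker push 10.236.63.76/wanyang/nginx)")
#   docker pull "$ref"   # pulls by digest, so a re-tagged "latest" cannot be substituted
expected=$(digest_of "$PUSH_OUT")
if verify_pull "$expected" "$PULL_OUT"; then
    echo "pull matches pushed digest: $expected"
else
    echo "DIGEST MISMATCH" >&2
fi
```

The same comparison applies to an image pulled from a replica: the digest printed by the pull on Harbor2 must equal the digest recorded at push time on Harbor1, otherwise the replica holds different content under the same tag.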

7) Configure Docker image replication. First we need at least two Harbor services:

  1. Harbor1: 10.236.63.76
  2. Harbor2: 10.236.63.62

We have already pushed an image to Harbor1, so take Harbor1 as the master node and Harbor2 as the replication node; images on Harbor1 should be replicated to Harbor2 automatically.

Configure the replication rule: click Project -> wanyang -> Replication -> New Replication Rule and fill in the name, target name, target URL and other information. Note: the target URL here is the address of the replication node Harbor2, http://10.236.63.62, and the user name and password are the admin account and password configured on Harbor2. If "Enable" is checked, the images that need to be synchronized are detected immediately after the rule is created. With an http target the Harbor2 admin credentials are sent in the clear on every replication job; an https target together with verify_remote_cert = on avoids that.

For a better demonstration, I now push the image maven:3-jdk-8 under the wanyang project on Harbor1 to see whether a newly uploaded image is synchronized to Harbor2 automatically.

After the push, the replication to Harbor2 is shown as completed. Log in to the Web Harbor of Harbor2: the image has been replicated automatically, and the operation log is replicated along with it.

Now pull the maven image just synchronized from Harbor2; it works:

$ docker login 10.236.63.62
Username: admin
Password:
Login Succeeded

$ docker pull 10.236.63.62/wanyang/maven:3-jdk-8
3-jdk-8: Pulling from wanyang/maven
Digest: sha256:16e68f691322cd425d27c798f88df4eb3c4322fe294067f21325b36ec587fa06
Status: Downloaded newer image for 10.236.63.62/wanyang/maven:3-jdk-8

$ docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
nginx                              latest              958a7ae9e569        2 weeks ago         109 MB
10.236.63.76/wanyang/nginx         latest              958a7ae9e569        2 weeks ago         109 MB
10.236.63.62/wanyang/maven         3-jdk-8             c58c661bb6ad        5 weeks ago         653 MB
10.236.63.76/wanyang/maven         3-jdk-8             c58c661bb6ad        5 weeks ago         653 MB
maven                              3-jdk-8             c58c661bb6ad        5 weeks ago         653 MB

Looking at the operation logs on Harbor1 and Harbor2, the entries appear in the order of our operations.

4. FAQ

  1. After configuring and starting Harbor, logging in locally fails:
    $ docker login 10.236.63.76
    Username: admin
    Password:
    Error response from daemon: Get https://10.236.63.76/v1/users/: dial tcp 10.236.63.76:443: getsockopt: connection refused
  This is because, starting with Docker 1.3.2, the Docker client uses https for registries by default. We set Harbor to the default http mode, so docker login, pull, push and other commands against a non-https registry report this error. Solutions:
    1. On macOS, click "Advanced" in "Preferences", add 10.236.63.76 to "Insecure registries" and restart the Docker client.
    2. On Ubuntu, edit /lib/systemd/system/docker.service, modify the ExecStart parameter under [Service] and add --insecure-registry 10.236.63.76.
    3. On CentOS, edit /etc/sysconfig/docker and add --insecure-registry 10.236.63.76 to OPTIONS.
  Note that --insecure-registry lets the client fall back to unverified TLS or plain http for that host; with Harbor in http mode, login credentials and image layers then travel in plaintext, which is only acceptable on a trusted lab network. Otherwise set ui_url_protocol = https in harbor.cfg, provide ssl_cert/ssl_cert_key, and install the CA certificate on the clients.
  2. When the wanyang account executes docker pull, an error is reported:
    $ docker pull 10.236.63.76/wanyang/nginx:latest
    Error response from daemon: repository 10.236.63.76/wanyang/nginx not found: does not exist or no pull access
  There may be three reasons: first, wanyang/nginx does not exist in the Harbor registry; second, the project is not public and the account has not run docker login 10.236.63.76; third, the account has no permission on the 10.236.63.76/wanyang project, in which case the wanyang user must be added as a member of the project and given a role.
  3. If harbor.cfg has to be modified: since Harbor is orchestrated with docker-compose, we can restart Harbor with docker-compose commands. To restart Harbor without modifying the configuration, use docker-compose start | stop | restart. After modifying harbor.cfg, stop Harbor, run ./prepare to regenerate the service configuration files from harbor.cfg, and start it again:
    1. Stop Harbor
    $ docker-compose down -v
    Stopping nginx ... done
    Stopping harbor-jobservice ... done
    ......
    Removing harbor-log ... done
    Removing network harbor_harbor
    2. Start Harbor
    $ docker-compose up -d
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log
    Creating nginx
    Creating harbor-jobservice ... done
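
FAQ item 1 makes the client trust an http Harbor by listing it as an insecure registry. The safer alternative is to run Harbor with ui_url_protocol = https and to install the CA certificate that signed ssl_cert (or server.crt itself, if it is self-signed) on every Docker host, in Docker's per-registry trust directory /etc/docker/certs.d/<host>/ca.crt. The script below is an added example, not from the article or from Harbor: it detects whether a host still carries the insecure-registry workaround (in daemon.json, /etc/sysconfig/docker or docker.service, the files named in the FAQ) and installs the CA file in certs.d. The ROOT argument, the function names and the scratch-directory demo are this editor's; they exist only so the script can be exercised without touching the real host.

```shell
#!/bin/sh
# Added example, not from the article or the Harbor project. Two ways a Docker host
# can reach Harbor at 10.236.63.76: the FAQ workaround (--insecure-registry, which
# lets the client fall back to unverified TLS or plain http) and the intended one
# (an https Harbor whose CA is placed in Docker's per-registry trust directory,
# /etc/docker/certs.d/<host>[:port]/ca.crt). ROOT (default: the real "/") is this
# editor's addition so the functions can be exercised in a scratch directory.

# insecure_registry_listed HOST [ROOT] -> 0 if HOST is configured as an insecure registry
# in daemon.json, /etc/sysconfig/docker or docker.service (the files named in the FAQ)
insecure_registry_listed() {
    host=$1; root=${2:-}
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    f="$root/etc/docker/daemon.json"
    if [ -f "$f" ] && tr -d '\n' < "$f" \
        | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' | tr -d ' "' | grep -qx "$host"; then
        return 0
    fi
    for f in "$root/etc/sysconfig/docker" "$root/lib/systemd/system/docker.service"; do
        if [ -f "$f" ] && grep -Eq -- "--insecure-registry[ =]$esc([^0-9.]|$)" "$f"; then
            return 0
        fi
    done
    return 1
}

# trust_registry_ca HOST CA_FILE [ROOT] -> installs CA_FILE as certs.d/HOST/ca.crt
trust_registry_ca() {
    root=${3:-}
    dir="$root/etc/docker/certs.d/$1"
    if [ ! -s "$2" ]; then
        echo "CA file $2 is missing or empty" >&2
        return 1
    fi
    mkdir -p "$dir" && cp "$2" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# registry_trust_state HOST [ROOT] -> insecure | ca-trusted | untrusted
# (an insecure-registry entry wins: with it the client may still fall back to plain http)
registry_trust_state() {
    root=${2:-}
    if insecure_registry_listed "$1" "$root"; then
        echo insecure
    elif [ -s "$root/etc/docker/certs.d/$1/ca.crt" ]; then
        echo ca-trusted
    else
        echo untrusted
    fi
}

# Demo in a scratch directory standing in for "/" (constructed; nothing on the host changes)
scratch=$(mktemp -d)
mkdir -p "$scratch/etc/sysconfig"
echo 'OPTIONS="--selinux-enabled --insecure-registry 10.236.63.76"' > "$scratch/etc/sysconfig/docker"
echo "FAQ workaround in place: $(registry_trust_state 10.236.63.76 "$scratch")"   # insecure
rm "$scratch/etc/sysconfig/docker"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(placeholder: use the CA that signed ssl_cert)' '-----END CERTIFICATE-----' > "$scratch/harbor-ca.crt"
trust_registry_ca 10.236.63.76 "$scratch/harbor-ca.crt" "$scratch"
echo "CA installed in certs.d: $(registry_trust_state 10.236.63.76 "$scratch")"   # ca-trusted
rm -rf "$scratch"
```

On a real host call trust_registry_ca with the real CA file and no ROOT argument (as root), remove any --insecure-registry entry for the host, and docker login 10.236.63.76 then works over verified https once Harbor itself serves it.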

References:

  1. GitHub harbor installation_guide
  2. Docker installation
  3. docker-compose installation

Tags: harbor

Posted by wtf on Sun, 15 May 2022 16:41:59 +0300