Deploy a Harbor private registry
1. Install and deploy the Harbor private registry
Harbor is deployed as multiple Docker containers, so it can be deployed on any Linux distribution that supports Docker.
The server host needs to install Python, Docker and Docker Compose.
1. Download Harbor installer
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
2. Configure the Harbor parameter file
vim /usr/local/harbor/harbor.cfg
//line 5
hostname = 192.168.195.128
The harbor.cfg configuration file has two types of parameters: required parameters and optional parameters.
(1) Required parameters
These parameters must be set in the harbor.cfg configuration file. If the user updates them and runs the install.sh script to reinstall Harbor, the new values take effect. The parameters are:
hostname: Used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine, for example 192.168.195.128 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the host name.
ui_url_protocol: (http or https, default http) The protocol used to access the UI and the token/notification service. If Notary is enabled, this parameter must be https.
max_job_workers: The number of worker threads for image replication jobs.
db_password: The root password of the MySQL database used for db_auth.
customize_crt: This property can be set to on or off. It is on by default. When it is on, the prepare script creates the private key and root certificate used to generate/validate the registry token. Set it to off when the key and root certificate are provided by an external source.
ssl_cert: The path of the SSL certificate. Applies only when the protocol is set to https.
ssl_cert_key: The path of the SSL key. Applies only when the protocol is set to https.
secretkey_path: The path of the key used to encrypt or decrypt the password of a remote registry in a replication policy.
(2) Optional parameters
These parameters are optional for updates: users can leave them at their default values and update them later in the web UI after Harbor has started. If they are set in harbor.cfg, they only take effect the first time Harbor is started; later changes to these parameters in harbor.cfg are ignored.
Note: if you choose to set these parameters through the UI, do so immediately after starting Harbor. Specifically, you must set the required auth_mode before registering or creating any new users in Harbor. When there are users in the system (other than the default admin user), auth_mode cannot be modified.
The parameters are:
Email: Harbor needs these parameters to send a "password reset" email to a user, and only if that function is required. Note that SSL is not enabled for the connection by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE.
harbor_admin_password: The initial password of the administrator. It is only effective when Harbor is started for the first time. After that, this setting is ignored and the administrator's password should be set in the UI. Note that the default user name/password is admin/Harbor12345.
auth_mode: The authentication type used. By default it is db_auth, that is, the credentials are stored in the database. For LDAP authentication, set it to ldap_auth.
self_registration: Enables/disables user self-registration. When disabled, new users can only be created by the admin user; only administrator users can create new users in Harbor. Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.
token_expiration: The expiration time (in minutes) of tokens created by the token service. The default is 30 minutes.
project_creation_restriction: The flag that controls which users are allowed to create projects. By default, everyone can create a project. If its value is set to "adminonly", only admin can create projects.
verify_remote_cert: On or off, on by default. This flag determines whether Harbor verifies the SSL/TLS certificate when it communicates with a remote registry instance. Setting it to off bypasses SSL/TLS verification, which is often done when the remote instance has a self-signed or untrusted certificate.
In addition, Harbor stores images on the local file system by default. In a production environment, you can consider using another storage back end instead of the local file system, such as S3, OpenStack Swift, Ceph, etc. This requires updating the common/templates/registry/config.yml file.
3. Start Harbor
sh /usr/local/harbor/install.sh
4. View the Harbor images
//View images
docker images
REPOSITORY                  TAG               IMAGE ID       CREATED       SIZE
vmware/harbor-log           v1.2.2            36ef78ae27df   2 years ago   200MB
vmware/harbor-jobservice    v1.2.2            e2af366cba44   2 years ago   164MB
vmware/harbor-ui            v1.2.2            39efb472c253   2 years ago   178MB
vmware/harbor-adminserver   v1.2.2            c75963ec543f   2 years ago   142MB
vmware/harbor-db            v1.2.2            ee7b9fa37c5d   2 years ago   329MB
vmware/nginx-photon         1.11.13           6cc5c831fc7f   2 years ago   144MB
vmware/registry             2.6.2-photon      5d9100e4350e   2 years ago   173MB
vmware/postgresql           9.6.4-photon      c562762cbd12   2 years ago   225MB
vmware/clair                v2.0.1-photon     f04966b4af6c   2 years ago   297MB
vmware/harbor-notary-db     mariadb-10.1.10   64ed814665c6   2 years ago   324MB
vmware/notary-photon        signer-0.5.0      b1eda7d10640   2 years ago   156MB
vmware/notary-photon        server-0.5.0      6e2646682e3c   2 years ago   157MB
photon                      1.0               e6e4e4a2ba1b   3 years ago   128MB
//View containers
docker ps -a
CONTAINER ID   IMAGE                              COMMAND                  CREATED              STATUS              PORTS                                                              NAMES
aee770c69872   vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
74e21da53cdd   vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   About a minute ago   Up About a minute                                                                      harbor-jobservice
0a37b29881e9   vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      About a minute ago   Up About a minute                                                                      harbor-ui
f77d9c7cf595   vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   About a minute ago   Up About a minute                                                                      harbor-adminserver
5dad74ff8d31   vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   About a minute ago   Up About a minute   3306/tcp                                                           harbor-db
d09a85bb8da1   vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   About a minute ago   Up About a minute   5000/tcp                                                           registry
041184a34344   vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   About a minute ago   Up About a minute   127.0.0.1:1514->514/tcp                                            harbor-log
cd /usr/local/harbor/
docker-compose ps
Name                 Command                       State   Ports
-------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver    Up
harbor-db            docker-entrypoint.sh mysqld   Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice     Up
harbor-log           /bin/sh -c crond && rm -f ... Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui             Up
nginx                nginx -g daemon off;          Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ... Up      5000/tcp
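The harbor.cfg parameters described in step 2 can be checked before install.sh or prepare is run. The following is an added example, not part of the original page or of Harbor itself: it flags the values this page names as defaults or as bypassing verification. It assumes harbor.cfg consists of plain "key = value" lines; the function name audit_harbor_cfg and the sample file are constructed for illustration.

```python
import configparser

# Constructed sample: the values this page uses or names as defaults.
SAMPLE_CFG = """\
hostname = 192.168.195.128
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = off
"""

# (parameter, value assumed when absent, test for a risky value, finding)
# self_registration is only flagged when explicitly on (the page gives no default).
RULES = [
    ("hostname", "", lambda v: v.lower() in ("", "localhost", "127.0.0.1"),
     "must be the host's IP address or FQDN, not localhost"),
    ("ui_url_protocol", "http", lambda v: v.lower() != "https",
     "UI and token service run over plain HTTP"),
    ("harbor_admin_password", "Harbor12345", lambda v: v == "Harbor12345",
     "initial admin password is the published default"),
    ("self_registration", "off", lambda v: v.lower() == "on",
     "anyone who can reach the UI can create an account"),
    ("project_creation_restriction", "everyone", lambda v: v.lower() != "adminonly",
     "every user can create projects"),
    ("verify_remote_cert", "on", lambda v: v.lower() == "off",
     "TLS certificates of remote registries are not verified"),
]

def audit_harbor_cfg(text):
    """Return [(parameter, finding), ...] for risky values in harbor.cfg text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Assumption: the file is bare "key = value" lines, so supply a section header.
    parser.read_string("[harbor]\n" + text)
    cfg = {k: v.strip() for s in parser.sections() for k, v in parser[s].items()}
    return [(key, finding) for key, default, risky, finding in RULES
            if risky(cfg.get(key, default))]

if __name__ == "__main__":
    for key, finding in audit_harbor_cfg(SAMPLE_CFG):
        print(f"{key}: {finding}")
```

Because harbor_admin_password and auth_mode are only read on first start, a check like this is most useful before the first install.sh run.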
- If everything is normal, you should be able to open http://192.168.195.128 in a browser. The default administrator user name and password are admin/Harbor12345. Note: restart the containers several times. If you cannot access the Harbor page, use HTTP.
//Add a project and fill in the project name
At this point, you can use docker commands to log in and push images locally through 127.0.0.1. By default, the registry server listens on port 80.
//Login
docker login -u admin -p Harbor12345 http://127.0.0.1
//Download the image for testing
docker pull cirros
//Image labeling
docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1
//Upload image to Harbor
docker push 127.0.0.1/myproject-kgc/cirros:v1
The operations above are performed locally on the Harbor server. If another client uploads images to Harbor, it reports the following error. The reason is that Docker uses HTTPS by default when interacting with a registry, whereas the private registry built here serves HTTP by default, so the following error occurs when the client interacts with the private registry.
[root@client ~]# docker login -u admin -p Harbor12345 http://192.168.195.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.195.128/v2/: EOF
//Solution:
[root@client ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.195.128 --containerd=/run/containerd/containerd.sock
[root@client ~]# systemctl daemon-reload
[root@client ~]# systemctl restart docker
[root@client ~]# docker login -u admin -p Harbor12345 http://192.168.195.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@client ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
3d6427f49fe3: Pull complete
1915bfe8159b: Pull complete
d0ec9ef25b96: Pull complete
Digest: sha256:8654d33ecbcdc8fd65c80325c3ec3b1bc938dfad9f20d1a2e3cf21e521ab70e6
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@client ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED         SIZE
cirros       latest   bc94bceaae77   11 months ago   10.3MB
[root@client ~]# docker tag cirros 192.168.195.128/myproject-kgc/cirros:v2
[root@client ~]# docker push 192.168.195.128/myproject-kgc/cirros:v2
The push refers to repository [192.168.195.128/myproject-kgc/cirros]
abbd6d6ac643: Layer already exists
75b99987219d: Layer already exists
0cc237193a30: Layer already exists
v2: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
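The client session above leaves two things behind: an --insecure-registry entry on the dockerd command line and a login stored in /root/.docker/config.json. The following added example (not part of the original page) audits both and reports which stored logins belong to registries reached without verified TLS. The sample ExecStart line and config.json content are constructed, the password is a placeholder, and the function names are hypothetical.

```python
import base64
import json
import shlex

# Constructed samples modelled on the client session above; the password is a placeholder.
EXEC_START = ("ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.195.128 "
              "--containerd=/run/containerd/containerd.sock")
CONFIG_JSON = json.dumps({"auths": {"192.168.195.128": {
    "auth": base64.b64encode(b"admin:placeholder-password").decode()}}})

def host_of(name):
    """Strip an optional scheme and trailing slash from a registry name."""
    return name.split("://", 1)[-1].rstrip("/")

def insecure_registries(exec_start):
    """Registries listed with --insecure-registry on a dockerd ExecStart line."""
    args = shlex.split(exec_start.partition("=")[2])
    found = []
    for i, arg in enumerate(args):
        if arg == "--insecure-registry" and i + 1 < len(args):
            found.append(host_of(args[i + 1]))
        elif arg.startswith("--insecure-registry="):
            found.append(host_of(arg.split("=", 1)[1]))
    return found

def stored_logins(config_json):
    """{registry: username} for logins kept base64-encoded in config.json."""
    cfg = json.loads(config_json)
    if cfg.get("credsStore"):
        return {}  # a credential store holds the secrets instead
    helpers = {host_of(h) for h in cfg.get("credHelpers", {})}
    logins = {}
    for registry, entry in cfg.get("auths", {}).items():
        if host_of(registry) in helpers or not entry.get("auth"):
            continue
        # base64 is an encoding, not encryption: user:password decodes directly.
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        logins[host_of(registry)] = user
    return logins

def exposed_logins(exec_start, config_json):
    """Stored logins for registries the daemon reaches without verified TLS."""
    insecure = set(insecure_registries(exec_start))
    return {r: u for r, u in stored_logins(config_json).items() if r in insecure}

if __name__ == "__main__":
    print(exposed_logins(EXEC_START, CONFIG_JSON))
```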
- Maintain and manage Harbor. You can use docker-compose to manage Harbor. Some useful commands are shown below; they must be run in the same directory as docker-compose.yml.
- Modify the harbor.cfg configuration file. To change Harbor's configuration, first stop the existing Harbor instance and update harbor.cfg; then run the prepare script to populate the configuration; finally, recreate and start the Harbor instance.
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
vim harbor.cfg
./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
//Error reported:
docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name. (exit status 1))
//Solution: after the firewall has been stopped, Docker needs to be restarted
systemctl restart docker
docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-adminserver ... done
Creating registry ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
Create a Harbor user
//Create project developer
//Operate on the client
[root@client ~]# docker rmi 192.168.195.128/myproject-kgc/cirros:v2
Untagged: 192.168.195.128/myproject-kgc/cirros:v2
Untagged: 192.168.195.128/myproject-kgc/cirros@sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
//Log out, then log in again
[root@client ~]# docker logout 192.168.195.128
Removing login credentials for 192.168.195.128
[root@client ~]# docker login 192.168.195.128
Username: kgc-zhangsan
Password:        //Complete harbor 1234
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@client ~]# docker pull 192.168.195.128/myproject-kgc/cirros:v1
v1: Pulling from myproject-kgc/cirros
Digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
Status: Downloaded newer image for 192.168.195.128/myproject-kgc/cirros:v1
192.168.195.128/myproject-kgc/cirros:v1
[root@client ~]# docker images
REPOSITORY                             TAG      IMAGE ID       CREATED         SIZE
192.168.195.128/myproject-kgc/cirros   v1       bc94bceaae77   11 months ago   10.3MB
cirros                                 latest   bc94bceaae77   11 months ago   10.3MB
Remove the Harbor service containers while retaining the image data/database
//Operate on the Harbor server
docker-compose down -v
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-adminserver ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing registry ... done
Removing harbor-db ... done
Removing harbor-adminserver ... done
Removing harbor-log ... done
Removing network harbor_harbor
If redeployment is required, all data of the Harbor service containers must be removed.
Persistent data, such as images and the database, is stored in the /data/ directory on the host; logs are in the /var/log/harbor/ directory on the host.
rm -rf /data/database/
rm -rf /data/registry/