Deploy a Harbor private registry


1. Install and deploy the Harbor private registry

Harbor is deployed as multiple Docker containers, so it can be deployed on any Linux distribution that supports Docker.
Python, Docker and Docker Compose must be installed on the server host.

1. Download Harbor installer

wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz

tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

2. Configure the Harbor parameter file

vim /usr/local/harbor/harbor.cfg

//Line 5
hostname = 192.168.195.128

The harbor.cfg configuration file has two types of parameters: required parameters and optional parameters.
(1) Required parameters: these parameters must be set in the harbor.cfg configuration file.
If the user updates them and runs the install.sh script to reinstall Harbor,
the parameters take effect. The specific parameters are as follows:

hostname: Used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine,
for example 192.168.195.128 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname.

ui_url_protocol: (http or https, default http) The protocol used to access the UI and the token/notification service. If Notary is enabled, this parameter must be https.

max_job_workers: The image replication job threads.

db_password: The password of the root user of the MySQL database used for db_auth.

customize_crt: This property can be set to on or off, and is on by default. When it is on, the prepare script creates the private key and root certificate used to generate/verify the registry token.
Set this property to off when the key and root certificate are provided by an external source.

ssl_cert: The path of the SSL certificate. It applies only when the protocol is set to https.

ssl_cert_key: The path of the SSL key. It applies only when the protocol is set to https.

secretkey_path: The path of the key used to encrypt or decrypt the password of a remote registry in a replication policy.

(2) Optional parameters

These parameters are optional for updates, i.e. users can leave them at their default values and update them in the Web UI after Harbor has started.
If they are set in harbor.cfg, they take effect only the first time Harbor starts; after that, updates to these parameters in harbor.cfg are ignored.

Note: if you choose to set these parameters through the UI, make sure you do so immediately after starting Harbor. Specifically, you must set the required
auth_mode before registering or creating any new users in Harbor. Once there are users in the system (other than the default admin user), auth_mode cannot be modified. The specific parameters are as follows:

Email: Harbor needs this parameter to send a "password reset" email to a user, and only if that function is required.
Note that SSL is not enabled on the connection by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE.

harbor_admin_password: The initial password of the administrator. It takes effect only the first time Harbor starts. After that, this setting is ignored and the administrator's password should be set in the UI.
Note that the default username/password is admin/Harbor12345.

auth_mode: The authentication type used. By default it is db_auth, that is, the credentials are stored in the database. For LDAP authentication, set it to ldap_auth.

self_registration: Enables/disables user self-registration. When disabled, new users can only be created by the admin user; only administrator users can create a new user in Harbor.
Note: when auth_mode is set to ldap_auth, the self-registration function is always disabled and this flag is ignored.

token_expiration: The expiration time (in minutes) of tokens created by the token service. The default is 30 minutes.

project_creation_restriction: The flag that controls which users have permission to create projects. By default, everyone can create a project.
If its value is set to "adminonly", only the admin can create projects.

verify_remote_cert: on or off, on by default. This flag determines whether Harbor verifies the SSL/TLS certificate when it communicates with a remote registry instance.
Setting this property to off bypasses SSL/TLS verification, which is often used when the remote instance has a self-signed or untrusted certificate.

In addition, by default Harbor stores images on the local file system. In a production environment, you can consider using another storage backend instead of the local file system,
such as S3, OpenStack Swift or Ceph. This requires updating the common/templates/registry/config.yml file.
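
The security-relevant parameters above can be checked mechanically before install.sh is run. The script below is an added example, not part of the original post or of Harbor itself; the function names cfg_get, flag and audit_harbor_cfg and the sample file are made up for illustration, and it assumes the Harbor 1.x "key = value" format of harbor.cfg.

```shell
#!/bin/sh
# Added example (not from the original page): flag the risky harbor.cfg values
# described above. Assumes the Harbor 1.x "key = value" file format.

# cfg_get FILE KEY: print the value of the last uncommented "KEY = value" line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# flag MESSAGE: record and print one finding.
flag() { rc=1; printf 'FINDING: %s\n' "$1"; }

# audit_harbor_cfg FILE: print one FINDING line per problem;
# return 1 if anything was flagged, 0 otherwise.
audit_harbor_cfg() {
    cfg=$1
    rc=0
    # http is the default, so a missing key is treated as http.
    [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ] ||
        flag "ui_url_protocol is not https: logins and pushes are sent in cleartext"
    [ "$(cfg_get "$cfg" harbor_admin_password)" != "Harbor12345" ] ||
        flag "harbor_admin_password is still the published default"
    # self_registration is ignored under ldap_auth, so flag it only otherwise.
    if [ "$(cfg_get "$cfg" auth_mode)" != "ldap_auth" ] &&
       [ "$(cfg_get "$cfg" self_registration)" = "on" ]; then
        flag "self_registration is on: accounts can be created without an admin"
    fi
    [ "$(cfg_get "$cfg" verify_remote_cert)" != "off" ] ||
        flag "verify_remote_cert is off: remote registry certificates are not checked"
    [ "$(cfg_get "$cfg" project_creation_restriction)" = "adminonly" ] ||
        flag "project_creation_restriction is not adminonly: any user can create projects"
    return "$rc"
}

# Constructed sample input, modelled on the defaults described above.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
hostname = 192.168.195.128
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = on
EOF
audit_harbor_cfg "$sample_cfg" || echo "harbor.cfg needs hardening before production use"
rm -f "$sample_cfg"
```

Against a real installation, call audit_harbor_cfg /usr/local/harbor/harbor.cfg; a non-zero exit status means at least one finding was printed.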

3. Start Harbor

sh /usr/local/harbor/install.sh


4. View the images and containers started by Harbor

//View images
docker images

REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-log           v1.2.2              36ef78ae27df        2 years ago         200MB
vmware/harbor-jobservice    v1.2.2              e2af366cba44        2 years ago         164MB
vmware/harbor-ui            v1.2.2              39efb472c253        2 years ago         178MB
vmware/harbor-adminserver   v1.2.2              c75963ec543f        2 years ago         142MB
vmware/harbor-db            v1.2.2              ee7b9fa37c5d        2 years ago         329MB
vmware/nginx-photon         1.11.13             6cc5c831fc7f        2 years ago         144MB
vmware/registry             2.6.2-photon        5d9100e4350e        2 years ago         173MB
vmware/postgresql           9.6.4-photon        c562762cbd12        2 years ago         225MB
vmware/clair                v2.0.1-photon       f04966b4af6c        2 years ago         297MB
vmware/harbor-notary-db     mariadb-10.1.10     64ed814665c6        2 years ago         324MB
vmware/notary-photon        signer-0.5.0        b1eda7d10640        2 years ago         156MB
vmware/notary-photon        server-0.5.0        6e2646682e3c        2 years ago         157MB
photon                      1.0                 e6e4e4a2ba1b        3 years ago         128MB


//View containers

docker ps -a

CONTAINER ID        IMAGE                              COMMAND                  CREATED              STATUS              PORTS                                                              NAMES
aee770c69872        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
74e21da53cdd        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   About a minute ago   Up About a minute                                                                      harbor-jobservice
0a37b29881e9        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      About a minute ago   Up About a minute                                                                      harbor-ui
f77d9c7cf595        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   About a minute ago   Up About a minute                                                                      harbor-adminserver
5dad74ff8d31        vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   About a minute ago   Up About a minute   3306/tcp                                                           harbor-db
d09a85bb8da1        vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   About a minute ago   Up About a minute   5000/tcp                                                           registry
041184a34344        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   About a minute ago   Up About a minute   127.0.0.1:1514->514/tcp                                            harbor-log

cd /usr/local/harbor/
docker-compose ps
       Name                     Command               State                  Ports               
-------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                         
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp                           
harbor-jobservice    /harbor/harbor_jobservice        Up                                         
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp            
harbor-ui            /harbor/harbor_ui                Up                                         
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp,              
                                                              0.0.0.0:4443->4443/tcp,            
                                                              0.0.0.0:80->80/tcp                 
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp     

  • If everything is normal, you should be able to open a browser and access Harbor at http://192.168.195.128. The default administrator username and password are admin/Harbor12345. Note: restart the containers several times. If you cannot access the Harbor page, use HTTP.


//Add a project and fill in the project name



At this point, you can use Docker commands to log in and push images locally through 127.0.0.1. By default,
the registry server listens on port 80.

//Login
docker login -u admin -p Harbor12345 http://127.0.0.1

//Download the image for testing
docker pull cirros

//Tag the image
docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1

//Upload image to Harbor
docker push 127.0.0.1/myproject-kgc/cirros:v1


The operations above were performed locally on the Harbor server. If another client uploads an image to Harbor, it reports
the following error. The cause is that Docker uses HTTPS by default when interacting with a registry, whereas the private registry
built here serves HTTP by default, so the following error occurs when interacting with the private registry.

[root@client ~]# docker login  -u admin -p Harbor12345 http://192.168.195.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.195.128/v2/: EOF

//Solution:
[root@client ~]# vim /usr/lib/systemd/system/docker.service

ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.195.128 --containerd=/run/containerd/containerd.sock

[root@client ~]# systemctl daemon-reload 
[root@client ~]# systemctl restart docker
[root@client ~]# docker login  -u admin -p Harbor12345 http://192.168.195.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@client ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
3d6427f49fe3: Pull complete 
1915bfe8159b: Pull complete 
d0ec9ef25b96: Pull complete 
Digest: sha256:8654d33ecbcdc8fd65c80325c3ec3b1bc938dfad9f20d1a2e3cf21e521ab70e6
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@client ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
cirros              latest              bc94bceaae77        11 months ago       10.3MB

[root@client ~]# docker tag cirros 192.168.195.128/myproject-kgc/cirros:v2


[root@client ~]# docker push 192.168.195.128/myproject-kgc/cirros:v2
The push refers to repository [192.168.195.128/myproject-kgc/cirros]
abbd6d6ac643: Layer already exists 
75b99987219d: Layer already exists 
0cc237193a30: Layer already exists 
v2: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
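
The --insecure-registry workaround turns off TLS verification for that registry on the client, so it is worth knowing which hosts carry it. The script below is an added example, not from the original post; insecure_registries and report_insecure are hypothetical helper names, the sample files are constructed, and daemon.json's "insecure-registries" key and the certs.d/<registry>/ca.crt layout are Docker's standard conventions.

```shell
#!/bin/sh
# Added example (not from the original page): list the registries a Docker
# host reaches without TLS verification, from dockerd flags and daemon.json.

# insecure_registries UNIT_FILE DAEMON_JSON: print each such registry once.
insecure_registries() {
    {
        # "--insecure-registry HOST" or "--insecure-registry=HOST" in the unit
        [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" |
            tr -s ' \t=' '\n\n\n' |
            awk 'prev == "--insecure-registry" { print } { prev = $0 }'
        # "insecure-registries": ["a", "b"] in daemon.json, possibly multi-line
        [ -f "$2" ] && tr -d '\n' < "$2" |
            sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' |
            tr ',' '\n' | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//'
    } | sort -u | sed '/^$/d'
}

# report_insecure UNIT_FILE DAEMON_JSON CERTS_DIR: one line per registry.
# CERTS_DIR/<registry>/ca.crt is where Docker looks for a CA to verify that
# registry over HTTPS; "no-ca" means nothing is staged to replace the bypass.
report_insecure() {
    insecure_registries "$1" "$2" | while IFS= read -r reg; do
        if [ -f "$3/$reg/ca.crt" ]; then
            printf '%s insecure ca-present\n' "$reg"
        else
            printf '%s insecure no-ca\n' "$reg"
        fi
    done
}

# Constructed sample input: the unit file edit shown above plus a daemon.json.
demo=$(mktemp -d)
cat > "$demo/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.195.128 --containerd=/run/containerd/containerd.sock
EOF
cat > "$demo/daemon.json" <<'EOF'
{ "insecure-registries": ["registry.example.internal:5000"] }
EOF
report_insecure "$demo/docker.service" "$demo/daemon.json" "$demo/certs.d"
rm -rf "$demo"
```

On a real client the arguments would be /usr/lib/systemd/system/docker.service, /etc/docker/daemon.json and /etc/docker/certs.d.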

  • Maintain and manage Harbor: you can use docker-compose to manage Harbor. Some useful commands are shown below; they must be run in the same directory as docker-compose.yml.
  • Modify the harbor.cfg configuration file: to change Harbor's configuration, first stop the existing Harbor instance and update harbor.cfg; then run the prepare script to populate the configuration; finally, recreate and start the Harbor instance.
docker-compose down -v
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor

vim harbor.cfg

./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

//Error reported:
docker-compose up -d
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-25094fc09b3c -j RETURN: iptables: No chain/target/match by that name.
 (exit status 1))
//Solution: after the firewall has been turned off, Docker needs to be restarted
systemctl restart docker
docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db          ... done
Creating harbor-adminserver ... done
Creating registry           ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done
Create a Harbor user


//Create a project developer


//Operate on the client

[root@client ~]# docker rmi 192.168.195.128/myproject-kgc/cirros:v2
Untagged: 192.168.195.128/myproject-kgc/cirros:v2
Untagged: 192.168.195.128/myproject-kgc/cirros@sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd

//Log out

[root@client ~]# docker logout 192.168.195.128
Removing login credentials for 192.168.195.128

[root@client ~]# docker login 192.168.195.128
Username: kgc-zhangsan
Password:    //Complete harbor 1234
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@client ~]# docker pull 192.168.195.128/myproject-kgc/cirros:v1
v1: Pulling from myproject-kgc/cirros
Digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
Status: Downloaded newer image for 192.168.195.128/myproject-kgc/cirros:v1
192.168.195.128/myproject-kgc/cirros:v1
[root@client ~]# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
192.168.195.128/myproject-kgc/cirros   v1                  bc94bceaae77        11 months ago       10.3MB
cirros                                 latest              bc94bceaae77        11 months ago       10.3MB

Remove the Harbor service containers while retaining the image data/database
//Operate on the Harbor server
docker-compose down -v
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping registry           ... done
Stopping harbor-db          ... done
Stopping harbor-adminserver ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing registry           ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing harbor-log         ... done
Removing network harbor_harbor
If redeployment is required, all data of the Harbor service containers needs to be removed.
Persistent data, such as images and the database, is stored in the /data/ directory on the host, and logs are in the
/var/log/harbor/ directory on the host.
rm -rf /data/database/
rm -rf /data/registry/


Posted by misty on Thu, 12 May 2022 07:15:09 +0300