Harbor: deploying an enterprise private Docker registry

1, Overview

Harbor is an enterprise-class Registry server used to store and distribute Docker images. It extends the open source Docker Distribution with features that enterprises need, such as security, identity and management. As an enterprise private Registry server, Harbor provides better performance and security, and makes it more efficient for users to transfer images through the Registry when building and running environments. Harbor supports replicating image resources across multiple Registry nodes. All images are kept in the private Registry, so that data and intellectual property stay under control inside the company's internal network. In addition, Harbor provides advanced security features such as user management, access control and activity auditing.

2, Characteristics

1. Role-based access control - users and Docker image repositories are organized and managed through "projects". A user can have different permissions on multiple image repositories in the same namespace (project).

2. Image replication - an image can be replicated (synchronized) across multiple registries. This is especially suitable for load balancing, high availability, hybrid cloud and multi-cloud scenarios.

3. Graphical user interface - users can browse and search the current Docker image repositories from a web browser, and manage projects and namespaces.

4. AD/LDAP support - Harbor can integrate with the enterprise's existing AD/LDAP for authentication management.

5. Audit management - all operations on the image repositories can be recorded and traced for audit management.

6. Internationalization - localized versions are available in English, Chinese, German, Japanese and Russian. More languages will be added.

7. RESTful API - the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.

8. Simple deployment - online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA mode).

3, Harbor registry structure

Harbor consists roughly of the following containers:

  • ui: Harbor's core service
  • log: the container running rsyslog for log collection
  • mysql: a database container built from the official mysql image
  • nginx: uses nginx as the reverse proxy
  • registry: the official Docker registry
  • adminserver: Harbor's configuration data manager
  • jobservice: Harbor's task management service
  • redis: used to store sessions

4, Deploy Harbor

1. Environment preparation

Software: harbor-offline-installer-v1.2.2.tgz

Harbor: 192.168.245.209
Verification host: 192.168.245.210

Note: all of Harbor's service components are deployed in Docker, and the official installation uses docker-compose for rapid deployment, so Docker and docker-compose must be installed first. Because Harbor is based on Docker Registry V2, the Docker version must be no lower than 1.10.0 and the docker-compose version no lower than 1.6.0.

Put docker-compose in the /usr/local/bin/ directory and add execute permission

[root@localhost ~]# cd /usr/local/bin/
[root@localhost bin]# chmod +x docker-compose 

2. Install harbor

[root@harbor ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common                    docker-compose.notary.yml  harbor_1_1_0_template  harbor.v1.2.2.tar.gz  LICENSE  prepare
docker-compose.clair.yml  docker-compose.yml         harbor.cfg             install.sh            NOTICE   upgrade
[root@harbor harbor]# 

3. Modify the configuration file

[root@harbor harbor]# vim harbor.cfg 

hostname = 192.168.245.209
# hostname sets the access address. You can use an IP address or a domain name, but not 127.0.0.1 or localhost

4. Start Harbor

After modifying the configuration file, run ./install.sh in the current directory. Based on docker-compose.yml, the Harbor services download the images they depend on, then check and start each service in sequence

[root@harbor harbor]# sh install.sh

[Step 0]: checking installation environment ...

Note: docker version: 19.03.13

Note: docker-compose version: 1.21.1
......
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db          ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.245.209. 
For more details, please visit https://github.com/vmware/harbor .

All Harbor services should be in the up state

[root@harbor harbor]# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                                              NAMES
0cc23da70eee        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   2 minutes ago       Up 2 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
f261f9d42963        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   2 minutes ago       Up 2 minutes                                                                           harbor-jobservice
053a2d713176        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      2 minutes ago       Up 2 minutes                                                                           harbor-ui
cf14e259e502        vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   2 minutes ago       Up 2 minutes        5000/tcp                                                           registry
ada21113ee19        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   2 minutes ago       Up 2 minutes                                                                           harbor-adminserver
ff078a1d03d0        vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   2 minutes ago       Up 2 minutes        3306/tcp                                                           harbor-db
efca0ac37509        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   2 minutes ago       Up 2 minutes        127.0.0.1:1514->514/tcp                                            harbor-log
[root@harbor harbor]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-log           v1.2.2              36ef78ae27df        2 years ago         200MB
vmware/harbor-jobservice    v1.2.2              e2af366cba44        2 years ago         164MB
vmware/harbor-ui            v1.2.2              39efb472c253        2 years ago         178MB
vmware/harbor-adminserver   v1.2.2              c75963ec543f        2 years ago         142MB
vmware/harbor-db            v1.2.2              ee7b9fa37c5d        2 years ago         329MB
vmware/nginx-photon         1.11.13             6cc5c831fc7f        2 years ago         144MB
vmware/registry             2.6.2-photon        5d9100e4350e        3 years ago         173MB
vmware/postgresql           9.6.4-photon        c562762cbd12        3 years ago         225MB
vmware/clair                v2.0.1-photon       f04966b4af6c        3 years ago         297MB
vmware/harbor-notary-db     mariadb-10.1.10     64ed814665c6        3 years ago         324MB
vmware/notary-photon        signer-0.5.0        b1eda7d10640        3 years ago         156MB
vmware/notary-photon        server-0.5.0        6e2646682e3c        3 years ago         157MB
photon                      1.0                 e6e4e4a2ba1b        4 years ago         128MB
[root@harbor harbor]# 

If Harbor cannot be accessed at this point, restart Docker and then restart the Harbor services

[root@harbor harbor]# systemctl restart docker

5. Log in to Harbor

From the physical host, browse to http://192.168.245.209; the login page appears

Because Harbor's web service uses port 80 of the host, entering the host's IP address in the browser opens Harbor's web management page directly

The account is admin and the password is the value of harbor_admin_password in the configuration file above (Harbor12345 by default)

6. New project


7. Push an image to the private registry

Log in to the Harbor server as the administrator

[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Pull an nginx image and retag it. The name is 127.0.0.1/sheng/nginx and the tag is v1

[root@harbor harbor]# docker pull nginx
[root@harbor harbor]# docker tag nginx:latest 127.0.0.1/sheng/nginx:v1
[root@harbor harbor]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
127.0.0.1/sheng/nginx       v1                  7e4d58f0e5f3        13 days ago         133MB
nginx                       latest              7e4d58f0e5f3        13 days ago         133MB

Upload image

[root@harbor harbor]# docker push 127.0.0.1/sheng/nginx
The push refers to repository [127.0.0.1/sheng/nginx]
908cf8238301: Pushed 
eabfa4cd2d12: Pushed 
60c688e8765e: Pushed 
f431d0917d41: Pushed 
07cab4339852: Pushed 
v1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362

Open the web page and check the sheng project. It now contains the nginx image we just pushed

8. Push images from other hosts to the private registry

On the verification host, log in to the private registry as the administrator user

[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.245.209
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.245.209/v2/: dial tcp 192.168.245.209:443: connect: connection refused
[root@localhost ~]# 

Solution:
First method:

[root@localhost ~]# vim /usr/lib/systemd/system/docker.service 
[root@localhost ~]# 

ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.245.209 --containerd=/run/containerd/containerd.sock

[root@localhost ~]# systemctl daemon-reload 
[root@localhost ~]# systemctl restart docker

Second method:

[root@docker ~]# vim /etc/docker/daemon.json
{
    "insecure-registries": ["192.168.245.209"]
}

Restart Docker

[root@docker ~]# systemctl restart docker

Log in again

[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.245.209
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

First pull an image locally

[root@localhost ~]# docker pull centos:7
7: Pulling from library/centos
75f829a71a1c: Pull complete 
Digest: sha256:19a79828ca2e505eaee0ff38c2f3fd9901f4826737295157cc5212b7a372cd2b
Status: Downloaded newer image for centos:7
docker.io/library/centos:7

Retag the image

[root@localhost ~]# docker tag centos:7 192.168.245.209/sheng/centos7:v1
[root@localhost ~]# docker images
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
192.168.245.209/sheng/centos7   v1                  7e6257c9f8d8        6 weeks ago         203MB
centos                          7                   7e6257c9f8d8        6 weeks ago         203MB

Push to the private registry

[root@localhost ~]# docker push 192.168.245.209/sheng/centos7
The push refers to repository [192.168.245.209/sheng/centos7]
613be09ab3c0: Pushed 
v1: digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9 size: 529
[root@localhost ~]# 

On the web page, verify that the centos7 image is present

9. Pull an image

Pull the image on the Harbor server (or on other hosts). Because the private registry is local to this server, use the loopback address

[root@harbor harbor]# docker pull 127.0.0.1/sheng/centos7:v1
v1: Pulling from sheng/centos7
75f829a71a1c: Pull complete 
Digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9
Status: Downloaded newer image for 127.0.0.1/sheng/centos7:v1
127.0.0.1/sheng/centos7:v1
[root@harbor harbor]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
127.0.0.1/sheng/nginx       v1                  7e4d58f0e5f3        13 days ago         133MB
nginx                       latest              7e4d58f0e5f3        13 days ago         133MB
127.0.0.1/sheng/centos7     v1                  7e6257c9f8d8        6 weeks ago         203MB

10. New user

On the web page, create a new developer user zhangsan with password Harbor12345 for the project

Log in as zhangsan on the host, logging out of the administrator account first

[root@localhost ~]# docker logout 192.168.245.209
Removing login credentials for 192.168.245.209

[root@localhost ~]# docker login 192.168.245.209
Username: zhangsan
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
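
The steps so far leave three things in place that a review would flag: the default harbor_admin_password, an insecure-registry entry, and the password that docker login warns is stored unencrypted. The check below is an added example (not part of the original post or of Harbor) that takes the text of harbor.cfg, /etc/docker/daemon.json and ~/.docker/config.json and reports them. ui_url_protocol is a harbor.cfg key not shown on this page, and the sample inputs are constructed.

```python
import base64
import json
import re

DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # default value shown in this walkthrough


def cfg_value(cfg_text, key):
    """Read `key = value` from harbor.cfg text; commented-out lines do not match."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*(\S+)", cfg_text, re.M)
    return m.group(1) if m else None


def audit(harbor_cfg, daemon_json, docker_config_json):
    """Return a list of findings for the three files this procedure touches."""
    findings = []
    if cfg_value(harbor_cfg, "harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor.cfg: harbor_admin_password is still the default")
    if (cfg_value(harbor_cfg, "ui_url_protocol") or "").lower() == "http":
        findings.append("harbor.cfg: ui_url_protocol is http, logins cross the network in clear text")
    # /etc/docker/daemon.json: every registry listed here is used without TLS verification.
    for reg in json.loads(daemon_json or "{}").get("insecure-registries", []):
        findings.append(f"daemon.json: {reg} is trusted without TLS")
    # ~/.docker/config.json: without a credential helper, "auth" is only
    # base64("user:password"), which is what the docker login warning refers to.
    cfg = json.loads(docker_config_json or "{}")
    for host, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            findings.append(f"config.json: password for {user}@{host} stored base64-encoded")
    return findings


# Constructed sample inputs mirroring the state this walkthrough leaves behind.
SAMPLE_HARBOR_CFG = """\
# constructed excerpt
hostname = 192.168.245.209
ui_url_protocol = http
harbor_admin_password = Harbor12345
"""
SAMPLE_DAEMON_JSON = '{"insecure-registries": ["192.168.245.209"]}'
SAMPLE_DOCKER_CONFIG = json.dumps(
    {"auths": {"192.168.245.209": {"auth": base64.b64encode(b"zhangsan:Harbor12345").decode()}}}
)

if __name__ == "__main__":
    for line in audit(SAMPLE_HARBOR_CFG, SAMPLE_DAEMON_JSON, SAMPLE_DOCKER_CONFIG):
        print("[!]", line)
```

An empty result means the admin password was changed, the registry is reached over verified TLS, and credentials are held by a credential helper rather than in config.json.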

11. Delete an image

Note: it is the local image that is deleted here

[root@localhost ~]# docker rmi 192.168.245.209/sheng/centos7:v1 
Untagged: 192.168.245.209/sheng/centos7:v1
Untagged: 192.168.245.209/sheng/centos7@sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9
[root@localhost ~]# 
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              7                   7e6257c9f8d8        6 weeks ago         203MB

12. Stopping and starting

[root@harbor harbor]# docker-compose down -v    # -v: while stopping the containers, also delete the data volumes defined in the compose file and the anonymous volumes attached to the containers
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping registry           ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing registry           ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing harbor-log         ... done
Removing network harbor_harbor
[root@harbor harbor]# docker-compose up -d    # -d: run the service containers in the background as daemons
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating harbor-db          ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ... done

Note: when a project is set to public, anyone has read permission on the images in that project. Command-line users can pull images from the project without running "docker login".

If you need to modify the Harbor configuration file harbor.cfg, note that Harbor is orchestrated with docker-compose, so we can restart Harbor with docker-compose commands.

Tags: Docker harbor

Posted by rhiza on Sun, 15 May 2022 11:07:54 +0300