1. Introduction to Harbor
- Harbor is an open source, enterprise-class Docker registry project started by VMware. The project address is https://github.com/vmware/harbor (the project has since moved to https://github.com/goharbor/harbor).
- Harbor's goal is to help users quickly stand up an enterprise-grade Docker Registry service.
- Building on the open source Docker registry (Distribution), Harbor adds the functions enterprise users need: a management UI, role-based access control, AD/LDAP integration and audit logging. The UI is also available in Chinese.
- Every Harbor component runs as a Docker container, and the whole stack is deployed with Docker Compose. The Compose template is the docker-compose.yml file in the directory the installer is unpacked into (/usr/local/harbor/docker-compose.yml in this guide; the exact path depends on where you extract the package).
1.1 Basic features of Harbor
- Role-based access control: users and image repositories are organized and managed through "projects". A user can hold different permissions on different repositories within the same namespace (project).
- Graphical user interface: users can browse and search the registry from a browser and manage projects and namespaces.
- Audit management: every operation against the image repositories is logged and can be traced back for auditing.
- Image replication: images can be replicated between multiple Harbor instances according to a replication policy.
- LDAP authentication: Harbor can authenticate against an existing user directory (AD/LDAP) instead of keeping its own user database.
- Image deletion and garbage collection: images can be deleted and the storage they occupied reclaimed.
- Simple deployment: Harbor ships as an online installer, an offline installer and a virtual appliance.
- Relationship between Harbor and Docker Registry: Harbor wraps the stock Docker Registry and adds its own business layer (UI, authentication, audit, replication) on top of it.
1.2 Simple architecture diagram of Harbor
The components in the diagram are the ones that appear in the container list in section 2.2: an nginx reverse proxy in front, the UI, adminserver and jobservice components, the MySQL database, the registry itself and a log collector.
1.3 Harbor configuration file (harbor.cfg) parameters
- Required parameters: these must be set in harbor.cfg. If you change one of them, re-run install.sh to reinstall Harbor; the new values take effect only after that. They are:
  hostname: the address used to reach the UI and the registry service. It must be the target machine's IP address or fully qualified domain name (FQDN), for example 192.168.195.128 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname; it is the address Docker clients on other hosts will connect to.
  ui_url_protocol: http or https (default http). The protocol used to reach the UI and the token/notification services. With http, logins, tokens and image layers all cross the network in the clear. If Notary is enabled this parameter must be https.
  max_job_workers: maximum number of worker threads for image replication jobs.
  db_password: root password of the MySQL database used by db_auth.
  customize_crt: on or off (default on). When on, the prepare script creates the private key and root certificate used to generate and validate registry tokens. Set it to off when the key and root certificate are provided from an external source.
  ssl_cert: path to the SSL certificate; only used when ui_url_protocol is https.
  secretkey_path: path to the key used to encrypt and decrypt the remote registry password stored in replication policies.
- Optional parameters: these can be left at their defaults and changed later in the Web UI after Harbor is running. Values written to harbor.cfg take effect only on Harbor's first start; after that, further changes to these parameters in harbor.cfg are ignored. One restriction: once the system contains any user other than the default admin, auth_mode can no longer be changed. They are:
  email settings: needed only if Harbor should send "password reset" mails to users. Note that SSL is not enabled by default; if the SMTP server requires SSL but does not support STARTTLS, enable it with email_ssl = true.
  harbor_admin_password: initial administrator password, effective only on first start. Afterwards it is ignored and the admin password must be changed in the UI. The default login is admin / Harbor12345, which is public knowledge; change it before the registry is reachable by anyone else.
  auth_mode: authentication type. The default is db_auth, i.e. credentials are stored in Harbor's database. For LDAP authentication set it to ldap_auth.
  self_registration: enables or disables self-service user registration. When disabled, new users can only be created by an administrator. Note: with auth_mode set to ldap_auth, self-registration is always disabled and this flag is ignored.
  token_expiration: lifetime in minutes of the tokens issued by the token service; default 30 minutes.
  project_creation_restriction: controls which users may create projects. By default everyone can; set it to "adminonly" to restrict project creation to administrators.
  verify_remote_cert: on or off (default on). Determines whether Harbor verifies the remote registry's SSL/TLS certificate when replicating to it. Setting it to off bypasses certificate verification; this is often done when the remote instance has a self-signed or untrusted certificate, but it also means replication credentials and images can be sent to an impersonated endpoint, so prefer trusting the remote's CA instead.
- By default Harbor stores images on the local file system. In a production environment, consider another storage backend instead, such as S3, OpenStack Swift or Ceph. This requires updating common/templates/registry/config.yml.
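The following bash script is an added example, not part of the original page or of the Harbor project. It audits a harbor.cfg for the settings discussed in this section that weaken a deployment (a plaintext ui_url_protocol, the default admin password, open self-registration, unrestricted project creation, disabled remote certificate verification, a loopback hostname), judging unset keys by the defaults given above. The sample configuration it writes to a temporary file is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not Harbor's own tooling): flag weak settings in a harbor.cfg.
# Parameter names and defaults are the ones described in section 1.3.

# cfg_get FILE KEY: print the value of "KEY = value" (first match, comment
# lines ignored, surrounding whitespace stripped); prints nothing if unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_harbor_cfg FILE: print one finding per line. Unset keys are judged by
# their documented defaults (http, self_registration on, everyone, on).
# Always returns 0 so callers can capture the output.
audit_harbor_cfg() {
    cfg="$1"

    proto=$(cfg_get "$cfg" ui_url_protocol); proto=${proto:-http}
    [ "$proto" = https ] || echo "ui_url_protocol=$proto: logins, tokens and layers cross the network in clear text; set https and ssl_cert"

    pw=$(cfg_get "$cfg" harbor_admin_password)
    [ -n "$pw" ] && [ "$pw" != Harbor12345 ] || echo "harbor_admin_password is unset or the public default Harbor12345; it is only honoured on first start, so change it before install.sh"

    sr=$(cfg_get "$cfg" self_registration); sr=${sr:-on}
    [ "$sr" = off ] || echo "self_registration=$sr: anyone who can reach the UI can create an account"

    pcr=$(cfg_get "$cfg" project_creation_restriction); pcr=${pcr:-everyone}
    [ "$pcr" = adminonly ] || echo "project_creation_restriction=$pcr: any user can create projects; consider adminonly"

    vrc=$(cfg_get "$cfg" verify_remote_cert); vrc=${vrc:-on}
    [ "$vrc" = on ] || echo "verify_remote_cert=$vrc: replication targets' TLS certificates are not checked"

    case "$(cfg_get "$cfg" hostname)" in
        ""|localhost|127.0.0.1) echo "hostname must be the host's IP or FQDN, not localhost/127.0.0.1" ;;
    esac
    return 0
}

# Demo on a constructed file resembling the harbor.cfg edited in section 2.1.
demo=$(mktemp)
cat > "$demo" <<'EOF'
hostname = 192.168.233.100
ui_url_protocol = http
harbor_admin_password = Harbor12345
self_registration = on
project_creation_restriction = everyone
EOF
audit_harbor_cfg "$demo"   # prints four findings
rm -f "$demo"
```

Run it as `audit_harbor_cfg /usr/local/harbor/harbor.cfg` before install.sh; an empty output means none of the checks above fired, not that the file is otherwise correct.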
2. Installing and configuring a Harbor private registry
2.1 Installing the Harbor private registry
- Prepare the installation package harbor-offline-installer-v1.2.2.tgz, unpack it and edit harbor.cfg:

[root@localhost ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# ls
common  docker-compose.clair.yml  docker-compose.notary.yml  docker-compose.yml  harbor_1_1_0_template  harbor.cfg  harbor.v1.2.2.tar.gz  install.sh  LICENSE  NOTICE  prepare  upgrade
[root@localhost harbor]# vim harbor.cfg
hostname = 192.168.233.100                  ## change to this machine's IP address or FQDN
harbor_admin_password = Harbor12345         ## administrator's initial password; Harbor12345 is the public default, so set your own here
project_creation_restriction = everyone     ## everyone may create projects; change to adminonly to restrict project creation to administrators
[root@localhost harbor]# sh install.sh      ## Docker and docker-compose must already be installed to start Harbor
2.2 Images and containers created by starting Harbor
[root@localhost harbor]# docker ps -a      ## list the started containers
CONTAINER ID   IMAGE                              COMMAND                    CREATED              STATUS              PORTS                                                              NAMES
580791b938ce   vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   About a minute ago   Up About a minute                                                                      harbor-jobservice
547a4f956e3c   vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
ff5cf743205e   vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"        About a minute ago   Up About a minute                                                                      harbor-ui
fd1c60bc3018   vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   About a minute ago   Up About a minute   3306/tcp                                                           harbor-db
6e143759221c   vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   About a minute ago   Up About a minute                                                                      harbor-adminserver
bd363e04d04b   vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   About a minute ago   Up About a minute   5000/tcp                                                           registry
335257d810e3   vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   About a minute ago   Up About a minute   127.0.0.1:1514->514/tcp                                            harbor-log

Only the nginx proxy publishes ports on the host (80, 443 and 4443, the last for Notary); the database (3306) and the registry (5000) stay on the internal Compose network and are reachable only through the proxy, and the log collector listens on 127.0.0.1:1514 only.

[root@localhost harbor]# docker images     ## list the images
REPOSITORY                  TAG               IMAGE ID       CREATED       SIZE
vmware/harbor-log           v1.2.2            36ef78ae27df   2 years ago   200MB
vmware/harbor-jobservice    v1.2.2            e2af366cba44   2 years ago   164MB
vmware/harbor-ui            v1.2.2            39efb472c253   2 years ago   178MB
vmware/harbor-adminserver   v1.2.2            c75963ec543f   2 years ago   142MB
vmware/harbor-db            v1.2.2            ee7b9fa37c5d   2 years ago   329MB
vmware/nginx-photon         1.11.13           6cc5c831fc7f   2 years ago   144MB
vmware/registry             2.6.2-photon      5d9100e4350e   3 years ago   173MB
vmware/postgresql           9.6.4-photon      c562762cbd12   3 years ago   225MB
vmware/clair                v2.0.1-photon     f04966b4af6c   3 years ago   297MB
vmware/harbor-notary-db     mariadb-10.1.10   64ed814665c6   3 years ago   324MB
vmware/notary-photon        signer-0.5.0      b1eda7d10640   3 years ago   156MB
vmware/notary-photon        server-0.5.0      6e2646682e3c   3 years ago   157MB
photon                      1.0               e6e4e4a2ba1b   4 years ago   128MB
2.3 Accessing the service site
Visit 192.168.233.100 in a browser. The default login is admin / Harbor12345. Change the admin password at first login: harbor_admin_password in harbor.cfg is ignored after the first start, so from now on the UI is the only place it can be changed. Then create a new project named centos on the site.
2.4 Downloading and uploading images
[root@localhost harbor]# docker pull centos:7                                    ## download the image
[root@localhost harbor]# docker tag centos:7 192.168.233.100/centos/centos:v1    ## tag it for the Harbor project "centos"
[root@localhost harbor]# docker push 192.168.233.100/centos/centos:v1
## Pushing via the IP address fails with a connection refused on port 443: the Docker daemon only speaks HTTPS to registries by default, while this Harbor instance was installed with ui_url_protocol = http. The mismatch is dealt with in section 2.5.
## Docker treats 127.0.0.1 as an insecure registry automatically, so on the Harbor host itself the loopback address works without further configuration:
[root@localhost harbor]# docker tag centos:7 127.0.0.1/centos/centos:v1
[root@localhost harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1   ## log in to the registry (the CLI warns that -p exposes the password; prefer --password-stdin)
[root@localhost harbor]# docker push 127.0.0.1/centos/centos:v1                  ## upload the image
## Refresh the web site: the centos project now contains the image.
[root@localhost harbor]# docker logout 127.0.0.1                                 ## log out of the registry (docker logout + registry address)
2.5 Logging in and pushing from other nodes
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.233.100
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.233.100/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
## The daemon insists on HTTPS, which this Harbor instance does not serve. The quick fix used here is to declare the Harbor host an insecure registry in the Docker daemon's systemd unit: on line 14 (the ExecStart line) add --insecure-registry 192.168.233.100, where the address is the Harbor host.
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.233.100 --containerd=/run/containerd/containerd.sock
[root@localhost ~]# systemctl daemon-reload     ## reload the unit files
[root@localhost ~]# systemctl restart docker    ## restart Docker
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.233.100
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded     ## login successful
- Caveat: --insecure-registry (the same setting can be written as "insecure-registries" in /etc/docker/daemon.json) lets the daemon fall back to unverified TLS and then to plain HTTP, so the admin credentials and every image layer now travel across the network unprotected and can be read or replaced by anyone on the path. That is acceptable in a lab; for anything else, set ui_url_protocol = https with ssl_cert in harbor.cfg and distribute the certificate's CA to each client as /etc/docker/certs.d/192.168.233.100/ca.crt instead. Also heed the two warnings above: feed the password with --password-stdin rather than -p (which lands in the shell history), and configure a credential helper so the password is not kept base64-encoded in /root/.docker/config.json.
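The next bash script is another added example, not from the page, Harbor or Docker. It classifies how a Docker daemon will reach a registry host by inspecting the three places the decision lives: an "insecure-registries" entry in /etc/docker/daemon.json, an --insecure-registry flag on the ExecStart line of the systemd unit edited above, or a CA installed as /etc/docker/certs.d/<host>/ca.crt (verified HTTPS). An insecure listing is reported even when a CA is also present, because the fallback it enables undermines the CA. The file locations are parameters so the check can be pointed at copied files; the files created in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not Docker's or Harbor's own tooling): report how a Docker
# daemon is configured to trust a registry host. Defaults are the real
# locations on a systemd host; pass other paths to inspect copied files.

# registry_trust_mode HOST [CERTS_DIR] [DAEMON_JSON] [UNIT_FILE]
# Prints exactly one word:
#   insecure     HOST is an insecure registry (daemon.json or --insecure-registry):
#                the daemon may fall back to unverified TLS or plain HTTP, which
#                is reported even if a CA for HOST is also installed
#   ca-trusted   a CA for HOST is installed under certs.d: HTTPS, verified
#   default-tls  none of the above: a publicly trusted HTTPS certificate is required
registry_trust_mode() {
    host="$1"
    certs_dir="${2:-/etc/docker/certs.d}"
    daemon_json="${3:-/etc/docker/daemon.json}"
    unit_file="${4:-/usr/lib/systemd/system/docker.service}"
    host_re=$(printf '%s' "$host" | sed 's/[.]/\\./g')   # escape dots for the regex below

    # daemon.json: "insecure-registries": ["192.168.233.100", ...]
    if [ -f "$daemon_json" ] && tr -d '\n' < "$daemon_json" \
         | grep -o '"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*]' \
         | grep -qF "\"$host\""; then
        echo insecure; return 0
    fi
    # systemd unit: ExecStart=/usr/bin/dockerd ... --insecure-registry HOST ...
    if [ -f "$unit_file" ] && grep '^ExecStart=' "$unit_file" \
         | grep -Eq -e "--insecure-registry[= ]$host_re([[:space:]]|$)"; then
        echo insecure; return 0
    fi
    if [ -s "$certs_dir/$host/ca.crt" ]; then
        echo ca-trusted; return 0
    fi
    echo default-tls
    return 0
}

# Demo against the live host (prints default-tls on a machine without Docker).
registry_trust_mode 192.168.233.100
```

After the unit edit in this section, `registry_trust_mode 192.168.233.100` prints insecure on the client; after switching Harbor to https and installing its CA under certs.d (and removing the insecure listing) it prints ca-trusted.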
2.6 Downloading images from the private registry
[root@localhost ~]# docker pull nginx
[root@localhost ~]# docker tag nginx:latest 192.168.233.100/centos/nginx:v1
[root@localhost ~]# docker push 192.168.233.100/centos/nginx:v1
[root@localhost ~]# docker pull 192.168.233.100/centos/centos:v1     ## download the image from the private registry
v1: Pulling from centos/centos
75f829a71a1c: Pull complete
Digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9
Status: Downloaded newer image for 192.168.233.100/centos/centos:v1
192.168.233.100/centos/centos:v1
- In the web UI the pull count of the image has increased by 1. The Digest line identifies the exact content received; pulling by digest (192.168.233.100/centos/centos@sha256:...) instead of by tag pins that content, since a tag such as v1 can be re-pushed to point at a different image.
2.7 Creating a new member and adding it to the project
2.9 Starting and stopping the Compose stack
Run these from the Harbor directory (/usr/local/harbor), where docker-compose.yml lives:
docker-compose up -d      ## start all services defined in docker-compose.yml
docker-compose down -v    ## stop and remove all services; -v also removes the volumes declared in the compose file and the containers' anonymous volumes, so omit it unless you intend to discard that data