harbor private warehouse summary

1, Introduction to Harbor

  • Harbor is an open source enterprise dockerregistry (warehouse) project of VMware. The project address is https://github.com/vmware/harbor.
  • Harbor's goal is to help users quickly build an enterprise level DockerRegistry service.
  • Based on docker's open source registry, Harbor provides functions required by enterprise users such as management UI, role-based access control, AD/LDAP integration, and audit logging. At the same time, it supports Chinese.
  • Each component of harbor is built in the form of Docker container, and Docker compose is used to deploy it. The Docker compose template for deploying harbor is located at / usr / local / bin / Harbor / Docker compose YML (custom)

1.1 basic characteristics of harbor

  • Role based control: users and Docker image warehouses are organized and managed through "projects". A user can have different permissions on multiple image warehouses in the unified namespace (projec)
  • Graphical user interface: users can browse through the browser, retrieve the current Docker image warehouse, and manage projects and namespaces
  • Audit management: all the mistakes in the angrily mirrored warehouse can be recorded and traced for audit management
  • Image based replication strategy: images can be replicated between multiple Harbor instances.
  • Support LDAP authentication: Harbor user authorization can use existing users.
  • image deletion and garbage collection: images can be deleted and the space occupied by images can be recycled.
  • Simple deployment function: harbor provides online and offline installation, as well as virtual appliance installation
  • Relationship between harbor and docker registry: Harbor essentially encapsulates docker registry and expands its own business template.

1.2 simple structure diagram of harbor

1.3 harbor profile parameters

  • Required parameters: these parameters need to be in the configuration file harbor Set in CFG. If the user updates them and runs install The SH script reinstalls Harbour and the parameters will take effect. Specific parameters are as follows:
hostname: Used to access the user interface and register Service. It should be the target machine IP Address or fully qualified domain name( FQDN),For example 192.168.195.128 or hub.kgc.cn. Do not use localhost Or 127.0.0.1 Is the host name.

ui_url_protocol: (http or https,Default to http)For access UI And token/Agreement for notification services. If notarization is enabled, this parameter must be https. 

max_job_workers: Mirror copy job thread.

db_password: be used for db_auth of MySQL database root User's password.

customize_crt: This property can be set to on or off. It is on by default. When this property is turned on, prepare the script to create the private key and root certificate for generation/Validate registry token.

Set this property to when the key and root certificate are provided by an external source off. 

ssl_cert: SSL Path to the certificate, only if the protocol is set to https Apply only when.

secretkey_path: Used to encrypt or decrypt remote data in a replication policy register The key path of the password.
  • Optional parameters: these parameters are optional for updating, that is, users can keep them as default values and update them on the Web UI after starting Harbor. If you enter Harbor CFG, which will only take effect when Harbor is started for the first time, and then update these parameters, Harbor CFG will be ignored.
auth_mode. When there are users in the system (except the default admin User), auth_mode Cannot be modified. Specific parameters are as follows:
Email: Harbor This parameter is required to send a "password reset" email to the user and only if this function is required.
## Note that SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, SSL email should be enabled by setting_ ssl = TRUE. 
harbour_admin_password: The initial password of the administrator, only in Harbour Effective on first start-up. After that, this setting will be ignored and should be UI Set the administrator's password in.
## Note that the default username / password is admin/Harbor12345.
auth_mode: The authentication type used. By default, it is db_auth,That is, the credentials are stored in the database. about LDAP Authentication, please set it to ldap_auth. 
self_registration: Enable/Disable user registration. When disabled, new users can only be Admin Created by user, only administrator users can Harbour Create a new user in.
##Note: when auth_ Set mode to LDAP_ When auth, the self registration function will always be disabled, and this flag is ignored.
Token_expiration: The expiration time (minutes) of the token created by the token service. The default is 30 minutes.
project_creation_restriction: Flag that controls which users have permission to create items. By default, everyone can create a project.
If its value is set to“ adminonly",So only admin You can create projects.
verify_remote_cert: On or off, on by default. This flag determines when Harbor With remote register Whether the instance is verified during communication SSL/TLS Certificate.
Set this property to off Will bypass SSL/TLS Authentication, which is often used when the remote instance has a self signed or untrusted certificate.
In addition, by default, Harbour Store the image on the local file system. In a production environment, you can consider using other storage back ends instead of local file systems,
as S3,Openstack Swif,Ceph Wait. But it needs to be updated common/templates/registry/config.yml Documents.

2, Installation and configuration of Harbor private warehouse

2.1 installation of harbor private warehouse

- prepare harbor-offline-installer-v1.2.2.tgz Installation package
[root@localhost ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz  -C /usr/local/
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# ls
common  docker-compose.clair.yml  docker-compose.notary.yml  docker-compose.yml  harbor_1_1_0_template  harbor.cfg  harbor.v1.2.2.tar.gz  install.sh  LICENSE  NOTICE  prepare  upgrade
[root@localhost harbor]# vim harbor.cfg 
hostname = 192.168.233.100    ## Change cost machine address
harbor_admin_password = Harbor12345    ## Administrator's default password Harbor12345
project_creation_restriction = everyone   ## Everyone is allowed to create projects. If it is changed to adminonly, only administrators can create projects

[root@localhost harbor]# sh install.sh   ## Docker and docker compose are required to start Harbor

2.2 view the image and container created by starting Harbor

[root@localhost harbor]# docker ps -a   ## View started containers
CONTAINER ID        IMAGE                              COMMAND                  CREATED              STATUS              PORTS                                                              NAMES
580791b938ce        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   About a minute ago   Up About a minute                                                                      harbor-jobservice
547a4f956e3c        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
ff5cf743205e        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      About a minute ago   Up About a minute                                                                      harbor-ui
fd1c60bc3018        vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   About a minute ago   Up About a minute   3306/tcp                                                           harbor-db
6e143759221c        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   About a minute ago   Up About a minute                                                                      harbor-adminserver
bd363e04d04b        vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   About a minute ago   Up About a minute   5000/tcp                                                           registry
335257d810e3        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   About a minute ago   Up About a minute   127.0.0.1:1514->514/tcp                                            harbor-log
[root@localhost harbor]# docker images    ## View mirror
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-log           v1.2.2              36ef78ae27df        2 years ago         200MB
vmware/harbor-jobservice    v1.2.2              e2af366cba44        2 years ago         164MB
vmware/harbor-ui            v1.2.2              39efb472c253        2 years ago         178MB
vmware/harbor-adminserver   v1.2.2              c75963ec543f        2 years ago         142MB
vmware/harbor-db            v1.2.2              ee7b9fa37c5d        2 years ago         329MB
vmware/nginx-photon         1.11.13             6cc5c831fc7f        2 years ago         144MB
vmware/registry             2.6.2-photon        5d9100e4350e        3 years ago         173MB
vmware/postgresql           9.6.4-photon        c562762cbd12        3 years ago         225MB
vmware/clair                v2.0.1-photon       f04966b4af6c        3 years ago         297MB
vmware/harbor-notary-db     mariadb-10.1.10     64ed814665c6        3 years ago         324MB
vmware/notary-photon        signer-0.5.0        b1eda7d10640        3 years ago         156MB
vmware/notary-photon        server-0.5.0        6e2646682e3c        3 years ago         157MB
photon                      1.0                 e6e4e4a2ba1b        4 years ago         128MB

2.3 access to service sites

Visit service site 192.168.233.100   The default password is admin  and Harbor12345
 Create a new project on the site centos

2.4 downloading and uploading images

[root@localhost harbor]# docker pull centos:7      ## Download Image
[root@localhost harbor]# docker tag centos:7 192.168.233.100/centos/centos:v1 ## Image labeling
[root@localhost harbor]# docker push 192.168.233.100/centos/centos
[root@localhost harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1 ## login to docker
[root@localhost harbor]# docker push 127.0.0.1/centos/centos:v1  ## Upload image       ## If you use the ip address, 443 will be displayed to reject the connection. This is caused by the mismatch between http and https. You can modify the configuration file later
 Refresh the website and find centos There is a mirror image under the project

[root@localhost harbor]# docker logout 127.0.0.1     ## Exit docker login docker logout + login IP

2.5 when other nodes want to log in and upload users

[root@localhost ~]#  docker login  -u admin -p Harbor12345 http://192.168.233.100
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.233.100/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

[root@localhost ~]#  vim /usr/lib/systemd/system/docker.service
 ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.233.100  --containerd=/run/containerd/containerd. Add in the sock ## 14 line -- secure registry 192.168.233.100. The address is the Harbor host address 
[root@localhost ~]#  systemctl daemon-reload     ## Restart daemon
[root@localhost ~]# systemctl restart docker     ## Restart docker  

[root@localhost ~]#  docker login  -u admin -p Harbor12345 http://192.168.233.100
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded    ## Login successful

2.6 downloading images from private warehouses

[root@localhost ~]# docker pull nginx
[root@localhost ~]# docker tag nginx:latest 192.168.233.100/centos/nginx:v1
[root@localhost ~]# docker push 192.168.233.100/centos/nginx:v1

[root@localhost ~]# docker pull  192.168.233.100/centos/centos:v1   ## Download Image from private warehouse
v1: Pulling from centos/centos
75f829a71a1c: Pull complete 
Digest: sha256:fe2347002c630d5d61bf2f28f21246ad1c21cc6fd343e70b4cf1e5102f8711a9
Status: Downloaded newer image for 192.168.233.100/centos/centos:v1
192.168.233.100/centos/centos:v1

  • Found that the number of downloads increased by 1

2.7 create a new member and add it to the project


2.9 startup and shutdown of arranged projects

docker-compose up -d       ## Start all orchestrated projects
docker-compose down -v     ## Close all choreographed items

Tags: Linux Operation & Maintenance Docker

Posted by sith717 on Sat, 14 May 2022 10:39:11 +0300