Quickly understand how to create a Harbor private registry

Abstract

The development and operation of Docker container applications depend on reliable image management. Although Docker officially provides a public image registry, deploying a Registry in our own private environment is also necessary for security and efficiency. Harbor is an enterprise-level Docker Registry management project open-sourced by VMware. It includes role-based access control (RBAC), LDAP, log auditing, a management interface, self-registration, image replication and Chinese language support.

1, Install Docker

1.1. Install dependency packages

[root@server1 yum.repos.d]# yum -y install yum-utils device-mapper-persistent-data lvm2

# yum-config-manager is provided by yum-utils
# The device mapper storage driver requires device-mapper-persistent-data and lvm2
# Device mapper is the generic device-mapping mechanism in the Linux 2.6 kernel that supports logical volume management; it provides a highly modular kernel architecture for implementing block device drivers for storage resource management

1.2. Set the Alibaba Cloud mirror repository and rebuild the yum metadata cache

[root@server1 yum.repos.d]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

[root@server1 yum.repos.d]# yum clean all

[root@server1 yum.repos.d]# yum makecache

1.3. Install Docker CE and set up the environment

[root@server1 yum.repos.d]# systemctl stop firewalld.service     # Stop the firewalld service
[root@server1 yum.repos.d]# setenforce 0     # Put SELinux into permissive mode until the next reboot
[root@server1 yum.repos.d]# yum -y install docker-ce
[root@server1 yum.repos.d]# systemctl start docker.service
[root@server1 yum.repos.d]# systemctl enable docker.service

1.4. Network optimization

[root@server1 yum.repos.d]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf     # Enable IP forwarding
[root@server1 yum.repos.d]# sysctl -p     # Apply the configuration
net.ipv4.ip_forward = 1
[root@server1 yum.repos.d]# systemctl restart network
[root@server1 yum.repos.d]# systemctl restart docker

1.5. Registry mirror acceleration (look up your own accelerator address in the Alibaba Cloud image acceleration service; for the specific steps, see the basic operations of Docker)

[root@server1 yum.repos.d]# tee /etc/docker/daemon.json <<-'EOF'
> {
> "registry-mirrors": ["https://......"]
> }
> EOF

[root@server1 yum.repos.d]# systemctl daemon-reload
[root@server1 yum.repos.d]# systemctl restart docker

2, Install Docker Compose

# Upload docker-compose to the /root directory

# Move docker-compose to /usr/local/bin
[root@server1 ~]# cp -p docker-compose /usr/local/bin/
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# mkdir compose

3, Install Harbor

3.1. Upload Harbor to the /root directory and extract it

[root@server1 ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local

3.2. Configure the Harbor parameter file

[root@server1 ~]# vim /usr/local/harbor/harbor.cfg
hostname = 20.0.0.10     # Line 5: set the hostname

3.3. Detailed explanation of harbor.cfg configuration file parameters

3.3.1 Required parameters

① hostname: used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine, for example 192.168.195.128 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname.

② ui_url_protocol: (http or https, the default is http) the protocol used to access the UI and the token / notification services. If Notary is enabled, this parameter must be https.

③ max_job_workers: the maximum number of image replication job workers.

④ db_password: the password of the root user of the MySQL database used for db_auth.

⑤ customize_crt: this property can be set to on or off. It is on by default. When it is on, the prepare script creates a private key and root certificate for generating / verifying registry tokens. Set this property to off when the key and root certificate are provided by an external source.

⑥ ssl_cert: the path of the SSL certificate, which is only applied when the protocol is set to https.

⑦ ssl_cert_key: the path of the SSL key, which is only applied when the protocol is set to https.

⑧ secretkey_path: the path of the key used to encrypt or decrypt the remote registry password in a replication policy.

3.3.2 Optional parameters

These parameters are optional: users can leave them at their default values and update them in the web UI after Harbor has started. If they are set in harbor.cfg, they only take effect the first time Harbor is started; later changes to these parameters in harbor.cfg are ignored.

Note: if you choose to set these parameters through the UI, make sure to do so immediately after starting Harbor. Specifically, the required auth_mode must be set before any new user is registered or created in Harbor. When there are users in the system (other than the default admin user), auth_mode cannot be modified. The specific parameters are as follows:

① Email: Harbor needs these parameters to send "password reset" emails to users; they are only needed when that function is required. Note that SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, SSL should be enabled by setting email_ssl = TRUE.

② harbor_admin_password: the initial password of the administrator. It only takes effect the first time Harbor is started. After that, this setting is ignored and the administrator's password should be set in the UI. Note that the default username / password is admin/Harbor12345.

③ auth_mode: the authentication type used. By default it is db_auth, that is, the credentials are stored in the database. For LDAP authentication, set it to ldap_auth.

④ self_registration: enables / disables the user self-registration function. When disabled, new users can only be created by the admin user; only administrator users can create new users in Harbor. Note: when auth_mode is set to ldap_auth, the self-registration function is always disabled and this flag is ignored.

⑤ token_expiration: the expiration time (in minutes) of tokens created by the token service. The default is 30 minutes.

⑥ project_creation_restriction: the flag that controls which users are authorized to create projects. By default, everyone can create a project. If its value is set to "adminonly", only admin can create projects.

⑦ verify_remote_cert: on or off. It is on by default. This flag determines whether Harbor verifies the SSL/TLS certificate when it communicates with a remote registry instance. Setting this property to off bypasses SSL/TLS certificate verification, which is often used when the remote instance has a self-signed or untrusted certificate.
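
The values above that weaken a deployment can be checked mechanically before ./install.sh is run. The following is an added example, not part of the original post or of Harbor: a shell audit of harbor.cfg that uses only the keys and the default password listed above. The helper names (cfg_get, flag, audit_harbor_cfg, sample_cfg) and the sample file are constructed for illustration.

```bash
# Added example, not Harbor code: flag risky values in a Harbor 1.x harbor.cfg.
# cfg_get, flag, audit_harbor_cfg and sample_cfg are hypothetical helper names.

# Print the last value assigned to key $2 in file $1 ("key = value" lines).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

flag() { echo "$1"; _bad=1; }

# Print one line per finding; return 1 if anything was flagged, 2 if unreadable.
audit_harbor_cfg() {
    _bad=0
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    [ "$(cfg_get "$1" ui_url_protocol)" = "https" ] ||
        flag "ui_url_protocol: not https, UI and token traffic is unencrypted"
    [ "$(cfg_get "$1" harbor_admin_password)" != "Harbor12345" ] ||
        flag "harbor_admin_password: still the documented default"
    [ "$(cfg_get "$1" self_registration)" != "on" ] ||
        [ "$(cfg_get "$1" auth_mode)" = "ldap_auth" ] ||
        flag "self_registration: on, users can create their own accounts"
    [ "$(cfg_get "$1" project_creation_restriction)" = "adminonly" ] ||
        flag "project_creation_restriction: every user can create projects"
    [ "$(cfg_get "$1" verify_remote_cert)" != "off" ] ||
        flag "verify_remote_cert: off, remote registry certificates unchecked"
    return "$_bad"
}

# Constructed sample, not a real deployment; the password is the page's default.
sample_cfg() {
    cat <<'EOF'
ui_url_protocol = http
auth_mode = db_auth
harbor_admin_password = Harbor12345
self_registration = on
project_creation_restriction = everyone
verify_remote_cert = on
EOF
}

# Audit the file given as $1, or the constructed sample when run without one.
if [ $# -gt 0 ]; then
    audit_harbor_cfg "$1"
else
    tmp=$(mktemp) && sample_cfg > "$tmp"
    audit_harbor_cfg "$tmp" || true
    rm -f "$tmp"
fi
```

Run it with the path to the real file, for example /usr/local/harbor/harbor.cfg; the exit status is 1 when anything is flagged, so it can gate the install step.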

3.4. Execute the installation script

[root@server1 ~]# cd /usr/local/harbor/
[root@server1 harbor]# ./install.sh
......
Note: stopping existing Harbor instance ...
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-db          ... done
Stopping registry           ... done
Stopping harbor-adminserver ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-db          ... done
Removing registry           ... done
Removing harbor-adminserver ... done
Removing harbor-log         ... done
Removing network harbor_harbor


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating harbor-db          ... done
Creating registry           ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://20.0.0.10. 
For more details, please visit https://github.com/vmware/harbor .

3.5. Log in at http://20.0.0.10 to view the Harbor registry

The default user name / password is admin/Harbor12345

 

Posted by amycrystal123 on Wed, 04 May 2022 15:30:25 +0300