Docker: the enterprise private registry Harbor
Official download: https://github.com/goharbor/harbor/releases
1. Installing and deploying Harbor
Before deploying, stop or remove any container (or host service) already bound to ports 80 and 443. Harbor's nginx proxy publishes both, and the install fails on a port conflict.
1.1 Unpacking Harbor
[root@lnmp0 docker]# ls
docker-compose-linux-x86_64-v2.5.0 harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# tar zxf harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# ls
docker-compose-linux-x86_64-v2.5.0 harbor harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# cd harbor/
[root@lnmp0 harbor]# ls
common.sh harbor.v2.5.0.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
1.2 Configuring Harbor
[root@lnmp0 harbor]# cp harbor.yml.tmpl harbor.yml ##copy a configuration file from the template
[root@lnmp0 harbor]# vim harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: reg.westos.org ##the registry's domain name; it must match the certificate's subjectAltName

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/certs/westos.org.crt ##the registry's certificate
  private_key: /data/certs/westos.org.key ##the registry's private key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: westos ##password for the admin account; it is only applied on the first install, so change it in the UI afterwards and do not leave this weak lab value in place
......
1.3 Creating the certificate directory referenced in the configuration
[root@lnmp0 harbor]# mkdir /data/
[root@lnmp0 harbor]# cd
[root@lnmp0 ~]# cp certs/ /data/ -r
[root@lnmp0 ~]# cd /data/
[root@lnmp0 data]# ls
certs
[root@lnmp0 data]# cd certs/
[root@lnmp0 certs]# ls
westos.org.crt westos.org.key
[root@lnmp0 certs]#
##The paths must match harbor.yml exactly or the certificate is not picked up. The certificate's subjectAltName must also cover the hostname (reg.westos.org): browsers and dockerd check the name against the SAN, not the CN.
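The page copies a ready-made westos.org.crt and westos.org.key from ~/certs without showing how they were produced. The following script is an added example, not part of the original page or of Harbor: it creates a private CA, issues the registry certificate with the hostname in the subjectAltName, and verifies the chain before the files are placed under /data/certs. The CA name "Westos Lab Root CA" and the output file names are assumptions; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the page or from Harbor: build a private CA and
# issue the registry certificate that harbor.yml points at. Needs openssl
# 1.1.1 or newer. The CA name "Westos Lab Root CA" is an assumption.
set -eu

# cert_san CERTFILE: print the DNS names in the certificate, one per line
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# make_registry_certs OUTDIR HOSTNAME
# Writes ca.key, ca.crt, westos.org.key and westos.org.crt into OUTDIR and
# fails if the issued certificate does not verify against the CA or lacks
# the hostname in its subjectAltName.
make_registry_certs() {
    outdir=$1
    host=$2
    mkdir -p "$outdir"

    # 1. Root CA. The extension file is explicit so the result does not depend
    #    on the distro's openssl.cnf: a v3 cert without CA:TRUE is not a CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Westos Lab Root CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$outdir/ca.ext"
    openssl x509 -req -days 3650 -in "$outdir/ca.csr" -signkey "$outdir/ca.key" \
        -extfile "$outdir/ca.ext" -out "$outdir/ca.crt" 2>/dev/null

    # 2. Registry key and CSR. The CN alone is ignored by modern TLS clients
    #    (dockerd included); the name must appear in subjectAltName below.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$outdir/westos.org.key" -out "$outdir/westos.org.csr" 2>/dev/null

    # 3. Issue the server certificate from the CA.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
        > "$outdir/server.ext"
    openssl x509 -req -days 825 -in "$outdir/westos.org.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/server.ext" -out "$outdir/westos.org.crt" 2>/dev/null

    # 4. Clean up and lock down the private keys; only nginx inside Harbor
    #    needs westos.org.key, and ca.key should never leave this host.
    rm -f "$outdir"/*.csr "$outdir"/*.ext "$outdir/ca.srl"
    chmod 600 "$outdir/ca.key" "$outdir/westos.org.key"

    # 5. Verify the chain and the SAN before pointing harbor.yml at the files.
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/westos.org.crt" >/dev/null
    cert_san "$outdir/westos.org.crt" | grep -qx "$host"
}
```

On the Harbor host call make_registry_certs /data/certs reg.westos.org. The resulting ca.crt is what clients need under /etc/docker/certs.d/reg.westos.org/ (section 2.2) and, for Notary in section 4, under ~/.docker/tls/reg.westos.org:4443/; ca.key stays on the host.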
1.4 Installing the docker-compose dependency
[root@lnmp0 ~]# cd docker/
[root@lnmp0 docker]# ls
docker-compose-linux-x86_64-v2.5.0 harbor harbor-offline-installer-v2.5.0.tgz
[root@lnmp0 docker]# mv docker-compose-linux-x86_64-v2.5.0 /usr/local/bin/docker-compose
[root@lnmp0 docker]# chmod +x /usr/local/bin/docker-compose
[root@lnmp0 docker]# which docker-compose
/usr/local/bin/docker-compose
##docker-compose-linux-x86_64-v2.5.0 is a single static binary: move it to /usr/local/bin and make it executable. Compare its checksum with the one published alongside the release before doing so.
1.5 Installing Harbor
[root@lnmp0 docker]# cd harbor/
[root@lnmp0 harbor]# ./install.sh ##run Harbor's install script
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.17
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.5.0
[Step 2]: loading Harbor images ...
.......
.......
⠿ Container harbor-core Started 2.2s
⠿ Container harbor-jobservice Started 3.2s
⠿ Container nginx Started 3.2s
✔ ----Harbor has been installed and started successfully.----
1.6 After installation, open https://reg.westos.org (the hostname from harbor.yml) in a browser and log in as admin with the harbor_admin_password value. Browsing to the bare host IP also works but does not match the certificate, so the browser warns; in either case the browser must trust the CA that issued westos.org.crt to avoid warnings.
2. Using the Harbor registry
2.1 Pushing an image to Harbor
Pushing requires an authenticated session, so run docker login reg.westos.org first (admin with the password from harbor.yml, or any project member with push rights). The library project exists by default.
[root@lnmp0 harbor]# docker tag nginx:latest reg.westos.org/library/nginx:latest ##retag the image with the registry hostname and project
[root@lnmp0 harbor]# docker push reg.westos.org/library/nginx ##push the image
Using default tag: latest
The push refers to repository [reg.westos.org/library/nginx]
33e3df466e11: Pushed
747b7a567071: Pushed
57d3fc88cb3f: Pushed
53ae81198b64: Pushed
58354abe5f0e: Pushed
ad6562704f37: Pushed
latest: digest: sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 size: 1570
2.1.1 Viewing the image in the Harbor UI
2.2 Simulating a client pulling an image
2.2.1 Installing Docker on a fresh client host
Step 1
From the server, where Docker is already installed, copy the files the client needs
[root@lnmp0 harbor]# cd /etc/yum.repos.d/
[root@lnmp0 yum.repos.d]# ls
CentOS-Base.repo docker-ce.repo dvd.repo redhat.repo
[root@lnmp0 yum.repos.d]# scp CentOS-Base.repo docker-ce.repo 192.168.2.101:/etc/yum.repos.d/ ##copy the repository definitions the client needs
The authenticity of host '192.168.2.101 (192.168.2.101)' can't be established.
ECDSA key fingerprint is SHA256:oxRnSm4XrBlUdoFCUSi1NBOeYPPBORULxDng7a3I9FU.
ECDSA key fingerprint is MD5:5b:9c:8a:6b:86:b9:3a:0f:fe:89:02:a0:f3:e2:b6:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.101' (ECDSA) to the list of known hosts.
root@192.168.2.101's password:
CentOS-Base.repo 100% 949 896.9KB/s 00:00
docker-ce.repo 100% 151 198.1KB/s 00:00
Step 2
On the client, install and start docker-ce
[root@lnmp1 ~]# cd /etc/yum.repos.d/
[root@lnmp1 yum.repos.d]# ls
CentOS-Base.repo docker-ce.repo dvd.repo redhat.repo
[root@lnmp1 yum.repos.d]# yum repolist ##refresh the repository list
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
base | 3.6 kB 00:00:00
docker-ce-stable | 3.5 kB 00:00:00
file:///media/repodata/repomd.xml: [Errno 14] curl#37 - "Couldn't open file /media/repodata/repomd.xml"
Trying other mirror.
extras | 2.9 kB 00:00:00
.......
[root@lnmp1 yum.repos.d]# yum install docker-ce -y ##install docker-ce
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
file:///media/repodata/repomd.xml: [Errno 14] curl#37 - "Couldn't open file /media/repodata/repomd.xml"
Trying other mirror.
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 3:20.10.17-3.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Processing Dependency: containerd.io >= 1.4.1 for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Processing Dependency: docker-ce-cli for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Processing Dependency: docker-ce-rootless-extras for package: 3:docker-ce-20.10.17-3.el7.x86_64
--> Running transaction check
.........
Step 3
A pull at this point would fail not for lack of a user account but because the client does not trust the CA that issued the registry certificate (x509: certificate signed by unknown authority), so the server's CA file under /etc/docker/certs.d must be copied to the client as well. A pull that went through registry-mirrors would not even error: dockerd silently falls back to Docker Hub when the mirror fails.
[root@lnmp0 docker]# scp -r certs.d/ 192.168.2.101:/etc/docker/ ##the CA certificate the client's dockerd must trust
root@192.168.2.101's password:
redhat-entitlement-authority.crt 100% 2626 1.5MB/s 00:00
ca.crt 100% 2159 5.3MB/s 00:00
[root@lnmp0 docker]# scp /etc/docker/daemon.json 192.168.2.101:/etc/docker/ ##registry mirror configuration
root@192.168.2.101's password:
daemon.json 100% 65 136.0KB/s 00:00
Step 4
On the client, add a hosts entry for the server and edit the mirror configuration
[root@lnmp1 yum.repos.d]# vim /etc/hosts
[root@lnmp1 yum.repos.d]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.100 lnmp0 reg.westos.org ##map the registry hostname to the server
[root@lnmp1 yum.repos.d]# cd
[root@lnmp1 ~]# cd /etc/docker/
[root@lnmp1 docker]# ls
certs.d daemon.json key.json
[root@lnmp1 docker]# vim daemon.json
[root@lnmp1 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.westos.org"] ##point the mirror at the server's hostname; it must match the /etc/hosts entry and the directory name under certs.d
}
[root@lnmp1 docker]# systemctl restart docker.service ##restart dockerd so it reloads daemon.json and certs.d
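Steps 1 to 4 leave three things that must agree with each other: the hostname in registry-mirrors, the /etc/hosts entry, and the directory name under /etc/docker/certs.d. The script below is an added example (not from the page) that checks all three on the client and also rejects a plaintext http:// mirror. Paths are parameters so it can run against the constructed sample tree built by build_sample; on a real client call it as check_registry_client /etc/docker /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the page: pre-flight check for the client-side
# registry setup (steps 1 to 4). Directory and hosts-file paths are arguments
# so the check can run against the constructed tree from build_sample.

# mirror_url DAEMON_JSON: print the first registry-mirrors URL, or nothing
mirror_url() {
    tr -d ' \n\t' < "$1" \
        | grep -o '"registry-mirrors":\["[^"]*"' \
        | sed 's/.*\["//; s/"$//'
}

# check_registry_client DOCKER_DIR HOSTS_FILE
# Returns 0 only when the mirror is https, its hostname has a hosts entry
# and a CA file exists under DOCKER_DIR/certs.d/<host[:port]>/ca.crt.
check_registry_client() {
    docker_dir=$1
    hosts=$2
    url=$(mirror_url "$docker_dir/daemon.json")
    if [ -z "$url" ]; then
        echo "no registry-mirrors entry in $docker_dir/daemon.json"; return 1
    fi
    case "$url" in
        https://*) ;;
        *) echo "mirror $url is not https; pulls would be unauthenticated plaintext"; return 1 ;;
    esac
    hostport=${url#https://}
    hostport=${hostport%%/*}      # certs.d is keyed by host[:port]
    name=${hostport%%:*}          # /etc/hosts only knows the bare name
    if ! grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$hosts"; then
        echo "$name has no entry in $hosts"; return 1
    fi
    if [ ! -f "$docker_dir/certs.d/$hostport/ca.crt" ]; then
        echo "missing $docker_dir/certs.d/$hostport/ca.crt: dockerd would reject the certificate"; return 1
    fi
    echo "ok: $url resolves via $hosts and has a CA under certs.d/$hostport"
}

# build_sample ROOT: constructed copy of the client state from step 4
build_sample() {
    mkdir -p "$1/docker/certs.d/reg.westos.org"
    printf '{\n  "registry-mirrors": ["https://reg.westos.org"]\n}\n' > "$1/docker/daemon.json"
    printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE\n' > "$1/docker/certs.d/reg.westos.org/ca.crt"
    printf '127.0.0.1 localhost\n192.168.2.100 lnmp0 reg.westos.org\n' > "$1/hosts"
}
```

The check deliberately refuses an http:// mirror rather than warning about it: with a plaintext mirror, anyone on the path can substitute image layers, and nothing on the client would notice.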
2.3 Testing an image pull from the client
[root@lnmp1 docker]# systemctl restart docker.service
[root@lnmp1 docker]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
42c077c10790: Pull complete
62c70f376f6a: Pull complete
915cc9bd79c2: Pull complete
75a963e94de0: Pull complete
7b1fab684d70: Pull complete
db24d06d5af4: Pull complete
Digest: sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
2.4 Checking Harbor for a record of the client's pull
The Logs page in Harbor records the pull from the client, which is the evidence that the image was served by Harbor rather than by Docker Hub. Two further checks: the digest the client printed (sha256:25dedae0...) is the same one printed at push time in 2.1, and the image is still named docker.io/library/nginx because registry-mirrors changes where dockerd fetches from, not how the image is named. Note that if the mirror cannot serve a request, dockerd silently falls back to Docker Hub, so a successful pull by itself does not prove the image came from Harbor.
3. Using docker-compose
docker-compose ps ##list the Harbor containers and their state
docker-compose restart ##restart the registry's containers
docker-compose reads docker-compose.yml from the current directory, so these commands only work inside the harbor directory where install.sh generated that file (or with -f pointing at it); elsewhere they fail as shown below.
[root@lnmp0 docker]# docker-compose ps
no configuration file provided: not found
[root@lnmp0 docker]# cd harbor/
[root@lnmp0 harbor]# docker-compose ps
NAME COMMAND SERVICE STATUS PORTS
harbor-core "/harbor/entrypoint.…" core running (healthy)
harbor-db "/docker-entrypoint.…" postgresql running (healthy)
harbor-jobservice "/harbor/entrypoint.…" jobservice running (healthy)
harbor-log "/bin/sh -c /usr/loc…" log running (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal "nginx -g 'daemon of…" portal running (healthy)
nginx "nginx -g 'daemon of…" proxy running (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp, :::80->8080/tcp, :::443->8443/tcp
redis "redis-server /etc/r…" redis running (healthy)
registry "/home/harbor/entryp…" registry running (healthy)
registryctl "/home/harbor/start.…" registryctl running (healthy)
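The ps output above doubles as a quick exposure audit: only the nginx proxy should publish ports on 0.0.0.0 and ::, harbor-log binds to 127.0.0.1 only, and the database, redis and registry publish nothing, which is what keeps them unreachable from other hosts. The awk-based script below is an added example (not from the page or from Harbor) that extracts every non-loopback port binding from saved docker-compose ps output; the file it builds with sample_ps is a constructed copy of the listing above. Any name other than nginx in its output means a service has been exposed that should not be.

```shell
#!/bin/sh
# Added example, not from the page: audit saved `docker-compose ps` output for
# containers publishing ports on non-loopback addresses. In a stock Harbor
# deployment only the nginx proxy should appear; harbor-log binds 127.0.0.1
# and the database, redis and registry publish nothing.

# externally_published PSFILE: print "NAME BINDING" for every published port
# whose address is not loopback (127.x.x.x or [::1]).
externally_published() {
    awk 'NR > 1 {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /->/ && $i !~ /^127\./ && $i !~ /^\[?::1\]?:/) {
                sub(/,$/, "", $i)      # bindings are comma separated
                print $1, $i
            }
        }
    }' "$1"
}

# externally_exposed_names PSFILE: the distinct container names, one per line
externally_exposed_names() {
    externally_published "$1" | awk '!seen[$1]++ { print $1 }'
}

# sample_ps FILE: constructed copy of the page's `docker-compose ps` output
sample_ps() {
    cat > "$1" <<'EOF'
NAME                COMMAND                  SERVICE      STATUS              PORTS
harbor-core         "/harbor/entrypoint.…"   core         running (healthy)
harbor-db           "/docker-entrypoint.…"   postgresql   running (healthy)
harbor-jobservice   "/harbor/entrypoint.…"   jobservice   running (healthy)
harbor-log          "/bin/sh -c /usr/loc…"   log          running (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       "nginx -g 'daemon of…"   portal       running (healthy)
nginx               "nginx -g 'daemon of…"   proxy        running (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp, :::80->8080/tcp, :::443->8443/tcp
redis               "redis-server /etc/r…"   redis        running (healthy)
registry            "/home/harbor/entryp…"   registry     running (healthy)
registryctl         "/home/harbor/start.…"   registryctl  running (healthy)
EOF
}
```

On a live host, run docker-compose ps > /tmp/ps.txt inside the harbor directory and feed that file to externally_exposed_names; anything beyond nginx points at an edited docker-compose.yml and needs either the published port removed or a host firewall rule in front of it.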
3.1 Enabling optional Harbor components
[root@lnmp0 harbor]# ./install.sh --help ##list the optional components the installer can enable
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@lnmp0 harbor]# ./install.sh --with-notary --with-trivy --with-chartmuseum ##re-run the installer with the options; it regenerates the compose file and recreates the containers, and the data under /data is kept
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.17
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.5.0
.........
⠿ Container nginx Started 4.1s
✔ ----Harbor has been installed and started successfully.----
3.2 Viewing the newly enabled components in Harbor (log in again to see them)
4. Deploying image signing
4.1 Installing the CA certificate for the Notary server
[root@lnmp0 ~]# mkdir -p ~/.docker/tls/reg.westos.org:4443/
[root@lnmp0 ~]# cp /etc/docker/certs.d/reg.westos.org/ca.crt ~/.docker/tls/reg.westos.org:4443/
4.2 Enabling Docker Content Trust
[root@lnmp0 harbor]# export DOCKER_CONTENT_TRUST=1 ##turn on content trust in this shell
[root@lnmp0 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443 ##the Notary server and port the client signs against
4.3 Pushing a signed image
With both variables set, docker push signs the tag after uploading it. The first signed push generates a root key and a repository key under ~/.docker/trust/private and prompts for a passphrase for each; back up the root key offline, since it is needed to initialise trust for every new repository. The exports only affect the current shell, and with DOCKER_CONTENT_TRUST=1 the same client refuses to pull any tag that carries no valid signature.
[root@lnmp0 ~]# docker tag centos:latest reg.westos.org/library/centos:latest
[root@lnmp0 ~]# docker push reg.westos.org/library/centos:latest
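Steps 4.1 to 4.3 depend on a naming rule the page does not state: the Docker client looks for the Notary server's CA under ~/.docker/tls/<host:port>/ca.crt, where <host:port> is taken from DOCKER_CONTENT_TRUST_SERVER, so the directory name and the URL must match exactly (reg.westos.org:4443 here) or the signed push fails with a certificate error. The functions below are an added example (not from the page or from Docker) that derive that directory from the URL, copy the CA into place and print the exports for the session; DOCKER_HOME is a parameter standing in for $HOME so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the page: put the Notary CA where the Docker client
# expects it, derived from DOCKER_CONTENT_TRUST_SERVER. The directory name is
# the host[:port] part of the URL (reg.westos.org:4443 for
# https://reg.westos.org:4443). DOCKER_HOME stands in for $HOME.

# dct_trust_dir SERVER_URL DOCKER_HOME: print the tls directory for the server
dct_trust_dir() {
    hostport=${1#*://}          # strip the scheme
    hostport=${hostport%%/*}    # strip any trailing path or slash
    printf '%s/.docker/tls/%s\n' "$2" "$hostport"
}

# install_dct_ca SERVER_URL CA_FILE DOCKER_HOME: copy the CA into place and
# print the exports needed to sign pushes in the current shell session
install_dct_ca() {
    dir=$(dct_trust_dir "$1" "$3")
    mkdir -p "$dir" || return 1
    cp "$2" "$dir/ca.crt" || return 1
    chmod 644 "$dir/ca.crt"
    printf 'export DOCKER_CONTENT_TRUST=1\nexport DOCKER_CONTENT_TRUST_SERVER=%s\n' "$1"
}
```

Usage on the Harbor host from 4.1: eval "$(install_dct_ca https://reg.westos.org:4443 /etc/docker/certs.d/reg.westos.org/ca.crt "$HOME")", which creates ~/.docker/tls/reg.westos.org:4443/ca.crt and sets both variables for the session.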
4.4 Revoking a signature
[root@lnmp0 ~]# docker trust revoke reg.westos.org/library/nginx:latest
docker trust revoke removes the signature for that tag from Notary, after which trust-enabled clients can no longer pull it. It only applies to a tag that was signed: nginx:latest was pushed in 2.1 before content trust was enabled, so in this walkthrough the signed tag is reg.westos.org/library/centos:latest from 4.3.
5. Docker registry subcommands
docker search ##search for images
docker pull ##pull an image
docker push ##push an image
docker login ##log in to a registry; without a credential helper the credentials are stored base64-encoded, not encrypted, in ~/.docker/config.json
docker logout ##log out of a registry and remove the stored credentials