Deploying a Harbor Enterprise Image Registry (On-Premises)

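Overview:

Docker's official registry is where public images are managed: anyone can find the images they need there and push their own. Sometimes, however, a server cannot reach the Internet, or you do not want your images on the Internet, and then you need a private Docker Registry to store and manage your own images. Our company recently packaged all of its projects as images and needed a private registry service. After several rounds of discussion we chose Docker Harbor: it has a visual web management interface that makes Docker image operations simple and convenient, and it provides per-project image permission management and access control.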

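Harbor architecture components

  1. Proxy: Harbor's Registry, UI, token and other services sit behind a front-end reverse proxy, which receives all requests from browsers and Docker clients and forwards them to the appropriate back-end service.
  2. Registry: stores Docker images and handles Docker push/pull commands. Because access must be controlled per user (different users have different read/write permissions on Docker images), the Registry points to a token service and forces every Docker pull/push request to carry a valid token. The Registry validates each token using the public key.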
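
The token handshake described in item 2, walked through offline as an added example (not code from the original post or from the Harbor project). The challenge header, issuer, user and token are constructed sample values, the function names are hypothetical, and the signature check the Registry performs with its public key is not reproduced here.

```bash
#!/usr/bin/env bash
# Added example; every host, header, user and token value below is constructed.

# Step 1: an unauthenticated "GET /v2/" gets a 401 carrying this challenge.
CHALLENGE='Bearer realm="http://192.168.50.66/service/token",service="harbor-registry"'

# Pull one key="value" parameter out of the Www-Authenticate challenge.
auth_param() {  # usage: auth_param <challenge> <key>
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Step 2: URL the client calls (with its credentials) to request a scoped token.
token_url() {  # usage: token_url <challenge> <scope>
  local realm service
  realm=$(auth_param "$1" realm)
  service=$(auth_param "$1" service)
  [ -n "$realm" ] && [ -n "$service" ] || return 1
  printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$2"
}

b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Step 3: the token service answers with a JWT; build a sample (dummy signature).
CLAIMS='{"iss":"harbor-token-issuer","sub":"asd","aud":"harbor-registry","access":[{"type":"repository","name":"cccoooo/cirros","actions":["pull"]}]}'
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' "$CLAIMS" | b64url).ZHVtbXk"

# The payload is base64url-encoded JSON, readable by anyone who sees the token.
jwt_payload() {  # usage: jwt_payload <jwt>
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Step 4: after checking the signature (not done here), the Registry allows the
# request only if the access claim lists the action for that repository.
token_allows() {  # usage: token_allows <jwt> <repository> <action>
  jwt_payload "$1" | grep -q "\"name\":\"$2\",\"actions\":\[[^]]*\"$3\""
}

token_url "$CHALLENGE" "repository:cccoooo/cirros:pull"
jwt_payload "$SAMPLE_JWT"; echo
token_allows "$SAMPLE_JWT" cccoooo/cirros push || echo "push denied: not in token scope"
```

Because the payload is only encoded, a token captured on a plain-HTTP link exposes the user name and granted scope and can be replayed until it expires.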

Environment:

Two hosts:

192.168.50.66 master (server)

192.168.50.53 lbin-nfs (client)

Perform the same steps on both hosts

Disable the firewall and SELinux enforcement

```
[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
```

Change the hostname

```
[root@localhost ~]# hostname master
[root@localhost ~]# bash
```

Create a directory for the Docker RPM packages

```
[root@master ~]# mkdir docker
```

Import the docker-ce packages

```
[root@master docker]# ll
总用量 97596
-rw-r--r--. 1 root root 30374084 9月 18 2020 containerd.io-1.3.7-3.1.el7.x86_64.rpm
-rw-r--r--. 1 root root    40816 7月 6 2020 container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
-rw-r--r--. 1 root root   302564 5月 14 2020 device-mapper-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   195448 5月 14 2020 device-mapper-event-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   195004 5月 14 2020 device-mapper-event-libs-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   331908 5月 14 2020 device-mapper-libs-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   432624 4月 4 2020 device-mapper-persistent-data-0.8.5-2.el7.x86_64.rpm
-rw-r--r--. 1 root root 25268380 9月 18 2020 docker-ce-19.03.13-3.el7.x86_64.rpm
-rw-r--r--. 1 root root 40247476 10月 9 2020 docker-ce-cli-19.03.13-3.el7.x86_64.rpm
-rw-r--r--. 1 root root  1384208 5月 14 2020 lvm2-2.02.186-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root  1143916 5月 14 2020 lvm2-libs-2.02.186-7.el7_8.2.x86_64.rpm
[root@localhost docker]# yum -y install *.rpm
[root@localhost docker]# cd
```

Start Docker and enable it at boot

```
[root@localhost ~]# systemctl start docker
[root@localhost ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
```

Configure the Alibaba Cloud registry mirror

```
[root@localhost ~]# cat << END > /etc/docker/daemon.json
> {
> "registry-mirrors":[ "https://nyakyfun.mirror.aliyuncs.com" ]
> }
> END
```

Restart the service

```
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
```

Get the Docker Compose tool.

```
[root@localhost ~]# rz
[root@localhost ~]# mv docker-compose /usr/bin
[root@localhost ~]# chmod +x /usr/bin/docker-compose
[root@localhost ~]# docker-compose --version
docker-compose version 1.21.1, build 5a3f1a3
```

Harbor configuration (server)

```
[root@master ~]# tar xf harbor-offline-installer-v1.6.1.tgz
[root@master ~]# cd harbor
[root@master harbor]# tree
bash: tree: 未找到命令
[root@master harbor]# yum -y install tree
[root@master harbor]# tree ha
ha
├── docker-compose.clair.tpl
├── docker-compose.clair.yml
├── docker-compose.tpl
├── docker-compose.yml
├── initial-registry.sql
└── sample
    ├── active_active
    │   ├── check.sh
    │   └── keepalived_active_active.conf
    └── active_standby
        ├── check_harbor.sh
        └── keepalived_active_standby.conf
```

Edit harbor.cfg, set the hostname on line 7 of the file, then run the installer:

```
[root@master ]# vim /root/harbor/harbor.cfg
hostname = 192.168.50.66
[root@master harbor]# sh install.sh
```

If the installer reports an error, modify the following file:

```
[root@master harbor]# cat ha/initial-registry.sql
CREATE DATABASE IF NOT EXISTS `registry` CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';
```

Success

Check the status

```
[root@master harbor]# docker-compose ps
       Name                     Command                  State                                    Ports
----------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
```

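Access from a browser

If everything is working, you should be able to open the management page at 192.168.50.66 in a browser. The default administrator username and password are admin/Harbor12345.

Create a new project

  1. After logging in with the username and password, you can create a new project. Click the "+ Project" button.

Click the "OK" button; the project is created.

You can now use Docker commands on the Harbor host itself to log in and push images via 127.0.0.1. By default, the Registry server listens on port 80.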

Log in to Harbor

```
[root@master harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Pull an image for testing

```
[root@master harbor]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
```

Tag the image

```
[root@master harbor]# docker tag cirros 127.0.0.1/cccoooo/cirros:v1
```

Push to Harbor

```
[root@master harbor]# docker push 127.0.0.1/cccoooo/cirros:v1
The push refers to repository [127.0.0.1/cccoooo/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
v1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
```

Check that the image is there

```
[root@master harbor]# docker images
REPOSITORY                 TAG   IMAGE ID       CREATED       SIZE
127.0.0.1/cccoooo/cirros   v1    f9cae1daf5f6   2 years ago   12.6MB
```

Refresh the page to check

Pushing an image from the client

Modify the configuration file (the ExecStart entry is on line 14 of the file)

```
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.50.66
```

Restart the service

```
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
```

Log in

Method 1

```
[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 http://192.168.50.66
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Method 2

```
[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 192.168.50.66
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```
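
At this point the deployment still has the default admin password, a plain-HTTP endpoint, an --insecure-registry flag on the client daemon and a base64-encoded password in /root/.docker/config.json. The audit script below is an added example (not part of the original post or of Harbor); the function names are hypothetical, the file paths are passed in by the caller, and `harbor_admin_password` and `ui_url_protocol` are the keys from the harbor.cfg shipped with Harbor 1.x.

```bash
#!/usr/bin/env bash
# Added example: checks for the insecure settings this walkthrough leaves behind.

# harbor.cfg (server): default admin password and plain-HTTP endpoint.
audit_harbor_cfg() {  # usage: audit_harbor_cfg <harbor.cfg>
  local rc=0
  if grep -Eq '^[[:space:]]*harbor_admin_password[[:space:]]*=[[:space:]]*Harbor12345[[:space:]]*$' "$1"; then
    echo "FAIL $1: default admin password Harbor12345 is still set"; rc=1
  fi
  if grep -Eq '^[[:space:]]*ui_url_protocol[[:space:]]*=[[:space:]]*http[[:space:]]*$' "$1"; then
    echo "FAIL $1: ui_url_protocol = http, logins and tokens travel in clear text"; rc=1
  fi
  return $rc
}

# docker.service or daemon.json (client): registries accepted without TLS.
# The file is flattened first so a multi-line JSON array is still detected.
audit_insecure_registry() {  # usage: audit_insecure_registry <file>
  if tr -d '\n' < "$1" | grep -Eq -e '--insecure-registry' \
       -e '"insecure-registries"[[:space:]]*:[[:space:]]*\[[[:space:]]*"'; then
    echo "FAIL $1: daemon trusts a registry over plain HTTP"; return 1
  fi
}

# ~/.docker/config.json (client): base64 "auth" entry and no credential helper.
audit_docker_creds() {  # usage: audit_docker_creds <config.json>
  grep -q '"credsStore"' "$1" && return 0
  if grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[A-Za-z0-9+/=]+"' "$1"; then
    echo "FAIL $1: registry password stored base64-encoded, not encrypted"; return 1
  fi
}

# Demo on constructed files that mirror the settings used on this page.
demo() {
  local d n=0; d=$(mktemp -d)
  printf 'hostname = 192.168.50.66\nui_url_protocol = http\nharbor_admin_password = Harbor12345\n' > "$d/harbor.cfg"
  printf 'ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.50.66\n' > "$d/docker.service"
  printf '{"auths":{"192.168.50.66":{"auth":"%s"}}}\n' "$(printf 'admin:Harbor12345' | base64)" > "$d/config.json"
  audit_harbor_cfg "$d/harbor.cfg" || n=$((n+1))
  audit_insecure_registry "$d/docker.service" || n=$((n+1))
  audit_docker_creds "$d/config.json" || n=$((n+1))
  rm -rf "$d"; echo "$n of 3 checks failed"
}
demo
```

On a real host, point the three functions at /root/harbor/harbor.cfg, /usr/lib/systemd/system/docker.service (and /etc/docker/daemon.json), and /root/.docker/config.json.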

Pull an image for testing

```
[root@lbin-nfs ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
```

Tag the image

```
[root@lbin-nfs ~]# docker tag cirros 192.168.50.66/cccoooo/cirros:v22
```

Push

```
[root@lbin-nfs ~]# docker push 192.168.50.66/cccoooo/cirros:v22
The push refers to repository [192.168.50.66/cccoooo/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
v22: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
```

Check in the browser

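Day-to-day Harbor administration

When clicking "+ Project", fill in the project name according to your naming convention. Project level: a private project is one where the box is left unchecked (checking it makes the project "public"). If a project is set as a public repository, everyone has read permission on the images in it, images can be pulled from the command line without running "docker login", and image operations work the same as with Docker Hub.

Create a user

Set permissions

First log out the current user, then log in with the account created above.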

Log out

```
[root@lbin-nfs ~]# docker logout 192.168.50.66
Removing login credentials for 192.168.50.66
```

Log in

```
[root@lbin-nfs ~]# docker login 192.168.50.66
Username: asd
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Pull the v1 image

```
[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1
Error response from daemon: pull access denied for 192.168.50.66/cccoooo/cirros, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1
v1: Pulling from cccoooo/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for 192.168.50.66/cccoooo/cirros:v1
192.168.50.66/cccoooo/cirros:v1
```

Check

```
[root@lbin-nfs ~]# docker images
REPOSITORY                     TAG       IMAGE ID       CREATED         SIZE
postgres                       latest    07e2ee723e2d   19 months ago   374MB
mysql                          5.6       dd3b2a5dcb48   19 months ago   303MB
redis                          alpine    3900abf41552   20 months ago   32.4MB
192.168.50.66/cccoooo/cirros   v1        f9cae1daf5f6   2 years ago     12.6MB
```

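View the logs

Managing Harbor

You can use docker-compose to manage Harbor. Some useful commands are shown below (they must be run in the same directory as docker-compose.yml).

Stop/start/restart Harbor

```
[root@master harbor]# docker-compose stop | start | restart
```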
