Harbor
Harbor概述
Harbor是一个开源的容器镜像仓库管理系统,具有丰富的安全和管理功能。它可以在企业环境中搭建私有仓库,并提供可信度、多租户支持、定制性等特点。
官网:https://goharbor.io/
GitHub:https://github.com/goharbor/harbor
Harbor旨在提供企业级的镜像管理解决方案,具有以下特点和功能:
安全性:
Harbor提供了一套丰富的安全性功能,包括用户身份验证和授权、镜像签名验证、访问控制、漏洞扫描等。这可以帮助你保护你的镜像免受恶意攻击和漏洞利用。
可信度:
Harbor支持对镜像进行数字签名和验证,确保其完整性和来源可信。你可以使用自定义或第三方证书来签名和验证镜像的真实性。
多租户支持:
Harbor支持多个项目和多个仓库,可以根据不同的组织、团队或项目来进行分组和管理。每个项目都可以有自己的用户权限和访问控制策略。
可定制性:
Harbor提供了灵活的配置选项和扩展机制,可以根据你的需求进行自定义设置。你可以调整存储、网络和认证等配置,以适应不同的环境和需求。
高性能:
Harbor使用了缓存和复制策略来提高镜像的访问速度和可用性。它支持多个镜像存储后端,包括本地存储、S3存储等。
用户友好的界面:
Harbor提供了直观且易于使用的Web界面,可以方便地管理镜像、项目、用户和访问权限等。
安装Harbor
下载Harbor的二进制文件进行安装,Harbor安装与配置参考:
https://goharbor.io/docs/2.9.0/install-config/
下载离线安装包
bash
wget https://github.com/goharbor/harbor/releases/download/v2.7.3/harbor-offline-installer-v2.7.3.tgz解压安装包
bash
tar -zxvf harbor-offline-installer-v2.7.3.tgz
bash
[root@master harbor]# ls
common.sh harbor.v2.7.3.tar.gz harbor.yml.tmpl install.sh LICENSE prepare进入Harbor目录
bash
cd harbor配置 Harbor
bash
cp harbor.yml.tmpl harbor.ymlvim harbor.yml
bash
# 当前节点主机名或IP
hostname: 112.74.96.150
# http端口配置
http:
port: 8080
# 这里不使用https,注释该配置
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# Harbor UI的初始密码
harbor_admin_password: Harbor12345
# The default data volume
data_volume: /usr/local/program/harbor/data运行安装程序脚本
当配置harbor.yml完成后,可以使用install.sh脚本安装并启动 Harbor
bash
./install.sh安装成功,将输出如下日志:
bash
[Step 5]: starting Harbor ...
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.1s
✔ Container registryctl Started 0.2s
✔ Container harbor-db Started 0.1s
✔ Container redis Started 0.1s
✔ Container registry Started 0.1s
✔ Container harbor-portal Started 0.2s
✔ Container harbor-core Started 0.1s
✔ Container harbor-jobservice Started 0.1s
✔ Container nginx Started 0.1s
✔ ----Harbor has been installed and started successfully.----查看docker镜像,将出现与hardor相关的的镜像列表
bash
[root@master harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
62343618f630 goharbor/nginx-photon:v2.7.3 "nginx -g 'daemon of..." About a minute ago Up About a minute (healthy) 0.0.0.0:8080->8080/tcp nginx
a39ecd6eddf1 goharbor/harbor-jobservice:v2.7.3 "/harbor/entrypoint...." About a minute ago Up About a minute (healthy) harbor-jobservice
f0c1a4957d04 goharbor/harbor-core:v2.7.3 "/harbor/entrypoint...." About a minute ago Up About a minute (healthy) harbor-core
f64062148ccf goharbor/harbor-registryctl:v2.7.3 "/home/harbor/start...." About a minute ago Up About a minute (healthy) registryctl
6fc3d92cc65f goharbor/harbor-db:v2.7.3 "/docker-entrypoint...." About a minute ago Up About a minute (healthy) harbor-db
fc9917cad78e goharbor/harbor-portal:v2.7.3 "nginx -g 'daemon of..." About a minute ago Up About a minute (healthy) harbor-portal
8622fab2670f goharbor/registry-photon:v2.7.3 "/home/harbor/entryp..." About a minute ago Up About a minute (healthy) registry
27e3ba43f9f8 goharbor/redis-photon:v2.7.3 "redis-server /etc/r..." About a minute ago Up About a minute (healthy) redis
feef079dcbd4 goharbor/harbor-log:v2.7.3 "/bin/sh -c /usr/loc..." About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log登录
浏览器访问 http://IP:8080 
使用用户名:admin、配置的密码:Harbor12345进行登录 
启动与停止Harbor
停止Harbor
bash
[root@master harbor]# docker-compose stop
[+] Running 9/9
⠿ Container harbor-jobservice Stopped 0.0s
⠿ Container nginx Stopped 0.0s
⠿ Container registryctl Stopped 10.2s
⠿ Container harbor-portal Stopped 0.3s
⠿ Container harbor-core Stopped 0.0s
⠿ Container harbor-db Stopped 0.4s
⠿ Container registry Stopped 0.2s
⠿ Container redis Stopped 0.5s
⠿ Container harbor-log Stopped 10.2s启动Harbor
bash
[root@master harbor]# docker-compose start
[+] Running 9/9
⠿ Container harbor-log Started 0.3s
⠿ Container redis Started 0.9s
⠿ Container registryctl Started 0.7s
⠿ Container harbor-portal Started 1.0s
⠿ Container harbor-db Started 0.8s
⠿ Container registry Started 1.0s
⠿ Container harbor-core Started 0.3s
⠿ Container nginx Started 0.5s
⠿ Container harbor-jobservice Started 登录Harbor仓库
要登录到Harbor私有仓库,执行以下命令来登录到Harbor仓库:
bash
docker login <Harbor仓库地址>登录异常
bash
[root@master harbor]# docker login 112.74.96.150:8080
Username: admin
Password:
Error response from daemon: Get "https://112.74.96.150:8080/v2/": http: server gave HTTP response to HTTPS client原因:
默认通过 HTTPS 协议与 Harbor 仓库进行通信,但是 Harbor 仓库只配置了 HTTP 服务而没有启用 HTTPS 服务。
解决方案
方案一:
查找docker.service所在目录
bash
[root@master harbor]# find / -name docker.service -type f
/usr/lib/systemd/system/docker.service编辑 vim /usr/lib/systemd/system/docker.service
修改这行配置:
bash
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock使用--insecure选项来跳过https证书验证,改成如下这样:
bash
ExecStart=/usr/bin/dockerd --insecure-registry 112.74.96.150:8080 -H fd:// --containerd=/run/containerd/containerd.sock方案二:
修改
/etc/docker/daemon.json文件,添加配置,指定镜像仓库IP地址
bash
{
"insecure-registries": ["112.74.96.150"]
}登录
重新加载配置、重启docker
bash
systemctl daemon-reload
systemctl restart docker再次登录
注意:可能需要重启Harbor
bash
[root@master harbor]# docker login 112.74.96.150:8080
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded退出
退出Harbor私有仓库的登录状态
bash
docker logout <Harbor仓库地址>
bash
[root@master ~]# docker login 112.74.96.150:8080
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded推送拉取Harbor镜像
镜像命名规范
Harbor的镜像名称,存在一定命名规范,差异之处在于:必须以项目名称作为镜像名称的一部分,具体参考如下示例说明
构建镜像
bash
docker build -t <Harbor仓库地址>/<项目名称>/<镜像名称>:<标签> .将镜像推送到Harbor仓库
bash
docker push <Harbor仓库地址>/<项目名称>/<镜像名称>:<标签>拉取Harbor镜像
bash
docker pull <Harbor仓库地址>/<项目名称>/<镜像名称>:<标签>创建项目
在Harbor仓库的界面或使用Harbor API来创建项目
界面创建 
Harbor API创建
bash
curl -X POST -u username:password -H "Content-Type: application/json" -d '{
"project_name": "projectname",
"public": 1,
"content_trust": "disabled"
}' https://<Harbor仓库地址>/api/projects推送镜像
拉取一个测试镜像
bash
[root@master ~]# docker pull testcontainers/helloworld查看该镜像
bash
[root@master ~]# docker images | grep hello
testcontainers/helloworld latest 6974669be52b 2 years ago 12.7MB标记本地镜像, 将其归入Harbor仓库
注意:需要多一级,作为项目名
bash
[root@master harbor]# docker tag testcontainers/helloworld:latest 112.74.96.150:8080/projectname/helloworld:v1再次查看镜像
bash
[root@master harbor]# docker images | grep hello
112.74.96.150:8080/projectname/helloworld v1 6974669be52b 2 years ago 12.7MB
testcontainers/helloworld latest 6974669be52b 2 years ago 12.7MB将本地镜像推送到镜像仓库(需先登录镜像仓库)
bash
[root@master harbor]# docker push 112.74.96.150:8080/projectname/helloworld:v1
The push refers to repository [112.74.96.150:8080/projectname/helloworld]
802cca11a560: Pushing [============================================> ] 6.194MB/7.019MB
80b7fe966245: Pushed
50644c29ef5a: Pushing [=============================================> ] 5.068MB/5.575MB登录Harbor,查看新建项目projectname下,已成功推送1个镜像
拉取镜像
删除已存在镜像
bash
[root@master harbor]# docker images | grep hello
112.74.96.150:8080/projectname/helloworld v1 6974669be52b 2 years ago 12.7MB
testcontainers/helloworld latest 6974669be52b 2 years ago 12.7MB
[root@master harbor]# docker rmi 112.74.96.150:8080/projectname/helloworld:v1
Untagged: 112.74.96.150:8080/projectname/helloworld:v1
Untagged: 112.74.96.150:8080/projectname/helloworld@sha256:4ee5a832ef6eee533df7224b80d4cceb9ab219599014f408d0b69690be94c396
[root@master harbor]# docker rmi testcontainers/helloworld:latest
Untagged: testcontainers/helloworld:latest
Untagged: testcontainers/helloworld@sha256:4ee5a832ef6eee533df7224b80d4cceb9ab219599014f408d0b69690be94c396从Harbor拉取镜像
bash
[root@master harbor]# docker pull 112.74.96.150:8080/projectname/helloworld:v1
v1: Pulling from projectname/helloworld
df20fa9351a1: Downloading [==========> ] 614.1kB/2.798MB
7d694ce25b07: Download complete
99f5116afda5: Downloading [================================> ]
2.389MB/3.655MB查看拉取的镜像
bash
[root@master harbor]# docker images | grep hell
112.74.96.150:8080/projectname/helloworld v1 6974669be52b 2 years ago 12.7MB