4. Docker private registry


I. Overview

Introduction to Harbor

Harbor is an enterprise-class Docker Registry management project open-sourced by VMware. It mainly provides a management UI on top of the Docker Registry, with features including role-based access control (RBAC), AD/LDAP integration, audit logging, a management interface, self-registration, image replication and Chinese-language support. Harbor's goal is to help users quickly stand up an enterprise-grade Docker registry service. It builds on the registry open-sourced by Docker Inc. and adds the following:

  1. Role-based access control
  2. Policy-based image replication
  3. Vulnerability scanning of images
  4. LDAP/AD integration
  5. Image deletion and garbage collection
  6. Graphical user portal
  7. Audit logging
  8. RESTful API
  9. Easy deployment

All Harbor components run in Docker, so Harbor can be deployed quickly with Docker Compose. Note in particular: because Harbor is based on Docker Registry V2, Docker must be version 1.10.0 or later and docker-compose must be later than 1.6.0!

Harbor is an enterprise-class Registry server for storing and distributing Docker images,

Harbor repository structure

Each Harbor component is built as a Docker container and can be deployed with Docker Compose. If Kubernetes is used in the environment, Harbor also provides Kubernetes configuration files. Harbor roughly consists of the following containers:

  • ui (Harbor's core service)
  • log (a container running rsyslog, used for log collection)
  • mysql (a database container built from the official mysql image)
  • Nginx (Nginx acting as a reverse proxy)
  • registry (the official Docker registry)
  • adminserver (Harbor's configuration data manager)
  • jobservice (Harbor's job management service)
  • redis (session storage)

Harbor dependent components

  • Nginx (proxy layer): the Nginx front-end proxy, mainly used to distribute front-end UI page access and image upload/download traffic. Harbor's registry, UI, token and other services sit behind a single reverse proxy that receives requests from browsers and Docker clients and forwards them to the appropriate back-end service.

  • Registry v2: the image repository, responsible for storing image files. This is Docker's official registry, which stores Docker images and handles docker push/pull commands. Because we want access control over users, i.e. different users have different read/write permissions on Docker images, the Registry points to a token service and requires every docker pull/push request to carry a valid token; the Registry verifies the token with the public key.

  • Database (MySQL or PostgreSQL): provides database services for the core services, storing user permissions, audit logs, Docker image grouping information and other data.

  • Core services (Admin Server): the core functionality of Harbor, mainly providing the following services:

    UI: provides the graphical interface that helps users manage the images on the registry and authorizes users
    webhook: so that image state changes on the registry are learned promptly, a webhook is configured on the Registry that passes state changes to the UI module
    Auth service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the Registry that carries no token is redirected here; after obtaining the token the client repeats the request to the Registry
    API: provides Harbor's RESTful API
  • Replication Job Service: provides image synchronization between multiple Harbor instances

  • Log collector: to help monitor Harbor's operation, collects the logs of the other components for later analysis
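The redirect-to-token-service step described for the Registry and Auth service above can be walked by hand. The script below is an added example, not code from the original post or from the Harbor project: it parses the Bearer challenge the Registry returns, builds the token request, and decodes the resulting JWT so the granted "access" claims can be inspected. The host (the post's 192.168.115.129:80), the repository name and the HARBOR_USER / HARBOR_PASS variables are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post or the Harbor project): the
# Registry v2 token handshake done by hand with curl. Host, repository and the
# HARBOR_USER / HARBOR_PASS environment variables are assumptions.

# Extract one field (realm, service or scope) from a Bearer challenge such as
#   Bearer realm="http://192.168.115.129/service/token",service="harbor-registry"
challenge_field() {
    # $1 = Www-Authenticate header value, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the token endpoint URL the client must call before retrying its request.
token_url() {
    # $1 = realm, $2 = service, $3 = scope (repository:<name>:pull or :push,pull)
    printf '%s?service=%s&scope=%s\n' "$1" "$2" "$3"
}

# Decode the payload of a JWT (base64url, padding restored) so the "access"
# claims the token service granted can be read.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
    while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
    printf '%s' "$seg" | base64 -d
}

# Full flow: unauthenticated GET /v2/ -> 401 with challenge -> token request with
# basic auth -> bearer token. Needs a reachable Harbor, so it is not run here.
fetch_token() {
    # $1 = host:port, $2 = scope; credentials from HARBOR_USER / HARBOR_PASS
    challenge=$(curl -sS -o /dev/null -D - "http://$1/v2/" \
        | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p' | tr -d '\r')
    realm=$(challenge_field "$challenge" realm)
    service=$(challenge_field "$challenge" service)
    curl -sS -u "$HARBOR_USER:$HARBOR_PASS" "$(token_url "$realm" "$service" "$2")" \
        | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# List the tags of a repository with a pull-only token.
list_tags() {
    # $1 = host:port, $2 = repository (e.g. nginx/nginx)
    tok=$(fetch_token "$1" "repository:$2:pull")
    curl -sS -H "Authorization: Bearer $tok" "http://$1/v2/$2/tags/list"
}
# Usage against the post's registry:
#   HARBOR_USER=admin HARBOR_PASS=... list_tags 192.168.115.129:80 nginx/nginx
```

Running the handshake this way shows why the token service, not the Registry, is where authorization decisions are made: the scope in the token request names the repository and action, and the decoded token carries exactly the access that was granted, which is what the Registry checks on every request.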

Harbor component data flow

  • proxy: the nginx front-end proxy, which mainly distributes front-end UI page access and image upload/download traffic; marked with dark blue lines in the figure above;
  • ui: provides the web management page, which includes a front-end page and a back-end API, with MySQL as the underlying database;
  • registry: the image repository that stores image files; when an image upload completes it notifies ui through a hook to create the repository, marked with red lines in the figure above; the registry's token authentication is also handled by the ui component;
  • adminserver: the system's configuration management center, which also checks storage usage; ui and jobservice load adminserver's configuration at startup, marked with grey lines;
  • jobservice: responsible for image replication; it talks to registries, pulling an image from one registry and pushing it to another, and records the job_log, marked with purple lines in the figure above;
  • log: the log aggregation component; logs are collected together through Docker's log-driver, marked with light blue lines.

II. Harbor architecture deployment

Installation methods

Two ways of deploying Harbor are officially provided:

  1. Online installation: downloads the Harbor images from Docker Hub. Since Docker Hub is slow, configure a Docker mirror accelerator first. (Very slow.)
  2. Offline installation: for hosts without Internet access. The offline installer package harbor-offline-installer-.tgz must be downloaded locally in advance.

Offline installation steps

  1. Download the latest Harbor installer package
  2. Configure Harbor (harbor.yml)
  3. Run install.sh to install and start Harbor
  4. Harbor's log path: /var/log/harbor

Recommended system configuration

Offline deployment procedure

Software requirements

| Software       | Version |
| -------------- | ------- |
| Python         | 2.7+    |
| Docker Engine  | 1.10+   |
| Docker Compose | 1.6.0+  |

System environment requirements

| Setting   | Result |
| --------- | ------ |
| SELinux   | setenforce 0; disable SELinux |
| firewalld | stop it and disable it at boot: systemctl stop firewalld && systemctl disable firewalld |
| python    | python --version to confirm the software version |
| Docker    | docker -v to confirm the software version |
Verify Compose

```shell
### Download compose
[root@localhost ~]# curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
## Make the command executable
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose
# Check the version
[root@localhost ~]# docker-compose version
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t  3 May 2016
```
Install Harbor

```shell
### Import the Harbor package ###
[root@localhost ~]# ls
harbor-offline-installer-v2.7.3.tgz
### Unpack ###
[root@localhost ~]# tar xf harbor-offline-installer-v2.7.3.tgz
### Edit the installation configuration ###
[root@localhost ~]# cd harbor/
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# cat harbor.yml
```
```yaml
#######################################################################################################
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.115.129   ## change this to the IP address of the Harbor host

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  #port: 443             ## commented out here, which disables https
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path  ## commented out here, no certificate path is given
  #private_key: /your/private/key/path  ## commented out here, no key path is given

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345  ## Harbor login password

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123 # password of the database root user
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100  # maximum number of idle database connections
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900  # maximum number of open database connections
  # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
  conn_max_lifetime: 5m  # maximum lifetime of a database connection
  # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
  conn_max_idle_time: 0  # maximum idle time of a database connection; 0 here means no limit

# The default data volume
data_volume: /data  # path of the Harbor data volume

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false  # whether to ignore unfixed vulnerabilities
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false  # whether to skip Trivy DB updates
  #
  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  # It would work if all the dependencies are in local.
  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  offline_scan: false # whether to scan offline
  #
  # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
  security_check: vuln # Trivy security check types
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false # whether insecure transport is allowed
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10 # maximum number of JobService workers

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10 # maximum retries for webhook jobs

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled # absolute URLs for charts

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info # log level
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50 # local log rotation count
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M # local log rotation size
    # The directory on your host that store log
    location: /var/log/harbor # local log storage path

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.7.0 # Harbor version

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment redis if need to customize redis db
# redis:
#   # db_index 0 is for core, it's unchangeable
#   # registry_db_index: 1
#   # jobservice_db_index: 2
#   # trivy_db_index: 5
#   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
#   # harbor_db_index: 6
#   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
#   # cache_layer_db_index: 7

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30
#   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
#   # harbor_db_index: 6
#   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
#   # cache_layer_db_index: 7

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy: # HTTP proxy address
  https_proxy: # HTTPS proxy address
  no_proxy: # domains that bypass the proxy
  components: # Harbor components that use the proxy
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agetn mode uncomment agent_host and agent_port
# trace:
#   enabled: true
#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
#   sample_rate: 1
#   # # namespace used to differenciate different harbor services
#   # namespace:
#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
#   # attributes:
#   #   application: harbor
#   # # jaeger should be 1.26 or newer.
#   # jaeger:
#   #   endpoint: http://hostname:14268/api/traces
#   #   username:
#   #   password:
#   #   agent_host: hostname
#   #   # export trace data by jaeger.thrift in compact mode
#   #   agent_port: 6831
#   # otel:
#   #   endpoint: hostname:4318
#   #   url_path: /v1/traces
#   #   compression: false
#   #   insecure: true
#   #   # timeout is in seconds
#   #   timeout: 10

# enable purge _upload directories
upload_purging:
  enabled: true # whether upload purging is enabled
  # remove files in _upload directories which exist for a period of time, default is one week.
  age: 168h # how long uploaded files are retained
  # the interval of the purge operations
  interval: 24h # interval between purge runs
  dryrun: false # whether purging runs in dry-run mode

# cache layer configurations
# If this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which can especially help to improve the performance of high concurrent
# manifest pulling.
# NOTICE
# If you are deploying Harbor in HA mode, make sure that all the harbor
# instances have the same behaviour, all with caching enabled or disabled,
# otherwise it can lead to potential data inconsistency.
cache:
  # not enabled by default
  enabled: false # whether the cache layer is enabled
  # keep cache for one day by default
  expire_hours: 24 # cache lifetime in hours
#######################################################################################################
```
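The harbor.yml above keeps two shipped defaults (harbor_admin_password: Harbor12345 and database.password: root123) and leaves the https block commented out; the template's own comments say to change the passwords before production use. The script below is an added example, not part of the original post or of Harbor, that checks a harbor.yml for exactly these install-time defaults before install.sh is run. File paths and the two sample configurations it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): a pre-install
# check of harbor.yml that rejects the shipped default secrets and a disabled https
# block. Paths and the sample configs written below are constructed.

# Value of a top-level "key: value" line, trailing comment and spaces removed.
yml_top() {
    # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Value of database.password: the first "password:" line inside the database: block.
yml_db_password() {
    awk '/^database:/ { in_db = 1; next }
         in_db && /^[^ ]/ { in_db = 0 }
         in_db && /^  password:/ { sub(/^  password:[ ]*/, ""); sub(/[ ]*#.*$/, ""); print; exit }' "$1"
}

# Print findings and return 1 if the file still carries install-time defaults.
check_harbor_yml() {
    f=$1; rc=0
    if [ "$(yml_top "$f" harbor_admin_password)" = "Harbor12345" ]; then
        echo "FAIL: harbor_admin_password is the shipped default"; rc=1
    fi
    if [ "$(yml_db_password "$f")" = "root123" ]; then
        echo "FAIL: database.password is the shipped default"; rc=1
    fi
    if ! grep -q '^https:' "$f"; then
        echo "FAIL: https is commented out; docker login will send credentials in clear text"; rc=1
    fi
    if grep -q '^[[:space:]]*insecure:[[:space:]]*true' "$f"; then
        echo "WARN: trivy.insecure is true, registry certificate checks are skipped"
    fi
    return $rc
}

# Constructed samples: the post's settings (weak) and a corrected version (hardened).
# Prints the directory they were written to.
write_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/weak.yml" <<'EOF'
hostname: 192.168.115.129   ## change to the Harbor host IP
http:
  port: 80
#https:
  #port: 443
harbor_admin_password: Harbor12345  ## Harbor login password
database:
  password: root123 # password of the database root user
  max_idle_conns: 100
trivy:
  insecure: false
EOF
    cat > "$d/hardened.yml" <<'EOF'
hostname: harbor.example.internal
https:
  port: 443
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key
harbor_admin_password: REPLACE-WITH-A-GENERATED-SECRET
database:
  password: REPLACE-WITH-A-GENERATED-SECRET
  max_idle_conns: 100
EOF
    echo "$d"
}
# Usage before installing:
#   check_harbor_yml harbor/harbor.yml || echo "fix harbor.yml before running ./install.sh"
```

The check runs on the file the installer reads, so it catches the defaults at the point where they are cheapest to fix; after install.sh the admin password can only be changed from the UI and the database password is already baked into the running containers.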
Edit the Docker client configuration file

```shell
[root@localhost ~]# cat /etc/docker/daemon.json
{
  "data-root": "/opt/module/docker_data",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "insecure-registries": [
    "192.168.115.129:80"
  ],
  "registry-mirrors": [
    "https://0vmzj3q6.mirror.aliyuncs.com",
    "https://docker.m.daocloud.io",
    "https://mirror.baidubce.com",
    "https://dockerproxy.com",
    "https://mirror.iscas.ac.cn",
    "https://huecker.io",
    "https://dockerhub.timeweb.cloud",
    "https://noohub.ru",
    "https://vlgh0kqj.mirror.aliyuncs.com"
  ]
}
[root@www harbor]# systemctl daemon-reload
[root@www harbor]# systemctl restart docker
```

Configuration file explained:

  1. data-root: the root directory where Docker stores its data, here /opt/module/docker_data.
  2. log-driver: Docker's log driver, here json-file, meaning logs are stored in JSON format.
  3. log-opts: options for the log driver.
     max-size: the maximum size of a log file, here 100m, i.e. 100 MB.
  4. insecure-registries: registries treated as insecure; set here to 192.168.115.129:80, which allows communication with that registry even though TLS is not enabled.

Install Harbor

```shell
[root@localhost harbor]# ./install.sh
```
Starting and stopping Harbor

```shell
## change to the Harbor installation directory first
## stop Harbor
[root@localhost harbor]# docker-compose stop
## start Harbor
[root@localhost harbor]# docker-compose start
```
Accessing Harbor

Browser login: admin/Harbor12345

http://192.168.115.129

Command-line login

```shell
[root@localhost ~]# docker login -u admin http://192.168.115.129:80
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Harbor deployment is now complete!

III. Using Harbor

Example

Upload the nginx:latest image to the Harbor repository created earlier.

Create a project in Harbor through the web browser interface

Image upload procedure

```shell
### Re-tag nginx:latest
[root@localhost ~]# docker tag nginx:latest 192.168.115.129:80/nginx/nginx:v1
# Log in to Harbor
[root@localhost ~]# docker login -u admin -p Harbor12345 192.168.115.129:80
# Push the image to Harbor
[root@localhost ~]# docker push 192.168.115.129:80/nginx/nginx:v1
The push refers to repository [192.168.115.129:80/nginx/nginx]
d874fd2bc83b: Pushed
32ce5f6a5106: Pushed
f1db227348d0: Pushed
b8d6e692a25e: Pushed
e379e8aedd4d: Pushed
2edcec3590a4: Pushed
v1: digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3 size: 1570
```
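The same tag / login / push sequence, as an added example that is not part of the original post: the password is read from stdin instead of being passed as `-p Harbor12345` on the command line (where it lands in shell history and in the process list), and after the push the digest the registry reports is compared with the RepoDigest Docker recorded locally for the same repository. REG, IMAGE, TARGET and the HARBOR_USER / HARBOR_PASS variables are assumptions; the sample push output is the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): login via --password-stdin and a
# digest check after docker push. REG, IMAGE, TARGET and HARBOR_USER / HARBOR_PASS
# are assumptions; the sample output below is copied from the post.
REG=${REG:-192.168.115.129:80}
IMAGE=${IMAGE:-nginx:latest}
TARGET=${TARGET:-$REG/nginx/nginx:v1}

# Extract the "digest: sha256:..." value from docker push output (last one wins).
push_digest() {
    sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | tail -n 1
}

# Log in without putting the password on the command line.
harbor_login() {
    printf '%s' "$HARBOR_PASS" | docker login -u "${HARBOR_USER:-admin}" --password-stdin "$REG"
}

# Tag, push, then compare the registry's digest with the digest Docker recorded
# locally for the same repository; a mismatch means the registry did not store
# the manifest that was sent.
push_and_verify() {
    docker tag "$IMAGE" "$TARGET" || return 1
    pushed=$(docker push "$TARGET" | push_digest)
    stored=$(docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$TARGET" \
        | grep -F "${TARGET%:*}@" | sed 's/.*@//')
    [ -n "$pushed" ] && [ "$pushed" = "$stored" ]
}

# Copied from the post's docker push run, reused here as sample input.
SAMPLE_PUSH_OUTPUT='The push refers to repository [192.168.115.129:80/nginx/nginx]
d874fd2bc83b: Pushed
32ce5f6a5106: Pushed
v1: digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3 size: 1570'

sample_digest() { printf '%s\n' "$SAMPLE_PUSH_OUTPUT" | push_digest; }
# Usage: HARBOR_PASS=... harbor_login && push_and_verify && echo "pushed $TARGET, digest verified"
```

The digest is what consumers should pin (`192.168.115.129:80/nginx/nginx@sha256:...`) rather than the mutable v1 tag; checking it right after the push gives a known-good value to record alongside the image.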

View the project information in Harbor through the browser
