4) Removing all data of the Harbor service containers (used when redeploying)
Each Harbor component is built as a Docker container, so Harbor is deployed with Docker Compose. In the source code (https://github.com/vmware/Harbor), the Docker Compose template used to deploy Harbor is located at Harbor/make/docker-compose.tpl.
Example environment

| Role | Operating system | Hostname | IP address | Software |
| --- | --- | --- | --- | --- |
| Registry service | CentOS7.5-1 | master | 192.168.147.138 | docker-ce docker-compose Harbor-offline |
| Registry service | CentOS7.5-2 | slave | 192.168.147.139 | docker-ce docker-compose Harbor-offline |
| Docker client | CentOS7.5-3 | client | 192.168.147.140 | docker-ce |
- [root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
-
- [root@localhost ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
- [root@localhost ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
-
- [root@localhost ~]# ls /etc/yum.repos.d/
- backup Centos-Base.repo CentOS-Media.repo docker-ce.repo
-
- [root@localhost ~]# yum -y install docker-ce
- [root@localhost ~]# systemctl start docker
- [root@localhost ~]# systemctl enable docker
- Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
- [root@master ~]# cat << END > /etc/docker/daemon.json
- > {
- > "registry-mirrors":[ "https://nyakyfun.mirror.aliyuncs.com" ]
- > }
- > END
Download the latest Docker Compose (master and slave)
- [root@slave ~]# ll
-
- -rw-r--r--. 1 root root 10867152 8月 3 19:22 docker-compose
- [root@master ~]# chmod +x /usr/local/bin/docker-compose
-
Check the Docker Compose version to confirm the installation succeeded
- [root@master ~]# docker-compose --version
- docker-compose version 1.21.1, build 5a3f1a3
Harbor is deployed as multiple Docker containers, so it can run on any Linux distribution that supports Docker. The target host needs Python, Docker and Docker Compose installed.
Download the Harbor installer (master and slave)
- [root@master ~]# ll
- 总用量 642752
- -rw-------. 1 root root 1257 7月 18 16:47 anaconda-ks.cfg
- -rw-r--r--. 1 root root 658170229 8月 7 10:32 harbor-offline-installer-v1.6.1.tgz
- [root@master ~]# tar xf harbor-offline-installer-v1.6.1.tgz -C /usr/local/
- [root@harbor01 ~]# vim /usr/local/harbor/harbor.cfg
- 7 hostname = 192.168.147.138
The Harbor.cfg configuration file contains two kinds of parameters: required parameters and optional parameters.
Required parameters: these must be set in the Harbor.cfg configuration file. If you change them and run the install.sh script to reinstall Harbor, the new values take effect. They are as follows:
Optional parameters: updating these is optional, i.e. you can leave them at their defaults and they take effect at first start; after that, later changes to these parameters in Harbor.cfg are ignored.
Note: if you choose to set these parameters through the UI, make sure to do so immediately after starting Harbor. In particular, the desired auth_mode must be set before registering or creating any new user in Harbor. Once there are users in the system (other than the default admin user), auth_mode can no longer be changed. They are as follows:
Also, by default Harbor stores images on the local filesystem. In a production environment, consider another storage backend instead of the local filesystem, such as S3, OpenStack Swift or Ceph; to do so, update the common/templates/registry/config.yml file.
- [root@master ~]# sh /usr/local/harbor/install.sh
- [Step 4]: starting Harbor ...
- Creating network "harbor_harbor" with the default driver
- Creating harbor-log ... done
- Creating harbor-adminserver ... done
- Creating registry ... done
- Creating harbor-db ... done
- Creating redis ... done
- Creating harbor-ui ... done
- Creating harbor-jobservice ... done
- Creating nginx ... done
-
- ✔ ----Harbor has been installed and started successfully.----
-
- Now you should be able to visit the admin portal at http://192.168.147.138.
- For more details, please visit https://github.com/goharbor/harbor .
-
If everything is working, you should be able to open http://192.168.147.138 in a browser and reach the admin page; the default administrator username and password are admin/Harbor12345.
At this point Harbor is set up. Working in the web UI is also very simple, as there are only a few options.
After logging in with the username and password, you can create a new project: click the "+ Project" button.
Enter "123456789" as the project name and click OK.
You can now use the Docker CLI on the Harbor host itself to log in and push images via 127.0.0.1. By default, the Registry server listens on port 80.
Log in to Harbor.
- [root@master ~]# docker login -u admin -p Harbor12345 http://127.0.0.1
- WARNING! Using --password via the CLI is insecure. Use --password-stdin.
- WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
- Configure a credential helper to remove this warning. See
- https://docs.docker.com/engine/reference/commandline/login/#credentials-store
-
- Login Succeeded
Pull a small image for testing.
- [root@master ~]# docker pull busybox
- Using default tag: latest
- latest: Pulling from library/busybox
- 5cc84ad355aa: Pull complete
- Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
- Status: Downloaded newer image for busybox:latest
- docker.io/library/busybox:latest
Tag the image.
- [root@master ~]# docker tag busybox 127.0.0.1/123456789/busybox:v1
Push the image to Harbor.
- [root@master ~]# docker push 127.0.0.1/123456789/busybox:v1
- The push refers to repository [127.0.0.1/123456789/busybox]
- 01fd6df81c8e: Pushed
- v1: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
In the Harbor UI, the image and its details now appear under the 123456789 project.
All of the above was done locally on the harbor01 server. If another client pushes images to Harbor, it fails with the error below. The cause is that since Docker 1.3.x, Docker talks to a Docker Registry over HTTPS by default, whereas the private registry set up here serves plain HTTP, so interacting with it produces the following error.
- [root@client ~]# docker login -u admin -p Harbor12345 http://192.168.147.138
- WARNING! Using --password via the CLI is insecure. Use --password-stdin.
- Error response from daemon: Get "https://192.168.147.138/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
-
The workaround is to add a startup parameter to the Docker daemon so that it accesses this registry over HTTP by default:
- [root@client ~]# vim /usr/lib/systemd/system/docker.service
- 13 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.147.138
- [root@client ~]# systemctl daemon-reload
- [root@client ~]# systemctl restart docker
- [root@client ~]# docker login -u admin -p Harbor12345 192.168.147.138
- WARNING! Using --password via the CLI is insecure. Use --password-stdin.
- WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
- Configure a credential helper to remove this warning. See
- https://docs.docker.com/engine/reference/commandline/login/#credentials-store
-
- Login Succeeded
- [root@client ~]# docker pull cirros
- Using default tag: latest
- latest: Pulling from library/cirros
- d0b405be7a32: Pull complete
- bd054094a037: Pull complete
- c6a00de1ec8a: Pull complete
- Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
- Status: Downloaded newer image for cirros:latest
- docker.io/library/cirros:latest
- [root@client ~]# docker tag cirros 192.168.147.138/123456789/cirros:v1
- [root@client ~]# docker push 192.168.147.138/123456789/cirros:v1
- The push refers to repository [192.168.147.138/123456789/cirros]
- 984ad441ec3d: Pushed
- f0a496d92efa: Pushed
- e52d19c3bee2: Pushed
- v1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
Check the Harbor web UI: the 123456789 project now contains two images.
When clicking "+ Project", fill in the project name according to your naming convention. Access level: leave the box unchecked for private (checking it makes the project "Public"). If a project is public, everyone has read access to its images and can pull them without running docker login; image operations then work the same as with Docker Hub.
Create a user and assign permissions
System Management -> User Management -> Create User: username "666", email 666@163.com, full name "666", password "Abc123456", comment "administrator".
Add a project member
Projects -> 123456789 -> Members -> + Member: enter the user created above and assign the role "Project Admin".
Delete the locally tagged image created above
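The `--insecure-registry` workaround above makes the Docker daemon fall back to plain HTTP for that host and accept an untrusted certificate if one appears, so it should be removed once the registry is served over TLS (Section 5). The script below is an added example, not part of the original post: it finds the workaround in both places where it can live, the unit file's ExecStart line and the `insecure-registries` array in daemon.json. File paths are parameters, and the demo at the bottom writes constructed sample files to a temp directory; the mirror URL in the sample daemon.json is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Docker host for the
# plaintext-registry workaround so it can be found and removed later.

# Print every host passed via --insecure-registry on the ExecStart line of a
# systemd unit file ($1), one per line. Prints nothing if the file has none.
insecure_from_unit() {
    grep -E '^ExecStart=' "$1" 2>/dev/null \
        | tr ' ' '\n' \
        | awk 'prev == "--insecure-registry" { print }
               /^--insecure-registry=/ { sub(/^--insecure-registry=/, ""); print }
               { prev = $0 }'
}

# Print every entry of "insecure-registries" in daemon.json ($1), one per line.
# Assumes the flat one-array layout used in this tutorial (no JSON parser in sh).
insecure_from_daemon_json() {
    [ -f "$1" ] || return 0
    tr -d '\n ' < "$1" \
        | sed -n 's/.*"insecure-registries":\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' | tr -d '"' | awk 'NF'
}

# Combined report: returns 0 when no plaintext registry is configured,
# 1 otherwise, listing the offending hosts on stdout.
audit_plaintext_registries() {
    unit="$1"; daemon_json="$2"
    found=$( { insecure_from_unit "$unit"; insecure_from_daemon_json "$daemon_json"; } | sort -u )
    if [ -z "$found" ]; then
        echo "OK: no --insecure-registry / insecure-registries configured"
        return 0
    fi
    echo "WARNING: Docker will use plain HTTP, or skip certificate checks, for:"
    echo "$found" | sed 's/^/  /'
    echo "Fix: serve the registry over TLS and place its CA in /etc/docker/certs.d/<host>/ca.crt"
    return 1
}

# Demo on constructed files (the unit line mirrors the one edited above).
demo=$(mktemp -d)
cat > "$demo/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.147.138
EOF
printf '{ "registry-mirrors": [ "https://mirror.example" ], "insecure-registries": [ "10.0.0.5:5000" ] }\n' \
    > "$demo/daemon.json"
audit_plaintext_registries "$demo/docker.service" "$demo/daemon.json" || true
rm -rf "$demo"
```

Run it against `/usr/lib/systemd/system/docker.service` and `/etc/docker/daemon.json` on each client; a non-zero exit makes it usable as a compliance check in a configuration-management run.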
- [root@client ~]# docker rmi 192.168.147.138/123456789/cirros:v1
- Untagged: 192.168.147.138/123456789/cirros:v1
- Untagged: 192.168.147.138/123456789/cirros@sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
- [root@client ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- cirros latest f9cae1daf5f6 2 years ago 12.6MB
First log out the current user, then log in with the account 666 created above.
- [root@client ~]# docker logout 192.168.147.138
- Removing login credentials for 192.168.147.138
- [root@client ~]# docker login 192.168.147.138
- Username: 666
- Password:
- WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
- Configure a credential helper to remove this warning. See
- https://docs.docker.com/engine/reference/commandline/login/#credentials-store
-
- Login Succeeded
Pull the 192.168.147.138/123456789/cirros image with tag v1.
- [root@client ~]# docker pull 192.168.147.138/123456789/cirros:v1
- v1: Pulling from 123456789/cirros
- Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
- Status: Downloaded newer image for 192.168.147.138/123456789/cirros:v1
- 192.168.147.138/123456789/cirros:v1
- [root@client ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- 192.168.147.138/123456789/cirros v1 f9cae1daf5f6 2 years ago 12.6MB
- cirros latest f9cae1daf5f6 2 years ago 12.6MB
Web UI logs: the operation log records user operations in chronological order.
Harbor can be managed with docker-compose. Some useful commands are shown below (they must be run in the same directory as docker-compose.yml).
- [root@master ~]# cd /usr/local/harbor/
- [root@master harbor]# docker-compose stop | start | restart
To change Harbor's configuration, first stop the running Harbor instance and update harbor.cfg; then run the prepare script to populate the configuration; finally recreate and start the Harbor instance.
- [root@master harbor]# docker-compose down -v
- Removing nginx ... done
- Removing harbor-jobservice ... done
- Removing harbor-ui ... done
- Removing harbor-db ... done
- Removing redis ... done
- Removing registry ... done
- Removing harbor-adminserver ... done
- Removing harbor-log ... done
- Removing network harbor_harbor
- [root@master harbor]# vim harbor.cfg
- [root@master harbor]# ./prepare
- Clearing the configuration file: ./common/config/adminserver/env
- Clearing the configuration file: ./common/config/ui/env
- Clearing the configuration file: ./common/config/ui/app.conf
- Clearing the configuration file: ./common/config/ui/private_key.pem
- Clearing the configuration file: ./common/config/db/env
- Clearing the configuration file: ./common/config/jobservice/env
- Clearing the configuration file: ./common/config/jobservice/config.yml
- Clearing the configuration file: ./common/config/registry/config.yml
- Clearing the configuration file: ./common/config/registry/root.crt
- Clearing the configuration file: ./common/config/registryctl/env
- Clearing the configuration file: ./common/config/registryctl/config.yml
- Clearing the configuration file: ./common/config/nginx/nginx.conf
- Clearing the configuration file: ./common/config/log/logrotate.conf
- loaded secret from file: /data/secretkey
- Generated configuration file: ./common/config/nginx/nginx.conf
- Generated configuration file: ./common/config/adminserver/env
- Generated configuration file: ./common/config/ui/env
- Generated configuration file: ./common/config/registry/config.yml
- Generated configuration file: ./common/config/db/env
- Generated configuration file: ./common/config/jobservice/env
- Generated configuration file: ./common/config/jobservice/config.yml
- Generated configuration file: ./common/config/log/logrotate.conf
- Generated configuration file: ./common/config/registryctl/env
- Generated configuration file: ./common/config/ui/app.conf
- Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
- The configuration files are ready, please use docker-compose to start the service.
- [root@master harbor]# docker-compose up -d
- Creating network "harbor_harbor" with the default driver
- Creating harbor-log ... done
- Creating harbor-db ... done
- Creating harbor-adminserver ... done
- Creating registry ... done
- Creating redis ... done
- Creating harbor-ui ... done
- Creating nginx ... done
- Creating harbor-jobservice ... done
- [root@harbor harbor]# docker-compose down -v
Persistent data such as images and the database live under /data/ on the host; logs live under /var/log/Harbor/ on the host.
- [root@master harbor]# rm -r /data/database/
- [root@master harbor]# rm -r /data/registry/
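The two `rm -r` commands above discard every image layer and the database with no way back. The script below is an added example, not part of the original post: it archives the data directory, checks that the archive is readable, and only then removes the directory. Source and destination paths are parameters; the demo at the bottom builds a constructed look-alike of /data in a temp directory instead of touching the real one.

```shell
#!/bin/sh
# Added example (not from the original post): verified backup before wiping
# Harbor's persistent data, so a redeploy can be rolled back.

# Archive directory $1 into $2/<name>-<timestamp>.tar, list the archive to
# confirm it is readable, and print the archive path. Returns 1 on any failure.
backup_harbor_data() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    out="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar"
    # -C keeps the archived paths relative to the parent of $src
    tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    tar -tf "$out" >/dev/null 2>&1 || { echo "archive unreadable: $out" >&2; return 1; }
    echo "$out"
}

# Number of regular files recorded in archive $1 (directory entries end in "/").
archive_file_count() {
    tar -tf "$1" | grep -vc '/$'
}

# Remove directory $1 only after backup_harbor_data succeeded; prints the
# archive path so the operator knows where the rollback copy is.
safe_wipe_harbor_data() {
    archive=$(backup_harbor_data "$1" "$2") || return 1
    rm -r "$1" || return 1
    echo "$archive"
}

# Demo on a constructed stand-in for /data.
demo=$(mktemp -d)
mkdir -p "$demo/data/database" "$demo/data/registry/docker"
echo "constructed db page" > "$demo/data/database/pg.dat"
echo "constructed layer" > "$demo/data/registry/docker/blob"
archive=$(safe_wipe_harbor_data "$demo/data" "$demo/backups") \
    && echo "wiped $demo/data; $(archive_file_count "$archive") files saved in $archive"
rm -rf "$demo"
```

On the real host the call is `safe_wipe_harbor_data /data /backup/harbor` run after `docker-compose down -v`, so that no container is writing to the directory while it is being archived.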
5. Harbor security settings
- [root@master harbor]# yum -y install openssl
- [root@master harbor]# mkdir -p /data/ssl
- [root@master harbor]# cd /data/ssl/
- [root@master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
- Generating a 4096 bit RSA private key
- ..................................................................................................................++
- ................................++
- writing new private key to 'ca.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [XX]:CN
- State or Province Name (full name) []:beijing
- Locality Name (eg, city) [Default City]:beijing
- Organization Name (eg, company) [Default Company Ltd]:skl
- Organizational Unit Name (eg, section) []:skl
- Common Name (eg, your name or your server's hostname) []:www.skl.com
- Email Address []:
- [root@master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.crushlinux.com.key -out www.crushlinux.com.csr
- Generating a 4096 bit RSA private key
- ...............................................................................++
- ..........................................................................................................................................++
- writing new private key to 'www.crushlinux.com.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [XX]:CN
- State or Province Name (full name) []:beijing
- Locality Name (eg, city) [Default City]:beijing
- Organization Name (eg, company) [Default Company Ltd]:skl
- Organizational Unit Name (eg, section) []:skl
- Common Name (eg, your name or your server's hostname) []:www.skl.com
- Email Address []:
-
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
- [root@master ssl]# openssl x509 -req -days 365 -in www.crushlinux.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.crushlinux.com.crt
- Signature ok
- subject=/C=CN/ST=beijing/L=beijing/O=skl/OU=skl/CN=www.skl.com
- Getting CA Private Key
- [root@master ssl]# ls -l
- 总用量 24
- -rw-r--r--. 1 root root 2000 8月 7 18:12 ca.crt
- -rw-r--r--. 1 root root 3272 8月 7 18:12 ca.key
- -rw-r--r--. 1 root root 17 8月 7 18:20 ca.srl
- -rw-r--r--. 1 root root 1883 8月 7 18:20 www.crushlinux.com.crt
- -rw-r--r--. 1 root root 1691 8月 7 18:19 www.crushlinux.com.csr
- -rw-r--r--. 1 root root 3272 8月 7 18:19 www.crushlinux.com.key
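The interactive session above produces a CA, a CSR and a CA-signed server certificate, but the result is only checked by eye (note that the CSR's CN is www.skl.com while the files are named www.crushlinux.com, and the `ls -l` output shows the private keys as world-readable). The script below is an added example, not part of the original post: it performs the same CA -> CSR -> signed certificate sequence non-interactively, adds a subjectAltName so Go-based clients such as Docker (which ignore the CN since Go 1.15) accept the certificate, locks down the key files, and verifies the chain and the key/certificate pairing with openssl itself. The directory and hostname are parameters, the key size is 2048 bits for speed (the post uses 4096), and the demo runs in a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive CA and server
# certificate generation with the checks to run before editing harbor.cfg.

# Create a CA key + self-signed CA certificate in directory $1. The config file
# marks the certificate as a CA, which "openssl verify" requires of an issuer.
make_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
C = CN
O = skl
CN = skl-harbor-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null \
        && chmod 600 "$dir/ca.key"
}

# Issue a server certificate for host $2 signed by the CA in $1. The extfile
# adds a subjectAltName matching the registry hostname and limits the
# certificate to server use.
issue_server_cert() {
    dir="$1"; host="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/C=CN/O=skl/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || return 1
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null || return 1
    chmod 600 "$dir/$host.key"   # the session above leaves the key at 644
}

# Return 0 when $1/$2.crt chains to $1/ca.crt and names $2 in its SAN.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Return 0 when certificate $1 and private key $2 carry the same public key,
# i.e. ssl_cert and ssl_cert_key in harbor.cfg actually belong together.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Demo in a throwaway directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work" && issue_server_cert "$work" www.skl.com
    verify_server_cert "$work" www.skl.com && echo "www.skl.com.crt chains to ca.crt"
    key_matches_cert "$work/www.skl.com.crt" "$work/www.skl.com.key" && echo "key matches certificate"
    rm -rf "$work"
fi
```

What clients need to trust is the CA certificate (ca.crt), not the server certificate: on each Docker client copy it to `/etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust extract` as in the next step, or drop it at `/etc/docker/certs.d/<hostname>/ca.crt`, which the Docker daemon reads for that registry without touching the system store.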
Because the CA certificate is one we issued ourselves, the Linux operating system does not trust it, so we need to add the certificate to the system's trusted certificates.
- [root@master ssl]# cp www.crushlinux.com.crt /etc/pki/ca-trust/source/anchors/
- [root@master ssl]# update-ca-trust extract
- [root@master ssl]# update-ca-trust enable
- [root@master ssl]# mkdir -p /etc/ssl/harbor
- [root@master ssl]# cp /data/ssl/www.crushlinux.com.key /etc/ssl/harbor/
- [root@master ssl]# cp /data/ssl/www.crushlinux.com.crt /etc/ssl/harbor/
- [root@master ssl]# ll /etc/ssl/harbor/
- 总用量 8
- -rw-r--r--. 1 root root 1883 8月 7 18:22 www.crushlinux.com.crt
- -rw-r--r--. 1 root root 3272 8月 7 18:22 www.crushlinux.com.key
- [root@master ssl]# cd /usr/local/harbor/
- [root@master harbor]# docker-compose stop
- Stopping harbor-jobservice ... done
- Stopping nginx ... done
- Stopping harbor-ui ... done
- Stopping redis ... done
- Stopping registry ... done
- Stopping harbor-adminserver ... done
- Stopping harbor-db ... done
- Stopping harbor-log ... done
- [root@master harbor]# docker rm -f $(docker ps -qa)
- 8cbc99060b15
- a610c0fe3eab
- 770b6b4fa0b0
- 00603caaec4e
- 1d7d980e55ba
- cf1a1bf4b356
- 1dabb9d0cfca
- 62fa72f52efd
- [root@master harbor]# vim harbor.cfg
- 7 hostname = www.skl.com
- 11 ui_url_protocol = https
- 23 ssl_cert = /etc/ssl/harbor/www.crushlinux.com.crt
- 24 ssl_cert_key = /etc/ssl/harbor/www.crushlinux.com.key
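The harbor.cfg keys discussed earlier (required vs. optional parameters) and the four values edited just above decide whether admin credentials and image layers cross the network in the clear. The script below is an added example, not part of the original post: it reads those keys from a harbor.cfg and reports the mistakes that are easy to make at this step, including a private key left world-readable as in the `ls -l` output of this section. The config path is a parameter; the demo at the bottom writes a constructed harbor.cfg and empty stand-in certificate files to a temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the
# TLS-related keys in harbor.cfg before running install.sh.

# Print the value of key $2 from a "key = value" file $1 (comment lines start
# with "#"). Prints nothing if the key is absent.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Validate hostname / ui_url_protocol / ssl_cert / ssl_cert_key. Prints one
# finding per line; the return value is the number of findings (0 = pass).
check_harbor_cfg() {
    cfg="$1"; findings=0
    host=$(cfg_get "$cfg" hostname)
    proto=$(cfg_get "$cfg" ui_url_protocol)
    cert=$(cfg_get "$cfg" ssl_cert)
    key=$(cfg_get "$cfg" ssl_cert_key)

    # hostname is what clients connect to and what the certificate must name;
    # reg.mydomain.com is the placeholder shipped in the template.
    case "$host" in
        ""|localhost|127.0.0.1|reg.mydomain.com)
            echo "hostname: '$host' is not the address clients will use"
            findings=$((findings + 1)) ;;
    esac

    if [ "$proto" != "https" ]; then
        echo "ui_url_protocol: '${proto:-unset}' sends credentials and image layers in plaintext"
        findings=$((findings + 1))
    elif [ -z "$cert" ] || [ -z "$key" ]; then
        echo "ssl_cert and ssl_cert_key must both be set when ui_url_protocol = https"
        findings=$((findings + 1))
    else
        for f in "$cert" "$key"; do
            [ -r "$f" ] || { echo "$f: not readable; the prepare step needs it"; findings=$((findings + 1)); }
        done
        # A private key readable by group or others is a finding on its own.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "$key: private key is readable by group/others; chmod 600 it"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Demo on a constructed harbor.cfg with empty stand-in cert/key files.
demo=$(mktemp -d)
: > "$demo/www.skl.com.crt"
: > "$demo/www.skl.com.key"
chmod 644 "$demo/www.skl.com.key"
printf 'hostname = www.skl.com\nui_url_protocol = https\nssl_cert = %s\nssl_cert_key = %s\n' \
    "$demo/www.skl.com.crt" "$demo/www.skl.com.key" > "$demo/harbor.cfg"
check_harbor_cfg "$demo/harbor.cfg" || echo "findings: $?"
chmod 600 "$demo/www.skl.com.key"
check_harbor_cfg "$demo/harbor.cfg" && echo "harbor.cfg passes"
rm -rf "$demo"
```

Run `check_harbor_cfg /usr/local/harbor/harbor.cfg` after editing the file and before `./install.sh`; the non-zero return makes it easy to gate the install on a clean result.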
- [root@master harbor]# ./install.sh --with-notary --with-clair   # --with-notary enables image signing; --with-clair enables vulnerability scanning
The licensed version costs money and I have none, so I won't demonstrate it for you.