离线安装harbor：使用docker-compose方式_离线下载harbor

一、安装docker

参照博客docker学习文档来安装docker

二、安装docker-compose

1、下载docker-compose

考虑到网速原因，这里直接提供百度网盘下载信息：

链接：https://pan.baidu.com/s/1SHSUkDL-OPJXxaY-QXqZWQ?pwd=isci

提取码：isci

如果大家想自己去下载，可以使用这个下载链接：

https://github.com/docker/compose/releases/download/v2.3.4/docker-compose-linux-x86_64

2、安装docker-compose

// 1、将文件移动到/usr/local/bin下，并改名为docker-compose
mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose

// 2、添加权限
chmod +x /usr/local/bin/docker-compose
1
2
3
4
5

3、验证安装效果

// 任意找一个目录执行，只要能看到“Docker Compose version v2.3.4”就可以了
docker-compose -v
1
2

三、安装harbor

1、下载harbor

下载链接：https://github.com/goharbor/harbor/releases/download/v2.4.2/harbor-offline-installer-v2.4.2.tgz

2、解压harbor

tar -zxvf harbor-offline-installer-v2.3.1.tgz -C /opt/harbor/
1

3、修改harbor.yml

// 1、复制harbor.yml.tmpl，并且改名为harbor.yml
cp harbor.yml.tmpl harbor.yml

// 2、修改harbor.yml中的内容，注意不要在上述yml中添加中文
// 修改主机ip：将hostname属性值修改成主机ip，例如:192.168.1.10或reg.yourdomain.com。不要使用localhost或127.0.0.1作为主机名；比如现在我的主机ip是192.168.56.10
hostname 192.168.56.10
// 修改harbor访问端口：将port属性值修改成harbor访问端口，比如82，我们在浏览器访问harbor首页的时候可以使用“http://192.168.56.10:82”；搜索“http related config”，下面的port值就是端口
http:
  port: 82
// 修改harbor仓库密码：将harbor_admin_password属性值修改成密码，其中默认用户名/密码为admin/Harbor12345
harbor_admin_password: admin123456
// 修改PostgreSQL数据库的root用户密码：将password属性值修改成密码；搜索“Harbor DB configuration”，下面的password值就是密码
database:
  password: 123456
// 修改harbor数据存储位置：将data_volume属性值修改成数据存储位置，如果原来没有这个存储位置，记得提前创建，例如：/opt/harbor-data
data_volume: /opt/harbor-data
// 修改harbor日志存储位置：将location属性值修改成日志存储位置；搜索“Log configurations”，下面的location值就是日志存储位置；注意：我们这里没有修改
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
// 注释以下内容，避免出现错误“The protocol is https but attribute ssl_cert is not set”
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

下面把我修改之后的harbor.yml示例文件发出来，被修改的位置上面添加了update by mingkuaidexuanmi61

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# update by mingkuaidexuanmi61
hostname: 192.168.56.10

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  # update by mingkuaidexuanmi61
  port: 82

# update by mingkuaidexuanmi61
# https related config
# https:
#   # https port for harbor, default is 443
#   port: 443
#   # The path of cert and key files for nginx
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
# update by mingkuaidexuanmi61
harbor_admin_password: admin123456

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
# update by mingkuaidexuanmi61
  password: 123456
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume
# update by mingkuaidexuanmi61
data_volume: /opt/harbor-data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.3.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

4、安装harbor

// 1、进入安装文件解压目录
cd /opt/harbor

// 2、安装harbor
./install.sh
1
2
3
4
5

5、修改docker配置文件

// 1、打开daemon.json
vi /etc/docker/daemon.json

// 2、添加harbor访问信息，并保存
将"insecure-registries": ["主机ip:harbor端口"]添加到里面，例如：
{
  "registry-mirrors": ["https://95c1opgi.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.56.10:82"]
}
其中主机ip“192.168.56.10”是安装harbor的主机ip，而端口“82”是我在harbor.yml中设置的http.port值

// 3、应用docker配置，并重启docker
systemctl daemon-reload
systemctl restart docker
1
2
3
4
5
6
7
8
9
10
11
12
13
14

6、配置harbor自启动

// 1、编辑harbor.service文件
vi /usr/lib/systemd/system/harbor.service

// 2、将以下内容填充到上述文件中，并保存
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target

// 3、设置开机自启
systemctl enable harbor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

四、登录harbor

直接在浏览器上访问即可，其中ip是主机ip，端口是harbor.yml中配置的http.port，比如：http://192.168.56.10:82

其中用户名是admin，密码是admin123456，登录成功后页面如下

五、测试harbor

1、测试在linux上登录harbor

在linux上输入docker login 主节点ip:82回车即可，比如我的就是docker login 192.168.56.10:82，然后依次输入用户名回车、输入密码回车就可以登录harbor了，如下：

2、测试通过docker命令推送镜像到harbor

本次测试推送busybox到harbor仓库

首先通过docker pull busybox下载busybox镜像

然后将镜像打成符合推送要求的样子，命令是：docker tag 本地镜像名称:本地镜像版本号 仓库访问地址/项目名称/推送到harbor仓库的镜像名称:推送到harbor仓库的镜像版本号，比如我的就是：

docker tag busybox:latest 192.168.56.10:82/test/busybox:v1.0.0
1

解释如下：

• busybox:latest：本地镜像名称:本地镜像版本号

• 192.168.56.10:82：harbor访问地址
  

• test：harbor仓库中的项目名称
  

• busybox：harbor仓库中的镜像名称
  

• v1.0.0：harbor仓库中的镜像版本号
  

然后把镜像推送到harbor仓库中就可以了（注意：推送之前记得在harbor控制台页面中创建test项目），命令是：docker push 仓库访问地址/项目名称/推送到harbor仓库的镜像名称:推送到harbor仓库的镜像版本号，比如我的就是：

docker push 192.168.56.10:82/test/busybox:v1.0.0
1

命令执行完成效果如下：

3、测试通过docker命令从harbor仓库下载镜像

首先删除同名镜像，命令是：docker rmi 仓库访问地址/项目名称/镜像名称:镜像版本号，例如：

docker rmi 192.168.56.10:82/test/busybox:v1.0.0
1

然后下载镜像，命令是：docker pull 仓库访问地址/项目名称/镜像名称:镜像版本号，例如：

docker pull 192.168.56.10:82/test/busybox:v1.0.0
1

命令执行完成效果如下：