Introduction
Harbor is an open-source, enterprise-grade private Docker registry that provides secure, reliable and efficient storage and distribution of container images. Below is a detailed introduction to Harbor:
1. Features of Harbor
- Role-based access control (RBAC): Harbor supports role-based permission control; users and teams can be assigned different permissions so that access to container images stays controlled.
- Image replication: Harbor can replicate images between multiple Harbor instances, enabling high availability and load balancing for reliable image distribution.
- LDAP/AD support: Harbor integrates with an existing LDAP/AD directory for user authentication and permission management, which is convenient for users inside an enterprise.
- Image deletion and garbage collection: Harbor supports deleting images and running garbage collection to free storage space and avoid wasting resources.
- Graphical user interface: Harbor provides an intuitive, easy-to-use web UI for browsing, searching and managing container images.
- Audit management: Harbor records every operation performed on container images, providing compliance and traceability.
- RESTful API support: Harbor exposes a RESTful API so that administrators and other systems can integrate with and manage Harbor.
2. Harbor architecture
Harbor consists mainly of the following components:
- Proxy: a reverse proxy that forwards requests from browsers, Docker clients and other callers to the backend services.
- Registry: the Docker registry service, responsible for storing and distributing container images.
- UI: the graphical user interface for browsing, searching and managing container images.
- Token Service: generates and manages the access tokens used to verify a client's permissions.
- Database: stores metadata such as users, projects and images.
- Job Service: the background task component that runs image replication, garbage collection and similar jobs.
3. Deploying and managing Harbor
Deploying and managing Harbor is relatively simple; it can be brought up quickly with Docker Compose. Before deployment, prepare the environment, including Docker and the database. Once deployed, container images can be managed through the web UI. Harbor also offers rich configuration options and an API for customization and integration.
In short, Harbor is a powerful, easy-to-deploy and easy-to-manage enterprise-grade Docker registry solution suitable for enterprises and organizations of any size and type.
Environment
redhat 9.2 192.168.200.133
Harbor version: 2.9.4
Steps
Install Docker
[root@dokcer ~]# yum -y install yum-utils.noarch
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
AppStream 3.1 MB/s | 3.2 kB 00:00
BaseOS 2.7 MB/s | 2.7 kB 00:00
依赖关系解决。
=======================================================================================================
 软件包 架构 版本 仓库 大小
=======================================================================================================
安装:
 yum-utils noarch 4.3.0-5.el9_2 BaseOS 45 k
(remaining output omitted)
[root@dokcer ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
添加仓库自:http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@dokcer ~]# yum clean all && yum makecache
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
13 个文件已删除
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
Docker CE Stable - x86_64 62 kB/s | 46 kB 00:00
AppStream 164 MB/s | 6.3 MB 00:00
BaseOS 109 MB/s | 1.7 MB 00:00
元数据缓存已建立。
[root@dokcer ~]#
[root@dokcer ~]# yum -y install docker-ce*
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
上次元数据过期检查:0:00:51 前,执行于 2024年05月11日 星期六 16时26分54秒。
依赖关系解决。
=======================================================================================================
 软件包 架构 版本 仓库 大小
=======================================================================================================
安装:
 docker-ce x86_64 3:26.1.2-1.el9 docker-ce-stable 27 M
 docker-ce-cli x86_64 1:26.1.2-1.el9 docker-ce-stable 7.8 M
 docker-ce-rootless-extras x86_64 26.1.2-1.el9 docker-ce-stable 4.0 M
安装依赖关系:
 containerd.io x86_64 1.6.31-3.1.el9 docker-ce-stable 34 M
安装弱的依赖:
 docker-buildx-plugin x86_64 0.14.0-1.el9 docker-ce-stable 13 M
 docker-compose-plugin x86_64 2.27.0-1.el9 docker-ce-stable 13 M
事务概要
=========================================================================================
(remaining output omitted)
Configure a registry mirror (faster image pulls)
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{"registry-mirrors": ["https://7f40piyw.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
Install Compose
[root@dokcer ~]# yum update && yum install docker-compose-plugin
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
上次元数据过期检查:0:08:25 前,执行于 2024年05月11日 星期六 16时26分54秒。
依赖关系解决。
无需任何处理。
完毕!
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
上次元数据过期检查:0:08:25 前,执行于 2024年05月11日 星期六 16时26分54秒。
软件包 docker-compose-plugin-2.27.0-1.el9.x86_64 已安装。
依赖关系解决。
无需任何处理。
完毕!
[root@dokcer ~]# docker compose version
Docker Compose version v2.27.0
Download the Harbor installer package
Download the Harbor installer from GitHub; the package is published by the Harbor project: Releases · goharbor/harbor (github.com)
Download it directly in a browser and then copy it into the VM, because downloading inside the VM is too slow.
Install a file transfer tool
[root@dokcer ~]# yum -y install lrzsz.x86_64
After the transfer, check that the file is there and extract it
[root@dokcer ~]# ls
公共 视频 文档 音乐 anaconda-ks.cfg
模板 图片 下载 桌面 harbor-offline-installer-v2.9.4.tgz
[root@dokcer ~]#
[root@dokcer ~]# tar -xvf harbor-offline-installer-v2.9.4.tgz -C /usr/local/
harbor/harbor.v2.9.4.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
[root@dokcer ~]#
Generate an SSL certificate with OpenSSL
[root@dokcer ~]# yum -y install mod_ssl.x86_64 openssl
正在更新 Subscription Management 软件仓库。
无法读取客户身份本系统尚未在权利服务器中注册。可使用 subscription-manager 进行注册。
上次元数据过期检查:0:49:04 前,执行于 2024年05月11日 星期六 18时26分11秒。
软件包 openssl-1:3.0.7-6.el9_2.x86_64 已安装。
依赖关系解决。
# Generate a self-signed certificate; first create a directory /private to hold it
[root@dokcer ~]# mkdir private
[root@dokcer ~]# openssl genrsa -out ./private/ca.key 2048
# Generate a certificate signing request (CSR)
[root@dokcer ~]# openssl req -new -key ./private/ca.key -out ./private/ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Generate an X.509 self-signed certificate
[root@dokcer ~]# openssl req -new -x509 -key ./private/ca.key -out ./private/ca.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@dokcer ~]#
Configure the Harbor parameter file
[root@dokcer ~]# cd /usr/local/harbor/
[root@dokcer harbor]# vim harbor.yml.tmpl
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.200.133      # change this line to your own IP address

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/private/ca.crt   # replace with the path to your SSL certificate file
  private_key: /root/private/ca.key   # replace with the path to your SSL private key file
Start the Harbor service
/usr/local/harbor/install.sh
Copy harbor.yml.tmpl to a file named harbor.yml, because the installer needs it
[root@dokcer harbor]# cp harbor.yml.tmpl harbor.yml
[root@dokcer harbor]# bash /usr/local/harbor/install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 26.1.2
[Step 1]: checking docker-compose is installed ...
Note: Docker Compose version v2.27.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/nginx-photon:v2.9.4
Loaded image: goharbor/trivy-adapter-photon:v2.9.4
Loaded image: goharbor/harbor-portal:v2.9.4
Loaded image: goharbor/harbor-core:v2.9.4
Loaded image: goharbor/harbor-log:v2.9.4
Loaded image: goharbor/harbor-jobservice:v2.9.4
Loaded image: goharbor/harbor-exporter:v2.9.4
Loaded image: goharbor/prepare:v2.9.4
Loaded image: goharbor/harbor-db:v2.9.4
Loaded image: goharbor/harbor-registryctl:v2.9.4
Loaded image: goharbor/redis-photon:v2.9.4
Loaded image: goharbor/registry-photon:v2.9.4
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
WARN[0000] /usr/local/harbor/docker-compose.yml: `version` is obsolete
[Step 5]: starting Harbor ...
WARN[0000] /usr/local/harbor/docker-compose.yml: `version` is obsolete
[+] Running 10/10
 ✔ Network harbor_harbor Created 0.4s
 ✔ Container harbor-log Started 0.8s
 ✔ Container harbor-portal Started 2.7s
 ✔ Container harbor-db Started 3.2s
 ✔ Container registryctl Started 3.1s
 ✔ Container redis Started 3.1s
 ✔ Container registry Started 2.7s
 ✔ Container harbor-core Started 3.7s
 ✔ Container harbor-jobservice Started 4.9s
 ✔ Container nginx Started 5.5s
✔ ----Harbor has been installed and started successfully.----
[root@dokcer harbor]#
Check the Harbor containers
[root@dokcer harbor]# docker compose ps
WARN[0000] /usr/local/harbor/docker-compose.yml: `version` is obsolete
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
harbor-core goharbor/harbor-core:v2.9.4 "/harbor/entrypoint.…" core About a minute ago Up About a minute (healthy)
harbor-db goharbor/harbor-db:v2.9.4 "/docker-entrypoint.…" postgresql About a minute ago Up About a minute (healthy)
harbor-jobservice goharbor/harbor-jobservice:v2.9.4 "/harbor/entrypoint.…" jobservice About a minute ago Up 58 seconds (healthy)
harbor-log goharbor/harbor-log:v2.9.4 "/bin/sh -c /usr/loc…" log About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal goharbor/harbor-portal:v2.9.4 "nginx -g 'daemon of…" portal About a minute ago Up About a minute (healthy)
nginx goharbor/nginx-photon:v2.9.4 "nginx -g 'daemon of…" proxy About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp
redis goharbor/redis-photon:v2.9.4 "redis-server /etc/r…" redis About a minute ago Up About a minute (healthy)
registry goharbor/registry-photon:v2.9.4 "/home/harbor/entryp…" registry About a minute ago Up About a minute (healthy)
registryctl goharbor/harbor-registryctl:v2.9.4 "/home/harbor/start.…" registryctl About a minute ago Up About a minute (healthy)
[root@dokcer harbor]#
Access from a browser
The default administrator username and password are admin and Harbor12345
Create a new project: after logging in, create a new project
Once created, the new project appears in the list
Now the docker command can be used locally to log in and push images via 127.0.0.1. By default the registry listens on port 80.
[root@dokcer ~]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@dokcer ~]#
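The certificate step above leaves the Common Name empty and adds no Subject Alternative Name, which is why a Docker client cannot validate it for 192.168.200.133 and the login falls back to plain http://127.0.0.1; the login also triggers Docker's warning about passing the password on the command line. The following added example (my own code, not from the original post) redoes both steps so a client can actually validate the certificate over HTTPS: the host goes into the SAN, the certificate is trusted through Docker's per-registry certs.d directory, and the password is passed on stdin. The variables HARBOR_HOST, CERT_DIR, DOCKER_CERTS_ROOT and HARBOR_ADMIN_PASSWORD and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a self-signed Harbor TLS
# certificate whose SAN names the registry host, Docker client trust via
# /etc/docker/certs.d/<host>/ca.crt, and login with --password-stdin.
# Assumptions: HARBOR_HOST is an IPv4 literal or a DNS name; the admin
# password is supplied in HARBOR_ADMIN_PASSWORD, never on the command line.
set -eu

HARBOR_HOST="${HARBOR_HOST:-192.168.200.133}"       # value from the page
CERT_DIR="${CERT_DIR:-/root/private}"               # directory used on the page
DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# Key + self-signed certificate in one step; the separate CSR on the page is
# not needed for a self-signed cert. Clients match the host against the SAN,
# so an IP literal goes in as IP: and a name as DNS:.
gen_harbor_cert() {
    mkdir -p "$CERT_DIR"
    case "$HARBOR_HOST" in
        *[!0-9.]*) san="DNS:$HARBOR_HOST" ;;
        *)         san="IP:$HARBOR_HOST"  ;;
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$HARBOR_HOST" -addext "subjectAltName=$san" \
        -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt" 2>/dev/null
    chmod 600 "$CERT_DIR/ca.key"      # private key: owner-only
}

# Print the SAN line of the certificate; empty output means clients will
# reject the certificate for this host.
cert_san() {
    openssl x509 -in "$CERT_DIR/ca.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Docker trusts per-registry CAs from /etc/docker/certs.d/<host>/ca.crt; a
# self-signed certificate is its own CA, so the same file goes there.
install_client_trust() {
    mkdir -p "$DOCKER_CERTS_ROOT/$HARBOR_HOST"
    cp "$CERT_DIR/ca.crt" "$DOCKER_CERTS_ROOT/$HARBOR_HOST/ca.crt"
    printf '%s\n' "$DOCKER_CERTS_ROOT/$HARBOR_HOST/ca.crt"
}

# Log in over HTTPS with --password-stdin, which avoids the "--password via
# the CLI is insecure" warning and keeps the password out of shell history.
harbor_login() {
    printf '%s' "$HARBOR_ADMIN_PASSWORD" \
        | docker login -u admin --password-stdin "https://$HARBOR_HOST"
}
```

After gen_harbor_cert, point harbor.yml's certificate and private_key at the generated files as the page does, then run install_client_trust and harbor_login on the client host.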
Pull an image for testing
[root@dokcer ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@dokcer ~]#
[root@dokcer ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.9.4 2d73f8aa1dae 3 weeks ago 106MB
goharbor/redis-photon v2.9.4 cdc8364c58be 3 weeks ago 165MB
goharbor/trivy-adapter-photon v2.9.4 c2450773e2e6 3 weeks ago 504MB
goharbor/harbor-registryctl v2.9.4 309a9ce74755 3 weeks ago 149MB
goharbor/registry-photon v2.9.4 fd9a212aba2d 3 weeks ago 83.5MB
goharbor/nginx-photon v2.9.4 7d707a6be242 3 weeks ago 153MB
goharbor/harbor-log v2.9.4 43c3b30c4d6b 3 weeks ago 163MB
goharbor/harbor-jobservice v2.9.4 32cace7c28c0 3 weeks ago 140MB
goharbor/harbor-core v2.9.4 c69d87c3277b 3 weeks ago 168MB
goharbor/harbor-portal v2.9.4 ccec0edebddc 3 weeks ago 161MB
goharbor/harbor-db v2.9.4 ef215f05a8a0 3 weeks ago 269MB
goharbor/prepare v2.9.4 e958fd04a56e 3 weeks ago 206MB
cirros latest f9cae1daf5f6 3 years ago 12.6MB
[root@dokcer ~]#
Tag the image as v1 and check that the tag was created
Then push the image to Harbor
[root@dokcer ~]# docker tag cirros:latest 127.0.0.1/my123/cirros:v1
[root@dokcer ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.9.4 2d73f8aa1dae 3 weeks ago 106MB
goharbor/redis-photon v2.9.4 cdc8364c58be 3 weeks ago 165MB
goharbor/trivy-adapter-photon v2.9.4 c2450773e2e6 3 weeks ago 504MB
goharbor/harbor-registryctl v2.9.4 309a9ce74755 3 weeks ago 149MB
goharbor/registry-photon v2.9.4 fd9a212aba2d 3 weeks ago 83.5MB
goharbor/nginx-photon v2.9.4 7d707a6be242 3 weeks ago 153MB
goharbor/harbor-log v2.9.4 43c3b30c4d6b 3 weeks ago 163MB
goharbor/harbor-jobservice v2.9.4 32cace7c28c0 3 weeks ago 140MB
goharbor/harbor-core v2.9.4 c69d87c3277b 3 weeks ago 168MB
goharbor/harbor-portal v2.9.4 ccec0edebddc 3 weeks ago 161MB
goharbor/harbor-db v2.9.4 ef215f05a8a0 3 weeks ago 269MB
goharbor/prepare v2.9.4 e958fd04a56e 3 weeks ago 206MB
127.0.0.1/my123/cirros v1 f9cae1daf5f6 3 years ago 12.6MB
cirros latest f9cae1daf5f6 3 years ago 12.6MB
[root@dokcer ~]#
[root@dokcer ~]# docker push 127.0.0.1/my123/cirros:v1   # push into the my123 project
The push refers to repository [127.0.0.1/my123/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
v1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
[root@dokcer ~]#
Refresh the browser page to check that the image is there