Harbor overview
Harbor is an open-source container image registry from VMware. In essence, Harbor takes Docker Registry and adds the enterprise features that have made it so widely adopted: a management web UI, role-based access control (RBAC), AD/LDAP integration, audit logging and more, enough to cover basic enterprise requirements.
Official site: https://goharbor.io/
GitHub: https://github.com/goharbor/harbor
Harbor deployment prerequisites
Server hardware:
Minimum: 2 CPU cores / 4 GB RAM / 40 GB disk
Recommended: 4 CPU cores / 8 GB RAM / 160 GB disk
Software:
Docker CE 17.06 or later
Docker Compose 1.18 or later
Harbor can be installed in two ways:
Online installer: pulls the Harbor images from Docker Hub, so the installer package is very small
Offline installer: the package bundles every image needed for deployment, so it is considerably larger
Deploying Harbor over HTTP
1. Install Docker and Docker Compose first
https://github.com/docker/compose/releases
2. Deploy Harbor over HTTP
mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
tar zxvf harbor-offline-installer-v2.0.0.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
vi harbor.yml    # set the following two keys
hostname: reg.azhe.com
harbor_admin_password: Harbor12345
./prepare
./install.sh
3. Access Harbor
Basic Harbor usage
1. Mark the HTTP registry as trusted (Docker talks HTTPS to registries by default; Harbor was configured for HTTP above, so the registry has to be listed as an insecure registry)
vi /etc/docker/daemon.json
{"insecure-registries" :["reg.azhe.com"]}
systemctl restart docker
docker-compose ps
docker-compose down
docker-compose up -d
2. Configure name resolution in the local hosts file
vim /etc/hosts
192.168.0.11 reg.azhe.com
3. Log in to Harbor, then tag, push and pull an image
docker login reg.azhe.com
Username: admin
Password: Harbor12345
docker images
docker tag mysql:5.7 reg.azhe.com/library/mysql:5.7
docker push reg.azhe.com/library/mysql:5.7
docker pull reg.azhe.com/library/mysql:5.7
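The two files touched in this section decide how much protection the registry actually gets: an entry in insecure-registries tells the Docker daemon to accept that host over plain HTTP, or over HTTPS without verifying the certificate, and harbor_admin_password is the credential every later docker login in this post uses. The script below is an added example for this write-up (not part of Harbor or the original post) that reads both files and flags the plain-HTTP setup, the insecure-registries entry and an admin password left at the template value. The sample file contents are constructed to match the configuration above; the harbor.yml reader only understands the flat and one-level-nested keys it needs and is not a general YAML parser.

```python
"""Audit /etc/docker/daemon.json and harbor.yml for a Harbor host.

Added example, not Harbor's own tooling. The sample contents below are
constructed to mirror the HTTP deployment shown in the post.
"""
import json
import re

# Password shipped in harbor.yml.tmpl; leaving it in place means anyone who
# can reach the UI or API can log in as admin.
TEMPLATE_ADMIN_PASSWORD = "Harbor12345"

# --- constructed sample files --------------------------------------------
SAMPLE_DAEMON_JSON = '{"insecure-registries" :["reg.azhe.com" ]}'

# What the post's harbor.yml looks like: http enabled, https still commented
# out as in the template, admin password unchanged.
SAMPLE_HARBOR_YML = """\
hostname: reg.azhe.com
http:
  port: 80
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
harbor_admin_password: Harbor12345
"""

# The corrected counterpart: https block active, password replaced.
HARDENED_HARBOR_YML = """\
hostname: reg.azhe.com
http:
  port: 80
https:
  port: 443
  certificate: /root/ssl/reg.azhe.com.pem
  private_key: /root/ssl/reg.azhe.com-key.pem
harbor_admin_password: Str0ng-Passw0rd-example
"""


def load_daemon_json(text):
    """Parse daemon.json and return its insecure-registries list."""
    cfg = json.loads(text)
    return list(cfg.get("insecure-registries", []))


def parse_harbor_yml(text):
    """Minimal harbor.yml reader: top-level scalars plus one level of nesting.

    Comments are stripped first, so an 'https' block that is commented out
    (the template default) simply does not appear in the result."""
    top, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(\s*)([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            section = key
            top[key] = value if value else {}
        elif section is not None and isinstance(top.get(section), dict):
            top[section][key] = value
    return top


def audit(daemon_json_text, harbor_yml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    cfg = parse_harbor_yml(harbor_yml_text)
    insecure = load_daemon_json(daemon_json_text)
    hostname = cfg.get("hostname", "")

    if "https" not in cfg:
        findings.append("harbor.yml: no https block, so logins and image layers "
                        "cross the network in clear text")
    if hostname in insecure:
        findings.append("daemon.json: %s is in insecure-registries, so the daemon "
                        "accepts it over HTTP or without certificate verification" % hostname)
    if cfg.get("harbor_admin_password") == TEMPLATE_ADMIN_PASSWORD:
        findings.append("harbor.yml: harbor_admin_password is still the template default")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DAEMON_JSON, SAMPLE_HARBOR_YML):
        print("FINDING:", finding)
    print("hardened config findings:", audit("{}", HARDENED_HARBOR_YML))
```

Run against the sample files it reports three findings; against the hardened harbor.yml with an empty daemon.json it reports none.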
Deploying Harbor over HTTPS
1. Generate the SSL certificates
mkdir ssl
cd ssl
ls    # directory contents after running cfssl.sh and certs.sh below
ca-config.json  ca-key.pem  cfssl.sh  reg.azhe.com-key.pem  ca.csr  ca.pem  reg.azhe.com.csr  reg.azhe.com.pem  ca-csr.json  certs.sh  reg.azhe.com-csr.json
vim cfssl.sh (fetches the certificate tooling)
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
vim certs.sh (certificate generation script)
# Note: change the domain name inside to your own Harbor domain
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

cat > reg.azhe.com-csr.json <<EOF
{
  "CN": "reg.azhe.com",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes reg.azhe.com-csr.json | cfssljson -bare reg.azhe.com
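cfssl copies the entries of the "hosts" list into the certificate's Subject Alternative Name extension, and the request script above leaves that list empty, so the server certificate it issues carries no SAN at all. Docker clients built with Go 1.15 or later match the registry hostname only against the SAN and no longer fall back to the Common Name, which is one of the usual reasons a docker login against a freshly issued certificate fails with a certificate error. The checker below is an added example for this write-up (not part of cfssl, Harbor or the original post): it validates the CSR request and the signing profile before anything is issued, and shows the same request with the hostname filled in. The JSON constants are constructed copies of the two files certs.sh writes; the threshold of two years for the profile expiry is a recommendation chosen here, not a cfssl rule.

```python
"""Pre-flight checks for the cfssl inputs used to issue the Harbor server cert.

Added example, not cfssl's or Harbor's own tooling. The JSON below mirrors
ca-config.json and reg.azhe.com-csr.json from certs.sh.
"""
import json

CA_CONFIG_JSON = """
{ "signing": { "default": { "expiry": "87600h" },
  "profiles": { "kubernetes": { "expiry": "87600h",
    "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } }
"""

# Constructed copy of the request as written in certs.sh: note the empty hosts.
SERVER_CSR_JSON = """
{ "CN": "reg.azhe.com", "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] }
"""

MIN_RSA_BITS = 2048
MAX_SERVER_CERT_DAYS = 730   # cap chosen for this check, not a cfssl limit


def check_server_csr(csr_text, hostname):
    """Return a list of problems with a cfssl request for a TLS server cert.

    'hosts' becomes the SAN extension; an empty list yields a certificate
    that current Docker/Go clients reject for hostname verification."""
    csr = json.loads(csr_text)
    problems = []
    hosts = csr.get("hosts") or []
    if hostname not in hosts:
        problems.append('hosts does not contain "%s" (no SAN matches the registry hostname)'
                        % hostname)
    if csr.get("CN") != hostname:
        problems.append("CN %r differs from the registry hostname" % csr.get("CN"))
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and int(key.get("size", 0)) < MIN_RSA_BITS:
        problems.append("RSA key shorter than %d bits" % MIN_RSA_BITS)
    return problems


def check_signing_profile(config_text, profile):
    """Return a list of problems with the profile passed to cfssl -profile."""
    cfg = json.loads(config_text)
    prof = cfg.get("signing", {}).get("profiles", {}).get(profile)
    if prof is None:
        return ["profile %r not defined in ca-config.json" % profile]
    problems = []
    if "server auth" not in prof.get("usages", []):
        problems.append("profile lacks 'server auth'; clients reject it as a TLS server cert")
    expiry = prof.get("expiry", "")
    if expiry.endswith("h"):
        days = int(expiry[:-1]) // 24
        if days > MAX_SERVER_CERT_DAYS:
            problems.append("profile expiry %s is about %d days; use a shorter lifetime "
                            "for a server certificate" % (expiry, days))
    return problems


def fixed_csr(csr_text, hostname, extra_hosts=()):
    """Return the request JSON with the hostname (plus any extra SANs) filled in."""
    csr = json.loads(csr_text)
    csr["hosts"] = [hostname] + list(extra_hosts)
    return json.dumps(csr, indent=2)


if __name__ == "__main__":
    print("as written:", check_server_csr(SERVER_CSR_JSON, "reg.azhe.com"))
    corrected = fixed_csr(SERVER_CSR_JSON, "reg.azhe.com", ["192.168.0.11"])
    print("corrected :", check_server_csr(corrected, "reg.azhe.com"))
    print("profile   :", check_signing_profile(CA_CONFIG_JSON, "kubernetes"))
```

Write the corrected JSON back to reg.azhe.com-csr.json before the final cfssl gencert line; adding the registry's IP address as a second SAN lets clients that pull by IP verify the certificate as well.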
2. Enable HTTPS in Harbor
vi harbor.yml
https:
  port: 443
  certificate: /root/ssl/reg.azhe.com.pem
  private_key: /root/ssl/reg.azhe.com-key.pem
3. Regenerate the configuration and redeploy Harbor
./prepare
docker-compose down
docker-compose up -d
4. Edit the Docker systemd unit to add "--insecure-registry reg.azhe.com", and configure the hosts file
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry reg.azhe.com
systemctl restart docker
vim /etc/hosts
192.168.0.11 reg.azhe.com
5. Verify
docker login reg.azhe.com
Username: admin
Password: Harbor12345
docker images
docker pull reg.azhe.com/library/mysql:5.7
If, after completing step 4 of the HTTPS deployment above, logging in to Harbor from the Docker host still reports a certificate error, it can be resolved as follows (see also the reference link):
4. Copy the certificate to the Docker host
scp reg.azhe.com.pem root@192.168.0.13:~
mkdir /etc/docker/certs.d/reg.azhe.com
cp reg.azhe.com.pem /etc/docker/certs.d/reg.azhe.com/reg.azhe.com.crt
Reference
https://blog.csdn.net/chenglang0914/article/details/100833054
Harbor replication
Primary/standby mode
1. Prepare the standby Harbor
mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
tar -zxf harbor-offline-installer-v2.0.0.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
vi harbor.yml    # set the following two keys
hostname: 192.168.0.12
harbor_admin_password: Harbor12345
./prepare
./install.sh
2. In the primary Harbor's web UI, configure the replication endpoint and rule
3. From a client Docker host, push an image to the primary Harbor and verify that it is replicated to the standby
docker login reg.azhe.com
Username: admin
Password: Harbor12345
docker tag centos:7 reg.azhe.com/library/centos:7
docker push reg.azhe.com/library/centos:7
Harbor operations and maintenance
Container data persistence directory: /data
Log directory: /var/log/harbor
Back up the PostgreSQL database regularly; it holds the user data.
With replication, if the primary Harbor goes down, bring up the standby Harbor; the PostgreSQL data has to be imported into the standby.
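One way to turn the "back up PostgreSQL regularly" advice into something a cron job can run, as an added example for this write-up and not Harbor's own tooling: stream pg_dump out of the database container into a compressed, owner-only file under the persistent /data tree, and prune dumps older than a retention window so the backup directory does not grow without bound. The container name harbor-db, the database name registry and the postgres superuser are assumptions that hold for a default Harbor 2.x docker-compose deployment; the retention demo writes constructed placeholder dumps to a scratch directory so the pruning rule can be exercised without Docker.

```python
"""Back up the Harbor PostgreSQL database and prune old dumps.

Added example, not part of Harbor. Assumed names (default Harbor 2.x
docker-compose deployment): container harbor-db, database registry,
superuser postgres. Adjust them to your installation.
"""
import gzip
import os
import subprocess
import tempfile
import time

DB_CONTAINER = "harbor-db"          # assumed container name
DB_NAME = "registry"                # assumed database name
DB_USER = "postgres"                # assumed superuser inside the container
DEFAULT_BACKUP_DIR = "/data/backup/harbor-db"   # under the persistent /data tree
KEEP_DAYS = 14                      # retention window chosen for this example
PREFIX, SUFFIX = "registry-", ".sql.gz"


def backup_filename(epoch_seconds):
    """Name a dump after its UTC timestamp so files sort chronologically."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(epoch_seconds))
    return PREFIX + stamp + SUFFIX


def dump_database(backup_dir, now=None):
    """Run pg_dump inside the db container and gzip it straight to disk.

    The SQL is piped from docker exec into gzip, so the plaintext dump never
    sits uncompressed on disk; the file is created readable by root only."""
    now = time.time() if now is None else now
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    path = os.path.join(backup_dir, backup_filename(now))
    cmd = ["docker", "exec", DB_CONTAINER, "pg_dump", "-U", DB_USER, DB_NAME]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
    with gzip.open(path, "wb") as out:
        for chunk in iter(lambda: proc.stdout.read(1 << 16), b""):
            out.write(chunk)
    if proc.wait() != 0:
        os.remove(path)              # never keep a truncated dump
        raise RuntimeError("pg_dump failed with exit code %d" % proc.returncode)
    os.chmod(path, 0o600)
    return path


def prune_old_backups(backup_dir, keep_days, now=None):
    """Delete dumps whose mtime is older than keep_days; returns removed paths."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for name in sorted(os.listdir(backup_dir)):
        if not (name.startswith(PREFIX) and name.endswith(SUFFIX)):
            continue                 # leave unrelated files alone
        path = os.path.join(backup_dir, name)
        if os.path.getmtime(path) < cutoff:
            os.remove(path)
            removed.append(path)
    return removed


def retention_demo():
    """Exercise the retention rule on a scratch directory with constructed
    placeholder dumps: one dated now survives, one 30 days old is removed.
    Returns (removed basenames, remaining basenames)."""
    scratch = tempfile.mkdtemp(prefix="harbor-backup-demo-")
    now = time.time()
    samples = [(backup_filename(now), now),
               (backup_filename(now - 30 * 86400), now - 30 * 86400)]
    for name, mtime in samples:
        path = os.path.join(scratch, name)
        with gzip.open(path, "wb") as f:
            f.write(b"-- constructed placeholder dump, not a real pg_dump\n")
        os.utime(path, (mtime, mtime))
    removed = prune_old_backups(scratch, KEEP_DAYS, now=now)
    return [os.path.basename(p) for p in removed], sorted(os.listdir(scratch))


if __name__ == "__main__":
    saved = dump_database(DEFAULT_BACKUP_DIR)
    print("saved", saved)
    for old in prune_old_backups(DEFAULT_BACKUP_DIR, KEEP_DAYS):
        print("pruned", old)
```

Restoring into the standby Harbor is the reverse path: copy the chosen dump over and feed the decompressed SQL to psql inside the standby's database container, then restart the standby's services so they pick up the imported data.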