Harbor: Docker Image Registry



Harbor -- Enterprise-grade Container Image Registry



Overview


What is Harbor?

Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.


Although Docker provides a public image registry, deploying a Registry inside our own private environment is also necessary for reasons of security and efficiency.

Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. Compared with the official Docker registry it offers richer permission controls and a more complete architecture, and is suited to providing registry services for large-scale Docker cluster deployments.

It mainly provides a management UI for the Docker Registry, with role-based access control, image replication, AD/LDAP integration, audit logging and other features, and it fully supports Chinese.


Main features


Role-based access control

Users and Docker image repositories are organized through "projects"; a user can hold different permissions on multiple image repositories within the same namespace (project).


Image-based replication policies

Images can be replicated across multiple Registry instances (images in a repository can be synchronized to a remote Harbor, similar to MySQL master/slave replication), which is especially useful for load balancing, high availability, hybrid-cloud and multi-cloud scenarios.


Graphical user interface

Users can browse and search the current Docker image registry and manage projects and namespaces from a browser.


AD/LDAP support

Harbor can integrate with the enterprise's existing AD/LDAP for authentication and authorization management.


Image deletion and garbage collection

Harbor supports deleting images from the web UI and garbage-collecting the space they occupied, so that unused images are reclaimed and disk space is freed.


Audit management

Every operation against the image registry can be recorded and traced for auditing.


RESTful API

The RESTful API gives administrators more control over Harbor and makes integration with other management software easier.


Simple deployment

Both an online and an offline installer are provided; Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).


All Harbor components are deployed in Docker, so Harbor can be brought up quickly with Docker Compose.

Note: because Harbor is built on Docker Registry V2, the Docker version must be >= 1.10.0 and docker-compose >= 1.6.0.


Harbor architecture components


  • 1. Proxy: reverse proxy
  • 2. Registry: stores Docker images and handles upload/download commands. It enforces access control on users by pointing to a token service: every docker pull/push request must carry a valid token, which the registry verifies with the token service's public key.
  • 3. Core service: Harbor's core functionality:
    • UI: graphical interface
    • Webhook: receives image status changes from the registry promptly; a webhook is configured on the registry that passes status changes to the UI module.
    • Token service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the registry that carries no token is redirected here; once the client has obtained a token it repeats the request to the registry.
  • 4. Database: provides database services, storing user permissions, audit logs, docker image grouping information and other data
  • 5. Log collector: to help monitor Harbor's operation, it collects the logs of the other components for later analysis
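The Registry and Token service bullets above describe the Docker Registry v2 token flow. The following Python is an added illustration of that exchange, not Harbor's own code: it parses the 401 challenge the registry returns, builds the request the client sends to the token service, and applies the claim checks a registry makes on a presented token before serving a pull or push. The challenge string, the service name "harbor-registry", the realm URL and the token payload are constructed sample data; the RS256 signature check that the registry performs with the token service's public key is assumed to have passed already and is not reproduced here.

```python
"""Docker Registry v2 token authentication in front of a Harbor registry.

Added illustration, not Harbor's own code. Challenge, service name and token
payload are constructed samples; signature verification (RS256 with the token
service's public key) happens in the registry before these claim checks and is
not implemented here.
"""
import base64
import json
import time
from typing import Dict
from urllib.parse import urlencode

# Constructed sample: the challenge a registry returns when a client pulls
# images/nginx without a token (realm and service name are assumptions).
SAMPLE_CHALLENGE = (
    'Bearer realm="http://192.168.2.181:5004/service/token",'
    'service="harbor-registry",'
    'scope="repository:images/nginx:pull"'
)


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate Bearer challenge into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    parsed = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        parsed[key] = value.strip('"')
    return parsed


def token_request_url(challenge: Dict[str, str]) -> str:
    """URL the Docker client calls on the token service; the service decides
    from the user's project role whether to grant the requested scope."""
    query = urlencode({"service": challenge["service"], "scope": challenge["scope"]})
    return f"{challenge['realm']}?{query}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped sample token (constructed and unsigned; a real
    Harbor token carries an RS256 signature in the third segment)."""
    header = json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(payload, separators=(",", ":"))
    return f"{_b64url(header.encode())}.{_b64url(body.encode())}."


def decode_claims(token: str) -> dict:
    """Return the token's payload (its claims)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))


def token_authorizes(claims: dict, service: str, repo: str, action: str,
                     now: float = None) -> bool:
    """Claim checks applied to a presented token: not expired, issued for this
    registry (aud), and an access entry grants the action on the repository."""
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        return False
    if claims.get("aud") != service:
        return False
    for grant in claims.get("access", []):
        if grant.get("type") == "repository" and grant.get("name") == repo:
            if action in grant.get("actions", []):
                return True
    return False


if __name__ == "__main__":
    challenge = parse_challenge(SAMPLE_CHALLENGE)
    print("token request:", token_request_url(challenge))
    # Constructed token: pull-only grant on images/nginx, valid for 30 minutes.
    sample = encode_unsigned_jwt({
        "iss": "harbor-token-issuer", "aud": "harbor-registry",
        "exp": int(time.time()) + 1800,
        "access": [{"type": "repository", "name": "images/nginx", "actions": ["pull"]}],
    })
    claims = decode_claims(sample)
    print("pull allowed:", token_authorizes(claims, "harbor-registry", "images/nginx", "pull"))
    print("push allowed:", token_authorizes(claims, "harbor-registry", "images/nginx", "push"))
```

The scope string in the challenge (`repository:<name>:<actions>`) is exactly what the token service maps onto the user's project role, so a pull-only token is rejected for a push even though it is otherwise valid; the expiry check is what limits how long a leaked token remains usable.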






Getting started


Harbor can be installed on any Kubernetes environment or on a system with Docker support. Information on how to get started:



Installation and deployment


Environment preparation

Two virtual machines:


  • harbor (the Harbor server, used to host the private registry)
    • 192.168.2.181 docker-ce, docker-compose (required), Harbor
  • client (the client, used to access the private registry remotely)
    • 192.168.2.47 docker-ce


Install compose


Download the Harbor Installer


You download the Harbor installers from the official releases page. Download either the online installer or the offline installer.

  • Online installer: The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size.
  • Offline installer: Use the offline installer if the host to which you are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images, so it is larger than the online installer.

The installation processes are almost the same for the online and offline installers.


$ ls
harbor-offline-installer-v2.0.2.tgz
$ tar -xf harbor-offline-installer-v2.0.2.tgz
$ ls
harbor  harbor-offline-installer-v2.0.2.tgz
$ ls harbor
common.sh  harbor.v2.0.2.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
$ cd harbor
$ cp harbor.yml.tmpl harbor.yml


Configure HTTPS Access to Harbor


Configure the Harbor YML File


$ vim harbor.yml
hostname: 192.168.2.181
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 5004
external_url: http://192.168.2.181:5004
data_volume: /home/hdd0/harbor
# https related config
#https:
#  # https port for harbor, default is 443
#  port: 443
#  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
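The harbor.yml above leaves the https block commented out, so the registry is exposed over plain HTTP on port 5004 and docker login credentials cross the network unencrypted. The following Python is an added check, not part of the page or of Harbor: it reads the two-level key layout of a harbor.yml like the one above (top-level keys and keys indented by two spaces; it is not a general YAML parser) and reports whether HTTPS is configured and whether external_url agrees with it. The file content embedded below is a constructed copy of that configuration.

```python
"""Report plain-HTTP exposure in a harbor.yml.

Added example, not Harbor's own tooling. Understands only the flat two-level
layout used by harbor.yml (top-level keys, keys indented two spaces); the
sample content is constructed from the configuration shown above.
"""
from typing import List
from urllib.parse import urlparse

SAMPLE_HARBOR_YML = """\
hostname: 192.168.2.181
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 5004
external_url: http://192.168.2.181:5004
data_volume: /home/hdd0/harbor
# https related config
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse 'key: value' lines; a key with no value opens a section whose
    two-space-indented keys nest under it. Comments and blanks are skipped."""
    config: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if line.startswith("  "):
            if section is None:
                raise ValueError(f"indented key outside a section: {line!r}")
            config[section][key] = value
        elif value:
            config[key] = value
            section = None
        else:
            config[key] = {}
            section = key
    return config


def tls_findings(config: dict) -> List[str]:
    """Findings about plain-HTTP exposure; empty when HTTPS is set up."""
    findings = []
    https = config.get("https")
    if not isinstance(https, dict):
        findings.append("https section absent: registry traffic and docker login "
                        "credentials are sent in clear text")
    else:
        for key in ("certificate", "private_key"):
            if not https.get(key):
                findings.append(f"https.{key} is not set")
    ext = config.get("external_url")
    if isinstance(ext, str):
        scheme = urlparse(ext).scheme
        if scheme != "https":
            findings.append(f"external_url uses {scheme!r}: docker clients must "
                            "list the registry under insecure-registries")
            if isinstance(https, dict):
                findings.append("https is configured but external_url does not use it")
    return findings


if __name__ == "__main__":
    for finding in tls_findings(parse_flat_yaml(SAMPLE_HARBOR_YML)):
        print("-", finding)
```

Enabling the https block (port, certificate, private_key) and changing external_url to an https URL clears every finding; run the check again after editing harbor.yml and before running prepare.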



Configure Enabling Internal TLS


Run the Installer Script


$ ls
common     docker-compose.yml    harbor.yml       install.sh  prepare
common.sh  harbor.v2.0.2.tar.gz  harbor.yml.tmpl  LICENSE
$ sh install.sh


Deploy Harbor on Kubernetes


You can also use Helm to install Harbor on a Kubernetes cluster, to make Harbor highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see Deploying Harbor with High Availability via Helm.


Post-Installation Configuration


For information about how to manage your deployed Harbor instance, see Reconfigure Harbor and Manage the Harbor Lifecycle.

By default, Harbor uses its own private key and certificate to authenticate with Docker. For information about how to optionally customize your configuration to use your own key and certificate, see Customize the Harbor Token Service.

After installation, log into your Harbor via the web console to configure the instance under ‘configuration’. Harbor also provides a command line interface (CLI) that allows you to Configure Harbor User Settings at the Command Line.


View the containers orchestrated by compose with docker-compose ps

$ sudo docker-compose ps
      Name                     Command                  State                        Ports
------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up (healthy)
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp
harbor-jobservice   /harbor/entrypoint.sh            Up (healthy)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:5004->8080/tcp,:::5004->8080/tcp
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp
registryctl         /home/harbor/start.sh            Up (healthy)

At this point you can use Docker commands locally to log in and push images via 127.0.0.1. By default, the Registry server listens on port 5004.

Open a browser at http://192.168.2.181 to reach the management page.


Harbor Components

The table below lists some of the key components that are deployed when you deploy Harbor.

Component              Version
Postgresql             13.3.0
Redis                  6.0.13
Beego                  1.9.0
Chartmuseum            0.9.0
Docker/distribution    2.7.1
Docker/notary          0.6.1
Helm                   2.9.1
Swagger-ui             3.22.1



Usage




Log in to Harbor from the command line

docker login -u admin -p Harbor12345 192.168.2.181:5004

If the login fails, see: http://pointborn.com/article/2022/4/20/1875.html



Pull an image from the private registry

# docker pull 192.168.2.181:5004/images/nginx:v1


Push an image to the private registry

// First pull the nginx image from the official registry
# docker pull nginx
# docker tag nginx:latest 192.168.2.181:5004/images/nginx:v2
// Then push the re-tagged image to the private registry
# docker push 192.168.2.181:5004/images/nginx:v2



Management and maintenance


Modify the harbor.cfg configuration file

To modify harbor.cfg (the configuration file of the Harbor 1.x installer shown in the listing below; the 2.0.2 installer above uses harbor.yml instead), first stop the existing Harbor instance and update the settings in harbor.cfg, then run the prepare script to reload the configuration, and finally recreate and start the Harbor instance.

Stop all containers

docker-compose down -v


[root@server1 harbor]# ls
common                     docker-compose.yml     harbor.v1.2.2.tar.gz  NOTICE
docker-compose.clair.yml   harbor_1_1_0_template  install.sh            prepare
docker-compose.notary.yml  harbor.cfg             LICENSE               upgrade
[root@server1 harbor]# vi harbor.cfg 
[root@server1 harbor]# ./prepare 
[root@server1 harbor]# systemctl restart docker
[root@server1 harbor]# docker-compose up -d



Reference

https://goharbor.io/docs/2.5.0/install-config/download-installer/

https://blog.csdn.net/weixin_49228721/article/details/110480722