雖然前面也介紹了Docker自帶的私有倉庫Registry,也能滿足小公司或團隊的需求,但是在一些大公司企業環境中還存在一定的不足。所以這裏介紹一款企業級的鏡像倉庫軟件——Harbor。
Harbor是由VMware公司開源的企業級的Docker Registry管理項目,它包括權限管理(RBAC)、LDAP、日誌審覈、管理界面、自我註冊、鏡像複製和中文支持等功能。Harbor的github地址爲:https://github.com/goharbor/harbor ,上面有其詳細介紹,下面嘗試在Centos7上部署Harbor鏡像倉庫。
1、環境準備
Harbor是以多個Docker容器的方式部署,因此其可以安裝在任何支Docker的Linux發行版上,安裝的前提條件是需要先安裝好Docker、Python和Docker Compose等軟件。
硬件要求:
| Resource | Capacity | Description |
|---|---|---|
| CPU | minimal 2 CPU | 4 CPU is preferred |
| Mem | minimal 4GB | 8GB is preferred |
| Disk | minimal 40GB | 160GB is preferred |
| Software | Version | Description |
|---|---|---|
| Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine | version 1.10 or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |
網絡端口:
| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor portal and core API will accept requests on this port for https protocol |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
| 80 | HTTP | Harbor portal and core API will accept requests on this port for http protocol |
[root@centos7 ~]# grep processor /proc/cpuinfo |wc -l 2 [root@centos7 ~]# free -m total used free shared buff/cache available Mem: 3774 138 3363 8 272 3363 Swap: 3071 0 3071 [root@centos7 ~]# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) [root@centos7 ~]# python -V Python 2.7.5 [root@centos7 ~]# docker --version Docker version 1.13.1, build 8633870/1.13.1
2、下載Harbor離線安裝包
Harbor有在線和離線兩種安裝方式,一般採用離線安裝包進行安裝。可以從 https://github.com/goharbor/harbor/releases 下載最新的offline安裝包,目前最新版是1.74。
3、安裝Docker
因爲之前已經安裝過Docker,所以該步省略。
4、安裝Docker-compose
[root@centos7 ~]# wget https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` [root@centos7 ~]# ll docker-compose* -rw-r--r-- 1 root root 8273264 May 26 2017 docker-compose-Linux-x86_64 [root@centos7 ~]# mv docker-compose-Linux-x86_64 /usr/bin/docker-compose [root@centos7 ~]# chmod +x /usr/bin/docker-compose [root@centos7 ~]# docker-compose --version docker-compose version 1.13.0, build 1719ceb
5、自籤TLS證書
[root@centos7 opt]# tar -zxf harbor-offline-installer-v1.7.4.tgz [root@centos7 opt]# cd harbor [root@centos7 harbor]# mkdir ssl [root@centos7 harbor]# cd ssl [root@centos7 ssl]# openssl genrsa -out ca.key 4096 Generating RSA private key, 4096 bit long modulus .......................................................................................................................++ ........................................................................................................................................................................................++ e is 65537 (0x10001) [root@centos7 ssl]# ll total 4 -rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key [root@centos7 ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 \ > -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=IT/CN=contoso.com" \ > -key ca.key \ > -out ca.crt [root@centos7 ssl]# ll total 8 -rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt -rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key [root@centos7 ssl]# openssl genrsa -out harbor.contoso.com.key 4096 Generating RSA private key, 4096 bit long modulus ................++ .......................++ e is 65537 (0x10001) [root@centos7 ssl]# ll total 12 -rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt -rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key -rw-r--r-- 1 root root 3247 Mar 16 13:35 harbor.contoso.com.key [root@centos7 ssl]# openssl req -sha512 -new \ > -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=IT/CN=contoso.com" \ > -key harbor.contoso.com.key \ > -out harbor.contoso.com.csr [root@centos7 ssl]# ll total 16 -rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt -rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key -rw-r--r-- 1 root root 1691 Mar 16 13:38 harbor.contoso.com.csr -rw-r--r-- 1 root root 3247 Mar 16 13:35 harbor.contoso.com.key [root@centos7 ssl]# cat > v3.ext <<-EOF > authorityKeyIdentifier=keyid,issuer > basicConstraints=CA:FALSE > keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment > extendedKeyUsage = serverAuth > subjectAltName = @alt_names > > [alt_names] > DNS.1=contoso.com > DNS.2=contoso > DNS.3=centos7 > EOF [root@centos7 ssl]# openssl x509 -req -sha512 -days 3650 \ > -extfile v3.ext \ > -CA ca.crt -CAkey ca.key -CAcreateserial \ > -in harbor.contoso.com.csr \ > -out harbor.contoso.com.crt Signature ok subject=/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=IT/CN=contoso.com Getting CA Private Key [root@centos7 ssl]# ll total 28 -rw-r--r-- 1 root root 2004 Mar 16 13:34 ca.crt -rw-r--r-- 1 root root 3243 Mar 16 13:32 ca.key -rw-r--r-- 1 root root 17 Mar 16 13:43 ca.srl -rw-r--r-- 1 root root 2061 Mar 16 13:43 harbor.contoso.com.crt -rw-r--r-- 1 root root 1691 Mar 16 13:38 harbor.contoso.com.csr -rw-r--r-- 1 root root 3247 Mar 16 13:35 harbor.contoso.com.key -rw-r--r-- 1 root root 259 Mar 16 13:42 v3.ext
6、安裝Harbor並配置
[root@centos7 harbor]# cp harbor.cfg harbor.cfg.ori [root@centos7 harbor]# vi harbor.cfg [root@centos7 harbor]# diff harbor.cfg.ori harbor.cfg 8c8 < hostname = reg.mydomain.com --- > hostname = harbor.contoso.com 12c12 < ui_url_protocol = http --- > ui_url_protocol = https 24,25c24,25 < ssl_cert = /data/cert/server.crt < ssl_cert_key = /data/cert/server.key --- > ssl_cert = ./ssl/harbor.contoso.com.crt > ssl_cert_key = ./ssl/harbor.contoso.com.key [root@centos7 harbor]# ./prepare Generated and saved secret to file: /data/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt The configuration files are ready, please use docker-compose to start the service. [root@centos7 harbor]# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 1.13.1 Note: docker-compose version: 1.13.0 [Step 1]: loading Harbor images ... ...... [Step 2]: preparing environment ... ...... [Step 3]: checking existing instance of Harbor ... ...... [Step 4]: starting Harbor ... ...... ----Harbor has been installed and started successfully.---- Now you should be able to visit the admin portal at https://harbor.contoso.com. For more details, please visit https://github.com/goharbor/harbor .
7、Docker主機訪問Harbor
因爲Docker的宿主機安裝在VMware Workstation虛擬機中,所以我需要從VMware Workstation的宿主機中進行訪問。首先,配置宿主機的hosts,添加harbor域名的解析:
192.168.49.40 harbor.contoso.com # IP地址即是Docker宿主機的IP地址
然後,使用瀏覽器進行訪問:
使用Harbor配置文件中指定的賬號密碼登錄,如下:
初始的界面如上圖所示,我們可以看到系統各個模塊如下:
項目:新增/刪除項目,查看鏡像倉庫,給項目添加成員、查看操作日誌、複製項目等
日誌:倉庫各個鏡像create、push、pull等操作日誌
系統管理
用戶管理:新增/刪除用戶、設置管理員等
複製管理:新增/刪除從庫目標、新建/刪除/啓停複製規則等
配置管理:認證模式、複製、郵箱設置、系統設置等
其他設置
用戶設置:修改用戶名、郵箱、名稱信息
修改密碼:修改用戶密碼
注意:非系統管理員用戶登錄,只能看到有權限的項目和日誌,其他模塊不可見。
8、Harbor的使用示例
1)創建新項目
2)使用admin用戶上傳鏡像到harbor中
# 將harbor的域名寫入到本機的hosts中 [root@centos7 ~]# grep harbor /etc/hosts 127.0.0.1 harbor.contoso.com [root@centos7 ~]# ping harbor.contoso.com -c 2 -w 1 PING harbor.contoso.com (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.071 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.033 ms --- harbor.contoso.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.033/0.052/0.071/0.019 ms # 嘗試登錄harbor鏡像倉庫 [root@centos7 ~]# docker login harbor.contoso.com Username: admin Password: Login Succeeded # 給本地鏡像打標籤 [root@centos7 ~]# docker tag mynginx:v1 harbor.contoso.com/lnmp/nginx:latest [root@centos7 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE harbor.contoso.com/lnmp/nginx latest 5cd531df9a2d 13 days ago 361 MB mynginx v1 5cd531df9a2d 13 days ago 361 MB ...... # 推送鏡像到harbor鏡像倉庫中 [root@centos7 ~]# docker push harbor.contoso.com/lnmp/nginx:latest The push refers to a repository [harbor.contoso.com/lnmp/nginx] 611a87313170: Pushed 37b32146938c: Pushed 053c7964c2c3: Pushed 071d8bd76517: Pushed latest: digest: sha256:69643447fe8ba118763793df8d399ac39e1e7b27df4a53c8853f543b47881f57 size: 1158
到harbor的圖形界面中驗證:
3)創建新用戶
4)新用戶測試鏡像拉取
[root@centos7 ~]# docker login harbor.contoso.com Username (admin): zhangsan Password: Login Succeeded [root@centos7 ~]# docker pull harbor.contoso.com/lnmp/nginx:latest Trying to pull repository harbor.contoso.com/lnmp/nginx ... latest: Pulling from harbor.contoso.com/lnmp/nginx Digest: sha256:69643447fe8ba118763793df8d399ac39e1e7b27df4a53c8853f543b47881f57 Status: Image is up to date for harbor.contoso.com/lnmp/nginx:latest [root@centos7 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE harbor.contoso.com/lnmp/nginx latest 5cd531df9a2d 13 days ago 361 MB ......
此外,Harbor還能跟LDAP集成、日誌審計、鏡像複製、空間回收等功能,因爲篇幅有限準備不足,就不再一一演示。