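1.Harbor registry
A brief history of Harbor
Harbor is a container image registry open-sourced by VMware. In fact, Harbor adds enterprise-grade extensions on top of Docker Registry, which has led to much wider adoption. These extensions include a management user interface, role-based access control, AD/LDAP integration and audit logging, enough to meet basic enterprise needs.
Role-based access control
- Guest: read-only access to the specified project
- Developer: developers, read and write access to the project
- Admin: project administration, all permissions
- Anonymous: a user who is not logged in is treated as anonymous and cannot access private projects, only public ones
2.Harbor deployment
1.Environment preparation
With the k8s cluster already set up, prepare one more virtual machine to serve as the Harbor registry
192.168.13.139 harbor #Harbor registry server
192.168.13.141 master #acts as the client
Download: https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.3.tgz
Downloading this package requires getting around the firewall; install a Google browser plugin yourself
2.Install docker and compose
#Install the required system tools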
[root@harbor ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
#Add the software repository
[root@harbor ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Refresh the cache and install Docker-CE
[root@harbor ~]# yum makecache fast
[root@harbor ~]# yum -y install docker-ce
#Enable and start the Docker service
[root@harbor ~]# systemctl enable docker && systemctl start docker
docker-compose 1.22 from GitHub:
[root@harbor ~]# curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
[root@harbor ~]# chmod a+x /usr/local/bin/docker-compose
3.Deployment without certificates
Upload the harbor-offline-installer-v1.5.3.tgz package and extract it
[root@harbor ~]# tar xf harbor-offline-installer-v1.5.3.tgz
[root@harbor ~]# cd harbor
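[root@harbor harbor]# vim harbor.cfg #change two settings
hostname = 192.168.13.139 #change to the registry server address
customize_crt = false #do not use certificates
[root@harbor harbor]# ./prepare #always run this step after modifying the configuration file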
[root@harbor harbor]# ./install.sh
#Use this command for the first installation; afterwards start with docker-compose up -d
[root@harbor harbor]# docker-compose ps #all Up means the startup succeeded
Name Command State Ports
-----------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-db /usr/local/bin/docker-entr ... Up (healthy) 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp,
0.0.0.0:4443->4443/tcp,
0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up (healthy) 5000/tcp
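If something goes wrong, stop the services with docker-compose down (^+s)
docker-compose up -d starts the services
1.Client configuration
[root@master ~]# vim /etc/docker/daemon.conf
#dockerd reads /etc/docker/daemon.json by default, so this file is not loaded; the --insecure-registry flag on ExecStart below is what takes effect (set the option in one place only)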
{
"insecure-registries": ["http://192.168.13.139"]
}
[root@master ~]# cat /usr/lib/systemd/system/docker.service |grep ExecStart
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.13.139 --containerd=/run/containerd/containerd.sock
#Find the line starting with ExecStart and add --insecure-registry 192.168.13.139
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl restart docker
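2.Server configuration
[root@harbor harbor]# vim /etc/docker/daemon.conf
#dockerd reads /etc/docker/daemon.json by default, so this file is not loaded; the ExecStart flag below is what takes effect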
{
"insecure-registries": ["http://192.168.13.139"]
}
[root@harbor harbor]# cat /usr/lib/systemd/system/docker.service |grep ExecStart
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.13.139:5000 --containerd=/run/containerd/containerd.sock
#Find the line starting with ExecStart and add --insecure-registry 192.168.13.139:5000
[root@harbor harbor]# systemctl daemon-reload
[root@harbor harbor]# systemctl restart docker
3.Client test
[root@master ~]# docker login -u admin -p Harbor12345 http://192.168.13.139
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
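4.Using Harbor
Open the server IP in a browser: http://192.168.13.139/
[root@harbor harbor]# vim harbor.cfg
Looking at the configuration file, the default username is admin and the password is Harbor12345
After logging in, there is only one public project, library; we can create a new one
Then, on the client, we push an image to that registry
[root@master ~]# docker images #list images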
REPOSITORY TAG IMAGE ID CREATED SIZE
daocloud.io/library/nginx latest e791337790a6 2 weeks ago 127MB
[root@master ~]# docker tag daocloud.io/library/nginx:latest 192.168.13.139/yjssjm/nginx
[root@master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.13.139/yjssjm/nginx latest e791337790a6 2 weeks ago 127MB
daocloud.io/library/nginx latest e791337790a6 2 weeks ago 127MB
harbor.io/library/nginx latest e791337790a6 2 weeks ago 127MB
[root@master ~]# docker push 192.168.13.139/yjssjm/nginx #push
The push refers to repository [192.168.13.139/yjssjm/nginx]
be91fceb796e: Pushed
919b6770519b: Pushed
b60e5c3bcef2: Pushed
latest: digest: sha256:6b3b6c113f98e901a8b1473dee4c268cf37e93d72bc0a01e57c65b4ab99e58ee size: 948
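We can check the result in the web page
New users can be created here, and setting their permissions on each project gives role-based access control.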
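The steps above leave three things on a host that are worth checking afterwards: a registry that dockerd contacts without TLS verification, the credential that docker login writes to config.json, and the default admin password in harbor.cfg. The script below is an added example, not part of the original walkthrough, that reports each of them. The function names, output labels and sample files (built in a temp directory from the values used above) are constructed for illustration, and the harbor.cfg key name in the sample is an assumption.

```bash
#!/usr/bin/env bash
# Added example: flag the weak settings this walkthrough leaves on a host.
# Usage: audit_registry_setup <docker.service> <docker config.json> <harbor.cfg>
audit_registry_setup() {
  local unit="$1" dockercfg="$2" harborcfg="$3" auth
  # 1. Registries dockerd will contact without TLS verification.
  if [ -r "$unit" ]; then
    grep -E '^ExecStart=' "$unit" \
      | grep -oE -- '--insecure-registry[= ][^ ]+' \
      | sed -E 's/^--insecure-registry[= ]/INSECURE_REGISTRY /'
  fi
  # 2. Without a credential helper, docker login stores base64(user:password).
  if [ -r "$dockercfg" ]; then
    grep -oE '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$dockercfg" \
      | sed -E 's/.*"([^"]+)"$/\1/' \
      | while read -r auth; do
          # Decode only far enough to name the account; never print the password.
          echo "PLAINTEXT_CREDENTIAL user=$(printf '%s' "$auth" | base64 -d | cut -d: -f1)"
        done
  fi
  # 3. The default admin password is still present in harbor.cfg.
  if [ -r "$harborcfg" ] && grep -qE '=[[:space:]]*Harbor12345[[:space:]]*$' "$harborcfg"; then
    echo "DEFAULT_ADMIN_PASSWORD $harborcfg"
  fi
  return 0
}

# Constructed sample files that mirror the values used in this walkthrough.
make_samples() {
  local d="$1"
  cat > "$d/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.13.139 --containerd=/run/containerd/containerd.sock
EOF
  cat > "$d/config.json" <<EOF
{ "auths": { "192.168.13.139": { "auth": "$(printf 'admin:Harbor12345' | base64)" } } }
EOF
  # Key name is an assumption; the audit matches on the value only.
  printf 'hostname = 192.168.13.139\nharbor_admin_password = Harbor12345\n' > "$d/harbor.cfg"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_registry_setup "$tmp/docker.service" "$tmp/config.json" "$tmp/harbor.cfg"
rm -rf "$tmp"
```

To check a real host, pass /usr/lib/systemd/system/docker.service, /root/.docker/config.json and the harbor.cfg in the installer directory instead of the sample files.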