作用
- 遠程鏡像只拉取一次即可,減少下載鏡像的網絡延遲
- 存儲項目中由開發人員構建的程序鏡像
- 爲集羣提供鏡像共享
Hardware 硬件要求
硬件 | 最低配置 | 推薦配置 |
---|---|---|
處理器 | 2 CPU | 4 CPU |
內存 | 4GB | 8GB |
硬盤 | 40GB | 160GB |
Software 軟件要求
軟件 | 版本 | 說明 |
---|---|---|
Docker | 17.03.0-ce 或更高 | |
Docker Compose | 1.18.0 或更高 | |
Openssl | 首選最新版本 | 爲Harbor生成證書和密鑰 |
前置條件
安裝步驟
- 下載安裝程序;
- 配置harbor.yml;
- 運行install.sh安裝並啓動Harbor;
下載安裝程序
爲了簡單,我選擇了在線安裝
[root@k8s-master setup]# pwd
/home/deploy/setup
[root@k8s-master setup]# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-online-installer-v1.8.0.tgz
[root@k8s-master setup]#
[root@k8s-master setup]# tar -zxvf harbor-online-installer-v1.8.0.tgz
[root@k8s-master setup]#
[root@k8s-master setup]# ll harbor
total 32
-rw-r--r-- 1 root root 4531 Jun 6 09:58 harbor.yml
-rwxr-xr-x 1 root root 5088 May 21 15:59 install.sh
-rw-r--r-- 1 root root 11347 May 21 15:59 LICENSE
-rwxr-xr-x 1 root root 1654 May 21 15:59 prepare
[root@k8s-master setup]#
配置harbor.yml
爲了簡單安裝部署,這裏只修改必填項
[root@k8s-master harbor]# vim harbor.yml
# 修改域名 或 IP地址
hostname: k8s.dev-share.top
# 數據存儲目錄
data_volume: /home/harbordata
# 訪問接口
http:
port: 80
# 用戶密碼
harbor_admin_password: Harbor12345
# 數據庫密碼
database:
password: root123
[root@k8s-master harbor]#
在線安裝
[root@k8s-master harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.0
Note: docker-compose version: 1.18.0
[Step 1]: preparing environment ...
# 省略
......
Creating harbor-log ... done
Status: Downloaded newer image for goharbor/harbor-jobservice:v1.8.0
Pulling proxy (goharbor/nginx-photon:v1.8.0)...
v1.8.0: Pulling from goharbor/nginx-photon
Creating registryctl ... done
Creating harbor-core ... done
Digest: sha256:9c7c9ca3d34e5872743577ce911cabce9965935261f3b53de4196ce394504799
Creating harbor-portal ... done
Creating nginx ... done
Creating registry ...
Creating redis ...
Creating harbor-db ...
Creating registryctl ...
Creating harbor-core ...
Creating harbor-jobservice ...
Creating harbor-portal ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://k8s.dev-share.top.
For more details, please visit https://github.com/goharbor/harbor .
[root@k8s-master harbor]#
測試連接
http://k8s.dev-share.top
用戶名:admin
用戶密碼:Harbor12345
在遠程終端測試連接
執行 docker push 的時候必需要登錄到私有倉庫
# 不登錄不能 push
[root@k8s-master ~]# docker login k8s.dev-share.top -u admin
Password:Harbor12345
Login Succeeded
[root@k8s-master ~]#
啓動/停止
[root@k8s-master harbor]#
[root@k8s-master harbor]# pwd
/home/deploy/setup/harbor
[root@k8s-master harbor]#
# 啓動
[root@k8s-master harbor]# docker-compose start
# 停止
[root@k8s-master harbor]# docker-compose stop
# 重新創建並啓動Harbor的實例
[root@k8s-master harbor]# docker-compose up -d
# 刪除Harbor的容器,同時將圖像數據和Harbor的數據庫文件保存在文件系統上
[root@k8s-master harbor]# docker-compose down -v
配置私有倉庫代理地址
執行 docker pull 的時候需要指定 倉庫地址
[root@k8s-master ~]# cat > /etc/docker/daemon.json << EOF
{
# http連接,非加密連接,數據傳輸不安全,使用相對簡單
# 私服地址
"insecure-registries": ["http://k8s.dev-share.top"],
# 遠程鏡像代理地址,與Harbor無關
"registry-mirrors": ["http://f1361db2.m.daocloud.io"]
}
EOF
[root@k8s-master ~]#
遠程鏡像推送到私有倉庫
分爲兩步
- 在項目中標記鏡像:
docker tag SOURCE_IMAGE[:TAG] k8s.dev-share.top/library/IMAGE[:TAG]
docker tag 本地鏡像名:Tag 私服倉庫地址/遠程鏡像名:Tag - 推送鏡像到Harbor私有倉庫:
docker push k8s.dev-share.top/library/IMAGE[:TAG]
docker push 私服倉庫地址/遠程鏡像名:Tag
接下來在如下示例當中實現,將本地的 node.js鏡像 推送到遠程的 私服倉庫
[root@k8s-master ~]# docker images | grep node
node
[root@k8s-master ~]#
[root@k8s-master ~]# docker push k8s.dev-share.top/library/node:slim
The push refers to repository [k8s.dev-share.top/library/node]
daade46d532d: Pushed
46b67135288b: Pushed
715cf255d73f: Pushed
aa5a12ea4279: Pushed
6270adb5794c: Pushed
slim: digest: sha256:1b5871385c87ed5cc64e6a6f2a4b789a03266d29b4a0c72c4a740ed67f29286e size: 1367
[root@k8s-master ~]#
換到節點服務器測試,從遠程私有倉庫進行拉取
[root@k8s-node1 ~]# docker pull k8s.dev-share.top/library/node:slim
Error response from daemon: Get https://k8s.dev-share.top/v2/: dial tcp 47.92.200.41:443: getsockopt: connection refused
# 子節點也需要配置代理地址,這個操作可以使用 ansible批量執行
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# cat > /etc/docker/daemon.json << EOF
{
"insecure-registries": ["http://k8s.dev-share.top"],
"registry-mirrors": ["https://dhq9bx4f.mirror.aliyuncs.com"]
}
EOF
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# systemctl daemon-reload
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# systemctl reload docker
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# docker pull k8s.dev-share.top/library/node:slim
slim: Pulling from library/node
743f2d6c1f65: Pull complete
89252b028f01: Pull complete
a4c96ce39a15: Pull complete
b3d04fa69e29: Pull complete
6194decb3876: Pull complete
Digest: sha256:1b5871385c87ed5cc64e6a6f2a4b789a03266d29b4a0c72c4a740ed67f29286e
Status: Downloaded newer image for k8s.dev-share.top/library/node:slim
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# docker images | grep node
k8s.dev-share.top/library/node slim d9bfca6c7741 7 days ago 150MB
[root@k8s-node1 ~]#
有些細節要注意
- docker push私服鏡像需要登錄
- 節點機器 要使用私服上的鏡像,需要配置 私服倉庫地址授信
- 修改 /etc/docker/daemon.json 文件時不要重新加載 docker
- 文章中的示例使用的是,由外網地址訪問私服,下載速度很慢並且不安全,真正的生產環境一定是內網環境,速度快也安全