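Harbor Image Registry
- I. Image registries
- 1. Types
- 2. Options for building a private registry
- II. Deploying a Harbor registry (single node)
- 1. Install Docker (omitted)
- 2. Install the docker-compose tool
- 3. Install Harbor
- 4. Generate the certificate and key Harbor needs (v3 certificate)
- 4.1 Create the CA
- 4.2 Create the certificate for the Harbor registry
- 5. Edit the Harbor configuration file
- 6. Start Harbor
- III. Using the Harbor registry
- 1. Create a project
- 2. Create a user and grant permissions
- 3. Push an image
- 3.1 Log in to the registry
- 3.2 Tag the image
- 3.3 Push the image
- 3.4 Log out of the registry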
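I. Image registries
1. Types
Public registries: DockerHub
Private registries: enterprise use
2. Options for building a private registry
- The registry image (the early approach)
- Harbor
Open-sourced by VMware
Provides a web UI
Log auditing
Permission assignment
Unified authentication
II. Deploying a Harbor registry (single node)
1. Install Docker (omitted)
2. Install the docker-compose tool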
[root@localhost ~]# mv docker-compose /usr/local/bin/
[root@localhost ~]# chmod a+x /usr/local/bin/docker-compose
[root@localhost ~]# docker-compose version
docker-compose version 1.29.0, build 07737305
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
3. Install Harbor
[root@localhost ~]# mkdir /work
[root@localhost ~]# tar xf harbor-offline-installer-v2.2.2.tgz -C /work/
[root@localhost ~]# cp /work/harbor/harbor.yml.tmpl /work/harbor/harbor.yml
4. Generate the certificate and key Harbor needs (v3 certificate)
4.1 Create the CA
[root@localhost ~]# mkdir /opt/ssl
[root@localhost ~]# cd /opt/ssl
[root@localhost ssl]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................++
.......................................................................................................++
e is 65537 (0x10001)
[root@localhost ssl]#
[root@localhost ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor.linux.com" -key ca.key -out ca.crt
[root@localhost ssl]# ls
ca.crt ca.key
4.2 Create the certificate for the Harbor registry
[root@localhost ssl]# openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................++
......................++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -sha512 -subj "/CN=harbor.linux.com" -key server.key -out server.csr
[root@localhost ssl]# cat v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.linux.com
[root@localhost ssl]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor.linux.com
Getting CA Private Key
[root@localhost ssl]#
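The following check is an added example, not part of the original page or of Harbor: it confirms that files produced as in steps 4.1 and 4.2 chain to the CA, list the registry hostname in subjectAltName, match the private key, and are marked CA:FALSE. The helper names, the sample CA subject `Sample Test CA`, the 2048-bit keys and the 1-day validity are assumptions chosen for the constructed sample.

```bash
# Added example; check_harbor_cert and make_sample are hypothetical helper names.
# check_harbor_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
# Prints one line per failed check; the return status is the number of failures.
check_harbor_cert() {
    local ca=$1 crt=$2 key=$3 host=$4 fails=0 text cert_pub key_pub
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || true
    # 1. The server certificate must chain to the CA that signed it.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $crt does not verify against $ca"; fails=$((fails + 1)); }
    # 2. The hostname must be a DNS entry in subjectAltName (exact match only;
    #    wildcard entries are not interpreted here).
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed 's/^ *//' | grep -qxF "DNS:$host" \
        || { echo "FAIL: no subjectAltName entry DNS:$host"; fails=$((fails + 1)); }
    # 3. The private key configured in harbor.yml must belong to the certificate.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $crt"; fails=$((fails + 1)); }
    # 4. The leaf must carry basicConstraints CA:FALSE, as set in v3.ext.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "FAIL: basicConstraints CA:FALSE missing"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample material: a throwaway CA and server certificate in DIR, built
# with the page's commands (2048-bit keys and 1-day validity keep it quick).
make_sample() {   # make_sample DIR SAN_HOSTNAME
    local d=$1 san=$2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=Sample Test CA" \
        -key "$d/ca.key" -out "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -sha512 -subj "/CN=$san" -key "$d/server.key" -out "$d/server.csr"
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectAltName = @alt_names' \
        '[alt_names]' "DNS.1=$san" > "$d/v3.ext"
    openssl x509 -req -sha512 -days 1 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -in "$d/server.csr" -out "$d/server.crt" \
        2>/dev/null
}

# Demo on constructed material, using the page's hostname.
demo_dir=$(mktemp -d) && make_sample "$demo_dir" harbor.linux.com
check_harbor_cert "$demo_dir/ca.crt" "$demo_dir/server.crt" \
    "$demo_dir/server.key" harbor.linux.com && echo "all checks passed"
```

Against the page's own files the call would be `check_harbor_cert /opt/ssl/ca.crt /opt/ssl/server.crt /opt/ssl/server.key harbor.linux.com`, run before pointing harbor.yml at them.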
5. Edit the Harbor configuration file
[root@localhost ~]# vim /work/harbor/harbor.yml
hostname: harbor.linux.com
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/ssl/server.crt
  private_key: /opt/ssl/server.key
6. Start Harbor
[root@localhost harbor]# ./prepare
prepare base dir is set to /work/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@localhost harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 26.1.4
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.29.0
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating registryctl ... done
Creating redis ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
[root@localhost harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f9f9ae9ded5 goharbor/harbor-jobservice:v2.2.2 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-jobservice
7c9156960ee5 goharbor/nginx-photon:v2.2.2 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
4d42f7530a21 goharbor/harbor-core:v2.2.2 "/harbor/entrypoint.…" About a minute ago Up About a minute (healthy) harbor-core
6b20c3728d4b goharbor/harbor-db:v2.2.2 "/docker-entrypoint.…" About a minute ago Up About a minute (healthy) harbor-db
7e5d825d7161 goharbor/harbor-registryctl:v2.2.2 "/home/harbor/start.…" About a minute ago Up About a minute (healthy) registryctl
79c07047e9e3 goharbor/redis-photon:v2.2.2 "redis-server /etc/r…" About a minute ago Up About a minute (healthy) redis
2b6f7e8ce7b0 goharbor/harbor-portal:v2.2.2 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) harbor-portal
ca7e332c47e9 goharbor/registry-photon:v2.2.2 "/home/harbor/entryp…" About a minute ago Up About a minute (healthy) registry
c2ddc9c858a5 goharbor/harbor-log:v2.2.2 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp
III. Using the Harbor registry
1. Create a project
2. Create a user and grant permissions
3. Push an image
3.1 Log in to the registry
[root@martin-host ~]# mkdir /etc/docker/certs.d/harbor.linux.com -p
[root@martin-host ~]#
[root@martin-host ~]# scp root@192.168.140.11:/opt/ssl/server.crt /etc/docker/certs.d/harbor.linux.com/
root@192.168.140.11's password:
server.crt 100% 1846 2.4MB/s 00:00
[root@martin-host ~]#
[root@martin-host ~]# ls /etc/docker/certs.d/harbor.linux.com/
server.crt
[root@martin-host ~]#
[root@martin-host ~]# docker login harbor.linux.com
Username: martin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
3.2 Tag the image
[root@martin-host ~]# docker tag websocket-server:1.0 harbor.linux.com/miaosha/websocket-server:1.0
3.3 Push the image
[root@martin-host ~]# docker push harbor.linux.com/miaosha/websocket-server:1.0
The push refers to repository [harbor.linux.com/miaosha/websocket-server]
00f2a652d376: Pushed
1b9504956550: Pushed
20f340df0413: Pushed
6c3e7df31590: Pushed
1.0: digest: sha256:9a8a24800c9eef5700585a8f461169735b14519760750c4c946857926c737a7e size: 1166
[root@martin-host ~]#
3.4 Log out of the registry
[root@martin-host ~]# docker logout harbor.linux.com
Removing login credentials for harbor.linux.com
[root@martin-host ~]#