
Docker basics: private registry series: Harbor revisited (2): architecture and components

Programmer Article Station (程序员文章站), 2022-05-16 14:34:51

The previous article showed how to use the new Harbor release; this one looks at how Harbor's architecture is put together and what each component does at runtime.

Architecture

(Figure: Harbor architecture diagram)

Container information

docker-compose ps lists the eight containers and, just as importantly, which ports are actually published on the host: only the nginx proxy (80, 443 and 4443 on all interfaces) and the log collector (1514, bound to 127.0.0.1 only) are exposed. The registry (5000/tcp), database (3306/tcp) and redis (6379/tcp) entries have no host mapping, so they are reachable only from other containers on the compose network, and every external request has to go through nginx. Note also that the generated nginx.conf further down has only a listen 80 server, so in this HTTP-only setup without Notary, 443 and 4443 (the port reserved for the Notary server) are published but nothing answers on them.

[root@liumiao harbor]# docker-compose ps
       Name                     Command               State                                Ports                               
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up                                                                       
harbor-db            /usr/local/bin/docker-entr ...   Up      3306/tcp                                                         
harbor-jobservice    /harbor/start.sh                 Up                                                                       
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp                                        
harbor-ui            /harbor/start.sh                 Up                                                                       
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp 
redis                docker-entrypoint.sh redis ...   Up      6379/tcp                                                         
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp                                                         
[root@liumiao harbor]# 

Component details

| Component | Description | Implementation |
|---|---|---|
| Proxy | Reverse proxy that forwards user requests to the registry, the UI and the token service | nginx: the `nginx` container (image vmware/nginx-photon in docker-compose.yml) |
| Registry | Serves the image push/pull commands | registry: the `registry` container (image vmware/registry-photon, built on the upstream Docker registry) |
| Database | Stores projects, users, roles, replication policies and other metadata | harbor-db: the `harbor-db` container (image vmware/harbor-db, a MariaDB build) holding Harbor's database |
| Core Service: UI/token/webhook | The web interface through which users manage images; the registry reports image changes to Harbor through a webhook so that Harbor learns of them promptly and can update access logs and other state; push/pull by project members is authorized through the tokens issued by the token service according to their roles | harbor-ui (with harbor-adminserver, which serves configuration to the other components) |
| Job services | Image replication: copies or synchronizes images between Harbor instances | harbor-jobservice |
| Log collector | Collects the logs of all the containers above for central management | harbor-log: in a default install the logs are written to /var/log/harbor |

Proxy

The proxy is nginx acting as a reverse proxy, and the heart of it is the nginx configuration file: reading it shows exactly how Harbor stitches the other components together, because in practice that integration is almost entirely nginx routing. Points worth noting in common/config/nginx/nginx.conf as generated by prepare: `/` goes to the UI; `/v2/` (the Docker registry HTTP API) is sent to the UI's `/registryproxy/v2/` rather than straight to registry:5000, so that Harbor can intercept registry API calls before relaying them; `/service/` (the token service and Harbor's other internal endpoints) also goes to the UI; and `/v1/` (the obsolete registry v1 API) and `/service/notifications` (the endpoint the registry posts webhook notifications to) are answered with 404, so neither can be reached from outside. nginx selects the longest matching prefix location, which is why the more specific `/service/notifications` block wins over `/service/`. The comments about X-Forwarded-Proto matter when Harbor runs behind another proxy or TLS terminator: if the outer proxy already sets that header, remove the line here so that the scheme the client actually used is the one passed on. client_max_body_size 0 removes the upload size limit so that large image layers do not fail with HTTP 413.

[root@liumiao harbor]# ls
LICENSE  common                    docker-compose.notary.yml  ha          harbor.v1.5.2.tar.gz  open_source_license
NOTICE   docker-compose.clair.yml  docker-compose.yml         harbor.cfg  install.sh            prepare
[root@liumiao harbor]# cat common/config/nginx/nginx.conf 
worker_processes auto;

events {
  worker_connections 1024;
  use epoll;
  multi_accept on;
}

http {
  tcp_nodelay on;

  # this is necessary for us to be able to disable request buffering in all cases
  proxy_http_version 1.1;


  upstream registry {
    server registry:5000;
  }

  upstream ui {
    server ui:8080;
  }

  log_format timed_combined '$remote_addr - '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time $upstream_response_time $pipe';

  access_log /dev/stdout timed_combined;

  server {
    listen 80;
    server_tokens off;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    location / {
      proxy_pass http://ui/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /v1/ {
      return 404;
    }

    location /v2/ {
      proxy_pass http://ui/registryproxy/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/ {
      proxy_pass http://ui/service/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/notifications {
      return 404;
    }
  }
}
[root@liumiao harbor]# 
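To make the routing rules above concrete, here is an added example (it is not part of the original post or of Harbor) that reads the location blocks of the configuration and resolves a request path the way nginx does for prefix locations. HARBOR_NGINX_SERVER is a constructed excerpt of the nginx.conf shown above containing only the location directives; all of them are plain prefix locations, which is all this resolver handles (an `=` or `~` location would be evaluated differently by nginx). The paths fed to it at the end are ones the docker CLI, the web UI and the registry's webhook would use.

```shell
#!/bin/sh
# Added example (not from the original post or from Harbor): resolve which location
# block of the generated nginx.conf answers a given request path.
# HARBOR_NGINX_SERVER is a constructed excerpt of that file containing only the
# location directives; all of them are prefix locations, which is all this resolver
# handles (an "=" or "~" location would be evaluated differently by nginx).
HARBOR_NGINX_SERVER='
server {
  listen 80;
  location / {
    proxy_pass http://ui/;
  }
  location /v1/ {
    return 404;
  }
  location /v2/ {
    proxy_pass http://ui/registryproxy/v2/;
  }
  location /service/ {
    proxy_pass http://ui/service/;
  }
  location /service/notifications {
    return 404;
  }
}
'

# harbor_route REQUEST_PATH -> prints "<matched prefix> -> <proxy_pass ...|return ...>"
harbor_route() {
  printf '%s\n' "$HARBOR_NGINX_SERVER" | awk -v path="$1" '
    # remember which location block we are inside
    /^[ \t]*location[ \t]/   { cur = $2; next }
    /^[ \t]*proxy_pass[ \t]/ { if (cur != "") { sub(/;$/, "", $2); act[cur] = "proxy_pass " $2 } }
    /^[ \t]*return[ \t]/     { if (cur != "") { sub(/;$/, "", $2); act[cur] = "return " $2 } }
    /^[ \t]*}/               { cur = "" }
    END {
      # nginx rule for prefix locations: the longest matching prefix wins, so the
      # more specific /service/notifications beats /service/
      best = ""
      for (p in act)
        if (substr(path, 1, length(p)) == p && length(p) > length(best)) best = p
      if (best == "") { print "no location matches " path; exit 1 }
      print best " -> " act[best]
    }'
}

# What the docker CLI, the web UI and the registry webhook target resolve to:
for p in /api/systeminfo /v2/library/alpine/manifests/latest /service/token \
         /service/notifications /v1/search; do
  harbor_route "$p"
done
```

Running it shows `/service/notifications` and anything beneath it answered with 404 while `/service/token` still reaches the UI, which is the check to repeat whenever the nginx configuration is customised: an edit that drops or reorders those blocks silently exposes the webhook endpoint.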

Database

As the session below shows, the database is MariaDB 10.2.14 and Harbor's database is named registry. The root password used here is the one set in common/config/db/env, the env_file that docker-compose.yml passes to the mysql service. Remember that harbor-db's 3306/tcp is not published on the host (see the docker-compose ps output above), so the database is reachable only from containers on the harbor network, and an attacker needs to be able to exec into a container or reach that network before this password matters.

[root@liumiao harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pliumiaopw
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 21
Server version: 10.2.14-MariaDB Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| registry           |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]>

Listing the tables shows that, in this version and deployment mode, the registry database holds the following 20 tables:

MariaDB [(none)]> use registry;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [registry]> show tables;
+-------------------------------+
| Tables_in_registry            |
+-------------------------------+
| access                        |
| access_log                    |
| alembic_version               |
| clair_vuln_timestamp          |
| harbor_label                  |
| harbor_resource_label         |
| img_scan_job                  |
| img_scan_overview             |
| project                       |
| project_member                |
| project_metadata              |
| properties                    |
| replication_immediate_trigger |
| replication_job               |
| replication_policy            |
| replication_target            |
| repository                    |
| role                          |
| user                          |
| user_group                    |
+-------------------------------+
20 rows in set (0.00 sec)

MariaDB [registry]>

Log collector

Each service in docker-compose.yml uses Docker's syslog logging driver and ships its stdout/stderr to tcp://127.0.0.1:1514, which the log container publishes on localhost only (host 127.0.0.1:1514 forwarded to 10514 inside the container, as docker-compose ps shows). harbor-log writes one file per syslog `tag` into /var/log/docker inside the container, which is bind-mounted from /var/log/harbor on the host, so the file names below match the tag values in the compose file; rotation is governed by the logrotate configuration mounted from ./common/config/log/. By default Harbor's logs are collected and managed in this directory:

[root@liumiao harbor]# ls /var/log/harbor
adminserver.log  jobservice.log  mysql.log  proxy.log  redis.log  registry.log  ui.log
[root@liumiao harbor]# 
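Because the proxy writes the timed_combined format defined in nginx.conf, proxy.log is the natural place to watch for credential guessing against the token endpoint. The following is an added example, not from the original post or from Harbor: HARBOR_PROXY_LOG holds constructed log lines in that format, two of them with a constructed syslog-style prefix of the kind rsyslog may prepend, so the parser locates the client address by pattern rather than by field position (IPv4 only). The threshold and the function name are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from Harbor): spot clients that keep
# failing authentication at Harbor's token endpoint, from proxy.log lines.
# HARBOR_PROXY_LOG holds constructed lines in the timed_combined format that nginx.conf
# defines ($remote_addr - "$request" $status $body_bytes_sent "$http_referer"
# "$http_user_agent" $request_time $upstream_response_time $pipe). Two lines carry a
# constructed syslog-style prefix, since harbor-log writes what rsyslog hands it; the
# parser therefore locates the client address by pattern rather than by field number.
# IPv4 addresses only.
HARBOR_PROXY_LOG='10.0.0.5 - "GET /v2/ HTTP/1.1" 401 87 "-" "docker/18.06.1-ce go/go1.10.3" 0.003 0.003 .
10.0.0.5 - "GET /service/token?account=admin&scope=repository%3Alibrary%2Falpine%3Apull&service=harbor-registry HTTP/1.1" 401 76 "-" "docker/18.06.1-ce go/go1.10.3" 0.012 0.012 .
10.0.0.5 - "GET /service/token?account=admin&scope=repository%3Alibrary%2Falpine%3Apull&service=harbor-registry HTTP/1.1" 401 76 "-" "docker/18.06.1-ce go/go1.10.3" 0.011 0.011 .
10.0.0.5 - "GET /service/token?account=admin&scope=repository%3Alibrary%2Falpine%3Apull&service=harbor-registry HTTP/1.1" 401 76 "-" "docker/18.06.1-ce go/go1.10.3" 0.010 0.010 .
Jul 12 10:01:02 harbor proxy[2210]: 10.0.0.9 - "GET /v2/ HTTP/1.1" 401 87 "-" "docker/18.06.1-ce go/go1.10.3" 0.002 0.002 .
Jul 12 10:01:03 harbor proxy[2210]: 10.0.0.9 - "GET /service/token?account=dev&scope=repository%3Alibrary%2Falpine%3Apull&service=harbor-registry HTTP/1.1" 200 1187 "-" "docker/18.06.1-ce go/go1.10.3" 0.040 0.040 .
10.0.0.9 - "GET /v2/library/alpine/manifests/latest HTTP/1.1" 200 528 "-" "docker/18.06.1-ce go/go1.10.3" 0.021 0.021 .
10.0.0.7 - "GET /api/systeminfo HTTP/1.1" 200 297 "-" "curl/7.29.0" 0.005 0.005 .'

# harbor_token_failures THRESHOLD
# Prints "<client> <count>" for clients with at least THRESHOLD 401 responses from
# /service/token, the endpoint the docker CLI presents credentials to. The 401 that
# every client receives on its first GET /v2/ is the normal auth challenge (it carries
# the WWW-Authenticate header pointing at the token service) and is not counted.
harbor_token_failures() {
  printf '%s\n' "$HARBOR_PROXY_LOG" | awk -v thr="$1" '
    {
      # client address: the dotted quad directly before  - "  (with or without a syslog prefix)
      if (!match($0, "[0-9.]+ - \"")) next
      ip = substr($0, RSTART, RLENGTH - 4)
      # the quoted request is the text between the first pair of double quotes;
      # the status code is the first token after the closing quote
      n = split($0, q, "\"")
      if (n < 3) next
      split(q[2], req, " ")      # req[1]=method req[2]=path req[3]=protocol
      split(q[3], rest, " ")     # rest[1]=status rest[2]=body_bytes_sent
      if (rest[1] == "401" && index(req[2], "/service/token") == 1) fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] + 0 >= thr + 0) print ip, fails[ip] }
  ' | sort -k2,2nr -k1,1
}

harbor_token_failures 3
```

Counting every 401 would flag every docker login and pull, because the first GET /v2/ of each session is always challenged; only repeated 401s from /service/token indicate rejected credentials. On a live host, replace the embedded sample with `cat /var/log/harbor/proxy.log`.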

docker-compose.yml

[root@liumiao harbor]# cat docker-compose.yml 
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.5.2
    container_name: harbor-log 
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: vmware/registry-photon:v2.6.2-v1.5.2
    container_name: registry
    restart: always
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.5.2
    container_name: harbor-db
    restart: always
    volumes:
      - /data/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.5.2
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /data/config/:/etc/adminserver/config/:z
      - /data/secretkey:/etc/adminserver/key:z
      - /data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.5.2
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /data/secretkey:/etc/ui/key:z
      - /data/ca_download/:/etc/ui/ca/:z
      - /data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.5.2
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
    networks:
      - harbor
    depends_on:
      - redis
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  redis:
    image: vmware/redis-photon:v1.5.2
    container_name: redis
    restart: always
    volumes:
      - /data/redis:/data
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"
  proxy:
    image: vmware/nginx-photon:v1.5.2
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false

[root@liumiao harbor]# 

Usage note: custom port number

The example in the previous article used the default port 80 for Harbor. To change it (to 8848, say), proceed as follows:

1. In docker-compose.yml, change the proxy service's 80:80 port mapping to 8848:80 (for HTTPS, change 443:443 to 8848:443).
2. In harbor.cfg, append the port to the hostname, i.e. hostname = 192.168.163.128:8848.
3. Stop Harbor: docker-compose down
4. Regenerate the configuration: ./prepare
5. Start Harbor: docker-compose up -d

Docker clients then address the registry as 192.168.163.128:8848; a plain-HTTP registry on any port still has to be listed under insecure-registries in the Docker daemon configuration, exactly as on port 80.
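Steps 1 and 2 are the ones that go wrong by hand (a second run appends a second port to the hostname, or the sed hits a mapping of another service). The following added example, which is not part of the original post or of Harbor's installer, performs those two edits on copies of the files with the checks a manual edit tends to skip. It assumes the mapping line has the form shown in the compose file above (`      - 80:80`, or `      - 443:443` for HTTPS) and that harbor.cfg carries a `hostname = <host>[:<port>]` line; the function name is the example's own, and steps 3 to 5 are left to the operator.

```shell
#!/bin/sh
# Added example (not from the original post or from Harbor's installer): apply steps 1
# and 2 of the procedure above to copies of docker-compose.yml and harbor.cfg, with the
# checks a hand edit tends to skip. Assumptions: the mapping line looks like the page's
# "      - 80:80" (or "      - 443:443" for https) and harbor.cfg carries a line of the
# form "hostname = <host>[:<port>]". Steps 3 to 5 (docker-compose down, ./prepare,
# docker-compose up -d) are left to the operator.
#
# harbor_set_port PORT COMPOSE_FILE HARBOR_CFG [http|https]
harbor_set_port() {
  port=$1 compose=$2 cfg=$3 scheme=${4:-http}
  case $port in ''|*[!0-9]*) echo "harbor_set_port: port must be numeric" >&2; return 1;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "harbor_set_port: port out of range" >&2; return 1; }
  case $scheme in
    http)  cport=80 ;;
    https) cport=443 ;;
    *)     echo "harbor_set_port: scheme must be http or https" >&2; return 1 ;;
  esac
  # refuse to guess: the container-side port must still be mapped 1:1, otherwise this
  # install has already been customised and a blind sed would edit the wrong line
  grep -q "^ *- ${cport}:${cport}\$" "$compose" \
    || { echo "harbor_set_port: no ${cport}:${cport} mapping in $compose" >&2; return 1; }
  # hostname without any port that an earlier run may have appended
  host=$(sed -n 's/^hostname *= *\([^: ]*\).*$/\1/p' "$cfg" | head -n 1)
  [ -n "$host" ] || { echo "harbor_set_port: no hostname line in $cfg" >&2; return 1; }
  # in-place edits done portably (temp copy, then move over the original)
  sed "s/^\( *- \)${cport}:${cport}\$/\1${port}:${cport}/" "$compose" > "$compose.tmp" \
    && mv "$compose.tmp" "$compose"
  sed "s/^hostname *=.*\$/hostname = ${host}:${port}/" "$cfg" > "$cfg.tmp" \
    && mv "$cfg.tmp" "$cfg"
  # verify both edits landed before telling the operator to proceed
  grep -q "^ *- ${port}:${cport}\$" "$compose" && grep -q "^hostname = ${host}:${port}\$" "$cfg" \
    && echo "harbor_set_port: ${scheme} port set to ${port}; now run: docker-compose down && ./prepare && docker-compose up -d"
}

# Demonstration on constructed copies of the two files:
demo=$(mktemp -d)
printf '  proxy:\n    ports:\n      - 80:80\n      - 443:443\n      - 4443:4443\n' > "$demo/docker-compose.yml"
printf 'hostname = 192.168.163.128\nui_url_protocol = http\n' > "$demo/harbor.cfg"
harbor_set_port 8848 "$demo/docker-compose.yml" "$demo/harbor.cfg"
grep -n 8848 "$demo/docker-compose.yml" "$demo/harbor.cfg"
rm -rf "$demo"
```

A second run against the same files fails on purpose, because the 80:80 mapping is gone; switching to HTTPS later still yields a single `hostname = host:port`, since the old port is stripped before the new one is appended.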

Configuration settings

Harbor's configuration items can be inspected either in the properties table of the database or through the api/systeminfo endpoint. Two things to keep in mind when reading them: values prefixed with <enc-v1> (mysql_password, admin_initial_password, email_password, ldap_search_password, clair_db_password, uaa_client_secret) are stored encrypted with the key in /data/secretkey, the file docker-compose.yml mounts into harbor-adminserver and harbor-ui, so a database dump is only as sensitive as that key is well protected, and a restore needs the matching key; and api/systeminfo answers without any authentication (the curl below sends no credentials), disclosing the Harbor version, the auth mode and whether self-registration is open, which is worth knowing if the instance is reachable from untrusted networks.

properties

[root@liumiao harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pliumiaopw
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 153
Server version: 10.2.14-MariaDB Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use registry
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [registry]> select * from properties;
+----+--------------------------------+----------------------------------------------+
| id | k                              | v                                            |
+----+--------------------------------+----------------------------------------------+
|  1 | cfg_expiration                 | 5                                            |
|  2 | project_creation_restriction   | everyone                                     |
|  3 | uaa_client_secret              | <enc-v1>cBvRPcG+p3oNVnJh8VM+SjvlcEsKYg==     |
|  4 | clair_db_host                  | postgres                                     |
|  5 | token_service_url              | http://ui:8080/service/token                 |
|  6 | mysql_password                 | <enc-v1>HDqd+PbHcG9EWK9DF3RzM43fTtPvCjdvyQ== |
|  7 | uaa_endpoint                   | uaa.mydomain.org                             |
|  8 | max_job_workers                | 50                                           |
|  9 | sqlite_file                    |                                              |
| 10 | email_from                     | admin <aaa@qq.com>            |
| 11 | ldap_base_dn                   | ou=people,dc=mydomain,dc=com                 |
| 12 | clair_db_port                  | 5432                                         |
| 13 | mysql_port                     | 3306                                         |
| 14 | ldap_search_dn                 |                                              |
| 15 | clair_db_username              | postgres                                     |
| 16 | email_insecure                 | false                                        |
| 17 | database_type                  | mysql                                        |
| 18 | ldap_filter                    |                                              |
| 19 | with_notary                    | false                                        |
| 20 | admin_initial_password         | <enc-v1>4ZEvd/GfBYSdF9I6PfeI/XIvfGhPITaD3w== |
| 21 | notary_url                     | http://notary-server:4443                    |
| 22 | auth_mode                      | db_auth                                      |
| 23 | ldap_group_search_scope        | 2                                            |
| 24 | ldap_uid                       | uid                                          |
| 25 | email_username                 | aaa@qq.com                    |
| 26 | mysql_database                 | registry                                     |
| 27 | reload_key                     |                                              |
| 28 | clair_url                      | http://clair:6060                            |
| 29 | ldap_group_search_filter       | objectclass=group                            |
| 30 | email_password                 | <enc-v1>h18ptbUM5oJwtKOzjJ4X5LOiPw==         |
| 31 | email_ssl                      | false                                        |
| 32 | ldap_timeout                   | 5                                            |
| 33 | uaa_client_id                  | id                                           |
| 34 | registry_storage_provider_name | filesystem                                   |
| 35 | self_registration              | true                                         |
| 36 | email_port                     | 25                                           |
| 37 | ui_url                         | http://ui:8080                               |
| 38 | token_expiration               | 30                                           |
| 39 | email_identity                 |                                              |
| 40 | clair_db                       | postgres                                     |
| 41 | uaa_verify_cert                | true                                         |
| 42 | ldap_verify_cert               | true                                         |
| 43 | ldap_group_attribute_name      | cn                                           |
| 44 | mysql_host                     | mysql                                        |
| 45 | read_only                      | false                                        |
| 46 | ldap_url                       | ldaps://ldap.mydomain.com                    |
| 47 | ext_endpoint                   | http://192.168.163.128                       |
| 48 | ldap_group_base_dn             | ou=group,dc=mydomain,dc=com                  |
| 49 | with_clair                     | false                                        |
| 50 | admiral_url                    | NA                                           |
| 51 | ldap_scope                     | 2                                            |
| 52 | registry_url                   | http://registry:5000                         |
| 53 | jobservice_url                 | http://jobservice:8080                       |
| 54 | email_host                     | smtp.mydomain.com                            |
| 55 | ldap_search_password           | <enc-v1>F2QZkeEPTQPsJ9KNsBWcXA==             |
| 56 | mysql_username                 | root                                         |
| 57 | clair_db_password              | <enc-v1>IGBg3NxvT7qCYGIB+zizax+GojoM7ao2VQ== |
+----+--------------------------------+----------------------------------------------+
57 rows in set (0.00 sec)

MariaDB [registry]> 

api/systeminfo

[root@liumiao harbor]# curl http://localhost/api/systeminfo 
{
  "with_notary": false,
  "with_clair": false,
  "with_admiral": false,
  "admiral_endpoint": "NA",
  "auth_mode": "db_auth",
  "registry_url": "192.168.163.128",
  "project_creation_restriction": "everyone",
  "self_registration": true,
  "has_ca_root": false,
  "harbor_version": "v1.5.2-8e61deae",
  "next_scan_all": 0,
  "registry_storage_provider_name": "filesystem",
  "read_only": false
}[root@liumiao harbor]#