docker基础:私库系列:再探Harbor:(2) 架构与组件说明
程序员文章站
2022-05-16 14:34:51
...
上篇文章了解到了如何使用新的版本的harbor,这篇文章来了解一下harbor架构的组成和运行时各个组件的使用方式。
架构
容器信息
[aaa@qq.com harbor]# docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up
harbor-db /usr/local/bin/docker-entr ... Up 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
[aaa@qq.com harbor]#
具体说明
组件 | 说明 | 实现 |
---|---|---|
Proxy | 用于转发用户的请求到registry/ui/token service的反向代理 | nginx:使用nginx官方镜像进行配置 |
Registry | 镜像的push/pull命令实施功能 | registry:使用registry官方镜像 |
Database | 保存项目/用户/角色/复制策略等信息到数据库中 | harbor-db:Mariadb的官方镜像用于保存harbor的数据库信息 |
Core Service: UI/token/webhook | 用户进行镜像操作的界面实现,通过webhook的机制保证镜像状态的变化harbor能够即使了解以便进行日志更新等操作,而项目用户角色则通过token的进行镜像的push/pull等操作 | harbor-ui等 |
Job services | 镜像复制,可以在harbor实例之间进行镜像的复制或者同步等操作 | harbor-jobservice |
Log collector | 负责收集各个镜像的日志信息进行统一管理 | harbor-log:缺省安装下日志的保存场所为/var/log/harbor |
proxy
proxy就是使用nginx作为反向代理,而整个的核心则在于nginx的设定文件,通过如下的设定文件可以清楚的看到harbor所解释的将各个其他组件集成在一起的说明内容,而实际的实现也基本上就是靠nginx的设定。
[aaa@qq.com harbor]# ls
LICENSE common docker-compose.notary.yml ha harbor.v1.5.2.tar.gz open_source_license
NOTICE docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh prepare
[aaa@qq.com harbor]# cat common/config/nginx/nginx.conf
worker_processes auto;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream registry {
server registry:5000;
}
upstream ui {
server ui:8080;
}
log_format timed_combined '$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
server {
listen 80;
server_tokens off;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
location / {
proxy_pass http://ui/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/ {
return 404;
}
location /v2/ {
proxy_pass http://ui/registryproxy/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/ {
proxy_pass http://ui/service/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/notifications {
return 404;
}
}
}
[aaa@qq.com harbor]#
database
可以看到使用的是MariaDB 10.2.14, harbor的数据库名称为registry
[aaa@qq.com harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pliumiaopw
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 21
Server version: 10.2.14-MariaDB Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| registry |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]>
数据库表的信息进行确认后可以看到,当前版本的这种使用方式下,数据库的表有如下 20张表左右
MariaDB [(none)]> use registry;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [registry]> show tables;
+-------------------------------+
| Tables_in_registry |
+-------------------------------+
| access |
| access_log |
| alembic_version |
| clair_vuln_timestamp |
| harbor_label |
| harbor_resource_label |
| img_scan_job |
| img_scan_overview |
| project |
| project_member |
| project_metadata |
| properties |
| replication_immediate_trigger |
| replication_job |
| replication_policy |
| replication_target |
| repository |
| role |
| user |
| user_group |
+-------------------------------+
20 rows in set (0.00 sec)
MariaDB [registry]>
Log collector
harbor中的日志缺省会在如下目录下进行汇集和管理
[root@liumiao harbor]# ls /var/log/harbor
adminserver.log jobservice.log mysql.log proxy.log redis.log registry.log ui.log
[root@liumiao harbor]#
docker-compose.yml
[aaa@qq.com harbor]# cat docker-compose.yml
version: '2'
services:
log:
image: vmware/harbor-log:v1.5.2
container_name: harbor-log
restart: always
volumes:
- /var/log/harbor/:/var/log/docker/:z
- ./common/config/log/:/etc/logrotate.d/:z
ports:
- 127.0.0.1:1514:10514
networks:
- harbor
registry:
image: vmware/registry-photon:v2.6.2-v1.5.2
container_name: registry
restart: always
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
networks:
- harbor
environment:
- GODEBUG=netdns=cgo
command:
["serve", "/etc/registry/config.yml"]
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
mysql:
image: vmware/harbor-db:v1.5.2
container_name: harbor-db
restart: always
volumes:
- /data/database:/var/lib/mysql:z
networks:
- harbor
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "mysql"
adminserver:
image: vmware/harbor-adminserver:v1.5.2
container_name: harbor-adminserver
env_file:
- ./common/config/adminserver/env
restart: always
volumes:
- /data/config/:/etc/adminserver/config/:z
- /data/secretkey:/etc/adminserver/key:z
- /data/:/data/:z
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "adminserver"
ui:
image: vmware/harbor-ui:v1.5.2
container_name: harbor-ui
env_file:
- ./common/config/ui/env
restart: always
volumes:
- ./common/config/ui/app.conf:/etc/ui/app.conf:z
- ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
- ./common/config/ui/certificates/:/etc/ui/certificates/:z
- /data/secretkey:/etc/ui/key:z
- /data/ca_download/:/etc/ui/ca/:z
- /data/psc/:/etc/ui/token/:z
networks:
- harbor
depends_on:
- log
- adminserver
- registry
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "ui"
jobservice:
image: vmware/harbor-jobservice:v1.5.2
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
volumes:
- /data/job_logs:/var/log/jobs:z
- ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
networks:
- harbor
depends_on:
- redis
- ui
- adminserver
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "jobservice"
redis:
image: vmware/redis-photon:v1.5.2
container_name: redis
restart: always
volumes:
- /data/redis:/data
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "redis"
proxy:
image: vmware/nginx-photon:v1.5.2
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
- 80:80
- 443:443
- 4443:4443
depends_on:
- mysql
- registry
- ui
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
networks:
harbor:
external: false
[aaa@qq.com harbor]#
使用注意事项:自定义端口号
在前一篇文章的例子中我们使用默认的80口作为harbor的端口,如果希望进行更改(比如改为8848),按照如下步骤进行修改即可
步骤 | 详细说明 |
---|---|
Step 1 | 修改docker-compose.yml中80:80端口映射,改为8848:80.(https方式修改8848:443) |
Step 2 | 修改hostname信息,将端口号带上,改为192.168.163.128:8848 |
Step 3 | 停止harbor:docker-compose down |
Step 4 | 执行prepare更新设定: ./prepare |
Step 5 | 启动harbor:docker-compose up -d |
设定内容
可以通过查看数据库的properties或者api/systeminfo来确认harbor设定项目的详细信息
properties
[aaa@qq.com harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pliumiaopw
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 153
Server version: 10.2.14-MariaDB Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use registry
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [registry]> select * from properties;
+----+--------------------------------+----------------------------------------------+
| id | k | v |
+----+--------------------------------+----------------------------------------------+
| 1 | cfg_expiration | 5 |
| 2 | project_creation_restriction | everyone |
| 3 | uaa_client_secret | <enc-v1>cBvRPcG+p3oNVnJh8VM+SjvlcEsKYg== |
| 4 | clair_db_host | postgres |
| 5 | token_service_url | http://ui:8080/service/token |
| 6 | mysql_password | <enc-v1>HDqd+PbHcG9EWK9DF3RzM43fTtPvCjdvyQ== |
| 7 | uaa_endpoint | uaa.mydomain.org |
| 8 | max_job_workers | 50 |
| 9 | sqlite_file | |
| 10 | email_from | admin <aaa@qq.com> |
| 11 | ldap_base_dn | ou=people,dc=mydomain,dc=com |
| 12 | clair_db_port | 5432 |
| 13 | mysql_port | 3306 |
| 14 | ldap_search_dn | |
| 15 | clair_db_username | postgres |
| 16 | email_insecure | false |
| 17 | database_type | mysql |
| 18 | ldap_filter | |
| 19 | with_notary | false |
| 20 | admin_initial_password | <enc-v1>4ZEvd/GfBYSdF9I6PfeI/XIvfGhPITaD3w== |
| 21 | notary_url | http://notary-server:4443 |
| 22 | auth_mode | db_auth |
| 23 | ldap_group_search_scope | 2 |
| 24 | ldap_uid | uid |
| 25 | email_username | aaa@qq.com |
| 26 | mysql_database | registry |
| 27 | reload_key | |
| 28 | clair_url | http://clair:6060 |
| 29 | ldap_group_search_filter | objectclass=group |
| 30 | email_password | <enc-v1>h18ptbUM5oJwtKOzjJ4X5LOiPw== |
| 31 | email_ssl | false |
| 32 | ldap_timeout | 5 |
| 33 | uaa_client_id | id |
| 34 | registry_storage_provider_name | filesystem |
| 35 | self_registration | true |
| 36 | email_port | 25 |
| 37 | ui_url | http://ui:8080 |
| 38 | token_expiration | 30 |
| 39 | email_identity | |
| 40 | clair_db | postgres |
| 41 | uaa_verify_cert | true |
| 42 | ldap_verify_cert | true |
| 43 | ldap_group_attribute_name | cn |
| 44 | mysql_host | mysql |
| 45 | read_only | false |
| 46 | ldap_url | ldaps://ldap.mydomain.com |
| 47 | ext_endpoint | http://192.168.163.128 |
| 48 | ldap_group_base_dn | ou=group,dc=mydomain,dc=com |
| 49 | with_clair | false |
| 50 | admiral_url | NA |
| 51 | ldap_scope | 2 |
| 52 | registry_url | http://registry:5000 |
| 53 | jobservice_url | http://jobservice:8080 |
| 54 | email_host | smtp.mydomain.com |
| 55 | ldap_search_password | <enc-v1>F2QZkeEPTQPsJ9KNsBWcXA== |
| 56 | mysql_username | root |
| 57 | clair_db_password | <enc-v1>IGBg3NxvT7qCYGIB+zizax+GojoM7ao2VQ== |
+----+--------------------------------+----------------------------------------------+
57 rows in set (0.00 sec)
MariaDB [registry]>
api/systeminfo
[root@liumiao harbor]# curl http://localhost/api/systeminfo
{
"with_notary": false,
"with_clair": false,
"with_admiral": false,
"admiral_endpoint": "NA",
"auth_mode": "db_auth",
"registry_url": "192.168.163.128",
"project_creation_restriction": "everyone",
"self_registration": true,
"has_ca_root": false,
"harbor_version": "v1.5.2-8e61deae",
"next_scan_all": 0,
"registry_storage_provider_name": "filesystem",
"read_only": false
}[root@liumiao harbor]#