Docker private registry Harbor: introduction and deployment guide
Developing and running Docker container applications depends on reliable image management. Docker does provide a public image registry, but for reasons of security and efficiency it is well worth deploying a registry inside our own private environment.
This post introduces the deployment and use of Harbor, an enterprise-grade Docker image registry; in a Kubernetes cluster, Harbor is the recommended registry.
1. Introduction to the Harbor registry
In day-to-day Docker use and management we gradually find that an enterprise private registry is often necessary: it lets you manage the company's sensitive images, and because of Docker Hub download speeds and the GFW, images that cannot be downloaded directly often have to be imported into a local private registry. Harbor is the obvious choice for an enterprise private registry.
Harbor is an enterprise-grade Docker registry management project open-sourced by VMware. It mainly provides a management UI on top of the Docker registry, with features including role-based access control (RBAC), AD/LDAP integration, audit logging, a management interface, self-registration, image replication and Chinese-language support.
Harbor's goal is to help users quickly stand up an enterprise-grade Docker registry service. It builds on the registry open-sourced by Docker Inc. and adds the following:
-> Role-based access control
-> Policy-based image replication
-> Image vulnerability scanning
-> AD/LDAP integration
-> Image deletion and garbage collection
-> Graphical user portal
-> Audit logging
-> RESTful API
-> Easy deployment
All Harbor components are deployed in Docker, so Harbor can be deployed quickly with Docker Compose. Note in particular: because Harbor is built on Docker registry v2, Docker must be version 1.10.0 or later and docker-compose must be later than 1.6.0!
2. Harbor architecture
Every Harbor component is built as a Docker container and can be deployed with Docker Compose. If Kubernetes is in use, Harbor also provides Kubernetes manifests. Harbor consists roughly of the following containers: ui (Harbor's core service), log (a container running rsyslog that collects logs), mysql (a database container built from the official MySQL image), nginx (reverse proxy), registry (the official Docker registry), adminserver (Harbor's configuration data manager), jobservice (Harbor's job management service) and redis (session storage).
Harbor is an enterprise-grade registry server for storing and distributing Docker images, and its overall architecture is quite clear. The architecture diagram below is borrowed from the web:
External components Harbor depends on
-> nginx (the proxy layer): a front-end Nginx proxy that mainly routes UI page traffic and image upload/download traffic. Harbor's registry, UI, token and other services sit behind this single reverse proxy, which receives requests from browsers and Docker clients and forwards them to the appropriate back-end service.
-> registry v2: the image repository that stores image files. This is Docker's official registry; it stores Docker images and handles docker push/pull. Because we need access control, that is, different users get different read/write permissions on images, the registry points to a token service and requires every docker pull/push request to carry a valid token, which the registry verifies with the token service's public key.
-> database (MySQL or PostgreSQL): provides database services for the core services, storing user permissions, audit logs, image grouping information and other data.
Harbor's own components
-> core services (admin server): Harbor's core functionality, providing the following services:
-> ui: a graphical interface for managing the images on the registry and granting users permissions.
-> webhook: to learn promptly about image state changes on the registry, a webhook is configured on the registry that passes state changes to the UI module.
-> auth service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the registry that carries no token is redirected here; after obtaining a token the client retries the request against the registry.
-> api: Harbor's RESTful API.
-> replication job service: synchronises images between multiple Harbor instances.
-> log collector: collects the logs of the other components to help monitor Harbor and for later analysis.
A closer look at Harbor's main components and data flow:
-> proxy: the Nginx front-end proxy that routes UI page traffic and image upload/download traffic (dark blue lines in the diagram);
-> ui: the web management page, comprising a front end and a back-end API, backed by a MySQL database;
-> registry: the image repository that stores image files; when an upload completes it notifies the UI through a hook to create the repository (red lines in the diagram). The registry's token authentication is also handled by the UI component;
-> adminserver: the system's configuration management centre, which also checks storage usage; ui and jobservice load their configuration from adminserver at startup (grey lines);
-> jobservice: responsible for image replication; it talks to registries, pulling an image from one registry and pushing it to another, and records job_log (purple lines);
-> log: the log aggregation component, which collects the logs through Docker's log-driver (light blue lines).
Common misconceptions about Harbor
Misconception 1: Harbor stores the container images itself (Harbor is an image registry, so it must be what stores the images).
In fact Harbor delegates image storage to the official Docker registry service, and the registry can use local storage or S3. Harbor's role is to add user permission management, image replication and similar features on top, making the registry more useful.
Misconception 2: Harbor's image replication copies storage directly (many people assume replication is a direct copy of the image layer files).
In fact Harbor's replication takes a more general, higher-level approach: it copies through the Docker registry API. This is not laziness; it avoids fiddly low-level file operations, reuses the existing registry functionality instead of reinventing the wheel, and resolves conflicts and consistency problems.
Harbor deployment
Deploying on Kubernetes is not recommended here: the image registry is critical, so keep deployment and maintenance as simple as possible, which is why Compose is used directly. The project offers three ways to deploy Harbor:
1) Online install: pulls Harbor's images from Docker Hub during installation. Since Docker Hub is slow (from China), configure a Docker registry mirror first.
2) Offline install: for hosts without internet access. Download the offline installer harbor-offline-installer-.tgz in advance.
3) OVA install: mainly for vCenter environments.
Since a registry mirror will be configured for Docker later, the online install is used. The steps are:
-> Download the latest Harbor online installer
-> Configure Harbor (harbor.cfg)
-> Run install.sh to install and start Harbor
-> Harbor log path: /var/log/harbor
Minimum system requirements from the official Harbor documentation
-> 2 CPUs
-> 4 GB RAM
-> 40 GB disk; since it stores images, a larger disk is recommended.
3. Harbor deployment record
3.1) Requirements and preparation
Harbor is deployed as containers, so it can run on any Linux distribution that supports Docker. To use Harbor, install Docker and the docker-compose orchestration tool, and have the following environment:
Python 2.7+
Docker Engine 1.10+
Docker Compose 1.6.0+
This test environment is a CentOS 7.5 machine, as follows:
[root@harbor-node ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@harbor-node ~]# setenforce 0
[root@harbor-node ~]# cat /etc/sysconfig/selinux
...........
SELINUX=disabled
[root@harbor-node ~]# systemctl stop firewalld
[root@harbor-node ~]# systemctl disable firewalld
[root@harbor-node ~]# firewall-cmd --state
not running
The Python that ships with CentOS 7 is already 2.7.5:
[root@harbor-node ~]# python --version
Python 2.7.5
3.2) Install Docker
Update the yum packages
[root@harbor-node ~]# yum update
Remove old Docker versions
[root@harbor-node ~]# yum remove docker docker-common docker-selinux docker-engine
Install the prerequisite packages
[root@harbor-node ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
Add the Docker yum repository
[root@harbor-node ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Loaded plugins: fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
Install Docker (a plain yum install of docker-ce is enough)
As Docker grew in popularity, Docker Inc. (or the Docker organisation) started down the path of commercialisation, and from version 17.03 Docker is split into CE (Community Edition) and EE (Enterprise Edition):
1) Docker EE is supported by the company, runs on certified operating systems and cloud providers, and can run certified containers and plugins from the Docker Store.
2) Docker CE is the new name for the free Docker product; it contains the full Docker platform and is well suited to developers and operations teams building container apps.
In practice Docker CE 17.03 can be understood as a bug-fix release of Docker 1.13.1, so upgrading from Docker 1.13 to Docker CE 17.03 carries relatively little risk.
[root@harbor-node ~]# yum -y install docker-ce
Start Docker
[root@harbor-node ~]# systemctl start docker
[root@harbor-node ~]# systemctl enable docker
[root@harbor-node ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-05-26 22:15:34 CST; 27min ago
     Docs: https://docs.docker.com
 Main PID: 15260 (dockerd)
   CGroup: /system.slice/docker.service
           └─15260 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.570826805+08:00" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420175490, READY" module=grpc
May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.570899114+08:00" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc42006de20, READY" module=grpc
May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.665440742+08:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.666111994+08:00" level=info msg="Loading containers: start."
May 26 22:15:33 harbor-node dockerd[15260]: time="2019-05-26T22:15:33.913110547+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16... IP address"
May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.088687650+08:00" level=info msg="Loading containers: done."
May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.128885651+08:00" level=info msg="Docker daemon" commit=481bc77 graphdriver(s)=overlay2 version=18.09.6
May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.129073367+08:00" level=info msg="Daemon has completed initialization"
May 26 22:15:34 harbor-node dockerd[15260]: time="2019-05-26T22:15:34.223886566+08:00" level=info msg="API listen on /var/run/docker.sock"
May 26 22:15:34 harbor-node systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.
Check the Docker version
[root@harbor-node ~]# docker --version
Docker version 18.09.6, build 481bc77156
[root@harbor-node ~]# docker version
Client:
 Version:           18.09.6
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        481bc77156
 Built:             Sat May  4 02:34:58 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.6
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.8
  Git commit:       481bc77
  Built:            Sat May  4 02:02:43 2019
  OS/Arch:          linux/amd64
  Experimental:     false
3.3) Install Docker Compose
Docker Compose is a tool for orchestrating Docker containers: it defines and runs multi-container applications and can start several containers with a single command.
Install epel-release
[root@harbor-node ~]# yum install epel-release
Install python-pip
[root@harbor-node ~]# yum install -y python-pip
Install docker-compose
[root@harbor-node ~]# pip install docker-compose
.........
Successfully installed asn1crypto-0.24.0 bcrypt-3.1.6 cached-property-1.5.1 certifi-2019.3.9 cffi-1.12.3 chardet-3.0.4 cryptography-2.6.1 docker-3.7.2 docker-compose-1.24.0 docker-pycreds-0.4.0 dockerpty-0.4.1 docopt-0.6.2 enum34-1.1.6 functools32-3.2.3.post2 idna-2.7 jsonschema-2.6.0 paramiko-2.4.2 pyasn1-0.4.5 pycparser-2.19 pynacl-1.3.0 requests-2.20.1 texttable-0.9.1 urllib3-1.24.3 websocket-client-0.56.0
You are using pip version 8.1.2, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Check the docker-compose version
[root@harbor-node ~]# docker-compose --version
docker-compose version 1.24.0, build 0aa5906
[root@harbor-node ~]# pip freeze | grep compose
You are using pip version 8.1.2, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
docker-compose==1.24.0
Install git
[root@harbor-node ~]# yum install git
3.4) Configure a registry mirror for Docker so that images on Docker Hub can be pulled quickly through a domestic (Chinese) mirror server
[root@harbor-node ~]# mkdir -p /etc/docker
[root@harbor-node ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://v5d7kh0f.mirror.aliyuncs.com"]
}
3.5) Download the Harbor installer and configure Harbor
Go to the releases page of Harbor's GitHub repository and download the latest online installer.
There are online and offline versions; I downloaded the 1.8.0 online version.
[root@harbor-node ~]# ll harbor-online-installer-v1.8.0.tgz
-rw-r--r-- 1 root root 7954 May 26 22:45 harbor-online-installer-v1.8.0.tgz
[root@harbor-node ~]# tar -zvxf harbor-online-installer-v1.8.0.tgz
[root@harbor-node ~]# cd harbor
[root@harbor-node harbor]# ls
harbor.yml  install.sh  LICENSE  prepare
After extracting, the directory contains harbor.yml (newer versions use a .yml file; earlier versions used a .conf or .cfg file), which is Harbor's configuration file.
[root@harbor-node harbor]# cp harbor.yml harbor.yml.bak
[root@harbor-node harbor]# vim harbor.yml
[root@harbor-node harbor]# cat harbor.yml |grep -v "#"|grep -v "^$"
hostname: 172.16.60.213
http:
  port: 80
harbor_admin_password: kevin@bo123
database:
  password: root123
data_volume: /data
clair:
  updaters_interval: 12
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry
jobservice:
  max_job_workers: 10
chart:
  absolute_url: disabled
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /var/log/harbor
_version: 1.8.0
Configuration notes:
hostname: set this to the IP address of the Harbor host itself
db_password (database.password above): the root password of the PostgreSQL database
harbor_admin_password: Harbor's initial administrator password, harbor12345 by default; change it to your own. The password must be at least 8 characters and should mix upper- and lower-case letters, digits and special characters.
Once Harbor is configured, install and start it. The harbor directory contains install.sh; run it to perform the installation:
[root@harbor-node harbor]# ./install.sh
...........
...........
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://172.16.60.213.
For more details, please visit https://github.com/goharbor/harbor .
After installation, a docker-compose.yml file appears in the extracted harbor directory; it lists the images Harbor depends on and the information used to create the corresponding containers.
Check Harbor's containers (you can also run "docker images" and "docker ps" to see Harbor's images and containers):
[root@harbor-node harbor]# docker-compose ps    # note: "docker-compose" only works inside the harbor directory (because the Compose file lives there)
      Name                     Command                  State                    Ports
---------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (healthy)
harbor-db           /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up             6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
registryctl         /harbor/start.sh                 Up (healthy)
Harbor is now reachable at http://172.16.60.213; the user name is admin and the password is the "kevin@bo123" defined in the configuration file.
==== Note a Harbor deployment pitfall here (with Docker 18.09.1 and later, the system kernel must be upgraded to 4.4.x) ====
1) The 3.10.x kernel shipped with CentOS 7.x has bugs that make Docker and Kubernetes unstable.
2) Newer Docker (1.13 and later) enables the kernel memory accounting feature that is only experimentally supported in the 3.10 kernel (and cannot be turned off); when a Docker node is under load (for example frequently starting and stopping containers) this causes a cgroup memory leak;
3) Docker 18.09.1 and later requires manually upgrading the kernel to 4.4.x or newer;
Hence the conclusion:
Before deploying Harbor, check the local Docker version first; if Docker is 18.09.1 or later, upgrade the kernel to 4.4.x or later manually.
Otherwise you get:
Harbor starts normally, the ports are listening and the firewall is off, but http://ip:80 cannot be reached and no logs at all are written under /var/log/harbor!! "telnet ip 80" shows the connection failing or dropping immediately!!!
For manually upgrading the kernel, see: Kubernetes (k8s) container cluster management environment complete deployment tutorial, part 1
The kernel upgrade steps are:
[root@harbor-node ~]# uname -r
3.10.0-862.el7.x86_64
[root@harbor-node ~]# rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
After installation, check that the new kernel's menuentry in /boot/grub2/grub.cfg contains an initrd16 line; if it does not, run the install again!
[root@harbor-node ~]# yum --enablerepo=elrepo-kernel install -y kernel-lt
Boot from the new kernel by default
[root@harbor-node ~]# grub2-set-default 0
Reboot the machine
[root@harbor-node ~]# init 6
Install the kernel source files (run this after the kernel upgrade and reboot; it is optional):
[root@harbor-node ~]# yum --enablerepo=elrepo-kernel install kernel-lt-devel-$(uname -r) kernel-lt-headers-$(uname -r)
[root@harbor-node ~]# uname -r
4.4.180-2.el7.elrepo.x86_64
========================================================================================================================
Alternatively, instead of upgrading the kernel, kubelet can be rebuilt with the nokmem tag:
# git clone --branch v1.14.1 --single-branch --depth 1 https://github.com/kubernetes/kubernetes
# cd kubernetes
# KUBE_GIT_VERSION=v1.14.1 ./build/run.sh make kubelet GOFLAGS="-tags=nokmem"
# init 6
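As an added example (not from the original post), a small POSIX shell preflight check that encodes the version rules above: Python 2.7+, Docker Engine 1.10+, Docker Compose 1.6.0+, and the kernel 4.4 requirement whenever Docker is 18.09.1 or newer. The version strings used in the usage line are the ones shown in this post's outputs; the function names are my own.

```shell
#!/bin/sh
# Harbor preflight check (added example, not part of the original post).
# Pure POSIX sh version comparison, so it runs on a bare CentOS 7 host
# before docker-compose or a newer python are installed.

# Keep only the leading "digits and dots": "3.10.0-862.el7.x86_64" -> "3.10.0"
numeric_prefix() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B: exit 0 when A >= B, comparing each dotted component numerically.
version_ge() {
    a=$(numeric_prefix "$1")
    b=$(numeric_prefix "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # strip leading zeros ("09" -> "9"); a missing component counts as 0
        x=$(printf '%s' "$x" | sed 's/^0*//'); y=$(printf '%s' "$y" | sed 's/^0*//')
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# needs_kernel_upgrade DOCKER_VERSION KERNEL_RELEASE: exit 0 when the pitfall
# described above applies, i.e. Docker >= 18.09.1 on a kernel older than 4.4.
needs_kernel_upgrade() {
    version_ge "$1" 18.09.1 && ! version_ge "$2" 4.4
}

# harbor_preflight PYTHON DOCKER COMPOSE KERNEL: print every unmet requirement
# and exit 0 only when all of them are satisfied.
harbor_preflight() {
    ok=0
    version_ge "$1" 2.7   || { echo "python $1 < 2.7";           ok=1; }
    version_ge "$2" 1.10  || { echo "docker $2 < 1.10";          ok=1; }
    version_ge "$3" 1.6.0 || { echo "docker-compose $3 < 1.6.0"; ok=1; }
    if needs_kernel_upgrade "$2" "$4"; then
        echo "docker $2 needs kernel >= 4.4 but $4 is running (cgroup kmem leak; Harbor unreachable on :80)"
        ok=1
    fi
    return $ok
}

# When saved as harbor_preflight.sh and run on the host, read the live values.
case ${0##*/} in
harbor_preflight.sh)
    py=$(python --version 2>&1 | awk '{print $2}')
    dk=$(docker --version 2>/dev/null | sed 's/^Docker version \([^,]*\),.*/\1/')
    dc=$(docker-compose --version 2>/dev/null | sed 's/^docker-compose version \([^,]*\),.*/\1/')
    # values from this post would be: harbor_preflight 2.7.5 18.09.6 1.24.0 3.10.0-862.el7.x86_64
    harbor_preflight "${py:-0}" "${dk:-0}" "${dc:-0}" "$(uname -r)" && echo "preflight OK"
    ;;
esac
```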
Stopping and starting the Harbor service
1) Harbor log path: /var/log/harbor
[root@harbor-node harbor]# cat harbor.yml|grep log
log:
  # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
  # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
  # The directory on your host that store log
  location: /var/log/harbor
[root@harbor-node harbor]# ls /var/log/harbor/
core.log  jobservice.log  portal.log  postgresql.log  proxy.log  redis.log  registryctl.log  registry.log
2) Stop and remove Harbor: "docker-compose down -v"
[root@harbor-node harbor]# docker-compose down -v
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal     ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-db         ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-portal     ... done
Removing harbor-core       ... done
Removing redis             ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-db         ... done
Removing harbor-log        ... done
Removing network harbor_harbor
[root@harbor-node harbor]# docker-compose ps
Name   Command   State   Ports
------------------------------
[root@harbor-node harbor]# docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
The Harbor configuration file can now be modified; here the web login port is changed from 80 to 8080:
[root@harbor-node harbor]# vim harbor.yml
.........
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8080
Then regenerate docker-compose.yml from the modified Harbor configuration:
[root@harbor-node harbor]# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Make sure the container processes are allowed to read the generated configuration:
[root@harbor-node harbor]# ll common/
total 0
drwxr-xr-x 9 root root 105 May 26 23:10 config
[root@harbor-node harbor]# chmod -R 777 common
[root@harbor-node harbor]# ll common/
total 0
drwxrwxrwx 9 root root 105 May 27 00:41 config
=======================================================================================================================================
Note: if the permissions on common are too restrictive, Harbor may report the following error after it starts.
If, after starting Harbor, some services such as nginx and registry stay in the "Restarting" state, check the logs:
[root@harbor-node harbor]# tail -100 /var/log/harbor/registry.log |grep error
May 27 01:01:18 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied
May 27 01:01:21 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied
May 27 01:01:23 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied
May 27 01:01:27 172.19.0.1 registry[2960]: configuration error: open /etc/registry/config.yml: permission denied
=======================================================================================================================================
Finally start Harbor again
[root@harbor-node harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl ... done
Creating registry    ... done
Creating redis       ... done
Creating harbor-db   ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal     ... done
Creating nginx             ... done
Check the services
[root@harbor-node harbor]# docker-compose ps
      Name                     Command                       State                         Ports
------------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (health: starting)
harbor-db           /entrypoint.sh postgres          Up (health: starting)   5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (health: starting)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (health: starting)   80/tcp
nginx               nginx -g daemon off;             Up (health: starting)   0.0.0.0:8080->80/tcp
redis               docker-entrypoint.sh redis ...   Up                      6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up (health: starting)   5000/tcp
registryctl         /harbor/start.sh                 Up (health: starting)
Harbor's web UI is now reachable at http://172.16.60.213:8080.
###############################################################################################
To change a Harbor user's password, do it directly in the Harbor web UI; that is the safest way!
Resetting a Harbor user's password by simply editing harbor.yml, running "./prepare" and restarting docker-compose does not work!
This is because Harbor uses a PostgreSQL database here and stores the passwords as PBKDF2 hashes. You would have to enter the "harbor-db" container and run the relevant PostgreSQL commands, and because the hash is PBKDF2 you would first have to compute the new password's hash yourself, which needs the salt, the iteration count and the key length (an integer); this is very cumbersome!! So if you forget the Harbor web password or need to reset the admin password, and you are not familiar with PostgreSQL or PBKDF2, the recommendation is to delete the database under the data directory and redeploy. The steps are:
# docker-compose down -v
# rm -rf /data/database
# vim harbor.yml    # reset or change the password here
# docker-compose up -d
You can then log in to the Harbor web UI with the new password, but all previously created users and projects are gone. This is best suited to a freshly created deployment.
###############################################################################################
docker-compose up -d      # start in the background; containers that do not exist are created from their images
docker-compose down -v    # stop and remove the containers
docker-compose start      # start existing containers; a container that does not exist is not created
docker-compose stop       # stop the containers
Note: the commands above act on all containers defined in docker-compose.yml; by default docker-compose operates on the docker-compose.yml in the current directory. To use another yml file, specify it with -f.
-> Log in to the Harbor web UI, go to "Administration" -> "Configuration" -> "Authentication" and untick "Allow Self-Registration"; the "Sign up" option then no longer appears on the login page.
-> Authentication mode, email, labels and other settings can be changed under "Configuration".
3.6) Using the Harbor private registry
3.6.1) Logging in to Harbor
1) Logging in from a client machine remote to Harbor
[root@docker-client ~]# docker login 172.16.60.213
Username: admin
Password:
Error response from daemon: Get https://172.16.60.213/v1/users/: dial tcp 172.16.60.213:443: connect: connection refused
The error above appears when logging in to Harbor or pushing images. Since Docker 1.3.2 the Docker registry defaults to HTTPS, whereas Harbor is set up with HTTP rather than HTTPS by default, so docker login, pull, push and similar commands against a non-HTTPS registry fail.
Solution: add an "insecure-registries" entry to /etc/docker/daemon.json as below. (If that still does not work, try changing the address from "172.16.60.213" to "http://172.16.60.213".)
[root@docker-client ~]# vim /etc/docker/daemon.json
{
  "insecure-registries": [ "172.16.60.213" ]
}
Then restart the Docker service
[root@docker-client ~]# systemctl restart docker
Verify the Harbor login again; it now succeeds
[root@docker-client ~]# docker login 172.16.60.213    # or log in directly with "docker login -u admin -p kevin@bo123 172.16.60.213"
Username: admin
Password:
Login Succeeded
[root@docker-client ~]#
2) Logging in on the Harbor host itself gives the same error:
[root@harbor-node harbor]# docker login 172.16.60.213
Username: admin
Password:
Error response from daemon: Get https://172.16.60.213/v1/users/: dial tcp 172.16.60.213:443: connect: connection refused
Solution: add the "insecure-registries" entry to /etc/docker/daemon.json (the first line is the registry mirror configured earlier); note the "," separating the two lines
[root@harbor-node harbor]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://v5d7kh0f.mirror.aliyuncs.com"],
  "insecure-registries": ["172.16.60.213"]
}
After the change restart Docker, then restart the Harbor services
[root@harbor-node harbor]# systemctl restart docker
[root@harbor-node harbor]# docker-compose stop
[root@harbor-node harbor]# docker-compose start
Then test logging in on the Harbor host again
[root@harbor-node harbor]# docker login 172.16.60.213
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor-node harbor]#
The login credentials are saved in /root/.docker/config.json
[root@harbor-node harbor]# cat /root/.docker/config.json
{
  "auths": {
    "172.16.60.213": {
      "auth": "ywrtaw46a2v2aw5aqk8xotg3"
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.6 (linux)"
  }
}
As long as the information in /root/.docker/config.json is not deleted, later logins do not prompt for a user name and password
[root@harbor-node ~]# docker login 172.16.60.213
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Summary of notes:
Harbor supports both HTTP and HTTPS, but with HTTP, pulling images raises an untrusted-registry error.
The following must be added to the Docker configuration file /etc/docker/daemon.json on every Docker client:
{
  "insecure-registries": ["https://*.*.*.*"]
}
With a self-signed HTTPS certificate the client still reports that the certificate is untrusted; the self-signed CA certificate must be distributed to the designated directory on every Docker client.
For the detailed procedure for configuring Harbor with a self-signed certificate, see: https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
3.6.2) Using the Harbor registry
# tag an image
# docker tag <image>:<tag> <registry-address>/<project>/<image>:<tag>
# push to the private registry
# docker push <registry-address>/<project>/<image>:<tag>
# pull from the private registry
# docker pull <registry-address>/<project>/<image>:<tag>
First, create the project you need in the Harbor web UI (or use the default "library" project). A project is either public or private:
- public: every user has read access to a public project; this is convenient when you want to share repositories with others.
- private: a private project can only be accessed by users granted specific permissions; this is convenient for sharing within an internal team.
For example, create a public project "kevin_bo"; clicking into it shows the commands for pushing images.
Then images can be pushed to the Harbor registry from a terminal on the Harbor server:
Before pushing to or pulling from Harbor you must first log in to the Harbor registry; only then do you have permission to push and pull images!!
[root@harbor-node ~]# docker login 172.16.60.213
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
First list the images on this machine
[root@harbor-node ~]# docker images
REPOSITORY                    TAG                        IMAGE ID       CREATED       SIZE
goharbor/redis-photon         v1.8.0                     66d7402d2770   10 days ago   103MB
goharbor/harbor-registryctl   v1.8.0                     0ca3e2b624f5   10 days ago   96.2MB
goharbor/registry-photon      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24   10 days ago   81.3MB
goharbor/nginx-photon         v1.8.0                     4a4b48b32ae4   10 days ago   36MB
goharbor/harbor-log           v1.8.0                     e718bdc405a3   10 days ago   81.5MB
goharbor/harbor-jobservice    v1.8.0                     d47940dd883f   10 days ago   118MB
goharbor/harbor-core          v1.8.0                     b07a1a4be17f   10 days ago   135MB
goharbor/harbor-portal        v1.8.0                     76298a1ef089   10 days ago   42.9MB
goharbor/harbor-db            v1.8.0                     d1e0b3df3e95   10 days ago   140MB
goharbor/prepare              v1.8.0                     769ca785dab0   10 days ago   139MB
For example, push goharbor/redis-photon:v1.8.0 to the "kevin_bo" project in the Harbor registry
[root@harbor-node ~]# docker tag goharbor/redis-photon:v1.8.0 172.16.60.213/kevin_bo/redis-photon:v1.0
[root@harbor-node ~]# docker push 172.16.60.213/kevin_bo/redis-photon:v1.0
The push refers to repository [172.16.60.213/kevin_bo/redis-photon]
8864c4b9ac3d: Pushed
420b26399278: Pushed
4433bcd802e7: Pushed
268091c30a67: Pushed
23d9f72a5270: Pushed
v1.0: digest: sha256:1e2ce8e6a852713d789c6315642d1483d1efdb4acee4699817810bef219ec93d size: 1366
Listing the local images now shows one more entry, the tag created above for goharbor/redis-photon:v1.8.0; it can be removed
[root@harbor-node ~]# docker rmi 172.16.60.213/kevin_bo/redis-photon:v1.0
Untagged: 172.16.60.213/kevin_bo/redis-photon:v1.0
Untagged: 172.16.60.213/kevin_bo/redis-photon@sha256:1e2ce8e6a852713d789c6315642d1483d1efdb4acee4699817810bef219ec93d
[root@harbor-node ~]# docker images
REPOSITORY                    TAG                        IMAGE ID       CREATED       SIZE
goharbor/redis-photon         v1.8.0                     66d7402d2770   10 days ago   103MB
goharbor/harbor-registryctl   v1.8.0                     0ca3e2b624f5   10 days ago   96.2MB
goharbor/registry-photon      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24   10 days ago   81.3MB
goharbor/nginx-photon         v1.8.0                     4a4b48b32ae4   10 days ago   36MB
goharbor/harbor-log           v1.8.0                     e718bdc405a3   10 days ago   81.5MB
goharbor/harbor-jobservice    v1.8.0                     d47940dd883f   10 days ago   118MB
goharbor/harbor-core          v1.8.0                     b07a1a4be17f   10 days ago   135MB
goharbor/harbor-portal        v1.8.0                     76298a1ef089   10 days ago   42.9MB
goharbor/harbor-db            v1.8.0                     d1e0b3df3e95   10 days ago   140MB
goharbor/prepare              v1.8.0                     769ca785dab0   10 days ago   139MB
Pushing other images works the same way; for example, push goharbor/harbor-core:v1.8.0 to the "kevin_bo" project as well
[root@harbor-node ~]# docker tag goharbor/harbor-core:v1.8.0 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0
[root@harbor-node ~]# docker push 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0
The push refers to repository [172.16.60.213/kevin_bo/goharbor/harbor-core]
5385ffb8451e: Pushed
36e1cb2d6ffa: Pushed
452d238b3e48: Pushed
af3a6f89469a: Pushed
05bc5efb1724: Pushed
23d9f72a5270: Mounted from kevin_bo/redis-photon
v1.0: digest: sha256:7899f284617bb051180adf6c3aedd140a519d9092b8986dd9058d4dcec0d31de size: 1580
[root@harbor-node ~]# docker images
REPOSITORY                                    TAG                        IMAGE ID       CREATED       SIZE
goharbor/redis-photon                         v1.8.0                     66d7402d2770   10 days ago   103MB
goharbor/harbor-registryctl                   v1.8.0                     0ca3e2b624f5   10 days ago   96.2MB
goharbor/registry-photon                      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24   10 days ago   81.3MB
goharbor/nginx-photon                         v1.8.0                     4a4b48b32ae4   10 days ago   36MB
goharbor/harbor-log                           v1.8.0                     e718bdc405a3   10 days ago   81.5MB
goharbor/harbor-jobservice                    v1.8.0                     d47940dd883f   10 days ago   118MB
goharbor/harbor-core                          v1.8.0                     b07a1a4be17f   10 days ago   135MB
172.16.60.213/kevin_bo/goharbor/harbor-core   v1.0                       b07a1a4be17f   10 days ago   135MB
goharbor/harbor-portal                        v1.8.0                     76298a1ef089   10 days ago   42.9MB
goharbor/harbor-db                            v1.8.0                     d1e0b3df3e95   10 days ago   140MB
goharbor/prepare                              v1.8.0                     769ca785dab0   10 days ago   139MB
[root@harbor-node ~]# docker rmi 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0
Untagged: 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0
Untagged: 172.16.60.213/kevin_bo/goharbor/harbor-core@sha256:7899f284617bb051180adf6c3aedd140a519d9092b8986dd9058d4dcec0d31de
[root@harbor-node ~]# docker images
REPOSITORY                    TAG                        IMAGE ID       CREATED       SIZE
goharbor/redis-photon         v1.8.0                     66d7402d2770   10 days ago   103MB
goharbor/harbor-registryctl   v1.8.0                     0ca3e2b624f5   10 days ago   96.2MB
goharbor/registry-photon      v2.7.1-patch-2819-v1.8.0   1e7d99ccba24   10 days ago   81.3MB
goharbor/nginx-photon         v1.8.0                     4a4b48b32ae4   10 days ago   36MB
goharbor/harbor-log           v1.8.0                     e718bdc405a3   10 days ago   81.5MB
goharbor/harbor-jobservice    v1.8.0                     d47940dd883f   10 days ago   118MB
goharbor/harbor-core          v1.8.0                     b07a1a4be17f   10 days ago   135MB
goharbor/harbor-portal        v1.8.0                     76298a1ef089   10 days ago   42.9MB
goharbor/harbor-db            v1.8.0                     d1e0b3df3e95   10 days ago   140MB
goharbor/prepare              v1.8.0                     769ca785dab0   10 days ago   139MB
Then log in to the Harbor web UI: the "kevin_bo" project now contains the two images pushed above. Clicking an image lets you tag it, copy it to another project and so on:
For example, copy the kevin_bo/goharbor/harbor-core image from the "kevin_bo" project to the "library" project
The "library" project then shows the image copied over from "kevin_bo"
Note: make sure the host volumes that Harbor's containers map to have enough space; ideally use a dedicated partition.
In this test the Harbor containers map to /data on the host; the images pushed to Harbor can be seen there:
[root@harbor-node repositories]# pwd
/data/registry/docker/registry/v2/repositories
The two "projects" are visible
[root@harbor-node repositories]# ll
total 0
drwxr-xr-x 4 10000 10000 42 May 27 14:01 kevin_bo
drwxr-xr-x 3 10000 10000 27 May 27 14:08 library
[root@harbor-node repositories]# ll kevin_bo/
total 0
drwxr-xr-x 3 10000 10000 25 May 27 14:01 goharbor
drwxr-xr-x 5 10000 10000 55 May 27 13:58 redis-photon
[root@harbor-node repositories]# ll library/
total 0
drwxr-xr-x 3 10000 10000 21 May 27 14:08 172.16.60.213
[root@harbor-node repositories]# ll library/172.16.60.213/
total 0
drwxr-xr-x 3 10000 10000 25 May 27 14:08 library
======== Test pulling images from the Harbor registry on a Harbor client ========
[root@client ~]# docker login 172.16.60.213
Username: admin
Password:
Login Succeeded
[root@client ~]# docker images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
Pull images from the Harbor registry
[root@client ~]# docker pull 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0
Trying to pull repository 172.16.60.213/kevin_bo/goharbor/harbor-core ...
v1.0: Pulling from 172.16.60.213/kevin_bo/goharbor/harbor-core
4e360eca2e60: Pull complete
c066267eb2b9: Pull complete
932afda2a169: Pull complete
7ed16fb7e79a: Pull complete
d09137d80617: Pull complete
588769341947: Pull complete
Digest: sha256:7899f284617bb051180adf6c3aedd140a519d9092b8986dd9058d4dcec0d31de
Status: Downloaded newer image for 172.16.60.213/kevin_bo/goharbor/harbor-core:v1.0
[root@client ~]# docker pull 172.16.60.213/kevin_bo/redis-photon:v1.0
Trying to pull repository 172.16.60.213/kevin_bo/redis-photon ...
v1.0: Pulling from 172.16.60.213/kevin_bo/redis-photon
4e360eca2e60: Already exists
b08cc3be5c43: Pull complete
a750a309c85d: Pull complete
49b2d8335a1a: Pull complete
31e8f89dc042: Pull complete
Digest: sha256:1e2ce8e6a852713d789c6315642d1483d1efdb4acee4699817810bef219ec93d
Status: Downloaded newer image for 172.16.60.213/kevin_bo/redis-photon:v1.0
[root@client ~]# docker images
REPOSITORY                                    TAG    IMAGE ID       CREATED       SIZE
172.16.60.213/kevin_bo/redis-photon           v1.0   66d7402d2770   10 days ago   103 MB
172.16.60.213/kevin_bo/goharbor/harbor-core   v1.0   b07a1a4be17f   10 days ago   135 MB
After logging in to the Harbor web UI you can change users' passwords, create projects under different user accounts, and push and pull Harbor images under those accounts.
3.6.3)harbor的https证书启用
通过上面可知,harbor默认安装后采用的是http方式,后面使用的时候可能会发现很多不方面。因为docker客户端登录harbor进行镜像推送或拉取时默认是https方式!所以http方式下,需要在每一台harbor客户端机器上都要设置"insecure-registries", 感觉很麻烦!所以最好还是将harbor默认的http方式改为https方式!另外,从安全角度考虑,容器的仓库在生产环境中往往也是需要被设定为https的方式,而harbor将这些证书的创建和设定都进行了简单的集成,下面来看一下在harbor下如何使用https的方式。配置记录如下:
Before creating the certificates, remove the "insecure-registries" entry that was added earlier to /etc/docker/daemon.json on the client machine, so that the TLS setup is actually exercised:
[root@docker-client ~]# vim /etc/docker/daemon.json
{}
[root@docker-client ~]# rm -rf /root/.docker
Restart the docker service:
[root@docker-client ~]# systemctl restart docker

Remove the "insecure-registries" entry from /etc/docker/daemon.json on the Harbor host as well:
[root@harbor-node ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://v5d7kh0f.mirror.aliyuncs.com"]
}
[root@harbor-node ~]# rm -rf /root/.docker
Then restart docker and docker-compose:
[root@harbor-node ~]# systemctl restart docker
[root@harbor-node ~]# docker-compose down -v
[root@harbor-node ~]# docker-compose up -d

1) Create the CA
[root@harbor-node harbor]# pwd
/root/harbor
[root@harbor-node harbor]# mkdir ssl
[root@harbor-node harbor]# cd ssl/
[root@harbor-node ssl]# pwd
/root/harbor/ssl
[root@harbor-node ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
......................................++
..........++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:devops
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:172.16.60.213
Email Address []:wangshibo@kevin.com

2) Create the certificate signing request (CSR)
[root@harbor-node ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 172.16.60.213.key -out 172.16.60.213.csr
Generating a 4096 bit RSA private key
.++
..........++
writing new private key to '172.16.60.213.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
(same prompts as above)
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:devops
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:172.16.60.213
Email Address []:wangshibo@kevin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:devops

3) Issue the server certificate, signed by the CA
[root@harbor-node ssl]# echo subjectAltName = IP:172.16.60.213 > extfile.cnf
[root@harbor-node ssl]# openssl x509 -req -days 365 -in 172.16.60.213.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 172.16.60.213.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=devops/OU=tec/CN=172.16.60.213/emailAddress=wangshibo@kevin.com
Getting CA Private Key

The extfile is the part that matters: Docker's Go TLS stack matches the registry address against subjectAltName, not against the Common Name. If Harbor will also be reached by a DNS name, list it as well, for example subjectAltName = IP:172.16.60.213,DNS:harbor.example.com (the DNS name here is illustrative).

4) Check where the certificate files live; the same paths are entered into harbor.yml in the next step
[root@harbor-node ssl]# pwd
/root/harbor/ssl
[root@harbor-node ssl]# ll
total 28
-rw-r--r-- 1 root root 2033 May 28 01:16 172.16.60.213.crt
-rw-r--r-- 1 root root 1809 May 28 01:15 172.16.60.213.csr
-rw-r--r-- 1 root root 3272 May 28 01:15 172.16.60.213.key
-rw-r--r-- 1 root root 2114 May 28 01:13 ca.crt
-rw-r--r-- 1 root root 3268 May 28 01:13 ca.key
-rw-r--r-- 1 root root   17 May 28 01:16 ca.srl
-rw-r--r-- 1 root root   34 May 28 01:16 extfile.cnf

Note the permissions: both private keys were created world-readable (644). Tighten them with chmod 600 ca.key 172.16.60.213.key, because anyone who can read ca.key can issue certificates that every client of this registry will trust. The CA was also given the same Common Name as the server; giving the CA its own name (for example "harbor-private-ca") avoids confusing the two certificates later.

5) Edit harbor.yml. First take down the docker-compose deployment:
[root@harbor-node harbor]# pwd
/root/harbor
[root@harbor-node harbor]# docker-compose down -v
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal     ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-portal     ... done
Removing harbor-core       ... done
Removing harbor-db         ... done
Removing registryctl       ... done
Removing redis             ... done
Removing registry          ... done
Removing harbor-log        ... done
Removing network harbor_harbor
[root@harbor-node harbor]# docker-compose ps
Name   Command   State   Ports
------------------------------
[root@harbor-node harbor]# vim harbor.yml
(The port 80 block can be commented out so that only port 443 is served; then log in with docker login https://ip.)
.................
.................
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/harbor/ssl/172.16.60.213.crt
  private_key: /root/harbor/ssl/172.16.60.213.key
.................
.................
================================================================================================================
Note well: the indentation in harbor.yml must be correct! "https:" must start in column 1, and "port: 443", "certificate:" and "private_key:" must share the same indentation. Otherwise the "./prepare" step below fails with:
[root@harbor-node harbor]# ./prepare
..........
  File "/usr/lib/python3.6/site-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python3.6/site-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/lib/python3.6/site-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/lib/python3.6/site-packages/yaml/parser.py", line 439, in parse_block_mapping_key
    "expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
  in "/input/harbor.yml", line 15, column 4
expected <block end>, but found '<block mapping start>'
  in "/input/harbor.yml", line 17, column 5
That error is caused purely by bad indentation in harbor.yml.
================================================================================================================
Next, run the prepare script, which renders the modified configuration into docker-compose.yml:
[root@harbor-node harbor]# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Check docker-compose.yml: the new HTTPS port 443 has been written into it. Both 80 and 443 are configured, so HTTP access to Harbor is redirected to HTTPS:
[root@harbor-node harbor]# cat docker-compose.yml |grep 443 -C3
      dns_search: .
    ports:
      - 80:80
      - 443:443
    depends_on:
      - postgresql
      - registry

Bring docker-compose back up:
[root@harbor-node harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry    ... done
Creating harbor-db   ... done
Creating registryctl ... done
Creating redis       ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal     ... done
Creating nginx             ... done
[root@harbor-node harbor]# docker-compose ps
      Name                     Command                  State                            Ports
------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (healthy)
harbor-db           /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up             6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
registryctl         /harbor/start.sh                 Up (healthy)

Confirm the login on the Harbor host itself (port 80 or 443 both work, since HTTP is redirected):
[root@harbor-node harbor]# docker login -u admin -p kevin@bo1987 172.16.60.213
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://172.16.60.213/v2/: x509: certificate signed by unknown authority
[root@harbor-node harbor]# docker login -u admin -p kevin@bo1987 172.16.60.213:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://172.16.60.213:443/v2/: x509: certificate signed by unknown authority

Two remarks on this. Passing -p on the command line leaves the password in the shell history and in the process list; use --password-stdin as the warning says. The x509 error itself is expected with a self-signed CA: the Docker daemon cannot build a chain from the server certificate to any root it trusts. The fix applied here was to append the server certificate to the system CA bundle:
[root@harbor-node harbor]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@harbor-node harbor]# cat /root/harbor/ssl/172.16.60.213.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@harbor-node harbor]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
This works, but it is the wrong file and the wrong certificate. On CentOS/RHEL, /etc/pki/tls/certs/ca-bundle.crt is a symlink to the extracted bundle that update-ca-trust regenerates, so the change is silently lost at the next update, and trusting the leaf certificate means re-doing this on every host whenever the server certificate is renewed. The supported way is to trust the CA: cp /root/harbor/ssl/ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust. Alternatively, without touching the system store at all, place ca.crt at /etc/docker/certs.d/172.16.60.213/ca.crt; dockerd reads *.crt files in that directory as additional CA roots for that registry only.
Because it is the daemon that uses the certificate, docker has to be restarted after the system bundle is changed, and therefore docker-compose as well:
[root@harbor-node harbor]# systemctl restart docker
[root@harbor-node harbor]# docker-compose down -v
[root@harbor-node harbor]# docker-compose up -d
Then try to log in again on the Harbor host; it now succeeds.
[root@harbor-node harbor]# docker login -u admin -p kevin@bo1987 172.16.60.213
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

The credentials are saved in /root/.docker/config.json; as long as that file is kept, later logins need no username or password. Take the warning literally: the "auth" value is only the base64 encoding of username:password, not encryption, so this file has to be protected like a password file and must not be copied around or committed; on shared machines a credential helper is the better choice.
[root@harbor-node harbor]# cat /root/.docker/config.json
{
	"auths": {
		"172.16.60.213": {
			"auth": "ywrtaw46a2v2aw5aqk9ctzeymw=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.6 (linux)"
	}
}
[root@harbor-node harbor]# docker login 172.16.60.213
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

The logins above used port 80; adding port 443 explicitly also works:
[root@harbor-node harbor]# docker login 172.16.60.213:443
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor-node harbor]# docker login 172.16.60.213:443
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor-node ssl]# docker login -u admin -p kevin@bo1987 172.16.60.213:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
==========================================================================================
The above was on the Harbor host itself. Now test the login from a remote client (172.16.60.214 here).

The crucial step, not to be forgotten: the CA certificate generated on the Harbor server must be placed on every client under /etc/docker/certs.d/<harbor hostname or ip>/. Only ca.crt belongs there. The private keys (ca.key and 172.16.60.213.key) must never leave the server: whoever holds ca.key can issue a certificate for any registry name and impersonate Harbor to every other client. What was done here instead was to copy the whole ssl directory, keys included:
[root@client ~]# mkdir /etc/docker/certs.d/172.16.60.213/
On the Harbor server, copy the files over:
[root@harbor-node ssl]# rsync -e "ssh -p22" -avpgolr ./* root@172.16.60.214:/etc/docker/certs.d/172.16.60.213/
Then check on the client that they arrived:
[root@client 172.16.60.213]# pwd
/etc/docker/certs.d/172.16.60.213
[root@client 172.16.60.213]# ls
172.16.60.213.crt  172.16.60.213.csr  172.16.60.213.key  ca.crt  ca.key  ca.srl  extfile.cnf
The same trust-store change as on the server:
[root@client 172.16.60.213]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@client 172.16.60.213]# cat /etc/docker/certs.d/172.16.60.213/172.16.60.213.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@client 172.16.60.213]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Restart the docker service:
[root@client 172.16.60.213]# systemctl restart docker
Finally log in to Harbor, which succeeds:
[root@client 172.16.60.213]# docker login -u admin -p kevin@bo1987 172.16.60.213:443
Login Succeeded
[root@client 172.16.60.213]# cat /root/.docker/config.json
{
	"auths": {
		"172.16.60.213:443": {
			"auth": "ywrtaw46a2v2aw5aqk9ctzeymw=="
		}
	}
}
Logging in through port 443 works, but logging in through port 80 now fails:
[root@client 172.16.60.213]# docker login -u admin -p kevin@bo1987 172.16.60.213
Error response from daemon: Missing client certificate 172.16.60.213.cert for key 172.16.60.213.key

The conclusion drawn at the time was "just use port 443 on the client", but the port is not the cause. dockerd looks in /etc/docker/certs.d/<host[:port]>/ for exactly the address used. For 172.16.60.213 it finds the directory populated above, where every *.key is expected to be paired with a *.cert as a client TLS identity; the copied server key 172.16.60.213.key has no 172.16.60.213.cert, hence the error. For 172.16.60.213:443 no such directory exists, so the daemon falls back to the patched system bundle and the login succeeds. The correct fix is to leave only ca.crt in /etc/docker/certs.d/172.16.60.213/ and delete everything else there (rm 172.16.60.213.* ca.key ca.srl extfile.cnf). After that, logins to both 172.16.60.213 and 172.16.60.213:443 verify against the CA, the system bundle does not need to be touched, and no docker restart is needed, since certs.d is read on each request.
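The certificate steps 1-3 above and the client-side trust setup, redone as one script. This is an added example, not code from the original page or from the Harbor project; the IP 172.16.60.213, the DNS name harbor.example.local, the certs.d root and the output directories are assumptions. It gives the CA its own name, puts the IP (and optionally a DNS name) in subjectAltName, creates the keys as 0600, verifies the chain the way dockerd will, copies only ca.crt to the client, and flags the exact certs.d mistake (a stray .key with no .cert) that produced the "Missing client certificate" error above.

```shell
#!/bin/sh
# Added example, not from the original page or from Harbor: private CA + server
# certificate with a proper subjectAltName, chain verification, and a client
# certs.d installer/auditor. IP, DNS name and directories are assumptions.
set -eu

# gen_harbor_certs OUTDIR IP [DNSNAME] [KEYBITS]: writes ca.crt/ca.key and IP.crt/IP.key
gen_harbor_certs() {
    outdir=$1; ip=$2; dns=${3:-}; bits=${4:-4096}
    mkdir -p "$outdir"
    # Explicit CA profile, so the CA gets its own name and real CA extensions
    # regardless of what the system openssl.cnf says.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'C = CN' 'O = devops' 'CN = harbor-private-ca' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$outdir/ca.cnf"
    san="IP:$ip"
    [ -n "$dns" ] && san="$san,DNS:$dns"
    # dockerd (Go TLS) matches the registry address against the SAN, never the CN
    printf '%s\n' "subjectAltName = $san" 'extendedKeyUsage = serverAuth' \
        'basicConstraints = CA:FALSE' > "$outdir/extfile.cnf"
    (
        umask 077   # keys are created 0600, unlike the 0644 in the listing above
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 3650 \
            -config "$outdir/ca.cnf" -keyout "$outdir/ca.key" -out "$outdir/ca.crt"
        openssl req -newkey "rsa:$bits" -nodes -sha256 -subj "/C=CN/O=devops/CN=$ip" \
            -keyout "$outdir/$ip.key" -out "$outdir/$ip.csr"
    ) >/dev/null 2>&1
    openssl x509 -req -days 365 -sha256 -in "$outdir/$ip.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/extfile.cnf" -out "$outdir/$ip.crt" >/dev/null 2>&1
    chmod 644 "$outdir/ca.crt" "$outdir/$ip.crt"   # only the public halves
}

# verify_harbor_cert OUTDIR IP: 0 only if the chain verifies against ca.crt,
# the SAN carries the IP, and ca.key is readable by its owner alone
verify_harbor_cert() {
    outdir=$1; ip=$2
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/$ip.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/$ip.crt" -noout -text | grep -q "IP Address:$ip" || return 1
    ls -l "$outdir/ca.key" | grep -q '^-rw-------' || return 1
}

# install_registry_ca CERTSD_ROOT REGISTRY CA_CRT: copies exactly one file, the CA
# certificate, to CERTSD_ROOT/REGISTRY/ca.crt, and refuses key material, so the
# "rsync ./*" mistake above cannot be repeated through this function.
install_registry_ca() {
    root=$1; reg=$2; src=$3
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "refusing: $src holds private key material" >&2; return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$src" || { echo "refusing: $src is not a PEM certificate" >&2; return 1; }
    mkdir -p "$root/$reg"
    cp "$src" "$root/$reg/ca.crt"
    chmod 644 "$root/$reg/ca.crt"
}

# check_certsd CERTSD_ROOT REGISTRY: 0 if clean, else prints findings and returns 1.
# dockerd treats *.crt there as extra CA roots and pairs *.key with *.cert as a
# client identity, so a .key without its .cert is the "Missing client certificate" error.
check_certsd() {
    dir=$1/$2; rc=0; anchors=0
    [ -d "$dir" ] || { echo "MISSING: $dir (only the system CA store applies)"; return 1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.crt)  anchors=$((anchors + 1))
                    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "BAD: $f is not a PEM certificate"; rc=1; } ;;
            *.key)  [ -f "${f%.key}.cert" ] || { echo "BAD: $f has no ${f%.key}.cert (dockerd: Missing client certificate)"; rc=1; } ;;
            *.cert) ;;
            *)      echo "WARN: $f is ignored by dockerd" ;;
        esac
        # a paired client key is the only private key that may legitimately be here
        case "$f" in
            *.key) ;;
            *) grep -q 'PRIVATE KEY' "$f" && { echo "LEAK: $f contains a private key"; rc=1; } ;;
        esac
    done
    [ "$anchors" -gt 0 ] || { echo "MISSING: no *.crt CA anchor in $dir"; rc=1; }
    return $rc
}
```

On the Harbor host: gen_harbor_certs /root/harbor/ssl 172.16.60.213 harbor.example.local, then verify_harbor_cert /root/harbor/ssl 172.16.60.213 before pointing harbor.yml at the files. On each client, after copying ca.crt alone: install_registry_ca /etc/docker/certs.d 172.16.60.213 ./ca.crt and check_certsd /etc/docker/certs.d 172.16.60.213. If the operating system's trust store should trust the CA as well, copy ca.crt to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust rather than editing the extracted bundle.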
[[ Note ]] If several accounts exist in Harbor and a client logs in as account A, then pulls an image that lives in a private project belonging to account B, account A must first be added as a member of that project; otherwise docker pull fails with:
denied: requested access to the resource is denied
3.6.4) High availability for a private Harbor registry
A single-host Harbor deployment clearly cannot meet production requirements; the service has to be made highly available.
There are currently two mainstream approaches to Harbor high availability:
- Dual-master replication
- Multiple Harbor instances sharing a back-end storage
1. Harbor dual-master replication
- Master/slave synchronization
Harbor provides replication out of the box to keep images in sync between registries. With replication, images in a test-environment Harbor can be synchronized to the production Harbor in near real time, along the lines of the following flow:
In real production operations, images often have to be delivered to tens or hundreds of cluster nodes. A single registry can no longer satisfy the download demand of that many nodes, so several registry instances are set up behind a load balancer, and maintaining the images on each of them by hand is tedious. Harbor supports a one-master, many-replica publishing model that solves large-scale image distribution.
Publish to one registry and the image fans out to the other registries automatically and reliably. For clusters spread over a wide area, distribution can be tiered: from headquarters to the provincial office, and from the provincial office down to the city offices.
Master/slave replication alone, however, still leaves the master Harbor node as a single point of failure.
- Dual-master replication explained
Dual-master replication reuses the replication feature to set up bidirectional synchronization between two Harbor nodes so that their data stays consistent, with a load balancer in front that spreads incoming requests across the two instances. Whenever one instance receives a new image it is automatically replicated to the other. This gives load balancing, avoids the single point of failure, and so provides a degree of high availability. A possible setup is nginx + keepalived + Harbor, with the VIP floating between the load balancers (or directly between the Harbor nodes).
Dual-master replication is created in the Harbor web UI by defining a replication relationship from each instance to the other; the relationship can be set up under the same user or under different users. That establishes a hot-standby pair.
1) "Administration" -> "Registries" -> "New Endpoint": fill in the peer Harbor's details.
2) "Administration" -> "Replications" -> "New Replication Rule": the rule references the destination registry, i.e. the endpoint created in the previous step. Replication mode can be push-based or pull-based; the trigger can be event-based (automatic) or scheduled.
This scheme has a weakness: the two instances can drift apart. If instance A goes down and new images are pushed in the meantime, they land only on instance B. After A is recovered, B does not catch it up automatically; the replication policy on B has to be disabled and re-enabled (or a replication run triggered by hand) before the two instances are consistent again. Replication-based HA therefore needs manual intervention after every failure and is not a reliable high-availability mechanism on its own.
2. Multiple Harbor instances sharing back-end storage
Shared back-end storage is the more standard approach: several Harbor instances share one storage back end, so any image persisted by one instance can be read by the others. Requests arriving through a front-end load balancer are spread across the instances, giving load balancing and removing the single point of failure.
Deploying this in production raises three questions:
1. Choice of shared storage. Harbor's registry back end currently supports AWS S3, OpenStack Swift, Ceph (through its S3 or Swift gateway) and others. [In a lab environment NFS can be used directly.]
2. Sharing sessions across instances. This is no longer a real problem: current Harbor versions keep sessions in Redis, so Redis only needs to be run as a separate, shared service, and its availability can be ensured with Redis Sentinel or Redis Cluster. [In the lab, a single Redis is still used.]
3. The database for multiple Harbor instances. Split the database out of Harbor and run it externally so that all instances share it. The database in this version is PostgreSQL (the harbor-db container above runs postgres), so a PostgreSQL high-availability setup (replication with failover) is what protects it.