harbor私有仓库

内部有反向代理,接受用户的连接;有管理server;有复制server;可以进行账户验证;还有仓库

harbor安装流程:
docker
docker-compose
harbor
配置
启动harbor

采用脚本安装:
[root@ubuntu2004 ~]#ls
harbor-offline-installer-v2.6.1.tgz  install_harbor.sh
安装脚本:
#!/bin/bash
#
#********************************************************************
#Author:            limanman
#QQ:                461624736
#Date:              2023-02-04
#FileName:          install_harbor.sh
#Description:       The test script
#********************************************************************

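# ---- installation parameters -------------------------------------------
# Harbor release to install and the directory it is unpacked into.
HARBOR_VERSION=2.6.1
#HARBOR_VERSION=2.6.0
HARBOR_BASE=/apps
# Name the registry is reached by; it must resolve on every docker client.
HARBOR_NAME=harbor.li.org
#HARBOR_NAME=$(hostname -I | awk '{print $1}')

DOCKER_VERSION="20.10.10"
#DOCKER_VERSION="19.03.14"
# Package mirror. Keep it on TLS: repo metadata and Docker's signing key are
# fetched from here, and over plain http an on-path attacker can swap either.
DOCKER_URL="https://mirrors.ustc.edu.cn"
#DOCKER_URL="https://mirrors.tuna.tsinghua.edu.cn"

DOCKER_COMPOSE_VERSION=2.6.1
#DOCKER_COMPOSE_VERSION=1.29.2
DOCKER_COMPOSE_FILE=docker-compose-Linux-x86_64

# Initial admin password written into harbor.yml. Taken from the environment
# when set (HARBOR_ADMIN_PASSWORD='...' bash install_harbor.sh); the fallback
# is a throw-away lab value and must never be used on a reachable host.
HARBOR_ADMIN_PASSWORD=${HARBOR_ADMIN_PASSWORD:-123456}

# First address of this host; used for the final URL and the /etc/hosts entry.
HARBOR_IP=$(hostname -I | awk '{print $1}')

# ANSI helpers: ${COLOR_SUCCESS}"text"${END} prints green text, etc.
COLOR_SUCCESS="echo -e \\033[1;32m"
COLOR_FAILURE="echo -e \\033[1;31m"
END="\033[m"

# Provides ID, VERSION_ID and UBUNTU_CODENAME, which pick the distro branch.
. /etc/os-release
UBUNTU_DOCKER_VERSION="5:${DOCKER_VERSION}~3-0~${ID}-${UBUNTU_CODENAME}"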

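color () {
    # Print "$1", move to column 60 and append a bracketed status tag:
    #   $2 = "success" or "0"  -> green  "  OK  "
    #   $2 = "failure" or "1"  -> red    "FAILED"
    #   anything else / empty  -> yellow "WARNING"
    # The original compared an unquoted $2 with the deprecated "-o" test,
    # which produced a test syntax error for an empty or multi-word status.
    local label=$1
    local status=${2:-}
    local res_col=60
    printf '%s' "$label"
    printf '\033[%dG[' "$res_col"
    case "$status" in
        success|0) printf '\033[1;32m%s' "  OK  " ;;
        failure|1) printf '\033[1;31m%s' "FAILED" ;;
        *)         printf '\033[1;33m%s' "WARNING" ;;
    esac
    printf '\033[0m]\n'
}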


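install_docker(){
    # Install docker-ce at DOCKER_VERSION from the DOCKER_URL mirror, write
    # /etc/docker/daemon.json, enable the service and add two aliases.
    # CentOS/Rocky use a yum repo; every other distro is treated as Ubuntu.
    # Globals read: ID, VERSION_ID, UBUNTU_CODENAME (from /etc/os-release),
    #   DOCKER_URL, DOCKER_VERSION, UBUNTU_DOCKER_VERSION, HARBOR_NAME,
    #   COLOR_FAILURE, END. Exits the script on failure.
    local install_rc el_major codename
    if [ "$ID" = "centos" ] || [ "$ID" = "rocky" ]; then
        el_major=8
        [ "$VERSION_ID" = "7" ] && el_major=7
        # gpgcheck=1: packages are verified against Docker's release key.
        # The mirror keeps upstream's tree, so the key sits beside the repo
        # (same path scheme the Ubuntu branch already relies on).
        cat > /etc/yum.repos.d/docker.repo <<EOF
[docker]
name=docker
gpgcheck=1
gpgkey=${DOCKER_URL}/docker-ce/linux/centos/gpg
#baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/${el_major}/x86_64/stable/
baseurl=${DOCKER_URL}/docker-ce/linux/centos/${el_major}/x86_64/stable/
EOF
        yum clean all
        ${COLOR_FAILURE} "Docker有以下版本"${END}
        yum list docker-ce --showduplicates
        ${COLOR_FAILURE}"5秒后即将安装: docker-"${DOCKER_VERSION}" 版本....."${END}
        ${COLOR_FAILURE}"如果想安装其它Docker版本,请按ctrl+c键退出,修改版本再执行"${END}
        sleep 5
        # A failed install used to "exit" with status 0; report the failure.
        yum -y install "docker-ce-${DOCKER_VERSION}" "docker-ce-cli-${DOCKER_VERSION}" \
            || { color "Base,Extras的yum源失败,请检查yum源配置" 1; exit 1; }
        install_rc=0
    else
        # The original wrote "$COLOR" (undefined), so this early exit never
        # fired and the script fell through to a reinstall.
        if dpkg -s docker-ce &> /dev/null; then
            color "Docker已安装,退出" 1
            exit 0
        fi
        apt update || { color "更新包索引失败" 1 ; exit 1; }
        apt -y install apt-transport-https ca-certificates curl software-properties-common || \
            { color "安装相关包失败" 1 ; exit 2; }
        # Keep Docker's signing key in its own keyring and bind it to this one
        # repo with signed-by. apt-key (deprecated) trusted the key for every
        # repository on the system, and the original pulled it over plain http.
        install -m 0755 -d /etc/apt/keyrings
        curl -fsSL "${DOCKER_URL}/docker-ce/linux/ubuntu/gpg" -o /etc/apt/keyrings/docker.asc \
            || { color "下载Docker GPG密钥失败" 1 ; exit 3; }
        chmod a+r /etc/apt/keyrings/docker.asc
        codename=${UBUNTU_CODENAME:-$(lsb_release -cs)}
        echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] ${DOCKER_URL}/docker-ce/linux/ubuntu ${codename} stable" \
            > /etc/apt/sources.list.d/docker.list
        apt update
        ${COLOR_FAILURE} "Docker有以下版本"${END}
        apt-cache madison docker-ce
        ${COLOR_FAILURE}"5秒后即将安装: docker-"${UBUNTU_DOCKER_VERSION}" 版本....."${END}
        ${COLOR_FAILURE}"如果想安装其它Docker版本,请按ctrl+c键退出,修改版本再执行"${END}
        sleep 5
        apt -y install "docker-ce=${UBUNTU_DOCKER_VERSION}" "docker-ce-cli=${UBUNTU_DOCKER_VERSION}"
        install_rc=$?
    fi
    if [ "$install_rc" -eq 0 ]; then
        color "安装软件包成功" 0
    else
        color "安装软件包失败,请检查网络配置" 1
        exit 1
    fi

    mkdir -p /etc/docker
    # registry-mirrors only speeds up pulls from Docker Hub.
    # insecure-registries lets this host talk plain HTTP to the Harbor set
    # up by this script (no TLS, so docker login sends the admin password in
    # clear text). The original hard-coded harbor.wang.org, which never
    # matched HARBOR_NAME. Remove the entry once Harbor is switched to HTTPS.
    cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"],
  "insecure-registries": ["${HARBOR_NAME}"]
}
EOF
    systemctl daemon-reload
    systemctl enable docker
    systemctl restart docker
    if docker version; then
        color "Docker 安装成功" 0
    else
        color "Docker 安装失败" 1
    fi
    # Lab conveniences: rmi/rmc force-remove EVERY image / container on the
    # host. Appended only once so reruns do not keep growing ~/.bashrc.
    grep -q '^alias rmi=' ~/.bashrc 2>/dev/null || echo 'alias rmi="docker images -qa|xargs docker rmi -f"' >> ~/.bashrc
    grep -q '^alias rmc=' ~/.bashrc 2>/dev/null || echo 'alias rmc="docker ps -qa|xargs docker rm -f"' >> ~/.bashrc
}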



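install_docker_compose(){
    # Install docker-compose. CentOS/Rocky get the release binary: a
    # pre-downloaded ${DOCKER_COMPOSE_FILE} in the current directory if it
    # exists, otherwise a download from the daocloud mirror of the GitHub
    # release. Other distros install the distribution package.
    # Globals read: ID, DOCKER_COMPOSE_VERSION, DOCKER_COMPOSE_FILE,
    #   DOCKER_COMPOSE_SHA256 (optional), COLOR_SUCCESS, COLOR_FAILURE, END.
    # Exits the script on failure.
    local staged
    if [ "$ID" = "centos" ] || [ "$ID" = "rocky" ]; then
        ${COLOR_SUCCESS}"开始安装 Docker compose....."${END}
        sleep 1
        if [ -e "${DOCKER_COMPOSE_FILE}" ]; then
            staged=${DOCKER_COMPOSE_FILE}
        else
            # Download into a temp file first: the original wrote straight to
            # /usr/bin and ignored curl's status, so a failed or truncated
            # transfer left a broken "docker-compose" in PATH. -f turns HTTP
            # errors into a non-zero exit.
            staged=$(mktemp) || { ${COLOR_FAILURE}"创建临时文件失败"${END}; exit 1; }
            #curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/${DOCKER_COMPOSE_FILE} -o /usr/bin/docker-compose
            curl -fL "https://get.daocloud.io/docker/compose/releases/download/v${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o "$staged" \
                || { ${COLOR_FAILURE}"Docker compose 下载失败"${END}; rm -f -- "$staged"; exit 1; }
        fi
        # The mirror is a third party redistributing the GitHub release. When
        # DOCKER_COMPOSE_SHA256 is set (copy it from the checksum published on
        # the upstream release), refuse a binary that does not match it.
        if [ -n "${DOCKER_COMPOSE_SHA256:-}" ]; then
            echo "${DOCKER_COMPOSE_SHA256}  ${staged}" | sha256sum -c - >/dev/null \
                || { ${COLOR_FAILURE}"Docker compose 校验和不匹配"${END}; rm -f -- "$staged"; exit 1; }
        fi
        # install copies with mode 0755; the staged copy is removed afterwards
        # (the original mv'd the pre-downloaded file away as well).
        install -m 0755 "$staged" /usr/bin/docker-compose \
            || { ${COLOR_FAILURE}"安装 docker-compose 失败"${END}; exit 1; }
        rm -f -- "$staged"
    else
        apt -y install docker-compose
    fi
    if docker-compose --version ;then
        ${COLOR_SUCCESS}"Docker Compose 安装完成"${END}
    else
        ${COLOR_FAILURE}"Docker compose 安装失败"${END}
        exit 1
    fi
}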

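install_harbor(){
    # Fetch (if needed) and unpack the offline installer into
    # ${HARBOR_BASE}/harbor, derive harbor.yml from the template (HTTP only,
    # admin password from HARBOR_ADMIN_PASSWORD, data under /data/harbor),
    # run Harbor's own install.sh, then register and enable a systemd unit.
    # Globals read: HARBOR_VERSION, HARBOR_BASE, HARBOR_NAME, HARBOR_IP,
    #   HARBOR_ADMIN_PASSWORD, COLOR_SUCCESS, COLOR_FAILURE, END.
    # Exits the script on failure.
    local tarball="harbor-offline-installer-v${HARBOR_VERSION}.tgz"
    local esc_pw
    ${COLOR_SUCCESS}"开始安装 Harbor....."${END}
    sleep 1
    if [ ! -e "$tarball" ]; then
        # The original only echoed on a failed download and then went on to
        # untar a file that was not there.
        wget "https://github.com/goharbor/harbor/releases/download/v${HARBOR_VERSION}/${tarball}" \
            || { ${COLOR_FAILURE}"下载失败!"${END}; exit 1; }
    fi
    # NOTE(review): the tarball is used exactly as downloaded. Before running
    # this anywhere that matters, compare it with the checksum/signature
    # published alongside the GitHub release.
    [ -d "${HARBOR_BASE}" ] || mkdir -p "${HARBOR_BASE}"
    tar xvf "$tarball" -C "${HARBOR_BASE}" || { ${COLOR_FAILURE}"解压失败!"${END}; exit 1; }
    cd "${HARBOR_BASE}/harbor" || { ${COLOR_FAILURE}"目录不存在: ${HARBOR_BASE}/harbor"${END}; exit 1; }
    cp harbor.yml.tmpl harbor.yml
    sed -ri "/^hostname/s/reg.mydomain.com/${HARBOR_NAME}/" harbor.yml
    # Harbor comes up over plain HTTP: the https block of the template is
    # commented out here. docker login then sends credentials in clear text
    # and every client must list this host as an insecure registry; enable
    # TLS (https/certificate/private_key) before exposing it beyond a lab.
    sed -ri "/^https/s/(https:)/#\1/" harbor.yml
    sed -ri "s/(port: 443)/#\1/" harbor.yml
    sed -ri "/certificate:/s/(.*)/#\1/" harbor.yml
    sed -ri "/private_key:/s/(.*)/#\1/" harbor.yml
    if [ "${#HARBOR_ADMIN_PASSWORD}" -lt 8 ] || [ "${HARBOR_ADMIN_PASSWORD}" = "Harbor12345" ]; then
        color "HARBOR_ADMIN_PASSWORD 是弱口令或默认口令,仅限测试使用" 2
    fi
    # Escape the characters sed treats specially in a replacement (/ & \) so
    # a password containing them cannot corrupt harbor.yml.
    esc_pw=$(printf '%s' "${HARBOR_ADMIN_PASSWORD}" | sed -e 's#[&/\\]#\\&#g')
    sed -ri "s/Harbor12345/${esc_pw}/" harbor.yml
    sed -i 's#^data_volume: /data#data_volume: /data/harbor#' harbor.yml
    #mkdir -p /data/harbor
    # The original kept going (and later reported success) when install.sh
    # failed.
    if "${HARBOR_BASE}/harbor/install.sh"; then
        ${COLOR_SUCCESS}"Harbor 安装完成"${END}
    else
        ${COLOR_FAILURE}"Harbor 安装失败"${END}
        exit 1
    fi
    cat > /lib/systemd/system/harbor.service <<EOF
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f  ${HARBOR_BASE}/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f ${HARBOR_BASE}/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target
EOF

    systemctl daemon-reload
    # The original ran "enable ... || ${COLOR}..." with an undefined ${COLOR}
    # and then tested $? of that echo rather than of systemctl.
    if systemctl enable harbor &>/dev/null; then
        echo
        color "Harbor安装完成!" 0
        echo "-------------------------------------------------------------------"
        echo -e "请访问链接: \E[32;1mhttp://${HARBOR_IP}/\E[0m"
        # Only the account name is echoed; printing the password would leave
        # it in terminal scrollback, shell transcripts and CI logs.
        echo -e "用户: \E[32;1madmin\E[0m  密码: 脚本变量 HARBOR_ADMIN_PASSWORD 的值"
    else
        color "Harbor安装失败!" 1
        exit 1
    fi
    # Name -> address mapping for this host, added once (reruns used to
    # append a duplicate line every time).
    grep -qwF -- "$HARBOR_NAME" /etc/hosts || echo "$HARBOR_IP     $HARBOR_NAME" >> /etc/hosts
}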



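# Entry point: skip a component that is already present, otherwise install
# it. Written as if/else because "a && b || c" runs c whenever b fails, not
# only when a does.
if docker info &> /dev/null; then
    ${COLOR_FAILURE}"Docker已安装"${END}
else
    install_docker
fi

if docker-compose --version &> /dev/null; then
    ${COLOR_FAILURE}"Docker Compose已安装"${END}
else
    install_docker_compose
fi

install_harbor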




[root@ubuntu2004 ~]#bash install_harbor.sh 
Harbor 安装完成

Harbor安装完成!                                            [  OK  ]
-------------------------------------------------------------------
请访问链接: http://10.0.0.101/
用户和密码: admin/123456

安装完成后,既可以用 IP 也可以用域名访问。脚本默认把 harbor.yml 里的 hostname 配成域名;如果客户端不解析这个域名,可以把它改成本机 IP——hostname 必须和 docker 客户端实际 login/push 时使用的地址一致。
[root@ubuntu2004 ~]#vim /apps/harbor/harbor.yml
hostname: 10.0.0.101
生效更新一下
[root@ubuntu2004 ~]#cd /apps/harbor/
[root@ubuntu2004 harbor]#./prepare
将容器删了重启一下
[root@ubuntu2004 harbor]#docker-compose down
[root@ubuntu2004 harbor]#docker-compose up -d

通过harbor上传和下载镜像

web登录harbor
创建仓库项目:test
#在项目中点推送命令,
#复制在项目中标记镜像一行进行贴标签:
格式:docker tag SOURCE_IMAGE[:TAG] 10.0.0.101/test/REPOSITORY[:TAG]
[root@ubuntu2004 ubuntu]#docker tag ubuntu:20.04 10.0.0.101/test/ubuntu:20.04

#先在需要上传镜像的客户端上,把 101/102 加入 insecure-registries,允许 docker 走明文 HTTP(80 端口)访问它们。注意:这样 docker login 的口令和镜像内容都以明文传输,客户端也无法校验服务器身份,只适合实验环境;生产环境请按后面"https安全实现"一节启用 TLS,然后删掉这一项
[root@ubuntu2004 ~]#vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"],
    "dns" : [ "114.114.114.114", "119.29.29.29"],
  "insecure-registries": ["10.0.0.101","10.0.0.102"]
}
#重启
[root@ubuntu2004 ~]#systemctl restart docker
#查看是否添加成功
[root@ubuntu2004 ~]#docker info 
Insecure Registries:
  10.0.0.101
  10.0.0.102
  127.0.0.0/8
#登录101服务器harbor:
[root@ubuntu2004 ~]#docker login 10.0.0.101
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

查看登录信息(注意:下面 auth 字段的值只是 base64("admin:123456"),并非加密,能读到这个文件的人就拿到了管理员口令;正式环境请配置 credential helper,至少也要保证该文件仅 root 可读):[root@ubuntu2004 ~]#cat .docker/config.json 
{
	"auths": {
		"10.0.0.101": {
			"auth": "YWRtaW46MTIzNDU2"
		}
	}

#上传镜像:
推送镜像到项目(镜像名里的项目段必须是 harbor 上已存在的项目,且要与上面 docker tag 时用的名字一致——上面 tag 的是 test 项目,而下面 push 的是 m50,二者要统一):
格式:docker push 10.0.0.101/PROJECT/REPOSITORY[:TAG]
[root@ubuntu2004 ~]docker push 10.0.0.101/m50/ubuntu:20.04
此时web页面harbor上已经可以看到上传的镜像

#下载镜像
在web页面镜像后面拉取复制连接,到需要下载的服务器
先配置harbor服务器的IP
[root@ubuntu2004 ~]#vim /etc/docker/daemon.json
再登录(口令在交互提示里输入;若要脚本化,用 --password-stdin 从标准输入传入,不要把口令写在命令行参数里,否则会留在 shell 历史和 ps 输出中)
[root@ubuntu2004 ~]#docker login 10.0.0.101
Username: admin
Password:123456
复制连接拉取下载

实现harbor高可用

两台 harbor 服务器的 harbor.yml 里 hostname 各自填自己的 IP,两台不能相同(复制规则要通过这个地址访问对端):
[root@ubuntu2004 ~]#vim /apps/harbor/harbor.yml
hostname: 10.0.0.101
[root@ubuntu2004 ~]#vim /apps/harbor/harbor.yml
hostname: 10.0.0.102

1.仓库管理-新建目标,填写目标名(只是一个标识,这里写 m50);目标 URL:http://10.0.0.102;以及登录对端 harbor 的账号和密码。建议不要直接填 admin,而是在对端专门建一个只对相关项目有推送/拉取权限的账号给复制用;另外目标 URL 现在是 http,复制用的凭据同样以明文传输。

2.复制管理-新建规则
根据页面提示填写相关信息,推送选 push,拉取选 pull,
#在另一个服务器上重复上面两个步骤,即可实现同步

选事件驱动只同步新增加的,可以先点手动同步,点复制,将之前的镜像同步过去
加反向代理(下面的 nginx 只监听 80/HTTP,到后端两台 harbor 也是明文 http,客户端凭据依然明文经过网络;生产环境应在这里用 listen 443 ssl 终结 TLS)

[root@ubuntu2004 conf.d]#vim harbor.conf
# Load-balancing front for the two Harbor nodes.
# hash $remote_addr pins each client IP to one backend, so the several
# requests of one push keep hitting the node that started it.
upstream harbor {
    hash $remote_addr;
    server 10.0.0.101;
    server 10.0.0.102;
}

# Plain-HTTP listener: docker login credentials and image data cross the
# network unencrypted both between client and proxy and between proxy and
# the nodes, and clients must list harbor.li.org under insecure-registries.
# Terminate TLS here (listen 443 ssl) before exposing this beyond a lab.
server {
    listen 80;
    server_name harbor.li.org;
    # Allow large image layers through (nginx's default limit is 1m).
    client_max_body_size 10g;
    location / {
      # NOTE(review): no proxy_set_header Host / X-Forwarded-* is passed, so
      # Harbor sees the proxy's upstream name as Host; confirm against
      # Harbor's reverse-proxy guidance that this is enough for the URLs it
      # returns during blob uploads.
      proxy_pass http://harbor;
    }
}

客户端的 daemon.json 里把代理的域名也加进 insecure-registries(经代理仍是明文 HTTP),并在 /etc/hosts 把该域名指向代理机,然后用域名上传镜像
[root@ubuntu2004 ~]#vim /etc/docker/daemon.json
"insecure-registries": ["10.0.0.101","10.0.0.102","harbor.li.org"]
vim /etc/hosts
10.0.0.104 harbor.li.org

https安全实现

https步骤如下:
创建单独放证书的目录:
[root@ubuntu2004 certs]#pwd
/data/harbor/certs
生成 CA 私钥(ca.key 是整条信任链的根,生成后立刻 chmod 600 并妥善保管,最好不要留在对外提供服务的 harbor 机器上;下面的 genrsa 没有加 -aes256,私钥文件本身是未加密的)
[root@ubuntu2004 certs]#openssl genrsa -out ca.key 4096
用该私钥生成自签名的 CA 证书(有效期 3650 天,CN=li.org;这就是后面要分发给各 docker 客户端去信任的根证书)
[root@ubuntu2004 certs]#openssl req -x509 -new -nodes -sha512 -days 3650 \-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=li.org" \-key ca.key \-out ca.crt
生成 harbor 服务器自己的私钥(与 CA 无关,是一把独立的密钥,同样要 chmod 600)
[root@ubuntu2004 certs]#openssl genrsa -out harbor.li.org.key 4096
生成harbor服务器证书申请
[root@ubuntu2004 certs]#openssl req -sha512 -new \-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.li.org" \-key harbor.li.org.key \-out harbor.li.org.csr
写 x509 v3 扩展配置文件(basicConstraints=CA:FALSE 说明这是叶子证书;extendedKeyUsage=serverAuth 限定只能作服务端证书;subjectAltName 必须包含客户端实际访问的主机名 harbor.li.org——现在的 docker/Go 客户端只校验 SAN、不看 CN。DNS.1=li.org 和 DNS.2=li 超出了 harbor 需要的范围,除非确实要用这两个名字访问,否则建议删掉)
[root@ubuntu2004 certs]#vim v3.ext
authorityKeyIdentifier=keyid,issuer 
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment 
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names 
 
[alt_names] 
DNS.1=li.org
DNS.2=li 
DNS.3=harbor.li.org
颁发harbor服务器证书
[root@ubuntu2004 certs]#openssl x509 -req -sha512 -days 3650 \-extfile v3.ext \-CA ca.crt -CAkey ca.key -CAcreateserial \-in harbor.li.org.csr \-out harbor.li.org.crt

Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = harbor.li.org
Getting CA Private Key
把暂时不用的文件挪到一个目录里,只留下 harbor 的私钥和证书。注意:ca.crt 并非"不用"——它正是各 docker 客户端要信任的根证书,后面还要分发;ca.key 则应严格保护(600 权限,最好移出本机),以后签发/续签服务器证书才需要它
[root@ubuntu2004 certs]#ls
ca.crt  ca.key  ca.srl  harbor.li.org.crt  harbor.li.org.csr  harbor.li.org.key  v3.ext
[root@ubuntu2004 certs]#mkdir bak
[root@ubuntu2004 certs]#mv ca.crt  ca.key  ca.srl harbor.li.org.csr v3.ext bak/
[root@ubuntu2004 certs]#ls
bak  harbor.li.org.crt  harbor.li.org.key
修改 harbor 的 yml 文件,开启 https 并指定证书和私钥的路径(harbor.li.org.key 要保持 600 权限)
[root@ubuntu2004 certs]#vim /apps/harbor/harbor.yml
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/harbor/certs/harbor.li.org.crt
  private_key: /data/harbor/certs/harbor.li.org.key
重新生成配置文件
[root@ubuntu2004 certs]#cd /apps/harbor/
[root@ubuntu2004 harbor]#./prepare 
[root@ubuntu2004 harbor]#systemctl restart harbor.service
配置docker客户端使用https证书
转换证书后缀:docker 把 certs.d 目录下的 .cert(配合 .key)当作客户端证书(mTLS 用),把 .crt 当作受信任的 CA 证书;这里没有启用客户端证书,所以此步可不做。若要做,输入文件名应与上面生成的一致:
openssl x509 -inform PEM -in harbor.li.org.crt -out harbor.li.org.cert
在客户端创建与 harbor 访问地址同名的目录(目录名必须与 docker login/push 时使用的主机名完全一致,若用了非 443 端口则为 host:port)
mkdir -pv /etc/docker/certs.d/harbor.li.org/	
将证书拷到客户端服务器。官方文档是拷 ca.crt、服务器证书(.cert)和私钥(.key)三个,实际上 docker 校验服务端只需要一个以 .crt 结尾的受信任 CA 证书;.cert/.key 是客户端证书(mTLS)才用,这里没有启用,服务器私钥更不应该拷到任何客户端。拷 harbor.li.org.crt 也能通过校验(如本文所试),但拷 ca.crt 更合适——以后更换服务器证书时不必再次分发
scp harbor.li.org.crt 10.0.0.8:/etc/docker/certs.d/harbor.li.org
重启
[root@ubuntu2004 data]#systemctl restart docker