Centos8 部署Harbor私有仓库
背景介绍
Harbor是VMware公司开源的企业级Docker Registry项目,是一个用于存储和分发Docker镜像的企业级Registry服务器,可以用来构建企业内部的Docker镜像仓库。它在Docker的开源项目 Distribution的基础上,添加了一些企业需要的功能特性,如镜像同步复制、漏洞扫描和权限管理等。Harbor是CNCF维护的一个项目,它提供了遵从性、性能和互操作性,帮助您在Kubernetes和Docker等云本地计算平台上一致和安全地管理工件 。使命是成为Kubernetes受信任的本地云存储库
Harbor架构
如上图所描述,Harbor由6个大的模块所组成:
- Proxy: Harbor的registry、UI、token services等组件,都处在一个反向代理后边。该代理将来自浏览器、docker clients的请求转发到后端服务上。
- Registry: 负责存储Docker镜像,以及处理Docker push/pull请求。因为Harbor强制要求对镜像的访问做权限控制, 在每一次push/pull请求时,Registry会强制要求客户端从token service那里获得一个有效的token。
- Core services: Harbor的核心功能,主要包括如下3个服务:
- UI: 作为Registry Webhook, 以图像用户界面的方式辅助用户管理镜像。
-
WebHook
是在registry中配置的一种机制, 当registry中镜像发生改变时,就可以通知到Harbor的webhook endpoint。Harbor使用webhook来更新日志、初始化同步job等。
-
Token service
会根据该用户在一个工程中的角色,为每一次的push/pull请求分配对应的token。假如相应的请求并没有包含token的话,registry会将该请求重定向到token service。
-
Database
用于存放工程元数据、用户数据、角色数据、同步策略以及镜像元数据。
- Job services: 主要用于镜像复制,本地镜像可以被同步到远程Harbor实例上。
- Log collector: 负责收集其他模块的日志到一个地方
环境部署
服务器 | IP | 组件 |
---|---|---|
Harbor | 192.168.169.204 | docker-ce、docker-compose、harbor-offline |
client | 192.168.169.203 | docker-ce |
部署docker服务
#安装yum-utils
yum install -y yum-utils
#添加docker-ce.repo
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
#安装docker-ce
yum install -y docker-ce docker-ce-cli containerd.io --allowerasing
#启用docker服务,开机自启动
systemctl enable docker --now
#配置docker镜像加速
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"]
}
EOF
#重启docker服务
systemctl daemon-reload
systemctl restart docker
部署Docker-Compose服务
#进入官网下载compose
https://github.com/docker/compose/releases
#用winscp等软件,上传compose包到/usr/local/bin/
#修改名字
[root@localhost bin]# mv docker-compose-linux-x86_64 docker-compose
#修改权限,查看版本
[root@localhost bin]# chmod 755 docker-compose
[root@localhost ~]# docker-compose version
创建自签证书
创建自签证书用于tls加密,后面将用于对请求进行校验。 首先找到OpenSSL工具配置文件openssl.cnf,对于Centos,目录在/etc/pki/tls/中
修改openssl.cnf配置文件
编辑openssl.cnf,在[v3_ca]后面添加:subjectAltName = IP:域名|IP地址,大概位置在245行左右
#可是域名或者IP
subjectAltName = IP:192.168.169.204
创建自签证书
方法一:-subj指定证书信息
#创建证书存放目录
mkdir /data/cert/ -p
cd /data/cert/
openssl req -subj '/C=CN/ST=BeiJing/L=BeiJing/CN=192.168.169.204' -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
# -subj 通过C指定国家、ST指定省份、L指定区、CN指定域名或者IP
方法二:交互式生成
[root@localhost cert]# openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry2.key -out registry2.crt
Generating a RSA private key
......................+++++
........+++++
writing new private key to 'registry2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:ex
Organizational Unit Name (eg, section) []:ex
Common Name (eg, your name or your server's hostname) []:192.168.169.204 #输入Harbor服务器的IP或者域名
Email Address []:admin@example.com
部署Harbor
安装Harbor
#官网下载镜像,可选择离线安装包和在线安装文件,此文档选择下载离线安装包
https://github.com/goharbor/harbor/releases
#用winscp等工具,上传安装包至/usr/local/
[root@localhost bin]# cd /usr/local/
#解压Harbor
[root@localhost local]# tar -zxvf harbor-offline-installer-v2.3.4.tgz
harbor/harbor.v2.3.4.tar.gz
harbor/prepare
harbor/LICENSEHarbor
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
修改安装脚本
[root@localhost cert]# cd /usr/local/harbor/
#复制配置样例harbor.yml.tmpl为harbor.yml,并修改harbor.yml文件
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
#修改Harbor hostname 域名或者IP
[root@localhost harbor]# cat harbor.yml | grep hostname
hostname: 192.168.169.204
#修改自签证书存放路径
[root@localhost harbor]# cat harbor.yml | grep registry
certificate: /data/cert/registry.crt
private_key: /data/cert/registry.key
#Harbor 默认用户名admin 密码Harbor12345
#创建日志目录
[root@localhost harbor]# mkdir /var/log/harbor/
#修改完成后,运行安装脚本
[root@localhost harbor]# ./install.sh
[Step 0]: checking if docker is installed ... #检查docker是否安装
Note: docker version: 20.10.11
[Step 1]: checking docker-compose is installed ... #检查docker-compose是否安装
Note: docker-compose version: 2.1.1
[Step 2]: loading Harbor images ... #拉取Harbor需要的容器
103405848fd2: Loading layer [==================================================>] 37.24MB/37.24MB
bab588f83459: Loading layer [==================================================>] 8.75MB/8.75MB
5f0fc8804b08: Loading layer [==================================================>] 11.64MB/11.64MB
c28f2daf5359: Loading layer [==================================================>] 1.688MB/1.688MB
Loaded image: goharbor/harbor-portal:v2.3.4
.......
[Step 3]: preparing environment ... #准备环境
[Step 4]: preparing harbor configs ... #配置环境
prepare base dir is set to /usr/local/harbor
[Step 5]: starting Harbor ... #启动各个服务
[+] Running 9/9
⠿ Container harbor-log Started 7.0s
......
✔ ----Harbor has been installed and started successfully.----
登录
网页登录https://IP或域名, 用户名为配置文件中的admin/Harbor12345,如有修改用修改后的密码。
测试上传下载镜像
本机测试
登录测试
[root@localhost harbor]# docker login http://127.0.0.1
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传镜像
#daemon.json新增私有库地址
[root@localhost harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
"insecure-registries":["192.168.169.204"]
}
#重启docker服务
[root@localhost harbor]# systemctl restart docker
#重命名容器名
[root@localhost harbor]# docker tag centos 192.168.169.202/library/centos
[root@localhost harbor]# docker images | grep centos
centos latest 5d0da3dc9764 2 months ago 231MB
192.168.169.202/library/centos latest 5d0da3dc9764 2 months ago 231MB
#修改/root/.docker/config.json配置文件
[root@Harbor harbor]# cat /root/.docker/config.json
{
"auths": {
"192.168.169.204": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
[root@localhost harbor]# docker push 192.168.169.202/library/centos
客户端测试
登录测试
#配置私有仓库地址
[root@client ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
"insecure-registries":["192.168.169.204"]
}
[root@client ~]# systemctl restart docker
[root@client ~]# docker login 192.168.169.204
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传镜像
[root@client ~]# docker pull 192.168.169.204/library/centos
Using default tag: latest
latest: Pulling from library/centos
a1d0c7532777: Pull complete
Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
Status: Downloaded newer image for 192.168.169.204/library/centos:latest
192.168.169.204/library/centos:latest
下载镜像
[root@client ~]# docker pull httpd
Using default tag: latest
latest: Pulling from library/httpd
eff15d958d66: Pull complete
ba1caf8ba86c: Pull complete
ab86dc02235d: Pull complete
600feb748d3c: Pull complete
635a49ba2501: Pull complete
Digest: sha256:758c3132b4775e8449ee5959240066546bda47be163f16c2493eb9dc1a148d05
Status: Downloaded newer image for httpd:latest
docker.io/library/httpd:latest
[root@client ~]# docker tag httpd 192.168.169.204/library/httpd
[root@client ~]# docker push 192.168.169.204/library/httpd
Using default tag: latest
The push refers to repository [192.168.169.204/library/httpd]
常见报错
x509: cannot validate certificate for <ipaddress> because it doesn't contain any IP SANs
#OpenSSL工具配置文件openssl.cnf,对于Centos,目录在/etc/pki/tls/中
#可是域名或者IP
vim /etc/pki/tls/openssl.cnf
subjectAltName = IP:192.168.169.204
未创建Harbor日志目录
#Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /var/log/harbor/
x509: certificate signed by unknown authority
解决方法:daemon.json新增私有库地址,每一段用逗号隔开
[root@localhost harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
"insecure-registries":["192.168.169.204"]
}
#重启docker服务,再进行测试
[root@localhost harbor]# systemctl restart docker
action: push: unauthorized to access repository
当Harbor配置完成后,发现无法push。原因是/root/.docker/config.json 和daemon.json 中insecure-registries设的主机名不一致导致的。
#authorized: unauthorized to access repository: library/centos, action: push: unauthorized to access repository: library/centos, action: push
[root@Harbor harbor]# cat /root/.docker/config.json
{
"auths": {
"192.168.169.204": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
[root@Harbor harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
"insecure-registries":["192.168.169.204"]
}