Centos8 部署Harbor私有仓库

背景介绍

Harbor是VMware公司开源的企业级Docker Registry项目,是一个用于存储和分发Docker镜像的企业级Registry服务器,可以用来构建企业内部的Docker镜像仓库。它在Docker的开源项目 Distribution的基础上,添加了一些企业需要的功能特性,如镜像同步复制、漏洞扫描和权限管理等。Harbor是CNCF维护的一个项目,它提供了遵从性、性能和互操作性,帮助您在Kubernetes和Docker等云本地计算平台上一致和安全地管理工件 。使命是成为Kubernetes受信任的本地云存储库

Harbor架构

image20211118202232107.png 如上图所描述,Harbor由6个大的模块所组成:

  • Proxy: Harbor的registry、UI、token services等组件,都处在一个反向代理后边。该代理将来自浏览器、docker clients的请求转发到后端服务上。
  • Registry: 负责存储Docker镜像,以及处理Docker push/pull请求。因为Harbor强制要求对镜像的访问做权限控制, 在每一次push/pull请求时,Registry会强制要求客户端从token service那里获得一个有效的token。
  • Core services: Harbor的核心功能,主要包括如下3个服务:
  • UI: 作为Registry Webhook, 以图像用户界面的方式辅助用户管理镜像。
    1. WebHook是在registry中配置的一种机制, 当registry中镜像发生改变时,就可以通知到Harbor的webhook endpoint。Harbor使用webhook来更新日志、初始化同步job等。
    1. Token service会根据该用户在一个工程中的角色,为每一次的push/pull请求分配对应的token。假如相应的请求并没有包含token的话,registry会将该请求重定向到token service。
    1. Database 用于存放工程元数据、用户数据、角色数据、同步策略以及镜像元数据。
  • Job services: 主要用于镜像复制,本地镜像可以被同步到远程Harbor实例上。
  • Log collector: 负责收集其他模块的日志到一个地方

环境部署

服务器 IP 组件
Harbor 192.168.169.204 docker-ce、docker-compose、harbor-offline
client 192.168.169.203 docker-ce

部署docker服务

#安装yum-utils
yum install -y yum-utils
#添加docker-ce.repo
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
#安装docker-ce
yum install -y docker-ce docker-ce-cli containerd.io --allowerasing
#启用docker服务,开机自启动
systemctl enable docker --now
#配置docker镜像加速
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << EOF
{
        "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"]
}
EOF
#重启docker服务
systemctl daemon-reload
systemctl restart docker

部署Docker-Compose服务

#进入官网下载compose
https://github.com/docker/compose/releases

image20211116223758976.png

#用winscp等软件,上传compose包到/usr/local/bin/
#修改名字
[root@localhost bin]# mv docker-compose-linux-x86_64 docker-compose
#修改权限,查看版本
[root@localhost bin]# chmod 755 docker-compose
[root@localhost ~]# docker-compose version

创建自签证书

创建自签证书用于tls加密,后面将用于对请求进行校验。 首先找到OpenSSL工具配置文件openssl.cnf,对于Centos,目录在/etc/pki/tls/中 image.png

修改openssl.cnf配置文件

编辑openssl.cnf,在[v3_ca]后面添加:subjectAltName = IP:域名|IP地址,大概位置在245行左右

#可是域名或者IP
subjectAltName = IP:192.168.169.204

image.png

创建自签证书

方法一:-subj指定证书信息

#创建证书存放目录
mkdir /data/cert/ -p
cd /data/cert/
openssl req -subj '/C=CN/ST=BeiJing/L=BeiJing/CN=192.168.169.204' -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
# -subj 通过C指定国家、ST指定省份、L指定区、CN指定域名或者IP

方法二:交互式生成

[root@localhost cert]# openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry2.key -out registry2.crt
Generating a RSA private key
......................+++++
........+++++
writing new private key to 'registry2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:ex
Organizational Unit Name (eg, section) []:ex
Common Name (eg, your name or your server's hostname) []:192.168.169.204 #输入Harbor服务器的IP或者域名
Email Address []:admin@example.com

部署Harbor

安装Harbor

#官网下载镜像,可选择离线安装包和在线安装文件,此文档选择下载离线安装包
https://github.com/goharbor/harbor/releases

image.png

#用winscp等工具,上传安装包至/usr/local/
[root@localhost bin]# cd /usr/local/
#解压Harbor
[root@localhost local]# tar -zxvf harbor-offline-installer-v2.3.4.tgz
harbor/harbor.v2.3.4.tar.gz
harbor/prepare
harbor/LICENSEHarbor
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl

修改安装脚本

[root@localhost cert]# cd /usr/local/harbor/
#复制配置样例harbor.yml.tmpl为harbor.yml,并修改harbor.yml文件
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
#修改Harbor hostname 域名或者IP
[root@localhost harbor]# cat harbor.yml | grep hostname
hostname: 192.168.169.204
#修改自签证书存放路径
[root@localhost harbor]# cat harbor.yml | grep registry
  certificate: /data/cert/registry.crt
  private_key: /data/cert/registry.key
#Harbor 默认用户名admin 密码Harbor12345

#创建日志目录
[root@localhost harbor]# mkdir /var/log/harbor/
#修改完成后,运行安装脚本
[root@localhost harbor]# ./install.sh

[Step 0]: checking if docker is installed ...  #检查docker是否安装

Note: docker version: 20.10.11

[Step 1]: checking docker-compose is installed ... #检查docker-compose是否安装

Note: docker-compose version: 2.1.1

[Step 2]: loading Harbor images ... #拉取Harbor需要的容器
103405848fd2: Loading layer [==================================================>]  37.24MB/37.24MB
bab588f83459: Loading layer [==================================================>]   8.75MB/8.75MB
5f0fc8804b08: Loading layer [==================================================>]  11.64MB/11.64MB
c28f2daf5359: Loading layer [==================================================>]  1.688MB/1.688MB
Loaded image: goharbor/harbor-portal:v2.3.4
.......
[Step 3]: preparing environment ... #准备环境

[Step 4]: preparing harbor configs ... #配置环境
prepare base dir is set to /usr/local/harbor
[Step 5]: starting Harbor ... #启动各个服务
[+] Running 9/9
 ⠿ Container harbor-log         Started                                                                                                                                                                               7.0s
......
✔ ----Harbor has been installed and started successfully.----

image.png

登录

网页登录https://IP或域名, 用户名为配置文件中的admin/Harbor12345,如有修改用修改后的密码。 image.png image.png

测试上传下载镜像

本机测试

登录测试

[root@localhost harbor]# docker login http://127.0.0.1
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

上传镜像

#daemon.json新增私有库地址
[root@localhost harbor]# cat /etc/docker/daemon.json
{
        "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
        "insecure-registries":["192.168.169.204"]
}
#重启docker服务
[root@localhost harbor]# systemctl restart docker
#重命名容器名
[root@localhost harbor]# docker tag centos 192.168.169.202/library/centos
[root@localhost harbor]# docker images | grep centos
centos                           latest    5d0da3dc9764   2 months ago   231MB
192.168.169.202/library/centos   latest    5d0da3dc9764   2 months ago   231MB
#修改/root/.docker/config.json配置文件
[root@Harbor harbor]# cat /root/.docker/config.json
{
        "auths": {
                "192.168.169.204": {
                        "auth": "YWRtaW46SGFyYm9yMTIzNDU="
                }
        }
}
[root@localhost harbor]# docker push 192.168.169.202/library/centos

客户端测试

登录测试

#配置私有仓库地址
[root@client ~]# cat /etc/docker/daemon.json
{
        "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
        "insecure-registries":["192.168.169.204"]
}
[root@client ~]# systemctl restart docker
[root@client ~]# docker login 192.168.169.204
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

上传镜像

[root@client ~]# docker pull 192.168.169.204/library/centos
Using default tag: latest
latest: Pulling from library/centos
a1d0c7532777: Pull complete
Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
Status: Downloaded newer image for 192.168.169.204/library/centos:latest
192.168.169.204/library/centos:latest

下载镜像

[root@client ~]# docker pull httpd
Using default tag: latest
latest: Pulling from library/httpd
eff15d958d66: Pull complete
ba1caf8ba86c: Pull complete
ab86dc02235d: Pull complete
600feb748d3c: Pull complete
635a49ba2501: Pull complete
Digest: sha256:758c3132b4775e8449ee5959240066546bda47be163f16c2493eb9dc1a148d05
Status: Downloaded newer image for httpd:latest
docker.io/library/httpd:latest
[root@client ~]# docker tag httpd 192.168.169.204/library/httpd
[root@client ~]# docker push 192.168.169.204/library/httpd
Using default tag: latest
The push refers to repository [192.168.169.204/library/httpd]

image.png

常见报错

x509: cannot validate certificate for <ipaddress> because it doesn't contain any IP SANs

#OpenSSL工具配置文件openssl.cnf,对于Centos,目录在/etc/pki/tls/中
#可是域名或者IP
vim /etc/pki/tls/openssl.cnf
subjectAltName = IP:192.168.169.204

未创建Harbor日志目录

#Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /var/log/harbor/

x509: certificate signed by unknown authority

解决方法:daemon.json新增私有库地址,每一段用逗号隔开

[root@localhost harbor]# cat /etc/docker/daemon.json
{
        "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
        "insecure-registries":["192.168.169.204"]
}
#重启docker服务,再进行测试
[root@localhost harbor]# systemctl restart docker

action: push: unauthorized to access repository

当Harbor配置完成后,发现无法push。原因是/root/.docker/config.json 和daemon.json 中insecure-registries设的主机名不一致导致的。

#authorized: unauthorized to access repository: library/centos, action: push: unauthorized to access repository: library/centos, action: push

[root@Harbor harbor]# cat /root/.docker/config.json
{
        "auths": {
                "192.168.169.204": {
                        "auth": "YWRtaW46SGFyYm9yMTIzNDU="
                }
        }
}
[root@Harbor harbor]# cat /etc/docker/daemon.json
{
        "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"],
        "insecure-registries":["192.168.169.204"]
}