1, Harbor overview
1. What is Harbor
- Harbor is an open source enterprise Docker Registry project from VMware. Its goal is to help users quickly build an enterprise-grade Docker Registry service.
- Built on Docker's open source Registry, Harbor adds the functions enterprise users need, such as a graphical management UI, role-based access control, AD/LDAP integration and audit logging. It also supports Chinese.
- Each Harbor component runs as a Docker container, and Docker Compose is used to deploy them. The Compose template for deploying Harbor is harbor/docker-compose.yml.
2. Harbor features
- Role-based access control: users and repositories are organized by project, and users can hold different roles within a project.
- Image replication policies: images can be replicated (synchronized) between multiple Harbor instances.
- LDAP/AD support: Harbor can integrate with the enterprise's existing AD/LDAP directory to authenticate and manage existing users.
- Image deletion and garbage collection: images can be deleted and the space they occupied reclaimed.
- Graphical user interface: users can browse and search the image repository and manage projects through a browser.
- Audit management: all operations on the image repository are recorded and can be traced for auditing.
- RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
- Relationship between Harbor and Docker Registry: Harbor essentially wraps Docker Registry and extends it with its own business logic.
3. Composition of Harbor
In terms of architecture, Harbor mainly consists of six components: Proxy, Registry, Core services, Database (harbor-db), Log collector (harbor-log) and Job services.
- Proxy: Harbor's Registry, UI, Token service and other components sit behind an nginx reverse proxy. The proxy forwards requests from browsers and Docker clients to the different back-end services.
- Registry: responsible for storing Docker images and handling Docker push/pull commands. Because access is controlled per user (different users have different read and write permissions on images), the Registry points to a Token service: every Docker pull/push request must carry a valid token, which the Registry verifies with the Token service's public key.
- Core services: the core functions of Harbor, mainly providing the following three services:
- UI (harbor-ui): provides a graphical interface for managing images on the Registry and authorizing users.
- Webhook: to learn about image status changes on the Registry in time, a Webhook is configured on the Registry that passes status changes to the UI module.
- Token service: responsible for issuing tokens for each Docker push/pull command according to user permissions. If a request from the Docker client to the Registry does not carry a token, it is redirected to the Token service; after obtaining a token, the client sends the request to the Registry again.
- Database (harbor-db): provides database services for the core services and stores data such as user permissions, audit logs and Docker image grouping information.
- Job services: mainly used for image replication; local images can be synchronized to remote Harbor instances.
- Log collector (harbor-log): collects the logs of the other components in one place.
Each Harbor component runs as a Docker container, so Docker Compose is used to deploy it.
There are seven containers in total. They can be listed by running docker-compose ps in the directory containing docker-compose.yml. Their names are nginx, harbor-jobservice, harbor-ui, harbor-db, harbor-adminserver, registry and harbor-log.
Among them, harbor-adminserver is mainly the back-end configuration data manager and has few other functions; all data operated on by harbor-ui goes through the harbor-adminserver configuration management center.
2, Harbor deployment
Harbor server: 192.168.50.40, Docker CE, Docker Compose, harbor-offline-installer-v1.2.2
Client: 192.168.50.50, Docker CE
1. Deploy the Docker Compose service
#Download (or upload) docker-compose
curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -v
2. Deploy the Harbor service
(1) Download (or upload) the Harbor installer package
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
(2) Modify the Harbor installation configuration file
vim /usr/local/harbor/harbor.cfg
--line 5-- set to the IP address or domain name of the Harbor server
hostname = 192.168.80.10
--line 59-- specify the initial administrator password; the default user name/password is admin/Harbor12345
harbor_admin_password = Harbor12345
======================================================
About harbor.cfg
There are two types of parameters in the configuration file: required and optional.
1. Required parameters: these parameters must be set in harbor.cfg. If the user updates them and runs the install.sh script to reinstall Harbor, the changes take effect. The parameters are:
●hostname: used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine, for example 192.168.80.10 or hub.kgc.cn. Do not use localhost or 127.0.0.1 as the hostname.
●ui_url_protocol: (http or https, default http) the protocol used to access the UI and the token/notification services. If Notary is enabled, this parameter must be https.
●max_job_workers: number of image replication job threads.
●db_password: the root password of the MySQL database used for db_auth.
●customize_crt: can be set to on or off; on by default. When on, the prepare script creates the private key and root certificate used to generate/validate registry tokens. Set it to off when the key and root certificate are provided by an external source.
●ssl_cert: path to the SSL certificate; applies only when the protocol is set to https.
●secretkey_path: path to the key used to encrypt or decrypt the remote registry password in replication policies.
●project_creation_restriction: flag that controls which users may create projects. By default everyone can create a project. If set to "adminonly", only admin can create projects.
●verify_remote_cert: on or off, on by default. This flag determines whether Harbor verifies the SSL/TLS certificate when communicating with a remote registry instance. Setting it to off bypasses SSL/TLS verification, which is often done when the remote instance has a self-signed or untrusted certificate.
In addition, by default Harbor stores images on the local file system. In a production environment, consider using another storage back end instead of the local file system, such as S3, OpenStack Swift, Ceph or other object storage; this requires updating the common/templates/registry/config.yml file.
========================================================
3. Start Harbor
cd /usr/local/harbor/
./install.sh
4. View the started Harbor containers
cd /usr/local/harbor/
docker-compose ps
5. Create a new project
(1) Open http://192.168.50.10 in a browser to log in to the Harbor Web UI. The default administrator user name and password are admin / Harbor12345.
(2) After entering the user name and password, you can create a new project. Click the "+ Project" button.
(3) Fill in the project name "myproject-kgc" and click OK to create the project.
(4) Docker commands can now log in and push images locally through 127.0.0.1. By default the Registry server listens on port 80.
//Log in to Harbor
docker login -u admin -p Harbor12345 http://127.0.0.1
//Download an image for testing
docker pull nginx
//Tag the image. Format: docker tag image:tag registry-IP/project-name/image-name:tag
docker tag nginx:latest 127.0.0.1/myproject-kgc/nginx:v1
//Upload the image to Harbor
docker push 127.0.0.1/myproject-kgc/nginx:v1
(5) In the Harbor Web UI, the image and its details can now be seen under the myproject-kgc project.
6. Upload images from another client
The above operations were performed locally on the Harbor server. If another client logs in to Harbor, the following error is reported. The cause is that the Docker Registry interaction defaults to HTTPS, while the private registry built here serves HTTP by default, so the interaction with the private registry fails:
docker login -u admin -p Harbor12345 http://192.168.50.10
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.50.10/v2/: dial tcp 192.168.50.10:443: connect: connection refused
(1) Configuration on the Docker client
//The solution is to add a startup parameter to the Docker daemon so that it uses HTTP for this registry.
vim /usr/lib/systemd/system/docker.service
--line 13-- modify
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.50.10 --containerd=/run/containerd/containerd.sock
or
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.50.10
//Restart Docker and log in again
systemctl daemon-reload
systemctl restart docker
//Log in to Harbor again
docker login -u admin -p Harbor12345 http://192.168.50.10
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Login Succeeded
//The credentials are saved automatically to /root/.docker/config.json, so the next login to Harbor can use the stored credentials directly.
//Download an image for testing
docker pull 192.168.50.10/myproject-kgc/nginx:v1
//Upload an image for testing
docker pull cirros
docker tag cirros:latest 192.168.50.10/myproject-kgc/cirros:v2
docker push 192.168.50.10/myproject-kgc/cirros:v2
(2) Refresh the Harbor Web management interface; the myproject-kgc project now contains two images.
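An added example, not from the original page, that checks a harbor.cfg for the required parameters explained in step 2 above (hostname, ui_url_protocol, verify_remote_cert, harbor_admin_password, project_creation_restriction) and reports the settings that leave the registry weak; the sample file is constructed here with the tutorial's values.

```shell
#!/bin/sh
# Added example, not from the original page: audit a harbor.cfg for weak
# settings. Keys are the ones the page lists; the sample is constructed.

# print the value of KEY ($2) from FILE ($1); harbor.cfg uses "key = value" lines
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# print one line per weak setting; prints nothing for a hardened file
audit_harbor_cfg() {
    cfg="$1"
    h=$(cfg_get "$cfg" hostname)
    case "$h" in
        ""|localhost|127.0.0.1) echo "hostname: must be the server IP or FQDN, got '${h:-unset}'" ;;
    esac
    [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ] \
        || echo "ui_url_protocol: http sends docker login credentials in clear text"
    [ "$(cfg_get "$cfg" verify_remote_cert)" != "off" ] \
        || echo "verify_remote_cert: off disables TLS verification for replication"
    [ "$(cfg_get "$cfg" harbor_admin_password)" != "Harbor12345" ] \
        || echo "harbor_admin_password: default password still set"
    [ "$(cfg_get "$cfg" project_creation_restriction)" = "adminonly" ] \
        || echo "project_creation_restriction: everyone may create projects"
}

# write a constructed harbor.cfg resembling the tutorial's values; print its path
sample_cfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Configuration file of Harbor (constructed sample)
hostname = 192.168.80.10
ui_url_protocol = http
max_job_workers = 3
customize_crt = on
verify_remote_cert = on
project_creation_restriction = everyone
harbor_admin_password = Harbor12345
EOF
    echo "$f"
}

# on the sample this reports three findings: http, default password, open project creation
audit_harbor_cfg "$(sample_cfg)"
```

Run it against /usr/local/harbor/harbor.cfg before ./install.sh or ./prepare; an empty report means the checked keys are set as a production deployment expects.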
3, Harbor maintenance and management
1. Create a project through Harbor Web
In a Harbor registry, an image must belong to a project before it can be pushed to the registry.
Click "+ Project" and fill in the project name. Leave the "Public" checkbox unchecked to make the project private. If the project is public, all users have read access to its images and can pull them without running "docker login" on the command line; image operations are otherwise the same as on Docker Hub.
2. Create Harbor user
(1) Create users and assign permissions
In the Web management interface, click Administration -> Users -> + User, fill in the user name "zhangsan", the e-mail address "email@example.com", the full name "Zhangsan", the password "Abc123456" and the comment "Administrator" (optional).
Note: after the user is created, the "..." button on the left can set the user as an administrator or delete it. This example makes no change.
(2) Add project members
Click Projects -> myproject -> Members -> + Member, fill in the user zhangsan created above and assign the role "Developer".
Note: the "..." button on the left changes or deletes the member role.
(3) Operate the image with a normal account on the client
Delete the local image tagged above
docker rmi 192.168.50.10/myproject/cirros:v2
Log out of the current user first, then log in with the account zhangsan created above
docker logout 192.168.50.10
docker login 192.168.50.10
//or, non-interactively:
docker login -u zhangsan -p Abc123456 http://192.168.50.10
Download and upload images for testing
docker pull 192.168.50.10/myproject/cirros:v2
docker tag cirros:latest 192.168.50.10/myproject/cirros:v3
docker push 192.168.50.10/myproject/cirros:v3
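An added example, not from the original page, for the tag-and-push workflow used here and in section 6 above: it validates a registry-IP/project/image:tag reference before docker tag and docker push (the tutorial's own commands mix up project names and hosts between the tag and the push), and logs in with --password-stdin, which the Docker warning quoted earlier recommends over -p. The names are the tutorial's; the password file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page. Validates a Harbor image
# reference (host/project/image:tag) before it is tagged and pushed, and
# logs in without putting the password on the command line.
# The password file path is an assumption; names come from the tutorial.

# print "host/project/image:tag"; fail with a message on an invalid component
harbor_ref() {
    host="$1"; project="$2"; image="$3"; tag="$4"
    [ -n "$host" ] || { echo "registry host is required" >&2; return 1; }
    # repository path components must be lower-case: a-z, 0-9, '.', '_', '-'
    for part in "$project" "$image"; do
        case "$part" in
            ""|*[!a-z0-9._-]*)
                echo "invalid name '$part': use lower-case a-z, 0-9, . _ - only" >&2
                return 1 ;;
        esac
    done
    # tags may contain upper case, but never '/' or ':'
    case "$tag" in
        ""|*[!A-Za-z0-9._-]*) echo "invalid tag '$tag'" >&2; return 1 ;;
    esac
    echo "$host/$project/$image:$tag"
}

# log in reading the password from a file (keep it mode 600), so it appears
# neither in the shell history nor in the process list; needs a docker daemon
harbor_login() {
    host="$1"; user="$2"; password_file="$3"
    docker login -u "$user" --password-stdin "$host" < "$password_file"
}

# tag a local image with a validated reference and push it
# usage: harbor_push LOCAL_IMAGE HOST PROJECT IMAGE TAG
harbor_push() {
    ref=$(harbor_ref "$2" "$3" "$4" "$5") || return 1
    docker tag "$1" "$ref" && docker push "$ref"
}

# usage (the docker calls need the --insecure-registry setup described above;
# /root/.harbor_pass is an assumed file holding zhangsan's password):
#   harbor_login 192.168.50.10 zhangsan /root/.harbor_pass
#   harbor_push cirros:latest 192.168.50.10 myproject cirros v3
```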
3. View log
4. Modify Harbor.cfg configuration file
To change optional parameters in the Harbor configuration file, stop the running Harbor instance and update harbor.cfg, then run the prepare script to regenerate the configuration, and finally recreate and start the Harbor instance.
When managing Harbor with Docker Compose, commands must be run in the directory that contains docker-compose.yml.
cd /usr/local/harbor
docker-compose down -v
vim harbor.cfg #Only optional parameters can be modified
./prepare
docker-compose up -d
//If the following error is reported, the firewalld service needs to be started (or restarted):
Creating network "harbor_harbor" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-b53c314f45e8 -j RETURN: iptables: No chain/target/match by that name. (exit status 1))
systemctl restart firewalld.service
docker-compose up -d
5. Remove the Harbor service containers, keep the image data / database, and migrate
//Operate on the Harbor server
(1) Remove the Harbor service containers
docker-compose down -v
(2) Package the image data of the project
//Persistent data such as images and the database live in the host's /data/ directory; logs are in the host's /var/log/harbor/ directory
tar zcvf kgc-registry.tar.gz ./*
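An added example, not from the original page, for the migration step above: it archives the persistent data directory and the log directory into one tarball with relative member paths, writes a SHA-256 checksum beside it so the copy can be verified on the target host, and lists archive members for a sanity check. The directories are parameters (the tutorial's are /data and /var/log/harbor), so it can be exercised on any tree.

```shell
#!/bin/sh
# Added example, not from the original page: back up Harbor's persistent
# data and logs with a checksum. Run after docker-compose down -v so the
# registry and database are not being written while the archive is made.

# usage: backup_harbor DATA_DIR LOG_DIR OUT.tar.gz ; prints the archive path
backup_harbor() {
    data_dir="$1"; log_dir="$2"; out="$3"
    [ -d "$data_dir" ] || { echo "no such directory: $data_dir" >&2; return 1; }
    [ -d "$log_dir" ]  || { echo "no such directory: $log_dir" >&2; return 1; }
    # -C keeps archive members relative (data/..., harbor/...), never absolute,
    # so restoring cannot silently overwrite paths outside the target directory
    tar czf "$out" -C "$(dirname "$data_dir")" "$(basename "$data_dir")" \
                   -C "$(dirname "$log_dir")"  "$(basename "$log_dir")" || return 1
    # checksum written beside the archive; verify it after copying to the new host
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$(dirname "$out")" && sha256sum "$(basename "$out")") > "$out.sha256"
    else
        (cd "$(dirname "$out")" && shasum -a 256 "$(basename "$out")") > "$out.sha256"
    fi
    echo "$out"
}

# count archive members under PREFIX (e.g. data/registry); 0 means it is missing
backup_count() {
    tar tzf "$1" | grep -c "^$2/" || true
}

# usage on the Harbor server (paths from the tutorial):
#   backup_harbor /data /var/log/harbor /root/kgc-registry.tar.gz
#   backup_count /root/kgc-registry.tar.gz data/registry
```

On the target host, sha256sum -c kgc-registry.tar.gz.sha256 (or shasum -a 256 -c) confirms the archive arrived intact before it is unpacked into /.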
6. To redeploy from scratch, remove all data of the Harbor service containers
docker-compose down -v
rm -r /data/database
rm -r /data/registry