Docker Harbor private registry

1. Introduction to Harbor
Harbor is deployed as a set of Docker containers, so it can run on any Linux distribution that supports Docker.

The server host needs Python, Docker and Docker Compose installed.

Harbor can also run on Kubernetes (k8s).

Harbor is a project for managing container images, and it makes that management easy.

II. Deployment of Harbor Services

Experimental environment:
Harbor server: 192.168.100.21, docker, docker-compose, harbor
Client: 192.168.100.22, docker

The first host acts as the private registry; the second host acts as a client used to verify access.

1. Download the package

[root@docker ~]# hostnamectl set-hostname harbor
[root@docker ~]# su
[root@harbor ~]# yum install wget -y; wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
[root@harbor ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

2. Configuration file parameters

Required parameters
These parameters must be set before installation. If an administrator wants to change them later, Harbor must be reinstalled after editing the file for the change to take effect.

Optional parameters
These parameters are optional: administrators can leave them at their defaults and modify them from the web UI after startup.

Values set for them in harbor.cfg take effect only when Harbor is started for the first time; later changes to these parameters in the file are ignored by Harbor.

Remarks:

If you choose to set these parameters through the web UI, do so as admin (the administrator user) after starting Harbor. auth_mode cannot be changed once Harbor contains users other than admin, so set it early.

[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common  docker-compose.clair.yml  docker-compose.notary.yml  docker-compose.yml  harbor_1_1_0_template  harbor.cfg  harbor.v1.2.2.tar.gz  install.sh  LICENSE  NOTICE  prepare  upgrade
[root@harbor harbor]# vim /usr/local/harbor/harbor.cfg
Change hostname on the fifth line to the local IP address. Do not use localhost or 127.0.0.1, because Harbor must be reachable by external clients.
hostname = 192.168.100.21

## Configuration file of Harbor

#The IP address or hostname used to access the admin UI and the registry service.
#Do not use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = reg.mydomain.com

#Protocol used to access UI and token/notification services, http by default.
#If ssl is enabled on nginx, it can be set to https.
ui_url_protocol = http

#The password for the root user of the MySQL database (used with db_auth); change it before any production use. User authentication data is stored in MySQL: at login the submitted password is compared against it and, if it matches, the user is issued a temporary token valid for 30 minutes.
db_password = root123

#Maximum number of image replication job workers.
max_job_workers = 3 

#Determines whether certificates are generated for registry tokens.
#If the value is on, the prepare script creates a new root certificate and private key to generate a token to access the registry. If the value is off, the default key/certificate is used, and the root certificate/key from an external source can also be specified.
#This flag also controls the creation of notary certificates.
customize_crt = on

#Paths of the cert and key files for nginx; they apply only when the protocol is set to https.
#The certificate path.
ssl_cert = /data/cert/server.crt
#The key path.
ssl_cert_key = /data/cert/server.key

#Path of the key store used to encrypt or decrypt the remote registry password in a replication policy.
secretkey_path = /data

#Admiral's URL; comment this property out or set it to NA when Harbor runs standalone.
admiral_url = NA

#Password for Clair's postgres database; used only when Harbor is deployed with Clair.
#Set it before deployment: changing it afterwards will stop Clair's API server and Harbor from accessing Clair's database.
clair_db_password = password

#Note: the attributes between the begin and end initial-properties markers take effect only at first boot; subsequent changes to them must be made in the web UI.

#**** Begin initial properties ****  The parameters below this line are optional; those above it are required.

#E-mail account settings for sending password reset e-mails.

#The e-mail server authenticates on the TLS connection to the host with the given user name and password and acts as the identity.
#Leave the identity blank to use the user name as the identity.
email_identity = 
#Harbor needs these parameters only to send password reset e-mails to users, i.e. only if that feature is required.
#Note that SSL connections are not enabled by default. If your SMTP server requires SSL but does not support STARTTLS,
#enable SSL by setting email_ssl = true.
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

##The initial password of the Harbor administrator takes effect only on the first start of Harbor.
#It has no effect after the first boot.
#Change the administrator password from the web UI after startup. The default username/password is admin/Harbor12345.
harbor_admin_password = Harbor12345

##By default, the authentication mode is db_auth, where credentials are stored in the local database.
#If you want to authenticate the user's credentials against the LDAP server, set it to ldap_auth.
auth_mode = db_auth

#url of ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

# DN of a user with search LDAP/AD server privileges.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#Password for ldap_searchdn
#ldap_search_pwd = password

#Base DN used to find users in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search for LDAP/AD filters to ensure that the syntax of the filters is correct.
#ldap_filter = (objectClass=person)

#The attribute used to match users in a search; it can be uid, cn, email, sAMAccountName or another attribute, depending on your LDAP/AD.
ldap_uid = uid

#Scope of search users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3 

#Timeout (in seconds) when connecting to the LDAP server. The default (and most reasonable) value is 5 seconds.
ldap_timeout = 5

#Turn self-registration on or off; when it is off, only administrator users can create new users in Harbor.
#Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.
self_registration = on

#Expiration time (in minutes) of tokens created by the token service; defaults to 30 minutes.
token_expiration = 30

#Flag controlling which users may create projects.
#The default value "everyone" allows every user to create projects.
#Set it to "adminonly" so that only administrator users can create projects.
project_creation_restriction = everyone

#Determines whether the job service verifies the SSL certificate when connecting to a remote registry.
#Setting this flag to off bypasses SSL/TLS certificate verification; it is commonly used when the remote instance has a self-signed or otherwise untrusted certificate.
verify_remote_cert = on
#************************************End Initial Properties******************
#############
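A pre-install sanity check for the settings explained above, added here as an example (it is not part of Harbor or of the original post): it reads key = value lines from a harbor.cfg and flags the values the comments warn about. The function names cfg_get and check_harbor_cfg and the sample file are constructed for this example.

```shell
# Added example (not Harbor's own code): sanity-check harbor.cfg before install.sh.
# Flags a loopback hostname, plain http, the shipped default passwords and
# disabled remote certificate verification, per the settings explained above.

# cfg_get FILE KEY: value of KEY (first uncommented match, trailing blanks trimmed)
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_harbor_cfg FILE: one line per finding; exit status = number of findings
check_harbor_cfg() {
    cfg="$1"; n=0
    case "$(cfg_get "$cfg" hostname)" in
        ""|localhost|127.0.0.1)
            echo "hostname: must be the host's reachable IP or FQDN, not loopback"
            n=$((n + 1)) ;;
    esac
    if [ "$(cfg_get "$cfg" ui_url_protocol)" != "https" ]; then
        echo "ui_url_protocol: http sends docker login credentials in clear text"
        n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password: still the documented default"
        n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" db_password)" = "root123" ]; then
        echo "db_password: still the shipped default"
        n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" verify_remote_cert)" != "on" ]; then
        echo "verify_remote_cert: off disables TLS verification for replication"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample mirroring the defaults shown above (not a real deployment file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#hostname = reg.mydomain.com
hostname = 192.168.100.21
ui_url_protocol = http
db_password = root123
harbor_admin_password = Harbor12345
verify_remote_cert = on
EOF
check_harbor_cfg "$sample" || echo "$? setting(s) need attention before install.sh"
rm -f "$sample"
```

Run it against /usr/local/harbor/harbor.cfg before install.sh; a non-zero exit status means at least one finding was printed.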

In addition, by default Harbor stores images on the local file system. In a production environment you might consider a different storage backend, for example S3, OpenStack Swift or Ceph; in that case common/templates/registry/config.yml has to be updated accordingly.

docker-compose.yml describes the arrangement of the containers; some of them mount volumes on the host for persistent storage.
The file defines several containers, such as:

a registry container, with volumes mounted for image storage;

a log container;

a MySQL database container, in which image metadata is stored;

the jobservice container;

the proxy (nginx) container.

These containers communicate over a shared network.

View install.sh
install.sh calls docker-compose with docker-compose.yml; that YAML file orchestrates and starts the set of containers.

3. Install Harbor

[root@harbor harbor]# cd /usr/local/harbor
[root@harbor harbor]# sh /usr/local/harbor/install.sh
.....
Creating nginx              ... done
Creating harbor-jobservice  ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.100.21.
For more details, please visit https://github.com/vmware/harbor .

[root@harbor common]# ps aux|grep nginx
root      46553  0.0  0.0  32372  3224 ?        Ss   23:27   0:00 nginx: master process nginx -g daemon off;
nfsnobo+  46655  0.0  0.0  32748  1776 ?        S    23:27   0:00 nginx: worker process
nfsnobo+  46656  0.0  0.0  32748  1776 ?        S    23:27   0:00 nginx: worker process
nfsnobo+  46657  0.0  0.0  32748  1776 ?        S    23:27   0:00 nginx: worker process
nfsnobo+  46658  0.0  0.0  32748  1520 ?        S    23:27   0:00 nginx: worker process
root      47033  0.0  0.0 112824   984 pts/0    S+   23:27   0:00 grep --color=auto nginx

Note: docker-compose must also be installed on the host.

View the containers and images

[root@harbor ~]# docker ps -a
CONTAINER ID   IMAGE                              COMMAND                  CREATED             STATUS                           PORTS                                                                                                                 NAMES
450db62916ff   vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   About an hour ago   Up About an hour                                                                                                                                       harbor-jobservice
8245baf10c89   vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   About an hour ago   Up About an hour                 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:4443->4443/tcp, :::4443->4443/tcp   nginx
ad9000705968   vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      About an hour ago   Up About an hour                                                                                                                                       harbor-ui
e04f67ed937d   vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   About an hour ago   Up About an hour                 3306/tcp                                                                                                              harbor-db
a25564c2b140   vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   About an hour ago   Up About an hour                 5000/tcp                                                                                                              registry
5a3251439564   vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   About an hour ago   Up About an hour                                                                                                                                       harbor-adminserver
735fd7c98469   vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   About an hour ago   Up About an hour                 127.0.0.1:1514->514/tcp                                                                                               harbor-log
3fa91c2d3f5f   compose_nginx_nginx                "/usr/local/nginx/sb..."   5 days ago          Exited (255) About an hour ago   0.0.0.0:1216->80/tcp, :::1216->80/tcp, 0.0.0.0:1217->443/tcp, :::1217->443/tcp                                        compose_nginx_nginx_1
[root@harbor ~]# docker images
REPOSITORY                   TAG               IMAGE ID       CREATED         SIZE
compose_nginx_nginx          latest            19d68c8db762   5 days ago      308MB
<none>                       <none>            3214fff1b536   5 days ago      204MB
centos                       stress            cc9f380c2556   5 days ago      520MB
192.168.100.21:5000/nginx    latest            8ac85260ea00   5 days ago      205MB
nginx                        v1                8ac85260ea00   5 days ago      205MB
nginx                        latest            822b7ec2aaf2   11 days ago     133MB
registry                     latest            b2cb11db9d3d   13 days ago     26.2MB
nginx                        1.21              8345d48257de   13 days ago     132MB
redis                        6.2-alpine3.14    f6f2296798e9   2 weeks ago     32.3MB
busybox                      latest            42b97d3c2ae9   3 weeks ago     1.24MB
nginx                        lnmp              dd34e67e3371   4 weeks ago     133MB
127.0.0.1/lvlq/cirros        vers1             f9cae1daf5f6   6 months ago    12.6MB
192.168.100.21/lvlq/cirros   vers1             f9cae1daf5f6   6 months ago    12.6MB
cirros                       latest            f9cae1daf5f6   6 months ago    12.6MB
hello-world                  latest            d1165f221234   6 months ago    13.3kB
centos                       7                 8652b9f0cb4c   10 months ago   204MB
vmware/harbor-log            v1.2.2            36ef78ae27df   3 years ago     200MB
vmware/harbor-jobservice     v1.2.2            e2af366cba44   3 years ago     164MB
vmware/harbor-ui             v1.2.2            39efb472c253   3 years ago     178MB
vmware/harbor-adminserver    v1.2.2            c75963ec543f   3 years ago     142MB
vmware/harbor-db             v1.2.2            ee7b9fa37c5d   3 years ago     329MB
vmware/nginx-photon          1.11.13           6cc5c831fc7f   3 years ago     144MB
vmware/registry              2.6.2-photon      5d9100e4350e   4 years ago     173MB
vmware/postgresql            9.6.4-photon      c562762cbd12   4 years ago     225MB
vmware/clair                 v2.0.1-photon     f04966b4af6c   4 years ago     297MB
vmware/harbor-notary-db      mariadb-10.1.10   64ed814665c6   4 years ago     324MB
vmware/notary-photon         signer-0.5.0      b1eda7d10640   4 years ago     156MB
vmware/notary-photon         server-0.5.0      6e2646682e3c   4 years ago     157MB
photon                       1.0               e6e4e4a2ba1b   5 years ago     128MB

4. Log in to Harbor

Log in to the web UI at http://192.168.100.21/harbor/sign-in

Create a new project

View the Harbor-related containers

[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common                     docker-compose.yml     harbor.v1.2.2.tar.gz  NOTICE
docker-compose.clair.yml   harbor_1_1_0_template  install.sh            prepare
docker-compose.notary.yml  harbor.cfg             LICENSE               upgrade
[root@harbor harbor]#  docker-compose ps
       Name                     Command               State                  Ports
--------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp,:::443->443/tcp
                                                              , 0.0.0.0:4443->4443/tcp,:::4443->44
                                                              43/tcp,
                                                              0.0.0.0:80->80/tcp,:::80->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp

Note: docker-compose commands must be run from /usr/local/harbor/, the directory that contains docker-compose.yml.

5. Upload an image from the local terminal with docker push

Log in and push images locally through 127.0.0.1. By default the registry service listens on port 80.

192.168.100.21 can also be specified instead.

Log in first

[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Pull a small image for the later verification step. No registry is specified here, so by default the image is pulled from the public registry.

[root@harbor ~]# docker pull cirros
Status: Downloaded newer image for cirros:latest

Tags: Linux Operation & Maintenance Docker

Posted on Tue, 14 Sep 2021 23:37:46 -0400 by smordue