Episode 79: the Harbor private registry

Harbor overview

1. Docker Harbor has a visual web management interface that makes managing Docker images convenient, and provides image permission management and control for multiple projects.

2. Harbor's advantages:
Role-based access control: there are administrators and ordinary users. Ordinary users can be granted rights, for example push and pull only, and rights are managed per project.
Image-based replication policy: also tied to permissions, for example only certain users and groups may perform the corresponding operations on a project.
LDAP/AD support: domain control, for example a Nanjing site downloading from a Beijing Harbor.
The private registry's image is identified at both ends and the LAN addresses are mapped one to one. Data is transmitted through a tunnel with two layers of encryption: the first layer is the tunnel encryption, the second is data encryption, which makes it safe and reliable.
Image deletion and garbage collection: a recycle-bin mechanism.
Graphical UI: includes statistics such as traffic and image download popularity.
Audit: logs are of limited use here; auditing is done mainly with the help of ELK.
RESTful API: a defined web API specification that makes it convenient to call Harbor's interface and build on it.

3. Harbor is deployed as multiple Docker containers, so it can be deployed on any Linux distribution that supports Docker. (registry is its core component)

4. Compared with a bare registry, Harbor has the following advantages: richer functionality, graphical management, multi-user permissions, a role management mechanism and a security mechanism.

There are two types of parameters in the harbor.cfg configuration file.

Required parameters

If the user updates them and runs the install.sh script to reinstall Harbor, the parameters take effect. The specific parameters are as follows:

**hostname:** used to access the user interface and the registry service. It should be the IP address or fully qualified domain name (FQDN) of the target machine,
for example 192.168.35.40 or hub.klj.cn. Do not use localhost or 127.0.0.1 as the hostname.
**ui_url_protocol:** (http or https, the default is http) the protocol used to access the UI and the token/notification service. If Notary is enabled, this parameter must be https. (The MySQL database is consulted during authentication, and then the token is granted.)
**max_job_workers:** the number of image replication job threads.
**db_password:** the password of the root user of the MySQL database used for db_auth.
**customize_crt:** this property can be set to on or off. It is on by default. When it is on, the prepare script creates the private key and root certificate used to generate and verify the registry token. When the key and root certificate are provided by an external source, set this property to off.
**ssl_cert:** the path of the SSL certificate, used only when the protocol is set to https.
**ssl_cert_key:** the path of the SSL key, used only when the protocol is set to https.
**secretkey_path:** the path of the key used to encrypt or decrypt the remote registry password in a replication policy.

Optional parameters

These parameters are optional to update: users can keep their default values and change them in the web UI after starting Harbor.
Values entered in harbor.cfg take effect only when Harbor is started for the first time. Subsequent updates to these parameters in the file are ignored.
Note: if you choose to set these parameters through the UI, make sure to do so immediately after starting Harbor. In particular, the required auth_mode must be set before registering or creating any new users in Harbor. Once there are users in the system (other than the default admin user), auth_mode cannot be modified. The specific parameters are as follows:

**email_* settings:** Harbor needs these to send "password reset" emails to users, and only when that function is required.
Note that SSL is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable it by setting email_ssl = true.
**harbor_admin_password:** the initial password of the administrator, which takes effect only when Harbor is started for the first time. After that this setting is ignored and the administrator's password should be set in the UI.
Note that the default username/password is admin/Harbor12345.
**auth_mode:** the authentication type used. By default it is db_auth, meaning credentials are stored in the database. For LDAP authentication, set it to ldap_auth.
**self_registration:** enables or disables user self-registration. When disabled, new users can only be created by the admin user; only administrator users can create new users in Harbor.
Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.
**token_expiration:** the expiration time (in minutes) of tokens created by the token service. The default is 30 minutes.
**project_creation_restriction:** a flag that controls which users have permission to create a project. By default everyone can create a project. If its value is set to "adminonly", only admin can create a project.
**verify_remote_cert:** on or off, on by default. This flag determines whether Harbor verifies SSL/TLS certificates when communicating with a remote registry instance. Setting it to off bypasses SSL/TLS certificate verification, which is often done when the remote instance has a self-signed or untrusted certificate.
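Several of the settings above decide the security posture of the whole registry (a hostname of 127.0.0.1, ui_url_protocol = http, the default admin password, verify_remote_cert = off, open self-registration), and they are easy to leave at their defaults. The following pre-flight lint, an added example that is not part of Harbor or of this article, reads a harbor.cfg in the "key = value" form documented above and prints one WARN line per risky setting. The two sample files it writes are constructed for the demonstration; the `cfg_get`, `harbor_cfg_lint` and `write_sample_cfgs` names are this example's own.

```shell
#!/bin/sh
# Added example (not Harbor's own tooling): pre-flight checks for harbor.cfg.
# Assumes the "key = value" line format documented above for Harbor 1.x.

# Print the value of one "key = value" line, surrounding whitespace removed.
cfg_get() {
    # $1 = path to harbor.cfg, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one WARN line per risky setting; always returns 0 so it can be piped.
harbor_cfg_lint() {
    cfg="$1"
    hname=$(cfg_get "$cfg" hostname)
    proto=$(cfg_get "$cfg" ui_url_protocol)
    cert=$(cfg_get "$cfg" ssl_cert)
    key=$(cfg_get "$cfg" ssl_cert_key)
    adminpw=$(cfg_get "$cfg" harbor_admin_password)
    verify=$(cfg_get "$cfg" verify_remote_cert)
    selfreg=$(cfg_get "$cfg" self_registration)
    authmode=$(cfg_get "$cfg" auth_mode)

    case "$hname" in
        ""|localhost|127.0.0.1)
            echo "WARN hostname: must be the external IP or FQDN, not '$hname'" ;;
    esac
    case "$proto" in
        https)
            [ -n "$cert" ] && [ -n "$key" ] ||
                echo "WARN ui_url_protocol=https but ssl_cert and ssl_cert_key are not both set" ;;
        *)
            echo "WARN ui_url_protocol=$proto: logins and tokens travel in clear text and every client needs --insecure-registry" ;;
    esac
    [ "$adminpw" = "Harbor12345" ] &&
        echo "WARN harbor_admin_password is still the documented default"
    [ "$verify" = "off" ] &&
        echo "WARN verify_remote_cert=off: replication will not verify the remote registry certificate"
    if [ "$authmode" = "db_auth" ] && [ "$selfreg" = "on" ]; then
        echo "WARN self_registration=on: anyone who can reach the UI can create an account"
    fi
    return 0
}

# Number of WARN lines for one file (prints a number, exit status always 0).
harbor_cfg_lint_count() {
    harbor_cfg_lint "$1" | grep -c '^WARN' || true
}

# Constructed sample files for the demo: one risky, one hardened. $1 = scratch dir.
write_sample_cfgs() {
    cat > "$1/risky.cfg" <<'EOF'
hostname = 127.0.0.1
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
verify_remote_cert = off
EOF
    cat > "$1/hardened.cfg" <<'EOF'
hostname = hub.example.internal
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
harbor_admin_password = REPLACE-ME-AT-FIRST-START
auth_mode = db_auth
self_registration = off
verify_remote_cert = on
EOF
}

# Usage: sh harbor-cfg-lint.sh /usr/local/harbor/harbor.cfg
if [ "$#" -eq 1 ]; then
    harbor_cfg_lint "$1"
fi
```

Run it against the real file before install.sh (or before the prepare script when reconfiguring); an empty output means none of the checked settings is at a risky value. The hostname and protocol checks matter most: with http, every client has to be told to trust the registry without TLS, which is exactly the --insecure-registry workaround used later in this article.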

Deploy the Harbor service

Download the Harbor installer:

```bash
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
# or upload the archive harbor-offline-installer-v1.2.2.tgz
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
```

Configure the Harbor parameter file (line 5 of the file is the hostname):

```bash
vim /usr/local/harbor/harbor.cfg
hostname = 192.168.8.153    ## change to this machine's address
```

Start Harbor. Before starting, confirm that docker-compose is installed:

```bash
[root@harbor ~]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3
[root@harbor ~]# sh /usr/local/harbor/install.sh    ## runs the startup scripts shipped with Harbor (docker-compose)
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db          ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----
```

Check the containers Harbor started:

```bash
[root@harbor harbor]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose ps    ## list the currently running containers
[root@harbor harbor]# cat /usr/local/harbor/docker-compose.yml    ## file contents; details of the 7 components
```

Visit the Harbor UI: open http://192.168.8.153 in a browser. The default administrator username and password are admin/Harbor12345.

Log in to Harbor from the local command line. On the Harbor server itself, use the docker command against 127.0.0.1 to log in and push images. By default the registry listens on port 80.

```bash
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Non-local Harbor operations: the steps above were run on the Harbor server itself. If another client pushes images to Harbor, it gets the error below. The cause is that Docker talks to a registry over HTTPS by default, whereas this private registry was set up as an HTTP service, so the interaction with it fails:

```bash
[root@client ~]# docker login -u admin -p Harbor12345 http://192.168.8.153    ## non-local login fails
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.152.130/v2/: EOF
```

Tell the client's Docker daemon to treat the private registry as insecure, then reload the unit and restart the daemon:

```bash
[root@client ~]# vim /usr/lib/systemd/system/docker.service    ## point at the private registry address (line 13)
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.152.130 --containerd=/run/containerd/containerd.sock
[root@client ~]# systemctl daemon-reload
[root@client ~]# systemctl restart docker
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://192.168.8.153
......
Login Succeeded
```
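The --insecure-registry flag makes dockerd accept an untrusted certificate, or fall back to plain HTTP, for that one host, so credentials and image layers are no longer protected in transit. Docker's supported alternative is to run Harbor with ui_url_protocol = https and install the certificate authority that signed its certificate under /etc/docker/certs.d/<registry-host>/ca.crt on each client, which keeps TLS verification on. The following added example (not Docker's or Harbor's own code) shows both sides: `registry_trust_mode` reports whether a given docker.service unit file marks a host as insecure or whether a CA is installed for it, and `trust_registry_ca` installs the CA. DOCKER_CERTS_DIR defaults to Docker's real path and is overridable so the demo can run without root; the function names and the sample unit line are this example's own.

```shell
#!/bin/sh
# Added example (not Docker's or Harbor's own code): contrast the
# --insecure-registry workaround with trusting the registry CA via certs.d.

# Docker reads per-registry CA certificates from here; overridable for tests.
DOCKER_CERTS_DIR="${DOCKER_CERTS_DIR:-/etc/docker/certs.d}"

# Print "insecure" if the unit file $1 passes --insecure-registry for host $2,
# "verified" if a CA certificate is installed for it, else "unknown".
registry_trust_mode() {
    unit="$1"; host="$2"
    # escape the dots so 192.168.152.130 does not also match 192x168x152x130
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    if grep -Eq -- "--insecure-registry(=|[[:space:]]+)$host_re([[:space:]]|\$)" "$unit"; then
        echo insecure
    elif [ -f "$DOCKER_CERTS_DIR/$host/ca.crt" ]; then
        echo verified
    else
        echo unknown
    fi
}

# Install the CA PEM $2 so dockerd verifies the TLS certificate of registry $1
# instead of skipping verification. Returns 1 if $2 is not a PEM certificate.
trust_registry_ca() {
    host="$1"; ca="$2"
    grep -q 'BEGIN CERTIFICATE' "$ca" || {
        echo "not a PEM certificate: $ca" >&2
        return 1
    }
    # for a real certificate also run: openssl x509 -in "$ca" -noout
    mkdir -p "$DOCKER_CERTS_DIR/$host"
    cp "$ca" "$DOCKER_CERTS_DIR/$host/ca.crt"
    chmod 644 "$DOCKER_CERTS_DIR/$host/ca.crt"
}

# Usage on a client:
#   registry_trust_mode /usr/lib/systemd/system/docker.service 192.168.8.153
#   trust_registry_ca 192.168.8.153 /path/to/harbor-ca.crt
if [ "$#" -eq 2 ]; then
    registry_trust_mode "$1" "$2"
fi
```

The registry host used in the certs.d directory name must match the name or address clients put in image references (192.168.8.153/mytest/cirros:1 above), since that is what dockerd looks up. Once the CA is trusted, the --insecure-registry flag can be removed from ExecStart and the daemon restarted.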

Test pulling and pushing an image:

```bash
[root@client ~]# docker pull cirros
[root@client ~]# docker tag cirros 192.168.8.153/myproject-kgc/cirros:v2
[root@harbor harbor]# docker tag cirros:latest 192.168.8.153/mytest/cirros:1
[root@harbor harbor]# docker push 192.168.8.153/mytest/cirros:1
```

Harbor user management:
Create a Harbor user: System management -> User management -> + User -> enter the username, email address, full name and password.
Verify that user zhangsan can download as a developer (run on the client):

```bash
[root@harbor harbor]# docker rmi 192.168.8.153/mytest/cirros    ## remove the previously downloaded image
[root@harbor harbor]# docker pull 192.168.8.153/mytest/cirros:latest    ## pull the image
```

Maintaining Harbor:
docker-compose can be used to manage Harbor. Its commands must be run from the same directory as docker-compose.yml.
Modifying the harbor.cfg configuration file:
To change Harbor's configuration, first stop the running Harbor instance and update harbor.cfg; then run the prepare script to regenerate the configuration; finally recreate and start the Harbor instance.
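The reconfigure sequence just described, written as one shell function; this is an added example, not a script shipped with Harbor. It enforces the "same directory" caveat by refusing to run unless both docker-compose.yml and harbor.cfg are present, runs the four steps in order (stop, edit, prepare, start), and with DRY_RUN=1 prints the commands instead of executing them so the flow can be checked on a machine without Docker. HARBOR_DIR defaults to the /usr/local/harbor path used in this article; the `run`, `harbor_reconfigure` and HARBOR_EDIT names are this example's own.

```shell
#!/bin/sh
# Added example (not Harbor's own script): stop, edit, prepare, start.
HARBOR_DIR="${HARBOR_DIR:-/usr/local/harbor}"

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Apply a harbor.cfg change to a running Harbor. $1 = Harbor directory
# (defaults to HARBOR_DIR). HARBOR_EDIT (or EDITOR) is the program used to
# edit harbor.cfg between stopping and re-preparing the instance.
harbor_reconfigure() {
    dir="${1:-$HARBOR_DIR}"
    # docker-compose resolves the project from the working directory, so refuse
    # to run anywhere that does not hold Harbor's compose file and config.
    if [ ! -f "$dir/docker-compose.yml" ] || [ ! -f "$dir/harbor.cfg" ]; then
        echo "no Harbor installation (docker-compose.yml + harbor.cfg) in $dir" >&2
        return 1
    fi
    (
        cd "$dir" || exit 1
        # 1. stop and remove the running instance
        run docker-compose down -v || exit 1
        # 2. update harbor.cfg
        run ${HARBOR_EDIT:-${EDITOR:-vi}} harbor.cfg || exit 1
        # 3. regenerate the component configuration from harbor.cfg
        run ./prepare || exit 1
        # 4. recreate and start the instance
        run docker-compose up -d
    )
}

# Usage: DRY_RUN=1 sh harbor-reconfigure.sh   (prints the steps)
#        sh harbor-reconfigure.sh              (applies them)
if [ "${HARBOR_RECONFIGURE_MAIN:-0}" = 1 ]; then
    harbor_reconfigure "$HARBOR_DIR"
fi
```

Because step 1 takes the registry down, schedule it outside busy periods; step 3 is what turns the edited harbor.cfg into the per-component configuration, so skipping it leaves the containers on the old settings.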

Tags: Docker

Posted on Tue, 14 Sep 2021 21:24:34 -0400 by VapiD