Building a private Docker registry with Harbor

Contents

1, Docker Harbor overview

1. Advantages of Harbor

2. Private Docker registry architecture

3. Harbor configuration file and related parameters

2, Building a private Docker registry with Harbor

1. Environment and requirements

2. Install docker-compose

3. Install harbor-offline-installer-v1.2.2

4. Configure the Harbor parameter file

5. View the Harbor images and containers

6. Create a project in the web UI

7. Harbor server test

8. Client test

3, Harbor user creation

1. Create a user

2. Client test

3. Test with the newly created user

4. Remove the Harbor service containers

1, Docker Harbor overview

Harbor is an open source, enterprise grade Docker Registry project from VMware. It adds a web management UI on top of the registry, which makes images easier to manage, and provides per project permission management and access control over images.

1. Advantages of harbor

Role based access control: there are administrators and ordinary users. Ordinary users are granted permissions per project, for example push and pull only, and are operated and managed on a per project basis.
Image replication policies: images can be synchronised to other Harbor instances according to a policy; who may configure replication is itself governed by permissions.
LDAP/AD support: Harbor can authenticate users against an existing LDAP or Active Directory directory instead of its own database, so accounts do not have to be duplicated in Harbor.
Image deletion and garbage collection: deleting an image removes it from the registry's view first, and the disk space is reclaimed by a separate garbage collection run.
Graphical UI: includes statistics such as traffic and image download popularity.
Auditing: Harbor logs operations on images; on its own the log is of limited use and is normally shipped to a stack such as ELK for analysis.
RESTful API: an HTTP interface that follows REST conventions, which makes it convenient to call Harbor programmatically and build on top of it.

2. Private Docker registry architecture

Explanation of the components in the architecture figure
Proxy: an nginx reverse proxy in front of everything; it receives requests from browsers and Docker clients and forwards them to the different back end services
Registry: stores the Docker images and handles docker push/pull
Core services: the core functions of Harbor, including the UI, webhooks and the token service that issues the bearer tokens a Docker client presents to the registry
Database: provides database services (MySQL in this version) for the core services
Log collector: collects the logs of the other components for later analysis

3.Harbor configuration file and related parameters

The Harbor configuration file is /usr/local/harbor/harbor.cfg (relative to where the installer was unpacked).

(1) Required parameters - after changing any of these you must re-run the install.sh script to reinstall Harbor before the change takes effect.

  • hostname
    • Used to access the user interface and the registry service.
    • It should be the IP address or fully qualified domain name (FQDN) of the target machine.
    • For example, 192.168.163.100 or test.com.
    • Do not use localhost or 127.0.0.1: Docker clients are sent to the token service at this address, so it must be reachable from them.
  • ui_url_protocol (parameter options: http or https, the default is http)
    • Protocol for accessing the UI and the token / notification services.
    • If Notary is enabled, this parameter must be https.
    • With http, passwords and registry bearer tokens cross the network in clear text; use https for anything beyond an isolated lab.
  • max_job_workers
    • Maximum number of worker threads for replication jobs.
  • db_password
    • Password of the root user of the MySQL database used by db_auth.
  • customize_crt
    • This property can be set to on or off. It is on by default.
    • When on, the prepare script creates a private key and root certificate used to sign and validate registry tokens.
    • Set it to off when the key and root certificate are provided by an external source.
  • ssl_cert
    • Path of the TLS certificate; only used when the protocol is set to https.
  • ssl_cert_key
    • Path of the TLS private key; only used when the protocol is set to https.
  • secretkey_path
    • Path of the key used to encrypt and decrypt the remote registry password stored in a replication policy.
    • Protect this file: anyone who can read the key together with the database can recover the stored remote registry credentials.

(2) Optional parameters

These parameters are optional: users can keep the default values and change them in the web UI after Harbor has started.
If they are set in harbor.cfg, they only take effect the first time Harbor is started; later changes to them in harbor.cfg are ignored.
Note: if you choose to set these parameters through the UI, do so immediately after starting Harbor. In particular, auth_mode must be set before any user registers or is created in Harbor.

  • auth_mode
    • Type of authentication used.
    • By default it is db_auth, that is, credentials are stored in Harbor's own database.
    • For LDAP authentication, set it to ldap_auth.
    • Once there are users in the system other than the default admin, auth_mode can no longer be changed.
  • email_* settings
    • Harbor needs these to send "password reset" emails to users, and only if that feature is required.
    • Note that SSL is not enabled by default. If the SMTP server requires SSL and does not support STARTTLS, enable it by setting email_ssl = true.
  • harbor_admin_password
    • The initial administrator password; it only takes effect the first time Harbor is started.
    • After that this setting is ignored and the administrator's password must be changed in the UI.
    • The default username / password is admin/Harbor12345. Change it before the registry is reachable by anyone else.
  • self_registration
    • Enables / disables self service user registration.
    • When disabled, new users can only be created by an admin user.
    • Note: when auth_mode is set to ldap_auth, self registration is always disabled and this flag is ignored.
  • token_expiration
    • Expiration time (minutes) of the tokens issued by the token service. The default is 30 minutes.
    • This is the bearer token the Docker client obtains for each push or pull using the credentials saved by docker login; the setting bounds how long a captured token stays usable and is not the lifetime of a web UI session.
  • project_creation_restriction
    • Controls which users are authorised to create projects.
    • By default, everyone can create a project.
    • If set to "adminonly", only admin can create projects.
  • verify_remote_cert
    • on or off, on by default.
    • Determines whether Harbor verifies the TLS certificate of the remote registry it replicates to.
    • off skips certificate verification, which is often done when the remote instance has a self signed or otherwise untrusted certificate; it also leaves the replication connection open to interception, so prefer trusting the remote CA instead.

In addition, by default Harbor stores images on the local file system. In a production environment consider another storage back end instead, such as S3, OpenStack Swift or Ceph; this requires updating the common/templates/registry/config.yml file.
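As an added example, not taken from the original post or from the Harbor project, the following Python script parses a harbor.cfg and flags the settings discussed above that leave the registry weak. The embedded sample configuration is constructed to match the lab setup used later in this post; the parameter names are the ones documented above, while the severity labels are this example's own choice.

```python
"""Audit a Harbor 1.x harbor.cfg for settings that weaken the registry.

Added example, not part of the original post or of Harbor. The sample
configuration below is constructed; the checks follow the parameter
descriptions above.
"""

DEFAULT_ADMIN_PASSWORD = "Harbor12345"          # documented default, must be changed
LOOPBACK_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def parse_harbor_cfg(text):
    """Parse the 'key = value' lines of harbor.cfg into a dict (comments and blanks ignored)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_harbor_cfg(cfg):
    """Return a list of (severity, parameter, message) findings for a parsed harbor.cfg."""
    findings = []
    if cfg.get("hostname", "") in LOOPBACK_HOSTS:
        findings.append(("high", "hostname", "must be the reachable IP or FQDN of the host, not loopback"))
    if cfg.get("ui_url_protocol", "http").lower() != "https":
        findings.append(("high", "ui_url_protocol", "http: passwords and bearer tokens travel in clear text"))
    else:
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append(("high", key, "https selected but no certificate/key path configured"))
    if cfg.get("harbor_admin_password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append(("high", "harbor_admin_password", "default admin password is still set"))
    if cfg.get("verify_remote_cert", "on").lower() == "off":
        findings.append(("medium", "verify_remote_cert", "replication skips TLS verification of the remote registry"))
    if cfg.get("self_registration", "on").lower() == "on" and cfg.get("auth_mode", "db_auth") == "db_auth":
        findings.append(("medium", "self_registration", "anyone who can reach the UI can create an account"))
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        findings.append(("low", "project_creation_restriction", "every user can create projects"))
    try:
        if int(cfg.get("token_expiration", "30")) > 30:
            findings.append(("low", "token_expiration", "registry tokens live longer than the 30 minute default"))
    except ValueError:
        findings.append(("low", "token_expiration", "not an integer"))
    return findings


# Constructed sample mirroring the lab configuration in this post (http, default admin password).
SAMPLE_CFG = """\
## Configuration file of Harbor (constructed sample)
hostname = 192.168.150.100
ui_url_protocol = http
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
verify_remote_cert = on
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for severity, key, message in audit_harbor_cfg(parse_harbor_cfg(text)):
        print(f"[{severity:6}] {key}: {message}")
```

Run it as `python3 audit.py /usr/local/harbor/harbor.cfg` before install.sh; against the lab configuration above it reports the http protocol, the default admin password, open self registration and unrestricted project creation.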

2, Building a private Docker registry with Harbor

1. Environment and requirements

host    | operating system | Host name / IP address | Main software and version
Harbor  | CentOS 7.6       | 192.168.32.15          | docker, docker-compose, harbor-offline-installer-v1.2.2
Client  | CentOS 7.6       | 192.168.32.16          | docker

(The command output captured later in the post was taken on a Harbor host with the address 192.168.150.100; substitute the address of your own registry host throughout.)

2. Install docker-compose

[root@harbor ~]# cd /usr/local/bin/
[root@harbor bin]# rz -E                  #Upload the docker-compose binary through the terminal (rz from lrzsz)
rz waiting to receive.
[root@harbor bin]# ls
docker-compose
[root@harbor bin]# chmod +x /usr/local/bin/docker-compose  #Make it executable

3. Install harbor-offline-installer-v1.2.2

(1) Online download

wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz

The address above is a third party mirror reached over plain HTTP. The tarball contains the container images that will run your registry, so prefer the release archive published by the Harbor project and verify its checksum before unpacking.

(2) Upload the package directly if you already have it

[root@harbor ~]# cd /usr/local/
[root@harbor local]# rz -E
rz waiting to receive.
[root@harbor local]# ls
harbor-offline-installer-v1.2.2.tgz ...
[root@harbor local]# tar zxvf harbor-offline-installer-v1.2.2.tgz
[root@harbor local]# ls
harbor  harbor-offline-installer-v1.2.2.tgz
[root@harbor local]# cd harbor
[root@harbor harbor]# ls
common                    docker-compose.notary.yml  harbor_1_1_0_template  harbor.v1.2.2.tar.gz  LICENSE  prepare
docker-compose.clair.yml  docker-compose.yml         harbor.cfg             install.sh            NOTICE   upgrade

4. Configure the Harbor parameter file

[root@harbor harbor]# vim harbor.cfg
...
hostname = 192.168.150.100           #Line 5, change to the IP address (or FQDN) of the registry host
harbor_admin_password = Harbor12345  #Line 59, default password Harbor12345 for user admin; change it before the first start

ui_url_protocol is left at its default of http in this walkthrough, which is what forces the insecure-registry workaround on the client later on.

[root@harbor harbor]# sh install.sh  #Generate the configuration, load the images and start Harbor
Note: docker version: 20.10.11

Note: docker-compose version: 1.21.1

[Step 1]: loading Harbor images ...
dd60b611baaa: Loading layer [=======================================>]  133.2MB/133.2MB
abf0579c40fd: Loading layer [=======================================>]  1.536kB/1.536kB
ea1fc7bed9c5: Loading layer [=======================================>]  22.48MB/22.48MB
1d6671367c69: Loading layer [=======================================>]  7.168kB/7.168kB
b322bb3e4765: Loading layer [=======================================>]  5.339MB/5.339MB

5. View the Harbor images and containers

(1) View the images loaded by the installer (docker images)

(2) View the containers (docker ps)

(3) Check that every service container is up (docker-compose ps, run from /usr/local/harbor)

6. Create a project in the web UI

Open http://192.168.150.100 in a browser; the default administrator username and password are admin/Harbor12345. Create a project (the tests below use a project named aaa).

7. Harbor server test

At this point you can use the Docker CLI on the server itself to log in and push images through 127.0.0.1; by default the registry is published on port 80. Docker treats loopback addresses as insecure registries by default, which is why this works over plain HTTP with no daemon configuration. Note the two warnings that follow: -p puts the password into the shell history and the process list (use --password-stdin instead), and docker login keeps it base64 encoded in ~/.docker/config.json unless a credential helper is configured.

(1) Log in to the local registry

[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

(2) Pull an image for testing

[root@harbor harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
e5ae68f74026: Pull complete 
21e0df283cd6: Pull complete 
ed835de16acd: Pull complete 
881ff011f1c9: Pull complete 
77700c52c969: Pull complete 
44be98c0fab6: Pull complete 
Digest: sha256:9522864dd661dcadfd9958f9e0de192a1fdda2c162a35668ab6ac42b465f0603
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest

[root@harbor harbor]# docker images
REPOSITORY                  TAG               IMAGE ID       CREATED       SIZE
nginx                       latest            f652ca386ed1   2 days ago    141MB

(3) Tag the image for the registry

[root@harbor harbor]# docker tag nginx:latest 127.0.0.1/aaa/nginx:v1
[root@harbor harbor]# docker images
REPOSITORY                  TAG               IMAGE ID       CREATED       SIZE
127.0.0.1/aaa/nginx         v1                f652ca386ed1   2 days ago    141MB
nginx                       latest            f652ca386ed1   2 days ago    141MB

(4) Push the image to Harbor

[root@harbor harbor]# docker push 127.0.0.1/aaa/nginx:v1   #The tag must carry the registry host and project name before the image can be pushed
The push refers to repository [127.0.0.1/aaa/nginx]
2bed47a66c07: Pushed 
82caad489ad7: Pushed 
d3e1dca44e82: Pushed 
c9fcd9c6ced8: Pushed 
0664b7821b60: Pushed 
9321ff862abb: Pushed 
v1: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570

(5) Verify in the browser that the push succeeded

8. Client test

The operations above were run on the Harbor server itself. When another client pushes to Harbor it gets the error below. Docker Engine requires HTTPS for registries by default (loopback addresses excepted), while this Harbor was deployed with ui_url_protocol = http, so the client refuses to talk to it until it is either told to treat the registry as insecure, as in the workaround below, or, better, Harbor is switched to HTTPS and the client is given the CA certificate to trust.

(1) Error: docker login and docker push fail with "http: server gave HTTP response to HTTPS client"

(2) Solution (use one of the two methods, not both: dockerd refuses to start when the same option is set both as a command line flag and in daemon.json)

Method 1: add --insecure-registry to the daemon command line in the client's unit file

[root@docker ~]# vim /usr/lib/systemd/system/docker.service
...
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.150.100 --containerd=/run/containerd/containerd.sock
...

Method 2: set insecure-registries in /etc/docker/daemon.json (the entry is the IP address of the Harbor host; the registry-mirrors entry is unrelated to Harbor and was already present on this client)

[root@localhost ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["192.168.150.100"],
"registry-mirrors": ["https://4iv7219l.mirror.aliyuncs.com"]
}

[root@localhost ~]# systemctl daemon-reload     #Reload unit files
[root@localhost ~]# systemctl restart docker    #Restart the daemon

Either method makes the client accept plain HTTP, and also an untrusted TLS certificate, from that one address; anyone on the network path can then read the credentials and tamper with images in transit.

[root@docker docker]# docker login -u admin -p Harbor12345 http://192.168.150.100   #Log in again after the fix
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
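The insecure-registries entry above is a lab shortcut. As an added example, not from the original post or from Docker, the following Python puts the two client side options next to each other: merging an insecure-registries entry into an existing daemon.json without clobbering other settings such as registry-mirrors, and the preferred alternative of keeping HTTPS and installing the registry's CA certificate as /etc/docker/certs.d/<host>/ca.crt, which dockerd uses to verify that registry's certificate. The /etc/docker paths are the real ones, but every function takes an override so it can be exercised in a scratch directory; the PEM text in the main block is a constructed placeholder, not a certificate. The HTTPS route also requires ui_url_protocol, ssl_cert and ssl_cert_key to be set in harbor.cfg and install.sh re-run on the Harbor host.

```python
"""Two ways to let a Docker client reach the Harbor host 192.168.150.100.

Added example, not part of the original post or of Docker/Harbor. Directory
roots default to the real Docker paths and can be overridden for testing.
"""
import json
import os
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")
CERTS_D = Path("/etc/docker/certs.d")


def add_insecure_registry(registry, path=DAEMON_JSON):
    """Weak option: tell dockerd to accept plain HTTP / untrusted TLS from `registry`.

    Merges into an existing daemon.json instead of overwriting it, so unrelated
    settings survive. Returns the resulting configuration (restart dockerd to apply).
    """
    path = Path(path)
    cfg = json.loads(path.read_text()) if path.exists() else {}
    insecure = cfg.setdefault("insecure-registries", [])
    if registry not in insecure:
        insecure.append(registry)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(cfg, indent=2) + "\n")
    return cfg


def trust_registry_ca(registry, ca_pem, root=CERTS_D):
    """Preferred option: keep HTTPS and install the CA that signed the registry certificate.

    dockerd looks for <root>/<host[:port]>/ca.crt when it connects to that host,
    so no insecure-registries entry is needed and the connection stays authenticated.
    Returns the path written.
    """
    if "-----BEGIN CERTIFICATE-----" not in ca_pem:
        raise ValueError("ca_pem does not look like a PEM encoded certificate")
    dest = Path(root) / registry / "ca.crt"
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(ca_pem)
    os.chmod(dest, 0o644)
    return dest


def registry_trust_state(registry, daemon_json=DAEMON_JSON, certs_d=CERTS_D):
    """Report how this client is configured to reach `registry`."""
    insecure = []
    if Path(daemon_json).exists():
        insecure = json.loads(Path(daemon_json).read_text()).get("insecure-registries", [])
    return {
        "insecure": registry in insecure,
        "ca_installed": (Path(certs_d) / registry / "ca.crt").is_file(),
    }


if __name__ == "__main__":
    import tempfile
    scratch = Path(tempfile.mkdtemp())
    # Constructed placeholder, not a real certificate: use the CA that signed the Harbor server cert.
    placeholder_ca = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    trust_registry_ca("192.168.150.100", placeholder_ca, root=scratch / "certs.d")
    print(registry_trust_state("192.168.150.100", scratch / "daemon.json", scratch / "certs.d"))
```

Run as root on the client; a daemon.json change needs `systemctl restart docker`, while a certs.d entry only requires that the CA really is the issuer of the certificate Harbor presents. If registry_trust_state reports both flags true, the insecure entry is redundant and should be removed.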

(3) Push test from the client

[root@docker docker]# docker tag nginx:latest 192.168.150.100/aaa/nginx:v2
[root@docker docker]# docker push 192.168.150.100/aaa/nginx:v2
The push refers to repository [192.168.150.100/aaa/nginx]
2bed47a66c07: Layer already exists 
82caad489ad7: Layer already exists 
d3e1dca44e82: Layer already exists 
c9fcd9c6ced8: Layer already exists 
0664b7821b60: Layer already exists 
9321ff862abb: Layer already exists 
v2: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570

(4) Verify in the browser

3, Harbor user creation

1. Create a user

Create the user on the Users page of the web UI, then add it to project aaa as a member with a role that allows push, such as Developer; a Guest member can only pull.

2. Client test

Log in as the new user and delete the previously tagged local image

[root@docker ~]# docker login 192.168.150.100 -u zch -p Abc12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@docker ~]# docker rmi 192.168.150.100/aaa/nginx:v1
Untagged: 192.168.150.100/aaa/nginx:v1
Untagged: 192.168.150.100/aaa/nginx@sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47
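Every docker login above prints the same two warnings. As an added example, not from the original post, the following Python shows what they mean in practice: it lists the registries for which ~/.docker/config.json holds a plaintext credential (decoding only the username), and builds a docker login invocation that reads the password from stdin so it never appears in the process list or shell history. The config.json sample is constructed; its auth field is base64(user:password) for the lab user zch with the throwaway password used above, which is exactly why the file counts as unencrypted.

```python
"""Show which registries have credentials stored in ~/.docker/config.json and
log in without putting the password on the command line.

Added example, not part of the original post. CONSTRUCTED_CONFIG is a sample
built for the demonstration.
"""
import base64
import json
import shlex
import subprocess
from pathlib import Path

DOCKER_CONFIG = Path.home() / ".docker" / "config.json"


def stored_logins(config_text):
    """Return {registry: username} for every plaintext 'auth' entry, never exposing the password."""
    auths = json.loads(config_text).get("auths", {})
    result = {}
    for registry, entry in auths.items():
        auth = entry.get("auth")
        if not auth:
            continue  # empty entry: a credential helper holds the secret, nothing stored here
        user, _, _password = base64.b64decode(auth).decode().partition(":")
        result[registry] = user
    return result


def login_command(registry, username):
    """argv for docker login that reads the password from stdin (no -p on the command line)."""
    return ["docker", "login", "--username", username, "--password-stdin", registry]


def login_with_stdin(registry, username, password, runner=subprocess.run):
    """Run docker login, feeding the password through stdin; `runner` is injectable for testing."""
    return runner(login_command(registry, username), input=password.encode(), check=True)


# Constructed sample: one registry with a stored plaintext credential, one handled by a helper.
CONSTRUCTED_CONFIG = json.dumps({
    "auths": {
        "192.168.150.100": {"auth": base64.b64encode(b"zch:Abc12345").decode()},
        "https://index.docker.io/v1/": {},
    },
    "credsStore": "pass",
})

if __name__ == "__main__":
    text = DOCKER_CONFIG.read_text() if DOCKER_CONFIG.exists() else CONSTRUCTED_CONFIG
    for registry, user in stored_logins(text).items():
        print(f"plaintext credential stored for {user}@{registry}")
    print("safer login:", shlex.join(login_command("192.168.150.100", "zch")))
```

In a shell the equivalent is `cat ~/harbor-pass | docker login --username zch --password-stdin 192.168.150.100`, with the password file readable only by the user; configuring a credential helper (credsStore) is what removes the second warning.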

3. Test with the newly created user

[root@docker ~]# docker pull 192.168.150.100/aaa/nginx:v2   #Re download v2 from private repository
v2: Pulling from aaa/nginx
Digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47
Status: Downloaded newer image for 192.168.150.100/aaa/nginx:v2
192.168.150.100/aaa/nginx:v2
[root@docker ~]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED        SIZE
192.168.150.100/aaa/nginx   v2        f652ca386ed1   3 days ago     141MB
192.168.150.10:5000/nginx   latest    f652ca386ed1   3 days ago     141MB
[root@localhost ~]# docker tag nginx:latest 192.168.150.100/aaa/nginx:v3	#Tag as v3
[root@localhost ~]# docker push 192.168.150.100/aaa/nginx:v3		        #Push test
The push refers to repository [192.168.150.100/aaa/nginx]
2bed47a66c07: Layer already exists 
82caad489ad7: Layer already exists 
d3e1dca44e82: Layer already exists 
c9fcd9c6ced8: Layer already exists 
0664b7821b60: Layer already exists 
9321ff862abb: Layer already exists 
v3: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570

4. Remove the Harbor service containers

First package the image data of the project. Note that the registry keeps only manifests and layer link files under repositories/<project>/<name>; the layer contents live under /data/registry/docker/registry/v2/blobs. Archiving the repositories/aaa directory alone, as below, captures the links but not the blobs, so for a restorable backup archive all of /data/registry (and /data/database) instead.

(1) On the Harbor server (docker-compose down -v removes the containers and the compose network; Harbor 1.2 keeps its data in bind mounted host directories, so /data is untouched)

[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose down -v
Stopping harbor-jobservice  ... done
Stopping nginx              ... done
Stopping harbor-ui          ... done
Stopping registry           ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping harbor-log         ... done
Removing harbor-jobservice  ... done
Removing nginx              ... done
Removing harbor-ui          ... done
Removing registry           ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing harbor-log         ... done
Removing network harbor_harbor

[root@harbor harbor]# docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
[root@harbor harbor]# ls /data/registry/docker/registry/v2/repositories/aaa
nginx
[root@harbor harbor]# cd /data/registry/docker/registry/v2/repositories/aaa/
[root@harbor aaa]# tar zcvf /root/aaa.tar.gz ./*   #Write the archive outside the directory being archived

(2) To redeploy from scratch, remove Harbor's persistent data as well

Persistent data, that is images and the database, lives in the host's /data/ directory, and logs in the host's /var/log/harbor/ directory. The two commands below destroy every image and every user and project; take the backup above first.

rm -rf /data/database
rm -rf /data/registry
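Before deleting /data, it is worth confirming that a backup actually contains the layer blobs the repository directories point to. As an added example, not from the original post or from Docker Distribution, the following Python walks the registry v2 storage layout (repositories/<name>/_manifests/revisions/sha256/<digest>/link and _layers/sha256/<digest>/link files holding "sha256:<digest>", blobs stored under blobs/sha256/<first two hex>/<digest>/data) and reports which referenced digests are missing. The sample tree that build_sample_tree() creates is constructed for the demonstration and reproduces what an archive of repositories/aaa alone looks like once restored.

```python
"""Check that a registry backup contains the blobs its repositories reference.

Added example, not part of the original post or of Docker Distribution. Point
`root` at the directory that holds docker/registry/v2 (/data/registry here).
"""
from pathlib import Path

V2 = Path("docker") / "registry" / "v2"   # /data/registry/docker/registry/v2 in this post


def blob_path(root, digest):
    """Where the registry stores the content for sha256:<digest>."""
    return Path(root) / V2 / "blobs" / "sha256" / digest[:2] / digest / "data"


def referenced_digests(root, repository):
    """Digests that a repository's manifest revisions and layer link files point at."""
    repo = Path(root) / V2 / "repositories" / repository
    links = list((repo / "_manifests" / "revisions" / "sha256").glob("*/link"))
    links += list((repo / "_layers" / "sha256").glob("*/link"))
    return sorted({link.read_text().strip().split(":", 1)[1] for link in links})


def check_backup(root, repository):
    """Split the referenced digests into those whose blob exists under root and those missing."""
    present, missing = [], []
    for digest in referenced_digests(root, repository):
        (present if blob_path(root, digest).is_file() else missing).append(digest)
    return present, missing


def build_sample_tree(root):
    """Constructed sample: aaa/nginx with one manifest and two layers, the second layer blob absent."""
    manifest, layers = "a" * 64, ["b" * 64, "c" * 64]
    repo = Path(root) / V2 / "repositories" / "aaa" / "nginx"
    entries = [("_manifests/revisions/sha256", manifest)] + [("_layers/sha256", d) for d in layers]
    for sub, digest in entries:
        link = repo / sub / digest / "link"
        link.parent.mkdir(parents=True, exist_ok=True)
        link.write_text(f"sha256:{digest}")
    for digest in (manifest, layers[0]):          # only two of the three blobs are present
        data = blob_path(root, digest)
        data.parent.mkdir(parents=True, exist_ok=True)
        data.write_bytes(b"constructed blob contents")
    return manifest, layers


if __name__ == "__main__":
    import sys
    import tempfile
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_tree(root)
    present, missing = check_backup(root, "aaa/nginx")
    print(f"{len(present)} blobs present, {len(missing)} missing: {missing}")
```

Run it as `python3 check_backup.py /data/registry` on the server, or against the directory a backup archive was extracted into; any digest in the missing list is a layer the restored registry would be unable to serve.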

Tags: Operation & Maintenance Docker

Posted on Sun, 05 Dec 2021 19:24:43 -0500 by V-Man