Contents
2. Docker private registry architecture
3. Harbor configuration file and related parameters
2. Harbor builds a Docker private registry
3. Install harbor-offline-installer-v1.2.2
4. Configure the Harbor parameter file
5. View the Harbor images and containers
6. Create a project in the UI
4. Remove the Harbor service containers
1. Docker Harbor overview
Harbor is an open source enterprise Docker Registry project from VMware. It adds a visual web management interface that makes Docker images easier to manage, and provides per-project image permission management and access control.
1. Advantages of Harbor
Role-based access control: there are administrators and ordinary users. Ordinary users can be granted rights, for example only to push and pull, and rights are managed per project.
Image-based replication policy: also tied to permissions; for example, only certain users and groups may perform the corresponding operations on a project.
LDAP/AD support: domain-controller integration. For example, a Nanjing site pulls images from the Beijing Harbor private registry; both ends use LAN addresses and are joined by a tunnel, so the data passes through two layers of encryption, the tunnel encryption and the data encryption, which is safe and reliable.
Image deletion and garbage collection: a recycle-bin mechanism.
Graphical UI: includes statistics such as traffic and image download popularity.
Audit: the built-in log is of limited use on its own; auditing mainly relies on ELK.
RESTful API: a standard web interface format that makes it easy to call Harbor and build on it.
2. Docker private registry architecture
Explanation of the components in the figure
Proxy: a front-end reverse proxy that receives requests from browsers and Docker clients and forwards them to the different back-end services.
Registry: stores the Docker images and handles docker push/pull commands.
Core services: Harbor's core functions, including the UI, webhook and token services.
Database: provides database services for the core services.
Log collector: collects the logs of the other components for later analysis.
3. Harbor configuration file and related parameters
The Harbor configuration file is /usr/local/harbor/harbor.cfg.
(1) Required parameters. After changing any of these, you must run the install.sh script to reinstall Harbor before the change takes effect.
- hostname
- Used to access the user interface and the registry service.
- It should be the IP address or fully qualified domain name (FQDN) of the target machine,
- for example 192.168.163.100 or test.com.
- Do not use localhost or 127.0.0.1 as the hostname.
- ui_url_protocol (options: http or https; the default is http)
- Protocol used to access the UI and the token/notification services.
- If Notary is enabled, this parameter must be https.
- max_job_workers
- Number of image replication job threads.
- db_password
- Password of the root user of the MySQL database used by db_auth.
- customize_crt
- Can be set to on or off; on by default.
- When on, the prepare script generates a private key and root certificate for generating and validating registry tokens.
- Set it to off when the key and root certificate are supplied from an external source.
- ssl_cert
- Path of the SSL certificate; only applied when the protocol is set to https.
- ssl_cert_key
- Path of the SSL key; only applied when the protocol is set to https.
- secretkey_path
- Path of the key used to encrypt or decrypt the remote registry password in replication policies.
- Configuring this is not recommended, as it carries a serious security risk.
(2) Optional parameters
These parameters are optional to update: users can keep the default values and update them in the Web UI after starting Harbor.
If they are set in harbor.cfg, they take effect only when Harbor is started for the first time; subsequent updates to these parameters in harbor.cfg are ignored.
Note: if you choose to set these parameters through the UI, do so immediately after starting Harbor. In particular, the required settings must be made before registering or creating any new users in Harbor.
- auth_mode
- Type of authentication used.
- The default is db_auth, meaning credentials are stored in the database.
- For LDAP authentication, set it to ldap_auth.
- Once there are users in the system (other than the default admin user), auth_mode can no longer be changed.
- email
- Harbor needs these settings only to send "password reset" emails to users, and only when that function is required.
- Note that the SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL email by setting email_ssl = true.
- harbor_admin_password
- The initial password of the administrator; it takes effect only when Harbor is started for the first time.
- After that, this setting is ignored and the administrator's password should be changed in the UI.
- The default username/password is admin/Harbor12345.
- self_registration
- Enables or disables the user self-registration feature.
- When disabled, new users can only be created by an admin user; only administrator users can create new users in Harbor.
- Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.
- token_expiration
- Expiration time (in minutes) of tokens created by the token service; the default is 30 minutes.
- That is, after logging in and then exiting, you can log in again within 30 minutes without re-entering the username and password; after 30 minutes you must authenticate again.
- project_creation_restriction
- Flag controlling which users are authorized to create projects.
- By default, everyone can create a project.
- If set to "adminonly", only admin can create projects.
- verify_remote_cert
- on or off; on by default.
- Determines whether the SSL/TLS certificate is verified when Harbor communicates with a remote registry instance.
- Setting it to off bypasses SSL/TLS certificate verification, which is often done when the remote instance has a self-signed or untrusted certificate.
In addition, by default Harbor stores images on the local file system. In a production environment, consider using another storage back end instead of the local file system, such as S3, OpenStack Swift or Ceph; this requires updating the common/templates/registry/config.yml file.
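As an added check (not part of the original post and not Harbor's own code), the following Python script parses a harbor.cfg-style file and flags the settings this section warns about: a localhost hostname, http instead of https, missing certificate paths under https, the default admin password, open self-registration and disabled remote certificate verification. The parameter names come from this page; the sample file is constructed, and the [harbor] section header is an assumption added only because harbor.cfg has none.

```python
import configparser
from typing import Dict, List

# Constructed harbor.cfg fragment for the check below (not a real deployment);
# it deliberately uses the settings this page warns against.
SAMPLE_CFG = """\
hostname = 127.0.0.1
ui_url_protocol = http
harbor_admin_password = Harbor12345
self_registration = on
verify_remote_cert = off
customize_crt = on
auth_mode = db_auth
token_expiration = 30
"""

DEFAULT_ADMIN_PASSWORD = "Harbor12345"   # documented default, must be changed

def parse_harbor_cfg(text: str) -> Dict[str, str]:
    """harbor.cfg is plain 'key = value' lines with '#' comments and no section
    header, so a dummy [harbor] section is prepended for configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[harbor]\n" + text)
    return {k: v.strip() for k, v in cp["harbor"].items()}

def audit_harbor_cfg(cfg: Dict[str, str]) -> List[str]:
    """Return findings for the settings this section calls out as risky."""
    findings = []
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append("hostname must be the IP/FQDN clients use, not localhost/127.0.0.1")
    if cfg.get("ui_url_protocol", "http").lower() != "https":
        findings.append("ui_url_protocol=http: logins and pushes cross the network in cleartext")
    else:
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append(f"{key} is required when ui_url_protocol is https")
    if cfg.get("harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is still the default admin/Harbor12345")
    if cfg.get("self_registration", "on").lower() == "on":
        findings.append("self_registration=on: anyone reaching the UI can create an account")
    if cfg.get("verify_remote_cert", "on").lower() == "off":
        findings.append("verify_remote_cert=off: replication skips TLS certificate checks")
    return findings

if __name__ == "__main__":
    for finding in audit_harbor_cfg(parse_harbor_cfg(SAMPLE_CFG)):
        print("FINDING:", finding)
```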
2. Harbor builds a Docker private registry
1. Environment and requirements
| Host | Operating system | Hostname / IP address | Main software and version |
| --- | --- | --- | --- |
| Harbor | CentOS 7.6 | 192.168.32.15 | docker, docker-compose, harbor-offline-installer-v1.2.2 |
| Client | CentOS 7.6 | 192.168.32.16 | docker |
2. Install docker-compose
[root@harbor ~]# cd /usr/local/bin/
[root@harbor bin]# rz -E                    #Upload the docker-compose binary
rz waiting to receive.
[root@localhost bin]# ls
docker-compose
[root@harbor ~]# chmod +x docker-compose    #Set execute permission
3. Install harbor-offline-installer-v1.2.2
(1) Online download
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
(2) Upload directly if you already have the package
[root@harbor ~]# cd /usr/local/
[root@harbor local]# rz -E
rz waiting to receive.
[root@harbor local]# ls
harbor-offline-installer-v1.2.2.tgz ...
[root@harbor local]# tar zxvf harbor-offline-installer-v1.2.2.tgz
[root@harbor local]# ls
harbor  harbor-offline-installer-v1.2.2.tgz
[root@harbor local]# cd harbor
[root@harbor harbor]# ls
common  docker-compose.notary.yml  harbor_1_1_0_template  harbor.v1.2.2.tar.gz  LICENSE  prepare
docker-compose.clair.yml  docker-compose.yml  harbor.cfg  install.sh  NOTICE  upgrade
4. Configure the Harbor parameter file
[root@harbor harbor]# vim harbor.cfg
...
hostname = 192.168.150.100               #Line 5: change to the IP address of the private registry host
harbor_admin_password = Harbor12345      #Line 59: default password Harbor12345, user admin
[root@harbor harbor]# sh install.sh      #Install and start Harbor
Note: docker version: 20.10.11
Note: docker-compose version: 1.21.1
[Step 1]: loading Harbor images ...
dd60b611baaa: Loading layer [=======================================>]  133.2MB/133.2MB
abf0579c40fd: Loading layer [=======================================>]  1.536kB/1.536kB
ea1fc7bed9c5: Loading layer [=======================================>]  22.48MB/22.48MB
1d6671367c69: Loading layer [=======================================>]  7.168kB/7.168kB
b322bb3e4765: Loading layer [=======================================>]  5.339MB/5.339MB
5. View the Harbor images and containers
(1) View the images
(2) View the containers
(3) Check whether the service containers are running
6. Create a project in the UI
Open http://192.168.150.100 in a browser; the default administrator username and password are admin/Harbor12345.
7. Harbor server test
At this point you can use the Docker command line on the Harbor server itself to log in and push images via 127.0.0.1. By default the registry server listens on port 80.
(1) Log in to the local private registry
[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
(2) Pull an image for testing
[root@harbor harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
e5ae68f74026: Pull complete
21e0df283cd6: Pull complete
ed835de16acd: Pull complete
881ff011f1c9: Pull complete
77700c52c969: Pull complete
44be98c0fab6: Pull complete
Digest: sha256:9522864dd661dcadfd9958f9e0de192a1fdda2c162a35668ab6ac42b465f0603
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@harbor harbor]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
nginx        latest    f652ca386ed1   2 days ago   141MB
(3) Tag the image
[root@harbor harbor]# docker tag nginx:latest 127.0.0.1/aaa/nginx:v1
[root@harbor harbor]# docker images
REPOSITORY            TAG       IMAGE ID       CREATED      SIZE
127.0.0.1/aaa/nginx   v1        f652ca386ed1   2 days ago   141MB
nginx                 latest    f652ca386ed1   2 days ago   141MB
(4) Push the image to Harbor
[root@harbor harbor]# docker push 127.0.0.1/aaa/nginx:v1    #The image can only be pushed after it has been tagged with the registry address
The push refers to repository [127.0.0.1/aaa/nginx]
2bed47a66c07: Pushed
82caad489ad7: Pushed
d3e1dca44e82: Pushed
c9fcd9c6ced8: Pushed
0664b7821b60: Pushed
9321ff862abb: Pushed
v1: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570
(5) Verify in the browser that the push succeeded
8. Client test
The operations above were performed locally on the Harbor server. When another client tries to push images to Harbor, the error below is reported. The cause is that Docker expects registry interaction over HTTPS by default, while the private registry built here serves plain HTTP, so the client refuses to talk to it.
(1) Error message
(2) Solution
Method 1: modify the docker.service unit file on the client
[root@docker ~]# vim /usr/lib/systemd/system/docker.service
...
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.150.100 --containerd=/run/containerd/containerd.sock
...

Method 2: modify /etc/docker/daemon.json (the insecure-registries entry is the IP address of the Harbor server)
[root@localhost ~]# cat /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.150.100"],
  "registry-mirrors": ["https://4iv7219l.mirror.aliyuncs.com"]
}
[root@localhost ~]# systemctl daemon-reload    #Reload the configuration
[root@localhost ~]# systemctl restart docker    #Restart the service
[root@docker docker]# docker login -u admin -p Harbor12345 http://192.168.150.100    #Log in again after the fix
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
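The insecure-registries workaround above is worth checking mechanically. The Python script below is an added example (not from the post and not Docker's own code): it parses a daemon.json strictly, since an inline '#' note inside the JSON is rejected and stops dockerd from starting, and then reports whether dockerd will allow plain-HTTP access to a given registry. The exact-match rule for host[:port] entries, CIDR entries and the built-in 127.0.0.0/8 loopback range are my reading of dockerd's behaviour rather than anything stated on this page; both sample files are constructed.

```python
import ipaddress
import json

# Constructed daemon.json samples (not from a real host). The first carries an
# inline '#' note like the listing above; JSON has no comments, so dockerd
# would refuse to start with that file in place.
DAEMON_JSON_BROKEN = """{
  "insecure-registries": ["192.168.150.100"],   #Harbor server IP
  "registry-mirrors": ["https://4iv7219l.mirror.aliyuncs.com"]
}"""
DAEMON_JSON_OK = """{
  "insecure-registries": ["192.168.150.100", "10.10.0.0/16"]
}"""
# dockerd treats loopback as insecure with no configuration at all, which is
# why 'docker login http://127.0.0.1' on the Harbor host itself just worked.
DEFAULT_INSECURE_CIDRS = ["127.0.0.0/8"]

def load_daemon_json(text: str) -> dict:
    """Parse daemon.json strictly; a comment or trailing comma is a hard error."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"daemon.json is not valid JSON (line {exc.lineno}): {exc.msg}") from exc

def daemon_json_is_valid(text: str) -> bool:
    try:
        load_daemon_json(text)
        return True
    except ValueError:
        return False

def insecure_entries(cfg: dict) -> list:
    # configured entries (lower-cased) plus dockerd's built-in loopback range
    return DEFAULT_INSECURE_CIDRS + [e.lower() for e in cfg.get("insecure-registries", [])]

def registry_is_insecure(cfg: dict, registry: str) -> bool:
    """True if dockerd may use plain HTTP for registry ('host' or 'host:port'): a
    host[:port] entry must match exactly, a CIDR entry matches the host's IP on any port."""
    registry = registry.lower()
    host = registry.rsplit(":", 1)[0]
    for entry in insecure_entries(cfg):
        if "/" in entry:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:   # registry given as a hostname, not an IP: no CIDR match
                continue
        elif entry == registry:
            return True
    return False
```

Every registry this check reports as insecure receives the docker login credentials and image layers in cleartext; the durable fix is ui_url_protocol = https on the Harbor side (with ssl_cert and ssl_cert_key set) and a certificate the clients trust.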
(3) Push image test
[root@docker docker]# docker tag nginx:latest 192.168.150.100/aaa/nginx:v2
[root@docker docker]# docker push 192.168.150.100/aaa/nginx:v2
The push refers to repository [192.168.150.100/aaa/nginx]
2bed47a66c07: Layer already exists
82caad489ad7: Layer already exists
d3e1dca44e82: Layer already exists
c9fcd9c6ced8: Layer already exists
0664b7821b60: Layer already exists
9321ff862abb: Layer already exists
v2: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570
(4) View in the browser
3. Harbor user creation
1. Create a user
2. Client test
Delete the previously tagged images
[root@docker ~]# docker login 192.168.150.100 -u zch -p Abc12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@docker ~]# docker rmi 192.168.150.100/aaa/nginx:v1
Untagged: 192.168.150.100/aaa/nginx:v1
Untagged: 192.168.150.100/aaa/nginx@sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47
3. Test with the newly created user
[root@docker ~]# docker pull 192.168.150.100/aaa/nginx:v2    #Pull v2 again from the private registry
v2: Pulling from aaa/nginx
Digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47
Status: Downloaded newer image for 192.168.150.100/aaa/nginx:v2
192.168.150.100/aaa/nginx:v2
[root@docker ~]# docker images
REPOSITORY                  TAG       IMAGE ID       CREATED      SIZE
192.168.150.100/aaa/nginx   v2        f652ca386ed1   3 days ago   141MB
192.168.150.10:5000/nginx   latest    f652ca386ed1   3 days ago   141MB
[root@localhost ~]# docker tag nginx:latest 192.168.150.100/aaa/nginx:v3    #Tag as v3
[root@localhost ~]# docker push 192.168.150.100/aaa/nginx:v3                #Push test
The push refers to repository [192.168.150.100/aaa/nginx]
2bed47a66c07: Layer already exists
82caad489ad7: Layer already exists
d3e1dca44e82: Layer already exists
c9fcd9c6ced8: Layer already exists
0664b7821b60: Layer already exists
9321ff862abb: Layer already exists
v3: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570
4. Remove the Harbor service containers
Package the image data of the project
(1) Operate on the Harbor server
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose down -v
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-ui ... done
Stopping registry ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-ui ... done
Removing registry ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[root@harbor harbor]# docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose down -v
[root@harbor harbor]# ls /data/registry/docker/registry/v2/repositories/aaa
nginx
[root@harbor harbor]# cd /data/registry/docker/registry/v2/repositories/aaa/
[root@harbor harbor]# tar zcvf aaa.tar.gz ./*
(2) To redeploy, all data of the Harbor service containers must be removed
Persistent data such as the images and the database live in the host's /data/ directory, and the logs in the host's /var/log/harbor/ directory.
rm -rf /data/database
rm -rf /data/registry