Building a highly available Harbor cluster

I. Installation and deployment

1. Node roles

Role                Count        Name                Notes
Harbor master node  2            harbor-1, harbor-2  dual-master (active/active), both behind the VIP
haproxy             2            HA-1, HA-2          VIP bound via keepalived
Redis               HA cluster   redis               Harbor component; run locally or point at an external cluster
PostgreSQL          HA cluster   postgres            Harbor component; run locally or point at an external cluster
Ceph                HA cluster   ceph                Harbor component (registry and chart storage backend)

2. Offline installation

1. Download the offline installer package, unpack it on harbor-1 and harbor-2 under /data/harbor, and edit the configuration file harbor.cfg as follows (the same file goes on both nodes). Harbor's prepare script reads the file with a plain key = value parser and does not strip inline "//" or "#" notes, so comments must sit on their own lines:


## Configuration file of Harbor
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.7.0

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#DO NOT comment out this line, modify the value of "hostname" directly, or the installation will fail.
#Use the shared domain name that resolves to the VIP, identical on both nodes.
hostname = harbor.xxx.xxx.com

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https

#Maximum number of job workers in job service
max_job_workers = 10

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
#Leave it on for the first run on harbor-1 only; section 4 switches it to off so both nodes share one key pair.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
#Both point at one file here, which only works if that PEM holds the certificate chain and the private key;
#keep it readable by root only.
ssl_cert = /data/harbor/cert/uat.cmft.com.pem
ssl_cert_key = /data/harbor/cert/uat.cmft.com.pem

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor internal components via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
#Set a real password before the first start; the value is only read once.
harbor_admin_password = yourpassword

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
#The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2
#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5
#Verify certificate from LDAP server
ldap_verify_cert = true
#The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com
#filter to search LDAP/AD group
ldap_group_filter = objectclass=group
#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn
#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_group_scope = 2

#Turn on or off the self-registration feature
#With the VIP reachable from the network, "on" lets anyone create an account; prefer off.
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######
#The address of the Harbor database. Only need to change when using external db.
db_host = 100.12.13.10
#The password for the root user of Harbor DB. Change this before any production use.
db_password = yourdbpassword
#The port of Harbor database host
db_port = 7810
#The user name of Harbor database
db_user = harbordata
#If the database runs locally (the postgresql container), use this form instead:
#db_host = postgresql
#db_password = yourpassword
#db_port = 5432
#db_user = postgres
##### End of Harbor DB configuration#######

##########Redis server configuration.############
#Redis connection address
redis_host = 100.101.21.3
#Redis connection port
redis_port = 4410
#Redis connection password
redis_password = 123456
#Redis connection db index
#db_index 1,2,3 is for registry, jobservice and chartmuseum.
#db_index 0 is for UI, it's unchangeable
redis_db_index = 1,2,3
########## End of Redis server configuration ############

##########Clair DB configuration############
#Clair DB host address. Only change it when using an external DB.
#Clair shares the PostgreSQL server with the Harbor DB; give it its own database so the two cannot collide.
clair_db_host = 100.101.12.3
#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = 123456
#Clair DB connect port
clair_db_port = 7810
#Clair DB username
clair_db_username = harbordata
#Clair default database
#Because the server is shared, this must not be the same database as the Harbor DB. template1, as used here,
#is PostgreSQL's template database: every table Clair creates in it is cloned into every database created
#afterwards. Create a dedicated database (CREATE DATABASE clair) and point clair_db at it instead.
clair_db = template1
#Local form:
#clair_db_host = postgresql
#clair_db_password = root123
#clair_db_port = 5432
#clair_db_username = postgres
#clair_db = postgres
#The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
clair_updaters_interval = 12
##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem

### Harbor Storage settings ###
#If Ceph is mounted locally, set registry_storage_provider_name = filesystem and ignore registry_storage_provider_config.
#A Ceph S3 account normally comes with bucket, region, accesskey, secretkey and regionendpoint.
#Please be aware that the following storage settings will be applied to both docker registry and helm chart repository.
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
#s3 here means the Ceph RGW S3 endpoint.
registry_storage_provider_name = s3
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry.
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
#Use a domain name for the Ceph endpoint; with a bare IP a 401 SignatureMismatch error can occur. An http://
#endpoint also sends every blob in the clear, so prefer https with registry_custom_ca_bundle if the CA is private.
registry_storage_provider_config = bucket: registry, region: default, accesskey: 123456, secretkey: 123456, regionendpoint: http://100.xx.xxx.xxx:7480, rootdirectory: /harbor-registry/st
#registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#of registry's and chart repository's containers. This is usually needed when the user hosts an internal storage with self signed certificate.
registry_custom_ca_bundle =
#If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites existing settings.
#reload_config=false
#Regular expression to match skipped environment variables
#skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)
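The harbor.cfg above carries several settings that are easy to get wrong in an HA pair (inline notes that end up inside values, placeholder secrets, Clair pointed at template1, a plain-http Ceph endpoint on a bare IP). The linter below is an added example, not code from the page or from the Harbor project: it parses the file the way Harbor's prepare script does (a section header is prepended and configparser reads the key = value pairs), so it sees exactly what Harbor sees. The two sample configs at the bottom are constructed for the demonstration, and the list of weak placeholder secrets is an assumption.

```python
"""Lint a Harbor 1.x harbor.cfg for the HA pitfalls described above."""
import configparser
import re

# Assumed list of placeholder/default secrets that must not reach a deployment.
WEAK_SECRETS = {"yourpassword", "yourdbpassword", "123456", "Harbor12345", "root123", "abc", "password", ""}
SECRET_KEYS = ("harbor_admin_password", "db_password", "redis_password", "clair_db_password")
# A '//' that is not part of a URL scheme, any non-ASCII text, or ' #' after a value means an inline
# note was written there; Harbor does not strip inline comments, so the note becomes part of the value.
INLINE_NOTE = re.compile(r"(?<!:)//|[^\x00-\x7f]|\s#")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_harbor_cfg(text):
    """Same trick Harbor's prepare uses: harbor.cfg has no section header, so add one."""
    cp = configparser.RawConfigParser()
    cp.read_string("[configuration]\n" + text)
    return dict(cp.items("configuration"))


def storage_config(value):
    """Split the docker-registry style 'k1: v1, k2: v2' string into a dict."""
    out = {}
    for pair in value.split(","):
        key, sep, val = pair.strip().partition(": ")
        if sep:
            out[key] = val
    return out


def lint_harbor_cfg(text, ha=True):
    """Return (key, problem) findings; an empty list means the file passed."""
    cfg = parse_harbor_cfg(text)
    findings = []

    for key, value in cfg.items():
        if INLINE_NOTE.search(value):
            findings.append((key, "inline note has become part of the value: %r" % value))
        if key in SECRET_KEYS and value in WEAK_SECRETS:
            findings.append((key, "placeholder or default secret"))

    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append(("hostname", "must be the shared name that resolves to the VIP"))
    if cfg.get("ui_url_protocol") != "https":
        findings.append(("ui_url_protocol", "UI logins and token requests would travel over plain http"))
    if ha and cfg.get("customize_crt") == "on":
        findings.append(("customize_crt", "each node would mint its own token key pair; set off and share one pair"))
    if cfg.get("self_registration") == "on":
        findings.append(("self_registration", "anyone who can reach the VIP can create an account"))
    if cfg.get("clair_db") == "template1":
        findings.append(("clair_db", "template1 is PostgreSQL's template; its tables are cloned into every new database"))

    if cfg.get("registry_storage_provider_name") == "s3":
        endpoint = storage_config(cfg.get("registry_storage_provider_config", "")).get("regionendpoint", "")
        host = endpoint.split("://", 1)[-1].split(":")[0]
        if endpoint.startswith("http://"):
            findings.append(("registry_storage_provider_config", "S3 endpoint is plain http; blobs travel in the clear"))
        if IPV4.fullmatch(host):
            findings.append(("registry_storage_provider_config", "S3 endpoint is a bare IP; use a DNS name"))
    return findings


# Constructed sample reproducing the page's habits (inline note, placeholder secrets, template1, http Ceph on an IP).
SAMPLE_CFG = """\
_version = 1.7.0
hostname = harbor.example.com //domain that resolves to the VIP
ui_url_protocol = https
customize_crt = on
harbor_admin_password = yourpassword
auth_mode = db_auth
self_registration = on
db_host = 100.12.13.10
db_password = yourdbpassword
redis_host = 100.101.21.3
redis_password = 123456
clair_db_host = 100.12.13.10
clair_db_password = 123456
clair_db = template1
registry_storage_provider_name = s3
registry_storage_provider_config = bucket: registry, region: default, accesskey: 123456, secretkey: 123456, regionendpoint: http://100.65.22.10:7480, rootdirectory: /harbor-registry/st
"""

# The same deployment with the problems fixed (constructed).
CLEAN_CFG = """\
_version = 1.7.0
hostname = harbor.example.com
ui_url_protocol = https
customize_crt = off
harbor_admin_password = Vq8-long-random-passphrase
auth_mode = db_auth
self_registration = off
db_host = 100.12.13.10
db_password = Rj4-another-long-passphrase
redis_host = 100.101.21.3
redis_password = Lp2-redis-passphrase
clair_db_host = 100.12.13.10
clair_db_password = Xw9-clair-passphrase
clair_db = clair
registry_storage_provider_name = s3
registry_storage_provider_config = bucket: registry, region: default, accesskey: AKEXAMPLE, secretkey: sk-example, regionendpoint: https://rgw.example.com:443, rootdirectory: /harbor-registry/st
"""

if __name__ == "__main__":
    for key, problem in lint_harbor_cfg(SAMPLE_CFG):
        print("%-35s %s" % (key, problem))
```

Run it against the real file with `lint_harbor_cfg(open("/data/harbor/harbor.cfg").read())` on each node before `./install.sh`; the `hostname` finding in the sample shows why the page's "//" annotations must move to comment lines.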

3. Initialization and certificate generation

1. On harbor-1, in /data/harbor, run:

./install.sh --with-notary --with-clair --with-chartmuseum   # first run: generate the config and start Harbor
watch 'docker ps -a'                                         # watch the components come up

2. Copy the two token-signing files

/data/harbor/common/config/core/private_key.pem
/data/harbor/common/config/registry/root.crt

to /tmp/certfile, and copy them to the same directory on harbor-2. private_key.pem signs every registry bearer token and root.crt is what the registry verifies them against, so the pair must be identical on both nodes. Treat the key as a secret: copy it over an authenticated channel (scp), keep it mode 600, and remove the /tmp copies once both nodes have them in place.

4. Pin the generated certificates


# Stop harbor-1 and its components:
docker-compose down -v --remove-orphans

1. Edit install.sh so the images are not re-loaded on every run:

if [ -f harbor*.tar.gz ]
then
    h2 "[Step $item]: loading Harbor images ..."; let item+=1
    #docker load -i ./harbor*.tar.gz    # skip re-loading the images
fi
echo ""

2. Edit the prepare script (the same change on harbor-1 and harbor-2). In the stock script the else branch copies the key pair shipped in the package templates; change it to copy the shared pair from /tmp/certfile:

if customize_crt == 'on' and openssl_installed():
    print("creating cert-----------------------------")
    shell_stat = subprocess.check_call(["which", "openssl"], stdout=FNULL, stderr=subprocess.STDOUT)
    empty_subj = "/"
    private_key_pem = os.path.join(config_dir, "core", "private_key.pem")
    root_crt = os.path.join(config_dir, "registry", "root.crt")
    create_root_cert(empty_subj, key_path=private_key_pem, cert_path=root_crt)
    mark_file(private_key_pem)
    mark_file(root_crt)
else:
    # Changed from the stock script: install the shared pair from /tmp/certfile
    # instead of the template defaults, so both nodes sign and verify with one key.
    print("Copied configuration file: %s" % os.path.join("/tmp", "certfile", "private_key.pem"))
    shutil.copyfile(os.path.join("/tmp", "certfile", "private_key.pem"), os.path.join(core_config_dir, "private_key.pem"))
    print("Copied configuration file: %s" % os.path.join("/tmp", "certfile", "root.crt"))
    shutil.copyfile(os.path.join("/tmp", "certfile", "root.crt"), os.path.join(registry_config_dir, "root.crt"))

This turns off Harbor's own certificate generation and points it at an externally supplied pair. Without it each node mints its own key pair, a token issued by one node's core is rejected by the other node's registry, and logins and pulls through the load balancer fail intermittently. Do not simply set customize_crt to off without this change: the template pair that the stock else branch installs ships in every Harbor package, so anyone holding it could mint tokens your registry accepts.

3. In harbor.cfg set customize_crt = off (the prepare script reads the flag from there) so that the else branch above is taken.
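Before running install.sh on the second node it is worth checking that the copied pair actually belongs together and that both nodes end up with the same root.crt. The script below is an added example, not code from the page or from the Harbor project; it shells out to the openssl binary (which Harbor's prepare script also requires) and uses the page's layout of <config_dir>/core/private_key.pem and <config_dir>/registry/root.crt. The demo() function simulates two nodes in a temporary directory with 2048-bit keys, which is an assumption made only to keep the demonstration fast.

```python
"""Pin one registry-token key pair across Harbor nodes and verify it."""
import os
import shutil
import subprocess
import tempfile


def _openssl(*args):
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def public_key_of_private_key(key_path):
    return _openssl("pkey", "-in", key_path, "-pubout").strip()


def public_key_of_cert(cert_path):
    return _openssl("x509", "-in", cert_path, "-noout", "-pubkey").strip()


def cert_matches_key(key_path, cert_path):
    """True if root.crt carries the public half of private_key.pem (same SubjectPublicKeyInfo)."""
    return public_key_of_private_key(key_path) == public_key_of_cert(cert_path)


def cert_fingerprint(cert_path):
    return _openssl("x509", "-in", cert_path, "-noout", "-fingerprint", "-sha256").strip()


def pin_token_keypair(src_key, src_cert, config_dir):
    """Install the pair into a node's common/config tree with tight permissions."""
    if not cert_matches_key(src_key, src_cert):
        raise ValueError("root.crt does not match private_key.pem; refusing to install a broken pair")
    core_dir = os.path.join(config_dir, "core")
    registry_dir = os.path.join(config_dir, "registry")
    os.makedirs(core_dir, mode=0o700, exist_ok=True)
    os.makedirs(registry_dir, mode=0o755, exist_ok=True)
    key_dst = os.path.join(core_dir, "private_key.pem")
    crt_dst = os.path.join(registry_dir, "root.crt")
    shutil.copyfile(src_key, key_dst)
    os.chmod(key_dst, 0o600)   # token signing key: owner-only
    shutil.copyfile(src_cert, crt_dst)
    os.chmod(crt_dst, 0o644)   # the verifying certificate is not secret
    return key_dst, crt_dst


def nodes_share_keypair(config_dirs):
    """True when every node's registry/root.crt has the same fingerprint, i.e. a token
    minted by any node's core is accepted by any node's registry."""
    fps = {cert_fingerprint(os.path.join(d, "registry", "root.crt")) for d in config_dirs}
    return len(fps) == 1


def generate_keypair(out_dir, bits=2048):
    """Stand-in for what prepare does with customize_crt = on (Harbor uses a larger key)."""
    key, crt = os.path.join(out_dir, "private_key.pem"), os.path.join(out_dir, "root.crt")
    _openssl("req", "-x509", "-newkey", "rsa:%d" % bits, "-nodes", "-subj", "/CN=harbor-token",
             "-days", "1", "-keyout", key, "-out", crt)
    return key, crt


def demo():
    """harbor-1 and harbor-2 each generate a pair (the failure mode), then harbor-1's pair is pinned onto harbor-2."""
    with tempfile.TemporaryDirectory() as tmp:
        gen1, gen2 = os.path.join(tmp, "gen1"), os.path.join(tmp, "gen2")
        node1 = os.path.join(tmp, "harbor-1", "common", "config")
        node2 = os.path.join(tmp, "harbor-2", "common", "config")
        os.makedirs(gen1)
        os.makedirs(gen2)
        k1, c1 = generate_keypair(gen1)
        k2, c2 = generate_keypair(gen2)
        pin_token_keypair(k1, c1, node1)
        pin_token_keypair(k2, c2, node2)
        shared_before = nodes_share_keypair([node1, node2])
        try:
            pin_token_keypair(k2, c1, node2)   # mismatched halves must be refused
            refused = False
        except ValueError:
            refused = True
        key_dst, _ = pin_token_keypair(k1, c1, node2)   # the fix from section 4
        return {
            "k1_matches_c1": cert_matches_key(k1, c1),
            "k2_matches_c1": cert_matches_key(k2, c1),
            "shared_before": shared_before,
            "shared_after": nodes_share_keypair([node1, node2]),
            "refused_mismatch": refused,
            "key_mode": oct(os.stat(key_dst).st_mode & 0o777),
        }


if __name__ == "__main__":
    print(demo())
```

On the real nodes, `pin_token_keypair("/tmp/certfile/private_key.pem", "/tmp/certfile/root.crt", "/data/harbor/common/config")` replaces step 2 of section 3, and `nodes_share_keypair` run over both config directories (for example after an rsync of the config trees) is the check to repeat after every re-run of prepare.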

5. Start Harbor

On harbor-1 and then harbor-2, run:

./install.sh --with-notary --with-clair --with-chartmuseum
watch 'docker ps -a'   # watch the components come up

6. Configure haproxy / keepalived

Install haproxy and keepalived on HA-1 and HA-2 and edit the configuration files as follows.

haproxy (haproxy.cfg):

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 20000
    user haproxy
    group haproxy
    daemon
    tune.bufsize 131072
    tune.ssl.default-dh-param 2048
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlog-normal
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 30m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 10000

#---------------------------------------------------------------------
# TLS passthrough to the Harbor nodes: connections are balanced at
# layer 4 and TLS terminates on each node's nginx, so clients see the
# certificate configured in harbor.cfg. "server" lines are only valid
# in a backend or listen section, so this is a listen, not a frontend.
#---------------------------------------------------------------------
listen app
    bind *:443
    mode tcp
    option tcplog
    balance roundrobin
    server s1 100.65.22.2:443 check weight 1    # harbor-1, port 443
    server s2 100.65.22.3:443 check weight 1    # harbor-2, port 443

#---------------------------------------------------------------------
# Optional: front the Ceph RGW S3 endpoint (plain HTTP, as used above)
#---------------------------------------------------------------------
listen ceph
    bind *:80
    balance roundrobin
    server app1 100.xx.xx.xx:7480 check    # Ceph RGW, optional

keepalived (keepalived.conf):

vrrp_script chk_http_haproxy {
    script "/app/haproxy/bin/check_haproxy.sh"
    interval 10
    weight 2
}

global_defs {
    notification_email {
        admin@admin.com
    }
    notification_email_from admin@admin.com
    smtp_server mail.admin.com
    smtp_connect_timeout 30
    router_id CMRH_WEB
}

vrrp_instance VI_1 {
    state MASTER          # on HA-2 use "state BACKUP" and a lower priority, e.g. 100
    interface eth0
    virtual_router_id 6
    priority 101
    advert_int 1
    track_script {
        #run the script
        chk_http_haproxy
    }
    virtual_ipaddress {
        100.70.42.6
    }
}

/app/haproxy/bin/check_haproxy.sh is the script the track_script runs. If haproxy is down it tries to restart it; if it still is not running after three seconds it stops keepalived so the VIP moves to the other node. keepalived runs it as root, so keep the file root-owned and not group or world writable.

#!/bin/bash
num=$(ps -C haproxy --no-header | wc -l)
if [ "$num" -eq 0 ]; then
    /app/haproxy/sbin/haproxy -f /app/haproxy/conf/haproxy.cfg
    sleep 3
    if [ "$(ps -C haproxy --no-header | wc -l)" -eq 0 ]; then
        killall keepalived
    fi
fi

Once configured, start keepalived and haproxy on HA-1 and HA-2:

systemctl start keepalived
systemctl start haproxy

7. Access test

1. Open the VIP on port 443 in a browser to test the UI.

2. docker login, push and pull against the VIP hostname.

3. Failover test: stop harbor-1, repeat the push and pull, then start it again and stop harbor-2 instead. Do the same with HA-1 and HA-2 to confirm the VIP moves.
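A push/pull test with the docker client only reports "unauthorized" when something is wrong; the script below shows the exchange behind it so the failing step can be named. It is an added example, not code from the page or from Harbor: against a live VIP it does what `docker pull` does (GET /v2/, receive a 401 Bearer challenge, fetch a token from the core's /service/token, retry with the token). Because the token is signed with core/private_key.pem and verified against registry/root.crt, a node pair with different keys fails exactly at the retry step. The hostnames and repository name are assumptions; the parsing helpers need no network.

```python
"""Registry token-flow smoke test for the Harbor VIP."""
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

_CHALLENGE_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Turn 'Bearer realm="...",service="...",scope="..."' into a dict; None for any other scheme."""
    if not header or not header.startswith("Bearer "):
        return None
    return dict(_CHALLENGE_PARAM.findall(header[len("Bearer "):]))


def token_request_url(challenge):
    """Build the /service/token URL the registry challenge points at."""
    params = {"service": challenge["service"]}
    if "scope" in challenge:
        params["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urllib.parse.urlencode(params)


def _get(url, headers=None, context=None):
    """GET that returns (status, headers, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10, context=context) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read()


def smoke_test(base_url, repo, username, password, cafile=None):
    """Return the status of each step; 'tags' is 200 only if the registry accepts core-issued tokens."""
    ctx = ssl.create_default_context(cafile=cafile)   # verify the VIP's certificate; pass the CA bundle if it is private
    status, headers, _ = _get(base_url + "/v2/", context=ctx)
    challenge = parse_bearer_challenge(headers.get("Www-Authenticate", ""))
    if status != 401 or challenge is None:
        return {"v2": status, "challenge": challenge}
    challenge["scope"] = "repository:%s:pull" % repo
    basic = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    tstatus, _, body = _get(token_request_url(challenge), {"Authorization": "Basic " + basic}, ctx)
    token = json.loads(body).get("token") if tstatus == 200 else None
    if token is None:
        return {"v2": status, "token": tstatus}
    tstatus2, _, _ = _get("%s/v2/%s/tags/list" % (base_url, repo), {"Authorization": "Bearer " + token}, ctx)
    return {"v2": status, "token": tstatus, "tags": tstatus2}


if __name__ == "__main__":
    # Assumed VIP hostname, project/repository and credentials.
    print(smoke_test("https://harbor.xxx.xxx.com", "library/nginx", "admin", "yourpassword"))
```

Run it a few dozen times in a loop during the failover test: with round-robin balancing, every call reaching a node whose root.crt differs from the signing node shows `token` 200 but `tags` 401, which is the symptom the key pinning in section 4 removes.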

8. Common problems

1. The UI loads, but errors appear frequently and the account gets logged out

haproxy/keepalived misconfiguration; check both configurations.

2. Harbor startup logs and troubleshooting: the log files under /var/log/harbor/

3. 401 SignatureMismatch:

Ceph endpoint misconfigured; configure it with a domain name rather than an IP.

4. Data inside the Harbor repository cannot be accessed:

This can be stale data in the database that was newly pointed at during the migration. On this page Clair was given template1 as its database; that is PostgreSQL's template database, so any tables left in it are also cloned into every database created afterwards. Give Clair its own database instead, and if template1 already has Clair tables in it, drop them from there so later databases do not inherit them.

5. The Notary database is local to each node: unresolved.

6. Refreshing the logs occasionally shows no data: caused by requests alternating between the Harbor nodes; unresolved. The likely reason is that the job service writes its logs to local files on each node (/data/job_logs), so a request served by the other node finds nothing; shared storage for that directory is the usual remedy.

7. "unknown blob" errors

When setting up Harbor behind an nginx proxy or elastic load balancing, look for the line below in common/templates/nginx/nginx.http.conf and remove it from the sections location /, location /v2/ and location /service/ if the proxy already sets a similar header:

proxy_set_header X-Forwarded-Proto $scheme;

With the TCP passthrough used in section 6 haproxy sets no HTTP headers, so this only applies if the balancer is switched to HTTP mode.
