Host environment requirements

Hardware

| Resource | Capacity | Description |
|---|---|---|
| CPU | minimal 2 CPU | 4 CPU is preferred |
| Mem | minimal 4GB | 8GB is preferred |
| Disk | minimal 40GB | 160GB is preferred |

Software

| Software | Version | Description |
|---|---|---|
| Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine | version 1.10 or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |

Network ports

| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor UI and API will accept requests on this port for https protocol |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
| 80 | HTTP | Harbor UI and API will accept requests on this port for http protocol |

Installing Harbor

Install Docker

See the Docker deployment and installation guide.

Install docker-compose

    curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose

    docker-compose version
    #------------------------------------------------------------
    docker-compose version 1.18., build 8dd22a9
    docker-py version: 2.6.
    CPython version: 2.7.
    OpenSSL version: OpenSSL 1.0.1t May
    #------------------------------------------------------------

Download the Harbor offline installer

    wget http://harbor.orientsoft.cn/harbor-v1.3.0/harbor-offline-installer-v1.3.0.tgz
    tar xvf harbor-offline-installer-v1.3.0.tgz

Configure the certificates required for HTTPS

    mkdir /data
    mkdir /root/data
    cd /root/data

    # Create your own CA certificate
    openssl req -newkey rsa: -nodes -sha256 -keyout ca.key -x509 -days -out ca.crt
    #------------------------------------------------------------
    Country Name ( letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Harbin
    Locality Name (eg, city) []:Harbin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ydgw
    Organizational Unit Name (eg, section) []:ydgw
    Common Name (e.g. server FQDN or YOUR name) []:10.240.4.159
    Email Address []:liuyajun@ydgw.cn
    #------------------------------------------------------------

    # Generate a certificate signing request
    openssl req -newkey rsa: -nodes -sha256 -keyout 10.240.4.159.key -out 10.240.4.159.csr
    #------------------------------------------------------------
    Country Name ( letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Harbin
    Locality Name (eg, city) []:Harbin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ydgw
    Organizational Unit Name (eg, section) []:ydgw
    Common Name (e.g. server FQDN or YOUR name) []:10.240.4.159
    Email Address []:liuyajun@ydgw.cn

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: # leave the password empty
    An optional company name []:
    #------------------------------------------------------------

    # Create the directory and supporting files
    mkdir demoCA
    cd demoCA
    touch index.txt
    echo '' > serial
    cd ..

    ll
    #------------------------------------------------------------
    total
    drwxr-xr-x root root Jan : ./
    drwx------ root root Jan : ../
    -rw-r--r-- root root Jan : 10.240.4.159.csr
    -rw-r--r-- root root Jan : 10.240.4.159.key
    -rw-r--r-- root root Jan : ca.crt
    -rw-r--r-- root root Jan : ca.key
    drwxr-xr-x root root Jan : demoCA/
    #------------------------------------------------------------

    # Sign the certificate
    echo subjectAltName = IP:10.240.4.159 > extfile.cnf
    openssl ca -in 10.240.4.159.csr -out 10.240.4.159.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -days -outdir .

    #------------------------------------------------------------
    Using configuration from /usr/lib/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: (0x1)
    Validity
    Not Before: Jan :: GMT
    Not After : Jan :: GMT
    Subject:
    countryName = CN
    stateOrProvinceName = Harbin
    organizationName = ydgw
    organizationalUnitName = ydgw
    commonName = 10.240.4.159
    emailAddress = liuyajun@ydgw.cn
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    IP Address:10.240.4.159
    Certificate is to be certified until Jan :: GMT ( days)
    Sign the certificate? [y/n]:y

    out of certificate requests certified, commit? [y/n]y
    Write out database with new entries
    Data Base Updated
    #------------------------------------------------------------

    ll
    #------------------------------------------------------------
    total
    drwxr-xr-x root root Jan : ./
    drwx------ root root Jan : ../
    -rw-r--r-- root root Jan : .pem
    -rw-r--r-- root root Jan : 10.240.4.159.crt
    -rw-r--r-- root root Jan : 10.240.4.159.csr
    -rw-r--r-- root root Jan : 10.240.4.159.key
    -rw-r--r-- root root Jan : ca.crt
    -rw-r--r-- root root Jan : ca.key
    drwxr-xr-x root root Jan : demoCA/
    -rw-r--r-- root root Jan : extfile.cnf
    #------------------------------------------------------------

    # Add the certificate to this host's trust store
    cp 10.240.4.159.crt /usr/local/share/ca-certificates/
    update-ca-certificates

    # Restart Docker so the certificate takes effect
    systemctl daemon-reload
    systemctl restart docker

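The IP address used in the installation above was originally configured as a domain name, but after starting Harbor, docker login always reported an error like the one below. I spent two days debugging without finding a solution and finally had to give up.

    docker login reg.ydgw.cn
    Username: admin
    Password:
    Error response from daemon: Get https://reg.ydgw.cn/v2/: x509: certificate is not valid for any names, but wanted to match reg.ydgw.cn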
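A TLS client accepts a certificate only for a name the certificate carries, so a certificate signed with `subjectAltName = IP:10.240.4.159` matches the IP address but not `reg.ydgw.cn`. The following is an added example, not part of the original post: it builds throwaway certificates with an IP-only SAN and with a DNS plus IP SAN, then checks both names against each before anything is deployed. It signs with `openssl x509 -req` instead of the page's `openssl ca` so that no demoCA directory is needed; it assumes OpenSSL 1.0.2 or newer for `-checkhost` and `-checkip`, and the function names, CA subject, key size and lifetime are assumptions.

```shell
#!/bin/sh
# Added example. Subjects, key size and lifetime are constructed values;
# certificates are throwaway files under a temp directory.

# make_cert DIR SAN: build DIR/ca.crt and a DIR/server.crt carrying SAN.
make_cert() {
    dir=$1; san=$2
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # CN mirrors the page's CSR.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=10.240.4.159" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName = %s\n' "$san" > "$dir/extfile.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/extfile.cnf" \
        -days 30 -sha256 -out "$dir/server.crt" 2>/dev/null
}

# chain_ok DIR: does server.crt chain to ca.crt ("unknown authority" check)?
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# name_ok DIR NAME: would a client dialing NAME accept server.crt?
name_ok() {
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;  # anything but digits and dots: DNS name
        *)         flag=-checkip ;;    # dotted IPv4 literal
    esac
    out=$(openssl x509 -in "$1/server.crt" -noout "$flag" "$2") || return 1
    case $out in *"does match"*) return 0 ;; *) return 1 ;; esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp/ip-only" "IP:10.240.4.159" || return 1
    make_cert "$tmp/both" "DNS:reg.ydgw.cn,IP:10.240.4.159" || return 1
    for d in ip-only both; do
        for n in 10.240.4.159 reg.ydgw.cn; do
            if name_ok "$tmp/$d" "$n"; then r="match"; else r="NO MATCH"; fi
            echo "SAN $d, client dials $n: $r"
        done
    done
    rm -rf "$tmp"
}
demo
```

Running `name_ok` against the real certificate directory with the value of `hostname` from harbor.cfg shows whether clients dialing that name will accept the certificate.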

Configure, install and start Harbor

    # Enter the directory extracted from the Harbor archive
    cd harbor
    #------------------------------------------------------------
    ll
    total
    drwxr-xr-x root root Jan : ./
    drwx------ root root Jan : ../
    drwxr-xr-x root root Jan : common/
    -rw-r--r-- root root Jan : docker-compose.clair.yml
    -rw-r--r-- root root Jan : docker-compose.notary.yml
    -rw-r--r-- root root Jan : docker-compose.yml
    -rw-r--r-- root root Jan : harbor_1_1_0_template
    -rw-r--r-- root root Jan : harbor.cfg
    -rw-r--r-- root root Jan : harbor.v1.3.0.tar.gz
    -rwxr-xr-x root root Jan : install.sh*
    -rw-r--r-- root root Jan : LICENSE
    -rw-r--r-- root root Jan : NOTICE
    -rwxr-xr-x root root Jan : prepare*
    -rwxr-xr-x root root Jan : upgrade*
    #------------------------------------------------------------

    vi harbor.cfg
    # Change the following items
    #------------------------------------------------------------
    hostname = reg.ydgw.cn
    ui_url_protocol = https

    ssl_cert = /root/data/10.240.4.159.crt
    ssl_cert_key = /root/data/10.240.4.159.key

    # MySQL database password; can be changed to something more complex
    db_password = xxxxxxx
    # Harbor admin user password; can also be changed later in the web UI
    harbor_admin_password = xxxxxxxx
    #------------------------------------------------------------

    # Generate the configuration files
    ./prepare

    # Start Harbor (the first start needs to pull some images)
    docker-compose up -d

Persistent data and log files

By default, registry data is persisted in the host's /data directory. This data remains unchanged even when Harbor's containers are removed and/or recreated.

    ll /data
    #------------------------------------------------------------
    total
    drwxr-xr-x root root Jan : ./
    drwxr-xr-x root root Jan : ../
    drwxr-xr-x Jan : ca_download/
    drwxr-xr-x Jan : config/
    drwxr-xr-x Jan : database/
    drwxr-xr-x Jan : job_logs/
    drwxr-xr-x Jan : psc/
    drwxr-xr-x Jan : registry/
    -rw------- Jan : secretkey
    #------------------------------------------------------------

Using Harbor

Web login

Open in a browser: https://10.240.4.159

Enter the username and password to log in.

docker login from a client

    # Logging in from a client without installing the certificate gives the following error
    docker login 10.240.4.159
    Username: admin
    Password:
    Error response from daemon: Get https://10.240.4.159/v2/: x509: certificate signed by unknown authority

    # Copy the certificate to a client machine such as 10.240.4.160 and trust it
    scp 10.240.4.159.crt 10.240.4.160:/usr/local/share/ca-certificates/

    # Run on the client machine 10.240.4.160
    update-ca-certificates

    # Restart Docker so the certificate takes effect
    systemctl daemon-reload
    systemctl restart docker

    # After that, login works normally
    docker login 10.240.4.159
    Username: admin
    Password:
    Login Succeeded

Push an image to Harbor

In Harbor, create a new project named os and set its access level to public.

Click the os project; the push-image panel shows the commands to use.

    # First pull the official centos image
    docker pull centos:7.4.

    # Re-tag the image
    docker tag centos:7.4. 10.240.4.159/os/centos:7.4.

    docker images | grep centos
    10.240.4.159/os/centos 7.4. 3afd47092a0e months ago 197MB
    centos 7.4. 3afd47092a0e months ago 197MB

    # Push the image (requires login)
    docker push 10.240.4.159/os/centos:7.4.

After refreshing, the pushed image is visible in Harbor.

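Harbor lifecycle

    cd harbor

    # Stop and start
    docker-compose stop
    docker-compose start

    # To change Harbor's configuration, first stop the existing Harbor instance and update harbor.cfg. Then run the prepare script to populate the configuration. Finally, re-create and start the Harbor instance:
    docker-compose down -v # Remove Harbor's containers while keeping the image data and Harbor's database files on the file system
    vi harbor.cfg
    ./prepare
    docker-compose up -d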

Harbor troubleshooting

    docker-compose ps
    #----------------------------------------------------------------------------------------------------------------------------
    Name Command State Ports
    ------------------------------------------------------------------------------------------------------------------------------
    harbor-adminserver /harbor/start.sh Up
    harbor-db /usr/local/bin/docker-entr ... Up /tcp
    harbor-jobservice /harbor/start.sh Up
    harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:->/tcp
    harbor-ui /harbor/start.sh Up
    nginx nginx -g daemon off; Up 0.0.0.0:->/tcp, 0.0.0.0:->/tcp, 0.0.0.0:->/tcp
    registry /entrypoint.sh serve /etc/ ... Up /tcp
    #----------------------------------------------------------------------------------------------------------------------------
    # If a container is not in the Up state, check that container's log file in the /var/log/harbor directory. For example, if the harbor-ui container is not running, look at the log file ui.log

    netstat -tnulp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0.0.0.0: 0.0.0.0:* LISTEN /rpc.statd
    tcp 127.0.0.1: 0.0.0.0:* LISTEN /docker-proxy
    tcp 0.0.0.0: 0.0.0.0:* LISTEN /rpcbind
    tcp 0.0.0.0: 0.0.0.0:* LISTEN /sshd
    tcp6 ::: :::* LISTEN /rpcbind
    tcp6 ::: :::* LISTEN /docker-proxy #
    tcp6 ::: :::* LISTEN /rpc.statd
    tcp6 ::: :::* LISTEN /sshd
    tcp6 ::: :::* LISTEN /docker-proxy
    tcp6 ::: :::* LISTEN /docker-proxy
    udp 0.0.0.0: 0.0.0.0:* /rpcbind
    udp 0.0.0.0: 0.0.0.0:* /rpc.statd
    udp 0.0.0.0: 0.0.0.0:* /rpcbind
    udp 127.0.0.1: 0.0.0.0:* /rpc.statd
    udp6 ::: :::* /rpcbind
    udp6 ::: :::* /rpcbind
    udp6 ::: :::* /rpc.statd
