Harbor 是Vmware公司开源的企业级Docker Registry管理项目,开源项目地址:https://github.com/vmware/harbor
Harbor的所有组件都在Docker中部署,所以Harbor可使用Docker Compose快速部署。(由于Harbor是基于Docker Registry V2版本,所以docker版本至少1.10.0、docker-compose版本至少1.6.0)
 
主要组件:
(1)proxy:nginx前端代理,分发前端页面ui访问和镜像上传和下载流量;
(2)ui:提供前端页面和后端API,底层使用mysql数据库;
(3)registry:镜像仓库,负责存储镜像文件,当镜像上传完毕后通过hook通知ui创建repository,registry的token认证也是通过ui组件完成;
(4)adminserver是系统的配置管理中心附带检查存储用量,ui和jobserver启动时候回需要加载adminserver的配置
(5)jobsevice:负责镜像复制工作,和registry通信,从一个registry pull镜像然后push到另一个registry,并记录job_log;
(6)log:日志汇总组件,通过docker的log-driver把日志汇总到一起。
 
部署过程:
下面采用的是下载tgz离线安装包的方式(假设docker、docker-compose都已经部署好)
[root@localhost harbor]#tar xvf harbor-offline-installer-v1.7.0.tgz
[root@localhost harbor]# ll
总用量
drwxr-xr-x. root root 1月 : common
-rw-r--r--. root root 12月 : docker-compose.chartmuseum.yml
-rw-r--r--. root root 12月 : docker-compose.clair.yml
-rw-r--r--. root root 12月 : docker-compose.notary.yml
-rw-r--r--. root root 12月 : docker-compose.yml
-rw-r--r--. root root 1月 : harbor.cfg
-rw-r--r--. root root 12月 : harbor.v1.7.0.tar.gz
-rwxr-xr-x. root root 12月 : install.sh
-rw-r--r--. root root 12月 : LICENSE
-rw-r--r--. root root 12月 : open_source_license
-rwxr-xr-x. root root 12月 : prepare
修改配置文件harbor.cfg
## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.5.
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 132.252.128.67 ##设置访问地址,可以使用ip、主机名,不可以设置为127.0.0.1或localhost #The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http      ##设置访问协议,默认http,若设为https则nginx ssl需要设置on #Maximum number of job workers in job service
max_job_workers = #Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on #The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt ##若没有此目录则需要手动建立
ssl_cert_key = /data/cert/server.key #The path of secretkey storage
secretkey_path = /data #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA #Log files are rotated log_rotate_count times before being removed. If count is , old versions are removed rather than rotated.
log_rotate_count =
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size , size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M #Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor ui container via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui #************************BEGIN INITIAL PROPERTIES************************ #下面是邮件设置,发送重置密码邮件时使用,没配的法不能通过邮件重置密码
#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port =
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false ##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = ##启动Harbor后,管理员UI登录的密码,默认是Harbor12345 ##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth ##认证方式,这里支持多种认证方式,如LADP、本次存储、数据库认证。默认是db_auth,mysql数据库认证 #The url for an ldap endpoint. ##LDAP认证时配置项
ldap_url = ldaps://ldap.mydomain.com #A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com #the password of the ldap_searchdn
#ldap_search_pwd = password #The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com #Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person) # The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid #the scope to search for users, -LDAP_SCOPE_BASE, -LDAP_SCOPE_ONELEVEL, -LDAP_SCOPE_SUBTREE
ldap_scope = #Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is seconds.
ldap_timeout = #Verify certificate from LDAP server
ldap_verify_cert = true #The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com #filter to search LDAP/AD group
ldap_group_filter = objectclass=group
#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn #The scope to search for ldap groups. -LDAP_SCOPE_BASE, -LDAP_SCOPE_ONELEVEL, -LDAP_SCOPE_SUBTREE
ldap_group_scope = #Turn on or off the self-registration feature
self_registration = on ##是否开启自注册 #The expiration time (in minute) of token created by token service, default is minutes
token_expiration = ##Token有效时间,默认30分钟 #The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone ##用户创建项目权限控制,默认是everyone(所有人),也可以设置为adminonly(只能管理员) #************************END INITIAL PROPERTIES************************ #######Harbor DB configuration section####### #The address of the Harbor database. Only need to change when using external db.
db_host = mysql #The password for the root user of Harbor DB. Change this before any production use.
db_password = root123 #The port of Harbor database host
db_port = #The user name of Harbor database
db_user = root ##### End of Harbor DB configuration####### #The redis server address. Only needed in HA installation.
#address:port[,weight,password,db_index]
#redis_url = redis:
redis_url = ##########Clair DB configuration############ #Clair DB host address. Only change it when using an exteral DB.
clair_db_host = postgres #The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password #Clair DB connect port
clair_db_port = #Clair DB username
clair_db_username = postgres #Clair default database
clair_db = postgres ##########End of Clair DB configuration############ #The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem ### Harbor Storage settings ###
#Please be aware that the following storage settings will be applied to both docker registry and helm chart repository.
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry.
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
#registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
registry_custom_ca_bundle = #If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites exsiting settings.
#reload_config=true
#Regular expression to match skipped environment variables
#skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)
执行./install.sh,Harbor服务就会根据当期目录下的docker-compose.yml开始下载依赖的镜像,检测并通过docker-compose启动各服务
各服务以容器的形式存在:nginx、vmware/harbor-jobservice、vmware/harbor-db、library/registry、harbor-ui、vmware/harbor-log
启动完成后,访问http://132.252.128.67:80(端口映射可以去docker-compose.yml中修改)
以后执行docker-compose start/stop命令或者 docker-compose up/down -v就可以快速开关服务。
 
主要功能:
(1)Docker Registry管理UI
部分配置项可以在UI页面上直接修改,如邮件服务器配置、LDMA配置等
(2)角色访问控制
除了admin,用户分为三种角色:项目管理员(MDRWS)、开发人员(RWS)和访客(RS)
M:管理、D:删除、R:读取、W:写入、S:查询
用户只能新建自己的项目,并push/pull自己所在项目的镜像,其他人的私有仓库都不能操作。
用户创建私有项目project_name后,只有该用户允许的用户才向该项目中上传镜像:
$ docker login 132.252.128.67:
Username: admin
Password:
Login Succeeded
$ docker tag XXX 132.252.128.67:/project_name/container_name
$ docker push 132.252.128.67:/project_name/container_name
(2)复制备份
新建复制目标-新建复制规则,就可以通过docker registry的API去拷贝
(3)集成了clair镜像扫描功能
它是cereos开发的一款漏洞扫描工具,可以检查镜像操作系统以及上面安装包是否与已知不安全的包版本相匹配,从而提高镜像安全性。
(4)AD/LDAP集成
默认认证模式把用户凭证存储在本地Mysql数据库。
配置LDAP完成后,即可使用ldap帐户登录harbor,但是项目权限无法通过ldap组去控制。
通过ldap组控制harbor权限,需满足以下条件:支持导入ldap组(harbor版本1.6及以上)、支持memberOf属性
(5)日志管理

企业级Registry仓库Harbor的部署与简介的更多相关文章

  1. Harbor安装 -- 企业级Registry仓库

    (一)Harbor安装 -- 企业级Registry仓库 以下文章转自http://www.jianshu.com/p/2ebadd9a323d 根据Harbor官方描述: Harbor是一个用于存储 ...

  2. 企业级镜像仓库harbor搭建

    企业级镜像仓库harbor搭建 一.    Harbor概述 VMware公司最近开源了企业级Registry项目Harbor,其的目标是帮助用户迅速搭建一个企业级的Docker registry 服 ...

  3. Kubernetes-5:搭建企业级私有仓库Harbor

    搭建企业级私有仓库Harbor 安装需求 python版本 >= 2.7 Docker引擎版本 >= 1.10 docker-compose版本 >= 1.6.0 安装环境 一.Py ...

  4. 企业级镜像仓库 harbor

    企业级镜像仓库 harbor 前言 a. 本文主要为 Docker的视频教程 笔记. b. 环境为 CentOS 7.0 云服务器 c. 上一篇:跨 Docker 宿主机网络 overlay 类型 h ...

  5. (一)Harbor安装 -- 企业级Registry仓库

    根据Harbor官方描述: Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,通过添加一些企业必需的功能特性,例如安全.标识和管理等,扩展了开源Docker Distri ...

  6. Harbor安装(docker-compose) -- 企业级Registry仓库

    根据Harbor官方描述: Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,通过添加一些企业必需的功能特性,例如安全.标识和管理等,扩展了开源Docker Distri ...

  7. docker进阶-搭建私有企业级镜像仓库Harbor

    为什么要搭建私有镜像仓库   对于一个刚刚接触Docker的人来说,官方的Docker hub是用于管理公共镜像.既然官方提供了镜像仓库我们为什么还要去自己搭建私有仓库呢?虽然也可以托管私有镜像.我们 ...

  8. docker企业级镜像仓库Harbor管理

    Harbor概述 Harbor是由VMWare公司开源的容器镜像仓库.事实上,Harbor是在Docker Registry上进行了相应的企业级扩展,从而获得了更加广泛的应用,这些新的企业级特性包括: ...

  9. Docker: 企业级镜像仓库Harbor的使用

    上一节,演示了Harbor的安装部署 这次我们来讲解 Harbor的使用. 我们需要了解到: 1. 如何推镜像到镜像仓库 2. 如何从镜像仓库拉取镜像 3. 如何运行从私有仓库拉取的镜像 # 查看 h ...

随机推荐

  1. Dockerfile镜像优化,减小镜像

    前言镜像的优化注意几条: 选择最精简的基础镜像减少镜像的层数清理镜像构建的中间产物注意优化网络请求尽量去用构建缓存使用多阶段构建镜像接下来我们以rhel7镜像构建容器,并在容器中安装nginx的源码包 ...

  2. gitlab的还原

    源服务器: ip: 192.168.0.199 系统:CentOS7.2 内核: 3.10.0-327 gitlab版本: gitlab-ce-8.0.5 新服务器: ip: 192.168.0.19 ...

  3. 数据结构C语言实现----图

    邻接表储存结构 /*邻接表的边*/ typedef struct ArcNode { int adjvex; struct ArcNode *next; }ArcNode; /*邻接表的结点*/ ty ...

  4. 总结HashMap实现原理分析

    一.底层数据结构在JDK1.6,JDK1.7中,HashMap采用位桶+链表实现,即使用链表处理冲突,同一hash值的键值对会被放在同一个位桶里,当桶中元素较多时,通过key值查找的效率较低. 而JD ...

  5. Python time altzone()方法

    描述 Python time altzone() 函数返回格林威治西部的夏令时地区的偏移秒数.高佣联盟 www.cgewang.com 如果该地区在格林威治东部会返回负值(如西欧,包括英国).对夏令时 ...

  6. CMD使用笔记

    CMD杂谈 基本功: 1,列出所有任务及进程号,杀进程   tasklist tasklist /? 获取使用帮助 taskkill taskkill /? 获取使用帮助   2,cd 切换目录 cd ...

  7. Struts/Servlet,action转到jsp后,CSS失效,路径问题(struts2,jsp路径,action路径,action跳转,相对路径,绝对路径)

    问题:使用struts2,如何处理action的路径?还有,在action转到的jsp中,如何写js,css,图 片的路径?(例如访问http://localhost/project/listUser ...

  8. idea中运行Tomcat后控制台出现乱码(统一设置成UTF-8)

    出现问题:运行Tomcat后控制台出现乱码,输出语句乱码(idea 2019.3版本) 解决方法: 方案1:File----->Settings..----->Editor-----> ...

  9. MapReduce之GroupingComparator分组(辅助排序、二次排序)

    指对Reduce阶段的数据根据某一个或几个字段进行分组. 案例 需求 有如下订单数据 现在需要找出每一个订单中最贵的商品,如图 需求分析 利用"订单id和成交金额"作为key,可以 ...

  10. Spring Boot的自动配置,到底是怎么做到?

    作者:祖大帅 链接:juejin.im/post/5b679fbc5188251aad213110 来源:掘金 1. Spring Boot.Spring MVC 和 Spring 有什么区别? 分开 ...