Harbor is VMware's open-source enterprise Docker Registry management project; the project lives at https://github.com/vmware/harbor
All Harbor components run in Docker, so Harbor can be deployed quickly with Docker Compose. (Harbor is built on Docker Registry V2, so it needs Docker 1.10.0 or later and docker-compose 1.6.0 or later.)
 
Main components:
(1) proxy: the nginx front-end proxy, which routes UI page traffic and image push/pull traffic;
(2) ui: serves the web front end and the back-end API, backed by a MySQL database;
(3) registry: the image registry that stores the image files; when an upload finishes it notifies ui through a hook to create the repository, and the registry's token authentication is also handled by the ui component;
(4) adminserver: the system configuration center, which also checks storage usage; ui and jobservice load their configuration from adminserver at startup;
(5) jobservice: handles image replication by talking to registries, pulling an image from one registry and pushing it to another, and records job_log;
(6) log: the log aggregation component, which collects the logs of all containers through Docker's log-driver.
 
Deployment process:
The steps below use the offline tgz installer (Docker and docker-compose are assumed to be installed already).
[root@localhost harbor]# tar xvf harbor-offline-installer-v1.7.0.tgz
[root@localhost harbor]# ll
total
drwxr-xr-x. root root Jan : common
-rw-r--r--. root root Dec : docker-compose.chartmuseum.yml
-rw-r--r--. root root Dec : docker-compose.clair.yml
-rw-r--r--. root root Dec : docker-compose.notary.yml
-rw-r--r--. root root Dec : docker-compose.yml
-rw-r--r--. root root Jan : harbor.cfg
-rw-r--r--. root root Dec : harbor.v1.7.0.tar.gz
-rwxr-xr-x. root root Dec : install.sh
-rw-r--r--. root root Dec : LICENSE
-rw-r--r--. root root Dec : open_source_license
-rwxr-xr-x. root root Dec : prepare
Edit the configuration file harbor.cfg:
## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.5.
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 132.252.128.67 ## Address used to reach Harbor; an IP or hostname, never 127.0.0.1 or localhost
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http ## Access protocol, http by default; for https, ssl must be switched on in nginx
#Maximum number of job workers in job service
max_job_workers =
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on
#The path of cert and key files for nginx, they are applied only when the protocol is set to https
ssl_cert = /data/cert/server.crt ## Create this directory by hand if it does not exist
ssl_cert_key = /data/cert/server.key
#The path of secretkey storage
secretkey_path = /data
#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA
#Log files are rotated log_rotate_count times before being removed. If count is , old versions are removed rather than rotated.
log_rotate_count =
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size , size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M
#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor ui container via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui
#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui
#************************BEGIN INITIAL PROPERTIES************************
## The mail settings below are used for password-reset e-mails; without them, passwords cannot be reset by e-mail
#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port =
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = ## Password for the admin UI login once Harbor is up; the default is Harbor12345
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth ## Authentication mode; several are supported (LDAP, local storage, database). The default db_auth authenticates against the MySQL database
#The url for an ldap endpoint. ## LDAP settings, used when auth_mode is ldap_auth
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, -LDAP_SCOPE_BASE, -LDAP_SCOPE_ONELEVEL, -LDAP_SCOPE_SUBTREE
ldap_scope =
#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is  seconds.
ldap_timeout =
#Verify certificate from LDAP server
ldap_verify_cert = true
#The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com
#filter to search LDAP/AD group
ldap_group_filter = objectclass=group
#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn
#The scope to search for ldap groups. -LDAP_SCOPE_BASE, -LDAP_SCOPE_ONELEVEL, -LDAP_SCOPE_SUBTREE
ldap_group_scope =
#Turn on or off the self-registration feature
self_registration = on ## Whether self-registration is enabled
#The expiration time (in minute) of token created by token service, default is  minutes
token_expiration = ## Token lifetime, 30 minutes by default
#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to create a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone ## Who may create projects; everyone by default, or adminonly to restrict it to administrators
#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######
#The address of the Harbor database. Only need to change when using external db.
db_host = mysql
#The password for the root user of Harbor DB. Change this before any production use.
db_password = root123
#The port of Harbor database host
db_port =
#The user name of Harbor database
db_user = root
##### End of Harbor DB configuration#######

#The redis server address. Only needed in HA installation.
#address:port[,weight,password,db_index]
#redis_url = redis:
redis_url =

##########Clair DB configuration############
#Clair DB host address. Only change it when using an external DB.
clair_db_host = postgres
#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password
#Clair DB connect port
clair_db_port =
#Clair DB username
clair_db_username = postgres
#Clair default database
clair_db = postgres
##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem

### Harbor Storage settings ###
#Please be aware that the following storage settings will be applied to both docker registry and helm chart repository.
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry.
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
#registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#of registry's and chart repository's containers. This is usually needed when the user hosts an internal storage with self signed certificate.
registry_custom_ca_bundle =

#If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites existing settings.
#reload_config=true
#Regular expression to match skipped environment variables
#skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)
Run ./install.sh. Harbor pulls the images it depends on according to the docker-compose.yml in the current directory, checks them, and starts each service through docker-compose.
Each service runs as a container: nginx, vmware/harbor-jobservice, vmware/harbor-db, library/registry, harbor-ui, vmware/harbor-log.
Once startup completes, open http://132.252.128.67:80 (the port mapping can be changed in docker-compose.yml).
From then on, docker-compose start/stop or docker-compose up/down -v starts and stops the services quickly.
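Because the settings above only take effect on the first boot, it pays to lint harbor.cfg before running ./install.sh. The script below is an added example written for this walkthrough, not part of Harbor: it reads the values from a harbor.cfg (including the ones with trailing "## ..." notes, as above) and reports the risky choices the file's own comments warn about; the default passwords it matches are the ones shown in the listing (Harbor12345, root123, password).

```shell
#!/bin/sh
# Added example, not part of Harbor: pre-flight lint for harbor.cfg, run before
# ./install.sh. Flags hostname set to localhost/127.0.0.1, https without cert
# files, shipped default passwords, an unknown auth_mode and open self-registration.

# cfg_get FILE KEY: print the value of "KEY = value", trailing "# comments" stripped
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

flag() { echo "$1"; FINDINGS=$((FINDINGS + 1)); }

# check_harbor_cfg FILE: print one finding per line, return the number of findings
check_harbor_cfg() {
    FINDINGS=0
    host=$(cfg_get "$1" hostname)
    case "$host" in
        ""|localhost|127.0.0.1) flag "hostname: must be an externally reachable IP or FQDN (got '$host')" ;;
    esac
    proto=$(cfg_get "$1" ui_url_protocol)
    if [ "$proto" = https ]; then
        for k in ssl_cert ssl_cert_key; do
            f=$(cfg_get "$1" "$k")
            [ -r "$f" ] || flag "$k: file '$f' is missing or unreadable"
        done
    elif [ "$proto" = http ]; then
        flag "ui_url_protocol: http sends registry credentials and tokens in clear text"
    else
        flag "ui_url_protocol: must be http or https (got '$proto')"
    fi
    case "$(cfg_get "$1" harbor_admin_password)" in
        ""|Harbor12345) flag "harbor_admin_password: empty or default, set a strong admin password" ;;
    esac
    case "$(cfg_get "$1" db_password)" in
        ""|root123) flag "db_password: empty or default, change it before any production use" ;;
    esac
    [ "$(cfg_get "$1" clair_db_password)" != password ] ||
        flag "clair_db_password: still the shipped default"
    mode=$(cfg_get "$1" auth_mode)
    case "$mode" in
        db_auth|ldap_auth|uaa_auth) ;;
        *) flag "auth_mode: unknown value '$mode'" ;;
    esac
    [ "$mode" = ldap_auth ] && [ "$(cfg_get "$1" ldap_verify_cert)" != true ] &&
        flag "ldap_verify_cert: off, the LDAP server certificate is not validated"
    [ "$(cfg_get "$1" self_registration)" = on ] &&
        flag "self_registration: on, anyone who can reach the UI can create an account"
    return $FINDINGS
}
```

Run it as `check_harbor_cfg harbor.cfg` from the installer directory; a non-zero exit status is the number of findings, so it drops straight into a deployment pipeline gate.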
 
Main features:
(1) Docker Registry management UI
Some settings, such as the mail server and LDAP configuration, can be changed directly in the UI.
(2) Role-based access control
Apart from admin, users hold one of three project roles: project administrator (MDRWS), developer (RWS) and guest (RS).
M: manage, D: delete, R: read, W: write, S: search.
A user can only create their own projects and push/pull images of the projects they belong to; nobody else's private repositories can be touched.
After a user creates a private project project_name, only users that owner has granted access can push images into it:
$ docker login 132.252.128.67:
Username: admin
Password:
Login Succeeded
$ docker tag XXX 132.252.128.67:/project_name/container_name
$ docker push 132.252.128.67:/project_name/container_name
(3) Replication and backup
Create a replication endpoint, then a replication rule, and images are copied through the Docker Registry API.
(4) Integrated Clair image scanning
Clair is a vulnerability scanner developed by CoreOS; it checks the image's operating system and the packages installed on it against known vulnerable package versions, improving image security.
(5) AD/LDAP integration
The default authentication mode stores user credentials in the local MySQL database.
Once LDAP is configured, LDAP accounts can log in to Harbor, but project permissions cannot be controlled through LDAP groups.
Controlling Harbor permissions through LDAP groups requires LDAP group import (Harbor 1.6 or later) and support for the memberOf attribute.
(6) Log management
