容器云平台No.5~企业级私有镜像仓库Harbor V2.02

镜像仓库

仓库，顾名思义，就是存放东西的地方，Docker仓库,理所当然，就是存放docker镜像的地方了。

Docker仓库分公有仓库和私有仓库。共有仓库有hub.docker.com、gcr.io、k8s.gcr.io等，一般常用开源应用程序的官方镜像都存放于共有仓库，但是鉴于这些仓库都在国外，下载速度比较慢。尤其k8s相关的镜像，得魔法上网。

私有仓库一般是公司内部自行搭建，用于存放内部构建的docker镜像，部署服务时从私有仓库下载，分发速度快。

Docker 官方提供了一个搭建私有仓库的镜像 registry ，只需把镜像下载下来，运行容器并暴露5000端口，就可以使用了。这里不做详细介绍。

harbor

一个用于存储docker镜像的企业级Registry服务。相比较于原生的Regisrty来说，它具有很多的优势。

• 提供分层传输机制，优化网络传输
• 提供WEB界面，优化用户体验
• 支持水平扩展集群
• 良好的安全机制
• Harbor提供了基于角色的访问控制机制，并通过项目来对镜像进行组织和访问权限的控制

harbor架构图

安装harbor

PS：因为镜像仓库属于基础服务，建议使用单独的服务器部署。

1、下载离线安装包

# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz

2、解压并根据需求自行修改harbor.yml配置文件，这里直接是用默认

# tar -zxf harbor-offline-installer-v2.0.2.tgz
# cd harbor/
# mv  harbor.yml.tmpl harbor.yml

3、执行安装命令

这里使用默认安装，感兴趣的可以安装更多Notary, Clair, or Chart Repository Service等服务。使用./install.sh --with-notary --with-clair --with-chartmuseum

./install.sh
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.2
[Step 2]: loading Harbor images ...
Loaded image: goharbor/prepare:v2.0.2
Loaded image: goharbor/harbor-jobservice:v2.0.2
Loaded image: goharbor/harbor-registryctl:v2.0.2
Loaded image: goharbor/registry-photon:v2.0.2
Loaded image: goharbor/harbor-core:v2.0.2
Loaded image: goharbor/notary-signer-photon:v2.0.2
Loaded image: goharbor/clair-photon:v2.0.2
Loaded image: goharbor/trivy-adapter-photon:v2.0.2
Loaded image: goharbor/harbor-log:v2.0.2
Loaded image: goharbor/nginx-photon:v2.0.2
Loaded image: goharbor/clair-adapter-photon:v2.0.2
Loaded image: goharbor/chartmuseum-photon:v2.0.2
Loaded image: goharbor/harbor-portal:v2.0.2
Loaded image: goharbor/harbor-db:v2.0.2
Loaded image: goharbor/redis-photon:v2.0.2
Loaded image: goharbor/notary-server-photon:v2.0.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-db     ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
 ----Harbor has been installed and started successfully.----

查看下运行了哪些服务？

docker ps
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS                   PORTS                       NAMES
8d746c430f3e        goharbor/harbor-jobservice:v2.0.2    "/harbor/entrypoint."   4 minutes ago       Up 4 minutes (healthy)                               harbor-jobservice
388f24831ec9        goharbor/nginx-photon:v2.0.2         "nginx -g 'daemon of"   4 minutes ago       Up 4 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
15bc12fd3826        goharbor/harbor-core:v2.0.2          "/harbor/entrypoint."   4 minutes ago       Up 4 minutes (healthy)                               harbor-core
bb48e39130e5        goharbor/harbor-db:v2.0.2            "/docker-entrypoint."   4 minutes ago       Up 4 minutes (healthy)   5432/tcp                    harbor-db
1bcd0ffcae82        goharbor/harbor-registryctl:v2.0.2   "/home/harbor/start."   4 minutes ago       Up 4 minutes (healthy)                               registryctl
8ef9f3d3a668        goharbor/redis-photon:v2.0.2         "redis-server /etc/r"   4 minutes ago       Up 4 minutes (healthy)   6379/tcp                    redis
e05d4d845f3f        goharbor/harbor-portal:v2.0.2        "nginx -g 'daemon of"   4 minutes ago       Up 4 minutes (healthy)   8080/tcp                    harbor-portal
c5fcd2369931        goharbor/registry-photon:v2.0.2      "/home/harbor/entryp"   4 minutes ago       Up 4 minutes (healthy)   5000/tcp                    registry
61e69b171b33        goharbor/harbor-log:v2.0.2           "/bin/sh -c /usr/loc"   4 minutes ago       Up 4 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

从输出信息可以看出，安装不服务组件还是挺多的，可以参考架构图。

至此，harbor安装好了，现在来测试下往这个仓库上传镜像、从这个私有仓库下载镜像

上传镜像

首先登陆私有仓库

docker login 10.26.27.106
Username: admin
Password:
Error response from daemon: Get https://10.26.27.106/v2/: dial tcp 10.26.27.106:443: connect: connection refused

发现，登陆失败，因为这里仓库没有配置https，docker默认只允许登陆https的服务，http认为是不安全的。

现在我们来修改docker的配置，允许docker登陆不安全的仓库

vim /etc/docker/daemon.json,添加"insecure-registries":["10.26.27.106"]

{
  "registry-mirrors": ["https://ci7pm4nx.mirror.aliyuncs.com","https://registry.docker-cn.com","http://hub-mirror.c.163.com"],
  "insecure-registries":["10.26.27.106"]
}

再次登陆

# systemctl restart docker
# docker login http://10.26.27.106
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

现在看到，已经登陆成功了，让我们从公有仓库下载一个镜像，然后传到私有仓库中

docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
df8698476c65: Pull complete
Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

使用tag个给刚才下载的busybox镜像打标签，改为10.26.27.106/library/busybox:latest

# docker tag busybox:latest 10.26.27.106/library/busybox:latest
# docker push 10.26.27.106/library/busybox:latest
The push refers to repository [10.26.27.106/library/busybox]
be8b8b42328a: Pushed
latest: digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002 size: 527

可以看到，已经上传成功。

下载镜像

首先我们删除所以的busybox镜像

docker images|grep busybox
10.26.27.106/libary/busybox                         latest              6858809bf669        4 days ago          1.23MB
10.26.27.106/library/busybox                        latest              6858809bf669        4 days ago          1.23MB
busybox                                             latest              6858809bf669        4 days ago          1.23MB

docker rmi busybox 10.26.27.106/library/busybox     10.26.27.106/libary/busybox
Untagged: busybox:latest
Untagged: busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Untagged: 10.26.27.106/library/busybox:latest
Untagged: 10.26.27.106/library/busybox@sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Untagged: 10.26.27.106/libary/busybox:latest
Deleted: sha256:6858809bf669cc5da7cb6af83d0fae838284d12e1be0182f92f6bd96559873e3
Deleted: sha256:be8b8b42328a15af9dd6af4cba85821aad30adde28d249d1ea03c74690530d1c

下载镜像

docker pull 10.26.27.106/library/busybox
Using default tag: latest
latest: Pulling from library/busybox
df8698476c65: Pull complete
Digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Status: Downloaded newer image for 10.26.27.106/library/busybox:latest
10.26.27.106/library/busybox:latest

可以看到，下载成功，收工￥#@￥#@￥@