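07. Enterprise Image Registry: Harbor

1. Harbor overview

Harbor is a container image registry open-sourced by VMware. It is in fact Docker Registry with enterprise-grade extensions, which is why it has been so widely adopted. The added enterprise features include a management UI, role-based access control, AD/LDAP integration and audit logging, enough to meet basic enterprise needs.
Official site: https://vmware.github.io/harbor/cn/
Harbor on GitHub: https://github.com/goharbor/harbor
Hardware and software requirements for installation: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md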

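Component            Function
harbor-adminserver   Configuration management center
harbor-db            MySQL database
harbor-jobservice    Image replication
harbor-log           Operation logging
harbor-ui            Web management UI and API
nginx                Front-end proxy; forwards the web UI and image upload/download traffic
redis                Sessions
registry             Image storage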

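2. Harbor deployment

Harbor can be installed in three ways:
• Online installer: pulls the Harbor images from Docker Hub, so the installer package is very small
• Offline installer: the package bundles the images needed for deployment, so it is relatively large
• OVA installer: for users with a vCenter environment; Harbor starts after the OVA is deployed

Offline installation:
(1) Install docker compose

Install the dependency, docker compose.

Installation docs: https://docs.docker.com/compose/install/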

# sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose 

(2) Install Harbor

# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0-rc1.tgz
# tar zxvf harbor-offline-installer-v1.8.0-rc1.tgz
# cd harbor
# vim harbor.yml
## values set in harbor.yml (YAML syntax; HTTP only, the https section stays commented out)
hostname: 10.40.6.165
http:
  port: 80
harbor_admin_password: Harbor12345
# ./install.sh
   ...
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db   ... done
Creating registryctl ... done
Creating redis       ... done
Creating registry    ... done
Creating harbor-core ... done
Creating harbor-portal     ... done
Creating harbor-jobservice ... done
Creating nginx             ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://10.40.6.165. 
For more details, please visit https://github.com/goharbor/harbor .

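### After installation there is a docker-compose.yml file that defines how the component images are started as containers

# docker-compose ps   ## list the components; each one runs as a container and its State should be Up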
      Name                     Command                       State                     Ports          
------------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (health: starting)                            
harbor-db           /entrypoint.sh postgres          Up (health: starting)   5432/tcp                 
harbor-jobservice   /harbor/start.sh                 Up                                               
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (health: starting)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (health: starting)   80/tcp                   
nginx               nginx -g daemon off;             Up (health: starting)   0.0.0.0:80->80/tcp       
redis               docker-entrypoint.sh redis ...   Up                      6379/tcp                 
registry            /entrypoint.sh /etc/regist ...   Up (health: starting)   5000/tcp                 
registryctl         /harbor/start.sh                 Up (health: starting)

Then open http://10.40.6.165 in a browser and log in.

3. Basic usage

Steps and format for pushing an image:

Tag the image for the project:
docker tag SOURCE_IMAGE[:TAG] 10.40.6.165/library/IMAGE[:TAG]

Push the image to the current project:
docker push 10.40.6.165/library/IMAGE[:TAG]

# docker tag nginx:v1 10.40.6.165/library/nginx:v1
# docker push 10.40.6.165/library/nginx:v1
The push refers to repository [10.40.6.165/library/nginx]
Get https://10.40.6.165/v2/: dial tcp 10.40.6.165:443: connect: connection refused  

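The Docker client tried HTTPS on port 443, which this Harbor instance does not serve. Because we are using HTTP, the registry has to be added to the client's trusted (insecure) registries.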

# docker info
   ...
Insecure Registries:
 127.0.0.0/8
   ...

(1) Configure the HTTP registry as trusted

# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["http://f1361db2.m.daocloud.io"],
  "insecure-registries":["http://10.40.6.165"]
}

# systemctl restart docker
# docker-compose ps    ## some containers are Up, some are in Exit state
      Name                     Command                  State                 Ports          
---------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Exit 137                                
harbor-db           /entrypoint.sh postgres          Exit 255                                
harbor-jobservice   /harbor/start.sh                 Up                                      
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp                   
nginx               nginx -g daemon off;             Exit 128                                
redis               docker-entrypoint.sh redis ...   Exit 137                                
registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp                 
registryctl         /harbor/start.sh                 Exit 137                                

# docker-compose up -d
harbor-log is up-to-date
registry is up-to-date
Starting registryctl ... done
Starting harbor-db   ... done
Starting redis       ... done
Starting harbor-core ... done
harbor-jobservice is up-to-date
harbor-portal is up-to-date
Starting nginx       ... done

# docker-compose ps    ## check again: all Harbor containers are Up
      Name                     Command                       State                     Ports          
------------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (health: starting)                            
harbor-db           /entrypoint.sh postgres          Up (health: starting)   5432/tcp                 
harbor-jobservice   /harbor/start.sh                 Up                                               
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)            127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)            80/tcp                   
nginx               nginx -g daemon off;             Up (health: starting)   0.0.0.0:80->80/tcp       
redis               docker-entrypoint.sh redis ...   Up                      6379/tcp                 
registry            /entrypoint.sh /etc/regist ...   Up (healthy)            5000/tcp                 
registryctl         /harbor/start.sh                 Up (health: starting)                 

# docker info   ## check that the setting has taken effect
    ...
Insecure Registries:
 10.40.6.165
 127.0.0.0/8
   ...
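
What the daemon.json above opens up on the client, as an added example (not part of the original post): the function name audit and the severity labels are this example's own. It reads the file content shown on this page and reports every registry or mirror the daemon may talk to without TLS.

```python
import ipaddress
import json

# daemon.json exactly as shown on this page, embedded so the example runs offline
DAEMON_JSON = """{
  "registry-mirrors": ["http://f1361db2.m.daocloud.io"],
  "insecure-registries":["http://10.40.6.165"]
}"""


def strip_scheme(entry):
    """The docker info output above lists the entry without its scheme; do the same."""
    for scheme in ("http://", "https://"):
        if entry.lower().startswith(scheme):
            return entry[len(scheme):]
    return entry


def audit(daemon_json_text):
    """Return (severity, message) findings for registries reachable without TLS."""
    cfg = json.loads(daemon_json_text)
    findings = []
    for entry in cfg.get("insecure-registries", []):
        target = strip_scheme(entry)
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            net = None  # a hostname or host:port, not an address or CIDR
        if net is not None and net.is_loopback:
            continue  # local only, like Docker's built-in 127.0.0.0/8
        if net is not None and net.num_addresses > 1:
            findings.append(("HIGH", f"{target}: every host in the range "
                             f"({net.num_addresses} addresses) is exempt from TLS"))
        else:
            findings.append(("MEDIUM", f"{target}: logins, pushes and pulls "
                             "can travel over plain HTTP"))
    for mirror in cfg.get("registry-mirrors", []):
        if mirror.lower().startswith("http://"):
            findings.append(("MEDIUM", f"{mirror}: mirror is contacted over plain HTTP"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(DAEMON_JSON):
        print(f"[{severity}] {message}")
```
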

# docker push 10.40.6.165/library/nginx:v1
The push refers to repository [10.40.6.165/library/nginx]
ff7a247499ae: Preparing 
9974fca73fe1: Preparing 
d69483a6face: Preparing 
denied: requested access to the resource is denied
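### Unauthenticated users can only pull from the public project library; to push an image you must log in first
### Create a user in the management portal and grant it access to a project (Projects ---> library --> Members ---> + User)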

# docker login 10.40.6.165   ## log in to the registry
Username: liuzhousheng
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
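
What the WARNING in the login output means in practice, as an added example (not part of the original post): the config.json contents below are constructed, the password is made up, and the function name plaintext_logins is this example's own. It lists the registries whose login is kept in config.json as base64, which is an encoding and not encryption.

```python
import base64
import json

# Constructed sample of /root/.docker/config.json after `docker login 10.40.6.165`.
# The password "example-password" is made up for this example.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "10.40.6.165": {
            "auth": base64.b64encode(b"liuzhousheng:example-password").decode()
        }
    }
})

# Constructed sample with a credential store configured ("pass" is one of the
# helpers Docker documents); the auths entry is then left empty.
SAMPLE_WITH_STORE = json.dumps({
    "auths": {"10.40.6.165": {}},
    "credsStore": "pass",
})


def plaintext_logins(config_text):
    """Return [(registry, username)] for logins kept as reversible base64."""
    cfg = json.loads(config_text)
    exposed = []
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue  # secret is held by a credential store or helper
        # "auth" is base64("user:password"): encoding, not encryption
        user, _, _password = base64.b64decode(token).decode().partition(":")
        exposed.append((registry, user))
    return exposed


if __name__ == "__main__":
    for registry, user in plaintext_logins(SAMPLE_CONFIG):
        print(f"{registry}: password for {user!r} is recoverable from config.json")
    print("with credsStore:", plaintext_logins(SAMPLE_WITH_STORE))
```
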

# docker push 10.40.6.165/library/nginx:v1    
The push refers to repository [10.40.6.165/library/nginx]
ff7a247499ae: Pushed 
9974fca73fe1: Pushed 
d69483a6face: Pushed 
v1: digest: sha256:eb8e3d3901922952fb52d350a1a7c57394a81bf1d4e2fd4338c5dc9f80026c9c size: 953
### The nginx:v1 image was pushed successfully
### Push a few more images
# docker tag tomcat:v1 10.40.6.165/library/tomcat:v1
# docker push 10.40.6.165/library/tomcat:v1
The push refers to repository [10.40.6.165/library/tomcat]
0920bccbc0aa: Pushed 
368bda959904: Pushed 
d69483a6face: Mounted from library/nginx 
v1: digest: sha256:03c8fe3c389bc36ab066d5e59d9d0c057df4844f5be3fa56ae2add321754b299 size: 952

# docker tag php:v1 10.40.6.165/library/php:v1
# docker push 10.40.6.165/library/php:v1
The push refers to repository [10.40.6.165/library/php]
e7d3d1d0a7bb: Pushed 
a29a1e5944d2: Pushed 
8a4de8d39ad9: Pushed 
5cacb70641e2: Pushed 
d69483a6face: Mounted from library/tomcat 
v1: digest: sha256:1f7093d0d36d82289ce4385429fb902cb0d4cc421bd4496442333a2615326115 size: 1370

Create a private project named project and authorize a user on it: Projects ---> + New Project (leave "Public" unchecked)

Push the image nginx:v2 to the private project

# docker tag nginx:v2 10.40.6.165/project/nginx:v2
# docker push 10.40.6.165/project/nginx:v2
The push refers to repository [10.40.6.165/project/nginx]
c90325a75f68: Pushed 
ff7a247499ae: Mounted from library/nginx 
9974fca73fe1: Mounted from library/nginx 
d69483a6face: Mounted from library/php 
v2: digest: sha256:c2313027dc3ec3085fd0ebdb0b07d811d29561b63a72caa85dbb69c62086fd96 size: 1160

Test pull permissions on the public project and the private project:

# docker logout http://10.40.6.165   ## log out
Removing login credentials for 10.40.6.165

# docker pull 10.40.6.165/library/nginx:v1    ## the nginx:v1 image in the public project library pulls successfully
v1: Pulling from library/nginx
Digest: sha256:eb8e3d3901922952fb52d350a1a7c57394a81bf1d4e2fd4338c5dc9f80026c9c
Status: Image is up to date for 10.40.6.165/library/nginx:v1

# docker pull 10.40.6.165/project/nginx:v2   ## pull the nginx:v2 image from the private project named project
Error response from daemon: pull access denied for 10.40.6.165/project/nginx, repository does not exist or may require 'docker login'

### Log in as user liuzhousheng and pull nginx:v2 from the private project named project; the pull succeeds
# docker login 10.40.6.165
Username: liuzhousheng
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# docker pull 10.40.6.165/project/nginx:v2     
v2: Pulling from project/nginx
Digest: sha256:c2313027dc3ec3085fd0ebdb0b07d811d29561b63a72caa85dbb69c62086fd96
Status: Image is up to date for 10.40.6.165/project/nginx:v2

REPOSITORY: image repository (registry address; defaults to the official registry)
TAG: tag
IMAGE ID: image ID
CREATED: image creation time
SIZE: image size

# docker image ls
REPOSITORY                      TAG                        IMAGE ID            CREATED             SIZE
10.40.6.165/library/tomcat      v2                         59592f04baa9        6 hours ago         501MB
10.40.6.165/project/tomcat      v2                         59592f04baa9        6 hours ago         501MB
tomcat                          v2                         59592f04baa9        6 hours ago         501MB
10.40.6.165/library/tomcat      v1                         e35360e86854        6 hours ago         426MB
tomcat                          v1                         e35360e86854        6 hours ago         426MB
10.40.6.165/library/php         v1                         1c2bb6668116        6 hours ago         521MB
php                             v1                         1c2bb6668116        6 hours ago         521MB
10.40.6.165/project/nginx       v2                         64f743ec5b18        7 hours ago         395MB
nginx                           v2                         64f743ec5b18        7 hours ago         395MB
10.40.6.165/library/nginx       v2                         64f743ec5b18        7 hours ago         395MB
10.40.6.165/library/nginx       v1                         db3cfa07d4a5        7 hours ago         395MB
nginx                           v1                         db3cfa07d4a5        7 hours ago         395MB
nginx                           nginx04                    8868f915bd47        28 hours ago        109MB
busybox                         latest                     64f5d945efcc        5 days ago          1.2MB
mysql                           5.7                        7faa3c53e6d6        7 days ago          373MB
centos                          7                          9f38484d220f        2 months ago        202MB
centos                          latest                     9f38484d220f        2 months ago        202MB

Start a container from an image in the remote registry:

# docker run -d 10.40.6.165/library/tomcat:v2
e805a8457b34132e652b0fd6e41308616d5708af87b7865be21c99ad96e3a50c
# docker ps -l
CONTAINER ID        IMAGE                           COMMAND             CREATED             STATUS              PORTS               NAMES
e805a8457b34        10.40.6.165/library/tomcat:v2   "catalina.sh run"   5 seconds ago       Up 4 seconds        8080/tcp            keen_shannon

Start:

# docker-compose start
# docker-compose up -d   ## is this for the first start?

Stop:

# docker-compose stop