如今docker容器的不管在开发和运行过程中都离不开镜像的管理。Docker官方也有部署私有镜像仓库的registry,但是功能各方面不够强大。Harbor是由VMware公司开源的企业级Docker Registry管理项目,包括权限管理、日志审核、管理界面、自我注册、镜像复制和中文支持等功能。
1、部署一个Harbor镜像
- 环境准备(准备一台2核CPU和4G内存的服务器)
[root@harbor ~]# sed -i 's/SELINUX=enforcing/SELINUX=disable/' /etc/selinux/config
[root@harbor ~]# systemctl stop firewalld
[root@harbor ~]# systemctl disable firewalld
- 部署Docker Docker-compose(下载的harbor安装包是利用docker安装的)
#安装docker
yum install -y wget vim net-tools
yum install -y gcc gcc-c++ yum-utils
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce
systemctl start docker && systemctl enable docker
docker version
#添加镜像加速器
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://lk6rg42k.mirror.aliyuncs.com"]
}
EOF
#安装docker-compose
curl -SL https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
docker-compose version
- 部署Harbor
Harbor官方下载
[root@harbor ~]# tar -xvf harbor-online-installer-v2.5.6.tgz -C /usr/local/
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common common.sh harbor.yml.tmpl install.sh LICENSE prepare
#修改配置文件
[root@harbor ~]# cp harbor.yml.tmpl harbor.yml
[root@harbor ~]# vim harbor.yml
... ...
hostname: 192.168.2.80 #服务名
http:
port: 80 #开放端口
... ...
#还可以https安全访问,但是需要证书暂时注释掉
#查看admin账号的初始password
[root@harbor harbor]# cat harbor.yml | grep "harbor_admin_password"
harbor_admin_password: Harbor12345
#启动install.sh文件
[root@harbor harbor]# ./install.sh
#启动完成之后,会有多个容器启动
[root@harbor harbor]# docker ps
- 打开浏览器访问Harbor镜像网页
http://ip/
image.png
image.png
2、Harbor的基本使用
-
创建一个项目(如果可以更好的管理项目,可以添加成员,每个角色的权限不同)
image.png - 推送镜像到Harbor仓库
#自定义一个镜像
]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v2.0.1 2a7170f4da9f 43 seconds ago 480MB
#将新镜像修改成符合Harbor私服库的tag(Harbor地址/项目名称/镜像名)
]# docker tag 2a7170f4da9f 192.168.2.80:80/repo/demo:v2.0.1
]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.2.80:80/repo/demo v2.0.1 2a7170f4da9f 5 minutes ago 480MB
#默认docker是不支持http的,需要修改配置文件使之支持
]# vim /etc/docker/daemon.json
{
"insecure-registries": ["192.168.2.80:80"]
}
~]# systemctl daemon-reload
~]# systemctl restart docker
#push镜像到私服上
]# docker push 192.168.2.80:80/repo/demo:v2.0.1
The push refers to repository [192.168.2.80:80/repo/demo]
5f70bf18a086: Preparing
aee99c508573: Preparing
82baff784831: Preparing
4616395f2378: Preparing
34f9780c8bfb: Preparing
e871e75299d2: Waiting
109e67eff29c: Waiting
556c5fb0d91b: Waiting
unauthorized: unauthorized to access repository: repo/demo, action: push: unauthorized to access repository: repo/demo, action: push
#报错了没有权限,因为Harbor需要账号密码先登录
]# docker login -u admin -p Harbor12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password
]# docker login -u admin -p Harbor12345 192.168.2.80:80
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#重新push
]# docker push 192.168.2.80:80/repo/demo:v2.0.1
仓库中显示有镜像
image.png
- 其它服务器拉取镜像
#docker的daemon.json需要配置
]# vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://lk6rg42k.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.2.80:80"]
}
[root@serverb ~]# systemctl daemon-reload
[root@serverb ~]# systemctl restart docker
拉取镜像
image.png
[root@serverb ~]# docker pull 192.168.2.80/repo/demo@sha256:440aeb051edb697e058f8401d136d715f53052d00ee7a79ca512c367e85d5f2e
Error response from daemon: Get "https://192.168.2.80/v2/": dial tcp 192.168.2.80:443: connect: connection refused
[root@serverb ~]# docker pull 192.168.2.80/repo/demo:v2.0.1
Error response from daemon: Get "https://192.168.2.80/v2/": dial tcp 192.168.2.80:443: connect: connection refused
[root@serverb ~]# docker pull 192.168.2.80:80/repo/demo:v2.0.1
]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.2.80:80/repo/demo v2.0.1 2a7170f4da9f About an hour ago 480MB
3、Jenkins整合Harbor
image.png
要想Jenkins可以推送镜像到Harbor,就需要Jenkins容器中有docker命令。想要在以运行的Jenkins容器中安装docker的话比较复杂,此处可以将容器所在的宿主机将docker映射到Jenkins容器中
#修改宿主机docker.sock的所属组改为root,并配置其它用户可读写权限
]# cd /var/run/
]# chown :root docker.sock
]# chmod o+rw docker.sock
#修改Jenkins的docker-compose.yaml文件,将docker相关的内容添加到Jenkins的数据卷中
[root@jenkins jenkins_docker]# vim docker-compose.yml
version: "3.1"
services:
jenkins:
image: jenkins/jenkins:2.375.3-lts
container_name: jenkins
ports:
- 8080:8080
- 50000:50000
volumes:
- ./data/:/var/jenkins_home/
- /var/run/docker.sock:/var/run/docker.sock #将docker.sock传到容器中
- /usr/bin/docker:/usr/bin/docker #将docker命令传到容器中
- /etc/docker/daemon.json:/etc/docker/daemon.json #docker配置文件
#启动容器
[root@jenkins jenkins_docker]# docker-compose up -d
#进入容器查看是否映射成功
[root@jenkins jenkins_docker]# docker exec -it jenkins bash
jenkins@997b940da0cf:/$ ls /var/run/docker.sock
/var/run/docker.sock
jenkins@997b940da0cf:/$ ls /usr/bin/docker
/usr/bin/docker
jenkins@997b940da0cf:/$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://lk6rg42k.mirror.aliyuncs.com"],
"insecure-registries":["192.168.2.80:80"]
}
jenkins@997b940da0cf:/$ docker version
-
在idea中重新push一下代码(推送一个v4.0.0的版本,打一个新tag)
image.png -
修改Jenkins的构建任务(构建步骤在构建maven打包后添加构建自定义镜像并上传的仓库)
image.png - 在目标服务器上创建编写拉取自定义镜像的脚本
vim pDockerimages.sh
#!/bin/bash
#各个参数由Jenkins构建配置进行传入
HarborAddr=$1 #镜像仓库的地址
RepoName=$2 #仓库名字
ImageName=$3 #镜像名称
Tag=$4 #镜像版本(标签)
Port=$5 #容器内运行的端口
image=$HarborAddr/$RepoName/$ImageName:$Tag #拉取下来的镜像名
#echo $image
#如果该镜像正在运行,将运行的镜像停止并删除
containerID=`docker ps | grep $ImageName | awk '{print $1}'`
#echo $containerID
if [ "$containerID" != "" ];then
docker stop $containerID
docker rm -f $containerID
fi
#如果该镜像名称已存在,删除原有的镜像
imageID=`docker images | grep $HarborAddr/$RepoName/$ImageName | awk '{print $3}'`
#echo $imageID
if [ "$imageID" != "" ];then
docker rmi -f $imageID
fi
docker login -u admin -p Harbor12345 $HarborAddr #docker登录镜像仓库
docker pull $image #拉取镜像
#运行容器
docker run -d -p $Port:$Port --name=$ImageName $image
echo "pull successful"
#将构建好的脚本放进环境变量中,并赋予可执行权限(任何人都有无论在哪目录都能执行该脚本)
echo $PATH
mv pDockerimages.sh /usr/bin/
chmod 755 pDockerimages.sh
-
修改Jenkins的配置,增加构建后步骤(ssh连接目标服务器的操作,以serverb为例)
image.png
上图中的$port的变量来自于构建任务中,额外设置了一个参数,如下图
image.png -
构建任务
image.png
image.png
image.png
