Privatization lightweight continuous integration deployment scheme -- 06 private image warehouse Harbor

Tip: all notes in this series exist in Github , you can directly Github View all notes

Aiming at the problem of private image warehouse, Docker officially provides the image service of building warehouse service: registry , private warehouses can be deployed using this image.

However, the service provided by the official is particularly lightweight, and even there is no UI management page, which brings high management and maintenance costs.

To solve this problem, there are many open source communities registry Projects that provide UI management are also based on registry , secondary development project

The representative project of secondary development based on registry is Harbor It is also one of the common solutions in enterprise level


Harbor overview

Harbor project is based on registry In addition, it provides the functions required by enterprise users such as management UI, role-based access control, AD/LDAP integration and audit logging. At the same time, it supports Chinese.

It can be said that Harbor provides a complete management system to make up for the deficiency of registry.

Harbor is also relatively small in terms of resource occupation.

Harbor deployment

Harbor Download

Harbor is Github Two deployment methods are provided in

  1. Offline installation
  2. Online installation

Both deployment methods are based on Docker Compose. The difference is that the offline installation package includes the image used for deployment.

It is recommended to download the offline version locally and upload it to the server for decompression and deployment.

sudo tar xf /tgz/harbor-offline-installer-v2.4.1.tgz

PS: pay attention to the version number

Harbor deployment configuration

Two key files in the harbor directory are: Harbor yml. TML and install sh.

harbor.yml.tml is a configuration file template, which needs to be changed to harbor YML, harbor. Com will be used during deployment YML configuration file. is the execution file, which can be deployed.

harbor. There are many default attributes in the YML configuration file, which can be modified.

Only the changed attributes are listed here.

# To set the access address, you can use ip and domain name, but not or localhost.
# Access address

# HTTP access protocol settings
  # http access port number
  port: 8433

# Disable HTTPS protocol access
# https port for harbor, default is 443
#  port: 443
# The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path

# admin user password
harbor_admin_password: XXXXXXX

# Database settings
  # Database password
  password: XXXXXX

# Harbor data mount directory
data_volume: /volumes/harbor

The page access, pull, push and other operations of Harbor application use the hostname attribute value in the configuration file, so the gateway agent is set in place in this step.

PS: Harbor recommends using HTTPS protocol. The gateway is used here, so only HTTP protocol is set

configure gateway

The gateway only needs to configure the Nginx attribute.

server {
    #The SSL access port number is 443
    listen 443 ssl http2;
    #Fill in the domain name of the binding certificate
    #Upload size limit
    client_max_body_size 3000M;
    error_log /var/log/nginx/docker/error.log;
    access_log /var/log/nginx/docker/access.log;
    #Certificate file
    ssl_certificate /etc/nginx/conf.d/ssl/docker/docker.mwjz.live_bundle.crt;
    #Certificate key file
    ssl_certificate_key /etc/nginx/conf.d/ssl/docker/;

    ssl_ciphers SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!3DES:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {

Restart gateway service

docker exec -it gateway nginx -s reload

Execute deployment

At this point, you can execute install SH file for deployment

After deployment, harbor will create a Docker Compose named harbor

And 9 container services will be started.

Adding a prefix to a container is a headache for people with obsessive-compulsive disorder...

After deployment, visit Harbor and jump to the login page to log in with the administrator account.

Harbor page

The main page of Harbor is the project module.

A project is a mirror group. Multiple mirrors can be stored in a project.

Harbor creates a public project called library by default.

You can create your own project according to the actual situation

Create a private project named mwjz here to store the deploy web demo image

PS: other modules can be viewed by themselves

Harbor continuous integration

The rules for pulling and pushing Harbor images are host name / project / image name

That is, the address of the mwjz project deploy web demo image pull and push is docker mwjz. live/mwjz/deploy-web-demo

Server configuration

Update Docker Compose

The image address pulled from the Docker Compose file of the web project should be changed to the Harbor warehouse address.

Log in to Harbor

Harbor warehouse mwjz is a private project, which can only be pulled and pushed after login.

Test the pull operation in the server. If you don't log in, you will directly return the no permission error.

When using Docker to log in Harbor warehouse, please note that sudo or root user must be used to log in, otherwise other users cannot use this login certificate

Note: you must use sudo or root to log in, otherwise other users cannot use this login certificate

After the Harbor warehouse is successfully logged in, Docker will be in / root / Docker/config. Add the login credentials of the current warehouse to the JSON file.

This login credential is required for Drone continuous integration.

Drone configuration

Secret configuration

  1. Image pull login credentials The container in the Drone engine is a pure running environment, which cannot directly use the login credentials of the server to pull the private warehouse image. To solve this problem, Drone predefined an image_pull_secrets attribute, image_pull_secrets will read the warehouse login credentials from Secret and execute the login operation. That is, you need to configure the warehouse login credential information in Secret: docker_auth_config, the attribute value is / root / docker/config. JSON file content.

PS: note that the login credentials must be logged in by sudo or root user, otherwise they do not have the permission to pull

  1. Image push account Set docker_username, docker_ The two Secret attribute values of password are changed to the account password of Harbor warehouse.

.drone.yml configuration

.drone. The main change points of YML file are the image name and warehouse address

  1. Build image steps: Set the repo property value to docker mwjz. live/mwjz/deploy-web-demo, And add the registry attribute with the value of docker mwjz. Live (Harbor warehouse hostname)
  2. Deploy project steps Change the image pull address to docker mwjz. live/mwjz/deploy-web-demo
  3. deploy pipeline: The private warehouse login credential key attribute needs to be set in the deploy pipeline: image_pull_secrets
kind: pipeline          # Define a pipe
type: docker            # Define pipe type
name: build              # Define pipe name

- name: build-image     # Step name
    image: plugins/docker # Use mirror
    depends_on: [build-tags, build-project] # Dependent steps
    settings:             # Current settings
      username:           # Account name 
        from_secret: docker_username
      password:           # Account password
        from_secret: docker_password
      dockerfile: deploy/Dockerfile # Dockerfile address. Note that it is a relative address
      registry:  # Private image warehouse address
      repo: # Image name


kind: pipeline
type: docker
name: deploy

image_pull_secrets: # Private image pull certificate key
  - docker_auth_config


  - name: deploy-project
    image: appleboy/drone-ssh
        from_secret: server_host
        from_secret: server_username
        from_secret: server_password
      port: 22
      # Secure: false if the pulled image address uses the http protocol, set this property to true
      command_timeout: 3m
        - echo ====Start deployment=======
        - docker pull
        - docker-compose -p web down
        - docker volume rm web-nginx
        - docker-compose -f /yml/docker-compose/web.yml -p web up -d
        - docker rmi $(docker images | grep deploy-web-demo | grep none | awk  '{print $3}')
        - echo ====Deployment successful=======

Perform test

After all preparations are completed, the project version number can be modified for test construction.

There may be other problems during construction, but they are generally small problems that can be solved by checking the configuration or querying Google.

It can't be solved. You can leave a message.

Added by zander213 on Tue, 08 Mar 2022 11:49:28 +0200