docker private warehouse Harbor

preface

Harbor is an open source enterprise Docker Registry project of VMware

1.Harbor's advantages

1. Role based control: there are administrators and ordinary users. Ordinary users can be empowered. For example, they can only upload and download, and can be operated and managed according to the project
2. Image based replication policy: it is also related to permissions. For example, only some users and groups can perform corresponding operations on this item
3. Support LDAP/AD: domain control, such as Nanjing to download Beijing harbor
The image of the private warehouse is marked at both ends, and the LAN address is connected one by one. The data information is transmitted through a tunnel and encrypted through two layers. The first layer is the tunnel
Encryption, the second layer is data encryption, safe and reliable
4. Image deletion and garbage collection: i.e. recycle bin mechanism
5. Graphical UI: it has statistical functions, such as traffic and image ^ download popularity
6. Audit: log is of little significance here, mainly with the help of ELK
7.RESTful API: defines the format of Web language specification, which is convenient for calling Harbor interface and secondary development

1.2 composition of harbor

assemblyeffect
ProxyReceive the requests from the browser and Docker clients through a front-end reverse proxy, and forward the requests to different back-end services
Registry(core component) is responsible for storing Docker images and handling docker push/pull commands
Core servicesThe core functions of Harbor include UI, webhook and token services
DatabaseProviding database services for core services
Log collectorCollect log s of other components for future analysis

These components are packaged in containers and managed using docker compose orchestration
registry is a code repository

2.3 there are two types of parameters in Harbor.cfg configuration file

2.3.1 required parameters

If the user updates them and runs the install.sh script to reinstall Harbor, the parameters will take effect. Specific parameters are as follows:

**hostname: * * used to access the user interface and register service. It should be the IP address or fully qualified domain name (FQDN) of the target machine
For example, 192.168.35.40 or hub.klj.cn. Do not use localhost or 127.0.0.1 as the host name.
ui_url_protocol: (http or https, the default is http) the protocol used to access the UI and token / notification services. If notarization is enabled, this parameter must be https. (during authentication, the Mysql database will be compared and the token will be granted)
**max_job_workers: * * mirror copy job thread.
db_password: used for DB_ The password of the root user of auth's MySQL database.
**customize_crt: * * this attribute can be set to on or off. It is on by default. When this property is turned on, the preparation script creates a private key and root certificate for generating / validating registry tokens. Set this property to off when the key and root certificate are provided by an external source.
**ssl_cert: * * the path of the SSL certificate, which is only applied when the protocol is set to https.
ssl_cert_key: the path of the SSL key, which is only applied when the protocol is set to https.
secretkey_path: the key path used to encrypt or decrypt the remote register password in the replication policy.

2.3.2 optional parameters

These parameters are optional for updating, that is, users can keep them as default values and update them on the Web UI after starting Harbor.
If you enter Harbor.cfg, it will only take effect when you start Harbor for the first time. Subsequent updates to these parameters will be ignored.
Note: if you choose to set these parameters through the UI, make sure to do so immediately after starting Harbour. Specifically, the required auth must be set before registering or creating any new users in Harbor_ mode. When there are users in the system (except the default admin user), auth_mode cannot be modified. Specific parameters are as follows:

Email: Harbor needs this parameter to send "password reset" email to users, and only when this function is required.
Note that SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, SSL email should be enabled by setting_ ssl = TRUE.
harbour_admin_password: the initial password of the administrator. It only takes effect when Harbour is started for the first time. After that, this setting will be ignored and the administrator's password should be set in the UI.
Note that the default username / password is admin/Harbor12345.
auth_mode: the authentication type used. By default, it is db_auth, that is, the credentials are stored in the database. For LDAP authentication (file authentication), set it to ldap_auth.
self_registration: enables / disables the user registration function. When disabled, new users can only be created by Admin users, and only administrator users can create new users in Harbour.
Note: when auth_mode is set to LDAP_ When auth, the self registration function will always be disabled and this flag is ignored.
Token_expiration: the expiration time (minutes) of the token created by the token service. The default is 30 minutes.
project_creation_restriction: flag used to control which users are authorized to create projects. By default, everyone can create a project. If its value is set to "adminonly", only admin can create projects.
verify_remote_cert: on or off. It is on by default. This flag determines whether the SSL/TLS certificate is verified when Harbor communicates with the remote register instance. Setting this property to off bypasses SSL/TLS authentication, which is often used when the remote instance has a self signed or untrusted certificate.

2. Deploy Harbor services

2.1 download Harbor installer

wget http:// harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
 Or upload a compressed package harbor-offline-installer-v1.2.2.tgz
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

2.2 configuring Harbor parameter files

vim /usr/local/harbor/harbor.cfg
5 hostname = 192.168.226.128		##Modify cost machine address

2.3 start Harbor

Before starting, confirm whether the docker compose version is installed successfully

[root@harbor ~]#  docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3
[root@harbor ~]# sh /usr/local/harbor/install.sh		##Start Harbor; Relevant scripts have been defined in docker compose
 Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db          ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

2.4 viewing Harbor boot image

[root@harbor harbor]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose ps		##View currently running containers
       Name                     Command               State                                                Ports                                             
-------------------------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                                                                                     
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp                                                                                       
harbor-jobservice    /harbor/harbor_jobservice        Up                                                                                                     
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp                                                                        
harbor-ui            /harbor/harbor_ui                Up                                                                                                     
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:4443->4443/tcp,:::4443->4443/tcp,                
                                                              0.0.0.0:80->80/tcp,:::80->80/tcp                                                               
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp
[root@harbor harbor]# cat /usr/local/harbor/docker-compose.yml 	##View file content; Details of 7 components
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.2.2
    container_name: harbor-log 
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
    ports:
      - 127.0.0.1:1514:514
    networks:
      - harbor
  registry:
    image: vmware/registry:2.6.2-photon
    container_name: registry
    restart: always
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.2.2
    container_name: harbor-db
    restart: always
    volumes:
      - /data/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.2.2
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /data/config/:/etc/adminserver/config/:z
      - /data/secretkey:/etc/adminserver/key:z
      - /data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.2.2
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - /data/secretkey:/etc/ui/key:z
      - /data/ca_download/:/etc/ui/ca/:z
      - /data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.2.2
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /data/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx-photon:1.11.13
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false

2.5 accessing the UI interface of harbor

Open browser access http://192.168.226.128 The default administrator user name and password is admin/Harbor12345.

Add the project and fill in the project name mytest

2.6 command line login to harbor

1.Harbor server is based on local operation
Use the Docker command to log in and push images locally through 127.0.0.1. By default, the Register server listens on port 80.

[root@harbor harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1 	##// Sign in
....
Login Succeeded
[root@harbor harbor]# docker pull cirros		##Download the image for testing
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete 
bd054094a037: Pull complete 
c6a00de1ec8a: Pull complete 
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@harbor harbor]# docker tag cirros:latest 127.0.0.1/mytest/cirros:v1	##Image labeling
[root@harbor harbor]# docker push 127.0.0.1/mytest/cirros:v1
The push refers to repository [127.0.0.1/mytest-test/cirros]
984ad441ec3d: Preparing 
f0a496d92efa: Preparing 
e52d19c3bee2: Preparing 
denied: requested access to the resource is denied 
[root@harbor harbor]# docker tag cirros:latest 127.0.0.1/mytest/cirros	##Image labeling
[root@harbor harbor]# docker push 127.0.0.1/mytest/cirros	##Upload image to Harbor
Using default tag: latest
The push refers to repository [127.0.0.1/mytest/cirros]
984ad441ec3d: Pushed 
f0a496d92efa: Pushed 
e52d19c3bee2: Pushed 
latest: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943

2. Non local operation of harbor server
The above operations are performed locally on the Harbor server. If other clients upload images to Harbor, a message will be sent
The following error. The reason for this problem is that HTTPS is used by default for Docker Registry interaction, but private mirrors are built
For example, the HTTP service is used by default, so the following error occurs when interacting with the private image.

[root@client ~]# docker login  -u admin -p Harbor12345 http://192.168.226.128 		## Non local login will report an error
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.226.128/v2/: EOF
 [root@client ~]# vim /usr/lib/systemd/system/docker.service		##Point to private warehouse address
 13 ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.35.40 --containerd=/run/containerd/containerd.sock
 [root@client ~]# systemctl daemon-reload
[root@client ~]# systemctl restart docker
[root@harbor harbor]# docker login  -u admin -p Harbor12345 http://192.168.226.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@client ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Image is up to date for cirros:latest
docker.io/library/cirros:latest
[root@client ~]# docker tag cirros 192.168.226.128/myproject-kgc/cirros:v2
[root@harbor harbor]# docker tag cirros:latest 192.168.226.128/mytest/cirros:1
[root@harbor harbor]# 
[root@harbor harbor]# docker push 192.168.226.128/mytest/cirros:1
The push refers to repository [192.168.226.128/mytest/cirros]
984ad441ec3d: Layer already exists 
f0a496d92efa: Layer already exists 
e52d19c3bee2: Layer already exists 
1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943

2.7 harbor user management

1. Create Harbor user
System management - user management - + user - enter user name, email address, full name and password

2. Add members to the project

3. Verify whether it can be downloaded using the identity of zhangsan user developer

//Operate on client
[root@harbor harbor]# docker rmi 192.168.226.128mytest/cirros		##Delete previously downloaded images
Untagged: 192.168.226.128/mytest/cirros:latest
[root@client ~]# docker logout 192.168.226.128	##Logout login
Removing login credentials for 192.168.226.128
 [root@harbor harbor]# docker login -u zhangsan -p Harbor12345 http://192.168.226.128 	## Sign in
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor harbor]# docker pull 192.168.226.128/mytest/cirros:latest
latest: Pulling from mytest/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for 192.168.226.128/mytest/cirros:latest
192.168.226.128/mytest/cirros:latest

2.8 maintenance management Harbor

have access to docker-compose To manage Harbor. Some useful commands are shown below and must be used with docker-compose.yml Run in the same directory.
modify Harbor.cfg configuration file
 To change Harbour Please stop the existing configuration file first Harbour Instance and update Harbor.cfg;Then run prepare Script to fill in the configuration; Finally, recreate and start Harbour Examples of.
docker-compose down -v
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor
[root@harbor harbor]# cd /usr/local/harbor/
[root@harbor harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Cleari: ng the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
 [root@harbor harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating harbor-db          ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ...		 done

Keywords: Operation & Maintenance Docker Container

Added by bigdspbandj on Sat, 04 Dec 2021 00:34:56 +0200