Introduction:
Harbor is an enterprise registry server for storing and distributing Docker images. It extends the open source Docker Distribution with features an enterprise needs, such as security, identity, and management. As a private enterprise registry, Harbor provides better performance and security, and makes it more efficient for users to build and run environments by transferring images through the registry. Harbor supports replicating image resources across multiple registry nodes, and keeping all images in a private registry ensures that data and intellectual property stay within the company's internal network. In addition, Harbor provides advanced security features such as user management, access control, and activity auditing.
Official address: http://vmware.github.io/harbor/index_cn.html
Official github address: https://github.com/vmware/harbor
Official feature introduction for Harbor:
Role-based access control - Users and Docker image repositories are organized and managed through projects, and a user can have different permissions on multiple image repositories within the same namespace (project).
Image replication - Images can be replicated (synchronized) across multiple Registry instances. This is especially suited to load-balanced, highly available, hybrid and multi-cloud scenarios.
Graphical user interface - Users can browse and search the current Docker image repositories through a browser, and manage projects and namespaces.
AD/LDAP support - Harbor can integrate with an AD/LDAP already in the enterprise for authentication management.
Audit management - All operations against the image repositories can be logged for audit management.
Internationalization - Localized versions already exist in English, Chinese, German, Japanese and Russian. More languages will be added.
RESTful API - The RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
Simple deployment - Provides both online and offline installation tools, and can also be installed on the vSphere platform as a virtual appliance (OVA).
Deploy a Harbor 1.7.5 Distributed Cluster
Environment preparation
System: CentOS 7.6
Stop the firewall: systemctl stop firewalld
Set SELinux to permissive: setenforce 0
node1 IP: 192.168.8.156
node2 IP: 192.168.8.134
Install docker
Server 1
[root@node1 ~]# yum install docker -y
[root@node1 ~]# vim /lib/systemd/system/docker.service
#Add this node's own IP address at the end of line 14
14: ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.8.156
[root@node1 ~]# systemctl start docker
[root@node1 ~]# systemctl enable docker
Server 2
[root@node2 ~]# yum install docker -y
[root@node2 ~]# vim /lib/systemd/system/docker.service
14: ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.8.134
[root@node2 ~]# systemctl start docker
[root@node2 ~]# systemctl enable docker
Download the Harbor offline installation package
Official installation documentation: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
Server 1
[root@node1 ~]# cd /usr/local/src/
[root@node1 src]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz
Server 2
[root@node2 ~]# cd /usr/local/src/
[root@node2 src]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz
Configure Harbor
Server 1
[root@node1 ~]# cd /usr/local/src/
[root@node1 src]# tar xvf harbor-offline-installer-v1.7.5.tgz
[root@node1 src]# cd harbor
[root@node1 harbor]# vim harbor.cfg
[root@node1 harbor]# grep "^[a-zA-Z]" harbor.cfg
#Local IP address
hostname = 192.168.8.156
#Transport protocol
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
#Log rotation size
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
#Set the notification mailbox here, or later in the web interface
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
#Set the login password
harbor_admin_password = 123456
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
#Many images are loaded after startup, which takes some time
[root@node1 harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 18.09.7
Note: docker-compose version: 1.18.0
[Step 1]: loading Harbor images ...
f60840e24dbf: Loading layer [==================================================>] 33.23MB/33.23MB
ea7b46fcd541: Loading layer [==================================================>] 8.959MB/8.959MB
79b1bab71f92: Loading layer [==================================================>] 15.6MB/15.6MB
e44aff944dd8: Loading layer [==================================================>] 18.94kB/18.94kB
7f6318c65689: Loading layer [==================================================>] 15.6MB/15.6MB
Loaded image: goharbor/harbor-adminserver:v1.7.5
Server 2 Configuration
[root@node2 ~]# cd /usr/local/src/
[root@node2 src]# tar xvf harbor-offline-installer-v1.7.5.tgz
[root@node2 src]# cd harbor
[root@node2 harbor]# vim harbor.cfg
[root@node2 harbor]# grep "^[a-zA-Z]" harbor.cfg
hostname = 192.168.8.134
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = 123456
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
[root@node2 harbor]# ./install.sh
Note:
If install.sh prints the following message
[root@node1 harbor]# ./install.sh
Note: docker version: 18.09.7
✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.
docker-compose needs to be installed
[root@node1 ~]# yum -y install docker-compose
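The harbor.cfg shown for both nodes keeps ui_url_protocol = http, the shipped db_password, a six-digit admin password and open self-registration. As an added example (not part of the original post), this script flags those values before ./install.sh is run; the function names and the 12-character threshold are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original post: flag risky values in a Harbor 1.7.x harbor.cfg.

# cfg_get FILE KEY: print the trimmed value of the last "KEY = value" line, skipping comments.
cfg_get() {
  awk -v k="$2" '
    /^[ \t]*#/ || !index($0, "=") { next }
    { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) found = val }
    END { print found }' "$1"
}

# weak_secret VALUE: true if VALUE is empty, is a password shown on this page or shipped as
# a Harbor default, or is shorter than 12 characters (the threshold is this example's assumption).
weak_secret() {
  case "$1" in
    ""|123456|root123|Harbor12345) return 0 ;;
  esac
  [ "${#1}" -lt 12 ]
}

# audit_harbor_cfg FILE: print one "key: reason" line per finding; print nothing if clean.
audit_harbor_cfg() {
  [ "$(cfg_get "$1" ui_url_protocol)" = "https" ] ||
    echo "ui_url_protocol: not https, so logins and image layers cross the network in cleartext"
  for key in harbor_admin_password db_password clair_db_password; do
    if weak_secret "$(cfg_get "$1" "$key")"; then
      echo "$key: empty, default, well-known or short secret"
    fi
  done
  [ "$(cfg_get "$1" self_registration)" != "on" ] ||
    echo "self_registration: anyone who can reach the UI can create an account"
  [ "$(cfg_get "$1" project_creation_restriction)" != "everyone" ] ||
    echo "project_creation_restriction: every account can create projects"
}

# Constructed sample: the security-relevant keys with the values node1 uses in this walkthrough.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
hostname = 192.168.8.156
ui_url_protocol = http
harbor_admin_password = 123456
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = root123
EOF
audit_harbor_cfg "$sample_cfg"
```

Run audit_harbor_cfg /usr/local/src/harbor/harbor.cfg on each node; no output means none of these checks fired.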
Log on to the web interface for configuration
The account is admin, and the password is the one set in the configuration file (harbor_admin_password)
New Project
The project can be set to public or private, and this can be changed later
Create Replication Target
Fill in the IP of the host to replicate to, and do not enable remote certificate verification
Creation complete
Upload an image on node1 and verify
Log in to the Harbor account
[root@node1 ~]# docker login 192.168.8.156
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Image upload test
[root@node1 ~]# docker tag test/nginx:v1 192.168.8.156/myimage/nginx:v1
[root@node1 ~]# docker push 192.168.8.156/myimage/nginx:v1
Common Harbor operations
Download an image from Harbor
[root@node1 ~]# docker login 192.168.8.156
[root@node1 ~]# docker pull 192.168.8.156/myimage/nginx:v1
Stop and start Harbor
[root@node1 ~]# cd /usr/local/src/harbor/
[root@node1 harbor]# docker-compose stop
[root@node1 harbor]# docker-compose start
Note: You must run these commands from this directory, otherwise an error occurs
[root@node1 ~]# docker-compose start
ERROR: Can't find a suitable configuration file in this directory or any parent. Are you in the right directory?
Supported filenames: docker-compose.yml, docker-compose.yaml