什么是Harbor?

Harbor 是由 VMware 公司中国团队为企业用户设计的 Registry server 开源项目,包括了权限管理 (RBAC)LDAP审计管理界面自我注册HA 等企业必需的功能,同时针对中国用户的特点,设计镜像复制和中文支持等功能。

作为一个企业级私有 Registry 服务器,Harbor 提供了更好的性能和安全。提升用户使用 Registry 构建和运行环境传输镜像的效率。Harbor 支持安装在多个 Registry 节点的镜像资源复制,镜像全部保存在私有 Registry 中, 确保数据和知识产权在公司内部网络中管控。另外,Harbor 也提供了高级的安全特性,诸如用户管理,访问控制和活动审计等。

  • 基于角色的访问控制 - 用户与 Docker 镜像仓库通过 “项目” 进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。
  • 镜像复制 - 镜像可以在多个 Registry 实例中复制(同步)。尤其适合于负载均衡,高可用,混合云和多云的场景。
  • 图形化用户界面 - 用户可以通过浏览器来浏览,检索当前 Docker 镜像仓库,管理项目和命名空间。
  • AD/LDAP 支持 - Harbor 可以集成企业内部已有的 AD/LDAP,用于鉴权认证管理。
  • 审计管理 - 所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。
  • 国际化 - 已拥有英文、中文、德文、日文和俄文的本地化版本。更多的语言将会添加进来。
  • RESTful API - RESTful API 提供给管理员对于 Harbor 更多的操控,使得与其它管理软件集成变得更容易。
  • 部署简单 - 提供在线和离线两种安装工具, 也可以安装到 vSphere 平台 (OVA 方式) 虚拟设备。

部署环境

名称
系统版本 Centos7.9
IP地址 192.168.40.101
Harbor版本 1.10.3
Harbor安装目录 /data/harbor

部署

下载docker-ce镜像源并安装

#下载docker-ce
cd /etc/yum.repos.d/ && wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo 
#安装docker 并设置开机自启
yum install -y docker-ce && systemctl enable docker && systemctl start docker

配置docker镜像加速

mkdir -p /etc/docker

#配置阿里云镜像加速:
tee /etc/docker/daemon.json <<-'EOF'
{
  "exec-opts": ["native.cgroupdriver=systemd"],	
  "registry-mirrors": [
    "https://du3ia00u.mirror.aliyuncs.com",
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com",
    "https://registry.docker-cn.com"
  ],
  "live-restore": true,
  "log-driver":"json-file",
  "log-opts": {"max-size":"500m", "max-file":"3"},
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 5,
  "storage-driver": "overlay2"
}
EOF

#使之生效并重启docker
systemctl daemon-reload
systemctl restart docker

安装Harbor私有镜像仓库

github项目地址:https://github.com/goharbor/harbor

初始化环境配置

[root@harbor ~]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.40.101 hub.nues.cn

安装docker-compose

#使用curl命令下载最新的Docker Compose二进制文件
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
这将从Docker Compose的GitHub存储库下载最新版本的二进制文件,并将其保存到/usr/local/bin/docker-compose路径下。
#授予执行权限
sudo chmod +x /usr/local/bin/docker-compose
#验证安装:
docker-compose --version

安装Harbor镜像仓库

下载HarBor离线安装包

wget https://github.com/goharbor/harbor/releases/download/v1.10.3/harbor-offline-installer-v1.10.3.tgz
#下载HarBor离线安装包
wget https://github.com/goharbor/harbor/releases/download/v1.10.3/harbor-offline-installer-v1.10.3.tgz

#解压harbor离线安装包
tar xzvf harbor-offline-installer-v1.10.3.tgz  -C /data/
cd /data/harbor/

#修改harbor配置文件
vim harbor.yml
------------------------------------------------------------------------
hostname: hub.nues.cn
http:
  port: 80
https:
  port: 443
  certificate: /data/harbor/cert/server.crt
  private_key: /data/harbor/cert/server.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /data/harbor/data
clair:
  updaters_interval: 12
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 1.10.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - clair

创建harhorhttps证书

# 创建harbor证书以及持久化目录
mkdir -p /data/harbor/{data,cert}

#创建私有证书
cd /data/harbor/cert/

#生成私钥
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................+++
......+++
e is 65537 (0x10001)
Enter pass phrase for server.key:				123456
Verifying - Enter pass phrase for server.key:	 123456


## 创建证书请求CSR
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................+++
......+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@Centos7 cert]# openssl  req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN					# 国家名
State or Province Name (full name) []:ShangHai			 # 省份
Locality Name (eg, city) [Default City]:ShangHai		 # 市
Organization Name (eg, company) [Default Company Ltd]:nues.cn	# 组织
Organizational Unit Name (eg, section) []:nnv5.cn			   # 机构
Common Name (eg, your name or your server's hostname) []:hub.nues.cn	# 完全合格域名
Email Address []:admin@nues.cn					# 管理员邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:							# 是否改密码直接回车
An optional company name []:						# 是否改密码直接回车


# 备份私钥
cp server.key  server.key.org

#去除私钥密码
openssl rsa -in server.key.org  -out server.key
Enter pass phrase for server.key.org:	123456			# 前面设置的私钥密码			
writing RSA key	

# 将证书签名
openssl  x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=s\x08SHANGHAI/L=SHANGHAI/O=nues.cn/OU=nues.cn/CN=hub.nues.cn/emailAddress=admin@nues.cn
Getting Private key


# 将证书赋予执行权限
chmod +x server.*

安装harbor并启动harbor服务

cd /data/harbor/
./install.sh
#结果如下
[root@harbor harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 24.0.7

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.5.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v1.10.3
Loaded image: goharbor/harbor-db:v1.10.3
Loaded image: goharbor/clair-photon:v1.10.3
Loaded image: goharbor/harbor-registryctl:v1.10.3
Loaded image: goharbor/redis-photon:v1.10.3
Loaded image: goharbor/nginx-photon:v1.10.3
Loaded image: goharbor/clair-adapter-photon:v1.10.3
Loaded image: goharbor/harbor-log:v1.10.3
Loaded image: goharbor/notary-server-photon:v1.10.3
Loaded image: goharbor/notary-signer-photon:v1.10.3
Loaded image: goharbor/harbor-migrator:v1.10.3
Loaded image: goharbor/chartmuseum-photon:v1.10.3
Loaded image: goharbor/prepare:v1.10.3
Loaded image: goharbor/harbor-portal:v1.10.3
Loaded image: goharbor/harbor-jobservice:v1.10.3
Loaded image: goharbor/registry-photon:v1.10.3


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /data/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir



[Step 5]: starting Harbor ...
[+] Running 10/10
 ⠿ Network harbor_harbor        Created                                                                                    0.4s
 ⠿ Container harbor-log         Started                                                                                    0.5s
 ⠿ Container harbor-portal      Started                                                                                    0.9s
 ⠿ Container redis              Started                                                                                    1.1s
 ⠿ Container registry           Started                                                                                    1.2s
 ⠿ Container registryctl        Started                                                                                    1.0s
 ⠿ Container harbor-db          Started                                                                                    1.0s
 ⠿ Container harbor-core        Started                                                                                    1.3s
 ⠿ Container harbor-jobservice  Started                                                                                    1.6s
 ⠿ Container nginx              Started                                                                                    1.7s
✔ ----Harbor has been installed and started successfully.----  #成功安装


## 查看是否安装成功

[root@harbor harbor]# docker-compose  ps 
NAME                COMMAND                  SERVICE             STATUS              PORTS
harbor-core         "/harbor/harbor_core"    core                running (healthy)   
harbor-db           "/docker-entrypoint.…"   postgresql          running (healthy)   5432/tcp
harbor-jobservice   "/harbor/harbor_jobs…"   jobservice          running (healthy)   
harbor-log          "/bin/sh -c /usr/loc…"   log                 running (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       "nginx -g 'daemon of…"   portal              running (healthy)   8080/tcp
nginx               "nginx -g 'daemon of…"   proxy               running (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp, :::80->8080/tcp, :::443->8443/tcp
redis               "redis-server /etc/r…"   redis               running (healthy)   6379/tcp
registry            "/home/harbor/entryp…"   registry            running (healthy)   5000/tcp
registryctl         "/home/harbor/start.…"   registryctl         running (healthy)   
[root@harbor harbor]# 

## harbor服务常用命令

docker-compose ps 
docker-compose stop
docker-compose up -d

访问验证

浏览器访问

访问验证:https://192.168.40.101 默认账号:admin Harbor12345

如图