前言
环境:
centos 7.9 harbor-offline-installer-v2.4.3.tgz
下载harbor版本
harbor
的官网:
https://goharbor.io/
,点下载按钮其实会跳转到github上,
https://github.com/goharbor/harbor/releases/
下载自己所需的版本即可。 也可以直接在虚拟机上
wget https://github.com/goharbor/harbor/releases/download/v2.4.3/harbor-offline-installer-v2.4.3.tgz
联网下载。
检查环境并创建证书
查看官方安装文档:
https://goharbor.io/docs/2.4.0/
查看安装先决条件:
https://goharbor.io/docs/2.4.0/install-config/installation-prereqs/
,需要
Docker engine Version 17.06.0-ce+ or higher 、 Docker Compose Version 1.18.0 or higher、Openssl Latest is preferred
。
需要先安装
docker、docker-compose
,这里不再体现,默认你已经安装好了
docker和docker-compose
,如果不会安装
docker
和
docker-compose
,请参考
https://blog.csdn.net/MssGuo/article/details/122694156
。
[root@harbor ~]# mkdir /data #创建一个data目录,用作harbor的数据存储目录
[root@harbor ~]# mkdir /data/harbor/ssl/ -p #创建一个ssl目录,用于存放秘钥文件
#默认情况下,harbor如果要使用https登陆,需要有证书,可以自签证书
[root@harbor ~]#cd /data/harbor/ssl/ #进入/data/harbor/ssl/目录创建证书
[root@harbor ssl]# openssl genrsa -out ca.key 4096
[root@harbor ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xiaoming.com" \ #这里的xiaoming.com写上你的域名,没有域名写上ip地址也可以
-key ca.key \
-out ca.crt
[root@harbor ~]# tar zxvf harbor-offline-installer-v2.4.3.tgz #上传安装包到服务器上并解压安装包
[root@harbor ~]# cd harbor #进入到解压后的目录
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml #将官方的harbor配置文件模板复制一份作为harbor的配置文件
harbor配置文件讲解
[root@harbor ~]# vim harbor.yml #编辑harbor.yml,具体修改如下所示
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.118.129 #这里配置ip地址或域名,官方建议不用使用localhost or 127.0.0.1
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80 #这是http端口,默认80端口,如果https启用,那么http会重定向到https
# https related config
https:
# https port for harbor, default is 443
port: 443 #这是https端口,默认443端口,启动https需要有证书
# The path of cert and key files for nginx
certificate: /data/harbor/ssl/ca.crt #访问harbor的证书,这里要改为上面生成的证书
private_key: /data/harbor/ssl/ca.key #访问harbor的私钥,这里要改为上面生成的证书
# # Uncomment following will enable tls communication between all harbor components
# internal_tls: #是否启用Harbor组件之间的tls通信,默认禁用状态
# # set enabled to true means internal tls is enabled
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# Uncomment external_url if you want to enable external proxy #是否启用外部代理
# And when it enabled the hostname will no longer used #如果启用,那么主机名将不再使用,默认禁用,值为外部代理的地址
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin #管理员admin的初始密码,默认为Harbor12345
# It only works in first time to install harbor #该初始密码只在第一次安装harbor时起作用
# Remember Change the admin password from UI after launching Harbor.#登录Harbor UI管理界面后,为保证密码安全,强烈建议修改admin密码
harbor_admin_password: Harbor12345
# Harbor DB configuration #harbor数据库配置部分,harbor使用postgresql作为数据库
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123 #数据库root用户的密码,生产环境建议修改
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 100 #空闲连接池中的最大连接数,如果小于等于0,则不保留空闲连接
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 900 #打开数据库的最大连接数,如果小于等于0,则对打开的连接数没有限制
# The default data volume
data_volume: /data #数据存储目录,harbor中的每个组件的数据都存储在该指定路径下的子目录中
# Harbor Storage settings by default is using /data dir on local filesystem #Harbor的存储默认在本地文件系统的/data目录
# Uncomment storage_service setting If you want to using external storage #如果需要使用外部存储,则将该部分的注释去掉,生产环境建议使用外部存储
# storage_service:
# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
# ca_bundle: #自定义根ca证书的路径,该证书将被注入信任库
# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
# filesystem: #存储后端,默认为文件系统,选项包括文件系统、azure、gcs、s3、swift、NFS和oss存储
# maxthreads: 100
# # set disable to true when you want to disable registry redirect
# redirect: #是否启用重定向
# disabled: false
# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# The offline_scan option prevents Trivy from sending API requests to identify dependencies.
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
# For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
# exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
# It would work if all the dependencies are in local.
# This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
offline_scan: false
#
# insecure The flag to skip verifying registry certificate
insecure: false
# github_token The GitHub access token to download Trivy DB
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
#
# github_token: xxx
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10 #job服务的最大数量
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 10 # webhook job的最大重试次数
chart: #harbor不仅可以存储镜像,还可以存Chart,当helm服务器使用
# Change the value of absolute_url to enabled can enable absolute url in chart
absolute_url: disabled #是否启用
# Log configurations
log: #日志相关配置
# options are debug, info, warning, error, fatal
level: info #日志级别
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor #日志存放位置
# Uncomment following lines to enable external syslog endpoint. #是否启用外部系统日志
# external_endpoint:
# # protocol used to transmit log to external endpoint, options is tcp or udp
# protocol: tcp #用于将日志传输到外部端点的协议,选项为tcp或udp
# # The host of external endpoint
# host: localhost #外部主机的地址(主机IP)
# # Port of external endpoint
# port: 5140 #外部主机的端口号
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.4.0
# Uncomment external_database if using external database. #是否使用外部数据库,需要使用请取消下面的注释
# external_database: #外部数据库配置
# harbor:
# host: harbor_db_host #外部数据库ip地址
# port: harbor_db_port #外部数据库端口
# db_name: harbor_db_name #数据库名
# username: harbor_db_username #用户名
# password: harbor_db_password #密码
# ssl_mode: disable #是否启用SSL模式
# max_idle_conns: 2 #最大空闲连接数
# max_open_conns: 0 #最大连接数,0表不限制
# notary_signer:
# host: notary_signer_db_host
# port: notary_signer_db_port
# db_name: notary_signer_db_name
# username: notary_signer_db_username
# password: notary_signer_db_password
# ssl_mode: disable
# notary_server:
# host: notary_server_db_host
# port: notary_server_db_port
# db_name: notary_server_db_name
# username: notary_server_db_username
# password: notary_server_db_password
# ssl_mode: disable
# Uncomment external_redis if using external Redis server #启用外部redis缓存服务器则取消下面的注释
# external_redis:
# # support redis, redis+sentinel
# # host for redis: <host_redis>:<port_redis>
# # host for redis+sentinel:
# # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
# host: redis:6379 # redis的地址:端口
# password: # 连接外部redis服务的密码
# # sentinel_master_set must be set to support redis+sentinel
# #sentinel_master_set:
# # db_index 0 is for core, it's unchangeable
# registry_db_index: 1
# jobservice_db_index: 2
# chartmuseum_db_index: 3
# trivy_db_index: 5
# idle_timeout_seconds: 30
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
# ca_file: /path/to/ca
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
# metric:
# enabled: false
# port: 9090
# path: /metrics
# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agetn mode uncomment agent_host and agent_port
# trace:
# enabled: true
# # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
# sample_rate: 1
# # # namespace used to differenciate different harbor services
# # namespace:
# # # attributes is a key value dict contains user defined attributes used to initialize trace provider
# # attributes:
# # application: harbor
# # # jaeger should be 1.26 or newer.
# # jaeger:
# # endpoint: http://hostname:14268/api/traces
# # username:
# # password:
# # agent_host: hostname
# # # export trace data by jaeger.thrift in compact mode
# # agent_port: 6831
# # otel:
# # endpoint: hostname:4318
# # url_path: /v1/traces
# # compression: false
# # insecure: true
# # timeout: 10s
安装harbor
配置文件修改完成,我们开始安装harbor,如下所示:
[root@harbor harbor]# ./prepare #先执行./prepare检查一下,看看有没有报错,有报错就解决
prepare base dir is set to /root/harbor
Unable to find image 'goharbor/prepare:v2.4.3' locally
v2.4.3: Pulling from goharbor/prepare
9fc3011f8f61: Pull complete
eb8eda8a9731: Pull complete
77da97ebcff1: Pull complete
8f78fd5a419a: Pull complete
5fef0d95753f: Pull complete
36dec2a7f11d: Pull complete
1d33225e2038: Pull complete
6421e1da01ae: Pull complete
Digest: sha256:a34acf3f79ac5b1b31b695435f6eb948eb3c50bc967c020058c31bcf1425be08
Status: Downloaded newer image for goharbor/prepare:v2.4.3
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@harbor harbor]# ./install.sh --with-trivy #上面检查没有报错,就开始开始安装,同时安装trivy镜像漏洞扫描器
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.9
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
................................
Loaded image: goharbor/chartmuseum-photon:v2.4.3
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Creating redis ... done
Creating harbor-core ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating registryctl ...
Creating harbor-db ...
Creating registry ...
Creating harbor-portal ...
Creating redis ...
Creating harbor-core ...
Creating nginx ...
Creating harbor-jobservice ...
✔ ----Harbor has been installed and started successfully.---- #最后看到这一条显示安装完成,表示harbor安装成功
安装过程报错
如果在安装过程中出现下面的报错:
解决办法为:
vim /etc/rsyslog.conf
$ModLoad imtcp #取消注释
$InputTCPServerRun 1514 #取消注释并修改为1514
systemctl restart rsyslog.service #重启rsyslog
继续执行安装harbor即可
网页登录
网页输入
https://ip地址
,选择下面的继续前往,
注意:前面配置文件说过,如果启用了
https
,那么即使输入
http://192.168.44.133:80
也会重定向到
https://192.168.44.133:443
。
输入账号密码即可登录,账号是
admin
,密码是
harbor.yml
文件里配置的初始密码
强烈建议立即修改默认密码,不然容易受到攻击
启动、停止harbor
#harbor也是使用容器启动的,如下所示,查看harbor的容器
[root@harbor ~]# docker ps -a #查看harbor的容器,显示启动了9个容器
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
97841cf6c2d9 goharbor/harbor-jobservice:v2.4.3 "/harbor/entrypoint.…" 42 minutes ago Up 42 minutes (healthy) harbor-jobservice
dee0a10dd2a9 goharbor/nginx-photon:v2.4.3 "nginx -g 'daemon of…" 42 minutes ago Up 42 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
358552731a7c goharbor/harbor-core:v2.4.3 "/harbor/entrypoint.…" 42 minutes ago Up 42 minutes (healthy) harbor-core
576686126dba goharbor/redis-photon:v2.4.3 "redis-server /etc/r…" 42 minutes ago Up 42 minutes (healthy) redis
67be92debee1 goharbor/harbor-portal:v2.4.3 "nginx -g 'daemon of…" 42 minutes ago Up 42 minutes (healthy) harbor-portal
e507864c7150 goharbor/registry-photon:v2.4.3 "/home/harbor/entryp…" 42 minutes ago Up 42 minutes (healthy) registry
1836823f54c8 goharbor/harbor-registryctl:v2.4.3 "/home/harbor/start.…" 42 minutes ago Up 42 minutes (healthy) registryctl
54ae00f87d97 goharbor/harbor-db:v2.4.3 "/docker-entrypoint.…" 42 minutes ago Up 42 minutes (healthy) harbor-db
97639626f2fe goharbor/harbor-log:v2.4.3 "/bin/sh -c /usr/loc…" 42 minutes ago Up 42 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@harbor ~]#
#停止harbor
[root@harbor ~]# cd /root/harbor #进入到harbor的安装目录才能启动停止,有一个docker-compose.yml文件
[root@harbor harbor]# docker-compose down -v #停止harbor
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping registryctl ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing redis ... done
Removing harbor-portal ... done
Removing registry ... done
Removing registryctl ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[root@harbor harbor]#
#启动harbor
[root@harbor ~]# cd /root/harbor #进入到harbor的安装目录才能启动停止,有一个docker-compose.yml文件
[root@harbor harbor]# docker-compose up -d #启动harbor
Creating harbor-log ... done
Creating network "harbor_harbor" with the default driver
Creating harbor-log ...
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating registryctl ...
Creating harbor-portal ...
Creating registry ...
Creating redis ...
Creating harbor-db ...
Creating harbor-core ...
Creating nginx ...
Creating harbor-jobservice ...
[root@harbor harbor]#
docker推送镜像到harbor镜像仓库、docker从harbor镜像仓库下载镜像
下面来验证
docker
推送镜像到
harbor
镜像仓库、
docker
从
harbor
镜像仓库下载镜像,如下:
首先在页面创建一个我们自己的私有仓库(默认有一个library公开仓库),这里创建了一个叫
my_harbor
的私有仓库。
1、添加仓库地址、重启docker
在一台需要上传镜像到镜像仓库或要从镜像仓库下载镜像的服务器上做下面的操作,这台服务器也是要安装有docker的。
#在/etc/docker/daemon.json文件添加镜像仓库地址
[root@master ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["192.168.44.133:443"] #添加这一句,把镜像仓库地址端口添加到docker daemon
}
#注意:如果使用的是域名,那么可以这样写 "insecure-registries": ["xiaoming.com"],当然这个域名要能解析到harbor服务器ip地址,这里
#直接写域名,默认的是http的80端口,前面我们也说过,会重定向到https的;如果没有DNS解析,那可以做本地域名解析 echo '192.168.44.133
# xiaoming.com' >> /etc/hosts
[root@master ~]# systemctl daemon-reload #重新加载系统配置
[root@master ~]# systemctl restart docker #要重启docker服务
2、登录镜像仓库、退出镜像仓库
#使用docker login命令登录镜像仓库,指定仓库地址端口,如果是域名的话,直接使用域名登录即可docker login -u admin xiaoming.com
[root@master ~]# docker login -u admin 192.168.44.133:443 #使用docker login命令登录镜像仓库,指定仓库地址端口
Password: #输入账号密码
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded #显示登录成功了
#从上面登录成功的信息中我们可以看出,账号密码被保存在 /root/.docker/config.json下
[root@master ~]# cat /root/.docker/config.json #查看config.json,里面保存了我们登录的账号密码信息
{
"auths": {
"192.168.44.133:443": { #这就是我们的仓库地址账号密码,这种加密方式其实是使用base64加密的,不安全
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
[root@master ~]# echo "YWRtaW46SGFyYm9yMTIzNDU=" | base64 -d #使用base64解密就能清晰的看到账号密码
admin:Harbor12345[root@master ~]#
#为了安全,我们要及时退出登录
[root@master ~]# docker logout 192.168.44.133:443 #退出登录我们的镜像仓库
Removing login credentials for 192.168.44.133:443
[root@master ~]# cat /root/.docker/config.json #查看/root/.docker/config.json,已经没了登录信息
{
"auths": {}
}
[root@master ~]#
3、推送镜像到远程harbor仓库
#这台机器上有一个busybox:latest的镜像,我们要把它推送到我们的harbor镜像仓库
#首先我们要给镜像打一个标签,标签格式为:镜像仓库域名/仓库名/镜像:tag ,这种格式是固定的,因为后面我们使用docker push的时候默认就是推
# 送到这样的仓库地址上去的
#如果使用域名的话,直接打标签即可docker tag nginx:1.7.9 xiaoming.com/my_harbor/nginx:1.0.0
[root@master ~]# docker tag busybox:latest 192.168.44.133:443/my_harbor/busybox:1.0.2 #为镜像打标签
[root@master ~]# docker images #查看已经打好标签的镜像
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.44.133:443/my_harbor/busybox 1.0.2 beae173ccac6 7 months ago 1.24MB
[root@master ~]#
#推送镜像到harbor镜像仓库,前提是已经登录了镜像仓库
#如果使用域名的话,直接推送即可docker push xiaoming.com/my_harbor/nginx:1.0.0
[root@master ~]# docker push 192.168.44.133:443/my_harbor/busybox:1.0.2 #推送镜像到harbor镜像仓库
The push refers to repository [192.168.44.133:443/my_harbor/busybox]
01fd6df81c8e: Pushed
1.0.2: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
4、下载镜像,从harbor远程镜像仓库下载镜像
[root@master ~]# docker rmi 192.168.44.133:443/my_harbor/busybox:1.0.2 #先删除busybox:1.0.2镜像
Untagged: 192.168.44.133:443/my_harbor/busybox:1.0.2
[root@master ~]# docker images 192.168.44.133:443/my_harbor/busybox:1.0.2 #现在已经没有busybox:1.0.2这个镜像了
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@master ~]#
[root@master ~]#
[root@master ~]# docker pull 192.168.44.133:443/my_harbor/busybox:1.0.2 #下载busybox:1.0.2镜像,已经成功下载了
1.0.2: Pulling from my_harbor/busybox
Digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Status: Downloaded newer image for 192.168.44.133:443/my_harbor/busybox:1.0.2
192.168.44.133:443/my_harbor/busybox:1.0.2
[root@master ~]# docker images 192.168.44.133:443/my_harbor/busybox:1.0.2 #已经成功下载了busybox:1.0.2镜像
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.44.133:443/my_harbor/busybox 1.0.2 beae173ccac6 7 months ago 1.24MB
[root@master ~]#
总结
1、前提条件:安装好docker、docker-compose
[root@harbor ~]# mkdir /data #创建一个data目录,用作harbor的数据存储目录
[root@harbor ~]# mkdir /data/harbor/ssl/ -p #在data目录下创建一个ssl目录,用于存放秘钥文件
#默认情况下,harbor如果要使用https登陆,需要有证书,可以自签证书
[root@harbor ~]# cd /data/harbor/ssl/ #切换目录
[root@harbor ssl]# openssl genrsa -out ca.key 4096
[root@harbor ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xiaoming.com" \ #这里的xiaoming.com写上你的域名,没有域名写上ip地址也可以
-key ca.key \
-out ca.crt
[root@harbor ~]# tar zxvf harbor-offline-installer-v2.4.3.tgz #上传安装包到服务器上并解压安装包
[root@harbor ~]# cd harbor #进入到解压后的目录
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml #将官方的harbor配置文件模板复制一份作为harbor的配置文件
2、编辑harbor.yml配置文件
# 主要修改以下节点即可,其它参数根据实际情况修改:
hostname: 192.168.118.129 #这里配置ip地址或域名,官方建议不用使用localhost or 127.0.0.1
certificate: /data/harbor/ssl/ca.crt #访问harbor的证书,这里要改为上面生成的证书
private_key: /data/harbor/ssl/ca.key #访问harbor的私钥,这里要改为上面生成的证书
3、安装harbor
[root@harbor ~]# cd harbor #进入到解压后的harbor目录
[root@harbor harbor]# ./prepare #先执行./prepare检查一下,看看有没有报错,有报错就解决
[root@harbor harbor]# ./install.sh #上面检查没有报错,就开始开始安装
4、网页登录
网页输入https://ip地址,默认账目为admin,初始密码是harbor.yml文件里面设置的初始密码
创建自己的私有镜像仓库
5、启动、停止harbor
#harbor也是使用容器启动的,如下所示,查看harbor的容器
[root@harbor ~]# docker ps -a #查看harbor的容器,显示启动了9个容器
#启动停止harbor都要进入到harbor的安装目录,因为里面有一个docker-compose.yml文件
#停止harbor
[root@harbor ~]# cd /root/harbor
[root@harbor harbor]# docker-compose down -v #停止harbor
#启动harbor
[root@harbor ~]# cd /root/harbor
[root@harbor harbor]# docker-compose up -d #启动harbor
6、推送镜像到harbor远程仓库、从harbor远程镜像仓库下载镜像
(1)、添加仓库地址、重启docker
在一台需要上传镜像到镜像仓库或要从镜像仓库下载镜像的服务器上做下面的操作,这台服务器也是要安装有docker的
#在/etc/docker/daemon.json文件添加镜像仓库地址
[root@master ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["192.168.44.133:443"] #添加这一句,把镜像仓库地址端口添加到docker daemon
}
[root@master ~]# systemctl restart docker #要重启docker服务
(2)、登录镜像仓库、退出镜像仓库
[root@master ~]# docker login -u admin 192.168.44.133:443 #使用docker login命令登录创建查看,指定仓库地址端口
[root@master ~]# docker logout 192.168.44.133:443 #退出登录我们的镜像仓库
(3)、推送镜像到远程harbor仓库
#这台机器上有一个busybox:latest的镜像,我们要把它推送到我们的harbor镜像仓库
#首先我们要给镜像打一个标签,标签格式为:镜像仓库域名/仓库名/镜像:tag ,这种格式是固定的,因为后面我们使用docker push的时候默认就是推
# 送到这样的仓库地址上去的
[root@master ~]# docker tag busybox:latest 192.168.44.133:443/my_harbor/busybox:1.0.2 #为镜像打标签
#推送镜像到harbor镜像仓库,前提是已经登录了镜像仓库
[root@master ~]# docker push 192.168.44.133:443/my_harbor/busybox:1.0.2 #推送镜像到harbor镜像仓库
The push refers to repository [192.168.44.133:443/my_harbor/busybox]
01fd6df81c8e: Pushed
1.0.2: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
(4)、下载镜像,从harbor远程镜像仓库下载镜像
[root@master ~]# docker pull 192.168.44.133:443/my_harbor/busybox:1.0.2 #下载busybox:1.0.2镜像,已经成功下载了
1.0.2: Pulling from my_harbor/busybox
Digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Status: Downloaded newer image for 192.168.44.133:443/my_harbor/busybox:1.0.2
192.168.44.133:443/my_harbor/busybox:1.0.2
7、使用域名配置镜像仓库地址
使用域名和使用ip地址配置没有什么不同,因为harbor.yml配置文件中已经说明了如果启用了https,那么http访问还是会重定向到https。所以,直接使用域名配置harbor镜像仓库地址其实会重定向到https。
[root@master ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["xiaoming.com"] #使用域名配置,相当于http://xiaoming.com:80
}
[root@master ~]# echo '192.168.44.133 xiaoming.com' >>/etc/hosts #设置本地域名解析
[root@master ~]# systemctl daemon-reload #重新加载系统配置
[root@master ~]# systemctl restart docker #要重启docker服务
[root@master ~]# docker login -u admin xiaoming.com #登录
[root@master ~]# docker tag nginx:1.7.9 xiaoming.com/my_harbor/nginx:1.0.0 #给镜像打tag
[root@master ~]# docker push xiaoming.com/my_harbor/nginx:1.0.0 #推送镜像