Centos8 部署Harbor仓库

大鹏一日同风起，扶摇直上九万里。这篇文章主要讲述Centos8 部署Harbor仓库相关的知识，希望能为你提供帮助。
Centos8 部署Harbor私有仓库
背景介绍Harbor是VMware公司开源的企业级Docker Registry项目，是一个用于存储和分发Docker镜像的企业级Registry服务器，可以用来构建企业内部的Docker镜像仓库。它在Docker的开源项目 Distribution的基础上，添加了一些企业需要的功能特性，如镜像同步复制、漏洞扫描和权限管理等。Harbor是CNCF维护的一个项目，它提供了遵从性、性能和互操作性，帮助您在Kubernetes和Docker等云本地计算平台上一致和安全地管理工件。使命是成为Kubernetes受信任的本地云存储库
Harbor架构

文章图片

如上图所描述，Harbor由6个大的模块所组成：

Proxy: Harbor的registry、UI、token services等组件，都处在一个反向代理后边。该代理将来自浏览器、docker clients的请求转发到后端服务上。
Registry: 负责存储Docker镜像，以及处理Docker push/pull请求。因为Harbor强制要求对镜像的访问做权限控制，在每一次push/pull请求时，Registry会强制要求客户端从token service那里获得一个有效的token。
Core services: Harbor的核心功能，主要包括如下3个服务:
UI: 作为Registry Webhook, 以图像用户界面的方式辅助用户管理镜像。
1) WebHook是在registry中配置的一种机制，当registry中镜像发生改变时，就可以通知到Harbor的webhook endpoint。Harbor使用webhook来更新日志、初始化同步job等。
2) Token service会根据该用户在一个工程中的角色，为每一次的push/pull请求分配对应的token。假如相应的请求并没有包含token的话，registry会将该请求重定向到token service。
3) Database 用于存放工程元数据、用户数据、角色数据、同步策略以及镜像元数据。
Job services: 主要用于镜像复制，本地镜像可以被同步到远程Harbor实例上。
Log collector: 负责收集其他模块的日志到一个地方环境部署

服务器	IP	组件
Harbor	192.168.169.204	docker-ce、docker-compose、harbor-offline
client	192.168.169.203	docker-ce

部署docker服务

#安装yum-utils yum install -y yum-utils #添加docker-ce.repo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo #安装docker-ce yum install -y docker-ce docker-ce-cli containerd.io --allowerasing #启用docker服务，开机自启动 systemctl enable docker --now #配置docker镜像加速 mkdir -p /etc/docker cat > /etc/docker/daemon.json < < EOF { "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"] } EOF #重启docker服务 systemctl daemon-reload systemctl restart docker

部署Docker-Compose服务

#进入官网下载compose https://github.com/docker/compose/releases

文章图片

#用winscp等软件，上传compose包到/usr/local/bin/ #修改名字 [root@localhost bin]# mv docker-compose-linux-x86_64 docker-compose #修改权限，查看版本 [root@localhost bin]# chmod 755 docker-compose [root@localhost ~]# docker-compose version

创建自签证书创建自签证书用于tls加密，后面将用于对请求进行校验。
首先找到OpenSSL工具配置文件openssl.cnf，对于Centos,目录在/etc/pki/tls/中

文章图片

修改openssl.cnf配置文件
编辑openssl.cnf,在[v3_ca]后面添加：subjectAltName = IP:域名|IP地址，大概位置在245行左右

#可是域名或者IP subjectAltName = IP:192.168.169.204

文章图片

创建自签证书
方法一：-subj指定证书信息

#创建证书存放目录 mkdir /data/cert/ -p cd /data/cert/ openssl req -subj /C=CN/ST=BeiJing/L=BeiJing/CN=192.168.169.204 -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt # -subj 通过C指定国家、ST指定省份、L指定区、CN指定域名或者IP

方法二：交互式生成

[root@localhost cert]# openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry2.key -out registry2.crt Generating a RSA private key ......................+++++ ........+++++ writing new private key to registry2.key ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. ----- Country Name (2 letter code) [XX]:CN string is too long, it needs to be no more than 2 bytes long Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BeiJing Locality Name (eg, city) [Default City]:BeiJing Organization Name (eg, company) [Default Company Ltd]:ex Organizational Unit Name (eg, section) []:ex Common Name (eg, your name or your servers hostname) []:192.168.169.204 #输入Harbor服务器的IP或者域名 Email Address []:admin@example.com

部署Harbor 安装Harbor

#官网下载镜像，可选择离线安装包和在线安装文件，此文档选择下载离线安装包 https://github.com/goharbor/harbor/releases

文章图片

#用winscp等工具，上传安装包至/usr/local/ [root@localhost bin]# cd /usr/local/ #解压Harbor [root@localhost local]# tar -zxvf harbor-offline-installer-v2.3.4.tgz harbor/harbor.v2.3.4.tar.gz harbor/prepare harbor/LICENSEHarbor harbor/install.sh harbor/common.sh harbor/harbor.yml.tmpl

修改安装脚本

[root@localhost cert]# cd /usr/local/harbor/ #复制配置样例harbor.yml.tmpl为harbor.yml，并修改harbor.yml文件 [root@localhost harbor]# cp harbor.yml.tmpl harbor.yml #修改Harbor hostname 域名或者IP [root@localhost harbor]# cat harbor.yml | grep hostname hostname: 192.168.169.204 #修改自签证书存放路径 [root@localhost harbor]# cat harbor.yml | grep registry certificate: /data/cert/registry.crt private_key: /data/cert/registry.key #Harbor 默认用户名admin 密码Harbor12345#创建日志目录 [root@localhost harbor]# mkdir /var/log/harbor/ #修改完成后，运行安装脚本 [root@localhost harbor]# ./install.sh[Step 0]: checking if docker is installed ...#检查docker是否安装Note: docker version: 20.10.11[Step 1]: checking docker-compose is installed ... #检查docker-compose是否安装Note: docker-compose version: 2.1.1[Step 2]: loading Harbor images ... #拉取Harbor需要的容器 103405848fd2: Loading layer [==================================================> ]37.24MB/37.24MB bab588f83459: Loading layer [==================================================> ]8.75MB/8.75MB 5f0fc8804b08: Loading layer [==================================================> ]11.64MB/11.64MB c28f2daf5359: Loading layer [==================================================> ]1.688MB/1.688MB Loaded image: goharbor/harbor-portal:v2.3.4 ....... [Step 3]: preparing environment ... #准备环境[Step 4]: preparing harbor configs ... #配置环境 prepare base dir is set to /usr/local/harbor [Step 5]: starting Harbor ... #启动各个服务 [+] Running 9/9 ? Container harbor-logStarted7.0s ...... ? ----Harbor has been installed and started successfully.----

文章图片

登录
网页登录https://IP或域名，用户名为配置文件中的admin/Harbor12345,如有修改用修改后的密码。

文章图片

文章图片

测试上传下载镜像本机测试
登录测试

[root@localhost harbor]# docker login http://127.0.0.1 Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-storeLogin Succeeded

上传镜像

#daemon.json新增私有库地址 [root@localhost harbor]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"], "insecure-registries":["192.168.169.204"] } #重启docker服务 [root@localhost harbor]# systemctl restart docker #重命名容器名 [root@localhost harbor]# docker tag centos 192.168.169.202/library/centos [root@localhost harbor]# docker images | grep centos centoslatest5d0da3dc97642 months ago231MB 192.168.169.202/library/centoslatest5d0da3dc97642 months ago231MB #修改/root/.docker/config.json配置文件 [root@Harbor harbor]# cat /root/.docker/config.json { "auths": { "192.168.169.204": { "auth": "YWRtaW46SGFyYm9yMTIzNDU=" } } } [root@localhost harbor]# docker push 192.168.169.202/library/centos

客户端测试
登录测试

#配置私有仓库地址 [root@client ~]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"], "insecure-registries":["192.168.169.204"] } [root@client ~]# systemctl restart docker [root@client ~]# docker login 192.168.169.204 Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-storeLogin Succeeded

上传镜像

[root@client ~]# docker pull 192.168.169.204/library/centos Using default tag: latest latest: Pulling from library/centos a1d0c7532777: Pull complete Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc Status: Downloaded newer image for 192.168.169.204/library/centos:latest 192.168.169.204/library/centos:latest

下载镜像

[root@client ~]# docker pull httpd Using default tag: latest latest: Pulling from library/httpd eff15d958d66: Pull complete ba1caf8ba86c: Pull complete ab86dc02235d: Pull complete 600feb748d3c: Pull complete 635a49ba2501: Pull complete Digest: sha256:758c3132b4775e8449ee5959240066546bda47be163f16c2493eb9dc1a148d05 Status: Downloaded newer image for httpd:latest docker.io/library/httpd:latest [root@client ~]# docker tag httpd 192.168.169.204/library/httpd [root@client ~]# docker push 192.168.169.204/library/httpd Using default tag: latest The push refers to repository [192.168.169.204/library/httpd]

文章图片

常见报错 x509: cannot validate certificate for < ipaddress> because it doesnt contain any IP SANs

#OpenSSL工具配置文件openssl.cnf，对于Centos,目录在/etc/pki/tls/中 #可是域名或者IP vim /etc/pki/tls/openssl.cnf subjectAltName = IP:192.168.169.204

未创建Harbor日志目录

#Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /var/log/harbor/

x509: certificate signed by unknown authority
解决方法：daemon.json新增私有库地址，每一段用逗号隔开

[root@localhost harbor]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"], "insecure-registries":["192.168.169.204"] } #重启docker服务，再进行测试 [root@localhost harbor]# systemctl restart docker

action: push: unauthorized to access repository
【Centos8 部署Harbor仓库】当Harbor配置完成后，发现无法push。原因是/root/.docker/config.json 和daemon.json 中insecure-registries设的主机名不一致导致的。

#authorized: unauthorized to access repository: library/centos, action: push: unauthorized to access repository: library/centos, action: push[root@Harbor harbor]# cat /root/.docker/config.json { "auths": { "192.168.169.204": { "auth": "YWRtaW46SGFyYm9yMTIzNDU=" } } } [root@Harbor harbor]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://5ufvppm7.mirror.aliyuncs.com"], "insecure-registries":["192.168.169.204"] }