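Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding features that enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and improves the efficiency of transferring images between build and run environments. Harbor supports replicating image resources across multiple registry nodes, and all images are kept in the private registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.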

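  • Role-based access control - Users and Docker image repositories are organized through "projects"; a user can hold different permissions on multiple image repositories within the same namespace (project).
  • Image replication - Images can be replicated (synchronized) between multiple registry instances. This is especially suited to load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
  • Graphical user interface - Users can browse and search the current Docker image repositories and manage projects and namespaces from a browser.
  • AD/LDAP support - Harbor can integrate with an existing enterprise AD/LDAP for authentication and authorization management.
  • Audit management - All operations on image repositories can be recorded and traced for auditing.
  • Internationalization - Localized versions exist for English, Chinese, German, Japanese and Russian. More languages will be added.
  • RESTful API - The RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
  • Simple deployment - Online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).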

Official site: https://vmware.github.io/harbor/cn/
Official downloads: https://github.com/vmware/harbor/releases
vmware harbor v1.3.0-rc4 on Baidu Netdisk, password: m2mi
Installation guide: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
User guide: https://github.com/vmware/harbor/blob/master/docs/user_guide.md
HTTPS configuration: https://github.com/vmware/harbor/blob/master/docs/configure_https.md

Install docker-compose

docker-compose version 1.7.1+ is required.

# curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose

Generate the certificates

mkdir -p /data/cert
cd /data/cert
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr
echo subjectAltName = IP:192.168.1.196 > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt

Deploy VMware Harbor

# tar -zxf harbor-offline-installer-v1.3.0-rc4.tgz
# cd harbor
# grep -iv '^#' harbor.cfg | grep -iv '^$'
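hostname = 192.168.1.196 # use the domain name instead if you use a purchased certificate
ui_url_protocol = https # changed from http to https
db_password = root123 # this password must not be changed, otherwise some containers will not start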
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt # path to the certificate
ssl_cert_key = /data/cert/server.key # same as above; everything below can stay at its default
secretkey_path = /data
admiral_url = NA
clair_db_password = password
log_rotate_count = 50
log_rotate_size = 200M
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 3
ldap_timeout = 5
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
db_host = mysql
db_port = 3306
db_user = root
uaa_endpoint = uaa.mydomain.org
uaa_clientid= id
uaa_clientsecret= secret
uaa_ca_root= /path/to/uaa_ca.pem
#
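
A pre-install check for the settings listed above, as an added example that is not part of the original post or of Harbor itself: it reads harbor.cfg and reports values that leave the registry open, using only keys that appear in the listing. The helper names cfg_get, flag and audit_harbor_cfg are hypothetical, and stripping trailing " #..." annotations is an assumption made so the annotated listing can be checked as-is.

```shell
#!/bin/sh
# Added example; cfg_get, flag and audit_harbor_cfg are hypothetical helper names.

# cfg_get FILE KEY: print KEY's value. Trailing " #..." annotations, as used in
# the listing above, are stripped (an assumption of this example).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]][[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# flag MESSAGE: print one finding and count it.
flag() { echo "$1"; findings=$((findings + 1)); }

# audit_harbor_cfg FILE: print one finding per line; return 1 if any were found.
audit_harbor_cfg() {
    cfg="$1"; findings=0
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        flag "harbor_admin_password: still the published default"
    fi
    if [ "$(cfg_get "$cfg" ui_url_protocol)" != "https" ]; then
        flag "ui_url_protocol: not https, logins and image data are sent in clear text"
    fi
    if [ "$(cfg_get "$cfg" self_registration)" = "on" ]; then
        flag "self_registration: on, anyone who can reach the UI can create an account"
        if [ "$(cfg_get "$cfg" project_creation_restriction)" = "everyone" ]; then
            flag "project_creation_restriction: everyone, self-registered users can create projects"
        fi
    fi
    if [ "$(cfg_get "$cfg" auth_mode)" = "ldap_auth" ]; then
        case "$(cfg_get "$cfg" ldap_url)" in
            ldaps://*) ;;
            *) flag "ldap_url: does not use ldaps://" ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_harbor_cfg harbor.cfg` before `./install.sh`; a non-zero exit status means at least one finding was printed.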

The Docker version must be greater than 1.6.0

# cat /etc/docker/daemon.json
{ "insecure-registries":["192.168.1.196"] } # if harbor.cfg uses a domain name, this must match it
#
systemctl enable docker
systemctl start docker
./install.sh # install VMware Harbor

[root@localhost ~]# docker images | grep -i vmware
vmware/harbor-log v1.3.0-rc4 58aa9393b1cd 3 weeks ago 207MB
vmware/harbor-jobservice v1.3.0-rc4 b3664e837ab8 3 weeks ago 197MB
vmware/harbor-ui v1.3.0-rc4 5f6e4c4b41da 3 weeks ago 211MB
vmware/harbor-adminserver v1.3.0-rc4 a907519f7baf 3 weeks ago 174MB
vmware/harbor-db v1.3.0-rc4 83b013940805 3 weeks ago 586MB
vmware/photon 1.0 7b154bf6f104 3 weeks ago 130MB
vmware/clair v2.0.1-photon 7a633033c5b1 5 weeks ago 365MB
vmware/postgresql 9.6.5-photon a5c79b0473d9 6 weeks ago 285MB
vmware/registry 2.6.2-photon c38af846a0da 6 weeks ago 240MB
vmware/mariadb-photon 10.2.10 eaaae71dea19 6 weeks ago 586MB
vmware/notary-photon signer-0.5.1 064b309ad822 6 weeks ago 246MB
vmware/notary-photon server-0.5.1 b8cc51024379 6 weeks ago 247MB
vmware/nginx-photon 1.11.13 2971c92cc1ae 6 weeks ago 200MB
vmware/harbor-db-migrator 1.3 6cac2b89f086 6 weeks ago 1.11GB
[root@localhost ~]#
[root@localhost ~]# docker ps -a | grep -i vmware
ea6b2d79bd4b vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
3e1e767e3095 vmware/harbor-jobservice:v1.3.0-rc4 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-jobserviced
08ae8e864d9 vmware/harbor-ui:v1.3.0-rc4 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-ui
e2abd8a9f45d vmware/harbor-db:v1.3.0-rc4 "/usr/local/bin/dock…" About a minute ago Up About a minute (healthy) 3306/tcp harbor-db
5337d7d2cb0a vmware/harbor-adminserver:v1.3.0-rc4 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-adminserver
cf85ac001f1f vmware/registry:2.6.2-photon "/entrypoint.sh serv…" About a minute ago Up About a minute (healthy) 5000/tcp registry
d6075f9aa12c vmware/harbor-log:v1.3.0-rc4 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@localhost ~]#

If login fails with the error below, you need to modify the /etc/docker/daemon.json file:
Error response from daemon: Get https://192.168.1.196/v2/: x509: certificate signed by unknown authority
Reference: https://github.com/vmware/harbor/blob/master/docs/user_guide.md#pulling-and-pushing-images-using-docker-client
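
The x509 error above means the Docker daemon does not trust the CA created in the certificate step. An "insecure-registries" entry turns certificate verification off for that host; the daemon can instead be given the CA itself, after which the entry is not needed. The following is an added example, not part of the original post: it checks that server.crt is signed by ca.crt and names the registry address in its subjectAltName, then copies ca.crt into Docker's per-registry trust directory. The function names and the CERTS_D override are hypothetical.

```shell
#!/bin/sh
# Added example; function names and the CERTS_D override are hypothetical.
# Docker trusts a registry's CA when it is stored as <CERTS_D>/<host>/ca.crt.
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"

# check_registry_cert CA_CRT SERVER_CRT HOST
# Succeeds only if SERVER_CRT is signed by CA_CRT and names HOST in its SAN.
check_registry_cert() {
    ca="$1"; crt="$2"; host="$3"
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $ca" >&2
        return 1
    fi
    # The SAN line reads e.g. "IP Address:192.168.1.196, DNS:harbor.example"
    san=$(openssl x509 -in "$crt" -noout -text |
          grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ') || san=""
    old_ifs=$IFS; IFS=,
    for entry in $san; do
        case "$entry" in
            "IPAddress:$host"|"DNS:$host") IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    echo "FAIL: $crt has no subjectAltName entry for $host" >&2
    return 1
}

# trust_registry_ca CA_CRT SERVER_CRT HOST
# Installs the CA for HOST only after the server certificate checks out.
trust_registry_ca() {
    check_registry_cert "$1" "$2" "$3" || return 1
    mkdir -p "$CERTS_D/$3" && cp "$1" "$CERTS_D/$3/ca.crt"
}
```

On a Docker client, run `trust_registry_ca /data/cert/ca.crt /data/cert/server.crt 192.168.1.196` as root after copying the two certificates over; the private keys stay on the Harbor host.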

Push an image

# docker login 192.168.1.196
Username: admin
Password:
Login Succeeded
#
# docker tag nginx:latest 192.168.1.196/library/nginx:latest
# docker push 192.168.1.196/library/nginx:latest

Pull an image

# docker rmi 192.168.1.196/library/nginx nginx
# docker pull 192.168.1.196/library/nginx:latest
# docker images | grep -i nginx
192.168.1.196/library/nginx latest 3f8a4339aadd 2 weeks ago 108MB
#

Screenshots

Visit https://192.168.1.196 to open VMware Harbor.
Default username and password: admin / Harbor12345

Uninstall

# pwd
/root/harbor
# docker-compose -f docker-compose.yml down

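This work is licensed under the Creative Commons Attribution 2.5 China Mainland license. Reposting is welcome, but please credit Jack Wang Blog and keep the reposted article complete. I reserve all copyright-related rights.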
This article comes from "Jack Wang Blog": http://www.yfshare.vip/2018/01/11/自建docker私有仓库-Vmware-Harbor/