If Docker Hub is the equivalent of GitHub, then Harbor is GitLab: it is mainly used to set up a private registry that serves as a relay for images between the internal network and the outside.
0. Official site
goharbor.io
1. Deployment
wget https://github.com/goharbor/harbor/releases/download/v1.10.0-rc2/harbor-offline-installer-v1.10.0-rc2.tgz
tar -zxvf harbor-offline-installer-v1.10.0-rc2.tgz  # extracting produces a harbor directory
mv harbor /usr/local/
cd /usr/local/harbor
Edit the hostname in the harbor.yml file; the same file also shows the default UI login credentials: admin / Harbor12345
vi harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: master001
.....
# The path of cert and key files for nginx
certificate: /your/certificate/path
private_key: /your/private/key/path
.....
As you can see, the certificate and private_key paths still have to be configured.
Configuring SSL
mkdir /usr/local/harbor/cert
cd cert
# create the CA private key
openssl genrsa -out ca.key 4096
# create the self-signed CA certificate used for signing
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=master001" \
-key ca.key \
-out ca.crt
# generate the server's private key
openssl genrsa -out master001.key 4096
# generate the certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=master001" \
-key master001.key \
-out master001.csr
# generate the server certificate: write the v3 extensions, then sign the CSR with the CA
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=master001
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in master001.csr \
-out master001.crt
[root@master001 cert]# ll cert
total 28
-rw-r--r-- 1 root root 2029 Dec 8 14:27 ca.crt
-rw-r--r-- 1 root root 3243 Dec 8 14:25 ca.key
-rw-r--r-- 1 root root 17 Dec 8 14:31 ca.srl
-rw-r--r-- 1 root root 2061 Dec 8 14:31 master001.crt
-rw-r--r-- 1 root root 1704 Dec 8 14:29 master001.csr
-rw-r--r-- 1 root root 3243 Dec 8 14:28 master001.key
-rw-r--r-- 1 root root 231 Dec 8 14:30 v3.ext
Next, set the certificate and private_key paths in harbor.yml:
certificate: /usr/local/harbor/cert/master001.crt
private_key: /usr/local/harbor/cert/master001.key
Docker Compose, for orchestrating the containers from a compose file: https://docs.docker.com/compose/install/
curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
systemctl start docker
sh /usr/local/harbor/install.sh
# ……
# Harbor has been installed and started successfully.
Once Harbor has started successfully, a docker-compose.yml file is generated in the current directory.
At this point you can log in to the Harbor web UI; just enter the IP address in the browser.
Note: when running docker-compose commands, docker-compose.yml must be present in the current directory.
2. Logging in to Harbor
First configure the local /etc/hosts file.
mkdir -p /etc/docker/certs.d/master001/
cd /usr/local/harbor/cert/
openssl x509 -inform PEM -in master001.crt -out master001.cert
cp master001.cert /etc/docker/certs.d/master001/
cp master001.key /etc/docker/certs.d/master001/
cp ca.crt /etc/docker/certs.d/master001/
systemctl restart docker
cd /usr/local/harbor
docker-compose up -d
docker login -u admin -p Harbor12345 master001
docker login -u admin -p Harbor12345 172.21.65.102  # logging in with the IP fails at this point
vi /etc/docker/daemon.json
{
"registry-mirrors":["https://master001"],
"insecure-registries":["172.21.65.102"]
}
systemctl restart docker
docker-compose up -d
docker login -u admin -p Harbor12345 172.21.65.102
Once you can log in to the private Harbor registry by both IP and hostname, look at the following file; its contents change depending on whether you are logged in.
cat ~/.docker/config.json
{"auths": {"172.21.65.102": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="},"master001": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}},"HttpHeaders": {"User-Agent": "Docker-Client/19.03.5 (linux)"}
}
docker logout master001
cat ~/.docker/config.json
{"auths": {"172.21.65.102": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}},"HttpHeaders": {"User-Agent": "Docker-Client/19.03.5 (linux)"}
}
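The auth strings in that file are nothing more than base64 of user:password (YWRtaW46SGFyYm9yMTIzNDU= decodes to admin:Harbor12345), so every machine that has logged in to the private registry now holds the admin password in reversible form in ~/.docker/config.json. The following helpers, an added example that is not part of the original post, list which registries a host has stored credentials for without printing the password; the JSON sample is constructed to match the output above, and the config path is a parameter.

```shell
#!/bin/sh
# Added example, not part of the original post. The "auth" entries in
# ~/.docker/config.json are base64("user:password"), so the file holds the
# registry password in reversible form. These helpers list the stored logins
# on a host without printing the password. The JSON sample below is
# constructed to match the post's output; the config path is a parameter.

# decode_docker_auth BASE64 -> prints "user:password"
decode_docker_auth() {
    printf '%s' "$1" | base64 -d
}

# list_registry_logins CONFIG_FILE -> one "registry user" line per stored login
list_registry_logins() {
    # flatten the file (Docker pretty-prints it with tabs), then pull out each
    # "registry": {"auth": "..."} pair; the real password is never echoed
    tr -d '\n\t' < "$1" | grep -o '"[^"]*": *{ *"auth": *"[^"]*" *}' | while read -r pair; do
        registry=$(printf '%s' "$pair" | sed 's/^"\([^"]*\)".*/\1/')
        auth=$(printf '%s' "$pair" | sed 's/.*"auth": *"\([^"]*\)".*/\1/')
        user=$(decode_docker_auth "$auth" | cut -d: -f1)
        printf '%s %s\n' "$registry" "$user"
    done
}

# count_registry_logins CONFIG_FILE -> number of stored logins
count_registry_logins() {
    list_registry_logins "$1" | wc -l | tr -d ' '
}

# Constructed sample: the config.json the post shows after logging in by IP
# and by hostname (both entries decode to the Harbor admin account).
SAMPLE_CONFIG='{"auths": {"172.21.65.102": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="},"master001": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}},"HttpHeaders": {"User-Agent": "Docker-Client/19.03.5 (linux)"}}'

# write_sample_config PATH -> writes the constructed sample so the helpers can be tried offline
write_sample_config() {
    printf '%s\n' "$SAMPLE_CONFIG" > "$1"
}

# Stand-alone use: list the logins stored in this user's real config, if any
if [ -f "$HOME/.docker/config.json" ]; then
    list_registry_logins "$HOME/.docker/config.json"
fi
```

Running list_registry_logins ~/.docker/config.json on a host shows what docker logout still needs to clean up. Because the file is the only thing protecting the stored password, it should not be readable by other users, and Docker's credsStore / credHelpers setting in the same file moves the secret into the operating system keychain instead of keeping it inline.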
3. Example
In the Harbor UI, click "New Project" to create a private project named testdata, pull the hello-world image from Docker Hub, then push it to the testdata project we just created.
docker pull hello-world
docker tag hello-world:latest 172.21.65.102/testdata/hello-world:v1
docker login -u admin -p Harbor12345 172.21.65.102  # once logged in to the private registry, you can push
docker push 172.21.65.102/testdata/hello-world:v1
After the push succeeds, try pulling the image back from the private registry on the same machine.
docker rmi 172.21.65.102/testdata/hello-world:v1   # delete the local image first
docker pull 172.21.65.102/testdata/hello-world:v1  # pull
docker run 172.21.65.102/testdata/hello-world:v1   # run
Note: all the push operations here used the IP rather than the hostname, because pushing by hostname has a pitfall.
The hostname usually has no domain name configured (e.g. hostname.xxx),
so the ops team needs to set up name resolution in /etc/hosts and /etc/resolv.conf:
172.21.65.102 master001.com master001
So how do you pull the image from another machine?
First, the new machine also needs Docker installed; then run the following commands on it:
# create the directory with the same name
mkdir -p /etc/docker/certs.d/master001/
# copy the certificate files from the machine running Harbor to the new machine
scp /etc/docker/certs.d/master001/* 172.21.65.103:/etc/docker/certs.d/master001/
scp /etc/docker/daemon.json 172.21.65.103:/etc/docker/
systemctl restart docker
# configure the hosts file
vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.21.65.102 master001
172.21.65.103 master002
Then you can log in to the private registry and pull the image:
docker login -u admin -p Harbor12345 172.21.65.102
docker pull 172.21.65.102/testdata/hello-world:v1
# list the pulled image
docker images
# run it
docker run 172.21.65.102/testdata/hello-world:v1
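The post copies all three files into /etc/docker/certs.d/master001/ and then scp's that directory to the second machine, which spreads the server's private key (master001.key) to every client. Docker only reads the *.crt files in that directory as CA certificates (plus client.cert and client.key when client-certificate authentication is used), so a client needs ca.crt and nothing else. The following added example, which is not from the post, installs the CA into the client trust directory and audits the directory for stray private keys; the certs.d root is a parameter so it can be tried against a scratch directory instead of /etc/docker.

```shell
#!/bin/sh
# Added example, not from the original post. Prepares the Docker client's
# trust directory for a private registry and audits it. Docker reads
# <root>/certs.d/<registry>/*.crt as CA certificates; a client.key is only
# meaningful for client-certificate auth, and any other private key in that
# directory (such as the server's master001.key the post copies there) is
# unused by Docker and only widens exposure of the key. The root directory
# is a parameter; on a real host it is /etc/docker.

# install_registry_ca ROOT REGISTRY CA_FILE
# Copies the CA certificate, and only the CA certificate, into the trust dir.
install_registry_ca() {
    root="$1"; registry="$2"; ca_file="$3"
    mkdir -p "$root/certs.d/$registry"
    cp "$ca_file" "$root/certs.d/$registry/ca.crt"
    chmod 644 "$root/certs.d/$registry/ca.crt"
}

# audit_certs_d ROOT REGISTRY
# Returns 0 when the trust dir holds a CA cert and no stray private keys;
# client.key is allowed because Docker uses it for client-certificate auth.
audit_certs_d() {
    dir="$1/certs.d/$2"
    if [ ! -f "$dir/ca.crt" ]; then
        echo "missing CA certificate: $dir/ca.crt" >&2
        return 1
    fi
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            client.key) continue ;;
        esac
        if grep -q "PRIVATE KEY" "$f"; then
            echo "stray private key in client trust dir: $f" >&2
            status=1
        fi
    done
    return $status
}

# audit_all_certs_d ROOT
# Runs the audit for every registry directory under ROOT/certs.d.
audit_all_certs_d() {
    status=0
    for d in "$1"/certs.d/*; do
        [ -d "$d" ] || continue
        audit_certs_d "$1" "$(basename "$d")" || status=1
    done
    return $status
}

# Stand-alone use: audit the real Docker trust directories on this host
if [ -d /etc/docker/certs.d ]; then
    audit_all_certs_d /etc/docker && echo "certs.d: no stray private keys"
fi
```

For the post's two machines, install_registry_ca /etc/docker master001 /usr/local/harbor/cert/ca.crt on each client replaces the scp of the whole directory; audit_certs_d /etc/docker master001 then reports the copied master001.key so it can be removed.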