Harbor is an enterprise-class private Registry service designed for enterprise users by VMware's China team. Compared with a bare Registry it offers better performance and security, and it makes moving images between build and runtime environments more efficient. Harbor can replicate image resources across multiple Registry nodes while every image stays inside the private Registry, so data and intellectual property remain under control within the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Installing Harbor
Harbor runs on top of docker and docker-compose. Once both are installed on the host, download a release from the official GitHub repository, Releases · goharbor/harbor (github.com).
The extracted directory contains the prepare executable, which renders harbor.yml into the per-component configuration files under common/config before installation. Rename harbor.yml.tmpl to harbor.yml and edit it as follows:
- hostname: reg.mydomain.com: change this to the current server's IP, or to the domain name reserved for Harbor; it is the address used to reach Harbor.
- If you are not using https, comment out every item under https. Rather than Harbor's built-in https, terminate TLS in an nginx reverse proxy (described below). Plain http between the proxy and Harbor is only acceptable when both run on the same host or on an otherwise trusted network:
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path
- harbor_admin_password: Harbor12345: the password of the built-in admin account for the Harbor UI. Replace this well-known default before installing; it is only applied on Harbor's first start, after which the password lives in the database and is changed from the UI.
- Database configuration. The database password cannot be changed through harbor.yml once Harbor is installed, so it must be set before the first install:
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000
- Data storage. Harbor's data volume defaults to /data; moving it to a dedicated path is recommended:
data_volume: /data/harbor/db
- Logging. Changing the log location is recommended:
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor
- If Harbor is reached through an external reverse proxy, uncomment external_url and set it to the URL clients will use; Harbor then advertises that URL instead of hostname.
With the file ready, run ./prepare and then ./install.sh to install. When installation finishes, Harbor is reachable at the IP or domain name. To use Harbor's bundled image scanner, run ./prepare --with-clair again to add the scanner, then recreate the containers with docker-compose -f docker-compose.yml up -d. Newer Harbor releases ship Trivy instead of Clair; there the flag is --with-trivy.
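To catch the settings above before ./install.sh runs, here is a pre-install check script added for this guide (example code, not part of the Harbor release). It reads a flat harbor.yml with sed, so it assumes the keys sit at the top level or one level under database: as in the template. The sample file it falls back to is constructed to mirror the template defaults; the function names, the HARBOR-style messages and the domain harbor.evobot.cn are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of Harbor: pre-install sanity check for harbor.yml.
# Usage: ./harbor_yml_check.sh /path/to/harbor.yml   (exit 0 = clean, 1 = findings)
# With no argument it checks a constructed sample that mirrors the template defaults.

# top_value FILE KEY: value of an uncommented top-level "KEY: value" line.
top_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# block_value FILE BLOCK KEY: value of an indented "KEY: value" inside top-level "BLOCK:".
block_value() {
  sed -n "/^$2:/,/^[^[:space:]]/ s/^[[:space:]]\{1,\}$3:[[:space:]]*//p" "$1" | head -n 1
}

# block_active FILE KEY: succeeds if "KEY:" exists at column 0 (i.e. not commented out).
block_active() {
  grep -q "^$2:" "$1"
}

# harbor_yml_check FILE: print one line per finding, return 1 if anything must be fixed.
harbor_yml_check() {
  f=$1; rc=0
  host=$(top_value "$f" hostname)
  if [ -z "$host" ] || [ "$host" = "reg.mydomain.com" ]; then
    echo "FAIL hostname is empty or still the template placeholder"; rc=1
  else
    echo "ok   hostname=$host"
  fi
  if [ "$(top_value "$f" harbor_admin_password)" = "Harbor12345" ]; then
    echo "FAIL harbor_admin_password is the well-known default Harbor12345"; rc=1
  fi
  dbpw=$(block_value "$f" database password)
  if [ -z "$dbpw" ] || [ "$dbpw" = "root123" ]; then
    echo "FAIL database.password is empty or the template default (cannot be changed via harbor.yml after install)"; rc=1
  fi
  if block_active "$f" https; then
    echo "ok   https terminated by Harbor's own nginx"
  elif block_active "$f" external_url; then
    ext=$(top_value "$f" external_url)
    case "$ext" in
      https://*) echo "ok   TLS terminated by external proxy at $ext" ;;
      *) echo "FAIL external_url is set but is not https://"; rc=1 ;;
    esac
  else
    echo "FAIL no https block and no external_url: the registry would speak plain http"; rc=1
  fi
  [ "$(top_value "$f" data_volume)" = "/data" ] && echo "WARN data_volume is still the default /data"
  return $rc
}

# Constructed sample (not a real deployment): a harbor.yml left at template defaults.
sample_template_yml() {
  cat <<'EOF'
hostname: reg.mydomain.com
http:
  port: 80
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  # The password for the root user of Harbor DB.
  password: root123
  max_idle_conns: 50
data_volume: /data
EOF
}

if [ $# -gt 0 ]; then
  harbor_yml_check "$1"
else
  tmp=$(mktemp); sample_template_yml >"$tmp"
  harbor_yml_check "$tmp" || :
  rm -f "$tmp"
fi
```

Run it against the real file right before ./install.sh; every FAIL line corresponds to one of the items in the list above.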
Harbor https configuration
In a real production environment the same server may also host other sites behind nginx or a load balancer, so we put Harbor behind an nginx reverse proxy and let nginx provide https.
Harbor configuration
First edit harbor.yml: set hostname to the domain name, change the default http listening port from 80 to another port (nginx will take 80 and 443), and enable external_url. Everything else stays as before. Keep the new http port closed to anything but nginx, for example with a host firewall, since it serves the registry without TLS:
hostname: harbor.evobot.cn
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8081
# https related config
#https:
#  # https port for harbor, default is 443
#  port: 4433
#  # The path of cert and key files for nginx
#  certificate: /data/harbor/ssl/harbor.evobot.cn_chain.crt
#  private_key: /data/harbor/ssl/harbor.evobot.cn_key.key
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
external_url: https://harbor.evobot.cn
Then run ./prepare and ./install.sh. After installation the Harbor containers start automatically. Because the default http port was changed, common/config/core/env also needs to be edited after installation; otherwise docker login fails with the following error:
Error response from daemon: Get https://harbor.evobot.cn/v2/: Get http://harbor.evobot:8081/service/token?account=hill.li&client_id=docker&offline_token=true&service=harbor-registry: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) (Client.Timeout exceeded while awaiting headers)
In that env file EXT_ENDPOINT defaults to the http address including the changed port. Harbor hands this URL to docker clients as the token endpoint, so if that port is not reachable from the client, docker push cannot succeed:
EXT_ENDPOINT=http://harbor.evobot.cn:8081
Change it to our https address and drop the port number:
EXT_ENDPOINT=https://harbor.evobot.cn
Save the file and run docker-compose up -d from the Harbor directory to recreate the containers. Note that ./prepare regenerates everything under common/config from harbor.yml, so this manual edit is lost the next time prepare runs; keeping external_url correct in harbor.yml is what makes the regenerated value right.
nginx configuration
upstream harbor {
    server localhost:8081 weight=1;
}
server {
    listen 80;
    server_name harbor.evobot.cn;
    return 301 https://harbor.evobot.cn$request_uri;
}
server {
    listen 443 ssl http2;
    server_name harbor.evobot.cn;
    ssl_certificate /etc/nginx/conf.d/ssl/harbor.evobot.cn_chain.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/harbor.evobot.cn_key.key;
    ssl_session_timeout 5m;
    # TLS 1.0/1.1 are deprecated: offer only 1.2 and 1.3 with forward-secret AEAD suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://harbor;
        # image layers are large; 0 disables the limit entirely
        client_max_body_size 2g;
        client_body_buffer_size 512k;
        proxy_buffer_size 4k;
        proxy_buffers 6 32k;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 512k;
        # deliberately commented out, see the note below
        #proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Two settings in this nginx configuration need attention:
- client_max_body_size: if it is too small, pushing a large image fails, so size it for your largest layers (0 removes the limit entirely).
- proxy_set_header Host $host; is commented out on purpose: enabling it causes docker push to fail with an unknown blob error.
Also keep ssl_protocols at TLSv1.2 TLSv1.3 with forward-secret suites; TLS 1.0 and 1.1 are deprecated and a registry that carries credentials and image content should not offer them.
With the configuration in place, start nginx and images can be pulled and pushed over https.
Image operations
Push
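A quick way to confirm the EXT_ENDPOINT fix and the nginx proxy together, added here as an example rather than anything shipped with Harbor: an unauthenticated request to /v2/ is answered with 401 and a WWW-Authenticate header whose realm is the token URL Harbor advertises. If that realm still points at http://…:8081, docker login fails exactly as shown above. The script below extracts the realm with sed and compares its origin (scheme, host and port) with the external URL. The two header lines are constructed samples; a live check runs only when HARBOR_URL is set, and HARBOR_URL, check_realm and the other names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Harbor: does the registry behind the proxy advertise
# the external https URL as its token realm?

# realm_from_header LINE: print the realm="..." value of a WWW-Authenticate line.
realm_from_header() {
  printf '%s\n' "$1" | sed -n 's/.*realm="\([^"]*\)".*/\1/p'
}

# origin_of URL: scheme://host[:port] with any path stripped.
origin_of() {
  printf '%s\n' "$1" | sed -n 's#^\([a-z][a-z0-9+.-]*://[^/]*\).*#\1#p'
}

# check_realm EXTERNAL_URL HEADER_LINE: 0 if the realm origin equals the external origin,
# 1 if it differs (EXT_ENDPOINT / external_url wrong), 2 if no Bearer realm is present.
check_realm() {
  realm=$(realm_from_header "$2")
  [ -n "$realm" ] || { echo "FAIL no Bearer realm in: $2"; return 2; }
  if [ "$(origin_of "$realm")" = "$(origin_of "$1")" ]; then
    echo "ok   token realm $realm matches $1"
    return 0
  fi
  echo "FAIL token realm is $realm, expected origin $(origin_of "$1") (check external_url / EXT_ENDPOINT)"
  return 1
}

# live_check EXTERNAL_URL: fetch the real header from the proxy and check it.
live_check() {
  hdr=$(curl -sSI "$1/v2/" | tr -d '\r' | grep -i '^www-authenticate:')
  check_realm "$1" "$hdr"
}

# Constructed sample headers (not captured from a real server): one correct, one with the
# unfixed EXT_ENDPOINT value from the section above.
CONSTRUCTED_GOOD='Www-Authenticate: Bearer realm="https://harbor.evobot.cn/service/token",service="harbor-registry"'
CONSTRUCTED_BAD='Www-Authenticate: Bearer realm="http://harbor.evobot.cn:8081/service/token",service="harbor-registry"'

if [ -n "${HARBOR_URL:-}" ]; then
  live_check "$HARBOR_URL"
else
  check_realm https://harbor.evobot.cn "$CONSTRUCTED_GOOD"
  check_realm https://harbor.evobot.cn "$CONSTRUCTED_BAD" || :
fi
```

Run it with HARBOR_URL=https://harbor.evobot.cn after docker-compose up -d; a FAIL line means the containers are still handing out the old endpoint.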
By default docker refuses to push to or pull from a registry over plain http, so if https is not configured, the registry has to be listed under insecure-registries in /etc/docker/daemon.json and the daemon restarted (systemctl restart docker). The entry must be the exact host, and port if any, used in the image reference. This turns off TLS for that host, so credentials travel in clear text; treat it as a lab-only shortcut. (registry-mirrors is a different setting that redirects Docker Hub pulls and is not needed here.)
{
  "insecure-registries": ["harbor.evobot.cn"]
}
Then tag the image for the registry (library is Harbor's default project):
docker tag mysql:5.7 harbor.evobot.cn/library/mysql:5.7
Next log docker in to Harbor:
docker login harbor.evobot.cn
And push:
docker push harbor.evobot.cn/library/mysql:5.7
Pull
For an image stored in Harbor, the UI offers a ready-made pull command that references the image by digest. Pulling by digest pins exactly the content that was pushed, regardless of where the tag points later:
docker pull harbor.evobot.cn/library/mysql@sha256:82a3bf0e57ad53ae65cef3b0aa3a93a1508490e20db0cf6c4e8da776f1e1f48d
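The digest in that pull command is what Harbor's registry returns in the Docker-Content-Digest header of a manifest request. The following script, added as an example and not a Harbor tool, resolves a tag to that digest through Harbor's token service and the registry v2 API and prints a pinned host/repo@sha256:… reference, refusing a malformed digest. It assumes HARBOR_USER and HARBOR_PASS hold a Harbor account and HARBOR_URL the external https URL (all three names are this example's own); the header text used offline is a constructed sample that reuses the digest shown on this page, and the sed-based token parsing assumes the token contains no double quotes.

```shell
#!/bin/sh
# Added example, not part of Harbor: resolve TAG -> manifest digest and emit a pinned reference.
# Live use: HARBOR_URL=https://harbor.evobot.cn HARBOR_USER=... HARBOR_PASS=... ./pin.sh
# Without HARBOR_URL it runs against a constructed header sample.

# digest_from_headers HEADERS: print the Docker-Content-Digest value from raw response headers.
digest_from_headers() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Dd]ocker-[Cc]ontent-[Dd]igest:[[:space:]]*//p' | head -n 1
}

# pinned_ref HOST REPO DIGEST: print HOST/REPO@DIGEST, or fail if DIGEST is not sha256:<64 hex>.
pinned_ref() {
  if ! printf '%s' "$3" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "refusing to build reference: malformed digest '$3'" >&2
    return 1
  fi
  printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# fetch_token REGISTRY_URL REPO: basic-auth to Harbor's token service (the realm docker uses),
# asking for pull scope on REPO; prints the bearer token.
fetch_token() {
  curl -sS -u "$HARBOR_USER:$HARBOR_PASS" \
    "$1/service/token?service=harbor-registry&scope=repository:$2:pull" \
    | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# resolve_digest REGISTRY_URL REPO TAG: HEAD the manifest with the token and return its digest.
resolve_digest() {
  tok=$(fetch_token "$1" "$2")
  hdrs=$(curl -sSI -H "Authorization: Bearer $tok" \
    -H 'Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json' \
    "$1/v2/$2/manifests/$3")
  digest_from_headers "$hdrs"
}

# Constructed sample headers (not captured from a server); the digest is the one shown on this page.
CONSTRUCTED_HEADERS='HTTP/1.1 200 OK
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:82a3bf0e57ad53ae65cef3b0aa3a93a1508490e20db0cf6c4e8da776f1e1f48d
Content-Length: 2828'

if [ -n "${HARBOR_URL:-}" ]; then
  d=$(resolve_digest "$HARBOR_URL" library/mysql 5.7)
  pinned_ref "${HARBOR_URL#*://}" library/mysql "$d"
else
  pinned_ref harbor.evobot.cn library/mysql "$(digest_from_headers "$CONSTRUCTED_HEADERS")"
fi
```

Feed the printed reference to docker pull, or record it in a deployment manifest, so that a later retag of mysql:5.7 in the project cannot silently change what gets deployed.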