准备

apt install python3-pip
ln -s /usr/bin/python3 /usr/bin/python
安装docker-compose
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -U docker-compose
查看docker-compose版本
**docker-compose -v**

安装Harbor

下载harbor
wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-offline-installer-v2.5.0.tgz
解压离线安装包
tar -zxf harbor-offline-installer-v2.5.0.tgz
修改配置文件
cd harbor
cp harbor.yml.tmpl harbor.yml

  1. # mkdir -p /opt/application/harbor     //用于存放harbor的持久化数据
  2. harbor.yml配置文件主要修改参数如下:
  3. vim harbor.yml
  4. hostname: 192.168.0.8         //设置访问地址,可以使用ip、域名,不可以设置为127.0.0.1或localhost。默认情况下,harbor使用的端口是80,若使用自定义的端口,除了要改docker-compose.yml文件中的配置外,这里的hostname也要加上自定义的端口,否则在docker login、push时会报错
  5. #http配置
  6. http:
  7. # port for http, default is 80. If https enabled, this port will redirect to https port
  8. port: 9999                      
  10. #https配置(如不需要可不配置,注释掉)
  11. # https related config
  12. #https:
  13. # https port for harbor, default is 443
  14.  #port: 443
  15. # The path of cert and key files for nginx
  16.  #certificate: /your/certificate/path
  17.  #private_key: /your/private/key/path
  19. #external_url: https://reg.mydomain.com:8433      //如果要启用外部代理,比如外层的NGINX、LB等,请取消注释external_url,当它启用时,hostname将不再使用。
  21. harbor_admin_password: Harbor12345         //admin密码
  25. #数据库配置
  26. database:
  27. # The password for the root user of Harbor DB. Change this before any production use.
  28. password: root123
  29. # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  30. max_idle_conns: 50
  31. # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  32. # Note: the default number of connections is 100 for postgres.
  33. max_open_conns: 100
  36. #持久化数据目录
  38. data_volume: /opt/application/harbor
  1. 默认是使用 HTTP 协议,我们可以配置证书并使用 HTTPS 来访问 Harbor
  3. 2.3 配置HTTPS
  4. 说实话我开始是抵触的,我不想去使用它,但是当我考虑到,我不可能暂停我所有已经运行的容器来修改配置,来解决 docker login的问题,所有我只能老老实实的来配置 HTTPS ,这个烦人的 HTTPS
  6. 官方配置文档: https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
  8. 我们这里演示的是创建自己的 证书,实际生产环境中我们可以去阿里云或者其他云服务器厂商申请免费的 证书。
  10. 创建证书
  11. # 创建存放证书的目录
  12. mkdir -p /data/cert/
  13. cd   /data/cert/
  14. # 创建自签名证书key文件
  15. openssl genrsa -out ca.key 4096
  16. openssl req -x509 -new -nodes -sha512 -days 3650 \
  17.     -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=192.168.15.170" \
  18.     -key ca.key \
  19.     -out ca.crt #CN 替换为你的仓库域名
  21. 修改配置
  22. #配置 HTTPS 配置
  23. https:
  24. #   # https port for harbor, default is 443
  25.    port: 443
  26. #   # The path of cert and key files for nginx
  27.    certificate: /data/cert/ca.crt
  28.    private_key: /data/cert/ca.key
  30. 重新初始化 Harbor
  31. # 暂停
  32. docker-compose down -v
  33. prepare  # 生成配置文件,根据 harbor.yml 配置生成docker-compose文件。
  34. docker-compose up -d  # 后台启动
  35. 客户端配置

开始安装
./install.sh
用浏览器访问前面配置的hostname测试是否安装成功

Harbor如何停止与启动
# cd /root/harbor //切换到harbor安装包目录
# docker-compose stop //停止Harbor
# docker-compose start //启动Harbor
# docker-compose restart //重启Harbor

上传和下载

客户机添加安全仓库
docker1.4版本以后docker registry使用的是https,但是Harbor默认使用的是http方式,上传下载时会报错,可以通过修改本机/etc/docker/daemon.json文件解决

  1. vim /etc/docker/daemon.json
  2. # 将安全仓库设为服务器ip
  3. {
  4.   "insecure-registries": ["192.168.68.20:8520"]
  5. }
  6. # 重启docker使配置生效
  7. systemctl restart docker

进入网页创建用户和一个私有项目,并把用户加入私有项目中

将本地镜像重写tag
docker tag hello-world:latest 192.168.68.20:8520/cs/hello-world:v1
新tag格式为:服务器IP/项目名/镜像名:版本

登陆harbor仓库,并上传下载

  1. docker login 192.168.68.20:8520
  2. # 然后根据提示输入用户名和密码
  3. docker pull hello-world:latest
  4. docker tag hello-world:latest 192.168.68.20:8520/cs/hello-world:v1
  5. # 下载和上传
  6. docker push 192.168.68.20:8520/cs/hello-world:v1
  7. docker pull 192.168.68.20:8520/cs/hello-world:v1

harbor开机自启

  1. sudo vim /etc/rc.local
  2. 添加
  3. cd $HOME/harbor && docker-compose up -d

Harbor使用外部代理

harbor默认只能使用harbor.yml中hostname指定的ip或主机名作为web访问地址,但在实际使用过程中,一般不允许ip地址或者主机名直接暴露在外访问,故需要配置nginx代理,通过代理后指定的地址进行访问。
配置方式:
修改harbor.yml,把https相关的注释(如果没有注释,http会自动重定向到https,导致多次重定向),然后添加external_url配置:

  1. # Configuration file of Harbor
  3. # The IP address or hostname to access admin UI and registry service.
  4. # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
  5. hostname: 192.168.0.8:9999
  7. # http related config
  8. http:
  9.   # port for http, default is 80. If https enabled, this port will redirect to https port
  10.   port: 9999
  12. # https related config
  13. #https:
  14.   # https port for harbor, default is 443
  15.   #port: 443
  16.   # The path of cert and key files for nginx
  17.   #certificate: /your/certificate/path
  18.   #private_key: /your/private/key/path
  20. # # Uncomment following will enable tls communication between all harbor components
  21. # internal_tls:
  22. #   # set enabled to true means internal tls is enabled
  23. #   enabled: true
  24. #   # put your cert and key files on dir
  25. #   dir: /etc/harbor/tls/internal
  27. # Uncomment external_url if you want to enable external proxy
  28. # And when it enabled the hostname will no longer used
  29. external_url: https://harbor.xxx.cn                     #如果这里是https,nginx代理就需要配置ssl……

修改配置后docker-compose down停止所有服务,删除当前配置目录:rm -rf ./common/config下配置清单,重新执行install.sh生成配置

NGINX外部代理配置文件:

  1. server {
  2.     listen 80;
  3.     server_name  harbor.xxx.cn;
  4.     #client_max_body_size 1000M;
  5.     access_log /data/wwwlogs/harbor.xxx.cn_access.log combined;
  6.     rewrite ^(.*) https://$server_name$1 permanent;
  7.     location / {
  8.         #proxy_redirect off;
  9.         #proxy_set_header Host $host;
  10.         #proxy_set_header X-Real-IP $remote_addr;
  11.         #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  12.         proxy_pass http://127.0.0.1:9999;
  13. }
  14. }
  17. ##########################ssl#######################
  18. server {
  19.     listen 443 ssl;
  20.     server_name  harbor.xxx.cn;
  21.     ssl_certificate  sslkey/harbor.xxx.cn_chain.crt;
  22.     ssl_certificate_key sslkey/harbor.xxx.cn_key.key;
  23.     ssl_session_cache shared:SSL:1m;
  24.     ssl_session_timeout 5m;
  25.     ssl_ciphers HIGH:!aNULL:!MD5;
  26.     ssl_prefer_server_ciphers on;   
  27.     access_log /data/wwwlogs/harbor.xxx.cn_access.log combined;
  28.     location / {
  29.         #proxy_redirect off;
  30.         #proxy_set_header Host $host;
  31.         #proxy_set_header X-Real-IP $remote_addr;
  32.         #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  33.         proxy_pass http://127.0.0.1:9999;
  34. }
  35. }

注意:这几项配置都不要,注释掉,否则在pull和push镜像的时候会报错。

  1.         #proxy_redirect off;
  2.         #proxy_set_header Host $host;
  3.         #proxy_set_header X-Real-IP $remote_addr;
  4.         #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

具体报错如下:
# docker push harbor.xxx.cn/xxx/ubuntu
The push refers to repository [harbor.xxx.cn/xxx/ubuntu]
7555a8182c42: Pushing [==================================================>] 72.78MB/72.78MB
unknown blob

docker push harbor.xxx.cn/xxx/ubuntu
The push refers to repository [harbor.xxx.cn/xxx/ubuntu]
7555a8182c42: Pushing [==================================================>] 72.78MB/72.78MB
dial tcp 127.0.0.1:9999: connect: connection refused

另外一个报错:push的镜像文件比较大的时候
error parsing HTTP 413 response body: invalid character ‘<’ looking for beginning of value: “\r\n\r\n\r\n

413 Request Entity Too Large

\r\n
nginx
\r\n\r\n\r\n”
解决方式:
修改外部代理nginx配置文件:nginx.conf
client_max_body_size默认为0, 修改0为特定的大小即可。如 client_max_body_size 102400M