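1 Harbor

1.1 Single-node deployment

1.1.1 Installation

1. Install docker and docker-compose
```shell
yum install -y docker-ce docker-compose
```
2. Download the Harbor installer package to /opt and extract it
```shell
[root@docker01 opt]# tar xf harbor-offline-installer-v1.8.3.tgz
```
3. Edit the harbor.cfg configuration file
```
hostname = 10.0.0.210
harbor_admin_password = abc123..
```
4. Run install.sh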

1.1.2 Usage

1. Edit the docker configuration file on each node
```json
{
  "registry-mirrors": ["https://"],
  "insecure-registries": ["10.0.0.210:5000", "10.0.0.210"],
  "live-restore": true
}
```
2. Restart the docker service
```shell
systemctl restart docker
```
3. Add a project in Harbor
4. Build an image and push it to Harbor
```shell
[root@docker01 ~]# docker tag centos:6.9 10.0.0.210/scxiang/centos6:v1
[root@docker01 ~]# docker login 10.0.0.210
[root@docker01 ~]# docker push 10.0.0.210/scxiang/centos6:v1
```
5. Pull the image from another client
```shell
[root@docker02 ~]# docker pull 10.0.0.210/scxiang/centos6:v1
```

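1.2 High-availability deployment

1.2.1 Architecture diagram

Data can be kept in sync in two ways. The first is the replication feature configured in the Harbor UI, which works much like master-slave replication in a database.
The second is to have both Harbor instances mount the same NFS directory, so that they use the same storage and share their data.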

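1.2.2 High-availability deployment

| Host | IP |
| --- | --- |
| SLB | 10.0.0.200 |
| Harbor01 | 10.0.0.201 |
| Harbor02 | 10.0.0.202 |

The steps below use replication as the example.
1. Install docker and docker-compose
```shell
[root@harbor01 ~]# yum install -y docker-ce docker-compose
[root@harbor02 ~]# yum install -y docker-ce docker-compose
```
2. Upload Harbor to the servers and extract it
3. Edit the configuration file harbor.yml. harbor02 uses the same configuration; only the hostname changes.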

```yaml
hostname: 10.0.0.201
http:
  port: 80
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
harbor_admin_password: abc123..
data_volume: /harbor
```

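4. Install
```shell
[root@harbor01 harbor]# ./install.sh
```
5. Configure harbor01: Registries -> New Endpoint
6. Replications -> New Replication Rule, and create the replication rule
7. Apply the same configuration on harbor02
8. Test: push an image to harbor01 and check whether it is replicated to harbor02
1) Edit the configuration and log in to Harbor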

```shell
[root@Infrastructure ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["10.0.0.201"]
}
[root@Infrastructure ~]# systemctl daemon-reload
[root@Infrastructure ~]# systemctl restart docker
[root@Infrastructure ~]# docker login 10.0.0.201
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
```

2) Add a tag and push the image to Harbor01

```shell
[root@Infrastructure ~]# docker tag 2218fcda1ff0 10.0.0.201/evnrepo/nginx-photon:v1
[root@Infrastructure ~]# docker images
REPOSITORY                        TAG      IMAGE ID       CREATED       SIZE
10.0.0.201/evnrepo/nginx-photon   v1       2218fcda1ff0   6 weeks ago   45MB
goharbor/nginx-photon             v2.3.4   2218fcda1ff0   6 weeks ago   45MB
[root@Infrastructure ~]# docker push 10.0.0.201/evnrepo/nginx-photon:v1
The push refers to repository [10.0.0.201/evnrepo/nginx-photon]
e1768f3b0fc8: Pushed
103405848fd2: Pushed
v1: digest: sha256:fde18ca6ae5fd7fb0bf69aaab9a24acdd7d9a5b8725fa612be5a2aa3cab7d3ca size: 74
```

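3) Check on Harbor02: the image replicated from Harbor01 is already visible
9. Configure the high-availability load balancer
1) Configure the nginx reverse proxy
```shell
vim /etc/nginx/conf.d/slb.conf
```

  • The load-balancing mode is set to IP-based hash, which proxies a given client's requests to the same backend;
  • client_max_body_size 500m; must be configured, otherwise pushing an image fails with an error; choose the value according to the size of your images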
```nginx
upstream harborgp {
    ip_hash;
    server 10.0.0.201:80;
    server 10.0.0.202:80;
}
server {
    listen 80;
    server_name 10.0.0.200;
    client_max_body_size 500m;
    location / {
        proxy_pass http://harborgp;
    }
}
```
2) Push an image through the IP of the nginx reverse proxy
```shell
[root@Infrastructure ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["10.0.0.200"]
}
[root@Infrastructure ~]# systemctl restart docker
[root@Infrastructure ~]# docker login 10.0.0.200
Username: admin
Password:
Error response from daemon: login attempt to http://10.0.0.200/v2/ failed with status: 401 Unauthorized
[root@Infrastructure ~]# systemctl daemon-reload
[root@Infrastructure ~]# systemctl restart docker
[root@Infrastructure ~]# docker login 10.0.0.200
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@Infrastructure ~]# docker tag 41f7fb260d0d 10.0.0.200/evnrepo/exporter:v1
[root@Infrastructure ~]# docker push 10.0.0.200/evnrepo/exporter:v1
The push refers to repository [10.0.0.200/evnrepo/exporter]
c8fa87f0c432: Pushed
30cf2783eb4e: Layer already exists
90182ef8d6af: Pushed
1fce02e2f0b2: Pushed
103405848fd2: Pushed
v1: digest: sha256:7e2332f1d90a31e0aa1a775aaa81ba4e60651c4676918253286cfc9cd77685c4 size: 1369
```

3) Check the images: the upload to the backend Harbor instances succeeded

![image.png](https://cdn.nlark.com/yuque/0/2021/png/913070/1640588632855-436d2064-a82e-4ca1-801c-0ef69eadd7c3.png)

4) You can also log in through the 10.0.0.200 address

![image.png](https://cdn.nlark.com/yuque/0/2021/png/913070/1640588868611-8b58de3b-e74e-48b2-ae06-d3426a496dc7.png)
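
An added example, not part of the original walkthrough: the client hosts above combine `insecure-registries` entries with a `docker login` that Docker warns is stored unencrypted in config.json. This Python sketch lists the inline credentials and flags those that belong to a registry marked insecure; the sample file contents and all function names are constructed for illustration.

```python
import base64
import ipaddress
import json

# Constructed sample files for illustration; not copied from a real host.
DAEMON_JSON = json.dumps({"insecure-registries": ["10.0.0.201", "192.168.50.0/24"]})
CONFIG_JSON = json.dumps({"auths": {
    "10.0.0.201": {"auth": base64.b64encode(b"admin:constructed-pw").decode()},
    "192.168.50.7:5000": {"auth": base64.b64encode(b"ci:constructed-pw").decode()},
    "registry.example.com": {"auth": base64.b64encode(b"dev:constructed-pw").decode()},
    "10.0.0.200": {},  # empty entry: the secret is held by a credential helper
}})


def stored_logins(config_text):
    """Map registry -> username for credentials kept inline in config.json.

    "auth" is just base64("user:password"), so reading the file recovers the
    password. Only the username is returned.
    """
    found = {}
    for registry, entry in json.loads(config_text).get("auths", {}).items():
        token = entry.get("auth")
        if token:
            decoded = base64.b64decode(token).decode("utf-8", "replace")
            found[registry] = decoded.split(":", 1)[0]
    return found


def _covered(entry, registry):
    """True if an insecure-registries entry (host[:port] or CIDR) applies."""
    if "/" not in entry:
        return entry == registry
    try:
        host = ipaddress.ip_address(registry.split(":", 1)[0])
        return host in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # registry is a hostname; this sketch does no DNS lookup
        return False


def cleartext_logins(daemon_text, config_text):
    """Stored logins whose registry is also marked insecure (HTTP or unverified TLS)."""
    insecure = json.loads(daemon_text).get("insecure-registries", [])
    return {reg: user for reg, user in stored_logins(config_text).items()
            if any(_covered(entry, reg) for entry in insecure)}


if __name__ == "__main__":
    print("inline credentials:", stored_logins(CONFIG_JSON))
    print("sent without verified TLS:", cleartext_logins(DAEMON_JSON, CONFIG_JSON))
```

To audit a real host, pass the contents of /etc/docker/daemon.json and /root/.docker/config.json (the paths shown in the sessions above) to `cleartext_logins`.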
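1.2.3 Adding the root certificate to hosts

Because the deployment above uses a domain name and HTTPS, certificates come into play: every other node that pulls images needs the root certificate added as trusted, otherwise docker login will run into problems.
```shell
# CentOS hosts:
# Place the root certificate in the directory below
mv CA.crt /etc/pki/ca-trust/source/anchors/
# Update the certificate trust store
update-ca-trust
# Ubuntu hosts:
# Place the root certificate in the directory below
mv CA.crt /usr/local/share/ca-certificates/
# Update the certificate trust store
update-ca-certificates
```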