Harbor是什么?

Harbor是基于角色策略访问控制的开源镜像管理工具,通过扫描镜像确保镜像安全无漏洞,帮助你安全管理云原生平台。

Harbor的优势

Harbor和Registry都是Docker的镜像仓库,但是Harbor作为更多企业的选择,是因为相比较于Regisrty来说,它具有很多的优势。

  • 提供分片传输机制,优化网络传输,Docker镜像是是分片的,每次传输全量文件不经济。
  • 提供WEB界面,优化用户体验。
  • 支持水平扩展集群,分担服务器压力。
  • 支持权限控制,为不同身份的人员分配不同的权限,使操作更安全
  • 提供基于角色的访问控制机制,并通过项目来对镜像进行组织和访问权限的控制。

    Harbor安装

    1.去Harbor下载页面,下载最新的安装包与asc公钥。

    ```shell

    create directory for harbor

    mkdir -p harbor/data mkdir -p harbor/logs

download harbor installer and correspond asc file

cd harbor wget -b https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz.asc wget -b https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz

  1. <a name="yXAgL"></a>
  2. ## 2.获取 *.asc公钥文件
  3. ```shell
  4. gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 644FF454C0B4115C
  1. gpg: 下载密钥‘C0B4115C’,从 hkps 服务器 keyserver.ubuntu.com
  2. gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
  3. gpg: 密钥 C0B4115C:公钥“Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>”已导入
  4. gpg: 合计被处理的数量:1
  5. gpg:           已导入:1  (RSA: 1)

3.验证下载的.asc文件

  1. gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-v2.4.1.tgz.asc
  1. gpg: 假定被签名的数据是‘harbor-offline-installer-v2.4.1.tgz
  2. gpg:  20211216 星期四 122454 CST 创建的签名,使用 RSA,钥匙号 C0B4115C
  3. gpg: 使用 PGP 信任模型
  4. gpg: 完好的签名,来自于“Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>”
  5. gpg: 警告:这把密钥未经受信任的签名认证!
  6. gpg:       没有证据表明这个签名属于它所声称的持有者。
  7. 主钥指纹: 7722 D168 DAEC 4578 06C9  6FF9 644F F454 C0B4 115C
  8. gpg: 二进制 签名,散列算法 SHA512

4.解压安装包

  1. tar xzvf harbor-offline-installer-v2.4.1.tgz

5.配置harbor.yml

  1. hostname: 192.168.101.181
  3. http:
  4.   port: 8083
  6. harbor_admin_password: your-login-pass
  8. database:
  9.   password: your-db-pass
  10.   max_idle_conns: 50
  11.   max_open_conns: 500
  13. data_volume: /www/pre/harbor/data
  15. trivy:
  16.   ignore_unfixed: false
  17.   skip_update: false
  18.   insecure: false
  20. jobservice:
  21.   max_job_workers: 10
  23. notification:
  24.   webhook_job_max_retry: 10
  26. chart:
  27.   absolute_url: disabled
  29. log:
  30.   level: info
  31.   local:
  32.     rotate_count: 50
  33.     rotate_size: 200M
  34.     location: /www/pre/harbor/logs
  36. _version: 2.4.0

注:一定要确保端口号未被占用,否则执行下一步操作时会报错

6.配置Docker

6.1 开启RemoteApi

  1. vim /usr/lib/systemd/system/docker.service

注释docker.service13行,并下方加上ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock这行,暴露2375端口,如果服务器防火墙是开启状态,需要放行2375端口。

  1. [Unit]
  2. Description=Docker Application Container Engine
  3. Documentation=https://docs.docker.com
  4. After=network-online.target firewalld.service containerd.service
  5. Wants=network-online.target
  6. Requires=docker.socket containerd.service
  8. [Service]
  9. Type=notify
  10. # the default is not to use systemd for cgroups because the delegate issues still
  11. # exists and systemd currently does not support the cgroup feature set required
  12. # for containers run by docker
  13. #ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
  14. ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
  15. ExecReload=/bin/kill -s HUP $MAINPID
  16. TimeoutSec=0
  17. RestartSec=2
  18. Restart=always
  20. # Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
  21. # Both the old, and new location are accepted by systemd 229 and up, so using the old location
  22. # to make them work for either version of systemd.
  23. StartLimitBurst=3
  25. # Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
  26. # Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
  27. # this option work for either version of systemd.
  28. StartLimitInterval=60s
  30. # Having non-zero Limit*s causes performance problems due to accounting overhead
  31. # in the kernel. We recommend using cgroups to do container-local accounting.
  32. LimitNOFILE=infinity
  33. LimitNPROC=infinity
  34. LimitCORE=infinity
  36. # Comment TasksMax if your systemd version does not support it.
  37. # Only systemd 226 and above support this option.
  38. TasksMax=infinity
  40. # set delegate yes so that systemd does not reset the cgroups of docker containers
  41. Delegate=yes
  43. # kill only the docker process, not all processes in the cgroup
  44. KillMode=process
  45. OOMScoreAdjust=-500
  47. [Install]
  48. WantedBy=multi-user.target

6.2 配置http访问

如果不想使用https安全访问模式,需要设置insecure-registries

  1. vim /etc/docker/daemon.json
  1. {
  2.     "registry-mirrors":[
  3.         "https://hhfivgbp.mirror.aliyuncs.com"
  4.     ],
  5.     "insecure-registries":[
  6.         "192.168.101.181:8083"
  7.     ],
  8.     "live-restore":true
  9. }
  1.      - `registry-mirrors`镜像加速地址在这里找:[https://cr.console.aliyun.com/cn-beijing/instances/mirrors](https://cr.console.aliyun.com/cn-beijing/instances/mirrors)
  2.      - `live-restore`重载docker守护进程而不重启容器。

6.3 重启docker

  1. systemctl daemon-reload
  2. systemctl restart docker

7.运行安装脚本

  1. sh install.sh
  1. [Step 0]: checking if docker is installed ...
  3. Note: docker version: 20.10.12
  5. [Step 1]: checking docker-compose is installed ...
  7. Note: docker-compose version: 1.29.2
  9. [Step 2]: loading Harbor images ...
  10. Loaded image: goharbor/registry-photon:v2.4.1
  11. Loaded image: goharbor/notary-signer-photon:v2.4.1
  12. Loaded image: goharbor/harbor-core:v2.4.1
  13. Loaded image: goharbor/redis-photon:v2.4.1
  14. Loaded image: goharbor/harbor-jobservice:v2.4.1
  15. Loaded image: goharbor/harbor-registryctl:v2.4.1
  16. Loaded image: goharbor/nginx-photon:v2.4.1
  17. Loaded image: goharbor/notary-server-photon:v2.4.1
  18. Loaded image: goharbor/harbor-log:v2.4.1
  19. Loaded image: goharbor/harbor-db:v2.4.1
  20. Loaded image: goharbor/harbor-exporter:v2.4.1
  21. Loaded image: goharbor/trivy-adapter-photon:v2.4.1
  22. Loaded image: goharbor/chartmuseum-photon:v2.4.1
  23. Loaded image: goharbor/prepare:v2.4.1
  24. Loaded image: goharbor/harbor-portal:v2.4.1
  27. [Step 3]: preparing environment ...
  29. [Step 4]: preparing harbor configs ...
  30. prepare base dir is set to /mnt/1068cb5c-d183-48ef-b545-5717408aba10/www/pre/harbor/harbor
  31. WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
  32. Clearing the configuration file: /config/registry/root.crt
  33. Clearing the configuration file: /config/registry/passwd
  34. Clearing the configuration file: /config/registry/config.yml
  35. Clearing the configuration file: /config/nginx/nginx.conf
  36. Clearing the configuration file: /config/jobservice/env
  37. Clearing the configuration file: /config/jobservice/config.yml
  38. Clearing the configuration file: /config/portal/nginx.conf
  39. Clearing the configuration file: /config/registryctl/env
  40. Clearing the configuration file: /config/registryctl/config.yml
  41. Clearing the configuration file: /config/log/logrotate.conf
  42. Clearing the configuration file: /config/log/rsyslog_docker.conf
  43. Clearing the configuration file: /config/core/env
  44. Clearing the configuration file: /config/core/app.conf
  45. Clearing the configuration file: /config/db/env
  46. Generated configuration file: /config/portal/nginx.conf
  47. Generated configuration file: /config/log/logrotate.conf
  48. Generated configuration file: /config/log/rsyslog_docker.conf
  49. Generated configuration file: /config/nginx/nginx.conf
  50. Generated configuration file: /config/core/env
  51. Generated configuration file: /config/core/app.conf
  52. Generated configuration file: /config/registry/config.yml
  53. Generated configuration file: /config/registryctl/env
  54. Generated configuration file: /config/registryctl/config.yml
  55. Generated configuration file: /config/db/env
  56. Generated configuration file: /config/jobservice/env
  57. Generated configuration file: /config/jobservice/config.yml
  58. loaded secret from file: /data/secret/keys/secretkey
  59. Generated configuration file: /compose_location/docker-compose.yml
  60. Clean up the input dir
  63. Note: stopping existing Harbor instance ...
  64. Stopping harbor-jobservice ... done
  65. Stopping harbor-core       ... done
  66. Stopping registry          ... done
  67. Stopping redis             ... done
  68. Stopping registryctl       ... done
  69. Stopping harbor-portal     ... done
  70. Stopping harbor-db         ... done
  71. Stopping harbor-log        ... done
  72. Removing harbor-jobservice ... done
  73. Removing nginx             ... done
  74. Removing harbor-core       ... done
  75. Removing registry          ... done
  76. Removing redis             ... done
  77. Removing registryctl       ... done
  78. Removing harbor-portal     ... done
  79. Removing harbor-db         ... done
  80. Removing harbor-log        ... done
  81. Removing network harbor_harbor
  84. [Step 5]: starting Harbor ...
  85. Creating network "harbor_harbor" with the default driver
  86. Creating harbor-log ... done
  87. Creating harbor-portal ... done
  88. Creating registry      ... done
  89. Creating harbor-db     ... done
  90. Creating redis         ... done
  91. Creating registryctl   ... done
  92. Creating harbor-core   ... done
  93. Creating nginx             ... done
  94. Creating harbor-jobservice ... done
  95.  ----Harbor has been installed and started successfully.----

8.Harbor Web

打开浏览器访问 http://192.168.101.181:8083/,账号默认是admin,密码是harbor.yml中配置的密码。
image.png

发布镜像

安装Dockerfile使用镜像

  1. docker pull bitnami/java:1.8.312

Dockerfile

  1. FROM bitnami/java:1.8.312
  3. MAINTAINER menglt@yeah.net
  5. ENV TZ=Asia/Shanghai
  6. ENV JAVA_OPTS="-Xms512m -Xmx1024m -Djava.security.egd=file:/dev/./urandom"
  8. RUN ln -sf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
  10. RUN mkdir -p /your-project
  12. WORKDIR /project-module
  14. EXPOSE 4000
  16. ADD ./target/project-module-api.jar ./
  18. CMD sleep 60;java $JAVA_OPTS -jar project-module-api.jar

Maven插件

spring-boot-maven-plugin

  1. <!--spring boot 默认插件-->
  2. <plugin>
  3.   <groupId>org.springframework.boot</groupId>
  4.   <artifactId>spring-boot-maven-plugin</artifactId>
  5.   <version>${spring-boot.version}</version>
  6.   <executions>
  7.     <execution>
  8.       <goals>
  9.         <goal>repackage</goal>
  10.       </goals>
  11.     </execution>
  12.   </executions>
  13. </plugin>

docker-maven-plugin

  1. <properties>        
  2.     <docker.registry>192.168.101.181:8083</docker.registry>
  3.   <docker.host>http://192.168.101.181:2375</docker.host>
  4.   <!-- namespace对应harbor中的项目 -->
  5.   <docker.namespace>your-namespace</docker.namespace>
  6.   <docker.username>admin</docker.username>
  7.   <docker.password>your-password</docker.password>
  8. </properties>
  10. <!-- maven docker 打包插件 -->
  11. <plugin>
  12.   <groupId>io.fabric8</groupId>
  13.   <artifactId>docker-maven-plugin</artifactId>
  14.   <version>${docker.plugin.version}</version>
  15.   <configuration>
  16.     <dockerHost>${docker.host}</dockerHost>
  17.     <registry>${docker.registry}</registry>
  18.     <authConfig>
  19.       <push>
  20.         <username>${docker.username}</username>
  21.         <password>${docker.password}</password>
  22.       </push>
  23.     </authConfig>
  24.     <images>
  25.       <image>
  26.         <name>${docker.registry}/${docker.namespace}/${project.name}:${project.version}</name>
  27.         <build>
  28.           <dockerFile>${project.basedir}/Dockerfile</dockerFile>
  29.         </build>
  30.       </image>
  31.     </images>
  32.   </configuration>
  33. </plugin>

Maven命令

  1. mvn install docker:build
  2. mvn docker:push

附录

[

](http://192.168.101.181:8083/)