01-5.企业级镜像仓库Harbor

Harbor概述

Harbor是由VMware公司开源的容器镜像仓库。事实上，Harbor是在Docker Registry上进行了相应的企业级扩展，从而获得了更加广泛的应用，这些新的企业级特性包括：管理用户界面，基于角色的访问控制，AD/LDAP集成以及审计日志等，足以满足基本企业需求。
官方：https://goharbor.io/
GitHub：https://github.com/goharbor/harbor

Harbor部署先决条件

服务器硬件配置：
最低要求：CPU2核/内存4G/硬盘40GB
推荐：CPU4核/内存8G/硬盘160GB

软件：
Docker CE 17.06版本+
Docker Compose 1.18版本+

Harbor安装有2种方式：
在线安装：从Docker Hub下载Harbor相关镜像，因此安装软件包非常小
离线安装：安装包包含部署相关镜像，因此安装包较大

安装最新版的Harbor

wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
tar -xf harbor-offline-installer-v1.10.1.tgz
cd harbor
#导入镜像
docker load -i harbor.v1.10.1.tar.gz
#修改配置文件并把https去掉
vim harbor.yml
hostname = 192.168.10.130
#安装docker-compose
curl -L https://github.com/docker/compose/releases/download/1.24.0-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
./prepare
./install.sh
docker-compose start
docker-compose stop

Harbor部署HTTP

1、先安装Docker和Docker Compose
安装依赖包
yum install -y yum-utils
添加Docker软件包源
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
安装Docker CE
yum install -y docker-ce
启动Docker
systemctl start docker
systemctl enable docker
配置Docker加速器源
cat /etc/docker/daemon.json 
{
    "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
重启Docker
systemctl restart docker
安装Docker Compose
下载好docker-compose-Linux-x86_64
mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
2、部署Harbor HTTP
tar -zxvf harbor-offline-installer-v2.0.0.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
vi harbor.yml
配置内容如下：
hostname: reg.harbor.com
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
#先注释掉https相关配置
# https related config
#https:
  # https port for harbor, default is 443
#  port: 443
harbor_admin_password: Harbor12345    #harbor密码
./prepare
./install.sh

Harbor部署HTTPS

1、生成SSL证书
cat cfssl.sh 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
cat certs.sh 
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cat > reg.harbor.com-csr.json <<EOF
{
  "CN": "reg.harbor.com",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes reg.harbor.com-csr.json | cfssljson -bare reg.harbor.com 
2、Harbor启动HTTPS
vi harbor.yml
配置内容如下：
#注释掉http
# http related config
#http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
#  port: 80
#启动https
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/harbor/ssl/reg.harbor.com.pem
  private_key: /root/harbor/ssl/reg.harbor.com-key.pem
3、重新配置并部署Harbor
./prepare
docker-compose down
docker-compose up -d
4、将数字证书复制到Docker主机
mkdir -p /etc/docker/certs.d/reg.harbor.com
cp /root/ssl/reg.harbor.com.pem /etc/docker/certs.d/reg.harbor.com
5、验证
绑定本地hosts
vi /etc/hosts
192.168.211.128 reg.harbor.com
docker login reg.harbor.com
username: admin
password: Harbor12345
浏览器访问https://reg.harbor.com

Harbor镜像漏洞扫描

闲聊：我们知道 镜像安全也是容器化建设中一个很重要的环节，像一些商业软件如：Aqua就很专业但是收费也是很昂贵的，今天我们介绍下Harbor自带的镜像扫描器

添加扫描模块
./prepare --with-clair
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Generated configuration file: /config/clair-adapter/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir


重启启动harbor服务（注意这里要指定docker-compose.yaml文件）
docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-db         ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done
Removing harbor-jobservice ... done
Removing nginx             ... done
Removing harbor-core       ... done
Removing redis             ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-db         ... done
Removing harbor-portal     ... done
Removing harbor-log        ... done
Removing network harbor_harbor
Removing network harbor_harbor-clair
WARNING: Network harbor_harbor-clair not found.

docker-compose -f docker-compose.yml up -d
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating redis         ... done
Creating registryctl   ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating clair         ... done
Creating clair-adapter     ... done
Creating nginx             ... done
Creating harbor-jobservice ... done

测试扫描
可以看到在项目里面已经显示安装好了扫描器插件，不安装这里是没有的

docker tag df_java reg.harbor.com/dev/df_java
docker push reg.harbor.com/dev/df_java
The push refers to repository [reg.harbor.com/dev/df_java]
ae8399399072: Pushed 
86840743f5c8: Pushed 
a1e7033f082e: Pushed 
78075328e0da: Pushed 
9f8566ee5135: Pushed 
latest: digest: sha256:0c5886ed44504f08900a7a10327491e14b2d4d908cc2378b0770abb98db2a8c7 size: 1365

Harbor基本使用

1、配置http镜像仓库可信任
vi /etc/docker/daemon.json 
{
    "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
    "insecure-registries": ["reg.harbor.com"]
}

systemctl restart docker


2、打标签
docker tag centos:7 reg.harbor.com/library/centos:7

3、上传
docker push reg.harbor.com/library/centos:7

4、下载
docker pull reg.harbor.com/library/centos:7

Harbor运维

容器数据持久化目录：/data
日志文件目录：/var/log/harbor