Setting up a Harbor registry
- Preface
- 1. Preparation
- 2. registry private repository
- Pull the registry image
- Push an image
- Pull an image
- Add name resolution for the private registry
- Configure use of the non-encrypted port
- Pull an image
- 3. Registry encryption
- Keep the domain name consistent
- Deploy the client certificate, otherwise an error is reported
- Verify
- Registry authentication
- Remove the registry and recreate it
- Log in to the registry, otherwise push and pull fail
- Verify
- 4. Harbor enterprise-grade private registry
- Copy the certificates
- Deploy docker-compose
- Deploy Harbor
- Push images (run docker login first)
- Configure the default private registry on the client
- Anonymous image pull
- Create a private project
Preface
Harbor is an open-source container image registry that provides a secure, reliable platform for storing and distributing Docker images. Unlike Docker Hub, Harbor lets users keep private images in their local environment and supports management operations such as access control and auditing on those images, which helps organizations manage and protect their image assets and makes it better suited to internal enterprise use.
Harbor supports a range of cloud and container management platforms such as Docker, Kubernetes and Mesos, as well as multiple authentication methods including LDAP and AD. It also offers high availability, data backup and image replication, so it can meet complex deployment requirements.
1. Preparation
Official registry: https://hub.docker.com. Configure a registry mirror (pull accelerator):
[root@k8s1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
[root@k8s1 ~]# systemctl restart docker
[root@k8s1 ~]# docker info
2. registry private repository
Pull the registry image
[root@k8s1 ~]# docker pull registry
Run the registry
[root@k8s1 docker]# docker run -d -p 5000:5000 --restart=always --name registry registry
Push an image
[root@k8s1 ~]# docker tag nginx:latest localhost:5000/nginx:latest
[root@k8s1 ~]# docker push localhost:5000/nginx
[root@k8s1 ~]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}
Pull an image
[root@k8s1 ~]# docker pull localhost:5000/nginx
Insecure registry
Add name resolution for the private registry
[root@k8s2 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.171 k8s1 reg.westos.org
192.168.56.172 k8s2
Configure use of the non-encrypted port
[root@k8s2 ~]# vim /etc/docker/daemon.json
{
  "insecure-registries" : ["reg.westos.org:5000"]
}
[root@k8s2 docker]# systemctl restart docker
Pull an image
[root@k8s2 docker]# docker pull reg.westos.org:5000/nginx
3. Registry encryption
Upgrade packages
[root@k8s1 ~]# yum install -y openssl11-1.1.1k-2.el7.x86_64.rpm openssl11-libs-1.1.1k-2.el7.x86_64.rpm
[root@k8s1 ~]# mkdir certs
[root@k8s1 ~]# openssl11 req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -addext "subjectAltName = DNS:reg.westos.org" -x509 -days 365 -out certs/westos.org.crt
Keep the domain name consistent: the registry must be reached by the name in the certificate's subjectAltName (reg.westos.org)
[root@k8s1 ~]# docker run -d -p 443:443 --restart=always --name registry -v /opt/registry:/var/lib/registry -v /root/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
Deploy the client certificate, otherwise an error is reported
[root@k8s1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest
[root@k8s1 ~]# docker push reg.westos.org/nginx:latest
The push refers to repository [reg.westos.org/nginx]
Get "https://reg.westos.org/v2/": x509: certificate signed by unknown authority
[root@k8s1 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org/
[root@k8s1 ~]# cp /root/certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
Verify
[root@k8s1 ~]# docker push reg.westos.org/nginx:latest
[root@k8s1 reg.westos.org]# curl -k https://reg.westos.org/v2/_catalog
{"repositories":["nginx"]}
Note that curl -k skips certificate verification, so it only shows that the registry answers over TLS; the successful docker push is what proves the CA certificate in certs.d is trusted.
Registry authentication
[root@k8s1 ~]# yum install -y httpd-tools
[root@k8s1 ~]# mkdir auth
[root@k8s1 ~]# htpasswd -Bc auth/htpasswd admin
New password:
Re-type new password:
Adding password for user admin
[root@k8s1 ~]# htpasswd -B auth/htpasswd wxh
New password:
Re-type new password:
Adding password for user wxh
[root@k8s1 ~]# cat auth/htpasswd
admin:$2y$05$Wm2LHttPY5a6i2KMG0fShe92d/PjnaBbGitiClcE3wqHmwO8dIDFm
wxh:$2y$05$9rE9CXyZ1fdcMammhh7f6.soDHgKdSsi0DXBgkRW5sKRw5sEJo1lK
Remove the registry and recreate it
[root@k8s1 ~]# docker rm -f registry
[root@k8s1 ~]# docker run -d -p 443:443 --restart=always --name registry -v /opt/registry:/var/lib/registry -v /root/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v /root/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
Log in to the registry, otherwise push and pull fail
[root@k8s1 ~]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s1 ~]# cat .docker/config.json
{"auths": {"reg.westos.org": {"auth": "YWRtaW46d2VzdG9z"}}
}
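Added example, not from the original post: a small Python audit of the two client-side files this walkthrough touches, /etc/docker/daemon.json with its insecure-registries entry and ~/.docker/config.json with the base64 auth value shown above. The JSON inputs are constructed from the values in the post; the file paths are the real Docker locations.

```python
import base64
import json

# Constructed sample of /etc/docker/daemon.json as it stands after the
# "insecure-registries" step (values taken from the walkthrough).
DAEMON_JSON = """{
  "insecure-registries": ["reg.westos.org:5000"],
  "registry-mirrors": ["https://reg.westos.org"]
}"""

# Constructed sample of ~/.docker/config.json as shown after `docker login`.
CLIENT_JSON = """{
  "auths": {"reg.westos.org": {"auth": "YWRtaW46d2VzdG9z"}}
}"""


def decode_auth(auth_value):
    """Split a config.json "auth" value into (user, password).

    The value is base64("user:password"): encoding, not encryption, which is
    exactly what the docker login warning is about.
    """
    user, _, password = base64.b64decode(auth_value).decode().partition(":")
    return user, password


def audit_daemon(daemon_json):
    """Return findings for daemon.json: registries reached without TLS trust."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("insecure-registries", []):
        findings.append(f"insecure-registries: {host} accepts plaintext or untrusted TLS")
    for mirror in cfg.get("registry-mirrors", []):
        if not mirror.startswith("https://"):
            findings.append(f"registry-mirrors: {mirror} is not https")
    return findings


def audit_client(client_json):
    """Return {registry: user} for every login whose password sits in the file."""
    cfg = json.loads(client_json)
    stored = {}
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):  # absent or empty once a credential helper or logout is used
            user, _ = decode_auth(entry["auth"])
            stored[registry] = user
    return stored


if __name__ == "__main__":
    for line in audit_daemon(DAEMON_JSON):
        print("daemon.json:", line)
    for registry, user in audit_client(CLIENT_JSON).items():
        print(f"config.json: password for {user}@{registry} is recoverable with base64 -d")
```

Run it against the real files by reading them into the two variables; an empty result from audit_client after configuring a credential helper confirms the warning is gone for a reason, not just silenced.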
Verify
[root@k8s1 ~]# docker tag busybox:latest reg.westos.org/busybox:latest
[root@k8s1 ~]# docker push reg.westos.org/busybox:latest
[root@k8s1 ~]# curl -k https://reg.westos.org/v2/_catalog -u admin:westos
{"repositories":["busybox","nginx"]}
Log out
[root@k8s1 ~]# docker logout reg.westos.org
4. Harbor enterprise-grade private registry
Remove the previously deployed registry, otherwise it will conflict with Harbor
[root@k8s1 ~]# docker rm -f registry
[root@k8s1 ~]# tar zxf harbor-offline-installer-v2.5.0.tgz
[root@k8s1 ~]# cd harbor/
[root@k8s1 harbor]# cp harbor.yml.tmpl harbor.yml
[root@k8s1 harbor]# vim harbor.yml
hostname: reg.westos.org
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/certs/westos.org.crt
  private_key: /data/certs/westos.org.key
harbor_admin_password: westos
Copy the certificates
[root@k8s1 ~ ]# mkdir /data
[root@k8s1 ~ ]# cp -r certs /data
Deploy docker-compose
[root@k8s1 ~]# mv docker-compose-linux-x86_64-v2.5.0 /usr/local/bin/docker-compose
[root@k8s1 ~]# chmod +x /usr/local/bin/docker-compose
Deploy Harbor
[root@k8s1 harbor]# ./install.sh --with-chartmuseum
Log in to the registry in a browser with username admin and the password westos set in the configuration file above
Push images; run docker login first
[root@k8s1 ~]# docker push reg.westos.org/library/nginx:latest
[root@k8s1 ~]# docker push reg.westos.org/library/busybox:latest
Configure the default private registry on the client
[root@k8s2 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://reg.westos.org"]
}
[root@k8s2 ~]# systemctl restart docker
Anonymous image pull
[root@k8s2 ~]# docker pull nginx
Create a private project
Pushing to and pulling from a private project both require user authentication
[root@k8s2 ~]# docker login reg.westos.org
When pulling from a private project, the registry address must be specified
[root@k8s2 ~]# docker pull reg.westos.org/westos/game2048:latest