Harbor Installation Guide

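In the container world, image distribution and storage are always part of the picture. For personal use you can simply rely on Docker Store, but if you want to run an enterprise-grade Registry server, Harbor is an open-source tool you need to know about.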

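Harbor Introduction

Harbor is an enterprise-grade Docker Registry project open-sourced by VMware; the project address is Harbor. Its goal is to help users quickly set up an enterprise-grade Docker registry service. It builds on the open-source registry from Docker, Inc. and adds features enterprise users need, such as a management UI, role-based access control (RBAC), AD/LDAP integration, and audit logging, and it natively supports Chinese. Every Harbor component is built as a Docker container, and Harbor is deployed with Docker Compose.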

Environment Preparation

  • CentOS 7.5
  • Docker 18.06.1-ce
  • Docker-compose 1.22.0

    Docker Installation was covered in an earlier post; refer to that article.

Harbor Installation

Harbor Download

On the Harbor project's release page, look up the latest Harbor offline installer; the latest version at the moment is v1.5.4.

wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.4.tgz
tar -zxvf harbor-offline-installer-v1.5.4.tgz

Harbor Configuration Changes

After extracting, enter the harbor directory and create a data directory for later data management.

cd harbor
mkdir data

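This directory contains the harbor.cfg file, which is Harbor's configuration file.

Modify the hostname parameter. For intranet use, https can be left disabled to avoid tedious configuration.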

## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.5.0
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#--- This is the IP of my own host server; port 1080 is the Harbor access port I defined myself. Changing the port is recommended, because the default is port 80.
hostname = 10.1.10.217:1080

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
#--- No need to change this setting on an intranet
ui_url_protocol = http

#Maximum number of job workers in job service
max_job_workers = 50

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor ui container via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345
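
A pre-flight check for the settings edited above, as an added example that is not part of the original post or of Harbor. It reads harbor.cfg and reports the plain-http protocol, the default admin password, a loopback hostname, and trailing '#' text on the hostname line (an INI parser that only honours full-line comments would treat it as part of the value). The function names cfg_get and audit_harbor_cfg are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight audit of harbor.cfg before running ./prepare.
# cfg_get and audit_harbor_cfg are hypothetical helpers, not part of Harbor.

# cfg_get FILE KEY: print the value assigned to KEY (last assignment wins).
cfg_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # skip full-line comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)      # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", v)      # trim value
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_harbor_cfg FILE: print one finding per line, return 1 if any.
audit_harbor_cfg() {
    findings=0
    host=$(cfg_get "$1" hostname)
    proto=$(cfg_get "$1" ui_url_protocol)
    admin_pw=$(cfg_get "$1" harbor_admin_password)

    case $host in
        *'#'*) echo "hostname: trailing '#' text may be read as part of the value"
               findings=1 ;;
    esac
    case $host in
        localhost*|127.0.0.1*)
            echo "hostname: loopback address, external clients cannot reach it"
            findings=1 ;;
    esac
    if [ "$proto" != "https" ]; then
        echo "ui_url_protocol: '$proto' sends logins and image layers in clear text"
        findings=1
    fi
    if [ "$admin_pw" = "Harbor12345" ]; then
        echo "harbor_admin_password: still the default shipped in harbor.cfg"
        findings=1
    fi
    return "$findings"
}

# Run against a file when one is given, e.g.: sh audit.sh ./harbor.cfg
if [ "$#" -gt 0 ]; then audit_harbor_cfg "$1"; fi
```

A non-zero exit status means at least one finding, so the check can gate ./prepare in a wrapper script.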



Harbor Compose File Changes

Because the default Harbor port was changed to 1080 above, the port of the proxy service in the compose file must be changed as well. Some of the default volumes settings are also changed (optional).

version: '2'
services:
  log:
    image: vmware/harbor-log:v1.5.4
    container_name: harbor-log
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
    dns_search: .
  registry:
    image: vmware/registry-photon:v2.6.2-v1.5.4
    container_name: registry
    restart: always
    volumes:
      - /home/harbor/data/registry:/storage:z # changed to match the data location above
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    dns_search: .
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.5.4
    container_name: harbor-db
    restart: always
    volumes:
      - /home/harbor/data/database:/var/lib/mysql:z # changed to match the data location above
    networks:
      - harbor
    dns_search: .
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.5.4
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /home/harbor/data/config/:/etc/adminserver/config/:z # changed to match the data location above
      - /home/harbor/data/secretkey:/etc/adminserver/key:z # changed to match the data location above
      - /home/harbor/data/:/data/:z # changed to match the data location above
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.5.4
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /home/harbor/data/secretkey:/etc/ui/key:z # changed to match the data location above
      - /home/harbor/data/ca_download/:/etc/ui/ca/:z # changed to match the data location above
      - /home/harbor/data/psc/:/etc/ui/token/:z # changed to match the data location above
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.5.4
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /home/harbor/data/job_logs:/var/log/jobs:z # changed to match the data location above
      - ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
    networks:
      - harbor
    dns_search: .
    depends_on:
      - redis
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  redis:
    image: vmware/redis-photon:v1.5.4
    container_name: redis
    restart: always
    volumes:
      - /home/harbor/data/redis:/data # changed to match the data location above
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"
  proxy:
    image: vmware/nginx-photon:v1.5.4
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    dns_search: .
    ports:
      - 1080:80 # changed to match the port above
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false

Starting Harbor

Check the configuration for errors

./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

Start the harbor service

Because I have started it more than once, the image pulling step did not show up. A first installation downloads a great many images and takes quite a while; users in China may want to use a registry mirror or similar.

./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 18.06.1

Note: docker-compose version: 1.22.0

[Step 1]: loading Harbor images ...
Loaded image: vmware/harbor-jobservice:v1.5.4
Loaded image: vmware/harbor-adminserver:v1.5.4
Loaded image: vmware/harbor-db:v1.5.4
Loaded image: vmware/redis-photon:v1.5.4
Loaded image: vmware/nginx-photon:v1.5.4
Loaded image: vmware/clair-photon:v2.0.6-v1.5.4
Loaded image: vmware/harbor-ui:v1.5.4
Loaded image: photon:1.0
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.4
Loaded image: vmware/mariadb-photon:v1.5.4
Loaded image: vmware/harbor-log:v1.5.4
Loaded image: vmware/registry-photon:v2.6.2-v1.5.4
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.4
Loaded image: vmware/postgresql-photon:v1.5.4
Loaded image: vmware/harbor-migrator:v1.5.0


[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...

Note: stopping existing Harbor instance ...
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping redis ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing registry ... done
Removing redis ... done
Removing harbor-log ... done
Removing network harbor_harbor


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating harbor-db ... done
Creating registry ... done
Creating redis ... done
Creating harbor-ui ... done
Creating nginx ... done
Creating harbor-jobservice ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://10.1.10.217:1080 .
For more details, please visit https://github.com/vmware/harbor .

Accessing Harbor

Log in to Harbor Web at http://10.1.10.217:1080

  • username : admin
  • password : Harbor12345 (set in harbor.cfg, can be changed)

Harbor UI

Docker & Harbor Usage

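First add the Harbor URL to Docker's insecure registries.

My machine is a Mac, so I added it directly through the UI in the Docker for Mac Preferences. If your setup differs, search for how to add it on your platform. After adding it, remember to restart the Docker service.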

Docker Registries

After configuring and restarting, test whether login succeeds.

docker logout http://10.1.10.217:1080
docker login http://10.1.10.217:1080
Username: admin
Password: Harbor12345
Login Succeeded

Tag the image and push it to harbor

sky/es-consumer:latest is an image I packaged for my own testing; you can pick any image that already exists locally.

docker tag sky/es-consumer:latest 10.1.10.217:1080/library/es-consumer:1.0
docker push 10.1.10.217:1080/library/es-consumer:1.0
09d41c84e278: Pushed
ed6f0bd39121: Pushed
0c3170905795: Pushed
df64d3292fd6: Pushed
1.0: digest: sha256:a73eb1924688c6af098211ab3b5f0dcc41c73cf3e673b6f19372169d1cfadc6e size: 1159

Push Result

To verify that images can be pulled from the private registry, I ran one more test: on a colleague's laptop, I added our private registry address, restarted the Docker service, and ran a pull to see whether it works.

docker login http://10.1.10.217:1080
Username: admin
Password: Harbor12345
Login Succeeded

docker pull 10.1.10.217:1080/library/es-consumer:1.0
1.0: Pulling from library/es-consumer
4fe2ade4980c: Already exists
6fc58a8d4ae4: Already exists
ef87ded15917: Already exists
39bf45ddf6f0: Pull complete
Digest: sha256:a73eb1924688c6af098211ab3b5f0dcc41c73cf3e673b6f19372169d1cfadc6e
Status: Downloaded newer image for 10.1.10.217:1080/library/es-consumer:1.0

The pull succeeded, hahaha. That wraps up the Harbor installation. Have fun~
