Install the Harbor Container Image Registry on CentOS / Debian / Ubuntu

Date: 2020-02-23 14:31:34  Source: igfitidea

How do we install the Harbor container registry on CentOS / Debian / Ubuntu Linux?
Harbor is an open-source cloud-native registry that stores, signs and scans container images for vulnerabilities.
If we are looking for an enterprise Docker image registry, Harbor is the right tool.
It offers features that are otherwise only found in commercial registry products such as Quay.

Harbor fills the gap for applications and organizations that cannot use a public or cloud-based registry.
We get a consistent experience across all cloud platforms.
This tutorial walks us through installing Harbor step by step on any system that supports Docker.

Features of the Harbor Registry

- Multi-tenant support
- Security and vulnerability analysis
- Extensible API and web UI
- Content signing and validation
- Image replication across multiple Harbor instances
- Identity integration and role-based access control

What we need

We need an operating system that supports Docker and meets the following system requirements:

Hardware

| Resource | Minimum | Preferred |
| --- | --- | --- |
| CPU | 2 CPUs | 4 CPUs |
| Memory | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |

Software

| Software | Version |
| --- | --- |
| Docker Engine | version 17.06.0-CE or later |
| Docker Compose | version 1.18.0 or later |
| openssl | latest preferred |

Network ports

| Port | Protocol |
| --- | --- |
| 443 | HTTPS |
| 4443 | HTTPS |
| 80 | HTTP |
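A preflight script that checks these requirements before running the installer; this is an added example, not part of the original tutorial or of the Harbor project. It assumes the data mount is /data (override with HARBOR_DATA) and uses `ss` for the port check when it is available.

```shell
# Preflight check against the requirements above (added example, not part of the
# tutorial or of the Harbor project). Thresholds are the tutorial's: 2 CPUs, 4 GB RAM,
# 40 GB disk, Docker >= 17.06.0, docker-compose >= 1.18.0, ports 80/443/4443 free.
# HARBOR_DATA (assumed default /data) is the mount whose free space is checked.
HARBOR_DATA="${HARBOR_DATA:-/data}"

# version_ge MIN ACTUAL -> exit 0 when ACTUAL >= MIN, comparing dotted numeric fields
version_ge() {
  awk -v min="$1" -v cur="$2" 'BEGIN {
    n = split(min, a, "."); m = split(cur, b, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0
      if (y > x) exit 0; if (y < x) exit 1
    }
    exit 0 }'
}

# tool_version NAME -> first dotted version printed by "NAME --version" (empty if absent)
tool_version() { "$1" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1; }

# port_free PORT -> exit 0 when no TCP listener is bound to PORT (skipped when ss is absent)
port_free() {
  command -v ss >/dev/null 2>&1 || return 0
  ! ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -qE "[:.]$1\$"
}

# preflight -> prints one OK/FAIL line per check and returns the number of failures
preflight() {
  fails=0
  ok()  { echo "OK   $1"; }
  bad() { echo "FAIL $1"; fails=$((fails + 1)); }
  cpus=$(nproc 2>/dev/null || echo 0)
  [ "$cpus" -ge 2 ] && ok "cpus=$cpus" || bad "cpus=$cpus (min 2, 4 preferred)"
  mem=$(awk '/^MemTotal/ {printf "%d", $2 / 1048576}' /proc/meminfo 2>/dev/null)
  [ "${mem:-0}" -ge 4 ] && ok "memory=${mem}G" || bad "memory=${mem:-?}G (min 4G, 8G preferred)"
  [ -d "$HARBOR_DATA" ] || HARBOR_DATA=/          # data mount not prepared yet: check /
  disk=$(df -P -BG "$HARBOR_DATA" 2>/dev/null | awk 'NR == 2 {sub(/G/, "", $4); print $4}')
  [ "${disk:-0}" -ge 40 ] && ok "disk=${disk}G free on $HARBOR_DATA" || bad "disk=${disk:-?}G (min 40G, 160G preferred)"
  for spec in docker:17.06.0 docker-compose:1.18.0; do
    tool=${spec%%:*}; min=${spec##*:}; ver=$(tool_version "$tool")
    [ -n "$ver" ] && version_ge "$min" "$ver" && ok "$tool $ver" || bad "$tool ${ver:-missing} (min $min)"
  done
  for p in 80 443 4443; do
    port_free "$p" && ok "port $p free" || bad "port $p already in use"
  done
  return "$fails"
}

preflight || echo "$? check(s) failed; fix the FAIL lines before running install.sh"
```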

Now let's start installing Harbor on a Linux system (CentOS, Ubuntu or Debian).

Storage preparation (optional)

I will use a secondary disk, /dev/sdb, as the data store for all container images.

$ lsblk
NAME                   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                      8:0    0  100G  0 disk 
├─sda1                   8:1    0    1G  0 part /boot
└─sda2                   8:2    0   74G  0 part 
  ├─rhel-root          253:0    0   10G  0 lvm  /
  ├─rhel-swap          253:1    0   16G  0 lvm  [SWAP]
  ├─rhel-home          253:2    0    4G  0 lvm  /home
  ├─rhel-var           253:3    0   20G  0 lvm  /var
  ├─rhel-var_log       253:4    0   10G  0 lvm  /var/log
  ├─rhel-var_log_audit 253:5    0    2G  0 lvm  /var/log/audit
  ├─rhel-tmp           253:6    0    8G  0 lvm  /tmp
  └─rhel-var_tmp       253:7    0    4G  0 lvm  /var/tmp
sdb                      8:16   0  200G  0 disk 
sr0                     11:0    1 1024M  0 rom

Let's partition and mount that disk.

sudo parted -s -a optimal -- /dev/sdb mklabel gpt
sudo parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
sudo parted -s -- /dev/sdb align-check optimal 1
sudo pvcreate /dev/sdb1
sudo vgcreate vg0 /dev/sdb1
sudo lvcreate -n harbor -l +100%FREE vg0
sudo mkfs.xfs /dev/vg0/harbor
sudo mkdir /data
echo "/dev/vg0/harbor /data xfs defaults 0 0" | sudo tee -a /etc/fstab

Mount it and confirm:

$ sudo mount -a
$ df -hT /data/
Filesystem             Type  Size  Used Avail Use% Mounted on
/dev/mapper/vg0-harbor xfs   200G  1.5G  199G   1% /data

Step 1: Install Docker Engine

Follow the guide for your distribution:

- Install Docker and Docker Compose on Debian 10 Buster
- How to install Docker CE on Ubuntu / Debian / CentOS
- Install Docker CE on Fedora
- Install Docker CE on CentOS 8 / RHEL 8

Step 2: Install Docker Compose

Next we install the docker-compose command.
It is not available in the system repositories.
Follow the instructions shared in our earlier tutorial:
How to install the latest Docker Compose on Linux

Step 3: Download and install Harbor

Download Harbor:

curl -s https://api.github.com/repos/goharbor/harbor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\.tgz$' | wget -i -

We can also get the latest Harbor release from the downloads page.
Extract the downloaded Harbor archive.

tar xvzf harbor-offline-installer*.tgz

Change into the harbor directory created by the extraction.

cd harbor

Harbor installation without SSL

In this first setup we consider an installation without TLS/SSL.
Copy the configuration template:

cp harbor.yml.tmpl harbor.yml

Edit the Harbor configuration file and set the values as shown below.

$ nano harbor.yml
....
# The IP address or hostname to access admin UI and registry service.
hostname: registry.theitroad.com
harbor_admin_password: Hyman@theitroad$d
# Harbor DB configuration
database:
  password: Hyman@theitroad$d

Install Harbor with a Let's Encrypt SSL certificate

If the server has a public IP address, we can use a free SSL certificate from Let's Encrypt.
First, install the certbot-auto tool.

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin

Then obtain the SSL certificate. The standalone challenge listens on port 80 itself, so run it before Harbor is started, and stop Harbor's nginx container before a renewal.

export DOMAIN="registry.theitroad.com"
export EMAIL="Hyman@theitroad"
certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

Configure the HTTPS-related settings in harbor.yml.

hostname: registry.theitroad.com
harbor_admin_password: Hyman@theitroad$d
# Harbor DB configuration
database:
  password: Hyman@theitroad$d
http:
  port: 80
https:
  port: 443
  certificate: /etc/letsencrypt/live/registry.theitroad.com/fullchain.pem
  private_key: /etc/letsencrypt/live/registry.theitroad.com/privkey.pem

Harbor installation with a self-signed SSL certificate

For a self-signed certificate, create a certificate configuration file and adjust the values to match your environment.

$ cd /etc/pki/tls/certs
$ sudo vim harbor_certs.cnf
[ req ]  
default_bits       = 4096
default_md         = sha512
default_keyfile    = harbor_registry.key
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name
# distinguished_name
[ req_distinguished_name ]  
countryName            = "KE" 
localityName           = "Nairobi"
stateOrProvinceName    = "Nairobi"
organizationName       = "theitroad"
commonName             = "registry.theitroad.com"
emailAddress           = "Hyman@theitroad"

Generate the key and CSR:

sudo openssl req -out harbor_registry.csr -newkey rsa:4096 -sha512 -nodes -keyout harbor_registry.key -config harbor_certs.cnf

Create a self-signed certificate with a 10-year expiry:

sudo openssl x509 -in harbor_registry.csr -out harbor_registry.crt -req -signkey harbor_registry.key -days 3650

To view the certificate details, run:

$ openssl x509 -text -noout -in harbor_registry.crt

Configure the HTTPS-related settings in harbor.yml.

hostname: registry.theitroad.com
harbor_admin_password: Hyman@theitroad$d
# Harbor DB configuration
database:
  password: Hyman@theitroad$d
http:
  port: 80
https:
  port: 443
  certificate: ./harbor_registry.crt
  private_key: ./harbor_registry.key
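Because Go-based clients such as Docker match the hostname against subjectAltName only and ignore commonName, a CN-only certificate like the one produced from harbor_certs.cnf above is rejected by recent Docker versions. The following added example (not from the tutorial or the Harbor project) generates the same self-signed certificate with a SAN and shows how a Docker client is made to trust it; CERT_DIR and HOST are assumed names.

```shell
# Added example (not from the tutorial or the Harbor project): a self-signed registry
# certificate that also carries a subjectAltName. Go-based clients such as Docker match
# only SAN entries, not commonName, so a CN-only certificate like the one above is
# rejected by recent Docker versions. Assumed: CERT_DIR (output dir) and HOST names.

# write_san_config OUTFILE HOST -> openssl req config mirroring harbor_certs.cnf plus a SAN
write_san_config() {
  cat > "$1" <<EOF
[ req ]
default_bits       = 4096
default_md         = sha512
prompt             = no
encrypt_key        = no
distinguished_name = dn
x509_extensions    = v3_req
[ dn ]
countryName         = KE
stateOrProvinceName = Nairobi
localityName        = Nairobi
organizationName    = theitroad
commonName          = $2
[ v3_req ]
subjectAltName   = DNS:$2
extendedKeyUsage = serverAuth
EOF
}

# make_selfsigned_cert DIR HOST -> writes DIR/harbor_registry.key and .crt (valid 3650 days)
make_selfsigned_cert() {
  write_san_config "$1/harbor_certs.cnf" "$2"
  openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -config "$1/harbor_certs.cnf" \
    -keyout "$1/harbor_registry.key" -out "$1/harbor_registry.crt" 2>/dev/null
}

# cert_has_san CRT HOST -> exit 0 when the certificate's SAN lists DNS:HOST
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# install_docker_trust CRT HOST -> let the Docker client on this machine trust the cert
# (Docker reads /etc/docker/certs.d/<registry-host>/ca.crt; needs root)
install_docker_trust() {
  sudo mkdir -p "/etc/docker/certs.d/$2" && sudo cp "$1" "/etc/docker/certs.d/$2/ca.crt"
}

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
HOST="${HOST:-registry.theitroad.com}"
make_selfsigned_cert "$CERT_DIR" "$HOST" && cert_has_san "$CERT_DIR/harbor_registry.crt" "$HOST" \
  && echo "certificate with SAN written to $CERT_DIR; point harbor.yml certificate/private_key there"
```

Run `install_docker_trust "$CERT_DIR/harbor_registry.crt" "$HOST"` on every Docker host that should push to or pull from the registry.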

Install the Harbor image registry

Once Harbor and the (optional) storage backend are configured, install and start Harbor with the install.sh script.

$ sudo ./install.sh

Note that the default installation does not include the Notary or Clair services.
Clair provides vulnerability scanning and Notary provides content trust (image signing).
To see the installer options, run:

$ ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor

For example, to enable Notary, Clair and ChartMuseum:

$ sudo ./install.sh --with-notary --with-clair --with-chartmuseum

To include the Notary service, HTTPS must be enabled and configured in harbor.yml.

[Step 0]: checking installation environment ...
Note: docker version: 19.03.1
Note: docker-compose version: 1.24.1
[Step 1]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v1.8.1
Loaded image: goharbor/harbor-registryctl:v1.8.1
Loaded image: goharbor/redis-photon:v1.8.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.8.1
Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.8.1
Loaded image: goharbor/harbor-db:v1.8.1
Loaded image: goharbor/harbor-jobservice:v1.8.1
Loaded image: goharbor/nginx-photon:v1.8.1
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
Loaded image: goharbor/harbor-migrator:v1.8.1
Loaded image: goharbor/prepare:v1.8.1
Loaded image: goharbor/harbor-portal:v1.8.1
Loaded image: goharbor/harbor-log:v1.8.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.8.1
Loaded image: goharbor/clair-photon:v2.0.8-v1.8.1
[Step 2]: preparing environment ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Create config folder: /config/chartserver
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 3]: starting Harbor ...
✔ ----Harbor has been installed and started successfully.---
Now you should be able to visit the admin portal at http://registry.theitroad.com. 
For more details, please visit https://github.com/goharbor/harbor .

Confirm that all containers have started.

.....
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating network "harbor_harbor-notary" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating network "harbor_notary-sig" with the default driver
Creating harbor-log ... done
Creating registry      ... done
Creating registryctl   ... done
Creating harbor-db     ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating chartmuseum   ... done
Creating notary-signer ... done
Creating clair         ... done
Creating harbor-core   ... done
Creating notary-server     ... done
Creating clair-adapter     ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
✔ ----Harbor has been installed and started successfully.---

Harbor log files are stored in the directory /var/log/harbor/:

$ ls -1 /var/log/harbor/
chartmuseum.log
clair.log
core.log
jobservice.log
portal.log
postgresql.log
proxy.log
redis.log
registryctl.log
registry.log

Step 4: Access Harbor

After a successful installation, open the Harbor web console at https://registry_domain.

Log in with:

Username: admin
Password: <set in harbor.yml>

You should land on the Harbor dashboard. The harbor_admin_password in harbor.yml is only the initial password and is stored there in plain text, so change it in the UI after the first login.

(Screenshot: Harbor dashboard served with the Let's Encrypt certificate.)

Step 5: Manage Harbor's lifecycle

List the running Harbor service containers:

$ sudo docker-compose ps
      Name                     Command                       State                                          Ports                               
-----------------------------------------------------------------------------------------------------------------------------------------------
chartmuseum         ./docker-entrypoint.sh           Up (healthy)                                                                               
clair               ./docker-entrypoint.sh           Restarting                                                                                 
clair-adapter       /home/clair-adapter/entryp ...   Up (healthy)                                                                               
harbor-core         /harbor/entrypoint.sh            Up (health: starting)                                                                      
harbor-db           /docker-entrypoint.sh            Up (healthy)                                                                               
harbor-jobservice   /harbor/entrypoint.sh            Up (health: starting)                                                                      
harbor-log          /bin/sh -c /usr/local/bin/...   Up (healthy)            127.0.0.1:1514->10514/tcp                                          
harbor-portal       nginx -g daemon off;             Up (healthy)                                                                               
nginx               nginx -g daemon off;             Up (healthy)            0.0.0.0:4443->4443/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
notary-server       /bin/sh -c migrate-patch - ...   Up                                                                                         
notary-signer       /bin/sh -c migrate-patch - ...   Up                                                                                         
redis               redis-server /etc/redis.conf     Up (healthy)                                                                               
registry            /home/harbor/entrypoint.sh       Up (healthy)                                                                               
registryctl         /home/harbor/start.sh            Up (healthy)

We can use docker-compose to manage Harbor's lifecycle; see the examples below.
Stop Harbor:

$ sudo docker-compose stop
Stopping nginx             ...
Stopping harbor-jobservice ... done
Stopping harbor-portal     ... done
Stopping clair             ... done
Stopping chartmuseum       ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping registryctl       ... done
Stopping harbor-log        ... done

Start Harbor again after stopping it:

$ sudo docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting core        ... done
Starting portal      ... done
Starting redis       ... done
Starting jobservice  ... done
Starting proxy       ... done
Starting clair       ... done
Starting chartmuseum ... done

Update Harbor's configuration: to change the configuration, first stop the existing Harbor instance and update harbor.yml.
Then run the prepare script to regenerate the configuration.
Then recreate and start the Harbor instance:

$ sudo docker-compose down -v
$ nano harbor.yml
$ sudo ./prepare
$ sudo docker-compose up -d

When Harbor was installed with the Notary, Clair and chart repository services:

$ sudo docker-compose down -v
$ nano harbor.yml
$ sudo ./prepare --with-notary --with-clair --with-chartmuseum
$ sudo docker-compose up -d

For troubleshooting, check the log file of the problematic container service under /var/log/harbor.

$ tail -n 100 /var/log/harbor/clair.log