官方概述
Harbor 是一个开源的企业级 Docker 镜像存储和管理工具,可以帮助企业快速、安全地构建和发布 Docker 镜像。Harbor 提供了安全的访问控制、镜像复制和扩展性等功能,使得团队内部可以方便地共享和管理 Docker 镜像。
系统平台
CentOS Linux 7 (Core)
Linux 3.10.0-1160.90.1.el7.x86_64
在安装部署 Harbor 服务之前,有个前置条件,必须要确保先安装好了 Docker 和 Docker Compose 然后才能安装 Harbor ,如下是我系统安装的信息。
下载安装
直接点击官网的 Download now 按钮,会直接跳转到 github 系统的 Harbor 仓库下。
https://github.com/goharbor/harbor
也可以看到 github 仓库下有 271 个 tags 版本,点击 tags 查看发布的版本。
尽量不要下载 -rc1 这样的版本,找稳定的版本进行下载,如下所示。
我下载的是 harbor-offline-installer-v2.8.3.tgz 版本
下载到安装服务器后,进行解压。
解压到指定的安装目录后,查看解压后的目录。
harbor.yml.tmpl 文件跟 install.sh 文件是非常重要的两个文件,后面安装都需要用到。
直接把 harbor.yml.tmpl 文件 copy 一份叫 harbor.yml 文件,然后进行编辑。
主要就是修改绿色箭头指的两处地方,修改成自己服务器的IP ,然后在确认端口号即可。
执行安装
上面的工作都准备就绪后,就可以执行安装了,直接执行 ./install.sh 就开始进行安装了。
可以先查看一下此文件内容
可以看到需要 DOCKER_COMPOSE=docker-compose ,也就是文章之前说的,前置条件是要先安装好了 Docker 和 Docker Compose 环境。
好了,执行安装吧。
可以看到,安装过程中,直接 pull docker 镜像,然后启动好了容器。
查看镜像,可以看到已经拉取了很多相关的 harbor 镜像,查看启动的 harbor 容器也都正常运行了。
访问 harbor 系统,看看长什么样。
登录的账户密码,也都在 harbor.yml.tmpl 文件里,直接访问系统登录即可。
PUSH 镜像
然后在制作个 docker 镜像版本,push 到 harbor 仓库里即可。
# 制作镜像执行
# docker tag cfebf02ebc7d 192.168.59.151:80/repository/mytest:v0.0.1
# 就可以做好一个叫 192.168.59.151:80/repository/mytest 的 docker 镜像,版本是 v0.0.1下面把刚才制作的镜像,在 push 到 harbor 仓库里。
# 执行下面的指令 push 镜像
# docker push 192.168.59.151:80/repository/mytest:v0.0.1
# 可以看到上面执行的指令,报了一个小的错误,提示说没有权限 push 镜像文件到仓库里。这个小问题很好解决,就是在终端下登录访问一下 harbor 系统。
# 登录 harbor 服务
# docker login -u admin -p Harbor12345 192.168.59.151:80
# 这里也有个前置条件,就是要配置 /etc/docker/daemon.json 文件,在这文件中添加如下的一行。
{
"insecure-registries": ["192.168.59.151:80"]
}daemon.json 文件修改好之后,重新执行上面的登录指令。
可以看到登录之后,再次 push 镜像,就顺利 push 到仓库里了。
如上就是 push 上去的镜像,点击仓库就可以看到里的 docker 镜像及版本了。
在分享一下 docker-compose.yml 文件
# cat docker-compose.yml
version: '2.3'
services:
log:
image: goharbor/harbor-log:v2.8.3
container_name: harbor-log
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes:
- /var/log/harbor/:/var/log/docker/:z
- type: bind
source: ./common/config/log/logrotate.conf
target: /etc/logrotate.d/logrotate.conf
- type: bind
source: ./common/config/log/rsyslog_docker.conf
target: /etc/rsyslog.d/rsyslog_docker.conf
ports:
- 127.0.0.1:1514:10514
networks:
- harbor
registry:
image: goharbor/registry-photon:v2.8.3
container_name: registry
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- type: bind
source: /data/secret/registry/root.crt
target: /etc/registry/root.crt
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "registry"
registryctl:
image: goharbor/harbor-registryctl:v2.8.3
container_name: registryctl
env_file:
- ./common/config/registryctl/env
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- type: bind
source: ./common/config/registryctl/config.yml
target: /etc/registryctl/config.yml
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "registryctl"
postgresql:
image: goharbor/harbor-db:v2.8.3
container_name: harbor-db
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes:
- /data/database:/var/lib/postgresql/data:z
networks:
harbor:
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "postgresql"
shm_size: '1gb'
core:
image: goharbor/harbor-core:v2.8.3
container_name: harbor-core
env_file:
- ./common/config/core/env
restart: always
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
volumes:
- /data/ca_download/:/etc/core/ca/:z
- /data/:/data/:z
- ./common/config/core/certificates/:/etc/core/certificates/:z
- type: bind
source: ./common/config/core/app.conf
target: /etc/core/app.conf
- type: bind
source: /data/secret/core/private_key.pem
target: /etc/core/private_key.pem
- type: bind
source: /data/secret/keys/secretkey
target: /etc/core/key
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
networks:
harbor:
depends_on:
- log
- registry
- redis
- postgresql
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "core"
portal:
image: goharbor/harbor-portal:v2.8.3
container_name: harbor-portal
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes:
- type: bind
source: ./common/config/portal/nginx.conf
target: /etc/nginx/nginx.conf
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "portal"
jobservice:
image: goharbor/harbor-jobservice:v2.8.3
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/job_logs:/var/log/jobs:z
- type: bind
source: ./common/config/jobservice/config.yml
target: /etc/jobservice/config.yml
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
networks:
- harbor
depends_on:
- core
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "jobservice"
redis:
image: goharbor/redis-photon:v2.8.3
container_name: redis
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- /data/redis:/var/lib/redis
networks:
harbor:
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "redis"
proxy:
image: goharbor/nginx-photon:v2.8.3
container_name: nginx
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes:
- ./common/config/nginx:/etc/nginx:z
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
networks:
- harbor
ports:
- 80:8080
depends_on:
- registry
- core
- portal
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "proxy"
networks:
harbor:
external: false
#
#在分享一下执行启动的文件 install.sh
# cat install.sh
#!/bin/bash
set -e
DIR="$(cd "$(dirname "$0")" && pwd)"
source $DIR/common.sh
set +o noglob
usage=$'Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor.
Please do NOT set --with-chartmuseum, as chartmusuem has been deprecated and removed.'
item=0
# notary is not enabled by default
with_notary=$false
# clair is deprecated
with_clair=$false
# trivy is not enabled by default
with_trivy=$false
# flag to using docker compose v1 or v2, default would using v1 docker-compose
DOCKER_COMPOSE=docker-compose
while [ $# -gt 0 ]; do
case $1 in
--help)
note "$usage"
exit 0;;
--with-notary)
with_notary=true;;
--with-clair)
with_clair=true;;
--with-trivy)
with_trivy=true;;
*)
note "$usage"
exit 1;;
esac
shift || true
done
if [ $with_clair ]
then
error "Clair is deprecated please remove it from installation arguments !!!"
exit 1
fi
workdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd $workdir
h2 "[Step $item]: checking if docker is installed ..."; let item+=1
check_docker
h2 "[Step $item]: checking docker-compose is installed ..."; let item+=1
check_dockercompose
if [ -f harbor*.tar.gz ]
then
h2 "[Step $item]: loading Harbor images ..."; let item+=1
docker load -i ./harbor*.tar.gz
fi
echo ""
h2 "[Step $item]: preparing environment ..."; let item+=1
if [ -n "$host" ]
then
sed "s/^hostname: .*/hostname: $host/g" -i ./harbor.yml
fi
h2 "[Step $item]: preparing harbor configs ..."; let item+=1
prepare_para=
if [ $with_notary ]
then
prepare_para="${prepare_para} --with-notary"
fi
if [ $with_trivy ]
then
prepare_para="${prepare_para} --with-trivy"
fi
./prepare $prepare_para
echo ""
if [ -n "$DOCKER_COMPOSE ps -q" ]
then
note "stopping existing Harbor instance ..."
$DOCKER_COMPOSE down -v
fi
echo ""
h2 "[Step $item]: starting Harbor ..."
if [ $with_notary ]
then
warn "
Notary will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
You can use cosign for signature instead since Harbor v2.5.0.
Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/16612"
fi
$DOCKER_COMPOSE up -d
success $"----Harbor has been installed and started successfully.----"
#
#到此,Linux 安装部署 harbor 服务就算完成了,希望对各位有所帮助。