Building a Private Docker Registry with Harbor

Harbor: Enterprise-Grade Private Registry Setup

Harbor

Environment

Harbor is deployed as a set of Docker containers, so the target host needs Docker and Docker Compose installed.

Hardware requirements

Hardware   Minimum    Recommended
CPU        2 cores    4 cores or more
Memory     4 GB       8 GB or more
Disk       40 GB      160 GB or more

Software requirements

Software         Version                      Description
Docker           23.0.1                       Container runtime
Docker Compose   v2.16.0                      Orchestration
OpenSSL          latest available preferred   Used to generate certificates and keys for Harbor
Harbor           2.6.4                        Registry system

Pre-installation preparation

Before installing Harbor, the operating system needs some configuration and a few components have to be installed.

Change the YUM repositories

  • Remove the current yum repositories

    rm -rfv /etc/yum.repos.d/*
  • Fetch the Aliyun yum repository

    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  • Update the package list and the system kernel

    yum -y update
  • Install the yum tool packages

    yum install -y yum-utils wget
  • Configure the Docker yum repository

    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Install or update OpenSSL

  • Check the current OpenSSL version

    If OpenSSL is not installed yet, install it; otherwise update it.

    openssl version
  • Install OpenSSL

    yum install -y openssl
  • Update OpenSSL

    yum update openssl

Operating system configuration

  • Disable SELinux

    # Disable SELinux for the current session (run this whether you disable it permanently or only temporarily)
    setenforce 0

    # Disable SELinux permanently (it stays off after a reboot)
    sed -i "s/SELINUX=permissive/SELINUX=disabled/" /etc/sysconfig/selinux
    sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
  • Disable the firewall

    # Stop the firewall for now
    systemctl stop firewalld

    # Keep the firewall disabled across reboots
    systemctl disable firewalld

    If the firewall has to stay on, open TCP port 80 (and 443 if https is enabled) for Harbor instead of disabling it.

Install and configure Docker

This installs the Docker Community Edition.

  • Install Docker

    yum install -y docker-ce-23.0.1-1.el7 docker-ce-cli-23.0.1-1.el7 containerd.io-1.6.18-3.1.el7
  • Change the Docker configuration

    Docker manages containers through cgroups and its default driver is cgroupfs, whereas Kubernetes uses systemd, so we switch the driver to systemd. We also use a domestic mirror to speed up image downloads.

    vi /etc/docker/daemon.json

    Enter the following, which contains both the driver change and the mirror configuration:

    {
      "exec-opts": ["native.cgroupdriver=systemd"],
      "registry-mirrors": ["https://registry.docker-cn.com"]
    }
  • Start the Docker service

    # Start Docker
    systemctl start docker

    # Start Docker automatically at boot
    systemctl enable docker

    # If Docker was already running before the configuration change, run these two commands afterwards.
    systemctl daemon-reload
    systemctl restart docker
  • Check Docker status and version

    # Use systemctl status to confirm that Docker is running
    # If the output contains "Active: active (running) since 五 2020-12-04 02:36:23 CST; 16s ago", the start-up succeeded.
    systemctl status docker

    # docker version also shows the version information and reveals whether anything is wrong.
    docker version

Install Docker Compose

Check the operating system

Docker Compose ships many builds; download the one matching the OS type and CPU instruction set architecture.

uname -s -m

The command outputs:

Linux x86_64

Here I am using an x86_64 Linux system.

Installation

  • Download the matching package

    # Download method that matches the OS automatically
    curl -L "https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-$(uname -s)-$(uname -m)" -o docker-compose

    # Download method with the OS spelled out explicitly
    curl -L "https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-linux-x86_64" -o docker-compose
  • Move the binary to /usr/local/bin

    mv docker-compose /usr/local/bin/docker-compose
  • Make the docker-compose binary executable

    chmod +x /usr/local/bin/docker-compose
  • Check the version

    docker-compose -v

    The command outputs:

    Docker Compose version v2.16.0

Install and configure Harbor

Download the offline installer

  • Download the offline package

    wget https://github.com/goharbor/harbor/releases/download/v2.6.4/harbor-offline-installer-v2.6.4.tgz

    The Harbor package is large and takes a long time to download. It is quicker to download it on your own machine first and then upload it to the server.

    If you downloaded it locally, upload it to the server with:

    scp harbor-offline-installer-v2.6.4.tgz root@<IP address>:/root/
  • Extract the package

    tar xvf harbor-offline-installer-v2.6.4.tgz

Edit the configuration file

# Enter the extracted directory
cd harbor/

# Copy the template as the actual deployment configuration
cp harbor.yml.tmpl harbor.yml

# Edit the configuration file
vi harbor.yml

The configuration file looks like this:

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 172.16.3.91

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
# https:
#   # https port for harbor, default is 443
#   port: 443
#   # The path of cert and key files for nginx
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: admin123

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  # It would work if all the dependencies are in local.
  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  offline_scan: false
  #
  # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
  security_check: vuln
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.6.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agent mode uncomment agent_host and agent_port
# trace:
#   enabled: true
#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
#   sample_rate: 1
#   # # namespace used to differentiate different harbor services
#   # namespace:
#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
#   # attributes:
#   #   application: harbor
#   # # jaeger should be 1.26 or newer.
#   # jaeger:
#   #   endpoint: http://hostname:14268/api/traces
#   #   username:
#   #   password:
#   #   agent_host: hostname
#   #   # export trace data by jaeger.thrift in compact mode
#   #   agent_port: 6831
#   # otel:
#   #   endpoint: hostname:4318
#   #   url_path: /v1/traces
#   #   compression: false
#   #   insecure: true
#   #   timeout: 10s

# enable purge _upload directories
upload_purging:
  enabled: true
  # remove files in _upload directories which exist for a period of time, default is one week.
  age: 168h
  # the interval of the purge operations
  interval: 24h
  dryrun: false

# cache layer configurations
# If this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which can especially help to improve the performance of high concurrent
# manifest pulling.
# NOTICE
# If you are deploying Harbor in HA mode, make sure that all the harbor
# instances have the same behaviour, all with caching enabled or disabled,
# otherwise it can lead to potential data inconsistency.
cache:
  # not enabled by default
  enabled: false
  # keep cache for one day by default
  expire_hours: 24

The above is the sample configuration file; the main parameters to change are:

  • hostname: the access address. Set it to the IP address of the current host; if you have a cloud server and own a domain, you can use the domain name instead.
  • harbor_admin_password: the password of the admin account.
  • https: keep this section if Harbor will be accessed over https; otherwise comment out https and all of its sub-keys.
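A pre-flight check for the three settings listed above, run before ./prepare, as an added example that is not part of the original post and not Harbor's own tooling. It assumes harbor.yml is indented like the template, reads only top-level keys and their direct children, and that values contain no '#'; the sample input is constructed.

```python
import re

# Default admin password shipped in harbor.yml.tmpl; the post replaces it with its own.
TEMPLATE_ADMIN_PASSWORD = "Harbor12345"
UNUSABLE_HOSTNAMES = ("", "localhost", "127.0.0.1", "reg.mydomain.com")


def read_harbor_yml(text):
    """Read the top-level keys the post edits without PyYAML: scalars map to strings,
    keys without a value (http:, https:, database:) map to a dict of their indented
    children, and commented-out blocks such as '# https:' are skipped entirely."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        m = re.match(r"^(\s*)([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            section = key if value == "" else None
            cfg[key] = {} if value == "" else value
        elif section is not None:
            cfg[section][key] = value
    return cfg


def preflight(text):
    """Return a list of findings; an empty list means harbor.yml looks deployable."""
    cfg = read_harbor_yml(text)
    findings = []
    host = cfg.get("hostname", "")
    if host in UNUSABLE_HOSTNAMES:
        findings.append(f"hostname '{host}' is unusable: set the host IP or a DNS name")
    if cfg.get("harbor_admin_password", "") in ("", TEMPLATE_ADMIN_PASSWORD):
        findings.append("harbor_admin_password is still the template default")
    https = cfg.get("https")
    if not isinstance(https, dict):
        findings.append("https is commented out: ./prepare will warn that HTTP is insecure")
    else:
        for key in ("certificate", "private_key"):
            if not https.get(key) or https[key].startswith("/your/"):
                findings.append(f"https.{key} still holds the template placeholder")
    return findings


# Constructed sample mirroring the post's http-only harbor.yml (not a real deployment).
SAMPLE_HTTP_ONLY = """\
hostname: 172.16.3.91
http:
  port: 80
# https:
#   port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
"""
```

Running preflight(SAMPLE_HTTP_ONLY) reports the unchanged admin password and the commented-out https block, which are exactly the two things ./prepare will not stop you from deploying.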

Install Harbor

Every step below is run inside the extracted harbor directory.

  • Check and update the configuration

    ./prepare

    The command prints the following warning:

    WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https

    This is because we did not configure https access; it can be ignored.

  • Install harbor

    ./install.sh

    This command runs 5 steps automatically; once the following output appears, the installation is complete.

    [Step 0]: checking if docker is installed ...

    Note: docker version: 23.0.1

    [Step 1]: checking docker-compose is installed ...

    Note: Docker Compose version v2.16.0

    [Step 2]: loading Harbor images ...
    ...
    Loaded image: goharbor/harbor-log:v2.6.4
    ...
    Loaded image: goharbor/harbor-jobservice:v2.6.4
    ...
    Loaded image: goharbor/redis-photon:v2.6.4
    ...
    Loaded image: goharbor/notary-signer-photon:v2.6.4
    Loaded image: goharbor/prepare:v2.6.4
    ...
    Loaded image: goharbor/harbor-core:v2.6.4
    ...
    Loaded image: goharbor/harbor-db:v2.6.4
    ...
    Loaded image: goharbor/harbor-exporter:v2.6.4
    ...
    Loaded image: goharbor/nginx-photon:v2.6.4
    ...
    Loaded image: goharbor/notary-server-photon:v2.6.4
    ...
    Loaded image: goharbor/chartmuseum-photon:v2.6.4
    ...
    Loaded image: goharbor/harbor-portal:v2.6.4
    ...
    Loaded image: goharbor/harbor-registryctl:v2.6.4
    ...
    Loaded image: goharbor/registry-photon:v2.6.4
    ...
    Loaded image: goharbor/trivy-adapter-photon:v2.6.4

    [Step 3]: preparing environment ...

    [Step 4]: preparing harbor configs ...
    ...

    Note: stopping existing Harbor instance ...

    [Step 5]: starting Harbor ...
    [+] Running 10/10
    ⠿ Network harbor_harbor Created 0.6s
    ⠿ Container harbor-log Started 25.7s
    ⠿ Container harbor-portal Started 23.4s
    ⠿ Container registry Started 23.4s
    ⠿ Container harbor-db Started 17.7s
    ⠿ Container redis Started 17.9s
    ⠿ Container registryctl Started 23.3s
    ⠿ Container harbor-core Started 23.2s
    ⠿ Container nginx Started 25.6s
    ⠿ Container harbor-jobservice Started 25.6s
    ✔ ----Harbor has been installed and started successfully.----

Access test

Open http://<ip> in a browser and the Harbor page appears.

Admin username: admin

Admin password: the password set in harbor_admin_password in the configuration file.

Client configuration

Client-side Docker normally runs on Linux or macOS; on Windows it usually runs inside a Linux VM on VirtualBox. Whatever the operating system, the configuration is almost the same and is done through daemon.json.

Linux client configuration

Edit the /etc/docker/daemon.json file; create it if it does not exist.

{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["<Harbor server IP address or domain>"]
}

The addition here is the insecure-registries entry, whose value points at the address of the Harbor instance we installed. Docker expects a host (optionally with a port) here, not a URL with an http:// scheme.

After the change, restart Docker.

# Reload the configuration
systemctl daemon-reload
# Restart Docker
systemctl restart docker
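The same client change applied from a script, as an added example that is not from the original post or from Docker: it creates daemon.json if it is missing, keeps existing keys such as registry-mirrors, adds the host only once, and strips any accidental scheme or path from the Harbor address because newer dockerd versions reject insecure-registries entries containing "://". The file path and Harbor host are parameters; the sample values are constructed.

```python
import json
import os
import re


def normalize_registry(value):
    """Reduce a pasted address to host[:port]: Docker's insecure-registries entries
    must not carry a scheme or a path, so 'http://172.16.3.91/' becomes '172.16.3.91'."""
    value = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", value.strip())
    return value.split("/", 1)[0]


def merged_daemon_config(existing_json, harbor_host):
    """Return the daemon.json content with the Harbor host added to insecure-registries.
    Keys already present (e.g. registry-mirrors) are preserved, and adding the same
    host twice is a no-op so the function can be re-run safely."""
    cfg = json.loads(existing_json) if existing_json.strip() else {}
    registries = list(cfg.get("insecure-registries", []))
    host = normalize_registry(harbor_host)
    if host not in registries:
        registries.append(host)
    cfg["insecure-registries"] = registries
    return cfg


def update_daemon_json(harbor_host, path="/etc/docker/daemon.json"):
    """Rewrite daemon.json in place, creating it if it does not exist yet.
    The file is written under a temporary name and swapped in atomically so
    dockerd never reads a half-written file when it is restarted."""
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            existing = f.read()
    cfg = merged_daemon_config(existing, harbor_host)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(cfg, f, indent=2)
        f.write("\n")
    os.replace(tmp, path)
    return cfg
```

Run it as root (update_daemon_json("172.16.3.91")) and then restart Docker with the two systemctl commands above; the merged file is returned so it can be logged or diffed before the restart.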

macOS client configuration

If you installed Docker from the command line, follow the Linux configuration method. If you installed the desktop application, open its settings, go to Docker Engine, and add the entry to the existing configuration.

Likewise, restart Docker after the change.


https://kael.52dev.fun/2023/04/19/使用Harbor搭建Docker私有仓库/
Author: Kael
Published: April 19, 2023
License: BY (KAEL)