网站收录提交入口大全,情侣wordpress模板,南京发布最新通报,wordpress纯手工注入Harbor私有仓库 文章目录 Harbor私有仓库Harbor简介#xff1a;Harbor 提供了以下主要功能和特性#xff1a;优缺点#xff1a;环境说明#xff1a;部署harbor1.永久关闭防火墙和seliux#xff0c;配置阿里云源#xff0c;添加映射关系2.安装docker#xff0c;开启docke…Harbor私有仓库 文章目录 Harbor私有仓库Harbor简介Harbor 提供了以下主要功能和特性优缺点环境说明部署harbor1.永久关闭防火墙和seliux配置阿里云源添加映射关系2.安装docker开启docker服务并添加加速器3.进入Docker Compose官网查看安装部署流程4.进入harbor官网拉取harbor二进制包5.复制出一份harbor.yml文件编辑/usr/local/harbor/下的harbor.yml文件6.执行install.sh文件7.将harbor设置为开机自启8.登录到docker的私有镜像仓库harbor9.拉取一个官方镜像将官方镜像名称更改后上传到我们的私有仓库10.测试以拉取的镜像制作一个容器 Harbor简介
无论是使用Docker-distribution去自建仓库还是通过官方镜像跑容器的方式去自建仓库通过前面的演示我们可以发现其是非常的简陋的还不如直接使用官方的Docker Hub去管理镜像来得方便至少官方的Docker Hub能够通过web界面来管理镜像还能在web界面执行搜索还能基于Dockerfile利用Webhooks和Automated Builds实现自动构建镜像的功能用户不需要在本地执行docker build而是把所有build上下文的文件作为一个仓库推送到github上让Docker Hub可以从github上去pull这些文件来完成自动构建。
但无论官方的Docker Hub有多强大它毕竟是在国外所以速度是最大的瓶颈我们很多时候是不可能去考虑使用官方的仓库的但是上面说的两种自建仓库方式又十分简陋不便管理所以后来就出现了一个被 CNCF 组织青睐的项目其名为Harbor。
Harbor 提供了以下主要功能和特性
容器镜像存储Harbor 允许用户存储 Docker 镜像使其能够轻松地管理和分享容器镜像。访问控制Harbor 支持灵活的访问控制策略可以定义用户和团队对镜像的访问权限包括读取和写入权限。这有助于维护镜像的安全性和隐私性。复制和同步Harbor 支持镜像的复制和同步功能允许用户将镜像从一个 Harbor 实例复制到另一个以便在多个地理位置或环境之间共享。漏洞扫描Harbor 集成了漏洞扫描工具可以检查镜像中的漏洞并提供关于安全问题的报告有助于确保容器镜像的安全性。存储策略用户可以配置存储策略包括镜像的保留策略和自动清理机制以控制存储资源的使用。多租户支持Harbor 支持多租户架构允许不同团队或项目在同一个 Harbor 实例上创建和管理他们自己的私有镜像仓库。活动审计Harbor 记录了所有对镜像仓库的操作以提供审计功能帮助跟踪谁在何时访问和修改了镜像。LDAP/AD集成Harbor 支持与LDAP和Active Directory集成方便组织内部管理用户和团队的访问权限。
优缺点
优点
安全性Harbor 提供强大的访问控制和漏洞扫描功能有助于确保镜像的安全性。隐私组织可以轻松创建和管理私有仓库控制其镜像的访问权限确保敏感数据不会泄露。灵活性Harbor 可以在多云环境或本地部署适用于各种部署场景。多租户支持多租户使不同项目或团队能够在同一实例上管理他们自己的仓库。容器镜像管理提供了丰富的容器镜像管理功能包括复制、同步、存储策略等。
缺点
维护成本部署和维护 Harbor 需要一定的工作量和资源尤其是在大规模使用时。学习曲线对于新用户来说配置和管理 Harbor 可能需要一些学习和时间。性能在处理大量镜像时性能可能成为一个问题需要适当的硬件和调优。
环境说明
主机名称IP地址所需服务充当角色harbor.com192.168.195.135dockerharbor需先安装docker私有镜像仓库docker192.168.195.136docker客户机
部署harbor
[Docker Compose官方文档]
Harbor官方文档
1.永久关闭防火墙和seliux配置阿里云源添加映射关系
在所有主机上操作
//此处用harbor.com主机上演示
[rootharbor ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[rootharbor ~]# vim /etc/selinux/config
[rootharbor ~]# grep ^SELINUX /etc/selinux/config
SELINUXdisabled
[rootharbor ~]# reboot //重启后重新连接[rootharbor ~]# rm -rf /etc/yum.repos.d/*
[rootharbor ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed
100 2495 100 2495 0 0 2720 0 --:--:-- --:--:-- --:--:-- 2717
[rootharbor ~]# yum clean all
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
12 files removed
[rootharbor ~]# yum makecache
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
CentOS-8.5.2111 - Base - mirrors.aliyun.com 3.0 MB/s | 4.6 MB 00:01
CentOS-8.5.2111 - Extras - mirrors.aliyun.com 33 kB/s | 10 kB 00:00
CentOS-8.5.2111 - AppStream - mirrors.aliyun.com 2.2 MB/s | 8.4 MB 00:03
Metadata cache created.
[rootharbor ~]# vim /etc/hosts
[rootharbor ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6192.168.195.135 harbor.com
192.168.195.136 docker2.安装docker开启docker服务并添加加速器
在所有主机上操作
//此处在harbor.com主机上演示
[rootharbor ~]# dnf config-manager --add-repohttps://download.docker.com/linux/centos/docker-ce.repo
[rootharbor ~]# dnf repolist -v //查看是否启用
[rootharbor ~]# dnf list docker-ce --showduplicates | sort -r //查看可安装版本
[rootharbor ~]# yum -y install docker-ce-24.0.6-1.el8 --allowerasing //安装所需版本
[rootharbor ~]# systemctl enable --now docker.service //启动docker服务
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
[rootharbor ~]#添加加速器
阿里云登录页 (aliyun.com)
在所有主机上操作
//此处在harbor.com主机上演示
[rootharbor ~]# vim /etc/docker/daemon.json
[rootharbor ~]# cat /etc/docker/daemon.json
{dns: [114.114.114.114],registry-mirrors: [https://d5qafvab.mirror.aliyuncs.com]
}
[rootharbor ~]# systemctl restart docker.service //重启docker服务生效
[rootharbor ~]# docker info . . .Registry Mirrors:https://d5qafvab.mirror.aliyuncs.com/ //出现这串信息则表示添加加速器成功Live Restore Enabled: false[rootharbor ~]#3.进入Docker Compose官网查看安装部署流程
[Docker Compose官方文档]
[rootharbor ~]# curl -SL https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed0 0 0 0 0 0 0 0 --:--:-- 0:00:16 --:--:-- 0
curl: (52) Empty reply from server
[rootharbor ~]# chmod x /usr/local/bin/docker-compose //添加执行权限
[rootharbor ~]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose //将其链接到/usr/bin/下面能够使用docker-compose --help则表示成功
4.进入harbor官网拉取harbor二进制包
[Harbor官方文档](Releases · goharbor/harbor (github.com))
*下载完成后将该压缩包传到harbor.com主机中
[rootharbor ~]# ls
anaconda-ks.cfg harbor-offline-installer-v2.9.1.tgz//解压压缩包
[rootharbor harbor]# tar xf harbor.v2.9.1.tar.gz -C /usr/local/5.复制出一份harbor.yml文件编辑/usr/local/harbor/下的harbor.yml文件
//修改文件中的hostname并注释掉有关https的信息
[rootharbor local]# ls
bin etc games harbor include lib lib64 libexec sbin share src
[rootharbor local]# cd harbor/ ls
common docker-compose.yml install.sh prepare common.sh harbor.v2.9.1.tar.gz harbor.yml.tmpl LICENSE
[rootharbor harbor]# cp harbor.yml.tmpl harbor.yml
[rootharbor local]# cd harbor/ ls
common docker-compose.yml harbor.yml install.sh prepare
common.sh harbor.v2.9.1.tar.gz harbor.yml.tmpl LICENSE//修改如下配置
[rootharbor harbor]# vim harbor.yml
[rootharbor harbor]# grep ^hostname harbor.yml
hostname: harbor.com //改为自己的主机名
[rootharbor harbor]# grep -A6 ^# https related config harbor.yml
# https related config //注释掉https的信息
#https:# https port for harbor, default is 443#port: 443# The path of cert and key files for nginx#certificate: /your/certificate/path#private_key: /your/private/key/path
[rootharbor harbor]# grep -A1 # The default data volume harbor.yml
# The default data volume
data_volume: /data //此处可以修改存放位置尽量选择空间较大的位置
[rootharbor harbor]# grep -A1 # insecure The flag to skip verifying registry certificate harbor.yml# insecure The flag to skip verifying registry certificateinsecure: true //跳过验证证书6.执行install.sh文件
[rootharbor harbor]# ./install.sh [Step 0]: checking if docker is installed ...Note: docker version: 24.0.7[Step 1]: checking docker-compose is installed ...Note: Docker Compose version v2.21.0[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-jobservice:v2.9.1
Loaded image: goharbor/harbor-registryctl:v2.9.1
Loaded image: goharbor/harbor-core:v2.9.1
Loaded image: goharbor/harbor-log:v2.9.1
Loaded image: goharbor/harbor-db:v2.9.1
Loaded image: goharbor/harbor-exporter:v2.9.1
Loaded image: goharbor/redis-photon:v2.9.1
Loaded image: goharbor/nginx-photon:v2.9.1
Loaded image: goharbor/registry-photon:v2.9.1
Loaded image: goharbor/trivy-adapter-photon:v2.9.1
Loaded image: goharbor/prepare:v2.9.1
Loaded image: goharbor/harbor-portal:v2.9.1[Step 3]: preparing environment ...[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dirNote: stopping existing Harbor instance ...
[] Running 10/10✔ Container harbor-jobservice Removed 0.3s ✔ Container nginx Removed 0.3s ✔ Container registryctl Removed 0.3s ✔ Container harbor-portal Removed 0.2s ✔ Container harbor-core Removed 0.2s ✔ Container redis Removed 0.2s ✔ Container harbor-db Removed 0.2s ✔ Container registry Removed 0.2s ✔ Container harbor-log Removed 10.1s ✔ Network harbor_harbor Removed 0.1s [Step 5]: starting Harbor ...
[] Running 10/10✔ Network harbor_harbor Created 0.1s ✔ Container harbor-log Started 0.0s ✔ Container harbor-portal Started 0.0s ✔ Container harbor-db Started 0.0s ✔ Container redis Started 0.0s ✔ Container registryctl Started 0.0s ✔ Container registry Started 0.0s ✔ Container harbor-core Started 0.0s ✔ Container nginx Started 0.0s ✔ Container harbor-jobservice Started 0.0s
✔ ----Harbor has been installed and started successfully.----
[rootharbor harbor]#//查看启动的容器
[rootharbor harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
350ca8862054 goharbor/harbor-jobservice:v2.9.1 /harbor/entrypoint.… 5 minutes ago Up 5 minutes (healthy) harbor-jobservice
b72bc2f82a68 goharbor/nginx-photon:v2.9.1 nginx -g daemon of… 5 minutes ago Up 5 minutes (healthy) 0.0.0.0:80-8080/tcp, :::80-8080/tcp nginx
44f7ef47465b goharbor/harbor-core:v2.9.1 /harbor/entrypoint.… 5 minutes ago Up 5 minutes (healthy) harbor-core
1b21077159ba goharbor/harbor-portal:v2.9.1 nginx -g daemon of… 5 minutes ago Up 5 minutes (healthy) harbor-portal
e806f3263cd6 goharbor/registry-photon:v2.9.1 /home/harbor/entryp… 5 minutes ago Up 5 minutes (healthy) registry
e88001619f8b goharbor/harbor-db:v2.9.1 /docker-entrypoint.… 5 minutes ago Up 5 minutes (healthy) harbor-db
3b0dc2c89b77 goharbor/harbor-registryctl:v2.9.1 /home/harbor/start.… 5 minutes ago Up 5 minutes (healthy) registryctl
dd19f6c1fbfa goharbor/redis-photon:v2.9.1 redis-server /etc/r… 5 minutes ago Up 5 minutes (healthy) redis
e6ebc7e08482 goharbor/harbor-log:v2.9.1 /bin/sh -c /usr/loc… 5 minutes ago Up 5 minutes (healthy) 127.0.0.1:1514-10514/tcp harbor-log//镜像存放位置镜像都存放在我们指定的/data目录下面
[rootharbor harbor]# ls /data
ca_download database job_logs redis registry secret通过IP访问harbor的web界面 使用Harbor的注意事项
在客户端上传镜像时一定要记得执行docker login进行用户认证否则无法直接push在客户端使用的时候如果不是用的https则必须要在客户端的/etc/docker/daemon.json配置文件中配置insecure-registries参数数据存放路径应在配置文件中配置到一个容量比较充足的共享存储中Harbor是使用docker-compose命令来管理的如果需要停止Harbor也应用docker-compose stop来停止其他参数请–help
7.将harbor设置为开机自启
//由于想要关闭或开启harbor需要进入到有docker-compose.yml文件的目录下执行所以我们将该命令放到虚拟机启动最后执行的一个文件中去也就是/etc/rc.local文件中[rootharbor harbor]# vim /etc/rc.local
[rootharbor harbor]# head -5 /etc/rc.local
#!/bin/bash
cd /usr/local/harbor/ docker-compose start
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
[rootharbor harbor]# ll /etc/rc.local
lrwxrwxrwx. 1 root root 13 Mar 24 2020 /etc/rc.local - rc.d/rc.local
[rootharbor harbor]# chmod x /etc/rc.d/rc.local
[rootharbor harbor]# ll /etc/rc.d/rc.local
-rwxr-xr-x. 1 root root 520 Nov 7 22:29 /etc/rc.d/rc.local//将cd /usr/local/harbor/ docker-compose start写入到这个文件中后他就会在开启这个虚拟机的时候执行进入/usr/local/harbor/目录中执行开启harbor的命令8.登录到docker的私有镜像仓库harbor
//在登录我们的harbor私有仓库时需在/etc/docker/daemon.json文件中添加harbor仓库的信息指定我们设置的harbor.com这个主机名
[rootdocker local]# vim /etc/docker/daemon.json
[rootdocker local]# cat /etc/docker/daemon.json
{dns: [114.114.114.114],insecure-registries: [harbor.com], //添加此行 registry-mirrors: [https://d5qafvab.mirror.aliyuncs.com]
}
[rootdocker local]# systemctl restart docker.service //重启生效[rootdocker ~]# docker login harbor.com //登录到私有镜像仓库
Username: admin
Password: //此处密文密码为Harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-storeLogin Succeeded //登录成功
[rootdocker ~]#9.拉取一个官方镜像将官方镜像名称更改后上传到我们的私有仓库
[rootdocker ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
a2abf6c4d29d: Pull complete
a9edb18cadd1: Pull complete
589b7251471a: Pull complete
186b1aaa4aa6: Pull complete
b4df32aa5a72: Pull complete
a0bcbecc962e: Pull complete
Digest: sha256:0d17b565c37bcbd895e9d92315a05c1c3c9a29f762b011a10c54a66cd53c9b31
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[rootdocker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 605c77e624dd 22 months ago 141MB
[rootdocker ~]# docker tag nginx:latest harbor.com/library/nginx:v0.1 //更改名称
[rootdocker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 605c77e624dd 22 months ago 141MB
harbor.com/library/nginx v0.1 605c77e624dd 22 months ago 141MB
[rootdocker ~]# docker push harbor.com/library/nginx:v0.1 //上传到私有仓库
The push refers to repository [harbor.com/library/nginx]
d874fd2bc83b: Pushed
32ce5f6a5106: Pushed
f1db227348d0: Pushed
b8d6e692a25e: Pushed
e379e8aedd4d: Pushed
2edcec3590a4: Pushed
v0.1: digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3 size: 1570
[rootdocker ~]#进入私有仓库查看
删除现存镜像尝试从私有仓库拉取镜像
[rootdocker ~]# docker rmi -f $(docker images -q)
Untagged: nginx:latest
Untagged: nginxsha256:0d17b565c37bcbd895e9d92315a05c1c3c9a29f762b011a10c54a66cd53c9b31
Untagged: harbor.com/library/nginx:v0.1
Untagged: harbor.com/library/nginxsha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
Deleted: sha256:605c77e624ddb75e6110f997c58876baa13f8754486b461117934b24a9dc3a85
Deleted: sha256:b625d8e29573fa369e799ca7c5df8b7a902126d2b7cbeb390af59e4b9e1210c5
Deleted: sha256:7850d382fb05e393e211067c5ca0aada2111fcbe550a90fed04d1c634bd31a14
Deleted: sha256:02b80ac2055edd757a996c3d554e6a8906fd3521e14d1227440afd5163a5f1c4
Deleted: sha256:b92aa5824592ecb46e6d169f8e694a99150ccef01a2aabea7b9c02356cdabe7c
Deleted: sha256:780238f18c540007376dd5e904f583896a69fe620876cabc06977a3af4ba4fb5
Deleted: sha256:2edcec3590a4ec7f40cf0743c15d78fb39d8326bc029073b41ef9727da6c851f
[rootdocker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[rootdocker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[rootdocker ~]# docker pull harbor.com/library/nginx:v0.1
v0.1: Pulling from library/nginx
a2abf6c4d29d: Pull complete
a9edb18cadd1: Pull complete
589b7251471a: Pull complete
186b1aaa4aa6: Pull complete
b4df32aa5a72: Pull complete
a0bcbecc962e: Pull complete
Digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
Status: Downloaded newer image for harbor.com/library/nginx:v0.1
harbor.com/library/nginx:v0.1//由于是以图文的方式展示无法凸显出从私有仓库拉取镜像的效率但正常情况下从私有仓库拉取镜像比从官方拉取镜像速度快10.测试以拉取的镜像制作一个容器
[rootdocker ~]# docker run -d -p 80:80 harbor.com/library/nginx:v0.1
ac1593a13a916fe20acf57a14bb5cb67b998d449e5d6b080a98c6dd29099f735
[rootdocker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ac1593a13a91 harbor.com/library/nginx:v0.1 /docker-entrypoint.… 2 minutes ago Up 2 minutes 0.0.0.0:80-80/tcp, :::80-80/tcp awesome_ellis在浏览器中通过80端口进行访问 访问成功
总的来说Harbor 私有仓库是一个功能丰富、安全可靠的容器镜像管理工具适用于组织和开发团队特别是那些需要严格控制镜像访问权限和确保安全性的情况。然而它需要考虑到部署和维护成本以及对性能的关注。
