doina

A rookie ops engineer.

Building a private Docker image registry with Harbor 1.8.1 and using it from Kubernetes

About Harbor

Developing and running Docker container applications depends on reliable image management. Docker does provide a public image registry, but for security and efficiency reasons it is well worth deploying a Registry inside our own private environment.

Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It provides role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese-language support.

Harbor requires Docker and docker-compose to be installed before it can run.

Deploy Harbor

Role      IP address
harbor    192.168.1.155
client    192.168.1.156

Install Docker

yum -y install yum-utils
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce-18.06.1.ce-3.el7
systemctl start docker

# docker -v
Docker version 18.06.1-ce, build e68fc7a

Install docker-compose

wget https://github.com/docker/compose/releases/download/1.24.0/docker-compose-Linux-x86_64
chmod +x docker-compose-Linux-x86_64
mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose

# docker-compose -v
docker-compose version 1.24.0, build 0aa59064

Download Harbor

wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.1.tgz
tar -xf harbor-offline-installer-v1.8.1.tgz -C /usr/local/

Harbor configuration file

Harbor 1.8 reads its settings from harbor.yml; the harbor.cfg keys shown first are the pre-1.8 equivalents of the harbor.yml settings listed after them.

cd /usr/local/harbor/
vim harbor.cfg
hostname = harbor.baiyongjie.com                 
ui_url_protocol = https                          
db_password = baiyongjie                       
harbor_admin_password = baiyongjie               
ssl_cert = /usr/local/harbor/cert/harbor.baiyongjie.com.crt      
ssl_cert_key = /usr/local/harbor/cert/harbor.baiyongjie.com.key   

# grep -Ev '#|^$' harbor.yml 
hostname: harbor.baiyongjie.com     # external IP or domain name of this host, used to reach the UI; do not use 127.0.0.1
https:                             # protocol users use to reach the registry; the default is http, set it to https
  port: 443                        # port used for https
  certificate: /usr/local/harbor/cert/harbor.baiyongjie.com.crt    # path to the certificate file
  private_key: /usr/local/harbor/cert/harbor.baiyongjie.com.key    # path to the certificate's private key
harbor_admin_password: baiyongjie   # password of the Harbor admin account
database:
  password: root123     # database administrator password (Harbor 1.8 ships PostgreSQL, as the docker-compose ps output below shows)
data_volume: /data      # image storage directory
clair: 
  updaters_interval: 12
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry
jobservice:
  max_job_workers: 10
chart:
  absolute_url: disabled
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /var/log/harbor
_version: 1.8.0

Generate the Harbor certificates

mkdir /usr/local/harbor/cert/
cd /usr/local/harbor/cert/

# Generate the root CA certificate
openssl req  -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry"

# Generate a certificate signing request; the access hostname is harbor.baiyongjie.com
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.baiyongjie.com.key -out server.csr -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor.baiyongjie.com"

# Generate the server certificate, signed by the CA
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.baiyongjie.com.crt
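The three openssl commands above put the registry name only in the CN. As an added example (not from the original post), the script below issues the same CA and server certificate but with a subjectAltName, then verifies the chain the way a Go-based Docker client does; it assumes the hostname harbor.baiyongjie.com and an output directory chosen by the caller. The SAN matters because Go 1.15 and later clients (current Docker, containerd and kubelet builds) reject certificates that rely on the CN alone.

```shell
#!/bin/sh
# Added example, not part of the original post: CA + Harbor server certificate with a
# subjectAltName, plus the verification a Go-based Docker client performs.
# Assumptions: hostname harbor.baiyongjie.com, output directory chosen by the caller.
set -eu

HARBOR_HOST="${HARBOR_HOST:-harbor.baiyongjie.com}"

# make_harbor_certs DIR HOST
# Writes ca.key, ca.crt, HOST.key and HOST.crt into DIR.
make_harbor_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Root CA. ca.crt is the file to distribute to clients as
    # /etc/docker/certs.d/HOST/ca.crt; ca.key never leaves this host.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry" 2>/dev/null
    # Server key and CSR for the registry hostname.
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/server.csr" \
        -subj "/C=CN/L=Shanghai/O=harbor/CN=$host" 2>/dev/null
    # Extensions: Go 1.15+ clients ignore the CN and require the hostname in
    # subjectAltName, so a CN-only certificate is rejected by them.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/v3.ext"
    openssl x509 -req -days 3650 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/v3.ext" -out "$dir/$host.crt" 2>/dev/null
}

# verify_harbor_cert DIR HOST
# Succeeds only if DIR/HOST.crt chains to DIR/ca.crt and names HOST in its SAN,
# which is what the Docker daemon checks before talking to the registry.
verify_harbor_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$host" || return 1
}

# Stand-alone use: HARBOR_CERT_DIR=/usr/local/harbor/cert sh this_script.sh
if [ -n "${HARBOR_CERT_DIR:-}" ]; then
    make_harbor_certs "$HARBOR_CERT_DIR" "$HARBOR_HOST"
    verify_harbor_cert "$HARBOR_CERT_DIR" "$HARBOR_HOST" && echo "certificate for $HARBOR_HOST OK"
fi
```

The paths written by the script match the certificate and private_key entries in harbor.yml above.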

Run the automated install script

# Add a local hosts entry for the registry name
# echo "192.168.1.155 harbor.baiyongjie.com" >> /etc/hosts

# cd /usr/local/harbor
# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 18.06.1

Note: docker-compose version: 1.24.0

[Step 1]: loading Harbor images ...
ba58b7bb3f17: Loading layer [==================================================>]  33.32MB/33.32MB
1351a2c39b77: Loading layer [==================================================>]  8.967MB/8.967MB
13b531e88128: Loading layer [==================================================>]  46.85MB/46.85MB
664abb325748: Loading layer [==================================================>]  5.632kB/5.632kB
9f20c7a04d55: Loading layer [==================================================>]  27.14kB/27.14kB
594e8fcaaae3: Loading layer [==================================================>]  46.85MB/46.85MB
Loaded image: goharbor/harbor-core:v1.8.1
779e79e64bef: Loading layer [==================================================>]  8.968MB/8.968MB
8a9aeb8fc32b: Loading layer [==================================================>]  3.072kB/3.072kB
a4ae88938e21: Loading layer [==================================================>]   20.1MB/20.1MB
28b6b0ffc1f1: Loading layer [==================================================>]  3.072kB/3.072kB
c1e7908f331a: Loading layer [==================================================>]  7.465MB/7.465MB
a19f7fb04672: Loading layer [==================================================>]  27.56MB/27.56MB
Loaded image: goharbor/harbor-registryctl:v1.8.1
54861210f3e5: Loading layer [==================================================>]  73.51MB/73.51MB
501c77bcbdac: Loading layer [==================================================>]  3.072kB/3.072kB
7d3ce9039ed2: Loading layer [==================================================>]   59.9kB/59.9kB
7bba9a15dc1c: Loading layer [==================================================>]  61.95kB/61.95kB
Loaded image: goharbor/redis-photon:v1.8.1
fc559a3fef74: Loading layer [==================================================>]  8.967MB/8.967MB
ee2a0fed7764: Loading layer [==================================================>]  5.143MB/5.143MB
900c7f7491cb: Loading layer [==================================================>]  15.13MB/15.13MB
f0a444f2ab35: Loading layer [==================================================>]  26.47MB/26.47MB
c5f0e5f3f9f4: Loading layer [==================================================>]  22.02kB/22.02kB
26506d175699: Loading layer [==================================================>]  3.072kB/3.072kB
47bcfef1acb5: Loading layer [==================================================>]  46.74MB/46.74MB
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.8.1
1b052a5ea7be: Loading layer [==================================================>]  8.972MB/8.972MB
f4fa6cca061e: Loading layer [==================================================>]  35.77MB/35.77MB
c5dc6f364e18: Loading layer [==================================================>]  2.048kB/2.048kB
b79be0e51f9b: Loading layer [==================================================>]  3.072kB/3.072kB
82899453e467: Loading layer [==================================================>]  35.77MB/35.77MB
Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.8.1
7674fdf3aec8: Loading layer [==================================================>]  63.36MB/63.36MB
f89719511663: Loading layer [==================================================>]  49.81MB/49.81MB
746254f5dca5: Loading layer [==================================================>]  6.656kB/6.656kB
3669f0dbd54b: Loading layer [==================================================>]  2.048kB/2.048kB
d0c83bbc6fd5: Loading layer [==================================================>]   7.68kB/7.68kB
a7cb2e952968: Loading layer [==================================================>]   2.56kB/2.56kB
563892d38354: Loading layer [==================================================>]   2.56kB/2.56kB
95da7578c175: Loading layer [==================================================>]   2.56kB/2.56kB
Loaded image: goharbor/harbor-db:v1.8.1
d4f0ba4c6978: Loading layer [==================================================>]  8.967MB/8.967MB
f20b432a6985: Loading layer [==================================================>]  38.81MB/38.81MB
16b52efd4bf9: Loading layer [==================================================>]  38.81MB/38.81MB
Loaded image: goharbor/harbor-jobservice:v1.8.1
61982ee954e7: Loading layer [==================================================>]  3.548MB/3.548MB
Loaded image: goharbor/nginx-photon:v1.8.1
195156f64002: Loading layer [==================================================>]  8.968MB/8.968MB
6f093bbedbfe: Loading layer [==================================================>]  3.072kB/3.072kB
4ecbf9bd0f9b: Loading layer [==================================================>]   2.56kB/2.56kB
970d58a16ac9: Loading layer [==================================================>]   20.1MB/20.1MB
fe6015e1e3fc: Loading layer [==================================================>]   20.1MB/20.1MB
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
b0feb119f01c: Loading layer [==================================================>]  343.7MB/343.7MB
4c5027462195: Loading layer [==================================================>]  106.5kB/106.5kB
Loaded image: goharbor/harbor-migrator:v1.8.1
d3d89de23de4: Loading layer [==================================================>]   2.56kB/2.56kB
d6cb22cc0142: Loading layer [==================================================>]  1.536kB/1.536kB
45c2997b6abf: Loading layer [==================================================>]  68.74MB/68.74MB
ece1a297b8bf: Loading layer [==================================================>]  39.75MB/39.75MB
270978aebbde: Loading layer [==================================================>]  144.4kB/144.4kB
475e8090da36: Loading layer [==================================================>]  3.005MB/3.005MB
Loaded image: goharbor/prepare:v1.8.1
085f0cf72aa7: Loading layer [==================================================>]  3.548MB/3.548MB
5050c82f527e: Loading layer [==================================================>]  6.569MB/6.569MB
50bcc42e4e95: Loading layer [==================================================>]  160.8kB/160.8kB
1b057a9ff0e2: Loading layer [==================================================>]    215kB/215kB
107182cd08af: Loading layer [==================================================>]  3.584kB/3.584kB
Loaded image: goharbor/harbor-portal:v1.8.1
b3e2294bd95f: Loading layer [==================================================>]  50.51MB/50.51MB
e680ad267b80: Loading layer [==================================================>]  3.584kB/3.584kB
f15b30041974: Loading layer [==================================================>]  3.072kB/3.072kB
ade63a9f91ea: Loading layer [==================================================>]   2.56kB/2.56kB
22574174ff2f: Loading layer [==================================================>]  3.072kB/3.072kB
b6e99a8f129f: Loading layer [==================================================>]  3.584kB/3.584kB
75b8d23356d1: Loading layer [==================================================>]  12.29kB/12.29kB
Loaded image: goharbor/harbor-log:v1.8.1
60d61848f566: Loading layer [==================================================>]  13.72MB/13.72MB
6301ffbcd8c1: Loading layer [==================================================>]  26.47MB/26.47MB
e31c20fcae09: Loading layer [==================================================>]  22.02kB/22.02kB
ce48b434a471: Loading layer [==================================================>]  3.072kB/3.072kB
acaabaff778a: Loading layer [==================================================>]  45.33MB/45.33MB
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.8.1
f606e390eada: Loading layer [==================================================>]    113MB/113MB
39c63b1a9659: Loading layer [==================================================>]  10.94MB/10.94MB
fcbb83300f3e: Loading layer [==================================================>]  2.048kB/2.048kB
2d3a6f2b11a0: Loading layer [==================================================>]  48.13kB/48.13kB
e268609393f5: Loading layer [==================================================>]  3.072kB/3.072kB
a9aed4bfce3f: Loading layer [==================================================>]  10.99MB/10.99MB
Loaded image: goharbor/clair-photon:v2.0.8-v1.8.1


[Step 2]: preparing environment ...
prepare base dir is set to /usr/local/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir



[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis       ... done
Creating registryctl ... done
Creating harbor-db   ... done
Creating registry    ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal     ... done
Creating nginx             ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://harbor.baiyongjie.com. 
For more details, please visit https://github.com/goharbor/harbor .

# docker-compose ps 
      Name                     Command                  State                        Ports
------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up (healthy)
harbor-db           /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up             6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
registryctl         /harbor/start.sh                 Up (healthy)

Add a local hosts entry and open the Harbor UI

Edit the local hosts file and add the corresponding entry.

Create an ordinary user account; it will be used to log in to the registry.

Using the new account, create a project. Do not mark it public here, so that pull and push require a login first.

Test the Harbor registry

    1. Configure the certificate
    2. Log in to the registry
    3. Retag an image
    4. Push and pull the image

Log in to the registry

# Add the registry name to /etc/hosts before logging in
# echo "192.168.1.155 harbor.baiyongjie.com" >> /etc/hosts  

# The CA certificate has not been configured on the client yet, so the login fails
# docker login harbor.baiyongjie.com
Username: baiyongjie
Password: 
Error response from daemon: Get https://harbor.baiyongjie.com/v2/: x509: certificate signed by unknown authority

# Package the certificate; run on 192.168.1.155
cd /usr/local/harbor/cert/
mkdir harbor.baiyongjie.com
cp harbor.baiyongjie.com.crt harbor.baiyongjie.com
tar zcvf harbor.cert.tar.gz harbor.baiyongjie.com

# Run on 192.168.1.156
# Extract harbor.cert.tar.gz into /etc/docker/certs.d. Docker treats every .crt file under
# /etc/docker/certs.d/<hostname>/ as a trusted CA for that registry; distributing ca.crt from the
# cert directory (as the Harbor docs do) instead of the server certificate also keeps working
# after the server certificate is renewed.

# tar zxvf harbor.cert.tar.gz
# ll
total 4.0K
drwxr-xr-x. 2 root root   39 Jul  5 16:59 harbor.baiyongjie.com
-rw-r--r--. 1 root root 1.6K Jul  5 17:00 harbor.cert.tar.gz

# Log in again; this time it succeeds
# docker login harbor.baiyongjie.com  
Username: baiyongjie
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Push test

# Pull an ubuntu image, retag it, and push it to the private registry
# docker pull ubuntu:18.04
18.04: Pulling from library/ubuntu
5b7339215d1d: Pull complete 
14ca88e9f672: Pull complete 
a31c3b1caad4: Pull complete 
b054a26005b7: Pull complete 
Digest: sha256:9b1702dcfe32c873a770a32cfd306dd7fc1c4fd134adfb783db68defc8894b3c
Status: Downloaded newer image for ubuntu:18.04

# docker tag ubuntu:18.04 harbor.baiyongjie.com/baiyongjie/ubuntu:18.04
# docker push harbor.baiyongjie.com/baiyongjie/ubuntu:18.04
The push refers to repository [harbor.baiyongjie.com/baiyongjie/ubuntu]
75e70aa52609: Pushed 
dda151859818: Pushed 
fbd2732ad777: Pushed 
ba9de9d8475e: Pushed 
18.04: digest: sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395 size: 1152

Pull test

# Delete the local image, then pull it back from the private registry

# docker rmi harbor.baiyongjie.com/baiyongjie/ubuntu:18.04
Untagged: harbor.baiyongjie.com/baiyongjie/ubuntu:18.04
Untagged: harbor.baiyongjie.com/baiyongjie/ubuntu@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395

# docker pull  harbor.baiyongjie.com/baiyongjie/ubuntu:18.04
18.04: Pulling from baiyongjie/ubuntu
5b7339215d1d: Pull complete 
14ca88e9f672: Pull complete 
a31c3b1caad4: Pull complete 
b054a26005b7: Pull complete 
Digest: sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
Status: Downloaded newer image for harbor.baiyongjie.com/baiyongjie/ubuntu:18.04

Using the registry from Kubernetes

Log in to the Docker registry

[root@master ~]# docker login harbor.baiyongjie.com -u baiyongjie
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@master ~]# cat /root/.docker/config.json
{
        "auths": {
                "harbor.baiyongjie.com": {
                        "auth": "YmFpeW9uag12ppas4MjM5MDhNaW4="
                },
                "https://index.docker.io/v1/": {
                        "auth": "YmFpeWsf123ZTo4MjM5MDhtaW4="
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.06.1-ce (linux)"
        }
}

Generate the base64-encoded credentials

Note that base64 wraps its output at 76 columns by default, while the value in the Secret must be a single line (GNU base64 accepts -w 0 to disable wrapping). Note also that this config.json contains the index.docker.io credential as well, so whoever can read the Secret obtains that login too.

[root@master ~]# cat /root/.docker/config.json | base64
ewoJImF1dGhzIjogewoJCSJo1221asdJfSwKCQkiaHR0cHM6Ly9pbmRleC5kb2NrZXIu
aW8vdjEvIjogewasRlcnMiOiB7CgkJsadVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4w
Ni4xLWNlIChsaW51eCkiCgl9Cn0=

Create the Secret YAML file

[root@master yaml]# vim regsecret.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: regsecret
  namespace: default
data:
  .dockerconfigjson: ewoJImF123fsakJasdHRhVzQ9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4wNi4xLWNlIChsaW51eCkiCgl9Cn0=

[root@master yaml]# kubectl apply -f regsecret.yaml 
secret/regsecret created
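The steps above encode the whole ~/.docker/config.json, Docker Hub login included, and rely on pasting wrapped base64 into the manifest. As an added example (not from the original post), the script below builds a kubernetes.io/dockerconfigjson Secret that carries only the Harbor credential and keeps the encoded value on one line; the registry host, user name, password and Secret name are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: build a kubernetes.io/dockerconfigjson
# Secret scoped to a single registry instead of encoding all of ~/.docker/config.json.
# Assumptions: host harbor.baiyongjie.com, user/password/secret name are placeholders.
set -eu

# b64_oneline: base64 without line wrapping. Plain `base64` wraps at 76 columns,
# which is not usable as a single YAML scalar. Works on GNU and BSD base64.
b64_oneline() { base64 | tr -d '\n'; }

# docker_auth_token USER PASSWORD -> the "auth" value Docker stores: base64("user:password").
# This is encoding, not encryption, which is what the `docker login` warning is about.
docker_auth_token() { printf '%s:%s' "$1" "$2" | b64_oneline; }

# make_dockerconfigjson HOST USER PASSWORD -> a config.json limited to one registry,
# so the cluster never receives the Docker Hub credential from the same file.
make_dockerconfigjson() {
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(docker_auth_token "$2" "$3")"
}

# make_regsecret_yaml NAME NAMESPACE HOST USER PASSWORD -> Secret manifest on stdout.
make_regsecret_yaml() {
    cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: $1
  namespace: $2
data:
  .dockerconfigjson: $(make_dockerconfigjson "$3" "$4" "$5" | b64_oneline)
EOF
}

# secret_registries YAML_FILE -> the registry hosts the manifest grants, one per line,
# so a reviewer can confirm the Secret does not reach beyond the Harbor host.
secret_registries() {
    sed -n 's/^  \.dockerconfigjson: //p' "$1" | base64 -d \
        | tr '{' '\n' | sed -n 's/^"\([^"]*\)":$/\1/p' | grep -v '^auths$'
}

# Stand-alone use: REGSECRET_PASSWORD=... sh this_script.sh > regsecret.yaml
if [ -n "${REGSECRET_PASSWORD:-}" ]; then
    make_regsecret_yaml regsecret default harbor.baiyongjie.com baiyongjie "$REGSECRET_PASSWORD"
fi
```

The same manifest can be produced without a script by `kubectl create secret docker-registry regsecret --docker-server=harbor.baiyongjie.com --docker-username=... --docker-password=...`, which likewise stores only the one registry.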

Create a test pod

[root@master yaml]# vim harbor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: harbor-test
  namespace: default
spec:
  containers:
  - name: harbor-test
    image: harbor.baiyongjie.com/baiyongjie/ubuntu:18.04
    command: ["/bin/sh"]
    args: ["-c", "sleep 1800"]
  imagePullSecrets:
  - name: regsecret

[root@master yaml]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
harbor-test   1/1     Running   0          3s


[root@master yaml]# kubectl get pods -o wide
NAME          READY   STATUS    RESTARTS   AGE   IP             NODE     NOMINATED NODE   READINESS GATES
harbor-test   1/1     Running   0          5s    10.244.2.147   node02   <none>           <none>