Building a Docker image registry (2): using Harbor to build a local image registry

1. System environment

Server OS version                     Docker version           CPU architecture
CentOS Linux release 7.4.1708 (Core)  Docker version 20.10.12  x86_64

2. Preface

When Docker pulls an image it downloads from the official Docker Hub by default. Much of the time our images are private images customised with a Dockerfile that are never published, and for security Docker may be running on an internal network, so we need a local private Docker registry that the whole internal cluster can use.

There are two mainstream ways to build an image registry: one is to use the registry image provided by Docker itself, which is quick and simple but limited in features; the other is to use Harbor, which is more capable and more widely used. This post describes building a local image registry with Harbor.

For building a local registry with registry, see the post "Building a Docker image registry (1): using registry to build a local image registry" https://www.cnblogs.com/renshengdezheli/p/16646969.html.

3. Harbor

Harbor is an enterprise-class Docker image registry management project open-sourced by VMware. It includes permission management (RBAC), LDAP, audit logging, a management UI, self-registration, image replication and Chinese-language support. Harbor's official site: https://github.com/goharbor/harbor

Architecturally, Harbor consists of six main components:

Proxy: a reverse proxy placed in front of Harbor's registry, UI, token and other services. It receives requests from browsers and Docker clients at a single entry point and forwards them to the appropriate backend service.

Registry: stores Docker images and handles docker push/pull commands. Because we want access control, i.e. different users have different read/write permissions on Docker images, the Registry points at a token service and requires every docker pull/push request to carry a valid token; the Registry validates the token with the token service's public key.

Core services: the core functionality of Harbor, mainly providing the following services:

  • UI: provides the graphical interface for managing the images on the registry and for granting permissions to users.
  • webhook: so that image state changes on the registry are noticed promptly, a webhook configured on the Registry passes state changes to the UI module.
  • token service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the Registry that carries no token is redirected here; after obtaining a token the client repeats the request to the Registry.

Database: provides database services to the core services, storing user permissions, audit logs, Docker image grouping information and other data.

Job Services: provides remote image replication, which can synchronise local images to other Harbor instances.

Log collector: to help with monitoring Harbor, collects the logs of the other components for later analysis.

The relationships between the components are shown in the figure below:

[Figure: Harbor component architecture]
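The token handshake described above, written out as an added example (shell, not code from the original post or from the Harbor project). Harbor answers an unauthenticated GET /v2/ with HTTP 401 and a Www-Authenticate challenge; the client fetches a token from the realm named in that challenge and repeats the Registry request with an Authorization: Bearer header. The realm, service and scope strings used in the comments and tests are constructed sample values in the shape Harbor emits, not values captured from the installation in this post; the live helper assumes curl is installed and that Harbor is reachable over plain HTTP as it is here.

```sh
#!/bin/sh
# Added example: the Docker registry token handshake that Harbor's token
# service implements. Sample challenge values below are constructed.

# Turn a Www-Authenticate challenge value into the token-service URL the
# client must call: <realm>?service=<service>[&scope=<scope>]
token_url_from_challenge() {
    challenge=$1
    # Only Bearer challenges carry a token realm we can follow.
    case "$challenge" in
        Bearer\ *) ;;
        *) return 1 ;;
    esac
    realm=$(printf '%s' "$challenge" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
    service=$(printf '%s' "$challenge" | sed -n 's/.*service="\([^"]*\)".*/\1/p')
    scope=$(printf '%s' "$challenge" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
    [ -n "$realm" ] || return 1
    printf '%s?service=%s' "$realm" "$service"
    [ -n "$scope" ] && printf '&scope=%s' "$scope"
    printf '\n'
}

# Scope string for one repository and the actions requested; a pull needs
# "pull", a push needs "pull,push". Example: repository:bigdata/wordpress:pull
registry_scope() {
    printf 'repository:%s:%s\n' "$1" "$2"
}

# Live version of the handshake against a reachable Harbor over HTTP
# (prompts for the password). Usage on the client node of this post:
#   registry_auth_flow 192.168.110.137 lizhien bigdata/wordpress
registry_auth_flow() {
    registry=$1 user=$2 repo=$3
    # Step 1: unauthenticated request, expect 401 plus the challenge header.
    challenge=$(curl -sI "http://$registry/v2/" \
        | tr -d '\r' | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p')
    url=$(token_url_from_challenge "$challenge") || {
        echo "no Bearer challenge from $registry" >&2; return 1; }
    # Step 2: ask the token service for a token scoped to this repository.
    # The token service checks the user's project membership (the RBAC step
    # configured in the Harbor UI later in this post) before issuing it.
    url="$url&scope=$(registry_scope "$repo" pull)"
    token=$(curl -s -u "$user" "$url" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || { echo "token service refused $user for $repo" >&2; return 1; }
    # Step 3: repeat the Registry request with the token; lists the tags.
    curl -s -H "Authorization: Bearer $token" "http://$registry/v2/$repo/tags/list"
}
```

The two helper functions run offline; registry_auth_flow is the same three steps against a real Harbor and is what to reach for when a docker pull or push returns "unauthorized", because it shows whether the failure comes from the token service (project membership) or from the Registry itself.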

4. Using Harbor to build a private image registry

4.1 Environment

Architecture: k8smaster acts as the Harbor image registry, k8sworker1 as the client

Server                      OS version                            CPU architecture  Process  Role
k8smaster/192.168.110.137   CentOS Linux release 7.4.1708 (Core)  x86_64            harbor   Harbor image registry
k8sworker1/192.168.110.138  CentOS Linux release 7.4.1708 (Core)  x86_64            docker   Docker client

4.2 Install and configure Harbor on the k8smaster node

4.2.1 Install the Harbor offline package

Configure the k8smaster node first. Note: Harbor's default port is 80.

Harbor depends on docker-compose, so install docker-compose first

[root@k8smaster ~]# yum -y install docker-compose
......
正在解決依賴關係
--> 正在檢查事務
---> 軟體包 docker-compose.noarch.0.1.18.0-4.el7 將被 安裝
--> 正在處理依賴關係 python(abi) = 3.6,它被軟體包 docker-compose-1.18.0-4.el7.noarch 需要
......
已安裝:
  docker-compose.noarch 0:1.18.0-4.el7                                                                                                                                                                           
......
完畢!

Download Harbor: fetch the offline installer harbor-offline-installer-v2.4.1.tgz from https://github.com/goharbor/harbor/releases/tag/v2.4.1


Extract the Harbor offline package

[root@k8smaster ~]# ll -t
總用量 1137380
-rw-r--r--  1 root root 612698835 1月   5 11:39 harbor-offline-installer-v2.4.1.tgz

[root@k8smaster ~]# tar xf harbor-offline-installer-v2.4.1.tgz

[root@k8smaster ~]# cd harbor

# harbor.v2.4.1.tar.gz contains the images Harbor needs
# harbor.yml.tmpl is the sample Harbor configuration file
[root@k8smaster harbor]# ls
common.sh  harbor.v2.4.1.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

harbor.v2.4.1.tar.gz contains the images Harbor needs; load them with docker load

[root@k8smaster harbor]# docker load -i harbor.v2.4.1.tar.gz
1e3f0dc884e2: Loading layer [==================================================>]  39.45MB/39.45MB
3fd9ccd5eeaa: Loading layer [==================================================>]  5.275MB/5.275MB
......
Loaded image: goharbor/prepare:v2.4.1
eb57d0945b2e: Loading layer [==================================================>]  7.192MB/7.192MB
dd9069fd53a8: Loading layer [==================================================>]  7.355MB/7.355MB
e779dab1d180: Loading layer [==================================================>]  1.754MB/1.754MB
Loaded image: goharbor/harbor-portal:v2.4.1

harbor.yml.tmpl is the sample configuration file; make a copy of it

[root@k8smaster harbor]#  ls
common.sh  harbor.v2.4.1.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

[root@k8smaster harbor]# cp harbor.yml.tmpl harbor.yml

Edit the configuration file harbor.yml

[root@k8smaster harbor]# vim harbor.yml
# Changes to make in harbor.yml:
# hostname: the host name of the machine running the private registry (Harbor's own
# documentation asks for the IP address or FQDN that clients will use; never localhost or 127.0.0.1)
hostname: k8smaster
# delete or comment out the whole https section (this post runs Harbor over plain HTTP)
# https related config
#https:
#  # https port for harbor, default is 443
#  port: 443
#  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path


The Harbor admin account password

# initial password of the built-in admin user; change the default before the registry is reachable by anyone else:
harbor_admin_password: Harbor12345

Install Harbor

[root@k8smaster harbor]# ./prepare 
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

# install
[root@k8smaster harbor]# ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.7

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.18.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/registry-photon:v2.4.1
Loaded image: goharbor/notary-signer-photon:v2.4.1
......
Loaded image: goharbor/chartmuseum-photon:v2.4.1
Loaded image: goharbor/prepare:v2.4.1
Loaded image: goharbor/harbor-portal:v2.4.1


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
......
Creating harbor-jobservice ... 
Creating nginx ... 
✔ ----Harbor has been installed and started successfully.----

4.2.2 Configure Harbor users and projects

Once Harbor is installed, log in from a browser: enter the host's IP address, http://192.168.110.137/, open the home page and log in with the account admin and the password Harbor12345.

[Screenshot: Harbor login page]

After logging in, the Harbor main page looks like this:

[Screenshot: Harbor main page after login]

Create a user: click Users --> New User

[Screenshot: Users page with the New User button]

Fill in the user details

[Screenshot: New User form]

The user is created successfully

[Screenshot: user list showing the new user lizhien]

Set the user as an administrator

[Screenshot: Set as Admin action]

Create a new project

[Screenshot: Projects page with the New Project button]

Fill in the project details: if "Public" is not ticked under access level the project is private; a storage quota of -1 means no limit

[Screenshot: New Project form]

The project bigdata is created successfully; click bigdata to open the project

[Screenshot: project list showing bigdata]

Because the bigdata project is private, the user lizhien has to be added to it; otherwise lizhien has no permission to pull or push images

Add the user lizhien to the bigdata project: click Members --> + User

[Screenshot: Members tab with the + User button]

Add lizhien

[Screenshot: New Member form for lizhien]

The user lizhien now has permissions on the bigdata project

[Screenshot: member list showing lizhien]

4.3 Configure the k8sworker1 node to push to and pull from the Harbor private registry

4.3.1 Push images to the Harbor private registry

Configure the Harbor private registry address on the Docker client

# Harbor is listening on plain HTTP (port 80), so the Harbor host must be listed under
# insecure-registries in /etc/docker/daemon.json; otherwise the Docker client insists on HTTPS.
# (If the https section of harbor.yml is enabled instead, drop this entry and place the CA
# certificate at /etc/docker/certs.d/192.168.110.137/ca.crt on each client.)
[root@k8sworker1 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://frz7i079.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.110.137"]
}

Restart Docker so the configuration takes effect

[root@k8sworker1 ~]# systemctl restart docker

[root@k8sworker1 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since 三 2022-01-05 11:28:02 CST; 8s ago
     Docs: //docs.docker.com
 Main PID: 28037 (dockerd)
   Memory: 48.9M
   CGroup: /system.slice/docker.service
           └─28037 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Check the local Docker images; if there are none locally, just docker pull one

[root@k8sworker1 ~]# docker images
REPOSITORY                                                TAG       IMAGE ID       CREATED         SIZE
192.168.110.137:5000/boke/wordpress                       latest    dccaeccfba36   4 years ago     406MB
192.168.110.137:5000/web/tomcat                           v1        72d2be374029   4 years ago     292MB
nginx                                                     1.8       0d493297b409   5 years ago     133MB

Retag the images

[root@k8sworker1 ~]# docker tag 192.168.110.137:5000/boke/wordpress:latest k8smaster/bigdata/wordpress:latest

[root@k8sworker1 ~]# docker tag 192.168.110.137:5000/web/tomcat:v1  k8smaster/bigdata/tomcat:v1

[root@k8sworker1 ~]# docker images
REPOSITORY                                                TAG       IMAGE ID       CREATED         SIZE
192.168.110.137:5000/boke/wordpress                       latest    dccaeccfba36   4 years ago     406MB
k8smaster/bigdata/wordpress                               latest    dccaeccfba36   4 years ago     406MB
192.168.110.137:5000/web/tomcat                           v1        72d2be374029   4 years ago     292MB
k8smaster/bigdata/tomcat                                  v1        72d2be374029   4 years ago     292MB
nginx                                                     1.8       0d493297b409   5 years ago     133MB

Push the image to the Harbor registry: the push goes to docker.io/k8smaster/bigdata/wordpress, which is clearly wrong (the first path component, k8smaster, contains neither a dot nor a colon, so Docker treats it as a Docker Hub namespace rather than a registry host), and the push fails

[root@k8sworker1 ~]# docker push k8smaster/bigdata/wordpress:latest
The push refers to repository [docker.io/k8smaster/bigdata/wordpress]
53e16fa1f104: Preparing 
562dd11ed871: Preparing 
6671cb9eb6b3: Preparing 
4214911d5945: Preparing 
fed26d7fe7b9: Preparing 
c8c6d352c96e: Waiting 
5a151fa4136e: Waiting 
8747705a74d9: Waiting 
adfd7c98cdf6: Waiting 
354b4ef9664b: Waiting 
2da371244fc1: Waiting 
315db89f9acb: Waiting 
3d2582fdede2: Waiting 
53da01089a82: Waiting 
0fd7a67d49b3: Waiting 
f0c367fa8636: Waiting 
ddd6dcab19ff: Waiting 
2c40c66f7667: Waiting 
^C

Retag again, replacing the host name with the IP address

[root@k8sworker1 ~]# docker tag 192.168.110.137:5000/boke/wordpress:latest 192.168.110.137/bigdata/wordpress:latest

[root@k8sworker1 ~]# docker tag 192.168.110.137:5000/web/tomcat:v1 192.168.110.137/bigdata/tomcat:v1

[root@k8sworker1 ~]# docker images
REPOSITORY                                                TAG       IMAGE ID       CREATED         SIZE
192.168.110.137/bigdata/wordpress                         latest    dccaeccfba36   4 years ago     406MB
192.168.110.137:5000/boke/wordpress                       latest    dccaeccfba36   4 years ago     406MB
k8smaster/bigdata/wordpress                               latest    dccaeccfba36   4 years ago     406MB
192.168.110.137/bigdata/tomcat                            v1        72d2be374029   4 years ago     292MB
192.168.110.137:5000/web/tomcat                           v1        72d2be374029   4 years ago     292MB
k8smaster/bigdata/tomcat                                  v1        72d2be374029   4 years ago     292MB
nginx                                                     1.8       0d493297b409   5 years ago     133MB
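The rule behind the two tagging attempts above, as an added example (shell; not code from the original post). Docker treats the first path component of an image reference as a registry host only if it contains a dot or a colon, or is exactly "localhost"; anything else is a Docker Hub namespace, which is why k8smaster/bigdata/wordpress went to docker.io while 192.168.110.137/bigdata/wordpress went to Harbor. The example goes beyond the post's two cases by implementing the general rule, and adds a guard that refuses a push whose reference would leave the private registry. The registry address and the project name bigdata are the post's own; the function names are mine.

```sh
#!/bin/sh
# Added example: Docker's registry-resolution rule for image references and
# a pre-push guard built on it. Function names are not from the post.

# Print the registry host an image reference resolves to.
image_registry() {
    ref=$1
    case "$ref" in
        */*)
            first=${ref%%/*}
            case "$first" in
                *.*|*:*|localhost) printf '%s\n' "$first" ;;   # explicit registry
                *)                 printf 'docker.io\n' ;;      # Hub namespace
            esac ;;
        *)  printf 'docker.io\n' ;;                             # bare name, e.g. nginx:1.8
    esac
}

# Build the reference a local image should be retagged to for a Harbor
# project: <registry>/<project>/<name>:<tag>. Any explicit registry prefix
# and intermediate path of the source reference are dropped.
harbor_target_ref() {
    src=$1 registry=$2 project=$3
    path=$src
    if [ "$(image_registry "$src")" != docker.io ]; then
        path=${src#*/}              # strip the explicit registry prefix
    fi
    name=${path##*/}                # last component, tag included
    printf '%s/%s/%s\n' "$registry" "$project" "$name"
}

# Guard to run before "docker push": refuse a reference that resolves to a
# registry other than the expected one, which is exactly the mistake above.
check_push_target() {
    ref=$1 expected=$2
    actual=$(image_registry "$ref")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to push $ref: it resolves to $actual, not $expected" >&2
        return 1
    fi
    return 0
}

# Usage on the client node of this post:
#   target=$(harbor_target_ref 192.168.110.137:5000/boke/wordpress:latest 192.168.110.137 bigdata)
#   check_push_target "$target" 192.168.110.137 \
#       && docker tag 192.168.110.137:5000/boke/wordpress:latest "$target" \
#       && docker push "$target"
```

Wrapping docker push in check_push_target is a cheap way to stop a private image from being sent to Docker Hub by a typo in the tag: the push above was interrupted by hand, but with a Docker Hub login cached on the client it would have succeeded.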

Push again: this time the error is unauthorized, so a login is required before pushing

[root@k8sworker1 ~]# docker push 192.168.110.137/bigdata/wordpress:latest
The push refers to repository [192.168.110.137/bigdata/wordpress]
53e16fa1f104: Preparing 
562dd11ed871: Preparing 
6671cb9eb6b3: Preparing 
4214911d5945: Preparing 
fed26d7fe7b9: Waiting 
c8c6d352c96e: Waiting 
5a151fa4136e: Waiting 
8747705a74d9: Waiting 
adfd7c98cdf6: Waiting 
354b4ef9664b: Waiting 
2da371244fc1: Waiting 
315db89f9acb: Waiting 
3d2582fdede2: Waiting 
53da01089a82: Waiting 
0fd7a67d49b3: Waiting 
f0c367fa8636: Waiting 
ddd6dcab19ff: Waiting 
2c40c66f7667: Waiting 
unauthorized: unauthorized to access repository: bigdata/wordpress, action: push: unauthorized to access repository: bigdata/wordpress, action: push

Log in to Harbor

# Logging in with the host name fails: k8smaster is not listed in insecure-registries (only the IP is), so the client tries HTTPS on port 443, where nothing is listening
[root@k8sworker1 ~]# docker login k8smaster
Username: lizhien
Password: 
Error response from daemon: Get //k8smaster/v2/: dial tcp 192.168.110.137:443: connect: connection refused

# Logging in with the IP succeeds; use the lizhien user created earlier
[root@k8sworker1 ~]# docker login 192.168.110.137
Username: lizhien
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
//docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# A .docker/config.json file now exists in the home directory; its auth value is just base64(username:password), which is what the warning above refers to
[root@k8sworker1 ~]# ls .docker/
config.json
[root@k8sworker1 ~]# cat .docker/config.json 
{
        "auths": {
                "192.168.110.137": {
                        "auth": "bGl6aGllbjpMaXpoaWVuNjY2"
                }
        }
}
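What the warning printed by docker login means in practice, as an added example (shell; not code from the original post). Without a credential helper the "auth" value in config.json is nothing more than base64("username:password"), so anyone who can read the file can recover the password. The sample config below is constructed in the same shape as the post's file: the registry address is the post's, but the auth value encodes the placeholder credential "user:secret", not a captured one. The functions assume coreutils base64 and grep -E; their names are mine.

```sh
#!/bin/sh
# Added example: audit a Docker client config.json for reversibly stored
# credentials. Function names and the sample credential are constructed.

# Print a constructed config.json in the shape docker login writes when no
# credential helper is configured. "dXNlcjpzZWNyZXQ=" is base64("user:secret").
sample_config() {
    cat <<'EOF'
{
        "auths": {
                "192.168.110.137": {
                        "auth": "dXNlcjpzZWNyZXQ="
                }
        }
}
EOF
}

# Username stored for one registry: decode the auth value and keep only the
# part before the first ':'. The password is deliberately not printed.
config_auth_user() {
    cfg=$1 registry=$2
    auth=$(tr -d ' \t\n' < "$cfg" \
        | sed -n "s/.*\"$registry\":{\"auth\":\"\([^\"]*\)\".*/\1/p")
    [ -n "$auth" ] || return 1
    printf '%s' "$auth" | base64 -d | cut -d: -f1
}

# List every registry whose credential sits in the file as a base64 "auth"
# entry rather than being delegated to a helper.
config_plaintext_registries() {
    tr -d ' \t\n' < "$1" | grep -o '"[^"]*":{"auth":' | sed 's/^"\([^"]*\)".*/\1/'
}

# Exit 0 if the config delegates secret storage to a credential helper
# ("credsStore" for all registries or a "credHelpers" map), 1 otherwise.
config_uses_credential_helper() {
    grep -Eq '"(credsStore|credHelpers)"' "$1"
}

# Usage on the client node of this post:
#   config_plaintext_registries ~/.docker/config.json
#   config_uses_credential_helper ~/.docker/config.json || echo "configure a credential helper"
```

The fix the warning points at is a credential helper ("credsStore" in config.json backed by pass, secretservice or the OS keychain); after that, docker login stores nothing reversible in the file and config_plaintext_registries prints nothing. Until then, treat ~/.docker/config.json on every client as a secret: it grants push rights to the bigdata project to whoever reads it.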

Push the images again; this time the push succeeds

[root@k8sworker1 ~]# docker push 192.168.110.137/bigdata/wordpress:latest
The push refers to repository [192.168.110.137/bigdata/wordpress]
53e16fa1f104: Pushed 
562dd11ed871: Pushed 
......
f0c367fa8636: Pushed 
ddd6dcab19ff: Pushed 
2c40c66f7667: Pushed 
latest: digest: sha256:ca4cf4692b7bebd81f229942c996b1c4e6907d6733e977e93d671a54b8053a22 size: 4078

[root@k8sworker1 ~]# docker push 192.168.110.137/bigdata/tomcat:v1
The push refers to repository [192.168.110.137/bigdata/tomcat]
f79699072473: Pushed 
8cb01d738d7e: Pushed 
......
fe40be59465f: Pushed 
cf4ecb492384: Pushed 
v1: digest: sha256:6241d7435b5c4e9d54be7d61e834836a71b1934b5403e01eff8768f0e2bcf210 size: 3045

Checking the Harbor UI, the bigdata project now contains the images

[Screenshot: repositories in the bigdata project]

4.3.2 Pull images from the Harbor private registry

First delete the local images

[root@k8sworker1 ~]# docker rmi 192.168.110.137:5000/web/tomcat:v1 192.168.110.137:5000/boke/wordpress:latest 192.168.110.137/bigdata/wordpress:latest

[root@k8sworker1 ~]# docker images
REPOSITORY                                                TAG       IMAGE ID       CREATED         SIZE

Pull an image from the registry; because the bigdata project is private, if you logged out of Harbor earlier you must log in again with docker login 192.168.110.137

[root@k8sworker1 ~]# docker pull 192.168.110.137/bigdata/tomcat:v1
v1: Pulling from bigdata/tomcat
a2149b3f2ac2: Pull complete 
.....
321b0457f24e: Pull complete 
0f83e948f35a: Pull complete 
8dbb09972def: Pull complete 
Digest: sha256:6241d7435b5c4e9d54be7d61e834836a71b1934b5403e01eff8768f0e2bcf210
Status: Downloaded newer image for 192.168.110.137/bigdata/tomcat:v1
192.168.110.137/bigdata/tomcat:v1

[root@k8sworker1 ~]# docker images
REPOSITORY                                                TAG       IMAGE ID       CREATED         SIZE
192.168.110.137/bigdata/wordpress                         latest    dccaeccfba36   4 years ago     406MB
192.168.110.137/bigdata/tomcat                            v1        72d2be374029   4 years ago     292MB

Harbor is now set up, and images can be pushed to and pulled from it normally.