# Enterprise Private Image Registry: Harbor

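Harbor is an open-source container image registry from VMware. In practice, Harbor extends Docker Registry with enterprise features, which has led to its wider adoption. These features include a management user interface, role-based access control, AD/LDAP integration, and audit logging, which is enough to meet basic enterprise needs. [Official website](https://vmware.github.io/harbor/cn/)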

### **Harbor Deployment:**

Install Docker

```
# Set the hostname
[root@localhost ~]# hostnamectl set-hostname harbor.example.com
# Install dependency packages
[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2 vim net-tools wget epel-release
# Add the Docker CE yum repository
[root@localhost ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Refresh the yum cache
[root@localhost ~]# yum makecache fast
# Install docker-ce
[root@localhost ~]# yum -y install docker-ce
# Start the Docker daemon and enable it at boot
[root@localhost ~]# systemctl start docker
[root@localhost ~]# systemctl enable docker
# Configure a registry mirror to speed up image pulls
[root@localhost ~]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
```

Install docker-compose

```
[root@localhost ~]# curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@localhost ~]# chmod +x /usr/local/bin/docker-compose
[root@localhost ~]# docker-compose --version
docker-compose version 1.23.1, build b02f1306
```

Install Harbor

```
# Download the installer package; choose the version you want to install
[root@localhost ~]# wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-offline-installer-v1.6.2.tgz
[root@localhost ~]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.6.tgz
[root@localhost ~]# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0.tgz
[root@localhost ~]# wget https://storage.googleapis.com/harbor-releases/release-1.9.0/harbor-offline-installer-v1.9.0.tgz
[root@localhost ~]# tar xf harbor-offline-installer-v1.6.2.tgz
[root@localhost ~]# cd harbor
# Configure Harbor for HTTPS access
# Create the certificate authority (CA)
[root@localhost harbor]# mkdir ssl && cd ssl
[root@localhost ssl]# openssl genrsa -out ca.key 4096
[root@localhost ssl]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=harbor.example.com" -key ca.key -out ca.crt
# Create the server's private key
[root@localhost ssl]# openssl genrsa -out harbor.example.com.key 4096
# Generate the certificate signing request (CSR)
[root@localhost ssl]# openssl req -sha512 -new -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=harbor.example.com" -key harbor.example.com.key -out harbor.example.com.csr
# Generate the certificate for the registry host
# Contents of v3.ext:
[root@localhost ssl]# vim v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.example.com
DNS.2=harbor.example
DNS.3=hostname
[root@localhost ssl]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.example.com.csr -out harbor.example.com.crt
# Install the server certificate and key for Harbor
[root@localhost ssl]# mkdir -p /data/cert/
[root@localhost ssl]# cp harbor.example.com.crt /data/cert/
[root@localhost ssl]# cp harbor.example.com.key /data/cert/
# Configure Docker to trust the CA for this registry.
# Docker reads *.crt files in this directory as CA certificates and rejects a
# *.key file that has no matching *.cert, so only ca.crt is copied here; the
# server's private key is not needed by the Docker client.
[root@localhost ssl]# mkdir -p /etc/docker/certs.d/harbor.example.com
[root@localhost ssl]# cp ca.crt /etc/docker/certs.d/harbor.example.com/
# Configure Harbor
[root@localhost ssl]# cd ..
[root@localhost harbor]# vim harbor.cfg
hostname = harbor.example.com
ui_url_protocol = https
ssl_cert = /data/cert/harbor.example.com.crt
ssl_cert_key = /data/cert/harbor.example.com.key
# Generate the Harbor configuration files
[root@localhost harbor]# ./prepare
# Start the installation
[root@localhost harbor]# ./install.sh
# To switch to a publicly trusted certificate, you can apply for a free certificate from Alibaba Cloud and download it in the nginx format
[root@localhost harbor]# vim harbor.cfg
hostname = harbor.example.com
ui_url_protocol = https
ssl_cert = /data/cert/harbor.example.com.crt
ssl_cert_key = /data/cert/harbor.example.com.key
# Generate the Harbor configuration files
[root@localhost harbor]# ./prepare
# Start the installation
[root@localhost harbor]# ./install.sh
```
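Before running `./install.sh`, it is worth confirming that the certificate files from the steps above are consistent with each other. The script below is an added example, not part of the original page or of Harbor: the function names `make_demo_pki` and `check_registry_cert`, the CA name `demo-ca` and the 2048-bit demo keys are assumptions chosen so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): checks for the TLS files that
# the steps above place in /data/cert and /etc/docker/certs.d.

# Constructed sample input: throwaway CA plus server certificate, using the
# page's v3.ext. 2048-bit keys and the CA name "demo-ca" are assumptions.
make_demo_pki() {  # $1 = empty directory, $2 = registry host name
  ( cd "$1" || exit 1
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -sha512 -days 30 -subj "/O=example/CN=demo-ca" \
      -key ca.key -out ca.crt
    openssl genrsa -out "$2.key" 2048
    openssl req -sha512 -new -subj "/O=example/CN=$2" -key "$2.key" -out "$2.csr"
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
      'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
      'extendedKeyUsage = serverAuth' 'subjectAltName = @alt_names' \
      '[alt_names]' "DNS.1=$2" > v3.ext
    openssl x509 -req -sha512 -days 30 -extfile v3.ext -CA ca.crt -CAkey ca.key \
      -CAcreateserial -in "$2.csr" -out "$2.crt"
  ) >/dev/null 2>&1
}

# Prints "ok" and returns 0, or names the failed check and returns 1-4.
check_registry_cert() {  # args: ca.crt server.crt server.key hostname
  ca=$1 crt=$2 key=$3 host=$4
  # 1. The server certificate must chain to the CA that clients are given.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "chain: FAIL"; return 1; }
  # 2. The host name must be covered by a subjectAltName DNS entry; current
  #    Docker clients do not fall back to the CN.
  { openssl x509 -noout -text -in "$crt" | grep -q 'DNS:' &&
    openssl x509 -noout -checkhost "$host" -in "$crt" | grep -q 'does match'; } \
    || { echo "hostname: FAIL"; return 2; }
  # 3. The private key must belong to the certificate (same public key).
  [ "$(openssl x509 -noout -pubkey -in "$crt")" = \
    "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] \
    || { echo "key: FAIL"; return 3; }
  # 4. The certificate must not be expired.
  openssl x509 -noout -checkend 0 -in "$crt" >/dev/null \
    || { echo "expiry: FAIL"; return 4; }
  echo "ok"
}

# Usage: ./check.sh ca.crt harbor.example.com.crt harbor.example.com.key harbor.example.com
if [ "$#" -eq 4 ]; then check_registry_cert "$@"; fi
```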

Check Harbor status

```
[root@reg harbor]# docker-compose ps
       Name                     Command                  State                                    Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
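```

| Component | Function |
| --- | --- |
| harbor-adminserver | Configuration management center |
| harbor-db | MySQL database |
| harbor-jobservice | Handles image replication |
| harbor-log | Records operation logs |
| harbor-ui | Web management UI and API |
| nginx | Front-end proxy; forwards web UI traffic and image push/pull requests |
| redis | Session storage |
| registry | Image storage |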

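Access Harbor at <https://harbor.example.com>. Note: if you have no DNS server, add an entry for the host to your local hosts file.

Default login (the password is the `harbor_admin_password` value in harbor.cfg; change it after the first login):

User: admin

Pass: Harbor12345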

![](/files/-LpfesWjCLSrWsQ8hRvS)

![](/files/-LpfexSmUmhyBAfufr3R)

Create a project

![](/files/-Lpff0Vb8xuMigdJQRdr)

Create a user

![](/files/-LpffFYv1AACaAFI15Gz)

Add members to the project

![](/files/-LpffInILMjWbQzmarBJ)

Log in to the Harbor registry with Docker

```
[root@harbor harbor]# docker login harbor.example.com
Username: wangzhenghui
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

```

Push images

```
[root@localhost ~]# docker pull nginx
[root@harbor harbor]# docker tag nginx:latest harbor.example.com/devops/nginx:v1
[root@harbor harbor]# docker push harbor.example.com/devops/nginx:v1
The push refers to repository [harbor.example.com/devops/nginx]
ce3539cc1849: Pushed
16d1b1dd2a23: Pushed
2db44bce66cd: Pushed
v1: digest: sha256:55e7a6f2bb43e38cc34285af03b4973d61f523d26cd8a57e9d00cf4154792d20 size: 948
[root@harbor ~]# docker pull tomcat
[root@harbor ~]# docker tag tomcat:latest harbor.example.com/devops/tomcat:v1
[root@harbor ~]# docker push harbor.example.com/devops/tomcat:v1

```

View the repository

![](/files/-LpffSUyaSRrmGR563g_)

