一、安装docker
下载地址:https://download.docker.com/linux/static/stable/x86_64/docker-23.0.4.tgz
1.1 解压二进制包
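# Fetch the static Docker 23.0.4 engine tarball and put its binaries on PATH.
# The three steps are chained so a failed download or extraction does not leave a
# half-installed /usr/bin (the original ran each step unconditionally).
# NOTE(review): nothing here verifies the tarball's integrity; compare it against a
# checksum obtained from a trusted source before copying binaries into /usr/bin.
wget https://download.docker.com/linux/static/stable/x86_64/docker-23.0.4.tgz \
  && tar -xzf docker-23.0.4.tgz \
  && mv -- docker/* /usr/bin/   # overwrites any existing docker binaries in /usr/bin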
1.2 systemd管理docker
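# Install the systemd unit for dockerd.
# The heredoc delimiter is quoted so that $MAINPID reaches the unit file literally;
# with an unquoted delimiter the shell expands it at write time (normally to empty)
# and ExecReload loses its PID argument.
# The original ExecStart was `dockerd -H --insecure-registry 192.168.8.111`: `-H`
# takes a value, so that line does not parse as intended. Insecure registries are
# configured in /etc/docker/daemon.json (next step) instead; dockerd refuses to
# start when the same setting is given both as a flag and in the config file.
cat > /usr/lib/systemd/system/docker.service <<'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF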
1.3 创建配置文件
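# Write the daemon configuration. `mkdir -p` tolerates an existing /etc/docker
# (the original `mkdir` fails on a second run). The quoted delimiter keeps the
# JSON literal.
# NOTE(review): "http://hub-mirror.c.163.com" is a plaintext mirror; manifests and
# layers pulled through it are not protected in transit. Prefer https mirrors only.
# NOTE(review): "insecure-registries" lets this daemon use plain HTTP for
# core.harbor.domain:32388. Docker matches these entries by the exact host[:port]
# used on the command line, so reaching the registry by IP is not covered by it.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "registry-mirrors": [
    "https://jkfdsf2u.mirror.aliyuncs.com",
    "https://registry.docker-cn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://dockerhub.azk8s.cn",
    "http://hub-mirror.c.163.com"
  ],
  "insecure-registries": ["core.harbor.domain:32388"],
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 5,
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "300m",
    "max-file": "2"
  },
  "live-restore": true
}
EOF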
# docker优化
# registry-mirrors 自定义的镜像地址
# 修改 docker Cgroup Driver 为 systemd,是 k8s 需要的,默认是 cgroupfs(注意:上面的 daemon.json 示例并未包含该项)
# max-concurrent-downloads: 最大并发下载
# max-concurrent-uploads: 最大并发上传
# log-driver: 日志格式化为 JSON。这是 Docker 默认的日志驱动程序。
# log-opts: 日志设置,单文件最大,最大几个文件
# 容器的日志都在 /var/lib/docker/containers/容器名/xxx.log
# live-restore: 在docker守护进程不可用时使容器保持活动状态
- registry-mirrors: 阿里云镜像加速器
- insecure-registries: 允许以 http 方式访问的仓库地址(上例为 core.harbor.domain:32388),不加则 docker login 时会拒绝连接
1.4 启动并设置开机启动
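# Reload unit definitions, (re)start dockerd and enable it at boot. The steps are
# chained so a failed start is noticed before the unit is enabled (the original
# continued regardless). --no-pager keeps the status output in the terminal.
systemctl daemon-reload \
  && systemctl restart docker \
  && systemctl enable docker \
  && systemctl status --no-pager docker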
二、docker-compose安装
下载地址:https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64
2.1 授权并移动
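# Install docker-compose v2.17.3 as a standalone binary.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "binary", which the following chmod +x would otherwise happily mark executable.
# NOTE(review): the download is not checksum-verified; compare it against the
# checksum published with the release before using it.
curl -fL "https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose \
  && chmod +x /usr/local/bin/docker-compose
# `ll` is an interactive alias, not a command; use ls directly.
ls -lh /usr/local/bin/docker-compose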
2.2 查看是否生效
docker-compose version
Docker Compose version v2.17.3
docker-py version: 4.4.4
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
三、Harbor安装
下载地址:https://github.com/goharbor/harbor/releases/download/v2.8.0/harbor-offline-installer-v2.8.0.tgz
3.1 生成证书(可以不配置)
1.添加hosts
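# Download the Harbor offline installer and map the registry hostname locally.
wget https://github.com/goharbor/harbor/releases/download/v2.8.0/harbor-offline-installer-v2.8.0.tgz
# Append the hosts entry only when it is not already present, so re-running these
# steps does not accumulate duplicate lines in /etc/hosts.
grep -qF -- '192.168.8.111 core.harbor.domain' /etc/hosts \
  || echo "192.168.8.111 core.harbor.domain" >> /etc/hosts
cat /etc/hosts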
2.生成证书
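#!/bin/bash
# Generate a private CA and a server certificate for the Harbor registry host.
# Output goes to /data/cert. This is a script, so stop at the first failure
# (the original carried on after a failed `cd`, writing keys into the current dir).
set -euo pipefail
mkdir -p /data/cert
cd /data/cert
# Root CA key and self-signed certificate (10 years).
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor19" \
  -key ca.key -out ca.crt
# Server key and certificate signing request.
openssl genrsa -out core.harbor.domain.key 4096
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor19" \
  -key core.harbor.domain.key -out core.harbor.domain.csr
# Private keys must not be readable by other users.
chmod 600 ca.key core.harbor.domain.key
# x509v3 extensions for the server certificate. TLS clients validate the SAN list,
# so the name the registry is reached by (core.harbor.domain, mapped in /etc/hosts
# above) must be present; the original list (harbor19, harbor, ks-allinone) did not
# include it, nor the host IP. Quoted delimiter: no shell expansion.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor19
DNS.2=harbor
DNS.3=ks-allinone
DNS.4=core.harbor.domain
IP.1=192.168.8.111
EOF
# Sign the server certificate with the CA.
# NOTE(review): 3650 days is a long lifetime for a leaf certificate.
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key \
  -CAcreateserial -in core.harbor.domain.csr -out core.harbor.domain.crt
# Docker treats *.crt under certs.d as CA certificates and *.cert as client
# certificates, so keep a .cert copy of the server certificate as well.
openssl x509 -inform PEM -in core.harbor.domain.crt -out core.harbor.domain.cert
# Trust the CA on this host. The trust anchor is the CA certificate, not the server
# certificate the original copied here; this also matches the client step later in
# the document, which distributes ca.crt.
cp ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
update-ca-trust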
查看生成文件
[root@host cert]# ls /data/cert/
ca.crt ca.key ca.srl core.harbor.domain.cert core.harbor.domain.crt core.harbor.domain.csr core.harbor.domain.key v3.ext
3.把这三个文件复制到 docker 的证书目录下
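# Make the registry's certificates known to the local Docker daemon.
# Under /etc/docker/certs.d/<host>/, *.crt files are CA certificates and
# *.cert/*.key are a client certificate and key for mutual TLS. Only ca.crt is
# needed for the daemon to verify the server; the server key is copied here because
# the Harbor install steps do so, but it is a private key, so it is installed 0600.
# NOTE(review): Docker selects this directory by the exact host[:port] used to reach
# the registry; if the registry is reached as core.harbor.domain:32388, the directory
# consulted is /etc/docker/certs.d/core.harbor.domain:32388/ — confirm which form is used.
certs_dir=/etc/docker/certs.d/core.harbor.domain
mkdir -p "$certs_dir"
install -m 0644 /data/cert/core.harbor.domain.cert "$certs_dir/"
install -m 0600 /data/cert/core.harbor.domain.key "$certs_dir/"
install -m 0644 /data/cert/ca.crt "$certs_dir/"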
3.2 安装
1.解压
[root@localhost ~]# tar -zxvf harbor-offline-installer-v2.8.0.tgz -C /usr/local/
harbor/harbor.v2.8.0.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
2.修改配置
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost /usr/local/harbor]# ls /usr/local/harbor/
common.sh harbor.yml.tmpl LICENSE
harbor.v2.8.0.tar.gz install.sh prepare
[root@localhost /usr/local/harbor]# cp harbor.yml.tmpl harbor.yml //配置模板信息
[root@localhost /usr/local/harbor]# cat harbor.yml.tmpl | grep -v '#' | grep -v '^$' > harbor.yml
[root@localhost /usr/local/harbor]# vim harbor.yml
hostname: core.harbor.domain //修改为当前主机的 ip 或域名
http:
port: 32388 //修改为当前的主机端口
# https related config //https通讯协议,不考虑对外进行关闭
# https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
harbor_admin_password: Harbor12345 //默认密码,首次登录后请修改
database:
password: root123
max_idle_conns: 100
max_open_conns: 900
conn_max_lifetime: 5m
conn_max_idle_time: 0
data_volume: /data //数据库存放路径
trivy:
ignore_unfixed: false
skip_update: false
offline_scan: false
security_check: vuln
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 3
log: //日志容器
level: info //为最低级别的日志
local:
rotate_count: 50 //最多滚动50个日志
rotate_size: 200M //每次滚动超过200M后将重新生成
location: /var/log/harbor //日志的存放目录
_version: 2.8.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
upload_purging:
enabled: true
age: 168h
interval: 24h
dryrun: false
cache:
enabled: false
expire_hours: 24
3. 安装
[root@localhost /usr/local/harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 23.0.4
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.17.3
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-log:v2.8.0
Loaded image: goharbor/notary-signer-photon:v2.8.0
Loaded image: goharbor/harbor-registryctl:v2.8.0
Loaded image: goharbor/harbor-exporter:v2.8.0
Loaded image: goharbor/redis-photon:v2.8.0
Loaded image: goharbor/notary-server-photon:v2.8.0
Loaded image: goharbor/prepare:v2.8.0
Loaded image: goharbor/harbor-jobservice:v2.8.0
Loaded image: goharbor/trivy-adapter-photon:v2.8.0
Loaded image: goharbor/registry-photon:v2.8.0
Loaded image: goharbor/harbor-portal:v2.8.0
Loaded image: goharbor/harbor-core:v2.8.0
Loaded image: goharbor/harbor-db:v2.8.0
Loaded image: goharbor/nginx-photon:v2.8.0
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
[Step 5]: starting Harbor ...
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.8s
✔ Container redis Started 1.6s
✔ Container harbor-portal Started 1.8s
✔ Container registry Started 1.9s
✔ Container registryctl Started 2.0s
✔ Container harbor-db Started 1.9s
✔ Container harbor-core Started 2.4s
✔ Container nginx Started 3.3s
✔ Container harbor-jobservice Star... 3.2s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]# ./install.sh
[root@localhost /usr/local/harbor]# docker-compose stop # 停止harbor
[+] Running 9/9
✔ Container harbor-jobservice Stop... 0.2s
✔ Container registryctl Stopped 10.2s
✔ Container nginx Stopped 0.2s
✔ Container harbor-core Stopped 0.2s
✔ Container harbor-portal Stopped 0.2s
✔ Container redis Stopped 0.3s
✔ Container harbor-db Stopped 0.3s
✔ Container registry Stopped 0.2s
✔ Container harbor-log Stopped 10.2s
[root@localhost /usr/local/harbor]# docker-compose start # 启动harbor
[+] Running 9/9
✔ Container harbor-log Started 0.5s
✔ Container harbor-db Started 1.0s
✔ Container registry Started 1.1s
✔ Container registryctl Started 1.1s
✔ Container redis Started 1.1s
✔ Container harbor-portal Started 1.0s
✔ Container harbor-core Started 0.4s
✔ Container harbor-jobservice Star... 0.7s
✔ Container nginx Started 0.6s
3.4 访问Harbor
浏览器输入ip地址,用户名默认:admin,密码是harbor.yml中配置的
浏览器输入网址:http://192.168.8.111:32388/account/sign-in?redirect_url=%2Fharbor%2Fprojects
输入用户名:admin 密码:Harbor12345
Harbor界面登录成功
四 、登录harbor
4.1 将证书分发到客户端(harbor上操作)
# Hand the CA certificate to a client host so it can verify the registry's TLS
# certificate. Only the CA's public certificate leaves the Harbor host.
ca_cert=/data/cert/ca.crt
client_anchor_dir=root@192.168.1.21:/etc/pki/ca-trust/source/anchors/
scp "$ca_cert" "$client_anchor_dir"
4.2 客户端登录
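# Client-side setup: name resolution, CA trust, and registry login.
# Add the hosts entry only when it is not already there; the original appended a
# duplicate line on every run.
grep -qF -- '192.168.8.111 core.harbor.domain' /etc/hosts \
  || echo "192.168.8.111 core.harbor.domain" >> /etc/hosts
# Rebuild the system trust store so the ca.crt copied in the previous step is used.
update-ca-trust extract
# Restart the daemon so it picks up the trust store and config changes.
systemctl restart docker
# Log in. `docker login` takes a host[:port]; the CLI ignores a scheme prefix, so the
# "http://" of the original command had no effect. Whether the daemon talks HTTP or
# HTTPS is decided by "insecure-registries" in daemon.json, not by this argument.
# NOTE(review): without a credential helper, docker login stores the password
# unencrypted in ~/.docker/config.json (the CLI prints a warning to that effect).
docker login core.harbor.domain:32388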
输入用户名:admin 密码:Harbor12345
在 hosts 文件添加如下一行,然后保存即可
192.168.8.111 core.harbor.domain
4.3 Harbor镜像仓库使用
所有基础镜像都会放在 library 里面,这是一个公开的镜像仓库。
1)新建项目—>起个项目名字 test(把访问级别公开那个选中,让项目才可以被公开使用)
4.4 node1上测试使用 core.harbor.domain 的 harbor 镜像仓库
1)修改 docker 配置
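# Write the client daemon configuration. `mkdir -p` tolerates an existing
# /etc/docker (the original `mkdir` fails on a second run). The quoted delimiter
# keeps the JSON literal.
# The verification step below logs in as 192.168.8.111:32388, and Docker matches
# "insecure-registries" entries by the exact host[:port] used, so both the hostname
# form and the IP form are listed (the original listed only the hostname).
# NOTE(review): "http://hub-mirror.c.163.com" is a plaintext mirror; images pulled
# through it are not protected in transit. Prefer https mirrors only.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "registry-mirrors": [
    "https://jkfdsf2u.mirror.aliyuncs.com",
    "https://registry.docker-cn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://dockerhub.azk8s.cn",
    "http://hub-mirror.c.163.com"
  ],
  "insecure-registries": ["core.harbor.domain:32388", "192.168.8.111:32388"],
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 5,
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "300m",
    "max-file": "2"
  },
  "live-restore": true
}
EOF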
2)重启docker,查看docker是否启动成功
# Reload unit definitions and, if that worked, restart dockerd; then show its state.
if systemctl daemon-reload; then
  systemctl restart docker
fi
systemctl status docker
3)登录harbor,验证
[root@localhost ~]# docker login 192.168.8.111:32388
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
4)导入 mysql 镜像
[root@localhost /data]# ls
mysql.tar
[root@localhost /data]# docker load -i mysql.tar
[root@localhost /data]# docker images | grep mysql
mysql 5.7 718a6da099d8 2 years ago 448MB
[root@localhost ~]# docker tag mysql:5.7 core.harbor.domain:32388/test/mysql:5.7
[root@localhost ~]# docker push core.harbor.domain:32388/test/mysql:5.7 #执行命令把mysql:5.7上传到 harbor 里的 test 项目下
The push refers to repository [core.harbor.domain:32388/test/mysql]
f6bef35c0067: Pushed
a6ea401b7864: Pushed
94bd7d7999de: Pushed
8df989cb6670: Pushed
f358b00d8ce7: Pushed
ae39983d39c4: Pushed
b55e8d7c5659: Pushed
e8fd11b2289c: Pushed
e9affce9cbe8: Pushed
316393412e04: Pushed
d0f104dc0a1f: Pushed
5.7: digest: sha256:d3418a353847c7b34e3b082d1ea35a9d12fd1244d3d841d8cfe076e72c216b00 size: 2621
Docker 推送命令
在项目中标记镜像:
docker tag SOURCE_IMAGE[:TAG] core.harbor.domain:32388/test/REPOSITORY[:TAG]
推送镜像到当前项目:
docker push core.harbor.domain:32388/test/REPOSITORY[:TAG]
Helm 推送命令
在项目中打包 chart
helm package CHART_PATH
推送 chart 到当前项目
helm push CHART_PACKAGE oci://core.harbor.domain:32388/test
CNAB 推送命令
推送 CNAB 到当前项目
cnab-to-oci push CNAB_PATH --target core.harbor.domain:32388/test/REPOSITORY[:TAG] --auto-update-bundle
注:默认管理员就有项目的管理权限
推送命令:点击镜像仓库可以看到推送命令,这里包含有docker以及k8s的Helm
5)Harbor仓库,可以查看到mysql镜像
6)从 Harbor 仓库下载镜像
[root@localhost ~]# docker rmi -f core.harbor.domain:32388/test/mysql:5.7 #删除镜像
[root@localhost ~]# docker pull core.harbor.domain:32388/test/mysql:5.7 #拉取镜像
5.7: Pulling from test/mysql
bf5952930446: Pull complete
8254623a9871: Pull complete
938e3e06dac4: Pull complete
ea28ebf28884: Pull complete
f3cef38785c2: Pull complete
894f9792565a: Pull complete
1d8a57523420: Pull complete
5f09bf1d31c1: Pull complete
1b6ff254abe7: Pull complete
74310a0bf42d: Pull complete
d398726627fd: Pull complete
Digest: sha256:d3418a353847c7b34e3b082d1ea35a9d12fd1244d3d841d8cfe076e72c216b00
Status: Downloaded newer image for core.harbor.domain:32388/test/mysql:5.7
core.harbor.domain:32388/test/mysql:5.7
[root@localhost ~]# docker images | grep mysql
core.harbor.domain:32388/test/mysql 5.7 718a6da099d8 2 years ago 448MB