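1. Deployment overview
The official site describes three ways to deploy Harbor:
- Online installer: installs over the network; not covered in this article because of network speed and similar issues
- Offline installer: installs from an offline package
- OVA installer: deploys using VMware's own virtual machine technology; not covered in this article
Hardware and software requirements for deployment: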
| Resource | Capacity | Description |
| --- | --- | --- |
| CPU | minimal 2 CPU | 4 CPU is preferred |
| Mem | minimal 4GB | 8GB is preferred |
| Disk | minimal 40GB | 160GB is preferred |

| Software | Version | Description |
| --- | --- | --- |
| Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine | version 1.10 or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |
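2. Installation steps
Installation consists of the following three steps:
1. Download the software package;
2. Configure harbor.cfg;
3. Run install.sh to install Harbor
Download location for the installation files:
https://github.com/vmware/harbor/releases
After downloading, unpack the archive: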
$ tar xvf harbor-offline-installer-<version>.tgz
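Then edit the configuration file ./harbor/harbor.cfg.
The settings are divided into required and optional ones.
Required:
- hostname: the host name used to access the UI and the registry service; an IP address is recommended;
- ui_url_protocol: (http or https, default http) the http protocol;
- db_password: the MySQL password;
- max_job_workers: (default 3) the maximum number of workers in the job service;
- customize_crt: (on or off, default on) whether to create a private key;
- ssl_cert_key: whether to create a public key;
- secretkey_path: the path of the secret key;
- log_rotate_count: the number of log versions kept
- log_rotate_size: the log storage size
The optional settings are not covered in this article.
The official installation is very simple: once the configuration is done, run the install command and the installation completes automatically.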
$ sudo ./install.sh
After installation, the UI is reachable on port 80 of the deployment IP. Default administrator: admin/Harbor12345
After logging in with docker, images can be pushed to Harbor:
$ docker login reg.yourdomain.com
$ docker push reg.yourdomain.com/myproject/myrepo:mytag
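Notes:
1. On the Docker side, the configuration file /etc/sysconfig/docker must be modified: add the options "--selinux-enabled=false" and "--insecure-registry 172.16.7.48" to OPTIONS, otherwise the login does not succeed.
2. When pushing an image, the part of the name after the first separator following the registry must already exist as a project in Harbor, otherwise the push fails with "denied: requested access to the resource is denied". For example, before running "docker push 172.16.7.48/google_containers/pause-amd64:3.0", a project named google_containers must be created.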
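A pre-install check of the harbor.cfg values this section touches, as an added example (not part of the original article or of Harbor's installer). harbor_admin_password is the harbor.cfg key for the admin password, which the list above does not mention; the sample file is constructed.

```sh
# Added example: audit harbor.cfg for the weak settings mentioned in this section.

# cfg_get KEY FILE: print the value of the last "KEY = value" line.
# Commented-out lines ("#KEY = ...") never match; trailing blanks/CR are dropped.
cfg_get() {
  sed -n "s/^[[:blank:]]*$1[[:blank:]]*=[[:blank:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# audit_harbor_cfg FILE: print one finding per line (no output means no finding).
audit_harbor_cfg() (
  proto=$(cfg_get ui_url_protocol "$1")
  host=$(cfg_get hostname "$1")
  admin=$(cfg_get harbor_admin_password "$1")
  # http is the documented default, so a missing key is treated as http.
  [ "${proto:-http}" = "https" ] ||
    echo "ui_url_protocol=${proto:-http}: logins and pushes are not encrypted"
  # Harbor12345 is the default admin password quoted above.
  [ "$admin" != "Harbor12345" ] ||
    echo "harbor_admin_password: still the default value"
  case $host in
    ""|reg.mydomain.com|localhost|127.0.0.1)
      echo "hostname=${host:-unset}: placeholder or loopback, other hosts cannot use it" ;;
  esac
)

# Constructed sample input (not taken from a real deployment).
sample_cfg() {
  cat <<'EOF'
# constructed harbor.cfg excerpt
hostname = 172.16.7.48
ui_url_protocol = http
#ui_url_protocol = https
harbor_admin_password = Harbor12345
EOF
}

tmp=$(mktemp) && sample_cfg > "$tmp" && audit_harbor_cfg "$tmp"; rm -f "$tmp"
```

With ui_url_protocol set to https, the "--insecure-registry" option from note 1 is no longer needed on clients that trust the certificate.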
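3. Walkthrough of the installation code
First, the code of install.sh.
install.sh is very simple. It starts by checking that the installation environment is complete: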
h2 "[Step $item]: checking installation environment ..."; let item+=1
check_docker
check_dockercompose
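It then checks the optional installation options chosen by the user and calls the Python script named prepare in the same directory to prepare the environment. That script mainly validates and automatically prepares the database, dependencies and so on; its code is not analyzed here.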
h2 "[Step $item]: preparing environment ..."; let item+=1
if [ -n "$host" ]
then
    sed "s/^hostname = .*/hostname = $host/g" -i ./harbor.cfg
fi
prepare_para=
if [ $with_notary ] && [ ! $harbor_ha ]
then
    prepare_para="${prepare_para} --with-notary"
fi
if [ $with_clair ]
then
    prepare_para="${prepare_para} --with-clair"
fi
if [ $harbor_ha ]
then
    prepare_para="${prepare_para} --ha"
fi
./prepare $prepare_para
echo ""
Finally it uses docker-compose to complete the installation and verifies that the installation is correct:
h2 "[Step $item]: starting Harbor ..."
if [ $harbor_ha ]
then
    mv docker-compose.yml docker-compose.yml.bak
    cp ha/docker-compose.yml docker-compose.yml
    mv docker-compose.clair.yml docker-compose.clair.yml.bak
    cp ha/docker-compose.clair.yml docker-compose.clair.yml
fi
docker-compose $docker_compose_list up -d
protocol=http
hostname=reg.mydomain.com
if [[ $(cat ./harbor.cfg) =~ ui_url_protocol[[:blank:]]*=[[:blank:]]*(https?) ]]
then
    protocol=${BASH_REMATCH[1]}
fi
if [[ $(grep 'hostname[[:blank:]]*=' ./harbor.cfg) =~ hostname[[:blank:]]*=[[:blank:]]*(.*) ]]
then
    hostname=${BASH_REMATCH[1]}
fi
echo ""
success $"----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at ${protocol}://${hostname}.
For more details, please visit https://github.com/vmware/harbor .
"
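Next, the docker-compose YAML file.
The log container is started first and takes over the collection of all logs. As a result, using the docker logs command to view a container's log produces an error: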
"logs" command is supported only for "json-file" and "journald" logging drivers (got: syslog)
This error is expected. To view the Harbor logs, read the /var/log/harbor/*.log files on the deployment machine directly.
The log container is configured as follows:
log:
  image: vmware/harbor-log:v1.4.0
  container_name: harbor-log
  restart: always
  volumes:
    - /var/log/harbor/:/var/log/docker/:z
    - ./common/config/log/:/etc/logrotate.d/:z
  ports:
    - 127.0.0.1:1514:10514
  networks:
    - harbor
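After the log container is up, the other containers are started one after another, and the configuration files initialized earlier are placed into them through volume mounts. There are many containers, so only one is shown as an example: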
adminserver:
  image: vmware/harbor-adminserver:v1.4.0
  container_name: harbor-adminserver
  env_file:
    - ./common/config/adminserver/env
  restart: always
  volumes:
    - /data/config/:/etc/adminserver/config/:z
    - /data/secretkey:/etc/adminserver/key:z
    - /data/:/data/:z
  networks:
    - harbor
  depends_on:
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "adminserver"
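The configuration above shows that the containers use a Docker network named harbor and that the logging driver is syslog.
Note that if the network has not been created, docker creates it automatically.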
Pull image from Harbor in Kubernetes
Kubernetes users can easily deploy pods with images stored in Harbor. The settings are similar to those of any other private registry. There are two major issues:
- When your Harbor instance is hosting http and the certificate is self-signed, you need to modify daemon.json on each worker node of your cluster. For details, please refer to: https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
- If your pod references an image under a private project, you need to create a secret with the credentials of a user who has permission to pull images from this project. For details, refer to: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
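The pull secret from the second point, as an added example (not from the original page or from the Harbor project): it builds the kubernetes.io/dockerconfigjson Secret and a pod that references it. The secret name harbor-pull, the account puller and the password are placeholders; the registry address and image are the ones used earlier on this page.

```sh
# Added example: build the image pull secret for a private Harbor project.

# json_escape STRING: escape backslashes and double quotes for a JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# b64 STRING: base64 on a single line (base64 wraps long output by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# pull_secret_manifest NAME NAMESPACE REGISTRY USER PASSWORD
# Prints a Secret of type kubernetes.io/dockerconfigjson.
pull_secret_manifest() (
  user=$(json_escape "$4")
  pass=$(json_escape "$5")
  auth=$(b64 "$4:$5")          # basic-auth token uses the raw, unescaped values
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$3" "$user" "$pass" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$cfg")
EOF
)

# pod_manifest NAME IMAGE SECRET: a pod that pulls IMAGE using SECRET.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
    - name: $1
      image: $2
  imagePullSecrets:
    - name: $3
EOF
}

# Constructed values: account and password are placeholders.
pull_secret_manifest harbor-pull default 172.16.7.48 puller 'CHANGE-ME'
echo "---"
pod_manifest pause 172.16.7.48/google_containers/pause-amd64:3.0 harbor-pull
```

The data field is base64, not encryption, so the generated manifest needs the same handling as the password itself.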