Part 1. Docker registries: the distributed Harbor registry
Harbor is an enterprise-class registry server for storing and distributing Docker images, open-sourced by VMware. It extends the open-source Docker Distribution with features enterprises need, such as security, identity and management. As an enterprise private registry server, Harbor offers better performance and security, and makes transferring images between build and runtime environments through the registry more efficient. Harbor can replicate image resources across multiple registry nodes while every image stays in the private registry, keeping data and intellectual property under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.
VMware's official open-source project list: https://vmware.github.io/harbor/cn/
Harbor's official GitHub repository: https://github.com/vmware/harbor
Harbor's official website: https://goharbor.io/
1.1 Installation and verification
Download: https://github.com/vmware/harbor/releases
1.1.1 Install Docker
root@ubuntu-node1:~# curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
root@ubuntu-node1:~# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
root@ubuntu-node1:~# apt-get -y update
root@ubuntu-node1:~# apt-cache madison docker-ce
root@ubuntu-node1:~# apt-get -y install docker-ce=18.06.3~ce~3-0~ubuntu
1.1.2 Install docker-compose
root@ubuntu-node1:~# apt install python-pip -y
root@ubuntu-node1:~# pip install --upgrade pip
root@ubuntu-node1:~# pip install docker-compose
1.1.3 Download and install Harbor
root@ubuntu-node1:/usr/local# cd src/
root@ubuntu-node1:/usr/local/src# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.6.tgz
root@ubuntu-node1:/usr/local/src# tar xf harbor-offline-installer-v1.7.6.tgz
root@ubuntu-node1:/usr/local/src# ln -sv /usr/local/src/harbor /usr/local/
root@ubuntu-node1:/usr/local/src# cd /usr/local/harbor
1.1.4 Edit the configuration file
root@ubuntu-node1:/usr/local/harbor# grep "^[a-zA-Z]" harbor.cfg
hostname = 10.10.100.141 # access address; a domain name can be used instead of the IP
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
# HTTPS certificate; not needed if HTTPS is not used
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry
# mail settings
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
# default Harbor login password
harbor_admin_password = 12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
# database settings
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
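Before running the installer it is worth checking the values above for the settings that weaken the registry: a plain-HTTP UI (ui_url_protocol = http), a short admin or database password, open self-registration and unrestricted project creation. The script below is an added example, not part of the article or of Harbor itself. It assumes the "key = value" layout of the Harbor 1.x harbor.cfg shown above; write_sample_cfg writes a constructed file carrying the article's own values so the audit can be run without a Harbor install.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Harbor 1.x harbor.cfg
# for settings that weaken the registry before ./install.sh bakes them in.
# Assumes the "key = value" layout shown in the article.

# cfg_get FILE KEY: print KEY's value with any trailing "# comment" and
# whitespace removed; prints nothing if the key is absent.
cfg_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//'
}

# audit_harbor_cfg FILE: print one finding per line; prints nothing when clean.
audit_harbor_cfg() {
    f=$1
    proto=$(cfg_get "$f" ui_url_protocol)
    if [ "$proto" != "https" ]; then
        echo "ui_url_protocol=$proto: logins and image layers cross the network in cleartext; set https and ssl_cert/ssl_cert_key"
    fi
    pw=$(cfg_get "$f" harbor_admin_password)
    if [ "$pw" = "Harbor12345" ] || [ "${#pw}" -lt 12 ]; then
        echo "harbor_admin_password is the shipped default or shorter than 12 characters; set a unique admin password"
    fi
    dbpw=$(cfg_get "$f" db_password)
    if [ "${#dbpw}" -lt 12 ]; then
        echo "db_password is shorter than 12 characters; set a long random value"
    fi
    if [ "$(cfg_get "$f" self_registration)" = "on" ]; then
        echo "self_registration=on: anyone who can reach the UI can create an account; set off unless intended"
    fi
    if [ "$(cfg_get "$f" project_creation_restriction)" = "everyone" ]; then
        echo "project_creation_restriction=everyone: any user can create projects; consider adminonly"
    fi
    if [ "$(cfg_get "$f" auth_mode)" = "ldap_auth" ] && [ "$(cfg_get "$f" ldap_verify_cert)" != "true" ]; then
        echo "ldap_verify_cert is not true while auth_mode=ldap_auth: the LDAP server certificate is not checked"
    fi
    if [ "$(cfg_get "$f" email_insecure)" = "true" ]; then
        echo "email_insecure=true: the SMTP server certificate is not checked"
    fi
}

# write_sample_cfg FILE: constructed sample carrying the article's values.
write_sample_cfg() {
    cat > "$1" <<'EOF'
hostname = 10.10.100.141 # access address
ui_url_protocol = http
harbor_admin_password = 12345
auth_mode = db_auth
ldap_verify_cert = true
self_registration = on
project_creation_restriction = everyone
db_password = root123
email_insecure = false
EOF
}

# Stand-alone run: audit the constructed sample (five findings expected).
sample=$(mktemp)
write_sample_cfg "$sample"
audit_harbor_cfg "$sample"
rm -f "$sample"
```

Against a real install, run audit_harbor_cfg /usr/local/harbor/harbor.cfg before ./install.sh; the checks are deliberately simple string comparisons so they stay readable, and the password-length checks are a floor, not a policy.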
1.1.5 Run the install script
root@ubuntu-node1:/usr/local/harbor# ./install.sh
root@ubuntu-node1:/usr/local/harbor# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-core /harbor/start.sh Up (healthy)
harbor-db /entrypoint.sh postgres Up (healthy) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (unhealthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 80/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Up (healthy)
1.1.6 Access the Harbor web UI
The default administrator account is admin; the password is the default password set in the configuration file above.
Create a new project and set it to public.
1.1.7 Verify pushing and pulling images with Docker against the Harbor registry
Note: if Harbor is configured with HTTPS, the local Docker daemon does not need insecure-registries and can access it directly.
root@docker-node1:~# vim /etc/docker/daemon.json
{
"insecure-registries": ["10.10.100.141"]
}
# restart Docker after the change
root@docker-node1:~# systemctl restart docker
# log in to the Harbor registry
root@docker-node1:~# docker login 10.10.100.141
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
1.1.7.1 Push an image
**To push an image to Harbor, the image must first be re-tagged; an image whose name does not follow the required format cannot be pushed to the Harbor registry. The format is: Harbor IP/project name/image name:tag**
root@docker-node1:~# docker tag nginx-alpine:v1 10.10.100.141/web/nginx-alpine:v1
root@docker-node1:~# docker push 10.10.100.141/web/nginx-alpine:v1
The push refers to repository [10.10.100.141/web/nginx-alpine]
ddc309cf59d3: Pushed
9969af496b6e: Pushed
4b86e0a77a34: Pushed
2ec87f690297: Pushed
934c77b2ea92: Pushed
d07dbd491380: Pushed
eea6ac42165e: Pushed
f1dd685eb59e: Pushed
v1: digest: sha256:e6595a10e3a81a904b6208111e8fca1c02017ebbde0af19e6cbc8da262e79a4c size: 1994
Log in to the Harbor UI to see the image just pushed.
1.1.7.2 Pull an image
Pull the image just pushed from another Docker server.
root@ubuntu-node1:~# vim /etc/docker/daemon.json
{
"insecure-registries": ["10.10.100.141"]
}
root@ubuntu-node1:~# systemctl restart docker
root@ubuntu-node1:~# docker pull 10.10.100.141/web/nginx-alpine:v1
v1: Pulling from web/nginx-alpine
4e9f2cdf4387: Pull complete
7a753d57e56e: Pull complete
bb84b807b575: Pull complete
3647e32e5f4b: Pull complete
736998b92547: Pull complete
7bdf93fd3edc: Pull complete
9a79e359db13: Pull complete
43373424221d: Pull complete
Digest: sha256:e6595a10e3a81a904b6208111e8fca1c02017ebbde0af19e6cbc8da262e79a4c
Status: Downloaded newer image for 10.10.100.141/web/nginx-alpine:v1
root@ubuntu-node1:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.10.100.141/web/nginx-alpine v1 1e6b3b403914 47 hours ago 216MB
Part 2. Harbor high availability
2.1 How high availability is implemented
Harbor supports policy-based replication of Docker images, similar to MySQL master-slave replication: it can synchronize images between different data centers and different runtime environments and provides a friendly management UI, which greatly simplifies image management in day-to-day operations. Many internet companies already use Harbor to build internal Docker registries, and there are cases of bidirectional replication as well. This article deploys one-way replication.
2.2 Implement one-way replication
Install Harbor on 10.10.100.142 and set up one-way replication from the 10.10.100.141 Harbor installed above to 142.
After installation, log in to Harbor.
Log in to the web UI and create the web project.
2.2.1 Create the replication target
In the primary registry's management UI, create the target to replicate to.
2.2.2 Create a replication rule
2.2.3 Check the replication status on the primary
2.2.4 View the images on the secondary Harbor
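Seeing the repository listed on the secondary Harbor shows that replication ran; comparing manifest digests shows that it delivered the same image. The script below is an added example, not part of the article or of Harbor: it asks each host's Docker Registry v2 API for the manifest of a tag and compares the Docker-Content-Digest headers, which should equal the digest docker push printed above. Assumptions: both Harbors accept HTTP basic auth on /v2/ for the user in HARBOR_USER and HARBOR_PASS (set by the caller), and the scheme is https unless SCHEME is overridden (the article's install uses http). The header text in the stand-alone run is constructed from the digest shown in the push.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a replicated tag
# on the secondary Harbor has the same manifest digest as on the primary.

# digest_from_headers: read HTTP response headers on stdin and print the
# Docker-Content-Digest value (empty if the header is absent).
digest_from_headers() {
    tr -d '\r' | awk 'tolower($1) == "docker-content-digest:" { print $2; exit }'
}

# manifest_digest HOST REPO TAG: fetch the manifest headers for REPO:TAG from
# HOST and print the digest. Requesting the schema-2 manifest keeps the digest
# equal to the one docker push/pull printed. Assumes basic auth on /v2/.
manifest_digest() {
    curl -sS -I -u "${HARBOR_USER:?set HARBOR_USER}:${HARBOR_PASS:?set HARBOR_PASS}" \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "${SCHEME:-https}://$1/v2/$2/manifests/$3" | digest_from_headers
}

# replicas_match DIGEST_A DIGEST_B: succeed only when both are non-empty and equal.
replicas_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Stand-alone run on a constructed header block carrying the article's digest.
sample_headers='HTTP/1.1 200 OK
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:e6595a10e3a81a904b6208111e8fca1c02017ebbde0af19e6cbc8da262e79a4c
Content-Length: 1994
'
printf '%s' "$sample_headers" | digest_from_headers
```

To check the replicated tag from this article: export HARBOR_USER and HARBOR_PASS, set SCHEME=http if the Harbors still run without TLS, then run replicas_match "$(manifest_digest 10.10.100.141 web/nginx-alpine v1)" "$(manifest_digest 10.10.100.142 web/nginx-alpine v1)" && echo replicated. A mismatch or an empty digest (for example a 401 because the replication user lacks pull rights on the project) is worth investigating before trusting the secondary as a pull source.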
2.3 Implement bidirectional replication
2.3.1 Create a replication rule on the secondary Harbor
The rule is configured the same way as on the primary Harbor: enter the peer's IP plus username and password, then click Test Connection and confirm that the connection test passes.