Docker Harbor: a private image registry with its own UI


Introduction

  • Harbor is an open-source container image registry from VMware. It extends the Docker Registry with enterprise-level features, which has given it much wider adoption.
  • Harbor is deployed as a set of Docker containers, so it can run on any Linux distribution that supports Docker; the registry is its core component.
  • Compared with a plain registry, Harbor adds a graphical management interface, multi-user permissions, a role management mechanism and security mechanisms.
  • The server host must have Python, Docker and Docker Compose installed; Harbor's web environment depends on Python, so Python is required.

Harbor architecture and component introduction

Architecture introduction
Harbor has 6 main modules. By default each component is packaged as a Docker container, so Harbor can be deployed with Docker Compose; it then runs as 8 containers, which can be listed with docker-compose ps.



As shown in the figure above:
All requests go through the Proxy, which forwards them to the Core services and the Registry. The Core services provide the UI, token and webhook web services. The Registry stores the images. To pull or push an image, the client must first pass token verification and then fetch the image from, or upload it to, the Registry. Every pull or push generates a log record, which is collected by the Log collector; user identities and permissions, along with some image information, are stored in the Database.
Component introduction

  • Proxy: Receive requests from browsers and Docker clients uniformly through a front-end reverse proxy, and forward the requests to different back-end services
  • Registry: Responsible for storing Docker images and processing docker push/pull commands
  • Core services: Harbor’s core functions, including UI, webhook, and token services
  • Database: Provide database services for core services
  • Log collector: Responsible for collecting logs of other components for future analysis

Harbor configuration file and related parameters

Harbor's configuration file is: /usr/local/harbor/harbor.cfg
There are two types of parameters in this configuration file: required parameters and optional parameters
Required parameters
1. hostname

  • Used to access the user interface and the registry service.
  • It should be the IP address or fully qualified domain name (FQDN) of the target machine.
  • For example, 192.168.163.100 or test.com.
  • Do not use localhost or 127.0.0.1 as the host name.

2. ui_url_protocol (parameter options: http or https, the default is http)

  • The protocol used to access the UI and the token/notification services.
  • If Notary is enabled, this parameter must be https.

3. max_job_workers

  • The number of worker threads for image replication jobs.

4. db_password

  • The password of the root user of the MySQL database used for db_auth.

5. customize_crt

  • This property can be set to on or off; it is on by default.
  • When it is on, the prepare script generates a private key and root certificate for generating/verifying registry tokens.
  • When the key and root certificate are provided by an external source, set this property to off.

6. ssl_cert

  • The path of the SSL certificate; only applied when the protocol is set to https.

7. ssl_cert_key

  • The path of the SSL key; only applied when the protocol is set to https.

8. secretkey_path

  • The path of the key used to encrypt or decrypt the remote registry password in replication policies.
  • Configuring it is not recommended, as it carries a significant security risk.

Optional parameters
These parameters are optional for updates, that is, users can leave them at their default values and update them in the Web UI after starting Harbor.
Values entered in harbor.cfg take effect only when Harbor is started for the first time; if you update these parameters in harbor.cfg later, the changes are ignored.
Note: If you choose to set these parameters through the UI, make sure to do so immediately after starting Harbor. Specifically, the required settings must be in place before registering or creating any new users in Harbor.

1. auth_mode

  • When there are users in the system (except the default admin user), auth_mode cannot be modified.

2. Email

  • Harbor needs this parameter only to send "password reset" emails to users.
  • SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, then you should enable SSL by setting email_ssl = TRUE.

3. harbor_admin_password

  • The initial administrator password takes effect only when Harbor is started for the first time.
  • After that, this setting is ignored and the administrator's password should be changed in the UI.
  • The default username/password is admin/Harbor12345.

4. auth_mode

  • Type of authentication used
  • By default, it is db_auth, which means the credentials are stored in the database.
  • For LDAP authentication, set it to ldap_auth.

5. self_registration

  • Enable/disable user registration function.
  • When disabled, new users can only be created by the admin user; only administrator users can create new users in Harbor.
  • Note: When auth_mode is set to ldap_auth, the self-registration function will always be disabled, and the flag will be ignored.

6. token_expiration

  • The expiration time (minutes) of the token created by the token service. The default is 30 minutes.
  • That is, after logging in and then logging out, you can log in again within 30 minutes without entering a user name and password; after 30 minutes you must authenticate again.

7. project_creation_restriction

  • A flag that controls which users have the right to create projects.
  • By default, everyone can create a project.
  • If the value is set to "adminonly", then only admin can create projects.

8. verify_remote_cert

  • on or off; on by default.
  • This flag determines whether Harbor verifies the SSL/TLS certificate when it communicates with a remote registry instance.
  • Setting it to off bypasses SSL/TLS verification; this is commonly done when the remote instance has a self-signed or untrusted certificate.
  • By default, Harbor stores images on the local file system. In a production environment, consider using another storage backend instead of the local file system.
  • For example S3, OpenStack Swift, Ceph, etc. This requires updating the common/template/registry/config.yml file.
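As an added example (not Harbor's own tooling), the following Python script reads a harbor.cfg in the key = value format described above and flags the settings this section warns about: a localhost hostname, plain http, the default admin password, verify_remote_cert off, open self-registration under db_auth, and unrestricted project creation. The sample configuration embedded in it is constructed for illustration; it also assumes the defaults the section states (http, verify_remote_cert on, everyone may create projects).

```python
# Added example (not Harbor's own code): audit a harbor.cfg for the risky settings this section describes.

DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # initial admin password named on this page

def parse_cfg(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return (key, finding) pairs for settings a reviewer should flag."""
    findings = []
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append(("hostname", "must be the host IP or FQDN, not localhost/127.0.0.1"))
    if cfg.get("ui_url_protocol", "http").lower() != "https":
        findings.append(("ui_url_protocol", "plain http: clients must be told to trust "
                         "this registry; prefer https with ssl_cert/ssl_cert_key"))
    if cfg.get("harbor_admin_password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append(("harbor_admin_password", "default admin password still in use"))
    if cfg.get("verify_remote_cert", "on").lower() == "off":
        findings.append(("verify_remote_cert", "remote registry TLS certificates are not verified"))
    # self_registration is ignored under ldap_auth, so only flag it for db_auth
    if cfg.get("self_registration", "").lower() == "on" and cfg.get("auth_mode", "db_auth") == "db_auth":
        findings.append(("self_registration", "anyone can create an account"))
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        findings.append(("project_creation_restriction", "any user can create projects"))
    return findings

SAMPLE_CFG = """\
# constructed sample resembling the harbor.cfg used on this page
hostname = 127.0.0.1
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
verify_remote_cert = off
"""

if __name__ == "__main__":
    for key, msg in audit(parse_cfg(SAMPLE_CFG)):
        print(f"{key}: {msg}")
```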

Build a Harbor private registry

1. Build the environment

Host              Operating system   IP               Main software and version
Harbor (server)   CentOS 7           192.168.238.15   docker, docker-compose, harbor-offline-v1.1.2
client            CentOS 7           192.168.238.16   docker

Experiment preparation:
Install Docker and Docker Compose on the server and Docker on the client (see the table above).
Turn off the firewall.
Modify the host name.

2. Download the Harbor installer

Harbor: 192.168.238.15
Harbor package

1. Download online:
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz

2. Alternatively, download it with the link above, then unpack it:
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

3. Configure Harbor parameter file

Harbor: 192.168.238.15

vim /usr/local/harbor/harbor.cfg

Line 5:
hostname = 192.168.238.15

4. Start Harbor

Harbor: 192.168.238.15

sh /usr/local/harbor/install.sh

docker images

docker ps -a

cd /usr/local/harbor/
docker-compose ps    # reads docker-compose.yml and checks whether the application's containers are running normally; here it checks the state of the Harbor registry containers

5. The browser accesses the UI interface to create a project

Log in

Add a project


6. Test the registry function locally

Harbor: 192.168.238.15
You can log in and push images locally with Docker commands via 127.0.0.1. By default, the registry server listens on port 80.

  • Log in and view the saved credentials
docker login -u admin -p Harbor12345 http://127.0.0.1
  • Download the image for testing (take nginx as an example)
docker pull nginx
  • Tag the image
docker tag nginx 127.0.0.1/testproject/nginx:v1
  • Upload image to Harbor
docker push 127.0.0.1/testproject/nginx:v1
  • Verify that the push succeeded

7. Push an image from the client

client: 192.168.238.16

If another client pushes images to Harbor, it gets an error: the Docker Registry protocol uses HTTPS by default, but this private registry was set up over plain HTTP, so the client refuses to interact with it.


Specify the private registry address in the docker.service file, then reload systemd and restart Docker:

vim /usr/lib/systemd/system/docker.service

systemctl daemon-reload 
systemctl restart docker

docker login  -u admin -p Harbor12345 http://192.168.238.15


Push an image from the client

docker pull tomcat

docker images

docker tag tomcat 192.168.238.15/testproject/tomcat:v2

docker push 192.168.238.15/testproject/tomcat:v2

Maintaining and managing Harbor

You can manage Harbor with docker-compose. Some useful commands are shown below; they must be run in the same directory as docker-compose.yml.

Modifying the harbor.cfg configuration file: to change Harbor's configuration, first stop the running Harbor instance and update harbor.cfg; then run the prepare script to apply the configuration; finally, recreate and start the Harbor instance.

1. Stop the Harbor instance

cd /usr/local/harbor
docker-compose down -v

2. Modify the harbor.cfg configuration file

vim /usr/local/harbor/harbor.cfg

3. Run the prepare script to fill in the configuration

cd /usr/local/harbor
./prepare

4. Restart the service

docker-compose up -d

Create a Harbor user

This operation is performed in the UI in the browser.
Visit http://192.168.238.15 in the browser.


Create development members for the project


Test the newly created user on the client


Remove the Harbor service containers

Remove the Harbor service containers while keeping the image data and database
Harbor: 192.168.238.15

docker-compose down -v

# If you need to redeploy, remove all of the Harbor service containers' data
# Persistent data (images, database, etc.) lives under /data on the host; logs are under /var/log/Harbor on the host
rm -rf /data/database
rm -rf /data/registry