- Harbor architecture and component introduction
- Harbor configuration file and related parameters
- Build a Harbor private registry
- 1. Build the environment
- 2. Download the Harbor installer
- 3. Configure the Harbor parameter file
- 4. Start Harbor
- 5. Access the UI in a browser and create a project
- 6. Test the registry function locally
- 7. Push an image from a client
- Harbor maintenance and management
- 1. Stop the Harbor instance
- 2. Modify the harbor.cfg configuration file
- 3. Run the prepare script to fill in the configuration
- 4. Restart the service
- Create a Harbor user
- Remove the Harbor service containers
- Harbor is an open source container image registry from VMware. Harbor extends the Docker Registry with enterprise-level features, which has given it much wider adoption.
- Harbor is deployed as a set of Docker containers, so it can run on any Linux distribution that supports Docker; the registry is its core component.
- Compared with a bare registry, Harbor has the following advantages: it supports many additional functions, graphical management, multi-user permissions, a role management mechanism, and security mechanisms.
- The server host needs Python, Docker and Docker Compose installed. The installation scripts require Python, so Python must be installed.
Harbor architecture and component introduction
Harbor mainly consists of 6 major modules. By default, each Harbor component is packaged as a Docker container, so Harbor can be deployed with Docker Compose; it runs as 8 containers, which can be viewed with docker-compose ps.
As shown in the figure above:
All requests pass through the Proxy, which forwards them to the Core services and the Registry. The Core services include the UI, the token service and the webhook service. The Registry provides image storage. To pull or push an image, the client must first pass token verification and only then fetch the image from, or upload it to, the Registry. Every pull or push generates a log record, which is collected by the Log collector; user identities, permissions and image-related information are stored in the Database.
- Proxy: a front-end reverse proxy that receives requests from browsers and Docker clients and forwards them to the different back-end services
- Registry: stores Docker images and handles docker push/pull commands
- Core services: Harbor's core functions, including the UI, webhook and token services
- Database: provides database services for the core services
- Log collector: collects the logs of the other components for later analysis
Harbor configuration file and related parameters
Harbor's configuration file is /usr/local/harbor/harbor.cfg.
The configuration file contains two kinds of parameters: required parameters and optional parameters.
Required parameters
1. hostname
- Used to access the user interface and the registry service.
- It should be the IP address or fully qualified domain name (FQDN) of the target machine.
- For example, 192.168.163.100 or test.com.
- Do not use localhost or 127.0.0.1 as the hostname.
2. ui_url_protocol (options: http or https; the default is http)
- The protocol used to access the UI and the token/notification services.
- If Notary is enabled, this parameter must be https.
3. max_job_workers
- The number of worker threads for image replication jobs.
4. db_password
- The root password of the MySQL database used for db_auth.
5. customize_crt (on or off; the default is on)
- When this property is on, the prepare script creates a private key and root certificate for generating and verifying registry tokens.
- Set this property to off when the key and root certificate are supplied by an external source.
6. ssl_cert
- The path of the SSL certificate; only applied when the protocol is set to https.
7. ssl_cert_key
- The path of the SSL key; only applied when the protocol is set to https.
8. secretkey_path
- The path of the key used to encrypt or decrypt the password of a remote registry in a replication policy.
- Configuring it is not recommended: it carries a significant security risk.
Optional parameters
These parameters are optional for updates: users can leave them at their default values and update them in the Web UI after starting Harbor.
Values entered in harbor.cfg take effect only when Harbor is started for the first time; if you update these parameters in harbor.cfg later, the changes are ignored.
Note: if you choose to set these parameters through the UI, do so immediately after starting Harbor. In particular, the desired settings must be in place before registering or creating any new users in Harbor: once there are users in the system (other than the default admin user), auth_mode cannot be changed.
1. Email settings
- Harbor needs these parameters to send "password reset" emails to users, and they are needed only for that.
- SSL connection is not enabled by default. If the SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = TRUE.
2. harbor_admin_password
- The administrator's initial password; it takes effect only when Harbor is started for the first time.
- After that, this setting is ignored and the administrator's password should be set in the UI.
- The default username/password is admin/Harbor12345.
3. auth_mode
- The type of authentication used.
- By default it is db_auth, which means the credentials are stored in the database.
- For LDAP authentication, set it to ldap_auth.
4. self_registration
- Enables or disables the user self-registration function.
- When disabled, new users can only be created by the Admin user; only administrator users can create new users in Harbor.
- Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.
5. token_expiration
- The expiration time (in minutes) of tokens created by the token service. The default is 30 minutes.
- That is, after logging in, you can log in again within 30 minutes without entering a user name and password; after 30 minutes you must authenticate again.
6. project_creation_restriction
- A flag that controls which users have the right to create projects.
- By default, everyone can create a project.
- If the value is set to "adminonly", only admin can create projects.
7. verify_remote_cert
- on or off; the default is on.
- This flag determines whether Harbor verifies the SSL/TLS certificate when communicating with a remote registry instance.
- Setting it to off bypasses SSL/TLS verification, which is often used when the remote instance has a self-signed or untrusted certificate.
Storage backend
- By default, Harbor stores images on the local file system. In a production environment, consider using another storage backend instead of the local file system.
- For example S3, OpenStack Swift, Ceph, etc.; this requires updating the common/template/registry/config.yml file.
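To make the parameters above actionable, here is an added shell example (it is not part of Harbor) that reads a harbor.cfg and flags the settings a reviewer would question before running ./prepare: http instead of https, the shipped admin password, open self-registration, unrestricted project creation, and disabled remote certificate verification. The parameter names are the ones listed above; the HARBOR_CFG environment variable and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not Harbor's own code: audit a harbor.cfg against the
# parameters described above and report settings that weaken the registry.
# Usage: HARBOR_CFG=/usr/local/harbor/harbor.cfg sh harbor_cfg_audit.sh

# cfg_get FILE KEY: print the value of the first "KEY = value" line in FILE.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# lower STRING: lowercase, so on/On/ON compare equal.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

FINDINGS=0
note() {
    echo "FINDING: $1"
    FINDINGS=$((FINDINGS + 1))
}

# audit_harbor_cfg FILE: print one line per finding; the return value is the
# number of findings (0 means every checked parameter is in a safe state).
audit_harbor_cfg() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "cannot read $f" >&2
        return 255
    fi
    FINDINGS=0

    # hostname: must be the IP/FQDN clients use; localhost breaks remote access
    case "$(lower "$(cfg_get "$f" hostname)")" in
        ""|localhost|127.0.0.1)
            note "hostname must be the host IP or FQDN, not localhost or 127.0.0.1" ;;
    esac

    # ui_url_protocol: with http, docker login sends the admin credentials in clear text
    proto=$(lower "$(cfg_get "$f" ui_url_protocol)")
    if [ "${proto:-http}" != https ]; then
        note "ui_url_protocol is ${proto:-http}; use https (credentials travel in clear text over http)"
    else
        [ -n "$(cfg_get "$f" ssl_cert)" ] || note "ui_url_protocol is https but ssl_cert is empty"
        [ -n "$(cfg_get "$f" ssl_cert_key)" ] || note "ui_url_protocol is https but ssl_cert_key is empty"
    fi

    # harbor_admin_password: the shipped default is public knowledge
    if [ "$(cfg_get "$f" harbor_admin_password)" = "Harbor12345" ]; then
        note "harbor_admin_password is the default Harbor12345"
    fi

    # self_registration: with db_auth and self_registration on, anyone who can
    # reach the UI can create an account for themselves
    auth=$(lower "$(cfg_get "$f" auth_mode)")
    selfreg=$(lower "$(cfg_get "$f" self_registration)")
    if [ "${auth:-db_auth}" = db_auth ] && [ "${selfreg:-on}" = on ]; then
        note "self_registration is on with db_auth; set it to off so only admins create users"
    fi

    # project_creation_restriction: everyone (the default) lets any user create projects
    pcr=$(lower "$(cfg_get "$f" project_creation_restriction)")
    if [ "${pcr:-everyone}" = everyone ]; then
        note "project_creation_restriction is everyone; consider adminonly"
    fi

    # verify_remote_cert: off disables TLS verification toward replication targets
    vrc=$(lower "$(cfg_get "$f" verify_remote_cert)")
    if [ "${vrc:-on}" = off ]; then
        note "verify_remote_cert is off; replication targets are not authenticated"
    fi

    return "$FINDINGS"
}

# Run against a real file only when HARBOR_CFG is set, so the functions above
# can also be sourced and called individually.
if [ -n "${HARBOR_CFG:-}" ]; then
    audit_harbor_cfg "$HARBOR_CFG"
    echo "findings: $FINDINGS"
fi
```

Run it before ./prepare and again after every harbor.cfg change; a non-zero exit code is the number of findings, so it can gate a deployment script.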
Build a Harbor private registry
1. Build the environment
| Host | Operating system | IP | Main software and version |
| --- | --- | --- | --- |
| Harbor (server) | CentOS 7 | 192.168.238.15 | docker, docker-compose, harbor-offline-v1.1.2 |
Install Docker and docker-compose on the server.
Turn off the firewall.
Modify the host name.
2. Download the Harbor installer
1. Download online:
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
2. Alternatively, download the package through the link above, then extract it:
tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
3. Configure the Harbor parameter file
vim /usr/local/harbor/harbor.cfg
Line 5: hostname = 192.168.238.15
4. Start Harbor
sh /usr/local/harbor/install.sh
docker images
docker ps -a
cd /usr/local/harbor/
docker-compose ps
docker-compose ps reads docker-compose.yml and checks whether the application's containers are running normally; here it shows the running state of the Harbor registry containers.
5. Access the UI in a browser and create a project
6. Test the registry function locally
You can use Docker commands to log in and push images locally through 127.0.0.1. By default, the registry server listens on port 80.
- Log in and view the credentials
docker login -u admin -p Harbor12345 http://127.0.0.1
- Pull an image for testing (nginx as an example)
docker pull nginx
- Tag the image
docker tag nginx 127.0.0.1/testproject/nginx:v1
- Push the image to Harbor
docker push 127.0.0.1/testproject/nginx:v1
- Verify that the push succeeded
7. Push an image from a client
If another client pushes images to Harbor, it gets an error: Docker Registry interaction uses HTTPS by default, but this private registry was built with the HTTP service, so interacting with it fails.
Specify the private registry address in the docker.service file:
vim /usr/lib/systemd/system/docker.service
systemctl daemon-reload
systemctl restart docker
docker login -u admin -p Harbor12345 http://192.168.238.15
Push an image from the client:
docker pull tomcat
docker images
docker tag tomcat 192.168.238.15/testproject/tomcat:v2
docker push 192.168.238.15/testproject/tomcat:v2
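The docker.service edit above tells the Docker daemon to treat 192.168.238.15 as an insecure registry (the daemon's --insecure-registry flag; the insecure-registries key in daemon.json is the equivalent), which is why the HTTP login then works: the client stops requiring a verified TLS connection, so the admin credentials and the image layers cross the network in clear text. The added shell example below, which is not part of Harbor or Docker, contrasts that setting with the hardened alternative of running Harbor with ui_url_protocol = https and trusting its CA through /etc/docker/certs.d/<host>/ca.crt, and includes a check that reports which mode is in effect for a host. The function names and the scratch paths used for testing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Harbor's or Docker's own code: the two ways to make a Docker
# client accept a private registry, plus a check that reports which one is active.
# Paths are parameters so the functions can be exercised against a scratch directory.

# insecure_registry_daemon_json HOST: daemon.json that lists HOST under
# "insecure-registries". This is the daemon.json form of the --insecure-registry
# setting the page adds to docker.service: the client then talks plain HTTP (or
# skips certificate verification) to HOST, so logins cross the network in clear text.
insecure_registry_daemon_json() {
    printf '{\n  "insecure-registries": ["%s"]\n}\n' "$1"
}

# install_registry_ca HOST CA_PEM [CERTS_DIR]: the hardened alternative. Run
# Harbor with ui_url_protocol = https and install the CA that signed its
# certificate as <CERTS_DIR>/<HOST>/ca.crt (dockerd's default CERTS_DIR is
# /etc/docker/certs.d); TLS stays verified and no insecure-registries entry is needed.
install_registry_ca() {
    host=$1; ca_pem=$2; certs_dir=${3:-/etc/docker/certs.d}
    if [ ! -r "$ca_pem" ]; then
        echo "CA file not readable: $ca_pem" >&2
        return 1
    fi
    mkdir -p "$certs_dir/$host"
    chmod 0755 "$certs_dir/$host"
    cp "$ca_pem" "$certs_dir/$host/ca.crt"
    chmod 0644 "$certs_dir/$host/ca.crt"
    echo "$certs_dir/$host/ca.crt"
}

# registry_trust_mode HOST [DAEMON_JSON] [CERTS_DIR]: prints
#   insecure   - HOST is in insecure-registries (plain HTTP / unverified TLS)
#   pinned-ca  - a ca.crt is installed for HOST (TLS verified against that CA)
#   system-ca  - neither; TLS is verified against the system trust store
registry_trust_mode() {
    host=$1; daemon_json=${2:-/etc/docker/daemon.json}; certs_dir=${3:-/etc/docker/certs.d}
    # Extract only the insecure-registries array, so a host named elsewhere in
    # daemon.json (for example under registry-mirrors) is not misreported.
    if [ -r "$daemon_json" ] && tr -d '\n' < "$daemon_json" \
        | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
        | grep -qF "\"$host\""; then
        echo insecure
        return 0
    fi
    if [ -r "$certs_dir/$host/ca.crt" ]; then
        echo pinned-ca
        return 0
    fi
    echo system-ca
}
```

On a client, `registry_trust_mode 192.168.238.15` reporting `insecure` is the condition the page creates; after switching Harbor to https and running `install_registry_ca`, the same call reports `pinned-ca` and the insecure-registries entry can be dropped.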
Harbor maintenance and management
You can use docker-compose to manage Harbor. Some useful commands are shown below; they must be run in the same directory as docker-compose.yml.
Modifying the harbor.cfg configuration file: when changing Harbor's configuration file, first stop the existing Harbor instance and update harbor.cfg; then run the prepare script to fill in the configuration; finally, recreate and start the Harbor instance.
1. Stop the Harbor instance
cd /usr/local/harbor
docker-compose down -v
2. Modify the harbor.cfg configuration file
3. Run the prepare script to fill in the configuration
cd /usr/local/harbor
./prepare
4. Restart the service
docker-compose up -d
Create a Harbor user
This operation is performed in the browser UI.
Open http://192.168.238.15 in a browser.
Add a developer member to the project.
Test the newly created user from the client.
Remove the Harbor service containers
Remove the Harbor service containers while keeping the image data and database:
docker-compose down -v
# To redeploy from scratch, all Harbor service data must be removed as well.
# Persistent data (images, database, etc.) lives under /data on the host; logs are under /var/log/Harbor on the host.
rm -rf /data/database
rm -rf /data/registry