Docker Private Registry Deployment and Management
Structure of this chapter:
Introduction to Harbor
Deploying the Docker Compose service on which Harbor depends
Deploy Harbor Service
Harbor Daily Operations Management
Harbor Management Life Cycle
Introduction to Harbor
Harbor is an open source enterprise-grade Docker Registry project from VMware.
Advantages of Harbor
Role-based access control
Image replication policies
Support for LDAP directory services / AD domain services
Image deletion and garbage collection
Graphical UI (accessible through a web interface)
Audit logging
RESTful API
Harbor architecture composition
Proxy:
Receives browser and Docker client requests through a single front-end reverse proxy and forwards them to the different back-end services
Registry:
Stores the Docker images and handles docker push/pull commands
Core services:
The core features of Harbor, including the UI, webhooks and the token service
Database: mysql
Provides database services for the core services
Log collector:
Collects the logs of the other components for later analysis
Docker private registry architecture topology:
Process description:
Before accessing the registry, the user authenticates against the Core service with an account (the UI provides the web interface). After the first successful login, the token service issues an authentication token; later requests carry that token and go to the registry directly to look up the image. If the image name does not exist, the request returns with no image (the image is downloaded from the public hub instead). If it exists, the registry uses a webhook callback to send the information back, and it is finally returned to the client. All operations are recorded by the log collector.
Terminology
webhook:
Callback mechanism used between microservices
Token generation:
1. The server issues a serial number, which the server itself verifies on later requests.
2. A string is generated from the client's MAC address. Each time it is passed as a parameter, the server verifies the MAC address; if it has been validated before, the request passes directly.
database:
Stores user information, including permissions, and image attribute information
Deploy Harbor Service
Download the Harbor installer:
```
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
tar xvf harbor-offline-installer-v1.2.2.tgz -C /usr/local
```
Configure the Harbor parameter file:
The parameters are in the file /usr/local/harbor/harbor.cfg
Required Harbor parameters:
hostname, ui_url_protocol, max_job_workers
db_password, customize_crt, ssl_cert, ssl_cert_key
secretkey_path
Optional Harbor parameters:
E-mail settings, harbor_admin_password, auth_mode
self_registration, token_expiration
project_creation_restriction, verify_remote_cert
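The parameter lists above are what install.sh expects to find in harbor.cfg. The script below is an added example, not part of the original tutorial or of Harbor itself: it checks a harbor.cfg for the required keys and flags the settings a reviewer should not let through to production (the installer's default admin password, plain HTTP for the UI, and open self-registration). The sample harbor.cfg it writes is constructed here; its values resemble the defaults shipped with the 1.2.2 installer but are illustrative.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a harbor.cfg before
# running install.sh. The sample config written by write_sample_cfg is constructed.

# Keys harbor.cfg must define (the required-parameter list above).
REQUIRED_KEYS="hostname ui_url_protocol max_job_workers db_password customize_crt ssl_cert ssl_cert_key secretkey_path"

# cfg_get FILE KEY -> prints the value of the first "KEY = value" line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# audit_harbor_cfg FILE -> prints one line per finding ("MISSING key" or
# "WEAK key reason"); prints "OK" when there are none. Always returns 0 so it
# can be used inside command substitutions under set -e.
audit_harbor_cfg() {
    file=$1; findings=0
    for key in $REQUIRED_KEYS; do
        if ! grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
            echo "MISSING $key"; findings=$((findings + 1))
        fi
    done
    # The installer's default admin password must not survive into production.
    if [ "$(cfg_get "$file" harbor_admin_password)" = "Harbor12345" ]; then
        echo "WEAK harbor_admin_password default value"; findings=$((findings + 1))
    fi
    # With plain HTTP, docker login sends the password over the wire in clear text.
    if [ "$(cfg_get "$file" ui_url_protocol)" = "http" ]; then
        echo "WEAK ui_url_protocol http (credentials sent in clear text)"; findings=$((findings + 1))
    fi
    # Open self-registration lets anyone reaching the UI create an account.
    if [ "$(cfg_get "$file" self_registration)" = "on" ]; then
        echo "WEAK self_registration on"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo OK
    return 0
}

# write_sample_cfg FILE -> writes a constructed harbor.cfg (illustrative values).
write_sample_cfg() {
    cat > "$1" <<'EOF'
## Constructed sample harbor.cfg for the audit example
hostname = 192.168.18.128
ui_url_protocol = http
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
db_password = root123
EOF
}

# Usage: write_sample_cfg /tmp/harbor.cfg && audit_harbor_cfg /tmp/harbor.cfg
```

Run it against the real /usr/local/harbor/harbor.cfg before the install step; every WEAK line corresponds to a setting the demo below leaves at its default.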
Start and install Harbor:
```
[root@localhost harbor]# sh /usr/local/harbor/install.sh
```
Check the Harbor images and containers that were started, then visit the administration page
Create a new project:
Log in to Harbor first
Tag the image
Push the image to Harbor
All of the operations above are performed locally on the Harbor host. Other clients that try to use Harbor will get errors; the Docker configuration on those clients must be modified and Docker restarted.
Demo: Harbor private registry deployment
Docker private registry host: CentOS 7-3: 192.168.18.128
```
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install yum-utils device-mapper-persistent-data lvm2 -y
[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum install -y docker-ce
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl enable docker.service
[root@localhost ~]# tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://w1ogxqvl.mirror.aliyuncs.com"]
}
EOF
[root@localhost ~]# vim /etc/sysctl.conf
`Insert the following line after the last line`
net.ipv4.ip_forward=1          #Press Esc to leave insert mode, then type :wq to save and exit
[root@localhost ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# mkdir /aaa
[root@localhost ~]# mount.cifs //192.168.0.105/rpm /aaa
Password for root@//192.168.0.105/rpm:
[root@localhost ~]# cd /aaa/docker/
[root@localhost docker]# cp docker-compose /usr/local/bin/
[root@localhost docker]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3
```
Deploy Harbor Service
```
[root@localhost docker]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
[root@localhost docker]# cd /usr/local/
[root@localhost local]# ls
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
#There is now a harbor directory
[root@localhost local]# cd harbor/
[root@localhost harbor]# ls
common                     docker-compose.yml     harbor.v1.2.2.tar.gz  NOTICE
docker-compose.clair.yml   harbor_1_1_0_template  install.sh            prepare
docker-compose.notary.yml  harbor.cfg             LICENSE               upgrade
[root@localhost harbor]# vim harbor.cfg
hostname = 192.168.18.128              #Line 5: change hostname to the IP address of this host
harbor_admin_password = Harbor12345    #Line 59: the default user name is admin and the password is Harbor12345
[root@localhost harbor]# sh /usr/local/harbor/install.sh
[root@localhost harbor]# docker images
REPOSITORY                  TAG               IMAGE ID       CREATED       SIZE
vmware/harbor-log           v1.2.2            36ef78ae27df   2 years ago   200MB
vmware/harbor-jobservice    v1.2.2            e2af366cba44   2 years ago   164MB
vmware/harbor-ui            v1.2.2            39efb472c253   2 years ago   178MB
vmware/harbor-adminserver   v1.2.2            c75963ec543f   2 years ago   142MB
vmware/harbor-db            v1.2.2            ee7b9fa37c5d   2 years ago   329MB
vmware/nginx-photon         1.11.13           6cc5c831fc7f   2 years ago   144MB
vmware/registry             2.6.2-photon      5d9100e4350e   2 years ago   173MB
vmware/postgresql           9.6.4-photon      c562762cbd12   2 years ago   225MB
vmware/clair                v2.0.1-photon     f04966b4af6c   2 years ago   297MB
vmware/harbor-notary-db     mariadb-10.1.10   64ed814665c6   2 years ago   324MB
vmware/notary-photon        signer-0.5.0      b1eda7d10640   2 years ago   156MB
vmware/notary-photon        server-0.5.0      6e2646682e3c   2 years ago   157MB
photon                      1.0               e6e4e4a2ba1b   3 years ago   128MB
#At this point all the downloaded images are visible
[root@localhost harbor]# docker ps -a
CONTAINER ID   IMAGE                              COMMAND                    CREATED         STATUS         PORTS                                                              NAMES
bd6e948955f2   vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   3 minutes ago   Up 3 minutes                                                                      harbor-jobservice
45d02b396e2f   vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   3 minutes ago   Up 3 minutes   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
0538aa954b1f   vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"        3 minutes ago   Up 3 minutes                                                                      harbor-ui
ed741e609d5a   vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   3 minutes ago   Up 3 minutes                                                                      harbor-adminserver
f0c689bedc71   vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   3 minutes ago   Up 3 minutes   5000/tcp                                                           registry             #Port 5000: the registry of the private repository
516f88c68b93   vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   3 minutes ago   Up 3 minutes   3306/tcp                                                           harbor-db            #Port 3306: the harbor-db database
47a2fa42392c   vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   3 minutes ago   Up 3 minutes   127.0.0.1:1514->514/tcp                                            harbor-log
#All containers are in the Up state at this time
`The orchestration pulled the images and started the containers in one step`
[root@localhost harbor]# pwd
/usr/local/harbor                     #The working directory
[root@localhost harbor]# docker-compose ps
       Name                     Command               State                    Ports
-----------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f ...    Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp
```
Verify: go back to the host machine and open 192.168.18.128 in a browser to reach the Harbor pages
There is no image in the private registry at this point, so choose "New Project"
Log in using the CentOS 7-5 client:
```
[root@localhost harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded                                                               #Login succeeded
[root@localhost harbor]# docker pull cirros                                   #Download the image
[root@localhost harbor]# docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1  #Tag it
[root@localhost harbor]# docker images
REPOSITORY                       TAG   IMAGE ID       CREATED         SIZE
127.0.0.1/myproject-kgc/cirros   v1    bc94bceaae77   12 months ago   10.3MB
[root@localhost harbor]# docker push 127.0.0.1/myproject-kgc/cirros:v1        #Upload the image
The push refers to repository [127.0.0.1/myproject-kgc/cirros]
abbd6d6ac643: Pushed
75b99987219d: Pushed
0cc237193a30: Pushed
v1: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
```
Back on the private registry page, the uploaded image is now listed:
Client: CentOS 7-5: 192.168.18.145
```
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install yum-utils device-mapper-persistent-data lvm2 -y
[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum install -y docker-ce
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl enable docker.service
[root@localhost ~]# tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://w1ogxqvl.mirror.aliyuncs.com"]
}
EOF
[root@localhost ~]# vim /etc/sysctl.conf
`Insert the following line after the last line`
net.ipv4.ip_forward=1          #Press Esc to leave insert mode, then type :wq to save and exit
[root@localhost ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
```
Now access the registry from the CentOS 7-5 client:
```
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.18.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.18.129/v2/: dial tcp 192.168.18.129:443: connect: connection refused
`Logging in directly fails at this point. The solution is as follows`
#The Docker daemon has to be told the address of the private registry (as an insecure, plain-HTTP registry) before the client can connect to it
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.18.128 --containerd=/run/containerd/containerd.sock   #Line 14: add the private registry address in the middle of the line
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.18.128
Login Succeeded                   #The login is successful
```
Download the image with:
```
[root@localhost ~]# docker pull cirros
[root@localhost ~]# docker pull 192.168.18.128/myproject-kgc/cirros:v1
v1: Pulling from myproject-kgc/cirros
Digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
Status: Downloaded newer image for 192.168.18.128/myproject-kgc/cirros:v1
192.168.18.128/myproject-kgc/cirros:v1
[root@localhost ~]# docker images
REPOSITORY                            TAG      IMAGE ID       CREATED         SIZE
192.168.18.128/myproject-kgc/cirros   v1       bc94bceaae77   12 months ago   10.3MB
cirros                                latest   bc94bceaae77   12 months ago   10.3MB
`Tag the image. Note that the project name in the tag must match the project the image was uploaded to earlier, here 192.168.18.128/myproject-kgc/`
[root@localhost ~]# docker tag cirros:latest 192.168.18.128/myproject-kgc/cirros:v2   #Tag
[root@localhost ~]# docker push 192.168.18.128/myproject-kgc/cirros:v2              #Upload
The push refers to repository [192.168.18.128/myproject-kgc/cirros]
abbd6d6ac643: Layer already exists
75b99987219d: Layer already exists
0cc237193a30: Layer already exists
v2: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
```
Refreshing the private registry page now shows two image tags, including the v2 image just uploaded
```
[root@localhost ~]# docker pull nginx
[root@localhost ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED      SIZE
nginx        latest   f7bb5701a33c   6 days ago   126MB
[root@localhost ~]# docker tag nginx:latest 192.168.18.128/myproject-kgc/nginx:new
[root@localhost ~]# docker push 192.168.18.128/myproject-kgc/nginx:new
The push refers to repository [192.168.18.128/myproject-kgc/nginx]
75248c0d5438: Pushed
49434cc20e95: Pushed
556c5fb0d91b: Pushed
new: digest: sha256:36b77d8bb27ffca25c7f6f53cadd059aca2747d46fb6ef34064e31727325784e size: 948
```
Maintenance management
(1) Operations on CentOS 7-3
```
[root@localhost harbor]# docker-compose down -v      #Stop and remove the containers
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-db          ... done
Stopping harbor-adminserver ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor
`Modify the configuration file`
[root@localhost harbor]# vim harbor.cfg
[root@localhost harbor]# ./prepare                   #Load the configuration file
[root@localhost harbor]# docker-compose up -d        #Start
Creating network "harbor_harbor" with the default driver
Creating harbor-log         ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ... done
```
(2) Create a new user:
Next, try logging in with the client:
```
`You need to log out before logging in as another user`
[root@localhost ~]# docker logout http://192.168.18.128     #Log out
Removing login credentials for 192.168.18.128
[root@localhost ~]# docker login http://192.168.18.128      #Log in
Username: kgc-zhou        #Enter the user name kgc-zhou
Password:                 #Enter the password Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded           #Login succeeded
```
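Two things in the client steps above deserve a check after the demo is done: the `--insecure-registry` edit to docker.service makes the client trust 192.168.18.128 over plain HTTP, and every `docker login` printed a warning that the password is stored unencrypted in /root/.docker/config.json and that `-p` on the command line is insecure. The script below is an added example, not part of the original tutorial or of Docker or Harbor: it lists the registries a client trusts without TLS (from the ExecStart line, or from the equivalent `insecure-registries` key in /etc/docker/daemon.json), lists the registries whose credentials sit in config.json as a base64 `auth` value, and shows the `--password-stdin` login form the warning asks for. The docker.service, daemon.json and config.json contents it writes are constructed samples that mirror the values used in this demo; `harbor_login` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the Docker client
# configuration touched by the steps above. All sample files are constructed.

# insecure_from_unit UNIT_FILE -> registries named by --insecure-registry on ExecStart
insecure_from_unit() {
    awk '/^ExecStart=/ { for (i = 1; i <= NF; i++) {
            if ($i == "--insecure-registry") { print $(i + 1) } else if (index($i, "--insecure-registry=") == 1) { print substr($i, 21) }
        } }' "$1"
}

# insecure_from_daemon_json FILE -> entries of the "insecure-registries" array
insecure_from_daemon_json() {
    tr -d '\n' < "$1" \
      | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
      | tr ',' '\n' | tr -d ' "' | sed '/^$/d'
}

# plaintext_auth_hosts CONFIG_JSON -> registries whose "auth" value (base64 of
# user:password) is kept in the file; prints nothing when a credential helper
# (credsStore) is configured, because then no "auth" values are written.
plaintext_auth_hosts() {
    grep -q '"credsStore"' "$1" && return 0
    tr -d '\n\t ' < "$1" | grep -o '"[^"]*":{"auth"' | sed 's/^"\([^"]*\)".*/\1/'
}

# auth_user AUTH_VALUE -> the user name inside a config.json "auth" entry.
# The value is only base64, which is why docker login calls it unencrypted.
auth_user() {
    printf '%s' "$1" | base64 -d | cut -d: -f1
}

# harbor_login REGISTRY USER PASSWORD_FILE -> the form the warning asks for:
# the password is read from a file (keep it mode 0600) instead of argv, so it
# does not show up in `ps` output or the shell history.
harbor_login() {
    docker login -u "$2" --password-stdin "$1" < "$3"
}

# write_samples DIR -> constructed copies of the three files this demo edits
write_samples() {
    cat > "$1/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.18.128 --containerd=/run/containerd/containerd.sock
EOF
    cat > "$1/daemon.json" <<'EOF'
{
  "registry-mirrors": ["https://w1ogxqvl.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.18.128", "10.0.0.5:5000"]
}
EOF
    # "auth" below is base64("admin:Harbor12345"), the demo's default credentials
    cat > "$1/config.json" <<'EOF'
{
	"auths": {
		"192.168.18.128": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	}
}
EOF
}

# Usage on a real client (paths assumed; adjust to your system):
#   insecure_from_unit /usr/lib/systemd/system/docker.service
#   insecure_from_daemon_json /etc/docker/daemon.json
#   plaintext_auth_hosts /root/.docker/config.json
```

Every host printed by the first two functions is one the client will push to and pull from without TLS, so credentials and image layers travel in clear text; a host printed by `plaintext_auth_hosts` has its password recoverable from config.json by anyone who can read that file. The fix for both is the same direction the page's own output points to: serve Harbor with `ui_url_protocol = https` and a certificate so `--insecure-registry` is not needed, and configure a credential helper so `docker login` stores no `auth` value.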