Docker Private Warehouse Deployment and Management

Posted by bilis_money on Sun, 05 Jan 2020 10:11:31 +0100


Structure of this chapter:

Introduction to Harbor

Deploying the Docker Compose service on which Harbor depends

Deploy Harbor Service

Harbor Daily Operations Management

Harbor Management Life Cycle

Introduction to Harbor

Harbor is an open source, enterprise-class Docker Registry project from VMware.
Advantages of Harbor

Role-based Control

Image-based replication policies

Support LDAP Directory Service/AD Domain Service

Image deletion and garbage collection

Graphical UI (Web interface accessible)

Audit logging

RESTful API

Harbor architecture composition

Proxy:

A front-end reverse proxy that receives browser and Docker client requests and forwards them to the appropriate back-end services

Registry (the image warehouse):

Responsible for storing Docker images and handling docker push/pull commands

Core services:

Core features of Harbor, including UI, webhook, token services

Database (MySQL):

Provides database services for the core services

Log collector:

Responsible for collecting the logs of the other components for later analysis

Docker Private Warehouse Architecture Topology:

Process description:

Before accessing the registry, the user authenticates against the Core service with an account (the UI provides the web interface). After the first successful login, the token service issues an authentication token. From then on the user presents that token directly to the registry to look up the image. If the image does not exist, the registry answers that there is no such image (and the client downloads it from the public hub instead). If it exists, the registry uses the webhook callback to send the image information back, and it is finally returned to the client. All operations are recorded in the log collector.

Noun Interpretation

webhook:

Callback mechanism in microservices

Token generation:

1. The server issues a serial number, which the server then verifies directly on later requests.

2. A string is generated from the client's MAC address. Each time the parameter is passed, the server verifies the MAC address; if it has been validated before, the request passes directly.

database:

Stores user information, including permissions and image attribute information
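To make the token step in the process description concrete, here is the registry v2 token exchange as a Docker client actually carries it out against Harbor, written as an added shell example (not code from the page or from the Harbor project). The challenge header and token JSON it parses are constructed samples shaped like what a registry returns; the service name `harbor-registry` and the exact token JSON fields are assumptions to confirm against your own Harbor version.

```shell
#!/bin/sh
# Registry v2 token flow as a Docker client performs it against Harbor:
#   1. GET /v2/ without credentials -> 401 plus a WWW-Authenticate challenge that
#      names the token service (realm) and the service name
#   2. GET <realm>?service=...&scope=... with the user's credentials -> JSON with a token
#   3. repeat the registry request with "Authorization: Bearer <token>"
# Added example, not Harbor's own code. The challenge and token JSON below are
# constructed samples; the service name and the token JSON field layout are
# assumptions to check against your Harbor version.

# build_token_url CHALLENGE -> token endpoint URL derived from the challenge header value
build_token_url() {
    challenge="$1"
    realm=$(printf '%s' "$challenge" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
    service=$(printf '%s' "$challenge" | sed -n 's/.*service="\([^"]*\)".*/\1/p')
    scope=$(printf '%s' "$challenge" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
    url="${realm}?service=${service}"
    [ -n "$scope" ] && url="${url}&scope=${scope}"
    printf '%s\n' "$url"
}

# parse_token JSON -> the bearer token string from the token service reply
# (assumes the compact {"token":"..."} layout without spaces after the colon)
parse_token() {
    printf '%s' "$1" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# list_tags BASE USER REPO -> tag list for REPO; needs network access to a live Harbor.
# BASE is e.g. http://192.168.18.128 (the page's demo) or https://harbor.example.internal.
# Pass extra curl options such as --cacert through CURL_OPTS instead of using -k,
# so the TLS certificate is still verified. CURL_OPTS is left unquoted on purpose
# so that several options split into separate arguments.
list_tags() {
    base="$1"; user="$2"; repo="$3"
    challenge=$(curl -sS $CURL_OPTS -o /dev/null -D - "$base/v2/" \
        | grep -i '^www-authenticate:' | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    url="$(build_token_url "$challenge")&scope=repository:${repo}:pull"
    token=$(parse_token "$(curl -sS $CURL_OPTS -u "$user" "$url")")
    curl -sS $CURL_OPTS -H "Authorization: Bearer $token" "$base/v2/$repo/tags/list"
}

# Constructed sample challenge, shaped like the one Harbor's proxy/registry returns,
# and a constructed token reply with a placeholder token value.
SAMPLE_CHALLENGE='Bearer realm="https://192.168.18.128/service/token",service="harbor-registry",scope="repository:myproject-kgc/cirros:pull"'
SAMPLE_TOKEN_JSON='{"token":"eyJhbGciOi.PLACEHOLDER.sig","expires_in":1800}'

# Usage against a live Harbor (example values from the page's demo):
#   list_tags http://192.168.18.128 admin myproject-kgc/cirros
```

Only the challenge parsing and token extraction run offline; `list_tags` needs a reachable Harbor and prompts curl for the password when the user name carries no colon.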

Deploy Harbor Service

Download the Harbor installer:
wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
tar xvf harbor-offline-installer-v1.2.2.tgz -C /usr/local
Configure the Harbor parameter file:

The parameters are in the file /usr/local/harbor/harbor.cfg

Required parameters for Harbor:

hostname ,ui_url_protocol,max_job_workers

db_password,customize_crt,ssl_cert,ssl_cert_key

secretkey_path

Harbor optional parameters:

E-mail settings, harbor_admin_password, auth_mode

self_registration,token_expiration

project_creation_restriction,verify_remote_cert
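As an added example (not part of the page or of the Harbor installer), the script below reads a harbor.cfg, confirms that the required keys listed above are set, and flags the optional settings that leave the registry weaker than it needs to be, showing the demo values beside a hardened variant. Both sample files are constructed; the hostname harbor.example.internal and the CHANGE_ME values are placeholders.

```shell
#!/bin/sh
# Sanity-check a harbor.cfg (Harbor 1.2.x format, "key = value" lines) against the
# required keys the page lists and against settings that weaken the registry.
# Added example, not from the page or the Harbor installer. The two sample files are
# constructed: the demo one mirrors the values used in the page's walkthrough
# (http, default admin password), the other is a hardened variant.

REQUIRED_KEYS="hostname ui_url_protocol max_job_workers db_password customize_crt ssl_cert ssl_cert_key secretkey_path"

# cfg_get FILE KEY -> value of the first uncommented "KEY = value" line, or empty
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_harbor_cfg FILE -> prints one finding per line; exit status 1 if anything was found
check_harbor_cfg() {
    file="$1"; rc=0
    for key in $REQUIRED_KEYS; do
        if [ -z "$(cfg_get "$file" "$key")" ]; then
            echo "MISSING: required key $key is not set"; rc=1
        fi
    done
    if [ "$(cfg_get "$file" ui_url_protocol)" = "http" ]; then
        echo "WEAK: ui_url_protocol = http, logins and image traffic are sent in clear text (use https with ssl_cert/ssl_cert_key)"; rc=1
    fi
    if [ "$(cfg_get "$file" harbor_admin_password)" = "Harbor12345" ]; then
        echo "WEAK: harbor_admin_password is still the documented default"; rc=1
    fi
    if [ "$(cfg_get "$file" self_registration)" = "on" ]; then
        echo "WEAK: self_registration = on, anyone who can reach the UI can create an account"; rc=1
    fi
    if [ "$(cfg_get "$file" project_creation_restriction)" = "everyone" ]; then
        echo "WEAK: project_creation_restriction = everyone, any user can create projects"; rc=1
    fi
    if [ "$(cfg_get "$file" verify_remote_cert)" = "off" ]; then
        echo "WEAK: verify_remote_cert = off, replication peers are not certificate-checked"; rc=1
    fi
    return $rc
}

# write_demo_cfg FILE -> constructed harbor.cfg with the values the page's demo uses
write_demo_cfg() {
    cat > "$1" <<'EOF'
## Constructed sample, shaped like Harbor 1.2.2's harbor.cfg
hostname = 192.168.18.128
ui_url_protocol = http
max_job_workers = 3
db_password = root123
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
token_expiration = 30
project_creation_restriction = everyone
verify_remote_cert = on
EOF
}

# write_hardened_cfg FILE -> the same keys with the weak settings corrected (placeholders)
write_hardened_cfg() {
    cat > "$1" <<'EOF'
hostname = harbor.example.internal
ui_url_protocol = https
max_job_workers = 3
db_password = CHANGE_ME_db_password
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
harbor_admin_password = CHANGE_ME_admin_password
auth_mode = db_auth
self_registration = off
token_expiration = 30
project_creation_restriction = adminonly
verify_remote_cert = on
EOF
}

# Usage: sh check_harbor_cfg.sh /usr/local/harbor/harbor.cfg
if [ -n "${1:-}" ]; then
    check_harbor_cfg "$1"
fi
```

Run it before `./prepare` or `install.sh`; a non-zero exit means at least one required key is missing or one of the flagged settings is still in its demo state.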

Start and install Harbor:

[root@localhost harbor]# sh /usr/local/harbor/install.sh

View the Harbor boot image and visit the administration page
Create a new project:

Log in to Harbor first

Tag the image

Push the image to Harbor

All of the above operations are performed on the Harbor host itself. Other clients get errors when they operate on Harbor until the Docker daemon configuration on those clients (any machine other than the Harbor host) is modified and Docker is restarted.

Demo: Harbor Private Warehouse Deployment

Docker private registry: CentOS 7-3: 192.168.18.128

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install yum-utils device-mapper-persistent-data lvm2 -y
[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum install -y docker-ce
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl enable docker.service
[root@localhost ~]# tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://w1ogxqvl.mirror.aliyuncs.com"]
}
EOF

[root@localhost ~]# vim /etc/sysctl.conf
`Append the following line at the end of the file`
net.ipv4.ip_forward=1
#Press Esc to leave insert mode, then type :wq to save and exit
[root@localhost ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# mkdir /aaa
[root@localhost ~]# mount.cifs //192.168.0.105/rpm /aaa
Password for root@//192.168.0.105/rpm:
[root@localhost ~]# cd /aaa/docker/
[root@localhost docker]# cp docker-compose /usr/local/bin/
[root@localhost docker]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3
Deploy Harbor Service
[root@localhost docker]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
[root@localhost docker]# cd /usr/local/
[root@localhost local]# ls
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
#There is now a harbor directory
[root@localhost local]# cd harbor/
[root@localhost harbor]# ls
common                     docker-compose.yml     harbor.v1.2.2.tar.gz  NOTICE
docker-compose.clair.yml   harbor_1_1_0_template  install.sh            prepare
docker-compose.notary.yml  harbor.cfg             LICENSE               upgrade
[root@localhost harbor]# vim harbor.cfg
hostname = 192.168.18.128       #Change the hostname on line 5 to the IP address of this host (the Harbor server)
harbor_admin_password = Harbor12345     #Line 59 default user name is admin and password is Harbor12345

[root@localhost harbor]# sh /usr/local/harbor/install.sh

[root@localhost harbor]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-log           v1.2.2              36ef78ae27df        2 years ago         200MB
vmware/harbor-jobservice    v1.2.2              e2af366cba44        2 years ago         164MB
vmware/harbor-ui            v1.2.2              39efb472c253        2 years ago         178MB
vmware/harbor-adminserver   v1.2.2              c75963ec543f        2 years ago         142MB
vmware/harbor-db            v1.2.2              ee7b9fa37c5d        2 years ago         329MB
vmware/nginx-photon         1.11.13             6cc5c831fc7f        2 years ago         144MB
vmware/registry             2.6.2-photon        5d9100e4350e        2 years ago         173MB
vmware/postgresql           9.6.4-photon        c562762cbd12        2 years ago         225MB
vmware/clair                v2.0.1-photon       f04966b4af6c        2 years ago         297MB
vmware/harbor-notary-db     mariadb-10.1.10     64ed814665c6        2 years ago         324MB
vmware/notary-photon        signer-0.5.0        b1eda7d10640        2 years ago         156MB
vmware/notary-photon        server-0.5.0        6e2646682e3c        2 years ago         157MB
photon                      1.0                 e6e4e4a2ba1b        3 years ago         128MB
#At this point we can see all the downloaded images

[root@localhost harbor]# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                                              NAMES
bd6e948955f2        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   3 minutes ago       Up 3 minutes                                                                           harbor-jobservice
45d02b396e2f        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   3 minutes ago       Up 3 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
0538aa954b1f        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      3 minutes ago       Up 3 minutes                                                                           harbor-ui
ed741e609d5a        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   3 minutes ago       Up 3 minutes                                                                           harbor-adminserver
f0c689bedc71        vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   3 minutes ago       Up 3 minutes        5000/tcp    #Port 5000: the registry that stores the private images
516f88c68b93        vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   3 minutes ago       Up 3 minutes        3306/tcp    #Port 3306: harbor-db, the MySQL database
47a2fa42392c        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   3 minutes ago       Up 3 minutes        127.0.0.1:1514->514/tcp                                            harbor-log
#All containers are in the Up state at this time
`Orchestration completed the image download and container start-up in one step`

[root@localhost harbor]# pwd
/usr/local/harbor       #Under Working Directory
[root@localhost harbor]# docker-compose ps
       Name                     Command               State                       Ports
-----------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 
                                                              0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp
Verify: from the host, open 192.168.18.128 in a browser to reach the Harbor web pages

There are no images in the private registry yet, so we first need to create a new project

Log in to Harbor (these commands run on the Harbor host itself, against 127.0.0.1; the CentOS 7-5 client is configured later):

[root@localhost harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded     #Show login success at this time
[root@localhost harbor]# docker pull cirros     #Pull the image
[root@localhost harbor]# docker tag cirros 127.0.0.1/myproject-kgc/cirros:v1    #Tag
[root@localhost harbor]# docker images
REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
127.0.0.1/myproject-kgc/cirros   v1                  bc94bceaae77        12 months ago       10.3MB
[root@localhost harbor]# docker push 127.0.0.1/myproject-kgc/cirros:v1      #Push the image
The push refers to repository [127.0.0.1/myproject-kgc/cirros]
abbd6d6ac643: Pushed
75b99987219d: Pushed
0cc237193a30: Pushed
v1: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
Refresh the private registry page and the pushed image is listed:

Docker client: CentOS 7-5: 192.168.18.145

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install yum-utils device-mapper-persistent-data lvm2 -y
[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum install -y docker-ce
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl enable docker.service
[root@localhost ~]# tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://w1ogxqvl.mirror.aliyuncs.com"]
}
EOF
[root@localhost ~]# vim /etc/sysctl.conf
`Append the following line at the end of the file`
net.ipv4.ip_forward=1
#Press Esc to leave insert mode, then type :wq to save and exit
[root@localhost ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
At this point we use the CentOS 7-5 client to access:
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.18.128
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.18.129/v2/: dial tcp 192.168.18.129:443: connect: connection refused
`If we run the login command directly at this point, we get an error. The fix is as follows`

#The private registry address must be added to the dockerd start-up line (the ExecStart line that also names the containerd sock file) before the client can connect
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.18.128 --containerd=/run/containerd/containerd.sock
#Add --insecure-registry with the private registry address in the middle of line 14
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker login -u admin -p Harbor12345 http://192.168.18.128
Login Succeeded     #The login is successful.
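The --insecure-registry flag makes the client accept the registry over plain HTTP without checking a certificate, which is why the login above succeeds against the http:// address. As an added example (not code from the page or from Docker), the script below shows the daemon.json form of that setting beside the alternative a production client should use: installing the CA certificate that signed Harbor's TLS certificate under /etc/docker/certs.d/<registry>/ca.crt, so dockerd verifies the HTTPS connection and no insecure flag is needed. ROOT_DIR is an assumed knob that redirects the paths to a scratch directory for testing, and the CA file path is a placeholder.

```shell
#!/bin/sh
# Two ways to let a Docker client reach a private Harbor registry, for comparison:
#   insecure : list the registry under "insecure-registries" in /etc/docker/daemon.json,
#              the daemon.json equivalent of the --insecure-registry flag added to
#              docker.service above (plain HTTP, no certificate check)
#   trusted  : install the CA certificate that signed Harbor's TLS certificate under
#              /etc/docker/certs.d/<registry>/ca.crt (add :port to the directory name
#              for a non-default port), so HTTPS is verified and no insecure flag is needed
# Added example, not from the page or the Docker/Harbor projects. ROOT_DIR is an
# assumed knob that prefixes every path with a scratch directory (used for testing);
# leave it empty to write the real /etc/docker.
ROOT_DIR="${ROOT_DIR:-}"

# write_insecure_daemon_json REGISTRY -> (re)writes daemon.json marking REGISTRY insecure,
# keeping the registry-mirrors entry the page configures
write_insecure_daemon_json() {
    registry="$1"
    dir="$ROOT_DIR/etc/docker"
    mkdir -p "$dir"
    cat > "$dir/daemon.json" <<EOF
{
  "registry-mirrors": ["https://w1ogxqvl.mirror.aliyuncs.com"],
  "insecure-registries": ["$registry"]
}
EOF
}

# install_registry_ca REGISTRY CA_FILE -> installs the CA cert so dockerd verifies REGISTRY's TLS
install_registry_ca() {
    registry="$1"; ca_file="$2"
    dir="$ROOT_DIR/etc/docker/certs.d/$registry"
    mkdir -p "$dir"
    cp "$ca_file" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
}

# registry_trust_mode REGISTRY -> prints trusted, insecure or none for this client host
registry_trust_mode() {
    registry="$1"
    if [ -f "$ROOT_DIR/etc/docker/certs.d/$registry/ca.crt" ]; then
        echo trusted
    elif grep -q "\"insecure-registries\".*\"$registry\"" "$ROOT_DIR/etc/docker/daemon.json" 2>/dev/null; then
        echo insecure
    else
        echo none
    fi
}

# restart_docker -> apply daemon.json changes (only when writing the real /etc/docker)
restart_docker() {
    if [ -z "$ROOT_DIR" ]; then
        systemctl daemon-reload && systemctl restart docker
    fi
}

# Usage on the client (the page's CentOS 7-5 host), as root:
#   sh trust_registry.sh insecure 192.168.18.128
#   sh trust_registry.sh trusted  192.168.18.128 /path/to/harbor-ca.crt   (placeholder path)
case "${1:-}" in
    insecure) write_insecure_daemon_json "$2"; restart_docker ;;
    trusted)  install_registry_ca "$2" "$3" ;;
esac
```

The trusted mode only helps once Harbor itself serves HTTPS, that is, ui_url_protocol = https with ssl_cert and ssl_cert_key set in harbor.cfg. After either change run systemctl daemon-reload and systemctl restart docker, then log in with --password-stdin instead of -p so the password does not land in the shell history, as the warning in the page's own login output recommends.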
Pull the image:
[root@localhost ~]# docker pull cirros
[root@localhost ~]# docker pull 192.168.18.128/myproject-kgc/cirros:v1
v1: Pulling from myproject-kgc/cirros
Digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd
Status: Downloaded newer image for 192.168.18.128/myproject-kgc/cirros:v1
192.168.18.128/myproject-kgc/cirros:v1
[root@localhost ~]# docker images
REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE
192.168.18.128/myproject-kgc/cirros   v1                  bc94bceaae77        12 months ago       10.3MB
cirros                                latest              bc94bceaae77        12 months ago       10.3MB

`Tag the image. Note that the project name in the tag must match the project the image was pushed to earlier; here it is 192.168.18.128/myproject-kgc/`
[root@localhost ~]# docker tag cirros:latest 192.168.18.128/myproject-kgc/cirros:v2     #Tag

[root@localhost ~]# docker push 192.168.18.128/myproject-kgc/cirros:v2      #Push
The push refers to repository [192.168.18.128/myproject-kgc/cirros]
abbd6d6ac643: Layer already exists
75b99987219d: Layer already exists
0cc237193a30: Layer already exists
v2: digest: sha256:96137d51e0e46006243fa2403723eb47f67818802d1175b5cde7eaa7f19446bd size: 943
Refreshing the private registry page now shows two images, including the v2 image we just pushed

[root@localhost ~]# docker pull nginx
[root@localhost ~]# docker images
REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE
nginx                                 latest              f7bb5701a33c        6 days ago          126MB
[root@localhost ~]# docker tag nginx:latest 192.168.18.128/myproject-kgc/nginx:new
[root@localhost ~]# docker push 192.168.18.128/myproject-kgc/nginx:new
The push refers to repository [192.168.18.128/myproject-kgc/nginx]
75248c0d5438: Pushed
49434cc20e95: Pushed
556c5fb0d91b: Pushed
new: digest: sha256:36b77d8bb27ffca25c7f6f53cadd059aca2747d46fb6ef34064e31727325784e size: 948

Maintenance management

(1). Operations in CentOS 7-3

[root@localhost harbor]# docker-compose down -v         #Stop and remove the containers
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-db          ... done
Stopping harbor-adminserver ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor

`Modify the configuration file`
vim harbor.cfg
[root@localhost harbor]# ./prepare      #Regenerate the configuration from harbor.cfg
[root@localhost harbor]# docker-compose up -d       #Start
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ... done

(2). Create new users:

Next we try to log in with the client:

`You need to log out before you log in again`
[root@localhost ~]# docker logout http://192.168.18.128 #Logout
Removing login credentials for 192.168.18.128

[root@localhost ~]# docker login http://192.168.18.128 #Logon
Username: kgc-zhou      #Enter user name kgc-zhou
Password:               #Enter password Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded         #Show login success

(3). Create a project developer:
