Harbor deployment and simple application
Introduction to Harbor
Although Docker provides an official public image repository, deploying a Registry in our own private environment is also necessary for reasons of security and efficiency.
Harbor is an open-source, enterprise-class Docker Registry management project from VMware. Compared with the official Docker registry, Harbor has a richer permission model and a more complete architecture, making it suitable for providing repository services to large-scale Docker cluster deployments.
It mainly provides a management UI for the Docker Registry, with role-based access control, image replication, AD/LDAP integration, log auditing and other functions, and is fully localized in Chinese.
Main functions of Harbor
- Role-based access control: users and Docker image repositories are organized and managed through "projects". A user can have different permissions on multiple image repositories within the same namespace (project).
- Image-based replication policy: images can be replicated between multiple Registry instances (the images in a repository can be synchronized to a remote Harbor, similar to MySQL master-slave replication). This is especially suitable for load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
- Graphical user interface: users can browse and search the current Docker image repositories in a web browser, and manage projects and namespaces.
- AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for authentication.
- Image deletion and garbage collection: Harbor supports deleting images from the web UI and reclaiming the disk space they occupied.
- Audit management: all operations on the image repositories can be recorded and traced for auditing.
- RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
- Simple deployment: Harbor provides online and offline installation tools and can also be installed on the vSphere platform as a virtual appliance (OVA). All Harbor components run in Docker, so Harbor can be deployed quickly with Docker Compose.
Note: since Harbor is based on Docker Registry V2, the Docker version must be >= 1.10.0 and docker-compose must be >= 1.6.0.
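A small prerequisite check for the two minimum versions just stated, added here as an example (it is not part of the original article). It parses the strings printed by `docker version --format '{{.Server.Version}}'` and `docker-compose --version` and compares them numerically; the minimum constants and the sample version strings are taken from the article, the function names are this example's own.

```python
"""Check that Docker and docker-compose meet Harbor's stated minimums.

Added example, not part of the original article. Compares the version
strings printed by `docker version --format '{{.Server.Version}}'` and
`docker-compose --version` against the minimums the article states
(Docker >= 1.10.0, docker-compose >= 1.6.0).
"""
import re
import shutil
import subprocess

MIN_DOCKER = (1, 10, 0)
MIN_COMPOSE = (1, 6, 0)


def parse_version(text):
    """Return the first dotted version found in text as a tuple of ints.

    Accepts both a bare '20.10.12' and a sentence such as
    'docker-compose version 1.29.2, build 5becea4c'.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError("no version number in %r" % text)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def version_ge(found, minimum):
    """Numeric tuple comparison, so 1.10.0 >= 1.9.0 holds (a plain string
    comparison would get this wrong because '1.1' < '1.9')."""
    return tuple(found) >= tuple(minimum)


def check_prereqs(docker_text, compose_text):
    """Evaluate both requirements and return the findings as a dict."""
    docker_ver = parse_version(docker_text)
    compose_ver = parse_version(compose_text)
    return {
        "docker": docker_ver,
        "docker_ok": version_ge(docker_ver, MIN_DOCKER),
        "compose": compose_ver,
        "compose_ok": version_ge(compose_ver, MIN_COMPOSE),
    }


def probe_local():
    """Run the real commands when both tools are installed; None otherwise."""
    if not (shutil.which("docker") and shutil.which("docker-compose")):
        return None
    docker = subprocess.run(
        ["docker", "version", "--format", "{{.Server.Version}}"],
        capture_output=True, text=True, check=False)
    compose = subprocess.run(
        ["docker-compose", "--version"],
        capture_output=True, text=True, check=False)
    return check_prereqs(docker.stdout, compose.stdout)


if __name__ == "__main__":
    # Constructed inputs reproducing the versions shown in the article.
    print(check_prereqs("20.10.12",
                        "docker-compose version 1.29.2, build 5becea4c"))
    live = probe_local()
    if live is not None:
        print("this host:", live)
```

Running it on the harbor host after the installation below reports the live versions; on a machine without Docker only the constructed sample is evaluated.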
Docker Compose (orchestration tool)
Deploying Harbor directly on physical machines is very laborious. To simplify things, the Harbor project packages Harbor as a set of applications running in containers. These containers depend on several backing services such as redis and the PostgreSQL database, so many containers must be orchestrated to work together. Deploying and running VMware Harbor is therefore done with the help of Docker Compose.
Compose is a tool for defining and running multi-container Docker applications. With Compose, you describe your application's services in a YAML file and then create and start all of them with a single command.
Docker compose official document
Harbor deployment
Harbor official documents
Environmental description:
| host name | IP address | applications to install |
|---|---|---|
| docker | 192.168.200.140 | docker-ce |
| harbor | 192.168.200.141 | docker-ce, docker-compose, Harbor |
harbor host operation
```
// Turn off the firewall and SELinux
[root@harbor ~]# systemctl stop firewalld
[root@harbor ~]# vim /etc/sysconfig/selinux
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
[root@harbor ~]# setenforce 0
[root@harbor ~]# reboot
[root@harbor ~]# getenforce
Disabled
```
```
// Configure the docker-ce yum source
[root@harbor yum.repos.d]# curl -o docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1919  100  1919    0     0   1265      0  0:00:01  0:00:01 --:--:--  1265
[root@harbor yum.repos.d]# sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' docker-ce.repo

// Install docker-ce together with its dependencies and tools
[root@harbor ~]# dnf -y install yum-utils device-mapper-persistent-data lvm2
[root@harbor ~]# yum -y install docker-ce --allowerasing

// After installation, check the version with docker version
[root@harbor ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:22 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

// Configure a mirror accelerator
[root@harbor ~]# mkdir -p /etc/docker
[root@harbor ~]# vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://7z2g0ixw.mirror.aliyuncs.com"]
}
[root@harbor ~]# systemctl daemon-reload
[root@harbor ~]# systemctl enable --now docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
```
Install compose and harbor on the harbor host
```
[root@harbor ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@harbor ~]# chmod +x /usr/local/bin/docker-compose
[root@harbor ~]# docker-compose --version
docker-compose version 1.29.2, build 5becea4c

[root@harbor ~]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.141 harbor.example.com
[root@harbor ~]# ping harbor.example.com
PING harbor.example.com (192.168.200.141) 56(84) bytes of data.
64 bytes from harbor.example.com (192.168.200.141): icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from harbor.example.com (192.168.200.141): icmp_seq=2 ttl=64 time=0.042 ms
^C
--- harbor.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 20ms
rtt min/avg/max/mdev = 0.042/0.045/0.049/0.007 ms

// Unpack the harbor package and look at the install.sh script and the compose template
[root@harbor ~]# cd /usr/src/
[root@harbor src]# ls
debug  harbor-offline-installer-v2.3.5.tgz  kernels
[root@harbor src]# tar xf harbor-offline-installer-v2.3.5.tgz -C /usr/local/
[root@harbor src]# cd /usr/local/harbor/
[root@harbor harbor]# ls
common.sh  harbor.v2.3.5.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

// Modify the harbor configuration file
[root@harbor harbor]# vi harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.example.com                // change this to the local host name

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:                                     // commented out here, since no certificate is used
  # https port for harbor, default is 443
  # port: 443                               // commented out here, since no certificate is used
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path     // commented out here, since no certificate is used
  # private_key: /your/private/key/path     // commented out here, since no certificate is used
...... (n lines omitted)

harbor_admin_password: Harbor12345          // password of the admin user in the web interface

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123                         // database password
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100                       // maximum idle connections
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900                       // maximum open connections

# The default data volume
data_volume: /data                          // data mount directory

// Run the install.sh script to install
[root@harbor harbor]# ./install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.12

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.26.2

[Step 2]: loading Harbor images ...
....... (n lines omitted)

[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-core   ... done
Creating nginx         ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----      // the installation succeeded

// Start harbor
[root@harbor harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting redis       ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done
```
Use docker ps -a to view the newly created containers
```
[root@harbor harbor]# docker ps -a
CONTAINER ID   IMAGE                                COMMAND                    CREATED         STATUS                   PORTS                                   NAMES
284275316b01   goharbor/harbor-jobservice:v2.3.5    "/harbor/entrypoint...."   2 minutes ago   Up 2 minutes (healthy)                                           harbor-jobservice
cb0c4603a22d   goharbor/nginx-photon:v2.3.5         "nginx -g 'daemon of..."   2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
8ed5937e548a   goharbor/harbor-core:v2.3.5          "/harbor/entrypoint...."   2 minutes ago   Up 2 minutes (healthy)                                           harbor-core
501795de1f4a   goharbor/harbor-db:v2.3.5            "/docker-entrypoint...."   2 minutes ago   Up 2 minutes (healthy)                                           harbor-db
f0b7eaf6d883   goharbor/harbor-portal:v2.3.5        "nginx -g 'daemon of..."   2 minutes ago   Up 2 minutes (healthy)                                           harbor-portal
9513ab79fb65   goharbor/redis-photon:v2.3.5         "redis-server /etc/r..."   2 minutes ago   Up 2 minutes (healthy)                                           redis
246b97aee305   goharbor/registry-photon:v2.3.5      "/home/harbor/entryp..."   2 minutes ago   Up 2 minutes (healthy)                                           registry
ec325af742f2   goharbor/harbor-registryctl:v2.3.5   "/home/harbor/start...."   2 minutes ago   Up 2 minutes (healthy)                                           registryctl
571bcbdc2222   goharbor/harbor-log:v2.3.5           "/bin/sh -c /usr/loc..."   2 minutes ago   Up 2 minutes (healthy)   127.0.0.1:1514->10514/tcp               harbor-log

// Both the listening ports and the containers are in a normal state
[root@harbor harbor]# ss -anlt
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:1514       0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       128     [::]:22              [::]:*
```
Visit the web page (default user: admin Password: Harbor12345)
Successfully logged in
docker host operation
Upload image to harbor warehouse
Turn off the firewall and SELinux
```
[root@docekr ~]# systemctl stop firewalld
[root@docekr ~]# vim /etc/sysconfig/selinux
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
[root@docekr ~]# setenforce 0
[root@docekr ~]# reboot
[root@docekr ~]# getenforce
Disabled
```
Install docker-ce on the docker host
```
[root@docekr ~]# cd /etc/yum.repos.d/
[root@docekr ~]# curl -o docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
[root@docekr ~]# sed -i 's@https://download.docker.com@https://mirrors.tuna.tsinghua.edu.cn/docker-ce@g' docker-ce.repo

# Install docker-ce together with its dependencies and tools
[root@docekr ~]# dnf -y install yum-utils device-mapper-persistent-data lvm2
[root@docekr ~]# yum -y install docker-ce --allowerasing

# After installation, check the version with docker version
[root@docekr ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:22 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

# Configure a mirror accelerator
[root@docekr ~]# mkdir -p /etc/docker
[root@docekr ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://7z2g0ixw.mirror.aliyuncs.com"]
}
[root@docekr ~]# systemctl daemon-reload
[root@docekr ~]# systemctl enable --now docker
```
Allow plain-HTTP access to the registry with the insecure-registries parameter (needed because Harbor was configured above without a certificate)
```
[root@docker ~]# vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://7z2g0ixw.mirror.aliyuncs.com"],
  "insecure-registries": ["harbor.example.com"]     // add this line
}
[root@docker ~]# systemctl daemon-reload
[root@docker ~]# systemctl restart docker

// Map the harbor host's domain name
[root@docker ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.141 harbor.example.com
[root@docker ~]# ping harbor.example.com
PING harbor.example.com (192.168.200.141) 56(84) bytes of data.
64 bytes from harbor.example.com (192.168.200.141): icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from harbor.example.com (192.168.200.141): icmp_seq=2 ttl=64 time=0.430 ms
^C
--- harbor.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.430/0.674/0.918/0.244 ms
```
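The article edits daemon.json by hand. The following is an added example (not from the article) that makes the same change programmatically, so the existing `registry-mirrors` key is preserved, the change is idempotent, and the file is written atomically; a reverse step removes the entry again once the registry serves HTTPS with a trusted certificate. The path and the starting content are the article's; the function names are this example's own.

```python
"""Add a registry to Docker's insecure-registries list without clobbering
the rest of /etc/docker/daemon.json.

Added example, not from the original article. After running it, dockerd
still has to be restarted (systemctl restart docker) as in the article.
"""
import json
import os
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"


def add_insecure_registry(config, registry):
    """Return a copy of config with registry in insecure-registries
    (the list is created if absent; an existing entry is not duplicated)."""
    new = dict(config)
    entries = list(new.get("insecure-registries", []))
    if registry not in entries:
        entries.append(registry)
    new["insecure-registries"] = entries
    return new


def remove_insecure_registry(config, registry):
    """Reverse step for when the registry later has a trusted certificate
    and the plain-HTTP exception is no longer needed."""
    new = dict(config)
    entries = [e for e in new.get("insecure-registries", []) if e != registry]
    if entries:
        new["insecure-registries"] = entries
    else:
        new.pop("insecure-registries", None)
    return new


def load_config(path):
    """Read daemon.json; a missing or empty file is an empty config."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        text = f.read().strip()
    return json.loads(text) if text else {}


def save_config(path, config):
    """Write atomically: dockerd reads this file at start-up and a
    half-written file would keep the daemon from starting."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".daemon.json.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(config, f, indent=2)
        f.write("\n")
    os.replace(tmp, path)


def update_daemon_json(registry, path=DAEMON_JSON):
    """Load, add the registry, save; returns the resulting config."""
    config = add_insecure_registry(load_config(path), registry)
    save_config(path, config)
    return config


if __name__ == "__main__":
    # Constructed starting point matching the article's daemon.json.
    current = {"registry-mirrors": ["https://7z2g0ixw.mirror.aliyuncs.com"]}
    print(json.dumps(add_insecure_registry(current, "harbor.example.com"), indent=2))
```

On the docker host, `update_daemon_json("harbor.example.com")` followed by `systemctl restart docker` is equivalent to the manual edit above.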
Pull busybox image
```
[root@docker ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Image is up to date for busybox:latest
docker.io/library/busybox:latest
[root@docker ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
busybox      latest    ffe9d497c324   8 days ago   1.24MB
```
Tag it with the Harbor repository name
```
[root@docker ~]# docker tag busybox:latest harbor.example.com/library/busybox:latest
[root@docker ~]# docker images
REPOSITORY                           TAG       IMAGE ID       CREATED      SIZE
busybox                              latest    ffe9d497c324   8 days ago   1.24MB
harbor.example.com/library/busybox   latest    ffe9d497c324   8 days ago   1.24MB
```
Log in to the Harbor registry with docker login (the username and password are the same as for the web UI)
```
[root@docker ~]# docker login harbor.example.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```
Push the image
```
[root@docker ~]# docker push harbor.example.com/library/busybox
Using default tag: latest
The push refers to repository [harbor.example.com/library/busybox]
64cac9eaf0da: Pushed
latest: digest: sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9 size: 527
```
View it in the web UI
User management
Create a new user tom, give it the Guest role, and compare its permissions with the administrator's
After the user is created, add it to the project
Make it a guest
Permission comparison
Switch tom user
When tom logs in as a guest, he cannot change anything in the project.
Start Harbor automatically at boot
Because the Harbor service is managed by docker-compose, using the docker-compose.yml in /usr/local/harbor/ and the containers it created in Docker, the containers have to be started from that directory when configuring automatic start at boot.
Container start, stop and restart commands
```
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping harbor-portal     ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping registryctl       ... done
Stopping harbor-log        ... done
[root@harbor harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting redis       ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done
```
Write a harbor_start.sh script
```
[root@harbor harbor]# vi harbor_start.sh
#!/bin/bash
cd /usr/local/harbor
docker-compose start

// Grant execute permission
[root@harbor harbor]# chmod +x harbor_start.sh
[root@harbor harbor]# ll
total 594172
drwxr-xr-x 3 root root        20 Dec 16 19:01 common
-rw-r--r-- 1 root root      3361 Dec 10 15:42 common.sh
-rw-r--r-- 1 root root      5996 Dec 16 19:04 docker-compose.yml
-rwxr-xr-x 1 root root        56 Dec 16 19:43 harbor_start.sh
-rw-r--r-- 1 root root 608376493 Dec 10 15:42 harbor.v2.3.5.tar.gz
-rw-r--r-- 1 root root      7849 Dec 16 19:04 harbor.yml
-rw-r--r-- 1 root root      7840 Dec 10 15:42 harbor.yml.tmpl
-rwxr-xr-x 1 root root      2500 Dec 10 15:42 install.sh
-rw-r--r-- 1 root root     11347 Dec 10 15:42 LICENSE
-rwxr-xr-x 1 root root      1881 Dec 10 15:42 prepare
```
Add it to the rc.local file
```
[root@harbor harbor]# vim /etc/rc.local
#!/bin/bash
/bin/bash /usr/local/harbor/harbor_start.sh      // add this line
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local

// Grant execute permission
[root@harbor harbor]# chmod +x /etc/rc.local
[root@harbor harbor]# ll /etc/rc.local
lrwxrwxrwx. 1 root root 13 Sep 11  2019 /etc/rc.local -> rc.d/rc.local
```
Restart the host and verify
```
[root@harbor harbor]# reboot
Last login: Thu Dec 16 18:51:17 2021 from 192.168.200.1
[root@harbor ~]# docker ps -a
CONTAINER ID   IMAGE                                COMMAND                    CREATED          STATUS                            PORTS                                   NAMES
284275316b01   goharbor/harbor-jobservice:v2.3.5    "/harbor/entrypoint...."   42 minutes ago   Up 2 seconds (health: starting)                                           harbor-jobservice
cb0c4603a22d   goharbor/nginx-photon:v2.3.5         "nginx -g 'daemon of..."   42 minutes ago   Up 2 seconds (health: starting)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
8ed5937e548a   goharbor/harbor-core:v2.3.5          "/harbor/entrypoint...."   42 minutes ago   Up 4 seconds (health: starting)                                           harbor-core
501795de1f4a   goharbor/harbor-db:v2.3.5            "/docker-entrypoint...."   42 minutes ago   Up 4 seconds (health: starting)                                           harbor-db
f0b7eaf6d883   goharbor/harbor-portal:v2.3.5        "nginx -g 'daemon of..."   42 minutes ago   Up 5 seconds (health: starting)                                           harbor-portal
9513ab79fb65   goharbor/redis-photon:v2.3.5         "redis-server /etc/r..."   42 minutes ago   Up 5 seconds (health: starting)                                           redis
246b97aee305   goharbor/registry-photon:v2.3.5      "/home/harbor/entryp..."   42 minutes ago   Up 4 seconds (health: starting)                                           registry
ec325af742f2   goharbor/harbor-registryctl:v2.3.5   "/home/harbor/start...."   42 minutes ago   Up 5 seconds (health: starting)                                           registryctl
571bcbdc2222   goharbor/harbor-log:v2.3.5           "/bin/sh -c /usr/loc..."   42 minutes ago   Up 5 seconds (health: starting)   127.0.0.1:1514->10514/tcp               harbor-log
```
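The two `docker ps -a` listings (right after installation and right after the reboot) differ only in the STATUS column: "(healthy)" once Harbor is usable, "(health: starting)" while the containers' health checks are still running. The following added example (not from the article) turns that visual check into a script that reports which of the nine Harbor containers are missing or not yet healthy. It reads `docker ps -a --format '{{.Names}}\t{{.Status}}'` rather than the aligned table, which is fragile to parse; the container names come from the article's listing, while the two sample listings and the function names are this example's own.

```python
r"""Check that every Harbor container is up and reports a passing health check.

Added example, not from the original article. Harbor's containers define
Docker HEALTHCHECKs, so `docker ps` shows "(healthy)" once Harbor is
usable and "(health: starting)" right after a reboot.
"""
import re
import shutil
import subprocess

# The nine containers the article's `docker ps -a` shows for Harbor v2.3.5.
HARBOR_CONTAINERS = {
    "harbor-jobservice", "nginx", "harbor-core", "harbor-db", "harbor-portal",
    "redis", "registry", "registryctl", "harbor-log",
}

HEALTH_WORDS = {"healthy": "healthy", "unhealthy": "unhealthy",
                "health: starting": "starting"}


def classify(status):
    """Reduce a `docker ps` STATUS string to one state word."""
    if status.startswith("Up"):
        match = re.search(r"\((healthy|unhealthy|health: starting)\)", status)
        # A running container without a HEALTHCHECK shows just "Up ...".
        return HEALTH_WORDS[match.group(1)] if match else "up"
    if status.startswith("Exited"):
        return "exited"
    if status.startswith("Restarting"):
        return "restarting"
    return "other"  # Created, Paused, Dead, ...


def parse_ps(text):
    """Parse 'name<TAB>status' lines into {name: state}."""
    states = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, status = line.partition("\t")
        states[name.strip()] = classify(status.strip())
    return states


def harbor_report(states, expected=HARBOR_CONTAINERS):
    """Which expected containers are absent, and which exist but are not healthy."""
    present = set(states)
    missing = sorted(expected - present)
    not_ready = sorted(n for n in expected & present if states[n] != "healthy")
    return {"ready": not missing and not not_ready,
            "missing": missing, "not_ready": not_ready}


def probe_local():
    """Run the real command if docker is installed; None otherwise."""
    if not shutil.which("docker"):
        return None
    out = subprocess.run(
        ["docker", "ps", "-a", "--format", "{{.Names}}\t{{.Status}}"],
        capture_output=True, text=True, check=False)
    return harbor_report(parse_ps(out.stdout))


# Constructed sample: the steady state shown in the first listing.
SAMPLE_HEALTHY = "\n".join(
    "%s\tUp 2 minutes (healthy)" % n for n in sorted(HARBOR_CONTAINERS))

# Constructed sample: shortly after a reboot, with two problems added for
# illustration (registry has exited, harbor-log is missing entirely).
SAMPLE_AFTER_REBOOT = """\
harbor-jobservice\tUp 2 seconds (health: starting)
nginx\tUp 2 seconds (health: starting)
harbor-core\tUp 4 seconds (health: starting)
harbor-db\tUp 4 seconds (healthy)
harbor-portal\tUp 5 seconds (healthy)
redis\tUp 5 seconds (healthy)
registry\tExited (1) 3 seconds ago
registryctl\tUp 5 seconds (healthy)
"""

if __name__ == "__main__":
    print(harbor_report(parse_ps(SAMPLE_HEALTHY)))
    print(harbor_report(parse_ps(SAMPLE_AFTER_REBOOT)))
    live = probe_local()
    if live is not None:
        print("this host:", live)
```

A "starting" state right after boot is expected and clears within a minute or two; "exited", "unhealthy" or a missing name is what deserves a look at `docker-compose logs` in /usr/local/harbor.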
Docker Compose syntax
Introduction to docker compose
Structure: Docker Compose divides the containers it manages into three layers:
- project: a complete business unit composed of a set of associated application containers, defined in docker-compose.yml.
- service: an application container, which may in fact consist of several container instances running the same image.
- container: a single container instance.

Docker Compose treats the docker-compose.yml in the working directory as one project. A project contains multiple services; each service defines the image, parameters and dependencies of its containers, and a service can include multiple container instances.

Purpose: rapid orchestration of Docker container clusters.
Common commands and configurations of docker compose
| Command | Description |
|---|---|
| docker-compose ps | List all running containers |
| docker-compose logs | View the service log output |
| docker-compose port http 8080 | Print the public port bound to port 8080 of the http service |
| docker-compose build | Build or rebuild services |
| docker-compose start eureka / docker-compose stop eureka | Start / stop the existing container of the specified service |
| docker-compose rm eureka | Delete the container of the specified service |
| docker-compose up | Build and start the containers |
| docker-compose kill eureka | Stop the container of the specified service by sending SIGKILL |
| docker-compose scale user=3 movie=3 | Set the number of containers per service, given in service=num form |
| docker-compose run web bash | Execute a command in a service |
docker-compose.yml attributes
version: specifies the format version of the docker-compose.yml file.

services: the collection of containers.

build: build configuration. Compose uses it to build the image automatically; it can be a path, or an object that specifies the Dockerfile and its parameters.
```yaml
build: ./dir
```
or
```yaml
build:
  context: ./dir
  dockerfile: Dockerfile
  args:
    buildno: 1
```

command: overrides the default command executed after the container starts.
```yaml
command: bundle exec thin -p 3000          # shell format
```
or
```yaml
command: [bundle, exec, thin, -p, 3000]    # list format
```

dns: configures DNS servers; can be a single value or a list.
```yaml
dns: 8.8.8.8          # single value
```
or
```yaml
dns:                  # list format
  - 8.8.8.8
  - 9.9.9.9
```

environment: environment variables, written either as a mapping or as a list.
```yaml
environment:          # mapping format
  RACK_ENV: development
  SHOW: 'true'
```
or
```yaml
environment:          # list format
  - RACK_ENV=development
  - SHOW=true
```

env_file: reads environment variables from a file; a single path or a list of paths. These have lower priority than variables set under environment.
```yaml
env_file: .env
```
or
```yaml
env_file:
  - ./common.env
```

expose: exposes ports to linked services only, not to the host.
```yaml
expose:
  - "3000"
  - "8000"
```

image: specifies the image the service uses.

network_mode: sets the network mode.
```yaml
network_mode: "bridge"
network_mode: "host"
network_mode: "none"
network_mode: "service:[service name]"
network_mode: "container:[container name/id]"
```

ports: exposed port definitions; the ports listed here are also exposed as with expose.
```yaml
ports:                # "host port:container port"
  - "8763:8763"
```

links: links the specified container to the current service; an alias can be set so that the connection does not break when the container's IP changes after a restart.
```yaml
links:                # service name:alias
  - docker-compose-eureka-server:compose-eureka
```

volumes: volume mount paths.
```yaml
volumes:
  - /lib
  - /var
```
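The environment-related attributes above have a precedence rule that is easy to get wrong: env_file values are loaded first (with later files in the list overriding earlier ones) and entries under environment override all of them. The following added example (not from the article or from Docker Compose itself) implements that resolution for a service definition, accepts both spellings of environment (mapping or list of KEY=value strings) and splits ports strings into (host, container) pairs. The service definition and the env file contents are constructed for the example; a real docker-compose.yml would be loaded with a YAML parser such as PyYAML.

```python
"""Resolve a Compose service's effective environment and port mappings.

Added example, not from the article or from Docker Compose. Implements
the precedence rule: env_file first (later files win), then
`environment` overrides.
"""


def normalize_environment(env):
    """Turn either `environment` form into a dict of str -> str|None.

    A bare 'KEY' entry (no '=') means 'take KEY from the host environment';
    None stands for that unset value here.
    """
    if env is None:
        return {}
    if isinstance(env, dict):
        return {str(k): (None if v is None else str(v)) for k, v in env.items()}
    result = {}
    for item in env:
        key, sep, value = str(item).partition("=")
        result[key] = value if sep else None
    return result


def parse_env_file(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def resolve_environment(service, env_files):
    """Merge env_file contents and `environment` in Compose precedence order.

    env_files maps a path to its text, standing in for reading the files.
    """
    paths = service.get("env_file", [])
    if isinstance(paths, str):
        paths = [paths]
    merged = {}
    for path in paths:                 # processed top to bottom, last file wins
        merged.update(parse_env_file(env_files[path]))
    merged.update(normalize_environment(service.get("environment")))
    return merged


def parse_ports(ports):
    """Split 'host:container' strings; a bare 'container' has no host port."""
    pairs = []
    for spec in ports or []:
        parts = str(spec).split(":")
        if len(parts) == 1:
            pairs.append((None, parts[0]))
        else:
            pairs.append((":".join(parts[:-1]), parts[-1]))
    return pairs


# Constructed service using the attribute forms listed above.
SERVICE = {
    "image": "example/web:1.0",
    "env_file": ["./common.env"],
    "environment": ["RACK_ENV=development", "SHOW=true"],
    "ports": ["8763:8763", "3000"],
}

# Constructed content standing in for ./common.env.
ENV_FILES = {
    "./common.env": "# constructed sample\nRACK_ENV=production\nDB_HOST=db\n",
}

if __name__ == "__main__":
    print(resolve_environment(SERVICE, ENV_FILES))
    print(parse_ports(SERVICE["ports"]))
```

In the sample, RACK_ENV is set to production in the env file but development wins because it is also given under environment, while DB_HOST comes through from the file untouched.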