Installing Docker CE and Harbor on Ubuntu

Posted by witty on Sat, 25 Apr 2020 03:08:50 +0200

## Docker CE installation

Recommended system version: Ubuntu 16.04

Official installation document link: https://docs.docker.com/install/linux/docker-ce/ubuntu/#prerequisites

Install the version that matches the system automatically:

apt-get install -y docker.io

Search the available package versions on Ubuntu:

apt-cache madison kubeadm

## Installation steps

The installation steps in the shell are as follows. If Kubernetes is going to be used, version 17.03 is recommended (this recommendation comes from the official K8S documentation: https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-docker).

apt-get update
apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository \
   "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

Then run the docker info command. If the installation succeeded, you should see the details of the installed Docker.

Installing from the official repository can be slow; you can instead use a domestic mirror such as Alibaba's.

Ubuntu 14.04 / 16.04 (install using apt-get):

# step 1: install some necessary system tools
apt-get update
apt-get -y install apt-transport-https ca-certificates curl software-properties-common
# step 2: install GPG certificate
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | apt-key add -

# Or use Tsinghua's source
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | apt-key add -
# Step 3: write software source information
add-apt-repository "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -cs) stable"

# add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
# Step 4: update and install docker CE
apt-get -y update
apt-get -y install docker-ce

# Install a specific version of Docker-CE:
# Step 1: list the available docker-ce versions:
# apt-cache madison docker-ce
#   docker-ce | 17.03.1~ce-0~ubuntu-xenial | http://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial/stable amd64 Packages
#   docker-ce | 17.03.0~ce-0~ubuntu-xenial | http://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial/stable amd64 Packages
# Step 2: install the chosen docker-ce version (for example, 17.03.1~ce-0~ubuntu-xenial from the list above)
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

CentOS 7 (install using yum)

# step 1: install some necessary system tools
yum install -y yum-utils device-mapper-persistent-data lvm2 ca-certificates
# Step 2: add software source information
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#Or use the image of Tsinghua University
yum-config-manager --add-repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
# Step 3: update and install docker CE
yum makecache fast
yum -y install docker-ce
# Step 4: open Docker service
sudo service docker start

# Note:
# The official repository only enables the latest (stable) channel by default; packages of other
# versions can be obtained by editing the repository file. For example, the test channel is not
# enabled by default and can be enabled as follows. The edge channel is enabled the same way.
# vim /etc/yum.repos.d/docker-ce.repo
#   Change enabled=0 under [docker-ce-test] to enabled=1
# Or run: yum-config-manager --enable docker-ce-edge
# Or: yum-config-manager --enable docker-ce-test
# Install a specific version of Docker-CE:
# Step 1: list the available docker-ce versions:
# yum list docker-ce.x86_64 --showduplicates | sort -r
#   Loading mirror speeds from cached hostfile
#   Loaded plugins: branch, fastestmirror, langpacks
#   docker-ce.x86_64            17.03.1.ce-1.el7.centos            docker-ce-stable
#   docker-ce.x86_64            17.03.1.ce-1.el7.centos            @docker-ce-stable
#   docker-ce.x86_64            17.03.0.ce-1.el7.centos            docker-ce-stable
#   Available Packages
# Step 2: install the chosen docker-ce version (for example, 17.03.0.ce-1.el7.centos from the list above):
# sudo yum -y install docker-ce-[VERSION]

## Harbor installation

Harbor is an enterprise-grade registry server used to store and manage Docker images. It mainly provides a web management interface for the Docker Registry, supports image replication between multiple registries, and provides advanced security features such as user management, access control and activity auditing.

Harbor can be installed in two ways: with the online installer or with the offline installer. Because the package is relatively large, the offline installer is recommended. Official download address: https://github.com/vmware/harbor/releases ; the domestic mirror http://harbor.orientsoft.cn can also be used for the download.

wget http://harbor.orientsoft.cn/harbor-v1.4.0/harbor-offline-installer-v1.4.0.tgz

After downloading, extract the offline installation package.

### Generate a free TLS certificate

You can apply for a free certificate online at https://freessl.org. If you own a domain name, you can use DNS verification, which requires adding a TXT record for the domain.

Click verify to get the following information:

Save the returned certificate and key on the server as /data/harbor_cert/server.crt and /data/harbor_cert/server.key respectively.

### Install docker-compose

Harbor is managed with docker-compose, so the docker-compose tool must be installed in advance.

apt-get install python-pip -y && pip install docker-compose

### Modify the configuration file

The configuration file is harbor.cfg:

## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
##The domain name you want to use is modified here. This article uses the existing domain name.
hostname = harbor.jdpoc.com

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
#If you have a TLS certificate, you can configure it here as https
ui_url_protocol = https

#Maximum number of job workers in job service  
#Number of background task processes,
max_job_workers = 5 

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key 
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
#Configure https certificate location here
ssl_cert = /data/harbor_cert/server.crt
ssl_cert_key = /data/harbor_cert/server.key

#The path of secretkey storage
#Key storage location
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. 
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G 
#are all valid.
log_rotate_size = 200M

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties 
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity = 

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts. 
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
#Configure the administrator password for the harbor web UI
harbor_admin_password = Harbor12345

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
#The authentication mode is configured here. The default is db_auth, which is mysql authentication. It also supports local file or LDAP authentication.
auth_mode = db_auth

#The url for an ldap endpoint.
#LDAP access address
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server. 
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#LDAP/AD basic query location unit
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD  
ldap_uid = uid 

#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2 

#Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

#Verify certificate from LDAP server
ldap_verify_cert = true

#Turn on or off the self-registration feature
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project. 
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######

#The address of the Harbor database. Only need to change when using external db.
#Configuration information of harbor MySQL database
db_host = mysql

#The password for the root user of Harbor DB. Change this before any production use.
db_password = root123

#The port of Harbor database host
db_port = 3306

#The user name of Harbor database
db_user = root

##### End of Harbor DB configuration#######

#The redis server address. Only needed in HA installation.
redis_url =

##########Clair DB configuration############

#Clair DB host address. Only change it when using an external DB.
clair_db_host = postgres

#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password

#Clair DB connect port
clair_db_port = 5432

#Clair DB username
clair_db_username = postgres

#Clair default database
clair_db = postgres

##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem


### Docker Registry setting ###
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
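As an added example (not part of the original post or of the Harbor project), the following Python script parses a harbor.cfg like the one above and flags the shipped defaults and weak settings that should be changed before install.sh is run; the sample config is constructed from the values shown above, and the plain "key = value" layout is assumed to be the only format present.

```python
# Added example (not from the original post or the Harbor project): flag the shipped defaults
# and weak settings in a harbor.cfg like the one above before running install.sh. Stdlib only.
import re

# Assumed format: "key = value" lines and '#' comments, exactly as in the harbor.cfg above.
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Values shipped in the template that must not survive into a deployment.
WEAK_DEFAULTS = {
    "harbor_admin_password": "Harbor12345",
    "db_password": "root123",
    "clair_db_password": "password",
}

# Constructed sample: the relevant lines of the harbor.cfg shown above.
SAMPLE_CFG = """\
hostname = harbor.jdpoc.com
ui_url_protocol = https
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
db_password = root123
clair_db_password = password
"""

def parse_cfg(text):
    """Return key/value pairs, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def audit(text):
    """Return one finding per risky setting; an empty list means the file passed."""
    cfg = parse_cfg(text)
    findings = []
    for key, default in WEAK_DEFAULTS.items():
        if cfg.get(key) == default:
            findings.append(f"{key} still uses the shipped default")
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append("ui_url_protocol is not https: logins and tokens travel in clear text")
    if cfg.get("self_registration", "on") == "on":
        findings.append("self_registration is on: anyone reaching the UI can create an account")
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        findings.append("project_creation_restriction lets every user create projects")
    if cfg.get("auth_mode") == "ldap_auth" and cfg.get("ldap_verify_cert", "true") != "true":
        findings.append("ldap_verify_cert is off: the LDAP server certificate is not checked")
    return findings
```

Running audit(SAMPLE_CFG) on the configuration above reports the three default passwords, open self-registration and unrestricted project creation.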

### Run install.sh

After extracting Harbor and modifying the configuration file, run install.sh:

/opt/harbor/install.sh

The following is shown after a successful installation:

Configure DNS:

Visit https://harbor.jdpoc.com ; it can be accessed normally and Chrome reports the connection as secure. Here is the page:

The user name is admin and the default password is Harbor12345. If it was changed in the configuration file, use the password configured there.

After logging in:

### Harbor's daily operation and maintenance

Harbor's daily operation and maintenance is done with docker-compose. Harbor itself consists of multiple service processes, which run in Docker containers and can be viewed with the docker ps command.

#### Daily maintenance commands

# Start services
docker-compose start
# Stop services
docker-compose stop
# Restart services
docker-compose restart
# Restart after modifying the configuration file. By default, if the service containers already exist, docker-compose up stops and recreates them (preserving the mounted volumes) so that changes to docker-compose.yml take effect.
docker-compose up -d

### How to use Harbor

#### Create a project

Log in to the Harbor website and create a project. You can choose whether to make it public; if it is not public, other users cannot access it.

#### Harbor local settings

Copy the certificate obtained earlier (server.crt) to /etc/docker/certs.d/harbor.jdpoc.com:

mkdir -p /etc/docker/certs.d/harbor.jdpoc.com
cp /data/harbor_cert/server.crt /etc/docker/certs.d/harbor.jdpoc.com/

Then test whether the login is successful:

docker login harbor.jdpoc.com

Then enter the user name and password. If the certificate configuration is correct, you will be told that the login succeeded.

Download a test image from Docker Hub and re-tag it for the Harbor project:

docker pull alpine:latest && docker tag alpine:latest harbor.jdpoc.com/poctest/alpine:latest

The local images now look as follows:

Then push to the repository project we created:

docker push harbor.jdpoc.com/poctest/alpine:latest 

The push succeeds.

To pull an image, for example the poctest/photon:1.0 image that exists under the admin account:

docker pull harbor.jdpoc.com/poctest/photon:1.0

View the image:

Of course, it can also be seen on the web page:

#### Client setup

Clients are configured in the same way as the local host, that is:

  1. The client creates the /etc/docker/certs.d/harbor.jdpoc.com directory.
  2. Copy the crt certificate for the domain name harbor.jdpoc.com into that directory.
  3. After docker login harbor.jdpoc.com, images can be pushed and pulled.

#### Access rights management

Harbor users are a simple authentication mechanism: after creating users in Harbor's user management interface, they can be assigned different rights in each project.

This provides multi-user permission control.

#### Some Harbor pitfalls

##### Modifying the database password

After Harbor is installed for the first time, the MySQL data is stored in the /data/database folder. If you want to change the MySQL root password (whether you reinstall or not), you must delete /data/database first; otherwise the UI container keeps reporting "Access denied", and reinstalling the image does not fix it. It is strongly recommended to configure all environment parameters in advance to avoid later changes.

##### Nginx port

Harbor's nginx port is mapped to port 80 of the host. If you don't want port 80 to be occupied, for example to replace port 80 with 9999, modify the docker-compose.yml file:

proxy:
    image: nginx:1.9
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx
    ports:
      - 9999:80
      - 443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log

The common/templates/registry/config.yml file must also be modified:

auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:9999/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service

After modification, run sudo ./prepare to regenerate the configuration files.
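As an added example (not from the original post or the Harbor project), the following Python check reads both files and confirms that the host port nginx publishes and the port in the token realm agree, since a mismatch leaves clients unable to obtain registry tokens after the port change; the sample texts are constructed from the snippets above, and the simple line layout of the two files is an assumption.

```python
# Added example (not from the original post or the Harbor project): verify that the host port
# nginx publishes in docker-compose.yml matches the port in the token realm of
# common/templates/registry/config.yml; the two must be changed together, as noted above.
import re

# Assumed layouts: "- HOST:CONTAINER" entries under "ports:" of the proxy service, and a
# "realm: $ui_url[:PORT]/service/token" line in the registry template.
_PORT_MAP = re.compile(r'^-\s*"?(\d+):(\d+)"?$')
_REALM = re.compile(r"^\s*realm:\s*\$ui_url(?::(\d+))?/service/token\s*$")

# Constructed samples, taken from the snippets shown above.
SAMPLE_COMPOSE = "proxy:\n    image: nginx:1.9\n    ports:\n      - 9999:80\n      - 443:443\n    depends_on:\n      - ui\n"
SAMPLE_REGISTRY = "auth:\n  token:\n    realm: $ui_url:9999/service/token\n    service: token-service\n"

def proxy_http_port(compose_text):
    """Host port mapped onto the nginx container's port 80, or None if not found."""
    proxy_indent = None
    in_ports = False
    for line in compose_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if proxy_indent is None:
            if stripped == "proxy:":
                proxy_indent = indent
            continue
        if indent <= proxy_indent:  # left the proxy service block
            break
        if stripped == "ports:":
            in_ports = True
            continue
        m = _PORT_MAP.match(stripped)
        if in_ports and m:
            if m.group(2) == "80":
                return int(m.group(1))
        elif in_ports:
            in_ports = False  # the ports list ended (e.g. at "depends_on:")
    return None

def realm_port(registry_text):
    """Port in the token realm; assumes the default port-80 mapping when none is given."""
    for line in registry_text.splitlines():
        m = _REALM.match(line)
        if m:
            return int(m.group(1) or 80)
    return None

def ports_consistent(compose_text, registry_text):
    """True only when clients are sent for tokens to the port nginx really listens on."""
    host_port = proxy_http_port(compose_text)
    return host_port is not None and host_port == realm_port(registry_text)
```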

##### Modify the registry port (optional)

By convention, port 5000 is exposed for the registry: modify the docker-compose.yml file and add a ports attribute to the registry node. The steps are the same as for modifying the Nginx configuration.

##### Setting the trust list

Docker talks to registries over HTTPS by default, while Harbor is accessed over HTTP by default. If you do not configure an HTTPS certificate, docker login fails with the following error:

Error response from daemon: Get https://xx.xxx.xx.xx/v1/users/: dial tcp xx.xxx.xx.xx:443:getsockopt: connection refused

In that case you need to modify the Docker startup file. Under Ubuntu 16.04 it is /lib/systemd/system/docker.service:

# Modified; original: ExecStart=/usr/bin/dockerd -H fd://
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry xx.xxx.xx.xx:5000

Then execute the command:

sudo systemctl daemon-reload
sudo systemctl restart docker
