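Overview:
The official Docker image registry is where public images are managed; anyone can find the images they want there and push their own. Sometimes, however, a server cannot reach the internet, or you do not want to put your own images on the internet. In that case you need a private Docker Registry, which stores and manages your own images. Recently our company packaged all of its projects as images and needed to deploy a private registry service. After several rounds of discussion we chose Docker Harbor. Harbor has a visual web management interface that makes managing Docker images simple and convenient, and it also provides image permission management across multiple projects, among other features.
Harbor architecture components
- Proxy: Harbor's Registry, UI, token and other services sit behind a front reverse proxy, which receives all requests from browsers and Docker clients and forwards them to the different back-end services.
- Registry: stores Docker images and handles Docker push/pull commands. Because users must be access-controlled, meaning different users have different read/write permissions on Docker images, the Registry points to a token service and forces every Docker pull/push request to carry a valid token; the Registry validates the token with the public key.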
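The token check described in the Registry item, as an added example that is not part of the original page or of Harbor's code. It is a simplified RS256 JWT: the key pair is a throwaway one generated on the spot, the claims are constructed from the user and project names used on this page, and the checks a real registry also applies (issuer, audience, expiry, key id) are left out.

```bash
#!/usr/bin/env bash
# Added example: token check as done by a registry, using the token service's public key.
b64url()   { base64 | tr -d '\n=' | tr '/+' '_-'; }
unb64url() {                      # restore padding, then decode
  s=$(tr '_-' '/+'); while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Token service side: sign "header.payload" with the private key (RS256).
issue_token() {                   # $1 = private key file, $2 = JSON claims
  h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  p=$(printf '%s' "$2" | b64url)
  sig=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$h" "$p" "$sig"
}

# Registry side: check the signature over "header.payload" with the public key.
# Prints the claims and returns 0 only when the signature is valid.
verify_token() {                  # $1 = public key file, $2 = token
  h=${2%%.*}; rest=${2#*.}; p=${rest%%.*}; sig=${rest#*.}
  sigfile=$(mktemp)
  printf '%s' "$sig" | unb64url > "$sigfile"
  if printf '%s.%s' "$h" "$p" |
     openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  then rm -f "$sigfile"; printf '%s' "$p" | unb64url
  else rm -f "$sigfile"; return 1
  fi
}

# Throwaway key pair and constructed claims (user and project names as used on this page).
make_keys() {                     # $1 = directory for token.key / token.pub
  openssl genrsa -out "$1/token.key" 2048 2>/dev/null &&
  openssl rsa -in "$1/token.key" -pubout -out "$1/token.pub" 2>/dev/null
}
CLAIMS='{"sub":"asd","access":[{"type":"repository","name":"cccoooo/cirros","actions":["pull"]}]}'

k=$(mktemp -d) && make_keys "$k"
tok=$(issue_token "$k/token.key" "$CLAIMS")
verify_token "$k/token.pub" "$tok" && echo "  <- signature valid, pull allowed"
# Rewriting the payload to add "push" without the private key breaks the signature.
forged="${tok%%.*}.$(printf '%s' "$CLAIMS" | sed 's/"pull"/"pull","push"/' | b64url).${tok##*.}"
verify_token "$k/token.pub" "$forged" || echo "forged token rejected"
rm -rf "$k"
```

The registry only ever holds the public key, so it can check tokens but cannot mint them; that stays with the token service.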
Environment:
Two hosts:
192.168.50.66     master       server
192.168.50.53     lbin-nfs     client
Perform the same steps on both hosts
Disable the firewall
[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
Change the hostname
[root@localhost ~]# hostname master
[root@localhost ~]# bash
Create a directory for the Docker RPM packages
[root@master ~]# mkdir docker
Import the docker-ce packages
[root@master docker]# ll
總用量 97596
-rw-r--r--. 1 root root 30374084 9月  18 2020 containerd.io-1.3.7-3.1.el7.x86_64.rpm
-rw-r--r--. 1 root root    40816 7月   6 2020 container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
-rw-r--r--. 1 root root   302564 5月  14 2020 device-mapper-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   195448 5月  14 2020 device-mapper-event-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   195004 5月  14 2020 device-mapper-event-libs-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   331908 5月  14 2020 device-mapper-libs-1.02.164-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root   432624 4月   4 2020 device-mapper-persistent-data-0.8.5-2.el7.x86_64.rpm
-rw-r--r--. 1 root root 25268380 9月  18 2020 docker-ce-19.03.13-3.el7.x86_64.rpm
-rw-r--r--. 1 root root 40247476 10月  9 2020 docker-ce-cli-19.03.13-3.el7.x86_64.rpm
-rw-r--r--. 1 root root  1384208 5月  14 2020 lvm2-2.02.186-7.el7_8.2.x86_64.rpm
-rw-r--r--. 1 root root  1143916 5月  14 2020 lvm2-libs-2.02.186-7.el7_8.2.x86_64.rpm
[root@localhost docker]# yum -y install *.rpm
[root@localhost docker]# cd
Start the service
[root@localhost ~]# systemctl start docker
[root@localhost ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Configure the Alibaba Cloud registry mirror
[root@localhost ~]# cat << END > /etc/docker/daemon.json
> {
>         "registry-mirrors":[ "https://nyakyfun.mirror.aliyuncs.com" ]
> }
> END
Restart the service
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
Get the Docker Compose tool.
[root@localhost ~]# rz
[root@localhost ~]# mv docker-compose /usr/bin
[root@localhost ~]# chmod +x /usr/bin/docker-compose
[root@localhost ~]# docker-compose --version
docker-compose version 1.21.1, build 5a3f1a3
Harbor configuration (server)
[root@master ~]# tar xf harbor-offline-installer-v1.6.1.tgz
[root@master ~]# cd harbor
[root@master harbor]# tree
bash: tree: 未找到命令
[root@master harbor]# yum -y install tree
[root@master harbor]# tree ha
ha
├── docker-compose.clair.tpl
├── docker-compose.clair.yml
├── docker-compose.tpl
├── docker-compose.yml
├── initial-registry.sql
└── sample
    ├── active_active
    │   ├── check.sh
    │   └── keepalived_active_active.conf
    └── active_standby
        ├── check_harbor.sh
        └── keepalived_active_standby.conf
[root@master ]# vim /root/harbor/harbor.cfg
Set the hostname on line 7 of harbor.cfg:
hostname = 192.168.50.66
[root@master harbor]# sh install.sh
If it reports an error, change the following file
[root@master harbor]# cat ha/initial-registry.sql
CREATE DATABASE IF NOT EXISTS `registry` CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';
Success
Check
[root@master harbor]# docker-compose ps
       Name                     Command                  State                    Ports
----------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp,
                                                                     0.0.0.0:4443->4443/tcp,
                                                                     0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
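Access from a browser
If everything is working, you should be able to open the management page at 192.168.50.66 in a browser. The default administrator username and password are admin/Harbor12345.
Create a new project
- After logging in with the username and password, you can create a new project. Click the "+ Project" button.
Click the "OK" button; the project is created.
You can now use Docker commands on the Harbor host itself to log in and push images through 127.0.0.1. By default, the Registry server listens on port 80.
Log in to Harbor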
[root@master harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pull an image for testing
[root@master harbor]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
Tag the image
[root@master harbor]# docker tag cirros 127.0.0.1/cccoooo/cirros:v1
Push to Harbor
[root@master harbor]# docker push 127.0.0.1/cccoooo/cirros:v1
The push refers to repository [127.0.0.1/cccoooo/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
v1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
Check that it is there
[root@master harbor]# docker images
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
127.0.0.1/cccoooo/cirros        v1                  f9cae1daf5f6        2 years ago         12.6MB
Refresh the page to check
Pushing an image from the client
Edit the configuration file (line 14 of the unit file)
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.50.66
Restart the service
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
Log in
First form
[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 http://192.168.50.66
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Second form
[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 192.168.50.66
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
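An audit sketch for the two client-side settings this walkthrough leaves behind, the `--insecure-registry` flag and the login that Docker warns is stored unencrypted. It is an added example, not part of the original page; the function names are hypothetical, the sample files are constructed to mirror the values used above, and the JSON handling is a plain-text scan rather than a full parser.

```bash
#!/usr/bin/env bash
# Added example: audit a Docker client host for two settings used in this walkthrough.

# Registries dockerd will talk to without TLS verification, taken from ExecStart
# flags in the unit file ($1) and from "insecure-registries" in daemon.json ($2).
insecure_registries() {
  {
    [ -f "$1" ] && grep -E '^ExecStart=' "$1" |
      grep -oE -e '--insecure-registry[= ]+[^ ]+' |
      sed -E 's/^--insecure-registry[= ]+//'
    [ -f "$2" ] && tr -d '\n\t ' < "$2" |
      grep -oE '"insecure-registries":\[[^]]*\]' |
      grep -oE '"[^"]+"' | tr -d '"' | grep -v '^insecure-registries$'
  } | sort -u
}

# "registry<TAB>user" for every login that config.json ($1) holds as base64 of
# user:password. With a credential store in use there is no "auth" value to find.
plaintext_logins() {
  [ -f "$1" ] || return 0
  tr -d '\n\t ' < "$1" | grep -oE '"[^"]+":\{"auth":"[^"]+"' |
  while IFS= read -r entry; do
    reg=${entry#\"}; reg=${reg%%\"*}
    b64=${entry##*\"auth\":\"}; b64=${b64%\"}
    user=$(printf '%s' "$b64" | base64 -d 2>/dev/null | cut -d: -f1)
    printf '%s\t%s\n' "$reg" "$user"
  done
}

# Constructed sample files that mirror the settings used on this page ($1 = directory).
make_samples() {
  printf '%s\n' '[Service]' 'ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.50.66' > "$1/docker.service"
  printf '{\n\t"registry-mirrors": [ "https://nyakyfun.mirror.aliyuncs.com" ]\n}\n' > "$1/daemon.json"
  printf '{\n\t"auths": {\n\t\t"192.168.50.66": {\n\t\t\t"auth": "%s"\n\t\t}\n\t}\n}\n' \
    "$(printf 'admin:Harbor12345' | base64)" > "$1/config.json"
}

d=$(mktemp -d) && make_samples "$d"
echo "insecure registries: $(insecure_registries "$d/docker.service" "$d/daemon.json")"
echo "stored logins:       $(plaintext_logins "$d/config.json")"
rm -rf "$d"
```

On a real host the three inputs are /usr/lib/systemd/system/docker.service, /etc/docker/daemon.json and ~/.docker/config.json. The "auth" value is only base64, which is why the login output recommends `--password-stdin` together with a credential helper.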
Pull an image for testing
[root@lbin-nfs ~]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
Tag it
[root@lbin-nfs ~]# docker tag cirros 192.168.50.66/cccoooo/cirros:v22
Push
[root@lbin-nfs ~]# docker push 192.168.50.66/cccoooo/cirros:v22
The push refers to repository [192.168.50.66/cccoooo/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
v22: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
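Check in the browser
Day-to-day Harbor management
When you click "+ Project", fill in the project name according to your naming convention. Project level: leave the box unchecked for private (checking it makes the project "public"). If the project is set as a public repository, everyone has read access to the images under it, images can be pulled from the command line without running "docker login", and image operations work the same as with Docker Hub.
Create a user
Set permissions
First log out of the current user, then log in with the account created above.
Log out
[root@lbin-nfs ~]# docker logout 192.168.50.66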
Removing login credentials for 192.168.50.66
Log in
[root@lbin-nfs ~]# docker login 192.168.50.66
Username: asd
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pull the v1 image
[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1
Error response from daemon: pull access denied for 192.168.50.66/cccoooo/cirros, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1
v1: Pulling from cccoooo/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for 192.168.50.66/cccoooo/cirros:v1
192.168.50.66/cccoooo/cirros:v1
Check
[root@lbin-nfs ~]# docker images
REPOSITORY                     TAG                 IMAGE ID            CREATED             SIZE
postgres                       latest              07e2ee723e2d        19 months ago       374MB
mysql                          5.6                 dd3b2a5dcb48        19 months ago       303MB
redis                          alpine              3900abf41552        20 months ago       32.4MB
192.168.50.66/cccoooo/cirros   v1                  f9cae1daf5f6        2 years ago         12.6MB
View the logs
Managing Harbor
You can use docker-compose to manage Harbor. Some useful commands are shown below (they must be run in the same directory as docker-compose.yml).
Stop/start/restart Harbor
[root@master harbor]# docker-compose stop | start | restart