Deploying and Using Harbor
2020-03-26 20:18:52
晏顺
- Base environment
root@k8s:/home/k8s/harbor# docker -v
Docker version 18.09.7, build 2d0083d
root@k8s:/home/k8s/harbor# docker-compose -v
docker-compose version 1.22.0, build f46880fe
- Download the offline installer package:
wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
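- After extracting, enter the harbor directory and configure harbor.yml. The main adjustments are the hostname, the listening ports and the HTTPS certificate parameters.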
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 10.1.10.130

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8880

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/dcerts/http.crt
  private_key: /opt/dcerts/http.key

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
Appendix: generating a self-signed certificate
openssl genrsa -out private/cakey.pem 2048
openssl genrsa -out /opt/dcerts/cakey.pem 2048
openssl req -x509 -new -key /opt/dcerts/cakey.pem -out cacert.pem -days 3650
(umask 077; openssl genrsa -out http.key 2048 )
openssl req -new -key http.key -out http.csr
openssl x509 -req -days 365 -in http.csr -signkey http.key -out http.crt
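- Run ./install.sh to install Harbor.
- Browse to the configured address/hostname and log in to the Harbor UI.
- Logging in to the image registry reports the following error: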
docker login 10.1.10.130:8880
Username: admin
Password:
Error response from daemon: Get https://10.1.10.130/v2/: x509: cannot validate certificate for 10.1.10.130 because it doesn't contain any IP SANs
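On the server where Harbor is installed, in the installation directory, add ports: - 5000:5000 to the registry service (Harbor is managed by docker-compose, so go into the harbor directory and look at docker-compose.yml).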
registry:
  image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.2
  container_name: registry
  restart: always
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETGID
    - SETUID
  volumes:
    - /data/registry:/storage:z
    - ./common/config/registry/:/etc/registry/:z
    - type: bind
      source: /data/secret/registry/root.crt
      target: /etc/registry/root.crt
  networks:
    - harbor
  ports:
    - 5000:5000
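Also add insecure-registries: harbor_IP to the Docker configuration on both the Harbor host and the client. The Docker service must be restarted for the change to take effect.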
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["http://hub-mirror.c.163.com"],
  "insecure-registries": ["10.1.10.130:8880"]
}
The client uses Docker Desktop, where the setting is changed in the following screen.
Restart Harbor's docker-compose services and check their status.
root@k8s:/home/k8s/harbor# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting portal ... done
Starting redis ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
root@k8s:/home/k8s/harbor# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up (health: starting)
harbor-db /docker-entrypoint.sh Up (health: starting) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice Up (health: starting)
...
harbor-log /bin/sh -c /usr/local/bin/ Up (healthy) 127.0.0.1:1514->10514/tcp
...
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (health: starting) 0.0.0.0:8880->8080/tcp,
0.0.0.0:443->8443/tcp
redis redis-server /etc/redis.conf Up (health: starting) 6379/tcp
registry /home/harbor/entrypoint.sh Up (health: starting) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
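The x509 error in the login step above arises because the certificate from the appendix is self-signed with -signkey and carries no subjectAltName. An alternative to insecure-registries, which makes Docker skip certificate verification for that registry, is to issue the certificate from the CA with an IP SAN. This is an added example, not part of the original post; the file names ca.key, ca.crt, ca.cnf, san.ext and the function names make_harbor_cert and cert_has_ip_san are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names (ca.key, ca.crt, ca.cnf,
# san.ext) and both function names are assumptions chosen for illustration.

# make_harbor_cert OUTDIR IP: create a private CA and a server certificate
# whose subjectAltName carries the registry IP.
make_harbor_cert() {
    outdir=$1; ip=$2
    mkdir -p "$outdir" || return 1
    (
        cd "$outdir" || exit 1
        umask 077   # files created below are readable by their owner only
        # Own minimal config, so the result does not depend on the system openssl.cnf.
        cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Harbor CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # Server extensions: the IP SAN is the field the Docker client checks.
        printf 'subjectAltName = IP:%s\nbasicConstraints = CA:FALSE\n' "$ip" > san.ext
        # CA key and cert, server key and CSR, then sign the CSR with the CA key
        # (not -signkey) and attach the SAN extension.
        openssl genrsa -out ca.key 2048 2>/dev/null &&
        openssl req -x509 -new -key ca.key -config ca.cnf -days 3650 -out ca.crt &&
        openssl genrsa -out http.key 2048 2>/dev/null &&
        openssl req -new -key http.key -config ca.cnf -subj "/CN=$ip" -out http.csr &&
        openssl x509 -req -in http.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -sha256 -extfile san.ext -out http.crt 2>/dev/null
    )
}

# cert_has_ip_san CERT IP: succeed only if CERT lists IP in its subjectAltName.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

# Use on the Harbor host (directory as in harbor.yml above):
#   make_harbor_cert /opt/dcerts 10.1.10.130
#   openssl verify -CAfile /opt/dcerts/ca.crt /opt/dcerts/http.crt
# On each Docker client, trust the CA for this registry only, then use port 443:
#   mkdir -p /etc/docker/certs.d/10.1.10.130
#   cp ca.crt /etc/docker/certs.d/10.1.10.130/ca.crt
#   docker login 10.1.10.130
```

With the CA installed under /etc/docker/certs.d on the client, the insecure-registries entry and the extra 5000:5000 port mapping are not needed for the HTTPS endpoint.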
- Push a local image to the Harbor registry.
docker login 10.1.10.130:8880
Username: admin
Password:
Login Succeeded
docker tag nginxplus 10.1.10.130:8880/nginxplus/nginx-plus:latest
docker push 10.1.10.130:8880/nginxplus/nginx-plus
The push refers to repository [10.1.10.130:8880/nginxplus/nginx-plus]
5f4c53cffb62: Pushed
6acd865cd4d2: Pushed
8d58d7c09654: Pushed
ccbdea1e9200: Pushed
c93644b5d9c3: Pushed
e0db3ba0aaea: Pushed
latest: digest: sha256:2e176d3c15231f345fd07c518d97d25e13457dfd8447872fef70735e0d9722da size: 1572
- Pull images from Harbor
8.1 Pull and run with docker:
docker run -d -p 8888:80 10.1.10.130:8880/web/blue
Unable to find image '10.1.10.130:8880/web/blue:latest' locally
latest: Pulling from web/blue
Digest: sha256:6fb5c7707f99eaad516ca651d44b13c801a3cf49a5b89d5a12d7d0c946421653
Status: Downloaded newer image for 10.1.10.130:8880/web/blue:latest
C22a6917b4a71c9ba3dc4ca9d34619a60de1ce524baa348e1ff7a13f45351b3b
8.2 Run in Kubernetes
kubectl create secret docker-registry registry-secret --namespace=default --docker-server=http://10.1.10.130:8880 --docker-username=admin --docker-password=Harbor12345 --docker-email=username@abcd.com
secret/registry-secret created
k8s@k8s:~/harbor$ kubectl get secret registry-secret --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
{"auths":{"http://10.1.10.130:8880":{"username":"admin","password":"Harbor12345","email":"username@abcd.com","auth":"YWRtaW46SGFyYm9yMTIzNDU="}}}
more green.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: green
  name: green
spec:
  replicas: 1
  selector:
    matchLabels:
      app: green
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: green
    spec:
      containers:
      - image: 10.1.10.130:8880/web/green:latest
        name: green
      imagePullSecrets:
      - name: registry-secret
kubectl apply -f green.yaml
deployment.apps/green created
kubectl expose deployment green --port=80 --type=NodePort
service/green exposed
k8s@k8s:~/harbor$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
green NodePort 10.110.231.31 <none> 80:31721/TCP 4s