Jenkins (7) - Docker Harbor

Published: 2025-05-22

Harbor

Download the Harbor v2.10.1 offline installer package.

Extract

Extract to /home/tester/app/

$ ls -l
total 633784
-rw-r--r-- 1 tester tester     11347 Mar 13 18:01 LICENSE
drwxr-xr-x 3 root   root        4096 Apr  7 11:42 common
-rw-r--r-- 1 tester tester      3643 Mar 13 18:01 common.sh
-rw-r--r-- 1 root   root        5845 Apr  7 11:54 docker-compose.yml
-rw-r--r-- 1 tester tester 648902394 Mar 13 18:01 harbor.v2.10.1.tar.gz
-rw-r--r-- 1 tester tester     14013 Apr  7 11:36 harbor.yml.tmpl
-rwxr-xr-x 1 tester tester      1975 Mar 13 18:01 install.sh
-rwxr-xr-x 1 tester tester      1882 Mar 13 18:01 prepare

Configure Harbor

  • Generate harbor.yml
$ cp harbor.yml.tmpl harbor.yml
  • Edit hostname and http.port in harbor.yml; set hostname to this machine's IP.
# ...
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#hostname: reg.mydomain.com
hostname: 192.168.56.102
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
#  port: 80
  port: 5100
# If HTTPS is not used, comment out the https section; otherwise the installation fails with: ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
# https related config
#https:
  # https port for harbor, default is 443
  #  port: 443
  # The path of cert and key files for nginx
  #  certificate: /your/certificate/path
  #  private_key: /your/private/key/path
  # enable strong ssl ciphers (default: false)
  # strong_ssl_ciphers: false
...

Install Harbor

  • As a non-root user, install with sudo: sudo ./install.sh
$ sudo ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 24.0.7

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.21.0

[Step 2]: loading Harbor images ...

...

[Step 5]: starting Harbor ...
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                                    0.2s 
 ✔ Container harbor-log         Started                                                                                    0.2s 
 ✔ Container registry           Started                                                                                    0.2s 
 ✔ Container registryctl        Started                                                                                    0.2s 
 ✔ Container harbor-db          Started                                                                                    0.2s 
 ✔ Container redis              Started                                                                                    0.2s 
 ✔ Container harbor-portal      Started                                                                                    0.3s 
 ✔ Container harbor-core        Started                                                                                    0.1s 
 ✔ Container harbor-jobservice  Started                                                                                    0.1s 
 ✔ Container nginx              Started                                                                                    0.2s 
✔ ----Harbor has been installed and started successfully.---
$ cat << EOF | sudo tee /etc/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=docker compose --file /home/tester/app/harbor/docker-compose.yml up
ExecStop=docker compose --file /home/tester/app/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target
EOF

Verify Harbor

http://192.168.56.102:5100
The default credentials admin/Harbor12345 can be found in harbor.yml

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

Create a Harbor user

  • Users -> New User
    username: tester
    password: Tester123456
  • Set as administrator

Remote command-line login

$ sudo docker login 192.168.56.102:5100
Username: tester
Password: 
WARNING! Your password will be stored unencrypted in /home/tester/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

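Verify local push

Create a custom project
ProjectName: p_pub,
Access Level: Public

  • Public: all users have read access to a public project, so this is a way to share repositories with others.
  • Private: a private project can be accessed only by users who have been granted specific permissions.
    PUSH COMMAND gives the commands for tagging and pushing
    docker tag SOURCE_IMAGE[:TAG] 192.168.56.102:5100/p_pub/REPOSITORY[:TAG]
    docker push 192.168.56.102:5100/p_pub/REPOSITORY[:TAG]

Grant user tester permission to push to and pull from the p_pub repository.
The Members diagram on the official site describes what each role can do.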

$ sudo docker pull hello-world
[sudo] password for tester: 
Using default tag: latest
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete 
Digest: sha256:53641cd209a4fecfc68e21a99871ce8c6920b2e7502df0a20671c6fccc73a7c6
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest

$ sudo docker images
REPOSITORY                              TAG       IMAGE ID       CREATED         SIZE
192.168.56.102:5100/p_pub/hello-world   v1.0      d2c94e258dcb   11 months ago   13.3kB
hello-world                             latest    d2c94e258dcb   11 months ago   13.3kB
# Tag the image so it can be pushed to the private registry
$ sudo docker tag hello-world:latest 192.168.56.102:5100/p_pub/hello-world:v1.0
# Push to the private registry
$ sudo docker push 192.168.56.102:5100/p_pub/hello-world:v1.0
The push refers to repository [192.168.56.102:5100/p_pub/hello-world]
ac28800ec8bb: Pushed 
v1.0: digest: sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7 size: 524

Verify local pull

# Remove the existing image
$ sudo docker rmi 192.168.56.102:5100/p_pub/hello-world:v1.0
Untagged: 192.168.56.102:5100/p_pub/hello-world:v1.0
Untagged: 192.168.56.102:5100/p_pub/hello-world@sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7
# Confirm the image has been removed
$ sudo docker images
REPOSITORY    TAG       IMAGE ID       CREATED         SIZE
hello-world   latest    d2c94e258dcb   11 months ago   13.3kB
# Pull from the server
$ sudo pull 192.168.56.102:5100/p_pub/hello-world:v1.0
sudo: pull: command not found
$ sudo docker pull 192.168.56.102:5100/p_pub/hello-world:v1.0
v1.0: Pulling from p_pub/hello-world
Digest: sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7
Status: Downloaded newer image for 192.168.56.102:5100/p_pub/hello-world:v1.0
192.168.56.102:5100/p_pub/hello-world:v1.0
# List the pulled image
$ sudo docker images
REPOSITORY                              TAG       IMAGE ID       CREATED         SIZE
192.168.56.102:5100/p_pub/hello-world   v1.0      d2c94e258dcb   11 months ago   13.3kB
hello-world                             latest    d2c94e258dcb   11 months ago   13.3kB

Installation errors

  1. ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
    Fix: disable the https-related settings in harbor.yml
$ ./install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 24.0.7

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.21.0

[Step 2]: loading Harbor images ...

...

ace40209f742: Loading layer [==================================================>]  227.3MB/227.3MB
Loaded image: goharbor/trivy-adapter-photon:v2.10.1


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /home/tester/app/harbor
Error happened in config validation...
ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
  2. harbor/common/config/registryctl/env: permission denied
    Fix: elevate the account's privileges or use the root user
[Step 4]: preparing harbor configs ...
prepare base dir is set to /home/tester/app/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Note: stopping existing Harbor instance ...
Failed to load /home/tester/app/harbor/common/config/registryctl/env: open /home/tester/app/harbor/common/config/registryctl/env: permission denied
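  3. Local docker login to Harbor fails
    Error response from daemon: Get "https://192.168.56.102/v2/": dial tcp 192.168.56.102:443: connect: connection refused
    Fix: add 192.168.56.102:5100 to insecure-registries in /etc/docker/daemon.json, restart docker, and log in with the port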
tester@tester:~/app/harbor$ docker login 192.168.56.102
Username: tester
Password: 
Error response from daemon: Get "https://192.168.56.102/v2/": dial tcp 192.168.56.102:443: connect: connection refused
$ cat /etc/docker/daemon.json
cat: /etc/docker/daemon.json: No such file or directory
$ sudo vim /etc/docker/daemon.json
[sudo] password for tester: 
$ sudo service docker restart
$ cat /etc/docker/daemon.json 
{
    "registry-mirrors": [
        "https://hub-mirror.c.163.com"
    ],
    "insecure-registries": [
        "192.168.56.102:5100"
    ]
}
$ sudo docker compose down
[+] Running 10/10
 ✔ Container harbor-jobservice  Removed                                                                                    0.5s 
 ✔ Container registryctl        Removed                                                                                    0.5s 
 ✔ Container nginx              Removed                                                                                    0.6s 
 ✔ Container harbor-core        Removed                                                                                    0.4s 
 ✔ Container harbor-portal      Removed                                                                                    0.4s 
 ✔ Container harbor-db          Removed                                                                                    0.7s 
 ✔ Container redis              Removed                                                                                    0.6s 
 ✔ Container registry           Removed                                                                                    0.5s 
 ✔ Container harbor-log         Removed                                                                                   10.4s 
 ✔ Network harbor_harbor        Removed                                                                                    0.3s 
$ sudo docker compose up -d
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                                    0.2s 
 ✔ Container harbor-log         Started                                                                                    0.1s 
 ✔ Container registry           Started                                                                                    0.2s 
 ✔ Container registryctl        Started                                                                                    0.2s 
 ✔ Container harbor-db          Started                                                                                    0.2s 
 ✔ Container harbor-portal      Started                                                                                    0.2s 
 ✔ Container redis              Started                                                                                    0.2s 
 ✔ Container harbor-core        Started                                                                                    0.1s 
 ✔ Container nginx              Started                                                                                    0.1s 
 ✔ Container harbor-jobservice  Started                                                                                    0.1s
$ docker login 192.168.56.102:5100
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /home/tester/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
  4. Access from another machine on the network: dial unix /var/run/docker.sock: connect: permission denied
    Fix: use the root user or elevate the current user's privileges: sudo docker login 192.168.56.102:5100
$ docker login 192.168.56.102:5100
Username: tester
Password: 
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth": dial unix /var/run/docker.sock: connect: permission denied

$ sudo docker login 192.168.56.102:5100
Username: tester
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

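HTTPS certificate configuration

If you use a self-signed HTTPS certificate, Docker will still report that the certificate is not trusted. The self-signed CA certificate must be distributed to the designated directory on every Docker client.
For the full procedure for configuring Harbor with a self-signed certificate, see: https://goharbor.io/docs/2.10.0/install-config/configure-https/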
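
The step described above, as an added example that is not from the original post or from Harbor's own tooling: create a private CA and a server certificate whose IP SAN matches the registry address, check the result, and place ca.crt in the Docker client's per-registry trust directory. The CA name, the 2048-bit keys, the validity periods, the file layout and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: private CA + server certificate for an IP-addressed Harbor registry.
set -eu

# make_harbor_certs OUT_DIR REGISTRY_IP
# Writes ca.key/ca.crt (the CA) and server.key/server.crt (for harbor.yml).
make_harbor_certs() {
    local out="$1" ip="$2"
    mkdir -p "$out"
    # Explicit config so the CA extensions do not depend on the system openssl.cnf.
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Harbor CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$out/ca.key" 2048
    openssl req -x509 -new -sha256 -days 3650 -config "$out/ca.cnf" \
        -key "$out/ca.key" -out "$out/ca.crt"
    openssl genrsa -out "$out/server.key" 2048
    openssl req -new -sha256 -config "$out/ca.cnf" -subj "/CN=$ip" \
        -key "$out/server.key" -out "$out/server.csr"
    # Docker matches the registry address against subjectAltName, not CN,
    # so an IP-addressed registry needs an IP SAN.
    printf '%s\n' "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth" \
        "subjectAltName=IP:$ip" > "$out/v3.ext"
    openssl x509 -req -sha256 -days 825 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/v3.ext" -out "$out/server.crt"
    chmod 600 "$out/ca.key" "$out/server.key"
}

# check_server_cert DIR IP: chain must verify against ca.crt and IP must be a SAN.
check_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -text | grep -qF "IP Address:$2"
}

# install_client_ca CA_CRT HOST[:PORT] [CERTS_ROOT]
# Run on every Docker client; CERTS_ROOT defaults to Docker's trust directory.
install_client_ca() {
    local root="${3:-/etc/docker/certs.d}"
    mkdir -p "$root/$2"
    cp "$1" "$root/$2/ca.crt"
}
```

Point certificate and private_key in the https section of harbor.yml at server.crt and server.key. On clients, the directory name passed to install_client_ca must be the registry address exactly as used in docker login, including the port when it is not 443.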

