使用docker-compose创建，此方法简单，问题是无法做到高可用。

环境准备：

Harbor使用最新版本的harbor-offline-installer-v2.0.2.tgz

下载链接：

https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz

软件要求：

docker 17.06.0-ce+ and docker-compose 1.18.0+

服务器硬件要求：

服务器最低要求2核4G内存，40G磁盘

搭建步骤：

1.安装docker,yum添加docker.repo

[docker]baseurl = https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stableenabled = 1gpgcheck = 1gpgkey = https://mirrors.aliyun.com/docker-ce/linux/centos/gpgname = Docker CE Stable - $basearch

sudo yum install docker-ce -y

sudo systemctl enable docker && sudo systemctl start docker

2.安装docker-compose

sudo curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-composesudo chmod +x /usr/local/bin/docker-compose

3.解压harbor文件到/usr/local/

sudo tar xvf harbor-offline-installer-v2.0.2.tgz -C /usr/local/

4.编辑harbor.yml

cd /usr/local/harbor

cp harbor.yml.tmpl harbor.yml

修改harbor.yml

# Configuration file of Harbor# The IP address or hostname to access admin UI and registry service.# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.#hostname: reg.mydomain.comhostname: registry.test.com# http related confighttp:  # port for http, default is 80. If https enabled, this port will redirect to https port  port: 80# https related config#https:  # https port for harbor, default is 443#  port: 443  # The path of cert and key files for nginx#  certificate: /your/certificate/path#  private_key: /your/private/key/path# # Uncomment following will enable tls communication between all harbor components# internal_tls:#   # set enabled to true means internal tls is enabled#   enabled: true#   # put your cert and key files on dir#   dir: /etc/harbor/tls/internal# Uncomment external_url if you want to enable external proxy# And when it enabled the hostname will no longer used# external_url: https://reg.mydomain.com:8433# The initial password of Harbor admin# It only works in first time to install harbor# Remember Change the admin password from UI after launching Harbor.harbor_admin_password: xxxxxxx# Harbor DB configurationdatabase:  # The password for the root user of Harbor DB. Change this before any production use.  password: root123  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.  max_idle_conns: 50  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.  # Note: the default number of connections is 100 for postgres.  max_open_conns: 100# The default data volumedata_volume: /data#data_volume:# Harbor Storage settings by default is using /data dir on local filesystem# Uncomment storage_service setting If you want to using external storage#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.#   ca_bundle:storage_service:#    ca_bundle:  oss:    accesskeyid: xxxxxx    accesskeysecret: xxxxxxx    region: oss-cn-xxxxx-internal.aliyuncs.com    endpoint: harbor-aliyun.oss-cn-xxxxx-internal.aliyuncs.com#    internal: true    bucket: harbor-aliyun#      redirect:#        disable: false#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/#   filesystem:#     maxthreads: 100#   # set disable to true when you want to disable registry redirect#   redirect:#     disabled: false# Clair configurationclair:  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.  updaters_interval: 12# Trivy configurationtrivy:  # ignoreUnfixed The flag to display only fixed vulnerabilities  ignore_unfixed: false  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub  #  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.  # If the flag is enabled you have to manually download the `trivy.db` file and mount it in the  # /home/scanner/.cache/trivy/db/trivy.db path.  skip_update: false  #  # insecure The flag to skip verifying registry certificate  insecure: false  # github_token The GitHub access token to download Trivy DB  #  # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.  # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached  # in the local file system (/home/scanner/.cache/trivy/db/trivy.db). In addition, the database contains the update  # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.  # Currently, the database is updated every 12 hours and published as a new release to GitHub.  #  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult  # https://developer.github.com/v3/#rate-limiting  #  # You can create a GitHub token by following the instuctions in  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line  #  # github_token: xxxjobservice:  # Maximum number of job workers in job service  max_job_workers: 10notification:  # Maximum retry count for webhook job  webhook_job_max_retry: 10chart:  # Change the value of absolute_url to enabled can enable absolute url in chart  absolute_url: disabled# Log configurationslog:  # options are debug, info, warning, error, fatal  level: info  # configs for logs in local storage  local:    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.    rotate_count: 50    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G    # are all valid.    rotate_size: 200M    # The directory on your host that store log    location: /var/log/harbor  # Uncomment following lines to enable external syslog endpoint.  # external_endpoint:  #   # protocol used to transmit log to external endpoint, options is tcp or udp  #   protocol: tcp  #   # The host of external endpoint  #   host: localhost  #   # Port of external endpoint  #   port: 5140#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!_version: 2.0.0# Uncomment external_database if using external database.# external_database:#   harbor:#     host: harbor_db_host#     port: harbor_db_port#     db_name: harbor_db_name#     username: harbor_db_username#     password: harbor_db_password#     ssl_mode: disable#     max_idle_conns: 2#     max_open_conns: 0#   clair:#     host: clair_db_host#     port: clair_db_port#     db_name: clair_db_name#     username: clair_db_username#     password: clair_db_password#     ssl_mode: disable#   notary_signer:#     host: notary_signer_db_host#     port: notary_signer_db_port#     db_name: notary_signer_db_name#     username: notary_signer_db_username#     password: notary_signer_db_password#     ssl_mode: disable#   notary_server:#     host: notary_server_db_host#     port: notary_server_db_port#     db_name: notary_server_db_name#     username: notary_server_db_username#     password: notary_server_db_password#     ssl_mode: disable# Uncomment external_redis if using external Redis server# external_redis:#   host: redis#   port: 6379#   password:#   # db_index 0 is for core, it's unchangeable#   registry_db_index: 1#   jobservice_db_index: 2#   chartmuseum_db_index: 3#   clair_db_index: 4#   trivy_db_index: 5#   idle_timeout_seconds: 30# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.# uaa:#   ca_file: /path/to/ca# Global proxy# Config http proxy for components, e.g. http://my.proxy.com:3128# Components doesn't need to connect to each others via http proxy.# Remove component from `components` array if want disable proxy# for it. If you want use proxy for replication, MUST enable proxy# for core and jobservice, and set `http_proxy` and `https_proxy`.# Add domain to the `no_proxy` field, when you want disable proxy# for some special registry.proxy:  http_proxy:  https_proxy:  no_proxy:  components:    - core    - jobservice    - clair    - trivy

核心配置是

hostname: registry.test.com

harbor_admin_password: xxxxxxxx

下面是添加oss作为仓库的存储后端：

storage_service:# ca_bundle:oss:accesskeyid: xxxxxxaccesskeysecret: xxxxxxxregion: oss-cn-xxxxx-internal.aliyuncs.comendpoint: harbor-aliyun.oss-cn-xxxxx-internal.aliyuncs.com# internal: truebucket: harbor-aliyun

以上配置的值可以在阿里云OSS控制台上查找获取。

5.生产docker-compose文件，并启用镜像漏洞扫描trivy以及helm的chart仓库支持

./prepare --with-clair --with-trivy --with-chartmuseum  

6. 启动harbor

docker-compose up -d