Building a Harbor registry and basic usage

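Preface:

First, what is Harbor?

Harbor is an open-source registry server project designed for enterprise users by VMware's China team. It includes features enterprises need, such as access control (RBAC), LDAP, auditing, a management UI, self-registration and HA, and, with Chinese users in mind, adds image replication and Chinese-language support. As an enterprise-grade private registry server, Harbor offers better performance and security, and improves the efficiency of transferring images when a registry is used to build and run environments. Harbor supports replicating image resources across multiple registry nodes, and all images are stored in the private registry, so data and intellectual property stay under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.

In plain terms, Harbor is a private registry for enterprise use that provides access control, storage and similar functions. Its functionality is very similar to the official Docker registry, but control and administration are defined by whoever deploys Harbor, which makes it a highly customizable private registry. You can think of Harbor as an upgraded FTP server, except that the services it offers are image storage, installation and multi-user access control; and because the server can be installed inside the corporate network, image transfer speed is reliably good.

Harbor can also scan images for vulnerabilities, which is quite nice: it gives some assurance about the quality of the images you build yourself.

Because the project is a Docker registry project, all of its modules are naturally built from Docker images. The images used are as follows (mainly 8 images):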

vmware/harbor-log          v1.2.0           c7887347f435  2 years ago  200MB  # logging
vmware/harbor-jobservice   v1.2.0           1fb18427db11  2 years ago  164MB  # workflow control
vmware/harbor-ui           v1.2.0           b7069ac3bd4b  2 years ago  178MB  # web UI
vmware/harbor-adminserver  v1.2.0           a18331f0c1ae  2 years ago  142MB  # Harbor's admin service
vmware/harbor-db           v1.2.0           deb8033b1c86  2 years ago  329MB  # Harbor's database
vmware/registry            2.6.2-photon     5d9100e4350e  2 years ago  173MB  # Harbor's registry function
vmware/postgresql          9.6.4-photon     c562762cbd12  2 years ago  225MB  # Harbor's distributed relational database
vmware/clair               v2.0.1-photon    f04966b4af6c  2 years ago  297MB  # Harbor's container vulnerability analysis service
vmware/nginx-photon        1.11.13          285492ff20d6  3 years ago  147MB  # Python driver for NGINX
vmware/harbor-notary-db    mariadb-10.1.10  64ed814665c6  3 years ago  324MB  # Harbor's HTTPS certificate service
vmware/notary-photon       signer-0.5.0     b1eda7d10640  3 years ago  156MB  # Python driver for the certificate service
vmware/notary-photon       server-0.5.0     6e2646682e3c  3 years ago  157MB
photon                     1.0              e6e4e4a2ba1b  4 years ago  128MB  # Harbor's magnet-link download service

================================================================================================================================

Environment overview:

This example uses a server with IP address 192.168.217.23. docker and docker-compose are installed on it, and the operating system is CentOS 7.

[root@node3 harbor]# docker version
Client: Docker Engine - Community
 Version:           19.03.9
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        9d988398e7
 Built:             Fri May 15 00:22:47 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.9
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       9d988398e7
  Built:            Fri May 15 00:28:17 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
[root@node3 harbor]# docker-compose --version
docker-compose version 1.25.1, build a82fef07

Installer download location:

Link: https://pan.baidu.com/s/1yyFalQ4mVWILnsbqSXNvhw?pwd=star
Extraction code: star

This example uses harbor-offline-installer-v1.5.0.

================================================================================================================================

Creating the certificates:

Create a directory dedicated to the certificates; all certificate commands are run in this directory:

mkdir -p /opt/harbor/cert/
cd /opt/harbor/cert/

1.

Generate the CA private key:
openssl genrsa -out ca.key 4096

Output:

[root@node3 harbor]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................................................++
..................................................................................................................++
e is 65537 (0x10001)

2.

Generate the CA certificate:
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.217.23" \
-key ca.key \
-out ca.crt

3.

Generate the server certificate
1) Generate the private key
openssl genrsa -out 192.168.217.23.key 4096
2) Generate the certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.217.23" \
-key 192.168.217.23.key \
-out 192.168.217.23.csr
3) Generate an x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.217.23
EOF
4) Use the v3.ext file to generate the certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in 192.168.217.23.csr -out 192.168.217.23.crt
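5) Convert 192.168.217.23.crt to 192.168.217.23.cert for Docker to use.

The reason:

The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates. This one is clearly a client certificate, so it needs to be converted.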
openssl x509 -inform PEM -in 192.168.217.23.crt -out 192.168.217.23.cert

In total, the certificate-related files are:

[root@node3 cert]# ls -al
total 32
drwxr-xr-x 2 root root  167 Nov 29 18:05 .
drwxr-xr-x 3 root root   18 Nov 29 17:18 ..
-rw-r--r-- 1 root root 2057 Nov 29 18:05 192.168.217.23.cert
-rw-r--r-- 1 root root 2057 Nov 29 17:36 192.168.217.23.crt
-rw-r--r-- 1 root root 1708 Nov 29 17:27 192.168.217.23.csr
-rw-r--r-- 1 root root 3243 Nov 29 17:23 192.168.217.23.key
-rw-r--r-- 1 root root 2033 Nov 29 17:20 ca.crt
-rw-r--r-- 1 root root 3243 Nov 29 17:20 ca.key
-rw-r--r-- 1 root root   17 Nov 29 17:36 ca.srl
-rw-r--r-- 1 root root  206 Nov 29 17:30 v3.ext
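
An added example (not part of the original post): a shell function that checks the files produced above before they are handed to Harbor and Docker. It verifies the chain to ca.crt, the IP entry in subjectAltName, that the key matches the certificate, and the key file mode; the listing above shows both private keys as -rw-r--r--, which check 4 reports. The name check_harbor_cert is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. check_harbor_cert is a hypothetical name.
# Usage: sh check_cert.sh ca.crt 192.168.217.23.crt 192.168.217.23.key 192.168.217.23

# check_harbor_cert CA_CERT SERVER_CERT SERVER_KEY EXPECTED_IP
# Prints one line per failed check and returns the number of failed checks.
check_harbor_cert() {
    ca=$1; crt=$2; key=$3; ip=$4; fails=0

    # 1. The server certificate must chain to the CA that clients will trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; fails=$((fails + 1))
    fi

    # 2. Clients connect by IP address. Docker validates an IP host against the
    #    IP entries in subjectAltName (the v3.ext step), not against the CN.
    san=$(openssl x509 -in "$crt" -noout -text 2>/dev/null |
          grep -A1 'Subject Alternative Name' | tail -n 1)
    if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
         grep -Fxq "IP Address:$ip"; then
        echo "FAIL: subjectAltName of $crt lacks IP:$ip"; fails=$((fails + 1))
    fi

    # 3. The private key must belong to the certificate: compare the public
    #    key embedded in the certificate with the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the key for $crt"; fails=$((fails + 1))
    fi

    # 4. A private key should be readable by its owner only.
    mode=$(stat -c '%a' "$key")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600"; fails=$((fails + 1)) ;;
    esac

    return "$fails"
}

# Run the checks when called with the three files and the IP as arguments.
if [ $# -eq 4 ]; then
    check_harbor_cert "$@"
fi
```

Run it once for the server key; the same mode check applies to ca.key, which signs every certificate clients will trust.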

================================================================================================================================

Distributing the certificates:

The steps above produce a number of certificate files, and Docker needs them too:

mkdir -p /etc/docker/certs.d/192.168.217.23
cp /opt/harbor/cert/192.168.217.23.cert /etc/docker/certs.d/192.168.217.23/
cp /opt/harbor/cert/192.168.217.23.key /etc/docker/certs.d/192.168.217.23/
cp /opt/harbor/cert/ca.crt /etc/docker/certs.d/192.168.217.23/

Restart the docker service:

systemctl daemon-reload && systemctl restart docker


================================================================================================================================================================================================================================================================

OK, with the certificates created above, we can now do the actual deployment. The downloaded installer unpacks to the following directory:

[root@node4 harbor]# pwd
/usr/local/harbor
[root@node3 harbor]# ls -al
total 854964
drwxr-xr-x   4 root root      4096 Nov 29 20:27 .
drwxr-xr-x. 15 root root       186 Nov 28 21:52 ..
drwxr-xr-x   4 root root        37 Nov 28 22:07 common
-rw-r--r--   1 root root      1185 Nov 28 21:52 docker-compose.clair.yml
-rw-r--r--   1 root root      1725 Nov 28 21:52 docker-compose.notary.yml
-rw-r--r--   1 root root      3596 Nov 28 21:52 docker-compose.yml
drwxr-xr-x   3 root root       156 Nov 28 21:52 ha
-rw-r--r--   1 root root      6714 Nov 29 19:17 harbor.cfg
-rw-r--r--   1 root root 875401338 Nov 28 21:52 harbor.v1.5.0.tar.gz
-rwxr-xr-x   1 root root      5773 Nov 28 21:52 install.sh
-rw-r--r--   1 root root     10771 Nov 28 21:52 LICENSE
-rw-r--r--   1 root root       482 Nov 28 21:52 NOTICE
-rwxr-xr-x   1 root root     27379 Nov 28 21:52 prepare

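The main task is editing the first part of the main configuration file harbor.cfg (I removed the extra comments to keep it readable):

Note that hostname must be the IP address rather than a domain name, because the certificate was not issued for a domain name.

The certificate paths correspond to the paths used when creating the certificates above.

harbor_admin_password is the password for the admin login; for real production use, a complex password is recommended.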

_version = 1.5.0
hostname = 192.168.217.23
ui_url_protocol = https
max_job_workers = 50
customize_crt = on
ssl_cert = /opt/harbor/cert/192.168.217.23.crt
ssl_cert_key = /opt/harbor/cert/192.168.217.23.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200M
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345

Once the configuration file has been edited as needed, save it. Next comes the initial installation.
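
An added example (not part of the original post or of Harbor): a pre-install check of harbor.cfg that reports the settings discussed above, namely the admin password still being Harbor12345, a protocol other than https, certificate paths that do not exist, and a configuration file readable by every local user (harbor.cfg is -rw-r--r-- in the directory listing above). The function names cfg_get and audit_harbor_cfg are hypothetical, and the embedded sample is constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# cfg_get FILE KEY: print the value of the last "KEY = value" line, skipping comments.
cfg_get() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# audit_harbor_cfg FILE: print one line per finding and return the number of findings.
audit_harbor_cfg() {
    cfg=$1; findings=0
    finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Harbor12345 is the admin password shown in the harbor.cfg on this page.
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        finding "harbor_admin_password is still Harbor12345"
    fi

    if [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ]; then
        # With https, the installer copies both files into the nginx config,
        # so they must exist and be readable.
        for k in ssl_cert ssl_cert_key; do
            path=$(cfg_get "$cfg" "$k")
            if [ -z "$path" ] || [ ! -r "$path" ]; then
                finding "$k points to '$path', which is missing or unreadable"
            fi
        done
    else
        finding "ui_url_protocol is not https: logins and image data are sent unencrypted"
    fi

    # harbor.cfg stores the admin and SMTP passwords in clear text.
    mode=$(stat -c '%a' "$cfg")
    case $mode in
        *0) ;;
        *) finding "$cfg has mode $mode and is accessible to all local users" ;;
    esac

    return "$findings"
}

# Constructed sample that mirrors the values shown on this page.
sample=$(mktemp)
cat >"$sample" <<'EOF'
hostname = 192.168.217.23
ui_url_protocol = https
ssl_cert = /opt/harbor/cert/192.168.217.23.crt
ssl_cert_key = /opt/harbor/cert/192.168.217.23.key
harbor_admin_password = Harbor12345
EOF
chmod 644 "$sample"
audit_harbor_cfg "$sample" || echo "$? finding(s) in the sample"
rm -f "$sample"
```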

=======================================================================================

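Initial installation of Harbor:

Add the --with-clair parameter to enable vulnerability scanning:

./install.sh --with-clair

The output of this command is shown below:

The docker version is CE 19.03.9; if it were lower than 18, the installer should report an error and refuse to initialize.

The docker-compose version is 1.25.1; if it were lower than 1.6, the installer should report an error and refuse to initialize.

Harbor can be initialized repeatedly; the output below also shows that this was a re-initialization.

The line "Now you should be able to visit the admin portal at https://192.168.217.23." shows that enabling HTTPS for Harbor succeeded.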

[Step 0]: checking installation environment ...
Note: docker version: 19.03.9
Note: docker-compose version: 1.25.1
[Step 1]: loading Harbor images ...
Loaded image: vmware/clair-photon:v2.0.1-v1.5.0
Loaded image: vmware/postgresql-photon:v1.5.0
Loaded image: vmware/harbor-adminserver:v1.5.0
Loaded image: vmware/registry-photon:v2.6.2-v1.5.0
Loaded image: vmware/photon:1.0
Loaded image: vmware/harbor-migrator:v1.5.0
Loaded image: vmware/harbor-ui:v1.5.0
Loaded image: vmware/redis-photon:v1.5.0
Loaded image: vmware/nginx-photon:v1.5.0
Loaded image: vmware/mariadb-photon:v1.5.0
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.0
Loaded image: vmware/harbor-log:v1.5.0
Loaded image: vmware/harbor-db:v1.5.0
Loaded image: vmware/harbor-jobservice:v1.5.0
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.0
[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
Clearing the configuration file: ./common/config/clair/postgresql-init.d/README.md
Clearing the configuration file: ./common/config/clair/postgres_env
Clearing the configuration file: ./common/config/clair/config.yaml
Clearing the configuration file: ./common/config/clair/clair_env
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
Copying offline data file for clair DB
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
Note: stopping existing Harbor instance ...
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-ui         ... done
Stopping redis             ... done
Stopping harbor-db         ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing clair              ... done
Removing redis              ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing clair-db           ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor
Removing network harbor_harbor-clair
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... done
Creating clair-db           ... done
Creating harbor-db          ... done
Creating redis              ... done
Creating harbor-adminserver ... done
Creating registry           ... done
Creating clair              ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://192.168.217.23.
For more details, please visit https://github.com/vmware/harbor .

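Note: the start/stop script written further below sometimes does not work well, whereas the initialization command can be run repeatedly and does not remove any existing data. So if you run into the situation below, run the initialization command; usually a few runs fix it.

One service is stuck in "starting", the web UI is unavailable, and of course pushing or pulling images does not work either. In this case, re-initialize a few times: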

[root@centos4 harbor]# docker-compose ps
Name                     Command                       State                                        Ports
----------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /usr/local/bin/docker-entr ...   Up (healthy)            3306/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)            127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (health: starting)
nginx                nginx -g daemon off;             Up (healthy)            0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up                      6379/tcp
registry             /entrypoint.sh serve /etc/ ...   Up (healthy)            5000/tcp            

Only when all services are healthy can Harbor be considered back in normal operation:

[root@centos4 harbor]# docker-compose ps
Name                     Command                  State                                    Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /usr/local/bin/docker-entr ...   Up (healthy)   3306/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh serve /etc/ ...   Up (healthy)   5000/tcp                             

================================================================================================================================================================================================================================================================

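Verifying the installation:

OK, after initialization completes normally, the Docker engine needs to be told that this private registry may be used, so edit the Docker configuration file:

The main thing is to add this line: "insecure-registries": ["192.168.217.23:443"],   Of course, other servers that use this Harbor registry need this line as well.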

cat >/etc/docker/daemon.json<<EOF
{
  "registry-mirrors": ["https://b0j89uo8.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.217.23:443"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {"max-size": "100m"},
  "storage-driver": "overlay2"
}
EOF

Restart the docker service:

systemctl daemon-reload && systemctl restart docker

1.

Log in to the private Harbor registry from the command line:

docker login https://192.168.217.23

Output (login succeeded):

Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

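2.

Harbor UI login:

Open https://192.168.217.23 to log in. The username is admin and the password is the initial login password configured in harbor.cfg.

Harbor's vulnerability scanning:

After logging in, assume an image has already been pushed to this private registry:

Changing Harbor's main configuration file:

After adjusting some settings in the main configuration file, there is no need to initialize again.

It is actually quite simple: run the prepare script in the installation directory, then restart Harbor: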

[root@node3 harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.217.23.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

================================================================================================================================================================================================================================================================

Harbor maintenance:

1.

Check the status of each Harbor component:

docker-compose ps

As shown below, everything being Up means Harbor is working normally:

[root@node3 harbor]# docker-compose ps
Name                     Command                  State                                    Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /usr/local/bin/docker-entr ...   Up (healthy)   3306/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh serve /etc/ ...   Up (healthy)   5000/tcp                                

2.

Harbor start/stop script (systemd):

cat >/usr/lib/systemd/system/harbor.service<<EOF
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF

With this unit in place, starting and stopping Harbor is much more convenient:

systemctl enable harbor && systemctl start harbor

3.

Pushing an image to Harbor:

First check which images exist:

[root@node4 harbor]# docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
192.168.217.23/flannel        v0.13.0             e708f4bb69e3        2 years ago         57.2MB
192.168.217.23/test/flannel   v0.13.0             e708f4bb69e3        2 years ago         57.2MB
quay.io/coreos/flannel        v0.13.0             e708f4bb69e3        2 years ago         57.2MB

We push into the default project, library, so retag the image to match the private registry:

docker tag quay.io/coreos/flannel:v0.13.0 192.168.217.23/library/flannel:0.13

Log in to Harbor from the command line:

[root@node4 harbor]# docker login https://192.168.217.23
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Push the image:

[root@node4 harbor]# docker push 192.168.217.23/library/flannel:0.13
The push refers to repository [192.168.217.23/library/flannel]
1a6a4161ff3a: Mounted from test/flannel
8a984b390686: Mounted from test/flannel
bfb960ebd228: Mounted from test/flannel
24d8f5a426b6: Mounted from test/flannel
90679e912622: Mounted from test/flannel
0be670d27a91: Mounted from test/flannel
50644c29ef5a: Mounted from test/flannel
0.13: digest: sha256:34860ea294a018d392e61936f19a7862d5e92039d196cac9176da14b2bbd0fe3 size: 1785

The image is now visible in the Harbor web UI:

4.

List the images in the default library project from the command line:

The username and password can be anything; --insecure is required.

[root@node3 harbor]# curl -u "admin:123456" -X GET -H "Content-Type: application/json" "https://192.168.217.23/api/search?" --insecure
{"project": [{"project_id": 1,"owner_id": 1,"name": "library","creation_time": "2022-11-28T14:07:11Z","update_time": "2022-11-28T14:07:11Z","deleted": 0,"owner_name": "","togglable": false,"current_user_role_id": 0,"repo_count": 1,"metadata": {"public": "true"}}],"repository": [{"project_id": 1,"project_name": "library","project_public": true,"pull_count": 0,"repository_name": "library/flannel","tags_count": 1}]

================================================================================================================================================================================================================================================================================================================================================================================================

Appendix 1:

Simple error handling and

1.

unauthorized: authentication required

[root@node4 harbor]# docker login https://192.168.217.23
Authenticating with existing credentials...
Stored credentials invalid or expired
Username (admin):
Password:
Error response from daemon: Get https://192.168.217.23/v2/: unauthorized: authentication required

This error is caused by entering the wrong password; find the correct password, enter it, and the login succeeds.

2.

Login did not succeed, error: Error response from daemon: Get https://192.168.217.23/v2/: x509: certificate signed by unknown authority

This error is caused by Docker missing the certificate:

[root@node4 192.168.217.23]# pwd
/etc/docker/certs.d/192.168.217.23
[root@node4 192.168.217.23]# ls -al
total 8
drwxr-xr-x 2 root root   59 Nov 29 22:58 .
drwxr-xr-x 3 root root   28 Nov 29 22:17 ..
-rw-r--r-- 1 root root 2057 Nov 29 22:17 192.168.217.23.cert
-rw-r--r-- 1 root root 3243 Nov 29 22:17 192.168.217.23.key

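So copying ca.crt into this directory again fixes it.

To summarize, logging in over SSL requires every client to have the certificate; of course, this also makes the whole Harbor setup more secure.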

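Appendix 2:

Architecturally, Harbor consists of 6 main components:

  • Proxy: Harbor's registry, UI, token and other services sit behind a front-end reverse proxy, which receives requests from browsers and Docker clients and forwards them to the different back-end services.

  • Registry: stores Docker images and handles docker push/pull commands. Because access control is required, i.e. different users have different read/write permissions on Docker images, the Registry points to a token service and forces every docker pull/push request to carry a valid token. The Registry decrypts and verifies the token with a public key.

  • Core services: Harbor's core functionality, mainly providing the following services:

      • UI: provides a graphical interface that helps users manage the images on the registry and authorizes users.

      • webhook: to learn promptly about state changes of images on the registry, a webhook is configured on the Registry to pass state changes to the UI module.

      • token service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the Registry service that carries no token is redirected here; after obtaining a token, the client sends the request to the Registry again.

  • Database: provides the database service for the core services and stores user permissions, audit logs, Docker image grouping information and other data.

  • Job Services: provides remote image replication, which can synchronize local images to other Harbor instances.

  • Log collector: to help monitor Harbor, collects the logs of the other components for later analysis.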
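
The token exchange described in the Registry and token service items, as an added example that is not part of the original post. The installer output earlier shows the key pair behind it being generated (private_key.pem for the ui service, root.crt for the registry). The challenge header and the token are constructed samples; the realm path, the service name, the claim values and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Constructed sample: the challenge a registry sends with "401 Unauthorized" when a
# request carries no token. The realm path and service name are assumptions for
# this page's host; read the real values from your own registry's response.
CHALLENGE='Bearer realm="https://192.168.217.23/service/token",service="harbor-registry",scope="repository:library/flannel:pull"'

# challenge_param HEADER NAME: print one quoted parameter of the challenge.
challenge_param() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# token_url HEADER: URL the client requests (with its credentials) to get a token.
# Fails when the header carries no realm.
token_url() {
    realm=$(challenge_param "$1" realm)
    [ -n "$realm" ] || return 1
    printf '%s?service=%s&scope=%s\n' "$realm" \
        "$(challenge_param "$1" service)" "$(challenge_param "$1" scope)"
}

# A token is three base64url parts: header.claims.signature.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# jwt_claims TOKEN: decode the claims for inspection. This does NOT verify the
# signature; the Registry does that with the certificate it was configured with.
jwt_claims() {
    part=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#part} % 4 )) in
        2) part="$part==" ;;
        3) part="$part=" ;;
    esac
    printf '%s' "$part" | base64 -d
}

# Constructed token with a dummy signature, shaped like a token service reply.
SAMPLE_CLAIMS='{"iss":"harbor-token-issuer","aud":"harbor-registry","sub":"admin","access":[{"type":"repository","name":"library/flannel","actions":["pull"]}]}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_CLAIMS").c2lnbmF0dXJl"

# The exchange, step by step. Against a live host, step 3 can be reproduced with
#   curl --cacert /opt/harbor/cert/ca.crt -u admin "<URL from step 3>"
echo "1. client -> registry : GET /v2/library/flannel/manifests/0.13 (no token)"
echo "2. registry -> client : 401, WWW-Authenticate: $CHALLENGE"
echo "3. client -> token svc: GET $(token_url "$CHALLENGE")"
echo "4. token svc -> client: token with claims $(jwt_claims "$SAMPLE_TOKEN")"
echo "5. client -> registry : same request with 'Authorization: Bearer <token>'"
```

The access list in the claims is what limits the request: a token issued for pull on library/flannel does not authorize a push or another repository.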

[root@node3 harbor]# docker-compose ps
Name                     Command                  State                                    Ports
-------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /usr/local/bin/docker-entr ...   Up (healthy)   3306/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh serve /etc/ ...   Up (healthy)   5000/tcp                           
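  • nginx: nginx handles traffic forwarding and security checks. All externally exposed traffic passes through nginx, so HTTPS port 443 is open; it distributes traffic to the back-end ui and to the docker registry that stores the images.
  • harbor-jobservice: Harbor's job management module; jobs in Harbor are mainly used for synchronization between image registries.
  • harbor-ui: the web management page, mainly the front-end pages and the back-end CRUD APIs.
  • registry: Docker's native registry, responsible for storing images.
  • harbor-adminserver: Harbor's system management API, used to modify the system configuration and obtain system information.
  • harbor-db: Harbor's database, which stores the system's jobs as well as project and user permission management data. This Harbor instance also authenticates through the database; in production it is mostly connected to the enterprise LDAP.
  • harbor-log: Harbor's logging service, which manages Harbor's logs centrally. docker inspect shows that the containers all send their logs to syslog.
  • redis: similar to harbor-db, just with a different division of responsibilities.

These containers are connected through Docker links and reach each other by container name. For end users, only the service port of the proxy (i.e. Nginx) needs to be exposed.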
