Configuring a registry mirror for Podman and deploying a Harbor image registry

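  • Configuring a registry mirror for Podman
  • Deploying a Harbor image registry
    • Introduction to Harbor
    • Harbor features
    • Docker Compose
    • Deploying the Harbor image registry
    • Web interface
    • docker-compose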

Configuring a registry mirror for Podman

[root@192 ~]# cd /etc/containers/
[root@192 containers]# ls
certs.d  policy.json      registries.d
oci      registries.conf  storage.conf
[root@192 containers]# cat registries.conf
......
[registries.search]
registries = ['docker.io']           # where images are searched for
......
[[registry]]                    # configure the mirror (accelerator)
prefix = "docker.io"
location = "6xwxkj3n.mirror.aliyuncs.com"
......

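Deploying a Harbor image registry

Introduction to Harbor

Harbor is VMware's repackaging of Docker Registry: it builds on Docker Registry, adds many extra components, and provides a polished web interface.

Project Harbor is an open source, trusted cloud native registry project for storing images, managing users and searching images.
Harbor extends the open source Docker Distribution by adding the features users usually need, such as security, identity and management.
Harbor supports advanced features such as user management, access control, activity monitoring and replication between instances.

Harbor features

  • Multi-user content signing and verification
  • Security and vulnerability analysis
  • Audit logging
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical user interface
  • Internationalization, with support for multiple languages

Docker Compose

Deploying Harbor directly on a physical machine is very difficult. To simplify its use, the Harbor project ships Harbor as an application that runs in containers. Those containers depend on several storage systems such as redis, mysql and pgsql, so many containers have to be orchestrated to work together. For that reason, deploying and using VMware Harbor relies on Docker's single-host orchestration tool, Docker Compose.

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from that configuration.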

Deploying the Harbor image registry

//Add name resolution
[root@docker ~]# hostname
docker.example.com
[root@docker ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.172.142 docker.example.com

//Install docker-compose
[root@192 ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- -
100   664  100   664    0     0   1488      0 --:--:-- --:--:-- --:--:--  1488

//Make the file executable
[root@192 ~]# cd /usr/local/bin/
[root@192 bin]# ls
docker-compose
[root@192 bin]# chmod +x docker-compose
[root@192 bin]# ll docker-compose
-rwxr-xr-x. 1 root root 12737304 Dec 16 11:22 docker-compose

//Download Harbor and extract it
[root@docker ~]# wget -c https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz
--2021-12-16 11:43:00--  https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50613991/200e9396-9027-4eb7-be24-ca05ad569d54?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211216%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211216T034259Z&X-Amz-Expires=300&X-Amz-Signature=630f59aa3fcdaa3ce8bda1370ad2534c7bb5e6a9a53fff88a0a6fd804369af6a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50613991&response-content-disposition=attachment%3B%20filename%3Dharbor-offline-installer-v2.3.5.tgz&response-content-type=application%2Foctet-stream [following]
--2021-12-16 11:43:00--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/50613991/200e9396-9027-4eb7-be24-ca05ad569d54?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211216%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211216T034259Z&X-Amz-Expires=300&X-Amz-Signature=630f59aa3fcdaa3ce8bda1370ad2534c7bb5e6a9a53fff88a0a6fd804369af6a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50613991&response-content-disposition=attachment%3B%20filename%3Dharbor-offline-installer-v2.3.5.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 605228707 (577M) [application/octet-stream]
Saving to: 'harbor-offline-installer-v2.3.5.tgz'

harbor-offlin 100% 577.19M  9.19MB/s    in 2m 2s

2021-12-16 11:45:05 (4.72 MB/s) - 'harbor-offline-installer-v2.3.5.tgz' saved [605228707/605228707]

[root@docker ~]# tar xf harbor-offline-installer-v2.3.5.tgz  -C /usr/local/
[root@docker local]# cd harbor/
[root@docker harbor]# ls
LICENSE    harbor.v2.3.5.tar.gz  install.sh
common.sh  harbor.yml.tmpl       prepare
[root@docker harbor]# cp harbor.yml.tmpl harbor.yml

[root@docker ~]# cat /usr/local/harbor/harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: docker.example.com        # host domain name

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:         # no certificate available, so this section is commented out
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345          # password of the admin account in the web interface

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123             # database password
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.3.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

//Run the installation script in the harbor directory
[root@docker harbor]# ./install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.12

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.29.2

[Step 2]: loading Harbor images ...
......
✔ ----Harbor has been installed and started successfully.----

//Check the result
[root@docker ~]# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED      SIZE
goharbor/harbor-exporter        v2.3.5    1730c6f650e2   5 days ago   81.9MB
goharbor/chartmuseum-photon     v2.3.5    47004f032938   5 days ago   179MB
goharbor/redis-photon           v2.3.5    3d0cedc89a0d   5 days ago   156MB
goharbor/trivy-adapter-photon   v2.3.5    5c0212e98070   5 days ago   133MB
goharbor/notary-server-photon   v2.3.5    f20a76c65359   5 days ago   111MB
goharbor/notary-signer-photon   v2.3.5    b9fa38eef4d7   5 days ago   108MB
goharbor/harbor-registryctl     v2.3.5    7a52567a76ca   5 days ago   133MB
goharbor/registry-photon        v2.3.5    cf22d3e386b8   5 days ago   82.6MB
goharbor/nginx-photon           v2.3.5    5e3b6d9ce11a   5 days ago   45.7MB
goharbor/harbor-log             v2.3.5    a03e4bc963d6   5 days ago   160MB
goharbor/harbor-jobservice      v2.3.5    2ac32df5a2e0   5 days ago   211MB
goharbor/harbor-core            v2.3.5    23baee01156f   5 days ago   193MB
goharbor/harbor-portal          v2.3.5    bb545cdedf5a   5 days ago   58.9MB
goharbor/harbor-db              v2.3.5    9826c57a5749   5 days ago   221MB
goharbor/prepare                v2.3.5    a1ceaabe47b2   5 days ago   255MB

[root@docker ~]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED              STATUS                        PORTS                                   NAMES
f1dd4797aa94   goharbor/nginx-photon:v2.3.5         "nginx -g 'daemon of…"   About a minute ago   Up 54 seconds (healthy)       0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
f4af4c01c8f8   goharbor/harbor-jobservice:v2.3.5    "/harbor/entrypoint.…"   About a minute ago   Up 54 seconds (healthy)                                               harbor-jobservice
c43d54396c94   goharbor/harbor-core:v2.3.5          "/harbor/entrypoint.…"   About a minute ago   Up 59 seconds (healthy)                                               harbor-core
79b26073d903   goharbor/redis-photon:v2.3.5         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)                                           redis
5ce760e60920   goharbor/harbor-db:v2.3.5            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)                                           harbor-db
c199e22ddc1a   goharbor/harbor-portal:v2.3.5        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)                                           harbor-portal
1bc00421e02d   goharbor/harbor-registryctl:v2.3.5   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                                           registryctl
349f84fb0dfd   goharbor/registry-photon:v2.3.5      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)                                           registry
811c85e23312   goharbor/harbor-log:v2.3.5           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp               harbor-log
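
The harbor.yml used above keeps the template's admin and database passwords and leaves the https section commented out. The script below is an added example, not part of the original post and not Harbor's own tooling, that flags those settings in a harbor.yml before install.sh is run; the function names, finding codes and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag harbor.yml settings that
# this walkthrough leaves at their template values. Finding codes are made up.

# Print the value of the first uncommented "KEY: value" line in FILE, without
# any trailing "# comment". Assumes the flat, template-style layout above.
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' |
        head -n 1
}

# Print one finding code per line; print nothing when every check passes.
audit_harbor_yml() {
    file=$1
    if [ "$(yaml_value harbor_admin_password "$file")" = "Harbor12345" ]; then
        echo "DEFAULT_ADMIN_PASSWORD"   # template default for the admin account
    fi
    if [ "$(yaml_value password "$file")" = "root123" ]; then
        echo "DEFAULT_DB_PASSWORD"      # template default for the Harbor DB
    fi
    if ! grep -Eq '^https:' "$file"; then
        echo "HTTPS_DISABLED"           # logins and pushes travel over plain HTTP
    fi
    if [ "$(yaml_value insecure "$file")" = "true" ]; then
        echo "TRIVY_SKIPS_CERT_CHECK"   # scanner would not verify registry certs
    fi
    case "$(yaml_value hostname "$file")" in
        localhost|127.0.0.1) echo "HOSTNAME_IS_LOOPBACK" ;;
    esac
    return 0
}

# Constructed sample: the uncommented settings from the harbor.yml shown above.
write_sample_config() {
    cat > "$1" <<'EOF'
hostname: docker.example.com        # host domain name
http:
  port: 80
#https:
  # port: 443
harbor_admin_password: Harbor12345  # web UI admin account password
database:
  password: root123                 # database password
trivy:
  insecure: false
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_harbor_yml "$sample"
rm -f "$sample"
```

To check a real installation, call audit_harbor_yml with the path to the file, for example /usr/local/harbor/harbor.yml as used in this post.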

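Web interface

Access by IP address

docker-compose

Start or stop all the containers in one go; the commands must be run from the Harbor installation directory.

//Stop the containers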
[root@docker harbor]# docker-compose stop
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping harbor-db         ... done
Stopping harbor-portal     ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done

//Start the containers
[root@docker harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting redis       ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done
