Updated 2025-01-16. Source: Shulou (Shulou.com), SLTechnology News&Howtos, Internet Technology. Report date: 06/01.
This article introduces the use of Harbor in kubernetes and is intended as a reference: what Harbor is, its main components, how to install it, and the problems encountered along the way.
One: brief introduction
Harbor is an enterprise-class registry server for storing and distributing Docker images.
Harbor stores images using the official Docker registry (v2, named distribution) service. On top of Docker distribution, Harbor adds security, access control and management functions to meet enterprise requirements for image repositories. Harbor organizes its components according to the docker-compose specification and starts and stops them with the docker-compose tool.
The Docker registry can store images locally or in S3. Harbor adds user permission management, image replication and other functions that make the registry more efficient to use. Harbor's image replication works through the Docker registry API, which hides the tedious underlying file operations; this reuses the existing Docker registry functionality without reinventing the wheel and also avoids conflict and consistency problems.
Two: Harbor architecture
Three: main components
Proxy: corresponds to the startup component nginx. It is an nginx reverse proxy that forwards requests from the Notary client (image authentication), the Docker client (image upload, download, etc.) and the browser (Core Service) to the back-end services.
UI (Core Service): corresponds to the startup component harbor-ui. The underlying data store is a MySQL database. It provides four main sub-functions:
UI: the web management interface.
API: the API services exposed by Harbor.
Auth: the user authentication service. The user information in the decoded token is authenticated here. The auth backend can be db, ldap or uaa.
Token service (not shown in the figure above): issues a token for each docker push/pull command according to the user's role in each project. If a request sent from the Docker client to the registry does not carry a token, the registry redirects the request to the token service to create one.
Registry: corresponds to the startup component registry. It stores image files and handles the pull/push commands. Harbor enforces access control on images: the registry forwards every pull and push request from the client to the token service to obtain a valid token.
Admin Service: corresponds to the startup component harbor-adminserver. It is the configuration management center of the system and also checks storage usage. The ui and jobservice components load their configuration from adminserver when they start.
Job Service: corresponds to the startup component harbor-jobservice. It is responsible for image replication: it communicates with the registries, pulls an image from one registry, pushes it to another, and records the job_log.
Log Collector: corresponds to the startup component harbor-log. It is the log aggregation component, which collects the logs of the other components through Docker's log-driver.
Vulnerability Scanning: corresponds to the startup component clair. It is responsible for image scanning.
Notary: corresponds to the startup component notary. It is responsible for image authentication.
DB: corresponds to the startup component harbor-db. It stores the metadata for project, user, role, replication, image_scan, access, etc.
Four: installation
1. Install python-pip
yum -y install epel-release
yum -y install python-pip
2. Install docker-compose
pip install docker-compose
After the installation is complete, run the version command to confirm that docker-compose is installed:
docker-compose version
3. Install Harbor
wget https://storage.googleapis.com/harbor-releases/release-1.4.0/harbor-offline-installer-v1.4.0.tgz
tar -zxvf harbor-offline-installer-v1.4.0.tgz
Configuration file harbor.cfg
## Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 120.79.156.135
# The protocol for accessing the UI and token/notification service, by default it is http.
# It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http
# Maximum number of job workers in job service
max_job_workers = 3
# Determine whether or not to generate certificate for the registry's token.
# If the value is on, the prepare script creates new root cert and private key
# for generating token to access the registry. If the value is off the default key/cert will be used.
# This flag also controls the creation of the notary signer's cert.
customize_crt = on
# The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /mnt/harbor/cert/server.crt
ssl_cert_key = /mnt/harbor/cert/server.key
# The path of secretkey storage
secretkey_path = /mnt/harbor
# Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
log_rotate_size = 200M
# NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
# only take effect in the first boot, the subsequent changes of these properties
# should be performed on web ui
#*****BEGIN INITIAL PROPERTIES*****
# Email account settings for sending out password resetting emails.
# Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
# Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin
email_ssl = false
email_insecure = false
## The initial password of Harbor admin, only works for the first time when Harbor starts.
# It has no effect after the first launch of Harbor.
# Change the admin password from UI after launching Harbor.
harbor_admin_password = Weinong$2017
## By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
# Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth
# The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
# A user's DN who has the permission to search the LDAP/AD server.
# If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
# ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
# the password of the ldap_searchdn
# ldap_search_pwd = password
# The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
# Search filter for LDAP/AD, make sure the syntax of the filter is correct.
# ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
# the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2
# Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5
# Verify certificate from LDAP server
ldap_verify_cert = true
# Turn on or off the self-registration feature
self_registration = on
# The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30
# The flag to control what users have permission to create projects
# The default value "everyone" allows everyone to creates a project.
# Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone
#*****END INITIAL PROPERTIES*****
# Harbor DB configuration section #
# The address of the Harbor database. Only need to change when using external db.
db_host = mysql
# The password for the root user of Harbor DB. Change this before any production use.
db_password = Weinong$2017
# The port of Harbor database host
db_port = 3306
# The user name of Harbor database
db_user = root
# End of Harbor DB configuration #
# The redis server address. Only needed in HA installation.
redis_url =
# Clair DB configuration #
# Clair DB host address. Only change it when using an external DB.
clair_db_host = postgres
# The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
# Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = password
# Clair DB connect port
clair_db_port = 5432
# Clair DB username
clair_db_username = postgres
# Clair default database
clair_db = postgres
# End of Clair DB configuration #
# The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
# Docker Registry setting #
# registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
# registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
# Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
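
Several settings in the file above matter for security before first boot: http for the UI, open self-registration, project creation by everyone, and database passwords that are placeholders or reused. The following check is an added example, not part of the original article or of Harbor; the sample values are constructed, and the function names and the list of flagged settings are this example's own choices.

```python
# Constructed sample in the format of the harbor.cfg above (not the page's values).
SAMPLE_CFG = """\
ui_url_protocol = http
harbor_admin_password = Example$Pass1
self_registration = on
project_creation_restriction = everyone
ldap_verify_cert = true
db_password = Example$Pass1
clair_db_password = password
"""

# key -> (risky value, why it matters)
RISKY_VALUES = {
    "ui_url_protocol": ("http", "UI, API and token traffic is unencrypted"),
    "self_registration": ("on", "anyone who can reach the UI can create an account"),
    "project_creation_restriction": ("everyone", "any user can create projects"),
    "ldap_verify_cert": ("false", "LDAP server certificate is not checked"),
}
# Placeholder values seen in the file above, plus Harbor 1.x shipped defaults.
PLACEHOLDERS = {"password", "secret", "abc", "Harbor12345", "root123"}
SECRET_KEYS = ("harbor_admin_password", "db_password", "clair_db_password")

def parse_cfg(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg

def audit(cfg):
    """Return (key, finding) tuples for risky settings and weak or reused secrets."""
    findings = [(k, why) for k, (bad, why) in RISKY_VALUES.items()
                if cfg.get(k, "").lower() == bad]
    seen = {}  # password value -> first key that used it
    for key in SECRET_KEYS:
        value = cfg.get(key)
        if not value:
            continue
        if value in PLACEHOLDERS:
            findings.append((key, "placeholder or shipped default password"))
        if value in seen:
            findings.append((key, "same password as " + seen[value]))
        seen.setdefault(value, key)
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_cfg(SAMPLE_CFG)):
        print(f"{key}: {finding}")
```

Run it against the real harbor.cfg before ./install.sh, since the properties between BEGIN and END INITIAL PROPERTIES only take effect on first boot.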
Configuration file docker-compose.yml
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.4.0
    container_name: harbor-log
    restart: always
    volumes:
      - /mnt/harbor/log/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: vmware/registry-photon:v2.6.2-v1.4.0
    container_name: registry
    restart: always
    volumes:
      - /mnt/harbor/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.4.0
    container_name: harbor-db
    restart: always
    volumes:
      - /mnt/harbor/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.4.0
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /mnt/harbor/config/:/etc/adminserver/config/:z
      - /mnt/harbor/secretkey:/etc/adminserver/key:z
      - /mnt/harbor/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.4.0
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - ./common/config/ui/certificates/:/etc/ui/certificates/:z
      - /mnt/harbor/secretkey:/etc/ui/key:z
      - /mnt/harbor/ca_download/:/etc/ui/ca/:z
      - /mnt/harbor/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.4.0
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /mnt/harbor/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /mnt/harbor/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx-photon:v1.4.0
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
Install Harbor
./install.sh
You can use docker-compose to manage the lifecycle of Harbor. Some useful commands are listed as follows:
docker-compose ps: view the containers
docker-compose stop: stop
docker-compose start: start
docker-compose down: delete the containers; Harbor can then be reinstalled using ./install.sh
Five: verification
1. Problems encountered
a. Error message
/usr/lib/python2.7/site-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.21.1) or chardet (2.2.1) doesn
Reason: incompatible versions of urllib3 (1.21.1) or chardet (2.2.1) in the Python libraries
Solution:
pip uninstall urllib3
pip uninstall chardet
pip install requests
b. Error message: "harbor failed to initialize the system: read /etc/adminserver/key: is a directory"
Reason: the secretkey_path setting in harbor.cfg is inconsistent with the secretkey paths in docker-compose.yml
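
A pre-flight check for problem b, as an added example that is not part of the original article: it compares secretkey_path from harbor.cfg with the host side of every volume mounted at /etc/<service>/key in docker-compose.yml. It assumes, as in the two files shown above, that the key file lives at <secretkey_path>/secretkey; the excerpts and function names are constructed for this example.

```python
import re

# Constructed excerpts in the shape of the two files shown above.
CFG = "secretkey_path = /mnt/harbor\n"
COMPOSE_OK = """\
    volumes:
      - /mnt/harbor/config/:/etc/adminserver/config/:z
      - /mnt/harbor/secretkey:/etc/adminserver/key:z
      - /mnt/harbor/secretkey:/etc/ui/key:z
      - /mnt/harbor/secretkey:/etc/jobservice/key:z
"""
# Same file with one mount left at a different path than harbor.cfg.
COMPOSE_BAD = COMPOSE_OK.replace(
    "/mnt/harbor/secretkey:/etc/adminserver", "/data/secretkey:/etc/adminserver")

def secretkey_path(cfg_text):
    """Return the secretkey_path value from harbor.cfg text, or None."""
    m = re.search(r"^\s*secretkey_path\s*=\s*(\S+)", cfg_text, re.M)
    return m.group(1).rstrip("/") if m else None

def key_mounts(compose_text):
    """Return (host_path, container_path) for volumes mounted at /etc/<svc>/key."""
    pattern = r"^\s*-\s*(\S+?):(/etc/\w+/key)(?::\w+)?\s*$"
    return re.findall(pattern, compose_text, re.M)

def mismatched_mounts(cfg_text, compose_text):
    """List key mounts whose host path is not <secretkey_path>/secretkey."""
    base = secretkey_path(cfg_text)
    if base is None:
        raise ValueError("secretkey_path is not set in harbor.cfg")
    expected = base + "/secretkey"
    return [(host, ctr) for host, ctr in key_mounts(compose_text)
            if host.rstrip("/") != expected]

if __name__ == "__main__":
    for host, ctr in mismatched_mounts(CFG, COMPOSE_BAD):
        print(f"{ctr} is mounted from {host}, expected {secretkey_path(CFG)}/secretkey")
```

When the host path of a bind mount does not exist, Docker creates it as a directory, which is why a mismatch surfaces as "is a directory" when the service tries to read the key.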
2. UI interface