2025-03-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
I. A brief introduction to Harbor
1. Introduction
Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open source Docker Distribution with features enterprises need, such as security, identity and management. As an enterprise-class private Registry server, Harbor provides better performance and security, and makes it more efficient to transfer images between build and runtime environments. Harbor supports replicating images across multiple Registry nodes, and all images are stored in the private Registry, so data and intellectual property stay within the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
2. Features
(1) Role-based access control: users and Docker image repositories are organized and managed through "projects". A user can have different permissions on different image repositories in the same namespace (project).
(2) Image replication: images can be replicated (synchronized) between multiple Registry instances. This is especially suitable for load balancing, high availability, hybrid cloud and multi-cloud scenarios.
(3) Graphical user interface: users can browse and search the current Docker image repositories and manage projects and namespaces from a browser.
(4) AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for user authentication and management.
(5) Audit management: all operations against the image repository can be recorded and traced for audit management.
(6) Internationalization: localized versions in English, Chinese, German, Japanese and Russian are available. More languages will be added.
(7) RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
(8) Simple deployment: both online and offline installers are provided, and Harbor can also be installed as a virtual appliance on the vSphere platform (OVA mode).
3. Components
Harbor is architecturally composed of six components:
(1) Proxy: Harbor's registry, UI, token and other services sit behind a front-end reverse proxy, which receives requests from browsers and Docker clients and forwards them to the different back-end services.
(2) Registry: responsible for storing Docker images and processing docker push/pull commands. Because user access has to be controlled, that is, different users have different read and write permissions on Docker images, Registry points to a token service and forces every docker pull/push request to carry a valid token. Registry validates the token by checking its signature with the public key.
(3) Core services: this is the core function of Harbor and mainly provides the following services:
1) UI: provides a graphical interface to help users manage images on the registry and authorize users.
2) webhook: to learn about status changes of images on the registry in time, a webhook is configured on Registry and passes the state changes to the UI module.
3) token service: responsible for issuing a token for each docker push/pull command according to the user's permissions. Requests from Docker clients to the Registry service that do not carry a token are redirected here, and are redirected back to Registry after obtaining the token.
(4) Database: provides database services for core services, which is responsible for storing data such as user permissions, audit logs, Docker image grouping information, etc.
(5) Job Services: remote replication of images is provided to synchronize local images to other Harbor instances.
(6) Log collector: to help monitor the operation of Harbor, collect the log of other components for later analysis.
The relationship between the components is shown in the following figure:
4. Harbor construction
Each component of Harbor is built as a Docker container, and the official deployment method is Docker Compose. The Docker Compose template used to deploy Harbor is located in harbor/docker-compose.yml. Opening this template file shows that Harbor is made up of seven containers.
(1) nginx: nginx is responsible for traffic forwarding and security verification. All externally served traffic passes through nginx, so it opens HTTPS port 443 and distributes traffic to the back-end UI and to the Docker registry that stores the images.
(2) harbor-jobservice: harbor-jobservice is the job management module of Harbor. Jobs in Harbor are mainly used for synchronization between image repositories.
(3) harbor-ui: harbor-ui is the web management page, mainly the front-end pages and the back-end CRUD interfaces.
(4) registry: registry is the native Docker registry, which is responsible for storing images.
(5) harbor-adminserver: harbor-adminserver is the Harbor system management interface, which can modify the system configuration and obtain system information.
(6) harbor-db: harbor-db is the database of Harbor, where the system's jobs and the project and user permission data are saved. Harbor's own authentication also goes through this database, although in production it is usually connected to the enterprise LDAP.
(7) harbor-log: harbor-log is the log service of Harbor, which manages the logs of Harbor. With docker inspect you can see that the containers send their logs uniformly through syslog.
These containers are connected together in the form of Docker link so that they can access each other by container name. For end users, only the service port of proxy (that is, Nginx) needs to be exposed.
II. Environmental preparation
1. Production environment
Name | Version
System environment | CentOS Linux release 7.5.1804 (Core)
Docker-ce | Docker version 18.09.0
Docker-compose | 1.22.0
Harbor | V1.6.0
Installation location | /usr/local/harbor
2. Temporarily turn off the firewall and selinux
3. Download address of the service:
Docker source: wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Docker-compose: https://github.com/docker/compose/releases/
Harbor: https://github.com/goharbor/harbor/releases
III. Build services
1. Install docker-ce
Installation:
# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum install docker-ce -y
Uninstall:
# yum remove docker-ce -y
Images, containers, volumes and configuration files are not deleted automatically when the package is removed. To delete all images, containers and volumes, run the following command:
# rm -rf /var/lib/docker
2. Install docker-compose
Method 1: binary
(1) download the package
# wget https://github.com/docker/compose/releases/download/1.22.0/docker-compose-Linux-x86_64
(2) install the service
# mv docker-compose-Linux-x86_64 docker-compose
# cp docker-compose /usr/local/bin/
# chmod u+x /usr/local/bin/docker-compose
(3) decide whether to install the command completion function according to your own situation.
# yum install bash-completion
(4) View
# docker-compose
# docker-compose version
(5) Uninstall
# rm /usr/local/bin/docker-compose
Method 2: pip
(1) installation
# yum install python-pip
# pip install docker-compose
(2) uninstall:
# pip uninstall docker-compose
3. Install Harbor
(1) download
# cd /usr/local/src/
# wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-online-installer-v1.6.0.tgz
(2) decompress the file
# tar -xvf harbor-online-installer-v1.6.0.tgz -C /usr/local/
# cd /usr/local/harbor/
(3) modify the configuration file
# vim harbor.cfg
# Domain name configuration
hostname = www.jiangjj.com
# Mailbox configuration
email_server = smtp.qq.com
email_server_port = 25
email_username = jiangjj@qq.com
email_password = 123456
email_from = admin
email_ssl = false
email_insecure = false
# prohibit users from registering
self_registration = off
# set that only administrators can create projects
project_creation_restriction = adminonly
(4) execute the scripts
# ./prepare
# ./install.sh
(5) View
# docker ps
Or
# docker-compose ps
(6) start and stop of Harbor
Start Harbor
# docker-compose start
Stop Harbor
# docker-compose stop
Restart Harbor
# docker-compose restart
4. Access
Enter www.jiangjj.com in the browser, because the domain name I configured is www.jiangjj.com.
Default account and password: admin / Harbor12345. Change the password after logging in.
http://www.jiangjj.com/
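The settings edited in step (3) and the default admin password can be checked mechanically before ./install.sh is run. The following is an added example, not part of the original article or of Harbor: the function names are made up here, the keys harbor_admin_password and ui_url_protocol are assumed to be present as in the stock Harbor 1.6 harbor.cfg, and the embedded sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a Harbor 1.x harbor.cfg ("key = value" lines).

# cfg_get FILE KEY: print KEY's value (last assignment wins, comments skipped).
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# audit_harbor_cfg FILE: one finding per line; returns 0 only when there are none.
audit_harbor_cfg() {
    cfg=$1; out=""
    add() { out="${out}$1
"; }
    [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ] ||
        add "ui_url_protocol: not https, logins and registry tokens travel unencrypted"
    [ "$(cfg_get "$cfg" harbor_admin_password)" != "Harbor12345" ] ||
        add "harbor_admin_password: still the shipped default"
    [ "$(cfg_get "$cfg" self_registration)" = "off" ] ||
        add "self_registration: anyone who can reach the UI can create an account"
    [ "$(cfg_get "$cfg" project_creation_restriction)" = "adminonly" ] ||
        add "project_creation_restriction: any user can create projects"
    [ -z "$(find "$cfg" -perm -004 2>/dev/null)" ] ||
        add "file mode: world-readable although it stores passwords"
    printf '%s' "$out"
    [ -z "$out" ]
}

# Constructed sample mirroring the values edited above (not a full harbor.cfg).
sample_cfg() {
    cat <<'EOF'
# Domain name configuration
hostname = www.jiangjj.com
ui_url_protocol = http
harbor_admin_password = Harbor12345
email_password = 123456
self_registration = off
project_creation_restriction = adminonly
EOF
}
# Usage: audit_harbor_cfg /usr/local/harbor/harbor.cfg
```

On the sample (mode 644) it reports the HTTP protocol, the default admin password and the file mode; the next section switches ui_url_protocol to https.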
IV. Configure a TLS certificate for Harbor
The configuration above serves Harbor over HTTP, but for security we usually configure HTTPS access. A simple configuration follows:
1. Modify the Harbor configuration file (purchased certificate)
hostname = www.jiangjj.com
ui_url_protocol = https
ssl_cert = /etc/certs/jiangjj.com.crt
ssl_cert_key = /etc/certs/jiangjj.com.key
2. Create a self-signed certificate key file
# mkdir /etc/certs
# openssl genrsa -out /etc/certs/jiangjj.com.key 2048
3. Create a self-signed certificate crt file
# openssl req -x509 -new -nodes -key /etc/certs/jiangjj.com.key -subj "/CN=www.jiangjj.com" -days 5000 -out /etc/certs/jiangjj.com.crt
4. Reinstall harbor
# ./prepare
# ./install.sh
5. Configure the client certificate
# mkdir -p /etc/docker/certs.d/www.jiangjj.com
Copy the crt certificate to the new directory and restart docker.
6. Testing
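Steps 2 to 5 as re-runnable shell functions, added here as an example and not taken from the original article. The function names and the ca.crt file name are choices of this example; the certificate also carries a subjectAltName, which the command in step 3 does not add and which clients built with Go 1.15 or later need because they no longer accept a CN-only certificate. The -addext option assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: create and check the registry certificate from steps 2 to 5.
# Directories are arguments so it can be tried in a scratch directory first.

# make_registry_cert DIR HOST: private key plus self-signed cert with a SAN.
make_registry_cert() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    ( umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    openssl req -x509 -new -nodes -key "$dir/$host.key" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -days 5000 -out "$dir/$host.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: the key's public half equals the cert's public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CRT HOST: true only if HOST is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^ *//' | grep -Fqx "DNS:$2"
}

# install_registry_ca CRT CERTS_D HOST: copy the cert to CERTS_D/HOST/ca.crt,
# the per-registry CA file the Docker client reads (CERTS_D is normally
# /etc/docker/certs.d).
install_registry_ca() {
    mkdir -p "$2/$3" && cp "$1" "$2/$3/ca.crt"
}

# Usage, as root on the Harbor host and then on each client:
#   make_registry_cert /etc/certs www.jiangjj.com
#   key_matches_cert /etc/certs/www.jiangjj.com.key /etc/certs/www.jiangjj.com.crt
#   install_registry_ca /etc/certs/www.jiangjj.com.crt /etc/docker/certs.d www.jiangjj.com
```

The files are named after the host, so ssl_cert and ssl_cert_key in harbor.cfg have to point at www.jiangjj.com.crt and www.jiangjj.com.key if this variant is used.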
V. Test uploading and downloading images
1. Modify docker on each client
# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry www.jiangjj.com
Just add --insecure-registry www.jiangjj.com. This option lets the Docker client use the registry over plain HTTP or without verifying its certificate.
Restart docker:
# systemctl daemon-reload
# systemctl restart docker
Or
Create an /etc/docker/daemon.json file and specify the registry address in the file
# cat > /etc/docker/daemon.json