
How to use Harbor

2025-03-31 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article explains how to use Harbor. The content is simple and clear, and easy to follow.

Basic architecture

Harbor installation and configuration guidance

Harbor can be installed and deployed in the following three ways:

Online installation: users can download the official image of harbor directly from docker hub.

Offline installation: users need to download the source package and build their own images. The source package is relatively large.

Virtual Appliance: this method is generally used to build a private repository on a third-party platform such as vSphere. You need to download the OVA version of Harbor.

The installers can be downloaded from the official download page.

To install Harbor's virtual appliance, see the linked virtual appliance guide.

This guide explains step by step how to install and configure Harbor using the online and offline methods. The installation steps are basically the same for both.

If you run an older version of Harbor, you may need to migrate the data to fit the new database schema. For detailed steps, see the linked data migration guide.

In addition, for the steps to deploy on Kubernetes, see the linked Harbor on Kubernetes guide.

Harbor dependencies

Harbor is deployed on the server as Docker containers, so it can be deployed on any Linux distribution. Python, Docker and Docker Compose need to be installed on the target host.

Python must be version 2.7 or later. Note that it is best to install the Python package that corresponds to your Linux distribution.

Docker Engine must be version 1.10 or later; the newer version is 1.12. See the Docker installation guide.

Docker Compose must be version 1.6.0 or later. See the Compose installation guide.

Harbor installation and configuration

The installation steps are as follows:

Download the installation package

Modify related configuration harbor.cfg

Run install.sh to install and start harbor

1. Download the installation package

Download the binary package from the Harbor download page, choosing either the online or the offline installer. Use the tar command to extract the downloaded package.

Online installer:

$ tar xvf harbor-online-installer-<version>.tgz

Offline installer:

$ tar xvf harbor-offline-installer-<version>.tgz

2. Configure Harbor

The configuration parameters are in the file harbor.cfg and are described in detail below. At a minimum, the hostname parameter must be set.

hostname: the hostname of the target host, which is used to access the Harbor UI and the image repository. It can be an IP address or a fully qualified domain name, such as 192.168.1.10 or reg.yourdomain.com. Do not use localhost or 127.0.0.1 as the hostname.

ui_url_protocol: (http or https. Default is http) the protocol used to access the UI and the token/notification services. To set up HTTPS, see the linked guide on configuring Harbor with HTTPS.

Email settings: these parameters configure how Harbor sends mail; changing them is optional. Note: SSL is not enabled by default. If your SMTP server requires SSL, enable it with the following setting:

email_ssl = true

The email parameters are:

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin
email_ssl = false

harbor_admin_password: sets the administrator's initial password, which takes effect only the first time Harbor starts. After that, this setting is ignored and the administrator's password is changed in the UI. The default user name and password are admin/Harbor12345.

auth_mode: the type of authentication to use. The default is db_auth, where the credentials are stored in the database. To use LDAP authentication, set it to ldap_auth.

ldap_url: the URL of the LDAP server (e.g. ldaps://ldap.mydomain.com). Used only when auth_mode is set to ldap_auth.

ldap_searchdn: the DN (e.g. uid=admin,ou=people,dc=mydomain,dc=com) of the user that connects to the LDAP/AD service.

ldap_search_pwd: the password of the user specified by ldap_searchdn.

ldap_basedn: the base DN under which users are looked up, e.g. ou=people,dc=mydomain,dc=com. Used only when auth_mode is set to ldap_auth.

ldap_filter: the user search filter, e.g. (objectClass=person).

ldap_uid: the attribute used to match a user during an LDAP search. It can be uid, cn, email or another attribute.

ldap_scope: the user search scope: 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE. Default is 3.

db_password: the root password of the MySQL database used for db_auth.

self_registration: (on or off. Default is on) enables or disables user self-registration. When turned off, new users can only be created by the admin user. Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this parameter is ignored.

use_compressed_js: (on or off. Default is on) for production use, it is recommended to set this parameter to on. Set it to off in development mode so that the js files can be modified separately.

max_job_workers: (default is 3) the maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this value allows more concurrent replication jobs, but since each worker consumes a certain amount of network, CPU and I/O resources, the value must be chosen according to the resources of the host.

secret_key: the key used to encrypt and decrypt the password of a remote registry in a replication policy. It must be 16 characters long. The value must be changed in production. NOTE: after changing this key, a previously encrypted password of a policy can no longer be decrypted.

token_expiration: the token expiration time. Default is 30 minutes.

verify_remote_cert: (on or off. Default is on) this parameter determines whether Harbor verifies the SSL/TLS certificate when it communicates with a remote registry instance. Setting it to off skips verification, which is typically done when the remote registry uses a self-signed or untrusted certificate.

customize_crt: (on or off. Default is on) when set to on, a script creates the private key and root certificate used to generate and verify the registry's token.

The parameters crt_country, crt_state, crt_location, crt_organization, crt_organizationalunit, crt_commonname and crt_email are used when generating the key. When customize_crt is set to off, the key and root certificate can be supplied from an external source. See the linked guide on customizing the certificate for the Harbor token service.
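The warnings in the parameter list above (localhost as hostname, plain HTTP, the default admin password, the 16-character secret_key, disabled certificate verification, open self-registration) can be checked before install.sh is run. The following is an added example, not code from the original article or from the Harbor project; the function names, the ldaps:// check and the sample configuration are assumptions made for illustration.

```python
# Added example, not Harbor project code: audit harbor.cfg against the warnings above.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # default stated in this guide

def parse_cfg(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return a list of (parameter, finding) tuples; an empty list means clean."""
    auth_mode = cfg.get("auth_mode", "db_auth")
    checks = [
        ("hostname", cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"),
         "must be an IP address or FQDN that clients can reach"),
        ("ui_url_protocol", cfg.get("ui_url_protocol", "http") != "https",
         "UI and token service are served over plain HTTP"),
        ("harbor_admin_password",
         cfg.get("harbor_admin_password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD,
         "default admin password is still set"),
        ("secret_key", len(cfg.get("secret_key", "")) != 16,
         "must be exactly 16 characters"),
        ("verify_remote_cert", cfg.get("verify_remote_cert", "on") != "on",
         "certificates of remote registries are not verified"),
        ("self_registration",
         auth_mode == "db_auth" and cfg.get("self_registration", "on") == "on",
         "anyone who can reach the UI can register an account"),
        ("ldap_url", auth_mode == "ldap_auth"
         and not cfg.get("ldap_url", "").lower().startswith("ldaps://"),
         "LDAP URL does not use ldaps://"),
    ]
    return [(key, msg) for key, failed, msg in checks if failed]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = """\
hostname = reg.yourdomain.com
ui_url_protocol = http
harbor_admin_password = Harbor12345
self_registration = on
secret_key = 0123456789abcdef
verify_remote_cert = off
"""

if __name__ == "__main__":
    for key, msg in audit(parse_cfg(SAMPLE_CFG)):
        print(f"[!] {key}: {msg}")
```

To check a real file, pass the contents of harbor.cfg to parse_cfg() instead of SAMPLE_CFG.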

3. Configure back-end storage (optional)

By default, Harbor stores image files on the local file system. In a production environment, you should consider replacing the local file system with a storage backend such as S3, OpenStack Swift or Ceph. To do so, update the storage section in the file templates/registry/config.yml. For example, to use OpenStack Swift as the storage backend, the configuration looks like this:

storage:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images

Note: for more information about storage backends for the Docker registry, see the linked Registry configuration reference.

4. Complete the installation of Harbor and start Harbor

Once harbor.cfg and the storage backend are configured, use the install.sh script to install and start the Harbor service. Note that this step may take some time, because the images Harbor depends on have to be downloaded from Docker Hub.

$ sudo ./install.sh

If everything works after the script has run, open the hostname configured in harbor.cfg in a browser, e.g. http://reg.yourdomain.com, and log in to Harbor as the admin user. The default administrator username/password is admin/Harbor12345.

After logging in as admin, first create a project, such as myproject. Users can then log in with docker login reg.yourdomain.com and push images (the registry service listens on port 80 by default):

$ docker login reg.yourdomain.com
$ docker push reg.yourdomain.com/myproject/myrepo:mytag

Important: the default installation of Harbor uses HTTP, so users need to add the option --insecure-registry reg.yourdomain.com to the Docker daemon's configuration and restart Docker.

For more information about using Harbor, see the linked Harbor User Guide.

5. Configure Harbor to support HTTPS access

Harbor does not ship with any certificates and serves requests over HTTP by default. This makes setup simpler for development or test environments, but it is not recommended in production. To enable HTTPS, see the linked guide on configuring Harbor with HTTPS.

Manage the lifecycle of Harbor

You can use docker-compose to manage the entire lifecycle of Harbor. The relevant commands are listed below. Note that docker-compose must be run in the directory that contains the docker-compose.yml file.

Stop the Harbor service:

$ sudo docker-compose stop
Stopping harbor_proxy_1 ... done
Stopping harbor_ui_1 ... done
Stopping harbor_registry_1 ... done
Stopping harbor_mysql_1 ... done
Stopping harbor_log_1 ... done
Stopping harbor_jobservice_1 ... done

Start the Harbor service:

$ sudo docker-compose start
Starting harbor_log_1
Starting harbor_mysql_1
Starting harbor_registry_1
Starting harbor_ui_1
Starting harbor_proxy_1
Starting harbor_jobservice_1

To change Harbor's configuration, first stop the running Harbor instance, then update harbor.cfg and run install.sh again:

$ sudo docker-compose down
$ vim harbor.cfg
$ sudo ./install.sh

Remove Harbor's containers while keeping the image data and the Harbor database files:

$ sudo docker-compose rm
Going to remove harbor_proxy_1, harbor_ui_1, harbor_registry_1, harbor_mysql_1, harbor_log_1, harbor_jobservice_1
Are you sure? [yN] y
Removing harbor_proxy_1 ... done
Removing harbor_ui_1 ... done
Removing harbor_registry_1 ... done
Removing harbor_mysql_1 ... done
Removing harbor_log_1 ... done
Removing harbor_jobservice_1 ... done

Delete Harbor's database and image data (usually for a clean re-installation):

$ rm -r /data/database
$ rm -r /data/registry

For more on docker-compose commands, see the linked Docker Compose documentation.

Persist data and log files

By default, the registry's data is persisted in the /data/ directory of the target host. This data remains unchanged when Harbor's containers are deleted or recreated. In addition, Harbor uses rsyslog to collect the logs of each container. By default, these log files are stored in the /var/log/harbor/ directory of the target host for troubleshooting.

Configure Harbor to listen on a custom port

By default, Harbor listens on ports 80 and 443 (the latter has to be configured) as the entry points for the admin portal. You can of course customize these ports.

HTTP protocol

1. Modify the docker-compose.yml file and replace the port mapping of the proxy service, e.g. 8888:80.

proxy:
  image: library/nginx:1.11.5
  restart: always
  volumes:
    - ./config/nginx:/etc/nginx
  ports:
    - 8888:80
    - 443:443
  depends_on:
    - mysql
    - registry
    - ui
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"

2. Modify the template file templates/registry/config.yml

Add the custom port ":8888" after the parameter "$ui_url".

auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:8888/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service

3. Run install.sh to update and start Harbor.

$ sudo docker-compose down
$ sudo ./install.sh

HTTPS protocol

1. Enable HTTPS by following the linked HTTPS guide.

2. Modify the docker-compose.yml configuration file

Change the mapping of port 443 in the compose file, for example to 4443:443.

proxy:
  image: library/nginx:1.11.5
  restart: always
  volumes:
    - ./config/nginx:/etc/nginx
  ports:
    - 80:80
    - 4443:443
  depends_on:
    - mysql
    - registry
    - ui
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"

3. Modify the template file templates/registry/config.yml

Add the custom port after "$ui_url", for example ":4443".

auth:
  token:
    issuer: registry-token-issuer
    realm: $ui_url:4443/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service

4. Run install.sh to update and start Harbor.

$ sudo docker-compose down
$ sudo ./install.sh

Troubleshooting

1. When Harbor is not working properly, use the following command to view the state of the running containers:

$ sudo docker-compose ps
        Name                     Command               State                    Ports
-----------------------------------------------------------------------------------------------------
harbor_jobservice_1   /harbor/harbor_jobservice        Up
harbor_log_1          /bin/sh -c crond && rsyslo ...   Up      0.0.0.0:1514->514/tcp
harbor_mysql_1        /entrypoint.sh mysqld            Up      3306/tcp
harbor_proxy_1        nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
harbor_registry_1     /entrypoint.sh serve /etc/ ...   Up      5000/tcp
harbor_ui_1           /harbor/harbor_ui                Up

If any container is not in the Up state, check that container's log in /var/log/harbor.

2. When Harbor is placed behind elastic load balancing or an nginx proxy, check the following line in the location /, location /v2/ and location /service/ sections of make/config/nginx/nginx.conf:

proxy_set_header X-Forwarded-Proto $scheme;
