2025-02-25 Update From: SLTechnology News&Howtos (shulou), section: Servers
Shulou (Shulou.com) 06/02 Report
Introduction to Harbor
Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open source Docker Distribution with the features an enterprise needs, such as security, identity management and administration. As a private enterprise Registry, Harbor offers better performance and security than a plain Distribution deployment and makes it more efficient for users to build, run and transfer images. Harbor can replicate images across multiple Registry nodes, and all images are stored in the private Registry, so data and intellectual property stay under the company's control on its internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Harbor features
Role-based access control: users and Docker image repositories are organized and managed through "projects". A user can hold different permissions on the image repositories within the same namespace (project).
Image replication: images can be replicated (synchronized) between multiple Registry instances. This is especially useful for load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
Graphical user interface: users can browse and search the Docker image repositories and manage projects and namespaces from a browser.
AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for authentication and authorization management.
Audit management: every operation against the image repositories can be recorded and traced for auditing.
Internationalization: localized versions exist in English, Chinese, German, Japanese and Russian, with more languages to come.
RESTful API: the RESTful API gives administrators fuller control over Harbor and makes it easier to integrate with other management software.
Easy to deploy: online and offline installers are provided, and Harbor can also be installed as a virtual appliance on the vSphere platform (OVA mode).
Harbor components
Architecturally, Harbor is composed of six components:
Proxy: Harbor's registry, UI, token service and other services sit behind a front-end reverse proxy, which receives requests from browsers and Docker clients and forwards them to the appropriate back-end service.
Registry: responsible for storing Docker images and processing docker push/pull commands. Because access must be controlled per user (different users have different read and write permissions on an image), Registry points to a token service and requires every docker pull/push request to carry a valid token; Registry verifies the token against the token service's public key.
Core services: the core functionality of Harbor, which mainly provides the following services:
UI: a graphical interface that helps users manage images on the registry and authorize users.
Webhook: so that image state changes on the registry are picked up promptly, a webhook is configured on Registry that passes the state changes to the UI module.
Token service: issues a token for each docker push/pull command according to the user's permissions. A request from a Docker client to the Registry that carries no token is redirected here, and once the token has been obtained the client is redirected back to Registry.
Database: the database for the core services, storing data such as user permissions, audit logs and Docker image grouping information.
Job services: provide remote image replication, synchronizing local images to other Harbor instances.
Log collector: collects the logs of the other components for later analysis, to help monitor Harbor's operation.
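The Registry/token-service handshake described above, walked through offline as an added shell example (this is not Harbor's own code). The hostname harbor.example.internal, the user alice and the token contents are constructed for the example; the 401 challenge header and the JWT layout are the standard Docker registry bearer-token protocol that Harbor implements.

```shell
#!/bin/sh
# Added example: a registry answers a docker pull without a token with a 401
# and a WWW-Authenticate challenge. The client fetches a token from the realm
# (Harbor's token service), which scopes it to one repository and action.

# Constructed sample challenge (hostname and service name are made up).
SAMPLE_CHALLENGE='Bearer realm="https://harbor.example.internal/service/token",service="harbor-registry",scope="repository:library/nginx:pull"'

# Pull one quoted parameter (realm, service or scope) out of the challenge.
challenge_param() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# Percent-encode the characters that occur in registry scopes.
urlencode_scope() {
  printf '%s' "$1" | sed 's/:/%3A/g; s,/,%2F,g'
}

# The URL the Docker client requests the token from: realm plus the service
# and scope as query parameters. The token service checks the user's project
# role before issuing a JWT limited to exactly this repository and action.
token_request_url() {
  realm=$(challenge_param "$1" realm)
  service=$(challenge_param "$1" service)
  scope=$(urlencode_scope "$(challenge_param "$1" scope)")
  printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
}

# base64url helpers: JWT segments drop '=' padding and use '-' and '_'.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Constructed token: header, claims and a placeholder signature. A real Harbor
# token is RS256-signed and Registry verifies it with the token service's
# public key; no signature check is performed here.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"iss":"harbor-token-issuer","sub":"alice","access":[{"type":"repository","name":"library/nginx","actions":["pull"]}]}').placeholder-signature"

# Decode the claims (second) segment of a JWT.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Return 0 if the token's access claim grants action $3 on repository $2.
jwt_grants() {
  claims=$(jwt_claims "$1")
  printf '%s' "$claims" | grep -q "\"name\":\"$2\",\"actions\":\[[^]]*\"$3\""
}

token_request_url "$SAMPLE_CHALLENGE"
jwt_claims "$SAMPLE_TOKEN"; echo
jwt_grants "$SAMPLE_TOKEN" library/nginx pull && echo "pull on library/nginx granted"
jwt_grants "$SAMPLE_TOKEN" library/nginx push || echo "push on library/nginx denied"
```

The point worth noticing is that the token only ever names one repository and the actions the user's project role allows; a token obtained for a pull of library/nginx is useless for a push, and Registry refuses anything whose signature does not verify against the token service's public key.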
The relationship between components
How Harbor is implemented
Every Harbor component runs as a Docker container, and the official deployment uses Docker Compose. The Compose template used to deploy Harbor is harbor/docker-compose.yml; opening it shows that Harbor consists of seven containers.
# docker-compose ps
       Name                     Command               State                         Ports
-------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f ...    Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/...    Up      5000/tcp
nginx: nginx is responsible for traffic forwarding and security checks. All traffic enters through nginx, so only the HTTPS port 443 is opened; nginx distributes the traffic to the back-end UI and to the Docker registry that stores the images.
harbor-jobservice: the job management module of Harbor. Jobs are mainly used for replicating (synchronizing) image repositories.
harbor-ui: the web management page, essentially the front-end pages plus the back-end CRUD interface.
registry: the native Docker registry, responsible for storing images.
harbor-adminserver: the system management interface of Harbor, used to modify the system configuration and retrieve system information.
harbor-db: the Harbor database, which stores the system's jobs as well as project and user permission data. Because Harbor's own authentication also goes through this database, production deployments usually connect it to the enterprise LDAP instead.
harbor-log: the logging service of Harbor, which centralises the logs of all containers. docker inspect shows that each container sends its logs to this syslog endpoint.
These containers are linked together with Docker links and reach each other by container name. For end users, only the service port of the proxy (nginx) needs to be exposed.
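A check for the rule just stated (only the proxy should publish ports), written as an added shell example rather than anything shipped with Harbor. The listing it parses is constructed: it copies the docker-compose ps output above and deliberately adds a misconfigured registry that also publishes 5000 on all interfaces.

```shell
#!/bin/sh
# Added example: flag containers in a `docker-compose ps` listing that publish
# a port on 0.0.0.0. Only nginx should; everything else is reachable through
# the proxy by container name and needs no host port.

# Constructed listing: the page's output plus a registry that wrongly exposes 5000.
SAMPLE_PS='       Name                     Command               State                    Ports
------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp
harbor-jobservice    /harbor/harbor_jobservice        Up
harbor-log           /bin/sh -c crond && rm -f ...    Up      127.0.0.1:1514->514/tcp
harbor-ui            /harbor/harbor_ui                Up
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
registry             /entrypoint.sh serve /etc/...    Up      0.0.0.0:5000->5000/tcp'

# Print "container host_port" for every mapping bound to 0.0.0.0. Loopback
# bindings (127.0.0.1:...) and container-only ports (no "->") are skipped,
# as are the header and separator lines.
exposed_ports() {
  printf '%s\n' "$1" | awk '
    NR > 2 {
      name = $1
      for (i = 2; i <= NF; i++)
        if ($i ~ /^0\.0\.0\.0:[0-9]+->/) {
          split($i, m, /:|->/)   # m[1]=address, m[2]=host port, m[3]=container port
          print name, m[2]
        }
    }'
}

# Return 0 when nginx is the only container with public ports; otherwise list
# the offenders and return 1.
only_proxy_exposed() {
  exposed_ports "$1" | awk '
    $1 != "nginx" { bad = 1; print "unexpected public port:", $1, $2 }
    END { exit bad }'
}

exposed_ports "$SAMPLE_PS"
only_proxy_exposed "$SAMPLE_PS" || echo "review the port bindings in docker-compose.yml"
```

Run against the real output of docker-compose ps on the Harbor host; a clean deployment prints only the three nginx lines.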
Installation and deployment
Environment name    Software version               Remarks
Operating system    CentOS Linux release 7.3.1611
Docker Engine       17.12.0-ce
Docker-compose      1.24.0
Harbor              1.6.2
Before installing harbor, you need to install docker engine and docker-compose.
First, install docker
See link: binary installation Docker
Second, install docker-compose
Docker Compose is a Docker tool for defining and running complex applications. An application built on Docker containers usually consists of several containers; with Docker Compose you no longer need shell scripts to start them.
Compose manages multiple Docker containers through one configuration file in which every container is defined as a service. The docker-compose command then starts, stops and restarts the application together with all the service containers it depends on. It is well suited to scenarios where several containers are combined during development.
Official website: Docker compose
# curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/bin/docker-compose
# chmod +x /usr/bin/docker-compose
Third, install harbor
Here I download the offline installation package and install from it.
# tar xf harbor-offline-installer-v1.6.2.tgz
# mv harbor /usr/local/
# cd /usr/local/harbor/
# vi harbor.cfg
_version = 1.6.0
hostname = node176
ui_url_protocol = http
max_job_workers = 10
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
log_rotate_count = 50
log_rotate_size = 200m
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui,registry
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin
email_ssl = false
email_insecure = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 2
ldap_timeout = 5
ldap_verify_cert = true
ldap_group_basedn = ou=group,dc=mydomain,dc=com
ldap_group_filter = objectclass=group
ldap_group_gid = cn
ldap_group_scope = 2
self_registration = off
token_expiration = 30
project_creation_restriction = adminonly
db_host = postgresql
db_password = root123
db_port = 5432
db_user = postgres
redis_host = redis
redis_port = 6379
redis_password =
redis_db_index = 1,2,3
clair_db_host = postgresql
clair_db_password = root123
clair_db_port = 5432
clair_db_username = postgres
clair_db = postgres
clair_updaters_interval = 12
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
registry_storage_provider_name = filesystem
registry_storage_provider_config =
registry_custom_ca_bundle =
# ./install.sh
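Before running install.sh it is worth checking harbor.cfg for the settings that leave a fresh install weaker than necessary. The script below is an added shell example, not part of the Harbor installer; the sample file it audits is constructed here from the keys and values shown in the harbor.cfg above, and the hardened copy only swaps in placeholder secrets.

```shell
#!/bin/sh
# Added example: audit a harbor.cfg for weak settings, then show that a
# corrected copy passes. Keys are those of Harbor 1.6's harbor.cfg.

# Constructed sample built from the page's values (weak as shipped).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
_version = 1.6.0
hostname = node176
ui_url_protocol = http
customize_crt = on
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_verify_cert = true
self_registration = off
token_expiration = 30
project_creation_restriction = adminonly
db_password = root123
clair_db_password = root123
EOF

# Read one key from the INI-style file (first match; leading spaces ignored).
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print one line per finding and return the number of findings (0 = clean).
audit_harbor_cfg() {
  f=$1; n=0
  [ "$(cfg_get "$f" ui_url_protocol)" = "https" ] \
    || { echo "ui_url_protocol is not https: logins and tokens cross the network in clear"; n=$((n+1)); }
  [ "$(cfg_get "$f" harbor_admin_password)" != "Harbor12345" ] \
    || { echo "harbor_admin_password is the documented default"; n=$((n+1)); }
  [ "$(cfg_get "$f" self_registration)" = "off" ] \
    || { echo "self_registration is on: anyone who can reach the UI can create an account"; n=$((n+1)); }
  [ "$(cfg_get "$f" project_creation_restriction)" = "adminonly" ] \
    || { echo "project_creation_restriction lets every user create projects"; n=$((n+1)); }
  # ldap_verify_cert only matters when LDAP authentication is actually in use.
  [ "$(cfg_get "$f" auth_mode)" != "ldap_auth" ] || [ "$(cfg_get "$f" ldap_verify_cert)" = "true" ] \
    || { echo "ldap_verify_cert is false with ldap_auth: the LDAP server certificate is not validated"; n=$((n+1)); }
  [ "$(cfg_get "$f" db_password)" != "root123" ] \
    || { echo "db_password is the template's sample value"; n=$((n+1)); }
  return $n
}

# Hardened copy: HTTPS on, default and template secrets replaced (placeholders).
HARDENED_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$HARDENED_CFG"' EXIT
sed -e 's/^ui_url_protocol = .*/ui_url_protocol = https/' \
    -e 's/^harbor_admin_password = .*/harbor_admin_password = REPLACE-WITH-A-LONG-RANDOM-PASSWORD/' \
    -e 's/^db_password = .*/db_password = REPLACE-WITH-A-RANDOM-DB-PASSWORD/' \
    "$SAMPLE_CFG" > "$HARDENED_CFG"

echo "== sample harbor.cfg =="
audit_harbor_cfg "$SAMPLE_CFG" || echo "findings: $?"
echo "== hardened copy =="
audit_harbor_cfg "$HARDENED_CFG" && echo "findings: 0"
```

Point it at /usr/local/harbor/harbor.cfg on the real host; the three findings it raises on the sample (plain HTTP, the default admin password and the template database password) are exactly the ones the HTTPS section below and a first login should remove.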
Open the URL: http://172.20.20.176
Enter the default user name and password: admin/Harbor12345
The final success is as follows:
Configure Harbor to support HTTPS access
# mkdir -p /data/cert && cd /data/cert
Create the CA private key
# openssl genrsa -out ca.key 2048
Generate a self-signed CA certificate from the private key ca.key (this is the root certificate that will issue the server certificate)
# openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt -subj "/CN=harbor-ca"
Generate the server private key and a CSR (certificate signing request)
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr
Issue the server certificate, adding the registry address as a subjectAltName
# echo subjectAltName = IP:172.20.20.176 > extfile.cnf
# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile extfile.cnf -out server.crt
Modify the configuration file of harbor, harbor.cfg
# cd /usr/local/harbor/
# vi harbor.cfg
hostname = 172.20.20.176
ui_url_protocol = https
# mkdir -p /etc/docker/certs.d/172.20.20.176
# cp /data/cert/ca.crt /etc/docker/certs.d/172.20.20.176/
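The certificate steps above, repeated in a scratch directory together with the checks worth running before the files go into /data/cert and /etc/docker/certs.d. This is an added shell example, not part of the Harbor installer: the address 172.20.20.176 is the page's, while the scratch directory layout and the "/CN=harbor-ca" and "/CN=<ip>" subjects are assumptions made here.

```shell
#!/bin/sh
# Added example: build the CA and server certificate as the page does, then
# verify (1) server.crt chains to ca.crt, (2) it carries the IP SAN, and
# (3) the ca.crt copied into certs.d/<host>/ is the issuing CA.

# Build ca.key, ca.crt, server.key, server.csr and server.crt in $1 for
# registry address $2, following the page's openssl commands.
make_harbor_certs() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -days 3650 \
    -out "$dir/ca.crt" -subj "/CN=harbor-ca" 2>/dev/null
  # -subj keeps the CSR step non-interactive (the page's command prompts for it)
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$ip" 2>/dev/null
  echo "subjectAltName = IP:$ip" > "$dir/extfile.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/extfile.cnf" \
    -out "$dir/server.crt" 2>/dev/null
}

# Check 1: server.crt validates against ca.crt. The output is tested rather
# than the exit status because old OpenSSL releases returned 0 on failure.
cert_chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# Check 2: server.crt carries the IP SAN. Docker builds on Go 1.15 and later
# match the registry address against subjectAltName only, so a certificate
# with the address in the CN alone fails with a hostname mismatch.
cert_has_ip_san() {
  openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null | grep -q "IP Address:$2"
}

# Mirror the certs.d step (cp ca.crt into certs.d/<host>/) and confirm the
# installed file is the CA that issued server.crt, by SHA-256 fingerprint.
install_ca_for_docker() {
  mkdir -p "$1/$2"
  cp "$3/ca.crt" "$1/$2/ca.crt"
}
docker_ca_matches() {
  installed=$(openssl x509 -in "$1/$2/ca.crt" -noout -fingerprint -sha256 2>/dev/null)
  issuer=$(openssl x509 -in "$3/ca.crt" -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$installed" ] && [ "$installed" = "$issuer" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_harbor_certs "$WORK" 172.20.20.176
install_ca_for_docker "$WORK/certs.d" 172.20.20.176 "$WORK"
cert_chains_to_ca "$WORK" && echo "server.crt chains to ca.crt"
cert_has_ip_san "$WORK" 172.20.20.176 && echo "server.crt has SAN IP:172.20.20.176"
docker_ca_matches "$WORK/certs.d" 172.20.20.176 "$WORK" && echo "certs.d copy matches the issuing CA"
```

With ca.crt installed under /etc/docker/certs.d/172.20.20.176/ the Docker daemon trusts the registry's certificate, and no --insecure-registry entry is needed for that address.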
Modify /etc/sysconfig/docker or /etc/docker/daemon.json (either one)
The first way:
Modify /etc/sysconfig/docker
Change
OPTIONS='--selinux-enabled=false --log-driver=journald --signature-verification=false --insecure-registry registry:5000'
to:
OPTIONS='--selinux-enabled=false --log-driver=journald --signature-verification=false --insecure-registry www.node175.com'
The second way:
# cat > /etc/docker/daemon.json
© 2024 shulou.com SLNews company. All rights reserved.