Docker-Harbor registry Security Authentication Building [Https]

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

1. Background

To use images in Docker, they are generally downloaded from a local source, the Docker Hub public repository, or other third-party public repositories. At the enterprise level such images are not easily used, for reasons of security and of the download rate of external (firewalled) network resources. Is there a way to store your own images in a repository with security authentication? Yes: build your own authenticated repository based on Harbor in the enterprise environment.

Harbor is VMware's recently open-sourced enterprise Docker Registry project, whose goal is to help users quickly build an enterprise Docker registry service.

2. Reasons for choosing Harbor

* Management UI is provided

* role-based access control (Role Based Access Control)

* AD/LDAP integration

* Audit log (Audit logging)

* Native support for Chinese

3. Related introduction

The architecture of Harbor consists of five main components:

* Proxy: Harbor's registry, UI, token and other services receive requests from browsers and Docker clients through a front-end reverse proxy, which forwards the requests to the different backend services.

* Registry: responsible for storing Docker images and processing docker push/pull commands. Since we need to control user access, that is, different users have different read and write permissions on Docker images, Registry points to a token service, forcing the user to carry a valid token with each docker pull/push request; Registry decrypts and verifies the token with the public key.

* Core services: this is the core function of Harbor and mainly provides the following services:

* UI: provides a graphical interface to help users manage images on the registry and authorize users.

* webhook: in order to learn of status changes of images on the registry in time, a webhook is configured on Registry that passes the status changes to the UI module.

* token service: responsible for issuing a token for each docker push/pull command according to the user's permissions. A request made by the Docker client to the Registry service that does not include a token is redirected here, and after the token is obtained the request is redirected back to Registry.

* Database: provides database services for the core services and is responsible for storing data such as user permissions, audit logs and Docker image grouping information.

* Log collector: to help monitor the operation of Harbor, collects the logs of the other components for later analysis.

The relationship between the components is shown in the following figure:

Each component of Harbor is built as a Docker container, so Docker Compose is used to deploy it.

The Docker Compose template for deploying Harbor is located in /Deployer/docker-compose.yml. When you open this template file, you will find that Harbor consists of five containers:

* proxy: a reverse proxy made up of Nginx servers.

* registry: a container instance composed of Docker's official open source registry image.

* ui: the core services in the architecture, and the code that makes up this container is the main body of the Harbor project.

* mysql: a database container built from the official MySQL image.

* log: a container that runs rsyslogd and collects the logs of the other containers through the Docker log-driver.

These containers are connected with Docker links so that they can reach each other by container name. For end users, only the service port of the proxy (that is, Nginx) needs to be exposed.

Authentication process of Harbor

A. First, the request is intercepted by the proxy container and redirected to the specified authentication server.

B. If the authentication server is configured with permission authentication, 401 is returned, informing the docker client that a legal token is required for this specific request. The logical address of the authentication points to core services in the architecture diagram.

C. When the docker client receives the error code, it sends an authentication request (with user name and password) to core services for basic auth authentication.

D. When the request from C reaches nginx, nginx forwards the request with the user name and password to core services according to the configured authentication address.

E. Core services authenticate the user information after obtaining the user name and password (either against their own database or through LDAP). On success, the successful-authentication information is returned.

How to install Harbor

* online installation -> because of the domestic firewall and network speed, the experience is not ideal

* offline installation -> the download package is large [it includes the related dependent images]

Offline package installation is chosen this time.

4. Environment

[root@harbor ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@harbor ~]# uname -r
3.10.0-327.36.3.el7.x86_64

5. Server IP address

192.168.60.150

6. Create a certificate

* create a certificate storage directory

[root@harbor ~]# mkdir -p /data/cert

* change into the certificate storage directory

[root@harbor ~]# cd /data/cert/

* create the CA root certificate

[root@harbor cert]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=wuhan/O=lisea/CN=harbor-registry"

* generate a certificate signing request, setting the access domain name to harbor.lisea.cn

[root@harbor cert]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.lisea.cn.key -out server.csr -subj "/C=CN/L=wuhan/O=lisea/CN=harbor.lisea.cn"

* generate the host certificate, signed by the CA

[root@harbor cert]# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.lisea.cn.crt
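The three openssl steps above, gathered into one script as an added example (not part of the original article): it also adds a subjectAltName, because newer Docker clients reject server certificates that carry only a CN, and it verifies the issued certificate against ca.crt before that file is copied to the clients' /etc/docker/certs.d/harbor.lisea.cn/ directory (section 8). Assumptions: openssl is installed; the output directory and registry hostname are parameters; the subject fields are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original article. Recreates the section-6
# certificate steps with a subjectAltName and a verification step.
# Assumes: openssl on PATH; <out_dir> and <registry_fqdn> are parameters.
set -e

# make_harbor_certs <out_dir> <registry_fqdn>
# Writes ca.crt, <fqdn>.key and <fqdn>.crt into <out_dir>.
make_harbor_certs() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    # 1. Private CA. ca.key signs only the registry certificate and stays on
    #    this host; only ca.crt is distributed to Docker clients.
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/ca.key" \
        -x509 -days 365 -out "$dir/ca.crt" \
        -subj "/C=CN/L=wuhan/O=lisea/CN=harbor-registry" 2>/dev/null
    # 2. Server key and CSR for the registry hostname.
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/$fqdn.key" \
        -out "$dir/server.csr" \
        -subj "/C=CN/L=wuhan/O=lisea/CN=$fqdn" 2>/dev/null
    # 3. Sign the CSR with the CA; the ext file adds the SAN that modern
    #    TLS clients require plus the serverAuth extended key usage.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/$fqdn.crt" 2>/dev/null
    rm -f "$dir/server.csr" "$dir/san.ext"
}

# verify_harbor_cert <out_dir> <registry_fqdn>
# Prints "ok" when the certificate chains to ca.crt AND matches the hostname,
# the two checks a Docker client performs with certs.d/<fqdn>/ca.crt.
verify_harbor_cert() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 \
        || { echo "chain-fail"; return 1; }
    openssl x509 -in "$dir/$fqdn.crt" -noout -checkhost "$fqdn" 2>/dev/null \
        | grep -q "does match" || { echo "host-fail"; return 1; }
    echo ok
}
```

Run it as `make_harbor_certs /data/cert harbor.lisea.cn && verify_harbor_cert /data/cert harbor.lisea.cn`; a result other than `ok` means the files must not be deployed into harbor.cfg or copied to clients.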

7. Harbor installation and deployment

* install docker

[root@harbor ~]# yum install docker -y

* enable the docker service at boot

[root@harbor ~]# systemctl enable docker.service

* start the docker service

[root@harbor ~]# systemctl start docker.service

* install docker-compose

[root@harbor ~]# yum install python-pip -y
[root@harbor ~]# pip install --upgrade pip
[root@harbor ~]# pip install docker-compose
[root@harbor ~]# pip install --upgrade backports.ssl_match_hostname

* download the harbor offline package [https://github.com/vmware/harbor]

[root@harbor ~]# wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-offline-installer-v1.1.2.tgz

* extract the downloaded harbor package [harbor-offline-installer-v1.1.2.tgz]

[root@harbor ~]# tar zxf harbor-offline-installer-v1.1.2.tgz

* switch to the harbor package directory

[root@harbor ~]# cd harbor

* modify the harbor configuration file [harbor.cfg]

hostname = harbor.lisea.cn                        # hostname of the private repository, either an IP address or a domain name
ui_url_protocol = https                            # protocol users use to access the repository; the default is http, set it to https here
db_password = root123                              # MySQL database administrator password
harbor_admin_password = Harbor12345                # harbor administrator account password
ssl_cert = /data/cert/harbor.lisea.cn.crt          # certificate file path
ssl_cert_key = /data/cert/harbor.lisea.cn.key      # certificate key file path

* install with the bundled one-click script

[root@harbor harbor]# ./install.sh

* access the management UI through a browser [add an entry to the local hosts file that resolves harbor.lisea.cn to the harbor server IP]

https://harbor.lisea.cn

The default user is admin

The default password is Harbor12345 [it can be changed through the harbor_admin_password setting in harbor.cfg before installation]

8. Client-side test [Docker client machine]

* log in with the admin account and create a test user

* log out of the admin account and log in as the test user

* create a test project and set its access level to public

* create a repository certificate storage directory

[root@harbor client]# mkdir -p /etc/docker/certs.d/harbor.lisea.cn

* copy the CA certificate from the harbor server into the repository certificate directory

[root@harbor client]# scp root@192.168.60.150:/data/cert/ca.crt /etc/docker/certs.d/harbor.lisea.cn/ca.crt

* user login [the local hosts file must resolve harbor.lisea.cn to the harbor server IP]

[root@harbor client]# docker login -u test -p Test123456 harbor.lisea.cn
Login Succeeded

* write the Dockerfile

# Url https://lisea.cn
# Base image
FROM centos
# Maintainer
MAINTAINER lisea lisea@126.com
# Commands
RUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install nginx -y
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
RUN echo "this is test nginx image" > /usr/share/nginx/html/index.html
EXPOSE 80
CMD ["nginx"]

* build a new image from the Dockerfile, specifying the registry and tag directly

[root@harbor client]# docker build -t harbor.lisea.cn/test/nginx:v1.0.1 .

* push the image to the harbor registry

[root@harbor client]# docker push harbor.lisea.cn/test/nginx:v1.0.1

* check in the web UI whether the image was uploaded successfully [nginx uploaded successfully]

* delete the local image

[root@harbor client]# docker rmi harbor.lisea.cn/test/nginx:v1.0.1

* pull the image from harbor

[root@harbor client]# docker pull harbor.lisea.cn/test/nginx:v1.0.1

9. Summary

Technology should be driven by demand: there is no difference in the technology itself, only in the business it serves.
