2025-03-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Introduction to Harbor
Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open source Docker Distribution by adding features that enterprises need, such as security, identity, and management. As an enterprise-class private Registry server, Harbor provides better performance and security, and it improves the efficiency of transferring images when users use the Registry to build and run environments. Harbor supports replicating image resources across multiple Registry nodes, and all images are stored in the private Registry, so that data and intellectual property stay under control inside the company's internal network. In addition, Harbor provides advanced security features such as user management, access control, and activity auditing.
Harbor is an open source enterprise-level Docker Registry developed by the VMware China R&D team. It not only fills the functional gaps we face when using Docker Registry directly, but also addresses the operations pain points of running Docker Registry in production, such as high availability, direct replication between image repositories, and image repository performance.
Harbor characteristics
(1) Role-based access control: users and Docker image repositories are organized and managed through "projects". A user can have different permissions for multiple image repositories in the same namespace (project).
(2) Image replication: images can be replicated (synchronized) between multiple Registry instances. This is especially suitable for load balancing, high availability, hybrid cloud, and multi-cloud scenarios.
(3) Graphical user interface: users can use a browser to browse and search the current Docker image repositories and to manage projects and namespaces.
(4) AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for authentication management.
(5) Audit management: all operations against the image repository can be recorded and traced for audit management.
(6) Internationalization: localized versions in English, Chinese, German, Japanese, and Russian are available. More languages will be added.
(7) RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
(8) Easy deployment: both online and offline installers are provided, and Harbor can also be installed as a virtual appliance on the vSphere platform (OVA mode).
Harbor is architecturally composed of six components:
(1) Proxy: Harbor's registry, UI, token, and other services sit behind a front-end reverse proxy, which receives requests from browsers and Docker clients and forwards them to the appropriate back-end service.
(2) Registry: responsible for storing Docker images and handling docker push/pull commands. Because user access has to be controlled, that is, different users have different read and write permissions on Docker images, the Registry points to a token service and forces users to carry a valid token on every docker pull/push request. The Registry verifies the token using the public key.
(3) Core services: this is the core functionality of Harbor, and it mainly provides the following services:
1) UI: provides a graphical interface that helps users manage images on the registry and authorize users.
2) webhook: to learn about status changes of images on the registry in time, a webhook is configured on the Registry and passes the state changes to the UI module.
3) token service: responsible for issuing a token for each docker push/pull command according to the user's permissions. A request from a Docker client to the Registry service that does not include a token is redirected here, and is redirected back to the Registry after obtaining the token.
(4) Database: provides database services for the core services and stores data such as user permissions, audit logs, and Docker image grouping information.
(5) Job Services: provides remote replication of images, which synchronizes local images to other Harbor instances.
(6) Log collector: collects the logs of the other components for later analysis, to help monitor the operation of Harbor.
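The token check between the token service and the Registry described in (2) and (3), as an added example that is not code from Harbor or from the original article. It assumes an RS256-signed JWT as used by the Docker registry token scheme, requires the openssl CLI, and all keys, claims and helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example: how a signed registry token is checked. Keys, claims and
# helper names are constructed for this demo; requires the openssl CLI.

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

make_keys() {  # $1 = dir; writes priv.pem (token service) and pub.pem (Registry)
    openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null &&
        openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# Token service: sign "header.payload" with the private key (RS256 JWT).
issue_token() {  # $1 = private key, $2 = JSON claims
    head=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
    body=$(printf '%s' "$2" | b64url)
    sig=$(printf '%s' "$head.$body" | openssl dgst -sha256 -sign "$1" | b64url)
    printf '%s.%s.%s\n' "$head" "$body" "$sig"
}

# Registry: accept the token only if the signature matches the public key.
verify_token() {  # $1 = public key, $2 = token; exit status 0 when valid
    signed=${2%.*}; sig=${2##*.}
    while [ $(( ${#sig} % 4 )) -ne 0 ]; do sig="$sig="; done  # restore padding
    tmp=$(mktemp)
    printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
    printf '%s' "$signed" |
        openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1
    rc=$?; rm -f "$tmp"; return "$rc"
}

demo() {
    d=$(mktemp -d); make_keys "$d"
    pull='{"access":[{"type":"repository","name":"xgp/centos","actions":["pull"]}]}'
    push='{"access":[{"type":"repository","name":"xgp/centos","actions":["push"]}]}'
    tok=$(issue_token "$d/priv.pem" "$pull")
    verify_token "$d/pub.pem" "$tok" && echo "issued token: accepted"
    # Same signature, but the payload now claims push rights.
    altered="${tok%%.*}.$(printf '%s' "$push" | b64url).${tok##*.}"
    verify_token "$d/pub.pem" "$altered" || echo "altered token: rejected"
    rm -rf "$d"
}
demo
```

Because the Registry only holds the public key, it can check tokens but cannot issue them; any change to the claims after signing invalidates the token.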
The relationship between the components is shown in the following figure:
Harbor construction
Each component of Harbor is built as a Docker container, and the official deployment method is Docker Compose. The Docker Compose template used to deploy Harbor is located at harbor/docker-compose.yml. Opening this template file shows that Harbor is made up of seven containers.
(1) nginx: nginx is responsible for traffic forwarding and security verification. All externally served traffic passes through nginx, so it opens HTTPS port 443 and distributes traffic to the back-end UI and to the Docker registry that stores the images.
(2) harbor-jobservice: harbor-jobservice is Harbor's job management module. Jobs in Harbor are mainly used for synchronization between image repositories.
(3) harbor-ui: harbor-ui is the web management page, which mainly consists of the front-end pages and the back-end CRUD interface.
(4) registry: registry is Docker's native repository, which is responsible for storing images.
(5) harbor-adminserver: harbor-adminserver is Harbor's system management interface, which can modify the system configuration and obtain system information.
(6) harbor-db: harbor-db is Harbor's database, which stores the system's jobs and the management of projects and user permissions. Harbor's authentication also goes through this database, so in production it is usually connected to the enterprise's LDAP.
(7) harbor-log: harbor-log is Harbor's log service, which manages Harbor's logs in one place. Using inspect, you can see that the containers all send their logs to syslog.
These containers are connected using Docker links so that they can reach each other by container name. For end users, only the service port of the proxy (that is, Nginx) needs to be exposed.
Enterprise private image repository: Harbor
Download the docker-compose tool online.
https://github.com/docker/compose/releases/tag/1.25.1-rc1
[root@docker02 ~]# tar -zxf docker-compose.tar.gz -C /usr/local/bin/    # unpack into the command directory
[root@docker02 ~]# chmod +x /usr/local/bin/docker-compose
[root@docker02 ~]# yum -y install yum-utils device-mapper-persistent-data lvm2    # install dependency packages
[root@docker02 ~]# docker-compose -v    # view version information
docker-compose version 1.24.0, build 0aa59064
Download Harbor online and install it.
https://github.com/goharbor/harbor/releases
[root@docker02 ~]# tar -zxf harbor-offline-installer-v1.7.4.tgz -C /usr/local/    # import the Harbor offline installation package and extract it to /usr/
Modify the Harbor configuration file and run the bundled installation script
[root@docker02 ~]# cd /usr/local/harbor/
[root@docker02 harbor]# ls
[root@docker02 harbor]# vim harbor.cfg
hostname = 192.168.1.13    # 13 change to the local IP address
harbor_admin_password = Harbor12345    # harbor password
[root@docker02 harbor]# ./install.sh    # run the bundled installation script
Log in to Harbor in the browser
http://192.168.1.13:80 username: admin, password: Harbor12345
Create a project
Modify the Docker configuration file to connect to the private repository
[root@docker02 harbor]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.13    # 13 add
[root@docker02 harbor]# systemctl daemon-reload
[root@docker02 harbor]# systemctl restart docker    # restart docker
[root@docker02 harbor]# docker ps    # far fewer containers are running now
[root@docker02 harbor]# docker-compose start    # start the containers defined in the Harbor compose file
Log in to Harbor
[root@docker02 harbor]# docker login -u admin -p Harbor12345 192.168.1.13    # log in to harbor
Upload the image to the repository
[root@docker02 harbor]# docker tag centos:7 192.168.1.13/xgp/centos:7    # change the tag
[root@docker02 harbor]# docker push 192.168.1.13/xgp/centos:7    # upload the image
Add a second Docker server to the repository and test downloading.
[root@docker02 harbor]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.13    # 13 add
[root@docker02 harbor]# systemctl daemon-reload
[root@docker02 harbor]# systemctl restart docker    # restart docker
Log in to Harbor
[root@docker02 harbor]# docker login -u admin -p Harbor12345 192.168.1.13    # log in to harbor
Download the image you just uploaded
[root@docker01 xxx]# docker pull 192.168.1.13/xgp/centos:7
[root@docker01 xxx]# docker images    # view local images
Download succeeded
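The walkthrough above leaves three lab-grade settings in place: the default admin password, plain HTTP, and --insecure-registry on the Docker daemon. The following check for them is an added example, not part of the original article or of Harbor; the function names are hypothetical, ui_url_protocol is a Harbor 1.x harbor.cfg key that the article does not show, and the sample files are constructed from the values used above.

```shell
#!/bin/sh
# Added example: flag the weak settings used in this walkthrough.
# cfg_get, audit_harbor_cfg and audit_docker_unit are hypothetical helpers.

# Read "key = value" from a harbor.cfg-style file, dropping trailing comments.
# Assumption: the value itself contains no '#'.
cfg_get() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

audit_harbor_cfg() {  # $1 = harbor.cfg; prints one finding per line
    [ "$(cfg_get "$1" harbor_admin_password)" = "Harbor12345" ] &&
        echo "DEFAULT_ADMIN_PASSWORD"
    [ "$(cfg_get "$1" ui_url_protocol)" != "https" ] &&
        echo "NO_TLS"
    return 0
}

audit_docker_unit() {  # $1 = docker.service
    grep -Eq '^ExecStart=.*--insecure-registry' "$1" &&
        echo "INSECURE_REGISTRY"
    return 0
}

# Constructed sample input mirroring the values used in the article.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'hostname = 192.168.1.13' 'ui_url_protocol = http' \
        'harbor_admin_password = Harbor12345   # harbor password' > "$d/harbor.cfg"
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.13' \
        > "$d/docker.service"
    audit_harbor_cfg "$d/harbor.cfg"
    audit_docker_unit "$d/docker.service"
    rm -rf "$d"
}
demo
```

Serving Harbor over HTTPS with a certificate the Docker hosts trust removes the need for --insecure-registry, and `docker login --password-stdin` keeps the password out of the shell history and process list, unlike `-p`.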