
Introduction to harbor Container Security tools

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Harbor:

Harbor is an open source solution for building an enterprise-grade private Docker image registry. It is a higher-level package around Docker Registry: in addition to a friendly web UI, role and user permission management and auditing of user operations, it integrates a K8s add-on repository (Helm downloads, manages and installs K8s plug-ins via charts, and ChartMuseum provides a repository for storing chart data [Note: Helm is to K8s roughly what yum is to a Linux host]). It also integrates two open source security components: Notary, which is similar to a private CA centre, and Clair, a container security scanning tool that obtains the latest vulnerability information from the CVE databases published by the major vendors and scans the images uploaded by users for known vulnerabilities. Both security functions are very meaningful for an enterprise private registry.

Additional:

Nexus is a Maven repository manager. If you use Maven, you can download the artifacts you need straight from the Maven central repository, but this is usually not good practice; you should set up a local Maven repository server that proxies the remote repositories, which saves bandwidth and time while keeping a local copy of what you use. Nexus meets this need. It also provides powerful repository management and component search, is REST-based with a friendly UI (an ExtJS REST client), uses little memory, and is built on a simple file system rather than a database. These advantages make it the most popular Maven repository manager.

Notary is a project that allows anyone to have trust over arbitrary collections of data. It consists of a server and a client for running and interacting with trusted collections. Notary aims to make the Internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communication with a web server, which is inherently flawed because TLS only protects the channel: when the server is compromised, malicious content can replace the legitimate content. With Notary, publishers can sign their content offline using keys that are kept highly secure. Once the content is ready, the publisher pushes the signed trusted collection to a Notary server. Consumers obtain the publisher's public key through a secure channel and can then talk to any Notary server or (insecure) mirror, relying solely on the publisher's key to determine the validity and integrity of the content they receive. Notary is based on The Update Framework (TUF), a secure general design for the problem of software distribution and updates.

Clair:

Reference: https://blog.csdn.net/liumiaocn/article/details/76697022

Clair scans the layers of a container image, finds vulnerabilities and gives early warnings. Its vulnerability data is based on the Common Vulnerabilities and Exposures (CVE) database. Each Linux distribution generally has its own CVE feed, and Clair matches against it to determine whether a vulnerability exists. For example, the CVE for Heartbleed is CVE-2014-0160.

Clair currently supports the following data sources:

HARBOR:

Harbor is VMware's solution for building a private Docker registry, and it is very powerful.

1. Multi-tenant signing and authentication

2. Security scanning and risk analysis

3. Log auditing

4. Role-based access control

5. Extensible APIs and GUI

6. Image replication between instances

7. Internationalization is well done (currently only English and Chinese are supported)

Harbor deployment:

1. Download Harbor binary distribution from GitHub.

2. Prepare the necessary environment:

yum install docker-ce docker-compose

3. After decompression, edit harbor.cfg

vim harbor.cfg

hostname = node1.test.com

ui_url_protocol = http

# Number of job workers that process user uploads and downloads; on a 4-core host, 3 is a good value.
max_job_workers = 3

# NA: do not customise the administrative (Admiral) URL.
admiral_url = NA

# Default administrator password.
harbor_admin_password = Harbor12345

# By default a database container is created automatically with the root password root123.
# Note: since Harbor v1.7.5 the default database is PostgreSQL (earlier versions used MySQL).
db_password = root123

# To use an external database, change the following parameter to the address of the external database.
db_host = postgresql

# If --with-clair is enabled, also change Clair's database password and the Redis password, because Clair needs Redis.
clair_db_password = root123

4. Run install.sh; check ./install.sh --help if you need to enable other Harbor features (for example --with-clair).

After installation it prints the Harbor address, which you can open directly in the browser.

5. Open Harbor and test uploading an image.

5.1 To test uploading an image, first log in to Harbor's web interface and create a project. A project corresponds to a project group in the company: each group manages its own images separately, so when a project is no longer needed it can simply be deleted.

5.2 Then go to the Docker client, log in to the Harbor registry and try pushing an image.

5.2.1 Because plain (insecure) HTTP is used here, the Docker daemon's start-up parameters must be modified.

vim /usr/lib/systemd/system/docker.service

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --selinux-enabled=false --insecure-registry 192.168.10.154

# If SELinux is not in use, leave it disabled here.

# --insecure-registry marks a registry as insecure (plain HTTP); the value here is the intranet Harbor address, 192.168.10.154.

# If there are several registries, --insecure-registry may be repeated once per address.

5.2.2 Test Upload Image

~]# docker login http://192.168.10.154

Authenticating with existing credentials...

WARNING! Your password will be stored unencrypted in /root/.docker/config.json. #Note here: After successful login, the username and password will be saved to config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

~]# docker push 192.168.10.154/test1/nginx-alpine:v1 #This will allow you to upload images to Harbor.

6. You can check docker-compose.yml and install.sh to see the docker-compose commands actually executed.

docker-compose

# When the command runs, it looks for docker-compose.yml in the current directory and, if found, applies the definitions inside it:

# where to find the images, which container to start first, which volumes to mount when starting the image, and so on.

When configuring Harbor, if there is a problem, check it together with the log files in /var/log/harbor.

I usually do it like this:

tail -f /var/log/harbor/*.log

Harbor HTTPS configuration:

1. Modify harbor.cfg

hostname = harbor.zcf.com

ui_url_protocol = https

ssl_cert = /data/docker/certs/harbor.zcf.com.crt

ssl_cert_key = /data/docker/certs/harbor.zcf.com.key

harbor_admin_password = adminpass

2. Create a certificate and place it in the directory defined above.

For testing, you can use the certificate generation shell script I wrote:

https://github.com/zhang75656/shell-tools/blob/master/gencret.sh

chmod +x gencret.sh

./gencret.sh --help # See the help for usage; OpenSSL must be installed.

3. Re-run ./install.sh so that the Harbor server comes up with the HTTPS settings.
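The two harbor.cfg listings above (the HTTP deployment in step 3 of the deployment section and this HTTPS configuration) differ mainly in the protocol and in whether the shipped default passwords are kept. As an added example, not part of the original article or of Harbor's own tooling, the following POSIX shell script audits a harbor.cfg for exactly those points: it flags a ui_url_protocol other than https, an https configuration with an empty ssl_cert or ssl_cert_key, and any of harbor_admin_password, db_password or clair_db_password still equal to the defaults quoted in the article (Harbor12345 and root123). The two sample config files are constructed inline for the demonstration, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the article or from Harbor): audit a harbor.cfg for
# the weak settings the deployment steps leave in place by default.
# Assumes the key names shown in the article (ui_url_protocol, ssl_cert,
# ssl_cert_key, harbor_admin_password, db_password, clair_db_password).
# Both config files written below are constructed samples, not real installs.

# harbor_cfg_get FILE KEY: print the value of "KEY = value", dropping any
# trailing "# comment" and surrounding whitespace (first match only).
harbor_cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# harbor_cfg_audit FILE: print one finding per line; exit status 0 only when
# there are no findings.
harbor_cfg_audit() {
    cfg="$1"
    findings=0
    proto=$(harbor_cfg_get "$cfg" ui_url_protocol)
    if [ "$proto" != "https" ]; then
        echo "ui_url_protocol=$proto: logins and image layers cross the network in clear text"
        findings=$((findings + 1))
    else
        # With HTTPS selected, both certificate paths must be filled in.
        for key in ssl_cert ssl_cert_key; do
            if [ -z "$(harbor_cfg_get "$cfg" "$key")" ]; then
                echo "$key is empty although ui_url_protocol=https"
                findings=$((findings + 1))
            fi
        done
    fi
    # Shipped defaults quoted in the article; leaving any of them is a finding.
    for pair in harbor_admin_password=Harbor12345 db_password=root123 clair_db_password=root123; do
        key=${pair%%=*}
        default=${pair#*=}
        if [ "$(harbor_cfg_get "$cfg" "$key")" = "$default" ]; then
            echo "$key still set to the shipped default '$default'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the article's first harbor.cfg, HTTP with every default kept.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
hostname = node1.test.com
ui_url_protocol = http
max_job_workers = 3
harbor_admin_password = Harbor12345 #Default Administrator Password
db_password = root123
db_host = postgresql
clair_db_password = root123
EOF

# Constructed sample: the HTTPS configuration with the secrets changed.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
hostname = harbor.zcf.com
ui_url_protocol = https
ssl_cert = /data/docker/certs/harbor.zcf.com.crt
ssl_cert_key = /data/docker/certs/harbor.zcf.com.key
harbor_admin_password = REPLACE-WITH-A-STRONG-PASSWORD
db_password = REPLACE-WITH-A-STRONG-PASSWORD
clair_db_password = REPLACE-WITH-A-STRONG-PASSWORD
EOF

# Usage: harbor_cfg_audit /path/to/harbor.cfg
harbor_cfg_audit "$WEAK_CFG" || echo "weak config: see findings above"
harbor_cfg_audit "$HARDENED_CFG" && echo "hardened config: no findings"
```

Run it against the real harbor.cfg before ./install.sh; a non-zero exit status means at least one of the listed settings should be changed first. The parser deliberately strips trailing comments, so the inline-comment style used in the article's listing is handled as well as comments on their own lines.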

Harbor client configuration:

1. Create a certificate directory under the Docker configuration directory.

# Note: this directory stores the Harbor server's certificate file.

# docker login harbor.zcf.com

# When the command above is run to log in to Harbor, Docker by default looks in /etc/docker/certs.d/ for a directory named harbor.zcf.com and checks whether a usable certificate is present there.

# So you need to scp the certificate from the Harbor server and put it in this directory on the Docker client.

mkdir /etc/docker/certs.d/harbor.zcf.com

When Harbor is managed by systemd, the following reference systemd unit can be used:

[Unit]
Description=BigDisk docker-compose container starter
After=docker.service network-online.target
Requires=docker.service network-online.target

[Service]
# Change this to Harbor's installation directory (the directory containing docker-compose.yml).
# systemd does not recognise trailing comments, so keep notes like this one on their own lines.
WorkingDirectory=/[path_to_harbor]
Type=oneshot
RemainAfterExit=yes
# Make sure the docker-compose path below matches your own system (which docker-compose);
# the same path must be used in all three Exec* lines.
ExecStart=/usr/bin/docker-compose up -d
ExecStop=/usr/bin/docker-compose down
ExecReload=/usr/bin/docker-compose up -d

[Install]
WantedBy=multi-user.target
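A unit file like the one above is easy to copy with its notes still inline, and systemd only treats a line as a comment when # or ; is the first character, so a trailing comment silently becomes part of the ExecStart or WorkingDirectory value. The following added example, which is not from the article or from Harbor, lints such a unit file for that problem, for the [path_to_harbor] placeholder left unreplaced, and for Exec* lines that point at different docker-compose binaries. The two unit files are constructed inline (one reproducing those problems, one cleaned up); the function name is my own.

```shell
#!/bin/sh
# Added example (not from the article or from Harbor): lint a docker-compose
# systemd unit for the problems a copied unit file commonly carries.
# The two unit files written below are constructed samples.

# systemd_unit_lint FILE: print one finding per line; exit 0 only when clean.
systemd_unit_lint() {
    unit="$1"
    findings=0
    # systemd only treats lines that start with "#" or ";" as comments; a
    # trailing "#..." becomes part of the value of ExecStart, WorkingDirectory, etc.
    for ln in $(grep -n '^[^#;].*[[:space:]]#' "$unit" | cut -d: -f1); do
        echo "line $ln: trailing comment would be passed to systemd as part of the value"
        findings=$((findings + 1))
    done
    # A placeholder left in WorkingDirectory means docker-compose finds no docker-compose.yml.
    if grep -q '^WorkingDirectory=.*\[path_to_harbor\]' "$unit"; then
        echo "WorkingDirectory still contains the [path_to_harbor] placeholder"
        findings=$((findings + 1))
    fi
    # ExecStart/ExecStop/ExecReload should all use the same docker-compose binary;
    # otherwise "systemctl stop" can fail on a host where only one of the paths exists.
    n=$(grep -E '^Exec(Start|Stop|Reload)=' "$unit" | sed 's/^[^=]*=//; s/[[:space:]].*//' \
        | sort -u | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "Exec* directives reference $n different docker-compose paths"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the unit as it is often copied, comments inline and the
# placeholder untouched; note the differing ExecStop path.
ORIG_UNIT=$(mktemp)
cat > "$ORIG_UNIT" <<'EOF'
[Unit]
Description=BigDisk docker-compose container starter
After=docker.service network-online.target
Requires=docker.service network-online.target

[Service]
WorkingDirectory=/[path_to_harbor] #This needs to be modified to Harbor's installation directory.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/docker-compose up -d #Here you need to make sure that the path of docker-compose matches the path of your own system.
ExecStop=/usr/local/bin/docker-compose down
ExecReload=/usr/bin/docker-compose up -d

[Install]
WantedBy=multi-user.target
EOF

# Constructed sample: the cleaned-up unit (/opt/harbor is an assumed install path).
FIXED_UNIT=$(mktemp)
cat > "$FIXED_UNIT" <<'EOF'
[Unit]
Description=BigDisk docker-compose container starter
After=docker.service network-online.target
Requires=docker.service network-online.target

[Service]
# Harbor installation directory (contains docker-compose.yml)
WorkingDirectory=/opt/harbor
Type=oneshot
RemainAfterExit=yes
# All three Exec* lines use the same docker-compose binary
ExecStart=/usr/bin/docker-compose up -d
ExecStop=/usr/bin/docker-compose down
ExecReload=/usr/bin/docker-compose up -d

[Install]
WantedBy=multi-user.target
EOF

# Usage: systemd_unit_lint /etc/systemd/system/harbor.service
systemd_unit_lint "$ORIG_UNIT" || echo "original unit: see findings above"
systemd_unit_lint "$FIXED_UNIT" && echo "fixed unit: no findings"
```

Run the lint on the unit before systemctl daemon-reload; the trailing-comment check in particular catches the case where the service appears to start but docker-compose receives the comment text as extra arguments.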
