Docker enterprise private registry: introduction and deployment of Harbor

Preface

The development, deployment and operation of docker containers all depend on reliable image management. In the previous article we pulled images from the public registry provided by docker; for reasons of security, efficiency and control, however, a Registry also needs to be deployed in the private environment.

This article introduces the deployment and use of Harbor, an enterprise-level docker image registry. Harbor is also the recommended registry for the Kubernetes cluster covered later.

1. Introduction to the concept and characteristics of Harbor

What is Harbor?

Harbor is an enterprise-level Docker Registry management project open-sourced by VMware. Compared with the official docker registry it offers richer functionality and a more complete architecture, and is suited to providing registry services for large-scale docker cluster deployments. It mainly provides a management UI for the Docker Registry, with role-based access control, image replication, AD/LDAP integration, audit logging and other functions, and fully supports Chinese.

What are the features of Harbor?

  1. Role-based access control: users and docker image repositories are organized and managed through projects. A user can have different permissions for multiple image repositories in the same namespace;
  2. Image replication: images can be replicated (synchronized) between multiple Registry instances, which suits load balancing, high availability, hybrid and multi-cloud scenarios;
  3. Graphical user interface: users can view, search and manage images through the browser;
  4. AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for authentication;
  5. Audit management: all operations on the image registry can be tracked and recorded;
  6. Internationalization: localized versions in English, Chinese, German, Japanese, Russian and others are supported, with more to follow;
  7. RESTful API: the API gives administrators more control over Harbor and makes management more convenient;
  8. Simple deployment: online and offline installers are provided, and a virtual appliance can also be installed on the vSphere platform.

2. Harbor architecture and components

Let's take a look at the overall architecture of Harbor:

Harbor's own components are the Core Service in the figure above, which provides the core functions; the Replication Job Service, which provides image synchronization (replication) between multiple Harbor instances; and the Log Collector, which provides monitoring and log analysis.

The core services are mainly in three aspects:

UI: provides a graphical interface that helps users manage images on the registry and authorize users.

Webhook: so that changes to image status on the Registry are noticed promptly, a webhook is configured on the Registry that passes status changes to the UI module.

Auth service: issues a token for each docker push/pull command according to the user's permissions. A request from the docker client to the Registry that carries no token is redirected here; once the token has been obtained, the request is made to the Registry again.

API: provides Harbor's RESTful API.

The other components in the figure above are external components that Harbor relies on, such as Nginx (acting as a reverse proxy), Registry v2 (the official image registry, where the images are actually stored), the database, etc.

3. Harbor deployment and test process

Environment: two CentOS 7 virtual machines with docker installed, one as the Harbor server and the other as a client for the tests.

Specific planning:

Server (docker Harbor): 192.168.0.135, CentOS 7, docker CE (docker environment), docker-compose, harbor

Client (test side): 192.168.0.129, CentOS 7, docker CE

Server deployment

Start deployment configuration

First, install and configure docker-compose and the harbor package on the harbor server.

Both can be downloaded from the command line (a good test of your network speed):

Download docker compose tool

curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose

Download harbor package

wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz

[root@localhost opt]# ls
containerd  docker-compose  docker.sh  harbor-offline-installer-v1.2.2.tgz  rh
[root@localhost opt]# chmod +x docker-compose 
[root@localhost opt]# cp -p docker-compose  /usr/local/bin/
[root@localhost opt]# ls
containerd  docker-compose  docker.sh  harbor-offline-installer-v1.2.2.tgz  rh
[root@localhost opt]# tar zxf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
[root@localhost opt]# cd /usr/local/
[root@localhost local]# ls
bin  etc  games  harbor  include  lib  lib64  libexec  sbin  share  src
[root@localhost local]# cd harbor/
[root@localhost harbor]# ll
total 527664
drwxr-xr-x. 3 root root        23 Apr  6 09:02 common
-rw-r--r--. 1 root root      1163 Oct 20  2017 docker-compose.clair.yml
-rw-r--r--. 1 root root      1988 Oct 20  2017 docker-compose.notary.yml
-rw-r--r--. 1 root root      3191 Oct 20  2017 docker-compose.yml
-rw-r--r--. 1 root root      4304 Oct 20  2017 harbor_1_1_0_template
-rw-r--r--. 1 root root      4345 Oct 20  2017 harbor.cfg
-rw-r--r--. 1 root root 539885476 Oct 20  2017 harbor.v1.2.2.tar.gz
-rwxr-xr-x. 1 root root      5332 Oct 20  2017 install.sh
-rw-r--r--. 1 root root    371640 Oct 20  2017 LICENSE
-rw-r--r--. 1 root root       482 Oct 20  2017 NOTICE
-rwxr-xr-x. 1 root root     17592 Oct 20  2017 prepare
-rwxr-xr-x. 1 root root      4550 Oct 20  2017 upgrade

Modify the harbor configuration file harbor.cfg, then start harbor with the supplied install.sh script.

[root@localhost harbor]# vim harbor.cfg 

During installation the images are loaded and the related containers are started; this can be checked with docker images and docker ps -a:

[root@localhost harbor]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
vmware/harbor-log           v1.2.2              36ef78ae27df        2 years ago         200MB
vmware/harbor-jobservice    v1.2.2              e2af366cba44        2 years ago         164MB
vmware/harbor-ui            v1.2.2              39efb472c253        2 years ago         178MB
vmware/harbor-adminserver   v1.2.2              c75963ec543f        2 years ago         142MB
vmware/harbor-db            v1.2.2              ee7b9fa37c5d        2 years ago         329MB
vmware/nginx-photon         1.11.13             6cc5c831fc7f        2 years ago         144MB
vmware/registry             2.6.2-photon        5d9100e4350e        2 years ago         173MB
vmware/postgresql           9.6.4-photon        c562762cbd12        2 years ago         225MB
vmware/clair                v2.0.1-photon       f04966b4af6c        2 years ago         297MB
vmware/harbor-notary-db     mariadb-10.1.10     64ed814665c6        2 years ago         324MB
vmware/notary-photon        signer-0.5.0        b1eda7d10640        3 years ago         156MB
vmware/notary-photon        server-0.5.0        6e2646682e3c        3 years ago         157MB
photon                      1.0                 e6e4e4a2ba1b        3 years ago         128MB

[root@localhost harbor]# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                                              NAMES
2bc676837f83        vmware/nginx-photon:1.11.13        "nginx -g 'daemon of..."   3 minutes ago       Up 3 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
d1bb681c1bde        vmware/harbor-jobservice:v1.2.2    "/harbor/harbor_jobs..."   3 minutes ago       Up 3 minutes                                                                           harbor-jobservice
da75599518b4        vmware/harbor-ui:v1.2.2            "/harbor/harbor_ui"      3 minutes ago       Up 3 minutes                                                                           harbor-ui
55da84f35f22        vmware/registry:2.6.2-photon       "/entrypoint.sh serv..."   3 minutes ago       Up 3 minutes        5000/tcp                                                           registry
9143d4b35f5a        vmware/harbor-db:v1.2.2            "docker-entrypoint.s..."   3 minutes ago       Up 3 minutes        3306/tcp                                                           harbor-db
fbf66bc6ea28        vmware/harbor-adminserver:v1.2.2   "/harbor/harbor_admi..."   3 minutes ago       Up 3 minutes                                                                           harbor-adminserver
e2ef481df1c7        vmware/harbor-log:v1.2.2           "/bin/sh -c 'crond &..."   3 minutes ago       Up 3 minutes        127.0.0.1:1514->514/tcp                                            harbor-log

13 images have been loaded and 7 containers are running. The harbor service is already up at this point. Isn't that almost too simple to be true?

Since the harbor registry is not only easy to deploy but can also be managed through the web UI, how do we log in?

Go back to the harbor configuration file: cat harbor.cfg shows the initial admin account settings.

This is only the initial password and can be changed.

Now open the server's IP address in a browser and verify the login.

Login test


Login results:

With that, the Harbor registry is built. Next we operate in the web UI, then test and verify from the command line.

Create a private project named myproject to test uploading and downloading images.

On the Harbor server node, log in to the registry first; every operation requires a login!

[root@localhost harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1/
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Server upload test

Now pull an nginx image and use the tag command to create a copy for the upload test:

[root@localhost harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
54fec2fa59d0: Pull complete 
4ede6f09aefe: Pull complete 
f9dc69acb465: Pull complete 
Digest: sha256:86ae264c3f4acb99b2dee4d0098c40cb8c46dcf9e1148f05d3a51c4df6758c12
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@localhost harbor]# docker tag nginx:latest 127.0.0.1/myproject/nginx:v1
[root@localhost harbor]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED                  SIZE
127.0.0.1/myproject/nginx   v1                  602e111c06b6        Less than a second ago   127MB
nginx                       latest              602e111c06b6        Less than a second ago   127MB
... (remaining output omitted)
# push (upload) command
[root@localhost harbor]# docker push 127.0.0.1/myproject/nginx
The push refers to repository [127.0.0.1/myproject/nginx]
b3003aac411c: Pushed 
216cf33c0a28: Pushed 
c2adabaecedb: Pushed 
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948

Verification results

Click myproject to view the images, members, logs and other information of the newly created project.

That concludes the server-side test; interested readers can try other operations on their own.

The next test logs in from the client and accesses harbor remotely. After all, in an enterprise the registry is shared by everyone, with permissions assigned per department and per person's role (as decided by the team lead or the boss).

Client remote test (pull and upload test)

Client current environment

[root@localhost opt]# docker images 
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@localhost opt]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

The first step is to tell the client's docker daemon the IP address of the private harbor registry.

Modify the docker service configuration file and reload the service:

[root@localhost opt]# vim /usr/lib/systemd/system/docker.service

(screenshot of the edited docker.service omitted)

[root@localhost opt]# systemctl daemon-reload
[root@localhost opt]# systemctl restart docker.service
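The screenshot of the docker.service edit is not reproduced here. As an added example (not from the original post), the following script gives the client the same trust setting through /etc/docker/daemon.json instead of the ExecStart line, and verifies it; it assumes, as the plain-HTTP login below implies, that the Harbor host is registered as an insecure registry. Registering a host this way makes dockerd talk plain HTTP to it, so the login credentials in the next step cross the network unencrypted; the hardened alternative is ui_url_protocol = https in harbor.cfg with the CA certificate distributed to the clients.

```shell
#!/bin/sh
# Added example, not from the original post. Registers the Harbor server as an
# insecure registry for the local docker daemon via daemon.json (assumption: the
# screenshot above achieves the same with --insecure-registry on ExecStart).
# FILE is a parameter so the functions can be exercised on a scratch file.

# registry_is_listed FILE REGISTRY -> 0 if REGISTRY already appears in FILE
registry_is_listed() {
    [ -f "$1" ] && grep -qF "\"$2\"" "$1"
}

# write_daemon_json FILE REGISTRY
# Creates FILE with an insecure-registries list, or adds REGISTRY to an
# existing list (empty or populated). Refuses to touch a file that has other
# settings but no insecure-registries key, so hand-written config is never lost.
write_daemon_json() {
    file="$1"; registry="$2"
    if registry_is_listed "$file" "$registry"; then
        echo "$registry already listed in $file"
        return 0
    fi
    if [ ! -f "$file" ]; then
        cat > "$file" <<EOF
{
  "insecure-registries": ["$registry"]
}
EOF
    elif grep -q '"insecure-registries"' "$file"; then
        # First expression fills an empty list; 't' skips the second one when it
        # matched. Otherwise insert right after the opening bracket.
        sed -e "s|\(\"insecure-registries\"[[:space:]]*:[[:space:]]*\[\)[[:space:]]*\]|\1\"$registry\"]|" \
            -e "t" \
            -e "s|\"insecure-registries\"[[:space:]]*:[[:space:]]*\[|&\"$registry\", |" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$file exists without an insecure-registries key; edit it by hand" >&2
        return 1
    fi
}

# apply_to_daemon: make dockerd pick up the new file (the page's reload step).
apply_to_daemon() {
    systemctl daemon-reload && systemctl restart docker.service
}

# Usage: write_daemon_json /etc/docker/daemon.json 192.168.0.135 && apply_to_daemon
```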

Now we log in

[root@localhost opt]# docker login -u admin -p Harbor12345 http://192.168.0.135
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Now pull the image that was just pushed to the private registry (compare the image lists before and after):

[root@localhost opt]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@localhost opt]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@localhost opt]# docker pull 192.168.0.135/myproject/nginx:v1
v1: Pulling from myproject/nginx
54fec2fa59d0: Pull complete 
4ede6f09aefe: Pull complete 
f9dc69acb465: Pull complete 
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.0.135/myproject/nginx:v1
192.168.0.135/myproject/nginx:v1
[root@localhost opt]# docker images
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
192.168.0.135/myproject/nginx   v1                  602e111c06b6        5 days ago          127MB

The web UI now also shows the corresponding log entries for these operations (the audit feature mentioned above).

The pull test is complete; next comes the client upload test.

Log out first, then pull a test image:

[root@localhost opt]# docker logout http://192.168.0.135
Removing login credentials for 192.168.0.135
[root@localhost opt]# docker images
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
192.168.0.135/myproject/nginx   v1                  602e111c06b6        5 days ago          127MB
[root@localhost opt]# docker pull cirros
... (output omitted)

Tag the image, log in to the harbor registry again and push it:

[root@localhost opt]# docker tag cirros:latest 192.168.0.135/myproject/cirros:v1
[root@localhost opt]# docker login -u admin -p Harbor12345 http://192.168.0.135
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@localhost opt]# docker push 192.168.0.135/myproject/cirros:v1
The push refers to repository [192.168.0.135/myproject/cirros]
858d98ac4893: Pushed 
aa107a407592: Pushed 
b993cfcfd8fd: Pushed 
v1: digest: sha256:c7d58d6d463247a2540b8c10ff012c34fd443426462e891b13119a9c66dfd28a size: 943

Check the log in the web UI to verify that the previous operations were recorded.

So far, deployment and installation and the upload and download tests on the server and the client have all completed successfully. Finally, a few words on harbor management and maintenance.

Harbor management and maintenance

Configuration file modification and maintenance

To modify the harbor.cfg configuration file, first stop all harbor containers and update the file, then run the prepare script to regenerate the configuration, and finally re-create and start the harbor containers.

1. Stop all containers (they are stopped and then removed):

[root@localhost harbor]# docker-compose down -v
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping registry           ... done
Stopping harbor-db          ... done
Stopping harbor-adminserver ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing registry           ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing harbor-log         ... done
Removing network harbor_harbor
[root@localhost harbor]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@localhost harbor]# docker-compose ps
Name   Command   State   Ports
------------------------------

2. Edit the configuration file as required, then run the prepare script:

[root@localhost harbor]# vim harbor.cfg 
[root@localhost harbor]# ls
common                    docker-compose.notary.yml  harbor_1_1_0_template  harbor.v1.2.2.tar.gz  LICENSE  prepare
docker-compose.clair.yml  docker-compose.yml         harbor.cfg             install.sh            NOTICE   upgrade
[root@localhost harbor]# ./prepare 
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

3. Restart the docker service and bring the containers back up:

[root@localhost harbor]# systemctl restart docker 
[root@localhost harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-adminserver ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ... done

Result:

[root@localhost harbor]# docker-compose ps
       Name                     Command               State                              Ports                           
-------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/harbor_adminserver       Up                                                                 
harbor-db            docker-entrypoint.sh mysqld      Up      3306/tcp                                                   
harbor-jobservice    /harbor/harbor_jobservice        Up                                                                 
harbor-log           /bin/sh -c crond && rm -f  ...   Up      127.0.0.1:1514->514/tcp                                    
harbor-ui            /harbor/harbor_ui                Up                                                                 
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp,              
                                                              0.0.0.0:80->80/tcp                                         
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp        
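As an added example (not from the post or the Harbor project), the following script wraps that stop / prepare / up -d cycle with a check that refuses to reload while harbor.cfg still carries the shipped admin password or serves the UI over plain HTTP. It assumes the harbor.cfg keys hostname, ui_url_protocol and harbor_admin_password, and takes the config path as a parameter so the checks can run on a scratch copy.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project. Edits
# harbor.cfg in place and gates the page's maintenance cycle on a sanity check.
# Assumed keys (Harbor 1.x harbor.cfg): hostname, ui_url_protocol,
# harbor_admin_password. CFG is a path parameter so the functions are testable.

# set_cfg CFG KEY VALUE: replace "KEY = ..." keeping Harbor's "key = value" form.
set_cfg() {
    cfg="$1"; key="$2"; value="$3"
    grep -q "^$key[[:space:]]*=" "$cfg" || { echo "missing key: $key" >&2; return 1; }
    sed "s|^$key[[:space:]]*=.*|$key = $value|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# get_cfg CFG KEY: print the value of KEY (first match, comments ignored).
get_cfg() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# check_cfg CFG: return 0 only when the config is safe to deploy with.
check_cfg() {
    cfg="$1"; rc=0
    if [ "$(get_cfg "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password is still the shipped default" >&2; rc=1
    fi
    if [ "$(get_cfg "$cfg" ui_url_protocol)" != "https" ]; then
        echo "ui_url_protocol is not https: docker login sends credentials in clear" >&2; rc=1
    fi
    case "$(get_cfg "$cfg" hostname)" in
        ""|localhost|127.0.0.1|reg.mydomain.com)
            echo "hostname is not set to an address clients can reach" >&2; rc=1 ;;
    esac
    return $rc
}

# reconfigure HARBOR_DIR: the page's cycle (down -v, prepare, up -d), gated on
# check_cfg. The page also restarts dockerd; compose recreating the containers
# is enough, so that step is left out here.
reconfigure() {
    dir="$1"
    check_cfg "$dir/harbor.cfg" || return 1
    (cd "$dir" && docker-compose down -v && ./prepare && docker-compose up -d)
}

# sample_cfg FILE: constructed sample with the defaults a fresh harbor.cfg ships.
sample_cfg() {
    cat > "$1" <<'EOF'
## Configuration file of Harbor (constructed sample, not the real file)
hostname = reg.mydomain.com
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db
EOF
}
```

Typical use is set_cfg on the three keys followed by reconfigure /usr/local/harbor; the check fails closed on the untouched sample.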

UI operation demonstration

Mainly user creation and testing:

1. Create a user

2. Add the new user to the project

Then log in from the client with the new user.

The above is a brief introduction to harbor registry management and maintenance.

Thank you for reading!

Tags: Linux Docker Nginx Vmware network

Posted on Tue, 28 Apr 2020 10:43:01 -0700 by gooney0