Harbor: An Enterprise-Grade Registry Service Based on Docker Distribution

  • 2017-12-02

Introduction to Harbor


Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with the features an enterprise needs, such as security, identity and management. As an enterprise-grade private registry server, Harbor offers better performance and security, and makes transferring images between the registry and build or runtime environments more efficient. Harbor supports replication of image resources across multiple registry nodes, and all images stay in the private registry, so data and intellectual property remain under control inside the company network. Harbor also provides advanced security features such as user management, access control and activity auditing.


  • Role-based access control – users and Docker image repositories are organized through "projects"; a user can have different permissions on several image repositories within the same namespace (project).
  • Image replication – images can be replicated (synchronized) across multiple registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
  • Graphical user interface – users can browse and search the Docker image repositories and manage projects and namespaces from a browser.
  • AD/LDAP support – Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorization.
  • Audit management – every operation against the image repositories can be recorded and traced for auditing.
  • Internationalization – localized versions exist in English, Chinese, German, Japanese and Russian; more languages will be added.
  • RESTful API – a RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
  • Simple deployment – online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).


Deploying Harbor


Prerequisites

Hardware

| Resource | Capacity      | Description         |
|----------|---------------|---------------------|
| CPU      | minimal 2 CPU | 4 CPU is preferred  |
| Mem      | minimal 4GB   | 8GB is preferred    |
| Disk     | minimal 40GB  | 160GB is preferred  |

Software

| Software       | Version                 | Description |
|----------------|-------------------------|-------------|
| Python         | version 2.7 or higher   | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine  | version 1.10 or higher  | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl        | latest is preferred     | Generate certificate and keys for Harbor |

Network

| Port | Protocol | Description |
|------|----------|-------------|
| 443  | HTTPS    | Harbor UI and API will accept requests on this port for the https protocol |
| 4443 | HTTPS    | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
| 80   | HTTP     | Harbor UI and API will accept requests on this port for the http protocol |

Deployment


Installation steps

  1. Download the installer package;
  2. Configure harbor.cfg;
  3. Run install.sh and start Harbor.

Download the installer package

Installer download location: release

You can choose between an online and an offline installation. Within China the offline installer is recommended, since the online installation is not very efficient.

Online installer: harbor-online-installer-<version>.tgz

Offline installer: harbor-offline-installer-<version>.tgz

Configure harbor.cfg

harbor.cfg contains two kinds of parameters: required and optional.

  1. Required parameters: these must be set in the configuration file. If a user updates them in harbor.cfg and re-runs the install script to reinstall Harbor, the changes take effect.
  2. Optional parameters: updating these is optional, i.e. the user can leave them at their defaults and change them in the web UI after Harbor has started. If they are set in harbor.cfg, they take effect only the first time Harbor starts; subsequent changes to these parameters in harbor.cfg are ignored.

Note: if you choose to set these parameters through the UI, make sure to do so right after Harbor starts. In particular, you must set the desired auth_mode before registering or creating any new user in Harbor. Once users (other than the default admin user) exist in the system, auth_mode cannot be changed.

Required parameters

  • hostname: The target host’s hostname, which is used to access the UI and the registry service. It should be the IP address or the fully qualified domain name (FQDN) of your target machine, e.g., 192.168.1.10 or reg.yourdomain.com. Do NOT use localhost or 127.0.0.1 for the hostname – the registry service needs to be accessible by external clients!
  • ui_url_protocol: (http or https. Default is http) The protocol used to access the UI and the token/notification service. If Notary is enabled, this parameter has to be https. By default, this is http. To set up the https protocol, refer to Configuring Harbor with HTTPS Access.
  • db_password: The root password for the MySQL database used for db_auth. Change this password for any production use!
  • max_job_workers: (default value is 3) The maximum number of replication workers in job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, please carefully pick the value of this attribute based on the hardware resource of the host.
  • customize_crt: (on or off. Default is on) When this attribute is on, the prepare script creates private key and root certificate for the generation/verification of the registry’s token. Set this attribute to off when the key and root certificate are supplied by external sources. Refer to Customize Key and Certificate of Harbor Token Service for more info.
  • ssl_cert: The path of the SSL certificate; it is applied only when the protocol is set to https.
  • ssl_cert_key: The path of the SSL key; it is applied only when the protocol is set to https.
  • secretkey_path: The path of the key used to encrypt or decrypt the password of a remote registry in a replication policy.
  • log_rotate_count: Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
  • log_rotate_size: Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G are all valid.


Optional parameters

  • Email settings: These parameters are needed for Harbor to be able to send a user a “password reset” email, and are only necessary if that functionality is needed. Also, do note that by default SSL connectivity is not enabled – if your SMTP server requires SSL, but does not support STARTTLS, then you should enable SSL by setting email_ssl = true. Set email_insecure = true if the email server uses a self-signed or untrusted certificate. For a detailed description of “email_identity” please refer to RFC 2595.
  • harbor_admin_password: The administrator’s initial password. This password only takes effect for the first time Harbor launches. After that, this setting is ignored and the administrator’s password should be set in the UI. Note that the default username/password are admin/Harbor12345.
  • auth_mode: The type of authentication that is used. By default, it is db_auth, i.e. the credentials are stored in a database. For LDAP authentication, set this to ldap_auth. IMPORTANT: When upgrading from an existing Harbor instance, you must make sure auth_mode is the same in harbor.cfg before launching the new version of Harbor. Otherwise, users may not be able to log in after the upgrade.
  • ldap_url: The LDAP endpoint URL (e.g. ldaps://ldap.mydomain.com). Only used when auth_mode is set to ldap_auth .
  • ldap_searchdn: The DN of a user who has the permission to search an LDAP/AD server (e.g. uid=admin,ou=people,dc=mydomain,dc=com).
  • ldap_search_pwd: The password of the user specified by ldap_searchdn.
  • ldap_basedn: The base DN to look up a user, e.g. ou=people,dc=mydomain,dc=com. Only used when auth_mode is set to ldap_auth.
  • ldap_filter: The search filter for looking up a user, e.g. (objectClass=person).
  • ldap_uid: The attribute used to match a user during an LDAP search; it could be uid, cn, email or another attribute.
  • ldap_scope: The scope to search for a user, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE. Default is 2.
  • self_registration: (on or off. Default is on) Enable / Disable the ability for a user to register himself/herself. When disabled, new users can only be created by an admin user. NOTE: When auth_mode is set to ldap_auth, the self-registration feature is always disabled, and this flag is ignored.
  • token_expiration: The expiration time (in minutes) of a token created by the token service; the default is 30 minutes.
  • project_creation_restriction: The flag to control which users have permission to create projects. By default everyone can create a project; set it to “adminonly” so that only admins can create projects.
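As an added example (not code from the original post or from the Harbor project), the following Python script parses a constructed harbor.cfg and flags settings from the required and optional parameter lists above that weaken a deployment before install.sh is run. It assumes harbor.cfg is plain key = value lines without a section header, and the recommendations it encodes (https, ldaps://, adminonly) are the example's own choices.

```python
import configparser
import io

# Constructed sample harbor.cfg for this example (not a real deployment file).
# harbor.cfg has no [section] header, so a dummy one is prepended before parsing.
SAMPLE_CFG = """\
hostname = 127.0.0.1
ui_url_protocol = http
auth_mode = ldap_auth
ldap_url = ldap://ldap.mydomain.com
harbor_admin_password = Harbor12345
self_registration = on
project_creation_restriction = everyone
email_insecure = true
"""

def load_harbor_cfg(text):
    """Parse harbor.cfg text into a dict of lower-cased keys to string values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO("[configuration]\n" + text))
    return dict(parser["configuration"])

def audit_harbor_cfg(cfg):
    """Return one finding string per setting that weakens the deployment."""
    findings = []
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append("hostname: must be the external IP or FQDN, not localhost/127.0.0.1")
    if cfg.get("ui_url_protocol", "http") != "https":
        findings.append("ui_url_protocol: http sends credentials and tokens in cleartext; use https")
    elif not cfg.get("ssl_cert") or not cfg.get("ssl_cert_key"):
        findings.append("ssl_cert/ssl_cert_key: both are required when ui_url_protocol is https")
    if cfg.get("harbor_admin_password", "") == "Harbor12345":
        findings.append("harbor_admin_password: still the documented default; change it before first start")
    auth = cfg.get("auth_mode", "db_auth")
    if auth == "ldap_auth" and not cfg.get("ldap_url", "").startswith("ldaps://"):
        findings.append("ldap_url: use ldaps:// so the ldap_search_pwd bind is not sent in cleartext")
    if auth == "db_auth" and cfg.get("self_registration", "on") == "on":
        findings.append("self_registration: on lets anyone who reaches the UI create an account")
    if cfg.get("project_creation_restriction", "everyone") != "adminonly":
        findings.append("project_creation_restriction: any user can create projects; consider adminonly")
    if cfg.get("email_insecure", "false").lower() == "true":
        findings.append("email_insecure: true disables SMTP certificate verification")
    return findings

if __name__ == "__main__":
    for finding in audit_harbor_cfg(load_harbor_cfg(SAMPLE_CFG)):
        print("WARN", finding)
```

Optional parameters only take effect on first start, so run the check on harbor.cfg before the initial install.sh rather than after.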


Start Harbor


sudo ./install.sh

If everything runs normally, you should be able to open a browser and reach the admin portal at http://reg.yourdomain.com (replace reg.yourdomain.com with the hostname configured in your harbor.cfg). Note that the default admin username/password is admin/Harbor12345.
