环球快报:50-Docker-分布式仓库Harbor高可用

首页 > 数码 > 内容页

环球快报:50-Docker-分布式仓库Harbor高可用

2023-01-14 19:16:53 来源：51CTO博客

Harbor 介绍

(相关资料图)

基于角色的访问控制: 用户与Docker镜像仓库通过“项目”进行组织管理，一个用户可以对多个镜像仓库在同一命名空间（project）里有不同的权限镜像复制: 镜像可在多个Registry实例中复制（同步）。尤其适合于负载均衡，高可用，混合云和多云的场景图形化用户界面: 用户可以通过浏览器来浏览，检索当前Docker镜像仓库，管理项目和命名空间AD/LDAP 支: Harbor可以集成企业内部已有的AD/LDAP，用于鉴权认证管理审计管理: 所有针对镜像仓库的操作都可以被记录追溯，用于审计管理国际化: 已拥有英文、中文、德文、日文和俄文的本地化版本。更多的语言将会添加进来RESTful API: 提供给管理员对于Harbor更多的操控, 使得与其它管理软件集成变得更容易部署简单: 提供在线和离线两种安装工具，也可以安装到vSphere平台(OVA方式)虚拟设备

harbor 官方github 地址: https://github.com/vmware/harbor

安装 Harbor

#下载离线完整安装包https://github.com/goharbor/harbor/releases/download/v2.7.0/harbor-offline-installer-v2.7.0.tgz#安装前确保docker和docker-compose安装完毕[root@ubuntu2204 ~]#docker-compose versiondocker-compose version 1.29.2, build unknowndocker-py version: 5.0.3CPython version: 3.10.6OpenSSL version: OpenSSL 3.0.2 15 Mar 2022[root@ubuntu2204 ~]#docker versionClient: Version:           20.10.12 API version:       1.41 Go version:        go1.17.3 Git commit:        20.10.12-0ubuntu4 Built:             Mon Mar  7 17:10:06 2022 OS/Arch:           linux/amd64 Context:           default Experimental:      trueServer: Engine:  Version:          20.10.12  API version:      1.41 (minimum version 1.12)  Go version:       go1.17.3  Git commit:       20.10.12-0ubuntu4  Built:            Mon Mar  7 15:57:50 2022  OS/Arch:          linux/amd64  Experimental:     false containerd:  Version:          1.5.9-0ubuntu3.1  GitCommit:         runc:  Version:          1.1.0-0ubuntu1.1  GitCommit:         docker-init:  Version:          0.19.0  GitCommit:        [root@ubuntu2204 ~]#ll har*-rw-r--r-- 1 root root 789527572  1月 13 14:09 harbor-offline-installer-v2.7.0.tgz#解压缩离线包[root@ubuntu2204 ~]#mkdir /apps[root@ubuntu2204 ~]#tar xvf harbor-offline-installer-v2.7.0.tgz -C /apps/harbor/harbor.v2.7.0.tar.gzharbor/prepareharbor/LICENSEharbor/install.shharbor/common.shharbor/harbor.yml.tmpl#编辑 harbor 配置文件[root@ubuntu2204 apps]#cd /apps/harbor/[root@ubuntu2204 harbor]#lscommon.sh  harbor.v2.7.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare[root@ubuntu2204 harbor]#mv harbor.yml.tmpl harbor.yml[root@ubuntu2204 harbor]#vim harbor.yml [root@ubuntu2204 harbor]#cat harbor.yml |grep hostname# The IP address or hostname to access admin UI and registry service.hostname: 10.0.0.200# And when it enabled the hostname will no longer used#   #   endpoint: http://hostname:14268/api/traces#   #   agent_host: hostname#   #   endpoint: hostname:4318[root@ubuntu2204 harbor]#cat harbor.yml |grep harbor_admin_passwordharbor_admin_password: 123456*harbor.yml禁用了https.后面用到了再开启#运行 harbor 安装脚本 注意：如果脚本运行失败，可利用当前目录下生成的docker-compose文件卸载容器，排除错误再运行[root@ubuntu2204 harbor]#./install.sh [Step 0]: checking if docker is installed ...Note: docker version: 20.10.12[Step 1]: checking docker-compose is installed ...Note: docker-compose version: 1.29.2[Step 2]: loading Harbor images ...Loaded image: goharbor/prepare:v2.7.0Loaded image: goharbor/harbor-db:v2.7.0Loaded image: goharbor/harbor-core:v2.7.0Loaded image: goharbor/harbor-log:v2.7.0Loaded image: goharbor/harbor-exporter:v2.7.0Loaded image: goharbor/nginx-photon:v2.7.0Loaded image: goharbor/chartmuseum-photon:v2.7.0Loaded image: goharbor/harbor-portal:v2.7.0Loaded image: goharbor/harbor-jobservice:v2.7.0Loaded image: goharbor/harbor-registryctl:v2.7.0Loaded image: goharbor/registry-photon:v2.7.0Loaded image: goharbor/notary-server-photon:v2.7.0Loaded image: goharbor/redis-photon:v2.7.0Loaded image: goharbor/notary-signer-photon:v2.7.0Loaded image: goharbor/trivy-adapter-photon:v2.7.0[Step 3]: preparing environment ...[Step 4]: preparing harbor configs ...prepare base dir is set to /apps/harborWARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to httpsClearing the configuration file: /config/db/envClearing the configuration file: /config/portal/nginx.confClearing the configuration file: /config/nginx/nginx.confClearing the configuration file: /config/registryctl/config.ymlClearing the configuration file: /config/registryctl/envClearing the configuration file: /config/registry/config.ymlClearing the configuration file: /config/registry/passwdClearing the configuration file: /config/registry/root.crtClearing the configuration file: /config/log/logrotate.confClearing the configuration file: /config/log/rsyslog_docker.confClearing the configuration file: /config/jobservice/config.ymlClearing the configuration file: /config/jobservice/envClearing the configuration file: /config/core/app.confClearing the configuration file: /config/core/envGenerated configuration file: /config/portal/nginx.confGenerated configuration file: /config/log/logrotate.confGenerated configuration file: /config/log/rsyslog_docker.confGenerated configuration file: /config/nginx/nginx.confGenerated configuration file: /config/core/envGenerated configuration file: /config/core/app.confGenerated configuration file: /config/registry/config.ymlGenerated configuration file: /config/registryctl/envGenerated configuration file: /config/registryctl/config.ymlGenerated configuration file: /config/db/envGenerated configuration file: /config/jobservice/envGenerated configuration file: /config/jobservice/config.ymlloaded secret from file: /data/secret/keys/secretkeyGenerated configuration file: /compose_location/docker-compose.ymlClean up the input dirNote: stopping existing Harbor instance ...Removing network harbor_harborWARNING: Network harbor_harbor not found.[Step 5]: starting Harbor ...Creating network "harbor_harbor" with the default driverCreating harbor-log ... doneCreating harbor-portal ... doneCreating registryctl   ... doneCreating registry      ... doneCreating redis         ... doneCreating harbor-db     ... doneCreating harbor-core   ... doneCreating nginx             ... doneCreating harbor-jobservice ... done✔ ----Harbor has been installed and started successfully.----[root@ubuntu2204 harbor]#ss -nltpState           Recv-Q           Send-Q                     Local Address:Port                      Peer Address:Port          Process                                             LISTEN          0                4096                           127.0.0.1:1514                           0.0.0.0:*              users:(("docker-proxy",pid=6471,fd=4))             LISTEN          0                4096                             0.0.0.0:80                             0.0.0.0:*              users:(("docker-proxy",pid=7150,fd=4))             LISTEN          0                4096                       127.0.0.53%lo:53                             0.0.0.0:*              users:(("systemd-resolve",pid=720,fd=14))          LISTEN          0                128                              0.0.0.0:22                             0.0.0.0:*              users:(("sshd",pid=818,fd=3))                      LISTEN          0                128                            127.0.0.1:6010                           0.0.0.0:*              users:(("sshd",pid=921,fd=7))                      LISTEN          0                4096                           127.0.0.1:39647                          0.0.0.0:*              users:(("containerd",pid=769,fd=13))               LISTEN          0                4096                                [::]:80                                [::]:*              users:(("docker-proxy",pid=7155,fd=4))             LISTEN          0                128                                 [::]:22                                [::]:*              users:(("sshd",pid=818,fd=4))                      LISTEN          0                128                                [::1]:6010                              [::]:*              users:(("sshd",pid=921,fd=5))                      [root@ubuntu2204 harbor]#docker psCONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                   PORTS                                   NAMESa47c64904b16   goharbor/harbor-jobservice:v2.7.0    "/harbor/entrypoint.…"   9 minutes ago   Up 9 minutes (healthy)                                           harbor-jobservice15a7d3807dae   goharbor/nginx-photon:v2.7.0         "nginx -g "daemon of…"   9 minutes ago   Up 9 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx660cf0009cfb   goharbor/harbor-core:v2.7.0          "/harbor/entrypoint.…"   9 minutes ago   Up 9 minutes (healthy)                                           harbor-core731c9af81973   goharbor/harbor-db:v2.7.0            "/docker-entrypoint.…"   9 minutes ago   Up 9 minutes (healthy)                                           harbor-db8c5705c268bc   goharbor/redis-photon:v2.7.0         "redis-server /etc/r…"   9 minutes ago   Up 9 minutes (healthy)                                           redis0fc108dd6a9a   goharbor/registry-photon:v2.7.0      "/home/harbor/entryp…"   9 minutes ago   Up 9 minutes (healthy)                                           registry6cb7a7983283   goharbor/harbor-registryctl:v2.7.0   "/home/harbor/start.…"   9 minutes ago   Up 9 minutes (healthy)                                           registryctlf7267bd1c057   goharbor/harbor-portal:v2.7.0        "nginx -g "daemon of…"   9 minutes ago   Up 9 minutes (healthy)                                           harbor-portalf1689c0378e7   goharbor/harbor-log:v2.7.0           "/bin/sh -c /usr/loc…"   9 minutes ago   Up 9 minutes (healthy)   127.0.0.1:1514->10514/tcp               harbor-log#测试

#通过service文件实现开机启动服务[root@ubuntu2204 harbor]#vim /lib/systemd/system/harbor.service[root@ubuntu2204 harbor]#cat /lib/systemd/system/harbor.service[Unit]Descriptinotallow=HarborAfter=docker.service systemd-networkd.service systemd-resolved.serviceRequires=docker.serviceDocumentatinotallow=http://github.com/vmware/harbor[Service]Type=simpleRestart=on-failureRestartSec=5ExecStart=/usr/bin/docker-compose -f /apps/harbor/docker-compose.yml upExecStop=/usr/bin/docker-compose -f /apps/harbor/docker-compose.yml down[Install]WantedBy=multi-user.target[root@ubuntu2204 harbor]#systemctl  daemon-reload[root@ubuntu2204 harbor]#systemctl  enable harborCreated symlink /etc/systemd/system/multi-user.target.wants/harbor.service → /lib/systemd/system/harbor.service.#测试[root@ubuntu2204 harbor]#systemctl  status harbor○ harbor.service - Harbor     Loaded: loaded (/lib/systemd/system/harbor.service; enabled; vendor preset: enabled)     Active: inactive (dead)       Docs: http://github.com/vmware/harbor[root@ubuntu2204 harbor]#reboot[root@ubuntu2204 ~]#systemctl status harbor● harbor.service - Harbor     Loaded: loaded (/lib/systemd/system/harbor.service; enabled; vendor preset: enabled)     Active: active (running) since Fri 2023-01-13 14:53:54 CST; 42min ago       Docs: http://github.com/vmware/harbor   Main PID: 1960 (docker-compose)      Tasks: 13 (limit: 3402)     Memory: 27.9M        CPU: 13.296s     CGroup: /system.slice/harbor.service             └─1960 /usr/bin/python3 /usr/bin/docker-compose -f /apps/harbor/docker-compose.yml up1月 13 15:36:00 ubuntu2204.wang.org docker-compose[1960]: registryctl    | 172.19.0.5 - - [13/Jan/2023:07:36:00 +0000] "GET /api/health HTTP/1.1" 200 91月 13 15:36:00 ubuntu2204.wang.org docker-compose[1960]: harbor-portal  | 172.19.0.5 - - [13/Jan/2023:07:36:00 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"1月 13 15:36:02 ubuntu2204.wang.org docker-compose[1960]: registry       | 127.0.0.1 - - [13/Jan/2023:07:36:02 +0000] "GET / HTTP/1.1" 200 0 "" "curl/7.86.0"1月 13 15:36:03 ubuntu2204.wang.org docker-compose[1960]: harbor-portal  | 127.0.0.1 - - [13/Jan/2023:07:36:03 +0000] "GET / HTTP/1.1" 200 785 "-" "curl/7.86.0"1月 13 15:36:10 ubuntu2204.wang.org docker-compose[1960]: registry       | 172.19.0.5 - - [13/Jan/2023:07:36:10 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"1月 13 15:36:10 ubuntu2204.wang.org docker-compose[1960]: registryctl    | 172.19.0.5 - - [13/Jan/2023:07:36:10 +0000] "GET /api/health HTTP/1.1" 200 91月 13 15:36:10 ubuntu2204.wang.org docker-compose[1960]: harbor-portal  | 172.19.0.5 - - [13/Jan/2023:07:36:10 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"1月 13 15:36:13 ubuntu2204.wang.org docker-compose[1960]: registryctl    | 127.0.0.1 - - [13/Jan/2023:07:36:13 +0000] "GET /api/health HTTP/1.1" 200 91月 13 15:36:18 ubuntu2204.wang.org docker-compose[1960]: nginx          | 127.0.0.1 - "GET / HTTP/1.1" 200 785 "-" "curl/7.86.0" 0.000 0.001 .1月 13 15:36:18 ubuntu2204.wang.org docker-compose[1960]: harbor-portal  | 172.19.0.2 - - [13/Jan/2023:07:36:18 +0000] "GET / HTTP/1.1" 200 785 "-" "curl/7.86.0"

使用单主机 Harbor

建立项目

命令行登录 harbor

[root@ubuntu2204 ~]#vim /etc/docker/daemon.json [root@ubuntu2204 ~]#cat /etc/docker/daemon.json {..."insecure-registry": [ "10.0.0.200","10.0.0.202"]}[root@ubuntu2204 ~]#systemctl daemon-reload[root@ubuntu2204 ~]#systemctl restart docker[root@ubuntu2204 ~]#docker login 10.0.0.200Authenticating with existing credentials...WARNING! Your password will be stored unencrypted in /root/.docker/config.json.Configure a credential helper to remove this warning. Seehttps://docs.docker.com/engine/reference/commandline/login/#credentials-storeLogin Succeeded[root@ubuntu2204 ~]#cat /root/.docker/config.json{    "auths": {        "10.0.0.200": {            "auth": "YWRtaW46MTIzNDU2"        },        "10.0.0.202": {            "auth": "YWRtaW46MTIzNDU2"        },        "127.0.0.1": {            "auth": "YWRtaW46MTIzNDU2"        },        "https://index.docker.io/v1/": {            "auth": "bW9vcmV5eGlhOm1vb3JleXhpYS44ODEw"        }    }[root@ubuntu2204 ~]#echo -e  YWRtaW46MTIzNDU2|base64 -dadmin:123456

给本地镜像打标签并上传到 Harbor

#修改 images 的名称，不修改成指定格式无法将镜像上传到 harbor 仓库[root@ubuntu2204 ~]#docker tag nginx-alpine:1.16.1 10.0.0.200/mooreyxia-1/nginx-alpine:1.16.1-1[root@ubuntu2204 ~]#docker push 10.0.0.200/mooreyxia-1/nginx-alpine:1.16.1-1The push refers to repository [10.0.0.200/mooreyxia-1/nginx-alpine]f54ca93f29a8: Pushed 0273e525dd0a: Pushed daa344f0fb22: Pushed 5ccc4c24bcac: Pushed b3dd37fd4cfa: Pushed e2dc414ff3be: Pushed 9fa45c5f1089: Mounted from mooreyxia-200/alpine-base ded7a220bb05: Mounted from mooreyxia-200/alpine-base 1.16.1-1: digest: sha256:b80de5bd851ed0a162f273947e6aff0122e1757bc61a3323ab3551bc167929d0 size: 1996

访问harbor网站验证上传镜像成功

下载 Harbor 的镜像

#下载前必须修改docker的service 文件，加入harbor服务器的地址才可以下载[root@ubuntu2204 ~]#vim /etc/docker/daemon.json [root@ubuntu2204 ~]#cat /etc/docker/daemon.json {..."insecure-registries": ["10.0.0.200", "10.0.0.202"]}[root@ubuntu2204 ~]#systemctl daemon-reload[root@ubuntu2204 ~]#systemctl restart docker[root@ubuntu2204 ~]#docker infoClient: Context:    default Debug Mode: falseServer: Containers: 6  Running: 4  Paused: 0  Stopped: 2 Images: 16 Server Version: 20.10.12 Storage Driver: overlay2  Backing Filesystem: extfs  Supports d_type: true  Native Overlay Diff: true  userxattr: false Logging Driver: json-file Cgroup Driver: systemd Cgroup Version: 2 Plugins:  Volume: local  Network: bridge host ipvlan macvlan null overlay  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc Default Runtime: runc Init Binary: docker-init containerd version:  runc version:  init version:  Security Options:  apparmor  seccomp   Profile: default  cgroupns Kernel Version: 5.15.0-57-generic Operating System: Ubuntu 22.04.1 LTS OSType: linux Architecture: x86_64 CPUs: 2 Total Memory: 1.896GiB Name: ubuntu2204.wang.org ID: 2PI7:R6DF:7UAL:2JP4:NSW4:HEWM:SKRS:WTFS:FFCY:OGZH:2EQN:GK3M Docker Root Dir: /data/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries:  10.0.0.200  10.0.0.202  127.0.0.0/8 Registry Mirrors:  https://registry.docker-cn.com/  http://hub-mirror.c.163.com/  https://docker.mirrors.ustc.edu.cn/ Live Restore Enabled: true#从harbor下载镜像[root@ubuntu2204 ~]#docker pull 10.0.0.200/mooreyxia-1/nginx-alpine:1.16.1-11.16.1-1: Pulling from mooreyxia-1/nginx-alpinec158987b0551: Pull complete b24b5e1a85db: Pull complete 09d00cadef1a: Pull complete 9cd63c39ff06: Pull complete 81b6b70fa169: Pull complete 8cb247876251: Pull complete 894ae90a2895: Pull complete c17c8b0dae99: Pull complete Digest: sha256:b80de5bd851ed0a162f273947e6aff0122e1757bc61a3323ab3551bc167929d0Status: Downloaded newer image for 10.0.0.200/mooreyxia-1/nginx-alpine:1.16.1-110.0.0.200/mooreyxia-1/nginx-alpine:1.16.1-1[root@ubuntu2204 ~]#docker imagesREPOSITORY                            TAG        IMAGE ID       CREATED       SIZE10.0.0.200/mooreyxia-1/nginx-alpine   1.16.1-1   34b3eb9eef98   3 days ago    274MB

实现 Harbor 高可用

Harbor支持基于策略的Docker镜像复制功能

在第二台主机上安装部署好harbor，并登录系统

参考第一台harbor服务器的项目名称，在第二台harbor服务器上新建与之同名的项目

第二台harbor上新建复制规则实现到第一台harbor的单向推送复制

测试 202上传镜像，200同步

#202[root@ubuntu2204 ~]#docker tag busybox:latest 10.0.0.202/mooreyxia-1/busybox:latest-1[root@ubuntu2204 ~]#docker push 10.0.0.202/mooreyxia-1/busybox:latest-1The push refers to repository [10.0.0.202/mooreyxia-1/busybox]b64792c17e4a: Preparing unauthorized: unauthorized to access repository: mooreyxia-1/busybox, action: push: unauthorized to access repository: mooreyxia-1/busybox, action: push[root@ubuntu2204 ~]#docker login 10.0.0.202Username: adminPassword: WARNING! Your password will be stored unencrypted in /root/.docker/config.json.Configure a credential helper to remove this warning. Seehttps://docs.docker.com/engine/reference/commandline/login/#credentials-storeLogin Succeeded[root@ubuntu2204 ~]#docker push 10.0.0.202/mooreyxia-1/busybox:latest-1The push refers to repository [10.0.0.202/mooreyxia-1/busybox]b64792c17e4a: Pushed latest-1: digest: sha256:907ca53d7e2947e849b839b1cd258c98fd3916c60f2e6e70c30edbf741ab6754 size: 528

查看200

注意：以上操作，只是实现了从第二台harbor主机10.0.0.202到第一台harbor主机10.0.200的单向同步，在200的主机harbor上再执行相同的推送操作，才实现双向同步

测试镜像删除是否同步

200删除，202观察是否也同步删除

删除后

配置 Nginx 做为反向代理

#配置Nginx反向代理[root@ubuntu2004 ~]#cat /etc/nginx/conf.d/harbor.mooreyxia.org.confupstream harbor {ip_hash;server harbor1.mooreyxia.org:80;server harbor2.mooreyxia.org:80;}server {listen 80;server_name harbor.mooreyxia.org;client_max_body_size 10g;location / {proxy_pass http://harbor;}}#客户端docker配置[root@rocky8 ~]#cat /etc/docker/daemon.json{"registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"],"insecure-registries": ["harbor.mooreyxia.org"]}[root@rocky8 ~]#systemctl restart docker#客户端docker配置名称解析[root@rocky8 ~]#vim /etc/hosts10.0.0.100 harbor.mooreyxia.org#如果harbor配置中的hostname: 指定harbor1.mooreyxia.org和harbor2.mooreyxia.org名称，还需要加下面解析10.0.0.101 harbor1.mooreyxia.org10.0.0.102 harbor2.mooreyxia.org

我是moore,大家一起加油！

标签：反向代理服务器的命名空间