zl程序教程


Docker: Harbor, a registry that is easier to use than Registry

Posted 2023-09-14 09:01:46

Besides Registry, a Docker image repository can be built with Harbor. The plain Registry approach has these drawbacks:

  1. No user or access management of its own: out of the box, anyone who can reach it can pull and push images. Basic auth from an htpasswd file is possible, but there is no per-project access control and no audit trail.
  2. No cleanup workflow: images can be pushed, but the delete API is disabled by default and freeing space needs a separate garbage-collect run, so storage grows month after month (in practice people end up deleting the corresponding files under the storage directory on the host by hand).
  3. No extension mechanism for the features that follow (a UI, replication, access control).

Because of these drawbacks, a bare docker registry is normally not used to serve images in production.

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding the features an enterprise needs, such as security, identity and management.

As an enterprise-class private registry server, Harbor offers better performance and security, and makes transferring images between the build and runtime environments through the registry more efficient. Harbor supports replicating image resources between multiple registry nodes, with all images kept in the private registry so that data and intellectual property stay under control inside the company network. It also provides advanced security features such as user management, access control and activity auditing.

Harbor can be deployed in two ways, off-line or on-line (offline or online installer). The offline installer is used here:

1) Install the Docker Compose orchestration tool. Harbor 1.7's installation guide requires Docker Compose 1.18.0 or newer, so pick a release that satisfies it, and verify whatever you download before placing it on PATH as root:

curl -L https://github.com/docker/compose/releases/download/1.8.0/run.sh > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version

2) Download Harbor and extract it:

[root@www ~]# wget -c https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.0.tgz
--2020-08-14 21:19:45--  https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.0.tgz
Resolving storage.googleapis.com (storage.googleapis.com)... 216.58.200.48, 172.217.160.80, 172.217.24.16, ...
Connecting to storage.googleapis.com (storage.googleapis.com)|216.58.200.48|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 597564518 (570M) [application/x-tar]
Saving to: ‘harbor-offline-installer-v1.7.0.tgz’

100%[==============================================================================================>] 597,564,518 11.0MB/s   in 60s    

2020-08-14 21:20:46 (9.48 MB/s) - ‘harbor-offline-installer-v1.7.0.tgz’ saved [597564518/597564518]

[root@www ~]# ls
anaconda-ks.cfg  harbor-offline-installer-v1.7.0.tgz  
[root@www ~]# tar xf harbor-offline-installer-v1.7.0.tgz 
[root@www ~]# cd harbor
[root@www harbor]# ls
common                          docker-compose.clair.yml   docker-compose.yml  harbor.v1.7.0.tar.gz  LICENSE              prepare
docker-compose.chartmuseum.yml  docker-compose.notary.yml  harbor.cfg          install.sh            open_source_license

3) Edit the Harbor configuration file harbor.cfg and set hostname to this machine's IP address, as shown below. hostname must be the address clients will use to reach Harbor (never localhost or 127.0.0.1): clients are redirected to it for authentication, so a wrong value breaks docker login later. The same file also holds ui_url_protocol (http here, which is why the client later needs --insecure-registry), harbor_admin_password and self_registration; all three are worth reviewing before installing.

[root@www harbor]# vim harbor.cfg 
hostname = 192.168.179.100
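As an added example, not part of the original post or of Harbor's installer, the shell functions below audit a harbor.cfg for the settings that matter before install.sh runs (plain-HTTP portal, the documented default admin password, open self-registration, a placeholder hostname) and rewrite them. The sample configuration they operate on is constructed from the stock 1.7 defaults, and the hostname and password passed to harden_harbor_cfg are placeholders chosen by the caller; the certificate paths are the ones harbor.cfg already ships with.

```bash
#!/usr/bin/env bash
# Added example, not part of the post or of Harbor's installer: audit and
# harden harbor.cfg before ./install.sh. File paths, the hostname and the
# password passed in are placeholders chosen by the caller.
set -eu

# Value of "key = value" in harbor.cfg (last occurrence wins).
cfg_get() {                # cfg_get <file> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Replace the key's line in place, or append it when absent. The value is
# passed through the environment so awk does not interpret backslashes in it.
cfg_set() {                # cfg_set <file> <key> <value>
  K="$2" V="$3" awk '
    BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"]; re = "^[ \t]*" k "[ \t]*=" }
    $0 ~ re { print k " = " v; seen = 1; next }
    { print }
    END { if (!seen) print k " = " v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print each weak setting; return 1 if any was found, 0 when the file is clean.
audit_harbor_cfg() {       # audit_harbor_cfg <file>
  local f="$1" bad=0
  [ "$(cfg_get "$f" ui_url_protocol)" = https ] \
    || { echo "WEAK: ui_url_protocol is not https; docker login sends the password in cleartext"; bad=1; }
  [ "$(cfg_get "$f" harbor_admin_password)" != Harbor12345 ] \
    || { echo "WEAK: harbor_admin_password is the documented default"; bad=1; }
  [ "$(cfg_get "$f" self_registration)" = off ] \
    || { echo "WEAK: self_registration is on; anyone reaching the portal can create an account"; bad=1; }
  case "$(cfg_get "$f" hostname)" in
    ""|localhost|127.0.0.1|reg.mydomain.com)
      echo "WEAK: hostname is unset or a placeholder; use the address clients will reach"; bad=1 ;;
  esac
  return "$bad"
}

# Apply the settings the audit checks for. The certificate and key must exist
# at the ssl_cert / ssl_cert_key paths before install.sh runs.
harden_harbor_cfg() {      # harden_harbor_cfg <file> <hostname> <admin-password>
  cfg_set "$1" hostname "$2"
  cfg_set "$1" ui_url_protocol https
  cfg_set "$1" ssl_cert /data/cert/server.crt
  cfg_set "$1" ssl_cert_key /data/cert/server.key
  cfg_set "$1" harbor_admin_password "$3"
  cfg_set "$1" self_registration off
  cfg_set "$1" project_creation_restriction adminonly
}

# Constructed sample with the stock 1.7 defaults (a subset of the shipped file).
write_sample_cfg() {       # write_sample_cfg <file>
  cat > "$1" <<'EOF'
_version = 1.7.0
hostname = reg.mydomain.com
ui_url_protocol = http
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
harbor_admin_password = Harbor12345
auth_mode = db_auth
self_registration = on
project_creation_restriction = everyone
EOF
}
```

Source the file and run audit_harbor_cfg harbor.cfg before ./install.sh; it prints each weak setting and returns non-zero when any is found. harbor_admin_password is only read on Harbor's first start, so harden_harbor_cfg has to run before the install, not after.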

4) Install Harbor with ./install.sh:

[root@www harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.12

Note: docker-compose version: 1.8.0

[Step 1]: loading Harbor images ...
^C
[root@www harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.12

Note: docker-compose version: 1.8.0

[Step 1]: loading Harbor images ...
22.8MB/22.8MB
Loaded image: goharbor/registry-photon:v2.6.2-v1.7.0


[Step 2]: preparing environment ...
Generated and saved secret to file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log
Creating registry
Creating harbor-adminserver
Creating redis
Creating registryctl
Creating harbor-db
Creating harbor-core
Creating harbor-portal
Creating harbor-jobservice
Creating nginx

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://192.168.179.100. 
For more details, please visit https://github.com/goharbor/harbor .

5) Log in to the Harbor web portal. The default username is admin and the default password is Harbor12345; a different initial password can be set through harbor_admin_password in harbor.cfg, which is only read on the first start. Either way, change the default at first login: it is documented, so it is the first thing anyone probing the portal will try.

# After installation the Harbor host runs a lot of containers, so it is not advisable to run other applications on the machine; let it serve images only. Note the published ports: nginx listens on 80, 443 and 4443 on all interfaces, while the log collector is bound to 127.0.0.1 only.
[root@www harbor]# docker ps
CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS                   PORTS                                                              NAMES
4db9f3a2c228        goharbor/nginx-photon:v1.7.0             "nginx -g 'daemon of…"   2 minutes ago       Up 2 minutes (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
fbb0fb69d986        goharbor/harbor-jobservice:v1.7.0        "/harbor/start.sh"       2 minutes ago       Up 2 minutes                                                                                harbor-jobservice
794e29619d74        goharbor/harbor-portal:v1.7.0            "nginx -g 'daemon of…"   2 minutes ago       Up 2 minutes (healthy)   80/tcp                                                             harbor-portal
1768ed74ea87        goharbor/harbor-core:v1.7.0              "/harbor/start.sh"       2 minutes ago       Up 2 minutes (healthy)                                                                      harbor-core
baa0ff5a77c8        goharbor/harbor-db:v1.7.0                "/entrypoint.sh post…"   3 minutes ago       Up 2 minutes (healthy)   5432/tcp                                                           harbor-db
a4957591eb25        goharbor/harbor-registryctl:v1.7.0       "/harbor/start.sh"       3 minutes ago       Up 2 minutes (healthy)                                                                      registryctl
fae0c9ccf7bd        goharbor/harbor-adminserver:v1.7.0       "/harbor/start.sh"       3 minutes ago       Up 2 minutes (healthy)                                                                      harbor-adminserver
82bda7680cce        goharbor/redis-photon:v1.7.0             "docker-entrypoint.s…"   3 minutes ago       Up 2 minutes             6379/tcp                                                           redis
acf4f076c2f4        goharbor/registry-photon:v2.6.2-v1.7.0   "/entrypoint.sh /etc…"   3 minutes ago       Up 2 minutes (healthy)   5000/tcp                                                           registry
7e08dab0f44b        goharbor/harbor-log:v1.7.0               "/bin/sh -c /usr/loc…"   3 minutes ago       Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log

# The data is also persisted locally under /data. Note the ownership and modes: the database directory and secretkey (which Harbor uses to encrypt the secrets it stores) are readable by their owner only. Keep them that way and include /data in backups.
[root@www harbor]# ll /data/
total 8
drwxr-xr-x  2 root    root        6 Aug 14 21:28 ca_download
drwxr-xr-x  2   10000    10000    6 Aug 14 21:28 config
drwx------ 19 polkitd ssh_keys 4096 Aug 14 21:28 database
drwxr-xr-x  2   10000    10000    6 Aug 14 21:27 job_logs
drwxr-xr-x  2 root    root        6 Aug 14 21:28 psc
drwxr-xr-x  2 polkitd root       22 Aug 14 21:33 redis
drwxr-xr-x  3   10000    10000   20 Aug 14 10:11 registry
-rw-------  1   10000    10000   16 Aug 14 21:27 secretkey

6) Create the private-registry user lulei, set a password, and add the user to the library project

Both steps are done in the web portal: create the user, then add it as a member of the library project with a role that is allowed to push (Developer or Project Admin; Guest can only pull).

Then, on the client host, because this Harbor instance was installed with ui_url_protocol = http, the Docker daemon has to be told to treat the registry as insecure. Here that is done by editing the unit file directly:

[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd  -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.179.100
[root@localhost ~]# systemctl daemon-reload 
[root@localhost ~]# systemctl restart docker 

Two cautions about that change. --insecure-registry turns off TLS for this host, so the password entered at docker login and every pushed layer cross the network in cleartext; keep it to a lab, and for anything else give Harbor a certificate (ui_url_protocol = https) and drop the flag. Also, /usr/lib/systemd/system/docker.service belongs to the docker package and is replaced on upgrade; the durable places for the setting are "insecure-registries" in /etc/docker/daemon.json or a drop-in under /etc/systemd/system/docker.service.d/ (never both the flag and daemon.json for the same option, or dockerd refuses to start).

The project page in the portal shows the push command to use; retag the image so that it matches the form shown there (registry host, project, repository):

[root@localhost ~]# docker tag nginx:latest 192.168.179.100/library/nginx

The user created earlier is the one used to authenticate to the registry and push images; it must have been added to the project as a member for the push to be accepted.
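The --insecure-registry flag above is the lab shortcut. As an added example, not from the post or from the Docker or Harbor projects, the functions below set up the client side either way: install_registry_ca places Harbor's server certificate where dockerd looks for per-registry trust, write_insecure_registry records the insecure setting in daemon.json rather than in the packaged unit file, and registry_trust_mode reports which of the two a client is using. gen_server_cert produces a self-signed certificate for harbor.cfg's ssl_cert/ssl_cert_key paths. The host 192.168.179.100 is the post's; the optional root argument is an assumption so the layout can be created under a scratch directory.

```bash
#!/usr/bin/env bash
# Added example, not part of the post or of Docker/Harbor: client-side trust
# for a private Harbor. The optional ROOT argument (assumption for testing)
# prefixes /etc/docker; on a real client leave it empty.
set -eu

# Self-signed server certificate for harbor.cfg's ssl_cert / ssl_cert_key.
# The SAN matters: Docker's Go TLS stack ignores a bare CN. -addext needs
# OpenSSL 1.1.1 or newer.
gen_server_cert() {        # gen_server_cert <ip-or-dns-name> <outdir>
  local san
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) san="IP:$1" ;;
    *)                           san="DNS:$1" ;;
  esac
  mkdir -p "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2/server.key" -out "$2/server.crt" \
    -subj "/CN=$1" -addext "subjectAltName=$san"
  chmod 0600 "$2/server.key"
}

# Preferred: trust that certificate (or the CA that signed it) for one
# registry host only. dockerd reads /etc/docker/certs.d/<host[:port]>/ca.crt
# at pull/push time, so no restart is needed and TLS verification stays on.
install_registry_ca() {    # install_registry_ca <host[:port]> <cert.pem> [root]
  local dir="${3:-}/etc/docker/certs.d/$1"
  mkdir -p "$dir"
  cp "$2" "$dir/ca.crt"
  chmod 0644 "$dir/ca.crt"
  echo "$dir/ca.crt"
}

# Lab fallback: the same effect as --insecure-registry, but in daemon.json
# instead of the package-owned unit file. Overwrites an existing daemon.json,
# so merge by hand if one is present. Credentials and layers travel in
# cleartext in this mode; restart dockerd afterwards.
write_insecure_registry() { # write_insecure_registry <host[:port]> [root]
  local file="${2:-}/etc/docker/daemon.json"
  mkdir -p "${file%/*}"
  printf '{\n  "insecure-registries": ["%s"]\n}\n' "$1" > "$file"
  echo "$file"
}

# How is this client set up for the host: "tls", "insecure" or "none"?
registry_trust_mode() {    # registry_trust_mode <host[:port]> [root]
  local root="${2:-}"
  if [ -s "$root/etc/docker/certs.d/$1/ca.crt" ]; then
    echo tls
  elif [ -f "$root/etc/docker/daemon.json" ] \
       && grep -q "\"$1\"" "$root/etc/docker/daemon.json"; then
    echo insecure
  else
    echo none
  fi
}
```

On the Harbor host, gen_server_cert 192.168.179.100 /data/cert followed by ui_url_protocol = https in harbor.cfg replaces the HTTP setup; on each client, install_registry_ca 192.168.179.100 server.crt is then enough, with no daemon flag and no restart. Only fall back to write_insecure_registry (and systemctl restart docker) when TLS is really not an option.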

7) Log in to the registry and push/pull images

Log in first with the user created above (enter its password), then push. docker login takes the registry host (192.168.179.100); the repository path in the command below is not needed. The warning in the output is worth heeding: config.json holds the password base64-encoded, not encrypted, so on a shared workstation configure a credential helper (for example docker-credential-pass or docker-credential-secretservice) as the linked page describes.

[root@localhost ~]# docker login  192.168.179.100/library/nginx
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded


[root@localhost ~]# docker push 192.168.179.100/library/nginx 
The push refers to repository [192.168.179.100/library/nginx]
f978b9ed3f26: Pushed 
9040af41bb66: Pushed 
7c7d7f446182: Pushed 
d4cf327d8ef5: Pushed 
13cb14c2acd3: Pushed 
latest: digest: sha256:0efad4d09a419dc6d574c3c3baacb804a530acd61d5eba72cb1f14e1f5ac0c8f size: 1362

[root@localhost ~]# docker tag 02aedead27dd  192.168.179.100/library/tomcat:v1
[root@localhost ~]# docker push   192.168.179.100/library/tomcat:v1

Now pull the image you uploaded (the local copy is removed first so that the pull is real). The web portal provides the pull command for each tag; click it, paste it into your shell and run it, which is convenient:

[root@localhost ~]# docker rmi -f 2622e6cca7eb

[root@localhost ~]# docker pull 192.168.179.100/library/nginx:latest
latest: Pulling from library/nginx
8559a31e96f4: Already exists 
8d69e59170f7: Already exists 
3f9f1ec1d262: Already exists 
d1f5ff4f210d: Already exists 
1e22bfa8652e: Already exists 
Digest: sha256:0efad4d09a419dc6d574c3c3baacb804a530acd61d5eba72cb1f14e1f5ac0c8f
Status: Downloaded newer image for 192.168.179.100/library/nginx:latest
192.168.179.100/library/nginx:latest

8) Finally, after the pull is done, log out of the registry

[root@localhost ~]# docker logout 192.168.179.100
Removing login credentials for 192.168.179.100
[root@localhost ~]# docker tag 688353a31fde  192.168.179.100/library/ansible/centos7-ansible

# After logging out, pushing requires the username and password again; as the denied push shows, only an authenticated user with rights on the project can push.
[root@localhost ~]# docker push   192.168.179.100/library/ansible/centos7-ansible
The push refers to repository [192.168.179.100/library/ansible/centos7-ansible]
cf4eb7184a66: Preparing 
596e51307fcb: Preparing 
7794e20d52b7: Preparing 
f8c414e271fb: Preparing 
0d1585b29470: Preparing 
34e7b85d83e4: Waiting 
denied: requested access to the resource is denied

[root@localhost ~]# docker login 192.168.179.100
Username: lulei
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded