文章目录

搭建harbor私有镜像仓库

安装docker harbor
wget -c https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz
我的百度网盘
链接:https://pan.baidu.com/s/1eYsu5teqslfXE_SgCs_PeQ 
提取码:mq57

image-20220527140712357

解压harbor包
root@debian:~/docker# ls
harbor-offline-installer-v2.3.3.tgz
root@debian:~/docker# tar -zxf harbor-offline-installer-v2.3.3.tgz -C /usr/local/

image-20220527141033136

修改harbor配置文件
root@debian:/usr/local# cd harbor/
root@debian:/usr/local/harbor# ls
common.sh  harbor.v2.3.3.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
root@debian:/usr/local/harbor# cp harbor.yml.tmpl harbor.yml

image-20220527141158893

配置本地解析

vim /etc/hosts

127.0.0.1       localhost
196.196.196.11  debian

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
196.196.196.11 harbor.example.com

image-20220527141359523

修改harbor.yml配置文件

我是用的这个 visual这个工具修改的

vim /usr/local/harbor/harbor.yml

第一处
hostname: harbor.example.com  196.196.196.11   #主机名修改为域名(也可以是ip)

image-20220527142332285

第二处
#注释掉以下没注释的
# https related config
# https:
  # https port for harbor, default is 443     #因为未做https,所以将https全部注释
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path

image-20220527142735114

密码
harbor_admin_password: Harbor12345              #web界面登录密码

image-20220527142812277

启动脚本

//执行脚本
[root@harbor harbor]# ./install.sh 
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----		//安装成功

image-20220527143304405

启动报错

显示端口被占用,去查看端口或者改端口

image-20220527143353939

启动成功
image-20220527153601191

查看镜像

root@debian:/usr/local/harbor# docker images
REPOSITORY                      TAG       IMAGE ID       CREATED        SIZE
goharbor/harbor-exporter        v2.3.3    a75350aa1e3d   8 months ago   81.1MB
goharbor/chartmuseum-photon     v2.3.3    24b85ee1f3ff   8 months ago   179MB
goharbor/redis-photon           v2.3.3    5b8e952b8f45   8 months ago   165MB
goharbor/trivy-adapter-photon   v2.3.3    271525f11619   8 months ago   130MB
goharbor/notary-server-photon   v2.3.3    bea6e3465892   8 months ago   110MB
goharbor/notary-signer-photon   v2.3.3    c5116fef5e4c   8 months ago   108MB
goharbor/harbor-registryctl     v2.3.3    ffea0a2c3674   8 months ago   133MB
goharbor/registry-photon        v2.3.3    08b0e6fe666e   8 months ago   81.9MB
goharbor/nginx-photon           v2.3.3    43487013ae1e   8 months ago   45MB
goharbor/harbor-log             v2.3.3    77b2d1cb3ab2   8 months ago   168MB
goharbor/harbor-jobservice      v2.3.3    cb3b2c9d8f57   8 months ago   211MB
goharbor/harbor-core            v2.3.3    f065d61635a8   8 months ago   193MB
goharbor/harbor-portal          v2.3.3    eeb24c004c47   8 months ago   58.2MB
goharbor/harbor-db              v2.3.3    7f32a2a21263   8 months ago   237MB
goharbor/prepare                v2.3.3    9f7ce0f16ecc   8 months ago   262MB

image-20220527153638687

查看运行的 容器
root@debian:/usr/local/harbor# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED             STATUS                       PORTS                                   NAMES
34143c398fff   goharbor/nginx-photon:v2.3.3         "nginx -g 'daemon of…"   About an hour ago   Up About an hour (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
41c5b9d90528   goharbor/harbor-jobservice:v2.3.3    "/harbor/entrypoint.…"   About an hour ago   Up About an hour (healthy)                                           harbor-jobservice
190899f26070   goharbor/harbor-core:v2.3.3          "/harbor/entrypoint.…"   About an hour ago   Up About an hour (healthy)                                           harbor-core
0be822fafc7b   goharbor/harbor-registryctl:v2.3.3   "/home/harbor/start.…"   About an hour ago   Up About an hour (healthy)                                           registryctl
f205740cd5f3   goharbor/harbor-portal:v2.3.3        "nginx -g 'daemon of…"   About an hour ago   Up About an hour (healthy)                                           harbor-portal
f2e42ca499c2   goharbor/registry-photon:v2.3.3      "/home/harbor/entryp…"   About an hour ago   Up About an hour (healthy)                                           registry
9559788d6d05   goharbor/redis-photon:v2.3.3         "redis-server /etc/r…"   About an hour ago   Up About an hour (healthy)                                           redis
17ed48abfc39   goharbor/harbor-db:v2.3.3            "/docker-entrypoint.…"   About an hour ago   Up About an hour (healthy)                                           harbor-db
4c206b580e82   goharbor/harbor-log:v2.3.3           "/bin/sh -c /usr/loc…"   About an hour ago   Up About an hour (healthy)   127.0.0.1:1514->10514/tcp               harbor-log

image-20220527153902929

查看端口占用
root@debian:/usr/local/harbor# ss -antl
State      Recv-Q     Send-Q              Local Address:Port         Peer Address:Port    
LISTEN     0          128                     127.0.0.1:6011              0.0.0.0:*       
LISTEN     0          128                     127.0.0.1:1514              0.0.0.0:*       
LISTEN     0          128                       0.0.0.0:80                0.0.0.0:*       
LISTEN     0          128                       0.0.0.0:22                0.0.0.0:*       
LISTEN     0          5                       127.0.0.1:631               0.0.0.0:*       
LISTEN     0          128                         [::1]:6011                 [::]:*       
LISTEN     0          50             [::ffff:127.0.0.1]:9600                    *:*       
LISTEN     0          128                          [::]:80                   [::]:*       
LISTEN     0          128                             *:9200                    *:*       
LISTEN     0          128                             *:9300                    *:*       
LISTEN     0          128                          [::]:22                   [::]:*       
LISTEN     0          5                           [::1]:631                  [::]:*  

image-20220527154023613

使用IP登录管理Harbor

账户:admin
密码:Harbor12345

image-20220527154131894

登陆之后页面
image-20220527154223327

配置https方式访问

[root@kub-k8s-master ~]# mkdir -pv /data/cert/
[root@kub-k8s-master ~]# openssl genrsa -out /data/cert/server.key 2048
Generating RSA private key, 2048 bit long modulus
............................................+++
............+++
e is 65537 (0x10001)
[root@kub-k8s-master ~]# openssl req -x509 -new -nodes -key /data/cert/server.key -subj "/CN=192.168.2.204" -days 3650 -out /data/cert/server.crt
[root@kub-k8s-master ~]# ll -a /data/cert
[root@kub-k8s-master ~]# cd harbor
[root@kub-k8s-master harbor]# vim harbor.yml   #编辑如下

image-20220527170814236

重启
重启
[root@kub-k8s-master harbor]# ./prepare 
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

如果出错,重启Docker服务,再次执行./prepare 
[root@kub-k8s-master harbor]# docker-compose down
Stopping nginx             ... done
Stopping harbor-portal     ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-portal     ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-log        ... done
Removing network harbor_harbor
[root@kub-k8s-master harbor]# docker-compose up -d  #放后台

image-20220527170909905

查看
image-20220527170934197

访问测试

image-20220527171020894

image-20220527171158823

配置push镜像配置
[root@harbor harbor]# vim /etc/docker/daemon.json
[root@harbor harbor]# cat /etc/docker/daemon.json
{
        "dns": ["8.8.8.8","8.8.4.4"],
        "insecure-registries": [""https://harbor.example.com","https://196.196.196.11""]
}

image-20220527172221565

重启服务 systemctl restart docker 重启服务以后需要再跑一遍脚本,80端口才会启动
登录harbor仓库
[root@harbor harbor]# docker login 196.196.196.11


我这里报错了,遇到下面报错

image-20220527172905565

解决账号登陆报错

默认时,client 与 Registry 的交互是通过 https 通信的。在 install Registry 时,若未配置任何tls 相关的 key 和 crt 文件,https 访问必然失败。使用 "–insecure-registry "可以指定 client 与 Registry 以 http 的方式进行通信。
修改 /lib/systemd/system/docker.service 文件里的 ExecStart= 行:
vim /lib/systemd/system/docker.service
添加这个
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=196.196.196.11

image-20220527175822636

重载、重启 docker 服务,验证配置是否生效
python@job:/lib/systemd/system$ systemctl daemon-reload
python@job:/lib/systemd/system$ systemctl restart docker
python@job:/lib/systemd/system$ docker info
————————————————

可以看到

Insecure Registries:
 196.196.196.11
 127.0.0.0/8

image-20220527180028028

登陆成功
root@debian:/usr/local/harbor# docker login 196.196.196.11
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

harbor仓库操作指南

创建harbor账号

image-20220527174147248

image-20220527174327052

账号:aike
密码:Aike@52100

项目授权

image-20220527174454675

再次登录harbor仓库
推送前创建一个项目

image-20220527154341600

image-20220527155019271

重新打包镜像并推送
docker pull daocloud.io/library/nginx

root@debian:/usr/local/harbor# docker images | grep nginx
goharbor/nginx-photon           v2.3.3    43487013ae1e   8 months ago    45MB
nginx/ceshi                     v2.3.3    43487013ae1e   8 months ago    45MB
daocloud.io/library/nginx       latest    298ec0e28760   15 months ago   133MB

root@debian:/usr/local/harbor# docker tag daocloud.io/library/nginx:latest 196.196.196.11/bimuyu/nginx

image-20220527182542697

推送镜像
The push refers to repository [196.196.196.11/bimuyu/nginx]
d9eb91d66e2a: Pushed 
ae1f545e4c08: Pushed 
c20672db3628: Pushed 
4cbb728cd302: Pushed 
9eb82f04c782: Pushed 
latest: digest: sha256:1a53eb723d17523512bd25c27299046cfa034cce309f4ed330c943a304513f59 size: 1362

image-20220527182653208

效果

image-20220527182710250

harbor常用功能-标签保留规则
存储库可以迅速积累大量工件,在给定时间之后或由后续工件构建取代它们之后,可能不需要许多工件。这些多余的工件显然会消耗大量的存储容量。作为Harbor系统管理员,您可以定义规则来管理给定存储库中要保留多少工件,或将某些工件保留多长时间。

创建Dockerfile文件和build脚本构建一些差异化docker镜像进行演示:

cat > Dockerfile <<EOF
FROM nginx:alpine
ARGS num
RUN echo $num > file.txt
EOF

cat > build.sh <<EOF
for num in {1..8}
do
  docker build --build-arg $num -t registry.harbor.com/library/nginx:v$num .
  docker push registry.harbor.com/library/nginx:v$num
done
EOF

image-20220819112728006

执行脚本构建8个镜像并推送到library/nginx仓库中

sh build.sh
查看上传的镜像

image-20220819133932585

配置tag保留策略,仅保留nginx镜像仓库最新上传的5个镜像tag

image-20220819133952576

返回项目界面,点击策略,选择立即运行

image-20220819134014693

运行完成后再次查看nginx仓库中的镜像,保留了最新上传的5个镜像,其他3个已经被删除:

image-20220819134031548

harbor仓库复制功能

复制允许用户在pull或push模式下在harbor和非harbor注册表之间复制资源,即镜像和charts。

Harbor系统管理员设置复制规则后,满足触发条件时,所有与定义的过滤器模式匹配的资源都将复制到目标注册表。复制的每个资源都会启动复制任务。如果目标注册表中不存在该名称空间,则会自动创建一个新的名称空间。如果它已经存在,并且复制策略中配置的用户帐户没有写权限,则该过程将失败。会员信息不被复制。
根据网络状况,复制期间可能会有一些延迟。如果复制任务失败,则会在几分钟后重新安排它并重试几次。
参考:https://goharbor.io/docs/2.0.0/administration/configuring-replication/

配置示例:

仓库管理中选择新建目标,这里将harbor官网提供的demo仓库作为目标,用户密码为默认admin/Harbor12345:

image-20220819134151033

在复制管理中新建复制规则,将library项目下的所有镜像仓库同步到远端harbor仓库:

image-20220819134350708

回到复制管理,点击复制开始手动触发同步

image-20220819134409785

任务完成后登录demo harbor进行验证

image-20220819134431874

harbor垃圾回收策略

从Harbor删除镜像时,不会自动释放空间。您必须运行垃圾回收以通过从文件系统中删除清单不再引用的blob来释放空间

参考:https://goharbor.io/docs/2.0.0/administration/garbage-collection/

image-20220819134514923

harbor标签管理

Harbor提供两种标签来隔离不同种类的资源:

  • 全局标签:由Harbor系统管理员管理,用于管理整个系统的映像。可以将它们添加到任何项目下的镜像中。
  • 项目标签:由项目下的项目管理员管理,并且只能添加到项目的镜像中。
创建标签

image-20220819135437507

为镜像打标签

image-20220819140054674

按照标签过滤镜像

image-20220819140112322

配置https方式访问二

默认情况下,Harbor不附带证书。可以在没有安全性的情况下部署Harbor,以便您可以通过HTTP连接到它。但是,只有在没有外部网络连接的测试或开发环境中,才可以使用HTTP。在外网暴露环境中使用HTTP会使您遭受中间人攻击。在生产环境中,请始终使用HTTPS。如果启用Content Trust with Notary来正确签名所有镜像,则必须使用HTTPS。

要配置HTTPS,必须创建SSL证书。您可以使用由受信任的第三方CA签名的证书,也可以使用自签名证书。本节介绍如何使用OpenSSL创建CA,以及如何使用CA签署服务器证书和客户端证书。您可以使用其他CA提供程序,例如Let’s Encrypt。

以下过程假定您的Harbor注册表的主机名是yourdomain.com,并且其DNS记录指向您在其上运行Harbor的主机。

以上是官方说明,这里以registry.harbor.com域名为例进行演示,也可以直接使用IP地址代替域名配置https,但在生成证书时有两处配置稍有不同。

官方文档:https://goharbor.io/docs/2.0.0/install-config/configure-https/

生成证书颁发机构证书

在生产环境中,您应该从CA获得证书。在测试或开发环境中,您可以生成自己的CA。要生成CA证书,请运行以下命令。

1、生成CA证书私钥。
#创建目录保存证书(可选)
mkdir -p /root/harbor/ssl
cd /root/harbor/ssl

openssl genrsa -out ca.key 4096
2、生成CA证书。

调整-subj选项中的值以反映您的组织。如果使用FQDN连接Harbor主机,则必须将其指定为通用名称(CN)属性。

openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.harbor.com" \
 -key ca.key \
 -out ca.cr

如果使用IP地址,需要在执行以上命令前执行以下操作:

cd /root
openssl rand -writerand .rnd
cd -

image-20220818173241019

生成服务器证书

证书通常包含一个.crt文件和一个.key文件,例如yourdomain.com.crtyourdomain.com.key

1、生成私钥。
openssl genrsa -out registry.harbor.com.key 4096
2、生成证书签名请求(CSR)。

调整-subj选项中的值以反映您的组织。如果使用FQDN连接Harbor主机,则必须将其指定为通用名称(CN)属性,并在密钥和CSR文件名中使用它。

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.harbor.com" \
    -key registry.harbor.com.key \
    -out registry.harbor.com.csr

image-20220818173427297

3、生成一个x509 v3扩展文件。

无论您使用FQDN还是IP地址连接到Harbor主机,都必须创建此文件,以便可以为您的Harbor主机生成符合主题备用名称(SAN)和x509 v3的证书扩展要求。替换DNS条目以反映您的域。

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=registry.harbor.com
DNS.2=registry.harbor
DNS.3=harbor
EOF

如果使用ip,需要使用如下方式进行创建:

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.93.9
EOF

image-20220818173621904

4、使用该v3.ext文件为您的Harbor主机生成证书。

yourdomain.comCRS和CRT文件名中的替换为Harbor主机名。

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in registry.harbor.com.csr \
    -out registry.harbor.com.crt

image-20220818173720896

提供证书给Harbor和Docker

生成后ca.crtyourdomain.com.crtyourdomain.com.key文件,必须将它们提供给harbor和docker,和重新配置harbor使用它们。

1、将服务器证书和密钥复制到Harbor主机上的certficates文件夹中。
mkdir -p /data/cert
cp registry.harbor.com.crt /data/cert/
cp registry.harbor.com.key /data/cert/

image-20220818173857551

2、转换yourdomain.com.crtyourdomain.com.cert,供Docker使用。

Docker守护程序将.crt文件解释为CA证书,并将.cert文件解释为客户端证书。

openssl x509 -inform PEM -in registry.harbor.com.crt -out registry.harbor.com.cert
3、将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。您必须首先创建适当的文件夹
mkdir -p /etc/docker/certs.d/registry.harbor.com/
cp registry.harbor.com.cert /etc/docker/certs.d/registry.harbor.com/
cp registry.harbor.com.key /etc/docker/certs.d/registry.harbor.com/
cp ca.crt /etc/docker/certs.d/registry.harbor.com/

如果将默认nginx端口443映射到其他端口,请创建文件夹/etc/docker/certs.d/yourdomain.com:port/etc/docker/certs.d/harbor_IP:port。(省略)

4、重新启动Docker Engine。
systemctl restart docker

您可能还需要在操作系统级别信任证书。有关更多信息,请参见对Harbour安装进行故障排除

以下示例说明了使用自定义证书的配置。

image-20220818174208029

部署或重新配置harbor

这里是全新部署,修改harbor.yml配置文件:

[root@harbor ~]# cd /root/harbor
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml

#只需修改hostname及https下的证书路径即可,其他保持默认
[root@harbor harbor]# more harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: registry.harbor.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/registry.harbor.com.crt
  private_key: /data/cert/registry.harbor.com.key
...

执行harbor部署
./install.sh

已经使用http方式部署harbor的情况

如果您已经使用HTTP部署了Harbor,并希望将其重新配置为使用HTTPS,请执行以下步骤。

1、运行prepare脚本以启用HTTPS。

Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用HTTPS。该prepare在港的安装包,在同级别的install.sh脚本。

./prepare
2、如果Harbor正在运行,请停止并删除现有实例。

您的镜像数据保留在文件系统中,因此不会丢失任何数据。

docker-compose down -v
3、重启harbor:
docker-compose up -d

验证HTTPS连接

为Harbor设置HTTPS之后,您可以通过执行以下步骤来验证HTTPS连接。

1、打开浏览器,然后输入https://yourdomain.com。它应该显示Harbor界面。

某些浏览器可能会显示警告,指出证书颁发机构(CA)未知。使用不是来自受信任的第三方CA的自签名CA时,会发生这种情况。您可以将CA导入浏览器以删除警告。

注意,这里的CA证书位于harbor节点/root/harbor/ssl/ca.crt。

以chrome浏览器导入证书为例,搜索栏输入以下内容,下拉选择管理证书,选择受信任的证书颁发机构,然后导入ca.crt重启浏览器使用域名访问即可。

image-20220818175550992

如果没有配置dns,需要配置hosts解析

vim /etc/hosts
49.234.19.160 registry.harbor.com

image-20220818175926294

2、在运行Docker守护程序的机器上,检查/etc/docker/daemon.json文件以确保-insecure-registry未指定https://yourdomain.com选项。
3、从Docker客户端登录Harbor(这里从harbor节点登录)。
[root@harbor ~]# echo "192.168.93.9 registry.harbor.com" >> /etc/hosts

[root@harbor ~]# docker login registry.harbor.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

遇到报错

Docker login Harbor报错解决:Error response from daemon: Get https://… 443: connect: connection refused

image-20220818180738550

报错信息
[root@160 harbor]# docker login registry.harbor.com
Username: admin
Password: 
Error response from daemon: Get "https://registry.harbor.com/v2/": x509: certificate is not valid for any names, but wanted to match registry.harbor.com
查看Docker版本
docker version
停止harbor:

docker-compose down -v:停止并移除整个project的所有services**

image-20220818181000448

查找docker.service所在位置:
[root@localhost harbor]# find / -name docker.service -type f
/usr/lib/systemd/system/docker.service
修改docker.service配置文件(需要登录Harbor仓库的主机都要修改):
[root@localhost harbor]# vim /usr/lib/systemd/system/docker.service
[Unit]
Documentation=http://docs.docker.io     //需修改
...
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

ExecStart=/usr/bin/dockerd --insecure-registry=192.168.2.195   //重要
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
      //需修改,根据自己的docker路径跟IP地址进行修改
      
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
...
[Install]
WantedBy=multi-user.target

image-20220819103218452

重启服务:
[root@localhost harbor]# systemctl daemon-reload

[root@localhost harbor]# systemctl restart docker
启动harbor:

docker-compose up -d :构建(容器)并启动(容器)整个project的所有service

image-20220819103355020

查看服务:

已经包含了 --insecure-registry=192.168.2.195 参数

[root@160 harbor]# ps -aux | grep docker
root      5850  1.1  3.4 1466428 70204 ?       Ssl  10:33   0:00 /usr/bin/dockerd --insecure-registry=49.234.19.160

image-20220819103524646

测试登录:
[root@localhost harbor]# docker login 192.168.2.195
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded        //登录成功

image-20220819111839630

如果已将nginx443端口映射到其他端口,请在login命令中添加该端口。

docker login yourdomain.com:port

注意:从其他节点docker客户端登录harbor,必须分发ca.crt到对应客户端

对应节点执行以下操作:
[root@test ~]# mkdir -p /etc/docker/certs.d/registry.harbor.com/
[root@test ~]# scp 192.168.93.9:/root/harbor/ssl/ca.crt ca.crt /etc/docker/certs.d/registry.harbor.com/

image-20220819112139842

推送镜像测试
[root@test ~]# docker login registry.harbor.com
[root@test ~]# docker tag nginx:alpine registry.harbor.com/library/nginx:alpine
[root@test ~]# docker push registry.harbor.com/library/nginx:alpine

admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded //登录成功


[外链图片转存中...(img-2Mymg1xD-1660889034550)]

如果已将`nginx`443端口映射到其他端口,请在`login`命令中添加该端口。

```shell
docker login yourdomain.com:port

注意:从其他节点docker客户端登录harbor,必须分发ca.crt到对应客户端

对应节点执行以下操作:
[root@test ~]# mkdir -p /etc/docker/certs.d/registry.harbor.com/
[root@test ~]# scp 192.168.93.9:/root/harbor/ssl/ca.crt ca.crt /etc/docker/certs.d/registry.harbor.com/

[外链图片转存中…(img-vUH0BoZ5-1660889034550)]

推送镜像测试
[root@test ~]# docker login registry.harbor.com
[root@test ~]# docker tag nginx:alpine registry.harbor.com/library/nginx:alpine
[root@test ~]# docker push registry.harbor.com/library/nginx:alpine
Logo

为开发者提供学习成长、分享交流、生态实践、资源工具等服务,帮助开发者快速成长。

更多推荐