ToB企服应用市场:ToB评测及商务社交产业平台

标题: Harbor的安装部署 [打印本页]

---

作者: 立山    时间: 2024-8-28 09:25
标题: Harbor的安装部署

---

一、什么是Harbor

Harbor是一个开源的企业级容器镜像仓库，最初由VMware公司的中国团队开发。它旨在提供安全、高性能和易于管理的容器镜像存储、署名和扫描服务。Harbor扩展了开源Docker Distribution的功能，增长了用户通常需要的安全性、身份和管理功能，使得注册表更加接近构建和运行环境，进步了图像传输服从。Harbor支持在注册表之间复制镜像，并提供高级安全功能，如用户管理、访问控制和活动考核。
Harbor的上风在于它专为企业级环境设计，提供了合规性、性能和互操作性，特别适合在Kubernetes和Docker这样的云原生盘算平台上举行镜像管理。
Harbor实用于需要安全、稳固和高效管理大量Docker镜像的企业，尤其是在云环境、假造化环境或物理服务器中。它有助于企业实现镜像的会合存储管理，进步开发、测试和部署服从。最佳实践包罗合理规划项目布局、使用角色基础的访问控制举行权限分配、定期举行镜像扫描和更新，以及根据需要配置高可用性部署
二、安装Docker

参考：Dockr的安装
三、安装Docker Compose

GitHub下载

• GitHub下载
  

1. wget https://github.com/docker/compose/releases/download/v2.26.0/docker-compose-linux-x86_64 -O /usr/local/bin/docker-compose

复制代码

• 赋予执行权限
  

1. sudo chmod +x /usr/local/bin/docker-compose

复制代码

• 创建软毗连
  

1. sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

复制代码

• 查看docker版本
  

1. docker-compose --version

复制代码

镜像源安装

• 镜像源下载
  

1. wget https://mirror.ghproxy.com/https://github.com/docker/compose/releases/download/v2.26.0/docker-compose-linux-x86_64 -O /usr/local/bin/docker-compose

复制代码

• 赋予执行权限：
  

1. sudo chmod +x /usr/local/bin/docker-compose

复制代码

• 创建软毗连：
  

1. sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

复制代码

四、Harbor的安装

镜像源：https://mirror.ghproxy.com/

• 从github上找到要安装的harbor的地点通过https://mirror.ghproxy.com/来从国内拉取对应的安装包
  
• 通过wget https://mirror.ghproxy.com/+对应的githhub上的的安装地点 拉取安装包
  

1. wget https://mirror.ghproxy.com/https://github.com/goharbor/harbor/releases/download/v2.1.3/harbor-offline-installer-v2.1.3.tgz

复制代码

• 将安装包举行解压，解压至/usr/local/
  

1. tar -zxf harbor-offline-installer-v2.1.3.tgz -C /usr/local/

复制代码

• 修改harbor的配置文件
  

1. cd /usr/local/harbor/
2. cp harbor.yml.tmp harbor.yml
3. vim harbor.yml

复制代码

1. # Configuration file of Harbor
3. # The IP address or hostname to access admin UI and registry service.
4. # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
5. #
6. hostname: 域名        #harbor的域名
8. # http related config
9. http:
10.   # port for http, default is 80. If https enabled, this port will redirect to https port
11.   port: 端口号        #harbor的端口号
12. #不使用HTTPS将其注释
13. # https related config
14. #https:
15. # https port for harbor, default is 443
16. # port: 443
17. # The path of cert and key files for nginx
18. # certificate: /your/certificate/path
19. # private_key: /your/private/key/path
21. # # Uncomment following will enable tls communication between all harbor components
22. # internal_tls:
23. #   # set enabled to true means internal tls is enabled
24. #   enabled: true
25. #   # put your cert and key files on dir
26. #   dir: /etc/harbor/tls/internal
28. # Uncomment external_url if you want to enable external proxy
29. # And when it enabled the hostname will no longer used
30. # external_url: https://reg.mydomain.com:8433
32. # The initial password of Harbor admin
33. # It only works in first time to install harbor
34. # Remember Change the admin password from UI after launching Harbor.
35. harbor_admin_password: 密码 #harbor的admin密码
37. # Harbor DB configuration
38. database:
39.   # The password for the root user of Harbor DB. Change this before any production use.
40.   password: 密码 #harbor的数据库密码
41.   # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
42.   max_idle_conns: 100
43.   # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
44.   # Note: the default number of connections is 1024 for postgres of harbor.
45.   max_open_conns: 900
47. # The default data volume
48. data_volume: /data
50. # Harbor Storage settings by default is using /data dir on local filesystem
51. # Uncomment storage_service setting If you want to using external storage
52. # storage_service:
53. #   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
54. #   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
55. #   ca_bundle:
57. #   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
58. #   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
59. #   filesystem:
60. #     maxthreads: 100
61. #   # set disable to true when you want to disable registry redirect
62. #   redirect:
63. #     disabled: false
65. # Trivy configuration
66. #
67. # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
68. # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
69. # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
70. # should download a newer version from the Internet or use the cached one. Currently, the database is updated every
71. # 12 hours and published as a new release to GitHub.
72. trivy:
73.   # ignoreUnfixed The flag to display only fixed vulnerabilities
74.   ignore_unfixed: false
75.   # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
76.   #
77.   # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
78.   # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
79.   # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
80.   skip_update: false
81.   #
82.   # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
83.   # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
84.   # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
85.   # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
86.   # It would work if all the dependencies are in local.
87.   # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
88.   offline_scan: false
89.   #
90.   # insecure The flag to skip verifying registry certificate
91.   insecure: false
92.   # github_token The GitHub access token to download Trivy DB
93.   #
94.   # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
95.   # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
96.   # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
97.   # https://developer.github.com/v3/#rate-limiting
98.   #
99.   # You can create a GitHub token by following the instructions in
100.   # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
101.   #
102.   # github_token: xxx
104. jobservice:
105.   # Maximum number of job workers in job service
106.   max_job_workers: 10
108. notification:
109.   # Maximum retry count for webhook job
110.   webhook_job_max_retry: 10
112. chart:
113.   # Change the value of absolute_url to enabled can enable absolute url in chart
114.   absolute_url: disabled
116. # Log configurations
117. log:
118.   # options are debug, info, warning, error, fatal
119.   level: info
120.   # configs for logs in local storage
121.   local:
122.     # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
123.     rotate_count: 50
124.     # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
125.     # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
126.     # are all valid.
127.     rotate_size: 200M
128.     # The directory on your host that store log
129.     location: /var/log/harbor
131.   # Uncomment following lines to enable external syslog endpoint.
132.   # external_endpoint:
133.   #   # protocol used to transmit log to external endpoint, options is tcp or udp
134.   #   protocol: tcp
135.   #   # The host of external endpoint
136.   #   host: localhost
137.   #   # Port of external endpoint
138.   #   port: 5140
140. #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
141. _version: 2.4.0
143. # Uncomment external_database if using external database.
144. # external_database:
145. #   harbor:
146. #     host: harbor_db_host
147. #     port: harbor_db_port
148. #     db_name: harbor_db_name
149. #     username: harbor_db_username
150. #     password: harbor_db_password
151. #     ssl_mode: disable
152. #     max_idle_conns: 2
153. #     max_open_conns: 0
154. #   notary_signer:
155. #     host: notary_signer_db_host
156. #     port: notary_signer_db_port
157. #     db_name: notary_signer_db_name
158. #     username: notary_signer_db_username
159. #     password: notary_signer_db_password
160. #     ssl_mode: disable
161. #   notary_server:
162. #     host: notary_server_db_host
163. #     port: notary_server_db_port
164. #     db_name: notary_server_db_name
165. #     username: notary_server_db_username
166. #     password: notary_server_db_password
167. #     ssl_mode: disable
169. # Uncomment external_redis if using external Redis server
170. # external_redis:
171. #   # support redis, redis+sentinel
172. #   # host for redis: <host_redis>:<port_redis>
173. #   # host for redis+sentinel:
174. #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
175. #   host: redis:6379
176. #   password:
177. #   # sentinel_master_set must be set to support redis+sentinel
178. #   #sentinel_master_set:
179. #   # db_index 0 is for core, it's unchangeable
180. #   registry_db_index: 1
181. #   jobservice_db_index: 2
182. #   chartmuseum_db_index: 3
183. #   trivy_db_index: 5
184. #   idle_timeout_seconds: 30
186. # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
187. # uaa:
188. #   ca_file: /path/to/ca
190. # Global proxy
191. # Config http proxy for components, e.g. http://my.proxy.com:3128
192. # Components doesn't need to connect to each others via http proxy.
193. # Remove component from `components` array if want disable proxy
194. # for it. If you want use proxy for replication, MUST enable proxy
195. # for core and jobservice, and set `http_proxy` and `https_proxy`.
196. # Add domain to the `no_proxy` field, when you want disable proxy
197. # for some special registry.
198. proxy:
199.   http_proxy:
200.   https_proxy:
201.   no_proxy:
202.   components:
203.     - core
204.     - jobservice
205.     - trivy
207. # metric:
208. #   enabled: false
209. #   port: 9090
210. #   path: /metrics
212. # Trace related config
213. # only can enable one trace provider(jaeger or otel) at the same time,
214. # and when using jaeger as provider, can only enable it with agent mode or collector mode.
215. # if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
216. # if using jaeger agetn mode uncomment agent_host and agent_port
217. # trace:
218. #   enabled: true
219. #   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
220. #   sample_rate: 1
221. #   # # namespace used to differenciate different harbor services
222. #   # namespace:
223. #   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
224. #   # attributes:
225. #   #   application: harbor
226. #   # # jaeger should be 1.26 or newer.
227. #   # jaeger:
228. #   #   endpoint: http://hostname:14268/api/traces
229. #   #   username:
230. #   #   password:
231. #   #   agent_host: hostname
232. #   #   # export trace data by jaeger.thrift in compact mode
233. #   #   agent_port: 6831
234. #   # otel:
235. #   #   endpoint: hostname:4318
236. #   #   url_path: /v1/traces
237. #   #   compression: false
238. #   #   insecure: true
239. #   #   timeout: 10s

复制代码

• 使用./install.sh
  命令执行安装脚本
  

1. ./install.sh

复制代码

• 在/etc/hosts中添加对应的域名解析
  

1. 本机IP        域名 #例：192.168.1.3  ganchengfang.xyz

复制代码

五、Harbor的登录

• 使用docker login 域名:端口
  的命令行形式登录harbor
  

1. docker login 域名:端口

复制代码

• 使用欣赏器访问harbor
  在导航栏输入 服务器ip:端口 进入harbor的登录界面
  
  
  
  
• 在导航栏输入 域名:端口 进入harbor的登岸界面
  
  
  
  

   注：使用 域名:端口时 需要买一个域名举行绑定（在任何公网都可访问）或修改本地的hosts来举行解析（只有修改过才能访问）

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4