肝2022天下杯，怒写企业级镜像私仓Docker+Harbor实践

2022-12-09 揭幕2022卡塔尔天下杯4强比赛的第一天，越来越精彩了
同时记录程序猿的成长~
1.配景

由于盼望搭建一个企业级CICD的环境，开始尝试常规的gitlab+jenkins+k8s+docker harbor+springboot开始练手
其中版本如下：
1.gitlab: GitLab Community Edition 12.2.1
2.jenkins:
3.Mac kubernetes: v1.24.2
4.Mac docker: Engine: 20.10.17 Compose: 1.29.2
5.harbor: v2.5.1-b0506782
1.1 条件

• 企业级代码库 Gitlab
  
• 企业级CICD持续化集成工具 Jenkins
  
• 企业级容器化技能架构：Docker+Kubernetes
  

以下就开始搭建Harbor，构造企业级私有化镜像仓库
1.2 为什么选择Harbor？

因为它的功能相对较强，可以或许基本满足企业级运作
上图先浅看一下

2.使用离线包进行手动安装

请注意需要安装在有Docker指令的呆板上
2.1 下载资源包

从 github releases 官方下载offline离线包，这边选取一个稳固版本v2.5.1（online版本需要在线去持续下载资源，为了克制失败，直接下载离线包更为简朴）

1. #通过wget
2. wget https://github.com/goharbor/harbor/releases/download/v2.5.1/harbor-online-installer-v2.5.1.tgz
4. #通过页面
5. #直接点击Asserts中harbor-online-installer-v2.5.1.tgz 下载即可

复制代码

2.2 解压并配置

tgz的包直接解压

1. tar zxf harbor-online-installer-v2.5.1.tgz ./harbor

复制代码

解压出来后的目录结构：

1. -rw-r--r--@ 1 xxxxx  test      11347  5 26 23:59 LICENSE
2. drwxr-xr-x  3 xxxxx  test         96  8 29 18:20 common
3. -rw-r--r--@ 1 xxxxx  test       3361  5 26 23:59 common.sh
4. -rw-r--r--  1 xxxxx  test       6057  8 30 08:25 docker-compose.yml
5. -rw-r--r--@ 1 xxxxx  test  664492716  5 27 00:00 harbor.v2.5.1.tar.gz
6. -rw-r--r--@ 1 xxxxx  test       9917  5 26 23:59 harbor.yml.tmpl
7. -rwxr-xr-x@ 1 xxxxx  test       2500  5 26 23:59 install.sh
8. -rwxr-xr-x@ 1 xxxxx  test       1881  5 26 23:59 prepare

复制代码

脚本有prepare install common三个，其中common是根本脚本，我们只会直接调用prepare和install两个脚本
其中harbor.yml.tmpl为焦点配置的模板，我们可以直接修改文件名称，或者拷贝一个文件来作为焦点配置文件，文件内容如下：

1. # Configuration file of Harbor
3. # The IP address or hostname to access admin UI and registry service.
4. # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
5. # 以下主要填写仓库的IP或域名，最好为域名形式
6. hostname: 127.0.0.1
8. # http related config
9. # 以下为HTTP的配置形式
10. http:
11.   # port for http, default is 80. If https enabled, this port will redirect to https port
12.   # 默认80，基本是要调整
13.   port: 18080
15. # https related config
16. # 以下为HTTPs的配置形式，正常生产环境需要打开，需要配置https证书
17. #https:
18.   # https port for harbor, default is 443
19.   #port: 443
20.   # The path of cert and key files for nginx
21.   #certificate: /your/certificate/path
22.   #private_key: /your/private/key/path
24. # # Uncomment following will enable tls communication between all harbor components
25. # internal_tls:
26. #   # set enabled to true means internal tls is enabled
27. #   enabled: true
28. #   # put your cert and key files on dir
29. #   dir: /etc/harbor/tls/internal
31. # Uncomment external_url if you want to enable external proxy
32. # And when it enabled the hostname will no longer used
33. # external_url: https://reg.mydomain.com:8433
35. # The initial password of Harbor admin
36. # It only works in first time to install harbor
37. # Remember Change the admin password from UI after launching Harbor.
38. # 以下是Harbor admin的默认密码，可修改
39. harbor_admin_password: Harbor123
41. # Harbor DB configuration
42. database:
43.   # The password for the root user of Harbor DB. Change this before any production use.
44.   # 内置DB的默认密码
45.   password: root123
46.   # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
47.   max_idle_conns: 100
48.   # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
49.   # Note: the default number of connections is 1024 for postgres of harbor.
50.   max_open_conns: 900
52. # The default data volume
53. # 挂载的目录
54. data_volume: /files/docker/harbor
56. # Harbor Storage settings by default is using /data dir on local filesystem
57. # Uncomment storage_service setting If you want to using external storage
58. # storage_service:
59. #   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
60. #   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
61. #   ca_bundle:
63. #   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
64. #   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
65. #   filesystem:
66. #     maxthreads: 100
67. #   # set disable to true when you want to disable registry redirect
68. #   redirect:
69. #     disabled: false
71. # Trivy configuration
72. #
73. # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
74. # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
75. # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
76. # should download a newer version from the Internet or use the cached one. Currently, the database is updated every
77. # 12 hours and published as a new release to GitHub.
78. trivy:
79.   # ignoreUnfixed The flag to display only fixed vulnerabilities
80.   ignore_unfixed: false
81.   # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
82.   #
83.   # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
84.   # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
85.   # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
86.   skip_update: false
87.   #
88.   # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
89.   # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
90.   # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
91.   # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
92.   # It would work if all the dependencies are in local.
93.   # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
94.   offline_scan: false
95.   #
96.   # insecure The flag to skip verifying registry certificate
97.   insecure: false
98.   # github_token The GitHub access token to download Trivy DB
99.   #
100.   # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
101.   # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
102.   # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
103.   # https://developer.github.com/v3/#rate-limiting
104.   #
105.   # You can create a GitHub token by following the instructions in
106.   # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
107.   #
108.   # github_token: xxx
110. jobservice:
111.   # Maximum number of job workers in job service
112.   max_job_workers: 10
114. notification:
115.   # Maximum retry count for webhook job
116.   webhook_job_max_retry: 10
118. chart:
119.   # Change the value of absolute_url to enabled can enable absolute url in chart
120.   absolute_url: disabled
122. # Log configurations
123. log:
124.   # options are debug, info, warning, error, fatal
125.   level: info
126.   # configs for logs in local storage
127.   local:
128.     # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
129.     rotate_count: 50
130.     # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
131.     # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
132.     # are all valid.
133.     rotate_size: 200M
134.     # The directory on your host that store log
135.     location: /var/log/harbor
137.   # Uncomment following lines to enable external syslog endpoint.
138.   # external_endpoint:
139.   #   # protocol used to transmit log to external endpoint, options is tcp or udp
140.   #   protocol: tcp
141.   #   # The host of external endpoint
142.   #   host: localhost
143.   #   # Port of external endpoint
144.   #   port: 5140
146. #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
147. _version: 2.5.0
149. # Uncomment external_database if using external database.
150. # external_database:
151. #   harbor:
152. #     host: harbor_db_host
153. #     port: harbor_db_port
154. #     db_name: harbor_db_name
155. #     username: harbor_db_username
156. #     password: harbor_db_password
157. #     ssl_mode: disable
158. #     max_idle_conns: 2
159. #     max_open_conns: 0
160. #   notary_signer:
161. #     host: notary_signer_db_host
162. #     port: notary_signer_db_port
163. #     db_name: notary_signer_db_name
164. #     username: notary_signer_db_username
165. #     password: notary_signer_db_password
166. #     ssl_mode: disable
167. #   notary_server:
168. #     host: notary_server_db_host
169. #     port: notary_server_db_port
170. #     db_name: notary_server_db_name
171. #     username: notary_server_db_username
172. #     password: notary_server_db_password
173. #     ssl_mode: disable
175. # Uncomment external_redis if using external Redis server
176. # external_redis:
177. #   # support redis, redis+sentinel
178. #   # host for redis: <host_redis>:<port_redis>
179. #   # host for redis+sentinel:
180. #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
181. #   host: redis:6379
182. #   password:
183. #   # sentinel_master_set must be set to support redis+sentinel
184. #   #sentinel_master_set:
185. #   # db_index 0 is for core, it's unchangeable
186. #   registry_db_index: 1
187. #   jobservice_db_index: 2
188. #   chartmuseum_db_index: 3
189. #   trivy_db_index: 5
190. #   idle_timeout_seconds: 30
192. # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
193. # uaa:
194. #   ca_file: /path/to/ca
196. # Global proxy
197. # Config http proxy for components, e.g. http://my.proxy.com:3128
198. # Components doesn't need to connect to each others via http proxy.
199. # Remove component from `components` array if want disable proxy
200. # for it. If you want use proxy for replication, MUST enable proxy
201. # for core and jobservice, and set `http_proxy` and `https_proxy`.
202. # Add domain to the `no_proxy` field, when you want disable proxy
203. # for some special registry.
204. proxy:
205.   http_proxy:
206.   https_proxy:
207.   no_proxy:
208.   components:
209.     - core
210.     - jobservice
211.     - trivy
213. # metric:
214. #   enabled: false
215. #   port: 9090
216. #   path: /metrics
218. # Trace related config
219. # only can enable one trace provider(jaeger or otel) at the same time,
220. # and when using jaeger as provider, can only enable it with agent mode or collector mode.
221. # if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
222. # if using jaeger agetn mode uncomment agent_host and agent_port
223. # trace:
224. #   enabled: true
225. #   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
226. #   sample_rate: 1
227. #   # # namespace used to differenciate different harbor services
228. #   # namespace:
229. #   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
230. #   # attributes:
231. #   #   application: harbor
232. #   # # jaeger should be 1.26 or newer.
233. #   # jaeger:
234. #   #   endpoint: http://hostname:14268/api/traces
235. #   #   username:
236. #   #   password:
237. #   #   agent_host: hostname
238. #   #   # export trace data by jaeger.thrift in compact mode
239. #   #   agent_port: 6831
240. #   # otel:
241. #   #   endpoint: hostname:4318
242. #   #   url_path: /v1/traces
243. #   #   compression: false
244. #   #   insecure: true
245. #   #   timeout: 10s
247. # enable purge _upload directories
248. upload_purging:
249.   enabled: true
250.   # remove files in _upload directories which exist for a period of time, default is one week.
251.   age: 168h
252.   # the interval of the purge operations
253.   interval: 24h
254.   dryrun: false

复制代码

2.3 将Harbor仓库地址配置在Docker的署理仓库地址中

找到自己当前部署Docker daemon.json所在目录

1. cat /etc/docker/daemon.json
2. {
3.   "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"],
4.   "insecure-registries" : ["127.0.0.1:18080"]
5. }

复制代码

配置保存后，需要重新加载启动一下Docker服务使其生效
2.4 启动Harbor

1. #使用当前目录下install指令即可启动
2. ./install.sh

复制代码

假如修改了harbor.yml则需要先执行 prepare指令，再执行install指令
别的还可以在体系上将服务固定下来，不用手动启动，将其设置为基于docker服务的体系服务

1. [Unit]
2. Description=Harbor
3. After=docker.service systemd-networkd.service systemd-resolved.service
4. Requires=docker.service
5. Documentation=http://github.com/vmware/harbor
7. [Service]
8. Type=simple
9. Restart=on-failure
10. RestartSec=5
11. ExecStart=/usr/local/bin/docker-compose -f  [harbor dir]/docker-compose.yml up      ##中括号部分修改成harbor的文件夹
12. ExecStop=/usr/local/bin/docker-compose -f [harbor dir]/docker-compose.yml down      ##中括号部分修改成harbor的文件夹
14. [Install]
15. WantedBy=multi-user.target

复制代码

2.5 校验仓库的登录与推送

1. # 一、使用页面登录，直接输入 127.0.0.1:18080的地址，即可出现登录页，可使用配置文件中的admin密码进行设置
3. # 二、使用指令验证
4. a@b:/etc/docker$ docker login 127.0.0.1:18080
5. Authenticating with existing credentials...
6. Login Succeeded
8. #制作镜像
9. docker tag nginx:latest 127.0.0.1:18080/cicd/nginx:latest
10. #查看镜像
11. a@b:/etc/docker$ docker images
12. REPOSITORY                                                TAG                                                                          IMAGE ID       CREATED         SIZE
13. 127.0.0.1:18080/cicd/nginx                                latest                                                                       2b7d6430f78d   6 days ago      142MB
14. #推送镜像
15. a@v:/etc/docker$  docker push 127.0.0.1:18080/cicd/nginx:latest
16. The push refers to repository [127.0.0.1:18080/cicd/nginx]
17. 73993eeb8aa2: Pushed
18. 2c31eef17db8: Pushed
19. 7b9055fc8058: Pushed
20. 04ab349b7b3b: Pushed
21. 226117031573: Pushed
22. 6485bed63627: Pushed
23. latest: digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc size: 1570
25. #最终能够在页面查看到对应仓库中的镜像

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。