Harbor的安装部署

立山  金牌会员 | 2024-8-28 09:25:55 | 来自手机 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 579|帖子 579|积分 1737

一、什么是Harbor

Harbor是一个开源的企业级容器镜像仓库,最初由VMware公司的中国团队开发。它旨在提供安全、高性能和易于管理的容器镜像存储、署名和扫描服务。Harbor扩展了开源Docker Distribution的功能,增长了用户通常需要的安全性、身份和管理功能,使得注册表更加接近构建和运行环境,进步了图像传输服从。Harbor支持在注册表之间复制镜像,并提供高级安全功能,如用户管理、访问控制和活动考核。
Harbor的上风在于它专为企业级环境设计,提供了合规性、性能和互操作性,特别适合在Kubernetes和Docker这样的云原生盘算平台上举行镜像管理。
Harbor实用于需要安全、稳固和高效管理大量Docker镜像的企业,尤其是在云环境、假造化环境或物理服务器中。它有助于企业实现镜像的会合存储管理,进步开发、测试和部署服从。最佳实践包罗合理规划项目布局、使用角色基础的访问控制举行权限分配、定期举行镜像扫描和更新,以及根据需要配置高可用性部署
二、安装Docker

参考:Dockr的安装
三、安装Docker Compose

GitHub下载

  • GitHub下载
  1. wget https://github.com/docker/compose/releases/download/v2.26.0/docker-compose-linux-x86_64 -O /usr/local/bin/docker-compose
复制代码

  • 赋予执行权限
  1. sudo chmod +x /usr/local/bin/docker-compose
复制代码

  • 创建软毗连
  1. sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
复制代码

  • 查看docker版本
  1. docker-compose --version
复制代码
镜像源安装

  • 镜像源下载
  1. wget https://mirror.ghproxy.com/https://github.com/docker/compose/releases/download/v2.26.0/docker-compose-linux-x86_64 -O /usr/local/bin/docker-compose
复制代码

  • 赋予执行权限:
  1. sudo chmod +x /usr/local/bin/docker-compose
复制代码

  • 创建软毗连:
  1. sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
复制代码
四、Harbor的安装

镜像源:https://mirror.ghproxy.com/

  • 从github上找到要安装的harbor的地点通过https://mirror.ghproxy.com/来从国内拉取对应的安装包
  • 通过wget https://mirror.ghproxy.com/+对应的githhub上的的安装地点 拉取安装包
  1. wget https://mirror.ghproxy.com/https://github.com/goharbor/harbor/releases/download/v2.1.3/harbor-offline-installer-v2.1.3.tgz
复制代码

  • 将安装包举行解压,解压至/usr/local/
  1. tar -zxf harbor-offline-installer-v2.1.3.tgz -C /usr/local/
复制代码

  • 修改harbor的配置文件
  1. cd /usr/local/harbor/
  2. cp harbor.yml.tmp harbor.yml
  3. vim harbor.yml
复制代码
  1. # Configuration file of Harbor
  3. # The IP address or hostname to access admin UI and registry service.
  4. # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
  5. #
  6. hostname: 域名        #harbor的域名
  8. # http related config
  9. http:
  10.   # port for http, default is 80. If https enabled, this port will redirect to https port
  11.   port: 端口号        #harbor的端口号
  12. #不使用HTTPS将其注释
  13. # https related config
  14. #https:
  15. # https port for harbor, default is 443
  16. # port: 443
  17. # The path of cert and key files for nginx
  18. # certificate: /your/certificate/path
  19. # private_key: /your/private/key/path
  21. # # Uncomment following will enable tls communication between all harbor components
  22. # internal_tls:
  23. #   # set enabled to true means internal tls is enabled
  24. #   enabled: true
  25. #   # put your cert and key files on dir
  26. #   dir: /etc/harbor/tls/internal
  28. # Uncomment external_url if you want to enable external proxy
  29. # And when it enabled the hostname will no longer used
  30. # external_url: https://reg.mydomain.com:8433
  32. # The initial password of Harbor admin
  33. # It only works in first time to install harbor
  34. # Remember Change the admin password from UI after launching Harbor.
  35. harbor_admin_password: 密码 #harbor的admin密码
  37. # Harbor DB configuration
  38. database:
  39.   # The password for the root user of Harbor DB. Change this before any production use.
  40.   password: 密码 #harbor的数据库密码
  41.   # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  42.   max_idle_conns: 100
  43.   # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  44.   # Note: the default number of connections is 1024 for postgres of harbor.
  45.   max_open_conns: 900
  47. # The default data volume
  48. data_volume: /data
  50. # Harbor Storage settings by default is using /data dir on local filesystem
  51. # Uncomment storage_service setting If you want to using external storage
  52. # storage_service:
  53. #   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
  54. #   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
  55. #   ca_bundle:
  57. #   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
  58. #   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
  59. #   filesystem:
  60. #     maxthreads: 100
  61. #   # set disable to true when you want to disable registry redirect
  62. #   redirect:
  63. #     disabled: false
  65. # Trivy configuration
  66. #
  67. # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
  68. # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
  69. # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
  70. # should download a newer version from the Internet or use the cached one. Currently, the database is updated every
  71. # 12 hours and published as a new release to GitHub.
  72. trivy:
  73.   # ignoreUnfixed The flag to display only fixed vulnerabilities
  74.   ignore_unfixed: false
  75.   # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  76.   #
  77.   # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  78.   # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  79.   # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  80.   skip_update: false
  81.   #
  82.   # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  83.   # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  84.   # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  85.   # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  86.   # It would work if all the dependencies are in local.
  87.   # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  88.   offline_scan: false
  89.   #
  90.   # insecure The flag to skip verifying registry certificate
  91.   insecure: false
  92.   # github_token The GitHub access token to download Trivy DB
  93.   #
  94.   # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  95.   # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  96.   # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  97.   # https://developer.github.com/v3/#rate-limiting
  98.   #
  99.   # You can create a GitHub token by following the instructions in
  100.   # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  101.   #
  102.   # github_token: xxx
  104. jobservice:
  105.   # Maximum number of job workers in job service
  106.   max_job_workers: 10
  108. notification:
  109.   # Maximum retry count for webhook job
  110.   webhook_job_max_retry: 10
  112. chart:
  113.   # Change the value of absolute_url to enabled can enable absolute url in chart
  114.   absolute_url: disabled
  116. # Log configurations
  117. log:
  118.   # options are debug, info, warning, error, fatal
  119.   level: info
  120.   # configs for logs in local storage
  121.   local:
  122.     # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
  123.     rotate_count: 50
  124.     # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
  125.     # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
  126.     # are all valid.
  127.     rotate_size: 200M
  128.     # The directory on your host that store log
  129.     location: /var/log/harbor
  131.   # Uncomment following lines to enable external syslog endpoint.
  132.   # external_endpoint:
  133.   #   # protocol used to transmit log to external endpoint, options is tcp or udp
  134.   #   protocol: tcp
  135.   #   # The host of external endpoint
  136.   #   host: localhost
  137.   #   # Port of external endpoint
  138.   #   port: 5140
  140. #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
  141. _version: 2.4.0
  143. # Uncomment external_database if using external database.
  144. # external_database:
  145. #   harbor:
  146. #     host: harbor_db_host
  147. #     port: harbor_db_port
  148. #     db_name: harbor_db_name
  149. #     username: harbor_db_username
  150. #     password: harbor_db_password
  151. #     ssl_mode: disable
  152. #     max_idle_conns: 2
  153. #     max_open_conns: 0
  154. #   notary_signer:
  155. #     host: notary_signer_db_host
  156. #     port: notary_signer_db_port
  157. #     db_name: notary_signer_db_name
  158. #     username: notary_signer_db_username
  159. #     password: notary_signer_db_password
  160. #     ssl_mode: disable
  161. #   notary_server:
  162. #     host: notary_server_db_host
  163. #     port: notary_server_db_port
  164. #     db_name: notary_server_db_name
  165. #     username: notary_server_db_username
  166. #     password: notary_server_db_password
  167. #     ssl_mode: disable
  169. # Uncomment external_redis if using external Redis server
  170. # external_redis:
  171. #   # support redis, redis+sentinel
  172. #   # host for redis: <host_redis>:<port_redis>
  173. #   # host for redis+sentinel:
  174. #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
  175. #   host: redis:6379
  176. #   password:
  177. #   # sentinel_master_set must be set to support redis+sentinel
  178. #   #sentinel_master_set:
  179. #   # db_index 0 is for core, it's unchangeable
  180. #   registry_db_index: 1
  181. #   jobservice_db_index: 2
  182. #   chartmuseum_db_index: 3
  183. #   trivy_db_index: 5
  184. #   idle_timeout_seconds: 30
  186. # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
  187. # uaa:
  188. #   ca_file: /path/to/ca
  190. # Global proxy
  191. # Config http proxy for components, e.g. http://my.proxy.com:3128
  192. # Components doesn't need to connect to each others via http proxy.
  193. # Remove component from `components` array if want disable proxy
  194. # for it. If you want use proxy for replication, MUST enable proxy
  195. # for core and jobservice, and set `http_proxy` and `https_proxy`.
  196. # Add domain to the `no_proxy` field, when you want disable proxy
  197. # for some special registry.
  198. proxy:
  199.   http_proxy:
  200.   https_proxy:
  201.   no_proxy:
  202.   components:
  203.     - core
  204.     - jobservice
  205.     - trivy
  207. # metric:
  208. #   enabled: false
  209. #   port: 9090
  210. #   path: /metrics
  212. # Trace related config
  213. # only can enable one trace provider(jaeger or otel) at the same time,
  214. # and when using jaeger as provider, can only enable it with agent mode or collector mode.
  215. # if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
  216. # if using jaeger agetn mode uncomment agent_host and agent_port
  217. # trace:
  218. #   enabled: true
  219. #   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
  220. #   sample_rate: 1
  221. #   # # namespace used to differenciate different harbor services
  222. #   # namespace:
  223. #   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
  224. #   # attributes:
  225. #   #   application: harbor
  226. #   # # jaeger should be 1.26 or newer.
  227. #   # jaeger:
  228. #   #   endpoint: http://hostname:14268/api/traces
  229. #   #   username:
  230. #   #   password:
  231. #   #   agent_host: hostname
  232. #   #   # export trace data by jaeger.thrift in compact mode
  233. #   #   agent_port: 6831
  234. #   # otel:
  235. #   #   endpoint: hostname:4318
  236. #   #   url_path: /v1/traces
  237. #   #   compression: false
  238. #   #   insecure: true
  239. #   #   timeout: 10s
复制代码

  • 使用./install.sh
    命令执行安装脚本
  1. ./install.sh
复制代码

  • 在/etc/hosts中添加对应的域名解析
  1. 本机IP        域名 #例:192.168.1.3  ganchengfang.xyz
复制代码
五、Harbor的登录


  • 使用docker login 域名:端口
    的命令行形式登录harbor
  1. docker login 域名:端口
复制代码

  • 使用欣赏器访问harbor
    在导航栏输入 服务器ip:端口 进入harbor的登录界面

  • 在导航栏输入 域名:端口 进入harbor的登岸界面

   注:使用 域名:端口时 需要买一个域名举行绑定(在任何公网都可访问)或修改本地的hosts来举行解析(只有修改过才能访问)

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

立山

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表