
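Summary

I use Docker all the time to deploy all kinds of environments, and pulling images from Docker Hub is sometimes slow. Third-party images can be sped up through registry mirrors hosted in China, but that does not help with images we build ourselves. In that case a private image registry is well worth setting up. I recently came across Harbor, an enterprise-grade image registry that is easy to use and powerful, and I recommend it!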

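Introduction to Harbor

Harbor is an open-source Docker image registry service that currently has 13.4k+ stars on GitHub. It provides role-based access control for images, which helps keep your images secure.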

Installation

The first step in learning an open-source project is usually to get it running, so let's start by getting Harbor running!

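Download the Harbor installation package; the v1.10.6 offline version is used here. Download address: https://github.com/goharbor/harbor/releases
After the download completes, upload it to the Linux server and extract it with the following command:
    tar xvf harbor-offline-installer-v1.10.6.tgz
After extraction, the files are as follows: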
    [root@linux-local harbor]# ll
    total 700260
    drwxr-xr-x. 3 root root        20 Dec  2 11:18 common
    -rw-r--r--. 1 root root      3398 Nov 17 11:58 common.sh
    -rw-r--r--. 1 root root      5348 Dec  2 14:41 docker-compose.yml
    -rw-r--r--. 1 root root 717021676 Nov 17 11:59 harbor.v1.10.6.tar.gz
    -rw-r--r--. 1 root root      5882 Dec  2 11:21 harbor.yml
    -rwxr-xr-x. 1 root root      2284 Nov 17 11:58 install.sh
    -rw-r--r--. 1 root root     11347 Nov 17 11:58 LICENSE
    -rwxr-xr-x. 1 root root      1749 Nov 17 11:58 prepare
Edit Harbor's configuration file harbor.yml: change hostname and comment out the https configuration; the comments explain what each property does:
    # Address used to reach Harbor's management UI and image registry
    hostname: 192.168.3.101
    # http related configuration
    http:
      # http port; if https is configured, https is used by default
      port: 80
    # https related configuration
    #https:
    #  # https port
    #  port: 443
    #  # Paths of the https certificate and private key used by Nginx in Harbor
    #  certificate: /your/certificate/path
    #  private_key: /your/private/key/path
    # Password of Harbor's default administrator account admin
    harbor_admin_password: Harbor12345
    # Configuration of Harbor's built-in PostgreSQL database
    database:
      # Password of the root user
      password: root123
      # Maximum number of idle connections; a value <= 0 means no idle connections
      max_idle_conns: 50
      # Maximum number of connections; a value <= 0 means unlimited
      max_open_conns: 100
    # Default data directory
    data_volume: /data
    # Clair configuration
    clair:
      # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
      updaters_interval: 12
    jobservice:
      # Maximum number of job workers in job service
      max_job_workers: 10
    notification:
      # Maximum retry count for webhook job
      webhook_job_max_retry: 10
    chart:
      # Change the value of absolute_url to enabled can enable absolute url in chart
      absolute_url: disabled
    # Log configuration
    log:
      # Log level: debug, info, warning, error, fatal
      level: info
      # Local log storage policy
      local:
        # Number of rotated log files to keep; files beyond this count are deleted
        rotate_count: 50
        # Rotation size; a new log file is created once this size is exceeded
        rotate_size: 200M
        # Log storage path
        location: /var/log/harbor
    # This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
    _version: 1.10.0
    # Configure proxies to be used by Clair, the replication jobservice, and Harbor. Leave blank if no proxies are required.
    proxy:
      http_proxy:
      https_proxy:
      # no_proxy endpoints will appended to 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair,chartmuseum,notary-server
      no_proxy:
      components:
        - core
        - jobservice
        - clair
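The harbor.yml above keeps the https section commented out and leaves both passwords at the values shipped in Harbor's sample file. The following check is an added example, not part of the original post or of Harbor itself; it flags exactly those three settings before install.sh is run. The names parse_harbor_yml, audit_harbor_yml and PAGE_CONFIG are hypothetical, and the sample input is constructed from the configuration shown above.

```python
import re

# Published defaults from Harbor's sample harbor.yml, left unchanged on this page.
DEFAULTS = {("", "harbor_admin_password"): "Harbor12345",
            ("database", "password"): "root123"}

# Constructed sample: the security-relevant lines of the harbor.yml above.
PAGE_CONFIG = """\
hostname: 192.168.3.101
http:
  port: 80
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
"""

def parse_harbor_yml(text):
    """Map (section, key) -> value for active lines; top-level keys use section "".
    Line-based on purpose (two nesting levels suffice, no PyYAML dependency)."""
    settings, section = {}, ""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # strip trailing comment
        m = re.match(r"^(\s*)([A-Za-z_]\w*):\s*(.*)$", line)
        if not m:
            continue                                   # blank, comment or list item
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        if indent == 0:
            section = key if value == "" else ""
            settings[("", key)] = value
        elif indent == 2:
            settings[(section, key)] = value
    return settings

def audit_harbor_yml(text):
    """Return findings for the weak settings this walkthrough relies on."""
    cfg, findings = parse_harbor_yml(text), []
    if not (cfg.get(("https", "certificate")) and cfg.get(("https", "private_key"))):
        findings.append("https: section inactive, so logins and pushes use clear-text HTTP")
    for (section, key), default in DEFAULTS.items():
        if cfg.get((section, key)) == default:
            name = f"{section}.{key}" if section else key
            findings.append(f"{name} is still the published default")
    return findings

if __name__ == "__main__":
    for finding in audit_harbor_yml(PAGE_CONFIG):
        print("FINDING:", finding)
```

Run against the configuration on this page it reports three findings; with the https section uncommented and both passwords replaced it reports none.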
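Install Harbor with the install.sh script:
    ./install.sh
Once Harbor has started it prints the following output. Note that Harbor starts containers such as Nginx and Redis, so any you created earlier need to be removed first. Seeing started successfully means the startup succeeded: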
    [Step 0]: checking if docker is installed ...
    Note: docker version: 19.03.5
    [Step 1]: checking docker-compose is installed ...
    Note: docker-compose version: 1.24.0
    [Step 2]: loading Harbor images ...
    Loaded image: goharbor/harbor-migrator:v1.10.6
    Loaded image: goharbor/harbor-core:v1.10.6
    Loaded image: goharbor/harbor-db:v1.10.6
    Loaded image: goharbor/harbor-registryctl:v1.10.6
    Loaded image: goharbor/nginx-photon:v1.10.6
    Loaded image: goharbor/clair-photon:v1.10.6
    Loaded image: goharbor/clair-adapter-photon:v1.10.6
    Loaded image: goharbor/harbor-portal:v1.10.6
    Loaded image: goharbor/harbor-log:v1.10.6
    Loaded image: goharbor/registry-photon:v1.10.6
    Loaded image: goharbor/notary-signer-photon:v1.10.6
    Loaded image: goharbor/harbor-jobservice:v1.10.6
    Loaded image: goharbor/redis-photon:v1.10.6
    Loaded image: goharbor/prepare:v1.10.6
    Loaded image: goharbor/notary-server-photon:v1.10.6
    Loaded image: goharbor/chartmuseum-photon:v1.10.6
    [Step 3]: preparing environment ...
    [Step 4]: preparing harbor configs ...
    prepare base dir is set to /mydata/harbor/harbor
    WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
    Clearing the configuration file: /config/log/logrotate.conf
    Clearing the configuration file: /config/log/rsyslog_docker.conf
    Clearing the configuration file: /config/nginx/nginx.conf
    Clearing the configuration file: /config/core/env
    Clearing the configuration file: /config/core/app.conf
    Clearing the configuration file: /config/registry/config.yml
    Clearing the configuration file: /config/registry/root.crt
    Clearing the configuration file: /config/registryctl/env
    Clearing the configuration file: /config/registryctl/config.yml
    Clearing the configuration file: /config/db/env
    Clearing the configuration file: /config/jobservice/env
    Clearing the configuration file: /config/jobservice/config.yml
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    loaded secret from file: /secret/keys/secretkey
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir
    Note: stopping existing Harbor instance ...
    Stopping harbor-jobservice ... done
    Stopping harbor-core       ... done
    Stopping redis             ... done
    Stopping registryctl       ... done
    Stopping registry          ... done
    Stopping harbor-db         ... done
    Stopping harbor-portal     ... done
    Stopping harbor-log        ... done
    Removing harbor-jobservice ... done
    Removing harbor-core       ... done
    Removing redis             ... done
    Removing registryctl       ... done
    Removing registry          ... done
    Removing harbor-db         ... done
    Removing harbor-portal     ... done
    Removing harbor-log        ... done
    Removing network harbor_harbor
    [Step 5]: starting Harbor ...
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log ... done
    Creating harbor-portal ... done
    Creating registry      ... done
    Creating harbor-db     ... done
    Creating registryctl   ... done
    Creating redis         ... done
    Creating harbor-core   ... done
    Creating harbor-jobservice ... done
    Creating nginx             ... done
    ✔ ----Harbor has been installed and started successfully.----
We can use the docker images command to look at the Docker images that the Harbor installation loaded; there are quite a few:
    REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
                                         latest              dc3bacd8b5ea        8 days ago          1.23MB
    goharbor/chartmuseum-photon          v1.10.6             01b70eccaf71        2 weeks ago         178MB
    goharbor/harbor-migrator             v1.10.6             a5d4a4ee44e4        2 weeks ago         356MB
    goharbor/redis-photon                v1.10.6             99e25b65195c        2 weeks ago         132MB
    goharbor/clair-adapter-photon        v1.10.6             aa72598ecc12        2 weeks ago         61.3MB
    goharbor/clair-photon                v1.10.6             da1b03030e34        2 weeks ago         171MB
    goharbor/notary-server-photon        v1.10.6             37c8bed3e255        2 weeks ago         142MB
    goharbor/notary-signer-photon        v1.10.6             c56d82220929        2 weeks ago         139MB
    goharbor/harbor-registryctl          v1.10.6             1d3986d90c65        2 weeks ago         101MB
    goharbor/registry-photon             v1.10.6             3e669c8204ed        2 weeks ago         83.7MB
    goharbor/nginx-photon                v1.10.6             a39d8dd46060        2 weeks ago         43.7MB
    goharbor/harbor-log                  v1.10.6             1085d3865a57        2 weeks ago         106MB
    goharbor/harbor-jobservice           v1.10.6             aa05538acecf        2 weeks ago         143MB
    goharbor/harbor-core                 v1.10.6             193e76e6be5d        2 weeks ago         129MB
    goharbor/harbor-portal               v1.10.6             942a9c448850        2 weeks ago         51.8MB
    goharbor/harbor-db                   v1.10.6             37da2e5414ae        2 weeks ago         170MB
    goharbor/prepare                     v1.10.6             35f073e33ec5        2 weeks ago         177MB
Open Harbor's management UI and log in with the account and password admin:Harbor12345. Access address: http://192.168.3.101/

Usage

Next we can use Harbor to manage our images.

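First click the New Project button to create a project; here we create a private project named test.
Because the docker login command does not support HTTP access by default, we have to enable it manually by editing Docker's configuration file daemon.json with Vim:
    vi /etc/docker/daemon.json
Add an insecure-registries line, which allows the Harbor registry to be accessed insecurely; be careful not to leave out the port number 80:
    {
      "registry-mirrors": ["https://xxx.aliyuncs.com"],
      "insecure-registries": ["192.168.3.101:80"]
    }
Restart the docker service again:
    systemctl restart docker
Start the Harbor service again with install.sh:
    ./install.sh
Log in to the Harbor registry with the docker login command, remembering to include port 80: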
    [root@linux-local harbor]# docker login 192.168.3.101:80
    Username: admin
    Password: 
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded
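The daemon.json edit and the docker login warning above leave two things on the Docker host that are worth checking for: a registry exempted from TLS and a password kept in config.json as plain base64. The following check is an added example, not part of the original post; audit_docker_client and the SAMPLE_* values are hypothetical names, and the inputs are constructed to mirror the two files this page touches.

```python
import base64
import json

# Constructed sample inputs mirroring the files edited or written on this page.
SAMPLE_DAEMON = json.dumps({
    "registry-mirrors": ["https://xxx.aliyuncs.com"],
    "insecure-registries": ["192.168.3.101:80"],
})
SAMPLE_CONFIG = json.dumps({"auths": {"192.168.3.101:80": {
    "auth": base64.b64encode(b"admin:constructed-password").decode()}}})

def audit_docker_client(daemon_json, config_json):
    """Return findings for a Docker host configured as in this walkthrough.

    daemon_json: text of /etc/docker/daemon.json
    config_json: text of ~/.docker/config.json (written by docker login)
    """
    findings = []
    daemon = json.loads(daemon_json or "{}")
    for registry in daemon.get("insecure-registries", []):
        findings.append(
            f"{registry}: insecure-registries allows plain HTTP or unverified TLS")

    config = json.loads(config_json or "{}")
    for registry, entry in config.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # empty entry: the secret is held by a credential helper
        # "auth" is only base64("user:password"); report the user, never the secret.
        user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
        findings.append(
            f"{registry}: password for '{user}' stored unencrypted in config.json")
    return findings

if __name__ == "__main__":
    for finding in audit_docker_client(SAMPLE_DAEMON, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Both findings go away once Harbor is served over https with a certificate the host trusts and a credential helper is configured, as the docker login warning itself suggests.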
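Write a Dockerfile for building a Docker image; the simplest possible busybox one looks like this:
    FROM busybox:latest
Build your own busybox image with the following command:
    docker build -t 192.168.3.101:80/test/busybox .
Push the busybox image you built to the Harbor registry:
    docker push 192.168.3.101:80/test/busybox
After a successful push, the busybox image can be seen in Harbor's management UI.
Because Harbor is deployed with Docker Compose, you can stop and start it directly with Docker Compose commands.
    # Stop Harbor
    docker-compose stop
    # Start Harbor
    docker-compose start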
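Using Harbor with Spring Boot

Here the earlier mall-tiny-fabric project is used to show how to package an image and push it to the Harbor registry in one step with a Maven plugin.

Then use the Maven plugin to package the image and push it to the Harbor registry; for details see "Still deploying Spring Boot applications by hand? Try this automation plugin!". The output during the push is as follows: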
    [INFO] Scanning for projects...
    [INFO]
    [INFO] ------------------------------------------------------------------------
    [INFO] Building mall-tiny-fabric 0.0.1-SNAPSHOT
    [INFO] ------------------------------------------------------------------------
    [INFO]
    [INFO] --- docker-maven-plugin:0.33.0:push (default-cli) @ mall-tiny-fabric ---
    [INFO] DOCKER> The push refers to repository [192.168.3.101:80/mall-tiny/mall-tiny-fabric]
    ###############
    [INFO] DOCKER> 0.0.1-SNAPSHOT: digest: sha256:3a54682fd3b04526f6da0916e98f3d0d5ba4193a8ad6aafbe6c05a1badf6c13b size: 2212
    [INFO] DOCKER> Temporary image tag skipped. Target image '192.168.3.101:80/mall-tiny/mall-tiny-fabric:0.0.1-SNAPSHOT' already has registry set or no registry is available
    [INFO] DOCKER> Pushed 192.168.3.101:80/mall-tiny/mall-tiny-fabric:0.0.1-SNAPSHOT in 2 minutes and 8 seconds
    [INFO] ------------------------------------------------------------------------
    [INFO] BUILD SUCCESS
    [INFO] ------------------------------------------------------------------------
    [INFO] Total time: 02:11 min
    [INFO] Finished at: 2020-12-02T15:11:10+08:00
    [INFO] Final Memory: 19M/219M
    [INFO] ------------------------------------------------------------------------

    Process finished with exit code 0
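Open the Harbor management page and you will find that the mall-tiny-fabric image is already there.

Conclusion

Harbor provides a management UI that makes it easier to manage Docker images, and it adds role-based permission management to protect them. Previously, to use images safely, we had to set up cumbersome TLS to control image builds on a remote Docker service; for details see "Your Docker service exposed this port, and the server became a bot within minutes!". Now we only need to set up a Harbor registry, build the image locally and upload it to Harbor, and pull it straight from Harbor whenever it is needed!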
