简述：

Docker 官方镜像仓库是用于管理公共镜像的地方，大家可以在上面找到想要的镜像，也可以把自己的镜像推送上去。但是有时候服务器无法访问互联网，或者不希望将自己的镜像放到互联网上，那么就需要用到 Docker Registry 私有仓库，它可以用来存储和管理自己的镜像。最近公司将项目全部打包成镜像有部署私有仓库服务的需求，经过几轮商讨，最终选择 Docker Harbor，Docker Harbor 有可视化的 Web 管理界面可以方便管理Docker 镜像操作也很方便简单，又提供了多个项目的镜像权限管理控制功能等。

Harbor 架构构成

Proxy：Harbor 的 Registry、UI、token 等服务。通过一个前置的反向代理统一接收浏览器Docker 客户端的请求，并将请求转发给后端不同的服务。
Registry：负责储存Docker镜像，并处理 Docker push/pull 命令。由于要对用户进行访问控制，即不同用户对Docker image有不同的读写权限，Registry会指向一个 token服务，强制用户的每次 Docker pull/push 请求都要携带一个合法的token,Registry会通过公钥对 token 进行解密验证。

环境：

两台主机：

192.168.50.66 master 服务端

192.168.50.53 lbin-nfs 客户端

两台主机同样操作

关闭防火墙

[root@localhost ~]# iptables -F

[root@localhost ~]# setenforce 0

[root@localhost ~]# systemctl stop firewalld

更改主机名

[root@localhost ~]# hostname master

[root@localhost ~]# bash

创建dockers rpm包目录

[root@master ~]# mkdir docker

导入docker -ce

[root@master docker]# ll

总用量 97596

-rw-r--r--. 1 root root 30374084 9月 18 2020 containerd.io-1.3.7-3.1.el7.x86_64.rpm

-rw-r--r--. 1 root root    40816 7月   6 2020 container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm

-rw-r--r--. 1 root root   302564 5月 14 2020 device-mapper-1.02.164-7.el7_8.2.x86_64.rpm

-rw-r--r--. 1 root root   195448 5月 14 2020 device-mapper-event-1.02.164-7.el7_8.2.x86_64.rpm

-rw-r--r--. 1 root root   195004 5月 14 2020 device-mapper-event-libs-1.02.164-7.el7_8.2.x86_64.rpm

-rw-r--r--. 1 root root   331908 5月 14 2020 device-mapper-libs-1.02.164-7.el7_8.2.x86_64.rpm

-rw-r--r--. 1 root root   432624 4月   4 2020 device-mapper-persistent-data-0.8.5-2.el7.x86_64.rpm

-rw-r--r--. 1 root root 25268380 9月 18 2020 docker-ce-19.03.13-3.el7.x86_64.rpm

-rw-r--r--. 1 root root 40247476 10月 9 2020 docker-ce-cli-19.03.13-3.el7.x86_64.rpm

-rw-r--r--. 1 root root 1384208 5月 14 2020 lvm2-2.02.186-7.el7_8.2.x86_64.rpm

-rw-r--r--. 1 root root 1143916 5月 14 2020 lvm2-libs-2.02.186-7.el7_8.2.x86_64.rpm

[root@localhost docker]# yum -y install *.rpm

[root@localhost docker]# cd

重启

[root@localhost ~]# systemctl start docker

[root@localhost ~]# systemctl enable docker

Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

配置阿里云镜像加速

[root@localhost ~]# cat << END > /etc/docker/daemon.json

> {

> "registry-mirrors":[ "https://nyakyfun.mirror.aliyuncs.com" ]

> }

> END

重启服务

[root@localhost ~]# systemctl daemon-reload

[root@localhost ~]# systemctl restart docker

获取Docker Compose容器的工具。

[root@localhost ~]# rz

[root@localhost ~]# mv docker-compose /usr/bin

[root@localhost ~]# chmod +x /usr/bin/docker-compose

[root@localhost ~]# docker-compose --version

docker-compose version 1.21.1, build 5a3f1a3

Harbor配置服务端

[root@master ~]# tar xf harbor-offline-installer-v1.6.1.tgz

[root@master ~]# cd harbor

[root@master harbor]# tree

bash: tree: 未找到命令

[root@master harbor]# yum -y install tree

[root@master harbor]# tree ha
ha
├── docker-compose.clair.tpl
├── docker-compose.clair.yml
├── docker-compose.tpl
├── docker-compose.yml
├── initial-registry.sql
└── sample
    ├── active_active
    │   ├── check.sh
    │   └── keepalived_active_active.conf
    └── active_standby
        ├── check_harbor.sh
        └── keepalived_active_standby.conf

[root@master ]# vim /root/harbor/harbor.cfg

7 hostname = 192.168.50.66

[root@master harbor]# sh install.sh

如果报错就更改下面文件

[root@master harbor]# cat ha/initial-registry.sql

CREATE DATABASE IF NOT EXISTS `registry` CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';

成功

查看

[root@master harbor]# docker-compose ps

       Name                     Command                  State                    Ports

----------------------------------------------------------------------------------------------------

harbor-adminserver   /harbor/start.sh                 Up (healthy)

harbor-db            /entrypoint.sh postgres          Up (healthy)   5432/tcp

harbor-jobservice    /harbor/start.sh                 Up

harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp

harbor-ui            /harbor/start.sh                 Up (healthy)

nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp,

                                                                     0.0.0.0:4443->4443/tcp,

                                                                     0.0.0.0:80->80/tcp

redis                docker-entrypoint.sh redis ...   Up             6379/tcp

registry             /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp

浏览器访问

如果一切都正常，应该可以打开浏览器访问192.168.50.66的管理页面，默认的管理员用户名和密码是 admin/Harbor12345

创建一个新项目

输入用户名和密码登录界面后可以创建一个新项目。点击“+项目”按钮。

点击“确定”按钮，成功创建

可以使用 Docker 命令在Harbor本地通过 127.0.0.1 来登录和推送镜像了。默认情况下， Register 服务器在端口 80 上

登陆 harbor

[root@master harbor]# docker login -u admin -p Harbor12345 http://127.0.0.1

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

下载镜像准备测试

[root@master harbor]# docker pull cirros

Using default tag: latest

latest: Pulling from library/cirros

d0b405be7a32: Pull complete

bd054094a037: Pull complete

c6a00de1ec8a: Pull complete

Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47

Status: Downloaded newer image for cirros:latest

docker.io/library/cirros:latest

给镜像打tag

[root@master harbor]# docker tag cirros 127.0.0.1/cccoooo/cirros:v1

上传到 harbor

[root@master harbor]# docker push 127.0.0.1/cccoooo/cirros:v1

The push refers to repository [127.0.0.1/cccoooo/cirros]

984ad441ec3d: Pushed

f0a496d92efa: Pushed

e52d19c3bee2: Pushed

v1: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943

查看一下有没有

[root@master harbor]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

127.0.0.1/cccoooo/cirros v1 f9cae1daf5f6 2 years ago 12.6MB

刷新查看

客户端上传镜像

修改配置文件

vim /usr/lib/systemd/system/docker.service

14 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-reg istry192.168.50.66

重启服务

[root@localhost ~]# systemctl daemon-reload

[root@localhost ~]# systemctl restart docker

登陆访问

第一种

[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 http://192.168.50.66

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

第二种

[root@lbin-nfs ~]# docker login -u admin -p Harbor12345 192.168.50.66

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

下载镜像准备测试

[root@lbin-nfs ~]# docker pull cirros

Using default tag: latest

latest: Pulling from library/cirros

d0b405be7a32: Pull complete

bd054094a037: Pull complete

c6a00de1ec8a: Pull complete

Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47

Status: Downloaded newer image for cirros:latest

docker.io/library/cirros:latest

打标签

[root@lbin-nfs ~]# docker tag cirros 192.168.50.66/cccoooo/cirros:v22

上传

[root@lbin-nfs ~]# docker push 192.168.50.66/cccoooo/cirros:v22

The push refers to repository [192.168.50.66/cccoooo/cirros]

984ad441ec3d: Layer already exists

f0a496d92efa: Layer already exists

e52d19c3bee2: Layer already exists

v22: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943

浏览器查看

Harbor 日常操作管理

点击“+项目”时按规范填写项目名称。项目级别：私有即不勾选(勾选后会变为"公开")。如果设置为公共仓库，则所有人对此项目下的镜像拥有读权限，命令行中不需要执行"Docker login"即可下载镜像，镜像操作与Docker hub 一致。

创建用户

设置权限

首先退出当前用户，然后使用上述创建的账户登录。

退出

[root@lbin-nfs ~]# docker logout 192.168.50.66

Removing login credentials for 192.168.50.66

登陆

[root@lbin-nfs ~]# docker login 192.168.50.66

Username: asd

Password:

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

下载v1镜像

[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1

Error response from daemon: pull access denied for 192.168.50.66/cccoooo/cirros, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

[root@lbin-nfs ~]# docker pull 192.168.50.66/cccoooo/cirros:v1

v1: Pulling from cccoooo/cirros

Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22

Status: Downloaded newer image for 192.168.50.66/cccoooo/cirros:v1

192.168.50.66/cccoooo/cirros:v1

查看

[root@lbin-nfs ~]# docker images

REPOSITORY                     TAG                 IMAGE ID            CREATED             SIZE

postgres                       latest              07e2ee723e2d        19 months ago       374MB

mysql                          5.6                 dd3b2a5dcb48        19 months ago       303MB

redis                          alpine              3900abf41552        20 months ago       32.4MB

192.168.50.66/cccoooo/cirros   v1                  f9cae1daf5f6        2 years ago         12.6MB

查看日志

管理 Harbor

可以使用 docker-compose来管理Harbor。一些有用的命令如下所示（必须在与docker-compose.yml 相同的目录中运行）。

停止/启动/重启 Harbor

[root@master harbor]# docker-compose stop | start | restart