自建Harbor私有Docker镜像仓库
介绍
Harbor 是一个开源注册表,它使用策略和基于角色的访问控制来保护工件,确保图像被扫描且没有漏洞,并将图像签名为受信任。Harbor 是 CNCF 毕业项目,可提供合规性、性能和互操作性,帮助您跨云原生计算平台(如 Kubernetes 和 Docker)一致、安全地管理工件。
在现代云原生技术领域,容器化已经成为实现应用快速部署、扩展和管理的主流方式。Docker作为容器生态中的核心力量,其镜像仓库的重要性不言而喻。Harbor作为一款由VMware公司开源的企业级Docker Registry项目,以其丰富的功能特性、高度可定制性和对安全性的重视,在全球范围内广受企业和开发者的青睐。
安装教程
注意
本篇教程目前为止仅为一个参考,经过多次排查与查找资料,部署教程无误,但不知为什么在群晖NAS系统上出现两个容器无法启动,导致无法将本地镜像上传上去,待后期使用纯净环境之后再重新矫正教程!
docker-compose方式安装
演示以在群晖NAS系统上安装为例
(其他系统请自行安装好最新版本Docker、docker-compose)前往Harbor项目releases地址下载最新的文件
https://github.com/goharbor/harbor/releases有在线版和离线版的区别,可以联网的可以下载在线包,本文选择的是离线安装。
将下载的文件解压缩两次,直到得到harbor文件夹。
将此文件夹放到群晖的docker目录(随意放哪都行)
(可以先将压缩包放到群晖内再多次解压,然后再移动到对应的位置。)
(其他系统也可以通过SMB的方式直接将解压后的文件夹放到对应的位置)其他Linux系统解压文件夹命令(如无工具,请自行安装。) #格式 tar -xf 文件名 tar -xf harbor-offline-installer-v2.11.0.tgz
打开群晖的SSH功能,使用终端软件进行连接,并切换到root状态下。
进入群晖的docker文件夹内的harbor文件夹(就是你存放harbor文件夹的路径)
#自行替换为自己的实际文件夹路径 cd /volume1/docker/harbor创建所需的子文件夹
mkdir -p common/config mkdir -p /var/log/harbor mkdir data将配置文件重命名
cp harbor.yml.tmpl harbor.yml编辑重命名后的配置文件
vi harbor.yml按字母 i 键进入编辑模式,修改下面的配置文件,按Esc键退出编辑模式,输入 :wq 退出并保存。
(配置文件的https部分先注释掉,目前先使用http协议。)#只需要修改我写了中文注释的地方即可!!! # Configuration file of Harbor # The IP address or hostname to access admin UI and registry service. # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients. hostname: reg.mydomain.com #将reg.mydomain.com 换成你的NAS的IP(演示使用)、或者你的域名 # http related config http: # port for http, default is 80. If https enabled, this port will redirect to https port port: 80 #容器默认HTTP访问端口,可以自己修改成你想用的。 # https related config #将https://这一段(此处开始共九行)添加 # 符号注释掉(就是在这几行前面添加 # 符号)。 https: # https port for harbor, default is 443 port: 443 # The path of cert and key files for nginx certificate: /your/certificate/path private_key: /your/private/key/path # enable strong ssl ciphers (default: false) # strong_ssl_ciphers: false # # Harbor will set ipv4 enabled only by default if this block is not configured # # Otherwise, please uncomment this block to configure your own ip_family stacks # ip_family: # # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component # ipv6: # enabled: false # # ipv4Enabled set to true by default, currently it affected the nginx related component # ipv4: # enabled: true # # Uncomment following will enable tls communication between all harbor components # internal_tls: # # set enabled to true means internal tls is enabled # enabled: true # # put your cert and key files on dir # dir: /etc/harbor/tls/internal # Uncomment external_url if you want to enable external proxy # And when it enabled the hostname will no longer used # external_url: https://reg.mydomain.com:8433 # The initial password of Harbor admin # It only works in first time to install harbor # Remember Change the admin password from UI after launching Harbor. harbor_admin_password: Harbor12345 #默认登录账号admin,默认密码是Harbor12345 ,你可以自己修改密码。 # Harbor DB configuration database: # The password for the root user of Harbor DB. Change this before any production use. password: root123 # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. max_idle_conns: 100 # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. # Note: the default number of connections is 1024 for postgres of harbor. max_open_conns: 900 # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age. # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". conn_max_lifetime: 5m # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time. # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". conn_max_idle_time: 0 # The default data volume data_volume: /data #将/data换成创建的data文件夹的完整路径 # Harbor Storage settings by default is using /data dir on local filesystem # Uncomment storage_service setting If you want to using external storage # storage_service: # # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore # # of registry's containers. This is usually needed when the user hosts a internal storage with self signed certificate. # ca_bundle: # # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss # # for more info about this configuration please refer https://distribution.github.io/distribution/about/configuration/ # # and https://distribution.github.io/distribution/storage-drivers/ # filesystem: # maxthreads: 100 # # set disable to true when you want to disable registry redirect # redirect: # disable: false # Trivy configuration # # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it # should download a newer version from the Internet or use the cached one. Currently, the database is updated every # 12 hours and published as a new release to GitHub. trivy: # ignoreUnfixed The flag to display only fixed vulnerabilities ignore_unfixed: false # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub # # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path. skip_update: false # # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path skip_java_db_update: false # # The offline_scan option prevents Trivy from sending API requests to identify dependencies. # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. # It would work if all the dependencies are in local. # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment. offline_scan: false # # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. security_check: vuln # # insecure The flag to skip verifying registry certificate insecure: false # # timeout The duration to wait for scan completion. # There is upper bound of 30 minutes defined in scan job. So if this `timeout` is larger than 30m0s, it will also timeout at 30m0s. timeout: 5m0s # # github_token The GitHub access token to download Trivy DB # # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult # https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting # # You can create a GitHub token by following the instructions in # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line # # github_token: xxx jobservice: # Maximum number of job workers in job service max_job_workers: 10 # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB" job_loggers: - STD_OUTPUT - FILE # - DB # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) logger_sweeper_duration: 1 #days notification: # Maximum retry count for webhook job webhook_job_max_retry: 3 # HTTP client timeout for webhook job webhook_job_http_client_timeout: 3 #seconds # Log configurations log: # options are debug, info, warning, error, fatal level: info # configs for logs in local storage local: # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. rotate_count: 50 # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G # are all valid. rotate_size: 200M # The directory on your host that store log location: /var/log/harbor # Uncomment following lines to enable external syslog endpoint. # external_endpoint: # # protocol used to transmit log to external endpoint, options is tcp or udp # protocol: tcp # # The host of external endpoint # host: localhost # # Port of external endpoint # port: 5140 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! _version: 2.11.0 # Uncomment external_database if using external database. # external_database: # harbor: # host: harbor_db_host # port: harbor_db_port # db_name: harbor_db_name # username: harbor_db_username # password: harbor_db_password # ssl_mode: disable # max_idle_conns: 2 # max_open_conns: 0 # Uncomment redis if need to customize redis db # redis: # # db_index 0 is for core, it's unchangeable # # registry_db_index: 1 # # jobservice_db_index: 2 # # trivy_db_index: 5 # # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it. # # harbor_db_index: 6 # # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it. # # cache_layer_db_index: 7 # Uncomment external_redis if using external Redis server # external_redis: # # support redis, redis+sentinel # # host for redis: <host_redis>:<port_redis> # # host for redis+sentinel: # # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3> # host: redis:6379 # password: # # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form. # # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892 # # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage # # username: # # sentinel_master_set must be set to support redis+sentinel # #sentinel_master_set: # # db_index 0 is for core, it's unchangeable # registry_db_index: 1 # jobservice_db_index: 2 # trivy_db_index: 5 # idle_timeout_seconds: 30 # # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it. # # harbor_db_index: 6 # # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it. # # cache_layer_db_index: 7 # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert. # uaa: # ca_file: /path/to/ca # Global proxy # Config http proxy for components, e.g. http://my.proxy.com:3128 # Components doesn't need to connect to each others via http proxy. # Remove component from `components` array if want disable proxy # for it. If you want use proxy for replication, MUST enable proxy # for core and jobservice, and set `http_proxy` and `https_proxy`. # Add domain to the `no_proxy` field, when you want disable proxy # for some special registry. proxy: http_proxy: https_proxy: no_proxy: components: - core - jobservice - trivy # metric: # enabled: false # port: 9090 # path: /metrics # Trace related config # only can enable one trace provider(jaeger or otel) at the same time, # and when using jaeger as provider, can only enable it with agent mode or collector mode. # if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed # if using jaeger agetn mode uncomment agent_host and agent_port # trace: # enabled: true # # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth # sample_rate: 1 # # # namespace used to differentiate different harbor services # # namespace: # # # attributes is a key value dict contains user defined attributes used to initialize trace provider # # attributes: # # application: harbor # # # jaeger should be 1.26 or newer. # # jaeger: # # endpoint: http://hostname:14268/api/traces # # username: # # password: # # agent_host: hostname # # # export trace data by jaeger.thrift in compact mode # # agent_port: 6831 # # otel: # # endpoint: hostname:4318 # # url_path: /v1/traces # # compression: false # # insecure: true # # # timeout is in seconds # # timeout: 10 # Enable purge _upload directories upload_purging: enabled: true # remove files in _upload directories which exist for a period of time, default is one week. age: 168h # the interval of the purge operations interval: 24h dryrun: false # Cache layer configurations # If this feature enabled, harbor will cache the resource # `project/project_metadata/repository/artifact/manifest` in the redis # which can especially help to improve the performance of high concurrent # manifest pulling. # NOTICE # If you are deploying Harbor in HA mode, make sure that all the harbor # instances have the same behaviour, all with caching enabled or disabled, # otherwise it can lead to potential data inconsistency. cache: # not enabled by default enabled: false # keep cache for one day by default expire_hours: 24 # Harbor core configurations # Uncomment to enable the following harbor core related configuration items. # core: # # The provider for updating project quota(usage), there are 2 options, redis or db, # # by default is implemented by db but you can switch the updation via redis which # # can improve the performance of high concurrent pushing to the same project, # # and reduce the database connections spike and occupies. # # By redis will bring up some delay for quota usage updation for display, so only # # suggest switch provider to redis if you were ran into the db connections spike around # # the scenario of high concurrent pushing to same project, no improvement for other scenes. # quota_update_provider: redis # Or db对项目文件夹授权everyone的读写权限为777。
#查看当前文件夹路径 pwd #授权777权限(换成你自己的实际文件夹路径) chmod -R 777 /volume1/docker/harbor执行运行脚本
./install.sh查看正在运行的项目容器
docker-compose ps常用的启停命令(须进到harbor目录下执行)
# docker-compose up -d #在后台启动所有服务 # docker-compose build #在运行项目前先构建项目所需镜像 # docker-compose ps #列出本地docker-compose.yml文件里定义的正在运行的所有服务 # docker-compose stop #停止所有服务,如果服务没有停止,可以使用docker-compose kill强制杀死服务 # docker-compose start #开启所有服务 # docker-compose rm #删除所有服务
访问Harbor镜像仓库系统
打开浏览器,以群晖的IP+设置的端口进行访问。
以本机为例:http://192.168.2.35:8000
账号:admin
密码:你自己设置的/默认密码Harbor12345
登录成功
项目地址
GitHub项目地址:https://github.com/goharbor/harbor
网络参考地址:https://mp.weixin.qq.com/s/ihP0YYRepIiFklAjVXNapg
.gif)
👇👇👇
- 感谢你赐予我前进的力量
-
微信 
支付宝
赞赏者名单
因为你们的支持让我意识到写文章的价值🙏
阅读建议
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果
最近发布