介绍

  • Harbor 是一个开源注册表,它使用策略和基于角色的访问控制来保护工件,确保图像被扫描且没有漏洞,并将图像签名为受信任。Harbor 是 CNCF 毕业项目,可提供合规性、性能和互操作性,帮助您跨云原生计算平台(如 Kubernetes 和 Docker)一致、安全地管理工件。

  • 在现代云原生技术领域,容器化已经成为实现应用快速部署、扩展和管理的主流方式。Docker作为容器生态中的核心力量,其镜像仓库的重要性不言而喻。Harbor作为一款由VMware公司开源的企业级Docker Registry项目,以其丰富的功能特性、高度可定制性和对安全性的重视,在全球范围内广受企业和开发者的青睐。

安装教程

注意

  • 本篇教程目前为止仅为一个参考,经过多次排查与查找资料,部署教程无误,但不知为什么在群晖NAS系统上出现两个容器无法启动,导致无法将本地镜像上传上去,待后期使用纯净环境之后再重新矫正教程!

docker-compose方式安装

  1. 演示以在群晖NAS系统上安装为例
    (其他系统请自行安装好最新版本Docker、docker-compose)

  2. 前往Harbor项目releases地址下载最新的文件

    https://github.com/goharbor/harbor/releases
  3. 有在线版和离线版的区别,可以联网的可以下载在线包,本文选择的是离线安装。

  4. 将下载的文件解压缩两次,直到得到harbor文件夹。

  5. 将此文件夹放到群晖的docker目录(随意放哪都行)
    (可以先将压缩包放到群晖内再多次解压,然后再移动到对应的位置。)
    (其他系统也可以通过SMB的方式直接将解压后的文件夹放到对应的位置)

    其他Linux系统解压文件夹命令(如无工具,请自行安装。)
    #格式 tar -xf 文件名
    
    tar -xf harbor-offline-installer-v2.11.0.tgz


  6. 打开群晖的SSH功能,使用终端软件进行连接,并切换到root状态下。

  7. 进入群晖的docker文件夹内的harbor文件夹(就是你存放harbor文件夹的路径)

    #自行替换为自己的实际文件夹路径
    
    cd /volume1/docker/harbor
  8. 创建所需的子文件夹

    mkdir -p common/config
    
    mkdir -p /var/log/harbor
    
    mkdir data
  9. 将配置文件重命名

    cp harbor.yml.tmpl harbor.yml
  10. 编辑重命名后的配置文件

    vi harbor.yml
  11. 按字母 i 键进入编辑模式,修改下面的配置文件,按Esc键退出编辑模式,输入 :wq 退出并保存。
    (配置文件的https部分先注释掉,目前先使用http协议。)

    #只需要修改我写了中文注释的地方即可!!!
    
    # Configuration file of Harbor
    
    # The IP address or hostname to access admin UI and registry service.
    # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    hostname: reg.mydomain.com    #将reg.mydomain.com 换成你的NAS的IP(演示使用)、或者你的域名
    
    # http related config
    http:
      # port for http, default is 80. If https enabled, this port will redirect to https port
      port: 80    #容器默认HTTP访问端口,可以自己修改成你想用的。
    
    # https related config    #将https://这一段(此处开始共九行)添加 # 符号注释掉(就是在这几行前面添加 # 符号)。
    https:
      # https port for harbor, default is 443
      port: 443
      # The path of cert and key files for nginx
      certificate: /your/certificate/path
      private_key: /your/private/key/path
      # enable strong ssl ciphers (default: false)
      # strong_ssl_ciphers: false
    
    # # Harbor will set ipv4 enabled only by default if this block is not configured
    # # Otherwise, please uncomment this block to configure your own ip_family stacks
    # ip_family:
    #   # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
    #   ipv6:
    #     enabled: false
    #   # ipv4Enabled set to true by default, currently it affected the nginx related component
    #   ipv4:
    #     enabled: true
    
    # # Uncomment following will enable tls communication between all harbor components
    # internal_tls:
    #   # set enabled to true means internal tls is enabled
    #   enabled: true
    #   # put your cert and key files on dir
    #   dir: /etc/harbor/tls/internal
    
    
    # Uncomment external_url if you want to enable external proxy
    # And when it enabled the hostname will no longer used
    # external_url: https://reg.mydomain.com:8433
    
    # The initial password of Harbor admin
    # It only works in first time to install harbor
    # Remember Change the admin password from UI after launching Harbor.
    harbor_admin_password: Harbor12345    #默认登录账号admin,默认密码是Harbor12345 ,你可以自己修改密码。
    
    # Harbor DB configuration
    database:
      # The password for the root user of Harbor DB. Change this before any production use.
      password: root123
      # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
      max_idle_conns: 100
      # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
      # Note: the default number of connections is 1024 for postgres of harbor.
      max_open_conns: 900
      # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
      # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      conn_max_lifetime: 5m
      # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
      # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      conn_max_idle_time: 0
    
    # The default data volume
    data_volume: /data    #将/data换成创建的data文件夹的完整路径
    
    # Harbor Storage settings by default is using /data dir on local filesystem
    # Uncomment storage_service setting If you want to using external storage
    # storage_service:
    #   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
    #   # of registry's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
    #   ca_bundle:
    
    #   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
    #   # for more info about this configuration please refer https://distribution.github.io/distribution/about/configuration/
    #   # and https://distribution.github.io/distribution/storage-drivers/
    #   filesystem:
    #     maxthreads: 100
    #   # set disable to true when you want to disable registry redirect
    #   redirect:
    #     disable: false
    
    # Trivy configuration
    #
    # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
    # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
    # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
    # should download a newer version from the Internet or use the cached one. Currently, the database is updated every
    # 12 hours and published as a new release to GitHub.
    trivy:
      # ignoreUnfixed The flag to display only fixed vulnerabilities
      ignore_unfixed: false
      # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
      #
      # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
      # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
      # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
      skip_update: false
      #
      # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
      # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
      skip_java_db_update: false
      #
      # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
      # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
      # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
      # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
      # It would work if all the dependencies are in local.
      # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
      offline_scan: false
      #
      # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
      security_check: vuln
      #
      # insecure The flag to skip verifying registry certificate
      insecure: false
      #
      # timeout The duration to wait for scan completion.
      # There is upper bound of 30 minutes defined in scan job. So if this `timeout` is larger than 30m0s, it will also timeout at 30m0s.
      timeout: 5m0s
      #
      # github_token The GitHub access token to download Trivy DB
      #
      # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
      # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
      # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
      # https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting
      #
      # You can create a GitHub token by following the instructions in
      # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
      #
      # github_token: xxx
    
    jobservice:
      # Maximum number of job workers in job service
      max_job_workers: 10
      # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
      job_loggers:
        - STD_OUTPUT
        - FILE
        # - DB
      # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
      logger_sweeper_duration: 1 #days
    
    notification:
      # Maximum retry count for webhook job
      webhook_job_max_retry: 3
      # HTTP client timeout for webhook job
      webhook_job_http_client_timeout: 3 #seconds
    
    # Log configurations
    log:
      # options are debug, info, warning, error, fatal
      level: info
      # configs for logs in local storage
      local:
        # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
        rotate_count: 50
        # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
        # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
        # are all valid.
        rotate_size: 200M
        # The directory on your host that store log
        location: /var/log/harbor
    
      # Uncomment following lines to enable external syslog endpoint.
      # external_endpoint:
      #   # protocol used to transmit log to external endpoint, options is tcp or udp
      #   protocol: tcp
      #   # The host of external endpoint
      #   host: localhost
      #   # Port of external endpoint
      #   port: 5140
    
    #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
    _version: 2.11.0
    
    # Uncomment external_database if using external database.
    # external_database:
    #   harbor:
    #     host: harbor_db_host
    #     port: harbor_db_port
    #     db_name: harbor_db_name
    #     username: harbor_db_username
    #     password: harbor_db_password
    #     ssl_mode: disable
    #     max_idle_conns: 2
    #     max_open_conns: 0
    
    # Uncomment redis if need to customize redis db
    # redis:
    #   # db_index 0 is for core, it's unchangeable
    #   # registry_db_index: 1
    #   # jobservice_db_index: 2
    #   # trivy_db_index: 5
    #   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
    #   # harbor_db_index: 6
    #   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
    #   # cache_layer_db_index: 7
    
    # Uncomment external_redis if using external Redis server
    # external_redis:
    #   # support redis, redis+sentinel
    #   # host for redis: <host_redis>:<port_redis>
    #   # host for redis+sentinel:
    #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
    #   host: redis:6379
    #   password: 
    #   # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
    #   # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
    #   # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
    #   # username:
    #   # sentinel_master_set must be set to support redis+sentinel
    #   #sentinel_master_set:
    #   # db_index 0 is for core, it's unchangeable
    #   registry_db_index: 1
    #   jobservice_db_index: 2
    #   trivy_db_index: 5
    #   idle_timeout_seconds: 30
    #   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
    #   # harbor_db_index: 6
    #   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
    #   # cache_layer_db_index: 7
    
    # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
    # uaa:
    #   ca_file: /path/to/ca
    
    # Global proxy
    # Config http proxy for components, e.g. http://my.proxy.com:3128
    # Components doesn't need to connect to each others via http proxy.
    # Remove component from `components` array if want disable proxy
    # for it. If you want use proxy for replication, MUST enable proxy
    # for core and jobservice, and set `http_proxy` and `https_proxy`.
    # Add domain to the `no_proxy` field, when you want disable proxy
    # for some special registry.
    proxy:
      http_proxy:
      https_proxy:
      no_proxy:
      components:
        - core
        - jobservice
        - trivy
    
    # metric:
    #   enabled: false
    #   port: 9090
    #   path: /metrics
    
    # Trace related config
    # only can enable one trace provider(jaeger or otel) at the same time,
    # and when using jaeger as provider, can only enable it with agent mode or collector mode.
    # if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
    # if using jaeger agetn mode uncomment agent_host and agent_port
    # trace:
    #   enabled: true
    #   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
    #   sample_rate: 1
    #   # # namespace used to differentiate different harbor services
    #   # namespace:
    #   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
    #   # attributes:
    #   #   application: harbor
    #   # # jaeger should be 1.26 or newer.
    #   # jaeger:
    #   #   endpoint: http://hostname:14268/api/traces
    #   #   username:
    #   #   password:
    #   #   agent_host: hostname
    #   #   # export trace data by jaeger.thrift in compact mode
    #   #   agent_port: 6831
    #   # otel:
    #   #   endpoint: hostname:4318
    #   #   url_path: /v1/traces
    #   #   compression: false
    #   #   insecure: true
    #   #   # timeout is in seconds
    #   #   timeout: 10
    
    # Enable purge _upload directories
    upload_purging:
      enabled: true
      # remove files in _upload directories which exist for a period of time, default is one week.
      age: 168h
      # the interval of the purge operations
      interval: 24h
      dryrun: false
    
    # Cache layer configurations
    # If this feature enabled, harbor will cache the resource
    # `project/project_metadata/repository/artifact/manifest` in the redis
    # which can especially help to improve the performance of high concurrent
    # manifest pulling.
    # NOTICE
    # If you are deploying Harbor in HA mode, make sure that all the harbor
    # instances have the same behaviour, all with caching enabled or disabled,
    # otherwise it can lead to potential data inconsistency.
    cache:
      # not enabled by default
      enabled: false
      # keep cache for one day by default
      expire_hours: 24
    
    # Harbor core configurations
    # Uncomment to enable the following harbor core related configuration items.
    # core:
    #   # The provider for updating project quota(usage), there are 2 options, redis or db,
    #   # by default is implemented by db but you can switch the updation via redis which
    #   # can improve the performance of high concurrent pushing to the same project,
    #   # and reduce the database connections spike and occupies.
    #   # By redis will bring up some delay for quota usage updation for display, so only
    #   # suggest switch provider to redis if you were ran into the db connections spike around
    #   # the scenario of high concurrent pushing to same project, no improvement for other scenes.
    #   quota_update_provider: redis # Or db
    
  12. 对项目文件夹授权everyone的读写权限为777。

    #查看当前文件夹路径
    pwd
    
    #授权777权限(换成你自己的实际文件夹路径)
    chmod -R 777 /volume1/docker/harbor
  13. 执行运行脚本

    ./install.sh
  14. 查看正在运行的项目容器

    docker-compose ps
  15. 常用的启停命令(须进到harbor目录下执行)

    # docker-compose up -d #在后台启动所有服务
    # docker-compose build #在运行项目前先构建项目所需镜像
    # docker-compose ps      #列出本地docker-compose.yml文件里定义的正在运行的所有服务
    # docker-compose stop    #停止所有服务,如果服务没有停止,可以使用docker-compose kill强制杀死服务
    # docker-compose start #开启所有服务
    # docker-compose rm #删除所有服务

访问Harbor镜像仓库系统

  1. 打开浏览器,以群晖的IP+设置的端口进行访问。
    以本机为例:http://192.168.2.35:8000
    账号:admin
    密码:你自己设置的/默认密码Harbor12345

  2. 登录成功

项目地址

  • GitHub项目地址:https://github.com/goharbor/harbor

  • 网络参考地址:https://mp.weixin.qq.com/s/ihP0YYRepIiFklAjVXNapg

功德+1(狗子).gif

👇👇👇