I. Installation and use of the latest version of Harbor
1: Basic environment requirements
- Docker installed (every Harbor component runs as a Docker container)
- docker-compose installed (Harbor's component containers are managed with docker-compose)
2: Install Harbor
2.1 Downloading the Installation Package
The installer is available as an online or an offline package.
- Download the offline installer from GitHub and install from it.
The address is github.com/goharbor/ha…
The latest version is 2.3.2.
- Download online:
[root@localhost mydome]# wget https://github.com/goharbor/harbor/releases/download/v2.3.2/harbor-offline-installer-v2.3.2.tgz
docker-compose installation (download the binary for this OS and architecture, then make it executable):
[root@localhost mydome]# curl -L "https://github.com/docker/compose/releases/download/v2.3.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@localhost mydome]# chmod +x /usr/local/bin/docker-compose
2.2 Decompress the package and install it
[root@localhost mydonw]# tar xf harbor-offline-installer-v2.3.2.tgz
[root@localhost mydonw]# ls
harbor  harbor-offline-installer-v2.3.2.tgz
[root@localhost mydonw]# cd harbor
[root@localhost harbor]# ll
total 594380
-rw-r--r--. 1 root root      3361 Aug 18 16:51 common.sh
-rw-r--r--. 1 root root 608611132 Aug 18 16:52 harbor.v2.3.2.tar.gz
-rw-r--r--. 1 root root      7840 Aug 18 16:51 harbor.yml.tmpl
-rwxr-xr-x. 1 root root      2500 Aug 18 16:51 install.sh
-rw-r--r--. 1 root root     11347 Aug 18 16:51 LICENSE
-rwxr-xr-x. 1 root root      1881 Aug 18 16:51 prepare
[root@localhost harbor]#
2.3 Configuration Information Description and Modification
2.3.1 Configuration Information File Description:
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost, because Harbor needs to be accessed by external clients.
# Set the address (domain name or IP) used to reach the registry; when plain HTTP is used,
# the host port is set in the http section below.
# Note: do not set it to localhost, otherwise nobody else can reach the registry.

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8056

# https related config
# If HTTPS is enabled, the certificate and key paths below must point at real files, otherwise the installer reports an error!
# https:
#   # https port for harbor, default is 443
#   port: 443
#   # The path of cert and key files for nginx
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Enabling an external proxy
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# Default super administrator of the registry
# Default account: admin
# harbor_admin_password: Harbor12345 is the default administrator password
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Registry database settings
# Database password: the password of the database running inside the container
# Database connection settings
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# Path where the registry's persistent data is stored
# The default data volume
data_volume: /data/harbor/data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:
#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.3.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics
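Before running install.sh it is worth a quick pre-flight check of harbor.yml for exactly the things this post trips over: a bare `https:` section without certificate paths (the validation error shown in 2.4), a hostname of localhost, and the shipped defaults `Harbor12345` / `root123` that must not go live. The check below is an added example, not part of the original post or of Harbor; it reads the file line by line (no YAML library needed), the sample text is a constructed excerpt, and `192.0.2.10` stands in for the VM address.

```python
import re

# `key: value` line with its indentation; commented-out lines are skipped before matching.
LINE_RE = re.compile(r"^(\s*)([A-Za-z_]\w*):\s*(.*?)\s*$")

# Values shipped in harbor.yml.tmpl (Harbor 2.3) that must not survive into production.
SHIPPED_ADMIN_PASSWORD = "Harbor12345"
SHIPPED_DB_PASSWORD = "root123"

def parse_active(text):
    """Read the uncommented `key: value` lines of a harbor.yml.

    Returns (sections, entries): `sections` is the set of top-level keys written
    without a value (e.g. `https:`), `entries` maps (section, key) -> value, where
    section is '' for top-level scalars such as `hostname`.
    """
    sections, entries, current = set(), {}, ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or commented-out line
        m = LINE_RE.match(raw)
        if not m:
            continue                      # list items etc. are not needed here
        indent, key, value = m.groups()
        if indent == "":
            current = key
            if value:
                entries[("", key)] = value
            else:
                sections.add(key)
        else:
            entries[(current, key)] = value
    return sections, entries

def audit_harbor_yml(text):
    """Return the list of pre-install findings for a harbor.yml."""
    sections, e = parse_active(text)
    findings = []
    host = e.get(("", "hostname"), "").split(":")[0]
    if host in ("", "localhost", "127.0.0.1"):
        findings.append("hostname is missing or localhost; external clients cannot reach the registry")
    if e.get(("", "harbor_admin_password")) == SHIPPED_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the shipped default; change it before first start")
    if e.get(("database", "password")) == SHIPPED_DB_PASSWORD:
        findings.append("database.password is the shipped default")
    if "https" in sections and ("https", "certificate") not in e:
        findings.append("https: is enabled but certificate/private_key are not set; install.sh will reject the config")
    elif "https" not in sections:
        findings.append("https is disabled; the registry is plain HTTP and every docker client needs insecure-registries")
    if e.get(("trivy", "insecure")) == "true":
        findings.append("trivy.insecure is true; the scanner skips registry certificate verification")
    return findings

# Constructed excerpt mirroring the state of harbor.yml after the HTTPS block was commented out.
SAMPLE_HTTP_ONLY = """\
hostname: 192.0.2.10
http:
  port: 8056
# https:
#   port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
trivy:
  insecure: false
"""

if __name__ == "__main__":
    for finding in audit_harbor_yml(SAMPLE_HTTP_ONLY):
        print("-", finding)
```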
2.3.2 Modifying Configuration File Information:
- Modify the login account information
- Modify the request hostname
- Modify the database configuration items
- Modify the Harbor persistent data directory
Create harbor.yml from the template (keeping the template as a backup) and edit it:
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# nano harbor.yml
Changing the login account information:
Change the hostname and the port to the domain name or IP address used to reach Harbor; here the IP address of the local VM is used together with port 8056.
Changing the database configuration items:
Changing the persistent data directory path:
2.4 Run the installation script
[root@localhost harbor]# ./install.sh
The installation stopped with an error. The error message is:
prepare base dir is set to /data/mydonw/harbor
Error happened in config validation...
ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
The HTTPS section is not configured correctly. Since HTTPS is not needed yet, comment out the HTTPS block in the configuration file for now.
Make this change before running the install script again; the script then reports that installation and startup are complete.
2.5 Viewing Information about Startup Services
[root@localhost harbor]# docker ps | grep harbor
cca40a764d35   goharbor/nginx-photon:v2.3.2         "nginx -g 'daemon of…"   About a minute ago   Up 58 seconds (healthy)       0.0.0.0:8056->8080/tcp, :::8056->8080/tcp   nginx
73827976dfab   goharbor/harbor-jobservice:v2.3.2    "/harbor/entrypoint.…"   About a minute ago   Up 58 seconds (healthy)                                                   harbor-jobservice
aaa8bf092c86   goharbor/harbor-core:v2.3.2          "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                                               harbor-core
d22058f67c82   goharbor/harbor-portal:v2.3.2        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)                                               harbor-portal
96835424fa77   goharbor/harbor-db:v2.3.2            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)                                               harbor-db
7e115673e7e6   goharbor/redis-photon:v2.3.2         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)                                               redis
241327b6376b   goharbor/registry-photon:v2.3.2      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)                                               registry
3a1490d5dfc9   goharbor/harbor-registryctl:v2.3.2   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                                               registryctl
f4c25d9e3a51   goharbor/harbor-log:v2.3.2           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp                   harbor-log
[root@localhost harbor]#
2.6 Access the Harbor web login page for management
The access address is the hostname and HTTP port set in harbor.yml (port 8056 here).
The login account is admin; the password is the one specified in the configuration above.
2.7 Configuring Docker to connect to our Harbor
Since Docker 1.3.x, Docker talks to a registry over HTTPS by default, but we commented out HTTPS above and use HTTP. Without a change on the client, logging in fails like this:
[root@localhost harbor]# docker login <harbor-host>:8056
Username: admin
Password:
Error response from daemon: Get "https://<harbor-host>:8056/v2/": http: server gave HTTP response to HTTPS client
[root@localhost harbor]#
Modify the Docker configuration file /etc/docker/daemon.json and list the Harbor host and port under insecure-registries:
{
  "registry-mirrors": ["https://aiyf7r3a.mirror.aliyuncs.com"],
  "insecure-registries": ["<harbor-host>:8056"]
}
Or open it to all registries (not recommended), e.g. with a CIDR range covering every address:
{
  "registry-mirrors": ["https://aiyf7r3a.mirror.aliyuncs.com"],
  "insecure-registries": ["0.0.0.0/0"]
}
Restart Docker after the modification is complete:
systemctl restart docker
Log in again:
[root@localhost harbor]# docker login
Username: admin
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
Login Succeeded
3: Image push to Harbor private server basic preparation
3.1 Creating User Information
3.2 Creating an Image warehouse to store project images
3.3 Warehouse project assignment Bind relevant member accounts
(Administrator can push directly without binding member)
3.4 Viewing the Command Planning of Image Push
Tag the image for the project:
docker tag SOURCE_IMAGE[:TAG] <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG]
Push the image to the current project:
docker push <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG]
Helm push commands
Save the chart for the project:
helm chart save CHART_PATH <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG]
Push the chart to the current project:
helm chart push <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG]
CNAB push command
Push the CNAB to the current project:
cnab-to-oci push CNAB_PATH --target <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG] --auto-update-bundle
3.5 Basic operations against the private registry on the machine
- The first step is to log in (the administrator is used here; the newly created account would also work):
docker login <harbor-host>:8056
- View local images:
- Tag the image:
Tag drone/agent:latest as drone/agent:v3:
[root@localhost harbor]# docker tag drone/agent:latest drone/agent:v3
- Tag the image and push the local image to the private registry:
Image push format: docker push <registry username>/<image name>
Tag the image for the project:
docker tag SOURCE_IMAGE[:TAG] <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG]
Push the image to the current project:
docker push <harbor-host>:8056/zyx_docker/REPOSITORY[:TAG]
Example. Step 1: retag the image into the required format:
[root@localhost harbor]# docker tag drone/agent:v3 <harbor-host>:8056/zyx_docker/drone/agent:v3
[root@localhost harbor]# docker images
Step 2: push the image to the current project:
[root@localhost harbor]# docker push <harbor-host>:8056/zyx_docker/drone/agent:v3
The push refers to repository [<harbor-host>:8056/zyx_docker/drone/agent]
edc2f156270e: Pushed
22089f22c4c3: Pushed
a38e4a9d8800: Pushed
f1b5933fe4b5: Pushed
v3: digest: sha256:13524befdf2fdb5dc9881e1e254536dcb4df9ccf37c6a60d19c9f1a5f4d64c49 size: 1156
[root@localhost harbor]#
Step 3: look at our project repository.
The image details can be viewed there:
View the pull command for the image:
docker pull <harbor-host>:8056/zyx_docker/drone/agent@sha256:13524befdf2fdb5dc9881e1e254536dcb4df9ccf37c6a60d19c9f1a5f4d64c49
Start a new virtual machine to verify that the image can be pulled:
[root@localhost ~]# docker pull <harbor-host>:8056/zyx_docker/drone/agent:v3
Error response from daemon: Get "https://<harbor-host>:8056/v2/": http: server gave HTTP response to HTTPS client
[root@localhost ~]#
Edit the daemon.json file on this machine too and add the insecure-registries entry:
nano /etc/docker/daemon.json
{
  "registry-mirrors": ["https://aiyf7r3a.mirror.aliyuncs.com"],
  "insecure-registries": ["<harbor-host>:8056"]
}
Restart Docker after the modification is complete:
systemctl restart docker
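The same daemon.json edit is made in 2.7 and again here on the second VM. The helper below is an added example (not from the original post or from Docker): it adds the Harbor host:port to `insecure-registries` while keeping `registry-mirrors` intact, never duplicates the entry, refuses a wildcard such as `0.0.0.0/0`, and can audit an existing file for over-broad entries. The sample JSON is constructed and `192.0.2.10` stands in for the Harbor VM address.

```python
import ipaddress
import json

def is_wildcard(entry):
    """True for a CIDR entry that covers every address (0.0.0.0/0 or ::/0).

    Such an entry makes the daemon accept plain HTTP and unverified TLS for any
    registry it is pointed at, not just the Harbor host.
    """
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False              # a host:port or hostname, which is the intended form

def insecure_registries(daemon_json_text):
    """Return the insecure-registries list from a daemon.json text ([] if absent)."""
    return json.loads(daemon_json_text).get("insecure-registries", [])

def add_insecure_registry(daemon_json_text, registry):
    """Return daemon.json text with `registry` (host:port) added to insecure-registries.

    Other keys such as registry-mirrors are kept, the entry is not duplicated,
    and wildcard CIDR entries are refused. An empty file is treated as {}.
    """
    if is_wildcard(registry):
        raise ValueError(f"refusing {registry!r}: list the Harbor host:port instead")
    conf = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    current = conf.get("insecure-registries", [])
    if not isinstance(current, list):
        raise ValueError("insecure-registries must be a JSON array")
    if registry not in current:
        current.append(registry)
    conf["insecure-registries"] = current
    return json.dumps(conf, indent=2) + "\n"

def audit(daemon_json_text):
    """List the insecure-registries entries that are over-broad."""
    return [r for r in insecure_registries(daemon_json_text) if is_wildcard(r)]

# Constructed daemon.json in the shape the post uses: mirror set, Harbor not yet listed.
SAMPLE = '{"registry-mirrors": ["https://aiyf7r3a.mirror.aliyuncs.com"], "insecure-registries": []}'

if __name__ == "__main__":
    print(add_insecure_registry(SAMPLE, "192.0.2.10:8056"))   # 192.0.2.10 stands in for the Harbor VM
    print("over-broad entries:", audit('{"insecure-registries": ["0.0.0.0/0"]}'))
```

To apply it, read /etc/docker/daemon.json, pass its text through add_insecure_registry, write the result back and restart Docker as above.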
[root@localhost ~]# docker pull
Error response from daemon: unauthorized: unauthorized to access repository: zyx_docker/drone/agent, action: pull: unauthorized to access repository: zyx_docker/drone/agent, action: pull
[root@localhost ~]#
Because I have not logged in yet, I need to log in first before pulling (logging in with the new account):
[root@localhost ~]# docker login
Username: zyx123456
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
Login Succeeded
[root@localhost ~]#
Pull the image again:
View the pull result:
II. Pushing images from a Drone pipeline
Please refer to the practice in the previous section:
Fastapi framework (18) Fastapi container deployment + Drone complete CI example, simple whole process (only for demonstrating the process)
The following steps extend the previous section.
1 Modify the pipeline configuration
In the previous section we completed a simple pipeline task, but the step that pushes the image to the private registry was missing!
We add the following pipeline configuration to the previous section, as shown in the figure:
Pipeline configuration of the push step:
# push the image
- name: push
  image: plugins/docker
  settings:
    dockerfile: dockerfile
    registry: <harbor-host>:8056
    repo: <harbor-host>:8056/zyx_docker/fatest_api
    username: zyx123456
    password: Abc123456789
    tags:
      - 'latest'
  when:
    branch: master
    event: [ push ]
Example format:
- name: push
  image: plugins/docker
  settings:
    dockerfile: dockerfile                 # path of the Dockerfile (./dockerfile under the current path)
    registry: harbor_server_ip
    repo: harbor_server_ip/project_name/image_name
    username: harbor_username
    password: harbor_password
    tags:
      - 'latest'
    insecure: true
    # auto_tag: true
  volumes:
    - name: docker
      path: /var/run/docker.sock
Some reference information on the pipeline parameters (source: blog.csdn.net/kikajack/ar…):
Parameter manual:
- registry: authenticate to this registry
- username: authenticate with this username
- password: authenticate with this password
- repo: the name of the repository used to store the image
- tags: the tag(s) used for the image
- dockerfile: Dockerfile to use, default is `Dockerfile`
- auth: registry authentication token
- context: the context path to use, default is the git repository root
- target: the build target to use; it must be defined in the Dockerfile
- force_tag=false: replace existing matched image tags
- insecure=false: enable insecure communication with this registry
- bip=false: used for passing the bridge IP
- custom_dns: set custom DNS servers for the container
- storage_driver: supports the aufs, overlay or vfs drivers
- build_args: custom arguments passed to docker build
- auto_tag=false: automatically generate tag names based on git branches and git tags
- auto_tag_suffix: generate tag names with this suffix
- debug, launch_debug: launch the Docker daemon in verbose debug mode
After the update, push the new commit to our Gogs repository and let the pipeline run. However, the new plugins/docker step also ran into the HTTPS problem:
the Docker daemon inside the plugin container is not configured to use HTTP, so it uses HTTPS by default.
+ /usr/local/bin/dockerd --data-root /var/lib/docker --host=unix:///var/run/docker.sock
Detected registry credentials
Error response from daemon: Get "https://<harbor-host>:8056/v2/": dial tcp <harbor-host>:8056: connect: connection refused
time="2021-08-25T09:10:30Z" level=fatal msg="Error authenticating: exit status 1"
2 Resolve the HTTPS problem in the container
Try the reference configuration copied above, with insecure: true:
Even with the host configured with full permissions:
This time it switches to HTTP, but the registry is still unreachable:
The reason is that our private registry had been stopped!! What a trap!!!! I forgot to restart it when I changed the configuration!
Restart our Harbor service: go to the directory where Harbor was unpacked:
[root@localhost harbor]# ls
common  common.sh  docker-compose.yml  harbor.v2.3.2.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare
[root@localhost harbor]#
Then manage it with docker-compose:
- Stop Harbor (stop the containers):
docker-compose stop
- Start the containers:
docker-compose up -d
Then the pipeline runs again:
3: Complete new working pipeline (including pushing the image to the private registry)
The complete new pipeline configuration file .drone.yml:
kind: pipeline
type: docker                # pipeline type; kubernetes, exec, ssh, etc. are also possible
name: default               # pipeline name (not shown on the original page)

workspace:
  path: /drone/src

steps:
  # copy the code to the remote host
  - name: code-scp
    image: appleboy/drone-scp
    settings:
      host: <remote-host>           # remote connection address
      username: root                # remote connection account
      password: 123456
      port: 22
      target: /data/fatest
      source: .                     # copy every file in the current workspace (the project files git pulled)

  # push the image to the registry
  - name: push
    image: plugins/docker
    settings:
      registry: <harbor-host>:8056
      repo: <harbor-host>:8056/zyx_docker/fatest_api
      username: zyx123456
      password: Abc123456789
      insecure: true
      tags:
        - 'latest'
    when:
      branch: master
      event: [ push ]

  # deploy the project over SSH on the host
  - name: deploy
    image: appleboy/drone-ssh        # SSH plugin image (not shown on the original page)
    settings:
      host: <remote-host>
      username: root
      password: 123456
      port: 22
      script:
        - cd /data/fatest
        # the code is copied into the image, so the image must be rebuilt rather than just restarted
        #- docker-compose stop && echo y | docker-compose rm && docker rmi fatest_api:latest
        - docker-compose stop && docker-compose up -d --build
        # do not write it this way:
        #- docker-compose up --build && docker-compose up -d

  - name: notify
    image: drillster/drone-email
    settings:
      host: <smtp-host>
      username:
        from_secret: qqzhanghao
      password:
        from_secret: qqpassword
      subject: "Drone build: [{{ build.status }}] {{ repo.name }} ({{ repo.branch }}) #{{ build.number }}"
      from: 308711822@qq.com
      skip_verify: true
      recipients_only: true           # only mail the recipients listed below, not the commit author
      recipients: [308711822@qq.com]
    when:
      status: [changed, failure, success]
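The pipeline above carries the registry and SSH passwords as literals in .drone.yml, a file that is committed to the repository; Drone's `from_secret` form (used only by the notify step) keeps them out of the file. The check below is an added example, not from the original post or from Drone: it flags sensitive keys that carry a literal value or no value at all, and accepts a key whose value comes from `from_secret` on the next line. The sample pipeline is a constructed excerpt of the one above.

```python
import re

# Keys whose values must never be committed as literals.
SENSITIVE = ("password", "token", "secret", "access_key", "secret_key")
KV_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*?)\s*$")

def plaintext_credentials(drone_yml):
    """Return (line_no, key) for sensitive keys that do not use from_secret.

    A key with an empty value followed by `from_secret: NAME` on the next line is
    resolved by Drone at run time and is not reported; a literal value, or an
    empty value with no from_secret, is.
    """
    lines = drone_yml.splitlines()
    hits = []
    for i, raw in enumerate(lines):
        if raw.lstrip().startswith("#"):
            continue
        m = KV_RE.match(raw)
        if not m or m.group(2).lower() not in SENSITIVE:
            continue                  # list items, comments and non-sensitive keys
        if m.group(3):
            hits.append((i + 1, m.group(2)))       # literal value on the line
            continue
        nxt = KV_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if nxt is None or nxt.group(2) != "from_secret":
            hits.append((i + 1, m.group(2)))       # empty and not fed from a secret
    return hits

# Constructed excerpt of the pipeline above.
SAMPLE_DRONE_YML = """\
kind: pipeline
type: docker
name: default
steps:
  - name: code-scp
    image: appleboy/drone-scp
    settings:
      username: root
      password: 123456
  - name: push
    image: plugins/docker
    settings:
      username: zyx123456
      password: Abc123456789
      insecure: true
  - name: notify
    image: drillster/drone-email
    settings:
      password:
        from_secret: qqpassword
"""

if __name__ == "__main__":
    for line_no, key in plaintext_credentials(SAMPLE_DRONE_YML):
        print(f"line {line_no}: {key} is a literal; move it to a Drone secret (from_secret)")
```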
Wait for the pipeline to finish; after a successful run:
Check our registry: the image has been pushed!
The above are just my own study and practice notes based on my actual needs! If there are clerical errors, criticism and corrections are welcome! Thank you!
The end
Jianshu: www.jianshu.com/u/d6960089b…
Juejin: juejin.cn/user/296393…
Official account: search WeChat for [children to a pot of wolfberry wine tea]
[Original article] [Students are welcome to learn and exchange together] QQ: 308711822