📖 Post address: blog.mitscherlich.me/2021/12/ins…

1. Background requirements

An internal project at the company plans to move to containers next year, so an internal image registry has to be built first. After investigation, the candidate solutions were:

  • Docker Registry + Docker Registry Web
  • Gitlab Registry
  • Harbor

After comparison, Harbor was chosen for the production deployment. The main reasons were:

  1. LDAP account integration is supported
  2. Group-based permission management is supported
  3. Replication can later be used to synchronize production images

This article is based on the latest Harbor release at the time of writing (2021-12-08) and records how to set up a Harbor platform on a CentOS 7 installation.

2. Before you start

This document does not cover installing CentOS 7 itself. It assumes a freshly installed CentOS 7 system, on which the following dependencies need to be installed and configured.

2.1. System minimum/recommended configuration

According to the official documentation, the minimum and recommended configurations for a Harbor installation are as follows; local or virtual machine users can adjust them as needed. Cloud host users should note that the Harbor platform includes not only Harbor itself but also supporting services such as Redis and PostgreSQL. This document uses the all-in-one installation mode, so check that the cloud host meets the minimum requirements.

Resource   Minimum   Recommended
CPU        2C        4C
Memory     4G        8G
Disk       40 GB     160 GB

The VM used in this document has 4C, 8 GB of memory and a 100 GB disk.

2.2. Configure the USTC mirror

After logging in to the CentOS system, run the following command to switch the yum repositories to the USTC mirror:

sudo sed -e 's|^mirrorlist=|#mirrorlist=|g' \
         -e 's|^#baseurl=http://mirror.centos.org/centos|baseurl=https://mirrors.ustc.edu.cn/centos|g' \
         -i.bak \
         /etc/yum.repos.d/CentOS-Base.repo

When done, refresh the yum cache with yum makecache.

2.3. Install the Docker

This article uses the get.docker.com installation script to install the Docker runtime.

curl -fsSL https://get.docker.com -o get-docker.sh
sudo bash ./get-docker.sh --mirror Aliyun # use the Aliyun mirror for faster downloads within China

After the installation is complete, you can use the following command to check whether the Docker installation is successful:

sudo docker info

If it prints normal output, Docker is working. To have Docker start with the system, also enable docker.service:

sudo systemctl enable docker
sudo systemctl start docker

2.4. Install docker-compose

There is no trick to this step: install it with the command from the official website. Reaching GitHub may require a proxy:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

After the download is complete, run the following command to make it executable:

sudo chmod +x /usr/local/bin/docker-compose

If other users need it, you can symlink it into the /usr/bin directory:

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

3. Install the Harbor platform

3.1. Download the Harbor offline installation package

If GitHub or docker.io is hard to reach, you can configure a suitable Docker registry mirror and use the online installer instead (it differs only in pulling the images at install time).

wget https://github.com/goharbor/harbor/releases/download/v2.3.4/harbor-offline-installer-v2.3.4.tgz

Once downloaded, extract it into the current directory:

tar -zxvf harbor-offline-installer-v2.3.4.tgz

3.2. Modify the Harbor installation configuration

After extraction, enter the harbor directory (the extracted path) under the current directory:

cd harbor && cp harbor.yml.tmpl harbor.yml

This step is missing from many tutorials. Harbor has used the harbor.yml file as its installation configuration since version 1.10, the earliest version still available. After copying, edit harbor.yml:

# Use a domain name or IP address by which clients reach Harbor.
# Do not use localhost or 127.0.0.1.
hostname: harbor.your-domain.com

# HTTP configuration
http:
  # If HTTPS is not enabled and Harbor is accessed over HTTP only, port 5000
  # is used by convention. Docker clients must then be configured with
  # insecure-registries.
  port: 5000

# HTTPS related configuration
# HTTPS is recommended
https:
  # If the port conflicts with another application on the host, change it
  # in the docker-compose.yml generated by ./prepare; leave 443 here.
  port: 443
  # To enable HTTPS you must provide an SSL certificate. A self-signed
  # certificate works, but a public certificate from Let's Encrypt, Aliyun
  # or Tencent Cloud is recommended; a wildcard certificate can be used.
  # /data is mounted as a container volume, so nginx inside the container
  # can read these files.
  certificate: /data/cert/harbor.your-domain.com.crt
  private_key: /data/cert/harbor.your-domain.com.key
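Before running ./install.sh it is worth checking that harbor.yml avoids the pitfalls called out in the comments above. The following preflight script is an added example, not part of the original post or of Harbor itself; it assumes bash with sed and, optionally, openssl, and every hostname and path in it is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a preflight check to run on
# harbor.yml before ./install.sh. It catches the mistakes the post warns
# about: a hostname of localhost/127.0.0.1, and an https block whose
# certificate/private_key files are missing or do not belong together.
# Only the hostname:, certificate: and private_key: lines are read, so no
# YAML library is needed. Paths and hostnames below are placeholders.

# yaml_value FILE KEY -> value of the first uncommented "KEY: value" line
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# harbor_preflight FILE -> 0 if the config looks sane, 1 otherwise.
# Every problem is reported on stderr before returning.
harbor_preflight() {
  cfg=$1; rc=0
  host=$(yaml_value "$cfg" hostname)
  cert=$(yaml_value "$cfg" certificate)
  key=$(yaml_value "$cfg" private_key)

  case "$host" in
    ""|localhost|127.0.0.1)
      echo "hostname '$host' is unusable: docker clients and Harbor's own" \
           "jobs must be able to reach it by this name" >&2; rc=1 ;;
  esac

  # The https block is optional, but the post recommends enabling it.
  if grep -q '^https:' "$cfg"; then
    for f in "$cert" "$key"; do
      [ -n "$f" ] && [ -r "$f" ] || { echo "missing file: '${f:-<unset>}'" >&2; rc=1; }
    done
    if [ -r "$cert" ] && [ -r "$key" ] && command -v openssl >/dev/null 2>&1; then
      # Compare the public key inside the certificate with the one derived
      # from the private key; nginx inside the container refuses a mismatch.
      if [ "$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" != \
           "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
        echo "certificate and private key do not match" >&2; rc=1
      fi
    fi
  fi
  return $rc
}

# Demo on a constructed config (not a real deployment):
demo=$(mktemp -d)
printf 'hostname: localhost\nhttps:\n  port: 443\n  certificate: /data/cert/h.crt\n  private_key: /data/cert/h.key\n' > "$demo/harbor.yml"
harbor_preflight "$demo/harbor.yml" && echo "harbor.yml OK" || echo "fix harbor.yml before ./install.sh"
```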

If you do not want Harbor to start immediately after installation, comment out line 99 in the file.

3.3. Install the Harbor platform

The ./harbor directory provides the ./install.sh script for installation. Harbor also ships some optional components:

  • Notary: provides a security trust mechanism that can add digital signatures to images; enabled with the --with-notary flag
  • Trivy: a vulnerability scanner for containers; enabled with the --with-trivy flag
  • Chart repository: as the name implies, a Helm Chart repository; enabled with the --with-chartmuseum flag

We need the Chart repository; add the other flags as your situation requires.

sudo ./install.sh --with-chartmuseum [--with-trivy]

This command imports the images Harbor needs and generates docker-compose.yml. If the installation script was prevented from starting the Harbor service automatically in the previous step, there is still a chance to edit docker-compose.yml (for example, to change the port HTTPS actually listens on) before startup.

3.4. Start the Harbor platform

After all changes are saved, you can use the following command to start the Harbor platform:

sudo docker-compose up -d

Once the containers are up, you can access Harbor using the hostname configured above.

Complete. Use the default administrator account admin/Harbor12345 to log in. 🎉

4. Other matters

4.1. About LDAP

After logging in with the administrator account, choose System Administration > Configuration Management from the menu on the left, then open the Authentication Mode tab and change the authentication mode to LDAP.

4.2. About reverse proxy

If nginx or another service already uses port 443 on the Harbor host, you can have Harbor's HTTPS actually listen on host port 8443 and put an Nginx reverse proxy in front of it. Below is an example configuration to adapt as needed:

server {
  server_name harbor.your-domain.com;
  listen      80;

  location / {
    rewrite ^/(.*)$ https://$host/$1 permanent;
  }
}

upstream harbor {
  server 127.0.0.1:8443; # replace 127.0.0.1 with the actual Harbor address
}

server {
  server_name harbor.your-domain.com;
  listen      443 ssl;

  client_max_body_size 1G; # Docker image layers are generally large

  ssl_certificate     ssl/harbor.your-domain.com.crt;
  ssl_certificate_key ssl/harbor.your-domain.com.key;
  ssl_session_timeout 5m;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once no legacy clients remain
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
  ssl_prefer_server_ciphers on;

  location ~ / {
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

    # make OPTIONS requests return quickly
    if ($request_method = 'OPTIONS') {
        return 204;
    }

    proxy_pass       https://harbor;
    proxy_redirect   off;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port  $server_port;
  }
}