一.项目背景
随着业务和时间的增加,docker registry暴露出如下缺点:
缺点:
功能极度简陋 :
没有 Web UI:你无法通过浏览器直观地看到仓库里有哪些镜像、哪些 Tag。管理基本靠 API (curl) 或记忆。
没有用户管理和权限控制:默认情况下是完全开放的,任何人都可以推拉镜像。虽然可以外挂认证(如 Nginx + htpasswd),但配置复杂。
没有安全扫描:不支持对镜像进行漏洞扫描。
没有镜像复制/同步:不支持在多个 Registry 实例之间自动同步镜像。
维护困难:
垃圾回收 (Garbage Collection) 复杂:删除镜像后,磁盘空间不会立即释放。需要手动进入容器执行 garbage-collect 命令,并且在执行期间需要将 Registry 设置为只读模式,会短暂中断服务。
高可用部署复杂:需要自己解决存储共享、负载均衡等问题。
二.项目还原
**环境准备**:两台 Harbor 服务器(10.0.0.91 和 10.0.0.92)。如需公网访问,必须准备证书并启用 HTTPS;本文为内网演示,直接使用 HTTP 访问。需要注意的是,HTTP 下登录口令和镜像内容都是明文传输,同一网段的任何主机都可以嗅探或篡改流量,且 docker 客户端通常还需将该地址加入 insecure-registries 才能推拉镜像。生产环境即使只在内网使用,也建议启用 harbor.yml 中被注释掉的 https 配置。
基础环境搭建
1.harbor概述
harbor 最初由 VMware 公司开源(现为 CNCF 项目),是一款企业级镜像仓库,底层通过 docker-compose 来管理 harbor 的各个组件容器。
官网地址:
https://github.com/goharbor/harbor
2.部署harbor实战
2.1 下载harbor软件包(从官网 GitHub Releases 页面下载离线安装包;解压前建议核对发布页提供的签名或校验值,避免安装被篡改的安装包)
2.2 解压软件包
[root@elk91 ~]# tar xf harbor-offline-installer-v2.13.1.tgz -C /usr/local/
2.3 修改harbor的配置文件
[root@elk91 ~]# cd /usr/local/harbor/
[root@elk91 harbor]#
[root@elk91 harbor]# cp harbor.yml{.tmpl,}
[root@elk91 harbor]#
[root@elk91 harbor]# vim harbor.yml
...
# hostname: reg.mydomain.com
hostname: 10.0.0.91
...
## https related config
#https:
# # https port for harbor, default is 443
# port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# # enable strong ssl ciphers (default: false)
# # strong_ssl_ciphers: false
...
# harbor_admin_password: Harbor12345
harbor_admin_password: 1
...
# data_volume: /data
data_volume: /data/harbor
...
2.4 安装harbor服务
[root@elk91 harbor]# ./install.sh
...
[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0) docker:default
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.0s
✔ Container redis Started 0.0s
✔ Container registryctl Started 0.0s
✔ Container harbor-portal Started 0.0s
✔ Container registry Started 0.0s
✔ Container harbor-db Started 0.0s
✔ Container harbor-core Started 0.0s
✔ Container harbor-jobservice Started 0.0s
✔ Container nginx Started 0.0s
✔ ----Harbor has been installed and started successfully.----
[root@elk91 harbor]# ll
total 650932
drwxr-xr-x 3 root root 4096 Jul 7 10:43 ./
drwxr-xr-x 14 root root 4096 Jul 7 10:38 ../
drwxr-xr-x 3 root root 4096 Jul 7 10:43 common/
-rw-r--r-- 1 root root 3646 May 22 15:48 common.sh
-rw-r--r-- 1 root root 5998 Jul 7 10:43 docker-compose.yml
-rw-r--r-- 1 root root 666471629 May 22 15:48 harbor.v2.13.1.tar.gz
-rw-r--r-- 1 root root 14784 Jul 7 10:40 harbor.yml
-rw-r--r-- 1 root root 14688 May 22 15:48 harbor.yml.tmpl
-rwxr-xr-x 1 root root 1975 Jul 7 10:42 install.sh*
-rw-r--r-- 1 root root 11347 May 22 15:48 LICENSE
-rwxr-xr-x 1 root root 2211 May 22 15:48 prepare*
[root@elk91 harbor]# docker-compose ps -a
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
harbor-core goharbor/harbor-core:v2.13.1 "/harbor/entrypoint.…" core About a minute ago Up About a minute (healthy)
harbor-db goharbor/harbor-db:v2.13.1 "/docker-entrypoint.…" postgresql About a minute ago Up About a minute (healthy)
harbor-jobservice goharbor/harbor-jobservice:v2.13.1 "/harbor/entrypoint.…" jobservice About a minute ago Up About a minute (healthy)
harbor-log goharbor/harbor-log:v2.13.1 "/bin/sh -c /usr/loc…" log About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal goharbor/harbor-portal:v2.13.1 "nginx -g 'daemon of…" portal About a minute ago Up About a minute (healthy)
nginx goharbor/nginx-photon:v2.13.1 "nginx -g 'daemon of…" proxy About a minute ago Up About a minute (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp
redis goharbor/redis-photon:v2.13.1 "redis-server /etc/r…" redis About a minute ago Up About a minute (healthy)
registry goharbor/registry-photon:v2.13.1 "/home/harbor/entryp…" registry About a minute ago Up About a minute (healthy)
registryctl goharbor/harbor-registryctl:v2.13.1 "/home/harbor/start.…" registryctl About a minute ago Up About a minute (healthy)
[root@elk91 harbor]#
2.5 访问webUI
http://10.0.0.91/harbor/projects
初始用户名: admin
初始化密码: 1(即 harbor.yml 中 harbor_admin_password 的值。这是演示用的弱口令,首次登录后应立即在 Web UI 中改为强口令;生产环境不要使用此类口令,也不要让配置文件中的口令长期有效)
另一台(10.0.0.92)搭建方法同上,注意将其 harbor.yml 中的 hostname 改为 10.0.0.92
两台harbor配置数据同步
配置两台 harbor 服务器数据相互同步,以下以 91 节点为例,92 节点的操作相同
#配置新仓库(在“仓库管理”中添加对端 Harbor 作为目标仓库。用于复制的账号建议单独创建、只授予所需项目的权限,不要直接填写 admin 及其口令,以减小凭据泄露后的影响)
#配置复制管理:新建复制规则并设置定时触发,让 92 定时从 91 拉取镜像;91 从 92 拉取的规则同理
harbor出现问题解决小技巧
#停止并重启(docker-compose down 不加 -v 时只删除容器和网络,不会删除 data_volume 指向的 /data/harbor 下的镜像和数据库数据)
[root@elk92 harbor]# docker-compose down -t 0
[+] Running 10/10
✔ Container harbor-jobservice Removed 0.2s
✔ Container registryctl Removed 0.3s
✔ Container nginx Removed 0.0s
✔ Container harbor-portal Removed 0.3s
✔ Container harbor-core Removed 0.2s
✔ Container redis Removed 0.3s
✔ Container harbor-db Removed 0.3s
✔ Container registry Removed 0.3s
✔ Container harbor-log Removed 0.2s
✔ Network harbor_harbor Removed 0.2s
[root@elk92 harbor]#
[root@elk92 harbor]#
[root@elk92 harbor]# docker-compose up -d
[+] Building 0.0s (0/0) docker:default
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 0.0s
✔ Container redis Started 0.0s
✔ Container registryctl Started 0.0s
✔ Container registry Started 0.0s
✔ Container harbor-db Started 0.0s
✔ Container harbor-portal Started 0.0s
✔ Container harbor-core Started 0.0s
✔ Container harbor-jobservice Started 0.0s
✔ Container nginx Started 0.0s
[root@elk92 harbor]#
[root@elk92 harbor]# docker-compose ps -a
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
harbor-core goharbor/harbor-core:v2.13.1 "/harbor/entrypoint.…" core 21 seconds ago Up 19 seconds (health: starting)
harbor-db goharbor/harbor-db:v2.13.1 "/docker-entrypoint.…" postgresql 21 seconds ago Up 20 seconds (health: starting)
harbor-jobservice goharbor/harbor-jobservice:v2.13.1 "/harbor/entrypoint.…" jobservice 21 seconds ago Up 18 seconds (health: starting)
harbor-log goharbor/harbor-log:v2.13.1 "/bin/sh -c /usr/loc…" log 21 seconds ago Up 21 seconds (health: starting) 127.0.0.1:1514->10514/tcp
harbor-portal goharbor/harbor-portal:v2.13.1 "nginx -g 'daemon of…" portal 21 seconds ago Up 19 seconds (health: starting)
nginx goharbor/nginx-photon:v2.13.1 "nginx -g 'daemon of…" proxy 21 seconds ago Up 18 seconds (health: starting) 0.0.0.0:80->8080/tcp, :::80->8080/tcp
redis goharbor/redis-photon:v2.13.1 "redis-server /etc/r…" redis 21 seconds ago Up 20 seconds (health: starting)
registry goharbor/registry-photon:v2.13.1 "/home/harbor/entryp…" registry 21 seconds ago Up 19 seconds (health: starting)
registryctl goharbor/harbor-registryctl:v2.13.1 "/home/harbor/start.…" registryctl 21 seconds ago Up 20 seconds (health: starting)
[root@elk92 harbor]#
harbor的高可用解决方案(仓库复制 + keepalived VIP)
方案一:
多个harbor共享存储。
方案二:
仓库复制。(官方推荐)
1.多节点安装keepalived
[root@elk91 ~]# apt -y install keepalived
[root@elk92 ~]# apt -y install keepalived
2.91节点修改keepalived配置。注意两点:其一,下面 vrrp_script 检查的是 8443 端口,而本文 Harbor 的 nginx 暴露在 80 端口(见上文 docker-compose ps 输出),且 /etc/keepalived/check_port.sh 并未在文中创建——需先编写该脚本并把端口改为实际监听端口,否则健康检查恒失败、两节点同时被降权,Harbor 宕机时 VIP 不会按预期切换。其二,auth_pass 是两节点共享的 VRRP 口令,VRRPv2 的 PASS 认证在网络上是明文传输的,同网段任何拿到该口令的主机都可以加入同一 virtual_router_id 抢占 VIP,请勿沿用示例值,并注意 VRRP 只应在受信任的网段内运行。
[root@elk91 ~]# ifconfig
...
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.91 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fee8:8b7c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e8:8b:7c txqueuelen 1000 (Ethernet)
RX packets 1149700 bytes 1334270651 (1.3 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1026632 bytes 1117756007 (1.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@elk91 ~]# cat > /etc/keepalived/keepalived.conf <<'EOF'
! Configuration File for keepalived
global_defs {
router_id 10.0.0.91
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 8443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.0.0.91
nopreempt
authentication {
auth_type PASS
auth_pass yinzhengjie_k8s
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.0.0.230
}
}
EOF
2.92节点修改keepalived配置(同样需要先创建 /etc/keepalived/check_port.sh,检查端口和 auth_pass 与 91 节点保持一致)
[root@elk92 harbor]# ifconfig
...
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.92 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fe0d:67d5 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:0d:67:d5 txqueuelen 1000 (Ethernet)
RX packets 917723 bytes 1096507658 (1.0 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 476754 bytes 434552251 (434.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@elk92 ~]# cat > /etc/keepalived/keepalived.conf <<'EOF'
! Configuration File for keepalived
global_defs {
router_id 10.0.0.92
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 8443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.0.0.92
nopreempt
authentication {
auth_type PASS
auth_pass yinzhengjie_k8s
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.0.0.230
}
}
EOF
3.启动keepalived
[root@elk91 ~]# systemctl enable --now keepalived
[root@elk92 harbor]# systemctl enable --now keepalived
4.测试验证
http://10.0.0.230/
5.停止其中一台的 keepalived,观察 VIP 是否漂移到另一节点。注意两节点都配置为 state MASTER,而 keepalived 文档指出 nopreempt 仅在初始 state 为 BACKUP 时生效,因此恢复后是否会抢回 VIP 需按实际观察确认。
将docker registry的镜像迁移到harbor仓库
1.配置仓库
2.新建复制规则
3.启动复制规则
4.验证测试,查看是否迁移成功
5.设置项目为公开(公开项目允许任何能访问到仓库的人匿名拉取镜像,只对确实需要匿名访问的项目开启;含内部或敏感内容的镜像应保持私有,通过项目成员和角色控制访问)