部署私有镜像容器仓库-Harbor
Harbor部署
部署docker-compose
curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version生成证书
# 生成CA证书私钥
openssl genrsa -out ca.key 4096
# 生成CA证书,harbor.itho.cn为域名地址
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.itho.cn" \
-key ca.key \
-out ca.crt
# 将服务器证书和密匙复制到Harbor主机上的证书文件夹中
cp ca.crt /root/harbor/ca.crt
cp ca.key /root/harbor/ca.key安装harbor
如果需要arm版本的,harbor官方好像没有提供,可以访问https://github.com/wise2c-devops/build-harbor-aarch64/
[root@CentOS7 harbor]# wget https://github.com/goharbor/harbor/releases/download/v2.9.1/harbor-offline-installer-v2.9.1.tgz
[root@CentOS7 harbor]# tar -zxvf harbor-offline-installer-v2.9.1.tgz
[root@CentOS7 harbor]# cd harbor/
[root@CentOS7 harbor]# mv harbor.yml.tmpl harbor.yml
[root@CentOS7 harbor]# vim harbor.yml
# 修改http端口
http:
port: 5480
# 修改https端口跟证书路径
https:
port: 5443
certificate: /root/harbor/ca.crt
private_key: /root/harbor/ca.key
# --with-chartmuseum 参数表示启用Charts存储功能。
[root@CentOS7 harbor]# ./install.sh --with-chartmuseumweb登录
web界面登录名admin初始密码Harbor12345
测试命令登录仓库地址
myluzh@myluzhdeMacBook-Pro ~ % docker login harbor.itho.cn:5443
Authenticating with existing credentials...
Login Succeeded如果报错如下(Error response from daemon: Get "https://harbor.itho.cn:5443/v2/": x509: certificate relies on legacy Common Name field, use SANs instead)
解决方法:在docker/daemon.json文件里写入仓库地址,然后重启docker后重试。
{
"insecure-registries": ["harbor.itho.cn:5443"],
}push镜像测试
myluzh@myluzhdeMacBook-Pro ~ % docker tag f0b7d20addb4 harbor.itho.cn:5443/mytest/hellok8s:v3
myluzh@myluzhdeMacBook-Pro ~ % docker push harbor.itho.cn:5443/mytest/hellok8s:v3
The push refers to repository [harbor.itho.cn:5443/mytest/hellok8s]
v3: digest: sha256:16588a8f2845147995bea2ddd46bc20c72010c3af26dab987c7b73cd13601a10 size: 2203设置harbor服务自启动
当部署Harbor的服务器在重启之后,可能会出现Harbor无法跟随系统自启动
解决方案
现假设Harbor的安装目录位置为/usr/local/harbor,在Harbor安装完成之后,在此目录下会生成docker-compose.yml配置文件,可以使用docker-compose操作此文件来控制Harbor的启停。
接下来编写自启Harbor的systemd服务,命名为harbor.service(放置于/etc/systemd/system目录下):
[Unit]
Description=harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f {{ harbor_install_path }}/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f {{ harbor_install_path }}/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target其中ExecStart 字段中的/usr/local/bin/docker-compose 为自己本机的docker-compose所在目录,可使用 which docker-compose 命令查找,{{ harbor_install_path }}为harbor的安装目录,最后使用chmod -R 777 harbor.service 设置访问权限,使用systemctl enable harbor.service来设置开机自启动即可。然后重启服务器进行测试。
Harbor优化
persistence:
imageChartStorage:
type: s3
disableredirect: true
s3:
bucket: harborstorage
accesskey: vwioalnesiul324wev
secretkey: qg3434h52g4h652h4h65dger6252
regionendpoint: http://10.10.158.44:9000
chunksize: "67108864" # 64MB(原16MB,增大以减少请求次数)
multipartcopythresholdsize: "134217728" # 128MB(原64MB,避免小文件多段复制)
multipartcopychunksize: "67108864" # 64MB(与 chunksize 对齐)
multipartcopymaxconcurrency: 200Harbor迁移(使用s3存储)
迁移思路
1、设置Harbor只读状态(2.1+版本支持)
2、迁移Harbor镜像到Minio上
3、Harbor对接Minio存储
4、取消Harbor只读
5、验证服务
Harbor设置只读状态
注意!!!:只读状态是只允许pull镜像,不能push镜像。设置Harbor只读状态,需要Harbor 2.1及以上版本才支持。
页面设置和调用API接口两种方式,任选一种即可。
$ curl -X PUT -k -u admin https://172.139.20.100/api/v2.0/configurations \
-H "Host: core.jiaxzeng.com" \
-H "Content-Type: application/json" \
-d '{"read_only": true}'
Enter host password for user 'admin': 输入密码迁移Harbor镜像到Minio
1、下载rclone服务
$ wget https://downloads.rclone.org/v1.68.2/rclone-v1.68.2-linux-amd64.zip
--2024-12-23 09:31:34-- https://downloads.rclone.org/v1.68.2/rclone-v1.68.2-linux-amd64.zip
Resolving downloads.rclone.org (downloads.rclone.org)... 95.217.6.16, 2a01:4f9:c012:7154::1
Connecting to downloads.rclone.org (downloads.rclone.org)|95.217.6.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22492286 (21M) [application/zip]
Saving to: ‘rclone-v1.68.2-linux-amd64.zip’
100%[===============================================================================================================================>] 22,492,286 5.15MB/s in 4.2s
2024-12-23 09:31:40 (5.15 MB/s) - ‘rclone-v1.68.2-linux-amd64.zip’ saved [22492286/22492286]
$ unzip rclone-v1.68.2-linux-amd64.zip
Archive: rclone-v1.68.2-linux-amd64.zip
creating: rclone-v1.68.2-linux-amd64/
inflating: rclone-v1.68.2-linux-amd64/README.html
inflating: rclone-v1.68.2-linux-amd64/rclone.1
inflating: rclone-v1.68.2-linux-amd64/rclone
inflating: rclone-v1.68.2-linux-amd64/README.txt
inflating: rclone-v1.68.2-linux-amd64/git-log.txt 2、配置rclone连接minio
$ cat ~/.config/rclone/rclone.conf
[minio]
type = s3
provider = minio
access_key_id = vwioalnesiul324wev
secret_access_key = qg3434h52g4h652h4h65dger6252
endpoint = http://10.10.158.44:9000
acl = private
upload_cutoff = 1024Gi3、数据迁移
$ ./rclone tree minio:/harborstorage --no-check-certificate
/
0 directories, 0 files
$ ./rclone sync /data/harbor minio:/harborstorage --no-check-certificate
Transferred: 4.552 GiB / 5.031 GiB, 90%, 0 B/s, ETA -
Checks: 685 / 685, 100%
Transferred: 1310 / 1311, 100%
Server Side Copies: 1310 @ 4.552 GiB
Elapsed time: 8m0.0s
Transferring:
* docker/registry/v2/blo…1f625c3eba5d6ef8f/data: 0% /491.157Mi, 0/s, -
2024/12/23 14:51:54 INFO : docker/registry/v2/blobs/sha256/aa/aa0d936fc7016fdab5ca4fcbc688b774c10731c66a456971f625c3eba5d6ef8f/data: Copied (server-side copy)
2024/12/23 14:51:54 INFO :
Transferred: 5.031 GiB / 5.031 GiB, 100%, 0 B/s, ETA -
Checks: 685 / 685, 100%
Transferred: 1311 / 1311, 100%
Server Side Copies: 1311 @ 5.031 GiB
Elapsed time: 8m5.7s4、Harbor对接Minio
$ cat /etc/kubernetes/addons/harbor-value.yml
persistence:
imageChartStorage:
type: s3
disableredirect: true
s3:
bucket: harborstorage
accesskey: vwioalnesiul324wev
secretkey: qg3434h52g4h652h4h65dger6252
regionendpoint: http://10.10.158.44:90005、取消Harbor只读模式
$ curl -X PUT -k -u admin https://172.139.20.100/api/v2.0/configurations \
-H "Host: core.jiaxzeng.com" \
-H "Content-Type: application/json" \
-d '{"read_only": false}'
Enter host password for user 'admin': 输入密码6、验证服务可用性
$ sudo docker push nginx:latest
The push refers to repository [nginx:latest]
6d6e25fcbe73: Layer already exists
83c89c42636d: Layer already exists
latest: digest: sha256:fde527bff0c89d6cefbf8fac19e7c6e8266766641f4a8610e4f7c2154ca86252 size: 741参考文章
https://blog.csdn.net/yy139926/article/details/125269322
https://blog.csdn.net/Katie_ff/article/details/132498162
https://zhangyw.flowus.cn/share/5bdeabc0-6a4d-4e58-8522-a466446cf81a