Hardware and software dependencies
Harbor docs | Harbor Installation Prerequisites (goharbor.io)
Hardware requirements
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 CPU | 4 CPU |
| Mem | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |
Software requirements
| Software | Version | Description |
|---|---|---|
| Docker engine | Version 17.06.0-ce+ or higher | For installation instructions, see Docker Engine documentation |
| Docker Compose | Version 1.18.0 or higher | For installation instructions, see Docker Compose documentation |
| Openssl | Latest is preferred | Used to generate certificate and keys for Harbor |
shell/centos7_init.sh at main · Spinestars/shell (github.com)
Network requirements
| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file. |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor. Only required if Notary is enabled. You can change this port in the configuration file. |
| 80 | HTTP | Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file. |
Download / configuration
Harbor uses the install script and the install configuration file shipped in the package to generate the configuration each component container needs; the component containers are then started with docker-compose.
- Download the online installer package and unpack it
https://github.com/goharbor/harbor/releases
- Edit the configuration file in the unpacked directory

```sh
cp harbor.yml.tmpl harbor.yml
mkdir -p /export/docker-data-harbor/log
```

The main changes to the configuration file are as follows.
✨ This file is not read directly by Harbor's component programs; the Harbor install script uses it to generate, at prepare time, the configuration and data each Harbor component needs.
```yaml
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# <domain name>
hostname: <domain name>

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 10080

# https related config
https:
  # https port for harbor, default is 443
  port: 10443
  # The path of cert and key files for nginx <host path, must not be a symlink>; the nginx container copies this certificate into the container
  certificate: /export/cert/apps/xxx.com/fullchain.cer
  private_key: /export/cert/apps/xxx.com/xxx.com.key
...
harbor_admin_password: <admin password for the web UI>

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: <database password>
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume, default: /data <host path; root of the data directories of all Harbor containers>
data_volume: /export/docker-data-harbor
...
# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that stores the logs
    location: /export/docker-data-harbor/log
```
HTTPS configuration
Certificate configuration has two parts, one for nginx and one for Docker. Both use the same certificate; Docker additionally needs ca.crt.
- Docker location (symlinks allowed)

```sh
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
# If you changed the default port, copy to /etc/docker/certs.d/yourdomain.com:port/ instead
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
```

- nginx location (symlinks not allowed)
The nginx certificate is copied from the https.certificate and https.private_key paths in harbor.yml to <path_to_data_volume>/secret/cert/.
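A pre-flight check for the https section before running ./prepare, added here as an example (it is not part of this note or of Harbor's installer): it rejects symlinked cert/key paths, confirms the key matches the certificate and that the certificate has not expired, and computes the /etc/docker/certs.d directory for a non-default port. It assumes openssl is on PATH; the hostname and port values are placeholders.

```sh
#!/bin/sh
# check_harbor_tls CERT KEY
# Returns 0 only if both paths are regular files (not symlinks: the nginx
# container copies the real file into <data_volume>/secret/cert/), the private
# key matches the certificate, and the certificate has not expired.
# Prints the first failure reason, or "ok".
check_harbor_tls() {
  cert="$1"
  key="$2"
  for f in "$cert" "$key"; do
    # -L must be tested before -f, because -f follows symlinks
    if [ -L "$f" ]; then
      echo "symlink not allowed for nginx: $f"
      return 1
    fi
    if [ ! -f "$f" ]; then
      echo "missing or not a regular file: $f"
      return 1
    fi
  done
  # Compare the SubjectPublicKeyInfo from the certificate with the one derived from the key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse certificate: $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse private key: $key"; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key do not match"
    return 1
  fi
  # -checkend 0 exits non-zero when the certificate is already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "certificate expired: $cert"; return 1; }
  echo "ok"
  return 0
}

# docker_certs_dir HOSTNAME HTTPS_PORT
# Prints the directory under /etc/docker/certs.d that the Docker daemon reads
# ca.crt from. The ":port" suffix is only needed when https.port in harbor.yml
# is not the default 443.
docker_certs_dir() {
  if [ "$2" = "443" ]; then
    echo "/etc/docker/certs.d/$1"
  else
    echo "/etc/docker/certs.d/$1:$2"
  fi
}
```

Run it as `check_harbor_tls /export/cert/apps/xxx.com/fullchain.cer /export/cert/apps/xxx.com/xxx.com.key` with the paths from your harbor.yml; a non-zero exit means prepare would produce a broken nginx configuration.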
Install / start / stop
Prepare, then start
Generates the docker-compose configuration, creates the data directories, and generates the dependency data the containers need:

```sh
./prepare && docker-compose up -d
```

Install and start in one step

```sh
./install.sh
```

Stop

```sh
docker-compose down
```
Other
Certificate replacement
For nginx, replace the files under <path_to_data_volume>/secret/cert/ and restart the nginx container.
For Docker, replace the files under /etc/docker/certs.d/yourdomain.com/; a restart should not be needed.
Web configuration: policies
Specific requirements for the deletion policy:
- When the policy runs, delete all untagged images
- When the policy runs, retain tagged images from the last 7 days
A policy can be tested with a dry run, then checking the run log to confirm it behaves as expected.