Harbor ☞ Installation

zyh, 2021-07-07 15:51:44

Hardware and software requirements

Harbor docs | Harbor Installation Prerequisites (goharbor.io)

Hardware requirements

| Resource | Minimum | Recommended |
| --- | --- | --- |
| CPU | 2 CPU | 4 CPU |
| Mem | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |

Software requirements

| Software | Version | Description |
| --- | --- | --- |
| Docker engine | Version 17.06.0-ce+ or higher | For installation instructions, see the Docker Engine documentation |
| Docker Compose | Version 1.18.0 or higher | For installation instructions, see the Docker Compose documentation |
| Openssl | Latest is preferred | Used to generate certificates and keys for Harbor |

shell/centos7_init.sh at main · Spinestars/shell (github.com)

Network requirements

| Port | Protocol | Description |
| --- | --- | --- |
| 443 | HTTPS | Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file. |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor. Only required if Notary is enabled. You can change this port in the configuration file. |
| 80 | HTTP | Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file. |

Download / configuration

Harbor uses the installation script and the installation configuration file shipped in the release package to generate the configuration that each component container needs; the component containers are then started with docker-compose.

https://github.com/goharbor/harbor/releases

cp harbor.yml.tmpl harbor.yml
mkdir -p /export/docker-data-harbor/log

The main changes to the configuration file are as follows.

✨ This is not the configuration that the Harbor component programs read directly; rather, the Harbor installation script uses it to dynamically generate the configuration and data that each Harbor component needs.

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# <domain name>
hostname: <domain name>

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 10080

# https related config
https:
  # https port for harbor, default is 443
  port: 10443
  # The path of cert and key files for nginx <host path; must not be a symlink>. The nginx container copies this certificate into the container.
  certificate: /export/cert/apps/xxx.com/fullchain.cer
  private_key: /export/cert/apps/xxx.com/xxx.com.key

...

harbor_admin_password: <web UI admin password>

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: <database password>
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume, default: /data  <host path; root of the data directories for all Harbor containers>
data_volume: /export/docker-data-harbor

...

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that stores the logs
    location: /export/docker-data-harbor/log
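
Before running ./prepare it is worth checking that the values above are actually usable. The following POSIX shell script is an added example and is not part of Harbor or of this post. It reads the keys discussed above out of harbor.yml with awk (no YAML library needed) and checks that hostname is not localhost or 127.0.0.1, that the admin and database passwords are neither the defaults shipped in harbor.yml.tmpl (Harbor12345 and root123) nor an unfilled <placeholder>, that the certificate and key paths exist on the host and are not symlinks, that the private key is readable by its owner only, and that data_volume and the log directory exist. The two sample configurations it writes under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for harbor.yml before running ./prepare.
# Added example, not part of Harbor. Only the keys discussed above are read.
# "Harbor12345" and "root123" are the defaults shipped in harbor.yml.tmpl.

# yml_top <key> <file>: value of the top-level line "<key>: value".
yml_top() {
  awk -v key="$1" '/^[^ \t#]/ && $1 == key ":" {
    sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$2"
}

# yml_sub <section> <key> <file>: value of the first indented "<key>: value"
# line below the top-level "<section>:" line (any nesting depth).
yml_sub() {
  awk -v sec="$1" -v key="$2" '
    /^[^ \t#]/ { insec = ($0 ~ ("^" sec ":")); next }
    insec && $1 == key ":" {
      sub(/^[ \t]*[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$3"
}

# harbor_preflight <harbor.yml>: one line per finding; returns 1 if anything FAILs.
harbor_preflight() {
  f="$1"; rc=0
  fail() { echo "FAIL $1"; rc=1; }

  host=$(yml_top hostname "$f")
  case "$host" in
    ""|localhost|127.0.0.1|"<"*) fail "hostname '$host': use the name external clients connect to" ;;
    *) echo "ok   hostname $host" ;;
  esac
  case "$(yml_top harbor_admin_password "$f")" in
    ""|Harbor12345|"<"*) fail "harbor_admin_password is empty, the default, or a placeholder" ;;
  esac
  case "$(yml_sub database password "$f")" in
    ""|root123|"<"*) fail "database.password is empty, the default, or a placeholder" ;;
  esac

  # nginx copies the files at these paths into its container: they must be
  # regular files on the host (no symlinks), and the key owner-readable only.
  for name in certificate private_key; do
    p=$(yml_sub https "$name" "$f")
    if [ -z "$p" ]; then fail "https.$name is not set"
    elif [ -L "$p" ]; then fail "https.$name '$p' is a symlink; give the real path"
    elif [ ! -f "$p" ]; then fail "https.$name '$p' does not exist on the host"
    elif [ "$name" = private_key ]; then
      mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
      case "$mode" in *00) ;; *) fail "private key mode $mode is readable by group or others" ;; esac
    fi
  done

  for d in "$(yml_top data_volume "$f")" "$(yml_sub log location "$f")"; do
    [ -d "$d" ] || fail "directory '$d' does not exist on the host"
  done
  return "$rc"
}

# make_sample <dir> good|bad: write a constructed harbor.yml plus cert, key and
# data directories under <dir> and print its path. "bad" reproduces the
# mistakes the checks are meant to catch (constructed values, not a deployment).
make_sample() {
  dir="$1"; mkdir -p "$dir/cert" "$dir/data/log"
  : > "$dir/cert/fullchain.cer"; : > "$dir/cert/harbor.key"; chmod 600 "$dir/cert/harbor.key"
  if [ "$2" = good ]; then
    host=harbor.example.test; admin='Adm1n-pass-constructed'; dbpw='Db-pass-constructed'
    cert="$dir/cert/fullchain.cer"
  else
    host=localhost; admin=Harbor12345; dbpw='<database password>'
    ln -sf "$dir/cert/fullchain.cer" "$dir/cert/link.cer"; cert="$dir/cert/link.cer"
  fi
  cat > "$dir/harbor.yml" <<EOF
hostname: $host
http:
  port: 10080
https:
  port: 10443
  certificate: $cert
  private_key: $dir/cert/harbor.key
harbor_admin_password: $admin
database:
  password: $dbpw
data_volume: $dir/data
log:
  level: info
  local:
    location: $dir/data/log
EOF
  echo "$dir/harbor.yml"
}

# Usage: sh harbor_preflight.sh /path/to/harbor.yml
# Without an argument, the two constructed samples are checked instead.
if [ -n "$1" ]; then
  harbor_preflight "$1"
else
  tmp=$(mktemp -d)
  harbor_preflight "$(make_sample "$tmp/good" good)" && echo "--- good sample accepted"
  harbor_preflight "$(make_sample "$tmp/bad" bad)" || echo "--- bad sample rejected, as expected"
  rm -rf "$tmp"
fi
```

The awk helpers deliberately match "http:" and "https:" as distinct sections, so https.port is read from the right block; run the script against the real harbor.yml as the same user that will run ./prepare, since the symlink and permission checks are evaluated on the host paths exactly as nginx will see them.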

HTTPS configuration

Certificate configuration has two parts, one for nginx and one for Docker. Both use the same certificate; Docker just additionally needs ca.crt.

cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
# If you changed the default port, copy to /etc/docker/certs.d/yourdomain.com:port/ instead
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/

The nginx certificate is copied from the https.certificate and https.private_key paths in harbor.yml to <path_to_data_volume>/secret/cert/.
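
The file extensions in /etc/docker/certs.d/ matter to the Docker daemon: files ending in .crt are CA certificates trusted for that registry, while files ending in .cert are client certificates that must come with a matching .key. Saving the CA as ca.cert instead of ca.crt therefore makes the daemon look for a ca.key that does not exist. The following POSIX shell script is an added example, not part of Harbor or of this post, that checks a certs.d directory for this layout. certs_dir builds the directory name from the host and optional port exactly as typed in docker login; the fixture directories it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Validate /etc/docker/certs.d/<host>[:<port>]/ for a Harbor registry.
# Added example, not part of Harbor. Docker's rules for that directory:
#   *.crt  -> CA certificate(s) trusted for this registry
#   *.cert -> client certificate, which must have a matching *.key
# so a CA saved as "ca.cert" is treated as a client certificate.

# certs_dir <host> [port] [root]: directory Docker consults for the registry
# reference "<host>" or "<host>:<port>", as used in docker login / pull.
certs_dir() {
  root="${3:-/etc/docker/certs.d}"
  if [ -n "$2" ]; then echo "$root/$1:$2"; else echo "$root/$1"; fi
}

# check_certs_dir <dir>: one line per file; returns 1 on any FAIL.
check_certs_dir() {
  d="$1"; rc=0; ca=0
  [ -d "$d" ] || { echo "FAIL $d does not exist"; return 1; }
  for f in "$d"/*; do
    [ -e "$f" ] || continue
    case "$f" in
      *.crt)  ca=$((ca + 1)); echo "ok   CA certificate $(basename "$f")" ;;
      *.cert) k="${f%.cert}.key"
              if [ -f "$k" ]; then echo "ok   client pair $(basename "$f") + $(basename "$k")"
              else echo "FAIL $(basename "$f") has no $(basename "$k"); a CA file must be named *.crt"; rc=1
              fi ;;
      *.key)  [ -f "${f%.key}.cert" ] || { echo "FAIL orphan key $(basename "$f")"; rc=1; }
              mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
              case "$mode" in *00) ;; *) echo "FAIL $(basename "$f") mode $mode is readable by others"; rc=1 ;; esac ;;
      *)      echo "warn $(basename "$f") is ignored by Docker (unknown extension)" ;;
    esac
  done
  [ "$ca" -gt 0 ] || { echo "FAIL no *.crt CA certificate in $d"; rc=1; }
  return "$rc"
}

# make_certs_fixture <dir> good|bad: constructed layout for the demonstration
# (empty files; only names and permissions matter here). Prints <dir>.
make_certs_fixture() {
  d="$1"; mkdir -p "$d"
  : > "$d/yourdomain.com.cert"; : > "$d/yourdomain.com.key"; chmod 600 "$d/yourdomain.com.key"
  if [ "$2" = good ]; then : > "$d/ca.crt"; else : > "$d/ca.cert"; fi
  echo "$d"
}

# Usage: sh check_certs_d.sh yourdomain.com [port]
# Without arguments, the two constructed fixtures are checked instead.
if [ -n "$1" ]; then
  check_certs_dir "$(certs_dir "$1" "$2")"
else
  tmp=$(mktemp -d)
  check_certs_dir "$(make_certs_fixture "$tmp/good" good)" && echo "--- layout accepted"
  check_certs_dir "$(make_certs_fixture "$tmp/bad" bad)" || echo "--- ca.cert layout rejected, as expected"
  rm -rf "$tmp"
fi
```

If Harbor listens on a non-default port, pass that port so the check looks at the <host>:<port> directory, which is the one Docker uses for docker login yourdomain.com:10443.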

Install / start / stop

Prepare, then start

Generates the docker-compose configuration, creates the data directories, and produces the dependency data the containers need:

./prepare && docker-compose up -d

Install and start directly

./install.sh

Stop

docker-compose down

Other

Certificate replacement

For nginx, replace the files under <path_to_data_volume>/secret/cert/ and restart the nginx container.

For Docker, replace the files under /etc/docker/certs.d/yourdomain.com/; a restart should not be needed.

Web configuration: policies

Concrete requirements for the deletion policy:

  1. When the policy runs, delete all untagged images.
  2. When the policy runs, retain the tagged images from the last 7 days.


To test a policy, use [Dry run] together with the [Logs] of that run to confirm that the policy does what you expect.