1 Docker Hub

Docker Hub integrates with source code management systems and provides build and test tooling that shortens deployment cycles from days to minutes; Docker claims this has let its users speed up application delivery.

Architecture and technology-stack upgrades become unavoidable once adoption of Docker Hub is large-scale and unpredictable.

As developers adopt Docker containers, IT administrators have to move them into enterprise production environments. Beyond administration and configuration tools, that requires orchestration and scheduling software.

Some intranet environments cannot reach Docker Hub at all, and then an internal registry has to be built. Docker publishes an official registry image (docker-registry) that stands up a private image registry with very little effort.

2 Environment Preparation

[root@dockerhub250 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@dockerhub250 ~]# ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.2.250  netmask 255.255.255.0  broadcast 172.16.2.255

2.1 docker installation

# Install the necessary system tools

yum install -y yum-utils device-mapper-persistent-data lvm2

# Add the Docker CE yum repository (Aliyun mirror of the upstream repo)

yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast

# View the available Docker versions

yum list docker-ce.x86_64 --showduplicates | sort -r

# Install docker-ce. To pin a release, append one of the versions listed above to the package name (for example docker-ce-19.03.12, the version the rest of this article runs on)

yum -y install docker-ce

# Enable and start the Docker service

systemctl enable docker
systemctl start docker

2.2 Docker registry mirror (pull acceleration)

A registry mirror is a supply-chain trust point: a pull by tag takes whatever manifest the mirror returns for that tag, and only a pull by digest (image@sha256:...) is verified end to end by the client. Only configure a mirror you trust.

vim /etc/docker/daemon.json

{"registry-mirrors": ["https://registry.cn-hangzhou.aliyuncs.com"]}

# Reload systemd, restart Docker, and confirm the mirror is listed under "Registry Mirrors" in the docker info output

systemctl daemon-reload
systemctl restart docker
docker info

3 Building a private registry

3.1 Searching for the registry image

[root@dockerhub250 ~]# docker search registry
NAME                                 DESCRIPTION                                      STARS   OFFICIAL   AUTOMATED
registry                             The Docker Registry 2.0 implementation for s...  3062    [OK]
distribution/registry                WARNING: NOT the registry official image!!! ...  57                 [OK]
stefanscherer/registry-windows       Containerized docker registry for Windows Se...  32
budry/registry-arm                   Docker registry build for Raspberry PI 2 and...  18
deis/registry                        Docker image registry for the Deis open sour...  12
jc21/registry-ui                     A nice web interface for managing your Docke...  12
anoxis/registry-cli                  You can list and delete tags from your priva...  10                 [OK]
sixeyed/registry                     Docker Registry 2.6.0 running on Windows -n...   10
pallet/registry-swift                Add swift storage support to the official do...  4                  [OK]
allingeek/registry                   A specialization of registry:2 configured fo...  4                  [OK]
arm32v6/registry                     The Docker Registry 2.0 implementation for s...  3
goharbor/registry-photon                                                              2
conjurinc/registry-oauth-server      Docker Registry Authn/Authz Server backed by...  1
concourse/registry-image-resource                                                     1
ibmcom/registry                      Docker Image for IBM Cloud private-CE (Commu...  1
metadata/registry                    Metadata Registry is a tool which ...            1                  [OK]
webhippie/registry                   Docker images for registry                       1                  [OK]
kontena/registry                     Kontena Registry                                 0
gisjedi/registry-proxy               Reverse proxy of registry mirror image gisje...  0
dwpdigital/registry-image-resource   Concourse resource type                          0
lorieri/registry-ceph                Ceph Rados Gateway (and any other S3 compati...  0
convox/registry                                                                       0
digillect/registry-cleaner           Tool to remove unused images from Docker reg...  0                  [OK]
pivnet/registry-gcloud-image                                                          0
upmcenterprises/registry-creds                                                        0

Only the first result, registry, carries the OFFICIAL mark (it resolves to library/registry when pulled); the similarly named distribution/registry says in its own description that it is not the official image. Pull the official one.

3.2 Installing the registry

[root@dockerhub250 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
[root@dockerhub250 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            latest              2d4f4b5309b1        2 months ago        26.2MB

# Create a local directory and bind-mount it into the container, so the image data survives a container crash or removal and a replacement container can pick it up

mkdir -p /data/dockerhub

# Start the registry. Note that -p 5000:5000 publishes it on every interface and this registry has neither TLS nor authentication: anyone who can reach port 5000 can push or overwrite images, so keep it inside the intranet

docker run -d -v /data/dockerhub:/var/lib/registry -p 5000:5000 --restart=always --name dockerhub-registry2.0 registry

# Check the v2 API at http://172.16.1.250:5000/v2/; an empty JSON object means the registry is up

[root@dockerhub250 ~]# curl http://172.16.1.250:5000/v2/
{}

3.3 Pushing an image to the private registry

[root@dockerhub250 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              4bb46517cac3        8 days ago          133MB
registry            latest              2d4f4b5309b1        2 months ago        26.2MB
# Tag the image with the private registry address; the registry host:port in the name tells docker push where to send it
[root@dockerhub250 ~]# docker tag nginx:latest 172.16.1.250:5000/nginx:latest
[root@dockerhub250 ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
nginx                     latest              4bb46517cac3        8 days ago          133MB
172.16.1.250:5000/nginx   latest              4bb46517cac3        8 days ago          133MB
registry                  latest              2d4f4b5309b1        2 months ago        26.2MB
# Push the nginx image to the private registry
[root@dockerhub250 ~]# docker push 172.16.1.250:5000/nginx:latest
The push refers to repository [172.16.1.250:5000/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362
# Check that the upload succeeded
[root@dockerhub250 ~]# curl http://127.0.0.1:5000/v2/_catalog
{"repositories":["nginx"]}
# List the tags of the image
[root@dockerhub250 ~]# curl http://172.16.1.250:5000/v2/nginx/tags/list
{"name":"nginx","tags":["latest"]}

# Verify that another intranet machine can pull the image (that machine needs the same insecure-registries entry described in X.2). The Digest line must match the one printed by docker push; that is the check that the image arrived intact

[root@k8snode172 ~]# docker pull 172.16.1.250:5000/nginx
Using default tag: latest
latest: Pulling from nginx
bf5952930446: Pull complete
cb9a6de05e5a: Pull complete
9513ea0afb93: Pull complete
b49ea07d2e93: Pull complete
a5e4a503d449: Pull complete
Digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c
Status: Downloaded newer image for 172.16.1.250:5000/nginx:latest
172.16.1.250:5000/nginx:latest
[root@k8snode172 ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
172.16.1.250:5000/nginx   latest              4bb46517cac3        8 days ago          133MB

4 Harbor

Harbor is an enterprise-class private registry server that adds performance and security features on top of the plain registry. It speeds up image transfer between build and run environments, can replicate images across several registry instances, keeps every image inside the intranet so data and intellectual property stay under your control, and adds user management, access control and activity auditing.

  1. Role-based access control: users and image repositories are organized by project; a user can hold different permissions on the repositories of one project (namespace).
  2. Image replication: images can be replicated (synchronized) between registry instances, which suits load balancing, high availability, hybrid and multi-cloud scenarios.
  3. Graphical user interface: users browse and search the image repositories and manage projects and namespaces from a browser.
  4. AD/LDAP support: Harbor integrates with an existing AD/LDAP directory for authentication.
  5. Audit log: every operation against the image registry is recorded and can be traced.
  6. Internationalized: English, Chinese, German, Japanese and Russian localizations, with more to come.
  7. RESTful API: gives administrators full control over Harbor and eases integration with other management software.
  8. Simple deployment: online and offline installers are provided, and Harbor can also be deployed as a virtual appliance (OVA) on vSphere.

4.1 Downloading and Installing Harbor

Prerequisites: Docker 17.06.0-ce or later and docker-compose 1.18.0 or later. Go 1.12.0+ is only needed when building Harbor from source; the offline installer used here ships prebuilt images.

[root@dockerhub250 ~]# yum install golang docker-ce docker-compose
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * elrepo: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Package golang-1.13.14-1.el7.x86_64 already installed and latest version
Package 3:docker-ce-19.03.12-3.el7.x86_64 already installed and latest version
Package docker-compose-1.18.0-4.el7.noarch already installed and latest version

Download the latest Harbor offline installer (v2.0.2 at the time of writing)

# download
[root@dockerhub250 ~]# wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-offline-installer-v2.0.2.tgz
# extract
[root@dockerhub250 ~]# tar zxvf harbor-offline-installer-v2.0.2.tgz

Harbor can be served over plain HTTP, but then only the web UI is usable: the Docker client talks HTTPS to registries by default (the same "server gave HTTP response to HTTPS client" error as in X.2), so every client would have to list Harbor as an insecure registry. Configure HTTPS instead.

# Generate the CA private key and a self-signed CA certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
# Generate the server key and certificate signing request (for access by domain name, enter the domain name as the Common Name):
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.kkcai.vip.key -out harbor.kkcai.vip.csr
# Sign the server certificate with the CA
openssl x509 -req -days 365 -in harbor.kkcai.vip.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.kkcai.vip.crt
[root@dockerhub250 harbor]# ll
total 535264
-rw-r--r-- 1 root root      2045 Aug 22 15:32 ca.crt
-rw-r--r-- 1 root root      3272 Aug 22 15:32 ca.key
-rw-r--r-- 1 root root        17 Aug 22 15:36 ca.srl
-rw-r--r-- 1 root root      3361 Jul 28 17:47 common.sh
-rw-r--r-- 1 root root      1948 Aug 22 15:36 harbor.kkcai.vip.crt
-rw-r--r-- 1 root root      1797 Aug 22 15:34 harbor.kkcai.vip.csr
-rw-r--r-- 1 root root      3272 Aug 22 15:34 harbor.kkcai.vip.key
-rw-r--r-- 1 root root 548041010 Jul 28 17:47 harbor.v2.0.2.tar.gz
-rw-r--r-- 1 root root      7829 Aug 22 12:00 harbor.yml
-rw-r--r-- 1 root root      7828 Jul 28 17:47 harbor.yml.tmpl
-rwxr-xr-x 1 root root      2523 Jul 28 17:47 install.sh
-rw-r--r-- 1 root root     11347 Jul 28 17:47 LICENSE
-rwxr-xr-x 1 root root      1856 Jul 28 17:47 prepare

Two caveats on the commands above. They put the hostname only in the certificate's Common Name; Docker clients built with Go 1.15 or later ignore the Common Name and reject such a certificate with "x509: certificate relies on legacy Common Name field, use SANs instead", so a subjectAltName extension is needed for anything newer than the Docker 19.03 used here. And both private keys were created world-readable (0644): restrict them to root and keep ca.key off the Harbor host, because whoever holds it can mint a certificate that every Docker daemon trusting this CA will accept.

# Install the certificate

[root@dockerhub250 harbor]# mkdir -p /etc/cert/harbor
[root@dockerhub250 harbor]# cp harbor.kkcai.vip.crt harbor.kkcai.vip.key /etc/cert/harbor
[root@dockerhub250 harbor]# ll /etc/cert/harbor/
total 8
-rw-r--r-- 1 root root 1948 Aug 22 15:38 harbor.kkcai.vip.crt
-rw-r--r-- 1 root root 3272 Aug 22 15:38 harbor.kkcai.vip.key
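
The same CA, CSR and signing sequence as above, repeated with a subjectAltName on the server certificate and followed by the two checks a Docker client effectively performs (chain validation against ca.crt and a DNS-name match). This is an added example, not code from the original article or from the Harbor project. The Harbor hostname and the output directory are command-line arguments, the extension file name v3.ext and the KEY_BITS variable are the script's own, and the generated files keep the article's naming (ca.crt, ca.key, <host>.crt, <host>.key) so they drop into /etc/cert/harbor unchanged.

```shell
#!/bin/sh
# Added example (not from the original article or the Harbor project): issue a Harbor server
# certificate from a private CA with a subjectAltName, then verify it the way a client would.
# Assumed: usage "sh harbor_certs.sh harbor.kkcai.vip /etc/cert/harbor"; KEY_BITS defaults to 4096.
set -eu

KEY_BITS="${KEY_BITS:-4096}"

# OpenSSL extension file: not a CA, server auth only, and the SAN modern clients insist on.
v3_ext() {
    cat <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=$1
EOF
}

# Generate ca.crt/ca.key and <host>.crt/<host>.key under the output directory.
make_harbor_certs() {
    host="$1"; out="$2"
    mkdir -p "$out"
    # Private CA, self-signed. Keep ca.key off the Harbor host once ca.crt is distributed.
    openssl genrsa -out "$out/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/CN=$host CA" -key "$out/ca.key" -out "$out/ca.crt"
    # Server key and CSR. The CN still names the host, but clients match on the SAN.
    openssl genrsa -out "$out/$host.key" "$KEY_BITS" 2>/dev/null
    openssl req -sha512 -new -subj "/CN=$host" \
        -key "$out/$host.key" -out "$out/$host.csr"
    v3_ext "$host" > "$out/v3.ext"
    openssl x509 -req -sha512 -days 365 -extfile "$out/v3.ext" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -in "$out/$host.csr" -out "$out/$host.crt" 2>/dev/null
    # The article's openssl invocations leave keys world-readable; lock them down.
    chmod 600 "$out/ca.key" "$out/$host.key"
}

# Chain validity against the CA plus a SAN that names the host: 0 if both hold, 1 otherwise.
check_harbor_cert() {
    host="$1"; out="$2"
    openssl verify -CAfile "$out/ca.crt" "$out/$host.crt" >/dev/null || return 1
    openssl x509 -in "$out/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
}

if [ "$#" -eq 2 ]; then
    make_harbor_certs "$1" "$2"
    check_harbor_cert "$1" "$2" && echo "certificate for $1 is valid and carries a SAN"
fi
```

After running it, harbor.yml's certificate and private_key paths point at the generated <host>.crt and <host>.key, and ca.crt goes to /etc/docker/certs.d/harbor.kkcai.vip/ on every client, exactly as the article does in 4.3. The `openssl x509 -text | grep DNS:` check is the one to rerun whenever the certificate is replaced; a missing SAN is the usual cause of a push that works from the server but fails from a freshly updated client.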

# An intranet DNS server resolves harbor.kkcai.vip in this setup, so no hosts entry was needed. Without one, add an /etc/hosts entry mapping the domain name to the IP on the server and on every client:

echo "172.16.1.250 harbor.kkcai.vip" >> /etc/hosts

# Go to the directory, copy the template and edit the configuration file harbor.yml

[root@dockerhub250 harbor]# cp harbor.yml.tmpl harbor.yml
[root@dockerhub250 harbor]# vim harbor.yml
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# Use the domain name that the certificate was issued for
hostname: harbor.kkcai.vip
# Point the https section at the certificate installed above
https:
  certificate: /etc/cert/harbor/harbor.kkcai.vip.crt
  private_key: /etc/cert/harbor/harbor.kkcai.vip.key
# Initial password of the admin account. It is only applied on Harbor's first start, so set a strong one here and rotate it in the UI afterwards
harbor_admin_password: devops
# Harbor database password
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: devops
# Data storage location
data_volume: /data/harbor

# Run install.sh to install

[root@dockerhub250 harbor]# sh install.sh

[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/prepare:v2.0.2
Loaded image: goharbor/harbor-jobservice:v2.0.2
Loaded image: goharbor/harbor-registryctl:v2.0.2
Loaded image: goharbor/registry-photon:v2.0.2
Loaded image: goharbor/harbor-core:v2.0.2
Loaded image: goharbor/notary-signer-photon:v2.0.2
Loaded image: goharbor/clair-photon:v2.0.2
Loaded image: goharbor/trivy-adapter-photon:v2.0.2
Loaded image: goharbor/harbor-log:v2.0.2
Loaded image: goharbor/nginx-photon:v2.0.2
Loaded image: goharbor/clair-adapter-photon:v2.0.2
Loaded image: goharbor/chartmuseum-photon:v2.0.2
Loaded image: goharbor/harbor-portal:v2.0.2
Loaded image: goharbor/harbor-db:v2.0.2
Loaded image: goharbor/redis-photon:v2.0.2
Loaded image: goharbor/notary-server-photon:v2.0.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
----Harbor has been installed and started successfully.----

# Common commands

4.2 Verifying the Harbor installation

# Open https://harbor.kkcai.vip/ in a browser. The default account is admin and the password is the harbor_admin_password from harbor.yml (devops above)

4.3 Verifying that images can be pushed to Harbor

# Create the Docker trust directory for the Harbor hostname and copy the CA certificate into it; the Docker daemon then trusts certificates signed by that CA for this host only. Repeat this on every client that pushes to or pulls from Harbor

[root@dockerhub250 harbor]# mkdir -p /etc/docker/certs.d/harbor.kkcai.vip
[root@dockerhub250 harbor]# cp ca.crt /etc/docker/certs.d/harbor.kkcai.vip

# docker login harbor

[root@dockerhub250 harbor]# docker login harbor.kkcai.vip
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# Tag the image under a Harbor project (library is the public project that exists by default) and push it

[root@dockerhub250 harbor]# docker tag nginx:latest harbor.kkcai.vip/library/nginx:latest
[root@dockerhub250 harbor]# docker push harbor.kkcai.vip/library/nginx:latest
The push refers to repository [harbor.kkcai.vip/library/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362

# The image now appears under the library project in the Harbor web UI, which confirms the push

4.4 Adding a Third-party Registry Endpoint

# In the Harbor UI, add a registry endpoint for the plain registry built in section 3:
#   Provider: Docker Registry
#   Target name: test
#   Target URL: http://172.16.1.250:5000
# That registry was started without authentication, so the username and password are left empty. Bear in mind that this also means anyone on the intranet who can reach port 5000 can push or overwrite images there, so anything replicated from it into Harbor is only as trustworthy as that network.

X. Problems encountered

X.1 WARNING: bridge-nf-call-iptables is disabled

# Symptom (printed by docker info)
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
# Cause: with bridge-nf disabled, traffic between containers on the docker0 bridge is forwarded at layer 2 without passing through iptables, so Docker's (and later Kubernetes') filtering rules never see it
# Solution: add the two sysctl keys below and reload. The br_netfilter kernel module must be loaded first, otherwise sysctl reports the keys as missing
#vim /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#sysctl -p

X.2 Get http: server gave HTTP response to HTTPS client

# Symptom
[root@dockerhub250 ~]# docker push 172.16.1.250:5000/nginx:latest
The push refers to repository [172.16.1.250:5000/nginx]
Get https://172.16.1.250:5000/v2/: http: server gave HTTP response to HTTPS client
# Cause: the registry from section 3 serves plain HTTP, but the Docker client only talks HTTPS to a registry unless told otherwise
# Fix: add "insecure-registries":["172.16.1.250:5000"] to the daemon configuration, keeping the existing keys, and restart the daemon. This has to be done on every client that pushes to or pulls from that registry. Listing a registry here makes the daemon fall back to plain HTTP and skip certificate checks for that host, so anyone who can intercept traffic on the intranet can hand the client a tampered image; keep the list to lab registries and use TLS, as with Harbor in section 4, for anything else
#vim /etc/docker/daemon.json
{"registry-mirrors": ["https://registry.cn-hangzhou.aliyuncs.com"], "insecure-registries": ["172.16.1.250:5000"]}
#systemctl restart docker