Harbor 2.9.1 Installation
2023-11-17 16:45:54
sanger
[TOC]

# Harbor Introduction

Harbor is a cloud-native artifact registry open-sourced by VMware. Its core function is to store and manage Artifacts. Harbor lets users push and pull container images and other Artifacts with command-line tools, and provides a graphical management interface for viewing and managing those Artifacts. Since Harbor 2.0, in addition to container images, Harbor has broader support for OCI-compliant Helm Charts, CNAB, OPA Bundles and more.

The Harbor 2.0 architecture diagram (an image in the original post, not reproduced here) can be divided, from top to bottom, into a proxy layer, a function layer and a data layer.

- Proxy layer: essentially an Nginx reverse proxy that receives requests from different kinds of clients (browsers, user scripts, Docker, etc.) and forwards them to the appropriate backend service according to the request type and URI.
- Function layer:
  - Portal: an Angular-based front-end application that provides Harbor's user interface.
  - Core: the core component of Harbor, encapsulating most of Harbor's business logic.
  - JobService: the asynchronous task component, responsible for many time-consuming functions in Harbor such as Artifact replication, scanning and garbage collection.
  - Docker Distribution: Harbor uses Distribution to read, write and store Artifacts.
  - RegistryCtl: the control component for Docker Distribution.
  - Scanner Trivy (optional): the vulnerability scanning tool for images.
  - Notary (`deprecated in 2.9.1`): image signature management based on TUF.
  - ChartMuseum (`deprecated in 2.9.1`): provides an API for managing Helm Charts that do not follow the OCI specification. As OCI-compliant Helm Charts have become more widely accepted in the community, Helm Charts can be stored and managed in Harbor as Artifacts without depending on ChartMuseum, so Harbor may remove ChartMuseum support in a later version.
- Data layer:
  - Redis: mainly used as a cache for short-lived data; it also provides queue-like functionality for JobService.
  - PostgreSQL: stores Harbor's application data, such as project information, user-to-project relationships, management policies, configuration and Artifact metadata.
  - Artifact storage: stores the content of the Artifacts themselves, i.e. the place where the data finally lands each time an image, Helm Chart or other Artifact is pushed. By default Harbor writes Artifacts to the local filesystem. Users can change the configuration to keep Artifacts in external storage, such as Amazon S3, Google Cloud Storage (GCS) or Alibaba Cloud OSS.

# Overview

Environment: CentOS 7.x (actually Alibaba Cloud Linux (Aliyun Linux) 2.1903 LTS (Hunting Beagle))

Single node, not clustered. A clustered deployment requires splitting out the shared components (database, cache and storage) so that multiple Harbor instances share them.

Deployment method: Docker Compose

# Preparation

Docker must be installed first; with recent Docker versions, installing via yum also installs Docker Compose automatically. Reference: https://docs.zh3.fun/blog/post/sanger/DockerInstall.sh

Choose the latest offline package on this page and download it: https://github.com/goharbor/harbor/releases

Download and extract:

```
wget https://github.com/goharbor/harbor/releases/download/v2.9.1/harbor-offline-installer-v2.9.1.tgz
tar xf harbor-offline-installer-v2.9.1.tgz
```

# harbor.yml configuration

```
# This must be changed; use either a domain name or an IP
hostname: reg.xxx.com

http:
  port: 80

# Enable https
https:
  port: 443
  certificate: /opt/apps/harbor/harbor/certs/tls.pem
  private_key: /opt/apps/harbor/harbor/certs/tls.key

# admin password; it can be changed later in the UI
harbor_admin_password: Harbor12345

database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
  conn_max_lifetime: 5m
  conn_max_idle_time: 0

# data_volume defaults to /data; I changed it
data_volume: /data/harbor

# This storage_service block is for Alibaba Cloud OSS. If it is left unconfigured, pushed images are stored locally.
# The corresponding bucket, RAM account and permissions have to be set up.
storage_service:
  ca_bundle:
  oss:
    accesskeyid: LTAI5xxxxxxxxxxxxxxzGo6WM
    accesskeysecret: EVomxxxxxxxxxxxxxxxxxxx5zVs9F
    region: oss-cn-shenzhen
    endpoint: xxx-registry.oss-cn-shenzhen-internal.aliyuncs.com
    bucket: xxx-registry
    rootdirectory: registry
    secure: false
  redirect:
    disable: false

trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false

jobservice:
  max_job_workers: 10
  job_loggers:
    - STD_OUTPUT
    - FILE
  logger_sweeper_duration: 1 #days

notification:
  webhook_job_max_retry: 3
  webhook_job_http_client_timeout: 3 #seconds

log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor

_version: 2.9.0

proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false

cache:
  enabled: false
  expire_hours: 24
```

# Installation

```
# Check the configuration file
./prepare

# Installer help
./install.sh -h
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-trivy if needs enable Trivy in Harbor.
Please do NOT set --with-chartmuseum, as chartmusuem has been deprecated and removed.
Please do NOT set --with-notary, as notary has been deprecated and removed.

# Install with --with-trivy, as the help text suggests
./install.sh --with-trivy

[Step 0]: checking if docker is installed ...

Note: docker version: 24.0.7

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.21.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-jobservice:v2.9.1
Loaded image: goharbor/harbor-registryctl:v2.9.1
Loaded image: goharbor/harbor-core:v2.9.1
Loaded image: goharbor/harbor-log:v2.9.1
Loaded image: goharbor/harbor-db:v2.9.1
Loaded image: goharbor/harbor-exporter:v2.9.1
Loaded image: goharbor/redis-photon:v2.9.1
Loaded image: goharbor/nginx-photon:v2.9.1
Loaded image: goharbor/registry-photon:v2.9.1
Loaded image: goharbor/trivy-adapter-photon:v2.9.1
Loaded image: goharbor/prepare:v2.9.1
Loaded image: goharbor/harbor-portal:v2.9.1

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/apps/harbor/harbor
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/portal/nginx.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Note: stopping existing Harbor instance ...

[Step 5]: starting Harbor ...
[+] Running 11/11
 ✔ Network harbor_harbor          Created
 ✔ Container harbor-log           Started
 ✔ Container harbor-db            Started
 ✔ Container harbor-portal        Started
 ✔ Container redis                Started
 ✔ Container registryctl          Started
 ✔ Container registry             Started
 ✔ Container trivy-adapter        Started
 ✔ Container harbor-core          Started
 ✔ Container nginx                Started
 ✔ Container harbor-jobservice    Started
✔ ----Harbor has been installed and started successfully.----
```

# Verification

Once the domain name resolves, Harbor can be accessed normally (screenshot in the original post).

Configuring LDAP (screenshot in the original post).

# Problems encountered

- Q: Pushes keep retrying, and once the retry limit is exceeded the error `received unexpected HTTP status: 500 Internal Server Error` is reported.
- A: Checking the Harbor logs showed that the cause was the permissions of the Alibaba Cloud RAM sub-account.

# References

- https://xie.infoq.cn/article/c54645b4c5f6857b66beec488
- https://www.gbase8.cn/10741
- https://blog.csdn.net/qq_35036073/article/details/110132910
- [Trivy + Harbor: simple and efficient image vulnerability scanning](https://blog.51cto.com/lidabai/5846822)
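As an added example (not code from the original post or from the Harbor project), the POSIX shell script below backs two of the steps above: before `./prepare` it checks a harbor.yml for the mistakes the installer's help text and this post point at (a placeholder or localhost hostname, the admin password left at the value shipped in the sample harbor.yml, a TLS certificate or key path that is not on disk, OSS credentials still carrying the `xxx` redaction placeholder), and after `./install.sh` it parses the JSON returned by Harbor's `GET /api/v2.0/health` endpoint to list components that are not healthy. The function names, the sample config written by `write_sample_harbor_yml` and the `SAMPLE_HEALTH` response are constructed for this example; the health parser assumes the response is a JSON object with a `components` array of `{name,status[,error]}` objects.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project.
# harbor_preflight checks harbor.yml before ./prepare; harbor_unhealthy parses
# the GET /api/v2.0/health response after install. All function names, the
# sample config and SAMPLE_HEALTH are constructed for this example.

# harbor_preflight <harbor.yml>
# Prints one line per finding and returns the number of findings (0 = clean).
harbor_preflight() {
    cfg="$1"
    findings=0
    # install.sh refuses localhost/127.0.0.1; "xxx" is the placeholder style used in the post
    host=$(sed -n 's/^hostname:[[:space:]]*//p' "$cfg" | head -n 1)
    case "$host" in
        ""|localhost|127.0.0.1|*xxx*)
            echo "hostname '$host': set a domain name or IP that clients can reach"
            findings=$((findings + 1)) ;;
    esac
    # harbor_admin_password left at the value shipped in the sample harbor.yml
    if grep -q '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$' "$cfg"; then
        echo "harbor_admin_password is still the default Harbor12345"
        findings=$((findings + 1))
    fi
    # https block points at a certificate or key that is not on disk
    cert=$(sed -n 's/^[[:space:]]*certificate:[[:space:]]*//p' "$cfg" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*private_key:[[:space:]]*//p' "$cfg" | head -n 1)
    for f in "$cert" "$key"; do
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "TLS file '$f' not found or not readable"
            findings=$((findings + 1))
        fi
    done
    # OSS credentials still carry the redaction placeholder
    if grep -Eq '^[[:space:]]*accesskey(id|secret):[[:space:]]*[A-Za-z0-9]*xxx' "$cfg"; then
        echo "storage_service.oss credentials still contain the placeholder 'xxx'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# harbor_unhealthy <health-json>
# Assumes the shape {"status":..,"components":[{"name":..,"status":..,"error":..},..]}
# and prints "name=status (error)" for every component whose status is not "healthy".
harbor_unhealthy() {
    printf '%s\n' "$1" | grep -o '{[^{}]*"name":[^{}]*}' | while IFS= read -r obj; do
        name=$(printf '%s' "$obj" | sed -n 's/.*"name":"\([^"]*\)".*/\1/p')
        status=$(printf '%s' "$obj" | sed -n 's/.*"status":"\([^"]*\)".*/\1/p')
        err=$(printf '%s' "$obj" | sed -n 's/.*"error":"\([^"]*\)".*/\1/p')
        [ "$status" = "healthy" ] || printf '%s=%s%s\n' "$name" "$status" "${err:+ ($err)}"
    done
}

# harbor_verify <hostname>: the online check; run it from the directory holding docker-compose.yml.
harbor_verify() {
    docker compose ps
    body=$(curl -fsS "https://$1/api/v2.0/health") || { echo "health endpoint unreachable"; return 1; }
    bad=$(harbor_unhealthy "$body")
    if [ -n "$bad" ]; then
        echo "unhealthy components:"; echo "$bad"; return 1
    fi
    echo "all components healthy"
}

# Constructed sample inputs, so both helpers can be exercised offline.
write_sample_harbor_yml() {
    cat > "$1" <<'EOF'
hostname: reg.xxx.com
https:
  port: 443
  certificate: /opt/apps/harbor/harbor/certs/tls.pem
  private_key: /opt/apps/harbor/harbor/certs/tls.key
harbor_admin_password: Harbor12345
storage_service:
  oss:
    accesskeyid: LTAI5xxxxxxxxxxxxxxzGo6WM
    accesskeysecret: EVomxxxxxxxxxxxxxxxxxxx5zVs9F
EOF
}
SAMPLE_HEALTH='{"status":"unhealthy","components":[{"name":"core","status":"healthy"},{"name":"jobservice","status":"unhealthy","error":"connection refused"}]}'

# Usage:  sh harbor_check.sh preflight harbor.yml   |   sh harbor_check.sh verify reg.example.com
case "${1:-}" in
    preflight) harbor_preflight "$2" || echo "$? finding(s); fix them before running ./prepare" ;;
    verify)    harbor_verify "$2" ;;
esac
```

On the sample config, `harbor_preflight` reports five findings (hostname, default password, missing certificate, missing key, placeholder OSS credentials); the same script run against the post's full harbor.yml flags the same items until the real values are filled in. The health parser deliberately avoids `jq` so it works on a fresh host where only the installer's dependencies are present.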