Building enterprise private image warehouse with harbor

Time: 2021-4-8

Background

When working with Docker, images are normally pulled from a local cache, from the Docker Hub public registry, or from other third-party public registries. In an enterprise this is often not workable, both because of security requirements and because downloads from external (firewalled) network resources are slow. So is there a way to store your own images in a registry that enforces authentication?

--> Build your own authenticated registry on Harbor in the enterprise environment.

Harbor is an open source enterprise Docker registry project from VMware. Its goal is to help users quickly set up an enterprise Docker registry service.

Installing harbor

To run Harbor you need Docker and Docker Compose. For the Docker installation steps, see the previous article: Introduction to docker container technology (1)

Install Docker Compose

The installation steps for Docker Compose are as follows:

Download the Docker Compose binary (pin a release; the release page also publishes a .sha256 file for each binary, so check the download against it before making it executable and placing it on the PATH):

$ curl -L https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose

Add executable permission

$ chmod +x /usr/local/bin/docker-compose

Verify version

$ docker-compose -v
docker-compose version 1.23.2, build 1110ad01

Get the Harbor package

Download the offline installer:

https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz

Unpack it

tar -xf harbor-offline-installer-v1.7.1.tgz -C /usr/local/

Edit the configuration file

$ cd /usr/local/harbor

$ vim harbor.cfg
# The IP or domain name under which users reach this machine over the network and in the UI; do not use 127.0.0.1
hostname = reg.for-k8s.com
# Protocol users use to reach the registry; the default is http, set it to https
ui_url_protocol = https
# Password for the database root user; change it before any production use
db_password = root123
# Initial password of the Harbor admin account; change it before any production use
harbor_admin_password = Harbor12345
# Path of the certificate file
ssl_cert = /data/cert/reg.for-k8s.com.crt
# Path of the certificate key file
ssl_cert_key = /data/cert/reg.for-k8s.com.key

#### Other configuration options can be filled in as needed

Generate the SSL certificate

Generate the root CA (the directory is the one referenced by ssl_cert in harbor.cfg; create it first):

$ cd /data/cert/
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry"

Generate a certificate signing request with the access domain name reg.for-k8s.com as the CN:

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.for-k8s.com.key -out server.csr -subj "/C=CN/L=Shanghai/O=harbor/CN=reg.for-k8s.com"

Sign the host certificate with the CA:

$ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out reg.for-k8s.com.crt

Note that this certificate identifies the host only through its CN. Newer Docker and containerd clients (built with Go 1.15 or later) ignore the CN and require the hostname in a subjectAltName, so for current clients pass an extension file with subjectAltName=DNS:reg.for-k8s.com when signing.

Run the bundled installation script

The installation steps are as follows:

$ cd /usr/local/harbor/
$ ./install.sh
......
......
......
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://reg.for-k8s.com.
For more details, please visit https://github.com/goharbor/harbor .

Then add a hosts entry for reg.for-k8s.com on the client machine and open the UI.

Default account / password: admin / Harbor12345 (the value of harbor_admin_password; change it on first login)

OK, the private registry service is up. How do we use it?

First, create a project on Harbor, here named myproject (I am not using the default library project).

I make it a private project, so pull and push require a docker login on the host.

1. When building a new image from a Dockerfile, specify the registry and tag directly, for example:

$ docker build -t reg.for-k8s.com/myproject/mydocker-image:v1.0.1 .
Sending build context to Docker daemon  97.21MB
Step 1/12 : FROM 1and1internet/ubuntu-16
 ---> dbf985f1f449
Step 2/12 : MAINTAINER guomaoqiu <[email protected]>
 ---> Using cache
 ---> 598894333db9
......
......
Successfully built b190966f3773
Successfully tagged reg.for-k8s.com/myproject/mydocker-image:v1.0.1

$ docker images | grep myproject
reg.for-k8s.com/myproject/mydocker-image   v1.0.1   b190966f3773   44 seconds ago   482MB

2. To upload an image obtained elsewhere into the private registry, for example the official nginx image, retag it under the registry and project name:

$ docker tag nginx reg.for-k8s.com/myproject/mynginx:latest
$ docker images | grep myproject
reg.for-k8s.com/myproject/mydocker-image   v1.0.1   b190966f3773   2 minutes ago   482MB
reg.for-k8s.com/myproject/mynginx          latest   568c4670fa80   5 weeks ago     109MB

3. Log in to the registry (passing the password with -p leaves it in the shell history and process list; in scripts prefer --password-stdin):

$ docker login -u admin -p Harbor12345 reg.for-k8s.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

4. Finally, push the local image to the registry.
The first attempt reported an error:

$ docker push reg.for-k8s.com/myproject/mynginx:latest
Error response from daemon: Get https://reg.for-k8s.com/v2/: x509: certificate signed by unknown authority

The error means the Docker client does not trust the CA that signed the registry certificate. The clean fix is to install the CA certificate on every client that pushes or pulls, at /etc/docker/certs.d/reg.for-k8s.com/ca.crt; Docker picks it up there without a daemon restart. The shortcut used here was to add --insecure-registry reg.for-k8s.com (or the equivalent insecure-registries entry in /etc/docker/daemon.json) to the Docker daemon options and reload the service. Be aware that this turns off certificate verification for that host and lets the client fall back to plain HTTP, which gives up what the HTTPS setup was for; keep it to lab machines. Because the domain name here is user-defined, every machine that pushes or pulls also needs a hosts entry for reg.for-k8s.com; without it the name does not resolve and push/pull fails regardless of the TLS settings.
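As an added example (not code from the original post or from the Harbor project), the script below ties the certificate section and this error together: it issues the CA and the registry certificate the way the openssl commands above do, but with a subjectAltName extension so current Docker and containerd clients accept it, and then trusts the CA on a client by placing it under /etc/docker/certs.d/<hostname>/ instead of using --insecure-registry. It assumes openssl is installed; the hostname reg.for-k8s.com, the subject fields and the directories are the placeholders from this post, and the ROOT argument exists only so the install step can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example: CA + SAN-bearing registry certificate, and client trust via
# /etc/docker/certs.d. Assumes openssl; hostname and paths are placeholders.
set -eu

# gen_registry_certs DIR HOST
# Writes ca.key/ca.crt and HOST.key/HOST.crt into DIR. The CA is self-signed
# with explicit CA extensions; the server cert gets a subjectAltName, which
# is what Go 1.15+ Docker/containerd clients match the hostname against.
gen_registry_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/C=CN/L=Shanghai/O=harbor/CN=harbor-registry" 2>/dev/null
  cat > "$dir/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -days 3650 -sha256 -in "$dir/ca.csr" \
    -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=CN/L=Shanghai/O=harbor/CN=$host" 2>/dev/null
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -days 365 -sha256 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/v3.ext" -out "$dir/$host.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# check_registry_cert DIR HOST
# Succeeds only if HOST.crt chains to ca.crt AND lists HOST as a DNS SAN;
# a cert that verifies but lacks the SAN still fails with newer clients.
check_registry_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# install_client_ca DIR HOST ROOT
# Docker reads ROOT/etc/docker/certs.d/HOST/ca.crt for a private CA without
# a daemon restart. ROOT is "/" on a real client; a scratch dir in the test.
install_client_ca() {
  dir=$1; host=$2; root=$3
  mkdir -p "$root/etc/docker/certs.d/$host"
  cp "$dir/ca.crt" "$root/etc/docker/certs.d/$host/ca.crt"
}

# client_trusts_registry ROOT HOST -> 0 if the CA file is in place
client_trusts_registry() {
  root=$1; host=$2
  [ -s "$root/etc/docker/certs.d/$host/ca.crt" ]
}
```

Run gen_registry_certs /data/cert reg.for-k8s.com on the Harbor host and check_registry_cert before starting Harbor, then install_client_ca /data/cert reg.for-k8s.com / on each Docker client. Every Kubernetes node's container runtime needs the same trust before the pull test later in this post can succeed.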

5. Push again:

$ docker push reg.for-k8s.com/myproject/mynginx:latest
The push refers to repository [reg.for-k8s.com/myproject/mynginx]
b7efe781401d: Pushed
c9c2a3696080: Pushed
7b4e562e58dc: Pushed
latest: digest: sha256:e2847e35d4e0e2d459a7696538cbfea42ea2d3b8a1ee8329ba7e68694950afd3 size: 948

$ docker push reg.for-k8s.com/myproject/mydocker-image:v1.0.1
The push refers to repository [reg.for-k8s.com/myproject/mydocker-image]
96dca48ee72c: Pushed
fa879b69764c: Pushed
4d823b00e6b7: Pushed
6bf6e96da4a0: Pushed
eedda540c6a8: Pushed
f2a971e53afa: Pushed
3ee1a3b3fd18: Pushed
8a225cfa6dea: Pushed
428c1ba11354: Pushed
b097f5edab7b: Pushed
27712caf4371: Pushed
8241afc74c6f: Pushed
v1.0.1: digest: sha256:a20629f62d73cff93bf73b31958878a1d76c2dd42e36ebb2cb6d0ac294a46da7 size: 2826


Both pushes above succeeded.

Test a pull

To test that a pull works end to end, I run a DaemonSet through Kubernetes using the mynginx image with imagePullPolicy set to Always, plus a Service reachable through a ClusterIP inside the cluster. The YAML is as follows:

$ cat > test.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mynginx-service
  name: mynginx-service
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: mynginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    run: mynginx
  name: mynginx
spec:
  selector:
    matchLabels:
      run: mynginx
  template:
    metadata:
      labels:
        run: mynginx
    spec:
      containers:
      - image: reg.for-k8s.com/myproject/mynginx:latest
        imagePullPolicy: Always
        name: mynginx
EOF

$ kubectl apply -f test.yaml
service/mynginx-service created
daemonset.apps/mynginx created

Because the project was created as private, only authenticated users can pull from it. The docker login on the host where I pushed does not give the kubelets on the cluster nodes any credentials, so the pods created above cannot pull the image. Setting the project to public would remove this step, since anyone who can reach the registry could then pull without logging in, but I do not want the project to be public, so the cluster needs a pull secret:

Create a docker-registry Secret holding the Harbor credentials (the admin account is used here for simplicity; since this secret ends up on every node, a dedicated pull-only user or, in Harbor 1.7 and later, a project robot account is the better choice):

$ kubectl create secret docker-registry registry-secret --namespace=default \
    --docker-server=https://reg.for-k8s.com --docker-username=admin \
    --docker-password=Harbor12345

When deploying, reference the secret with imagePullSecrets in the pod template. The YAML above with that field added:

$ cat > test.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mynginx-service
  name: mynginx-service
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: mynginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    run: mynginx
  name: mynginx
spec:
  selector:
    matchLabels:
      run: mynginx
  template:
    metadata:
      labels:
        run: mynginx
    spec:
      containers:
      - image: reg.for-k8s.com/myproject/mynginx:latest
        imagePullPolicy: Always
        name: mynginx
      imagePullSecrets:
      - name: registry-secret
EOF

$ kubectl apply -f test.yaml
service/mynginx-service created
daemonset.apps/mynginx created
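As an added example (not from the original post), the script below produces the same kubernetes.io/dockerconfigjson Secret that the kubectl create secret docker-registry command above generates, without needing a cluster, so the structure of a pull secret is visible: a base64-encoded Docker config.json whose auths map the registry host to base64("user:password"). The secret name, namespace, registry host and credentials are the placeholders from this post; a real secret should carry a pull-only robot account's token rather than the admin password.

```shell
#!/bin/sh
# Added example: build a kubernetes.io/dockerconfigjson pull secret offline.
# Assumes POSIX sh, base64 and sed; placeholder values come from the post.
# Usernames/passwords containing quotes or backslashes would need JSON
# escaping, which this minimal builder does not do.
set -eu

# registry_auth USER PASS -> base64("USER:PASS"), the "auth" value Docker stores
registry_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# dockerconfigjson SERVER USER PASS -> the config.json document for SERVER
dockerconfigjson() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$(registry_auth "$2" "$3")"
}

# pull_secret_manifest NAME NAMESPACE SERVER USER PASS -> Secret YAML on stdout.
# data/.dockerconfigjson is only base64: anyone who can read the Secret
# can recover the password, so scope the account to pull permission only.
pull_secret_manifest() {
  name=$1; ns=$2; server=$3; user=$4; pass=$5
  data=$(dockerconfigjson "$server" "$user" "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# secret_covers_registry MANIFEST SERVER -> 0 if the decoded config.json
# has an auths entry for SERVER (the key kubelet matches against the
# registry host in the image reference)
secret_covers_registry() {
  manifest=$1; server=$2
  printf '%s\n' "$manifest" \
    | sed -n 's/^  \.dockerconfigjson: //p' \
    | base64 --decode \
    | grep -qF "\"$server\":{"
}
```

pull_secret_manifest registry-secret default reg.for-k8s.com admin Harbor12345 | kubectl apply -f - yields the same object as the kubectl create secret command above. The auths key must match the registry host used in the image reference; kubelet also accepts it with the https:// prefix, which is why the --docker-server value above works.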


That is the whole process of building an enterprise private image registry with Harbor.

Corrections and questions are welcome in the comments. If this helped you, please like and share it.

Welcome to the official account of the brother of migrant workers:The way of migrant workers’ Technology
