Harbor - Enterprise Private Container Image Registry

Posted by 好风 on 2017-07-30T23:05:43.928832Z
Reference URL: https://plus.ooclab.com/note/article/1377

Harbor is a currently popular enterprise private container image registry.

An enterprise-class container registry server based on Docker Distribution http://vmware.github.io/harbor/

<img src="https://github.com/vmware/harbor/raw/master/docs/img/rbac.png" width="800">

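Installation

Using the release installer

  1. Download harbor-online-installer-v1.1.2.tgz (the version I used at the time) from the GitHub releases page
  2. Extract it; enter the directory; configure harbor.cfg; run ./install.sh

This method is relatively simple.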

docker-compose

The harbor release package itself is a single-host deployment based on docker-compose; refer to its configuration files.

k8s

Usage

Pushing images to the private registry

First, create the repository demo (set to private) in the web UI.

docker login 127.0.0.1
docker tag ubuntu:latest 127.0.0.1/demo/ubuntu:latest
docker push 127.0.0.1/demo/ubuntu:latest

Pull the image, with 127.0.0.1 hub.ooclab.com set in /etc/hosts:

docker pull hub.ooclab.com/demo/ubuntu

FAQ

unable to open token auth root certificate bundle file "/etc/registry/root.crt"

Environment: harbor-online-installer-v1.6.0.tgz

The registry container fails to start because of missing permissions. /var/log/harbor/registry.log shows the following error:

panic: unable to configure authorization (token): unable to open token auth root certificate bundle file "/etc/registry/root.crt": open /etc/registry/root.crt: permission denied

Fix:

chown 10000:10000 ./common/config/registry/root.crt

unauthorized: authentication required

The following error appears when logging in with docker login:

➜  ~ docker login hub.ooclab.com
Username: gwind
Password:
Error response from daemon: Get https://hub.ooclab.com/v2/: unauthorized: authentication required

Edit common/config/registry/config.yml and change http to https:

auth:
  token:
    issuer: harbor-token-issuer
    realm: https://hub.ooclab.com/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry

Restart and the login works.

If this error appears:

➜  ~ docker login -u gwind hub.ooclab.com
Password:
Error response from daemon: Get https://hub.ooclab.com/v2/: received unexpected HTTP status: 500 Internal Server Error

/var/log/harbor/ui.log shows the error:

Sep 28 16:14:56 172.23.0.1 ui[1321]: 2018-09-28T08:14:56Z [ERROR] [token.go:48]: Unexpected error when creating the token, error: unable to read key file /etc/ui/private_key.pem: open /etc/ui/private_key.pem: permission denied

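Fix the permissions on common/config/ui/private_key.pem.

unknown blob error when pushing an image

Setting up harbor really is a "bumpy" road. If, like me, you put harbor behind a reverse proxy or LB, you will hit this error. Edit common/config/nginx/nginx.conf, comment out every proxy_set_header X-Forwarded-Proto $scheme; line, and restart.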
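
As an added example (not part of the original post), the shell functions below check an installer directory for the conditions behind the FAQ errors above: ownership of root.crt, the https token realm, and leftover X-Forwarded-Proto lines. The function names are hypothetical, GNU stat is assumed, and the world-readable check on private_key.pem is general hardening for private keys rather than a step from the post.

```shell
#!/bin/sh
# Added example: preflight checks for the FAQ fixes above (GNU stat assumed).
# Function names are hypothetical; paths and uid 10000 come from the post.

# check_owner FILE UID: succeed if FILE exists and is owned by numeric UID.
check_owner() {
    [ -f "$1" ] || { echo "MISSING $1"; return 2; }
    owner=$(stat -c %u "$1") || return 2
    [ "$owner" = "$2" ] || { echo "OWNER $1: uid $owner, want $2"; return 1; }
}

# check_key_mode FILE: fail if the token-signing key is readable by "other".
# General hardening for private keys, not a step from the post.
check_key_mode() {
    mode=$(stat -c %a "$1") || return 2
    case "$mode" in
        *[0123]) return 0 ;;                     # no read bit for "other"
        *) echo "MODE $1: $mode is world-readable"; return 1 ;;
    esac
}

# check_realm FILE: succeed if the registry's token realm uses https.
check_realm() {
    realm=$(sed -n 's/^[[:space:]]*realm:[[:space:]]*//p' "$1" | head -n 1)
    case "$realm" in
        https://*) return 0 ;;
        *) echo "REALM $1: '$realm' is not https"; return 1 ;;
    esac
}

# count_forwarded_proto FILE: print how many uncommented
# "proxy_set_header X-Forwarded-Proto" lines remain in the nginx config.
count_forwarded_proto() {
    grep -Ec '^[[:space:]]*proxy_set_header[[:space:]]+X-Forwarded-Proto' "$1" || true
}

# preflight DIR [UID]: run every check against an installer directory and
# return the number of failed checks (0 means all passed).
preflight() {
    dir=$1 uid=${2:-10000} fails=0
    check_owner "$dir/common/config/registry/root.crt" "$uid" || fails=$((fails + 1))
    check_key_mode "$dir/common/config/ui/private_key.pem" || fails=$((fails + 1))
    check_realm "$dir/common/config/registry/config.yml" || fails=$((fails + 1))
    n=$(count_forwarded_proto "$dir/common/config/nginx/nginx.conf")
    [ "$n" = "0" ] || { echo "NGINX: $n active X-Forwarded-Proto line(s)"; fails=$((fails + 1)); }
    return "$fails"
}
```

Source the file and run `preflight .` from the directory that contains install.sh; each failed check prints one line and the return status is the number of failures.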