Harbor - 企业级 Docker 私有仓库 一、安装底层需求 一、安装底层需求 Python应该是 应该是2.7或更高版本 或更高版本 Docker引擎应为 引擎应为1.10或更高版本 或更高版本 Docker Compose需要为 需要为1.6.0或更高版本 或更高版本 docker-compose： ：curl -L https://github.com/docker/compose/releases/download/1 com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose 二、 二、Harbor 安装： 安装：Harbor 官方地址： 官方地址：https://github.com/vmware/harbor/releases 1、解压软件包： 、解压软件包：tar xvf 、上传镜像进行上传测试 a、指定镜像仓库地址 、指定镜像仓库地址 vim /etc/docker/daemon.json { "insecure-registries": ["serverip"] } b、下载测试镜像 、下载测试镜像 docker pull hello-world c、给镜像重新打标签 、给镜像重新打标签 docker tag hello-world

基于Harbor的高可用企业级私有容器 镜像仓库部署实践 Tony Bai @Neusoft Cloud Technology About Me • 白明 (Tony Bai) • @Neusoft Cloud Technology • Gopher • Translator & Author • GopherChina lecturer • Blogger • mainly mainly focus on docker & kubernetes recently 五年前 Now Linux container(LXC) by Google at 2008 namespaces Cgroups + Developer eXperience(DX) + Union File System Docker by dotCloud at at 2013 After 4 years docker run ubuntu “echo hello” Solaris container by Sun at 2005 build, ship and run any app and anywhere What is Docker Docker bring us 1. 交付标准化 2. 执行高效化 3

4 4.1 Docker-ce 安装 ............................................................................................................................................................. 4 4.2 Docker-compose Harbor 是构建企业级私有 docker 镜像的仓库的开源解决方案，是 Docker Registry 的更 高级封装。除了提供友好的 Web UI 界面，角色和用户权限管理，用户操作审计等功能 外，还整合了 K8s 的插件(Add-ons)仓库，即 Helm 通过 chart 方式下载，管理，安装 K8s 插件，而 chartmuseum 可以提供存储 chart 数据的仓库。 Harbor 环境搭建指导书 C1100088654/3e971c8d 本文档安装过程选择的环境为 “Server with GUI”，并附加了 “Development Tools”。 Docker-ce 19.03.8 见 4.1 章节 支持版本最低为 17.06.0-ce Docker- compose 1.18.0 见 4.2 章节 支持版本最低为 1.18.0 Harbor 环境搭建指导书 – CentOS 7

Runtime Package Cluster 开场 1 镜像运维 2 开源企业级镜像仓库-Harbor 3 集成Harbor 4 总结 议程 4 Registry 镜像 Images Push Pull • 镜像存储仓库 • 分发镜像的媒介 • 访问控制和镜像管理较佳节点 Registry – 镜像管理的重要部件 多实例 registry 共享存储 – 多实例 registry 不共享存储 1 镜像运维 2 开源企业级镜像仓库-Harbor 3 集成Harbor 4 总结 议程 Harbor开源项目 11 • 开源企业级容器镜像仓库 • 由 VMware 中国团队设计和开发 • 集成到多个企业级产品中:VIC和PKS • Apache 2 使用许可 ova的虚拟机，直接部署在 vSphere上 图形化管理界面 基于开源UI库Clarity构建 提供完备的镜像管理运维能力 增加批处理操作 为镜像库添加描述信息 Harbor 架构 17 Docker client Nginx API Harbor Browser Auth UI DB AD / LDAP Core

Downloads Stars Users 55 Contributors 700+ Forks 6 Partners 10 Harbor Architecture 11 Docker client Nginx API Harbor Browser Auth UI DB AD / LDAP Core Service Log Collector ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... docker pull ... docker pull/push ... Other security considerations • Enable content trust by installing Master-Slave Replication 27 ����.��� ����.����.� Docker Client ���� Docker host Docker host ���� Docker host Docker host Docker host Docker host • �������������� • �������.���������

No Do you recommend Harbor to others? (%) Survey based on Chinese user community, 53 responses Docker Container Lifecycle: Build-Ship-Run Build-Ship-Run through Registry Cloud • Registry is a key and easy deployment 14 Project Harbor - Microservices Architecture Basic Registry (Docker Distribution) Docker Client Revers e Proxy (Nginx) API Harbor Browser Auth UI DB (MySQL) AD / LDAP • Load balancing 17 Master – Slave Docker Client push Docker host Docker host pull Docker host Docker host Docker host Docker host Docker host Image Replication Use Case(2)

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control ����LDAP/AD�� ���� �� Members �� Images ���Guest�: ����Developer�: ����Admin�: docker pull ... docker pull/push ... �� operation & management Settings ���� ���� • ���������� ������ �������� • ���������� ��Digest� Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest ����� ����� Verify signature status

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control ����LDAP/AD�� ���� �� Members �� Images ���Guest�: ����Developer�: ����Admin�: docker pull ... docker pull/push ... �� operation & management Settings ���� ���� • ���������� ������ �������� • ���������� ��Digest� Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest ����� ����� Verify signature status

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes 14 Publicly Referenceable Customers Agenda 1 Containers 101 2 Introduction to Harbor 21 Role-Based Access Control (RBAC) 22 Members Images Guest: Developer: Admin: docker pull ... docker pull/push Project operation & management Settings Other security considerations • trust for image provenance 24 Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest Image Creator Image Consumer Verify

Using a Harbor registry, you can host container images in a local, private Docker registry. Harbor is an extension of the basic Docker registry that implements access controls, identity management, and a graphical of the VMs in the cluster and login to the Harbor registry with the admin password from Step 4. docker login -u admin -p ***** https://:443 Using Harbor Chartmuseum in Tenant Clusters