Harbor - 企业级 Docker 私有仓库 一、安装底层需求 一、安装底层需求 Python应该是 应该是2.7或更高版本 或更高版本 Docker引擎应为 引擎应为1.10或更高版本 或更高版本 Docker Compose需要为 需要为1.6.0或更高版本 或更高版本 docker-compose： ：curl -L https://github.com/docker/compose/releases/download/1 com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose 二、 二、Harbor 安装： 安装：Harbor 官方地址： 官方地址：https://github.com/vmware/harbor/releases 1、解压软件包： 、解压软件包：tar xvf a、指定镜像仓库地址 、指定镜像仓库地址 vim /etc/docker/daemon.json { "insecure-registries": ["serverip"] } b、下载测试镜像 、下载测试镜像 docker pull hello-world c、给镜像重新打标签 、给镜像重新打标签 docker tag hello-world serverip/hello-world:latest

Downloads Stars Users 55 Contributors 700+ Forks 6 Partners 10 Harbor Architecture 11 Docker client Nginx API Harbor Browser Auth UI DB AD / LDAP Core Service Log Collector ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... docker pull ... docker pull/push ... Other security considerations • Enable content trust by installing Master-Slave Replication 27 ����.��� ����.����.� Docker Client ���� Docker host Docker host ���� Docker host Docker host Docker host Docker host • �������������� • �������.���������

4 4.1 Docker-ce 安装 ............................................................................................................................................................. 4 4.2 Docker-compose Harbor 环境搭建指导书 – CentOS 7.6 1 软件介绍 1 1 软件介绍 Harbor 是构建企业级私有 docker 镜像的仓库的开源解决方案，是 Docker Registry 的更 高级封装。除了提供友好的 Web UI 界面，角色和用户权限管理，用户操作审计等功能 外，还整合了 K8s 的插件(Add-ons)仓库，即 Helm C1100088654/3e971c8d 本文档安装过程选择的环境为 “Server with GUI”，并附加了 “Development Tools”。 Docker-ce 19.03.8 见 4.1 章节 支持版本最低为 17.06.0-ce Docker- compose 1.18.0 见 4.2 章节 支持版本最低为 1.18.0 Harbor 环境搭建指导书 – CentOS 7

mainly focus on docker & kubernetes recently 五年前 Now Linux container(LXC) by Google at 2008 namespaces Cgroups + Developer eXperience(DX) + Union File System Docker by dotCloud at at 2013 After 4 years docker run ubuntu “echo hello” Solaris container by Sun at 2005 build, ship and run any app and anywhere What is Docker Docker bring us 1. 交付标准化 2. 执行高效化 3 VS. What is Docker Registry • Docker Registry : 官方镜像 存储、管理和分发工具 • 最新实现是distribution， 实现了registry2.0协议 • 官方仓库: hub.docker.com • 国内一般采用加速器 docker push 启动一个registry docker run -d -p 5000:5000

No Do you recommend Harbor to others? (%) Survey based on Chinese user community, 53 responses Docker Container Lifecycle: Build-Ship-Run Build-Ship-Run through Registry Cloud • Registry is a key and easy deployment 14 Project Harbor - Microservices Architecture Basic Registry (Docker Distribution) Docker Client Revers e Proxy (Nginx) API Harbor Browser Auth UI DB (MySQL) AD / LDAP • Load balancing 17 Master – Slave Docker Client push Docker host Docker host pull Docker host Docker host Docker host Docker host Docker host Image Replication Use Case(2)

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control ����LDAP/AD�� ���� �� Members �� Images ���Guest�: ����Developer�: ����Admin�: docker pull ... docker pull/push ... �� operation & management Settings ���� ���� • ���������� ������ �������� • ���������� ��Digest� Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest ����� ����� Verify signature status

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control ����LDAP/AD�� ���� �� Members �� Images ���Guest�: ����Developer�: ����Admin�: docker pull ... docker pull/push ... �� operation & management Settings ���� ���� • ���������� ������ �������� • ���������� ��Digest� Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest ����� ����� Verify signature status

ova的虚拟机，直接部署在 vSphere上 图形化管理界面 基于开源UI库Clarity构建 提供完备的镜像管理运维能力 增加批处理操作 为镜像库添加描述信息 Harbor 架构 17 Docker client Nginx API Harbor Browser Auth UI DB AD / LDAP Core ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... docker pull ... docker pull/push ... 内容信任 Registry Notary 3. Verify signature status, fetch digest registry来实现 复制技术在镜像分发中应用 25 Master – Slave 模式 Docker Client push Docker host Docker host pull Docker host Docker host Docker host Docker host 1 镜像运维 2 开源企业级镜像仓库-Harbor 3 集成Harbor

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes 14 Publicly Referenceable Customers Agenda 1 Containers 101 2 Introduction to Harbor 21 Role-Based Access Control (RBAC) 22 Members Images Guest: Developer: Admin: docker pull ... docker pull/push Project operation & management Settings Other security considerations • trust for image provenance 24 Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest Image Creator Image Consumer Verify

Using a Harbor registry, you can host container images in a local, private Docker registry. Harbor is an extension of the basic Docker registry that implements access controls, identity management, and a graphical of the VMs in the cluster and login to the Harbor registry with the admin password from Step 4. docker login -u admin -p ***** https://:443 Using Harbor Chartmuseum in Tenant Clusters