Kubernetes series: configuring a highly available enterprise image registry with Harbor

Keywords: Linux Docker CentOS yum

1, About Harbor

1. Introduction to Harbor

Harbor is an enterprise-level Registry server for storing and distributing Docker images. It extends the open source Docker Distribution by adding some necessary enterprise features, such as security, identity and management. As an enterprise private Registry server, Harbor provides better performance and security, and improves the efficiency of transferring images between build and runtime environments. Harbor supports replicating images between multiple Registry nodes, and all images are kept in the private Registry, so that data and intellectual property stay under control inside the company's internal network. In addition, Harbor provides advanced security features such as user management, access control and activity auditing.

2. Harbor features

  • Role-based access control: users and Docker image repositories are organized and managed through "projects". A user can have different permissions on multiple image repositories in the same namespace (project).
  • Image replication: images can be replicated (synchronized) between multiple Registry instances. This is especially suitable for load balancing, high availability, hybrid cloud and multi-cloud scenarios.
  • Graphical user interface: users can use a browser to browse and search the current Docker image repositories and to manage projects and namespaces.
  • AD/LDAP support: Harbor can integrate with the enterprise's existing AD/LDAP for authentication management.
  • Audit management: all operations against the image repositories are recorded and can be traced for auditing.
  • Internationalization: localized versions are available in English, Chinese, German, Japanese and Russian. More languages will be added.
  • RESTful API: the RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
  • Simple deployment: online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA mode).

3. Harbor components

Architecturally, Harbor is mainly composed of six components:

  • Proxy: Harbor's registry, UI, token and other services sit behind a front-end reverse proxy, which receives requests from browsers and Docker clients and forwards them to the different back-end services.

  • Registry: stores Docker images and handles docker push/pull commands. Because access must be controlled per user (different users have different read and write permissions on Docker images), the registry points to a token service and forces every docker pull/push request to carry a valid token, which the registry decrypts and verifies with the public key.

  • Core services: the core functionality of Harbor, which mainly provides the following services:

      • UI: provides a graphical interface that helps users manage images on the registry and authorize users.

      • Webhook: to learn about image status changes on the Registry in time, a webhook is configured on the Registry and passes the status changes to the UI module.

      • Token service: issues a token for each docker push/pull command according to the user's permissions. A request from the Docker client to the Registry service that does not include a token is redirected here; after obtaining the token, the client sends the request to the Registry again.

  • Database: provides database services for the core services and stores data such as user permissions, audit logs and Docker image grouping information.

  • Job services: provide the remote image replication function, which can synchronize local images to other Harbor instances.

  • Log collector: collects the logs of the other components for later analysis, to help monitor Harbor's operation.
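The token hand-off between the Registry and the token service described above can be seen in the HTTP headers: the "redirect" takes the form of a 401 response carrying a Bearer challenge that names the token service. The following is an added example, not code from the original page or from the Harbor project; the sample response is constructed, its realm, service and scope values are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_401 is a constructed response to an anonymous push;
# its realm, service and scope values are assumptions, not captured output.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://hub.huoban.com/service/token",service="harbor-registry",scope="repository:open/centos:pull,push"
Content-Type: application/json; charset=utf-8'

# Print one parameter (realm, service or scope) of the Bearer challenge.
# $1 = raw response headers, $2 = parameter name
challenge_param() {
    printf '%s\n' "$1" | tr -d '\r' |
        grep -i '^www-authenticate: *bearer ' |
        sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the URL the client requests from the token service before it
# retries the push or pull. $1 = raw response headers
token_url() {
    t_realm=$(challenge_param "$1" realm)
    [ -n "$t_realm" ] || return 1
    printf '%s?service=%s&scope=%s\n' "$t_realm" \
        "$(challenge_param "$1" service)" "$(challenge_param "$1" scope)"
}

# The client sends its credentials to whatever host the realm names, so
# accept the challenge only if the realm is HTTPS on the expected host.
# $1 = raw response headers, $2 = expected host
realm_is_trusted() {
    case "$(challenge_param "$1" realm)" in
        "https://$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

if realm_is_trusted "$SAMPLE_401" hub.huoban.com; then
    token_url "$SAMPLE_401"
fi
```

The scope parameter is what the token service checks against the user's project permissions before it signs a token.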

The relationship between the components is shown in the following figure:

2, Installing and configuring Harbor

1. Environment preparation

CentOS Linux release 7.3.1611 (Core)
docker-ce-18.06.1
docker-compose version 1.21.2, build a133471
harbor-v1.8.0

2. Install docker

# Use the Alibaba Cloud mirror repository
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
# Install docker
yum install -y docker-ce-18.06.1.ce-3   # The package may not be found
yum -y install https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/docker-ce-18.06.3.ce-3.el7.x86_64.rpm

# Set docker startup parameters (optional)
#  graph: set the docker data directory; choose a larger partition (I don't need to configure this because I use the root partition; the default is /var/lib/docker)
#  exec-opts: set the cgroup driver (cgroupfs by default, systemd is not recommended)
#  insecure-registries: set the private registry

cat > /etc/docker/daemon.json <<EOF
{
    "graph": "/data/docker",
    "exec-opts": ["native.cgroupdriver=cgroupfs"],
    "insecure-registries": ["http://192.168.101.11"]
}
EOF

# Start the docker service and enable it at boot
systemctl start docker && systemctl enable docker

3. Install docker compose

curl -L https://mirrors.aliyun.com/docker-toolbox/linux/compose/1.21.2/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# docker-compose --version
docker-compose version 1.21.2, build a133471

4. Installing harbor

1, Download the installation package
# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.1.tgz

2, Extract and modify the configuration file
# tar xf harbor-offline-installer-v1.8.1.tgz -C /usr/local
# cd /usr/local/harbor

On node1
# vim harbor.yml
hostname: 192.168.101.11

On node2
# vim harbor.yml
hostname: 192.168.101.12

3, Execute the installation script
# ./install.sh

✔ ----Harbor has been installed and started successfully.----   # This line means the installation succeeded

Now you should be able to visit the admin portal at http://192.168.101.12.
For more details, please visit https://github.com/goharbor/harbor .

4, Starting and stopping
# docker-compose up -d  # Start
# docker-compose down  # Stop

5. Access test

3, Test upload and set up synchronization

1, Pull an image and push it
# docker pull centos:7.6.1810
# docker tag centos:7.6.1810 192.168.101.11/open/centos:7.6.1810
# docker push 192.168.101.11/open/centos:7.6.1810
The push refers to repository [192.168.101.11/open/centos]
89169d87dbe2: Pushed
7.6.1810: digest: sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb size: 529

2. Page access test


3. Set target host

4. Set synchronization rules

5. Check whether peer synchronization is complete

6. Repeat this step on another server
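One way to check from the command line that replication has finished is to compare the manifest digest that each node reports for the same tag. The following is an added example, not code from the original page or from the Harbor project; the function names and the token argument are hypothetical, the header dumps are constructed, and the all-zero digest is a placeholder for a node that has not synced yet.

```shell
#!/bin/sh
# Added example. Constructed sample headers for
# HEAD /v2/open/centos/manifests/7.6.1810; NODE1 carries the digest printed
# by the push above, NODE2_STALE a made-up all-zero digest.
NODE1_HEADERS='HTTP/1.1 200 OK
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb'
NODE2_STALE='HTTP/1.1 200 OK
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:0000000000000000000000000000000000000000000000000000000000000000'

# HEAD the manifest on one node (needs network, so it is not called below).
# The Accept header matters: without it the registry may answer with a
# schema1 manifest whose digest differs from the one docker push printed.
# $1 = node address, $2 = repository, $3 = tag, $4 = bearer token
fetch_headers() {
    curl -sI -H "Authorization: Bearer $4" \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "http://$1/v2/$2/manifests/$3"
}

# Print the manifest digest from raw headers; fail if missing or malformed.
manifest_digest() {
    d=$(printf '%s\n' "$1" | tr -d '\r' |
        grep -i '^docker-content-digest:' | head -n 1 | sed 's/^[^:]*: *//')
    printf '%s\n' "$d" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    printf '%s\n' "$d"
}

# Return 0 when both nodes report the same digest, 1 when the digests
# differ, 2 when either node returned no usable digest (e.g. a 404).
in_sync() {
    a=$(manifest_digest "$1") || return 2
    b=$(manifest_digest "$2") || return 2
    [ "$a" = "$b" ]
}

if in_sync "$NODE1_HEADERS" "$NODE2_STALE"; then
    echo "open/centos:7.6.1810 is in sync"
else
    echo "open/centos:7.6.1810 is NOT in sync"
fi
```

Comparing digests rather than tag names also catches the case where a tag exists on both nodes but points at different content.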

4, Verify and test high availability

1, Install nginx
# yum -y install nginx

2, Configure load balancing
# cat hub.huoban.com.conf
upstream huoban_hub {
     server 192.168.101.11:80 max_fails=3 fail_timeout=10s;
     server 192.168.101.12:80 max_fails=3 fail_timeout=10s;
     ip_hash;
}

server {
    listen 80;
    server_name hub.huoban.com;
    rewrite ^(.*)$  https://hub.huoban.com$1 permanent;
}

server {
    listen 443 ssl;
    server_name hub.huoban.com;
    # ssl_certificate and ssl_certificate_key are not shown on this page; they must be set here or in an enclosing block
    server_tokens off;
    #proxy_set_header           Host $host;   # Do not set this header; adding it causes an error
    proxy_set_header           X-Real-IP $remote_addr;
    proxy_set_header           X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass      http://huoban_hub;
    }
    access_log /data/logs/nginx/${host}_access.log combined;
}

3. Test access

4. Push and pull image test

# docker tag centos:7.6.1810 hub.huoban.com/open/centos:7.6.18101
# docker push hub.huoban.com/open/centos:7.6.18101
The push refers to repository [hub.huoban.com/open/centos]
89169d87dbe2: Preparing
denied: requested access to the resource is denied
# docker login hub.huoban.com
Username: admin
Password:
Login Succeeded
# docker push hub.huoban.com/open/centos:7.6.18101
The push refers to repository [hub.huoban.com/open/centos]
89169d87dbe2: Layer already exists
7.6.18101: digest: sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb size: 529
# docker pull hub.huoban.com/open/centos:7.6.18101
Trying to pull repository hub.huoban.com/open/centos ...
7.6.18101: Pulling from hub.huoban.com/open/centos
ac9208207ada: Pull complete
Digest: sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb
Status: Downloaded newer image for hub.huoban.com/open/centos:7.6.18101

Posted by abhi_10_20 on Thu, 27 Feb 2020 22:15:33 -0800