Building a highly available Harbor cluster

I. Installation and deployment

1. Node roles

Role           Count                     Name                 Notes
Harbor node    2                         harbor-1, harbor-2   dual-master mode
HAProxy        2                         HA-1, HA-2           the VIP is bound with keepalived
Redis          highly available cluster  redis                Harbor component; run locally or point at a remote instance
PostgreSQL     highly available cluster  postgres             Harbor component; run locally or point at a remote instance
Ceph           highly available cluster  ceph                 Harbor component

2. Offline installation

Step 1. Download the offline package, extract it to /data/harbor on both harbor-1 and harbor-2, and edit the configuration file harbor.cfg as follows:


## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.7.0

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#DO NOT comment out this line, modify the value of "hostname" directly, or the installation will fail.
#Set this to the cluster's domain name.
hostname = harbor.xxx.xxx.com

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
#Use the https protocol.
ui_url_protocol = https

#Maximum number of job workers in job service
max_job_workers = 10

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/harbor/cert/uat.cmft.com.pem
ssl_cert_key = /data/harbor/cert/uat.cmft.com.pem

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor internal components via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,core,registry

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
#Password of the Harbor admin account; changing it is recommended.
harbor_admin_password = yourpassword

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2
#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5
#Verify certificate from LDAP server
ldap_verify_cert = true
#The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com
#filter to search LDAP/AD group
ldap_group_filter = objectclass=group
#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn
#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_group_scope = 2

#Turn on or off the self-registration feature
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to create a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######
#The address of the Harbor database. Only need to change when using external db.
db_host = 100.12.13.10
#The password for the root user of Harbor DB. Change this before any production use.
db_password = yourdbpassword
#The port of Harbor database host
db_port = 7810
#The user name of Harbor database
db_user = harbordata
#To run the database locally instead, use the following settings, which point Harbor at the locally started db.
#db_host = postgresql
#db_password = yourpassword
#db_port = 5432
#db_user = postgres
##### End of Harbor DB configuration#######

##########Redis server configuration.############
#Redis connection address
redis_host = 100.101.21.3
#Redis connection port
redis_port = 4410
#Redis connection password
redis_password = 123456
#Redis connection db index
#db_index 1,2,3 is for registry, jobservice and chartmuseum.
#db_index 0 is for UI, it's unchangeable
redis_db_index = 1,2,3
########## End of Redis server configuration ############

##########Clair DB configuration############
#Clair DB host address. Only change it when using an external DB.
#Clair uses the same database server as the Harbor DB; give it a new database so the data do not collide.
clair_db_host = 100.101.12.3
#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = 123456
#Clair DB connect port
clair_db_port = 7810
#Clair DB username
clair_db_username = harbordata
#Clair default database
#Because the server is shared with the main DB, this must not be the same database that the Harbor DB uses.
clair_db = template1
#clair_db_host = postgresql
#clair_db_password = root123
#clair_db_port = 5432
#clair_db_username = postgres
#clair_db = postgres
#The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
clair_updaters_interval = 12
##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem

### Harbor Storage settings ###
#For local Ceph storage, set registry_storage_provider_name = filesystem and ignore registry_storage_provider_config.
#A Ceph bucket provisioned in the usual way comes with the parameters bucket, region, accesskey, secretkey and regionendpoint.
#Please be aware that the following storage settings will be applied to both docker registry and helm chart repository.
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
#Connect to Ceph over the S3 protocol.
registry_storage_provider_name = s3
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry.
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config = bucket: registry, region: default, accesskey: 123456, secretkey: 123456, regionendpoint: http://100.xx.xxx.xxx:7480, rootdirectory: /harbor-registry/st
#Use a domain name for the Ceph endpoint; with an IP address you may get 401 SignatureMisMatch errors.
#registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
registry_custom_ca_bundle =
#If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites existing settings.
#reload_config=false
#Regular expression to match skipped environment variables
#skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)

3. Initialisation and certificate generation

Step 1. On harbor-1, in /data/harbor, run:

./install.sh --with-notary --with-clair --with-chartmuseum   # initialise and start Harbor
watch 'docker ps -a'                                         # watch the components come up

Step 2. Copy the certificates /data/harbor/common/config/core/private_key.pem and /data/harbor/common/config/registry/root.crt to /tmp/certfile, and copy them to the same directory on harbor-2 as well.

4. Pin the generated certificates


Shut down Harbor and its components on harbor-1:

docker-compose down -v --remove-orphans

Step 1. Edit the startup script install.sh so that the images are not loaded a second time:

if [ -f harbor*.tar.gz ]
then
    h2 "[Step $item]: loading Harbor images ..."; let item+=1
    #docker load -i ./harbor*.tar.gz
fi
echo ""   # image loading disabled to avoid loading the images twice

Step 2. Edit the certificate block below (it is in Harbor's prepare script, which install.sh runs); this change is made on both harbor-1 and harbor-2:

if customize_crt == 'on' and openssl_installed():
    print("creating cert-----------------------------")
    shell_stat = subprocess.check_call(["which", "openssl"], stdout=FNULL, stderr=subprocess.STDOUT)
    empty_subj = "/"
    private_key_pem = os.path.join(config_dir, "core", "private_key.pem")
    root_crt = os.path.join(config_dir, "registry", "root.crt")
    create_root_cert(empty_subj, key_path=private_key_pem, cert_path=root_crt)
    mark_file(private_key_pem)
    mark_file(root_crt)
else:
    # Use the key and certificate copied from harbor-1 so that both nodes issue and verify the same tokens
    print("Copied configuration file: %s" % os.path.join("/tmp", "certfile", "private_key.pem"))
    shutil.copyfile(os.path.join("/tmp", "certfile", "private_key.pem"), os.path.join(core_config_dir, "private_key.pem"))
    print("Copied configuration file: %s" % os.path.join("/tmp", "certfile", "root.crt"))
    shutil.copyfile(os.path.join("/tmp", "certfile", "root.crt"), os.path.join(registry_config_dir, "root.crt"))

This turns off Harbor's automatic certificate generation and points it at the copies stored outside the installation; otherwise the two nodes end up with different keys and authentication between them fails.

Step 3. Edit install.sh and set the parameter customize_crt == off to disable self-generated certificates.
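A preflight check for the harbor.cfg from step 2 and the shared-certificate requirement from step 4, written as an added example (not code from the original post or from Harbor). It assumes the 1.7-style "key = value" format shown above; the rules are drawn from this guide's notes, and the sample config is constructed.

```python
# Added example, not code from the original post: a preflight check for the
# two-node Harbor HA layout above. It parses a 1.7-style harbor.cfg and flags
# what this guide says must be right on harbor-1 and harbor-2 before install.sh
# runs. The rules are assumptions drawn from the text; SAMPLE_CFG is constructed.
import re
from urllib.parse import urlsplit

PLACEHOLDER_SECRETS = {"123456", "yourpassword", "yourdbpassword", "abc", "secret"}
SAMPLE_CFG = """\
hostname = harbor.example.com // set the domain name here
customize_crt = on
db_host = 100.12.13.10
db_port = 7810
clair_db_host = 100.12.13.10
clair_db_port = 7810
clair_db =
redis_password = 123456
registry_storage_provider_name = s3
registry_storage_provider_config = bucket: registry, region: default, accesskey: 123456, secretkey: 123456, regionendpoint: http://100.64.0.10:7480, rootdirectory: /harbor-registry/st
"""

def parse_harbor_cfg(text):  # {key: value}; blank lines and '#' comments skipped
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def parse_storage_config(value):  # 'key: value, key2: value2' list -> dict
    pairs = {}
    for item in value.split(","):
        key, _, val = item.strip().partition(": ")
        pairs[key] = val.strip()
    return pairs

def check_ha_cfg(text):  # returns findings; [] means the config passes
    cfg = parse_harbor_cfg(text)
    storage = parse_storage_config(cfg.get("registry_storage_provider_config", ""))
    findings = []
    if cfg.get("customize_crt", "").lower() != "off":
        findings.append("customize_crt must be off: both nodes share one private_key.pem/root.crt")
    same_server = (cfg.get("clair_db_host"), cfg.get("clair_db_port")) == (cfg.get("db_host"), cfg.get("db_port"))
    if same_server and not cfg.get("clair_db"):
        findings.append("Clair shares the Harbor DB server: clair_db must name a separate database")
    endpoint_host = urlsplit(storage.get("regionendpoint", "")).hostname or ""
    if cfg.get("registry_storage_provider_name") == "s3" and re.fullmatch(r"\d+(\.\d+){3}", endpoint_host):
        findings.append("regionendpoint is an IP literal; use a hostname to avoid 401 SignatureMismatch")
    for key, value in list(cfg.items()) + list(storage.items()):
        if key.endswith(("password", "secretkey", "accesskey", "clientsecret")) and value in PLACEHOLDER_SECRETS:
            findings.append("%s still holds a placeholder secret" % key)
        if "//" in re.sub(r"\w+://", "", value):  # an inline '// note' becomes part of the value
            findings.append("%s contains a '//' note that becomes part of the value" % key)
    return findings
```

Run check_ha_cfg(open("/data/harbor/harbor.cfg").read()) on each node before install.sh; the same file should pass on both.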

5. Start Harbor

On harbor-1 and on harbor-2, run the start command:

./install.sh --with-notary --with-clair --with-chartmuseum
watch 'docker ps -a'   # watch the components come up

6. Configure HAProxy and keepalived

Install HAProxy and keepalived on HA-1 and HA-2 and edit the configuration files as follows.

HAProxy (haproxy.cfg):

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 20000
    user haproxy
    group haproxy
    daemon
    tune.bufsize 131072
    tune.ssl.default-dh-param 2048
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlog-normal
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 30m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 10000
#---------------------------------------------------------------------
# round robin balancing between the various backends
# ('listen' is used because 'server' lines are not allowed in a 'frontend')
#---------------------------------------------------------------------
listen app
    bind *:443
    balance roundrobin
    mode tcp
    server s1 100.65.22.2:443 weight 1   # port 443 of harbor-1 and harbor-2
    #server s2 100.65.22.3:443 weight 1
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
listen ceph
    bind *:80
    balance roundrobin
    server app1 100.xx.xx.xx:7480 check   # Ceph, optional
keepalived (keepalived.conf):

vrrp_script chk_http_haproxy {
    script "/app/haproxy/bin/check_haproxy.sh"
    interval 10
    weight 2
}

global_defs {
    notification_email {
        admin@admin.com
    }
    notification_email_from admin@admin.com
    smtp_server mail.admin.com
    smtp_connect_timeout 30
    router_id CMRH_WEB
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 6
    priority 101
    advert_int 1
    track_script {
        # run the script
        chk_http_haproxy
    }
    virtual_ipaddress {
        100.70.42.6
    }
}

Health-check script (/app/haproxy/bin/check_haproxy.sh):

#!/bin/bash
# If haproxy is not running, try to start it; if it is still not running
# after 3 seconds, stop keepalived so that the VIP fails over to the other HA node.
num=`ps -C haproxy --no-header | wc -l`
if [ "$num" -eq 0 ]; then
    /app/haproxy/sbin/haproxy -f /app/haproxy/conf/haproxy.cfg
    sleep 3
    if [ `ps -C haproxy --no-header | wc -l` -eq 0 ]; then
        killall keepalived
    fi
fi

After the configuration is in place, start keepalived and HAProxy on HA-1 and HA-2:

systemctl start keepalived
systemctl start haproxy

7. Access tests

Step 1. Open the HA VIP on port 443 in a browser to test front-end access.

Step 2. Run docker pull/push tests.

Step 3. Shut down the harbor-1 or harbor-2 node to test high availability.
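A probe for the access and failover tests above, added here as an example (not code from the original post or from Harbor). It polls the registry endpoint /v2/ on the VIP, which a working Harbor answers with 401 and a Bearer challenge naming the token service, and summarises how long the VIP went unanswered while a node was shut down; the VIP URL, CA file and sample timeline are assumptions.

```python
# Added example, not from the original post: a probe for the access and
# failover tests above. Harbor's registry answers GET /v2/ with 401 plus a
# "Bearer realm=..." challenge, so a correct challenge means core and registry
# are both reachable through the VIP. URL, CA path and the timeline used in
# the summary are assumptions.
import re
import ssl
import time
import urllib.error
import urllib.request

def parse_bearer_challenge(header):
    """Return the realm/service pairs from a 'Bearer realm="...",service="..."' header."""
    if not header or not header.lower().startswith("bearer "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header[7:]))

def probe_vip(base_url, ca_file=None, timeout=3):
    """One probe: ('ok', realm) when the token challenge is served, else ('down', reason)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: the CA that signed the nginx cert
    try:
        urllib.request.urlopen(base_url + "/v2/", timeout=timeout, context=ctx)
        return ("down", "no auth challenge")  # a registry must demand a token here
    except urllib.error.HTTPError as err:
        realm = parse_bearer_challenge(err.headers.get("WWW-Authenticate")).get("realm")
        return ("ok", realm) if err.code == 401 and realm else ("down", "HTTP %d" % err.code)
    except (urllib.error.URLError, OSError) as err:
        return ("down", str(err))

def failover_summary(samples):
    """samples: [(t_seconds, 'ok'|'down'), ...] -> (down_count, longest_gap_seconds)."""
    down, longest, start = 0, 0.0, None
    for t, state in samples:
        if state == "down":
            down += 1
            start = t if start is None else start
        elif start is not None:
            longest = max(longest, t - start)
            start = None
    if start is not None:  # the last samples were still down
        longest = max(longest, samples[-1][0] - start)
    return down, longest

def watch(base_url, seconds=60, ca_file=None):
    """Probe once per second while a Harbor node is taken down, e.g. watch("https://harbor.xxx.xxx.com", 60)."""
    samples, t0 = [], time.time()
    while time.time() - t0 < seconds:
        samples.append((time.time() - t0, probe_vip(base_url, ca_file)[0]))
        time.sleep(1)
    return failover_summary(samples)
```

The hostname in the URL must be the one on the nginx certificate and resolve to the VIP, otherwise every probe reports a TLS error rather than a failover gap.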

8. Common problems:

1. The page loads, but errors appear regularly and the account is logged out

HAProxy/keepalived misconfiguration; check the configuration.

2. Harbor startup logs / troubleshooting: see the log files under /var/log/harbor/

3. 401 SignatureMisMatch:

The Ceph address is misconfigured; configure it with a domain name.

4. Data inside the Harbor repository cannot be accessed:

This may be caused by stale data in the new database used when Harbor was migrated; clear all table data in the template1 database to reset it.

5. The Notary database is local: unresolved

6. Refreshing the logs sometimes shows no data: caused by alternating access between the Harbor nodes; unresolved

7. "unknown blob" problem

When setting up Harbor behind an nginx proxy or elastic load balancing, look for the line below, in common/templates/nginx/nginx.http.conf and remove it from the sections if the proxy already has similar settings: location /, location /v2/ and location /service/.

proxy_set_header X-Forwarded-Proto $scheme;
