1. 主机配置

主机地址 主机配置 主机角色 软件版本
192.168.1.60 CPU:4C MEM:4GB Disk: 100GB Harbor+Keepalived Harbor 2.1.3 Keepalived 2.2.1 Docker 19.03.9 VIP:192.168.1.156
192.168.1.61 CPU:4C MEM:4GB Disk: 100GB Harbor+Keepalived Harbor 2.1.3 Keepalived 2.2.1 Docker 19.03.9 VIP:192.168.1.156
192.168.1.62 CPU:4C MEM:8GB Disk: 500GB Postgres+Redis+NFS Docker 19.03.9

2. 基础安装配置

2.1 Docker 安装教程

2.1.1 安装存储驱动
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
2.1.2 添加 Docker-ce 安装仓库
sudo yum-config-manager --add-repo \

https://download.docker.com/linux/centos/docker-ce.repo
2.1.3 查看与安装所需版本
yum list docker-ce --showduplicates | sort -r

yum -y install docker-ce-19.03.9 docker-ce-cli-19.03.9 containerd.io
2.1.4 配置国内仓库
 {

    "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn","https://hub-mirror.c.163.com"],

    "max-concurrent-downloads": 20,

    "live-restore": true,

    "max-concurrent-uploads": 10,

    "debug": true,

    "data-root": "/data/docker_data",

    "exec-root": "/data/docker_exec",

    "log-opts": {

      "max-size": "100m",

      "max-file": "5"

    }

}
2.1.5 启动 Docker
systemctl start docker && systemctl enable docker
2.1.6 安装 docker-compose
sudo wget https://github.com/docker/compose/releases/download/1.28.4/docker-compose-Linux-x86_64

sudo mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose

sudo chmod +x /usr/local/bin/docker-compose

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

3. 安装配置数据与共享数据(有存储可跳过)

3.1 NFS Server端配置

# 安装软件

yum -y install nfs-utils rpcbind

# 创建共享目录

mkdir /data/harbor-data

# 配置共享目录

echo "/data/harbor-data *(rw,sync,no_root_squash)"  >> /etc/exports

# 启动服务

systemctl enable rpcbind && systemctl restart rpcbind

systemctl enable nfs && systemctl restart nfs

# 检测工目录

showmount -e localhost

3.2 NFS Client端配置

# 安装软件

yum -y install nfs-utils

# 创建挂载目录

mkdir /data/harbor-data

# 配置自动挂载

vi /etc/fstab # 添加如行

192.168.1.62:/data/harbor-data  /data/harbor-data  nfs defaults 0 0

# 进行挂载

mount -a

3.3 postgres+redis服务

# 创建数据存放目录

docker volume create --driver local \

--opt type=none \

--opt device=/data/harbor-relay/postgres-data \

--opt o=bind postgres-data

docker volume create --driver local \

--opt type=none \

--opt device=/data/harbor-relay/redis-data \

--opt o=bind redis-data

3.4 启动服务

version: '3.1'

services:

  db:

    image: postgres

    container_name: harbor-postgres

    restart: always

    environment:

      POSTGRES_USER: postgres

      POSTGRES_PASSWORD: password

    volumes:

      - postgres-data:/var/lib/postgresql/data

    ports:

      - 5432:5432

  redis:

    image: redis

    container_name: harbor-redis

    restart: always

    environment:

      TZ: Asia/Shanghai

      LANG: en_US.UTF-8

    command: redis-server /etc/conf/redis.conf

    privileged: true

    volumes:

      - redis-data:/data

      - ./conf:/etc/conf

    ports:

      - 6379:6379

volumes:

  postgres-data:

    external: true

  redis-data:

    external: true

4. Harbor 服务安装配置

4.1 下载离线安装包

wget https://github.com/goharbor/harbor/releases/download/v2.1.3/harbor-offline-installer-v2.1.3.tgz

4.2 创建外部数据库

# 登陆到容器内进行配置

root@0c68861b7df3:/# psql -U postgres

psql (9.6.20)

Type "help" for help.

postgres=# create user harbor with password 'harbor123';

CREATE ROLE

postgres=# CREATE DATABASE harbor;

CREATE DATABASE

postgres=# create database harbor_clair;

CREATE DATABASE

postgres=# create database harbor_notary_server;

CREATE DATABASE

postgres=# create database harbor_notary_signer;

CREATE DATABASE

postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor to harbor;

GRANT

postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor_clair to harbor;

GRANT

postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor_notary_server to harbor;

GRANT

postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor_notary_signer to harbor;

GRANT

postgres=# \q

4.3 生成自签名证书

#!/bin/bash

# 在该目录下操作生成证书,正好供harbor.yml使用

mkdir -p /data/harbor/cert

cd /data/harbor/cert

DOMAIN_NAME=$1

${DOMAIN_NAME:-magic-harbor.magic.com}

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=ShenZhen/L=ShenZhen/O=magic/OU=Harbor/CN=${DOMAIN_NAME}" -key ca.key -out ca.crt

openssl genrsa -out ${DOMAIN_NAME}.key 4096

openssl req -sha512 -new -subj "/C=CN/ST=ShenZhen/L=ShenZhen/O=magic/OU=Harbor/CN=${DOMAIN_NAME}" -key ${DOMAIN_NAME}.key -out ${DOMAIN_NAME}.csr

cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1=${DOMAIN_NAME}

EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in ${DOMAIN_NAME}.csr -out ${DOMAIN_NAME}.crt

openssl x509 -inform PEM -in ${DOMAIN_NAME}.crt -out ${DOMAIN_NAME}.cert

cp ${DOMAIN_NAME}.crt /etc/pki/ca-trust/source/anchors/${DOMAIN_NAME}.crt

4.4 重新配置 Docker

# 把这三个复制到docke下

mkdir -p /etc/docker/certs.d/magic-harbor.magic.com/

cp magic-harbor.magic.com.cert /etc/docker/certs.d/magic-harbor.magic.com/

cp magic-harbor.magic.com.key /etc/docker/certs.d/ymagic-harbor.magic.com/

cp ca.crt /etc/docker/certs.d/magic-harbor.magic.com/

最终docker目录结构:

/etc/docker/certs.d/

    └── magic-harbor.magic.com

       ├── magic-harbor.magic.com.cert  <-- Server certificate signed by CA

       ├── magic-harbor.magic.com.key   <-- Server key signed by CA

       └── ca.crt               <-- Certificate authority that signed the registry certificate

# 重启docker

systemctl restart docker.service

# 停止

docker-compose down -v

# 重新生成配置文件

./prepare --with-notary --with-clair --with-chartmuseum

# 启动

docker-compose up -d

4.5 更改 harbor.yml

hostname: magic-harbor.magic.com

https:

  port: 443

  certificate: /data/harbor/cert/magic-harbor.magic.com.crt

  private_key: /data/harbor/cert/magic-harbor.magic.com.key

harbor_admin_password: Harbor12345

# The default data volume

data_volume: /data/harbor-data

trivy:

  # ignoreUnfixed The flag to display only fixed vulnerabilities

  ignore_unfixed: false

  skip_update: false

  insecure: false

jobservice:

  # Maximum number of job workers in job service

  max_job_workers: 10

notification:

  # Maximum retry count for webhook job

  webhook_job_max_retry: 10

chart:

  # Change the value of absolute_url to enabled can enable absolute url in chart

  absolute_url: disabled

# Log configurations

log:

  level: info

  local:

    rotate_count: 50

    rotate_size: 200M

    location: /var/log/harbor

_version: 2.0.0

external_database:

  harbor:

    host: 192.168.1.62

    port: 5432

    db_name: harbor

    username: harbor

    password: harbor123

    ssl_mode: disable

    max_idle_conns: 2

    max_open_conns: 0

  clair:

    host: 192.168.1.62

    port: 5432

    db_name: harbor_clair

    username: harbor

    password: harbor123

    ssl_mode: disable

  notary_signer:

    host: 192.168.1.62

    port: 5432

    db_name: harbor_notary_signer

    username: harbor

    password: harbor123

    ssl_mode: disable

  notary_server:

    host: 192.168.1.62

    port: 5432

    db_name: harbor_notary_server

    username: harbor

    password: harbor123

    ssl_mode: disable

external_redis:

  host: 192.168.1.62:6379

  password:

  registry_db_index: 1

  jobservice_db_index: 2

  chartmuseum_db_index: 3

  clair_db_index: 4

proxy:

  http_proxy:

  https_proxy:

  no_proxy:

  components:

    - core

    - jobservice

    - clair

    - trivy

4.6 启动 Harbor

# 开启 chart 仓库服务、开启静态分析容器漏洞服务、内容信任插件

./install.sh --with-chartmuseum --with-trivy --with-clair --with-notary

4.7 验证 Harbor

# docker-compose ps

chartmuseum         ./docker-entrypoint.sh           Up (healthy)

clair               ./docker-entrypoint.sh           Up (healthy)

clair-adapter       /home/clair-adapter/entryp ...   Up (healthy)

harbor-core         /harbor/entrypoint.sh            Up (healthy)

harbor-jobservice   /harbor/entrypoint.sh            Up (healthy)

harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp

harbor-portal       nginx -g daemon off;             Up (healthy)

nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:4443->4443/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp

notary-server       /bin/sh -c migrate-patch - ...   Up

notary-signer       /bin/sh -c migrate-patch - ...   Up

registry            /home/harbor/entrypoint.sh       Up (healthy)

registryctl         /home/harbor/start.sh            Up (healthy)

trivy-adapter       /home/scanner/entrypoint.sh      Up (healthy)

5. Harbor 高可用配置

5.1 下载 Keepalived

wget https://www.keepalived.org/software/keepalived-2.2.1.tar.gz

5.2 编译安装 Keepalived

5.2.1 安装依赖
yum -y install gcc gcc-c++ openssl openssl-devel
5.2.2 安装 keepalived
./configure --sysconf=/etc --prefix=/usr/local/keepalived && \

make && \

make install
5.2.3 准备 keepalived 配置文件 与 check.sh 文件

keepalived.conf

global_defs {

  router_id haborlb

}

vrrp_sync_groups VG1 {

  group {

    VI_1

  }

}

#Please change "ens160" to the interface name on you loadbalancer hosts.

#In some case it will be eth0, ens16xxx etc.

vrrp_instance VI_1 {

  interface eth0

  track_interface {

    eth0

  }

  state MASTER

  virtual_router_id 51

  priority 10

  virtual_ipaddress {

    192.168.1.156/24

  }

  advert_int 1

  authentication {

    auth_type PASS

    auth_pass d0cker

  }

}

##########################HTTPS#################################

#Please uncomment the follow when harbor running under https

virtual_server 192.168.1.156 443 {

  delay_loop 15

  lb_algo rr

  lb_kind DR

  protocol TCP

  nat_mask 255.255.255.0

  persistence_timeout 10

  real_server 192.168.1.60 443 {

    weight 10

    MISC_CHECK {

       misc_path "/usr/local/bin/check.sh 192.168.1.60"

       misc_timeout 5

    }

  }

  real_server 192.168.1.61 443 {

    weight 10

    MISC_CHECK {

       misc_path "/usr/local/bin/check.sh 192.168.1.61"

       misc_timeout 5

    }

  }

}

#########################End of HTTPS Section#################

check.sh

#!/bin/bash

set -e

#get protocol

LOG=/var/log/keepalived_check.log

nodeip=$1

nodeaddress="http://${nodeip}"

http_code=`curl -s -o /dev/null -w "%{http_code}" ${nodeaddress}`

if [ $http_code == 200 ] ; then

  protocol="http"

elif [ $http_code == 308 ]

then

  protocol="https"

else

  echo "`date +"%Y-%m-%d %H:%M:%S"` $1, CHECK_CODE=$http_code" >> $LOG

  exit 1

fi

systeminfo=`curl -k -o - -s ${protocol}://${nodeip}/api/v2.0/systeminfo`

echo $systeminfo | grep "registry_url"

if [ $? != 0 ] ; then

  exit 1

fi

5.3 同步配置文件到另外一台 harbor

scp keepalived.conf check.sh root@192.168.1.61:/etc/keepalived/keepalived.conf

scp /usr/local/bin/check.sh root@192.168.1.61:/usr/local/bin/check.sh

5.4 2 台 Harbor 启动 keepalived

systemctl start keepalived && systemctl enable keepalived

5.5 验证 VIP

# VIP 为 192.168.1.156

ip addr | grep 192.168.1.156

inet 192.168.1.156/24 scope global secondary eth0

6. Harbor 验证

6.1 配置私有仓库

cat /etc/docker/daemon.json

{

    "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn","https://hub-mirror.c.164.com","https://magic-harbor.magic.com"],

    "insecure-registries": ["https://magic-harbor.magic.com"],

    "max-concurrent-downloads": 20,

    "live-restore": true,

    "max-concurrent-uploads": 10,

    "debug": true,

    "data-root": "/data/docker_data",

    "exec-root": "/data/docker_exec",

    "log-opts": {

      "max-size": "100m",

      "max-file": "5"

    }

}

6.2 验证上传下载

# docker tag hello-world magic-harbor.magic.com/library/hello-world:latest

# docker push magic-harbor.magic.com/library/hello-world:latest

    The push refers to repository [magic-harbor.magic.com/library/hello-world]

    9c27e219663c: Preparing

    unauthorized: unauthorized to access repository: library/hello-world, action: push: unauthorized to access repository: library/hello-world, action: push

# docker login  magic-harbor.magic.com

    Username: admin

    Password:

    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

    Configure a credential helper to remove this warning. See

    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded

# docker push magic-harbor.magic.com/library/hello-world:latest

    The push refers to repository [magic-harbor.magic.com/library/hello-world]

    9c27e219663c: Pushed

    latest: digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 size: 525

Harbor 共享后端高可用的更多相关文章

  1. Docker namespace,cgroup,镜像构建,数据持久化及Harbor安装、高可用配置

    1.Docker namespace 1.1 namespace介绍 namespace是Linux提供的用于分离进程树.网络接口.挂载点以及进程间通信等资源的方法.可以使运行在同一台机器上的不同服务 ...

  2. 014.Docker Harbor+Keepalived+LVS+共享存储高可用架构

    一 多Harbor高可用介绍 共享后端存储是一种比较标准的方案,将多个Harbor实例共享同一个后端存储,任何一个实例持久化到存储的镜像,都可被其他实例中读取.通过前置LB组件,如Keepalived ...

  3. Harbor高可用理论及实践(汇聚篇)

    目录 一.理论概述 什么是harbor harbor要解决的问题 有了docker自带的registry为什么还要用harbor harbor的架构组件 Harbor工作原理 二.部署harbor及其 ...

  4. Harbor高可用

    项目需求: 实现Harbor的HTTPS高可用,由于Harbor 服务器配置不高,直接做HTTPS对上传下载镜像时,若docker客户端多时,会非常慢,为了提高harbor的效率,采用以下方式来解决. ...

  5. 分布式集群系统下的高可用session解决方案

    目前,为了使web能适应大规模的访问,需要实现应用的集群部署. 而实现集群部署首先要解决session的统一,即需要实现session的共享机制. 目前,在集群系统下实现session统一的有如下几种 ...

  6. Apache shiro集群实现 (五)分布式集群系统下的高可用session解决方案

    Apache shiro集群实现 (一) shiro入门介绍 Apache shiro集群实现 (二) shiro 的INI配置 Apache shiro集群实现 (三)shiro身份认证(Shiro ...

  7. 部署docker镜像仓库及高可用

      下载地址: https://github.com/goharbor/harbor/releases   安装harbor服务器: 安装harbor root@harbor-vm1:/usr/loc ...

  8. harbor高可用集群配置

    目录 说明 双主复制 主从同步 双主复制说明 多harbor实例共享后端存储 方案说明 环境说明 配置说明 安装redis和mysql 导入registry数据库 配置harbor 挂载nfs目录 修 ...

  9. 基于Harbor和CephFS搭建高可用Private Registry

    我们有给客户搭建私有容器仓库的需求.开源的私有容器registry可供选择的不多,除了docker官方的distribution之外,比较知名的是VMware China出品的Harbor,我们选择了 ...

  10. Kubernetes容器集群 - harbor仓库高可用集群部署说明

    之前介绍Harbor私有仓库的安装和使用,这里重点说下Harbor高可用集群方案的部署,目前主要有两种主流的Harbor高可用集群方案:1)双主复制:2)多harbor实例共享后端存储. 一.Harb ...

随机推荐

  1. npoi2.3+泛型+反射 根据配置统一解析excel数据到实体的基础方法

    解析方法: /// <summary> /// excel数据解析到实体 /// </summary> /// <typeparam name="T" ...

  2. 计算机网络常见面试题(二):浏览器中输入URL返回页面过程、HTTP协议特点,GET、POST的区别,Cookie与Session

    文章目录 一.HTTP协议的特点 1.1 特点 1.2 HTTP是不保存状态的协议,如何保存用户状态? 二.浏览器中输入URL返回页面过程(重) 三.HTTP状态码 四.HTTP相关协议对比 4.1 ...

  3. 我的博客网站为什么又回归Blazor了

    引言 在博客网站的开发征程中,站长可谓是一路披荆斩棘.从最初的构思到实践,先后涉足了多种开发技术,包括 [MVC](ASP.NET Core MVC 概述 | Microsoft Learn).[Ra ...

  4. 低功耗4G模组:Air780EP之fskv开发示例

    ​ 今天我们学习合宙低功耗4G模组Air780EP的fskv开发示例. 一.简介 兼容fdb的函数 使用fdb的flash空间,启用时也会替代fdb库 功能上与EEPROM是类似的 fskv与fdb的 ...

  5. linux下的rpm与yum

    一.源代码形式 1.      绝大多数开源软件都是直接以原码形式发布的 2.      源代码一般会被打成.tar.gz的归档压缩文件 3.      源代码需要编译成为二进制形式之后才能够运行使用 ...

  6. Filter内存马

    概述 最近感冒了,不想BB太多,直接开始调试吧,先写个Filter来调试 Filter代码 新建一个FilterShell类,代码如下: 一个类如果想要成为Filter则需要继承Filter,然后重写 ...

  7. sde解除锁定

    在sde数据被锁定的情况下,编辑.创建featureclass或者注册版本的时候会报告:Lock request conflicts with an established lock. 方法一:多半情 ...

  8. 树莓派4B 多屏 QT程序窗口全屏 QScreen 只能获取1个屏幕

    直接运行程序时,窗口全屏, 并且QScreen 只能获取1个屏幕,这是由于QT默认使用了EGLFS.(坑了一下午) 所以必须采用命令方式打开程序. ./程序名称 -platform xcb

  9. 配置 Forwarded Headers Middleware

    来自微软的说明:Configure ASP.NET Core to work with proxy servers and load balancers | Microsoft Learn. 通过该中 ...

  10. 依赖注入在 dotnet core 中实现与使用:5. 使用支持 Unicode 的 HtmlEncoder

    现象 在 ASP.NET Core MVC 中,当在页面中传递了一个包含中文字符串到页面的时候,页面的显示是正常的,但是如果查看页面源码,却看不到中文,变成了一串编码之后的内容. 例如,在页面中直接定 ...