
Deploying Harbor with an Alibaba Cloud OSS Storage Backend


Change log

Date Content
2021-10-14 First draft
2021-10-15 Alibaba Cloud OSS
2021-10-16 OSS permission adjustments && document structure improvements

Software versions

Software Version
CentOS 7.6
harbor v2.3.3
docker-ce 20.10.9
docker-compose 1.18.0

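1. Preparing the Alibaba Cloud OSS environment

① First open Alibaba Cloud RAM (Resource Access Management), create an OSS administration user, and grant it the permissions shown in the figure below

Figure: RAM access control

② Log in to OSS Browser with the OSS administration user's AccessKey and create the bucket (click to download OSS Browser)

Figure: creating the bucket

③ Get the information needed to access the bucket

Harbor website: link on how to configure backend storage
Docker website: link on how to configure backend storage
GitHub: OSS driver documentation

The important part of the OSS driver documentation is reproduced below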

Parameter Required Description
accesskeyid yes Your access key ID.
accesskeysecret yes Your access key secret.
region yes The name of the OSS region in which you would like to store objects (for example oss-cn-beijing). For a list of regions, you can look at the official documentation.
endpoint no An endpoint which defaults to [bucket].[region].aliyuncs.com or [bucket].[region]-internal.aliyuncs.com (when internal=true). You can change the default endpoint by changing this value.
internal no An internal endpoint or the public endpoint for OSS access. The default is false. For a list of regions, you can look at the official documentation.
bucket yes The name of your OSS bucket where you wish to store objects (needs to already be created prior to driver initialization).
encrypt no Specifies whether you would like your data encrypted on the server side. Defaults to false if not specified.
secure no Specifies whether to transfer data to the bucket over ssl or not. If you omit this value, true is used.
chunksize no The default part size for multipart uploads (performed by WriteStream) to OSS. The default is 10 MB. Keep in mind that the minimum part size for OSS is 5MB. You might experience better performance for larger chunk sizes depending on the speed of your connection to OSS.
rootdirectory no The root directory tree in which to store all registry files. Defaults to an empty string (bucket root)

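From the description above, we know that the storage.oss option in Harbor's configuration file harbor.yml has four required items: accesskeyid, accesskeysecret, region and bucket. In addition, because intranet traffic is free when an ECS instance accesses OSS in the same region, the endpoint and internal options also need to be configured.

This information can be obtained from the OSS console.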

2. Preparing the Harbor environment

Next we can install Harbor.

① Harbor depends on docker and docker-compose, so these two packages need to be installed first

# Install the dependencies
➜  yum install -y docker-ce docker-compose

# Start docker
➜  systemctl start docker

② Download the Harbor offline installer

# Download the offline installer from GitHub
➜  wget https://github.com/goharbor/harbor/releases/download/v2.3.3/harbor-offline-installer-v2.3.3.tgz
➜  tar -zxf harbor-offline-installer-v2.3.3.tgz -C /usr/local

# Inspect the extracted directory
➜  cd /usr/local/harbor
➜  ll
total 610348
-rw-r--r-- 1 root root      3361 Sep 24 14:57 common.sh
-rw-r--r-- 1 root root 624956679 Sep 24 14:58 harbor.v2.3.3.tar.gz
-rw-r--r-- 1 root root      7840 Sep 24 14:57 harbor.yml.tmpl
-rwxr-xr-x 1 root root      2500 Sep 24 14:57 install.sh
-rw-r--r-- 1 root root     11347 Sep 24 14:57 LICENSE
-rwxr-xr-x 1 root root      1881 Sep 24 14:57 prepare

3. Configuration && installation

① Configuration file

# Copy the template file
➜  cp harbor.yml.tmpl harbor.yml

# The complete modified configuration file is shown below
➜  vi harbor.yml
# Configure the domain name
hostname: harbor.prod.local
http:
  port: 80

harbor_admin_password: gjr@@#$$Prod@@

database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900

# This option does need to be configured; the official site's statement that configuring storage_service disables it is incorrect.
data_volume: /data/harbor

# Data storage location
storage_service:
  ca_bundle:
  oss:
    accesskeyid: [你的accesskeyid]
    accesskeysecret: [你的accesskeysecret]
    region: oss-cn-qingdao
    endpoint: gjr-harbor-prod.oss-cn-qingdao-internal.aliyuncs.com
    internal: true
    bucket: gjr-harbor-prod
    secure: false

trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false

jobservice:
  max_job_workers: 10

notification:
  webhook_job_max_retry: 10

chart:
  absolute_url: disabled

# Log configurations
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /data/harbor.log

_version: 2.3.0

proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

metric:
  enabled: false
  port: 9090
  path: /metrics

# The configuration file can be checked before installing
➜  ./prepare

# The following output means the configuration is fine
Clean up the input dir
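
A pre-flight check for the storage_service.oss block, tying the driver parameter table in section 1 to the configuration above. This is an added example, not code from the original post or from Harbor; the function names and the sample credentials are assumptions, and the parser handles only the flat key: value layout used in this file.

```python
import re

# Constructed sample: the storage_service section of the harbor.yml above,
# with made-up credentials in place of the bracketed placeholders.
SAMPLE = """\
storage_service:
  ca_bundle:
  oss:
    accesskeyid: constructed-key-id
    accesskeysecret: constructed-key-secret
    region: oss-cn-qingdao
    endpoint: gjr-harbor-prod.oss-cn-qingdao-internal.aliyuncs.com
    internal: true
    bucket: gjr-harbor-prod
    secure: false
"""
REQUIRED = ("accesskeyid", "accesskeysecret", "region", "bucket")

def oss_options(text):
    """Collect the scalar options nested under storage_service -> oss."""
    opts, path = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Keep only ancestors that are less indented than the current key.
        path = [p for p in path if p[0] < indent] + [(indent, key)]
        if [k for _, k in path[:-1]] == ["storage_service", "oss"]:
            opts[key] = value.strip()
    return opts

def default_endpoint(opts):
    """Driver default: [bucket].[region].aliyuncs.com, or -internal when internal=true."""
    suffix = "-internal" if opts.get("internal") == "true" else ""
    return f"{opts['bucket']}.{opts['region']}{suffix}.aliyuncs.com"

def findings(opts):
    out = [f"missing required option: {k}" for k in REQUIRED if not opts.get(k)]
    out += [f"placeholder still in {k}" for k in REQUIRED
            if re.fullmatch(r"\[.*\]", opts.get(k, ""))]
    if not out and opts.get("endpoint", "") not in ("", default_endpoint(opts)):
        out.append(f"endpoint is not the driver default {default_endpoint(opts)}")
    if opts.get("secure") == "false":
        out.append("secure: false, data goes to OSS without SSL")
    return out

if __name__ == "__main__":
    for item in findings(oss_options(SAMPLE)):
        print(item)
```
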

② Install

# Run the installation script
➜  ./install.sh

# The following output confirms the installation succeeded
✔ ----Harbor has been installed and started successfully.----

# Check container status with docker-compose
➜  docker-compose ps
      Name                     Command               State             Ports
--------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up
harbor-db           /docker-entrypoint.sh 96 13      Up
harbor-jobservice   /harbor/entrypoint.sh            Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up
nginx               nginx -g daemon off;             Up      0.0.0.0:80->8080/tcp
redis               redis-server /etc/redis.conf     Up
registry            /home/harbor/entrypoint.sh       Up
registryctl         /home/harbor/start.sh            Up

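4. Pushing an image

To push an image to Harbor, the Docker host first has to go through the following steps

① Edit the hosts file

# Configure the private Harbor domain name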
➜  vim /etc/hosts
192.168.189.182   harbor.prod.local

② Edit the Docker configuration file

➜  vim /etc/docker/daemon.json
{
"insecure-registries": [
    "harbor.prod.local"
  ]
}

③ Log in to the private registry

➜  docker login harbor.prod.local
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

④ Re-tag the image

➜  docker tag busybox harbor.prod.local/library/busybox
➜  docker push harbor.prod.local/library/busybox
The push refers to repository [harbor.prod.local/library/busybox]
67f770da229b: Pushed
latest: digest: sha256:1ccc0a0ca577e5fb5a0bdf2150a1a9f842f47c8865e861fa0062c5d343eb8cac size: 527
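
What the daemon.json change in step ② and the docker login warning in step ③ mean together, as an added example that is not part of the original post. The function name audit and the sample password are constructed, and the two JSON strings stand in for /etc/docker/daemon.json and /root/.docker/config.json.

```python
import base64
import json

# Constructed samples mirroring steps 2 and 3: the daemon.json from the page and
# a config.json as docker login writes it when no credential helper is set up.
DAEMON_JSON = '{"insecure-registries": ["harbor.prod.local"]}'
CONFIG_JSON = json.dumps({"auths": {"harbor.prod.local": {
    "auth": base64.b64encode(b"admin:constructed-password").decode()}}})

def audit(daemon_text, config_text):
    """Report registries with inline credentials and registries exempt from TLS checks."""
    daemon, config = json.loads(daemon_text), json.loads(config_text)
    insecure = set(daemon.get("insecure-registries", []))
    helpers = config.get("credHelpers", {})
    findings = []
    for registry, entry in config.get("auths", {}).items():
        # Registry keys may be bare hosts or URLs; reduce both to the host part.
        host = registry.split("://")[-1].split("/")[0]
        inline = bool(entry.get("auth"))
        # With credsStore or a per-registry helper, the auths entry holds no secret.
        if inline and not (config.get("credsStore") or host in helpers):
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            findings.append(
                f"{host}: password for '{user}' is only base64-encoded in config.json")
        if host in insecure:
            findings.append(
                f"{host}: in insecure-registries, login and push skip verified TLS")
    return findings

if __name__ == "__main__":
    for item in audit(DAEMON_JSON, CONFIG_JSON):
        print(item)
```
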

5. Verifying in OSS

In OSS Browser you can see that the bucket now contains the image that was just pushed

Figure: OSS verification


Written by fage (DevOps)
