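1. Introduction to Harbor and Version Notes
Harbor is an enterprise-grade Docker Registry project open-sourced by VMware. It provides image signing, vulnerability scanning, image replication, and other features. Harbor extends the open-source Docker Distribution with the features enterprise users need.
Latest version information:
Harbor v2.11.0 - latest stable release
Harbor v2.10.2 - long-term support release
Harbor v2.9.4 - maintenance release
Harbor v2.8.6 - legacy support
2. Downloading Harbor
Harbor can be obtained in several ways: an offline installer, an online installer, and Helm Chart deployment.
Method 1: Download the offline installer (recommended)
# https://github.com/goharbor/harbor/releases
# Download the Harbor v2.11.0 offline installer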
$ wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz
# Download the checksum file
$ wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz.sha256sum
# Verify the integrity of the downloaded file
$ sha256sum -c harbor-offline-installer-v2.11.0.tgz.sha256sum
Sample output:
harbor-offline-installer-v2.11.0.tgz: OK
# Extract the installer
$ tar -xzf harbor-offline-installer-v2.11.0.tgz
# List the extracted contents
$ ls -la harbor/
Sample output:
total 1258240
drwxr-xr-x 3 root root 4096 Mar 15 10:00 .
drwxr-xr-x 3 root root 4096 Mar 15 10:00 ..
-rw-r--r-- 1 root root 3365 Mar 15 10:00 common.sh
-rw-r--r-- 1 root root 1288490188 Mar 15 10:00 harbor.v2.11.0.tar.gz
-rw-r--r-- 1 root root 12634 Mar 15 10:00 harbor.yml.tmpl
-rwxr-xr-x 1 root root 2740 Mar 15 10:00 install.sh
-rwxr-xr-x 1 root root 1897 Mar 15 10:00 prepare
-rwxr-xr-x 1 root root 7480 Mar 15 10:00 upgrade.sh
-rw-r--r-- 1 root root 480 Mar 15 10:00 LICENSE
Method 2: Download the online installer
$ wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-online-installer-v2.11.0.tgz
# Extract the installer
$ tar -xzf harbor-online-installer-v2.11.0.tgz
# List the extracted contents
$ ls -la harbor/
Sample output:
total 128
drwxr-xr-x 3 root root 4096 Mar 15 10:00 .
drwxr-xr-x 3 root root 4096 Mar 15 10:00 ..
-rw-r--r-- 1 root root 3365 Mar 15 10:00 common.sh
-rw-r--r-- 1 root root 12634 Mar 15 10:00 harbor.yml.tmpl
-rwxr-xr-x 1 root root 2740 Mar 15 10:00 install.sh
-rwxr-xr-x 1 root root 1897 Mar 15 10:00 prepare
-rwxr-xr-x 1 root root 7480 Mar 15 10:00 upgrade.sh
-rw-r--r-- 1 root root 480 Mar 15 10:00 LICENSE
Method 3: Helm Chart deployment
$ helm repo add harbor https://helm.goharbor.io
Sample output:
"harbor" has been added to your repositories
# Update the repositories
$ helm repo update
Sample output:
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "harbor" chart repository
Update Complete. ⎈Happy Helming!⎈
# Search for the Harbor chart
$ helm search repo harbor
Sample output:
NAME            CHART VERSION   APP VERSION   DESCRIPTION
harbor/harbor   1.14.0          2.11.0        An open source trusted cloud native registry th...
# Download the Harbor chart
$ helm pull harbor/harbor --version 1.14.0
# Extract the chart
$ tar -xzf harbor-1.14.0.tgz
# List the chart contents
$ ls harbor/
Sample output:
Chart.yaml LICENSE README.md templates values.yaml
3. Installing and Deploying Harbor
Harbor depends on Docker and Docker Compose, so these components must be installed first.
Step 1: Install Docker
$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
$ sudo yum install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Start the Docker service
$ sudo systemctl enable docker
$ sudo systemctl start docker
# Check the Docker version
$ docker --version
Sample output:
Docker version 26.0.0, build abc123d
# Check the Docker Compose version
$ docker compose version
Sample output:
Docker Compose version v2.25.0
Step 2: Configure Harbor
$ cd harbor
# Copy the configuration template
$ cp harbor.yml.tmpl harbor.yml
# Edit the configuration file
$ vi harbor.yml
# Main configuration items
hostname: harbor.fgedu.net.cn
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/harbor.fgedu.net.cn.crt
  private_key: /data/cert/harbor.fgedu.net.cn.key
harbor_admin_password: Harbor@12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data/harbor
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.11.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
Step 3: Run the installer
$ sudo ./install.sh --with-trivy --with-chartmuseum
Sample output:
[Step 0]: checking if docker is installed ...
Note: docker version: 26.0.0
[Step 1]: checking docker-compose is installed ...
Note: Docker Compose version v2.25.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v2.11.0
Loaded image: goharbor/harbor-portal:v2.11.0
Loaded image: goharbor/harbor-db:v2.11.0
Loaded image: goharbor/harbor-jobservice:v2.11.0
Loaded image: goharbor/harbor-log:v2.11.0
Loaded image: goharbor/harbor-registryctl:v2.11.0
Loaded image: goharbor/harbor-exporter:v2.11.0
Loaded image: goharbor/registry-photon:v2.11.0
Loaded image: goharbor/redis-photon:v2.11.0
Loaded image: goharbor/trivy-adapter-photon:v2.11.0
Loaded image: goharbor/chartmuseum-photon:v2.11.0
Loaded image: goharbor/prepare:v2.11.0
Loaded image: goharbor/nginx-photon:v2.11.0
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /config/chartserver/env
Generated configuration file: /config/nginx/conf.d/default.conf
Generated configuration file: /config/exporter/env
Generated and saved secret to file: /data/secret/keys/secretkey
Generated and saved secret to file: /data/secret/keys/rootkey
Generated certificate, secret file: /data/secret/keys/secretkey
The configuration files are ready, please use docker-compose to start the service.
[Step 5]: starting Harbor ...
[+] Running 13/13
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 1.2s
✔ Container harbor-db Started 2.3s
✔ Container redis Started 2.4s
✔ Container registryctl Started 3.1s
✔ Container registry Started 3.2s
✔ Container harbor-portal Started 3.8s
✔ Container harbor-core Started 4.2s
✔ Container harbor-jobservice Started 5.1s
✔ Container nginx Started 5.8s
✔ Container trivy-adapter Started 5.9s
✔ Container chartmuseum Started 6.0s
✔ Container harbor-exporter Started 6.1s
✔ ----Harbor has been installed and started successfully.----
4. Harbor Configuration in Detail
The Harbor configuration file harbor.yml contains several important settings that need to be adjusted for the production environment.
Core configuration items
$ cat harbor.yml
# Main configuration items explained
# Hostname (required)
hostname: harbor.fgedu.net.cn
# HTTP settings
http:
  port: 80
# HTTPS settings (mandatory in production)
https:
  port: 443
  certificate: /data/cert/harbor.fgedu.net.cn.crt
  private_key: /data/cert/harbor.fgedu.net.cn.key
# Administrator password (can be changed in the web UI after the first installation)
harbor_admin_password: Harbor@12345
# Database settings
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
  conn_max_lifetime: 5m
  conn_max_idle_time: 0
# Data storage directory
data_volume: /data/harbor
# Trivy vulnerability scanning settings
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
# Job service settings
jobservice:
  max_job_workers: 10
  job_log_logger:
    sweeper:
      duration: 14
      enabled: true
# Logging settings
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
# Proxy settings (optional)
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
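The settings above can be checked mechanically before install.sh is run. The following shell sketch is an added example, not part of the original article or of Harbor: audit_harbor_yml is a hypothetical helper and both sample files are constructed. It flags the sample passwords shown on this page (and Harbor12345, the value shipped in harbor.yml.tmpl), a missing https section, and trivy.insecure set to true.

```shell
# Added example: audit_harbor_yml is a hypothetical helper, not part of Harbor.
audit_harbor_yml() {
  # Prints one "FINDING:" line per problem and returns 1 if any were found.
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                       # comments, blanks
    /^[^ \t]/ { section = $1; sub(/:.*$/, "", section) }    # top-level key
    {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/"/, "", val)
      if (section == "https") https = 1
      if (key == "harbor_admin_password" &&
          (val == "Harbor12345" || val == "Harbor@12345")) {
        print "FINDING: harbor_admin_password is a published sample value"; n++ }
      if (section == "database" && key == "password" && val == "root123") {
        print "FINDING: database.password is the template default"; n++ }
      if (section == "trivy" && key == "insecure" && val == "true") {
        print "FINDING: trivy.insecure skips registry certificate checks"; n++ }
    }
    END {
      if (!https) { print "FINDING: no https section, plain HTTP only"; n++ }
      exit (n > 0)
    }
  ' "$1"
}
# Constructed sample inputs (not real deployments).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.yml" <<'EOF'
hostname: harbor.fgedu.net.cn
http:
  port: 80
harbor_admin_password: Harbor@12345
database:
  password: root123
trivy:
  insecure: true
EOF
cat > "$SAMPLE_DIR/hardened.yml" <<'EOF'
hostname: harbor.fgedu.net.cn
https:
  port: 443
harbor_admin_password: "constructed-Long-Random-1"
database:
  password: "constructed-Long-Random-2"
trivy:
  insecure: false
EOF
audit_harbor_yml "$SAMPLE_DIR/weak.yml" || echo "weak.yml: review required"
audit_harbor_yml "$SAMPLE_DIR/hardened.yml" && echo "hardened.yml: no findings"
```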
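5. Harbor SSL Certificate Configuration
HTTPS must be configured in production; either a self-signed certificate or a CA-issued certificate can be used. Tip: a self-signed certificate has to be explicitly trusted on each client.
Step 1: Generate a self-signed certificate
$ mkdir -p /data/cert
$ cd /data/cert
# Generate the CA private key
$ openssl genrsa -out ca.key 4096
Sample output: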
Generating RSA private key, 4096 bit long modulus (2 primes)
………………………………………++++
…………..++++
e is 65537 (0x010001)
# Generate the CA certificate
$ openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=fgedu/OU=IT/CN=harbor.fgedu.net.cn" \
    -key ca.key \
    -out ca.crt
# Generate the server private key
$ openssl genrsa -out harbor.fgedu.net.cn.key 4096
# Generate the certificate signing request
$ openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=fgedu/OU=IT/CN=harbor.fgedu.net.cn" \
    -key harbor.fgedu.net.cn.key \
    -out harbor.fgedu.net.cn.csr
# Generate the x509 v3 extension file
$ cat > harbor.fgedu.net.cn.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.fgedu.net.cn
DNS.2=harbor
IP.1=192.168.1.51
EOF
# Generate the server certificate
$ openssl x509 -req -sha512 -days 3650 \
    -extfile harbor.fgedu.net.cn.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.fgedu.net.cn.csr \
    -out harbor.fgedu.net.cn.crt
Sample output:
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = fgedu, OU = IT, CN = harbor.fgedu.net.cn
Getting CA Private Key
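Before pointing https.certificate and https.private_key at the generated files, it is worth confirming that the certificate chains to ca.crt, covers the registry hostname in subjectAltName, and matches the private key. The following is an added example, not part of the original article: check_harbor_cert is a hypothetical helper, and the throwaway CA, subject names and 2048-bit keys are constructed so that the block runs on its own.

```shell
# Added example: check_harbor_cert is a hypothetical helper, not a Harbor tool.
check_harbor_cert() {   # args: CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
  ca=$1; crt=$2; key=$3; host=$4
  # 1. The server certificate must chain to the CA that clients will trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: chain"; return 1; }
  # 2. The registry hostname must be covered by subjectAltName.
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: hostname $host"; return 1; }
  # 3. The private key must belong to the certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match"; return 1; }
  echo "OK: $host"
}

# Constructed throwaway PKI: 2048-bit keys for speed, sample names and SANs.
PKI=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=harbor.fgedu.net.cn" \
  -keyout "$PKI/srv.key" -out "$PKI/srv.csr" 2>/dev/null
echo "subjectAltName=DNS:harbor.fgedu.net.cn,IP:192.168.1.51" > "$PKI/srv.ext"
openssl x509 -req -days 1 -in "$PKI/srv.csr" -extfile "$PKI/srv.ext" \
  -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
  -out "$PKI/srv.crt" 2>/dev/null

check_harbor_cert "$PKI/ca.crt" "$PKI/srv.crt" "$PKI/srv.key" harbor.fgedu.net.cn
check_harbor_cert "$PKI/ca.crt" "$PKI/srv.crt" "$PKI/ca.key" harbor.fgedu.net.cn || true
check_harbor_cert "$PKI/ca.crt" "$PKI/srv.crt" "$PKI/srv.key" harbor || true
```

On a real host the arguments would be /data/cert/ca.crt, the server certificate and key from step 1, and the hostname set in harbor.yml.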
Step 2: Configure Docker to trust the certificate
$ mkdir -p /etc/docker/certs.d/harbor.fgedu.net.cn
# Copy the certificate files
$ cp /data/cert/harbor.fgedu.net.cn.crt /etc/docker/certs.d/harbor.fgedu.net.cn/
$ cp /data/cert/ca.crt /etc/docker/certs.d/harbor.fgedu.net.cn/
# Restart the Docker service
$ systemctl restart docker
# Verify the certificate configuration
$ ls -la /etc/docker/certs.d/harbor.fgedu.net.cn/
Sample output:
total 16
drwxr-xr-x 2 root root 4096 Mar 15 10:00 .
drwxr-xr-x 3 root root 4096 Mar 15 10:00 ..
-rw-r--r-- 1 root root 2049 Mar 15 10:00 ca.crt
-rw-r--r-- 1 root root 2049 Mar 15 10:00 harbor.fgedu.net.cn.crt
6. Using Harbor in Practice
Once installation is complete, images can be pushed and pulled.
Step 1: Log in to Harbor
$ docker login harbor.fgedu.net.cn
Sample output:
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Check the login state
$ cat ~/.docker/config.json
Sample output:
{
  "auths": {
    "harbor.fgedu.net.cn": {
      "auth": "YWRtaW46SGFyYm9yQDEyMzQ1"
    }
  }
}
Step 2: Push an image
$ docker pull nginx:alpine
Sample output:
alpine: Pulling from library/nginx
abc123d: Pull complete
def456g: Pull complete
Digest: sha256:abc123def456789012345678901234567890123456789012345678901234
Status: Downloaded newer image for nginx:alpine
docker.io/library/nginx:alpine
# Tag the image
$ docker tag nginx:alpine harbor.fgedu.net.cn/library/nginx:alpine
# Push the image to Harbor
$ docker push harbor.fgedu.net.cn/library/nginx:alpine
Sample output:
The push refers to repository [harbor.fgedu.net.cn/library/nginx]
abc123d: Pushed
def456g: Pushed
alpine: digest: sha256:abc123def456789012345678901234567890123456789012345678901234 size: 1234
# List the pushed images
$ curl -k -u admin:Harbor@12345 https://harbor.fgedu.net.cn/api/v2.0/projects/library/repositories
Sample output:
[
  {
    "id": 1,
    "name": "library/nginx",
    "project_id": 1,
    "description": "",
    "creation_time": "2026-03-15T10:00:00.000Z",
    "update_time": "2026-03-15T10:00:00.000Z"
  }
]
Step 3: Pull the image
$ docker rmi nginx:alpine
$ docker rmi harbor.fgedu.net.cn/library/nginx:alpine
# Pull the image from Harbor
$ docker pull harbor.fgedu.net.cn/library/nginx:alpine
Sample output:
alpine: Pulling from library/nginx
abc123d: Pull complete
def456g: Pull complete
Digest: sha256:abc123def456789012345678901234567890123456789012345678901234
Status: Downloaded newer image for harbor.fgedu.net.cn/library/nginx:alpine
harbor.fgedu.net.cn/library/nginx:alpine
# Verify the image
$ docker images | grep nginx
Sample output:
harbor.fgedu.net.cn/library/nginx alpine abc123def456 2 weeks ago 23.5MB
7. Harbor Image Replication
Harbor supports image replication across registries, which can be used for image backup and synchronization between data centers.
Step 1: Configure the replication target
# Open https://harbor.fgedu.net.cn
# Administration -> Registries -> New Endpoint
# Or configure it through the API
$ curl -k -X POST -H "Content-Type: application/json" \
    -u admin:Harbor@12345 \
    https://harbor.fgedu.net.cn/api/v2.0/registries \
    -d '{
  "name": "backup-harbor",
  "type": "harbor",
  "url": "https://backup.fgedu.net.cn",
  "credential": {
    "type": "basic",
    "access_key": "admin",
    "access_secret": "Harbor@12345"
  },
  "insecure": true
}'
Sample output:
201 Created
# List the replication targets
$ curl -k -u admin:Harbor@12345 \
    https://harbor.fgedu.net.cn/api/v2.0/registries
Sample output:
[
  {
    "id": 1,
    "name": "backup-harbor",
    "type": "harbor",
    "url": "https://backup.fgedu.net.cn",
    "status": "healthy"
  }
]
Step 2: Create a replication rule
# Push-based rule: src_registry is the local Harbor (null) and dest_registry is the target created in step 1
$ curl -k -X POST -H "Content-Type: application/json" \
    -u admin:Harbor@12345 \
    https://harbor.fgedu.net.cn/api/v2.0/replication/policies \
    -d '{
  "name": "backup-all",
  "description": "Backup all images",
  "src_registry": null,
  "dest_registry": {
    "id": 1
  },
  "dest_namespace": "backup",
  "trigger": {
    "type": "scheduled",
    "trigger_settings": {
      "cron": "0 0 2 * * *"
    }
  },
  "filters": [
    {
      "type": "name",
      "value": "**"
    }
  ],
  "deletion": false,
  "enabled": true,
  "override": true,
  "speed": -1
}'
Sample output:
201 Created
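# Trigger replication manually
$ curl -k -X POST -H "Content-Type: application/json" \
    -u admin:Harbor@12345 \
    https://harbor.fgedu.net.cn/api/v2.0/replication/executions \
    -d '{
  "policy_id": 1
}'
Sample output:
201 Created
8. Harbor Backup and Restore
A Harbor backup consists of a database backup and an image data backup; both need to be run regularly to keep the data safe.
Step 1: Back up the database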
$ docker exec -it harbor-db /bin/bash
# Run the database backup
$ pg_dump -U postgres registry > /tmp/harbor_db_backup.sql
# Leave the container
$ exit
# Copy the backup file to the host
$ docker cp harbor-db:/tmp/harbor_db_backup.sql /backup/
# Check the backup file
$ ls -la /backup/harbor_db_backup.sql
Sample output:
-rw-r--r-- 1 root root 123456 Mar 15 10:00 /backup/harbor_db_backup.sql
Step 2: Back up the data directory
$ cd /root/harbor
$ docker compose down
Sample output:
[+] Running 13/13
✔ Container nginx Removed 1.0s
✔ Container harbor-core Removed 1.1s
✔ Container harbor-portal Removed 1.2s
✔ Container harbor-jobservice Removed 1.3s
✔ Container registryctl Removed 1.4s
✔ Container registry Removed 1.5s
✔ Container harbor-db Removed 1.6s
✔ Container redis Removed 1.7s
✔ Container trivy-adapter Removed 1.8s
✔ Container chartmuseum Removed 1.9s
✔ Container harbor-exporter Removed 2.0s
✔ Container harbor-log Removed 2.1s
✔ Network harbor_harbor Removed 2.2s
# Back up the data directory
$ tar -czf /backup/harbor_data_$(date +%Y%m%d).tar.gz /data/harbor
# Back up the configuration files
$ tar -czf /backup/harbor_config_$(date +%Y%m%d).tar.gz /root/harbor
# Check the backup files
$ ls -la /backup/
Sample output:
total 1258240
-rw-r--r-- 1 root root 1288490188 Mar 15 10:00 harbor_data_20260315.tar.gz
-rw-r--r-- 1 root root 12345 Mar 15 10:00 harbor_config_20260315.tar.gz
-rw-r--r-- 1 root root 123456 Mar 15 10:00 harbor_db_backup.sql
Step 3: Restore the data
$ tar -xzf /backup/harbor_data_20260315.tar.gz -C /
# Extract the configuration backup
$ tar -xzf /backup/harbor_config_20260315.tar.gz -C /
# Start the Harbor service
$ cd /root/harbor
$ docker compose up -d
Sample output:
[+] Running 13/13
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 1.0s
✔ Container harbor-db Started 2.0s
✔ Container redis Started 2.1s
✔ Container registryctl Started 2.8s
✔ Container registry Started 2.9s
✔ Container harbor-portal Started 3.5s
✔ Container harbor-core Started 3.9s
✔ Container harbor-jobservice Started 4.8s
✔ Container nginx Started 5.5s
✔ Container trivy-adapter Started 5.6s
✔ Container chartmuseum Started 5.7s
✔ Container harbor-exporter Started 5.8s
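# Restore the database (if needed)
$ docker cp /backup/harbor_db_backup.sql harbor-db:/tmp/
$ docker exec -it harbor-db psql -U postgres registry -f /tmp/harbor_db_backup.sql
This article was compiled and published by 风哥教程 (Fengge Tutorials) and is intended for learning and testing only. When reposting, credit the source: http://www.fgedu.net.cn/10327.html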
