
Linux教程FG519-Linux综合实战案例二十五

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

本文档介绍企业级容器镜像仓库部署综合实战案例。

风哥提示:

Part01-Harbor仓库部署

1.1 Harbor安装配置

# 安装Docker和Docker Compose
[root@fgedu-harbor ~]# yum install -y docker-ce docker-compose

# 下载Harbor
[root@fgedu-harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-offline-installer-v2.10.0.tgz
[root@fgedu-harbor ~]# tar xzf harbor-offline-installer-v2.10.0.tgz -C /opt/

# 配置Harbor
[root@fgedu-harbor ~]# cat > /opt/harbor/harbor.yml << 'EOF'
hostname: harbor.fgedu.net.cn
http:
  port: 80
https:
  port: 443
  certificate: /etc/pki/tls/certs/harbor.crt
  private_key: /etc/pki/tls/private/harbor.key
harbor_admin_password: Harbor@123
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data/harbor
trivy:
  enabled: true
chart:
  absolute_url: enabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
EOF

# 安装Harbor
[root@fgedu-harbor ~]# cd /opt/harbor && ./install.sh --with-trivy --with-chartmuseum
[Step 0]: checking if docker is installed ...
[Step 1]: checking docker-compose is installed ...
[Step 2]: loading Harbor images ...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
[Step 5]: starting Harbor ...
----Harbor has been installed and started successfully.----

# 检查Harbor状态
[root@fgedu-harbor ~]# docker-compose ps
      Name                     Command                  State        Ports
---------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up (healthy)
harbor-db           /docker-entrypoint.sh 96 13      Up (healthy)
harbor-jobservice   /harbor/entrypoint.sh            Up (healthy)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)
harbor-portal       nginx -g daemon off;             Up (healthy)
harbor-redis        redis-server /etc/redis.conf     Up (healthy)
harbor-registry     /home/harbor/start.sh            Up (healthy)
harbor-trivy        /home/scanner/entrypoint.sh      Up (healthy)
nginx               nginx -g daemon off;             Up (healthy)

Part02-镜像管理

2.1 镜像推送拉取

# 登录Harbor
[root@fgedu-client ~]# docker login harbor.fgedu.net.cn
Username: admin
Password: Harbor@123
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning.
Login Succeeded

# 创建项目
[root@fgedu-client ~]# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects" \
-u admin:Harbor@123 \
-H "Content-Type: application/json" \
-d '{
"project_name": "fgedu-apps",
"public": false,
"metadata": {
"public": "false"
}
}'

# 标记镜像
[root@fgedu-client ~]# docker tag nginx:latest harbor.fgedu.net.cn/fgedu-apps/nginx:v1.0

# 推送镜像
[root@fgedu-client ~]# docker push harbor.fgedu.net.cn/fgedu-apps/nginx:v1.0
The push refers to repository [harbor.fgedu.net.cn/fgedu-apps/nginx]
d874fe2a5a65: Pushed
32eceb2655b3: Pushed
f5b12e3eabf4: Pushed
e0a366e5a5ed: Pushed
v1.0: digest: sha256:abc123 size: 1365

# 拉取镜像
[root@fgedu-client ~]# docker pull harbor.fgedu.net.cn/fgedu-apps/nginx:v1.0
v1.0: Pulling from fgedu-apps/nginx
Digest: sha256:abc123
Status: Downloaded newer image for harbor.fgedu.net.cn/fgedu-apps/nginx:v1.0

# 查看镜像列表
[root@fgedu-client ~]# curl -s -u admin:Harbor@123 "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-apps/repositories" | jq '.[] | {name, tags_count}'
{
"name": "fgedu-apps/nginx",
"tags_count": 1
}
{
"name": "fgedu-apps/webapp",
"tags_count": 3
}

Part03-镜像安全扫描

3.1 Trivy扫描配置

# 启用镜像扫描
[root@fgedu-harbor ~]# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-apps/scanners" \
-u admin:Harbor@123 \
-H "Content-Type: application/json" \
-d '{"uuid": "trivy-scanner"}'

# 扫描镜像
[root@fgedu-harbor ~]# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-apps/repositories/nginx/artifacts/v1.0/scan" \
-u admin:Harbor@123

# 查看扫描结果
[root@fgedu-harbor ~]# curl -s -u admin:Harbor@123 \
"https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-apps/repositories/nginx/artifacts/v1.0/additions/vulnerabilities" | jq '.vulnerabilities | length'
15

[root@fgedu-harbor ~]# curl -s -u admin:Harbor@123 \
"https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-apps/repositories/nginx/artifacts/v1.0/additions/vulnerabilities" | jq '.vulnerabilities[] | select(.severity == "CRITICAL") | {id, package, severity}'
{
"id": "CVE-2024-12345",
"package": "openssl",
"severity": "CRITICAL"
}

# 配置扫描策略
[root@fgedu-harbor ~]# cat > /tmp/scan-policy.json << 'EOF'
{
  "type": "Schedule",
  "schedule": {
    "type": "Hourly",
    "cron": "0 0 * * * *"
  }
}
EOF
[root@fgedu-harbor ~]# curl -X PUT "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-apps/vulnerability/policies" \
-u admin:Harbor@123 \
-H "Content-Type: application/json" \
-d @/tmp/scan-policy.json

# 配置镜像签名
[root@fgedu-harbor ~]# cat > /tmp/sign-policy.json << 'EOF'
{
  "project_id": 1,
  "severity": "high",
  "cvss_score_above_7": true,
  "block_new_images": true,
  "scan_images_on_push": true
}
EOF

Part04-镜像仓库监控

4.1 监控配置

# 创建Harbor监控脚本
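[root@fgedu-harbor ~]# cat > /usr/local/bin/harbor-monitor.sh << 'EOF'
#!/bin/bash
# harbor-monitor.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
#
# Prints a status report for the Harbor instance: container state, project,
# storage and repository statistics, scan metrics and the latest pushes.
# Settings (all optional; the defaults match this tutorial's deployment):
#   HARBOR_URL       base URL of the Harbor instance
#   HARBOR_USER      API user
#   HARBOR_PASSWORD  API password -- supply it from a root-only environment
#                    file and remove the fallback below instead of editing it
#   HARBOR_PROJECT   project whose scan metrics are reported
set -o pipefail

HARBOR_URL=${HARBOR_URL:-https://harbor.fgedu.net.cn}
HARBOR_USER=${HARBOR_USER:-admin}
HARBOR_PASSWORD=${HARBOR_PASSWORD:-Harbor@123}
HARBOR_PROJECT=${HARBOR_PROJECT:-fgedu-apps}
readonly HARBOR_URL HARBOR_USER HARBOR_PASSWORD HARBOR_PROJECT

# harbor_api METHOD PATH [curl options...]: call the v2.0 API, print the body.
# -f turns an HTTP error into a non-zero exit status instead of feeding an
# error page to jq; the credentials go through a curl config file (process
# substitution) so they do not show up in the process list. The password must
# not contain a double quote, which would break the config-file syntax.
harbor_api() {
  local method=$1 path=$2
  shift 2
  curl -fsS -X "$method" \
    -K <(printf 'user = "%s:%s"\n' "$HARBOR_USER" "$HARBOR_PASSWORD") \
    "$@" "${HARBOR_URL}/api/v2.0/${path}"
}

# report PATH FILTER: fetch an API path and format it with a jq filter;
# a failed request is reported on stderr instead of silently printing nothing.
report() {
  local path=$1 filter=$2
  harbor_api GET "$path" | jq "$filter" \
    || printf 'warning: request for %s failed\n' "$path" >&2
}

echo "=== Harbor镜像仓库监控 ==="
echo "监控时间: $(date)"
echo ""
echo "1. Harbor服务状态"
# Subshell: the cd must not change the working directory for the rest of the script.
(cd /opt/harbor && docker-compose ps) || printf 'warning: docker-compose ps failed\n' >&2
echo ""
echo "2. 项目统计"
report "projects" '.[] | {name, repo_count}'
echo ""
echo "3. 存储使用"
report "statistics" '{ total_projects: .total_project_count, total_repos: .total_repo_count, total_storage: .total_storage }'
echo ""
echo "4. 镜像统计"
report "repositories?limit=10" '.[] | {name, tags_count, pull_count}'
echo ""
echo "5. 安全扫描统计"
report "projects/${HARBOR_PROJECT}/scans/all/metrics" '.'
echo ""
echo "6. 最近推送"
report "logs?limit=10" '.[] | select(.operation == "push") | {username, repo_name, operation_time}'
echo ""
echo "=== 监控完成 ==="
EOF
[root@fgedu-harbor ~]# chmod +x /usr/local/bin/harbor-monitor.sh

# 配置Prometheus监控
[root@fgedu-harbor ~]# cat >> /opt/harbor/harbor.yml << 'EOF'
metric:
  enabled: true
  port: 9090
  path: /metrics
EOF
[root@fgedu-harbor ~]# cd /opt/harbor && docker-compose down && docker-compose up -d

# 配置Prometheus
# Appending works only when scrape_configs: is the last section of the file;
# otherwise place this job under scrape_configs: by hand.
[root@fgedu-prometheus ~]# cat >> /etc/prometheus/prometheus.yml << 'EOF'
  - job_name: 'harbor'
    static_configs:
      - targets: ['192.168.1.100:9090']
EOF

# 配置镜像清理
[root@fgedu-harbor ~]# cat > /usr/local/bin/harbor-gc.sh << 'EOF'
#!/bin/bash
# harbor-gc.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
#
# Deletes old image versions from one project, keeping the newest KEEP_VERSIONS
# tags of every repository (newest by version sort of the tag names), and then
# triggers a manual garbage-collection run that also removes untagged artifacts.
# Settings (all optional; the defaults match this tutorial's deployment):
#   HARBOR_URL, HARBOR_USER, HARBOR_PASSWORD  as in harbor-monitor.sh
#   HARBOR_PROJECT   project to clean up
#   KEEP_VERSIONS    number of tags to keep per repository
set -o pipefail

HARBOR_URL=${HARBOR_URL:-https://harbor.fgedu.net.cn}
HARBOR_USER=${HARBOR_USER:-admin}
HARBOR_PASSWORD=${HARBOR_PASSWORD:-Harbor@123}
HARBOR_PROJECT=${HARBOR_PROJECT:-fgedu-apps}
KEEP_VERSIONS=${KEEP_VERSIONS:-5}
readonly HARBOR_URL HARBOR_USER HARBOR_PASSWORD HARBOR_PROJECT KEEP_VERSIONS

die() { printf '%s\n' "$*" >&2; exit 1; }

# harbor_api METHOD PATH [curl options...]: call the v2.0 API, print the body.
# -f turns an HTTP error into a non-zero exit status so a failed listing
# cannot be mistaken for an empty repository; credentials are passed through
# a curl config file rather than argv so they are not visible in ps output.
harbor_api() {
  local method=$1 path=$2
  shift 2
  curl -fsS -X "$method" \
    -K <(printf 'user = "%s:%s"\n' "$HARBOR_USER" "$HARBOR_PASSWORD") \
    "$@" "${HARBOR_URL}/api/v2.0/${path}"
}

echo "开始镜像清理..."

# Remove old versions, keeping the newest KEEP_VERSIONS tags per repository.
# The list endpoints paginate, so a large page is requested explicitly; the
# default page would silently leave part of a big repository untouched.
repos_json=$(harbor_api GET "projects/${HARBOR_PROJECT}/repositories?page_size=100") \
  || die "failed to list repositories of project ${HARBOR_PROJECT}"
mapfile -t repos < <(jq -r '.[].name' <<<"$repos_json")

for repo in "${repos[@]}"; do
  # The listing returns project-qualified names ("fgedu-apps/nginx"); the
  # project prefix is stripped and any "/" left in a nested repository name
  # is URL-encoded before the name is used as a path segment.
  repo_name=${repo#"${HARBOR_PROJECT}/"}
  repo_path=${repo_name//\//%2F}
  artifacts_json=$(harbor_api GET "projects/${HARBOR_PROJECT}/repositories/${repo_path}/artifacts?page_size=100") \
    || { printf 'warning: failed to list artifacts of %s, skipping\n' "$repo" >&2; continue; }
  # Untagged artifacts carry "tags": null; the "?" keeps jq from aborting on them.
  mapfile -t old_tags < <(jq -r '.[].tags[]?.name' <<<"$artifacts_json" \
    | sort -V | head -n "-${KEEP_VERSIONS}")
  for tag in "${old_tags[@]}"; do
    echo "删除旧版本: $repo:$tag"
    # NOTE(review): deleting by tag reference removes the whole artifact, and
    # with it every other tag that points at the same digest -- confirm this
    # is intended, or delete only the tag via .../artifacts/<tag>/tags/<tag>.
    harbor_api DELETE "projects/${HARBOR_PROJECT}/repositories/${repo_path}/artifacts/${tag}" \
      || printf 'warning: failed to delete %s:%s\n' "$repo" "$tag" >&2
  done
done

# Trigger GC last so this run reclaims the blobs freed by the deletions above;
# delete_untagged also drops artifacts that lost their last tag.
harbor_api POST "system/gc/schedule" \
  -H "Content-Type: application/json" \
  -d '{ "schedule": { "type": "Manual" }, "delete_untagged": true }' \
  || die "failed to trigger garbage collection"
echo "清理完成"
EOF
[root@fgedu-harbor ~]# chmod +x /usr/local/bin/harbor-gc.sh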
风哥针对镜像仓库建议:

  • 配置高可用架构
  • 启用镜像安全扫描
  • 实施镜像签名验证
  • 配置存储清理策略
  • 监控仓库性能指标

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
