
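IT Tutorial FG320 - Container Image Registry Management

1. Image Registry Overview

A container image registry is the core infrastructure for storing and distributing container images. Harbor is an enterprise-grade image registry solution.

# Check the Docker version
# docker version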
Client:
Version: 24.0.5
API version: 1.43
Go version: go1.20.6
Git commit: abc123
Built: Fri Jan 15 10:00:00 2026
OS/Arch: linux/amd64
Context: default

Server:
Engine:
Version: 24.0.5
API version: 1.43 (minimum version 1.12)
Go version: go1.20.6
Git commit: def456
Built: Fri Jan 15 10:00:00 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.0
GitCommit: ghi789
runc:
Version: 1.1.7
GitCommit: jkl012
docker-init:
Version: 0.19.0
GitCommit: mno345

# List existing images
# docker images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
nginx        latest   abc123def456   2 weeks ago   142MB
mysql        8.0      def456ghi789   3 weeks ago   577MB
redis        latest   ghi789jkl012   4 weeks ago   117MB
fgedu/app    v1.0     jkl012mno345   1 week ago    256MB

# Check Harbor service status
# docker-compose -f /opt/harbor/docker-compose.yml ps
Name                Command                           State   Ports
------------------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh             Up      0.0.0.0:80->8080/tcp,:::80->8080/tcp
harbor-db           /docker-entrypoint.sh 96 13       Up      5432/tcp
harbor-jobservice   /harbor/entrypoint.sh             Up
harbor-log          /bin/sh -c /usr/local/bin/ ...    Up      127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;              Up      8080/tcp
harbor-registry     /home/harbor/entrypoint.sh        Up      5000/tcp
harbor-redis        redis-server /etc/redis.conf      Up      6379/tcp
nginx               nginx -g daemon off;              Up      0.0.0.0:443->8443/tcp,:::443->8443/tcp

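Production recommendation from Fengge: deploy a highly available Harbor cluster, back the storage with distributed storage, and enable image signing and vulnerability scanning to keep images secure.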

2. Harbor Registry Deployment

Harbor is an enterprise-grade container image registry that provides security, management, and monitoring features.

# Download Harbor
# cd /opt
# wget https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-offline-installer-v2.10.0.tgz
--2026-04-03 10:00:00--  https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-offline-installer-v2.10.0.tgz
Resolving github.com... 192.30.255.113
Connecting to github.com|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 789123456 (752M) [application/octet-stream]
Saving to: ‘harbor-offline-installer-v2.10.0.tgz’

2026-04-03 10:10:00 (1.25 MB/s) - ‘harbor-offline-installer-v2.10.0.tgz’ saved [789123456/789123456]

# Extract the installer package
# tar -xzf harbor-offline-installer-v2.10.0.tgz
# cd harbor

# Configure Harbor
# cat harbor.yml
hostname: harbor.fgedu.net.cn
http:
  port: 80
https:
  port: 443
  certificate: /opt/harbor/cert/harbor.crt
  private_key: /opt/harbor/cert/harbor.key
harbor_admin_password: Fgedu@Harbor123
database:
  password: Fgedu@DB123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data/harbor
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: true
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.10.0

# Prepare the SSL certificate
# mkdir -p /opt/harbor/cert
# cd /opt/harbor/cert

# Generate the private key
# openssl genrsa -out harbor.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..........++++
.....++++
e is 65537 (0x010001)

# Generate the certificate signing request
# openssl req -new -key harbor.key -out harbor.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=FGedu/OU=IT/CN=harbor.fgedu.net.cn"

# Generate the self-signed certificate
# Note: this certificate names the host only in its CN. Go-based clients, Docker included,
# check the host name against subjectAltName, so a SAN entry for harbor.fgedu.net.cn is required.
# openssl x509 -req -days 3650 -in harbor.csr -signkey harbor.key -out harbor.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = FGedu, OU = IT, CN = harbor.fgedu.net.cn
Getting Private key

# Install Harbor
# Note: ChartMuseum was removed from Harbor in v2.8, so --with-chartmuseum is no longer available in the v2.10.0 installer.
# cd /opt/harbor
# ./install.sh --with-trivy --with-chartmuseum

[Step 0]: checking if docker is installed ...
Note: docker version: 24.0.5

[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.20.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v2.10.0
Loaded image: goharbor/harbor-portal:v2.10.0
Loaded image: goharbor/harbor-jobservice:v2.10.0
Loaded image: goharbor/harbor-registry:v2.10.0
Loaded image: goharbor/harbor-db:v2.10.0
Loaded image: goharbor/harbor-redis:v2.10.0
Loaded image: goharbor/nginx-photon:v2.10.0
Loaded image: goharbor/trivy-adapter-photon:v2.10.0
Loaded image: goharbor/chartmuseum-photon:v2.10.0

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /config/chartserver/env
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/certificates/tls.crt
Generated configuration file: /config/core/certificates/tls.key

[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-redis ... done
Creating harbor-db ... done
Creating harbor-registry ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done

----Harbor has been installed and started successfully.----

3. Registry Configuration Management

Registry configuration covers project configuration, storage configuration, and system settings.

# Log in to Harbor
# docker login harbor.fgedu.net.cn
Username: admin
Password: Fgedu@Harbor123
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

# Create a project (through the API)
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "project_name": "fgedu-production",
    "public": false,
    "metadata": {
      "public": "false"
    },
    "storage_limit": 107374182400
  }'

# List projects
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
[
  {
    "project_id": 1,
    "name": "library",
    "metadata": {
      "public": "true"
    }
  },
  {
    "project_id": 2,
    "name": "fgedu-production",
    "metadata": {
      "public": "false"
    },
    "creation_time": "2026-04-03T10:00:00.000Z"
  }
]

# Configure the project quota
# curl -X PUT "https://harbor.fgedu.net.cn/api/v2.0/projects/2" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "storage_limit": 214748364800
  }'

# Configure the storage backend
# cat /opt/harbor/harbor.yml
# ...
storage_service:
  ca_bundle: /path/to/ca/bundle
  filesystem:
    maxthreads: 100
  # S3 storage backend configuration
  s3:
    region: cn-north-1
    bucket: fgedu-harbor-storage
    accesskey: fgedu_access_key
    secretkey: fgedu_secret_key
    regionendpoint: https://s3.cn-north-1.amazonaws.com.cn
    encrypt: true
    keyid: my-key-id
    secure: true
    v4auth: true
    chunksize: 5242880
    rootdirectory: /harbor
    storageclass: STANDARD_IA

# Configure garbage collection
# Schedule periodic garbage collection
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/system/gc/schedule" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "schedule": {
      "type": "Weekly",
      "cron": "0 0 0 * * 0"
    },
    "delete_untagged": true
  }'

# Run garbage collection manually
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/system/gc" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz"
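
An added example, not part of the original tutorial: the Authorization: Basic value used in the API calls above is only the base64 encoding of user:password, so every script, shell history file or CI log that contains it holds the admin password. The scanner below finds such headers and reports the account without printing the password; PRIVILEGED_USERS and the sample text are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Matches an HTTP Basic credential in a curl -H argument or a log line.
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+={0,2})", re.I)
# Account names treated as privileged (assumption for this example).
PRIVILEGED_USERS = {"admin", "root"}


def find_basic_credentials(text):
    """Return one finding per distinct Basic header found in text.

    Only the password length is reported, so the scan result does not
    become another copy of the secret.
    """
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in BASIC_RE.finditer(line):
            token = match.group(1)
            if token in seen:
                continue
            seen.add(token)
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not a real credential, e.g. a placeholder
            user, sep, password = decoded.partition(":")
            if not sep:
                continue
            findings.append({
                "line": lineno,
                "user": user,
                "password_length": len(password),
                "privileged": user.lower() in PRIVILEGED_USERS,
            })
    return findings


# Constructed sample: commands in the style used on this page.
SAMPLE_SCRIPT = '''\
curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects" \\
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
curl -s "https://harbor.fgedu.net.cn/api/v2.0/health" -H "Authorization: Basic <token>"
'''

if __name__ == "__main__":
    for finding in find_basic_credentials(SAMPLE_SCRIPT):
        print(finding)
```

A privileged finding means the credential should be rotated and the calls moved to a scoped robot account whose secret is injected at run time.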

4. Image Management

Image management covers push, pull, tag, and delete operations.

# Tag an image
# docker tag nginx:latest harbor.fgedu.net.cn/fgedu-production/nginx:1.25

# Push an image
# docker push harbor.fgedu.net.cn/fgedu-production/nginx:1.25
The push refers to repository [harbor.fgedu.net.cn/fgedu-production/nginx]
5f70bf18a086: Pushed
abc123def456: Pushed
def456ghi789: Pushed
ghi789jkl012: Pushed
1.25: digest: sha256:1234567890abcdef size: 1234

# Pull an image
# docker pull harbor.fgedu.net.cn/fgedu-production/nginx:1.25
1.25: Pulling from fgedu-production/nginx
Digest: sha256:1234567890abcdef
Status: Downloaded newer image for harbor.fgedu.net.cn/fgedu-production/nginx:1.25

# List the repositories in a project
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
[
  {
    "id": 1,
    "name": "fgedu-production/nginx",
    "project_id": 2,
    "description": "",
    "pull_count": 100,
    "star_count": 0,
    "tags_count": 3,
    "creation_time": "2026-04-03T10:00:00.000Z",
    "update_time": "2026-04-03T10:30:00.000Z"
  },
  {
    "id": 2,
    "name": "fgedu-production/mysql",
    "project_id": 2,
    "description": "",
    "pull_count": 50,
    "tags_count": 2,
    "creation_time": "2026-04-03T11:00:00.000Z"
  }
]

# List image tags
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
[
  {
    "id": 1,
    "type": "IMAGE",
    "media_type": "application/vnd.docker.distribution.manifest.v2+json",
    "manifest_media_type": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:1234567890abcdef",
    "size": 142000000,
    "tags": [
      {
        "id": 1,
        "name": "1.25",
        "push_time": "2026-04-03T10:00:00.000Z",
        "pull_time": "2026-04-03T10:30:00.000Z"
      }
    ]
  }
]

# Delete an image tag
# curl -X DELETE "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts/sha256:1234567890abcdef/tags/old-tag" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz"

# Delete an image
# curl -X DELETE "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts/sha256:1234567890abcdef" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz"

# Bulk-clean untagged images
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/artifacts" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "with_tag": false,
    "with_label": false,
    "with_scan_overview": false,
    "with_signature": false,
    "with_immutable_status": false
  }'

# View image scan results
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts/sha256:1234567890abcdef?with_scan_overview=true" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq '.scan_overview'
{
  "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0": {
    "report_id": "abc123-def456",
    "scan_status": "Success",
    "severity": "High",
    "duration": 30,
    "summary": {
      "total": 15,
      "fixable": 10,
      "summary": {
        "Critical": 2,
        "High": 5,
        "Medium": 5,
        "Low": 3
      }
    },
    "start_time": "2026-04-03T10:00:00.000Z",
    "end_time": "2026-04-03T10:00:30.000Z"
  }
}

5. Security Scanning

Security scanning detects vulnerabilities and security issues in images.

# Trigger an image scan manually
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts/sha256:1234567890abcdef/scan" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz"

# Check scan status
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts/sha256:1234567890abcdef" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq '.scan_overview'
{
  "scan_status": "Success",
  "severity": "High",
  "vulnerabilities": {
    "total": 15,
    "fixable": 10
  }
}

# Get the detailed vulnerability report
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/repositories/nginx/artifacts/sha256:1234567890abcdef/additions/vulnerabilities" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
{
  "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0": {
    "GeneratedAt": "2026-04-03T10:00:30.000Z",
    "Artifact": {
      "Repository": "fgedu-production/nginx",
      "Digest": "sha256:1234567890abcdef",
      "MediaType": "application/vnd.docker.distribution.manifest.v2+json"
    },
    "Scanner": {
      "Name": "Trivy",
      "Vendor": "Aqua Security",
      "Version": "0.45.0"
    },
    "Severity": "High",
    "Vulnerabilities": [
      {
        "id": "CVE-2026-12345",
        "package": "openssl",
        "version": "1.1.1k",
        "fix_version": "1.1.1l",
        "severity": "Critical",
        "description": "Buffer overflow in OpenSSL",
        "links": ["https://nvd.nist.gov/vuln/detail/CVE-2026-12345"]
      },
      {
        "id": "CVE-2026-23456",
        "package": "curl",
        "version": "7.79.0",
        "fix_version": "7.80.0",
        "severity": "High",
        "description": "Authentication bypass in curl",
        "links": ["https://nvd.nist.gov/vuln/detail/CVE-2026-23456"]
      }
    ]
  }
}
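
An added example, not part of the original tutorial: a CI gate over the vulnerability report format shown above. It blocks an image on fixable findings at or above a chosen severity and fails closed when no report exists; the function name, the thresholds and the third sample finding (placeholder id) are assumptions constructed here.

```python
import json

# Media type key used by the report on this page.
REPORT_KEY = "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"
RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def evaluate_report(raw_json, fail_at="High", fixable_only=True):
    """Return (passed, blocking_ids) for one artifact's vulnerability report.

    A finding blocks when its severity is at or above fail_at. With
    fixable_only=True, findings without a fix_version do not block, because
    a rebuild cannot remove them; track those as explicit exceptions.
    """
    report = json.loads(raw_json).get(REPORT_KEY)
    if report is None:
        return False, ["NO_SCAN_REPORT"]  # never scanned: fail closed
    # The sample on this page uses "Vulnerabilities"; accept lower case too.
    vulns = report.get("Vulnerabilities") or report.get("vulnerabilities") or []
    blocking = []
    for vuln in vulns:
        rank = RANK.get(vuln.get("severity"), 0)  # unknown severities rank lowest
        if rank < RANK[fail_at]:
            continue
        if fixable_only and not vuln.get("fix_version"):
            continue
        blocking.append((rank, vuln["id"]))
    blocking.sort(key=lambda item: (-item[0], item[1]))  # worst first
    return not blocking, [vuln_id for _, vuln_id in blocking]


# Constructed sample: the two findings shown above plus one constructed
# Critical finding with no fixed version (placeholder id).
SAMPLE_REPORT = json.dumps({REPORT_KEY: {
    "Severity": "High",
    "Vulnerabilities": [
        {"id": "CVE-2026-23456", "package": "curl", "version": "7.79.0",
         "fix_version": "7.80.0", "severity": "High"},
        {"id": "CVE-2026-12345", "package": "openssl", "version": "1.1.1k",
         "fix_version": "1.1.1l", "severity": "Critical"},
        {"id": "CVE-PLACEHOLDER-0001", "package": "zlib", "version": "1.2.11",
         "fix_version": "", "severity": "Critical"},
    ],
}})

if __name__ == "__main__":
    passed, blocking = evaluate_report(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL", blocking)
```

In a pipeline, the curl output of the additions/vulnerabilities call is passed in as raw_json and a failed result stops the promotion step.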

# Configure automatic scanning
# curl -X PUT "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "auto_scan": "true"
    }
  }'

6. Access Control

Access control manages user permissions and project access.

# Create a user
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/users" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "fgedu_dev",
    "email": "dev@fgedu.net.cn",
    "realname": "FGedu Developer",
    "password": "Fgedu@Dev123",
    "comment": "Development team user"
  }'

# Create a robot account
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/robots" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-robot",
    "description": "CI/CD pipeline robot",
    "permissions": [
      {
        "kind": "push",
        "namespace": "fgedu-production"
      },
      {
        "kind": "pull",
        "namespace": "fgedu-production"
      }
    ],
    "duration": 31536000
  }'

# List robot accounts
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/robots" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
[
  {
    "id": 1,
    "name": "ci-robot",
    "description": "CI/CD pipeline robot",
    "expires_at": 1712120400,
    "creation_time": "2026-04-03T10:00:00.000Z",
    "update_time": "2026-04-03T10:00:00.000Z"
  }
]

# Configure project members
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/members" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": 2,
    "member_user": {
      "user_id": 3
    }
  }'

# Role IDs:
# 1 - Project admin
# 2 - Developer
# 3 - Guest
# 4 - Maintainer

7. Image Replication

Image replication synchronizes images across registries. Author: www.itpux.com

# Create a replication target
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/registries" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "remote-harbor",
    "type": "harbor",
    "url": "https://harbor-dr.fgedu.net.cn",
    "credential": {
      "type": "basic",
      "access_key": "admin",
      "access_secret": "Fgedu@DR123"
    },
    "insecure": false
  }'

# Create a replication rule
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/replication/policies" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-to-dr",
    "description": "Replicate production images to DR site",
    "src_registry": {
      "id": 1
    },
    "dest_registry": {
      "id": 2
    },
    "dest_namespace": "fgedu-production",
    "trigger": {
      "type": "event_based",
      "trigger_settings": {
        "resource_filter": {
          "deletion": false,
          "name_pattern": "**",
          "tag_pattern": "**"
        }
      }
    },
    "filters": [
      {
        "type": "name",
        "value": "fgedu-production/**"
      }
    ],
    "enabled": true,
    "override": true,
    "speed": -1
  }'

# Trigger replication manually
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/replication/executions" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": 1
  }'

# Check replication status
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/replication/executions" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
[
  {
    "id": 1,
    "policy_id": 1,
    "status": "Success",
    "total": 10,
    "failed": 0,
    "succeed": 10,
    "in_progress": 0,
    "start_time": "2026-04-03T10:00:00.000Z",
    "end_time": "2026-04-03T10:05:00.000Z"
  }
]

8. Backup and Restore

Backup and restore keep the registry data safe.

# Back up the Harbor configuration
# tar -czvf harbor-backup-$(date +%Y%m%d).tar.gz /opt/harbor/harbor.yml /data/harbor/database /data/harbor/redis

# Back up image data
# Back up the storage volume with a snapshot
# lvcreate -L 100G -s -n harbor-snap /dev/vg_data/lv_harbor
Logical volume "harbor-snap" created.

# Export the image list
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq -r '.[].name' > projects.txt

# for project in $(cat projects.txt); do
    curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/$project/repositories" \
      -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq -r '.[].name' >> repositories.txt
  done

# Restore Harbor
# Stop the services
# docker-compose -f /opt/harbor/docker-compose.yml down

# Restore the data
# tar -xzvf harbor-backup-20260403.tar.gz -C /

# Start the services
# docker-compose -f /opt/harbor/docker-compose.yml up -d

# Verify the restore
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/systeminfo" | jq
{
  "harbor_version": "v2.10.0",
  "registry_url": "harbor.fgedu.net.cn",
  "external_url": "https://harbor.fgedu.net.cn",
  "auth_mode": "db_auth",
  "project_creation_restriction": "everyone"
}

9. Monitoring and Alerting

Monitoring and alerting keep the registry running reliably.

# View system statistics
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/statistics" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
{
  "total_project_count": 10,
  "public_project_count": 1,
  "public_repo_count": 5,
  "total_repo_count": 50,
  "total_storage_usage": 107374182400
}

# Check system health
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/health" | jq
{
  "status": "healthy",
  "components": [
    {
      "name": "core",
      "status": "healthy"
    },
    {
      "name": "portal",
      "status": "healthy"
    },
    {
      "name": "registry",
      "status": "healthy"
    },
    {
      "name": "registryctl",
      "status": "healthy"
    },
    {
      "name": "database",
      "status": "healthy"
    },
    {
      "name": "jobservice",
      "status": "healthy"
    },
    {
      "name": "redis",
      "status": "healthy"
    },
    {
      "name": "trivy",
      "status": "healthy"
    }
  ]
}

# Configure webhook notifications
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/webhook/policies" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "image-push-notification",
    "description": "Notify on image push events",
    "targets": [
      {
        "type": "http",
        "address": "https://api.fgedu.net.cn/webhook/harbor",
        "auth_header": "Bearer token123"
      }
    ],
    "event_types": [
      "PUSH_ARTIFACT",
      "DELETE_ARTIFACT",
      "SCANNING_FAILED",
      "SCANNING_COMPLETED"
    ],
    "enabled": true
  }'
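
An added example, not part of the original tutorial: the receiving side of the webhook policy above, which checks the auth_header value in constant time before trusting an event. The payload field names (type, operator, event_data) follow Harbor's webhook format as an assumption, and ALERT_ON and the sample deliveries are constructed for this example.

```python
import hmac
import json

# Event types subscribed to by the policy on this page.
SUBSCRIBED = {"PUSH_ARTIFACT", "DELETE_ARTIFACT", "SCANNING_FAILED", "SCANNING_COMPLETED"}
# Events escalated to an alert instead of a log entry (assumption).
ALERT_ON = {"DELETE_ARTIFACT", "SCANNING_FAILED"}


def handle_webhook(headers, body, expected_auth):
    """Validate one delivery and return (http_status, action, detail)."""
    supplied = headers.get("Authorization", "")
    # Constant-time comparison: timing must not reveal how much matched.
    if not hmac.compare_digest(supplied.encode(), expected_auth.encode()):
        return 401, "reject", "bad or missing Authorization header"
    try:
        event = json.loads(body)
        event_type = event["type"]
        data = event["event_data"]
        repo = data["repository"]["repo_full_name"]
        digests = sorted({r["digest"] for r in data.get("resources") or []})
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, "reject", "malformed payload"
    if not isinstance(event_type, str) or event_type not in SUBSCRIBED:
        return 400, "reject", "unexpected event type"
    action = "alert" if event_type in ALERT_ON else "log"
    detail = "%s by %s on %s %s" % (event_type, event.get("operator", "?"), repo, digests)
    return 200, action, detail


def sample_delivery(event_type):
    """Constructed payload in the shape assumed above."""
    return json.dumps({
        "type": event_type,
        "operator": "admin",
        "event_data": {
            "repository": {"repo_full_name": "fgedu-production/nginx"},
            "resources": [{"digest": "sha256:1234567890abcdef", "tag": "1.25"}],
        },
    })


if __name__ == "__main__":
    token = "Bearer token123"  # value from the policy above; load it from a secret store
    for auth, kind in ((token, "PUSH_ARTIFACT"), ("Bearer guess", "PUSH_ARTIFACT"),
                       (token, "DELETE_ARTIFACT")):
        print(handle_webhook({"Authorization": auth}, sample_delivery(kind), token))
```

Web frameworks normalise header names differently, so look the header up case-insensitively when wiring this into a real endpoint.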

# View logs
# curl -s "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/logs" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" | jq
[
  {
    "log_id": 1,
    "operation": "push",
    "repository": "fgedu-production/nginx",
    "tag": "1.25",
    "user_id": 1,
    "username": "admin",
    "op_time": "2026-04-03T10:00:00.000Z"
  }
]

10. Production Best Practices

A production image registry should follow best practices to stay secure and stable.

# Image signing configuration
# Enable the Notary service
# Note: Notary was removed from Harbor in v2.9, so --with-notary is no longer available in the v2.10.0 installer.
# ./install.sh --with-notary

# Sign an image
# docker trust sign harbor.fgedu.net.cn/fgedu-production/nginx:1.25
Signing and pushing trust metadata for harbor.fgedu.net.cn/fgedu-production/nginx:1.25
Enter passphrase for root key with ID abc1234:
Enter passphrase for new repository key with ID def5678:
Repeat passphrase for new repository key with ID def5678:
Finished initializing "harbor.fgedu.net.cn/fgedu-production/nginx"
Successfully signed harbor.fgedu.net.cn/fgedu-production/nginx:1.25

# Verify the signature
# docker trust inspect harbor.fgedu.net.cn/fgedu-production/nginx:1.25
[
  {
    "SignedTags": [
      {
        "SignedTag": "1.25",
        "Digest": "sha256:1234567890abcdef",
        "Signers": [
          "admin"
        ]
      }
    ],
    "Signers": {}
  }
]

# Configure tag immutability
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/projects/fgedu-production/immutabletagrules" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "tag_filter": "v*",
    "disabled": false
  }'

# Configure a retention policy
# curl -X POST "https://harbor.fgedu.net.cn/api/v2.0/retentions" \
  -H "Authorization: Basic YWRtaW46RmdlZHVASGFyYm9yMTIz" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "or",
    "rules": [
      {
        "template": "latestPushedK",
        "params": {
          "latestPushedK": 10
        },
        "tag_selectors": [
          {
            "kind": "doublestar",
            "decoration": "matches",
            "pattern": "**"
          }
        ],
        "scope_selectors": {
          "repository": [
            {
              "kind": "doublestar",
              "decoration": "repoMatches",
              "pattern": "**"
            }
          ]
        }
      }
    ],
    "scope": {
      "level": "project",
      "ref": 2
    },
    "trigger": {
      "kind": "Schedule",
      "settings": {
        "cron": "0 0 0 * * *"
      }
    }
  }'

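Production recommendation from Fengge: enable image signing and vulnerability scanning, configure strict access control policies, back up configuration and data regularly, set up monitoring and alerting, use image retention policies to manage storage space, and deploy a highly available architecture to ensure service continuity.

This article was compiled and published by Fengge Tutorials (风哥教程) for learning and testing purposes only. Please credit the source when reposting: http://www.fgedu.net.cn/10327.html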
