Harbor - 企业级 Docker 私有仓库 一、安装底层需求 一、安装底层需求 Python应该是 应该是2.7或更高版本 或更高版本 Docker引擎应为 引擎应为1.10或更高版本 或更高版本 Docker Compose需要为 需要为1.6.0或更高版本 或更高版本 docker-compose： ：curl -L https://github.com/docker/compose/releases/download/1 com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose 二、 二、Harbor 安装： 安装：Harbor 官方地址： 官方地址：https://github.com/vmware/harbor/releases 1、解压软件包： 、解压软件包：tar xvf 6、上传镜像进行上传测试 、上传镜像进行上传测试 a、指定镜像仓库地址 、指定镜像仓库地址 vim /etc/docker/daemon.json { "insecure-registries": ["serverip"] } b、下载测试镜像 、下载测试镜像 docker pull hello-world c、给镜像重新打标签 、给镜像重新打标签 docker tag hello-world

Harbor开源项目 容器镜像远程复制的实现 Henry Zhang (张海宁) Chief Architect VMWare China 自我介绍 • VMware中国研发首席架构师 • Harbor开源企业级容器Registry项目创始人 • Cloud Foundry中国社区最早技术布道师之一 • 多年全栈工程师 • 《区块链技术指南》、《软件定义存储》作者之一 亨利笔记 《区块链技术指南》 No Do you recommend Harbor to others? (%) Survey based on Chinese user community, 53 responses Docker Container Lifecycle: Build-Ship-Run Build-Ship-Run through Registry Cloud • Registry is a key and easy deployment 14 Project Harbor - Microservices Architecture Basic Registry (Docker Distribution) Docker Client Revers e Proxy (Nginx) API Harbor Browser Auth UI DB (MySQL) AD / LDAP

Registry实现高效安全的容 器镜像运维 姜坦 VMware中国研发中心资深研发工程师 Runtime Package Cluster 开场 1 镜像运维 2 开源企业级镜像仓库-Harbor 3 集成Harbor 4 总结 议程 4 Registry 镜像 Images Push Pull • 镜像存储仓库 • 分发镜像的媒介 • 访问控制和镜像管理较佳节点 Registry – 镜像管理的重要部件 • 基础镜像 ubuntu:latest 可能在不同构建时间会有差别 • 即使 ubuntu:14.04 也可能会有改变（补丁不同） • apt-get (curl, wget..) 无法保证安装同样的软件包 • ADD 依赖构建时候的文件 5 例子: FROM ubuntu RUN /myapp/app.jar 同一个 Dockerfile 始终生成同一个镜像? • 容器镜像贯穿软件生命周期各个阶段 – 开发 – 测试 – 准生产 – 产线 • 镜像一致性重要性 – 版本控制 – 问题追踪 – 审计 6 二进制格式 镜像一致性 • 企业用户通常把镜像存放在组织内部 – 知识产权不泄漏 – 高效率: LAN vs WAN

基于Harbor的高可用企业级私有容器 镜像仓库部署实践 Tony Bai @Neusoft Cloud Technology About Me • 白明 (Tony Bai) • @Neusoft Cloud Technology • Gopher • Translator & Author • GopherChina lecturer • Blogger • mainly mainly focus on docker & kubernetes recently 五年前 Now Linux container(LXC) by Google at 2008 namespaces Cgroups + Developer eXperience(DX) + Union File System Docker by dotCloud at at 2013 After 4 years docker run ubuntu “echo hello” Solaris container by Sun at 2005 build, ship and run any app and anywhere What is Docker Docker bring us 1. 交付标准化 2. 执行高效化 3

Downloads Stars Users 55 Contributors 700+ Forks 6 Partners 10 Harbor Architecture 11 Docker client Nginx API Harbor Browser Auth UI DB AD / LDAP Core Service Log Collector ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... docker pull ... docker pull/push ... Other security considerations • Enable content trust by installing Master-Slave Replication 27 ����.��� ����.����.� Docker Client ���� Docker host Docker host ���� Docker host Docker host Docker host Docker host • �������������� • �������.���������

4 4.1 Docker-ce 安装 ............................................................................................................................................................. 4 4.2 Docker-compose ...................................................................... 5 4.4 制作 harbor-core-base 镜像(可选) .............................................................................................. Harbor 环境搭建指导书 – CentOS 7.6 1 软件介绍 1 1 软件介绍 Harbor 是构建企业级私有 docker 镜像的仓库的开源解决方案，是 Docker Registry 的更 高级封装。除了提供友好的 Web UI 界面，角色和用户权限管理，用户操作审计等功能 外，还整合了 K8s 的插件(Add-ons)仓库，即 Helm

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control ����LDAP/AD�� ���� �� Members �� Images ���Guest�: ����Developer�: ����Admin�: docker pull ... docker pull/push ... �� operation & management Settings ���� ���� • ���������� ������ �������� • ���������� ��Digest� Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest ����� ����� Verify signature status

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control ����LDAP/AD�� ���� �� Members �� Images ���Guest�: ����Developer�: ����Admin�: docker pull ... docker pull/push ... �� operation & management Settings ���� ���� • ���������� ������ �������� • ���������� ��Digest� Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest ����� ����� Verify signature status

Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging Docker Kubernetes 14 Publicly Referenceable Customers Agenda 1 Containers 101 2 Introduction to Harbor 21 Role-Based Access Control (RBAC) 22 Members Images Guest: Developer: Admin: docker pull ... docker pull/push Project operation & management Settings Other security considerations • trust for image provenance 24 Registry Notary 1. docker push tag 2. Signature of tag’s manifest 3. Verify signature status, fetch digest. 4. docker pull $digest Image Creator Image Consumer Verify

Using a Harbor registry, you can host container images in a local, private Docker registry. Harbor is an extension of the basic Docker registry that implements access controls, identity management, and a graphical of the VMs in the cluster and login to the Harbor registry with the admin password from Step 4. docker login -u admin -p ***** https://:443 Using Harbor Chartmuseum in Tenant Clusters