
17. [docker] Installing a Private Registry (Harbor) and Integrating with Portainer


1. Required utilities: Docker, Docker-compose
 - Note: Harbor uses SSL by default and needs a certificate, but for this test build it communicates over plain http without https

## Install Docker
[root@Harbor harbor]# curl -s https://get.docker.com | sudo sh
 
 
## Install docker-compose
[root@Harbor harbor]# curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
[root@Harbor harbor]# chmod +x /usr/local/bin/docker-compose
[root@Harbor harbor]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
[root@Harbor harbor]# docker-compose -version
docker-compose version 1.24.1, build 4667896b
 
 
## Download and extract Harbor
[root@Harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
[root@Harbor ~]# tar zxvf harbor-offline-installer-v1.10.1.tgz
[root@Harbor ~]# cd harbor
[root@Harbor harbor]# ll
total 662128
drwxr-xr-x 3 root root        20 Sep 16 16:34 common
-rw-r--r-- 1 root root      3398 Feb 10  2020 common.sh
-rw-r--r-- 1 root root      5289 Sep 16 16:34 docker-compose.yml
-rw-r--r-- 1 root root 677974489 Feb 10  2020 harbor.v1.10.1.tar.gz
-rw-r--r-- 1 root root      5888 Sep 16 15:19 harbor.yml
-rwxr-xr-x 1 root root      2284 Feb 10  2020 install.sh
-rw-r--r-- 1 root root     11347 Feb 10  2020 LICENSE
-rwxr-xr-x 1 root root      1749 Feb 10  2020 prepare
 
## Edit harbor.yml
[root@Harbor harbor]# vim harbor.yml
 
# Configuration file of Harbor
 
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
## Enter a domain or IP. For SSL communication, enter a domain
hostname: 192.168.87.100
 
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
## http port number
  port: 80
 
# https related config
## https will not be used, so comment it out
#https:
  # https port for harbor, default is 443
#  port: 443
  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
 
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
 
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
## Initial password for the Harbor web UI
harbor_admin_password: seAdmin!!9
 
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
## DB password
  password: {db password}
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 1024
 
# The default data volume
## Harbor data directory
data_volume: /data
 
## Disable iptables (firewalld)
[root@Harbor ~]# systemctl disable firewalld
[root@Harbor ~]# systemctl stop firewalld
 
 
## Start docker
[root@Harbor ~]# systemctl restart docker
 
 
## Install Harbor
[root@Harbor harbor]# ./install.sh
[root@Harbor harbor]# docker-compose ps
      Name                     Command                  State                 Ports         
---------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)                           
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp                
harbor-jobservice   /harbor/harbor_jobservice  ...   Up (healthy)                           
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp                
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp    
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp                
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp                
registryctl         /home/harbor/start.sh            Up (healthy)                        
 
 
## Harbor log location
[root@Harbor harbor]# ll
total 33896
-rw-r--r-- 1 10000 10000 3336640 Sep 21 16:29 core.log
-rw-r--r-- 1 10000 10000   35099 Sep 20 16:51 jobservice.log
-rw-r--r-- 1 10000 10000 9485443 Sep 21 16:30 portal.log
-rw-r--r-- 1 10000 10000    7923 Sep 16 16:51 postgresql.log
-rw-r--r-- 1 10000 10000 1779363 Sep 21 16:30 proxy.log
-rw-r--r-- 1 10000 10000  751257 Sep 21 16:25 redis.log
-rw-r--r-- 1 10000 10000 7056341 Sep 21 16:30 registryctl.log
-rw-r--r-- 1 10000 10000 8052506 Sep 21 16:30 registry.log
 
## Note: on docker-compose restart, some containers occasionally fail to restart.
## This is mostly because harbor-log comes up late; restart the containers that failed individually.

 

2. Configuration change to switch from https (default) to http

## On the workers, Portainer, etc. that point at Harbor, add the following to the docker configuration and restart docker.
## Harbor IP: 192.168.87.100
[root@Docker-Worker1 ~]# cat /etc/docker/daemon.json
{
  "insecure-registries" : ["192.168.87.100:80"]
}
 
[root@Docker-Worker1 ~]# systemctl restart docker
 
 
## Containers running as docker swarm services are replicated (rescheduled) when docker restarts.
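As an added example (not from this post or from the Harbor project), the following Python script audits the harbor.yml settings edited in section 1 together with the client daemon.json from section 2: it flags the plaintext http setup, a default or placeholder password, and any mismatch between Harbor's hostname:port and the insecure-registries entry. The sample configs are constructed inline, and the minimal YAML parser handles only the flat, one-level-nested layout harbor.yml uses.

```python
import json
import re

# Constructed samples mirroring the page's harbor.yml and daemon.json (comments dropped).
HARBOR_YML = """\
hostname: 192.168.87.100
http:
  port: 80   # redirects to https when https is enabled
#https:
harbor_admin_password: Harbor12345
database:
  password: {db password}
"""
DAEMON_JSON = '{"insecure-registries": ["192.168.87.100:80"]}'


def parse_harbor_yml(text):
    """Parse the flat / one-level-nested subset of YAML that harbor.yml uses."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"\s#", raw, maxsplit=1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                    # blank or commented out
        key, _, val = line.strip().partition(":")
        if line.startswith(" "):                        # nested under current section
            cfg.setdefault(section, {})[key] = val.strip()
        elif val.strip() == "":                         # section header such as "http:"
            section, cfg[key] = key, cfg.get(key, {})
        else:
            cfg[key] = val.strip()
    return cfg


def audit(harbor_yml, daemon_json):
    """Findings a reviewer would raise before clients push to this registry."""
    cfg, findings = parse_harbor_yml(harbor_yml), []
    endpoint = cfg.get("hostname", "") + ":" + cfg.get("http", {}).get("port", "80")
    if "https" not in cfg:
        findings.append(f"https disabled: logins and layers to {endpoint} travel in clear text")
    pw = cfg.get("harbor_admin_password", "")
    if pw in ("", "Harbor12345") or len(pw) < 8:        # Harbor12345 is Harbor's shipped default
        findings.append("harbor_admin_password is the default or too short")
    if re.fullmatch(r"\{.*\}|", cfg.get("database", {}).get("password", "")):
        findings.append("database.password is an unfilled placeholder")
    trusted = json.loads(daemon_json).get("insecure-registries", [])
    if "https" not in cfg and endpoint not in trusted:
        findings.append(f"daemon.json lacks {endpoint} in insecure-registries; docker push will fail")
    for reg in trusted:
        if reg != endpoint:
            findings.append(f"daemon.json trusts unrelated plaintext registry {reg}")
    return findings
```

Running `audit(HARBOR_YML, DAEMON_JSON)` on the constructed samples returns three findings (plaintext http, default admin password, placeholder DB password) and none for the daemon.json entry, which matches Harbor's endpoint.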

 

3. Harbor registry test

- Create the test project and the levi user in Harbor and grant permissions

## On the worker, pull ubuntu from docker.io and then push it to Harbor
## A tag must be set for the push
 
 
## Log in to Harbor
[root@Docker-Worker1 ~]# docker login 192.168.87.100:80
Username: levi
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 
Login Succeeded
 
## Pull ubuntu
[root@Docker-Worker1 ~]# docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
e6ca3592b144: Pull complete
534a5505201d: Pull complete
990916bd23bb: Pull complete
Digest: sha256:cbcf86d7781dbb3a6aa2bcea25403f6b0b443e20b9959165cf52d2cc9608e4b9
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest
 
## Check the image
[root@Docker-Worker1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              bb0eaf4eee00        4 days ago          72.9MB
nginx               latest              7e4d58f0e5f3        10 days ago         133MB
centos              <none>              0d120b6ccaa8        5 weeks ago         215MB
 
## Change the tag
[root@Docker-Worker1 ~]# docker tag ubuntu 192.168.87.100:80/test/ubuntu
[root@Docker-Worker1 ~]# docker images
REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE
192.168.87.100:80/test/ubuntu   latest              bb0eaf4eee00        4 days ago          72.9MB
ubuntu                       latest              bb0eaf4eee00        4 days ago          72.9MB
nginx                        latest              7e4d58f0e5f3        10 days ago         133MB
centos                       <none>              0d120b6ccaa8        5 weeks ago         215MB
 
## Push to Harbor
[root@Docker-Worker1 ~]# docker push 192.168.87.100:80/test/ubuntu
The push refers to repository [192.168.87.100:80/test/ubuntu]
128fa0b0fb81: Pushed
c0151ca45f27: Pushed
b2fd17df2071: Pushed
latest: digest: sha256:028d7303257c7f36c721b40099bf5004a41f666a54c0896d5f229f1c0fd99993 size: 943

 

- Check in Harbor

 

4. Integrating with Portainer: Registries - Add registry

 

5. Image pull test

 

6. Image export and import
- A tag must be specified when exporting. The latest tag that is attached by default when no tag is specified cannot be exported.
- The image must be retagged in Harbor.

- In Portainer, an image export is downloaded as a tar, and an import is also done in tar form.

 

7. Adding Clair: an image vulnerability scanning tool; its images must be loaded together when installing Harbor.

## Install
[root@Harbor harbor]# ./install.sh --with-clair --with-chartmuseum