From 24639cc41c5ea1e2471bd414afc2f92c9bf9c2ad Mon Sep 17 00:00:00 2001 From: lu Date: Fri, 8 Jun 2018 09:22:43 +0800 Subject: [PATCH] =?UTF-8?q?=E5=8D=87=E7=BA=A7harbor=E7=89=88=E6=9C=AC?= =?UTF-8?q?=E5=88=B01.5.1=EF=BC=8C=E8=B0=83=E6=95=B4=E5=AE=89=E8=A3=85?= =?UTF-8?q?=E8=B7=AF=E5=BE=84=E4=B8=BA/data/harbor=EF=BC=8C=E4=BF=AE?= =?UTF-8?q?=E5=A4=8D=E5=AE=89=E8=A3=85=E8=A7=A3=E5=8E=8B=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/guide/harbor.md | 14 ++-- roles/harbor/tasks/main.yml | 16 +++-- roles/harbor/templates/harbor.cfg.j2 | 101 +++++++++++++++++++++++---- 3 files changed, 107 insertions(+), 24 deletions(-) diff --git a/docs/guide/harbor.md b/docs/guide/harbor.md index 0af4cea..a22b016 100644 --- a/docs/guide/harbor.md +++ b/docs/guide/harbor.md @@ -4,7 +4,7 @@ Habor是由VMWare中国团队开源的容器镜像仓库。事实上,Habor是 ### 安装步骤 -1. 在deploy节点下载最新的 [docker-compose](https://github.com/docker/compose/releases) 二进制文件,改名后把它放到项目 `/etc/ansible/bin`目录下,后续版本会一起打包进百度云盘`k8s.xxx.tar.gz`文件中,可以省略该步骤 +1. 在deploy节点下载最新的 [docker-compose](https://github.com/docker/compose/releases) 二进制文件,改名后把它放到项目 `/etc/ansible/bin`目录下,后续版本会一起打包进百度云盘`k8s.xxx.tar.gz`文件中,可以省略该步骤。注:k8s.1102.tar.gz已集成该工具 ``` bash wget https://github.com/docker/compose/releases/download/1.18.0/docker-compose-Linux-x86_64 @@ -12,7 +12,9 @@ mv docker-compose-Linux-x86_64 /etc/ansible/bin/docker-compose ``` 2. 在deploy节点下载最新的 [harbor](https://github.com/vmware/harbor/releases) 离线安装包,把它放到项目 `/etc/ansible/down` 目录下,也可以从分享的百度云盘下载 -3. 在deploy节点编辑/etc/ansible/hosts文件,可以参考 `example`目录下的模板,修改部分举例如下 +3. 由于ansible解压的一些问题,需要将官方的tgz包,重新打包为zip包 + +4. 在deploy节点编辑/etc/ansible/hosts文件,可以参考 `example`目录下的模板,修改部分举例如下 ``` bash # 如果启用harbor,请配置后面harbor相关参数 
@@ -126,7 +128,7 @@ type: kubernetes.io/dockerconfigjson + 日志目录 `/var/log/harbor` + 数据目录 `/data` ,其中最主要是 `/data/database` 和 `/data/registry` 目录,如果你要彻底重新安装harbor,删除这两个目录即可 -先进入harbor安装目录 `cd /opt/harbor`,常规操作如下: +先进入harbor安装目录 `cd /data/harbor`,常规操作如下: 1. 暂停harbor `docker-compose stop` : docker容器stop,并不删除容器 2. 恢复harbor `docker-compose start` : 恢复docker容器运行 @@ -151,7 +153,7 @@ type: kubernetes.io/dockerconfigjson ``` bash # 进入harbor解压缩后的目录,停止harbor -cd /opt/harbor +cd /data/harbor docker-compose down # 备份这个目录 @@ -159,7 +161,7 @@ cd .. mkdir -p /backup && mv harbor /backup/harbor # 下载更新的离线安装包,并解压 -tar zxvf harbor-offline-installer-v1.2.2.tgz -C /opt +tar zxvf harbor-offline-installer-v1.2.2.tgz -C /data # 使用官方数据库迁移工具,备份数据库,修改数据库连接用户和密码,创建数据库备份目录 # 迁移工具使用docker镜像,镜像tag由待升级到目标harbor版本决定,这里由 1.1.2升级到1.2.2,所以使用 tag 1.2 @@ -171,7 +173,7 @@ docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mys docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator:1.2 up head # 修改新版本 harbor.cfg配置,需要保持与老版本相关配置项保持一致,然后执行安装即可 -cd /opt/harbor +cd /data/harbor vi harbor.cfg ./install.sh diff --git a/roles/harbor/tasks/main.yml b/roles/harbor/tasks/main.yml index c1549dd..991c067 100644 --- a/roles/harbor/tasks/main.yml +++ b/roles/harbor/tasks/main.yml @@ -1,6 +1,12 @@ - name: 下载docker compose 二进制文件 copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755 +- name: 创建data目录 + file: + path: /data + state: directory + mode: 0755 + # 注册变量result,根据result结果判断是否已经安装过harbor # result|failed 说明没有安装过harbor,下一步进行安装 # result|succeeded 说明已经安装过harbor,下一步跳过安装 
@@ -11,14 +17,14 @@
 
 - name: 解压harbor离线安装包
   unarchive:
-    src: "{{ base_dir }}/down/harbor-offline-installer-v1.2.2.tgz"
-    dest: /opt
+    src: "{{ base_dir }}/down/harbor-offline-installer-v1.5.1.zip"
+    dest: /data
     copy: yes
     keep_newer: yes
   when: result is failed
 
 - name: 导入harbor所需 docker images
-  shell: "{{ bin_dir }}/docker load -i /opt/harbor/harbor.v1.2.2.tar.gz"
+  shell: "{{ bin_dir }}/docker load -i /data/harbor/harbor.v1.5.1.tar.gz"
   when: result is failed
 
 - name: 创建harbor证书请求
@@ -34,11 +40,11 @@
   when: result is failed
 
 - name: 配置 harbor.cfg 文件
-  template: src=harbor.cfg.j2 dest=/opt/harbor/harbor.cfg
+  template: src=harbor.cfg.j2 dest=/data/harbor/harbor.cfg
   when: result is failed
 
 - name: 安装 harbor
-  shell: "cd /opt/harbor && \
+  shell: "cd /data/harbor && \
          export PATH={{ bin_dir }}:$PATH && \
          ./install.sh"
   when: result is failed
diff --git a/roles/harbor/templates/harbor.cfg.j2 b/roles/harbor/templates/harbor.cfg.j2
index 6d766e5..1e0692b 100644
--- a/roles/harbor/templates/harbor.cfg.j2
+++ b/roles/harbor/templates/harbor.cfg.j2
@@ -1,5 +1,7 @@
 ## Configuration file of Harbor
 
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version = 1.5.0
 #The IP address or hostname to access admin UI and registry service.
 #DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
 hostname = {{ NODE_IP }}
@@ -8,11 +10,8 @@ hostname = {{ NODE_IP }}
 #It can be set to https if ssl is enabled on nginx.
 ui_url_protocol = https
 
-#The password for the root user of mysql db, change this before any production use.
-db_password = Harbor12345
-
 #Maximum number of job workers in job service
-max_job_workers = 3
+max_job_workers = 50
 
 #Determine whether or not to generate certificate for the registry's token.
 #If the value is on, the prepare script creates new root cert and private key
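Review bot: The `src:` line hands `harbor-offline-installer-v1.5.1.zip` to `unarchive` and the `shell:` line then runs `docker load` on `/data/harbor/harbor.v1.5.1.tar.gz`, and neither step verifies the package, so a corrupted or altered offline bundle is extracted into `/data` and its images imported without any check. The manual tgz-to-zip repackaging the docs hunk now asks for also means the file can no longer be compared with the checksum Harbor publishes for the tgz, so the expected digest would have to be recorded in the inventory. A `stat` task on the zip with `checksum_algorithm: sha256` (delegated to the deploy node, since `copy: yes` reads `src` from the controller), registered and compared by an `assert` against that inventory value before this task, would fail the play instead of installing an unverified package.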
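Review bot: The `template:` line renders `harbor.cfg` without a `mode`, so the file lands in `/data/harbor` with whatever the default umask allows even though it carries `db_password`, `clair_db_password`, the initial admin password, `email_password` and `uaa_clientsecret` in clear text. Changing it to `template: src=harbor.cfg.j2 dest=/data/harbor/harbor.cfg mode=0600` keeps those values readable only by the account that runs `./install.sh` in the next task. The parent directory is created with `mode: 0755` in the first hunk of this file, which does not protect the file by itself.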
@@ -30,9 +29,18 @@ secretkey_path = /data
 #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
 admiral_url = NA
 
-#The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
-#Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
-clair_db_password = password
+#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+log_rotate_count = 50
+#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+#are all valid.
+log_rotate_size = 200M
+
+#Config http proxy for Clair, e.g. http://my.proxy.com:3128
+#Clair doesn't need to connect to harbor ui container via http proxy.
+http_proxy =
+https_proxy =
+no_proxy = 127.0.0.1,localhost,ui
 
 #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
 #only take effect in the first boot, the subsequent changes of these properties
@@ -52,6 +60,7 @@ email_username = sample_admin@mydomain.com
 email_password = abc
 email_from = admin
 email_ssl = false
+email_insecure = false
 
 ##The initial password of Harbor admin, only works for the first time when Harbor starts.
 #It has no effect after the first launch of Harbor.
@@ -81,12 +90,27 @@ ldap_basedn = ou=people,dc=mydomain,dc=com
 # The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
 ldap_uid = uid
 
-#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
-ldap_scope = 3
+#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
+ldap_scope = 2
 
 #Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
 ldap_timeout = 5
 
+#Verify certificate from LDAP server
+ldap_verify_cert = true
+
+#The base dn from which to lookup a group in LDAP/AD
+ldap_group_basedn = ou=group,dc=mydomain,dc=com
+
+#filter to search LDAP/AD group
+ldap_group_filter = objectclass=group
+
+#The attribute used to name a LDAP/AD group, it could be cn, name
+ldap_group_gid = cn
+
+#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
+ldap_group_scope = 2
+
 #Turn on or off the self-registration feature
 self_registration = on
 
@@ -98,9 +122,60 @@ token_expiration = 30
 #Set to "adminonly" so that only admin user can create project.
 project_creation_restriction = everyone
 
-#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
-#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
-verify_remote_cert = on
 #************************END INITIAL PROPERTIES************************
-#############
+
+#######Harbor DB configuration section#######
+
+#The address of the Harbor database. Only need to change when using external db.
+db_host = mysql
+
+#The password for the root user of Harbor DB. Change this before any production use.
+db_password = root123
+
+#The port of Harbor database host
+db_port = 3306
+
+#The user name of Harbor database
+db_user = root
+
+##### End of Harbor DB configuration#######
+
+#The redis server address. Only needed in HA installation.
+#address:port[,weight,password,db_index]
+redis_url = redis:6379
+
+##########Clair DB configuration############
+
+#Clair DB host address. Only change it when using an exteral DB.
+clair_db_host = postgres
+
+#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
+#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
+clair_db_password = password
+
+#Clair DB connect port
+clair_db_port = 5432
+
+#Clair DB username
+clair_db_username = postgres
+
+#Clair default database
+clair_db = postgres
+
+##########End of Clair DB configuration############
+
+#The following attributes only need to be set when auth mode is uaa_auth
+uaa_endpoint = uaa.mydomain.org
+uaa_clientid = id
+uaa_clientsecret = secret
+uaa_verify_cert = true
+uaa_ca_cert = /path/to/ca.pem
+
+
+### Docker Registry setting ###
+#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
+registry_storage_provider_name = filesystem
+#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
+#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
+registry_storage_provider_config =
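Review bot: `db_password = root123`, `clair_db_password = password` and `uaa_clientsecret = secret` are fixed literals in a template whose other lines are rendered per host, so every Harbor installed by this role starts with the upstream sample credentials, and the earlier hunk at `@@ -8,11` deletes the previous `Harbor12345` value instead of carrying a site-specific one over. The template already takes `hostname = {{ NODE_IP }}` from the inventory, so these lines should do the same, e.g. `db_password = {{ HARBOR_DB_PASSWORD }}` and `clair_db_password = {{ CLAIR_DB_PASSWORD }}` (variable names are placeholders to be chosen), with values set per deployment in `/etc/ansible/hosts`; the comment on `clair_db_password` itself says it must be set before first deployment because a later change breaks Clair's database access. The UAA block could likewise be rendered only when `uaa_auth` is the selected auth mode, so a dummy `uaa_clientsecret` is not written on installations that never use it.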