
Installing and configuring Harbor Container Registry

Harbor is an open-source container registry designed to store, manage and secure container images. It is a project under the Cloud Native Computing Foundation (CNCF). Harbor puts security and compliance at the centre of its design, with features such as access policies and roles, vulnerability scanning and image signing.

Harbor was originally developed by VMware and later donated to the CNCF. With version 2.0, released on 13 May 2020, Harbor was announced as the first open-source registry compliant with the OCI (Open Container Initiative) standards. That release extended storage to a range of cloud-native artifacts such as container images, Helm charts, OPA artifacts and Singularity images.

With minimal configuration, Harbor integrates with tools such as the Docker command-line interface (CLI) and kubectl. From the Docker CLI you can log in to the Harbor registry to push and pull images securely, and Kubernetes tooling can authenticate to your Harbor registry and deploy containers directly from the images stored in it.

Getting started

In this walkthrough we install Harbor on a VM server; if you prefer, you can also install it on Kubernetes. To follow along you need a server that meets the minimum requirements below.

Minimum server requirements

Host    | OS            | RAM  | CPU             | Storage | Static IP
harbor  | Ubuntu 20.04  | 8GB  | 4 vCPU, 2 core  | 100GB   | Required

We will look at two ways of installing Harbor Container Registry: manually and with Ansible.

Configuring DNS

To install Harbor Container Registry we need a domain. At your DNS host, point the domain at the static IP address of the server on which Harbor runs.

Below is an example using the ahost.uz DNS host.

Open the settings of the domain and go to the DNS hosting section; you should see a window like the one below.

Here you point the domain itself, or a subdomain, at the Harbor server's static IP address. We have the domain helm.uz, so let's add a harbor subdomain to it.

  • Name -> the subdomain name
  • Type -> A
  • TTL -> 14440
  • RDATA -> the Harbor server's static IP address

Installing Harbor Container Registry manually

In this step we set up Harbor Container Registry by hand.

Installing Docker and Docker Compose

To run Harbor we need Docker and Docker Compose on the server. You can install them by following the Installing Docker on Linux servers guide.

Installing Docker and Docker Compose on Ubuntu servers

1-> Set up the repository. Update the apt package index and install the packages that let apt use a repository over HTTPS:

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg -y

2-> Add Docker's official GPG key:

sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

3-> Use the following command to set up the repository:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

4-> Update the apt package index:

sudo apt-get update

5-> Install Docker Engine, containerd and Docker Compose.

To install the latest version, run:

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-compose -y

6-> Start Docker, check its status, and enable it so that it starts automatically when the server reboots.

sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker

Obtaining an SSL certificate

Using SSL protects the traffic to and from the server. Harbor ships with its own Nginx, so we do not install and configure Nginx separately.

Before a web server can accept HTTPS requests it needs a public-key certificate signed by a trusted certificate authority. Let's Encrypt is one of the most widely used of these authorities. It runs a free, automated service that issues basic SSL/TLS certificates to the websites that own the corresponding domains. Let's Encrypt automates issuance through a challenge-response process based on the Automatic Certificate Management Environment (ACME) protocol. The official Let's Encrypt site provides more detailed technical information on domain validation.

Certbot was developed by the Electronic Frontier Foundation (EFF) to improve web security by making HTTPS easy to enable. It works on most operating systems and with the most popular web servers, such as Apache and NGINX. Certbot is responsible for talking to Let's Encrypt: requesting the certificate, completing the ACME challenges, installing the certificate and configuring the web server. It can also handle certificate renewal automatically. For more information, see the About Certbot page on the Certbot website.

1-> Install certbot on the server.

sudo apt update
sudo apt install certbot

2-> Obtain an SSL certificate for our domain. For this to work, the domain must already point to the server's static IP address at the DNS host, and port 80 must be free: certbot's standalone mode runs its own temporary web server on it, so Harbor (or any other web server) must not be listening there yet.

sudo certbot certonly --standalone -d harbor.helm.uz

You should see output like the one in the image.

It shows that the SSL certificate for our harbor.helm.uz domain is stored in the following directory:

Certificate: /etc/letsencrypt/live/harbor.helm.uz/fullchain.pem
Key:  /etc/letsencrypt/live/harbor.helm.uz/privkey.pem
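Before handing these two files to Harbor it is worth checking that they are what Harbor expects. The script below is an added example, not part of the original guide: it assumes openssl and GNU date (both present on Ubuntu) and takes the hostname and the two paths as arguments. It verifies that the files are readable, that privkey.pem really belongs to fullchain.pem, that the certificate covers the Harbor hostname, and how many days remain before it expires (Let's Encrypt certificates are valid for 90 days).

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: sanity checks for the
# certificate files certbot produced, run before they are given to Harbor.
# Assumes openssl and GNU date. For this guide the call would be:
#   check_harbor_cert harbor.helm.uz \
#     /etc/letsencrypt/live/harbor.helm.uz/fullchain.pem \
#     /etc/letsencrypt/live/harbor.helm.uz/privkey.pem

# Does the private key belong to the certificate? Compare the public key
# embedded in the certificate with the one derived from the private key.
cert_key_match() {
  local cert="$1" key="$2" from_cert from_key
  openssl x509 -in "$cert" -noout 2>/dev/null || return 1   # must parse as a certificate
  openssl pkey -in "$key" -noout 2>/dev/null || return 1    # must parse as a private key
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  from_key=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Does the certificate cover the hostname (CN or subjectAltName)?
cert_covers_host() {
  local cert="$1" host="$2"
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'
}

# Whole days until the certificate expires (negative once it has expired).
cert_days_left() {
  local cert="$1" end now
  end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
  [ -n "$end" ] || return 1
  end=$(date -u -d "$end" +%s) || return 1     # GNU date parses "Nov 15 10:00:00 2024 GMT"
  now=$(date -u +%s)
  echo $(( (end - now) / 86400 ))
}

# Run all checks; prints the first problem found and returns non-zero.
# Fewer than 14 days left on a 90-day certificate means renewal is overdue.
check_harbor_cert() {
  local host="$1" cert="$2" key="$3" days
  [ -r "$cert" ] || { echo "cannot read $cert"; return 1; }
  [ -r "$key" ]  || { echo "cannot read $key (the live/ directory is root-only; use sudo)"; return 1; }
  cert_key_match "$cert" "$key" || { echo "$key does not match $cert"; return 1; }
  cert_covers_host "$cert" "$host" || { echo "$cert does not cover $host"; return 1; }
  days=$(cert_days_left "$cert") || { echo "cannot read the expiry date from $cert"; return 1; }
  [ "$days" -ge 14 ] || { echo "$cert expires in $days day(s); run: sudo certbot renew"; return 1; }
  echo "OK: $cert covers $host, key matches, $days days left"
}
```

Run it as root, since /etc/letsencrypt/live is only readable by root; a mismatched key or a certificate issued for a different name is exactly what would otherwise surface later as a TLS error when Docker first talks to the registry.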

Installing Harbor

Download the latest Harbor installer package from the Harbor releases page. You can choose between the online and the offline installer.

1-> Download the offline Harbor installer, version v2.11.1, with this command.

wget https://github.com/goharbor/harbor/releases/download/v2.11.1/harbor-offline-installer-v2.11.1.tgz

Keep the Harbor installer after the installation, because it contains the scripts you will need later to apply configuration changes.

2-> Extract the downloaded offline installer.

tar xzvf harbor-offline-installer-v2.11.1.tgz

3-> Change into the harbor directory and copy the sample configuration harbor.yml.tmpl to harbor.yml; this will be our main Harbor configuration file.

cd harbor
cp harbor.yml.tmpl harbor.yml

4-> Adapt the main harbor.yml configuration to our setup.

sudo nano harbor.yml

In this configuration we set hostname: to our domain and give the paths to our SSL certificate and key.

hostname: harbor.helm.uz
 
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
 
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/letsencrypt/live/harbor.helm.uz/fullchain.pem
  private_key: /etc/letsencrypt/live/harbor.helm.uz/privkey.pem
  # enable strong ssl ciphers (default: false)
  # strong_ssl_ciphers: false

In this part you set the initial admin password for Harbor. For security, do not keep the default; generate a password and use that instead.

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

In this part we configure the Harbor DB; change the DB password for security.

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900
  # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". V>
  conn_max_lifetime: 5m
  # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". V>
  conn_max_idle_time: 0
 
# The default data volume
data_volume: /data
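The two passwords above are the values every copy of harbor.yml.tmpl ships with, so an install that keeps them is trivially guessable. The script below is an added example, not part of the original guide or of Harbor's own tooling: a pre-flight check to run on harbor.yml before install.sh. It reads the file with awk, relying on the flat "key: value" layout of harbor.yml (top-level keys at column 0, nested keys indented by two spaces), so it is not a general YAML parser. It refuses to pass while the template's example secrets or its placeholder hostname are still in place, and checks that the TLS files named under https: exist. The same two literals appear in the vars.yml used by the Ansible section later on, so the secret check applies there too.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide or of Harbor's tooling:
# pre-flight check for harbor.yml before running ./install.sh.

# Value of a top-level key, or of a nested key inside a section when a third
# argument is given:   yml_value harbor.yml hostname
#                      yml_value harbor.yml certificate https
# Relies on harbor.yml's layout (nested keys indented by exactly two spaces).
yml_value() {
  local file="$1" key="$2" section="${3:-}"
  if [ -z "$section" ]; then
    awk -v k="$key" '$0 ~ ("^" k ":") { sub("^" k ":[ \t]*", ""); print; exit }' "$file"
  else
    awk -v s="$section" -v k="$key" '
      $0 ~ ("^" s ":") { in_s = 1; next }
      in_s && /^[^ #]/ { in_s = 0 }                  # next top-level key ends the section
      in_s && $0 ~ ("^  " k ":") { sub("^  " k ":[ \t]*", ""); print; exit }
    ' "$file"
  fi
}

# Reports every problem found and returns non-zero if there was any.
preflight_harbor_yml() {
  local file="$1" fail=0 v k
  v=$(yml_value "$file" hostname)
  # reg.mydomain.com is the placeholder hostname shipped in harbor.yml.tmpl
  case "$v" in ""|reg.mydomain.com) echo "hostname is not set"; fail=1 ;; esac
  v=$(yml_value "$file" harbor_admin_password)
  [ "$v" != "Harbor12345" ] || { echo "harbor_admin_password is still the example value"; fail=1; }
  v=$(yml_value "$file" password database)
  [ "$v" != "root123" ] || { echo "database.password is still the example value"; fail=1; }
  for k in certificate private_key; do
    v=$(yml_value "$file" "$k" https)
    if [ -z "$v" ]; then
      echo "https.$k is not set"; fail=1
    elif [ ! -e "$v" ]; then
      echo "https.$k points to $v, which does not exist"; fail=1
    fi
  done
  [ "$fail" -eq 0 ] && echo "harbor.yml looks ready for ./install.sh"
  return "$fail"
}

# Usage, as root because /etc/letsencrypt/live is root-only:
#   preflight_harbor_yml harbor.yml && ./install.sh
```

A replacement for the two example secrets can be generated with a command such as `openssl rand -base64 24`; whatever you choose for harbor_admin_password is only used on the very first start, after which the password is managed in the Harbor UI, as the comment in the file says.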

5-> Once the configuration is adapted, install Harbor by running the install.sh bash script.

sudo ./install.sh

If Harbor installs successfully, you should see output like the one in the image.

Installing Harbor Container Registry with Ansible

In this step we set up Harbor Container Registry in an automated way using Ansible. We use the open-source Ansible collections from the repository github.com/ismoilovdevml/infra-as-code.

Clone the Ansible collection repository with git clone.

git clone https://github.com/ismoilovdevml/infra-as-code.git

Installing Docker and Docker Compose

In the infra-as-code repo, go to the Ansible collections and into the playbook written for Docker.

cd infra-as-code/Ansible/docker

In this directory, open the inventory.ini file and enter the credentials of the server on which we want to install Docker and Docker Compose. The computer or server from which you run this Ansible playbook must be able to connect over SSH to the server on which you are setting up Harbor.

inventory.ini
[all]
harbor-server ansible_host=24.144.106.189 ansible_user=root

To run this playbook we need to install the community.general Ansible collection.

ansible-galaxy collection install community.general

Install Docker.

ansible-playbook -i inventory.ini install_docker.yml

When the playbook runs successfully you should see the following output.

Next, install Docker Compose.

ansible-playbook -i inventory.ini install_docker-compose.yml

When the playbook runs successfully you should see the following output.

Good, Docker and Docker Compose are installed. Now we can run the Ansible playbook that sets up Harbor.

Installing Harbor

Go to the directory with the Ansible playbooks that set up Harbor.

cd infra-as-code/Ansible/harbor

As before, enter our Harbor server's credentials in inventory.ini.

inventory.ini
[harbor_server]
harbor-server ansible_host=24.144.106.189 ansible_user=root

In the vars.yml file, fill in the required variables.

vars.yml
harbor_version: "v2.11.1"
harbor_hostname: "harbor.helm.uz"
harbor_admin_password: "Harbor12345"
harbor_db_password: "root123"
ssl_option: "certbot"  # may be "certbot" or "self_signed"
certbot_cert_path: "/etc/letsencrypt/live/{{ harbor_hostname }}/fullchain.pem"
certbot_key_path: "/etc/letsencrypt/live/{{ harbor_hostname }}/privkey.pem"
self_signed_cert_path: "/path/to/selfsigned/fullchain.pem"  # full path to the self-signed certificate
self_signed_key_path: "/path/to/selfsigned/privkey.pem"      # full path to the self-signed key
harbor_download_url: "https://github.com/goharbor/harbor/releases/download/{{ harbor_version }}/harbor-offline-installer-{{ harbor_version }}.tgz"

The configuration above contains variables for the Harbor version, domain name, admin password and DB password; set these to the version, domain and passwords you need. For the SSL certificate there are two options: certbot, the default, and self_signed. With certbot selected nothing else needs to change and the certificate is obtained via certbot; if you set ssl_option to self_signed, you must provide the paths to your self-signed SSL certificate and key.

Run the playbook to set up Harbor Container Registry.

ansible-playbook -i inventory.ini bootstrap_harbor.yml

When the playbook runs successfully you should see the following output.

Working with Harbor

After Harbor is installed and running, open our Harbor domain in a browser; you should see a window like the one below.

On first login, sign in as the admin user; the default password is the one from our harbor.yml configuration.

After setting up Harbor we need to configure a Proxy Cache. A Proxy Cache keeps a local copy of the Docker images pulled from global container registries on the internet, so that later pulls are served locally. For example, if you have CI/CD and every run pulls the required Docker images from Docker Hub over the internet, then with a Proxy Cache for Docker Hub configured in Harbor, Harbor downloads any image it does not yet have from Docker Hub on the first pull and keeps it; on the next CI/CD run the images are pulled locally from Harbor Container Registry instead of from Docker Hub over the internet, which improves efficiency and speed.

To do this, we first delete the default library project.

In the Harbor UI go to Administration -> Registries and click NEW ENDPOINT. Configure the registry endpoint as follows: choose Docker Hub as the Provider and give it a name; the Endpoint URL is the Docker Hub URL; if you have a Docker Hub user, enter it in Access ID and Access Secret. Click TEST CONNECTION to check everything. Once the registry endpoint is created, it should appear in the Registries section.

In Harbor go to Projects and create a library project. Configure the project as follows: set the Access Level to Public, enable Proxy Cache and select the dockerhub endpoint created above, then click OK to create it.

To use Harbor from CI/CD and from servers we create a Robot Account. Go to Administration -> Robot Accounts and click NEW ROBOT ACCOUNT. Give the robot account a name, for example cicd. Grant it the required permissions, for example all permissions except Delete and Stop. Then select the project and grant the permissions needed to use the project, for example again all permissions except Delete and Stop. After the robot account is created, Harbor shows us its secret token, which we must save. We then test by logging in to our Harbor Container Registry with docker login using the robot account token Harbor issued. Robot account names are prefixed with robot$, so in our case the container registry URL is harbor.helm.uz, the robot account user is robot$cicd and the password is the secret token.

Now, to check that the Proxy Cache works, let's pull a Docker image that does not exist in our Harbor Container Registry. If the Proxy Cache is working, Harbor should not return an error; it should fetch the image from Docker Hub when it does not have it and serve it to us. Everything worked: the Proxy Cache is working, because Harbor had no Docker images at all and I requested the harbor.helm.uz/library/redis:latest image; since Harbor did not have it, it fetched redis:latest from Docker Hub via the registry endpoint and then served it to us. On the next docker pull the image is pulled directly from the local Harbor.

To verify this, open the library project in the Harbor UI; the Docker image we just pulled should be there.

The Proxy Cache works, so now let's push a Docker image to Harbor. For this we create a separate project, just like the library project above, but without enabling Proxy Cache.

You cannot push Docker images to Harbor projects that have Proxy Cache enabled!

In our case we had a Docker image named nginx:latest; it has to be retagged as registry-url/repo/image:tag, here harbor.helm.uz/devops-journey/nginx:latest. Everything worked. We can see it by opening our project in the Harbor UI.
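The naming rule used in the last few paragraphs (pull-through via the proxy-cache project, retag-and-push to a plain project) is what a CI job has to get right, and the robot token is the secret it must not leak. The helpers below are an added example and not part of the original guide: harbor_ref() maps an image reference to its name in a Harbor project and is the only function the checks exercise; harbor_login, verify_proxy_cache and harbor_push call docker and curl against a live registry. Registry, project and robot names are the ones used in this guide; the robot secret is read from the environment variable HARBOR_ROBOT_TOKEN, an assumption of this example, so that it never appears on a command line or in shell history. Dropping the leading "library/" of Docker Hub official images is also an assumption, supported by the guide's own pull of harbor.helm.uz/library/redis:latest.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: CI-side helpers for a Harbor
# registry. Only harbor_ref() is pure; the others need docker, curl and a
# reachable registry, plus the robot secret in HARBOR_ROBOT_TOKEN.

# registry/project/image[:tag|@digest]. Docker Hub prefixes are dropped and a
# missing tag becomes :latest. The leading "library/" of official images is
# dropped too, as the guide pulls harbor.helm.uz/library/redis:latest, not
# .../library/library/redis:latest.
harbor_ref() {
  local registry="$1" project="$2" image="$3" last
  image="${image#docker.io/}"
  image="${image#index.docker.io/}"
  image="${image#library/}"
  last="${image##*/}"                  # only the last path element may carry a tag or digest
  case "$last" in
    *@*) ;;                            # pinned by digest: leave untouched
    *:*) ;;                            # explicit tag
    *)   image="$image:latest" ;;
  esac
  printf '%s/%s/%s\n' "$registry" "$project" "$image"
}

# docker login as the robot account; the secret arrives via --password-stdin.
# Quote the user name ('robot$cicd') so the shell does not expand "$cicd".
harbor_login() {
  local registry="$1" robot="$2"
  printf '%s' "${HARBOR_ROBOT_TOKEN:?set HARBOR_ROBOT_TOKEN first}" |
    docker login "$registry" -u "$robot" --password-stdin
}

# Pull through the proxy-cache project, then ask the Harbor API whether the
# repository now exists there (assumes the robot may list repositories, which
# the "everything except Delete and Stop" grant from the guide includes).
verify_proxy_cache() {
  local registry="$1" project="$2" image="$3" robot="$4" ref repo
  ref=$(harbor_ref "$registry" "$project" "$image")
  docker pull "$ref" >/dev/null || return 1
  repo="${ref#"$registry/"}"; repo="${repo%%[:@]*}"      # e.g. library/redis
  curl -fsS -u "$robot:${HARBOR_ROBOT_TOKEN:?}" \
    "https://$registry/api/v2.0/projects/$project/repositories?page_size=100" |
    grep -q "\"name\": *\"$repo\""
}

# Retag a local image for a project without proxy cache and push it.
harbor_push() {
  local registry="$1" project="$2" image="$3" ref
  ref=$(harbor_ref "$registry" "$project" "$image")
  docker tag "$image" "$ref" && docker push "$ref"
}

# Usage:
#   export HARBOR_ROBOT_TOKEN='<secret shown once when the robot account was created>'
#   harbor_login harbor.helm.uz 'robot$cicd'
#   verify_proxy_cache harbor.helm.uz library redis:latest 'robot$cicd'
#   harbor_push harbor.helm.uz devops-journey nginx:latest
```

In a CI system the token belongs in the job's secret store and is exported into the environment for the step that logs in; since docker login caches the credential in the runner's Docker config, a `docker logout harbor.helm.uz` at the end of the job keeps it from lingering on a shared runner.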

If you have made it this far, congratulations, you have done it. I hope this post has been of help.

Date: 2024.11.5 (15 November 2024)

Last updated: 2024.11.15 (15 November 2024)

Author: Otabek Ismoilov

Telegram | GitHub | LinkedIn