Harbor Container Registry o'rnatish va sozlash
Harbor (opens in a new tab) container image registryni self-hosting uchun open-source (opens in a new tab) yechimni taklif qiladi. Bu Cloud Native Computing Foundation (CNCF) doirasidagi loyiha. Harbor access polisi va rollari, zaifliklarni(vulnerability) skanerlash va image signing kabi xususiyatlar bilan xavfsizlik va muvofiqlikni o'z dizayni markaziga qo'yadi.
Minimal konfiguratsiya bilan Harbor Docker command-line interface (CLI) va kubectl kabi toolar bilan birlashadi. Docker CLI-dan siz imagelarni xavfsiz push qilish va pull qilib olish uchun Harbor registryga kirishingiz mumkin. Kubernetes toollari ham sizning Harbor registringiz bilan ishonchli tarzda autentifikatsiya qilishi va registryda saqlangan imagelardan konteynerlarni to'g'ridan-to'g'ri joylashtirish imkonini beradi.
Ishni boshlash
Ushbu amaliyotda biz Harborni VM serverga o'rnatamiz, agar hohlasangiz Kubernetesga ham o'rnatishingiz mumkin. Amaliyotni amalga oshirish uchun bizga quyidagi minimum server talablaridagi server kerak bo'ladi.
Minimum Server talabi
Host | OS | RAM | CPU | Xotira | Static IP |
---|---|---|---|---|---|
harbor | Ubuntu 20.04 | 8GB | 4vCPU,2 core | 100GB | Ha kerak |
DNS sozlash
Harbor container registryni o'rnatishimiz uchun bizgda domen kerak bo'ladi. DNS hostingizdan domenga Harbor ishlab turgan server static IP manzilini qo'shishingiz kerak bo'ladi.
Quyida ahost.uz (opens in a new tab) DNS hostiga namuna ko'rsatilgan.
Kerakli domen sozlamalariga kirib DNS xosting bo'limga o'ting sizda quyidagi oyna ochilishi kerak.
Bu yerdan siz domen o'ziga yoki subdomenga Harbor server static IP maznilini ko'rsatishingiz kerak bo'ladi. Bizda helm.uz (opens in a new tab) domenimiz bor keling unga harbor subdomen qo'shamiz.
- Name-> subdomen nomi
- Type-> A
- TTL-> 14440
- RDATA-> harbor server Static IP manzili
Docker o'rnatish.
Harborni ishga tushirish uchun serverimizga Docker va Docker Compose o'rnatib olishimiz kerak bo'ladi. Dokcer va Docker Compose o'rnatish bo'yicha Linux serverlarga Docker o'rnatish (opens in a new tab) qo'llanmasi orqali o'rnatib olishingiz mumkin.
Ubuntu serverlarga Docker va Docker Compose o'rnatish.
1-> Repozitoriyani sozlash. apt
paketi indeksini yangilang va aptga HTTPS orqali repositoriyadan foydalanishga ruxsat berish uchun paketlarni o'rnating:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg -y
2-> Dockerning rasmiy GPG kalitini qo'shing:
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
3-> Repositoriyani sozlash uchun quyidagi buyruqdan foydalaning:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
4-> apt
paketi indeksini yangilang
sudo apt-get update
5-> Docker Engine, containerd va Docker Compose-ni o'rnatamiz.
Eng so'nggi versiyani(latest) o'rnatish uchun quyidagilarni bajaring.
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-compose -y
6-> Dockerni ishga tushiramiz, statusini ko'ramiz va server o'chib yonganida avtomatik ishga tushishini yoqamiz.
sudo ssystemctl enable docker
sudo systemctl enable docker
sudo systemctl status docker
SSL Sertifikat olish
SSLdan foydalanish port serveriga va undan keladigan trafikni himoya qilish imkonini beradi. Harborda o'zida Nginx mavjud bo'lib Nginx o'rnatib sozlamaymiz.
Web server HTTPS requestlarini qabul qilishidan oldin ishonchli sertifikat markazi tomonidan imzolangan public-key sertifikatiga ega bo'lishi kerak. Let's Encrypt - bu vakolatlarning eng keng tarqalganlaridan biri. U asosiy SSL/TLS sertifikatlarini tegishli veb-saytlarga tarqatuvchi bepul avtomatlashtirilgan xizmatni boshqaradi. Let's Encrypt sertifikat berish jarayonini sinovga javob berish usuli orqali avtomatlashtirish uchun Automatic Certificate Management Environment (ACME) protokolidan foydalanadi. Let's Encrypt (opens in a new tab) rasmiy saytida domenni tekshirish haqida batafsilroq texnik ma'lumotlarni taqdim teilgan.
Certbot HTTPS-ni yoqish orqali veb-xavfsizlikni yaxshilash maqsadida Electronic Frontier Foundation (EFF) tomonidan ishlab chiqilgan. U ko'pgina operatsion tizimlar, shuningdek, Apache va NGINX kabi eng mashhur veb-server dasturlari bilan mos keladi. Certbot sertifikatni so'rash, ACME bo'yicha barcha talablarni bajarish, sertifikatni o'rnatish va veb-serverni sozlash uchun Let's Encrypt bilan bog'lanish uchun javobgardir. Shuningdek, u sertifikatni yangilash jarayonini avtomatik ravishda boshqarishi mumkin. Qo'shimcha ma'lumot uchun Certbot veb-saytidagi About Certbot (opens in a new tab) sahifasini ko'rib chiqishingiz mumkin.
1-> Serverimizga certbot o'rnatib olamiz.
sudo apt update
sudo apt install certbot
2-> domenimiz uchun SSL sertifikat olamiz, bunihc uchun domenimiz DNS hostga serverimiz static IP manzili bog'langan bo'lishi kerak.
sudo certbot certonly --standalone -d harbor.helm.uz
Sizda rasmdagidek natija chiqishi kerak.
harbor.helm.uz domenimiz uchun SSL sertifikat quiyidagi papkada joylashganini ko'rsatadi.
Certificate: /etc/letsencrypt/live/harbor.helm.uz/fullchain.pem
Key: /etc/letsencrypt/live/harbor.helm.uz/privkey.pem
Harbor o'rnatish
Harbor relizlar sahifasidan (opens in a new tab) eng so'nggi(latest) Harbor installerini bilan paketini yuklab oling . Siz onlayn yoki oflayn installerini tanlashingiz mumkin.
1-> Ushbu u script orqali buni osonlashtirishimiz mumkin. Bu script Harbor releaselarda latest offline installerini yuklab oladi.
curl -s https://api.github.com/repos/goharbor/harbor/releases/latest \
| grep "browser_download_url.*harbor-offline-installer.*.tgz\"" \
| tail -n 1 \
| cut -d : -f 2,3 \
| tr -d \" \
| wget -O harbor-offline-installer.tgz -qi -
Yoki sizga biror versiya kerak bo'lsa release sahifasidan offline installerni yuklab olaszi.
sudo wget https://github.com/goharbor/harbor/releases/download/v2.10.2/harbor-offline-installer-v2.10.2.tgz
Harbor installerini o'rnatishdan keyin ham saqlab qo'yishingiz kerak, chunki u keyinchalik konfiguratsiya o'zgarishlarini amalga oshirish uchun skriptlarni o'z ichiga oladi. 2-> Yuklab olgan latest offline harbor isntallerni arxivdan chiqarib olamiz.
tar xzvf harbor-offline-installer.tgz
3-> harbor
papakga kirib harbor.yml.tmpl
namuna konfiguratsiya faylini harbor.yml
o'zgartiramiz, bu bizning asosiy Harbor konfiguratsiya faylimiz bo'ladi.
cd harbor
cp harbor.yml.tmpl harbor.yml
4-> Asosiy harbor.yml
konfiguratsiyani o'zizmizga moslab konfiguratsiya qilib olamiz.
sudo nano harbor.yml
ushbu konfiguratsiyada hostname:
ga domenimiz yozamiz va SSL sertifikatimiz va keyini pathini beramiz.
hostname: harbor.helm.uz
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /etc/letsencrypt/live/harbor.helm.uz/fullchain.pem
private_key: /etc/letsencrypt/live/harbor.helm.uz/privkey.pem
# enable strong ssl ciphers (default: false)
# strong_ssl_ciphers: false
Bu qismda Harbor uchun birinchi kirish admin parolini o'zgartirasiz. Xavfsizlik uchun default parolni o'zgartiring va parol generatsiya qilib qo'ying.
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
Bu qismda Harbor DB konfiguratsiya qilamiz DB parolini xavfsiz uchun o'zgartiring.
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 100
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 900
# The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". V>
conn_max_lifetime: 5m
# The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". V>
conn_max_idle_time: 0
# The default data volume
data_volume: /data
5-> Konfiguratsiyani o'zingizga moslab olganingizdan keyin install.sh
bash scriptni ishga tushirish orqali Harborni o'rnatamiz.
sudo ./install.sh
Harbor muvaffaqiyatli o'rnatilsa rasmdagidek natija chiqishi kerak.
Harbor bilan ishlash
Harborni muvaffaqiyatli o'rnatib ishga tushirganimizdan keyin, Harbor domenimizga brauzer orqali kiramiz, sizda quyidagicha oyna ochilishi kerak.
Birinchi krishingzida admin
user bilan kirasiz default parol esa harbor.yml
konfiguratsiyadagi parolimiz.