

    Harbor共享存储高可用安装文档

    VIP							192.168.1.11
    Haproxy+Keepalived			192.168.1.17/18
    PG+Redis+NFS				192.168.1.12
    Harbor1						192.168.1.14
    Harbor2						192.168.1.15
    

    2.4 Haproxy+Keepalived节点安装配置

    Haproxy+Keepalived 192.168.1.17/18

    [root@haproxy1 ~]# yum -y install wget
    [root@haproxy1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
    [root@haproxy1 ~]# yum install -y keepalived
    
    [root@haproxy1 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
    
    global_defs {
       notification_email {
         acassen@firewall.loc
         failover@firewall.loc
         sysadmin@firewall.loc
       }
       notification_email_from Alexandre.Cassen@firewall.loc
       smtp_server 192.168.200.1
       smtp_connect_timeout 30
       router_id LVS_master   #路由ID号
       vrrp_iptables		#清除防火墙的拦截规则
    
       vrrp_skip_check_adv_addr
       vrrp_strict
       vrrp_garp_interval 0
       vrrp_gna_interval 0
    }
    vrrp_script chk_haproxy {
       script "/etc/keepalived/check_haproxy.sh"    # 检测haproxy状态的脚本路径
       interval 1                    # 检测时间间隔1s
       weight 20                   # 脚本执行成功时,本节点优先级加上 weight 值(此处为 +20);脚本失败时不加
    }
    vrrp_instance VI_1 {
        state MASTER   #主服务器为MASTER
        interface ens33		#VIP配在哪个网卡
        virtual_router_id 51  #主备服务器VRID号必须一致
        priority 100		#服务器优先级
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        track_script {             # 将track_script块加入instance配置块
            chk_haproxy               # 执行haproxy监控的服务
        }
        virtual_ipaddress {
            192.168.1.11/24
        }
    }
    
    [root@haproxy2 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
    
    global_defs {
       notification_email {
         acassen@firewall.loc
         failover@firewall.loc
         sysadmin@firewall.loc
       }
       notification_email_from Alexandre.Cassen@firewall.loc
       smtp_server 192.168.200.1
       smtp_connect_timeout 30
       router_id LVS_slave
       vrrp_iptables
    
       vrrp_skip_check_adv_addr
       vrrp_strict
       vrrp_garp_interval 0
       vrrp_gna_interval 0
    }
    
    vrrp_script chk_haproxy {
         script "/etc/keepalived/check_haproxy.sh"    # 检测haproxy状态的脚本路径
         interval 1                    # 检测时间间隔1s
         weight 20                   # 脚本执行成功时,本节点优先级加上 weight 值(此处为 +20);脚本失败时不加
    }
    
    vrrp_instance VI_1 {
        state SLAVE    # 注:keepalived 的 state 只识别 MASTER/BACKUP,备节点应写 BACKUP,否则会按未知状态处理
        interface ens33
        virtual_router_id 51
        priority 10
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        track_script {             # 将track_script块加入instance配置块
            chk_haproxy               # 执行haproxy监控的服务
        }
        virtual_ipaddress {
            192.168.1.11/24
        }
    }
    
    [root@haproxy1 ~]# cat /etc/keepalived/check_haproxy.sh
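    #!/bin/bash
    # Health check invoked by keepalived (vrrp_script chk_haproxy).
    # If no haproxy process exists, try to start it once; if it is still
    # not running after a short wait, stop keepalived so that VRRP fails
    # the VIP over to the other node.
    # Returns: 0 when haproxy is running (or was started), otherwise the
    # status of the last command that ran.

    # Count haproxy processes. The original used '-no-header' (single dash),
    # which ps treats as the -n option with an argument, so the header line
    # was still printed, wc -l was never 0 and the check never fired.
    running=$(ps -C haproxy --no-header | wc -l)
    if [[ "$running" -eq 0 ]]; then
        service haproxy start
        sleep 2
        # Re-check after the start attempt; give up and force a failover
        # only if haproxy still has no process.
        if [[ "$(ps -C haproxy --no-header | wc -l)" -eq 0 ]]; then
            killall keepalived
        fi
    fi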
    
    [root@haproxy1 ~]# ip a s ens33    #vip出现会有延迟   稍等下
    2: ens33:  mtu 1500 qdisc pfifo_fast state UP.
        link/ether 00:0c:29:70:10:14 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.17/24 brd 192.168.1.255 scope global noprefixroute ens33
           valid_lft forever preferred_lft forever
        inet 192.168.1.11/24 scope global secondary ens33
           valid_lft forever preferred_lft forever
        inet6 fe80::3de:8234:6729:eade/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
    

    2.4.3 haproxy 安装

    [root@haproxy1 ~]# vim /etc/haproxy/haproxy.cfg
    global
    maxconn 100000
    #chroot /usr/local/haproxy
    uid 99
    gid 99
    daemon
    nbproc 1
    pidfile /run/haproxy.pid   # 修改pid目录
    stats socket /run/haproxy/admin.sock mode 600 level admin  # socket目录
    log 127.0.0.1 local3 info
    
    defaults
    option http-keep-alive
    option forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client  300000ms
    timeout server  300000ms
    
    listen stats
     mode http
     bind 0.0.0.0:9999
     stats enable
     log global
     stats uri /haproxy-status
     stats auth haadmin:123456
    
    listen harbor
      mode tcp
      balance source
      bind 192.168.1.11:80
      server 192.168.1.14 192.168.1.14:80 weight 10 check inter 3s fall 3 rise 5
      server 192.168.1.15 192.168.1.15:80 weight 10 check inter 3s fall 3 rise 5
    

    客户端连接超时、最大连接数 、连接失败、健康检查、网站数据信息监控

    [root@haproxy2 ~]# echo 'net.ipv4.ip_nonlocal_bind = 1'>>/etc/sysctl.conf
    #在未持有VIP的主机上,haproxy 绑定 VIP 会启动失败;该参数允许进程绑定本机当前尚不存在的地址
    [root@haproxy2 ~]# sysctl -p
    net.ipv4.ip_nonlocal_bind = 1
    [root@haproxy2 ~]# systemctl restart haproxy.service
    

    2.5 postgresql节点安装配置

    192.168.1.12

    [root@pg ~]# useradd postgres
    [root@pg ~]# id postgres
    uid=1000(postgres) gid=1000(postgres) groups=1000(postgres)
    [root@pg ~]# wget https://ftp.postgresql.org/pub/source/v13.5/postgresql-13.5.tar.gz  --no-check-certificate
    
    [root@pg ~]# tar xf postgresql-13.5.tar.gz
    [root@pg ~]# yum -y install gcc make  readline-devel  zlib-devel
    [root@pg postgresql-13.5]# ./configure --prefix=/usr/local/postgresql
    [root@pg postgresql-13.5]# make && make install
    
    创建数据目录
    [root@pg postgresql-13.5]# mkdir  -p /data/postgresql/data
    [root@pg postgresql-13.5]# chown -R postgres:postgres /usr/local/postgresql/
    [root@pg postgresql-13.5]# chown -R postgres:postgres /data/postgresql/data/
    [root@pg postgresql-13.5]# su - postgres
    
    [postgres@pg ~]$ cat .bash_profile
    # .bash_profile
    
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
            . ~/.bashrc
    fi
    
    # User specific environment and startup programs
    
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    PGHOME=/usr/local/postgresql #psql安装目录
    export PGHOME
    PGDATA=/data/postgresql/data #数据库目录
    export PGDATA
    PATH=$PATH:$HOME/bin:$HOME/.local/bin:$PGHOME/bin
    export PATH
    
    [postgres@pg ~]$ source .bash_profile
    [postgres@pg ~]$ psql -V
    psql (PostgreSQL) 13.5
    
    
    初始化数据库
    [postgres@pg ~]$ initdb
    Success. You can now start the database server using:
    
        pg_ctl -D /data/postgresql/data -l logfile start
    [postgres@pg ~]$ pg_ctl -D /data/postgresql/data -l logfile start
    [postgres@pg ~]$ psql
    postgres=# \password
    Enter new password:
    Enter it again:
    postgres=# \q
    [postgres@pg ~]$ vim  +60 /data/postgresql/data/postgresql.conf
    listen_addresses = '*'    #60行,监听所有地址
    [postgres@pg ~]$ vim  +90 /data/postgresql/data/pg_hba.conf
    local   all             all                                 password
    host    all             all             0.0.0.0/0           password   #90行;password 为明文口令认证且对所有地址开放,生产环境建议改为 scram-sha-256 并把网段限制为 192.168.1.0/24
    host    all             all             ::1/128             password
    
    重启PostgreSQL
    [postgres@pg ~]$ pg_ctl -D /data/postgresql/data -l logfile restart
    [postgres@pg ~]$ psql
    创建数据库
    postgres=# create database registry;
    CREATE DATABASE
    postgres=# create database notary_signer;
    CREATE DATABASE
    postgres=# create database notary_servers;
    CREATE DATABASE
    postgres=# create database clair;
    CREATE DATABASE
    postgres=# \l
                                        List of databases
     Name      |  Owner   | Encoding |   Collate   |    Ctype   | Access privileges
    ----------------+----------+----------+-------------+-------------+------------
     clair          | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     notary_servers | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     notary_signer  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     postgres       | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     registry       | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
     创建用户
    postgres=# create user server with password '123456';
    CREATE ROLE
    postgres=# create user signer with password '123456';
    CREATE ROLE
    postgres=# create user clair with password '123456';
    CREATE ROLE
    postgres=# \du
                                       List of roles
     Role name |             Attributes                         | Member of
    -----------+------------------------------------------------------------+------
     clair     |                                                            | {}
     postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
     server    |                                                            | {}
     signer    |                                                            | {}
    
    

    2.5.3 Redis 安装

    [root@pg ~]# wget https://download.redis.io/releases/redis-6.2.7.tar.gz
    [root@pg ~]# tar xf redis-6.2.7.tar.gz  -C /app/
    [root@pg ~]# cd /app/redis-6.2.7/
    [root@pg redis-6.2.7]# make  && make install
    [root@pg redis-6.2.7]# vim redis.conf
    #bind 127.0.0.1 -::1  	#75行,注释掉bind的行,允许任何主机连接(此后仅靠 requirepass 保护,建议改为 bind 本机内网地址 192.168.1.12);
    daemonize yes       	#259行,将no修改为yes,使redis可以使用守护进程方式启动;
    requirepass 123456    #903行,设置redis连接的auth密码(123456)
    

    启动Redis服务

    [root@pg redis-6.2.7]# redis-server redis.conf
    [root@pg redis-6.2.7]# redis-cli -v
    redis-cli 6.2.7
    [root@pg redis-6.2.7]# ps -ef | grep redis
    root      30040      1  0 22:00 ?        00:00:00 redis-server *:6379
    

    harbor1和harbor2作为redis客户端连接Redis

    [root@pg ~]# which redis-cli
    /usr/local/bin/redis-cli
    [root@pg ~]# scp /usr/local/bin/redis-cli root@192.168.1.17:/usr/local/bin/
    [root@haproxy1 ~]# redis-cli -h 192.168.1.12 -p 6379 -a 123456 ping
    PONG
    

    postgresql节点安装nfs服务:

    [root@pg ~]# yum -y install nfs-utils
    [root@pg ~]# mkdir -p /data/harbor_data
    [root@pg ~]# cat /etc/exports
    /data/harbor_data 192.168.1.0/24(rw,no_root_squash)
    [root@pg ~]# exportfs -arv
    exporting 192.168.1.0/24:/data/harbor_data
    [root@pg ~]# systemctl enable nfs-utils --now
    [root@pg ~]# systemctl  restart  nfs-server
    [root@pg ~]# showmount -e
    Export list for pg:
    /data/harbor_data 192.168.1.0/24
    

    Harbor1、harbor2客户端挂载到nfs

    [root@haproxy1 ~]# yum -y install nfs-utils
    [root@haproxy1 ~]# mkdir -p /data/harbor_data
    [root@haproxy1 ~]# echo "192.168.1.12:/data/harbor_data /data/harbor_data nfs defaults 0 0" >> /etc/fstab
    [root@haproxy1 ~]# mount -a
    
    [root@harbor ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    [root@harbor ~]# yum install -y docker-ce
    [root@harbor ~]# systemctl enable docker --now
    [root@harbor ~]# cat /etc/docker/daemon.json
    {
        "registry-mirrors": ["https://xcg41ct3.mirror.aliyuncs.com"],
        "exec-opts": ["native.cgroupdriver=systemd"],
        "registry-mirrors": ["https://3hjcmqfe.mirror.aliyuncs.com"],
        "log-driver": "json-file",
        "log-opts": {
            "max-size": "500m",
            "max-file": "2"
        }
    }
    [root@harbor ~]# systemctl daemon-reload
    [root@harbor ~]# systemctl restart docker
    
    [root@harbor ~]# wget https://github.com/docker/compose/releases/download/v2.10.0/docker-compose-linux-x86_64 --no-check-certificate
    [root@harbor ~]# mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
    [root@harbor ~]# chmod +x /usr/local/bin/docker-compose
    [root@harbor ~]# docker-compose version
    docker-compose version 1.22.0, build f46880fe
    docker-py version: 3.4.1
    
    [root@harbor ~]# cat /etc/sysctl.conf
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    net.ipv4.ip_forward = 1
    [root@harbor ~]# modprobe br_netfilter
    [root@harbor ~]# sysctl -p
    
    [root@harbor ~]# tar xf harbor-offline-installer-v1.8.0.tgz
    [root@harbor ~]# cd harbor/
    [root@harbor harbor]# ls
    harbor.v1.8.0.tar.gz  harbor.yml  install.sh  LICENSE  prepare
    [root@harbor harbor]# vim harbor.yml
    
    
    vim harbor.yml
    hostname: 192.168.1.14    #实例地址
    http:
      port: 80
    
    #取消https安全加密访问方式:
    #https:
    #  port: 443
    #  certificate: /your/certificate/path
    #  private_key: /your/private/key/path
    
    ## 启用外部代理,启用后hostname将不再使用
    external_url: http://192.168.1.11:80
    
    ## 配置共享存储,即挂载的NFS目录
    data_volume: /data/harbor_data
    
    _version: 2.3.0
    
    ## 配置外部数据库
    external_database:
      harbor:
        host: 192.168.1.12
        port: 5432
        db_name: registry
        username: postgres   # 此处使用超级用户;2.5 节创建的 server/signer/clair 角色并未在此使用
        password: 123456
        ssl_mode: disable
        max_idle_conns: 2
        max_open_conns: 0
      clair:
        host: 192.168.1.12
        port: 5432
        db_name: clair
        username: postgres
        password: 123456
        ssl_mode: disable
      notary_signer:
        host: 192.168.1.12
        port: 5432
        db_name: notary_signer
        username: postgres
        password: 123456
        ssl_mode: disable
      notary_server:
        host: 192.168.1.12
        port: 5432
        db_name: notary_server   # 注意:2.5 节创建的数据库名为 notary_servers,两处必须一致,否则 notary_server 无法连库
        username: postgres
        password: 123456
        ssl_mode: disable
    ##配置外部Redis实例:
    external_redis:      
       host: 192.168.1.12:6379   #redis服务IP地址和端口号。
       port: 6379
       password:  123456  #连接外部redis服务的密码
    #如果redis是哨兵模式,这里应该是
    #host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2
    #  sentinel_master_set:  #仅在使用 Sentinel模式(哨兵模式)时使用
       registry_db_index: 1
       jobservice_db_index: 2   #job服务的数据库索引
       chartmuseum_db_index: 3  #chartmuseum插件的Redis索引
       trivy_db_index: 5   #Trivy扫描器的数据索引
       idle_timeout_seconds: 30  #超时时间
    
    #启用metrics数据采集插件:
    metric:
       enabled: true   
       port: 9090
       path: /metrics
    
    
    将配置文件注入到各组件中
    [root@harbor2 harbor]# ./prepare
    [root@harbor2 harbor]# ./install.sh
    ✔ ----Harbor has been installed and started successfully.----
    
    Now you should be able to visit the admin portal at http://192.168.1.14.
    

    此时,http://192.168.1.11/ http://192.168.1.14/都可访问镜像仓库

    相关镜像管理人员可以根据自己的环境搭建适合自己的高可用仓库,各个组件可任意扩展,以下给出可扩展内容仅供参考。
    3.1.  Postgresql数据库可部署高可用架构
    3.2.  数据库可改造为Mysql及企业较为熟悉的数据库
    3.3.  Redis可部署高可用架构
    3.4.  后端存储支持NFS、CephFS、azure、gcs、AWS s3,、swift 以及阿里云oss
    3.5.  访问方式可改进https安全加密方式访问
    3.6.  部署方式可转为K8S部署,增加组件自愈能力
    
  • 原文地址:https://blog.csdn.net/weixin_60092693/article/details/127952583