一、环境准备
1. 系统配置
bash
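# Install Docker and docker-compose from the distribution repositories
apt update
apt install -y docker.io docker-compose
# Kernel tuning for Docker networking.
# The net.bridge.* keys only exist once the br_netfilter module is loaded; without it
# `sysctl -p` reports "No such file or directory" for that key and the setting is never applied.
modprobe br_netfilter
# Appends on every run; execute this step once (re-running duplicates the two lines).
cat >>/etc/sysctl.conf << EOF
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
EOF
sysctl -p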
2. 证书配置
bash
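# Generate a self-signed certificate for the Harbor hostname.
# Despite the file names, ca.crt/ca.key are used directly as the server certificate and key in harbor.yml.
mkdir -p /data/cert
cd /data/cert || exit 1
# Fixed: "rsa:4096-nodes" and "365-out" had lost their separating spaces and the command would not run.
# -addext puts the hostname in a subjectAltName: Docker (Go TLS) rejects certificates that carry the
# hostname only in the CN. Requires OpenSSL 1.1.1 or newer.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=harbor.example.com" \
  -addext "subjectAltName=DNS:harbor.example.com"
# The private key is created without a passphrase (-nodes); keep it readable by root only.
chmod 600 ca.key
# Make the Docker daemon trust this certificate for the registry hostname
mkdir -p /etc/docker/certs.d/harbor.example.com/
cp ca.crt /etc/docker/certs.d/harbor.example.com/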
二、Harbor安装
1. 下载配置
bash
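# Download the Harbor online installer
wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-online-installer-v2.5.0.tgz
# Verify the signature/checksum published with the release before unpacking; TLS to github.com
# authenticates the transport, not the artifact.
tar xvf harbor-online-installer-v2.5.0.tgz
# The archive unpacks into ./harbor, which is where harbor.yml.tmpl lives; the copy below
# fails with "No such file" unless run from that directory.
cd harbor || exit 1
# Create the working configuration from the shipped template
cp harbor.yml.tmpl harbor.yml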
2. 基础配置
yaml
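# harbor.yml
# Formatting restored: the keys below had lost the space after ':' and their nesting,
# which does not parse as the mapping Harbor expects.
hostname: harbor.example.com
https:
  certificate: /data/cert/ca.crt
  private_key: /data/cert/ca.key
# Placeholder only: this is the bootstrap admin password; set a strong value before the first install.
harbor_admin_password: Harbor12345
database:
  # Placeholder for the internal database password; change it together with the admin password.
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data/harbor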
三、安全配置
1. 身份认证
yaml
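# harbor.yml
# NOTE(review): in Harbor 2.x the authentication/LDAP settings are normally applied through the
# web UI or the configurations API rather than harbor.yml — confirm this file is read for v2.5.0.
auth_mode: ldap
# ldap:// sends the bind password and every lookup in cleartext; prefer ldaps:// (or StartTLS).
ldap_url: ldap://ldap.example.com
# Use a dedicated read-only bind account rather than the directory administrator.
ldap_searchdn: cn=admin,dc=example,dc=com
# Placeholder value; replace before use.
ldap_search_pwd: password
ldap_base_dn: dc=example,dc=com
ldap_uid: uid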
2. 项目安全
bash
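# Set the project's access level to private
# --cacert trusts the self-signed certificate in /data/cert instead of disabling verification with -k.
# -u admin (no password) makes curl prompt for it, keeping the credential out of `ps` output and shell history.
# --fail returns non-zero on an HTTP 4xx/5xx instead of printing the error body and "succeeding".
curl --fail -sS --cacert /data/cert/ca.crt \
  -X PUT -H "Content-Type: application/json" \
  -u admin \
  "https://harbor.example.com/api/v2.0/projects/1" \
  -d '{"metadata":{"public":"false"}}'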
四、仓库管理
1. 仓库配置
bash
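# Create a project
# --cacert trusts the self-signed certificate in /data/cert instead of disabling verification with -k.
# -u admin (no password) makes curl prompt for it, keeping the credential out of `ps` output and shell history.
# --fail returns non-zero on an HTTP 4xx/5xx instead of printing the error body and "succeeding".
curl --fail -sS --cacert /data/cert/ca.crt \
  -X POST -H "Content-Type: application/json" \
  -u admin \
  "https://harbor.example.com/api/v2.0/projects" \
  -d '{"project_name":"test-project","public":false}'
# Image garbage collection
# NOTE(review): no harbor.sh appears elsewhere on this page and the installer bundle is not known to
# ship one; in Harbor 2.x garbage collection is scheduled from the web UI or the GC schedule API —
# confirm this script exists before relying on the line below.
./harbor.sh garbage-collection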
2. 复制策略
bash
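# Create an image replication policy
# --cacert trusts the self-signed certificate in /data/cert instead of disabling verification with -k.
# -u admin (no password) makes curl prompt for it, keeping the credential out of `ps` output and shell history.
# --fail returns non-zero on an HTTP 4xx/5xx instead of printing the error body and "succeeding".
# NOTE(review): registry ids 1 and 2 are assumed to be the source and destination endpoints already
# registered in Harbor — verify them against the registries API before running this.
curl --fail -sS --cacert /data/cert/ca.crt \
  -X POST -H "Content-Type: application/json" \
  -u admin \
  "https://harbor.example.com/api/v2.0/replication/policies" \
  -d '{
    "name": "sync-policy",
    "src_registry": {"id": 1},
    "dest_registry": {"id": 2},
    "filters": [{
      "type": "name",
      "value": "test-project/**"
    }]
  }'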
五、性能优化
1. Nginx配置
nginx
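# nginx.conf
worker_processes auto;
# Raise the per-worker open-file limit so worker_connections below can actually be reached.
worker_rlimit_nofile 65535;
events {
  worker_connections 10240;
}
http {
  # Image layers arrive as single large request bodies; nginx's default limit (1m) would reject them.
  client_max_body_size 500m;
  client_body_buffer_size 128k;
  # Long proxy timeouts so slow pushes/pulls of big layers are not cut off by the proxy.
  proxy_connect_timeout 600;
  proxy_read_timeout 600;
  proxy_send_timeout 600;
}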
2. 存储优化
yaml
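# harbor.yml
# Formatting restored (missing spaces after ':' and lost nesting).
# NOTE(review): this `storage:` tree does not match the stock template, which groups the filesystem
# backend settings under `storage_service:` — verify these key names against the v2.5.0 harbor.yml.tmpl.
storage:
  filesystem:
    maxthreads: 50
  cache:
    enabled: true
    expiry: 24h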
六、监控告警
1. 监控配置
yaml
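# prometheus.yml
# Formatting restored (missing spaces after ':' and lost nesting).
scrape_configs:
  - job_name: 'harbor'
    static_configs:
      # NOTE(review): a target is host[:port]; Harbor exposes metrics on a dedicated metrics port
      # configured in harbor.yml, so a bare hostname scrapes the wrong listener — confirm the port.
      - targets: ['harbor.example.com']
    # /metrics is Prometheus's default path; stated explicitly for readability.
    metrics_path: '/metrics'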
2. 告警规则
yaml
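# alert.rules
# Formatting restored (missing spaces after ':' and lost nesting).
groups:
  - name: harbor_alerts
    rules:
      - alert: HarborDown
        # Restrict to the harbor scrape job; a bare `up == 0` fires for every target Prometheus scrapes.
        expr: up{job="harbor"} == 0
        for: 5m
        labels:
          severity: critical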