Harbor Image Management
Overview of Harbor image management
Harbor is an enterprise-grade registry that covers the whole image lifecycle: pushing, pulling, replication, vulnerability scanning, signing and cleanup. Images are managed through three interfaces that this page uses interchangeably: the web UI, the docker CLI against the registry, and the REST API under /api/v2.0.
Pushing and pulling images
1. Log in to Harbor
# Log in to the Harbor registry (prompts for username and password)
docker login harbor.example.com
# Non-interactive login: feed the password on stdin instead of passing -p,
# which would leave it in the shell history and visible in the process list
echo "$HARBOR_PASSWORD" | docker login harbor.example.com -u username --password-stdin
2. Push an image
# 1. Tag the local image with the registry host and project path
docker tag nginx:latest harbor.example.com/library/nginx:latest
# 2. Push it to Harbor
docker push harbor.example.com/library/nginx:latest
# Push a specific version tag (tag it the same way first)
docker push harbor.example.com/library/nginx:v1.20.0
3. Pull an image
# Pull by tag
docker pull harbor.example.com/library/nginx:latest
# Pull a specific version tag
docker pull harbor.example.com/library/nginx:v1.20.0
# Tags are mutable; where the exact content matters, pull by the digest that
# docker push printed (image@sha256:...) rather than by tag
4. Multi-architecture images
# Build for two platforms and push the resulting manifest list straight to Harbor
# (--push requires a prior docker login; Harbor shows the list as one artifact with child images)
docker buildx build --platform linux/amd64,linux/arm64 \
  -t harbor.example.com/library/myapp:latest \
  --push .
Project management
1. Create a project
Through the web UI:
- Log in to the Harbor web UI
- Open the "Projects" menu
- Click "New Project"
- Enter the project name
- Choose the access level (public or private; private is the safe default, public projects allow anonymous pulls)
- Click "OK"
2. Project configuration
The same project can be created through the REST API. Harbor12345 is the well-known default admin password; change it after installation, and give automation a robot account with only the permissions it needs rather than the admin login used in these examples.
# Create a project through the API
curl -X POST \
  "https://harbor.example.com/api/v2.0/projects" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{
    "project_name": "myproject",
    "public": false,
    "metadata": {
      "auto_scan": "true",
      "severity": "high"
    }
  }'
The severity value is the threshold of the pull gate and is only enforced when the project's prevent_vul setting is also "true"; on its own it changes nothing, scans run but no pull is blocked.
3. Project roles
A project member holds one of these roles (the role_id used by the members API is given in parentheses):
- Project Admin (1): full control of the project, including managing members and project settings
- Maintainer (4): Developer rights plus triggering scans, deleting artifacts and viewing replication jobs; cannot manage members
- Developer (2): push and pull
- Guest (3): pull only
- Limited Guest (5): pull only, without access to the project's logs or member list
Image scanning and security
1. Vulnerability scanning
Harbor ships with Trivy as its built-in scanner (Clair is no longer bundled) and can attach other scanners through its pluggable scanner interface. New pushes are scanned automatically when the project's auto_scan setting is on; a scan can also be requested for one artifact.
# Trigger a scan manually (the reference can be a tag or a sha256 digest)
curl -X POST \
  "https://harbor.example.com/api/v2.0/projects/myproject/repositories/nginx/artifacts/latest/scan" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
2. Scan policy settings
# Project metadata controlling scanning (set in the API body above or under Project > Configuration)
metadata:
  auto_scan: "true"                 # scan every newly pushed artifact
  prevent_vul: "true"               # refuse pulls of artifacts that fail the severity check
  severity: "high"                  # threshold: blocks High and Critical findings; has no effect unless prevent_vul is on
  reuse_sys_cve_allowlist: "true"   # apply the system-wide CVE allowlist in addition to the project's own
3. Viewing the vulnerability report
In the web UI:
- Open the project
- Select the repository
- Click the artifact (tag or digest)
- Open the "Vulnerabilities" tab; the report lists each CVE with package, installed version, fixed version and severity
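The pull gate that prevent_vul and severity describe can be reproduced offline from a scan report. The following Python is an added example, not Harbor's own code: it applies the same rule Harbor applies (refuse the pull if any finding is at or above the threshold and not on the CVE allowlist) to a report laid out like the one GET .../artifacts/{reference}/additions/vulnerabilities returns. The report contents, package names and CVE ids are constructed for the example.

```python
"""Reproduce Harbor's prevent_vul gate over a vulnerability report.

Added example; not Harbor's own code. Harbor refuses a pull when the
artifact's report holds at least one vulnerability whose severity is at or
above the project's `severity` setting and whose id is not on the CVE
allowlist. SAMPLE_REPORT is constructed data, not real scanner output.
"""
from __future__ import annotations

from typing import Iterable

# Harbor's severity scale, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"


def rank(severity: str) -> int:
    """Numeric rank of a severity label; unrecognised labels rank lowest."""
    try:
        return SEVERITY_ORDER.index(severity.capitalize())
    except ValueError:
        return 0


def blocking_vulns(report: dict, threshold: str, allowlist: Iterable[str] = ()) -> list[dict]:
    """Vulnerabilities that would make Harbor refuse the pull.

    `threshold` uses the project-metadata vocabulary: none, low, medium,
    high or critical. Allowlisted CVE ids are skipped, as Harbor's CVE
    allowlist does; comparison is case-insensitive.
    """
    if threshold.lower() == "none":
        return []
    allowed = {cve.upper() for cve in allowlist}
    cutoff = rank(threshold)
    vulns = report.get(REPORT_MIME, {}).get("vulnerabilities", [])
    return [
        v for v in vulns
        if rank(v.get("severity", "Unknown")) >= cutoff
        and v.get("id", "").upper() not in allowed
    ]


def pull_allowed(report: dict, threshold: str, allowlist: Iterable[str] = ()) -> bool:
    """True when the artifact passes the gate and may be pulled."""
    return not blocking_vulns(report, threshold, allowlist)


def fixable_ids(report: dict) -> list[str]:
    """CVE ids that have a fix_version: the findings a rebuild can actually clear."""
    vulns = report.get(REPORT_MIME, {}).get("vulnerabilities", [])
    return [v["id"] for v in vulns if v.get("fix_version")]


# Constructed sample report for harbor.example.com/library/nginx:latest.
SAMPLE_REPORT = {
    REPORT_MIME: {
        "generated_at": "2024-01-01T00:00:00Z",
        "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "v0.50.0"},
        "severity": "Critical",
        "vulnerabilities": [
            {"id": "CVE-2023-0001", "package": "openssl", "version": "3.0.1",
             "fix_version": "3.0.2", "severity": "Critical"},
            {"id": "CVE-2023-0002", "package": "zlib", "version": "1.2.11",
             "fix_version": "", "severity": "High"},
            {"id": "CVE-2023-0003", "package": "bash", "version": "5.1",
             "fix_version": "5.2", "severity": "Low"},
        ],
    }
}

if __name__ == "__main__":
    for threshold in ("critical", "high", "low"):
        hits = [v["id"] for v in blocking_vulns(SAMPLE_REPORT, threshold, ["CVE-2023-0001"])]
        print(f"threshold={threshold:8} pull_allowed={not hits} blocking={hits}")
```

Running it shows why an allowlist entry is not a free pass: allowlisting CVE-2023-0001 lets the artifact through at the "critical" threshold, but at "high" the unfixable zlib finding still blocks it, which is the situation where teams tend to lower the threshold instead of fixing the base image.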
Image replication
1. Create a replication rule
Replication first needs the remote registry registered as an endpoint; the id in the response is what the policy refers to. Harbor stores the endpoint credential, so use a dedicated account on the target with only the permissions replication needs. Leaving insecure at false keeps TLS certificate verification on.
# Register the target registry (replication endpoint)
curl -X POST \
  "https://harbor.example.com/api/v2.0/registries" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{
    "name": "target-harbor",
    "type": "harbor",
    "url": "https://target-harbor.example.com",
    "credential": {
      "type": "basic",
      "access_key": "admin",
      "access_secret": "TargetHarbor12345"
    },
    "insecure": false
  }'
# Create the replication policy: src_registry null means this Harbor is the source,
# dest_registry.id is the endpoint id returned above, and event_based replicates on every push
curl -X POST \
  "https://harbor.example.com/api/v2.0/replication/policies" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{
    "name": "replicate-to-target",
    "src_registry": null,
    "dest_registry": {
      "id": 1
    },
    "trigger": {
      "type": "event_based"
    },
    "filters": [
      {
        "type": "name",
        "value": "library/**"
      }
    ],
    "dest_namespace": "library",
    "dest_namespace_replace_count": 1,
    "speed": -1,
    "override": true
  }'
The name filter library/** matches every repository under the library project; speed -1 means no bandwidth limit, and override true lets the source overwrite a tag that already exists at the destination.
2. Trigger a replication manually
# Start an execution of policy 1 now (independent of its trigger type)
curl -X POST \
  "https://harbor.example.com/api/v2.0/replication/executions" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{
    "policy_id": 1
  }'
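A replication job reporting success says nothing about whether the destination still matches the source later (a tag can be overwritten locally, or a run can be skipped). The following Python is an added example, not a Harbor feature: it compares the artifact listings that GET /api/v2.0/projects/{project}/repositories/{repo}/artifacts returns on the two registries and reports tags that are missing at the destination or that resolve to a different digest, which is the integrity check tag names alone cannot give. Both listings below are constructed sample data.

```python
"""Compare source and destination artifact listings after replication.

Added example, not part of Harbor. Each listing is the JSON array returned
by GET .../repositories/{repo}/artifacts on one registry; every element has
a manifest digest and a list of tags (None when untagged). SRC and DST are
constructed, not fetched from a real registry.
"""
from __future__ import annotations


def tag_index(artifacts: list[dict]) -> dict[str, str]:
    """Map tag name -> manifest digest for one repository listing.
    Untagged artifacts cannot be matched by name and are skipped."""
    index: dict[str, str] = {}
    for art in artifacts:
        for tag in art.get("tags") or []:
            index[tag["name"]] = art["digest"]
    return index


def replication_diff(source: list[dict], dest: list[dict]) -> dict[str, list[str]]:
    """Tags missing at the destination, tags whose digest differs, and
    tags that exist only at the destination (replication never removes those)."""
    src, dst = tag_index(source), tag_index(dest)
    return {
        "missing": sorted(t for t in src if t not in dst),
        "mismatched": sorted(t for t in src if t in dst and src[t] != dst[t]),
        "extra": sorted(t for t in dst if t not in src),
    }


def replication_consistent(source: list[dict], dest: list[dict]) -> bool:
    """True when every source tag exists at the destination with the same digest."""
    diff = replication_diff(source, dest)
    return not diff["missing"] and not diff["mismatched"]


# Constructed listings for library/nginx on the source and target Harbor.
SRC = [
    {"digest": "sha256:aaaa", "tags": [{"name": "latest"}, {"name": "v1.20.0"}]},
    {"digest": "sha256:bbbb", "tags": [{"name": "v1.19.0"}]},
    {"digest": "sha256:cccc", "tags": None},  # untagged: a superseded build
]
DST = [
    {"digest": "sha256:aaaa", "tags": [{"name": "v1.20.0"}]},
    {"digest": "sha256:dddd", "tags": [{"name": "v1.19.0"}]},  # stale or overwritten locally
    {"digest": "sha256:eeee", "tags": [{"name": "hotfix"}]},   # pushed directly to the target
]

if __name__ == "__main__":
    print(replication_diff(SRC, DST))
    print("consistent:", replication_consistent(SRC, DST))
```

A mismatched tag is the finding to act on: either the event-based run never happened, or someone pushed to the destination directly, which override true will silently revert on the next replication of that tag.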
Image signing and verification
Notary and Docker Content Trust were removed from Harbor in v2.6; current releases verify Cosign signatures (since 2.5) and Notation signatures (since 2.9) that are stored next to the artifact, enforced through the project's deployment-security setting. The steps below apply to Harbor releases that still run the Notary service on port 4443.
1. Notary setup
# Install the Notary client
wget https://github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64
chmod +x notary-Linux-amd64
sudo mv notary-Linux-amd64 /usr/local/bin/notary
2. Signing an image
# Point Docker Content Trust at Harbor's Notary server
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://harbor.example.com:4443
# Tag, then push; with content trust on, the push signs the tag.
# The first push creates the root and repository keys under ~/.docker/trust/private and
# prompts for their passphrases; keep an offline backup of the root key, losing it means
# no new tags can be signed for the repository.
docker tag nginx:latest harbor.example.com/library/nginx:signed
docker push harbor.example.com/library/nginx:signed
3. Verifying an image
# With DOCKER_CONTENT_TRUST=1 still set, the pull fails unless the tag carries a valid signature
docker pull harbor.example.com/library/nginx:signed
# List the signed tags and the digests they attest
notary -s https://harbor.example.com:4443 \
  -d ~/.docker/trust \
  list harbor.example.com/library/nginx
Image cleanup and garbage collection
1. Delete tags and artifacts
# Delete one tag only; the manifest stays while other tags still reference it
curl -X DELETE \
  "https://harbor.example.com/api/v2.0/projects/myproject/repositories/nginx/artifacts/latest/tags/latest" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
# Delete the whole artifact: the reference (tag or digest) resolves to a manifest,
# and that manifest is removed together with every tag attached to it
curl -X DELETE \
  "https://harbor.example.com/api/v2.0/projects/myproject/repositories/nginx/artifacts/latest" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
Deleting through the API only removes the reference; the layer blobs stay on disk until garbage collection runs.
2. Garbage collection
Garbage collection is started from Administration > Clean Up > Garbage Collection in the UI or through the system GC API; there is no docker exec entrypoint for it. Run it with dry_run first on a busy registry to see what would be removed.
# Run garbage collection once, now, also removing artifacts that have no tag
curl -X POST \
  "https://harbor.example.com/api/v2.0/system/gc/schedule" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{"schedule": {"type": "Manual"}, "parameters": {"delete_untagged": true}}'
# Schedule it daily at 02:00 (PUT updates an existing schedule; Harbor cron has six fields, the first is seconds)
curl -X PUT \
  "https://harbor.example.com/api/v2.0/system/gc/schedule" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{"schedule": {"type": "Custom", "cron": "0 0 2 * * *"}, "parameters": {"delete_untagged": true}}'
3. GC parameters
# The "parameters" object accepted by the GC schedule API
parameters:
  delete_untagged: true   # also remove artifacts that carry no tag
  dry_run: false          # true reports what would be removed without deleting anything
Age- and count-based retention of tags is a separate feature (Project > Policy > Tag Retention), which decides which artifacts to delete; GC only reclaims the space of what has already been deleted.
Image access control
1. Project-based access control
# Assign a project role to a user
# role_id: 1 = Project Admin, 2 = Developer, 3 = Guest, 4 = Maintainer, 5 = Limited Guest
curl -X POST \
  "https://harbor.example.com/api/v2.0/projects/myproject/members" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -u "admin:Harbor12345" \
  -d '{
    "member_user": {
      "username": "developer"
    },
    "role_id": 2
  }'
Grant the lowest role that does the job: CI pipelines that only build need Developer, deployment targets that only pull need Guest or Limited Guest.
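The project-creation call under "Project configuration" and the member call above are the two requests an onboarding script makes, and the places it goes wrong are the metadata (severity without prevent_vul) and the role ids. The following Python is an added example, not Harbor's own client: it builds both request bodies, validates roles and severities against Harbor's vocabulary, and sends them through an injectable transport so the logic runs offline with fake_send; urllib_sender is the real HTTPS transport. The project and member names are assumptions for the example.

```python
"""Provision a locked-down Harbor project and grant least-privilege roles.

Added example; not Harbor's own client. It builds the bodies for
POST /api/v2.0/projects and POST /api/v2.0/projects/{name}/members and
sends them through an injected `send` callable, so the logic can be run
offline with `fake_send`. Names used in __main__ are assumptions.
"""
from __future__ import annotations

import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# role_id values used by the members API.
ROLE_IDS = {"projectAdmin": 1, "developer": 2, "guest": 3, "maintainer": 4, "limitedGuest": 5}
SEVERITIES = ("none", "low", "medium", "high", "critical")

# send(method, path, json_body) -> (http_status, decoded_json)
Sender = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def project_request(name: str, severity: str = "high") -> dict:
    """Private project, auto-scan on, pulls refused at or above `severity`."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    return {
        "project_name": name,
        "public": False,
        "metadata": {
            "public": "false",
            "auto_scan": "true",
            "prevent_vul": "true",  # severity is only enforced with this on
            "severity": severity,
            "reuse_sys_cve_allowlist": "true",
        },
    }


def member_request(username: str, role: str) -> dict:
    """Body for adding an existing Harbor user to the project with one role."""
    if role not in ROLE_IDS:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(ROLE_IDS)}")
    return {"role_id": ROLE_IDS[role], "member_user": {"username": username}}


def provision(send: Sender, name: str, members: dict[str, str], severity: str = "high") -> list[str]:
    """Create the project, then add each member; return a log of the calls made.
    HTTP 409 (already exists) counts as success so the script is re-runnable."""
    status, _ = send("POST", "/api/v2.0/projects", project_request(name, severity))
    if status not in (201, 409):
        raise RuntimeError(f"creating project {name} failed: HTTP {status}")
    log = [f"POST /api/v2.0/projects -> {status}"]
    for user, role in members.items():
        path = f"/api/v2.0/projects/{name}/members"
        status, _ = send("POST", path, member_request(user, role))
        if status not in (201, 409):
            raise RuntimeError(f"adding {user} as {role} failed: HTTP {status}")
        log.append(f"POST {path} {user}:{role} -> {status}")
    return log


def urllib_sender(base_url: str, user: str, password: str) -> Sender:
    """Real transport: HTTP basic auth over HTTPS, certificate verification left on.
    Put a robot account's credential here, not the admin password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json",
               "Accept": "application/json"}

    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            return err.code, {}

    return send


def fake_send(method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
    """Offline stand-in for urllib_sender: checks the body serialises, answers 201."""
    json.dumps(body)
    return 201, {}


if __name__ == "__main__":
    # Real use: provision(urllib_sender("https://harbor.example.com", ROBOT_NAME, ROBOT_SECRET), ...)
    for line in provision(fake_send, "myproject", {"ci-bot": "developer", "auditor": "limitedGuest"}):
        print(line)
```

Treating 409 as success is deliberate: the script can be re-run after a partial failure without first checking what exists, which is what makes it safe to put in a pipeline.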
2. LDAP/AD integration
# LDAP settings; with auth_mode set to ldap_auth, Harbor keeps these as the ldap_url,
# ldap_search_dn, ldap_search_password, ldap_base_dn, ldap_uid, ldap_filter, ldap_scope
# and ldap_timeout keys of the configurations API
ldap:
  url: ldaps://ldap.example.com:636      # LDAPS only; keep ldap_verify_cert enabled
  search_dn: cn=admin,dc=example,dc=com  # bind account; use a read-only service account, not the directory admin
  search_password: ldap_password         # stored server-side, rotate it like any other credential
  base_dn: dc=example,dc=com
  uid: uid                               # attribute matched against the login name (sAMAccountName on AD)
  filter: (objectClass=person)
  scope: 2                               # 0 = base, 1 = one level, 2 = subtree
  connection_timeout: 5                  # seconds
Image tag management
1. Tagging strategy
# Semantic version tags
docker tag myapp:latest harbor.example.com/myproject/myapp:v1.0.0
docker push harbor.example.com/myproject/myapp:v1.0.0
# Git commit id as the tag, so a running image can be traced back to its source revision
docker tag myapp:latest harbor.example.com/myproject/myapp:$(git rev-parse --short HEAD)
docker push harbor.example.com/myproject/myapp:$(git rev-parse --short HEAD)
2. Pushing several tags at once
# All three tags point at the same manifest (same digest); the layers are uploaded only once
for tag in latest v1.0 v1.0.0; do
  docker tag myapp:latest harbor.example.com/myproject/myapp:$tag
  docker push harbor.example.com/myproject/myapp:$tag
done
Image auditing and monitoring
1. Audit logs
Harbor records who pushed, pulled, created or deleted which resource and when; the log is the first place to look after an unexpected deletion or an unfamiliar pull.
# Read the audit log (newest entries first)
curl -X GET \
  "https://harbor.example.com/api/v2.0/audit-logs?sort=-op_time" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
# Only deletions: list endpoints accept q=key=value filters
curl -X GET \
  "https://harbor.example.com/api/v2.0/audit-logs?q=operation=delete&sort=-op_time" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
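Reading the log by hand does not scale; the entries above are meant to be fed to detection rules. The following Python is an added example, not a Harbor feature: it runs three rules over the JSON array the audit-logs endpoint returns (fields id, username, resource, resource_type, operation, op_time), flagging every artifact deletion, a user deleting several artifacts within a short window, and project deletions. SAMPLE_LOG is constructed data; the usernames and repositories in it are invented for the example.

```python
"""Detection rules over Harbor audit-log entries.

Added example, not part of Harbor. Input is the JSON array returned by
GET /api/v2.0/audit-logs. SAMPLE_LOG is constructed, not a captured log.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(ts: str) -> datetime:
    """Harbor emits RFC 3339 timestamps ending in 'Z'; return a tz-aware datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def detect(entries: list[dict], burst: int = 3, window_minutes: int = 10) -> list[str]:
    """Return findings in chronological order.

    burst/window_minutes: flag a user once when they delete `burst`
    artifacts within `window_minutes` (sliding window per user).
    """
    window = timedelta(minutes=window_minutes)
    findings: list[str] = []
    recent_deletes: dict[str, list[datetime]] = defaultdict(list)
    for e in sorted(entries, key=lambda x: parse_time(x["op_time"])):
        op, kind, user, res = e["operation"], e["resource_type"], e["username"], e["resource"]
        when = parse_time(e["op_time"])
        if op == "delete" and kind == "artifact":
            findings.append(f"artifact deleted: {res} by {user} at {e['op_time']}")
            recent = [t for t in recent_deletes[user] if when - t <= window] + [when]
            recent_deletes[user] = recent
            if len(recent) == burst:
                findings.append(f"delete burst: {user} removed {burst} artifacts within {window_minutes} min")
        elif op == "delete" and kind == "project":
            findings.append(f"project deleted: {res} by {user} at {e['op_time']}")
    return findings


# Constructed audit-log sample.
SAMPLE_LOG = [
    {"id": 1, "username": "ci-bot", "resource": "library/nginx:v1.20.0", "resource_type": "artifact",
     "operation": "create", "op_time": "2024-03-01T01:00:00.000Z"},
    {"id": 2, "username": "dev", "resource": "library/nginx:v1.20.0", "resource_type": "artifact",
     "operation": "pull", "op_time": "2024-03-01T01:05:00.000Z"},
    {"id": 3, "username": "mallory", "resource": "library/nginx:v1.18.0", "resource_type": "artifact",
     "operation": "delete", "op_time": "2024-03-01T02:00:00.000Z"},
    {"id": 4, "username": "mallory", "resource": "library/nginx:v1.19.0", "resource_type": "artifact",
     "operation": "delete", "op_time": "2024-03-01T02:01:00.000Z"},
    {"id": 5, "username": "ops", "resource": "myproject/old:v0.1", "resource_type": "artifact",
     "operation": "delete", "op_time": "2024-03-01T02:02:00.000Z"},
    {"id": 6, "username": "mallory", "resource": "library/nginx:v1.20.0", "resource_type": "artifact",
     "operation": "delete", "op_time": "2024-03-01T02:03:00.000Z"},
    {"id": 7, "username": "admin", "resource": "oldproject", "resource_type": "project",
     "operation": "delete", "op_time": "2024-03-01T03:00:00.000Z"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The burst rule fires once per user per window rather than on every deletion after the threshold, so a bulk cleanup by a maintainer produces one alert to triage, not dozens.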
2. Monitoring
# System information (version, auth mode, whether the registry is read-only)
curl -X GET \
  "https://harbor.example.com/api/v2.0/systeminfo" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
# Counts of projects and repositories visible to the caller
curl -X GET \
  "https://harbor.example.com/api/v2.0/statistics" \
  -H "accept: application/json" \
  -u "admin:Harbor12345"
For continuous monitoring Harbor can also expose Prometheus metrics (the metric section of harbor.yml enables an exporter on its own port), which is the usual source for dashboards and alerts rather than polling these endpoints.
Image management best practices
1. Image naming conventions
# Recommended image name layout
# registry/project/application:version-tag
harbor.example.com/myproject/myapp:v1.0.0
harbor.example.com/myproject/myapp:latest
harbor.example.com/myproject/myapp:develop-$(git rev-parse --short HEAD)
Tags are mutable: latest, and even v1.0.0, can be re-pushed. Deployments that must be reproducible should record the digest (myapp@sha256:...) that docker push prints and pull by it.
2. Image security policy
# Project security settings
metadata:
  auto_scan: "true"        # scan every push automatically
  prevent_vul: "true"      # refuse pulls of artifacts that fail the severity check (Harbor can block the pull, not the run of an image already pulled)
  severity: "critical"     # block only Critical findings; "high" also blocks High, "low" blocks everything rated Low or above
3. Image lifecycle management
#!/bin/bash
# Retention script: keep the 10 most recently pushed artifacts of one repository
set -euo pipefail
HARBOR="https://harbor.example.com"
PROJECT="myproject"
REPO="myapp"
AUTH="${HARBOR_USER}:${HARBOR_PASS}"   # a robot account with delete permission, not the admin password
# Order by push_time, not by tag name: tag strings sort lexicographically, so v1.10.0 would
# sort before v1.9.0. Delete by digest: DELETE .../artifacts/{reference} removes the whole
# manifest with every tag attached to it, whichever reference was used.
DIGESTS=$(curl -sf -u "$AUTH" \
  "$HARBOR/api/v2.0/projects/$PROJECT/repositories/$REPO/artifacts?page_size=100" \
  | jq -r 'sort_by(.push_time) | reverse | .[10:] | .[].digest')
for digest in $DIGESTS; do
  curl -sf -X DELETE -u "$AUTH" \
    "$HARBOR/api/v2.0/projects/$PROJECT/repositories/$REPO/artifacts/$digest"
done
Harbor's own Tag Retention policies (Project > Policy > Tag Retention) implement this without a script and are the better choice; a script like this needs a garbage-collection run afterwards to reclaim the space.
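The selection step of such a script is where mistakes cost data: sorting by tag name, deleting by tag when several tags share a manifest, and removing latest because it happens to be old. The following Python is an added example, not Harbor's retention engine (which should be preferred): it takes the artifact listing from GET .../repositories/{repo}/artifacts, orders by push_time, skips artifacts carrying a protected tag, and returns the digests and API paths to delete. The artifact listing, protected-tag set and repository names are constructed for the example.

```python
"""Pick artifacts to delete when keeping only the newest N.

Added example, not Harbor's own retention engine. Input is the JSON array
returned by GET .../repositories/{repo}/artifacts (fields digest,
push_time, tags). Artifacts are ordered by push_time, never by tag string,
and identified by digest, because DELETE .../artifacts/{reference} removes
the manifest with every tag attached to it. SAMPLE_ARTIFACTS is constructed.
"""
from __future__ import annotations

from datetime import datetime
from urllib.parse import quote

# Tags a cleanup must never remove, whatever their age (assumption for this example).
PROTECTED_TAGS = {"latest", "stable"}


def parse_time(ts: str) -> datetime:
    """Harbor emits RFC 3339 timestamps ending in 'Z'; return a tz-aware datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def tag_names(artifact: dict) -> set[str]:
    return {t["name"] for t in (artifact.get("tags") or [])}


def select_for_deletion(artifacts: list[dict], keep: int = 10,
                        protected: set[str] = PROTECTED_TAGS) -> list[str]:
    """Digests of everything beyond the `keep` most recent pushes, except
    artifacts that carry a protected tag. Untagged artifacts are treated
    like any other: old ones go."""
    newest_first = sorted(artifacts, key=lambda a: parse_time(a["push_time"]), reverse=True)
    return [a["digest"] for a in newest_first[keep:] if not (tag_names(a) & protected)]


def delete_paths(project: str, repo: str, digests: list[str]) -> list[str]:
    """API paths to DELETE, one per artifact. A repository name containing '/'
    must be percent-encoded (%2F) in the path, otherwise Harbor routes it wrongly."""
    repo_segment = quote(repo, safe="")
    return [f"/api/v2.0/projects/{project}/repositories/{repo_segment}/artifacts/{d}" for d in digests]


# Constructed listing for myproject/myapp; note v1.10.0 is the newest push
# although "v1.9.0" sorts after it as a string.
SAMPLE_ARTIFACTS = [
    {"digest": "sha256:1111", "push_time": "2024-03-05T10:00:00.000Z",
     "tags": [{"name": "v1.10.0"}, {"name": "latest"}]},
    {"digest": "sha256:2222", "push_time": "2024-03-04T10:00:00.000Z", "tags": [{"name": "v1.9.0"}]},
    {"digest": "sha256:3333", "push_time": "2024-03-03T10:00:00.000Z", "tags": [{"name": "v1.3.0"}]},
    {"digest": "sha256:4444", "push_time": "2024-03-02T10:00:00.000Z", "tags": [{"name": "stable"}]},
    {"digest": "sha256:5555", "push_time": "2024-03-01T10:00:00.000Z", "tags": None},
]

if __name__ == "__main__":
    doomed = select_for_deletion(SAMPLE_ARTIFACTS, keep=2)
    for path in delete_paths("myproject", "myapp", doomed):
        print("DELETE", path)
```

With keep=2 the newest two pushes survive, the artifact tagged stable is skipped although it is older, and the untagged build is removed; an unfiltered listing larger than one page would need the page parameter walked before selection, otherwise the oldest artifacts are never seen.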
Common image management commands

| Command | Description |
|---|---|
| docker login harbor.example.com | Log in to Harbor |
| docker tag image harbor.example.com/project/image:tag | Tag an image for Harbor |
| docker push harbor.example.com/project/image:tag | Push an image |
| docker pull harbor.example.com/project/image:tag | Pull an image |
| curl -u user:pass https://harbor.example.com/api/v2.0/projects | List projects |
| curl -X POST -u user:pass -H "Content-Type: application/json" -d '{"schedule":{"type":"Manual"}}' https://harbor.example.com/api/v2.0/system/gc/schedule | Run garbage collection now |
Summary
Harbor provides the full set of image management functions, and with sensible configuration it serves as a controlled supply point for enterprise container images. In practice that means private projects with least-privilege roles, a consistent naming and tagging scheme with digests recorded for deployments, scanning with prevent_vul enforced, signature verification, and scheduled retention and garbage collection, so the registry stays both trustworthy and manageable.