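Configuring an External Database for Harbor

Also published on schnappi618’s blog

By default, Harbor installs and uses the official packaged PostgreSQL Docker image goharbor/harbor-db, and all data generated after Harbor starts is stored in that database. This can make later management inconvenient, so here Harbor is configured to use an external database.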

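I. Setting Up the PostgreSQL Database

Since version 1.6, Harbor supports only PostgreSQL as an external database, so a PostgreSQL database has to be set up. This is currently a test environment, so only a single node is installed and no primary/standby replication is configured. The steps are as follows:

1. Installation

- OS version: CentOS 7

## 1. Install dependency packages
yum install -y cmake gcc gcc-c++ perl readline readline-devel openssl openssl-devel zlib zlib-devel ncurses-devel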

## 2. Install PostgreSQL from source
[postgres@xxxx dba]$ wget https://ftp.postgresql.org/pub/source/v12.2/postgresql-12.2.tar.gz
[postgres@xxxx dba]$ tar zxf postgresql-12.2.tar.gz 
[postgres@xxxx dba]$ cd postgresql-12.2
[postgres@xxxx postgresql-12.2]$ ./configure --prefix=/usr/local/postgresql
[postgres@xxxx postgresql-12.2]$ make && make install
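### configure was given an install prefix here, so the bin directory under that prefix needs to be added to PATH for convenient use later; alternatively, omit the prefix and install to the default path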

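2. Configuration

# 1. Create the data directory
[postgres@xxxx data]$ mkdir -p /work/harbor-db/data
# 2. Create the log directory
[postgres@xxxx data]$ mkdir -p /work/harbor-db/log
# 3. Create the socket directory
[postgres@xxxx data]$ mkdir -p /work/harbor-db/tmp
# 4. Set ownership
[postgres@xxxx data]$ chown -R postgres:postgres /work/harbor-db/
# 5. Initialize the PostgreSQL instance
[postgres@xxxx data]$ initdb --username=postgres -D /work/harbor-db/data/

## PostgreSQL and Harbor are not on the same host here, so besides postgresql.conf the client authentication file pg_hba.conf also has to be modified; if both run on the same host with no network or authentication requirements, it can be left unchanged
# 6. Edit the initialized configuration file as needed; the changed settings are: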
[postgres@xxxx data]$ vim /work/harbor-db/data/postgresql.conf
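 # Data directory
data_directory = '/work/harbor-db/data'
 # Address clients can connect to; defaults to localhost, leave unchanged if not needed; * means all
listen_addresses = '*'
 # Port
port = 7002
 # Maximum number of connections allowed
max_connections = 100
 # Socket directory and permissions
unix_socket_directories = '/work/harbor-db/tmp'
unix_socket_group = ''
unix_socket_permissions = 0777
 # Memory size
shared_buffers = 128MB
 # Time zone
timezone = 'Asia/Shanghai'

 # Logging:
 ## Whether to enable logging
logging_collector = on
 ## Log directory
log_directory = '/work/harbor-db/log'
 ## Maximum size of each log file
log_rotation_size = 1GB
 ## Log time zone
log_timezone = 'Asia/Shanghai'
 ## Log SQL statements that run longer than 100 ms together with their duration, equivalent to a slow query log
log_min_duration_statement = 100

## Remote connections are needed here, so a client authentication rule has to be added to pg_hba.conf; configure it to suit your needs, and skip this file if remote access is not required
[postgres@xxxx data]$ vim pg_hba.conf 
# Append at the end of the file; the rule below allows the host(s) matching ADDRESS to access all databases of this instance as the harbor user
# TYPE  DATABASE        USER            ADDRESS                 METHOD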
host    all             harbor             x.x.x.x/x           trust
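
The pg_hba.conf rule above uses the trust method, which admits the matching user without checking any password, and postgresql.conf listens on every interface with a world-writable socket. The following audit of both files is an added example, not part of the original post: the function names are hypothetical and the sample files are constructed to mirror the post's settings (192.0.2.0/24 stands in for x.x.x.x/x).

```shell
# Added example, not from the original post; function names are hypothetical.

# audit_pg_hba FILE: print one finding per weak client-authentication rule.
audit_pg_hba() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        # local rules have no ADDRESS column; ADDRESS may also be IP plus netmask
        src = $4; method = $5
        if ($1 == "local") { src = "unix socket"; method = $4 }
        else if ($5 ~ /^[0-9]+\.[0-9.]+$/ || $5 ~ /:/) { src = $4 "/" $5; method = $6 }
        if (method == "trust" && $1 != "local")
            printf "HIGH line %d: trust for user %s from %s, no password is checked\n", NR, $3, src
        else if (method == "password")
            printf "HIGH line %d: cleartext password for user %s from %s\n", NR, $3, src
        else if (method == "md5")
            printf "WARN line %d: md5 for user %s from %s, prefer scram-sha-256\n", NR, $3, src
    }' "$1"
}

# audit_pg_conf FILE: flag exposure-related settings in postgresql.conf.
audit_pg_conf() {
    tr -d "'" < "$1" | awk -F= '
    /^[ \t]*(#|$)/ { next }
    {
        key = $1; val = $2
        sub(/#.*/, "", val)                      # drop a trailing comment
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        conf[key] = val
    }
    END {
        if (conf["listen_addresses"] == "*")
            print "WARN listen_addresses=* binds every interface"
        if (conf["unix_socket_permissions"] ~ /[2367]$/)   # write bit for others
            print "WARN unix_socket_permissions=" conf["unix_socket_permissions"] " is world-writable"
        if (conf["ssl"] != "on")
            print "WARN ssl is not on, traffic is unencrypted"
    }'
}

# Constructed sample files mirroring the settings shown in this post.
demo_dir=$(mktemp -d)
printf '%s\n' '# TYPE DATABASE USER ADDRESS METHOD' 'local all all trust' \
    'host all harbor 192.0.2.0/24 trust' \
    'host harbor harbor 192.0.2.10/32 scram-sha-256' > "$demo_dir/pg_hba.conf"
printf '%s\n' "listen_addresses = '*'" 'port = 7002' \
    'unix_socket_permissions = 0777' > "$demo_dir/postgresql.conf"
audit_pg_hba "$demo_dir/pg_hba.conf"
audit_pg_conf "$demo_dir/postgresql.conf"
```

Switching the harbor rule to scram-sha-256 also requires password_encryption = scram-sha-256 to be set before the role's password is created, because PostgreSQL 12 hashes passwords with md5 by default.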

3. Start

[postgres@xxxx data]$ su - postgres
## Use either one of the following ways to start
[postgres@xxxx data]$ pg_ctl -D /work/harbor-db/data/ -l /work/harbor-db/log/start.log start

Or start it with the command postgres -D /work/harbor-db/data > /work/harbor-db/log/start.log 2>&1 &

4. Login test

## 1. Local test
# After installation there is a postgres user, equivalent to MySQL's root user, with no password by default
[postgres@xxxx data]$ psql -h 127.0.0.1 -p 7002 -U postgres
psql (12.2)
Type "help" for help.
### Change the postgres user's password
postgres=# \password postgres
Enter new password: 
Enter it again: 
### Create the harbor user, create the databases Harbor uses, and grant privileges
postgres=# create user harbor with password 'harbor123';
CREATE ROLE
postgres=# CREATE DATABASE harbor;
CREATE DATABASE
postgres=# create database harbor_clair;
CREATE DATABASE
postgres=# create database harbor_notary_server;
CREATE DATABASE
postgres=# create database harbor_notary_signer; 
CREATE DATABASE
postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor to harbor;           
GRANT
postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor_clair to harbor;           
GRANT
postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor_notary_server to harbor;            
GRANT
postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor_notary_signer to harbor;                    
GRANT

## 2. Test as the harbor user from a remote host
[root@remote harbor]# psql -h x.x.x.x -p 7002 -U harbor -W 
Password: 
psql (12.2)
Type "help" for help.

harbor=> 

At this point, the PostgreSQL database and its basic configuration are complete.

II. Harbor Configuration

1. Edit the configuration file

[root@remote harbor]# vim harbor.yml
# Uncomment external_database if using external database.
external_database:
  harbor:
    host: x.x.x.x
    port: 7002
    db_name: harbor
    username: harbor
    password: xxxxxxxx
    ssl_mode: disable
    max_idle_conns: 50
    max_open_conns: 100
  clair:
    host: x.x.x.x
    port: 7002
    db_name: harbor_clair
    username: harbor
    password: xxxxxxxx
    ssl_mode: disable
  notary_signer:
    host: x.x.x.x
    port: 7002
    db_name: harbor_notary_signer
    username: harbor
    password: xxxxxxxx
    ssl_mode: disable
  notary_server:
    host: x.x.x.x
    port: 7002
    db_name: harbor_notary_server
    username: harbor
    password: xxxxxxxx

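2. Edit the docker-compose file

With an external database configured, Harbor's own harbor-db image is no longer needed. The install/restart script install.sh shows that installation and related operations are ultimately carried out through docker-compose.yml, so the harbor-db entries in the docker-compose file need to be deleted or commented out. After the change, run sh install.sh to restart the Harbor service.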

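III. Testing and Verification

1. Database verification

Once the Harbor service has restarted, connecting to the external database shows that the database configured above now contains Harbor's tables.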

[root@remote harbor]# psql -h x.x.x.x -p 7002 -U harbor -W 
Password: 
psql (12.2)
Type "help" for help.
# List the databases
harbor=> \l
                                       List of databases
         Name         |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
----------------------+----------+----------+-------------+-------------+-----------------------
 harbor               | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres         +
                      |          |          |             |             | postgres=CTc/postgres+
                      |          |          |             |             | harbor=CTc/postgres
 harbor_clair         | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres         +
                      |          |          |             |             | postgres=CTc/postgres+
                      |          |          |             |             | harbor=CTc/postgres
 harbor_notary_server | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres         +
                      |          |          |             |             | postgres=CTc/postgres+
                      |          |          |             |             | harbor=CTc/postgres
 harbor_notary_signer | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres         +
                      |          |          |             |             | postgres=CTc/postgres+
                      |          |          |             |             | harbor=CTc/postgres
 postgres             | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0            | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
                      |          |          |             |             | postgres=CTc/postgres
 template1            | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
                      |          |          |             |             | postgres=CTc/postgres
(7 rows)
# Connect to the harbor database
harbor=> \c harbor
Password for user harbor: 
You are now connected to database "harbor" as user "harbor".
# List the tables in this database
harbor=> \dt
                 List of relations
 Schema |           Name           | Type  | Owner  
--------+--------------------------+-------+--------
 public | access                   | table | harbor
 public | access_log               | table | harbor
 public | admin_job                | table | harbor
 public | alembic_version          | table | harbor
 public | artifact                 | table | harbor
 public | artifact_blob            | table | harbor
 public | blob                     | table | harbor
 public | cve_whitelist            | table | harbor
 public | harbor_label             | table | harbor
 public | harbor_resource_label    | table | harbor
 public | harbor_user              | table | harbor
 public | immutable_tag_rule       | table | harbor
 public | job_log                  | table | harbor
 public | notification_job         | table | harbor
 public | notification_policy      | table | harbor
 public | oidc_user                | table | harbor
 public | project                  | table | harbor
 public | project_blob             | table | harbor
 public | project_member           | table | harbor
 public | project_metadata         | table | harbor
 public | properties               | table | harbor
 public | quota                    | table | harbor
 public | quota_usage              | table | harbor
 public | registry                 | table | harbor
 public | replication_execution    | table | harbor
 public | replication_policy       | table | harbor
 public | replication_schedule_job | table | harbor
 public | replication_task         | table | harbor
 public | repository               | table | harbor
 public | retention_execution      | table | harbor
 public | retention_policy         | table | harbor
 public | retention_task           | table | harbor
 public | robot                    | table | harbor
 public | role                     | table | harbor
 public | scan_report              | table | harbor
 public | scanner_registration     | table | harbor
 public | schedule                 | table | harbor
 public | schema_migrations        | table | harbor
 public | user_group               | table | harbor
(39 rows)

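## The other three components are not enabled, so their three databases contain no tables; once tables exist in the harbor database, the external database is configured successfully

2. Web UI test

Following the demonstration of creating an image repository in the web UI at the end of the earlier Harbor setup post, create a new image repository and push an image to it; afterwards the records are visible in the database.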

harbor_notary_signer=> \c harbor
Password for user harbor: 
You are now connected to database "harbor" as user "harbor".
# View the operation log: a pingcap repository was created and a tikv:v3.0.12 image was pushed to it, all by the admin user
harbor=> select * from access_log;
 log_id | username | project_id |  repo_name   | repo_tag | guid | operation |          op_time           
--------+----------+------------+--------------+----------+------+-----------+----------------------------
      1 | admin    |          2 | pingcap/     | N/A      |      | create    | 2020-04-08 18:02:50.369493
      2 | admin    |          2 | pingcap/tikv | v3.0.12  |      | push      | 2020-04-08 18:03:48.824079
(2 rows)
# List the current repositories, i.e. projects
harbor=> select * from project;   
 project_id | owner_id |  name   |       creation_time        |        update_time         | deleted 
------------+----------+---------+----------------------------+----------------------------+---------
          1 |        1 | library | 2020-04-08 17:48:10.024358 | 2020-04-08 17:48:10.024358 | f
          2 |        1 | pingcap | 2020-04-08 18:02:50        | 2020-04-08 18:02:50        | f
(2 rows)
# List the current images
harbor=> select * from repository;
 repository_id |     name     | project_id | description | pull_count | star_count |       creation_time        |        update_time         
---------------+--------------+------------+-------------+------------+------------+----------------------------+----------------------------
             1 | pingcap/tikv |          2 |             |          0 |          0 | 2020-04-08 18:03:48.824717 | 2020-04-08 18:03:48.824717
(1 row)

As shown, all results match expectations; configuring and testing Harbor with an external database is complete.
