Upgrading and migrating Harbor from 1.5.1 to 1.6.2

This upgrade went fairly smoothly. My earlier upgrade from 1.2 to 1.5 failed and wiped all the images, so this time I was extremely careful and read the official documentation over and over (mainly because its formatting is so poor), afraid of having everything wiped again. The result was good: the upgrade succeeded.

  • The upstream project has gone through three databases: the original MySQL, then MariaDB, and from 1.6.0 on PostgreSQL
  • On 1.5.1 I had not installed or run the Notary and Clair components
  • After upgrading to 1.6.2 I newly deployed three components: Notary, Clair and Helm Chart (ChartMuseum)

Back up Harbor

Stop Harbor

# cd harbor
# docker-compose down

Back up the current Harbor files so you can roll back to the current version if necessary

# cd ..
# mv harbor harbor-backup

Download the migration tool (the migrator tag is v1.6.0 even though the installer is v1.6.2: the schema migration is from 1.5 to 1.6)

# docker pull goharbor/harbor-migrator:v1.6.0
goharbor/harbor-migrator v1.6.0 22775c4e4066 2 months ago 803MB

Back up the data

# mkdir backup
# docker run -it --rm -e DB_USR=root -e DB_PWD=root123 \
    -v /data/database:/var/lib/mysql \
    -v /root/harbor-backup/harbor.cfg:/harbor-migration/harbor-cfg/harbor.cfg \
    -v /root/backup:/harbor-migration/backup \
    goharbor/harbor-migrator:v1.6.0 backup
......
Backup performed.
Success to backup harbor.cfg.
# ls backup
harbor.cfg registry.sql

Command reference: docker run -it --rm -e DB_USR=root -e DB_PWD={db_pwd} -v ${harbor_db_path}:/var/lib/mysql -v ${harbor_cfg}:/harbor-migration/harbor-cfg/harbor.cfg -v ${backup_path}:/harbor-migration/backup goharbor/harbor-migrator:[tag] backup

Upgrade the database schema and harbor.cfg, and migrate the data

Note: the Notary and Clair DB migrations must be run before Harbor is started.
Note: in v1.6.0, fully migrating the Harbor, Notary and Clair DBs takes three consecutive steps. Since Notary and Clair were not running on my 1.5.1 instance, only the Harbor DB step applies here.

# docker run -it --rm -e DB_USR=root -e DB_PWD=root123 \
    -v /data/database:/var/lib/mysql \
    -v /root/backup/harbor.cfg:/harbor-migration/harbor-cfg/harbor.cfg \
    goharbor/harbor-migrator:v1.6.0 up
Please backup before upgrade,
Enter y to continue updating or n to abort: y
Trying to start mysql server...
Waiting for MySQL start...
......
server stopped
The path of the migrated harbor.cfg is not set, the input file will be overwritten.
input version: 1.5.0, migrator chain: ['1.6.0']
migrating to version 1.6.0
Written new values to /harbor-migration/harbor-cfg/harbor.cfg

Command reference: docker run -it --rm -e DB_USR=root -e DB_PWD={db_pwd} -v ${harbor_db_path}:/var/lib/mysql -v ${harbor_cfg}:/harbor-migration/harbor-cfg/harbor.cfg goharbor/harbor-migrator:[tag] up

Migrate harbor.cfg into the new version's installation directory

The `--cfg up` form migrates only harbor.cfg. The previous step already rewrote /root/backup/harbor.cfg in place (its output says so), so the copy under harbor-backup is still the untouched 1.5.1 original; `grep` shows the active settings of the migrated file before it is copied in.

# docker run -it --rm -v /root/backup/harbor.cfg:/harbor-migration/harbor-cfg/harbor.cfg goharbor/harbor-migrator:v1.6.0 --cfg up
# grep '^[a-z]' backup/harbor.cfg
# tar -zxvf harbor-offline-installer-v1.6.2.tgz
# cd harbor
# mv harbor.cfg harbor.cfg.bak
# cp /root/backup/harbor.cfg /root/harbor

Command reference: docker run -it --rm -v ${harbor_cfg}:/harbor-migration/harbor-cfg/harbor.cfg goharbor/harbor-migrator:[tag] --cfg up
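A check worth running on the copied file before `install.sh`, as an added example that is not part of Harbor or its migrator: it parses harbor.cfg the way the migrator writes it ("key = value" lines, "#" comments, a "_version" header) and fails on anything that would break the install or the Notary step, while only warning about the shipped default passwords. The two sample files are constructed here; `cfg_get` and `check_harbor_cfg` are names introduced for this example.

```sh
#!/bin/sh
# Added example (not Harbor code): sanity-check a migrated harbor.cfg before
# running install.sh. Assumes the 1.6 file layout: "key = value" lines,
# "#" comments, and a "_version" line that the migrator rewrites.
set -eu

# cfg_get FILE KEY: print the value of the first "KEY = value" line, or nothing.
cfg_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                              # skip comments
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)        # keeps "=" inside values
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# check_harbor_cfg FILE: one FAIL/WARN line per finding on stdout.
# Exit status is the number of FAIL lines, so a clean file returns 0.
check_harbor_cfg() {
    cfg="$1"
    fails=0
    v=$(cfg_get "$cfg" _version)
    if [ "$v" != "1.6.0" ]; then
        echo "FAIL _version is '$v', expected 1.6.0 (was the migrator run on this file?)"
        fails=$((fails + 1))
    fi
    if [ -z "$(cfg_get "$cfg" hostname)" ]; then
        echo "FAIL hostname is empty"
        fails=$((fails + 1))
    fi
    if [ "$(cfg_get "$cfg" ui_url_protocol)" != "https" ]; then
        echo "FAIL ui_url_protocol is not https (content trust / Notary needs HTTPS)"
        fails=$((fails + 1))
    fi
    # Shipped defaults: a warning, not a failure, because install.sh accepts them.
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        echo "WARN harbor_admin_password is the shipped default"
    fi
    if [ "$(cfg_get "$cfg" db_password)" = "root123" ]; then
        echo "WARN db_password is the shipped default"
    fi
    return "$fails"
}

# Constructed samples for a stand-alone run (not real config files).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_OK="$SAMPLE_DIR/harbor.cfg"          # what the migrator should have produced
SAMPLE_BAD="$SAMPLE_DIR/harbor-1.5.cfg"     # an unmigrated 1.5.0 file still on HTTP
cat > "$SAMPLE_OK" <<'EOF'
## Configuration file of Harbor
_version = 1.6.0
hostname = 192.168.100.100
ui_url_protocol = https
harbor_admin_password = Harbor12345
db_password = root123
registry_storage_provider_config = region=us-east-1
EOF
cat > "$SAMPLE_BAD" <<'EOF'
_version = 1.5.0
hostname = 192.168.100.100
ui_url_protocol = http
harbor_admin_password = Harbor12345
db_password = root123
EOF

# Usage on a real deployment: check_harbor_cfg /root/harbor/harbor.cfg
for f in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    echo "== $f"
    check_harbor_cfg "$f" && echo "OK" || echo "$? failure(s)"
done
```

The unmigrated sample fails twice (wrong `_version`, plain HTTP); the migrated sample passes but prints two warnings, which is exactly the state a fresh copy of the default harbor.cfg is in.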

Install Harbor

Load the images

# docker load -i harbor.v1.6.2.tar.gz
# docker images | grep 1.6.2

Install the Notary, Clair and Helm Chart (ChartMuseum) services

# ./install.sh --with-notary --with-clair --with-chartmuseum

......
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://192.168.100.100.
For more details, please visit https://github.com/goharbor/harbor .

During the upgrade I also went through the installation once more with the docker-compose commands directly; for reference:

# docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml \
    -f ./docker-compose.clair.yml -f ./docker-compose.chartmuseum.yml down -v
# vim harbor.cfg
# ./prepare --with-notary --with-clair --with-chartmuseum
......
The configuration files are ready, please use docker-compose to start the service.
# docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml \
    -f ./docker-compose.clair.yml -f ./docker-compose.chartmuseum.yml up -d
# docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml \
    -f ./docker-compose.clair.yml -f ./docker-compose.chartmuseum.yml ps
Name                 Command                          State          Ports
-------------------------------------------------------------------------------------------------------------------------------
chartmuseum          /docker-entrypoint.sh            Up (healthy)   9999/tcp
clair                /docker-entrypoint.sh            Up (healthy)   6060/tcp, 6061/tcp
harbor-adminserver   /harbor/start.sh                 Up (healthy)
harbor-db            /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-ui            /harbor/start.sh                 Up (healthy)
nginx                nginx -g daemon off;             Up (healthy)   0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
notary-server        /bin/server-start.sh             Up
notary-signer        /bin/signer-start.sh             Up
redis                docker-entrypoint.sh redis ...   Up             6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp

If Notary, Clair and Helm Chart are all to be installed, every component's compose file must be included in both the docker-compose and the prepare commands. Note that `down -v` removes the named and anonymous volumes of the compose project, not bind mounts; Harbor keeps its persistent data (database, registry storage, job logs) in bind mounts under /data, so it survives, but review the compose files before using `-v` if you have added volumes of your own.

With that, Harbor is upgraded; log in through a browser to verify that the upgrade succeeded.

Using Notary

To enable content trust, so that images are verified as signed, set these two environment variables on the command line before pushing or pulling any image:

# export DOCKER_CONTENT_TRUST=1
# export DOCKER_CONTENT_TRUST_SERVER=https://192.168.100.100:4443

The following uses a push of kubernetes-dashboard as an example of Notary in use.

# docker push 192.168.100.100/google_containers/kubernetes-dashboard-amd64:v1.10.0
The push refers to repository [192.168.100.100/google_containers/kubernetes-dashboard-amd64]
5f222ffea122: Pushed
v1.10.0: digest: sha256:1d2e1229a918f4bc38b5a3f9f5f11302b3e71f8397b492afac7f273a0008776a size: 529
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.

## On the first push, you are asked for a root key passphrase
Enter passphrase for new root key with ID 7ffe68f:
Repeat passphrase for new root key with ID 7ffe68f:

## A weak passphrase is rejected with a prompt
Enter passphrase for new repository key with ID e8c208d:
Passphrase is too short. Please use a password manager to generate and store a good random passphrase.
Enter passphrase for new repository key with ID e8c208d:
Repeat passphrase for new repository key with ID e8c208d:
Finished initializing "192.168.100.100/google_containers/kubernetes-dashboard-amd64"
Successfully signed 192.168.100.100/google_containers/kubernetes-dashboard-amd64:v1.10.0

Note 1: the root key and the repository key are generated as files under /root/.docker/trust/private/; the signed TUF metadata for the repository is cached under /root/.docker/trust/tuf/[registry name]/[imagepath]. Back up the private directory: as the prompt says, a lost root key cannot be recovered.
Note 2: Notary requires HTTPS to be enabled in Harbor.
Note 3: a signed image shows a check mark in the UI; an unsigned one shows a cross (X).
Note 4: if the tag is omitted, content trust is silently skipped with the message "No tag specified, skipping trust metadata push", so the tag must be given explicitly even when it is latest.
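A push wrapper that turns the pitfalls in Notes 2 and 4 into hard failures, as an added example that is not part of Harbor or Docker: it refuses references without a tag (the case Docker only warns about), refuses digest references, and refuses to push unless content trust is switched on and pointed at an HTTPS Notary server. It relies only on the two environment variables set above; `trust_ref_check`, `trust_env_check` and `trusted_push` are names introduced for this example, and the tag parsing is shown on a registry address with a port, where a naive "contains a colon" test goes wrong.

```sh
#!/bin/sh
# Added example (not Harbor or Docker code): a push wrapper that turns the
# content-trust pitfalls from the notes above into hard failures. It relies
# only on the two environment variables the page sets; trust_ref_check,
# trust_env_check and trusted_push are names introduced here.
set -eu

# trust_ref_check REF: 0 if `docker push REF` would sign under
# DOCKER_CONTENT_TRUST=1; nonzero with a reason on stderr otherwise.
trust_ref_check() {
    ref="$1"
    case "$ref" in
        *@sha256:*)
            echo "refuse: '$ref' is a digest reference; trust metadata is keyed by tag" >&2
            return 1 ;;
    esac
    # The tag is the ":" in the LAST path component: "host:4443/repo" has a
    # port but no tag, so the whole string must not be inspected.
    last=${ref##*/}
    case "$last" in
        *:*) ;;
        *)
            echo "refuse: '$ref' has no tag; docker would report 'No tag specified, skipping trust metadata push'" >&2
            return 2 ;;
    esac
    tag=${last##*:}
    if [ -z "$tag" ]; then
        echo "refuse: '$ref' has an empty tag" >&2
        return 2
    fi
    return 0
}

# trust_env_check: signing must be on and must target the Notary server over HTTPS.
trust_env_check() {
    if [ "${DOCKER_CONTENT_TRUST:-}" != "1" ]; then
        echo "refuse: DOCKER_CONTENT_TRUST is not set to 1" >&2
        return 3
    fi
    case "${DOCKER_CONTENT_TRUST_SERVER:-}" in
        https://*) return 0 ;;
        "")
            echo "refuse: DOCKER_CONTENT_TRUST_SERVER is unset (Harbor serves Notary on port 4443)" >&2
            return 4 ;;
        *)
            echo "refuse: DOCKER_CONTENT_TRUST_SERVER must be https://..., got '$DOCKER_CONTENT_TRUST_SERVER'" >&2
            return 4 ;;
    esac
}

# trusted_push REF: both checks, then the real push (which also signs).
trusted_push() {
    trust_env_check && trust_ref_check "$1" && docker push "$1"
}

# Usage: trusted_push 192.168.100.100/google_containers/kubernetes-dashboard-amd64:v1.10.0
```

Source the file and call `trusted_push` in place of `docker push`; a digest reference, an untagged reference, or a missing or plain-HTTP DOCKER_CONTENT_TRUST_SERVER stops before anything reaches the registry.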

Vulnerability scanning with Clair

Clair relies on vulnerability metadata for its analysis. After the first installation, Clair automatically starts updating its metadata database from the various vulnerability repositories. This can take a while depending on the amount of data and the network connection. Until the database is fully populated, a warning message is shown in the footer of the repository data grid view.

Once the database is ready, the timestamp of the last full database update is shown on the "Vulnerability" tab under the "Configuration" section of "Administration". From then on, scans can be run.

Note: only users with the "Project Admin" role have the privilege to launch a scan.

A scan can be in one of the following states:

  • Not Scanned: the tag has never been scanned.
  • Queued: a scan job is scheduled but has not run yet.
  • Scanning: the scan is in progress.
  • Error: the scan failed to complete.
  • Finished: the scan completed successfully.

Vulnerability severity levels:

  • Red: high-severity vulnerabilities
  • Orange: medium-severity vulnerabilities
  • Yellow: low-severity vulnerabilities
  • Grey: vulnerabilities of unknown severity
  • Green: no vulnerabilities

Since Harbor was developed and open-sourced by VMware's China team, its Chinese-language support is good, so there is little to worry about when it comes to usage questions.

Appendix:
For more on Notary and Docker Content Trust, see the Docker documentation:
https://docs.docker.com/engine/security/trust/content_trust/
Clair: https://github.com/coreos/clair
Harbor user guide: https://github.com/goharbor/harbor/blob/master/docs/user_guide.md
