生产环境搭建高可用Harbor（包括恢复演练实操）（一）

前言
因资源成本问题，本Harbor高可用架构为最小开销方案，如果资源充足，可以将PG、Redis全部使用使用云厂商集群模式。

同时为了配置简单，并没有使用keepalived与heartbeat等高可用开源组件。

 harbor-arch

准备工作

操作系统为Ubuntu18.04，在2台ECS上搭建主从PG，如果不想用阿里云redis，也可以使用ECS搭建Redis。

安装Harbor，用于导出基础harbor数据，恢复到PG集群中.
1.安装docker-compose

curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
# 添加国内阿里云
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
#更新
sudo apt-get update
[[查看docker]]版本
apt-cache madison docker-ce
#安装最新版
sudo apt-get install -y docker-ce
[[安装5]]:19.03.6~3-0~ubuntu-bionic版
sudo apt-get install -y docker-ce=5:19.03.6~3-0~ubuntu-bionic

2.Docker配置镜像加速与国内docker-cn源

sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://8sab4djv.mirror.aliyuncs.com"],
    "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["https://harbor.unixsre.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

 镜像加速

3.安装Harbor2.3

# 下载Harbor
wget -P /usr/local wget https://github.com/goharbor/harbor/releases/download/v2.3.2/harbor-online-installer-v2.3.2.tgz

tar zxf /usr/local/harbor-online-installer-v2.3.2.tgz -C /data/harbor

# 修改配置文件，根据自己的需求进行修改
cd /data/harbor
cp harbor.yml.tmpl harbor.yml
# harbor.yml中按需修改或添加如下内容
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.unixsre.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/harbor/ssl/unixsre.com.cer
  private_key: /data/harbor/ssl/unixsre.com.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
# 初始密码，可以修改成自己需要的，然后后续在WEBUI上自行修改。
harbor_admin_password: 1234567
## 添加禁止用户自注册
self_registration: off
## 设置只有管理员可以创建项目
project_creation_restriction: adminonly
# The default data volume
data_volume: /data/harbor
# 执行安装命令
bash /data/harbor/install.sh
# 如果对配置文件harbor.yml，需要使用./prepare脚本重新生成
./prepare
# 重启
docker-compose restart

4.常用命令示例

# 登录
docker login https://harbor.unixsre.com
# 拉取
docker pull busybox
# 打包
docker build -t busybox:v1 . 
docker build -t busybox:v1 -f Dockerfile .
# 打TAG
docker tag busybox:latest harbor.unixsre.com/ops/busybox:latest
# 上传
docker push harbor.unixsre.com/library/busybox:latest
# k3s pull
k3s crictl pull harbor.unixsre.com/library/busybox

5.备份Harbor使用到的数据库，并且导出用于恢复.

# 进入容器备份
docker container exec -it harbor-db /bin/bash
# 执行pg备份
pg_dump -U postgres registry > /tmp/registry.sql 
pg_dump -U postgres notarysigner > /tmp/notarysigner.sql  
pg_dump -U postgres notaryserver > /tmp/notaryserver.sql
# 复制到本地宿主机
docker container cp harbor-db:/tmp/registry.sql /data/harbor/backup_sql/
docker container cp harbor-db:/tmp/notarysigner.sql /data/harbor/backup_sql/
docker container cp harbor-db:/tmp/notaryserver.sql /data/harbor/backup_sql/

欢迎大家关注我的公众号ID:k8stech

文章转自公众号：Kubernetes技术栈