🏴 Harbor Private Registry Deployment and Permission Configuration Guide

A complete enterprise Docker Registry deployment plan: a hands-on manual covering environment preparation, Docker Compose deployment, Kubernetes Helm installation, RBAC permission management and CI/CD integration.

📅 Updated: 12 March 2026 📦 Harbor version: v2.11.0 🔐 Security level: enterprise production ⏱️ Estimated time: 60-90 minutes

1. Harbor Overview and Core Features

🏢 Enterprise features

  • Role-based access control (RBAC)
  • Multi-tenancy with project isolation
  • LDAP/AD authentication integration
  • Audit logs and compliance reporting
  • Image vulnerability scanning (Clair/Trivy)

🔄 Image management

  • Image replication and synchronization
  • Image signing and content trust
  • Image lifecycle (retention) policies
  • Helm Chart hosting
  • OCI Artifact support

🛡️ Security capabilities

  • CVE vulnerability scanning
  • Image signature verification
  • Sensitive information detection
  • Access policy control
  • Security baseline checks

📈 Scalability

  • Horizontally scalable architecture
  • High-availability deployment modes
  • Object storage backends
  • External database support
  • RESTful API

1.1 Harbor Architecture

┌──────────────────────────────────────────────────────────────────┐
│                       Harbor Architecture                        │
├──────────────────────────────────────────────────────────────────┤
│                                                                  │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐            │
│  │   Portal     │  │    Core      │  │   JobSvc     │            │
│  │  (UI Web)    │  │   (API)      │  │  (Scheduler) │            │
│  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘            │
│         │                 │                 │                    │
│         └─────────────────┼─────────────────┘                    │
│                           │                                      │
│              ┌────────────┴────────────┐                         │
│              │                         │                         │
│       ┌──────▼──────┐           ┌──────▼──────┐                  │
│       │  Registry   │           │    Clair    │                  │
│       │  (Storage)  │           │  (Scanner)  │                  │
│       └──────┬──────┘           └──────┬──────┘                  │
│              │                         │                         │
│       ┌──────▼──────┐           ┌──────▼──────┐                  │
│       │ PostgreSQL  │           │    Redis    │                  │
│       │  (Database) │           │   (Cache)   │                  │
│       └─────────────┘           └─────────────┘                  │
│                                                                  │
│  External Services (Optional):                                   │
│  • LDAP/AD Authentication                                        │
│  • Object Storage (S3/GCS/OSS)                                   │
│  • External PostgreSQL/Redis                                     │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘

2. System Requirements and Environment Preparation

2.1 Hardware Requirements

Resource | Minimum | Recommended | Production
CPU | 2 cores | 4 cores | 8+ cores
Memory | 4 GB | 8 GB | 16+ GB
Disk | 40 GB | 160 GB | 500 GB+ SSD
Network | 1 Gbps | 1 Gbps | 10 Gbps

2.2 Software Dependencies

Docker Compose deployment

  • Docker Engine 20.10.0+
  • Docker Compose 2.0.0+
  • Linux: Ubuntu 18.04+, CentOS 7+
  • OpenSSL, latest release (for certificate generation)

Kubernetes deployment

  • Kubernetes 1.20+
  • Helm 3.2.0+
  • Ingress Controller (Nginx/Traefik)
  • StorageClass (dynamic provisioning)

External services (optional)

  • PostgreSQL 12+ (external database)
  • Redis 5.0+ (external cache)
  • Object storage (S3/OSS/GCS)
  • LDAP/AD server

2.3 Port Requirements

Port | Protocol | Purpose | Notes
443 | HTTPS | Harbor Portal and API | -
80 | HTTP | Redirect to HTTPS | -
5000 | HTTPS | Registry API (push/pull) | -
5432 | TCP | PostgreSQL database | Internal use only
6379 | TCP | Redis cache | Internal use only

2.4 Environment Diagnostic Commands

# ===== System checks =====

# 1. Check CPU and memory
lscpu | grep "CPU(s)"
free -h

# 2. Check disk space
df -h /
df -h /var/lib/docker

# 3. Check Docker versions
docker --version
docker compose version

# 4. Check for port conflicts
netstat -tlnp | grep -E ':(80|443|5000)'
ss -tlnp | grep -E ':(80|443|5000)'

# 5. Check network connectivity
curl -I https://github.com
curl -I https://hub.docker.com

# ===== Kubernetes checks (only for Helm deployments) =====

# 6. Check the K8s cluster (the --short flag was removed in kubectl 1.28)
kubectl version
kubectl get nodes

# 7. Check Helm
helm version

# 8. Check StorageClasses
kubectl get sc

# 9. Check Ingress resources
kubectl get ingress -A

3. Installation Options Compared

Method | Suitable for | Pros | Cons | Rating
Docker Compose | Dev/test, small to medium scale | Simple and fast, low resource usage | Single point of failure, poor scalability | ⭐⭐⭐⭐
Helm on K8s | Production, large scale | High availability, easy scaling, automation | Higher complexity, requires K8s | ⭐⭐⭐⭐⭐
Offline installer | Air-gapped / intranet environments | No internet access needed, one-time download | Large package, cumbersome updates | ⭐⭐⭐⭐
Build from source | Custom development | Full control, customizable | Complex and time-consuming, high maintenance cost | ⭐⭐

💡 Recommendations:
  • Development/test: Docker Compose (quick and simple)
  • Production: Kubernetes Helm (high availability, easy scaling)
  • Intranet/air-gapped: offline installer + Docker Compose

4. Docker Compose Deployment (Single Node)

Step 1: Download the Harbor offline installer

# Create the installation directory
mkdir -p /opt/harbor && cd /opt/harbor

# Download the offline installer (replace the version number with the latest release)
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz

# Verify the download (optional but recommended): the .asc is a detached signature over the .tgz
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz.asc
gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C
gpg --verify harbor-offline-installer-v2.11.0.tgz.asc harbor-offline-installer-v2.11.0.tgz

# Extract the installer
tar -xzf harbor-offline-installer-v2.11.0.tgz
cd harbor

# Inspect the extracted files
ls -la
# common/  docker-compose.yml  harbor.yml.tmpl  install.sh  prepare

Step 2: Configure harbor.yml

# Copy the configuration template
cp harbor.yml.tmpl harbor.yml

# Edit the configuration
vi harbor.yml

# ===== Key settings in harbor.yml =====
hostname: harbor.yourcompany.com

http:
  port: 8080

https:
  port: 443
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key

harbor_admin_password: Harbor12345   # Must be changed after the first installation!

database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 1000

data_volume: /data/harbor

clair:
  updaters_interval: 12

jobservice:
  max_job_workers: 10

notification:
  webhook_job_max_retry: 10

log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor

_version: 2.11.0

# External storage (optional; object storage is recommended for production).
# Configure exactly one storage driver under storage_service: the local
# filesystem driver is the default, and the s3 block replaces it.
storage_service:
  filesystem:
    maxthreads: 100
#  s3:
#    region: us-east-1
#    bucket: harbor-storage
#    accesskey: AKIAIOSFODNN7EXAMPLE
#    secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Step 3: Generate a self-signed certificate (test environments)

# Create the certificate directory
mkdir -p /data/cert

# Generate the CA certificate
openssl genrsa -out /data/cert/ca.key 4096
openssl req -new -x509 -days 3650 \
  -key /data/cert/ca.key \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=YourCompany/OU=IT/CN=harbor.yourcompany.com" \
  -out /data/cert/ca.crt

# Generate the server certificate. Docker (like every Go TLS client) ignores the
# CN and requires a subjectAltName, so the extension file is not optional.
openssl genrsa -out /data/cert/server.key 4096
openssl req -new -key /data/cert/server.key \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=YourCompany/OU=IT/CN=harbor.yourcompany.com" \
  -out /data/cert/server.csr
cat > /data/cert/v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:harbor.yourcompany.com
EOF
openssl x509 -req -days 3650 \
  -in /data/cert/server.csr \
  -CA /data/cert/ca.crt \
  -CAkey /data/cert/ca.key \
  -CAcreateserial \
  -extfile /data/cert/v3.ext \
  -out /data/cert/server.crt

# Restrict file permissions
chmod 600 /data/cert/server.key
chmod 644 /data/cert/server.crt /data/cert/ca.crt

# Add the CA certificate to the system trust store (Debian/Ubuntu;
# on CentOS copy to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust)
cp /data/cert/ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
update-ca-certificates

# Make Docker trust the CA
mkdir -p /etc/docker/certs.d/harbor.yourcompany.com
cp /data/cert/ca.crt /etc/docker/certs.d/harbor.yourcompany.com/

Step 4: Run the installer

# Run the installation script
./install.sh

# Installation options:
#   --with-trivy        include the Trivy vulnerability scanner (recommended)
#   --with-clair        Clair scanner (older releases only; Clair was removed in Harbor 2.2)
#   --with-notary       Notary content signing (older releases only)
#   --with-chartmuseum  Helm Chart repository (older releases only)
# Harbor 2.11's install.sh exits on options it does not recognise, so on this
# release only --with-trivy is valid.

# Full installation (recommended)
./install.sh --with-trivy

# Installer output:
[Step 0]: checking if docker is installed ...
[Step 1]: checking docker compose version ...
[Step 2]: loading Harbor images ...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
[Step 5]: starting Harbor ...
✔ ----Harbor has been installed and started successfully.----

# Check container status
docker compose ps

# Follow the logs
docker compose logs -f

Step 5: Verify the installation

# 1. Check that all containers are running
docker compose ps
# Expect core, registry, portal, jobservice, redis, postgresql, etc.

# 2. Fetch the web UI
curl -k https://harbor.yourcompany.com
# Should return an HTML page

# 3. Test the API
curl -k -u admin:Harbor12345 https://harbor.yourcompany.com/api/v2.0/systeminfo

# 4. Test docker login (reading the password from stdin keeps it out of shell history)
echo 'Harbor12345' | docker login harbor.yourcompany.com -u admin --password-stdin
# Login Succeeded

# 5. Push a test image
docker pull hello-world
docker tag hello-world harbor.yourcompany.com/library/hello-world:latest
docker push harbor.yourcompany.com/library/hello-world:latest

# 6. Pull the test image back
docker rmi harbor.yourcompany.com/library/hello-world:latest
docker pull harbor.yourcompany.com/library/hello-world:latest

5. Kubernetes Helm Deployment (High Availability)

5.1 Prerequisites

📋 Prerequisites for the Helm deployment:
  • Kubernetes cluster 1.20+
  • Helm 3.2.0+
  • A highly available Ingress Controller
  • External PostgreSQL database (optional but recommended)
  • External Redis cluster (optional but recommended)
  • Shared storage or object storage

5.2 Add the Helm Repository

# Add the Harbor Helm Chart repository
helm repo add harbor https://helm.goharbor.io
helm repo update

# List available chart versions
helm search repo harbor --versions

# Download the chart locally (helm fetch is a deprecated alias of helm pull)
helm pull harbor/harbor --version 1.14.0 --untar
cd harbor

5.3 Configure values.yaml

# Key settings in values.yaml
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-tls-secret
  ingress:
    hosts:
      core: harbor.yourcompany.com
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"

externalURL: https://harbor.yourcompany.com

portal:
  replicas: 2

core:
  replicas: 2
  resources:
    requests:
      memory: 256Mi
      cpu: 100m
    limits:
      memory: 2Gi
      cpu: 2000m

jobservice:
  replicas: 2
  maxJobWorkers: 10

# More than one registry replica needs ReadWriteMany storage (as below) or an
# object-storage backend, otherwise the replicas cannot share the blob store.
registry:
  replicas: 2
  resources:
    requests:
      memory: 256Mi
      cpu: 100m

database:
  type: external
  external:
    host: postgresql-ha.postgres.svc.cluster.local
    port: 5432
    username: harbor
    password: your_password
    coreDatabase: harbor_core
    clairDatabase: harbor_clair
    notaryServerDatabase: harbor_notary_server
    notarySignerDatabase: harbor_notary_signer

redis:
  type: external
  external:
    host: redis-master.redis.svc.cluster.local
    port: 6379
    password: your_redis_password

persistence:
  enabled: true
  persistentVolumeClaim:
    registry:
      storageClass: nfs-client
      accessMode: ReadWriteMany
      size: 100Gi
    chartmuseum:
      storageClass: nfs-client
      accessMode: ReadWriteMany
      size: 20Gi

trivy:
  enabled: true
  replicas: 2

notary:
  enabled: true

chartmuseum:
  enabled: true

5.4 Create the TLS Secret

# Create the namespace
kubectl create namespace harbor

# Create the TLS Secret
kubectl create secret tls harbor-tls-secret \
  --cert=/path/to/tls.crt \
  --key=/path/to/tls.key \
  -n harbor

# Verify the Secret
kubectl get secret harbor-tls-secret -n harbor

5.5 Install Harbor

# Install with Helm
helm install harbor harbor/harbor \
  --namespace harbor \
  --values values.yaml \
  --version 1.14.0

# Or install from the local chart
helm install harbor . \
  --namespace harbor \
  --values values.yaml

# Check the release status
helm status harbor -n harbor
helm list -n harbor

# Wait for all Pods to become ready
kubectl get pods -n harbor -w

# Check Services and Ingress
kubectl get svc -n harbor
kubectl get ingress -n harbor

5.6 Upgrade and Uninstall

# Upgrade Harbor
helm upgrade harbor harbor/harbor \
  --namespace harbor \
  --values values.yaml \
  --version 1.15.0

# Roll back to the previous revision
helm rollback harbor -n harbor

# View the release history
helm history harbor -n harbor

# Uninstall Harbor
helm uninstall harbor -n harbor

# Delete the PVCs (careful: this destroys the data)
kubectl delete pvc -n harbor -l app=harbor

6. HTTPS Certificate Configuration

6.1 Free Let's Encrypt Certificates

# Install Certbot
apt-get install certbot python3-certbot-nginx -y

# Obtain the certificate (standalone mode binds port 80 itself, so that port
# must be free; otherwise use the webroot or DNS challenge)
certbot certonly --standalone \
  -d harbor.yourcompany.com \
  --email admin@yourcompany.com \
  --agree-tos \
  --non-interactive

# Certificate locations:
#   /etc/letsencrypt/live/harbor.yourcompany.com/fullchain.pem
#   /etc/letsencrypt/live/harbor.yourcompany.com/privkey.pem
# Point https.certificate and https.private_key in harbor.yml at these files,
# and restart Harbor's proxy after each renewal so it loads the new certificate.

# Configure automatic renewal
crontab -e
# Add the line below. certbot only renews when fewer than 30 days remain, so the
# check must run at least daily; a monthly check can miss the renewal window.
# 0 0,12 * * * certbot renew --quiet

6.2 Automatic Certificates with Nginx Ingress and cert-manager

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml

# Create a ClusterIssuer
cat > cluster-issuer.yaml << EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@yourcompany.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
kubectl apply -f cluster-issuer.yaml

# In the Harbor values.yaml keep certSource: secret and let cert-manager create
# that Secret from the issuer named in the ingress annotation (the chart has no
# issuer settings of its own):
expose:
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-tls-secret
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod

7. User and Project Management

7.1 Create a Project

# Via the Web UI
1. Log in to the Harbor web interface
2. Click "+ New Project"
3. Enter the project name and description
4. Choose the access level:
   - Public: anyone can pull images
   - Private: only project members can access it

# Via the API. Project metadata values are strings in Harbor's API, and the
# vulnerability gate is the "prevent_vul" flag together with the blocking
# "severity" threshold.
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/projects \
  -d '{
    "project_name": "my-project",
    "public": false,
    "metadata": {
      "enable_content_trust": "true",
      "prevent_vul": "true",
      "severity": "high"
    }
  }'

# List all projects
curl -k -u admin:Harbor12345 \
  https://harbor.yourcompany.com/api/v2.0/projects
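As an added example (not part of the original guide): a Python audit that reads the JSON returned by GET /api/v2.0/projects, here a constructed sample embedded inline, and flags projects whose metadata weakens the pipeline: public visibility, content trust off, no vulnerability gate, no automatic scanning. It assumes the metadata keys used in the request above, with string values as Harbor returns them; the sample data and function names are mine.

```python
import json

# Constructed sample of what GET /api/v2.0/projects returns, trimmed to the
# fields this audit uses. Harbor returns metadata values as strings.
SAMPLE_PROJECTS_JSON = """
[
  {"project_id": 1, "name": "library",
   "metadata": {"public": "true"}},
  {"project_id": 2, "name": "my-project",
   "metadata": {"public": "false", "enable_content_trust": "true",
                "prevent_vul": "true", "severity": "high", "auto_scan": "true"}},
  {"project_id": 3, "name": "production",
   "metadata": {"public": "false", "prevent_vul": "false", "auto_scan": "false"}},
  {"project_id": 4, "name": "sandbox",
   "metadata": {"public": "true", "enable_content_trust": "false",
                "prevent_vul": "true", "severity": "critical"}}
]
"""

# Metadata keys that protect the pipeline: the value we expect, and the finding
# to report when it is not met. A missing key is treated as "false".
EXPECTATIONS = {
    "public": ("false", "project is public: anyone can pull its images"),
    "enable_content_trust": ("true", "content trust not enforced: unsigned images can be pulled"),
    "prevent_vul": ("true", "no vulnerability gate: vulnerable images can be pulled"),
    "auto_scan": ("true", "automatic scanning disabled: new pushes are not scanned"),
}

def audit_project(project: dict) -> list[str]:
    """Return the list of findings for one project record."""
    meta = project.get("metadata") or {}
    findings = []
    for key, (expected, message) in EXPECTATIONS.items():
        if meta.get(key, "false") != expected:
            findings.append(message)
    # A gate set to "critical" still lets images with high-severity CVEs through.
    if meta.get("prevent_vul") == "true" and meta.get("severity") == "critical":
        findings.append("vulnerability gate only blocks critical CVEs")
    return findings

def audit_projects(projects_json: str) -> dict[str, list[str]]:
    """Map every non-compliant project name to its findings."""
    report = {}
    for project in json.loads(projects_json):
        findings = audit_project(project)
        if findings:
            report[project["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_projects(SAMPLE_PROJECTS_JSON).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live instance, feed it the body of `curl -u <user> https://harbor.yourcompany.com/api/v2.0/projects?page_size=100` instead of the sample.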

7.2 Create a User

# Via the API (only possible in database authentication mode)
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/users \
  -d '{
    "username": "developer1",
    "email": "developer1@yourcompany.com",
    "realname": "Developer One",
    "password": "SecurePass123!",
    "comment": "Development team member"
  }'

# List users
curl -k -u admin:Harbor12345 \
  "https://harbor.yourcompany.com/api/v2.0/users?page=1&page_size=10"

# Delete a user (by numeric user ID)
curl -k -X DELETE \
  -u admin:Harbor12345 \
  https://harbor.yourcompany.com/api/v2.0/users/123

7.3 Add Project Members

# Add a user to the project and assign a role
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/projects/1/members \
  -d '{
    "role_id": 2,
    "member_user": {
      "username": "developer1"
    }
  }'

# Role IDs:
#   1 - Project administrator (ProjectAdmin)
#   2 - Developer
#   3 - Guest
#   4 - Maintainer
#   5 - Limited guest (LimitedGuest)

8. The RBAC Permission Model in Detail

8.1 Harbor Role Hierarchy

Role | System permissions | Project permissions | Typical use
System administrator | All permissions | All projects | Harbor operations team
Project administrator | - | Project and member management | Project owner
Developer | - | Push/pull/delete images | Development engineers
Maintainer | - | Push/pull (no delete) | CI/CD systems
Guest | - | Pull images only | Read-only users
Limited guest | - | Pull images only (some APIs restricted) | External partners

8.2 Custom Roles (Harbor 2.10+)

# Create a user group (here LDAP-backed; group_type 1 = LDAP)
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/usergroups \
  -d '{
    "group_name": "devops-team",
    "group_type": 1,
    "ldap_group_dn": "cn=devops,ou=groups,dc=example,dc=com"
  }'

# Change the role of an existing project member (member ID 456)
curl -k -X PUT \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/projects/1/members/456 \
  -d '{
    "role_id": 4
  }'

# Permission resource types:
#   - repository:  image repositories
#   - artifact:    image artifacts
#   - tag:         image tags
#   - helm-chart:  Helm Charts
#   - scan:        vulnerability scans
#   - scanner:     scanner management
#   - label:       label management
#   - accessory:   accessory management
#   - immutable:   immutability rules
#   - webhook:     webhook configuration
#   - replication: replication rules
#   - audit-log:   audit logs

8.3 LDAP/AD Integration

# Configure LDAP authentication. Use ldaps:// in production so that the bind
# credentials and user passwords do not cross the network in clear text;
# ldap_verify_cert only takes effect once TLS is in use. ldap_scope 2 = subtree.
curl -k -X PUT \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/configurations \
  -d '{
    "auth_mode": "ldap_auth",
    "ldap_url": "ldap://ldap.yourcompany.com",
    "ldap_base_dn": "dc=example,dc=com",
    "ldap_search_dn": "cn=admin,dc=example,dc=com",
    "ldap_search_password": "ldap_password",
    "ldap_filter": "(objectClass=person)",
    "ldap_uid_attribute": "uid",
    "ldap_scope": 2,
    "ldap_connection_timeout": 10,
    "ldap_verify_cert": true
  }'

# Import an LDAP user group
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/usergroups \
  -d '{
    "group_type": 1,
    "ldap_group_dn": "cn=developers,ou=groups,dc=example,dc=com"
  }'

9. Robot Account Configuration

9.1 What Is a Robot Account

Robot accounts are lightweight accounts designed for CI/CD systems and automation scripts. Their characteristics:

  • Fine-grained permission control (down to individual operations)
  • Configurable expiry time
  • Can be restricted to specific projects
  • No web login; usable only through the API and the Docker CLI

9.2 Create a Robot Account

# Create a project-level robot via the API. Harbor 2.x creates robots through
# /api/v2.0/robots with "level" set to "project" or "system"; the lifetime is
# given as "duration" in days (-1 = never expires, which CI credentials should
# not use).
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/robots \
  -d '{
    "name": "jenkins-deploy",
    "description": "Jenkins CI deployment robot",
    "level": "project",
    "duration": 365,
    "permissions": [
      {
        "kind": "project",
        "namespace": "my-project",
        "access": [
          {"resource": "repository", "action": "push"},
          {"resource": "repository", "action": "pull"},
          {"resource": "artifact", "action": "read"},
          {"resource": "artifact", "action": "create"},
          {"resource": "tag", "action": "create"},
          {"resource": "tag", "action": "delete"}
        ]
      }
    ]
  }'

# The response carries the robot's credentials. The secret is returned only
# once, and the full account name is prefixed with the project:
{
  "name": "robot$my-project+jenkins-deploy",
  "secret": "JaNgT0kEn123456789...",
  "expires_at": 1735689600
}

# System-level robot (can access several projects)
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/robots \
  -d '{
    "name": "global-ci",
    "level": "system",
    "duration": 90,
    "permissions": [
      {
        "kind": "project",
        "namespace": "project-a",
        "access": [{"resource": "repository", "action": "push"}]
      },
      {
        "kind": "project",
        "namespace": "project-b",
        "access": [{"resource": "repository", "action": "pull"}]
      }
    ]
  }'

9.3 Use the Robot Account

# Log in to Docker as the robot. The secret is read from stdin rather than
# passed with -p, so it does not end up in shell history or process listings.
echo 'JaNgT0kEn123456789...' | docker login harbor.yourcompany.com \
  -u 'robot$my-project+jenkins-deploy' --password-stdin

# Jenkins Pipeline example. docker.withRegistry takes a Jenkins credentials ID
# (a username/password credential holding the robot name and secret), so the
# robot credentials never appear in the pipeline source.
pipeline {
  agent any
  environment {
    HARBOR_REGISTRY = 'harbor.yourcompany.com'
  }
  stages {
    stage('Build & Push') {
      steps {
        script {
          docker.withRegistry("https://${HARBOR_REGISTRY}", 'harbor-robot-token') {
            def image = docker.build("${HARBOR_REGISTRY}/my-project/app:${BUILD_NUMBER}")
            image.push()
          }
        }
      }
    }
  }
}
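As an added example (not part of the original guide): a Python audit of robot accounts, run over a constructed sample of what GET /api/v2.0/robots returns, that flags the hygiene problems sections 9.1 and 9.2 warn about: robots that never expire, robots already expired but still enabled, robots about to expire, and write access granted to every project or to a protected project. The response fields (expires_at in Unix seconds with -1 for "never", permissions with namespace and access lists) are taken from the API above; the protected-project set, the write-action set and the function names are my assumptions.

```python
import json
import time

# Constructed sample of GET /api/v2.0/robots output, trimmed to the fields the
# audit uses. expires_at is a Unix timestamp in seconds; -1 means never expires.
SAMPLE_ROBOTS_JSON = """
[
  {"id": 1, "name": "robot$my-project+jenkins-deploy", "level": "project",
   "disable": false, "expires_at": 1735689600,
   "permissions": [{"kind": "project", "namespace": "my-project",
                    "access": [{"resource": "repository", "action": "push"},
                               {"resource": "repository", "action": "pull"}]}]},
  {"id": 2, "name": "robot$global-ci", "level": "system",
   "disable": false, "expires_at": -1,
   "permissions": [{"kind": "project", "namespace": "*",
                    "access": [{"resource": "repository", "action": "push"},
                               {"resource": "artifact", "action": "delete"}]}]},
  {"id": 3, "name": "robot$production+readonly-pull", "level": "project",
   "disable": false, "expires_at": 1700000000,
   "permissions": [{"kind": "project", "namespace": "production",
                    "access": [{"resource": "repository", "action": "pull"}]}]}
]
"""

WRITE_ACTIONS = {"push", "create", "delete", "update"}   # assumed write set
PROTECTED_NAMESPACES = {"production"}   # assumed: projects CI must not write to

def audit_robot(robot: dict, now: int, warn_days: int = 14) -> list[str]:
    """Return findings for one robot record, evaluated at Unix time `now`."""
    findings = []
    if robot.get("disable"):
        return findings                      # a disabled robot cannot be used
    exp = robot.get("expires_at", -1)
    if exp == -1:
        findings.append("never expires")
    elif exp < now:
        findings.append("expired but still enabled")
    elif exp - now < warn_days * 86400:
        findings.append(f"expires within {warn_days} days")
    for perm in robot.get("permissions", []):
        ns = perm.get("namespace", "")
        writes = sorted({f"{a['resource']}:{a['action']}" for a in perm.get("access", [])
                         if a.get("action") in WRITE_ACTIONS})
        if ns == "*" and writes:
            findings.append("write access to every project: " + ", ".join(writes))
        elif ns in PROTECTED_NAMESPACES and writes:
            findings.append(f"write access to protected project {ns}: " + ", ".join(writes))
    return findings

def audit_robots(robots_json: str, now: int) -> dict[str, list[str]]:
    """Map each robot name that has findings to its list of findings."""
    report = {}
    for robot in json.loads(robots_json):
        findings = audit_robot(robot, now)
        if findings:
            report[robot["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_robots(SAMPLE_ROBOTS_JSON, int(time.time())).items():
        print(name, "->", "; ".join(findings))
```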

10. CI/CD Integration

10.1 Jenkins Integration

# Jenkins Harbor Plugin configuration
1. Install the Harbor Plugin
2. Manage Jenkins → Configure System → Harbor Server
3. Add a Harbor connection:
   - Name: harbor-prod
   - Server URL: https://harbor.yourcompany.com
   - Credentials: the robot account credentials

# Declarative Pipeline example. An image reference must not contain the URL
# scheme, and a Harbor repository path is always <host>/<project>/<repo>, so
# the registry host and the API URL are kept in separate variables.
pipeline {
  agent any
  tools {
    maven 'Maven 3.8'
  }
  environment {
    HARBOR_HOST  = 'harbor.yourcompany.com'
    HARBOR_URL   = 'https://harbor.yourcompany.com'
    PROJECT_NAME = 'backend-service'
    APP_NAME     = 'backend'
    IMAGE        = "${HARBOR_HOST}/${PROJECT_NAME}/${APP_NAME}:${BUILD_NUMBER}"
  }
  stages {
    stage('Checkout') {
      steps {
        git url: 'git@gitlab:team/backend.git'
      }
    }
    stage('Build') {
      steps {
        sh 'mvn clean package -DskipTests'
      }
    }
    stage('Unit Test') {
      steps {
        sh 'mvn test'
      }
    }
    stage('Build Image') {
      steps {
        script {
          docker.build(env.IMAGE)
        }
      }
    }
    stage('Push to Harbor') {
      steps {
        script {
          docker.withRegistry(env.HARBOR_URL, 'harbor-credentials') {
            def image = docker.image(env.IMAGE)
            image.push()
            image.push('latest')
          }
        }
      }
    }
    stage('Vulnerability Scan') {
      steps {
        // Trigger a scan of the pushed artifact with the same robot credentials
        withCredentials([usernamePassword(credentialsId: 'harbor-credentials',
                                          usernameVariable: 'HARBOR_USER',
                                          passwordVariable: 'HARBOR_PASSWORD')]) {
          sh '''
            curl -k -X POST \
              -u "${HARBOR_USER}:${HARBOR_PASSWORD}" \
              "${HARBOR_URL}/api/v2.0/projects/${PROJECT_NAME}/repositories/${APP_NAME}/artifacts/latest/scan"
          '''
        }
      }
    }
  }
}

10.2 GitLab CI Integration

# .gitlab-ci.yml example. HARBOR_ROBOT_USER and HARBOR_ROBOT_PASSWORD are
# masked, protected CI/CD variables holding the robot account credentials.
variables:
  HARBOR_URL: harbor.yourcompany.com
  PROJECT: my-project
  APP_NAME: frontend-app

stages:
  - build
  - test
  - package
  - deploy

build:
  stage: build
  script:
    - npm ci
    - npm run build
  artifacts:
    paths:
      - dist/

docker-build:
  stage: package
  image: docker:24
  services:
    - docker:24-dind
  before_script:
    - echo "${HARBOR_ROBOT_PASSWORD}" | docker login -u "${HARBOR_ROBOT_USER}" --password-stdin ${HARBOR_URL}
  script:
    - docker build -t ${HARBOR_URL}/${PROJECT}/${APP_NAME}:${CI_COMMIT_SHA} .
    - docker push ${HARBOR_URL}/${PROJECT}/${APP_NAME}:${CI_COMMIT_SHA}
    - docker tag ${HARBOR_URL}/${PROJECT}/${APP_NAME}:${CI_COMMIT_SHA} ${HARBOR_URL}/${PROJECT}/${APP_NAME}:latest
    - docker push ${HARBOR_URL}/${PROJECT}/${APP_NAME}:latest
  only:
    - main
    - develop

deploy:
  stage: deploy
  script:
    - kubectl set image deployment/${APP_NAME} ${APP_NAME}=${HARBOR_URL}/${PROJECT}/${APP_NAME}:${CI_COMMIT_SHA}
  environment:
    name: production
    url: https://app.yourcompany.com
  when: manual
  only:
    - main

11. Image Replication and Synchronization

11.1 Configure a Replication Rule

# Create the replication endpoint (destination registry)
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/registries \
  -d '{
    "name": "backup-harbor",
    "type": "harbor",
    "url": "https://backup-harbor.example.com",
    "credential": {
      "type": "basic",
      "access_key": "admin",
      "access_secret": "BackupHarbor123"
    }
  }'

# Create the replication policy. dest_registry is a registry object ({"id": N}),
# the repository filter type is "name", and Harbor cron expressions carry a
# leading seconds field (six fields). "deletion": true propagates deletions to
# the DR site as well, so a mistaken or malicious delete is replicated too;
# consider false for a backup target.
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/replication/policies \
  -d '{
    "name": "backup-to-dr",
    "description": "Replicate all images to disaster recovery site",
    "src_registry": null,
    "dest_registry": {"id": 1},
    "trigger": {
      "type": "scheduled",
      "trigger_settings": {
        "cron": "0 0 0 * * *"
      }
    },
    "filters": [
      {"type": "name", "value": "production/**"},
      {"type": "tag", "value": "v*.*.*,latest"}
    ],
    "deletion": true,
    "override": true,
    "copy_by_chunk": false
  }'

# Trigger a replication run manually
curl -k -X POST \
  -u admin:Harbor12345 \
  -H "Content-Type: application/json" \
  https://harbor.yourcompany.com/api/v2.0/replication/executions \
  -d '{"policy_id": 1}'
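As an added example (not part of the original guide, and not Harbor's own matcher): a small Python reimplementation of the pattern syntax Harbor documents for name and tag filters (`*` within one path segment, `**` across segments, `?` for one character, `{a,b}` for alternatives), applied to a constructed artifact list so you can check which artifacts a policy like backup-to-dr would actually select before enabling it. The tag alternatives are written in the brace form here; the filter semantics are my reading of the documented syntax, and the artifact list and function names are mine.

```python
import re

def _glob_to_regex(pattern: str) -> str:
    """Translate a Harbor-style filter pattern into a regular expression.
    '*' matches within one path segment, '**' crosses '/' boundaries,
    '?' matches one character, '{a,b}' matches either alternative."""
    out, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        elif ch == "{" and "}" in pattern[i:]:
            close = pattern.index("}", i)
            alternatives = pattern[i + 1:close].split(",")
            out += "(?:" + "|".join(_glob_to_regex(a) for a in alternatives) + ")"
            i = close + 1
            continue
        else:
            out += re.escape(ch)
        i += 1
    return out

def matches(pattern: str, value: str) -> bool:
    """True when the whole value matches the pattern."""
    return re.fullmatch(_glob_to_regex(pattern), value) is not None

def selected(filters: list[dict], repository: str, tag: str) -> bool:
    """Apply a policy's name and tag filters: an artifact is replicated only if
    every filter matches (a filter type that is absent imposes no restriction)."""
    for f in filters:
        if f["type"] == "name" and not matches(f["value"], repository):
            return False
        if f["type"] == "tag" and not matches(f["value"], tag):
            return False
    return True

# Filters of the backup-to-dr policy above, tag alternatives in brace form;
# the artifact list is constructed for this example.
POLICY_FILTERS = [
    {"type": "name", "value": "production/**"},
    {"type": "tag", "value": "{v*.*.*,latest}"},
]
SAMPLE_ARTIFACTS = [
    ("production/api", "v1.2.3"),
    ("production/web/nginx", "latest"),
    ("production/api", "dev-42"),
    ("staging/api", "v1.0.0"),
    ("production-old/api", "v2.0.0"),
]

def replicated(filters: list[dict], artifacts: list[tuple[str, str]]) -> list[str]:
    """Return 'repository:tag' for every artifact the policy would replicate."""
    return [f"{repo}:{tag}" for repo, tag in artifacts if selected(filters, repo, tag)]

if __name__ == "__main__":
    for ref in replicated(POLICY_FILTERS, SAMPLE_ARTIFACTS):
        print("replicate", ref)
```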

11.2 Replication Policy Types

Policy type | Description | Suitable for
Push-based | Actively pushes to the destination registry | Backups, multi-region distribution
Pull-based | Pulls from a source registry | Central management, image aggregation
Event-based (real-time) | Replicates as soon as an image is pushed | High availability, disaster recovery
Scheduled | Runs on a cron schedule | Periodic sync, bandwidth optimization

12. Monitoring, Alerting and Operations

12.1 Prometheus Metrics

# Metrics are off by default: enable them in harbor.yml (then re-run prepare or
# install.sh). They are served on metric.port (9090 by default) over plain HTTP.
metric:
  enabled: true
  port: 9090
  path: /metrics

# Harbor's Prometheus metrics endpoint
curl http://harbor.yourcompany.com:9090/metrics

# Main metrics:
#   harbor_system_info             - system information
#   harbor_project_count_total     - number of projects
#   harbor_repository_count_total  - number of repositories
#   harbor_artifact_count_total    - number of artifacts
#   harbor_quota_usage_bytes       - quota usage
#   harbor_scan_queue_length       - scan queue length
#   harbor_replication_task_count  - replication task count

# Prometheus scrape configuration. The metrics endpoint is not authenticated, so
# no basic_auth (and no admin password) belongs in this file; restrict who can
# reach port 9090 at the network level instead.
scrape_configs:
  - job_name: 'harbor'
    static_configs:
      - targets: ['harbor.yourcompany.com:9090']
    metrics_path: /metrics

12.2 Grafana Dashboards

📊 Recommended panels:
  • System health (CPU, memory, disk)
  • Registry statistics (projects, repositories, artifacts)
  • Storage usage (quota, utilization)
  • Vulnerability scan statistics (scan count, vulnerability count)
  • Replication task status (success rate, latency)
  • API request metrics (QPS, error rate, latency)

12.3 Day-to-Day Operations Commands

# ===== Docker Compose operations =====
# Restart Harbor
cd /opt/harbor/harbor
docker compose restart

# Stop Harbor
docker compose stop

# Start Harbor
docker compose start

# View logs
docker compose logs -f core
docker compose logs -f registry
tail -f /var/log/harbor/core.log

# Open a shell in a container for debugging
docker compose exec core bash
docker compose exec registry bash

# ===== Database maintenance =====
# Back up the database (-T disables the pseudo-TTY so the redirected dump is clean)
docker compose exec -T postgresql pg_dumpall \
  -U postgres > /backup/harbor_db_$(date +%Y%m%d).sql

# Restore the database
cat /backup/harbor_db_20260312.sql | \
  docker compose exec -T postgresql psql -U postgres

# Remove stale images from the host's Docker daemon. This only reclaims the
# host's local image cache; blobs stored in the Harbor registry are reclaimed
# by Harbor's own garbage collection (Administration → Clean Up → Garbage
# Collection in the web UI).
docker image prune -af --filter "until=168h"

12.4 Backup Strategy

#!/bin/bash
# backup-harbor.sh - Harbor backup script
set -euo pipefail

BACKUP_DIR="/backup/harbor"
DATE=$(date +%Y%m%d_%H%M%S)
RETENTION_DAYS=30
HARBOR_HOME="/opt/harbor/harbor"   # docker compose must run from the directory holding docker-compose.yml

# Create the backup directories. The backup holds the TLS private key and the
# database (with credentials), so keep it readable by root only.
mkdir -p ${BACKUP_DIR}/{database,certs,configs}
chmod 700 "${BACKUP_DIR}"

# 1. Back up the database
cd "${HARBOR_HOME}"
docker compose exec -T postgresql pg_dumpall -U postgres > \
  ${BACKUP_DIR}/database/harbor_db_${DATE}.sql

# 2. Back up the certificates
cp -r /data/cert/* ${BACKUP_DIR}/certs/

# 3. Back up the configuration file
cp ${HARBOR_HOME}/harbor.yml \
  ${BACKUP_DIR}/configs/harbor.yml.${DATE}

# 4. Back up the Docker Compose file
cp ${HARBOR_HOME}/docker-compose.yml \
  ${BACKUP_DIR}/configs/docker-compose.yml.${DATE}

# 5. Compress the backup (the dump file name must match the one written in step 1)
tar -czf ${BACKUP_DIR}/harbor_backup_${DATE}.tar.gz \
  ${BACKUP_DIR}/database/harbor_db_${DATE}.sql \
  ${BACKUP_DIR}/certs/ \
  ${BACKUP_DIR}/configs/

# 6. Delete old backups
find ${BACKUP_DIR} -name "*.tar.gz" -mtime +${RETENTION_DAYS} -delete

# Note: image blobs live under data_volume (/data/harbor in this guide) and are
# not included above. Back that directory up separately (rsync or a filesystem
# snapshot), otherwise a restored database will reference layers that no longer exist.
echo "Backup completed: ${DATE}"

# Add to crontab (daily at 02:00)
crontab -e
# Add this line:
0 2 * * * /opt/harbor/backup-harbor.sh >> /var/log/harbor-backup.log 2>&1