多实例共享存储架构图本文没有使用Nginx做LB,而是使用阿里SLB。本文的架构需要考虑三个问题1.共享存储的选择。Harbor后端存储目前支持??AWSS3、OpenstackSwift、Ceph等,本文使用阿里云极速NAS,磁盘IO性能优于单盘。使用NFSversion3挂载。2.Session不能在不同实例上共享,所以HarborRedis需要单独部署,多个实例连接同一个Redis。3、Harbor多实例数据库问题,需要单独部署一个数据库,多个实例连接同一个数据库。注意:如果生产环境使用阿里云NAS,建议使用极速NAS,不建议使用通用NAS。阿里云NAS性能参考文档https://help.aliyun.com/document_detail/124577.html?spm=a2c4g.11186623.6.552.2eb05ea0HJUgUBDeploymentResourceDeploymentHarbor选择在线部署,使用docker-compose部署,docker-compose和Docker部署环境本文不做介绍,相关文档可以在网上找到。1、挂载阿里云极速NASharbor1和harbor2机器,需要执行mountNAS配置开机自动挂载,打开/etc/fstab配置文件,添加mount命令。#创建NAS挂载目录$mkdir/data#增加同时发起的NFS请求数$sudoecho"optionssunrpctcp_slot_table_entries=128">>/etc/modprobe.d/sunrpc.conf$sudoecho"optionssunrpctcp_max_slot_table_entries=128">>/etc/modprobe.d/sunrpc.conf挂载NFSv4文件系统,添加如下命令:file-system-id.region.nas.aliyuncs.com://datanfsvers=4,minorversion=0,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,_netdev,noresvport00如果要挂载NFSv3文件系统,添加如下命令:file-system-id.region.nas.aliyuncs.com://datanfsvers=3,nolock,proto=tcp,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,_netdev,noresvport00#在/etc/fstab配置文件中添加挂载,执行挂载$mount-a#检查挂载,如果结果文件系统中有NFS文件系统的挂载地址,则说明挂载成功$df-h|grepaliyun2,单机Harbor临时部署在harbor1上操作machine#在线部署Harbor$cd/opt/$wgethttps://github.com/goharbor/harbor/releases/download/v2.2.1/harbor-online-installer-v2.2.1.tgz$tarxfharbor-online-installer-v2.2.1.tgz$cd/opt/harbor$cpharbor.yml.tmplharbor.yml#创建Harbor数据存储$mkdir/data/harbor#添加域名证书,已有域名SSL证书$mkdir/data/harbor/cert#上传SSL证书公钥和私钥转移到/data/harbor/cert目录下$scpharbor.example.pemroot@192.168.10.10:/data/harbor/cert/$scpharbor.example.keyroot@192.168.10.10:/data/harbor/cert/#Configureharbor。yml文件,下面是修改后的文件和原文件的对比结果$diffharbor.ymlharbor.yml.tmpl5c5hostname:reg.mydomain.com17,18c17,18certificate:/your/certificate/path>private_key:/your/private/key/path29c29#external_url:https://reg.mydomain.com:8433data_volume:/data#生成配置文件$cd/opt/harbor#harbor打开helmcharts和镜像漏洞扫描$./prepare--with-notary--with-trivy--with-chartmuseum#install$./install.sh--with-notary--with-trivy--with-chartmuseum#查看$docker-composeps3,分别部署Harbor数据库和Redis#创建postgres和redis存储目录$mkdir-p/data/harbor-redis/data/harbor-postgresql#修改group$chown-R999.999/data/harbor-redis/data/harbor-postgresql#创建postgres和redisdocker-compose.yml文件$vimdocker-compose.ymlversion:'2.3'services:redis:image:goharbor/redis-photon:v2.2.1container_name:harbor-redisrestart:alwayscap_drop:-ALLcap_add:-CHOWN-SETGID-SETUIDvolumes:-/data/harbor-redis:/var/lib/redisnetworks:-harbor-dbports:-6379:6379postgresql:image:goharbor/harbor-db:v2.2.1container_name:harbor-postgresqlrestart:alwayscap_drop:-ALLcap_add:-CHOWN-DAC_OVERRIDE-SETGID-SETUIDenvironment:POSTGRES_USER:postgresPOSTGRES_PASSWORD:test2021volumes:-/data/harbor-postgresql:/var/lib/postgresql/data:znetworks:-harbor-dbports:-5432:5432networks:harbor-db:driver:bridge#部署postgres和redis$docker-composeup-d4,导入postgres数据#进入临时harbor-db容器导出相关表和数据$dockerexec-it-upostgresharbor-dbbash#导出数据$pg_dump-Upostgresregistry>/tmp/registry.sql$pg_dump-Upostgresnotarysigner>/tmp/notarysigner.sql$pg_dump-Upostgresnotaryserver>/tmp/notaryserver.sql#导入数据到单独部署的PostgreSQL数据库e$psql-h192.168.10.10-Upostgresregistry-Whostname:reg.mydomain.com17,18c17,18certificate:/your/certificate/path>private_key:/your/private/key/path29c29#external_url:https://reg.mydomain.com:843337c37<#database:--->database:39c39<#password:root123--->password:root12341c41<#max_idle_conns:50--->max_idle_conns:5044c44<#max_open_conns:1000--->max_open_conns:100047c47data_volume:/data135,158c135,158#external_database:>#harbor:>#host:harbor_db_host>#port:harbor_db_port>#db_name:harbor_db_name>#username:harbor_db_username>#password:harbor_db_password>#ssl_mode:disable>#max_idle_conns:2>#max_open_conns:0>#notary_signer:>#host:notary_signer_db_host>#port:notary_signer_db_port>#db_name:notary_signer_db_name>#用户名:notary_signer_db_用户名>#password:notary_signer_db_password>#ssl_mode:disable>#notary_server:>#host:notary_server_db_host>#port:notary_server_db_port>#db_name:notary_server_db_name>#username:notary_server_db_username>#password:notary_server_db_password>#ssl_mode:disable161,175c161,175external_redis:<#supportredis,redis+sentinel<#hostforredis::<#hostforredis+sentinel:<#:,:,:#external_redis:>##supportredis,redis+sentinel>##hostforredis::>##hostforredis+sentinel:>##:,:,:>#host:redis:6379>#password:>##sentinel_master_setmustbesettosupportredis+sentinel>##sentinel_master_set:>##db_index0是forcore,不可更改>#registry_db_index:1>#jobservice_db_index:2>#chartmuseum_db_index:3>#trivy_db_index:5>#idle_timeout_seconds:30#部署第一个节点harbor$cd/opt/harbor#harbor打开helmcharts和镜像漏洞扫描$./prepare--with-notary--with-trivy--with-chartmuseum#install$./install.sh--with-notary--with-trivy--with-chartmuseum#查看$docker-composeps#复制配置到harbor2机器$scp-r/opt/harbor192.168.10.11:/opt/在harbor2机器上操作#部署第二个节点harbor$cd/opt/harbor#harbor开启helmcharts和镜像漏洞扫描$./prepare--with-notary--with-trivy--with-chartmuseum#Install$./install.sh--with-notary--with-trivy--with-chartmuseum#查看$docker-composeps6,con图阿里云SLB没有具体介绍SLB配置方法,具体配置方法参考下面的阿里云SLB配置文档,配置443端口,使用TCP协议,后端映射到harbor1和harbor2两个端口。443端口SLB配置方法参考阿里云文档https://help.aliyun.com/document_detail/205495.html?spm=a2c4g.11174283.6.666.f9aa1192jngFKC
