centos 7.9 部署 harbor 镜像仓库实践

2022-12-14 544

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

本文涉及的产品

Digicert DV 证书单域名，20个 3个月

容器镜像服务 ACR，镜像仓库100个不限时长

简介： centos 7.9 部署 harbor 镜像仓库实践

centos 7.9 harbor 部署镜像仓库

tags: registry

文章目录

1. 安装 docker

1.1 配置 docker

2. 安装 docker-compose

3. 下载 harbor

4. 定制配置文件 harbor.yml

5. 配置证书

5.1 生成证书颁发机构证书

5.2 生成服务器证书

5.3 向 Harbor 和 Docker 提供证书

6. 部署 harbor

7. 测试

1. 安装 docker

Docker 安装

1.1 配置 docker

$ cat /etc/docker/daemon.json 
{
   "exec-opts": ["native.cgroupdriver=systemd"],
   "log-driver": "json-file",
   "log-opts": {
   "max-size":  "100m"
    },
   "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ]
 }

启动 docker

systemctl start docker && systemctl enable docker

2. 安装 docker-compose

下载最新版本：https://github.com/docker/compose/releases

 sudo curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
 sudo chmod +x /usr/local/bin/docker-compose  
 sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

$ docker-compose --version
Docker Compose version v2.12.2

3. 下载 harbor

下载最新harbor：https://github.com/goharbor/harbor/releases

sudo curl -L "https://github.com/goharbor/harbor/releases/download/v2.6.2/harbor-offline-installer-v2.6.2.tgz" -o harbor-offline-installer-v2.6.2.tgz

$ tar xzvf harbor-offline-installer-v2.6.2.tgz
harbor/harbor.v2.6.2.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
$ ls harbor
common.sh  harbor.v2.6.2.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

4. 定制配置文件 harbor.yml

cp harbor.yml.tmpl harbor.yml

$ vim harbor.yml
hostname: harbor.fumai.com
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/harbor.fumai.com.crt
  private_key: /data/cert/harbor.fumai.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.6.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
cache:
  enabled: false
  expire_hours: 24

5. 配置证书

5.1 生成证书颁发机构证书

生成 CA 证书私钥ca.key

openssl genrsa -out ca.key 4096

#生成 CA 证书

openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.fumai.com" -key ca.key -out ca.crt

5.2 生成服务器证书

生成私钥

openssl genrsa -out harbor.fumai.com.key 4096

生成证书签名请求 (CSR)

openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.fumai.com"  -key harbor.fumai.com.key -out harbor.fumai.com.csr

生成 x509 v3 扩展文件

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.fumai.com
DNS.2=harbor.fumai
DNS.3=hostname
EOF

使用该v3.ext文件为您的 Harbor 主机生成证书

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.fumai.com.csr -out harbor.fumai.com.crt

5.3 向 Harbor 和 Docker 提供证书

将服务器证书和密钥复制到 Harbor 主机上的 certficates 文件夹中

mkdir -p /data/cert
cp harbor.fumai.com.crt /data/cert/
cp harbor.fumai.com.key /data/cert/

转换harbor.fumai.com.crt为harbor.fumai.com.key.cert，供 docker使用

openssl x509 -inform PEM -in harbor.fumai.com.crt -out harbor.fumai.com.cert

将服务器证书、密钥和 CA 文件复制到 Harbor 主机上的 docker 证书文件夹中。您必须首先创建适当的文件夹

mkdir -p /etc/docker/certs.d/harbor.fumai.com/
cp harbor.fumai.com.cert /etc/docker/certs.d/harbor.fumai.com/
cp harbor.fumai.com.key /etc/docker/certs.d/harbor.fumai.com/
cp ca.crt /etc/docker/certs.d/harbor.fumai.com/

配置生效

systemctl daemon-reload &&  systemctl restart docker

6. 部署 harbor

运行prepare脚本以启用 HTTPS

./prepare

输出：

prepare base dir is set to /root/harbor
Unable to find image 'goharbor/prepare:v2.6.2' locally
v2.6.2: Pulling from goharbor/prepare
d46c4d5563bc: Pulling fs layer
2014728b1023: Pulling fs layer
aab288eb9305: Pulling fs layer
f5624bd14a09: Waiting
d706af45859a: Waiting
758da3aa4679: Waiting
af6231a55025: Waiting
8c758607ff4a: Waiting
fb477479c0dd: Waiting
99767f301e98: Waiting
v2.6.2: Pulling from goharbor/prepare
d46c4d5563bc: Pull complete
2014728b1023: Pull complete
aab288eb9305: Pull complete
f5624bd14a09: Pull complete
d706af45859a: Pull complete
758da3aa4679: Pull complete
af6231a55025: Pull complete
8c758607ff4a: Pull complete
fb477479c0dd: Pull complete
99767f301e98: Pull complete
Digest: sha256:43e0c17257f4ebe982edd0fbf8e8f2081c81550769dc92ed06ed16e1641fc8a9
Status: Downloaded newer image for goharbor/prepare:v2.6.2
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

启动

docker-compose up -d

查看容器状态

$ docker-compose ps
NAME                COMMAND                  SERVICE             STATUS              PORTS
harbor-core         "/harbor/entrypoint.…"   core                running (healthy)
harbor-db           "/docker-entrypoint.…"   postgresql          running (healthy)
harbor-jobservice   "/harbor/entrypoint.…"   jobservice          running (healthy)
harbor-log          "/bin/sh -c /usr/loc…"   log                 running (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       "nginx -g 'daemon of…"   portal              running (healthy)
nginx               "nginx -g 'daemon of…"   proxy               running (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp
redis               "redis-server /etc/r…"   redis               running (healthy)
registry            "/home/harbor/entryp…"   registry            running (healthy)
registryctl         "/home/harbor/start.…"   registryctl         running (healthy)

7. 测试

命令行登陆

$  docker login harbor.fumai.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded