👋Harbor基于docker-compose部署
⚽️介绍
Harbor 是一个开源的私有镜像中心,它通过策略和基于角色的访问控制来提供保护机制,可以对镜像进行漏洞扫描,并将镜像签名为可信任的。
⚽️1. 安装步骤
- 环境要求
- 系统配置
- 配置SSL证书
- 下载harbor
- 解压安装包
- 配置harbor.yml
- 部署harbor
- 测试使用
⚽️2. 开始部署
⚾️2.1. 环境要求
- 硬件要求:
| Spec | 最低 | 推荐 |
| CPU | 2核 | 4核 |
| RAM | 4GB | 8GB |
- 软件环境:
| Software | Version |
| operating system | CentOS 7.9-x86_64(DVD) |
| openssl | 1.0.2k-fips |
| containerd | v1.6.21 |
| docker | v24.0.1 |
| docker-compose | v2.18.1 |
- 服务器规划:
| Role | IP |
| k8s-main | 192.168.81.128 |
- 域名:
| Name | Domain |
| harbor | hub.loongstudio.com |
⚾️2.2. 系统配置
- 配置本地域名
vi /etc/hosts
192.168.81.133 harbor hub.loongstudio.com
- 配置 docker 守护文件
cat /etc/docker/daemon.json
{ "registry-mirrors": [ "https://docker.m.daocloud.io", "https://dockerproxy.com", "https://docker.mirrors.ustc.edu.cn", "https://docker.nju.edu.cn" ], "insecure-registries": ["hub.loongstudio.com","0.0.0.0","192.168.81.128"], "exec-opts": ["native.cgroupdriver=systemd"], "dns": ["8.8.8.8"] }
- 重启docker服务
systemctl daemon-reload && systemctl restart docker
⚾️2.3. 配置SSL证书
生成证书颁发机构证书
- 创建CA文件夹并进入目录
mkdir -pv /root/docker/compose/harbor/ca cd /root/docker/compose/harbor/ca
- 生成CA证书私钥
openssl genrsa -out ca.key 4096
- 生成CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Guangdong/L=Beijing/O=loongstudio/OU=loongstudio/CN=hub.loongstudio.com" \ -key ca.key \ -out ca.crt
生成服务器证书
- 生成私钥
openssl genrsa -out hub.loongstudio.com.key 4096
- 生成证书签名请求(CSR)
openssl req -sha512 -new \ -subj "/C=CN/ST=Guangdong/L=Beijing/O=loongstudio/OU=loongstudio/CN=hub.loongstudio.com" \ -key hub.loongstudio.com.key \ -out hub.loongstudio.com.csr
- 生成x509 v3扩展文件
cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=hub.loongstudio.com DNS.2=hub.loongstudio DNS.3=k8s-main EOF
- 使用v3.txt为harbor主机生成证书
openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in hub.loongstudio.com.csr \ -out hub.loongstudio.com.crt
向Harbor和Docker提供证书
- 创建证书文件夹
mkdir -pv /data/cert/
- 将服务器证书和密钥复制到证书文件夹中
cp hub.loongstudio.com.crt /data/cert/ cp hub.loongstudio.com.key /data/cert/
- 将hub.loongstudio.com.crt转换为hub.loongstudio.com.cert,以供Docker使用
openssl x509 -inform PEM -in hub.loongstudio.com.crt -out hub.loongstudio.com.cert
- 将服务器证书、密钥和CA文件复制到Docker证书文件夹中
mkdir -pv /etc/docker/certs.d/hub.loongstudio.com/ cp hub.loongstudio.com.cert /etc/docker/certs.d/hub.loongstudio.com/ cp hub.loongstudio.com.key /etc/docker/certs.d/hub.loongstudio.com/ cp ca.crt /etc/docker/certs.d/hub.loongstudio.com/
- 重启docker服务
systemctl daemon-reload && systemctl restart docker
⚾️2.4. 下载harbor(以下两种方式任选其一)
- 命令行下载
这里我们进入到工作目录,并执行以下命令开始下载
sudo curl -L "https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz" -o harbor-offline-installer-v2.8.2.tgz
- 手动下载
这里我们选择离线下载包,下载完成后上传到服务器
- 查看下载的安装包
⚾️2.5. 解压安装包
- 解压
tar xzvf harbor-offline-installer-v2.8.2.tgz
- 解压后的文件
harbor/harbor.v2.8.2.tar.gz harbor/prepare harbor/LICENSE harbor/install.sh harbor/common.sh harbor/harbor.yml.tmpl
⚾️2.6. 配置harbor.yml
cp harbor.yml.tmpl harbor.yml vi harbor.yml
hostname: hub.loongstudio.com # http related config http: # port for http, default is 80. If https enabled, this port will redirect to https port port: 80 # https related config https: # https port for harbor, default is 443 port: 443 # The path of cert and key files for nginx certificate: /data/cert/hub.loongstudio.com.crt private_key: /data/cert/hub.loongstudio.com.key harbor_admin_password: nogx3PIHiZm5pBsf
⚾️2.7. 部署harbor
- 使用prepare脚本配置nginx使用HTTPS
./prepare
- 部署harbor
docker-compose up -d
- 检查
docker-compose ps
⚾️2.8. 测试使用
命令行登录
docker login hub.loongstudio.com
浏览器登录
- 配置hosts文件
192.168.81.128 hub.loongstudio.com
- 启动
https://hub.loongstudio.com/
- 注意
如果显示 无法访问此网站,请关闭VPN后再尝试刷新网页。
👬 交友小贴士:
