5.4 Test results
5.4.1 Registry login
$ docker login 192.168.211.70
Authenticating with existing credentials...
Stored credentials invalid or expired
Username (admin): admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
5.4.2 Web UI login
Username/password: admin/Harbor12345
5.4.3 Push an image
$ docker push 192.168.211.70/library/alpine:v1.0
The push refers to repository [192.168.211.70/library/alpine]
e2eb06d8af82: Pushed
v1.0: digest: sha256:69704ef328d05a9f806b6b8502915e6a0a4faa4d72018dc42343f511490daf8a size: 528
5.4.4 Pull an image
We switch to another machine and try to pull this image. What configuration is needed? None at all; the machine only needs network connectivity to the registry.
$ cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ]
}
$ docker pull 192.168.211.70/library/alpine:v1.0
v1.0: Pulling from library/alpine
a0d0a0d46f8b: Pull complete
Digest: sha256:69704ef328d05a9f806b6b8502915e6a0a4faa4d72018dc42343f511490daf8a
Status: Downloaded newer image for 192.168.211.70/library/alpine:v1.0
192.168.211.70/library/alpine:v1.0
Harbor HTTPS deployment with IP access completed successfully.
6 Harbor HTTPS deployment with domain-name access
6.1 Clean up leftovers
$ docker-compose down
[+] Running 10/10
 ⠿ Container harbor-jobservice  Removed   10.5s
 ⠿ Container registryctl        Removed   10.5s
 ⠿ Container nginx              Removed    0.5s
 ⠿ Container harbor-portal      Removed    0.4s
 ⠿ Container harbor-core        Removed   10.5s
 ⠿ Container redis              Removed    1.0s
 ⠿ Container harbor-db          Removed    0.9s
 ⠿ Container registry           Removed   11.1s
 ⠿ Container harbor-log         Removed   10.7s
 ⠿ Network harbor_harbor        Removed
$ rm -rf /data/*
$ rm -rf common
$ rm -rf /etc/docker/certs.d/*
6.2 Modify the configuration
6.2.1 harbor.yml
Change the hostname parameter in the harbor.yml configuration file and reconfigure the https-related parameters:
$ cat harbor.yml | grep -v '#' | grep -v '^$'
hostname: ghost.harbor.com
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/ghost.harbor.com.crt
  private_key: /data/cert/ghost.harbor.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
6.2.2 /etc/docker/daemon.json
As follows:
$ cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ]
}
Then restart Docker:
systemctl daemon-reload && systemctl restart docker
6.3 Configure certificates
6.3.1 Generate a certificate authority (CA) certificate
# Generate the CA private key
openssl genrsa -out ca.key 4096
# Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=ghost.harbor.com" \
  -key ca.key \
  -out ca.crt
6.3.2 Generate a server certificate
# Generate the private key
openssl genrsa -out ghost.harbor.com.key 4096
# Generate the certificate signing request (CSR)
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=ghost.harbor.com" \
  -key ghost.harbor.com.key \
  -out ghost.harbor.com.csr
# Generate the x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=ghost.harbor.com
DNS.2=ghost.harbor
DNS.3=hostname
EOF
# Use the v3.ext file to generate the certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in ghost.harbor.com.csr \
  -out ghost.harbor.com.crt
6.3.4 Provide the certificates to Harbor and Docker
# a. Copy the server certificate and key into the certificates folder on the Harbor host
mkdir /data/cert
cp ghost.harbor.com.crt /data/cert/
cp ghost.harbor.com.key /data/cert/
# b. Convert ghost.harbor.com.crt to ghost.harbor.com.cert for use by Docker
openssl x509 -inform PEM -in ghost.harbor.com.crt -out ghost.harbor.com.cert
# c. Copy the server certificate, key and CA file into the Docker certificates folder
#    on the Harbor host. You must create the appropriate folder first.
mkdir -p /etc/docker/certs.d/ghost.harbor.com/
cp ghost.harbor.com.cert /etc/docker/certs.d/ghost.harbor.com/
cp ghost.harbor.com.key /etc/docker/certs.d/ghost.harbor.com/
cp ca.crt /etc/docker/certs.d/ghost.harbor.com/
If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/ghost.harbor.com:port or /etc/docker/certs.d/harbor_IP:port instead.
Restart Docker:
systemctl daemon-reload && systemctl restart docker
6.3.5 Trust the certificate at the operating-system level
e. When the Docker daemon runs on certain operating systems, you may also need to trust the certificate at the operating-system level.
Ubuntu:
$ cp ghost.harbor.com.crt /usr/local/share/ca-certificates/ghost.harbor.com.crt
$ update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Red Hat (CentOS, etc.):
$ cp ghost.harbor.com.crt /etc/pki/ca-trust/source/anchors/ghost.harbor.com.crt
$ update-ca-trust
6.4 Deploy or reconfigure Harbor
If you have not yet deployed Harbor, see "Configure the Harbor YML File" for information on how to configure Harbor to use the certificates by setting the hostname and https attributes in harbor.yml.
If you have already deployed Harbor with HTTP and want to reconfigure it to use HTTPS, perform the following steps.
a. Run the prepare script to enable HTTPS
./prepare
b. If Harbor is running, stop and remove the existing instance
Your image data remains on the file system, so no data is lost.
docker-compose down -v
c. Restart
docker-compose up -d
6.5 Testing
6.5.1 Registry login
$ docker login ghost.harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
6.5.2 Web UI login
6.5.3 Push an image
$ docker push ghost.harbor.com/library/busybox:latest
The push refers to repository [ghost.harbor.com/library/busybox]
cfd97936a580: Pushed
latest: digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b size: 527
6.5.4 Pull an image
We switch to another machine, 192.168.211.71, and try to pull this image. What configuration is needed? The /etc/docker/daemon.json configuration is as follows:
$ cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ]
}
Configure /etc/hosts:
192.168.211.70 ghost.harbor.com
If hosts is not configured, you may get an error like this:
$ docker pull ghost.harbor.com/library/busybox:latest
Error response from daemon: Get https://ghost.harbor.com/v2/: x509: certificate has expired or is not yet valid
Of course, it may also be that the clocks of the two machines are out of sync, in which case NTP needs to be configured.
In addition, the Docker certificates must be configured:
mkdir -p /etc/docker/certs.d/ghost.harbor.com/
scp root@192.168.211.70:/etc/docker/certs.d/ghost.harbor.com/ghost.harbor.com.cert /etc/docker/certs.d/ghost.harbor.com/
scp root@192.168.211.70:/etc/docker/certs.d/ghost.harbor.com/ghost.harbor.com.key /etc/docker/certs.d/ghost.harbor.com/
scp root@192.168.211.70:/etc/docker/certs.d/ghost.harbor.com/ca.crt /etc/docker/certs.d/ghost.harbor.com/
Without the certificates, the error looks like this:
$ docker pull ghost.harbor.com/library/busybox:latest
Error response from daemon: Get https://ghost.harbor.com/v2/: x509: certificate signed by unknown authority
Finally, after overcoming all these obstacles, it succeeded:
$ docker pull ghost.harbor.com/library/busybox:latest
latest: Pulling from library/busybox
Digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b
Status: Downloaded newer image for ghost.harbor.com/library/busybox:latest
ghost.harbor.com/library/busybox:latest
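The two pull failures above (a missing hosts entry or clock skew, and a missing CA file under certs.d) can be ruled out before running docker pull. The following Python pre-flight check is an added example and not part of the original article: it derives the /etc/docker/certs.d/ folder Docker consults for an image reference (keyed by host[:port], matching the host:port folder rule in 6.3.4), audits the file names in that folder the way dockerd reads them (*.crt files as extra root CAs, each *.cert client certificate paired with a same-named *.key), and confirms the registry name has an /etc/hosts entry. The docker.io fallback for references without a registry and the sample hosts text are assumptions constructed for this demo.

```python
import os

def parse_reference(ref):
    """Split 'host[:port]/repo[:tag]' into (registry, repo, tag); the first
    component is a registry only if it has '.' or ':' (Docker's heuristic)."""
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first):
        registry, path = first, rest
    else:  # no registry in the reference: Docker Hub (assumed default)
        registry, path = "docker.io", ref
    repo, _, tag = path.partition(":")
    return registry, repo, tag or "latest"

def certs_dir(ref, root="/etc/docker/certs.d"):
    """Folder dockerd consults, keyed by host[:port] (non-443 port -> 'host:port')."""
    return os.path.join(root, parse_reference(ref)[0])

def check_cert_names(names):
    """Audit certs.d names as dockerd reads them: '*.crt' = extra root CA (missing
    -> 'certificate signed by unknown authority'); each '*.cert' client cert
    needs a same-named '*.key' and vice versa."""
    problems = []
    if not any(n.endswith(".crt") for n in names):
        problems.append("no *.crt CA file: server certificate will be untrusted")
    certs = {n[:-5] for n in names if n.endswith(".cert")}
    keys = {n[:-4] for n in names if n.endswith(".key")}
    problems += [f"{c}.cert has no {c}.key" for c in sorted(certs - keys)]
    problems += [f"{k}.key has no {k}.cert" for k in sorted(keys - certs)]
    return problems

def hosts_lookup(hosts_text, hostname):
    """IP an /etc/hosts-style text maps hostname to, or None (comments ignored)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and hostname in fields[1:]:
            return fields[0]
    return None

def preflight(ref, cert_names, hosts_text):
    """All checks for one image reference; an empty list means ready to pull."""
    host = parse_reference(ref)[0].rsplit(":", 1)[0]
    problems = check_cert_names(cert_names)
    if hosts_lookup(hosts_text, host) is None:
        problems.append(f"{host} has no /etc/hosts entry (also check DNS and NTP)")
    return problems

if __name__ == "__main__":  # constructed sample mirroring the article's client
    ref, hosts = "ghost.harbor.com/library/busybox:latest", "192.168.211.70 ghost.harbor.com\n"
    print(certs_dir(ref), preflight(ref, ["ca.crt", "ghost.harbor.com.cert", "ghost.harbor.com.key"], hosts))
    print(preflight(ref, ["ghost.harbor.com.cert"], "127.0.0.1 localhost\n"))
```

Run it with the real folder listing (os.listdir(certs_dir(ref))) and the contents of /etc/hosts on the client machine to see which of the two errors you would hit before contacting the registry.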
Harbor HTTPS deployment with domain-name access completed successfully.
Clear the browser cache before opening the web UI.