0. Install Harbor
0.1 Download the installer package
Downloading from GitHub is extremely slow
Link: https://pan.baidu.com/s/1_l_FaqkKleqoiR3FAi2p5A
Extraction code: 7b1r
0.2 Installation
Extract the downloaded archive, edit the configuration, and run install.sh
tar -zxvf harbor-offline-installer-v1.10.10.tgz
harbor]# ll
-rw-r--r-- 1 root root 612306524 Jan 12 12:09 harbor.v1.10.10.tar.gz
-rw-r--r-- 1 root root      5895 Apr 22 10:02 harbor.yml
-rwxr-xr-x 1 root root      2284 Jan 12 12:08 install.sh
-rw-r--r-- 1 root root     11347 Jan 12 12:08 LICENSE
-rwxr-xr-x 1 root root      1750 Jan 12 12:08 prepare

# Edit the configuration: change hostname, port and the data storage directory
hostname: 10.50.10.185
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8199
# The default data volume
data_volume: /opt/harbor/data

[root@p1edaspk02 harbor]# sh ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 18.06.3
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.29.1
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-portal:v1.10.10
...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
/usr/src/app/utils/configs.py:100: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  configs = yaml.load(f)
....
[Step 5]: starting Harbor ...
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
0.3 Start and stop
# start harbor
docker-compose up -d
# stop harbor
docker-compose down
To configure HTTPS you must create an SSL certificate. You can use a certificate signed by a trusted third-party CA, or a self-signed certificate.
By default, Harbor does not ship with certificates. Harbor can be deployed without security so that you connect to it over plain HTTP. However, HTTP is only acceptable in an air-gapped test or development environment with no external network connection. Using HTTP in an environment that is not air-gapped exposes you to man-in-the-middle attacks. In production, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.
1. Generate a certificate authority (CA) certificate
In production you should obtain a certificate from a CA. In a test or development environment you can generate your own CA. To generate a CA certificate, run the following commands.
1.1 Generate the CA certificate private key.
openssl genrsa -out ca.key 4096
1.2 Generate the CA certificate
Adjust the values in the -subj option to reflect your organization. If you use an FQDN to connect to the Harbor host, you must specify it as the Common Name (CN) attribute.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=XianYang/L=XianYang/O=example/OU=Personal/CN=10.50.10.185" \
  -key ca.key \
  -out ca.crt
If you access Harbor by IP, replace 10.50.10.185 with your IP address
2. Generate a server certificate
A certificate usually consists of a .crt file and a .key file
2.1 Generate the private key
openssl genrsa -out 10.50.10.185.key 4096
2.2 Generate a certificate signing request (CSR)
openssl req -sha512 -new \
  -subj "/C=CN/ST=XianYang/L=XianYang/O=example/OU=Personal/CN=10.50.10.185" \
  -key 10.50.10.185.key \
  -out 10.50.10.185.csr
If you access Harbor by IP, replace 10.50.10.185 with your IP address
2.3 Generate an x509 v3 extension file
Whether you use an FQDN or an IP address to connect to the Harbor host, you must create this file so that a certificate meeting the Subject Alternative Name (SAN) and x509 v3 extension requirements can be generated for your Harbor host. Replace the DNS entries to reflect your domain.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=10.50.10.185
DNS.2=10.50.10.185
DNS.3=10.50.10.185
EOF
If you access Harbor by IP address:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:10.50.10.185
EOF
2.4 Use the v3.ext file to generate a certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in 10.50.10.185.csr \
  -out 10.50.10.185.crt
If you access Harbor by IP, replace 10.50.10.185 with your IP address
3. Provide the certificates to Harbor and Docker
Once the ca.crt, 10.50.10.185.crt and 10.50.10.185.key files have been generated, you must provide them to Harbor and to Docker and reconfigure both
3.1 Copy the server certificate and key into the /data/cert/ folder on the Harbor host
mkdir -p /data/cert/
cp 10.50.10.185.crt /data/cert/
cp 10.50.10.185.key /data/cert/
3.2 Convert 10.50.10.185.crt to 10.50.10.185.cert for use by Docker
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in 10.50.10.185.crt -out 10.50.10.185.cert
3.3 Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. You must create the appropriate folder first
mkdir -p /etc/docker/certs.d/10.50.10.185/
cp 10.50.10.185.cert /etc/docker/certs.d/10.50.10.185/
cp 10.50.10.185.key /etc/docker/certs.d/10.50.10.185/
cp ca.crt /etc/docker/certs.d/10.50.10.185/
harbor]# tree /etc/docker/certs.d/10.50.10.185/
/etc/docker/certs.d/10.50.10.185/
├── 10.50.10.185.cert
├── 10.50.10.185.key
└── ca.crt
If you map the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port or /etc/docker/certs.d/harbor_IP:port instead
For example, with the HTTPS port set to 8443:
mkdir -p /etc/docker/certs.d/10.50.10.185:8843
cp 10.50.10.185.cert 10.50.10.185.key ca.crt /etc/docker/certs.d/10.50.10.185:8843
3.4 Restart Docker Engine
systemctl restart docker
3.5 Directory structure of the certificates
ca]# tree /etc/docker/certs.d/
/etc/docker/certs.d/
└── 10.50.10.185
    ├── 10.50.10.185.cert
    ├── 10.50.10.185.key
    └── ca.crt
4. Deploy or reconfigure Harbor
harbor.yml
hostname: 10.50.10.185
http:
  port: 8199
https:
  port: 443
  certificate: /opt/harbor/ca/10.50.10.185.crt
  private_key: /opt/harbor/ca/10.50.10.185.key
external_url: https://10.50.10.185
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /data/harbor
clair:
  updaters_interval: 12
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /data/harbor/logs
_version: 1.10.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - clair
4.1 Run the prepare script to enable HTTPS
Harbor uses an nginx instance as the reverse proxy for all of its services. The prepare script configures nginx to use HTTPS
./prepare
4.2 If Harbor is running, stop and remove the existing instance
Your image data stays on the filesystem, so no data is lost
harbor]# docker-compose down -v
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping registryctl       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done
Removing harbor-jobservice ... done
Removing nginx             ... done
Removing harbor-core       ... done
Removing registryctl       ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing registry          ... done
Removing harbor-portal     ... done
Removing harbor-log        ... done
Removing network harbor_harbor
4.3 Restart Harbor
harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating redis ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
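A pre-flight check for the harbor.yml of step 4 before running ./prepare, added here as an example and not part of the original post: it confirms the certificate and private_key files exist and belong together, that the certificate's SAN carries the configured hostname, that external_url is an https URL for that host, and that the shipped default admin password Harbor12345 has been changed. It assumes the top-level key layout shown on this page and reads values with a plain line match (yml_val), not a YAML parser.

```shell
#!/bin/sh
# Added example, not from the original post: check_harbor_yml FILE
# Exits 0 when harbor.yml is consistent with the files it names, 1 otherwise,
# printing one line per problem. yml_val is a minimal "key: value" line reader
# that assumes the flat layout shown on this page (hostname, certificate,
# private_key, external_url and harbor_admin_password each appear once).
set -e

yml_val() {  # yml_val FILE KEY -> value of the first "KEY: value" line
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1
}

check_harbor_yml() {
  f=$1; rc=0
  host=$(yml_val "$f" hostname)
  crt=$(yml_val "$f" certificate)
  key=$(yml_val "$f" private_key)
  url=$(yml_val "$f" external_url)
  pw=$(yml_val "$f" harbor_admin_password)
  # the files step 3.1 copied must be where harbor.yml says they are
  [ -r "$crt" ] || { echo "certificate not readable: $crt"; rc=1; }
  [ -r "$key" ] || { echo "private_key not readable: $key"; rc=1; }
  if [ $rc -eq 0 ]; then
    # same public key on both sides, otherwise nginx refuses to start with them
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$c" = "$k" ] || { echo "certificate and private_key do not match"; rc=1; }
    # the SAN must name the host Docker clients dial (DNS: or IP Address:)
    openssl x509 -in "$crt" -noout -text | grep -Eq "(DNS|IP Address):$host(,|$)" \
      || { echo "SAN of $crt does not contain hostname $host"; rc=1; }
  fi
  # external_url must be https and must point at the same host
  case $url in
    "https://$host"|"https://$host:"*) ;;
    *) echo "external_url '$url' does not match https://$host"; rc=1 ;;
  esac
  # the default admin password from the installer must not go into production
  [ "$pw" != Harbor12345 ] || { echo "harbor_admin_password is still the default"; rc=1; }
  return $rc
}
```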
5. Verify the HTTPS connection
Open a browser and enter https://10.50.10.185. It should show the Harbor interface
6. Pushing and pulling images
6.1 Log in to the Harbor registry
# docker login <harbor domain or address>:<port>
harbor]# docker login https://10.50.10.185 -u admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
The output above shows a successful login
If the login reports the error below, the Docker client was pointed at the plain HTTP port (8199 in the harbor.yml above) while it expects TLS from the registry; log in to the HTTPS address instead, as in the successful example:
harbor]# docker login 10.50.10.185:8199 -u admin
Password:
Error response from daemon: Get https://10.50.10.185:8199/v2/: http: server gave HTTP response to HTTPS client
6.2 Create a project in the Harbor dashboard
Projects -> New Project
Create a user
Push an image
Tag the image for the project: docker tag SOURCE_IMAGE[:TAG] 10.50.10.185/harbortest/IMAGE[:TAG]
Push the image to the current project: docker push 10.50.10.185/harbortest/IMAGE[:TAG]
Example of pushing an image
harbor]# docker tag registry.aliyuncs.com/openspug/spug:latest 10.50.10.185/harbortest/registry.aliyuncs.com/openspug/spug:latest
harbor]# docker login https://10.50.10.185 -u admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
harbor]# docker push 10.50.10.185/harbortest/registry.aliyuncs.com/openspug/spug:latest
The push refers to repository [10.50.10.185/harbortest/registry.aliyuncs.com/openspug/spug]
7f7d97906ce8: Pushed
260a2403f5c7: Pushed
26b6e6155c9a: Pushed
8e1aef93890d: Pushed
b220652480d3: Pushed
d30f3e7469cb: Pushed
8d395243207e: Pushed
4b4158158262: Pushed
5fcede3d79f6: Pushed
72bd99349a58: Pushed
27e935fbee66: Pushed
737c272b1ba6: Pushed
fb82b029bea0: Pushed
latest: digest: sha256:8137ad64f0e6ae455171fd4c45a4c0ca42d069262d66f15f66a487f357312350 size: 3032
View the image in Harbor
Note for other Docker servers
If another server needs to push images to Harbor, its Docker configuration directory /etc/docker/certs.d/10.50.10.185/ must contain the server certificate (10.50.10.185.cert), the key (10.50.10.185.key) and the CA file (ca.crt)
7. Further exploration
7.1 Access by domain name
7.2 Harbor Swagger