harbor安装和使用文档-阿里云开发者社区

第一部分：harbor安装篇

一、安装环境规划

机器ip：192.168.199.164

系统版本：CentOS7.6

cpu：4H

内存：6G

主机名：xianchao.lucky.me

二、修改主机名和hosts文件

hostnamectl set-hostname xianchao.lucky.me
cat  /etc/hosts
192.168.199.164 xianchao.lucky.me

三、签发证书-配置https访问时需要使用证书

1.生成ca证书

mkdir /data/ssl -p
cd /data/ssl/
#生成一个3072位的key，也就是私钥
openssl genrsa -out ca.key 3072
#生成一个数字证书ca.pem，1095表示证书的有效时间是3年
openssl req -new -x509 -days 1095 -key ca.key -out ca.pem

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
注：
[]表示默认不填写内容，其他的按上面配置即可

2.生成域名的证书

#生成一个3072位的key，也就是私钥
openssl genrsa -out xianchao.lucky.me.key  3072
#生成一个证书请求
openssl req -new -key xianchao.lucky.me.key  -out xianchao.lucky.me.csr

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:xianchao.lucky.me
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
注：
[]表示默认不填写内容，其他的按上面配置即可
Common Name (eg, your name or your server's hostname)这个位置的
xianchao.lucky.me是harbor的主机名

#签发证书
openssl x509 -req -in xianchao.lucky.me.csr -CA ca.pem -CAkey ca.key  -CAcreateserial -out xianchao.lucky.me.pem -days 1095

显示如下，说明证书签发好了

Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/CN=xianchao.lucky.me
Getting CA Private Key

3.查看证书是否有效

openssl x509 -noout -text -in xianchao.lucky.me.pem

显示如下，说明有效

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e5:5b:2e:bf:bf:61:da:5a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=Default Company Ltd
        Validity
            Not Before: Sep 26 08:58:11 2019 GMT
            Not After : Sep 25 08:58:11 2022 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=Default Company Ltd, CN=xianchao.lucky.me
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:f3:c9:53:28:34:22:67:18:e0:a5:4a:c0:24:ac:
                    0a:59:d7:f2:cd:ad:7e:bd:29:26:ad:67:2f:50:6f:
                    f5:c4:ba:75:35:c7:54:bf:b1:dc:15:21:20:b8:32:
                    5b:40:38:78:5e:b1:c7:d6:b6:5e:44:8d:f8:a1:88:
                    7e:01:43:35:b1:1b:53:9d:65:88:8a:7c:90:93:5f:
                    6d:66:71:d3:11:44:e4:3d:af:0d:d2:89:29:2a:55:
                    ee:ec:23:3b:6a:10:dc:99:68:e3:7c:05:97:11:66:
                    65:b9:98:e7:07:7c:7b:86:73:bd:43:a4:15:e6:36:
                    36:3d:f9:16:20:ed:d0:f2:cd:bd:8c:a1:ae:e5:cf:
                    ee:cc:ab:1b:02:4f:56:28:2e:54:f4:3c:38:aa:67:
                    0f:20:24:a5:cd:9d:3b:72:3a:81:18:dd:cc:57:fc:
                    24:5f:c8:22:c2:37:29:3b:63:c3:b0:4b:0e:77:18:
                    7e:49:32:72:17:76:41:53:29:b8:da:54:69:9b:11:
                    ad:86:cc:5e:3a:54:dd:0f:0a:3e:72:6f:cf:38:01:
                    0a:83:40:b4:bc:81:b2:b8:83:82:3f:b2:9e:dd:6c:
                    29:f4:68:1a:90:f9:32:07:ab:71:ef:f2:a2:ce:07:
                    61:44:25:0a:e9:ec:ad:28:7f:eb:a1:ee:2b:90:a6:
                    52:05:95:42:e1:d9:16:2b:97:84:20:32:0c:c7:aa:
                    1e:d9:c9:aa:58:c2:ee:a6:94:71:36:e0:0e:dd:f5:
                    6e:5f:c3:b0:d4:2e:e8:c4:73:89:65:91:54:1f:38:
                    37:a9:56:15:92:de:8e:86:72:89:56:d1:8c:d2:15:
                    78:59:3a:66:60:63:c3:af:66:6d:e0:dc:12:4c:a3:
                    76:f2:10:44:db:5d:36:8e:e7:33:27:49:e2:1f:ca:
                    e5:15:cb:52:05:06:0f:7d:89:3c:2f:cb:7d:10:60:
                    8c:4c:96:f2:54:1b:54:66:c1:54:d4:38:45:6b:dc:
                    29:ae:e5:2f:da:e1:45:e9:c2:39
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         1e:b8:34:f7:dc:74:4b:2a:92:8d:c7:00:de:e2:70:de:34:a2:
         75:b6:4b:88:9f:0a:99:79:e5:6b:78:78:38:0c:6c:12:af:94:
         d6:9d:19:30:95:14:cb:64:6c:c7:6a:8e:db:d1:bd:36:04:04:
         9b:64:8b:9d:c5:f8:ff:05:1b:98:53:01:3a:76:21:b8:56:a0:
         2a:cc:bd:33:f9:db:74:bd:09:f8:2e:50:8f:37:2d:ec:cb:6a:
         e1:cc:4f:fc:4a:3b:51:5f:17:53:7a:8c:13:99:38:bb:94:dd:
         b4:e5:26:97:6f:e8:84:ec:e9:e4:ba:95:3a:03:1d:d2:42:85:
         ad:33:2f:1d:1e:34:4f:f8:38:d6:fe:91:89:23:67:f1:e7:d7:
         54:e0:4d:26:22:b4:ec:9f:8f:04:f9:4d:e8:8e:d2:87:ff:58:
         7d:f3:87:a6:c9:91:2e:52:40:19:9f:87:63:32:47:a5:86:7f:
         ae:de:d9:f8:5a:97:c2:0a:4e:b3:15:f5:d1:09:cb:77:b4:41:
         f7:c2:08:6c:f8:e4:ef:b1:3b:98:52:e5:df:82:0f:79:20:ac:
         ae:5f:41:ca:99:c4:0b:f4:cb:e5:d0:8f:c9:f6:be:9a:32:3f:
         e4:21:74:d6:bb:a6:a5:09:4c:64:3a:b9:95:9a:c3:c1:88:74:
         aa:8f:ac:af:bc:2e:78:6d:b1:46:0e:7a:51:69:b8:1e:22:87:
         11:2e:5c:16:91:33:ad:f3:4f:52:44:0c:02:f4:b4:00:96:80:
         42:cc:b9:9e:3f:fa:f5:42:e0:d0:51:84:95:f2:84:b0:0e:81:
         dc:4c:94:ed:2a:4c:36:2c:35:1d:45:53:da:a3:52:84:63:56:
         76:90:96:79:7a:85:8e:29:1f:0e:99:ed:2a:99:7f:55:0f:93:
         bc:13:56:de:39:dd:c7:39:d3:68:2f:db:54:17:51:05:d3:db:
         01:02:a7:b6:a4:c8:40:48:1d:e9:8d:a0:03:c4:56:37:f5:2d:
         c2:ab:48:0e:a9:f5

四、信任自签发的域名证书

因为证书是自己签发的，系统是不信任的，需要加入到信任里，步骤如下

cd /data/ssl
cp ca.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust enable  && update-ca-trust extract

五、harbor安装与配置

1.创建安装目录

mkdir /data/install 
cd /data/install/

2.安装docker-ce

yum install -y yum-utils device-mapper-persistent-data lvm2
#设置dacoker安装的yum源
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo                
cat /etc/yum.repos.d/docker-ce.repo 
显示如下：

[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-edge]
name=Docker CE Edge - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-edge-debuginfo]
name=Docker CE Edge - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-edge-source]
name=Docker CE Edge - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

#安装docker
yum install docker-ce -y   
#启动docker
systemctl start docker   
#设置docker为开机自启动
systemctl enable docker
#查看docker版本
docker version     
Version:  19.03.2

配置docker加速器：

cat /etc/docker/daemon.json    
添加如下一行
{"registry-mirrors": ["http://6e9e5b27.m.daocloud.io"]
}
#重启docker
systemctl daemon-reload
systemctl restart docker.service
这样我们就配置好了docker hub的加速器了，docker pull镜像的时候速度就会加快！

3.安装harbor

ll /data/ssl

有两个证书文件
xianchao.lucky.me.key      xianchao.lucky.me.pem

4.habor官方网站

https://github.com/vmware/harbor

5.下载地址，在release里面下载二进制包：

#下载地址
https://github.com/goharbor/harbor/releases
#下载方法
curl -LO  'https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.4.tgz'

上述是官网，可能下载不下来，可以从国内镜像站点下载

#下载地址
http://harbor.orientsoft.cn/
cd /data/install
wget 'http://harbor.orientsoft.cn/harbor-v1.4.0/harbor-offline-installer-v1.4.0.tgz'

解压

tar zxvf harbor-offline-installer-v1.4.0.tgz
cd harbor
common目录：存放模板配置
ha目录：做harbor高可用的

修改配置文件：

cat harbor.cfg
hostname = xianchao.lucky.me
#修改hostname，跟上面签发的证书域名保持一致
ui_url_protocol = https
#协议用https
ssl_cert = /data/ssl/xianchao.lucky.me.pem
ssl_cert_key = /data/ssl/xianchao.lucky.me.key
邮件和ldap不需要配置，在harbor的web界面可以配置
harbor默认的账号密码：admin/Harbor12345
其他配置采用默认即可

6.安装docker-compose

yum install docker-compose -y

7.安装harbor

#官方安装文档说明：
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
./install.sh --with-notary --with-clair   
#clair 开启镜像的漏洞扫描
显示如下说明安装完成

✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://xianchao.lucky.me. 
For more details, please visit https://github.com/vmware/harbor .

在自己计算机搜索hosts文件，在hosts文件添加如下一行

192.168.199.164   xianchao.lucky.me

保存退出

8.登陆harbor：

在浏览器输入：
https://xianchao.lucky.me
出现如下界面，说明可以正常访问harbor

默认的账号密码如下

账号：admin

密码：Harbor12345

第二部分：harbor使用篇

一、harbor web界面配置

1.输入账号密码登录到harbor之后做如下配置

系统管理-->配置管理处修改如下
项目创建：仅管理员
允许自动注册：取消

2.harbor公共的镜像仓库说明

所有基础镜像都会放在library里面，这是一个公开的镜像仓库
公有项目下的镜像任何成员都能下载
私有项目下的镜像需要添加对应的的成员才可以下载

二、上传镜像到harbor私有镜像仓库

1.在192.168.199.164上拉取镜像

docker pull  centos

2.给镜像打标签

docker tag centos:latest xianchao.lucky.me/library/centos:v1

3.在192.168.199.164上登陆harbor仓库

docker login -u admin  xianchao.lucky.me
密码：Harbor123

显示如下说明登陆成功

Login Succeeded

4.把164机器上的本地镜像上传到harbor镜像仓库

docker push xianchao.lucky.me/library/centos:v1

5.在library这个项目里可以看到有一个名称是library/centos的镜像

点进去library/centos这个镜像，显示如下：

6.扫描漏洞

选中v1这个标签的镜像，点击扫描

点击箭头标注的部分可以看到扫描结果

7.镜像签名

项目------>library----->配置管理，显示如下

内容信任：仅允许部署通过认证的镜像，也就是需要给镜像签名
阻止危险级别严重的镜像运行：如果镜像漏洞危险级别高，则阻止其拉取下载
如果这个选项打开的话，需要对上传的镜像都做扫描，否则将阻止拉取下载

选中阻止潜在漏洞镜像
   组织危险级别设置成严重
选中自动扫描镜像

修改之后的配置如下

8.上传镜像测试

（1）登录到hub仓库

docker login
Username: xianchao
Password:1989*****

（2）拉取镜像

docker pull tomcat

（3）镜像打标签

docker tag tomcat  xianchao.lucky.me/library/tonmcat:v1

（4）登陆harbor仓库

docker login xianchao.lucky.me

（5）上传镜像到harbor仓库

docker push xianchao.lucky.me/library/tonmcat:v1

在harbor管理界面的library仓库可以看到刚才上传的镜像了

（6）在164上把之前打过标签的镜像删除

docker rmi -f xianchao.lucky.me/library/tonmcat:v1

（7）在harbor仓库下载镜像

docker login xianchao.lucku.me
docker pull xianchao.lucky.me/library/tonmcat:v1

报错如下

Error response from daemon: unknown: Cannot get the image severity.

上面报错是因为我们之前做了第7步，配置了镜像签名

需要在harbor console界面对tonmcat:v1做扫描，这样才能拉取镜像

扫描之后的结果如下

可以看到有9个严重的漏洞，我们在之前配置镜像签名的时候设置了如果漏洞程度有严重级别，会组织拉取镜像，所以我们现在拉取镜像

docker pull xianchao.lucky.me/library/tonmcat:v1

报错如下

Error response from daemon: unknown: The severity of vulnerability of the image: "high" is equal or higher than the threshold in project setting: "high".

说明漏洞危险级别高

9.取消镜像签名

项目------>library----->配置管理把之前的阻止潜在漏洞镜像和自动扫描取消，如下

修改之后点击保存

拉取镜像

docker pull xianchao.lucky.me/library/tonmcat:v1

这回就可以正常拉取了

harbor安装和使用文档

热门文章

最新文章

相关课程

相关电子书

相关实验场景