1.生成https证书(如果已有则跳过)
1、生成CA证书私钥
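# Working directory for the CA and the registry's key material.
# -p keeps this re-runnable (the heading says to skip if the material already exists).
mkdir -p /opt/cert
cd /opt/cert || exit 1
# CA private key. Tighten the mode explicitly rather than relying on the umask:
# everything that trusts ca.crt is only as safe as this file.
openssl genrsa -out ca.key 4096
chmod 600 ca.key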
2、生成CA证书
# Self-signed CA certificate, valid 10 years. The CN is the registry's IP address;
# ca.crt is the file every Docker client has to trust, so it is what gets distributed later.
openssl req -x509 -new -nodes \
  -key ca.key \
  -sha512 -days 3650 \
  -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.15.101" \
  -out ca.crt
3、生成服务器证书
openssl genrsa -out 192.168.15.101.key 4096
4、生成证书签名请求
# Certificate signing request for the registry key; the subject mirrors the CA's,
# with the CN again set to the registry's IP.
openssl req -new \
  -key 192.168.15.101.key \
  -sha512 \
  -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.15.101" \
  -out 192.168.15.101.csr
5、生成一个x509 v3扩展文件
# x509 v3 extensions for the server certificate. Keep exactly ONE of the two variants
# below: both write v3.ext, so when this is run top to bottom the IP variant (the second)
# wins, which matches the CN used above. The subjectAltName must be the name or IP that
# Docker clients actually use to reach the registry, otherwise TLS verification fails.
# --- domain-name variant ---
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
# --- IP-address variant (overwrites the file written above) ---
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.15.101
EOF
6、使用该v3.ext文件生成证书
# Sign the CSR with the CA, attaching the subjectAltName/keyUsage extensions from v3.ext.
# -CAcreateserial writes a serial-number file next to ca.crt on first use.
openssl x509 -req \
  -in 192.168.15.101.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -sha512 -days 3650 \
  -out 192.168.15.101.crt
7、提供证书给Harbor和Docker
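# Export the leaf certificate under the ".cert" name (same PEM content, different suffix).
openssl x509 -inform PEM -in 192.168.15.101.crt -out 192.168.15.101.cert
# Docker's per-registry trust directory, named after the registry host
# (append ":port" when the registry is not served on 443).
mkdir -pv /etc/docker/certs.d/192.168.15.101/
# Only the CA certificate is needed for Docker to trust this registry: files ending in
# .crt in this directory are loaded as CA roots, while a <name>.cert/<name>.key pair is
# loaded as a *client* certificate (and Docker rejects a .cert without its .key).
# The registry's own certificate and, above all, its private key are therefore not
# copied here: the private key stays on the Harbor host.
cp ca.crt /etc/docker/certs.d/192.168.15.101/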
# 如果 nginx 映射的不是默认的 443/80 端口，证书目录名需要带上端口号：
# /etc/docker/certs.d/192.168.15.101:port
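# Copy the server certificate and key to the location harbor.yml will point at.
mkdir -p /data/cert
cp 192.168.15.101.crt /data/cert
cp 192.168.15.101.key /data/cert
# Guard the cd so a failure here does not leave later commands running in /opt/cert.
cd /data/cert || exit 1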
8、证书受信
在 /etc/docker/daemon.json 中添加如下内容（注意：insecure-registries 会让 Docker 对该仓库跳过证书校验并允许回退到 HTTP，这与上面让 Docker 信任 ca.crt 的目的相悖；certs.d 中已放入 ca.crt 后其实不需要此项）
{
"insecure-registries": ["192.168.15.101"]
}
9、docker加载证书
systemctl restart docker
2.安装harbor
1、安装harbor
[root@localhost ~]# tar -xf harbor-offline-installer-v2.3.3.tgz -C /usr/local/
2、修改harbor的配置文件
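# Start from the shipped template, then edit the copy
# (the file path belongs on the same line as vi; it was split across two lines).
cp /usr/local/harbor/harbor.yml.tmpl /usr/local/harbor/harbor.yml
vi /usr/local/harbor/harbor.yml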
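# The values to set in harbor.yml. certificate/private_key belong under the https key,
# so they must be indented (the original listing showed them at top level).
hostname: 192.168.15.101
https:
  # the copies placed in /data/cert above
  certificate: /data/cert/192.168.15.101.crt
  private_key: /data/cert/192.168.15.101.key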
3、安装启动 ./install.sh
3.其他的docker免密
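# Trust the registry from another Docker host (192.168.15.100 in this example).
# The trust directory has to exist on the *remote* host, so create it over ssh rather
# than locally, and ship only ca.crt: Docker needs nothing else to trust a CA-signed
# registry, and the registry's private key must never be distributed to clients.
ssh root@192.168.15.100 'mkdir -pv /etc/docker/certs.d/192.168.15.101/'
scp ca.crt root@192.168.15.100:/etc/docker/certs.d/192.168.15.101/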
# 证书受信
在 /etc/docker/daemon.json 中添加如下内容（注意：insecure-registries 会让 Docker 对该仓库跳过证书校验并允许回退到 HTTP；certs.d 中已有 ca.crt 时其实不需要此项）
{
"insecure-registries": ["192.168.15.101"]
}
systemctl restart docker