Docker Harbor 1.9.0-rc1 image registry installation with HTTPS access
1. Install Docker
See "Installing Docker with Yum"
2. Install docker-compose
[root@k8s-harbor-git ~]# curl -L https://github.com/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   617    0   617    0     0    683      0 --:--:-- --:--:-- --:--:--   684
100 16.2M  100 16.2M    0     0  3543k      0  0:00:04  0:00:04 --:--:-- 4432k
[root@k8s-harbor-git ~]# chmod +x /usr/local/bin/docker-compose
3. Install and configure Harbor
3.1 Set up the certificate authority
Create a working directory
[root@k8s-harbor-git ~]# mkdir cadir
[root@k8s-harbor-git ~]# cd cadir
[root@k8s-harbor-git cadir]# pwd
/root/cadir
Create the certificate authority
[root@k8s-harbor-git cadir]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
......................++
............................................................................................................................................................................................++
e is 65537 (0x10001)
[root@k8s-harbor-git cadir]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=ar.com" \
> -key ca.key \
> -out ca.crt
[root@k8s-harbor-git cadir]# ls
ca.crt  ca.key
Obtain the server certificate (private key and certificate signing request)
[root@k8s-harbor-git cadir]# openssl genrsa -out reg.ar.com.key 4096
Generating RSA private key, 4096 bit long modulus
...............++
...........................................++
e is 65537 (0x10001)
[root@k8s-harbor-git cadir]# openssl req -sha512 -new \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.ar.com" \
> -key reg.ar.com.key \
> -out reg.ar.com.csr
[root@k8s-harbor-git cadir]# ls
ca.crt  ca.key  reg.ar.com.csr  reg.ar.com.key
Prepare the x509 v3 extension file for the registry host's certificate
[root@k8s-harbor-git cadir]# cat > v3.ext <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=reg.ar.com
> DNS.2=reg.ar
> DNS.3=hostname
> EOF
[root@k8s-harbor-git cadir]# ls
ca.crt  ca.key  reg.ar.com.csr  reg.ar.com.key  v3.ext
Generate the certificate
[root@k8s-harbor-git cadir]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in reg.ar.com.csr \
> -out reg.ar.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.ar.com
Getting CA Private Key
[root@k8s-harbor-git cadir]# ls
ca.crt  ca.key  ca.srl  reg.ar.com.crt  reg.ar.com.csr  reg.ar.com.key  v3.ext
Copy the certificate and key to the directory that holds Harbor's certificates (/data/cert in this example)
[root@k8s-harbor-git cadir]# mkdir /data/cert
[root@k8s-harbor-git cadir]# cp reg.ar.com.crt /data/cert/
[root@k8s-harbor-git cadir]# cp reg.ar.com.key /data/cert/
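3.2 Configure the certificate, key and CA for Docker
The Docker daemon treats .crt files as CA certificates and .cert files as client certificates, so the server certificate is first written out as a .cert file.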
[root@k8s-harbor-git cadir]# openssl x509 -inform PEM -in reg.ar.com.crt -out reg.ar.com.cert
[root@k8s-harbor-git cadir]# ls
ca.crt  ca.key  ca.srl  reg.ar.com.cert  reg.ar.com.crt  reg.ar.com.csr  reg.ar.com.key  v3.ext
Create the directory /etc/docker/certs.d/reg.ar.com/ to hold the certificates for Docker (it does not exist by default), copy the certificates into it, and restart Docker
[root@k8s-harbor-git cadir]# mkdir -p /etc/docker/certs.d/reg.ar.com/
[root@k8s-harbor-git cadir]# cp reg.ar.com.cert /etc/docker/certs.d/reg.ar.com/
[root@k8s-harbor-git cadir]# cp reg.ar.com.key /etc/docker/certs.d/reg.ar.com/
[root@k8s-harbor-git cadir]# cp ca.crt /etc/docker/certs.d/reg.ar.com
[root@k8s-harbor-git harbor]# systemctl restart docker
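A check worth running on the issued files before Harbor and Docker are pointed at them, as an added example that is not part of the original post: it verifies the chain against the CA file, the host name against the subjectAltName list, that key and certificate belong together, and that the private key is not accessible to group or others (the copies made with cp above keep whatever mode the source file had). The function names and the throwaway demo PKI (2048-bit keys, 1-day validity, CN=demo-ca) are assumptions made for the example, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# check_registry_cert CA CERT KEY HOST
# Prints one line per failed check and returns the number of failures.
check_registry_cert() {
    ca=$1; crt=$2; key=$3; host=$4; n=0
    # 1. Chain: the server certificate must verify against the CA file.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL chain: $crt does not verify against $ca"; n=$((n + 1)); }
    # 2. Name: the host must be covered by a subjectAltName entry.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL name: $host is not covered by $crt"; n=$((n + 1)); }
    # 3. Pairing: certificate and private key must hold the same public key.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || pub=""
    [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL key: $key does not belong to $crt"; n=$((n + 1)); }
    # 4. Exposure: no group/other permission bits on the private key.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL mode: $key is accessible beyond its owner"; n=$((n + 1)); }
    return "$n"
}

# make_demo_pki DIR
# Constructed test data: a throwaway CA and server certificate issued with
# the same steps as above (2048-bit keys and 1-day validity for the demo).
make_demo_pki() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=demo-ca" \
        -key "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/reg.ar.com.key" 2048 2>/dev/null
    openssl req -new -sha512 -subj "/CN=reg.ar.com" \
        -key "$d/reg.ar.com.key" -out "$d/reg.ar.com.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:reg.ar.com' > "$d/v3.ext"
    openssl x509 -req -sha512 -days 1 -extfile "$d/v3.ext" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -in "$d/reg.ar.com.csr" -out "$d/reg.ar.com.crt" 2>/dev/null
    chmod 600 "$d/reg.ar.com.key"
}

dir=$(mktemp -d) && make_demo_pki "$dir" &&
    check_registry_cert "$dir/ca.crt" "$dir/reg.ar.com.crt" \
        "$dir/reg.ar.com.key" reg.ar.com &&
    echo "OK: reg.ar.com certificate passes all four checks"
```

Against the files from this walkthrough the call would be check_registry_cert ca.crt /data/cert/reg.ar.com.crt /data/cert/reg.ar.com.key reg.ar.com.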
3.3 Upload the Harbor installation package and extract it
[root@k8s-harbor-git harbor]# tar -zxvf harbor.v1.9.3.tar.gz
[root@k8s-harbor-git ~]# ls
anaconda-ks.cfg  cadir  harbor  harbor-offline-installer-v1.9.3.tgz
Edit Harbor's configuration file to specify the certificate location
[root@k8s-harbor-git harbor]# cat harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: reg.ar.com   ### change to your own domain name

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:   ### enable https; mind the indentation
#   # https port for harbor, default is 443
  port: 443   ### enable port 443; mind the indentation
#   # The path of cert and key files for nginx
  certificate: /data/cert/reg.ar.com.crt   ### the certificate created above
  private_key: /data/cert/reg.ar.com.key   ### the certificate's private key

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345   ### change Harbor's default password; this example keeps the default

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.9.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair
[root@k8s-harbor-git harbor]#
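A pre-install check of harbor.yml for the settings that the listing above leaves at their installer defaults, as an added example that is not part of the original post or of Harbor's own tooling. The function names and the embedded sample file are constructed for illustration, and the parser assumes the simple two-level key layout of harbor.yml rather than full YAML.

```shell
#!/bin/sh
# Added example, not from the original post and not part of Harbor.

# audit_harbor_yml FILE
# Prints one finding per line for settings that should not reach production.
audit_harbor_yml() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comment and blank lines
    {
        line = $0
        sub(/[ \t]+#.*$/, "", line)           # drop a trailing "### note"
        indent = match(line, /[^ ]/) - 1      # 0 means a top-level key
        key = line; sub(/^ +/, "", key); sub(/:.*$/, "", key)
        val = line; sub(/^[^:]*:[ \t]*/, "", val)
        if (indent == 0) section = key
        path = (indent == 0) ? key : (section "." key)
        seen[path] = val
    }
    END {
        if (seen["harbor_admin_password"] == "Harbor12345")
            print "harbor_admin_password: installer default still set"
        if (seen["database.password"] == "root123")
            print "database.password: installer default still set"
        if (!("https" in seen))
            print "https: section is commented out, registry served over HTTP"
        else if (seen["https.certificate"] == "" || seen["https.private_key"] == "")
            print "https: certificate or private_key path missing"
        if (seen["hostname"] == "localhost" || seen["hostname"] == "127.0.0.1")
            print "hostname: not reachable by external clients"
    }' "$1"
}

# write_sample FILE
# Constructed sample holding the values shown in the harbor.yml above.
write_sample() {
    cat > "$1" <<'EOF'
hostname: reg.ar.com   ### set your own domain
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/reg.ar.com.crt
  private_key: /data/cert/reg.ar.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
EOF
}

f=$(mktemp) && write_sample "$f" && audit_harbor_yml "$f"
```

On the sample it reports the admin and database passwords; an empty result means none of the checked defaults remain.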
3.4 Run the installation
[root@k8s-harbor-git harbor]# ./prepare
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Run the installer
[root@k8s-harbor-git harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 19.03.5
Note: docker-compose version: 1.25.0
[Step 1]: loading Harbor images ...
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.9.3
Loaded image: goharbor/prepare:v1.9.3
Loaded image: goharbor/harbor-db:v1.9.3
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.9.3
Loaded image: goharbor/harbor-portal:v1.9.3
Loaded image: goharbor/redis-photon:v1.9.3
Loaded image: goharbor/harbor-migrator:v1.9.3
Loaded image: goharbor/harbor-log:v1.9.3
Loaded image: goharbor/nginx-photon:v1.9.3
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.9.3
Loaded image: goharbor/clair-photon:v2.1.0-v1.9.3
Loaded image: goharbor/harbor-core:v1.9.3
Loaded image: goharbor/harbor-jobservice:v1.9.3
Loaded image: goharbor/harbor-registryctl:v1.9.3
[Step 2]: preparing environment ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://reg.ar.com.
For more details, please visit https://github.com/goharbor/harbor .
3.5 Configure the hosts file and test logging in by domain name
[root@k8s-harbor-git ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.100.10 reg.ar.com
Test the login
[root@k8s-harbor-git harbor]# docker login reg.ar.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Access from a browser