docker搭建Harbor私有仓库
一、环境、软件准备
环境使用百度云,centos7.6
docker:19.03.8
docker-compose:1.21.2
Harbor:1.5.1
注意:Harbor的所有服务组件都是在Docker中部署的,官方安装方式是用Docker-compose快速部署,因此我们需要先安装Docker、Docker-compose。由于Harbor是基于Docker Registry V2版本,所以要求Docker版本不小于1.10.0,Docker-compose版本不小于1.6.0
二、安装
1、docker上篇文章已经安装,不再重复安装,点击查看
2、docker-compose安装
方式一
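# Download the docker-compose binary matching this host's OS and architecture.
# -f makes curl fail on an HTTP error (e.g. a 404 for a missing release asset)
# instead of saving the error page as the binary; chmod only runs if the
# download succeeded.
sudo curl -fL \
  "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose \
  && sudo chmod +x /usr/local/bin/docker-compose
# Before trusting the binary, compare its sha256 with the value published on
# the release page (placeholder: <SHA256_FROM_RELEASE_PAGE>):
#   sha256sum /usr/local/bin/docker-compose
# Verify the installation.
docker-compose --version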
方式二
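# Install pip from EPEL. On CentOS 7 the python-pip package is the Python 2
# pip and provides the `pip` command (there is no `pip3` unless python3-pip
# is installed separately).
yum -y install epel-release python-pip
# Upgrade pip itself.
pip install --upgrade pip
# NOTE: matplotlib is unrelated to docker-compose; these two lines are kept
# only because the original steps ran them and may be skipped.
python -m pip install -U pip setuptools
python -m pip install matplotlib --upgrade
# Install docker-compose with the pip installed above. The original called
# pip3 here, which does not exist after installing only python-pip.
pip install docker-compose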
3、harbor服务搭建
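# Pick ONE of the two installers; both unpack into ./harbor, so running both
# in sequence would overlay two different Harbor versions in the same
# directory. Extraction only runs when the download succeeded.
#
# Online installer (pulls the component images at install time).
wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-online-installer-v1.1.2.tgz \
  && tar xvf harbor-online-installer-v1.1.2.tgz
#
# Offline installer (component images bundled in the archive).
# Compare the archive with the checksum/signature published for the release
# (placeholder: <CHECKSUM_FROM_RELEASE_PAGE>) before extracting it.
wget https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-offline-installer-v1.5.1.tgz \
  && tar xvf harbor-offline-installer-v1.5.1.tgz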
4、修改harbor的配置文件
vim harbor/harbor.cfg ## Configuration file of Harbor #设置访问地址,可以使用域名、IP,不可设置为127.0.0.1和localhost hostname = 106.13.110.183 #访问协议默认http,也可使用https,如果设置https,则nginx ssl需要设置为on ui_url_protocol = http #mysql数据库root用户默认密码(示例值,部署前应改为自己的密码) db_password = root123 max_job_workers = 3 customize_crt = on ssl_cert = /data/cert/server.crt ssl_cert_key = /data/cert/server.key secretkey_path = /data admiral_url = NA #邮箱设置,发送重置密码邮件 email_identity = email_server = smtp.mydomain.com email_server_port = 25 email_username = sample_admin@mydomain.com email_password = abc email_from = admin <sample_admin@mydomain.com> email_ssl = false #管理员admin的初始登录密码(首次登录后应修改) harbor_admin_password = Harbor12345 #认证方式,支持LDAP、本地存储、数据库认证。本文默认db_auth auth_mode = db_auth #LDAP认证时配置 ldap_url = ldaps://ldap.mydomain.com ldap_basedn = ou=people,dc=mydomain,dc=com ldap_uid = uid ldap_scope = 3 ldap_timeout = 5 #是否开启自动注册 self_registration = on #token有效时间,默认30分钟 token_expiration = 30 #用户创建项目控制权限,everyone(所有人) adminonly(管理员) project_creation_restriction = everyone verify_remote_cert = on
5、启动harbor
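# Run the installer from inside the extracted directory; it uses the
# docker-compose.yml there to pull the images it depends on. The installer
# only runs if the cd succeeded, so a missing ./harbor does not start an
# install from the wrong directory.
cd harbor && ./install.sh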
6、在harbor目录下查看启动的容器
docker-compose ps Name Command State Ports ----------------------------------------------------------------- harbor- /harbor/harbor_ad Up adminserver minserver harbor-db docker- Up 3306/tcp entrypoint.sh mysqld harbor-jobservice /harbor/harbor_jo Up bservice harbor-log /bin/sh -c crond Up 127.0.0.1:1514->5 && rm -f ... 14/tcp harbor-ui /harbor/harbor_ui Up nginx nginx -g daemon Up 0.0.0.0:443->443/ off; tcp, 0.0.0.0:4443 ->4443/tcp, 0.0.0 .0:80->80/tcp registry /entrypoint.sh Up 5000/tcp serve /etc/ ...
7、web端查看IP地址形式(默认为80端口的映射,也可以去docker-compose.yml中修改)
8、本地执行登陆操作
docker login 106.13.110.183 Username: admin Password: Error response from daemon: Get https://106.13.110.183/v2/: dial tcp 106.13.110.183:443: connect: connection refused #出现以上报错,是因为docker1.3.2后就开始默认docker registry使用的为https协议,而我们设置的为http #解决方法(临时方案:--insecure-registry 允许 docker 对该地址回退到 http 或不校验证书,第 9 步改为 https 并配置证书后应去掉该参数) vim /usr/lib/systemd/system/docker.service #在ExecStart行后加--insecure-registry 106.13.110.183 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 106.13.110.183 systemctl daemon-reload systemctl restart docker
#再次登陆
docker login 106.13.110.183
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
9、部署SSL认证(使用openssl)
#创建证书存放目录 mkdir -p /data/cert && cd /data/cert #创建自己的CA证书,生成根证书私钥(无加密) openssl genrsa -out ca.key 2048 Generating RSA private key, 2048 bit long modulus .....................+++ ...............+++ e is 65537 (0x10001) #自己签名证书(使用自己的私钥ca.key自签发根证书) openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=Harbor-ca" req 产生证书签发申请命令 -x509 签发X.509格式证书命令。X.509是最通用的一种签名证书格式。 -new 生成证书请求 -key 指定私钥文件 -nodes 表示私钥不加密 -out 输出 -subj 指定用户信息 -days 有效期 #生成服务端私钥和CSR签名请求 openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr #一路回车 #签发服务证书 echo subjectAltName = IP:106.13.110.183 > extfile.cnf openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extfile extfile.cnf -out server.crt x509 签发X.509格式证书命令。 -req 表示证书输入请求。 -days 表示有效天数 -extensions 表示按OpenSSL配置文件v3_req项添加扩展。 -CA 表示CA证书,这里为ca.crt -CAkey 表示CA证书密钥,这里为ca.key -CAcreateserial 表示创建CA证书序列号 -extfile 指定文件
修改Harbor的配置文件harbor.cfg
vim /root/harbor/harbor.cfg ## Configuration file of Harbor hostname = 106.13.110.183 ui_url_protocol = https #改为https db_password = root123 max_job_workers = 3 customize_crt = on
#认证文件位置 ssl_cert = /data/cert/server.crt ssl_cert_key = /data/cert/server.key secretkey_path = /data
设置docker证书
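# Docker looks for trusted certificates under
# /etc/docker/certs.d/<registry-address>/ — one directory per registry
# address (IP or domain). When the registry is on 443 the port is omitted;
# for a custom port name the directory <address>:<port>, e.g.
# /etc/docker/certs.d/yourdomain.com:port
# Additional registries get their own directory, e.g.
# mkdir -p /etc/docker/certs.d/[IP2]
# mkdir -p /etc/docker/certs.d/[example1.com]
mkdir -p /etc/docker/certs.d/106.13.110.183
# ca.crt is what docker validates the registry's server certificate against.
cp /data/cert/ca.crt /etc/docker/certs.d/106.13.110.183/
cp /data/cert/server.crt /etc/docker/certs.d/106.13.110.183/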
重启docker和harbor
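# Restart docker, then re-run the Harbor installer so the https settings in
# harbor.cfg take effect. The installer only runs if the restart succeeded.
systemctl restart docker && ./harbor/install.sh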
访问测试
#登陆 docker login 106.13.110.183 Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded #登出 docker logout 106.13.110.183 Removing login credentials for 106.13.110.183
注:其他服务器如果需要访问 Harbor 仓库,把 /etc/docker/certs.d/192.168.80.42 文件夹(即 /etc/docker/certs.d/<Harbor地址>,本文中为 /etc/docker/certs.d/106.13.110.183)复制到该主机的相同位置即可;该目录下只有证书(.crt)文件,/data/cert 中的私钥 ca.key、server.key 无需也不应分发