# Point yum at the Aliyun mirror: replace the CentOS 7 base repo definition and add EPEL.
# The first wget overwrites the existing CentOS-Base.repo in place; no backup is kept.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
 
 
# NOTE(review): docker-ce is normally shipped from Docker's own repository rather than
# base/EPEL — confirm a docker-ce repo is configured before this step.
yum -y install docker-ce
yum -y install docker-compose
# Print the installed version to confirm it meets the requirement.
docker-compose --version
 
 
 
 
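# Fetch the Harbor v2.4.1 offline installer from the project's GitHub releases.
wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz
# The archive is unpacked and its install.sh is later run as root, so compare it with a
# checksum or signature obtained from the release page before extracting, e.g.:
#   echo "<EXPECTED_SHA256>  harbor-offline-installer-v2.4.1.tgz" | sha256sum -c -
# -p: do not fail when /data already exists.
mkdir -p /data
tar xf harbor-offline-installer-v2.4.1.tgz -C /data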
加载镜像文件
# Import the image archive bundled with the offline installer into the local Docker image store.
cd /data/harbor
docker load -i harbor.v2.4.1.tar.gz
 
 
 
生成CA证书私钥
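# Generate the 4096-bit RSA private key of the private CA in /etc/pki.
cd /etc/pki
# Run under a restrictive umask in a subshell: older OpenSSL builds create the key file with
# umask-derived permissions, which would leave ca.key readable by other local users.
# The key is written without a passphrase, so file permissions are its only protection.
(umask 077 && openssl genrsa -out ca.key 4096)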
 
创建 CA 证书
# Issue the self-signed CA certificate (-x509) from ca.key: SHA-512 digest, valid for 3650 days,
# subject CN=hzde.com. The result, ca.crt, is the trust anchor that signs the Harbor certificate.
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=GD/L=ShenZhen/O=example/OU=Personal/CN=hzde.com" \
 -key ca.key \
 -out ca.crt
  
 创建 Harbor 证书的私钥和证书签名请求(CSR)
 openssl genrsa -out harbor.key 4096
 openssl req -sha512 -new \
    -subj "/C=CN/ST=GD/L=ShenZhen/O=example/OU=Personal/CN=harbor.hzde.com" \
    -key harbor.key \
    -out harbor.csr
     
证书的 CN(以及下面 v3.ext 中 subjectAltName 里的域名)要跟你访问 Harbor 用的域名保持一致,否则 docker login 会因为证书校验失败而登录不上
 
创建 v3 扩展配置文件(v3.ext)
# Write the X.509 v3 extension file applied when the CA signs the CSR: it marks the
# certificate as a non-CA, server-authentication certificate and lists in subjectAltName
# the DNS names and IP address it is valid for.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
 
[alt_names]
DNS.1=harbor.hzde.com
DNS.2=harbor
IP.1=192.168.14.132
EOF
 
 
创建 harbor 证书(用上面的 CA 对 CSR 签名)
# Sign harbor.csr with the private CA (ca.crt / ca.key), applying the extensions from v3.ext;
# the resulting harbor.crt is valid for 3650 days. -CAcreateserial creates the CA serial-number
# file if it does not exist yet.
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.csr \
    -out harbor.crt
     
     
Signature ok
subject=/C=CN/ST=GD/L=ShenZhen/O=example/OU=Personal/CN=harbor.hzde.com
Getting CA Private Key
 
 
将harbor证书拷贝到/etc/harbor
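# Stage the server certificate and its private key at the paths harbor.yml refers to.
mkdir -p /etc/harbor/ssl
cp harbor.crt harbor.key /etc/harbor/ssl/
# Keep the private key readable by root only; the certificate itself is public.
# NOTE(review): Harbor's prepare step is expected to run as root, so this should not
# affect installation — confirm on your setup.
chmod 600 /etc/harbor/ssl/harbor.key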
 
修改 harbor 配置文件
# Start from the shipped template and edit the copy; the settings to change are shown below.
cd /data/harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
...
hostname: harbor.hzde.com
...
https:
  port: 443
  certificate: /etc/harbor/ssl/harbor.crt
  private_key: /etc/harbor/ssl/harbor.key
...
harbor_admin_password: 1234 # Harbor登录密码,根据自己的需要进行修改
模板里的默认值是 Harbor12345;示例中的 1234 只适合演示,实际部署应换成强密码。该配置项只在首次安装时生效,安装完成后需要在控制台里修改 admin 密码。
 
启动服务
--with-notary:可保证镜像的真实性
--with-trivy:漏洞扫描工具,之前是--with-clair
--with-chartmuseum:启用chart仓库
 
 
[root@master harbor]# ./install.sh --with-notary --with-trivy --with-chartmuseum
 
[Step 0]: checking if docker is installed ...
 
 
检查服务运行状态
docker ps -a
 
docker 登录验证
echo '192.168.14.132 harbor.hzde.com' >> /etc/hosts
 
登录 harbor 有 2 种方式
 
1.为 docker 添加私有证书
 
# Docker reads /etc/docker/certs.d/<registry-host>/ca.crt as the trusted certificate for that registry.
# Here the Harbor server certificate itself is installed under that name, so the file has to be
# copied again whenever harbor.crt is reissued.
# NOTE(review): the CA certificate generated earlier (/etc/pki/ca.crt) is the conventional file to
# place here — confirm which one you want to trust.
mkdir /etc/docker/certs.d/harbor.hzde.com/ -p
cp /etc/harbor/ssl/harbor.crt /etc/docker/certs.d/harbor.hzde.com/ca.crt
 
2.将 harbor 添加到 insecure-registries 中(这种方式会让 docker 不再校验该仓库的证书,建议优先使用方式 1;修改 daemon.json 后需要重启 docker 才能生效)
 
vim /etc/docker/daemon.json
...
  "insecure-registries": ["harbor.hzde.com"]
...
 
登录 harbor(下面用 -p 直接传密码只是为了演示,密码会留在 shell 历史和进程参数里;正如输出中的警告所说,实际使用时应改用 --password-stdin)
 
docker login harbor.hzde.com -u admin -p 1234
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 
Login Succeeded
 
Harbor 控制台登录
先修改 hosts,增加一条192.168.14.132 harbor.hzde.com,然后通过浏览器访问:https://harbor.hzde.com,默认用户名:admin,默认密码:Harbor12345,密码可以在harbor.yml中修改。
本文已在 harbor.yml 中把 admin 密码自定义为 1234。
 
 
 
docker pull nginx:1.20.2-alpine
 
打 tag
docker tag nginx:1.20.2-alpine harbor.hzde.com/library/nginx:1.20.2-alpine
 
 
推送镜像到仓库
docker push harbor.hzde.com/library/nginx:1.20.2-alpine