【Docker】企业级镜像仓库harbor的搭建(http/https)及使用

一:用途###

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器。

二:安装docker-ce###

环境:阿里云轻量应用服务器CentOS 7.3
这里通过yum Docker源仓库安装:
①安装yum 管理依赖包

sudo yum install-y yum-utils device-mapper-persistent-data lvm2

②添加Docker 源仓库

sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

③安装Docker CE

sudo yum install docker-ce docker-ce-cli containerd.io

三:安装docker-compose###

参考这篇博客:https://www.cnblogs.com/wucaiyun1/p/11811112.html

四:安装harbor###

https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
①下载harbor

wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz

或者到github releases下载
https://github.com/goharbor/harbor/releases
-------------------------------------------------------------------http方式-------------------------------------------------------------------
②配置安装(http方式)

[root@iZuf6hcb8yumasfp52oemxZ ailala]# tar -xf harbor-offline-installer-v1.6.1.tgz 
[root@iZuf6hcb8yumasfp52oemxZ ailala]# cd harbor
[root@iZuf6hcb8yumasfp52oemxZ harbor]# vi harbor.yml


-------------------------------------------------------------------http方式-------------------------------------------------------------------
-------------------------------------------------------------------https方式-------------------------------------------------------------------
②配置安装(https方式)
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

Getting Certificate Authority####

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=fixedbug.work" \
-key ca.key \
-out ca.crt

Getting Server Certificate####

  1. Create your own Private Key:
openssl genrsa -out fixedbug.work.key 4096
  1. Generate a Certificate Signing Request:
openssl req -sha512 -new \
    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=fixedbug.work" \
    -key fixedbug.work.key \
    -out fixedbug.work.csr
  1. Generate the certificate of your registry host:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=fixedbug.work
DNS.2=fixedbug
DNS.3=hostname
EOF
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in fixedbug.work.csr \
    -out fixedbug.work.crt

Configuration and Installation####

  1. Configure Server Certificate and Key for Harbor
  cp yourdomain.com.crt /data/cert/
  cp yourdomain.com.key /data/cert/
  1. Configure Server Certificate, Key and CA for Docker
    Convert server yourdomain.com.crt to yourdomain.com.cert:
openssl x509 -inform PEM -in fixedbug.work.crt -out fixedbug.work.cert

Delpoy yourdomain.com.cert, yourdomain.com.key, and ca.crt for Docker:

  cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
  cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
  cp ca.crt /etc/docker/certs.d/yourdomain.com/
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
  1. Configure Harbor

    -------------------------------------------------------------------https方式-------------------------------------------------------------------
[root@iZuf6hcb8yumasfp52oemxZ harbor]# ./prepare
[root@iZuf6hcb8yumasfp52oemxZ harbor]# ./install

③登录

五:上传镜像到harbor仓库###

在本机配置harbor仓库http可信
/etc/docker/daemon.json中添加“"insecure-registries":["reg.slito.com"]”,不然会报错,默认是走https的,重启docker;

登录harbor仓库

[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker login fixedbug.work:88
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

上传镜像

[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker tag mysql:8 fixedbug.work:88/library/mysql:v1
[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker push fixedbug.work:88/library/mysql:v1
The push refers to repository [fixedbug.work:88/library/mysql]
55f5c7d40658: Pushed
8d0c9963a6ad: Pushed
17b62e7a629c: Pushed
8eae701cdfcf: Pushing  31.11MB/341.1MB
d4078c1b9fdb: Pushed
8eae701cdfcf: Pushed
2a9aab74013a: Pushing  33.62MB/44.77MB
414373ffccb4: Pushed
2a9aab74013a: Pushed
51734435c93c: Pushed
5a8a245abd1c: Pushed
99b5261d397c: Pushing  23.78MB/55.34MB

99b5261d397c: Pushed
v1: digest: sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3 size: 2828
[root@iZuf6hcb8yumasfp52oemxZ harbor]#

在harbor中查看

六:下载harbor中的镜像###

[root@iZuf6hcb8yumasfp52oemxZ ~]# docker rmi fixedbug.work:88/library/mysql:v1
Untagged: fixedbug.work:88/library/mysql:v1
Untagged: fixedbug.work:88/library/mysql@sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker images | grep mysql
mysql                           8                               d435eee2caa5        12 days ago         456MB
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker pull fixedbug.work:88/library/mysql:v1
v1: Pulling from library/mysql
Digest: sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3
Status: Downloaded newer image for fixedbug.work:88/library/mysql:v1
fixedbug.work:88/library/mysql:v1
[root@iZuf6hcb8yumasfp52oemxZ ~]# docker images | grep mysql
mysql                            8                               d435eee2caa5        12 days ago         456MB
fixedbug.work:88/library/mysql   v1                              d435eee2caa5        12 days ago         456MB

踩坑记录:域名只是用来替代IP的,没有备案会封锁对应IP的80和433端口,这个IP必须是国内的才行。如果域名指向国外IP,备案还是不备案都不妨碍80和433端口的使用。

posted @ 2019-12-05 13:55  爱啦啦  阅读(2294)  评论(0编辑  收藏  举报