Things to note when logging in to an HTTPS-enabled Harbor from a Docker client
First, create a dedicated certificate directory for Harbor on the host where Harbor will be deployed:
mkdir -p /data/harbor/certs/
cd /data/harbor/certs
- Generate the private key of the CA certificate
openssl genrsa -out ca.key 4096
- Generate the CA certificate (substitute your own values in the -subj string; yourdomain.com can be the hostname of the Harbor host)
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
  -key ca.key \
  -out ca.crt
- Generate the private key of the Harbor server certificate (substitute your own values; yourdomain.com can be the hostname of the Harbor host)
openssl genrsa -out yourdomain.com.key 4096
- Generate the certificate signing request (CSR) for the Harbor server certificate (substitute your own values in the -subj string; yourdomain.com can be the hostname of the Harbor host)
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
  -key yourdomain.com.key \
  -out yourdomain.com.csr
- Generate the x509 v3 extension file that is used when signing the Harbor server certificate (substitute your own values; DNS.1, DNS.2 and DNS.3 can all be the hostname of the Harbor host)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
- Use the CA certificate, the CA private key and the v3 extension file, together with the Harbor server CSR, to sign (generate) the Harbor server certificate (substitute your own values; yourdomain.com can be the hostname of the Harbor host)
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in yourdomain.com.csr \
  -out yourdomain.com.crt
- Copy the Harbor server certificate into the Harbor certificate directory on the Harbor server (we generated the certificate directly in that directory, so no copy is needed; if you do need to copy it, use the following commands)
cp yourdomain.com.crt /data/harbor/certs/
cp yourdomain.com.key /data/harbor/certs/
- For use by Docker, yourdomain.com.crt must first be converted to yourdomain.com.cert
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
- Then copy the Harbor server certificate, its private key and the CA certificate into the Docker certificate directory on the Harbor server (create the directory first if it does not exist)
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
- Finally, restart Docker; the server-side certificates are now in place
systemctl restart docker
- Before installing Harbor, edit the Harbor installation configuration file harbor.yml and set the paths of the Harbor server certificate and private key (master1 is the hostname of my own Harbor server):
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: master1
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config (in fact it is best to disable https for a private Harbor; too many security-related things have to be configured when using it)
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/harbor/certs/master1.crt
  private_key: /data/harbor/certs/master1.key
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to t
- One last, very important point: if a Docker client is to log in to and access the Harbor server, the Harbor server's certificate must be distributed to the Docker client and placed in the client's dedicated certificate directory (for example /etc/docker/certs.d/master1; the client must create it if it does not exist)
scp -r /etc/docker/certs.d/master1/master1.crt root@node1:/etc/docker/certs.d/master1/master1.crt
100% 2078 1.1MB/s 00:00
scp -r /etc/docker/certs.d/master1/master1.crt root@node2:/etc/docker/certs.d/master1/master1.crt
100% 2078 1.1MB/s 00:00
# While the Harbor server has not yet distributed its certificate to node2, Docker on node2 cannot log in to Harbor
[root@node2 ~]# docker login master1
Username: admin
Password:
Error response from daemon: Get https://master1/v2/: x509: certificate signed by unknown authority
# Once the Harbor server certificate is in place, Docker on node2 can log in to Harbor
[root@node2 ~]# docker login master1
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
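Before copying a certificate to the clients it is worth checking locally that a Docker client will actually accept it: the "certificate signed by unknown authority" error seen above comes from a chain mismatch, and a certificate whose subjectAltName (the DNS.1..DNS.3 entries in v3.ext) does not contain the registry hostname fails with a hostname error instead. The script below is an added example, not part of the original post; it assumes the openssl CLI is installed and follows the post's file layout, and make_test_pair builds a throwaway CA and server certificate with the same steps as the post so the checks can be tried without touching /data/harbor.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Harbor server
# certificate against its CA before distributing it to Docker clients.
# Assumes the openssl CLI is installed; file names follow the post's layout.

# check_harbor_cert CA_CRT SERVER_CRT HOSTNAME
# Returns 0 when the certificate will satisfy a Docker client that trusts
# CA_CRT for registry HOSTNAME; otherwise prints the failing check, returns 1.
check_harbor_cert() {
  ca=$1; crt=$2; host=$3
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || {
    echo "cannot parse $crt"; return 1; }
  # Docker's Go TLS stack matches the registry name against subjectAltName,
  # which is why the post signs with a v3.ext listing DNS.1..DNS.3
  echo "$text" | grep -Eq "DNS:$host(,|\$)" || {
    echo "SAN check failed: $host not in subjectAltName"; return 1; }
  # Leaf certificate intended for server authentication, as set in v3.ext
  echo "$text" | grep -q 'CA:FALSE' || {
    echo "basicConstraints check failed: not a leaf certificate"; return 1; }
  echo "$text" | grep -q 'TLS Web Server Authentication' || {
    echo "extendedKeyUsage check failed: serverAuth missing"; return 1; }
  # -checkend 0 fails once the certificate has expired
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || {
    echo "validity check failed: certificate expired"; return 1; }
  # Chain: a failure here is the 'signed by unknown authority' error clients see
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
    echo "chain check failed: $crt is not signed by $ca"; return 1; }
  return 0
}

# make_test_pair DIR HOSTNAME: constructed test data, a throwaway CA plus a
# server cert signed with the post's extension settings (2048-bit keys for speed)
make_test_pair() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha256 -days 1 -subj "/CN=test-ca" \
    -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$host" -key "$dir/$host.key" \
    -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/v3.ext"
  openssl x509 -req -sha256 -days 1 -extfile "$dir/v3.ext" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/$host.csr" \
    -out "$dir/$host.crt" 2>/dev/null
}
```

On the Harbor host from the post this would be run as `check_harbor_cert /data/harbor/certs/ca.crt /data/harbor/certs/master1.crt master1`.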
Finally, if the Harbor server installation runs into problems, go to the directory containing the installer files and do the following:
# Stop and remove the Harbor instance (image files are kept on the filesystem and are not lost)
docker-compose down -v
# If necessary, delete the files under the directory given by data_volume in harbor.yml (replace with the directory you configured; this data will be wiped)
rm -rf /data/harbor/*
# Run the prepare command shipped with the installer files
./prepare
# Restart Harbor
docker-compose up -d
How to install docker-compose:
# Install the EPEL repository
yum install -y epel-release
# Install docker-compose; python3 is installed as a dependency if missing (this can be slow, retry a few times)
yum install -y docker-compose
Attached is a unit file for running Harbor as a system service (adjust the paths to your own setup, then name it harbor.service and place it in /etc/systemd/system):
[Unit]
Description=harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target
Remember to enable harbor.service immediately and have it start at boot:
systemctl enable harbor --now