一、配置https
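#!/usr/bin/env bash
# Step 1 of the Harbor HTTPS setup: create a private CA, then issue a server
# certificate for the registry host signed by that CA.
#
# Outputs (written to the current directory):
#   ca.key / ca.crt      CA private key and self-signed CA certificate
#   ${REG_HOST}.key      registry server private key
#   ${REG_HOST}.csr      certificate signing request
#   ${REG_HOST}.crt      CA-signed server certificate (PEM)
#   ${REG_HOST}.cert     the same certificate under the name Docker's certs.d
#                        expects (Docker reads *.crt there as CA certificates
#                        and *.cert as client certificates)
set -euo pipefail

# The registry host as clients will address it. It is an IP address here, so it
# must be placed in an IP SAN: an IP written as a DNS SAN is not matched by TLS
# clients. Optional hostnames for the same host go into REG_DNS_NAMES.
REG_HOST=${REG_HOST:-10.151.11.52}
REG_DNS_NAMES=${REG_DNS_NAMES:-}   # space separated, e.g. "harbor.example.com"

# Keep the CA subject distinct from the server subject so the issued
# certificate is not a self-issued lookalike of its CA.
CA_SUBJ="/C=CN/ST=Henan/L=Zhengzhou/O=Inspur/OU=Inspur/CN=Harbor Root CA"
SERVER_SUBJ="/C=CN/ST=Henan/L=Zhengzhou/O=Inspur/OU=Inspur/CN=${REG_HOST}"

# Private keys must not be world-readable; openssl honours the umask when it
# creates the key files.
umask 077

# 1. CA key and self-signed CA certificate.
# -nodes leaves ca.key unencrypted on disk: once the server certificate has
# been issued, move ca.key off the registry host (or drop -nodes and set a
# passphrase). Anyone holding it can mint certificates every client trusts.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "$CA_SUBJ" \
  -key ca.key \
  -out ca.crt

# 2. Server private key.
openssl genrsa -out "${REG_HOST}.key" 4096

# 3. Certificate signing request for the registry host.
openssl req -sha512 -new \
  -subj "$SERVER_SUBJ" \
  -key "${REG_HOST}.key" \
  -out "${REG_HOST}.csr"

# 4. x509v3 extensions for the server certificate. A quoted heredoc keeps the
# shell from expanding anything; the SAN entries are appended afterwards so no
# placeholder text ends up inside the file.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
EOF
printf 'IP.1 = %s\n' "$REG_HOST" >> v3.ext
i=1
# shellcheck disable=SC2086  # word-splitting the hostname list is intended
for name in $REG_DNS_NAMES; do
  printf 'DNS.%d = %s\n' "$i" "$name" >> v3.ext
  i=$((i + 1))
done

openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in "${REG_HOST}.csr" \
  -out "${REG_HOST}.crt"

# 5. Docker's /etc/docker/certs.d treats *.crt as CA certificates and *.cert as
# client certificates, so keep a .cert copy of the server certificate for it.
openssl x509 -inform PEM -in "${REG_HOST}.crt" -out "${REG_HOST}.cert"

# Certificates are public; only the .key files stay root-only (umask 077).
chmod 0644 ca.crt "${REG_HOST}.crt" "${REG_HOST}.cert"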
#证书生成结果
二、配置和安装harbor和notary
2.1 配置harbor
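#!/usr/bin/env bash
# Step 2 of the Harbor HTTPS setup: install the server certificate/key where
# Harbor (nginx), the Docker client and the OS trust store expect them.
# Expects the files produced by the certificate step in the current directory:
#   ca.crt, ${REG_HOST}.crt, ${REG_HOST}.cert, ${REG_HOST}.key
set -euo pipefail

REG_HOST=${REG_HOST:-10.151.11.52}

# Server certificate and private key for Harbor; harbor.yml points
# https.certificate / https.private_key at these paths. The key is the
# registry's TLS identity, so it stays root-only.
install -d -m 0755 /data/certs
install -m 0644 "${REG_HOST}.crt" /data/certs/
install -m 0600 "${REG_HOST}.key" /data/certs/

# Docker client trust for this registry. ca.crt is what makes the client trust
# the registry (Docker reads *.crt here as CA certificates). The *.cert/*.key
# pair is what Docker would present as a *client* certificate; the certificate
# step produced the .cert file for exactly this directory. Because the .key is
# the server's private key, do this only on the registry host itself (as the
# Harbor docs do) - other client hosts need ca.crt alone.
install -d -m 0755 "/etc/docker/certs.d/${REG_HOST}"
install -m 0644 ca.crt "/etc/docker/certs.d/${REG_HOST}/ca.crt"
install -m 0644 "${REG_HOST}.cert" "/etc/docker/certs.d/${REG_HOST}/${REG_HOST}.cert"
install -m 0600 "${REG_HOST}.key" "/etc/docker/certs.d/${REG_HOST}/${REG_HOST}.key"

# OS-level trust. The anchor to install is the CA certificate: the server
# certificate was issued with basicConstraints=CA:FALSE and OpenSSL-based
# clients will not accept it alone as the end of a chain.
if [[ -d /usr/local/share/ca-certificates ]]; then
  # Debian/Ubuntu: the file name must end in .crt to be picked up.
  install -m 0644 ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
  update-ca-certificates
elif [[ -d /etc/pki/ca-trust/source/anchors ]]; then
  # RHEL/CentOS
  install -m 0644 ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt
  update-ca-trust
else
  printf 'no known CA trust directory found; install ca.crt manually\n' >&2
  exit 1
fi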
2.2 安装notary
1、从 GitHub release 页面下载 notary 二进制文件 notary-Linux-amd64;下载后先核对文件的 SHA-256 校验值(与发布页或官方公布的值比对)再继续安装
https://github.com/theupdateframework/notary/releases/tag/v0.6.1
2、mv notary-Linux-amd64 notary
3、安装 go(可选):notary 的发布二进制是静态链接的 Go 程序,运行时并不需要 Go 工具链。下面安装 Go 只是为了得到一个已加入 PATH 的目录(/usr/local/golang/bin)来存放 notary;也可以直接把 notary 放到 /usr/local/bin
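#!/usr/bin/env bash
# Step 3 of the Notary install: fetch the Go release tarball, unpack it under
# /usr/local/golang and install the notary binary into that bin directory.
# NOTE: the notary release binary is a statically linked Go program and does
# not need the Go toolchain to run; Go is installed here only so that
# /usr/local/golang/bin exists on PATH as a home for the binary.
set -euo pipefail

GO_VERSION=${GO_VERSION:-1.14.6}
GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
GO_URL="https://dl.google.com/go/${GO_TARBALL}"
# SHA-256 of the tarball as published on the Go download page for this
# version. Copy it from there before running; extraction is refused if the
# downloaded file does not match.
GO_SHA256=${GO_SHA256:?set GO_SHA256 to the published checksum of ${GO_TARBALL}}
GO_ROOT=/usr/local/golang
PROFILE_SNIPPET=/etc/profile.d/golang.sh

# Install wget ("yum"; the original had a typo, "yun").
yum install -y wget

# Download and verify before unpacking anything as root.
wget -O "$GO_TARBALL" "$GO_URL"
printf '%s  %s\n' "$GO_SHA256" "$GO_TARBALL" | sha256sum -c -

# Unpack, dropping the leading "go/" directory so binaries land in GO_ROOT/bin.
mkdir -p "$GO_ROOT"
tar -C "$GO_ROOT" -xzf "$GO_TARBALL" --strip-components 1

# A bare `export PATH=...` only changes the current shell. Persist it in
# /etc/profile.d (which /etc/profile sources) so every login shell gets it;
# this is what "add to /etc/profile" in the original intended.
printf 'export PATH=$PATH:%s/bin\n' "$GO_ROOT" > "$PROFILE_SNIPPET"
chmod 0644 "$PROFILE_SNIPPET"
# shellcheck disable=SC1090
source "$PROFILE_SNIPPET"

go version   # expected: go version go1.14.6 linux/amd64

# 4. Install the notary binary downloaded from the GitHub release page (already
# renamed from notary-Linux-amd64). The download has no execute bit; install
# sets it. Verify the file's SHA-256 against the value published with the
# release before trusting it - it will sign every image you push.
install -m 0755 notary "${GO_ROOT}/bin/notary"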

2.3 配置notary
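#!/usr/bin/env bash
# Notary client setup for the Harbor-hosted Notary server, plus the commands
# used to unsign images. Meant to be sourced into an interactive shell: the
# alias below is not visible to scripts or to a new terminal.
# Assumes ca.crt from the certificate step is in the current directory and was
# installed under /etc/docker/certs.d/<registry>/ in the Harbor step.

REG_HOST=${REG_HOST:-10.151.11.52}
REGISTRY="${REG_HOST}:5000"                 # Harbor https port from harbor.yml
NOTARY_SERVER="https://${REG_HOST}:4443"    # Notary server deployed by Harbor
NOTARY_CA="/etc/docker/certs.d/${REG_HOST}/ca.crt"

# The Docker client looks for the Notary server's CA under
# ~/.docker/tls/<host>:<port>/ (the directory name includes the port).
mkdir -p "${HOME}/.docker/tls/${REG_HOST}:4443"
cp ca.crt "${HOME}/.docker/tls/${REG_HOST}:4443/"

# Alias so `notary ...` does not need -s/-d/--tlscacert every time. The trust
# directory ~/.docker/trust is the one `docker push` uses, so keys created by
# either tool are visible to both. Aliases only apply to interactive shells;
# spell the flags out in scripts.
# shellcheck disable=SC2139  # expansion at definition time is intended
alias notary="notary -s ${NOTARY_SERVER} -d ~/.docker/trust --tlscacert ${NOTARY_CA}"

# Enable Docker Content Trust and point it at the Harbor Notary server.
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER="$NOTARY_SERVER"

# --- Unsigning --------------------------------------------------------------
# An image signed through Notary cannot be deleted from Harbor until its
# signature is removed. `notary remove` prompts for the Harbor login (admin)
# and password, then for the signing-key passphrase; -p publishes the change
# to the server immediately.
notary remove -p "${REGISTRY}/notary/centos" v4

# If the signature was created by a non-admin user and removal fails, delete
# that user's key locally and redo the removal as the Harbor admin. List the
# keys first and copy the id of the key to drop; the id below is an example
# from the original walkthrough, not a value to reuse.
notary key list
notary key remove 1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1

# Last resort: drop ALL trust data for a repository, locally and (--remote) on
# the server. This is irreversible and unsigns every tag of the repository; the
# repository name here is a placeholder.
notary delete registry.example.com/admin/demo --remote

# Other notary usage: https://docs.docker.com/notary/getting_started/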
三、安装harbor
3.1 配置harbor.yml文件
## Configuration file of Harbor
# Values are unchanged from the walkthrough; NOTE(review) lines flag settings
# to revisit before this instance is reachable from anything but a lab network.

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# NOTE(review): with https enabled below, this value must be covered by a SAN in
# the server certificate (the certificate step puts it in an IP SAN).
hostname: 10.151.11.52

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  # (the plain-text port is still bound; firewall it if only https should be reachable)
  port: 5001

# https related config
https:
  # https port for harbor, default is 443
  port: 5000
  # The path of cert and key files for nginx
  # (the files installed under /data/certs in the certificate step; keep the
  # key readable by root only)
  certificate: /data/certs/10.151.11.52.crt
  private_key: /data/certs/10.151.11.52.key

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
# NOTE(review): Harbor12345 is the publicly documented default; change it at
# first login at the latest.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  # NOTE(review): root123 is the shipped default; set a generated secret here
  # before running install.sh.
  password: root123

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

  # Config http proxy for Clair, e.g. http://my.proxy.com:3128
  # Clair doesn't need to connect to harbor internal components via http proxy.
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

# Log configurations
log:
  # options are debug, info, warn, error
  level: info
  # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
  rotate_count: 50
  # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
  # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
  # are all valid.
  rotate_size: 200M
  # The directory on your host that store log
  location: /var/log/harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.8.0

# Uncomment external_database if using external database. Currently only support POSTGRES.
# Four databases are needed to be create first by users for Harbor core, Clair, Notary server
# and Notary signer. And the tables will be generated automatically when Harbor starting up.
# NOTE: external_database is unable to custom attributes individually, you must do them in block.
# NOTE(review): ssl_mode: disable sends database credentials and data in clear
# text; for a database reached over the network use require or stronger.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# NOTE(review): an empty password means an unauthenticated Redis; set one if
# the server is shared or reachable from other hosts.
# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca
3.2 在解压的harbor目录下,执行安装命令
# Run from the extracted Harbor directory (next to harbor.yml). --with-notary
# also deploys the Notary server/signer that the signing steps below talk to
# on port 4443.
./install.sh --with-notary
出现以下提示,表示安装成功
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://10.151.11.52.
For more details, please visit https://github.com/goharbor/harbor .
# Check the state of the Harbor containers.
# Run these from the Harbor install directory (where install.sh generated
# docker-compose.yml); docker-compose locates the project by that file.
docker-compose ps
# Stop the containers (they are kept, not removed).
docker-compose stop
# Start the containers again, detached from the terminal.
docker-compose up -d
访问页面
https://10.151.11.52:5000 (harbor.yml 中 https.port 设为 5000,所以安装输出里不带端口的地址需要加上 :5000)
使用默认的账号:admin,密码:Harbor12345登录验证;登录成功后立即在 UI 中修改 admin 密码(harbor.yml 中的初始密码只在首次安装时生效,而且是公开的默认值)
登录成功之后,效果如下:
3.3 push签名镜像
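#!/usr/bin/env bash
# Push an image with Docker Content Trust enabled, so it is signed through the
# Harbor Notary server and shows as signed in the Harbor UI.
# Usage: push-signed.sh [image]   (default: the registry's library/centos:latest)
set -euo pipefail

REG_HOST=${REG_HOST:-10.151.11.52}
IMAGE=${1:-"${REG_HOST}:5000/library/centos:latest"}

# Sign on push, and talk to the Harbor-deployed Notary server on port 4443
# instead of the Docker Hub default.
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER="https://${REG_HOST}:4443"

# The push prompts for the signing passphrase(s). The first signed push creates
# the root key under ~/.docker/trust/private; it is needed whenever a new
# repository is initialised, so keep an offline backup of it.
docker push "$IMAGE"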
3.4 删除签名镜像
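# Remove the signature before deleting the image in the Harbor UI (a signed tag
# cannot be deleted directly). You are prompted for the Harbor login (admin)
# and password, then for the signing-key passphrase; -p publishes the change
# to the Notary server immediately.
# The server, trust directory and CA are passed explicitly instead of relying
# on the `notary` alias from section 2.3, which only exists in the shell that
# defined it.
REG_HOST=${REG_HOST:-10.151.11.52}
notary -s "https://${REG_HOST}:4443" -d ~/.docker/trust \
  --tlscacert "/etc/docker/certs.d/${REG_HOST}/ca.crt" \
  remove -p "${REG_HOST}:5000/notary/centos" latest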
#然后在harbor页面删除该镜像
参考链接:
https://github.com/goharbor/harbor
https://docs.docker.com/notary/getting_started/