Harbor as a Docker Image Registry


Reposted from the web

We use Harbor as our Docker image registry.
There are several reasons:

  • Harbor is brought up and maintained with Docker Compose, which is simple and convenient.
  • Nginx is used as the entry gateway, so its configuration parameters are relatively familiar.
  • Configuring HTTPS certificates on Nginx is relatively straightforward.
  • Harbor already supports online cleanup of obsolete image history, which is important.
    ...

In a word: simple enough, convenient enough.

Environment Preparation

Host List

IP Address     Hosts    Disk   Comment
192.168.0.21   harbor   1TB    Docker Image Registry

OS

Then upgrade the kernel to the latest stable version, 4.20.

[root@localhost ~]# uname -sr
Linux 4.20.0-1.el7.elrepo.x86_64
[root@localhost ~]#
[root@localhost ~]#

Installation Steps

Download the Harbor installation package

Harbor offers two installation methods, online and offline. Since the GitHub servers are overseas and many domestic servers sit on an intranet, the download is slow even when the public internet is reachable, so the recommended approach is to download externally and then upload the package to the intranet.
My server's bandwidth is acceptable, so I download directly on the server and extract the archive.

[root@localhost harbor]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
--2019-01-07 15:16:27--  https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.160.112, 2404:6800:4012:1::2010
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.160.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 597857483 (570M) [application/x-tar]
Saving to: ‘harbor-offline-installer-v1.7.1.tgz.1’

100%[====================================================================>] 597,857,483 4.64MB/s   in 5m 23s

2019-01-07 15:21:51 (1.77 MB/s) - ‘harbor-offline-installer-v1.7.1.tgz.1’ saved [597857483/597857483]

[root@localhost harbor]#
[root@localhost harbor]# tar -zxvf harbor-offline-installer-v1.7.1.tgz

Prepare the SSL certificate

Following Docker's recommended security policy, we expose our Docker image registry over HTTPS with TLS certificate verification.

Prepare the certificate directory

[root@localhost harbor]# mkdir -p data/cert
[root@localhost harbor]# cd data/cert
[root@localhost cert]# pwd
/home/harbor/data/cert

Generate the certificates

Generate the root certificate

Generate the CA private key.

[root@localhost cert]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
......................++
..................................++
e is 65537 (0x10001)
[root@localhost cert]#

Generate the self-signed CA certificate from that key.

[root@localhost cert]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=hub.twikle.net" \
> -key ca.key \
> -out ca.crt
[root@localhost cert]#
[root@localhost cert]# ls -al
total 8
drwxr-xr-x 2 root root   44 Jan 7 15:35 .
drwxr-xr-x 3 root root   17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
[root@localhost cert]#

Generate the server certificate

Generate the server private key

[root@localhost cert]# openssl genrsa -out hub.twikle.net.key 4096
Generating RSA private key, 4096 bit long modulus
............................................++
................................................++
e is 65537 (0x10001)
[root@localhost cert]# ls -al
total 12
drwxr-xr-x 2 root root   73 Jan 7 15:40 .
drwxr-xr-x 3 root root   17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
[root@localhost cert]#

Generate the certificate signing request (CSR).

[root@localhost cert]# openssl req -sha512 -new \
> -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=hub.twikle.net" \
> -key hub.twikle.net.key \
> -out hub.twikle.net.csr
[root@localhost cert]#
[root@localhost cert]#
[root@localhost cert]# ls -al
total 16
drwxr-xr-x 2 root root  102 Jan 7 15:43 .
drwxr-xr-x 3 root root   17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root 1712 Jan 7 15:43 hub.twikle.net.csr
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
[root@localhost cert]#

Generate the certificate.

[root@localhost cert]# cat > v3.ext <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=hub.twikle.net
> DNS.2=hub.twikle
> DNS.3=xxx.xxx.xxx.xxx #Note: replace with your own hostname
> EOF
[root@localhost cert]#
[root@localhost cert]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in hub.twikle.net.csr \
> -out hub.twikle.net.crt
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=hub.twikle.net
Getting CA Private Key
[root@localhost cert]# ls -al
total 32
drwxr-xr-x 2 root root 4096 Jan 7 15:49 .
drwxr-xr-x 3 root root   17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root   17 Jan 7 15:49 ca.srl
-rw-r--r-- 1 root root 2114 Jan 7 15:49 hub.twikle.net.crt
-rw-r--r-- 1 root root 1712 Jan 7 15:43 hub.twikle.net.csr
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
-rw-r--r-- 1 root root  270 Jan 7 15:47 v3.ext
[root@localhost cert]#

Adjust the certificate format.

[root@localhost cert]# openssl x509 -inform PEM -in hub.twikle.net.crt -out hub.twikle.net.cert
[root@localhost cert]# ls -al
total 36
drwxr-xr-x 2 root root 4096 Jan 7 15:51 .
drwxr-xr-x 3 root root   17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root   17 Jan 7 15:49 ca.srl
-rw-r--r-- 1 root root 2114 Jan 7 15:51 hub.twikle.net.cert
-rw-r--r-- 1 root root 2114 Jan 7 15:49 hub.twikle.net.crt
-rw-r--r-- 1 root root 1712 Jan 7 15:43 hub.twikle.net.csr
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
-rw-r--r-- 1 root root  270 Jan 7 15:47 v3.ext
[root@localhost cert]#
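The certificate steps above, consolidated into one script. This is an added example, not code from the original post. It assumes a placeholder registry hostname hub.example.internal (REG_HOST), the host IP 192.168.0.21 from the host list (REG_IP), a scratch directory from mktemp (WORK), and gives the CA its own CN instead of reusing the server name. It departs from the v3.ext above in one place: the IP address goes under IP.1 in subjectAltName rather than DNS.3, because an IP written as a DNS name produces no IP SAN at all, which is exactly what the Docker client later rejects as "cannot validate certificate because of not containing any IP SANs". The script ends by verifying the chain against the CA and checking that both SANs are really present.

```shell
#!/bin/sh
# Added example: private CA + server certificate with DNS and IP SANs, then verification.
# REG_HOST, REG_IP and WORK are assumed values, not taken from the original post.
set -eu

REG_HOST="${REG_HOST:-hub.example.internal}"   # placeholder registry hostname
REG_IP="${REG_IP:-192.168.0.21}"               # registry host IP (from the host list)
WORK="${WORK:-$(mktemp -d)}"                   # scratch directory for keys and certs
SUBJ_BASE="/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal"

# Root CA: private key plus a self-signed certificate with its own CN.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "$SUBJ_BASE/CN=example-harbor-ca" \
    -key "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Server key, CSR and CA-signed certificate. The IP is an IP.n entry:
# listing it under DNS.n yields no IP SAN, and Docker then rejects the
# certificate whenever the registry is addressed by IP.
make_server_cert() {
  openssl genrsa -out "$WORK/$REG_HOST.key" 4096 2>/dev/null
  openssl req -sha512 -new -subj "$SUBJ_BASE/CN=$REG_HOST" \
    -key "$WORK/$REG_HOST.key" -out "$WORK/$REG_HOST.csr"
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$REG_HOST
IP.1=$REG_IP
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$WORK/v3.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/$REG_HOST.csr" -out "$WORK/$REG_HOST.crt" 2>/dev/null
}

# Returns 0 when the server cert chains to the CA and carries both SANs;
# 1 = chain verification fails, 2 = IP SAN missing, 3 = DNS SAN missing.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$REG_HOST.crt" >/dev/null 2>&1 || return 1
  san=$(openssl x509 -in "$WORK/$REG_HOST.crt" -noout -text | grep -A1 'Subject Alternative Name')
  echo "$san" | grep -q "IP Address:$REG_IP" || return 2
  echo "$san" | grep -q "DNS:$REG_HOST" || return 3
  return 0
}

make_ca
make_server_cert
verify_cert
echo "certificate OK: $WORK/$REG_HOST.crt (CA: $WORK/ca.crt)"
```

Run it as-is to get a throwaway pair under a temp directory, or set WORK=/home/harbor/data/cert, REG_HOST and REG_IP to produce the files the harbor.cfg below points at; the verify step is the check to repeat after any manual edit to v3.ext.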

Configure the Harbor installation parameters

Edit the relevant installation parameters in harbor.cfg. The file is in the directory extracted in the first step.

[root@localhost harbor]# vi harbor.cfg
......
#set hostname
hostname = hub.twikle.net:8443
#set ui_url_protocol
ui_url_protocol = https
......
#The path of cert and key files for nginx, they are applied, pls use your own crt path here.
ssl_cert = /home/harbor/data/cert/hub.twikle.net.crt
ssl_cert_key = /home/harbor/data/cert/hub.twikle.net.key
......
#Change the admin password from UI after launching Harbor.
harbor_admin_password = xxxxx
......
#Turn on or off the self-registration feature
self_registration = off
......
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = adminonly
......
#######Harbor DB configuration section#######
#The address of the Harbor database. Only need to change when using external db.
db_host = ***.***.***.***
#The password for the root user of Harbor DB. Change this before any production use.
db_password = xxxxxx
#The port of Harbor database host
db_port = 5432
#The user name of Harbor database
db_user = harbor
......

Note: do not change the following setting. This is a Harbor bug; once it is changed, the admin server keeps failing to start.

#The path of secretkey storage
secretkey_path = /data

Error:

adminserver[14789]: 2017-05-04T03:09:55Z [FATAL] [main.go:46]: failed to initialize the system: read /etc/adminserver/key: is a directory 
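A pre-flight check of harbor.cfg against the choices made above, added here as an example; it is not part of the original post. It reads a harbor.cfg (a constructed sample is embedded and used when CFG is not set), confirms the settings the post recommends (HTTPS, self-registration off, project creation restricted to admin, secretkey_path left at /data, cert paths set) and flags the admin password if it is still Harbor's shipped default. The default value Harbor12345 is an assumption about the 1.7 release, not something stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight check of harbor.cfg before running ./prepare.
# The sample harbor.cfg below is constructed for this example; set CFG to check a real file.
set -eu

DEFAULT_ADMIN_PW="Harbor12345"   # assumed: Harbor's shipped default admin password

CFG="${CFG:-$(mktemp)}"
if [ ! -s "$CFG" ]; then
  cat > "$CFG" <<'EOF'
## Constructed sample of the keys edited in this post
#set hostname
hostname = hub.twikle.net:8443
#set ui_url_protocol
ui_url_protocol = https
ssl_cert = /home/harbor/data/cert/hub.twikle.net.crt
ssl_cert_key = /home/harbor/data/cert/hub.twikle.net.key
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345
self_registration = off
project_creation_restriction = adminonly
#The path of secretkey storage
secretkey_path = /data
EOF
fi

# cfg_get FILE KEY: value of the first "KEY = value" line, trimmed ("" if absent)
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_cfg FILE: prints each finding, returns the number of findings (0 = clean)
check_cfg() {
  n=0
  [ "$(cfg_get "$1" ui_url_protocol)" = "https" ] \
    || { echo "ui_url_protocol is not https"; n=$((n+1)); }
  [ "$(cfg_get "$1" self_registration)" = "off" ] \
    || { echo "self_registration is not off (anyone could create an account)"; n=$((n+1)); }
  [ "$(cfg_get "$1" project_creation_restriction)" = "adminonly" ] \
    || { echo "project_creation_restriction is not adminonly"; n=$((n+1)); }
  [ "$(cfg_get "$1" secretkey_path)" = "/data" ] \
    || { echo "secretkey_path was changed; the post reports adminserver then fails to start"; n=$((n+1)); }
  [ "$(cfg_get "$1" harbor_admin_password)" != "$DEFAULT_ADMIN_PW" ] \
    || { echo "harbor_admin_password is still the shipped default"; n=$((n+1)); }
  case "$(cfg_get "$1" hostname)" in
    ""|localhost*|127.*) echo "hostname must be the externally reachable name or IP"; n=$((n+1)) ;;
  esac
  [ -n "$(cfg_get "$1" ssl_cert)" ] && [ -n "$(cfg_get "$1" ssl_cert_key)" ] \
    || { echo "ssl_cert / ssl_cert_key not set"; n=$((n+1)); }
  return $n
}

check_cfg "$CFG" || echo "$? finding(s) in $CFG"
```

Running it on the embedded sample reports one finding (the default admin password); on the post's own harbor.cfg it should report none once the password has been changed.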

Change the default listening ports

Edit the docker-compose file: go into the extracted harbor directory, open docker-compose.yml, and change the port mappings of the nginx service.

......
    ports:
      - 8080:80
      - 8443:443
......

Change the storage path

Still in docker-compose.yml, replace every /data directory with your own directory, or keep the default /data path.

......
    volumes:
      - /home/harbor/harbor/data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
    networks:
......

Run the environment preparation script

Enter the extracted harbor directory.

[root@localhost harbor]# cd harbor/
[root@localhost harbor]# ls -al
total 590240
drwxr-xr-x 3 root root      4096 Jan 8 09:55 .
drwxr-xr-x 4 root root        88 Jan 7 15:26 ..
drwxr-xr-x 3 root root        30 Jan 7 15:23 common
-rw-r--r-- 1 root root       939 Jan 4 19:23 docker-compose.chartmuseum.yml
-rw-r--r-- 1 root root       975 Jan 4 19:23 docker-compose.clair.yml
-rw-r--r-- 1 root root      1434 Jan 4 19:23 docker-compose.notary.yml
-rw-r--r-- 1 root root      5608 Jan 4 19:23 docker-compose.yml
-rw-r--r-- 1 root root      8088 Jan 9 10:53 harbor.cfg
-rw-r--r-- 1 root root 603562385 Jan 4 19:24 harbor.v1.7.1.tar.gz
-rwxr-xr-x 1 root root      5739 Jan 4 19:23 install.sh
-rw-r--r-- 1 root root     11347 Jan 4 19:23 LICENSE
-rw-r--r-- 1 root root    748160 Jan 4 19:23 open_source_license
-rwxr-xr-x 1 root root     36337 Jan 4 19:23 prepare
[root@localhost harbor]# ./prepare
Generated and saved secret to file: /home/harbor/data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@localhost harbor]#
[root@localhost harbor]#

Start Harbor

[root@localhost harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-adminserver ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal ... done
Creating nginx ... done
[root@localhost harbor]#

Open the port on the host firewall

[root@localhost harbor]# firewall-cmd --zone=public --add-port=8443/tcp --permanent
success
[root@localhost harbor]# firewall-cmd --reload
success
[root@localhost harbor]#

Check the installation result

 
[root@localhost ~]# docker login xxx.xxx.xxx:8443
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@localhost ~]#

Error:

x509: cannot validate certificate because of not containing any IP SANs

This happens because the registry is addressed by IP; when a domain name is used as the address, it should not occur.

Solution:

  Reference:

      https://blog.csdn.net/zsd498537806/article/details/79290732

Logs:

Files and directories produced while Harbor is running

Harbor writes its logs to the corresponding directories under /var/log/harbor; docker logs XXX or docker-compose logs XXX will not show the container logs.

$ # Log directory
$ ls /var/log/harbor
adminserver.log  jobservice.log  mysql.log  proxy.log  registry.log  ui.log
$ # Data directory, including the database and the image registry
$ ls /data/
ca_download  config  database  job_logs  registry  secretkey
See harbot11.yaml at https://github.com/opsnull/follow-me-install-kubernetes-cluster/blob/master



Docker: resolving x509: certificate signed by unknown authority

Add the following configuration

# vim /etc/docker/daemon.json
{
  "insecure-registries": ["registry.svc.xxx.cn"]
}

If the machine pulls from its own registry, just copy the crt certificate locally into

/etc/pki/ca-trust/source/anchors/

then run

update-ca-trust

Be sure to restart Docker afterwards, and it will work.
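An alternative to the insecure-registries setting, added here as an example; it is not part of the original post. Listing a registry under insecure-registries tells dockerd to accept it with an untrusted or invalid certificate and even over plain HTTP, so it silences the error by switching the check off. Instead, the CA certificate generated earlier can be placed at /etc/docker/certs.d/<host:port>/ca.crt, which Docker consults for that one registry. The script flags the weak setting if it is present in daemon.json and then installs the CA. REGISTRY, CA_CRT, DAEMON_JSON and CERTS_ROOT are assumptions whose defaults match the paths used on this page and Docker's standard locations.

```shell
#!/bin/sh
# Added example: trust the registry CA per registry instead of marking it insecure.
# REGISTRY, CA_CRT, DAEMON_JSON and CERTS_ROOT are assumed defaults; override as needed.
set -eu

REGISTRY="${REGISTRY:-hub.twikle.net:8443}"              # host:port used on this page
CA_CRT="${CA_CRT:-/home/harbor/data/cert/ca.crt}"       # CA generated earlier
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"    # Docker daemon config
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"          # Docker per-registry trust root

# has_insecure_registry JSON HOST: 0 if HOST appears in "insecure-registries"
has_insecure_registry() {
  [ -f "$1" ] || return 1
  tr -d '\n' < "$1" \
    | grep -o '"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*]' \
    | grep -qF "\"$2\""
}

# install_registry_ca HOST CA: copy CA to CERTS_ROOT/HOST/ca.crt so dockerd
# trusts it for HOST only; returns 0 on success
install_registry_ca() {
  mkdir -p "$CERTS_ROOT/$1"
  cp "$2" "$CERTS_ROOT/$1/ca.crt"
  chmod 0644 "$CERTS_ROOT/$1/ca.crt"
  [ -s "$CERTS_ROOT/$1/ca.crt" ]
}

if has_insecure_registry "$DAEMON_JSON" "$REGISTRY"; then
  echo "WARNING: $REGISTRY is listed in insecure-registries in $DAEMON_JSON;" \
       "certificate errors are ignored for it and plain HTTP is allowed" >&2
fi

if [ -r "$CA_CRT" ]; then
  install_registry_ca "$REGISTRY" "$CA_CRT"
  echo "installed $CA_CRT as $CERTS_ROOT/$REGISTRY/ca.crt"
else
  echo "CA file $CA_CRT not readable; set CA_CRT to the ca.crt generated earlier" >&2
fi
```

The certs.d entry has to use exactly the host:port string that docker login and docker pull are given, so a registry reached by IP needs its own directory named after the IP and port.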

   

 



