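Overview
Setting up a private registry
Introduction to Harbor
Harbor is an open-source Docker container registry made up of the following components:
+ proxy: receives requests from Docker clients and browsers and forwards them to the back-end services
+ registry: the registry itself, which stores the images
+ core services: provide the web UI, database, token authentication, webhooks and similar functions
+ log service
+ database: stores data for the core services
Harbor is produced by VMware and supports the following deployment methods:
- Online installation
- Offline installation
- OVA installation, which can be imported directly in vCenter
Official minimum configuration
- 2 CPUs
- 4 GB of memory
- 40 GB of disk; since it stores images, a larger disk is recommended
Official installation guide
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md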
Software
Software | Version | Description |
---|---|---|
Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
Docker engine | version 17.03.0-ce+ or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
Docker Compose | version 1.18.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
Openssl | latest is preferred | Generate certificate and keys for Harbor |
Network ports
Port | Protocol | Description |
---|---|---|
443 | HTTPS | Harbor portal and core API will accept requests on this port for https protocol |
4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
80 | HTTP | Harbor portal and core API will accept requests on this port for http protocol |
Installing Docker:
https://docs.docker.com/install/linux/docker-ce/centos/
Optional installation method 1: curl -fsSL get.docker.com -o get-docker.sh
- Remove old versions
```
sudo yum remove docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-engine
```
Install the dependency packages
```
sudo yum install -y yum-utils \
    device-mapper-persistent-data \
    lvm2
```
Add the repository
```
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
```
Install and start
```
# Optional: enables the nightly channel; leave this line out to install from the stable repository
sudo yum-config-manager --enable docker-ce-nightly
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
```
Installing docker-compose:
- Install and test docker-compose
Official documentation: https://docs.docker.com/compose/install/
```
# Download the docker-compose executable
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# Make it executable
sudo chmod +x /usr/local/bin/docker-compose
# Symlink it into /usr/bin
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# Check that the installation succeeded
docker-compose --version
```
Installation steps:
- Download the installer:
Download the offline installer package from:
https://github.com/goharbor/harbor/releases
Online installer:
```
$ tar xvf harbor-online-installer-<version>.tgz
```
Offline installer:
```
$ tar xvf harbor-offline-installer-<version>.tgz
```
- Configure harbor.cfg/harbor.yml (newer versions have switched to harbor.yml);
- Edit the configuration: protocol, certificate, administrator password
```
hostname = reg.lvusyy.com
ui_url_protocol = https
ssl_cert = ./ssl/reg.lvusyy.com.crt
ssl_cert_key = ./ssl/reg.lvusyy.com.key
harbor_admin_password = harbor12345
```
- Generate the configuration file
- A free certificate can be obtained from Let's Encrypt (browsers and tools then show no "insecure" warning by default).
For details see: https://github.com/Neilpang/acme.sh/wiki/說明
About the configuration:
- Generate the HTTPS certificate (a manually self-signed certificate, with no trusted root certificate)
Reference: https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
```
# Generate the CA key
openssl genrsa -out ca.key 4096
# Generate ca.crt from the key
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Hangzhou/L=Hangzhou/O=example/OU=Personal/CN=lvusyy.com" \
    -key ca.key \
    -out ca.crt
```
- Create your own Private Key:
```
openssl genrsa -out reg.lvusyy.com.key 4096
```
- Generate a Certificate Signing Request:
```
openssl req -sha512 -new \
    -subj "/C=CN/ST=Hangzhou/L=Hangzhou/O=example/OU=Personal/CN=reg.lvusyy.com" \
    -key reg.lvusyy.com.key \
    -out reg.lvusyy.com.csr

# Write the X.509 v3 extensions file (it carries the subjectAltName entries)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=reg.lvusyy.com
DNS.2=lvusyy
DNS.3=harbor
EOF

# Sign the CSR with the CA
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in reg.lvusyy.com.csr \
    -out reg.lvusyy.com.crt
```
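Before the certificate is referenced from the Harbor configuration, it is worth checking that it chains to ca.crt, carries the registry hostname in subjectAltName and matches the private key. The script below is an added example, not part of the original post or of Harbor; `check_harbor_cert` is a hypothetical helper name and it relies only on the `openssl` CLI.

```bash
#!/usr/bin/env bash
# Added example: pre-deployment checks for a Harbor server certificate.
# check_harbor_cert is a hypothetical helper name, not a Harbor tool.
# Usage: check_harbor_cert <ca.crt> <server.crt> <server.key> <hostname>
check_harbor_cert() {
    local ca="$1" crt="$2" key="$3" host="$4" rc=0

    # 1. The certificate must verify against the CA that clients will trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca" >&2
        rc=1
    fi

    # 2. The hostname must appear as a subjectAltName DNS entry.
    #    Go-based clients such as docker ignore the CN, so a CN-only
    #    certificate is rejected even when the chain is fine.
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fxq "DNS:$host"; then
        echo "FAIL: $host is not in the subjectAltName of $crt" >&2
        rc=1
    fi

    # 3. The private key must belong to the certificate: compare the
    #    public key embedded in the cert with the one derived from the key.
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $crt is usable for https://$host"
    fi
    return "$rc"
}
```

For the files created above, the call is `check_harbor_cert ca.crt reg.lvusyy.com.crt reg.lvusyy.com.key reg.lvusyy.com`.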
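- Load the Docker images
```
sudo docker load < harbor.v1.8.0.tar.gz
```
- Generate the configuration
```
./prepare
```
- Run install.sh to install and start Harbor;
- Start the installation (mind the network)
```
./install.sh
```
Harbor is now installed.
- Mind the network: the registry name has to resolve to the Harbor host, for example with a hosts entry:
```
192.168.1.xx reg.lvusyy.com
```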
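You can import your root certificate so that browsers or wget do not report SSL warnings
```
# update-ca-certificates picks up local CA files (*.crt) from /usr/local/share/ca-certificates;
# files under /usr/share/ca-certificates are only used when listed in /etc/ca-certificates.conf
sudo mkdir -p /usr/local/share/ca-certificates/harbor/
sudo cp /media/makeit/Document/harborCa/ca.crt /usr/local/share/ca-certificates/harbor/
sudo update-ca-certificates
```
That is all it takes.
```
wget -q -O - https://reg.lvusyy.com
```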
What about access with curl?
```
* Rebuilt URL to: https://reg.lvusyy.com/
* Trying 10.1.1.53...
* TCP_NODELAY set
* Connected to reg.lvusyy.com (10.1.1.53) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /home/makeit/anaconda3/ssl/cacert.pem
CApath: none
```
curl uses /home/makeit/anaconda3/ssl/cacert.pem here, so we simply add our CA to that file.
Convert the format from .cer to .pem
```
openssl x509 -inform der -in lvusyy.cer -out lvusyy.pem
```
Append it to the trust list
```
cat lvusyy.pem >> /home/makeit/anaconda3/ssl/cacert.pem
```
Done!
What about Chrome, Firefox and Opera?
Just import the certificate through each browser's own settings dialog.
enjoy!