Harbor is an open-source image registry that protects images with role-based access control; newer versions also add vulnerability scanning of images and signing of images as trusted.
As a CNCF incubating project, Harbor provides compliance, performance and interoperability to help you manage images consistently and securely across cloud-native platforms such as Kubernetes and Docker.
All Harbor components start as Docker containers, so you can deploy it on any Linux distribution that supports Docker.

Hardware requirements

Software requirements

Network ports

Download
https://github.com/goharbor/harbor/releases

Harbor officially offers an online installer (without the component images, relatively small) and an offline installer (with the component images, relatively large).
Because downloads from GitHub are very, very slow, the latest offline package (harbor-offline-installer-v1.10.1.tgz) is provided at the bottom of this post.
Create the HTTPS certificate (optional, depending on your setup)
# Create the certificate directory and set permissions (777 is more permissive than the key needs)
mkdir -p /data/cert && chmod -R 777 /data/cert && cd /data/cert
# Generate the private key; you will be asked to set a passphrase
openssl genrsa -des3 -out harbor.key 2048
# Generate a certificate signing request (CSR) for the key; you will be asked for the passphrase
openssl req -sha512 -new \
-subj "/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=hub.jhmy.com" \
-key harbor.key \
-out harbor.csr
# Back up the key
cp harbor.key harbor.key.org
# Strip the passphrase from the key so Docker/nginx can load it (mutual TLS is also possible; see the official docs)
openssl rsa -in harbor.key.org -out harbor.key
# Self-sign the CSR with the key (valid for 365 days)
openssl x509 -req -days 365 -in harbor.csr -signkey harbor.key -out harbor.crt
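The procedure above produces one self-signed certificate whose subject carries only a CN. Go 1.15 and later, and therefore current Docker and containerd builds, match the server name only against subjectAltName, so a CN-only certificate still fails the x509 check even after it has been added to the client's trust store. The script below is an added example, not code from the original post or from the Harbor project: it builds a small private CA, issues a server certificate with a SAN for the Harbor host, and checks the result. The host name hub.jhmy.com and the subject fields are taken from the -subj line above; the output directory, the CA name and the helper function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): private CA plus a Harbor server
# certificate with subjectAltName, followed by chain and SAN checks.
# Assumptions: host name and subject fields from the post's -subj line; output
# directory defaults to ./harbor-certs (the post uses /data/cert).

make_harbor_certs() {
    host="$1"
    outdir="${2:-./harbor-certs}"
    mkdir -p "$outdir" && chmod 700 "$outdir"

    # 1. Private CA. No passphrase: only ca.crt ever leaves this machine.
    openssl genrsa -out "$outdir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -sha512 -days 3650 \
        -subj "/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=Harbor Root CA" \
        -key "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null

    # 2. Server key and CSR for the Harbor host name.
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null
    openssl req -new -sha512 \
        -subj "/C=CN/ST=JS/L=WX/O=zwx/OU=jhmy/CN=$host" \
        -key "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null

    # 3. x509v3 extensions for the server certificate. Without subjectAltName,
    #    current Docker clients reject the certificate even when the CN matches.
    cat > "$outdir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF

    # 4. Sign the CSR with the CA and lock down the private keys.
    openssl x509 -req -sha512 -days 365 -extfile "$outdir/v3.ext" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -in "$outdir/$host.csr" -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/ca.key" "$outdir/$host.key"
}

# Does certificate $2 chain to CA $1? (exit status only)
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does certificate $1 carry a DNS subjectAltName exactly equal to $2?
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2"'(,|$)'
}

# Usage: make_harbor_certs hub.jhmy.com /data/cert
# then point harbor.yml at /data/cert/hub.jhmy.com.crt and .key, and hand
# /data/cert/ca.crt to the clients (see the client section further down).
```

With this layout the clients trust ca.crt rather than the server certificate itself, so the server certificate can be renewed each year without touching every Docker host again.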
Deployment and installation

- Edit harbor.yml: set hostname, the HTTPS certificate paths and the admin password
- Run install.sh; it accepts optional flags such as --with-notary
Flow: check environment -> load images -> prepare environment -> prepare configs (removing any old version) -> start
[root@hub harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.8
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.23.1
[Step 2]: loading Harbor images ...
Loaded image: goharbor/clair-adapter-photon:v1.0.1-v1.10.1
Loaded image: goharbor/harbor-jobservice:v1.10.1
Loaded image: goharbor/redis-photon:v1.10.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.10.1
Loaded image: goharbor/clair-photon:v2.1.1-v1.10.1
Loaded image: goharbor/harbor-log:v1.10.1
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.10.1
Loaded image: goharbor/chartmuseum-photon:v0.9.0-v1.10.1
Loaded image: goharbor/harbor-registryctl:v1.10.1
Loaded image: goharbor/nginx-photon:v1.10.1
Loaded image: goharbor/harbor-migrator:v1.10.1
Loaded image: goharbor/prepare:v1.10.1
Loaded image: goharbor/harbor-portal:v1.10.1
Loaded image: goharbor/harbor-core:v1.10.1
Loaded image: goharbor/harbor-db:v1.10.1
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/conf.d/notary.upstream.conf
Clearing the configuration file: /config/nginx/conf.d/notary.server.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/notary/server-config.postgres.json
Clearing the configuration file: /config/notary/server_env
Clearing the configuration file: /config/notary/signer_env
Clearing the configuration file: /config/notary/signer-config.postgres.json
Clearing the configuration file: /config/notary/notary-signer.crt
Clearing the configuration file: /config/notary/notary-signer.key
Clearing the configuration file: /config/notary/notary-signer-ca.crt
Clearing the configuration file: /config/notary/root.crt
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
# If Harbor is already installed, the existing instance is removed automatically
Note: stopping existing Harbor instance ...
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing redis ... done
Removing harbor-portal ... done
Removing registry ... done
Removing harbor-db ... done
Removing registryctl ... done
Removing harbor-log ... done
Removing network harbor_harbor
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry ... done
Creating redis ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----

Application configuration
# Configure the registry address (a domain name is recommended). insecure-registries makes Docker skip TLS verification for that host;
# if you created a certificate above, trust it via /etc/docker/certs.d instead (see the client section below)
vim /etc/docker/daemon.json
{
  "insecure-registries": ["serverip"]
}
# Pull a test image
docker pull hello-world
# Re-tag the image for the registry
docker tag hello-world serverip/hello-world:latest
# Log in and push
docker login serverip
docker push serverip/hello-world:latest
Client certificate configuration
1. Open https://<the configured IP or domain> (if nginx's port 443 was mapped to a different port, append that port)
2. # docker login xxxx
If it fails with x509: certificate signed by unknown authority:
the CA certificate created earlier has to be added to Docker's trust store (because it is self-signed):
# mkdir -p /etc/docker/certs.d/serverip
# cp ca.crt /etc/docker/certs.d/serverip/ca.crt
# systemctl restart docker.service
Note:
every client must copy the ca.crt above into the matching Docker directory and then restart Docker. Here ca.crt is simply harbor.crt: cp harbor.crt ca.crt.
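The steps above drop the certificate into /etc/docker/certs.d/serverip. The function below is an added example, not code from the original post or from the Harbor project; it wraps those steps so that a file is checked to be a parseable, unexpired certificate before it is trusted, and so that the directory name uses the exact host:port string Docker looks up when the registry is served on a port other than 443 (point 1 above). DOCKER_CERTS_ROOT and the function name are assumptions of this example; restarting the daemon remains a separate step, as in the post.

```sh
# Added example (not from the original post): install a registry CA certificate
# for the Docker client. Assumption: DOCKER_CERTS_ROOT overrides the default
# /etc/docker/certs.d so the function can be tried without root.

install_registry_ca() {
    registry="$1"   # exactly as used in docker login/pull, e.g. hub.jhmy.com or hub.jhmy.com:8443
    ca_file="$2"    # the post's harbor.crt (self-signed), or a real CA certificate
    root="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

    # Refuse anything that does not parse as a PEM X.509 certificate
    # (a private key, a PKCS#12 bundle, an empty or truncated download).
    if ! openssl x509 -in "$ca_file" -noout >/dev/null 2>&1; then
        echo "refusing $ca_file: not a PEM X.509 certificate" >&2
        return 1
    fi
    # Refuse a certificate that has already expired; Docker would reject it anyway.
    if ! openssl x509 -in "$ca_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "refusing $ca_file: certificate has expired" >&2
        return 1
    fi

    # Docker reads <root>/<registry>/ca.crt, where <registry> is the exact
    # host[:port] string from the image reference, so a non-443 port must be
    # part of the directory name.
    dest="$root/$registry/ca.crt"
    mkdir -p "$root/$registry"
    cp "$ca_file" "$dest"
    chmod 644 "$dest"
    printf '%s\n' "$dest"
}

# Usage (as root), then restart the daemon as the post does:
#   install_registry_ca hub.jhmy.com /data/cert/ca.crt && systemctl restart docker.service
```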
Other notes
- Newer Harbor versions use a PostgreSQL database. If you are upgrading from a very old version that still used MySQL, you have to stop the old service manually,
and back up and then delete the /data/database directory; otherwise the new PostgreSQL instance cannot read the old MySQL data and the installation fails. Converting the data between the two databases is a hassle.


Link: https://pan.baidu.com/s/1IKhBILaocDJkUveG-rXgVQ Extraction code: 7bts
Author: Leozhanggg
Source: https://www.cnblogs.com/leozhanggg/p/12554399.html
The copyright of this article is shared by the author and cnblogs. Reposting is welcome, but without the author's consent this notice must be kept and a clearly visible link to the original must be given on the article page; otherwise the author reserves the right to pursue legal liability.