一、配置https
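# 1. Create a private CA (key + self-signed certificate).
#    ca.key is the trust root for every client that imports ca.crt: keep it
#    readable by root only, and preferably off the registry host once the
#    server certificate has been issued. Add -aes256 to genrsa if you want
#    the CA key passphrase-protected (the signing step in 4 will then prompt).
openssl genrsa -out ca.key 4096
chmod 600 ca.key
# Give the CA its own CN so CA and server certificate do not carry an
# identical subject DN (keeps issuer/subject unambiguous in path building).
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Inspur/OU=Inspur/CN=Harbor Root CA" \
  -key ca.key \
  -out ca.crt

# 2. Private key for the registry host.
openssl genrsa -out 10.151.11.52.key 4096
chmod 600 10.151.11.52.key

# 3. Certificate signing request for the registry host.
openssl req -sha512 -new \
  -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Inspur/OU=Inspur/CN=10.151.11.52" \
  -key 10.151.11.52.key \
  -out 10.151.11.52.csr

# 4. Issue the server certificate. Clients match the SAN, not the CN, so the
#    IP the registry is reached on must appear as an IP entry -- an IP
#    address is not a valid DNS entry, and free text such as "(or yourdomain)"
#    inside the file would break or pollute the SAN. The DNS lines below are
#    placeholders: replace them with the real hostname(s) or delete them.
#    10 years is long for a leaf certificate; some TLS clients cap accepted
#    validity, so shorten -days if browsers on your platform reject it.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=hostname
IP.1=10.151.11.52
EOF
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in 10.151.11.52.csr \
  -out 10.151.11.52.crt
# Sanity check: the issued certificate must chain to ca.crt.
openssl verify -CAfile ca.crt 10.151.11.52.crt

# 5. Docker reads *.crt under certs.d as CA certificates and *.cert as client
#    certificates, so keep a .cert copy of the server certificate for 2.1.
openssl x509 -inform PEM -in 10.151.11.52.crt -out 10.151.11.52.cert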
#證書生成結果
二、配置和安裝harbor和notary
2.1 配置harbor
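# Server certificate and key for Harbor's nginx (paths referenced by
# harbor.yml). The key must not be world-readable.
mkdir -p /data/certs
cp 10.151.11.52.crt /data/certs/
cp 10.151.11.52.key /data/certs/
chmod 600 /data/certs/10.151.11.52.key

# Docker client trust for this registry. Docker treats *.crt in certs.d as
# CA certificates and a *.cert/*.key pair as a client certificate, so the CA
# goes in as ca.crt and the server certificate as the .cert file produced in
# step 5 (copying the .crt here would make Docker treat the leaf as a CA).
# NOTE: the .cert/.key pair is only used for mutual TLS and only belongs on
# the registry host itself; other Docker clients need ca.crt alone -- never
# distribute the server's private key.
mkdir -p /etc/docker/certs.d/10.151.11.52
cp 10.151.11.52.cert 10.151.11.52.key ca.crt /etc/docker/certs.d/10.151.11.52/

# OS trust store (used by curl, notary, etc.). The trust anchor is the CA,
# not the server certificate: the leaf carries basicConstraints=CA:FALSE and
# most TLS stacks will not accept it as the root of a chain.
# (1) Ubuntu / Debian
cp ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
update-ca-certificates
# (2) CentOS / RHEL
cp ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt
update-ca-trust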
2.2 安裝notary
1、從 notary 的 GitHub release 頁面下載 Linux 二進制文件 notary-Linux-amd64（請通過 HTTPS 下載，並核對發布頁給出的校驗值或簽名，如有提供）
https://github.com/theupdateframework/notary/releases/tag/v0.6.1
2、mv notary-Linux-amd64 notary
3、（可選）安裝 go。從 release 頁下載的 notary 是獨立的 Linux 可執行文件，運行時本身不需要 go 環境；只有需要從源碼構建 notary 時才需要安裝 go。若不安裝 go，直接把 notary 放到 /usr/local/bin 等 PATH 目錄下即可。
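# (Optional) Install Go. The notary release binary is self-contained and does
# not need a Go toolchain at runtime; this is only useful if you intend to
# build notary from source. Go 1.14 is no longer a supported release --
# prefer a current version if you do install it.
yum install -y wget
wget https://dl.google.com/go/go1.14.6.linux-amd64.tar.gz
# Verify the download before unpacking: compare the digest with the SHA256
# published on the Go download page for this exact file.
sha256sum go1.14.6.linux-amd64.tar.gz
mkdir -p /usr/local/golang
tar -C /usr/local/golang -xzf go1.14.6.linux-amd64.tar.gz --strip-components 1
# Persist the PATH change system-wide. A bare `export` only affects the
# current shell, and `source /etc/profile` cannot bring back something that
# was never written to a profile file.
echo 'export PATH=$PATH:/usr/local/golang/bin' > /etc/profile.d/golang.sh
source /etc/profile
go version   # expected: go version go1.14.6 linux/amd64

# 4. Put the notary binary on PATH so `notary` works from any shell.
install -m 0755 notary /usr/local/golang/bin/notary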

2.3 配置notary
# Docker Content Trust looks for the notary server's CA under
# ~/.docker/tls/<server:port>/ca.crt.
mkdir -p ~/.docker/tls/10.151.11.52:4443
cp ca.crt ~/.docker/tls/10.151.11.52:4443

# Alias so the server (-s), trust directory (-d) and CA do not have to be
# repeated on every notary call. NOTE: the signing keys notary generates
# live under the -d directory (~/.docker/trust); protect that directory,
# back the root key up offline and do not share the account it lives in.
alias notary="notary -s https://10.151.11.52:4443 -d ~/.docker/trust --tlscacert /etc/docker/certs.d/10.151.11.52/ca.crt"

# Enable signing on push for the current shell (see 3.3).
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://10.151.11.52:4443

# A signed tag cannot be deleted in Harbor until its signature is removed.
# `notary remove` prompts for the Harbor login (admin) and password, then for
# the signing passphrase; -p publishes the removal to the notary server.
notary remove -p 10.151.11.52:5000/notary/centos v4

# If the tag was signed by a newly created user, delete that user's trust
# data first, then remove the signature as Harbor admin.
# List local keys and find the one belonging to that user.
notary key list
# Remove that key (example ID -- substitute the one printed above).
notary key remove 1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1
# Delete ALL trust data for a repository, locally and on the server.
# Destructive: every signature for that repository is gone.
notary delete registry.example.com/admin/demo --remote
# Further usage: https://docs.docker.com/notary/getting_started/
三、安裝harbor
3.1 配置harbor.yml文件
## Configuration file of Harbor

# IP address or hostname that clients use to reach the UI and the registry.
# Do not use localhost / 127.0.0.1: external clients must be able to reach it.
hostname: 10.151.11.52

http:
  # Plain-HTTP listener (Harbor default 80). With https enabled below,
  # requests on this port are redirected to the https port; consider
  # firewalling it anyway so nothing ever starts over clear text.
  port: 5001

https:
  # HTTPS port for Harbor (Harbor default 443).
  port: 5000
  # Server certificate and key used by nginx (generated in section 1).
  certificate: /data/certs/10.151.11.52.crt
  private_key: /data/certs/10.151.11.52.key

# Uncomment external_url when Harbor sits behind a reverse proxy; hostname
# is then no longer used.
# external_url: https://reg.mydomain.com:8433

# Initial admin password, honoured only on the very first install.
# This is the product default and is publicly known: change it from the UI
# immediately after the first login.
harbor_admin_password: Harbor12345

database:
  # Password of the Harbor DB root user. Also a well-known default --
  # set a unique value before any production use.
  password: root123

# Default data volume.
data_volume: /data

# Storage defaults to the local filesystem under /data.
# Uncomment storage_service to use an external backend.
# storage_service:
#   # ca_bundle: path to a custom root CA injected into the truststore of the
#   # registry and chart repository containers; needed when the storage
#   # backend presents a self-signed certificate.
#   ca_bundle:
#   # Backend: filesystem (default), azure, gcs, s3, swift or oss.
#   # See https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # Set disabled to true to turn off registry redirects.
#   redirect:
#     disabled: false

clair:
  # Hours between runs of the Clair vulnerability-DB updaters; 0 disables them.
  updaters_interval: 12
  # Outbound proxy for Clair, e.g. http://my.proxy.com:3128.
  # Clair does not use the proxy to reach Harbor's internal components.
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry

jobservice:
  # Maximum number of job workers.
  max_job_workers: 10

log:
  # debug, info, warn or error
  level: info
  # Rotate log_rotate_count times before removal; 0 removes instead of rotating.
  rotate_count: 50
  # Rotate once a file exceeds this size; k, M and G suffixes are accepted
  # (100, 100k, 100M and 100G are all valid).
  rotate_size: 200M
  # Host directory that receives the log files.
  location: /var/log/harbor

# Used by the migrator to detect the config version. DO NOT MODIFY!
_version: 1.8.0

# External database (PostgreSQL only). Create the four databases -- Harbor
# core, Clair, Notary server, Notary signer -- beforehand; tables are created
# when Harbor starts. The whole block must be set together, entries cannot
# be customised individually.
# NOTE: ssl_mode: disable sends credentials and data to the DB in clear text;
# use require / verify-full when the database runs on another host.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis to use an external Redis server.
# Set a password on it -- an unauthenticated Redis holds session and job
# state for Harbor.
# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is reserved for core and cannot be changed.
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3

# Uncomment uaa to trust the certificate of a UAA instance that uses a
# self-signed certificate.
# uaa:
#   ca_file: /path/to/ca
3.2 在解壓的harbor目錄下,執行安裝命令
# Run from the directory unpacked from the Harbor installer (where harbor.yml
# and prepare live). --with-notary also deploys notary-server / notary-signer
# on port 4443. Clair, although configured in harbor.yml, is only deployed
# when --with-clair is passed as well.
./install.sh --with-notary
出現以下提示,表示安裝成功
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://10.151.11.52.
For more details, please visit https://github.com/goharbor/harbor .
# Inspect the Harbor containers. Run these from the Harbor installation
# directory, where install.sh wrote docker-compose.yml.
docker-compose ps
# Stop every Harbor container.
docker-compose stop
# Bring them back up, detached from the terminal.
docker-compose up -d
訪問頁面
https://10.151.11.52:5000
使用默認的賬號:admin,密碼:Harbor12345登錄驗證。Harbor12345 是公開的出廠默認口令，首次登錄成功後請立即在頁面中修改 admin 密碼。
登錄成功之后,效果如下:
3.3 push簽名鏡像
# Turn on Docker Content Trust for this shell so `docker push` signs the tag
# with notary. DOCKER_CONTENT_TRUST_SERVER must be the notary endpoint whose
# CA was placed under ~/.docker/tls/10.151.11.52:4443 in 2.3.
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://10.151.11.52:4443
# The push prompts for the signing passphrase. On the first push to a
# repository notary creates new keys and asks you to choose passphrases;
# record them -- the root key passphrase in particular is needed to
# initialise trust for further repositories.
# Once the push completes, the tag shows as signed in the Harbor UI.
docker push 10.151.11.52:5000/library/centos:latest
3.4 刪除簽名鏡像
# Removing a signature prompts for the Harbor credentials (admin) and
# password, then for the signing passphrase; -p publishes the removal to
# the notary server. Harbor refuses to delete a tag while it is still signed.
notary remove -p 10.151.11.52:5000/notary/centos latest
# The image can now be deleted from the Harbor UI.
參考鏈接:
https://github.com/goharbor/harbor
https://docs.docker.com/notary/getting_started/