1. Harbor overview
- An open-source project from VMware: https://github.com/vmware/harbor
- Harbor helps users quickly set up an enterprise-grade registry service. It provides a management GUI, role-based access control (RBAC), remote image replication (synchronisation), AD/LDAP integration, audit logging and the other features enterprise users need; it also ships with native Chinese-language support and is popular with Chinese users.
- Since its release the project has gained more than 3300 stars and 900 forks on GitHub.
1.1 Role-based access control
Users and Docker image repositories are organised through "projects"; a user can hold different permissions on several image repositories within the same namespace (project).
1.2 Graphical user interface
Users can browse and search the Docker image repositories and manage projects and namespaces from a browser.
1.3 Audit management
Every operation against the image repositories can be recorded and traced for audit purposes.
1.4 Internationalisation
Localised for English and Chinese; more languages can be added.
1.5 RESTful API
Gives administrators more control over Harbor and makes integration with other management software easier.
1.6 LDAP authentication
1.7 Image replication
Policy-based Docker image replication synchronises images between different data centres and runtime environments, with a friendly management interface that greatly simplifies image management in day-to-day operations.
1.8 Clair integration
Integration with Clair adds vulnerability scanning. Clair is CoreOS's open-source container vulnerability scanner; as containers become widespread, container image security problems grow more serious, and Clair is one of the few open-source security scanners available.
1.9 Notary signing tool
Notary is a signing tool for Docker images. It guarantees the consistency and integrity of an image during pull, push and transfer, preventing man-in-the-middle attacks and stopping illegitimate images from being updated or run.
2. Issuing a domain certificate for Harbor
openssl is currently the most popular SSL cryptographic library and toolkit; it provides a general-purpose, fully featured suite of tools for implementing SSL/TLS.
Official site: https://www.openssl.org/source/
Environment preparation
Hostname | IP | Purpose | Minimum resources | Recommended resources |
---|---|---|---|---|
Harbor-master | 192.168.200.16 | Harbor private image registry | 2 CPU, 4 GB RAM | 4 CPU, 8 GB RAM |
```
[root@Harbor-master ~]# hostname -I
192.168.200.16
[root@Harbor-master ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@Harbor-master ~]# uname -r
3.10.0-957.12.1.el7.x86_64
```
Official documentation: https://github.com/vmware/harbor/blob/master/docs/configure_https.md
```
# Create our own CA certificate
[root@Harbor-master ~]# mkdir -p /data/ssl
[root@Harbor-master ~]# cd /data/ssl/
[root@Harbor-master ssl]# which openssl
/usr/bin/openssl
[root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
......++
.....................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:
```

```
# Generate the certificate signing request
[root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
Generating a 4096 bit RSA private key
...........................................................................................................................................................................................++
............++
writing new private key to 'www.yunjisuan.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

```
# Generate the registry host certificate
[root@Harbor-master ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
Getting CA Private Key
# Inspect the resulting files
[root@Harbor-master ssl]# ll
總用量 24
-rw-r--r-- 1 root root 2049 7月 24 14:43 ca.crt
-rw-r--r-- 1 root root 3272 7月 24 14:43 ca.key
-rw-r--r-- 1 root root   17 7月 24 14:45 ca.srl
-rw-r--r-- 1 root root 1931 7月 24 14:45 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 1716 7月 24 14:45 www.yunjisuan.com.csr
-rw-r--r-- 1 root root 3272 7月 24 14:45 www.yunjisuan.com.key
```
3. Trusting the self-issued domain certificate
Because we issued the CA certificate ourselves, the Linux operating system does not trust it, so we need to add the certificate to the system's trusted certificates.
```
# Add the self-signed CA certificate to the system trust store
[root@Harbor-master ssl]# pwd
/data/ssl
[root@Harbor-master ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
[root@Harbor-master ssl]# ll /etc/pki/ca-trust/source/anchors/
總用量 4
-rw-r--r-- 1 root root 1931 7月 24 14:49 www.yunjisuan.com.crt
# Make the new CA trust settings take effect immediately
[root@Harbor-master ssl]# update-ca-trust enable
[root@Harbor-master ssl]# update-ca-trust extract
```
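The openssl commands in section 2 and the trust step above amount to: issue a CA, sign a server certificate with it, install a trust anchor, and let the TLS client verify the chain. The Go program below is an added example, not part of the original walkthrough and not Harbor's code; it performs the same steps in memory with the standard library and then runs the verification a Docker client performs, once with the CA anchored, once with no anchor installed (the state this section fixes with update-ca-trust), and once for a hostname the certificate was not issued for. Unlike the CN-only request above it also places the hostname in the Subject Alternative Name extension, which is what current TLS clients match against. The country, organisation and 365-day validity come from the page; the P-256 keys and the CA's common name are choices of this example. One caveat on the step above: copying the server certificate www.yunjisuan.com.crt into the anchors directory works because that leaf then becomes a trusted root, but anchoring ca.crt instead is what makes a second certificate issued by the same CA (www2.yunjisuan.com in section 6) trusted without another copy, and that is the arrangement the example checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issued is the in-memory counterpart of ca.crt and www.yunjisuan.com.crt above.
type Issued struct {
	CACert     *x509.Certificate
	ServerCert *x509.Certificate
}

func newTemplate(serial int64, cn string, days int) *x509.Certificate {
	now := time.Now().Add(-time.Minute) // small allowance for clock skew
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"CN"}, Organization: []string{"yunjisuan"}, CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
	}
}

// IssueRegistryCert builds a self-signed CA and signs a server certificate for
// hostname with it. On top of the CN used in the openssl walkthrough, hostname
// also goes into the Subject Alternative Name extension, which is what TLS
// clients such as Docker actually match against.
func IssueRegistryCert(hostname string, days int) (*Issued, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := newTemplate(1, "yunjisuan private CA", days) // CA name is an example choice
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := newTemplate(2, hostname, days)
	srvTmpl.DNSNames = []string{hostname}
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, err
	}
	return &Issued{CACert: caCert, ServerCert: srvCert}, nil
}

// Check does what a Docker client does when it opens a TLS connection to the
// registry: chain the server certificate to a trusted root and confirm it is
// valid for host. trustCA=false models a client with no anchor installed, the
// state that section 3 fixes with update-ca-trust.
func (i *Issued) Check(host string, trustCA bool) error {
	roots := x509.NewCertPool() // non-nil and empty: no fallback to system roots
	if trustCA {
		roots.AddCert(i.CACert)
	}
	_, err := i.ServerCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	iss, err := IssueRegistryCert("www.yunjisuan.com", 365)
	if err != nil {
		panic(err)
	}
	fmt.Println("no anchor installed:", iss.Check("www.yunjisuan.com", false))
	fmt.Println("CA anchored:        ", iss.Check("www.yunjisuan.com", true))
	fmt.Println("wrong hostname:     ", iss.Check("www2.yunjisuan.com", true))
}
```

Run with `go run`: the first and third lines print an error (unknown authority, then a hostname mismatch) and the second prints `<nil>`, which is the outcome `docker login` depends on after `update-ca-trust extract` has installed the anchor.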
4. Harbor 1.4 configuration and installation
4.1 Installing docker-ce (Community Edition)
```
[root@Harbor-master ssl]# sestatus
SELinux status:                 disabled
[root@Harbor-master ssl]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@Harbor-master ssl]# rpm -qa yum-utils device-mapper-persistent-data lvm2
yum-utils-1.1.31-50.el7.noarch
device-mapper-persistent-data-0.7.3-3.el7.x86_64
lvm2-2.02.180-10.el7_6.8.x86_64
```

```
[root@Harbor-master ssl]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2424  100  2424    0     0    112      0  0:00:21  0:00:21 --:--:--   686
[root@Harbor-master ssl]# yum -y install docker-ce
[root@Harbor-master ssl]# systemctl start docker
[root@Harbor-master ssl]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
```

```
[root@Harbor-master ssl]# docker version
Client: Docker Engine - Community
 Version:           19.03.0
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        aeac9490dc
 Built:             Wed Jul 17 18:15:40 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.0
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       aeac9490dc
  Built:            Wed Jul 17 18:14:16 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
```
4.2 Downloading and installing the Harbor private registry
```
# Create Harbor's certificate directory and copy the certificate and key into it
[root@Harbor-master ssl]# mkdir -p /etc/ssl/harbor
[root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
[root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
[root@Harbor-master ssl]# ll /etc/ssl/harbor/
總用量 8
-rw-r--r-- 1 root root 1931 7月 24 15:43 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 3272 7月 24 15:43 www.yunjisuan.com.key
```

```
# Create a download directory and fetch harbor-offline-installer-v1.5.0.tgz
[root@Harbor-master ~]# mkdir -p /data/install
[root@Harbor-master ~]# cd /data/install/
[root@Harbor-master install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# ls
harbor-offline-installer-v1.5.0.tgz
```

```
[root@Harbor install]# tar xf harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# ls
harbor  harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# cd harbor
[root@Harbor harbor]# ll
總用量 854960
drwxr-xr-x 3 root root        23 7月 16 22:29 common                     # template directory
-rw-r--r-- 1 root root      1185 5月  2 23:34 docker-compose.clair.yml
-rw-r--r-- 1 root root      1725 5月  2 23:34 docker-compose.notary.yml
-rw-r--r-- 1 root root      3596 5月  2 23:34 docker-compose.yml
drwxr-xr-x 3 root root       156 5月  2 23:34 ha                         # Harbor high-availability configuration
-rw-r--r-- 1 root root      6687 5月  2 23:34 harbor.cfg                 # Harbor configuration file
-rw-r--r-- 1 root root 875401338 5月  2 23:36 harbor.v1.5.0.tar.gz
-rwxr-xr-x 1 root root      5773 5月  2 23:34 install.sh
-rw-r--r-- 1 root root     10771 5月  2 23:34 LICENSE
-rw-r--r-- 1 root root       482 5月  2 23:34 NOTICE
-rwxr-xr-x 1 root root     27379 5月  2 23:34 prepare
```

```
[root@Harbor harbor]# cp harbor.cfg{,.bak}
# Edit the harbor.cfg configuration file
[root@Harbor harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p'
     7  hostname = reg.mydomain.com               # change to the domain name on our certificate
    11  ui_url_protocol = http                    # switch to the encrypted https protocol
    23  ssl_cert = /data/cert/server.crt          # certificate location
    24  ssl_cert_key = /data/cert/server.key      # certificate key location
    68  harbor_admin_password = Harbor12345       # default administrator password
# Change it to the following
[root@Harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
     7  hostname = www.yunjisuan.com
    11  ui_url_protocol = https
    23  ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
    24  ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
    68  harbor_admin_password = Harbor12345
```

```
# Install the docker-compose command (version 1.21 is required)
[root@Harbor-master harbor]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   617    0   617    0     0    519      0 --:--:--  0:00:01 --:--:--   519
100 10.3M  100 10.3M    0     0   354k      0  0:00:29  0:00:29 --:--:--  494k
[root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
-rw-r--r-- 1 root root 10858808 7月 24 17:30 /usr/local/bin/docker-compose
[root@Harbor-master harbor]# chmod +x /usr/local/bin/docker-compose
[root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
-rwxr-xr-x 1 root root 10858808 7月 24 17:30 /usr/local/bin/docker-compose
[root@Harbor-master harbor]# which docker-compose
/usr/local/bin/docker-compose
[root@Harbor-master harbor]# docker-compose --version
docker-compose version 1.21.2, build a133471
```

```
# Install the Harbor private image registry
# --with-notary enables image signing; --with-clair enables vulnerability scanning
[root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
# List the containers Harbor started
[root@Harbor-master harbor]# docker ps -a
CONTAINER ID   IMAGE                                       COMMAND                  CREATED          STATUS                             PORTS                                                              NAMES
3b0f60eb2260   vmware/harbor-jobservice:v1.5.0             "/harbor/start.sh"       23 seconds ago   Up 15 seconds                                                                                         harbor-jobservice
005954f3ec5c   vmware/nginx-photon:v1.5.0                  "nginx -g 'daemon of…"   23 seconds ago   Up 21 seconds (health: starting)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
e5a4e4d0cf56   vmware/notary-server-photon:v0.5.1-v1.5.0   "/bin/server-start.sh"   23 seconds ago   Up 21 seconds                                                                                         notary-server
0ece0afef7a6   vmware/notary-signer-photon:v0.5.1-v1.5.0   "/bin/signer-start.sh"   24 seconds ago   Up 22 seconds                                                                                         notary-signer
b7549c31328b   vmware/clair-photon:v2.0.1-v1.5.0           "/docker-entrypoint.…"   24 seconds ago   Up 18 seconds (health: starting)   6060-6061/tcp                                                      clair
1e6d6bb0bbdf   vmware/harbor-ui:v1.5.0                     "/harbor/start.sh"       24 seconds ago   Up 22 seconds (health: starting)                                                                      harbor-ui
e0fe40b6804a   vmware/mariadb-photon:v1.5.0                "/usr/local/bin/dock…"   25 seconds ago   Up 23 seconds                      3306/tcp                                                           notary-db
30331b6c8918   vmware/postgresql-photon:v1.5.0             "/entrypoint.sh post…"   25 seconds ago   Up 23 seconds (health: starting)   5432/tcp                                                           clair-db
24e4856ac9a3   vmware/harbor-adminserver:v1.5.0            "/harbor/start.sh"       25 seconds ago   Up 23 seconds (health: starting)                                                                      harbor-adminserver
0901a7fa027c   vmware/harbor-db:v1.5.0                     "/usr/local/bin/dock…"   25 seconds ago   Up 23 seconds (health: starting)   3306/tcp                                                           harbor-db
1cea792c4656   vmware/redis-photon:v1.5.0                  "docker-entrypoint.s…"   25 seconds ago   Up 24 seconds                      6379/tcp                                                           redis
7ea870371dcc   vmware/registry-photon:v2.6.2-v1.5.0        "/entrypoint.sh serv…"   25 seconds ago   Up 23 seconds (health: starting)   5000/tcp                                                           registry
cceb28b45a0d   vmware/harbor-log:v1.5.0                    "/bin/sh -c /usr/loc…"   25 seconds ago   Up 24 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log
```
Test access from a browser: https://192.168.200.16
Project creation: set to administrators only (in a company, registered users are not allowed to create projects at will), and do not allow self-registration.
5. Image management and security: vulnerability scanning and image signing
5.1 Adding a Chinese public Docker registry mirror
```
[root@Harbor-master harbor]# cat /etc/docker/daemon.json
{
  "registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@Harbor-master harbor]# systemctl daemon-reload
[root@Harbor-master harbor]# systemctl restart docker
```
5.2 Restarting the Harbor private registry
```
# Make Harbor's modified configuration take effect immediately
[root@Harbor-master harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
## ... further lines omitted
```

```
# Remove all Harbor container processes
[root@Harbor-master harbor]# docker-compose down
Stopping harbor-jobservice  ... done
Stopping nginx              ... done
Stopping harbor-ui          ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping redis              ... done
Stopping registry           ... done
Stopping harbor-log         ... done
WARNING: Found orphan containers (notary-server, notary-signer, clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Removing harbor-jobservice  ... done
Removing nginx              ... done
Removing harbor-ui          ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing redis              ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor
# Start all Harbor container processes in the background
[root@Harbor-master harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
WARNING: Found orphan containers (clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Creating harbor-log ... done
Creating redis      ... done
Creating registry   ... done
Creating harbor-db  ... done
Creating harbor-adminserver ... done
Creating harbor-ui  ... done
Creating nginx      ... done
Creating harbor-jobservice ... done
```
5.3 Pulling a public image and pushing it to Harbor
```
# Pull the public image centos:7 onto the Harbor host
[root@Harbor-master install]# docker pull centos:7
# Map the private registry's domain name locally
[root@Harbor-master harbor]# tail -1 /etc/hosts
192.168.200.16 www.yunjisuan.com
# Retag centos:7 for the private registry
[root@Harbor-master install]# docker tag centos:7 www.yunjisuan.com/library/centos:7
[root@Harbor-master install]# docker images | grep centos
centos                             7    9f38484d220f   4 months ago   202MB
www.yunjisuan.com/library/centos   7    9f38484d220f   4 months ago   202MB
```

```
# Log in to the Harbor private registry and push the image
[root@Harbor-master install]# docker login www.yunjisuan.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@Harbor-master install]# docker push www.yunjisuan.com/library/centos:7
The push refers to repository [www.yunjisuan.com/library/centos]
d69483a6face: Pushed
7: digest: sha256:ca58fe458b8d94bc6e3072f1cfbd334855858e05e1fd633aa07cf7f82b048e66 size: 529
```

```
# Re-enable vulnerability scanning
[root@Harbor-master install]# cd /data/install/harbor
[root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
```
5.4 Log in from the browser to check the upload result and scan for vulnerabilities
5.5 Setting the registry security level
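Harbor applies this security level from the project's configuration: with "prevent vulnerable images from running" enabled, a pull is refused when the scan found a vulnerability at or above the chosen severity (the same option section 6 notes can interfere with replication). The Go program below is an added example, not Harbor's own code, that applies the same policy to a scan report outside Harbor, for instance in a CI job that reads a tag's vulnerability list from the Harbor REST API before deploying. The report layout (a JSON array of findings with id, package, version, fixedVersion and severity fields, severities named as Clair names them) is an assumption of this example, and the sample findings with placeholder CVE ids are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Vulnerability is one scan finding. The field layout is assumed for this
// example; it is not copied from Harbor's API definitions.
type Vulnerability struct {
	ID           string `json:"id"`
	Package      string `json:"package"`
	Version      string `json:"version"`
	FixedVersion string `json:"fixedVersion"`
	Severity     string `json:"severity"`
}

// severityRank orders Clair's severity names so a threshold can be compared.
var severityRank = map[string]int{
	"unknown": 0, "negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5, "defcon1": 6,
}

// Decision is the outcome of applying the "prevent vulnerable images" policy.
type Decision struct {
	Allowed  bool
	Highest  string          // most severe recognised finding, "" when there is none
	Blocking []Vulnerability // findings at or above the threshold, worst first
	Unrated  []string        // ids whose severity is not a recognised name
}

// Gate blocks when any finding is at or above threshold. An unrecognised
// threshold is an error rather than a silent allow, and findings with a
// severity the policy does not know are reported separately so they are
// not lost.
func Gate(report []byte, threshold string) (Decision, error) {
	limit, ok := severityRank[strings.ToLower(threshold)]
	if !ok {
		return Decision{}, fmt.Errorf("unknown severity threshold %q", threshold)
	}
	var vulns []Vulnerability
	if err := json.Unmarshal(report, &vulns); err != nil {
		return Decision{}, fmt.Errorf("unreadable scan report: %w", err)
	}
	d := Decision{}
	highest := -1
	for _, v := range vulns {
		r, known := severityRank[strings.ToLower(v.Severity)]
		if !known {
			d.Unrated = append(d.Unrated, v.ID)
			continue
		}
		if r > highest {
			highest, d.Highest = r, v.Severity
		}
		if r >= limit {
			d.Blocking = append(d.Blocking, v)
		}
	}
	sort.SliceStable(d.Blocking, func(i, j int) bool {
		return severityRank[strings.ToLower(d.Blocking[i].Severity)] >
			severityRank[strings.ToLower(d.Blocking[j].Severity)]
	})
	d.Allowed = len(d.Blocking) == 0
	return d, nil
}

// sampleReport is a constructed scan result; the CVE ids are placeholders.
const sampleReport = `[
  {"id":"CVE-EXAMPLE-0001","package":"openssl","version":"1.0.2k","fixedVersion":"1.0.2p","severity":"High"},
  {"id":"CVE-EXAMPLE-0002","package":"bash","version":"4.2","fixedVersion":"","severity":"Medium"},
  {"id":"CVE-EXAMPLE-0003","package":"glibc","version":"2.17","fixedVersion":"2.17-260","severity":"Critical"},
  {"id":"CVE-EXAMPLE-0004","package":"curl","version":"7.29","fixedVersion":"","severity":"Pending"}
]`

func main() {
	for _, th := range []string{"Low", "High", "Critical"} {
		d, err := Gate([]byte(sampleReport), th)
		if err != nil {
			panic(err)
		}
		fmt.Printf("threshold=%-8s allowed=%-5v highest=%-8s blocking=%d unrated=%v\n",
			th, d.Allowed, d.Highest, len(d.Blocking), d.Unrated)
		for _, v := range d.Blocking {
			fmt.Printf("  %-8s %s %s %s (fixed in %q)\n", v.Severity, v.ID, v.Package, v.Version, v.FixedVersion)
		}
	}
}
```

The ordering of the blocking list puts the worst finding first, which is what an operator reading a refused pull wants to see; an empty FixedVersion is shown as such because a finding with no fix available is the case where the threshold, not a rebuild, decides whether the image ships.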
5.6 Distributing the domain certificate to Docker clients
Hostname | IP | Purpose | Minimum resources | Recommended resources |
---|---|---|---|---|
Docker-client | 192.168.200.17 | Docker client | | |
Harbor-master | 192.168.200.16 | Harbor private image registry | 2 CPU, 4 GB RAM | 4 CPU, 8 GB RAM |
```
# Map the Harbor private registry's domain name
[root@Docker-client ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@Docker-client ~]# uname -r
3.10.0-957.12.1.el7.x86_64
[root@Docker-client ~]# hostname -I
192.168.200.17
[root@Docker-client ~]# tail -1 /etc/hosts
192.168.200.16 www.yunjisuan.com
```

```
# Install docker-ce (Community Edition)
[root@Docker-client ~]# sestatus
SELinux status:                 disabled
[root@Docker-client ~]# systemctl stop firewalld
[root@Docker-client ~]# systemctl disable firewalld
[root@Docker-client ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@Docker-client ~]# rpm -qa yum-utils device-mapper-persistent-data lvm2
yum-utils-1.1.31-50.el7.noarch
device-mapper-persistent-data-0.7.3-3.el7.x86_64
lvm2-2.02.180-10.el7_6.8.x86_64
```

```
[root@Docker-client ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2424  100  2424    0     0   3925      0 --:--:-- --:--:-- --:--:--  3922
[root@Docker-client ~]# yum -y install docker-ce
[root@Docker-client ~]# systemctl start docker
[root@Docker-client ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@Docker-client ~]# docker version
Client: Docker Engine - Community
 Version:           19.03.0
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        aeac9490dc
 Built:             Wed Jul 17 18:15:40 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.0
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       aeac9490dc
  Built:            Wed Jul 17 18:14:16 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
```

```
# Configure the Chinese public registry mirror
[root@Docker-client ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@Docker-client ~]# systemctl daemon-reload
[root@Docker-client ~]# systemctl restart docker
```

```
# Pull the public mongo image
[root@Docker-client ~]# docker pull mongo
Using default tag: latest
latest: Pulling from library/mongo
f7277927d38a: Pull complete
8d3eac894db4: Pull complete
edf72af6d627: Pull complete
3e4f86211d23: Pull complete
5747135f14d2: Pull complete
f56f2c3793f6: Pull complete
f8b941527f3a: Pull complete
4000e5ef59f4: Pull complete
ad518e2379cf: Pull complete
919225fc3685: Pull complete
45ff8d51e53a: Pull complete
4d3342ddfd7b: Pull complete
26002f176fca: Pull complete
Digest: sha256:7df93c5e2d140beabc39ef225da618df28cc916a5f5f295a41858accc0f46a0b
Status: Downloaded newer image for mongo:latest
docker.io/library/mongo:latest
[root@Docker-client ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
mongo        latest   9c02a5a12c52   18 hours ago   413MB
```

```
# Distribute the domain certificate to the Docker client (run on the Harbor host)
# Copy Harbor's self-issued certificate www.yunjisuan.com.crt to the matching directory on the Docker client
[root@Harbor-master install]# cd /data/ssl/
[root@Harbor-master ssl]# scp www.yunjisuan.com.crt 192.168.200.17:/etc/pki/ca-trust/source/anchors/
root@192.168.200.17's password:
www.yunjisuan.com.crt                         100% 1931     1.6MB/s   00:00
```

```
# On the Docker client, make the certificate take effect immediately
[root@Docker-client ~]# update-ca-trust enable
[root@Docker-client ~]# update-ca-trust extract
# After installing the certificate the Docker service on the client must be restarted
[root@Docker-client ~]# systemctl restart docker
```

```
# Log in to the Harbor registry from the Docker client to verify
[root@Docker-client ~]# cd /etc/pki/ca-trust/source/anchors/
[root@Docker-client anchors]# ll
總用量 4
-rw-r--r-- 1 root root 1931 7月 24 19:56 www.yunjisuan.com.crt
[root@Docker-client anchors]# docker login www.yunjisuan.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

```
# Retag the image and push it to the Harbor private registry
[root@Docker-client anchors]# docker tag mongo:latest www.yunjisuan.com/library/mongo
[root@Docker-client anchors]# docker images
REPOSITORY                        TAG      IMAGE ID       CREATED        SIZE
mongo                             latest   9c02a5a12c52   18 hours ago   413MB
www.yunjisuan.com/library/mongo   latest   9c02a5a12c52   18 hours ago   413MB
[root@Docker-client anchors]# docker push www.yunjisuan.com/library/mongo
The push refers to repository [www.yunjisuan.com/library/mongo]
3ea1af4d89d2: Pushed
d1badfd80c45: Pushed
be68547708c3: Pushed
26c9058be51d: Pushed
689158adef1e: Pushed
2ee7e1a20686: Pushed
6a272ecc48d7: Pushed
4ad102c46894: Pushed
b03801a3ccd1: Pushed
e79142719515: Pushed
aeda103e78c9: Pushed
2558e637fbff: Pushed
f749b9b0fb21: Pushed
latest: digest: sha256:7328ced1dd646dd65a20dbf3ae430835ce75ad6cdbfe59c83185ddb719dd5913 size: 3030
```
Log in to Harbor from the browser to check: https://192.168.200.16
Screenshot of an image with vulnerabilities:
5.7 FAQ
The latest Windows 10 rejects domain certificates that are not from a recognised CA by default
If Harbor is started with an https certificate, the browser on the latest Windows 10 will by default report "site not secure, connection refused". In that case we can start Harbor without https:
```
[root@harbor-master ~]# sed -n '11p' /data/install/harbor/harbor.cfg
ui_url_protocol = http
```
But if we start Harbor without https, the latest Docker cannot log in, because new Docker versions log in to Harbor over https by default:
```
[root@Harbor-Slave docker]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://www.yunjisuan.com/v2/: dial tcp 192.168.200.74:443: connect: connection refused
```
To fix the login problem, create a file named daemon.json under /etc/docker/ and add the Harbor domain that is to be accessed over http:
```
[root@Harbor-Slave docker]# cat /etc/docker/daemon.json
{
  "insecure-registries":[ "www.yunjisuan.com" ]
}
[root@Harbor-Slave docker]# systemctl restart docker   # restart required
# Then log in to Harbor again
[root@harbor-slave harbor]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded   # login succeeded
```
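Listing a host under insecure-registries makes the Docker daemon accept that registry over plain HTTP and skip certificate verification if it does offer HTTPS, so this FAQ workaround gives up the protection that the certificate work in sections 2 and 3 provides in exchange for a working login. The Go program below is an added example, not from this page or from Docker, that reads a daemon.json and reports such settings, checking the FAQ's configuration beside the arrangement used earlier on the page (CA anchored with update-ca-trust, https in harbor.cfg), where no insecure-registries entry is needed. Both daemon.json documents are constructed for the example; the mirror URL is the one used on the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DaemonConfig covers the daemon.json keys this page touches.
type DaemonConfig struct {
	RegistryMirrors    []string `json:"registry-mirrors"`
	InsecureRegistries []string `json:"insecure-registries"`
}

// Finding is one setting that weakens registry transport security.
type Finding struct {
	Key, Value, Problem string
}

// AuditDaemonJSON parses a daemon.json and flags settings that remove TLS
// protection from registry traffic. For a host in insecure-registries the
// daemon ignores certificate errors and falls back to plain HTTP, so pushes
// and pulls to it can be read or altered on the network.
func AuditDaemonJSON(raw []byte) ([]Finding, error) {
	var cfg DaemonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("daemon.json is not valid JSON: %w", err)
	}
	var out []Finding
	for _, reg := range cfg.InsecureRegistries {
		out = append(out, Finding{"insecure-registries", reg,
			"certificate verification disabled and plain-HTTP fallback allowed"})
	}
	for _, m := range cfg.RegistryMirrors {
		if !strings.HasPrefix(strings.ToLower(m), "https://") {
			out = append(out, Finding{"registry-mirrors", m, "mirror is not an https:// URL"})
		}
	}
	return out, nil
}

// Constructed configurations: the FAQ workaround above, and the arrangement
// used earlier on this page where the CA is anchored instead.
const weakDaemonJSON = `{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["www.yunjisuan.com"]
}`

const hardenedDaemonJSON = `{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}`

func main() {
	for _, c := range []struct{ name, body string }{{"weak", weakDaemonJSON}, {"hardened", hardenedDaemonJSON}} {
		findings, err := AuditDaemonJSON([]byte(c.body))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s = %q: %s\n", f.Key, f.Value, f.Problem)
		}
	}
}
```

Pointing the check at every Docker host's /etc/docker/daemon.json (for example from configuration management) turns the FAQ's one-off workaround into something that is noticed when it lingers after the https configuration has been restored.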
6. Harbor image replication and synchronisation
Master/slave replication between Harbor private registries is similar to MySQL replication: one master replicates to many slaves.
Hostname | IP | Purpose | Minimum resources | Recommended resources |
---|---|---|---|---|
Docker-client | 192.168.200.17 | Docker client | | |
Harbor-master | 192.168.200.16 | Harbor private image registry | 2 CPU, 4 GB RAM | 4 CPU, 8 GB RAM |
Harbor-slave | 192.168.200.18 | Harbor private image registry | 2 CPU, 4 GB RAM | 4 CPU, 8 GB RAM |
6.1 Deploying Harbor-Slave
Install another Harbor private registry as the Harbor slave, with the domain name www2.yunjisuan.com.
Add the domain mappings on Harbor-Master and Harbor-Slave:
```
# Master Harbor
[root@Harbor-master ~]# tail -2 /etc/hosts
192.168.200.16 www.yunjisuan.com
192.168.200.18 www2.yunjisuan.com
# Slave Harbor
[root@Harbor-slave ~]# tail -2 /etc/hosts
192.168.200.16 www.yunjisuan.com
192.168.200.18 www2.yunjisuan.com
```
Special note: Harbor containers installed in offline mode resolve domain names through the local DNS server (LDNS) by default; they do not consult the local hosts file.
Because we made up the domain name ourselves, we need to build an LDNS server for internal name resolution.
6.2 Building the LDNS domain name server
Hostname | IP | Purpose | Minimum resources | Recommended resources |
---|---|---|---|---|
Docker-client | 192.168.200.17 | Docker client | | |
Harbor-master | 192.168.200.16 | Harbor private image registry | 2 CPU, 4 GB RAM | 4 CPU, 8 GB RAM |
Harbor-slave | 192.168.200.18 | Harbor private image registry | 2 CPU, 4 GB RAM | 4 CPU, 8 GB RAM |
LDNS | 192.168.200.19 | Local DNS | | |
```
[root@LDNS ~]# yum -y install bind bind-chroot bind-utils
[root@LDNS ~]# rpm -qa bind bind-chroot bind-utils
bind-chroot-9.9.4-74.el7_6.1.x86_64
bind-9.9.4-74.el7_6.1.x86_64
bind-utils-9.9.4-74.el7_6.1.x86_64
```

```
[root@LDNS ~]# cd /etc/
[root@LDNS etc]# cp named.conf{,.bak}
# Change the configuration file to the following:
[root@LDNS etc]# cat named.conf
options {
        listen-on port 53 { 192.168.200.19; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        forwarders      { 192.168.200.2; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "yunjisuan.com" IN {
        type master;
        file "yunjisuan.com.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# Check the configuration file for errors
[root@LDNS etc]# named-checkconf /etc/named.conf
```

```
# Create the forward zone file
[root@LDNS etc]# cd /var/named
[root@LDNS named]# ls
chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@LDNS named]# cp -p named.empty yunjisuan.com.zone
[root@LDNS named]# vim yunjisuan.com.zone
[root@LDNS named]# cat yunjisuan.com.zone
$TTL 1D
@       IN SOA  yunjisuan.com. root.ns1.yunjisuan.com. (
                                        20190725   ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        NS      ns1.yunjisuan.com.
ns1     A       192.168.200.19
www     A       192.168.200.16
www2    A       192.168.200.18
# Check the forward zone file for errors
[root@LDNS named]# named-checkzone yunjisuan.com yunjisuan.com.zone
zone yunjisuan.com/IN: loaded serial 20190725
OK
```

```
# Start the name service
[root@LDNS named]# systemctl start named
[root@LDNS named]# ss -antup | grep named
udp   UNCONN 0   0     192.168.200.19:53   *:*    users:(("named",pid=7085,fd=512))
tcp   LISTEN 0   10    192.168.200.19:53   *:*    users:(("named",pid=7085,fd=21))
tcp   LISTEN 0   128   127.0.0.1:953       *:*    users:(("named",pid=7085,fd=22))
tcp   LISTEN 0   128   ::1:953             :::*   users:(("named",pid=7085,fd=23))
```

```
# Point the local resolver at this server and test resolution
[root@LDNS named]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 192.168.200.19
[root@LDNS named]# nslookup www.baidu.com
Server:         192.168.200.19
Address:        192.168.200.19#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121
[root@LDNS named]# nslookup www.yunjisuan.com
Server:         192.168.200.19
Address:        192.168.200.19#53

Name:   www.yunjisuan.com
Address: 192.168.200.16
[root@LDNS named]# nslookup www2.yunjisuan.com
Server:         192.168.200.19
Address:        192.168.200.19#53

Name:   www2.yunjisuan.com
Address: 192.168.200.18
```
6.3 Building Harbor master/slave synchronisation
Note: if Harbor is not bound to a registered public domain name, you must build your own local LDNS.
```
# Change the DNS server on Harbor-master to the locally built LDNS
[root@Harbor-master harbor]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 192.168.200.19
[root@Harbor-master harbor]# nslookup www2.yunjisuan.com
Server:         192.168.200.19
Address:        192.168.200.19#53

Name:   www2.yunjisuan.com
Address: 192.168.200.18
```
At this point Harbor master/slave replication is fully set up.
Note: ticking the "prevent potentially vulnerable images" option affects Harbor master/slave replication.
Special note: if the Harbor host is a VMware virtual machine that has been paused and resumed, a Harbor registry that was reachable before may well be unreachable afterwards. In that case restart the docker daemon and then the Harbor containers.