Install Docker
yum -y install yum-utils
yum-config-manager --add-repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
systemctl enable docker
systemctl start docker
systemctl status docker
$ docker --version
Docker version 20.10.11, build dea9396
Install docker-compose
Install pip first. Normally yum install python-pip would do, but the default CentOS 7.9 repositories only ship python3-pip, so here pip is installed from the upstream get-pip script.
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip2.py
python get-pip2.py
pip install docker-compose
$ docker-compose --version
docker-compose version 1.26.2, build unknown
Download the Harbor installer package
Download address: https://github.com/goharbor/harbor/releases
There are two installation methods, online and offline; here we download the 2.3.4 offline package.
tar zxvf harbor-offline-installer-v2.3.4.tgz
Install Harbor
HTTP mode
Modify the configuration
$ cd harbor
$ ls
common.sh harbor.v2.3.4.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
$ cp harbor.yml.tmpl harbor.yml
# edit the configuration file
$ vi harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: hub.leffss.com # change to the local domain name or the IP address this host listens on
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config # comment out the https-related configuration
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
# # set enabled to true means internal tls is enabled
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
...
...
...
- harbor_admin_password: initial administrator password
- data_volume: data storage directory
Install and start
$ ./install.sh
...
...
...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating registry ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Stopping and starting Harbor
$ cd harbor
$ docker-compose stop # stop
$ docker-compose start # start (the first time you must use up -d)
$ docker-compose down # stop and remove the containers (use with care)
$ docker-compose up -d # create and start
Access Harbor
Access via the IP address or the domain name (the domain name requires a local hosts entry).
Default account/password: admin Harbor12345
Configure the Docker host
Edit the Docker host's configuration file so that Docker accepts Harbor as an insecure (plain-HTTP) registry.
vi /etc/docker/daemon.json
{"insecure-registries":["10.10.10.21:80"]}
or
{"insecure-registries":["hub.leffss.com:80"]}
Restart Docker
systemctl restart docker
HTTPS mode
By default, Harbor does not ship with certificates. Harbor can be deployed without security so that you can connect to it over HTTP. However, HTTP should only be used in an air-gapped test or development environment with no external network connection. Using HTTP in a non-air-gapped environment exposes you to man-in-the-middle attacks. In production, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.
To configure HTTPS, you must create SSL certificates. You can use a certificate signed by a trusted third-party CA, or a self-signed certificate.
Generate a Certificate Authority certificate
In production you should obtain a certificate from a CA. In a test or development environment you can generate your own CA. To generate a CA certificate, run the following commands.
Generate the CA certificate private key
cd ~
mkdir certs
cd certs
openssl genrsa -out ca.key 4096
Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=hub.leffss.com" \
-key ca.key \
-out ca.crt
- For IP access, change hub.leffss.com to the IP address
Generate the server certificate
A certificate usually consists of a .crt file and a .key file.
Generate the private key
openssl genrsa -out hub.leffss.com.key 4096
Generate a certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=hub.leffss.com" \
-key hub.leffss.com.key \
-out hub.leffss.com.csr
- For IP access, change hub.leffss.com to the IP address
Generate an x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=hub.leffss.com
DNS.2=hub.leffss.com
DNS.3=hub.leffss.com
EOF
- For IP access
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:10.10.10.21
EOF
Use the v3.ext file to generate a certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in hub.leffss.com.csr \
-out hub.leffss.com.crt
- For IP access, change hub.leffss.com to the IP address
Configure Harbor
mkdir -p /data/certs
cp hub.leffss.com.crt /data/certs
cp hub.leffss.com.key /data/certs
$ cd harbor
$ ls
common.sh harbor.v2.3.4.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
$ cp harbor.yml.tmpl harbor.yml
# edit the configuration file
$ vi harbor.yml
...
...
...
hostname: hub.leffss.com
https:
port: 443
certificate: /data/certs/hub.leffss.com.crt
private_key: /data/certs/hub.leffss.com.key
external_url: https://hub.leffss.com
...
...
...
Install and start
Run the prepare script to enable HTTPS
./prepare
Start the installation
./install.sh
Stopping and starting Harbor
$ cd harbor
$ docker-compose stop # stop
$ docker-compose start # start (the first time you must use up -d)
$ docker-compose down # stop and remove the containers (use with care)
$ docker-compose up -d # create and start
Access Harbor
Access via the IP address or the domain name (the domain name requires a local hosts entry).
Default account/password: admin Harbor12345
Configure the Docker host
First convert hub.leffss.com.crt to hub.leffss.com.cert for Docker to use
openssl x509 -inform PEM -in hub.leffss.com.crt -out hub.leffss.com.cert
Every Docker host that needs to access the hub must be configured
mkdir -p /etc/docker/certs.d/hub.leffss.com/
cp hub.leffss.com.cert /etc/docker/certs.d/hub.leffss.com/
cp hub.leffss.com.key /etc/docker/certs.d/hub.leffss.com/
cp ca.crt /etc/docker/certs.d/hub.leffss.com/
- If the hub listens on a different port, the directory is: /etc/docker/certs.d/hub.leffss.com:[port]/
Restart Docker for the change to take effect
systemctl restart docker
Verify
Log in to Harbor and create a new private project
Test pushing an image from the Docker host
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.3.4 41f7fb260d0d 2 weeks ago 81.1MB
goharbor/chartmuseum-photon v2.3.4 f460981da720 2 weeks ago 179MB
goharbor/redis-photon v2.3.4 e4780c57b230 2 weeks ago 155MB
goharbor/trivy-adapter-photon v2.3.4 af0652363af0 2 weeks ago 130MB
goharbor/notary-server-photon v2.3.4 66c118fdbe3e 2 weeks ago 110MB
goharbor/notary-signer-photon v2.3.4 27d49a4ae0d3 2 weeks ago 108MB
goharbor/harbor-registryctl v2.3.4 0daeaba57fc6 2 weeks ago 133MB
goharbor/registry-photon v2.3.4 8497f259228a 2 weeks ago 81.9MB
goharbor/nginx-photon v2.3.4 2218fcda1ff0 2 weeks ago 45MB
goharbor/harbor-log v2.3.4 4d507b2e8131 2 weeks ago 159MB
goharbor/harbor-jobservice v2.3.4 5924b12f0b85 2 weeks ago 211MB
goharbor/harbor-core v2.3.4 dc8b74f8c4f3 2 weeks ago 193MB
goharbor/harbor-portal v2.3.4 770e6950323b 2 weeks ago 58.2MB
goharbor/harbor-db v2.3.4 8e2ed50e4699 2 weeks ago 228MB
goharbor/prepare v2.3.4 cce1a590410d 2 weeks ago 254MB
$ docker tag goharbor/nginx-photon:v2.3.4 hub.leffss.com/leffss/nginx-photon:v2.3.4
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.3.4 41f7fb260d0d 2 weeks ago 81.1MB
goharbor/chartmuseum-photon v2.3.4 f460981da720 2 weeks ago 179MB
goharbor/redis-photon v2.3.4 e4780c57b230 2 weeks ago 155MB
goharbor/trivy-adapter-photon v2.3.4 af0652363af0 2 weeks ago 130MB
goharbor/notary-server-photon v2.3.4 66c118fdbe3e 2 weeks ago 110MB
goharbor/notary-signer-photon v2.3.4 27d49a4ae0d3 2 weeks ago 108MB
goharbor/harbor-registryctl v2.3.4 0daeaba57fc6 2 weeks ago 133MB
goharbor/registry-photon v2.3.4 8497f259228a 2 weeks ago 81.9MB
goharbor/nginx-photon v2.3.4 2218fcda1ff0 2 weeks ago 45MB
hub.leffss.com/leffss/nginx-photon v2.3.4 2218fcda1ff0 2 weeks ago 45MB
goharbor/harbor-log v2.3.4 4d507b2e8131 2 weeks ago 159MB
goharbor/harbor-jobservice v2.3.4 5924b12f0b85 2 weeks ago 211MB
goharbor/harbor-core v2.3.4 dc8b74f8c4f3 2 weeks ago 193MB
goharbor/harbor-portal v2.3.4 770e6950323b 2 weeks ago 58.2MB
goharbor/harbor-db v2.3.4 8e2ed50e4699 2 weeks ago 228MB
goharbor/prepare v2.3.4 cce1a590410d 2 weeks ago 254MB
$ docker login hub.leffss.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker push hub.leffss.com/leffss/nginx-photon:v2.3.4
The push refers to repository [hub.leffss.com/leffss/nginx-photon]
e1768f3b0fc8: Pushed
103405848fd2: Pushed
v2.3.4: digest: sha256:fde18ca6ae5fd7fb0bf69aaab9a24acdd7d9a5b8725fa612be5a2aa3cab7d3ca size: 740
$ docker logout https://hub.leffss.com
Removing login credentials for hub.leffss.com
Configure Harbor to start at boot
vi /lib/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
# adjust to Harbor's installation location
ExecStart=/usr/bin/docker-compose -f /root/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /root/harbor/docker-compose.yml stop
[Install]
WantedBy=multi-user.target
- The unit must start Harbor with the docker-compose up command
systemctl daemon-reload
systemctl enable harbor # start at boot
systemctl start harbor # start
Harbor high availability
Reference: https://www.cnblogs.com/Gmiaomiao/p/14265246.html
The approach relies on the replication feature that Harbor provides out of the box.