Setting up Harbor 1.10.2 on CentOS 7 with a self-signed certificate

2020-04-23  Rainy丶Wang

The registry tool Docker ships is fairly bare-bones. It is fine for testing, but it falls short once you want to use it inside a company!
Today's topic is Harbor, the private Docker registry that most companies use.

About Harbor:

Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. As a CNCF Incubating project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.

Installation, configuration and startup

The official download page lists every release; pick whichever you need.
I chose the latest version at the time, v1.10.2 (download link), about 600 MB for the offline installer.
You can also download the online installer, which is smaller, but it pulls the images over the network during installation.

Prerequisites

docker
docker-compose (available from the EPEL repository)

[root@rainy src]# ls
harbor-offline-installer-v1.10.2.tgz  ossimport-2.3.4
jdk-7u79-linux-x64.tar.gz             ossimport-2.3.4.zip

[root@rainy src]# tar zxvf harbor-offline-installer-v1.10.2.tgz -C ../
harbor/harbor.v1.10.2.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml
[root@rainy harbor]# ls
common     docker-compose.yml     harbor.yml  LICENSE
common.sh  harbor.v1.10.2.tar.gz  install.sh  prepare

[root@rainy harbor]# vim harbor.yml             # configuration file

If you are not going to use HTTPS, just delete the https block from harbor.yml.

(screenshot of harbor.yml)
Configuring a self-signed certificate
The author's CentOS hostname is wang.com; replace it with your own hostname when following along.
# Generate the certificate authority (CA) certificate
# Generate the CA private key.
openssl genrsa -out ca.key 4096

# Generate the CA certificate.
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=wang.com" \
 -key ca.key \
 -out ca.crt

## Generate the server certificate
# Generate the server private key.
openssl genrsa -out wang.com.key 4096

# Generate a certificate signing request (CSR).
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=wang.com" \
    -key wang.com.key \
    -out wang.com.csr

# Generate an x509 v3 extension file.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=wang.com
DNS.2=wang
DNS.3=hostname
EOF

# Use the v3.ext file to generate the certificate for your Harbor host.
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in wang.com.csr \
    -out wang.com.crt


# Provide the certificate to Harbor and Docker
# Copy the server certificate and key into the certificates folder on the Harbor host.
mkdir -p /data/cert/
cp wang.com.crt /data/cert/
cp wang.com.key /data/cert/


# Convert yourdomain.com.crt to yourdomain.com.cert (here wang.com) for Docker to use.
openssl x509 -inform PEM -in wang.com.crt -out wang.com.cert

# Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. You must create the appropriate folder first.
mkdir -p /etc/docker/certs.d/wang.com/
cp wang.com.cert /etc/docker/certs.d/wang.com/
cp wang.com.key /etc/docker/certs.d/wang.com/
cp ca.crt /etc/docker/certs.d/wang.com/
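As an added example (not part of the original post), the Go code below builds a constructed CA and server certificate carrying the same extensions v3.ext requests, then checks the server certificate the way a Go-based client such as the Docker daemon does once ca.crt sits in /etc/docker/certs.d/wang.com/: only a certificate that chains to that CA and lists the requested hostname in subjectAltName passes, and the CN alone is not enough, which is why the [alt_names] block matters. The names makeChain and verifyForHost, the ECDSA P-256 keys (the page uses RSA 4096) and the distinct CA subject "example CA" are my choices, not the page's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } }

// newKey stands in for "openssl genrsa 4096" (ECDSA P-256 only so this runs fast).
func newKey() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err); return k }

func mustCert(der []byte, err error) *x509.Certificate {
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// makeChain is a constructed stand-in for the page's ca.crt / wang.com.crt pair, carrying
// the extensions v3.ext requests: CA:FALSE, extendedKeyUsage serverAuth, subjectAltName.
func makeChain(sans []string) (leaf, ca *x509.Certificate) {
	now, caKey, leafKey := time.Now(), newKey(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)} // -days 3650
	ca = mustCert(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), BasicConstraintsValid: true, // CA:FALSE
		Subject: pkix.Name{CommonName: "wang.com"}, DNSNames: sans, // [alt_names]; nil = CN only
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	leaf = mustCert(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	return leaf, ca
}

// verifyForHost mirrors what a Go-based client such as docker does with the CA dropped into
// /etc/docker/certs.d/<host>/ca.crt: trust only that CA and require <host> in the SAN list.
func verifyForHost(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool(); roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

verifyForHost returns nil for "wang.com" against the chain built from the [alt_names] entries, and a hostname error both for a name missing from the SAN list and for a certificate that carries only a CN.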

Run ./prepare

[root@wang harbor]# ./prepare
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Run ./install.sh

[root@wang harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.8
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-db:v1.10.2
Loaded image: goharbor/notary-server-photon:v1.10.2
Loaded image: goharbor/clair-photon:v1.10.2
Loaded image: goharbor/harbor-portal:v1.10.2
Loaded image: goharbor/harbor-core:v1.10.2
Loaded image: goharbor/harbor-jobservice:v1.10.2
Loaded image: goharbor/harbor-registryctl:v1.10.2
Loaded image: goharbor/redis-photon:v1.10.2
Loaded image: goharbor/nginx-photon:v1.10.2
Loaded image: goharbor/chartmuseum-photon:v1.10.2
Loaded image: goharbor/harbor-log:v1.10.2
Loaded image: goharbor/registry-photon:v1.10.2
Loaded image: goharbor/notary-signer-photon:v1.10.2
Loaded image: goharbor/harbor-migrator:v1.10.2
Loaded image: goharbor/prepare:v1.10.2
Loaded image: goharbor/clair-adapter-photon:v1.10.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Creating nginx ... done
Creating harbor-jobservice ... done
Creating harbor-log ... done
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Creating harbor-db ... done
Creating harbor-core ... done
[Step 5]: starting Harbor ...
Creating registryctl ...
Creating registry ...
Creating redis ...
Creating harbor-db ...
Creating harbor-portal ...
Creating harbor-core ...
Creating harbor-jobservice ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----

Verify that the services started
If you removed the https configuration from the config file, port 443 will not be listening.

[root@wang harbor]# ss -tnl
State       Recv-Q Send-Q                                      Local Address:Port                                                     Peer Address:Port
LISTEN      0      128                                             127.0.0.1:1514                                                                *:*
LISTEN      0      128                                                     *:22                                                                  *:*
LISTEN      0      100                                             127.0.0.1:25                                                                  *:*
LISTEN      0      128                                                  [::]:2375                                                             [::]:*
LISTEN      0      128                                                  [::]:80                                                               [::]:*
LISTEN      0      128                                                  [::]:22                                                               [::]:*
LISTEN      0      128                                                  [::]:23                                                               [::]:*
LISTEN      0      100                                                 [::1]:25                                                               [::]:*
LISTEN      0      128                                                  [::]:443                                                              [::]:*

Change to the installation directory and use docker-compose to manage the services.

Pause access

[root@rainy harbor]# docker-compose pause
Pausing harbor-log        ... done
Pausing harbor-db         ... done
Pausing redis             ... done
Pausing registryctl       ... done
Pausing harbor-portal     ... done
Pausing registry          ... done
Pausing harbor-core       ... done
Pausing harbor-jobservice ... done
Pausing nginx             ... done

Resume access

[root@rainy harbor]# docker-compose unpause
Unpausing nginx             ... done
Unpausing harbor-jobservice ... done
Unpausing harbor-core       ... done
Unpausing registry          ... done
Unpausing harbor-portal     ... done
Unpausing registryctl       ... done
Unpausing redis             ... done
Unpausing harbor-db         ... done
Unpausing harbor-log        ... done

More management commands:

Commands:
  build              Build or rebuild services
  bundle             Generate a Docker bundle from the Compose file
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove containers, networks, images, and volumes
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show the Docker-Compose version information