Harbor
Github地址https://github.com/goharbor/harbor
官方地址:https://github.com/goharbor/harbor/releases
安装
注意在安装之前 需要确保已经安装了docker 和docker-compose
安装docker
# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun# systemctl daemon-reload# service docker restart# service docker status
可以设置开机自启动
# systemctl enable dockerCreated symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
# sudo curl -L https://github.com/docker/compose/releases/download/1.26.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
安装docker-compose
# pip install -U docker-compose
SSL证书创建
官方文档:https://github.com/goharbor/harbor/blob/master/docs/install-config/configure-https.md
创建CA证书
# openssl genrsa -out ca.key 2048Generating RSA private key, 2048 bit long modulus (2 primes).......................+++++................+++++e is 65537 (0x010001)openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=harbor/emailAddress=ca@harbor.com"
选项参数说明:
genrsa 生成私钥
-out filename 标准输出到filename文件
req 生成证书请求
-new 生成新证书签署请求
-x509 专用于CA生成自签证书;不自签的时候不要加该选项
-days num 证书的有效期限
-key file 生成请求时用到的私钥文件
-out filename 标准输出到filename文件
subj内容详解:
C = 国家ST = 省/州L = 城市O = Organization NameOU = Organizational Unit NameCN = Common NameemailAddress = 注册邮箱
如果出现如下错误
Can't load /root/.rnd into RNG140012552131008:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
执行如下
# cd /root# openssl rand -writerand .rnd
创建服务器证书
创建私钥
# openssl genrsa -out httpd.key 1024
生成签发请求
# openssl req -new -key httpd.key -out httpd.csr -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=OPS/CN=harbor/emailAddress=nlp@harbor.com"
使用CA证书进行签发
# openssl x509 -req -sha256 -in httpd.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 -out httpd.crtSignature oksubject=C = CN, ST = BJ, L = BeiJing, O = BTC, OU = OPS, CN = harbor, emailAddress = nlp@harbor.comGetting CA Private Key
验证签发证书是否有效
# openssl verify -CAfile ca.crt httpd.crthttpd.crt: OK
其中将httpd.key和httpd.crt,放到/etc/harbor/cert/目录下,后面harbor配置https 需要
一件脚本:https://rancher2.docs.rancher.cn/docs/installation/options/self-signed-ssl/_index/
修改配置
修改配置harbor.yml
hostname 这里设置本机的ip
harbor_admin_password 登录密码
port 端口号
安装
执行 ./prepare
# ./prepareprepare base dir is set to /root/app/harborClearing the configuration file: /config/core/envClearing the configuration file: /config/core/app.confClearing the configuration file: /config/nginx/nginx.confClearing the configuration file: /config/log/rsyslog_docker.confClearing the configuration file: /config/log/logrotate.confClearing the configuration file: /config/registry/config.ymlClearing the configuration file: /config/registry/root.crtClearing the configuration file: /config/jobservice/envClearing the configuration file: /config/jobservice/config.ymlClearing the configuration file: /config/registryctl/envClearing the configuration file: /config/registryctl/config.ymlClearing the configuration file: /config/db/envGenerated configuration file: /config/log/logrotate.confGenerated configuration file: /config/log/rsyslog_docker.confGenerated configuration file: /config/nginx/nginx.confGenerated configuration file: /config/core/envGenerated configuration file: /config/core/app.confGenerated configuration file: /config/registry/config.ymlGenerated configuration file: /config/registryctl/envGenerated configuration file: /config/db/envGenerated configuration file: /config/jobservice/envGenerated configuration file: /config/jobservice/config.ymlloaded secret from file: /secret/keys/secretkeyGenerated configuration file: /compose_location/docker-compose.ymlClean up the input dir
执行./install.sh 安装命令
~/app/harbor# ./install.sh[Step 0]: checking if docker is installed ...Note: docker version: 19.03.12[Step 1]: checking docker-compose is installed ...Note: docker-compose version: 1.26.2
如果修改了Harbor的配置文件harbor.yml,因为Harbor是基于docker-compose服务编排的,我们可以使用docker-compose命令重启Harbor。
未修改配置文件,重启Harbor命令:docker-compose start | stop | restart
关于http
在docker.service文件中添加—insecure-registry参数指定仓库地址和端口。
ExecStart=/usr/bin/dockerd --insecure-registry=192.168.1.191:8888
重启docker
systemctl restart docker
镜像推送命令**
docker login 到镜像仓库服务器
docker login --username=testuser --password=xxxx harbor服务器地址
eg
docker login -u baxiang -p BAxiang123456 https://192.168.1.51:443WARNING! Using --password via the CLI is insecure. Use --password-stdin.Login Succeeded
打docker tag docker tag 对本地镜像打tag标签到镜像仓库服务器
docker tag hello-world:latest xxxx/project-test/hello-world:1.0
docker push 镜像到镜像仓库中
docker push xxxx/project-test/hello-world:1.0
docker客户端配置免https
Docker 默认不允许非 HTTPS 方式推送镜像。我们可以通过 Docker 的配置选项来取消这个限制。否则会出现如下错误信息:
Error response from daemon: Get https:// 172.16.1.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client
或者如下
x509: certificate signed by unknown authority
需要添加{ "insecure-registries":["host:port"] }
到/etc/docker/daemon.json
例如直接 vim
{"insecure-registries": ["IP:PORT"]}
eg:
vim /etc/docker/daemon.json{"insecure-registries": ["192.168.91.131:5000"]}
或者
# echo '{ "insecure-registries":["172.16.1.146:8888"] }' > /etc/docker/daemon.json
然后需要重启
systemctl daemon-reloadsystemctl restart docker
问题
denied: requested access to the resource is denied
需要登录harbor
参考
http://www.zhangblog.com/2020/05/13/docker06/
https://www.cnblogs.com/haorong/p/11097821.html
http://www.mydlq.club/article/66/
https://juejin.im/post/5d9c2f25f265da5bbb1e3de5
https://juejin.im/post/5e9dbe676fb9a03c5e0cefe9
https://github.com/docker/distribution/issues/948
https://mayanbin.com/post/installing-harbor.html
https://www.cnblogs.com/operationhome/p/10868498.html
若有收获,就点个赞吧
0 人点赞
