docker镜像仓库harbor集成trivy及仓库api等全家桶

一、安装docker


[root@localhost home]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@localhost home]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost home]# yum makecache fast
#指定一个路径作为docker的根目录,以免系统目录被占满
[root@localhost home]# mkdir /home/dockerData
[root@localhost home]# ln -s /home/dockerData /var/lib/docker
[root@localhost home]# yum -y install docker-ce-19.03.6
[root@localhost home]# systemctl start docker
[root@localhost home]# systemctl enable docker
[root@localhost home]# docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)
​
Server:
 Containers: 13
  Running: 13
  Paused: 0
  Stopped: 0
 Images: 27
 Server Version: 19.03.6
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs


二、安装dockercompose



[root@localhost home]# curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@localhost home]# chmod +x /usr/local/bin/docker-compose
[root@localhost home]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
#或者
[root@localhost home]# yum -y install epel-release
[root@localhost home]# yum -y install docker-compose
[root@localhost home]# docker-compose --version
docker-compose version 1.25.4, build 8d51620a


三、安装harbor及使用

安装:
[root@localhost home]# wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
​
[root@localhost home]# tar -zxvf ./harbor-offline-installer-v1.10.1.tgz
[root@localhost home]# cd /home/harbor
#修改配置文件,端口、ip等
[root@localhost home/harbor]# vi harbor.yml
# Configuration file of Harbor
​
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.56.12
#skip_update:true
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 7655
​
# https related config
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
​
#安装-每次修改配置文件都需要执行这里
[root@localhost home/harbor]# ./prepare
[root@localhost home/harbor]# ./install.sh --with-clair --with-chartmuseum
#启动
[root@localhost home/harbor]# docker-compose up -d
#关闭
[root@localhost home/harbor]# docker-compose down
#接下来在防火墙中放行7655端口(或关闭防火墙,但不建议)就能访问7655端口了
#配置允许docker以http方式登录该仓库,否则docker登录会失败。这里的ip自行调整;注意下面的 > 会覆盖已有的/etc/docker/daemon.json,若该文件已存在请合并内容。insecure-registries意味着登录凭据明文传输,仅适用于第六节启用https之前
[root@localhost home/harbor]# echo '{ "insecure-registries":["ip:7655"] }' > /etc/docker/daemon.json
[root@localhost home/harbor]# systemctl restart docker
[root@localhost home/harbor]# docker-compose up -d
#本机使用docker客户端登录到仓库,以便在本机制作镜像后推送到harbor(登录地址需与harbor.yml中的hostname及daemon.json中的insecure-registries一致;-p 会把密码留在shell历史和进程列表中,建议改用 --password-stdin)
[root@localhost home/harbor]# docker login 192.168.56.13:7655 -u harbor用户 -p 密码
​
#浏览器访问(若无法访问请留意防火墙端口策略配置)
http://192.168.56.12:7655


harbor-api

由于swagger插件似乎无法下载,只能将就着记录下以下接口信息(示例均使用默认admin口令并走http,仅限测试环境;生产环境请先修改密码并启用https):

Harbor镜像仓库地址:172.168.1.249

​
# Harbor REST API examples (unversioned /api/ paths of the Harbor 1.x install
# above), all run against the 172.168.1.249 registry over plain HTTP with the
# built-in admin account.
# NOTE(review): "admin:Harbor12345" is Harbor's factory default password and
# Basic auth over http:// sends it in clear text; for anything beyond a lab,
# change the password first, serve the API over https (see section six) and
# keep the credential out of the command line / shell history, e.g. with
# `curl -u admin` (prompts for the password) or `curl -n` with a 0600 ~/.netrc.
# Get one project by id (2)
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/projects/2"
​
# List all projects (the trailing "?" is harmless, no filter is applied)
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/projects?"
​
# Search projects/repositories whose name contains "asset"
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/search?q=asset"
​
# Delete project 3 — destructive; double-check the id before running
​
curl -u "admin:Harbor12345" -X DELETE -H "Content-Type: application/json" "http://172.168.1.249/api/projects/3"
​
# Create a project; request body is read from ./createproject.json (shown below)
​
curl -u "admin:Harbor12345" -X POST -H "Content-Type: application/json" "http://172.168.1.249/api/projects" -d @createproject.json
​
createproject.json 为请求体文件名,文件内容如下:
​
# 0为私有
​
{
​
    "project_name": "项目名",
​
    "public": 0
​
}
​
# Create a local user; request body is read from ./user.json (shown below).
# NOTE(review): the body carries the new user's password in clear text, so
# restrict read access to user.json and delete it when done.
​
curl -u "admin:Harbor12345" -X POST -H "Content-Type: application/json" "http://172.168.1.249/api/users" -d @user.json
​
user.json 文件内容如下(password 为明文,请限制该文件的读取权限):
​
{
​
    "user_id": 5,
​
    "username": "test",
​
    "email": "test@qq.com",
​
    "password": "Harbor12345",
​
    "realname": "test",
​
    "role_id": 0
​
}
​
# User / member / repository calls, same registry and default admin credential
# as above (see the note at the top of the project examples about http + the
# default password).
# List users (admin is not included in the result)
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/users"
​
# Show the user the request is authenticated as
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/users/current"
​
# Delete a user; the trailing path segment is the user_id (34 here)
​
curl -u "admin:Harbor12345" -X DELETE -H "Content-Type: application/json" "http://172.168.1.249/api/users/34"
​
# Change the password of user 4; body read from ./uppwd.json (not shown on
# this page) — it contains the new password in clear text, protect the file
​
curl -u "admin:Harbor12345" -X PUT -H "Content-Type: application/json" "http://172.168.1.249/api/users/4/password" -d @uppwd.json
​
# List the members (and their roles) of project 2
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/projects/2/members/"
​
# Add a member/role to project 2; body read from ./role.json (not shown).
# Note this one authenticates as "jaymarco", not admin — the caller needs
# enough rights on the project for the call to succeed.
​
curl -u "jaymarco:Harbor123456" -X POST -H "Content-Type: application/json" "http://172.168.1.249/api/projects/2/members/" -d @role.json
​
# List repositories of project 2 whose name matches q (replace 镜像名)
​
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/repositories?project_id=2&q=镜像名"
​
# Delete tag "latest" of repository marktrace/asset (the "/" in the
# repository name is URL-encoded as %2F) — destructive and not reversible
​
curl -u "admin:Harbor12345" -X DELETE -H "Content-Type: application/json" "http://172.168.1.249/api/repositories/marktrace%2Fasset/tags/latest"
​
# List tags of marktrace/asset and pick the "name" lines near each "digest".
# NOTE(review): in the shell `""name""` collapses to the bare word name, so
# the last grep matches any line containing "name"; to match the JSON key
# literally use `grep '"name"'` (or parse the JSON with jq instead of grep).
​
curl -s -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/repositories/marktrace%2Fasset/tags/" |grep "digest" -C 2 |grep ""name""
# Same calls against an https registry, with credentials and host replaced by
# placeholders (xxxxxxx / xxxxx) — fill in your own values.
# NOTE(review): the header value "application/jsn" is a typo for
# application/json; it does not affect these GET requests but fix it before
# copying the lines into a script.
# List all projects
​
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/projects?"

# List all repositories (images) of project 37

curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/repositories?project_id=37"

# Tags of marktrace/asset; `""name""` collapses to the bare word name in the
# shell, use `grep '"name"'` to match the JSON key literally
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/repositories/marktrace%2Fasset/tags/" |grep "digest" -C 2 |grep ""name""

# Tags of test_lab/easyview-api-uj (here the "/" is left un-encoded)
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/repositories/test_lab/easyview-api-uj/tags/"

# Search for "asset"
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/search?q=asset"

​

进入harbor数据库方法

1、进入[harbor-db]容器内部
​
    docker exec -it harbor-db /bin/bash
​
2、进入postgresql命令行
​
    psql -h postgresql -d postgres -U postgres #这要输入默认密码:root123 。
    psql -U postgres -d postgres -h 127.0.0.1 -p 5432 #或者用这个可以不输入密码。
​
3、切换到harbor所在的数据库
​
    \c registry
​
4、查看harbor_user表
​
    select * from harbor_user;
​
5、例如修改admin的密码,修改为初始化密码 Harbor12345 ,修改好了之后再可以从web ui上再改一次。
​
update harbor_user set password='a71a7d0df981a61cbb53a97ed8d78f3e',salt='ah3fdh5b7yxepalg9z45bu8zb36sszmr' where username='admin';
6、退出 \q 退出postgresql,exit退出容器。
​
    \q
    exit
​

完成后即可通过WEB UI用 admin / Harbor12345 登录;Harbor12345 是出厂默认密码,登录后请立即修改,避免安全问题。


四、安装trivy

#查看版本https://github.com/aquasecurity/harbor-scanner-trivy
[root@localhost home/harbor]# docker pull aquasec/harbor-scanner-trivy:0.19.0
#重构该镜像,使用root账号运行,否则会有权限报错(报错通常是挂载目录的属主/权限与镜像内运行用户不匹配,更稳妥的做法是修正 /data/trivy-adapter/trivy 的属主或权限,而不是让扫描器以root运行)
Dockerfile内容:
# Rebuild of the upstream Harbor Trivy adapter image that runs the adapter as root.
# Build arg TRIVY_VERSION selects the aquasec/harbor-scanner-trivy image tag
# (default 0.19.0), not a Trivy release; it is declared before FROM so it can be
# used in the FROM line.
ARG TRIVY_VERSION=0.19.0
FROM aquasec/harbor-scanner-trivy:${TRIVY_VERSION}
# NOTE(review): the upstream image evidently does not run as root (hence the
# permission errors on the mounted DB directory mentioned above). Switching to
# root to work around them means every process in the container, and anything
# that compromises the scanner, runs as root inside the container. Preferably
# fix ownership/permissions of the host directory mounted at
# /home/scanner/.cache/trivy/db so the image's own user can write to it.
USER root
# Adapter binary as entrypoint, exec form so it receives signals directly
# rather than through a shell.
ENTRYPOINT ["/home/scanner/bin/scanner-trivy"]
​
#构建镜像
[root@localhost home/harbor]# docker build -f /home/dockerWorkSpace/trivy/Dockerfile -t aquasec/harbor-scanner-trivy-ys:Release.0.19.0 /home/dockerWorkSpace/trivy
#创建离线扫描数据目录并上传漏洞数据库文件(可在github下载)
[root@localhost home/harbor]# mkdir -p /data/trivy-adapter/trivy
[root@localhost home/harbor]# ls /data/trivy-adapter/trivy
metadata.json
trivy.db
#启动trivy,指定端口8181和名称trivy-adapter(该名称将用于harbor连接时),另外确保redis容器已启动
# Start the rebuilt Trivy adapter on the Harbor compose network (harbor_harbor),
# so Harbor can reach it by container name (trivy-adapter) on port 8181; the
# offline Trivy DB (metadata.json, trivy.db) is mounted at the adapter's DB
# cache path. Assumes the redis container of the Harbor stack is running.
# NOTE(review): SCANNER_LOG_LEVEL=trace and SCANNER_TRIVY_DEBUG_MODE=true are
# debugging settings and produce very verbose logs; lower them once the
# integration works.
# NOTE(review): TRIVY_NON_SSL=true presumably lets Trivy talk to the registry
# without TLS, matching the http-only Harbor of section three — revisit it
# once https is enabled in section six.
# NOTE(review): -p 8181:8181 publishes the scanner API on every host
# interface; since Harbor reaches the adapter over --network harbor_harbor by
# name, the publish looks like it is only needed for manual testing — confirm,
# and bind it to 127.0.0.1 or drop it otherwise.
[root@localhost home/harbor]# docker run -d -p 8181:8181 --name trivy-adapter -v /data/trivy-adapter/trivy:/home/scanner/.cache/trivy/db \
-e "SCANNER_LOG_LEVEL=trace" \
-e "SCANNER_TRIVY_DEBUG_MODE=true" \
-e "TRIVY_NON_SSL=true" \
-e "SCANNER_API_SERVER_ADDR=:8181" \
-e "SCANNER_REDIS_URL=redis://redis:6379" \
-e "SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue" \
--network harbor_harbor \
aquasec/harbor-scanner-trivy-ys:Release.0.19.0

五、harbor添加trivy

六、添加https(该步骤在安装harbor前后均可进行)

# 创建证书目录,并赋予权限(777 会让目录下的私钥对本机所有用户可读写;目录一般 700、私钥文件 600 即可,nginx 容器以 root 读取时并不需要 777)
[root@localhost home]# mkdir -p /data/cert && chmod -R 777 /data/cert && cd /data/cert
# 生成私钥,需要设置密码(此处 2021lt007 仅为示例,请自行设定,不要把实际口令记录在文档中)
[root@localhost cert]# openssl genrsa -des3 -out harbor.key 2048
​
# 生成CA证书申请文件(xxx.csr),需要输入密码
# C国家名,ST省份名,O组织名,U组织单位名,CN域名,L城市位置
[root@localhost cert]# openssl req -sha512 -new \
    -subj "/C=CN/ST=GD/L=SZ/O=lt/OU=ltdev/CN=thhub.ltdev.com" \
    -key harbor.key \
    -out harbor.csr
    
# 备份私钥
[root@localhost cert]# cp harbor.key harbor.key.org
​
# 去掉私钥密码,以便 nginx/docker 无需交互即可加载(也可以参考官方文档配置双向认证);去掉密码后私钥为明文,务必将文件权限限制为 600
[root@localhost cert]# openssl rsa -in harbor.key.org -out harbor.key
​
# 用申请文件和私钥自签名生成服务端证书(xxx.crt),有效期 365 天;自签名证书需要在每个 docker 客户端上单独信任(见下文"报错问题1")
[root@localhost cert]# openssl x509 -req -days 365 -in harbor.csr -signkey harbor.key -out harbor.crt
​
#配置域名
[root@localhost home/harbor]# vi /etc/hosts
192.168.56.12 thhub.ltdev.com
​
#修改harbor配置文件并重新安装harbor
#修改配置文件,端口、域名等
[root@localhost home/harbor]# vi harbor.yml
# Configuration file of Harbor
​
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: thhub.ltdev.com
#skip_update:true
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 7655
​
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.crt
  private_key: /data/cert/harbor.key
#准备配置nginx 开启https
[root@localhost home/harbor]# ./prepare
#安装harbor  
[root@localhost home/harbor]# ./install.sh --with-clair --with-chartmuseum
#启动
[root@localhost home/harbor]# docker-compose up -d
​
#浏览器访问(若无法访问请留意防火墙端口策略配置)
https://192.168.56.12
​
​
​
## 报错问题1:
#docker-client的登录harbor报错
#docker登录harbor
[root@thhub cert]# docker login thhub.ltdev.com -u 用户名 -p 密码
Error response from daemon: Get https://192.168.56.12:443/v2/: x509: cannot validate certificate for 192.168.56.13 because it doesn't contain any IP SANs
​
#编辑如下配置文件,在 v3_ca 下添加 subjectAltName = IP:IP地址 或 DNS:域名。注意:修改后必须重新执行上面的 openssl req / openssl x509 步骤重新签发证书;且 openssl x509 -req 默认不会读取配置文件中的扩展,需加上 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca,否则 SAN 不会写入证书
/etc/pki/tls/openssl.cnf,
subjectAltName = IP:192.168.56.12
​
#将证书**.crt(docker-daemon使用)转换成docker(客户端使用)的证书文件**.cert
[root@localhost cert]# openssl x509 -inform PEM -in harbor.crt -out harbor.cert
​
#将证书拷贝到 docker 客户端的证书目录(docker 只需要 .crt/.cert 来信任服务端;harbor.key 是服务端私钥,不应分发到客户端,下面拷贝 harbor.key 的一步可以省略)
[root@localhost cert]# cp harbor.cert /etc/docker/certs.d/thhub.ltdev.com/
[root@localhost cert]# cp harbor.key /etc/docker/certs.d/thhub.ltdev.com/
[root@localhost cert]# cp harbor.crt /etc/docker/certs.d/thhub.ltdev.com/
​
#将生成的证书追加到系统(docker-client所在系统)的证书管理文件中 
#[root@localhost home/harbor]# cat /data/cert/harbor.crt >> /etc/pki/tls/certs/ca-bundle.crt
​
#将证书绑定到系统
[root@localhost cert]# cp harbor.crt /etc/pki/ca-trust/source/anchors/harbor.crt
[root@localhost cert]# update-ca-trust
​
#重启docker
[root@localhost home/harbor]# systemctl restart docker
​
#docker登录harbor---注意,必须使用域名登录才会使用https证书!!
[root@thhub cert]# docker login thhub.ltdev.com -u 用户名 -p 密码
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
​
Login Succeeded
