1、安装依赖
# Step 1: host packages installed before Docker/Harbor (networking tools plus the
# wget/openssl tooling used by the certificate and download steps below).
yum -y install ebtables ethtool iproute iptables socat util-linux wget openssl-devel
2、安装docker
# Step 2: docker-ce is not shipped in the stock CentOS repositories; the Docker CE yum
# repository has to be configured on this host before this command can resolve the package.
yum install docker-ce
3、安装 docker-compose
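yum install epel-release -y
yum install python-pip -y
# NOTE(review): the pip upgrade is not needed for the static binary installed below;
# kept as in the original, but replacing the distro pip can confuse yum-managed Python
# packages on this host.
pip install --upgrade pip
# Pin the release and make curl fail on HTTP errors (-f): without it an error page from
# GitHub would be saved as the "binary" and then made executable.
COMPOSE_VERSION=1.24.1
COMPOSE_BIN=/usr/local/bin/docker-compose
curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o "${COMPOSE_BIN}"
# Verify before it becomes executable: compare this digest with the one published for the
# release at https://github.com/docker/compose/releases/tag/1.24.1 . A binary fetched over
# the network and run as root without any check is a supply-chain risk.
sha256sum "${COMPOSE_BIN}"
chmod 0755 "${COMPOSE_BIN}"
# -f so re-running the step does not fail on an existing symlink.
ln -sf "${COMPOSE_BIN}" /usr/bin/docker-compose
docker-compose --version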
4、创建证书存放目录
mkdir -p /mnt/hgfs/data/harbor/cert
cd /mnt/hgfs/data/harbor/cert
注意:/mnt/hgfs 是 VMware 的共享目录,其中文件的权限通常由宿主机决定,无法保证私钥(ca.key、harbor.key)只有 root 可读;生产环境请把证书和私钥放在本机磁盘目录,并将私钥权限设为 600。
5、创建证书
参考官方文档:https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
生成CA证书
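# Restrict the mode of every file created below: genrsa without a cipher option writes
# the CA private key unencrypted, so the file mode is its only protection.
umask 077
openssl genrsa -out ca.key 4096
# NOTE(review): ca.key can sign certificates for any name this host will trust; keep it
# off shared storage and never copy it into /etc/docker/certs.d. The subject used here
# is identical to the server certificate's subject below; giving the CA its own CN
# (e.g. "harbor-ca") avoids tooling that treats identical subject/issuer names as a
# self-signed certificate.
openssl req -x509 -new -nodes -sha512 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/emailAddress=183906280@qq.com"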
或者:
# Equivalent one-step form of the two commands above: key generation and the self-signed
# CA certificate in a single call. -nodes still leaves ca.key unencrypted on disk.
openssl req -newkey rsa:4096 -nodes -sha512 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/emailAddress=183906280@qq.com"
生成证书签名请求
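# Server key is written unencrypted (no cipher option); restrict its mode from creation.
umask 077
openssl genrsa -out harbor.key 4096
# CSR for the registry endpoint. The names clients actually connect with are not taken
# from this subject but from the subjectAltName list in v3.ext applied at signing time;
# CN=harbor matches DNS.1 there and IP.1 covers the hostname set in harbor.cfg.
openssl req -sha512 -new -key harbor.key -out harbor.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/emailAddress=183906280@qq.com"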
或者:
# Equivalent one-step form: server key and CSR in a single call (key still unencrypted).
openssl req -newkey rsa:4096 -nodes -sha512 -keyout harbor.key -out harbor.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/emailAddress=183906280@qq.com"
生成服务端证书
新建v3.ext文件内容:
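# v3.ext: X.509 v3 extensions the CA applies when signing harbor.csr (-extfile below).
authorityKeyIdentifier=keyid,issuer
# End-entity certificate; it must not be able to sign further certificates.
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# serverAuth only: this certificate is for the registry's TLS endpoint, not client auth.
extendedKeyUsage = serverAuth
# Declared once. The original listed this key twice, which can yield two SAN extensions
# (rejected by strict validators) or a signing error depending on the OpenSSL version.
subjectAltName = @alt_names
[alt_names]
# Clients validate the SAN against the name they connect with: "harbor" for the
# hostname, IP.1 for `docker login 192.168.3.35`. Add DNS.2 / IP.2 entries for every
# other name used to reach the registry, and keep IP.1 equal to hostname in harbor.cfg.
DNS.1 = harbor
IP.1 = 192.168.3.35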
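# Sign the CSR with the local CA, applying the extensions from v3.ext. The SAN list lives
# only in v3.ext, so -extfile is mandatory here or the cert has no usable names.
# (The "# " prompt prefix of the original is dropped: in a shell it comments the line out.)
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
# Per Docker's certs.d convention, *.crt files are CA certificates and *.cert/*.key are a
# client pair, so the server cert is re-emitted under the .cert name.
openssl x509 -inform PEM -in harbor.crt -out harbor.cert
# The directory name must be exactly what `docker login` is given (add ":<port>" if the
# registry is published on a non-default port).
mkdir -p /etc/docker/certs.d/192.168.3.35/
cp harbor.cert /etc/docker/certs.d/192.168.3.35/
cp ca.crt /etc/docker/certs.d/192.168.3.35/
# NOTE(review): the original also copied harbor.key into certs.d. That file is the
# registry's TLS private key; for trusting the registry the Docker daemon only needs
# ca.crt, and a client key is only relevant for mutual TLS, which this setup does not
# configure. The private keys stay here, readable by root only.
chmod 600 harbor.key ca.key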
上述 certs.d 目录名中的 IP 地址 192.168.3.35 必须与 v3.ext 里的 IP.1 以及 harbor.cfg 的 hostname 保持一致(Docker 按 docker login 时使用的 主机[:端口] 去查找该目录;如果 nginx 的 443 端口被映射为 5443,目录应为 /etc/docker/certs.d/192.168.3.35:5443/)。
先让本机信任证书,将证书复制到信任证书的目录里
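# Trust the CA, not the leaf certificate: with ca.crt as the anchor every certificate it
# signs is accepted, including a re-issued harbor.crt; anchoring the leaf breaks as soon
# as the server certificate is regenerated. (Prompt prefix dropped so the line runs.)
cp ca.crt /etc/pki/ca-trust/source/anchors/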
然后让它立即生效
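# Rebuild the system trust store from the anchors directory. The "# " prompt prefix of the
# original is dropped: pasted into a shell it would comment every line out.
update-ca-trust enable
update-ca-trust extract
# Restart so the daemon picks up the updated trust store and the new certs.d entry.
systemctl restart docker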
8、上传/解压harbor离线包
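cd /opt
# One version is fetched; the 1.8.6 line is the alternative the original offered.
wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz
# (wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.6.tgz)
# NOTE(review): the download is not verified. Before unpacking, compare this digest with
# the checksum/signature published on the matching GitHub release page
# (https://github.com/goharbor/harbor/releases). The offline bundle ships the container
# images Harbor will run, so an unverified archive means unverified images.
sha256sum harbor-offline-installer-v1.7.5.tgz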
(官网地址:https://github.com/goharbor/harbor/releases)
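# Unpack the offline bundle into /opt/harbor and work from there. (The "# " prompt prefix
# of the original is dropped: in a shell it turns both lines into comments.)
tar xzf harbor-offline-installer-v1.7.5.tgz
cd harbor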
9、修改配置文件
$ vi harbor.cfg
# Host IP or DNS name clients will use; it must also appear in the certificate's SAN list.
hostname = 192.168.3.35
ui_url_protocol = https
# nginx certificate/key paths; the directory must exist before the install step runs.
ssl_cert = /mnt/hgfs/data/harbor/cert/harbor.crt
# NOTE(review): a private key on the VMware shared folder (/mnt/hgfs) inherits the share's
# permissions; a local directory with the key at mode 600 is safer.
ssl_cert_key = /mnt/hgfs/data/harbor/cert/harbor.key
# NOTE(review): same concern for the secret key Harbor stores under this path.
secretkey_path = /mnt/hgfs/data/harbor
或者通过sed行编辑命令修改
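## Edit harbor.cfg in place. Every pattern is anchored on the stock default value, so a
## line is a no-op when the file was already edited.
sed -i "s#hostname = reg.mydomain.com#hostname = 192.168.3.35#g" harbor.cfg
## Host IP or the DNS name clients will use; it must also be in the certificate's SAN list.
sed -i "s#ui_url_protocol = http#ui_url_protocol = https#g" harbor.cfg
## https is required for Notary and for the vulnerability scanning enabled at install time.
sed -i "s#ssl_cert = /data/cert/server.crt#ssl_cert = /mnt/hgfs/data/harbor/cert/harbor.crt#g" harbor.cfg
## The certificate directory must exist and hold the private key before ./prepare runs.
sed -i "s#ssl_cert_key = /data/cert/server.key#ssl_cert_key = /mnt/hgfs/data/harbor/cert/harbor.key#g" harbor.cfg
sed -i "s#secretkey_path = /data#secretkey_path = /mnt/hgfs/data/harbor#g" harbor.cfg
## The default secretkey_path can also be kept.
## Relocate the bind mounts in docker-compose.yml. Order matters: the specific
## /data/<name> patterns run before the bare "/data/:/data/:z" pattern near the end.
sed -i "s#/data/registry#/mnt/hgfs/data/harbor/registry#g" docker-compose.yml
sed -i "s#/data/ca_download#/mnt/hgfs/data/harbor/ca_download#g" docker-compose.yml
sed -i "s#/data/config#/mnt/hgfs/data/harbor/config#g" docker-compose.yml
## PostgreSQL uses symlinks, which the Windows share cannot provide, so the database
## stays on local disk.
sed -i "s#/data/database#/data/harbor/database#g" docker-compose.yml
sed -i "s#/data/job_logs#/mnt/hgfs/data/harbor/job_logs#g" docker-compose.yml
sed -i "s#/data/psc#/mnt/hgfs/data/harbor/psc#g" docker-compose.yml
sed -i "s#/data/redis#/mnt/hgfs/data/harbor/redis#g" docker-compose.yml
## (the original repeated the /data/registry substitution here; the second run was a no-op)
sed -i "s#/data/secretkey#/mnt/hgfs/data/harbor/secretkey#g" docker-compose.yml
sed -i "s#/data/clair-db#/mnt/hgfs/data/harbor/clair-db#g" docker-compose.clair.yml
## NOTE(review): the notary-db mount may be defined in docker-compose.notary.yml rather
## than docker-compose.yml; check which file contains it, otherwise this line matches nothing.
sed -i "s#/data/notary-db#/mnt/hgfs/data/harbor/notary-db#g" docker-compose.yml
sed -i "s#/data/:/data/:z#/mnt/hgfs/data/harbor/:/data/:z#g" docker-compose.yml
sed -i "s#/data/chart_storage#/mnt/hgfs/data/harbor/chart_storage#g" docker-compose.chartmuseum.yml
## Patch the "/data" literal in prepare. The original wrote this as "s#"/data"#...#": the
## shell re-joins that into s#/data#...# (the inner quotes vanish), so it replaced the
## first bare /data substring on any line. Single quotes keep the double quotes in both
## the pattern and the replacement, matching only the quoted literal.
sed -i 's#"/data"#"/mnt/hgfs/data/harbor"#' prepare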
参数说明:
hostname:配置主机名称,不可以设置127.0.0.1,localhost这样的主机名,可以是IP或者域名
ui_url_protocol:指定使用HTTP协议还是HTTPS协议
Email settings:邮箱设置,option配置,只在首次启动生效,可以登陆UI后修改
harbor_admin_password:设置管理员的初始密码,只在第一次启动时生效;默认值 Harbor12345 是公开的,安装前务必改掉(或首次登录后立即在 UI 中修改)。
auth_mode:用户认证模式,默认是db_auth,也可以使用ldap_auth验证。
db_password:使用db需要指定连接数据库的密码
self_registration:是否允许用户自行注册,默认是 on,新版本可以在图形界面中修改。安全上建议设为 off:开启时任何能访问 UI 的人都可以自行创建账号(能否创建项目还受 project_creation_restriction 约束)。
max_job_workers:最大工作数,默认是10个
customize_crt:是否为token生成证书,默认为on
ssl_cert:nginx 使用的证书文件路径,只有采用 https 协议时才有意义
ssl_cert_key:nginx 使用的私钥文件路径,只有采用 https 协议时才有意义(私钥文件应只允许 root 读取)
secretkey_path:The path of secretkey storage
admiral_url:Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
clair_db_password:即使未启用 clair 服务,解压目录下的 ./prepare 脚本也会检查该参数,不能注释掉,否则环境准备检查不通过,报 "ConfigParser.NoOptionError: No option u'clair_db_password' in section: u'configuration'" 错误;也可以在 ./prepare 中注释相关检查与定义,但该文件关联太多,推荐只修改 harbor.cfg(并把该密码改为非默认值)。
ldap_url:LDAP 相关设置。即使未采用 ldap 认证,解压目录下的 ./prepare 脚本也会检查这些参数,不能注释掉,否则环境准备检查不通过,报 "ConfigParser.NoOptionError: No option u'ldap_timeout' in section: u'configuration'" 错误;也可以在 ./prepare 中注释相关检查与定义,但该文件关联太多,推荐只修改 harbor.cfg。
ldap_scope:
self_registration:默认开启自注册,off为关闭
token_expiration:token有效时间,默认30minutes
project_creation_restriction:创建项目权限控制,默认是"everyone"(所有人),可设置为"adminonly"(管理员)
verify_remote_cert:与远程 registry(例如镜像复制的目标)通信时是否校验对方的 TLS 证书,建议保持 on;设为 off 会接受任意证书,复制流量可能被中间人截获。
其他使用默认值
修改docker-compose.yml文件避免端口冲突
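# docker-compose.yml, proxy service (excerpt of the services: section). Host ports are
# remapped to avoid conflicts: 5080 -> 80, 5443 -> 443, 4443 -> 4443 in the container.
proxy:
  image: goharbor/nginx-photon:v1.7.5
  container_name: nginx
  restart: always
  # Least privilege for the nginx container: drop every capability and re-add only the
  # ones needed to bind a low port and switch to the worker user.
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
  volumes:
    - ./common/config/nginx:/etc/nginx:z
  networks:
    - harbor
  dns_search: .
  # NOTE(review): with 443 published as 5443, clients reach the registry as
  # 192.168.3.35:5443. The `docker login` target and the /etc/docker/certs.d/<host:port>
  # directory name must carry the port as well (the token realm in registry/config.yml
  # already does); otherwise logins go to port 443, where nothing listens.
  ports:
    - 5080:80
    - 5443:443
    - 4443:4443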
修改 common/templates/registry/config.yml
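# common/templates/registry/config.yml (excerpt): token authentication the registry
# delegates to Harbor's token service.
auth:
  token:
    issuer: harbor-token-issuer
    # The port must match the host port mapped to nginx's 443 in docker-compose.yml.
    realm: $public_url:5443/service/token
    # NOTE(review): rootcertbundle is the certificate the registry uses to verify
    # Harbor-issued tokens (see customize_crt), which is not necessarily the nginx TLS
    # certificate. The path is also resolved inside the registry container, not on the
    # host; unless /mnt/hgfs/data/harbor/cert is bind-mounted into it, this file will not
    # exist there. Confirm both points before replacing the template's default value.
    rootcertbundle: /mnt/hgfs/data/harbor/cert/harbor.crt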
确认无误后,使用./install.sh命令开始安装
10、安装harbor
# Step 10: --with-notary enables image signing (requires the https settings configured
# above), --with-clair enables vulnerability scanning, --with-chartmuseum enables the
# Helm chart repository.
./install.sh --with-notary --with-clair --with-chartmuseum
# --with-notary 启用镜像签名,--with-clair 启用漏洞扫描。如果需要在 Harbor 中启用 Notary,请设置 --with-notary,并在 harbor.cfg 中设置 ui_url_protocol/ssl_cert/ssl_cert_key,因为 Notary 必须在 https 下运行。
# 如果需要在 Harbor 中启用 Clair,请设置 --with-clair
# 如果需要在 Harbor 中启用 Chartmuseum,请设置 --with-chartmuseum
docker-compose常用命令
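docker-compose start    ## start the already-created Harbor containers
docker-compose stop     ## stop Harbor
docker-compose restart  ## restart Harbor
docker-compose ps       ## list containers
docker-compose create   ## create the services without starting them
## Stops and removes the containers and networks. Images and named volumes are kept unless
## --rmi / -v are passed (the original text described "down" as deleting them by default).
docker-compose down
docker-compose logs     ## container output (the subcommand is "logs"; "log" does not exist)
docker-compose up       ## create and start containers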
重启容器
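## Recreate the stack after a configuration change.
## NOTE(review): -v also removes the anonymous volumes attached to the containers. Harbor's
## data appears to live on the bind mounts configured above, so registry content should
## survive, but verify that before running this against a live instance.
docker-compose down -v
vi harbor.cfg          ## edit the settings to change
vi docker-compose.yml  ## edit the settings to change
## Re-run the prepare step so the rendered configuration matches the edited files.
## (The original had a stray "- " in front of this command.)
./prepare
docker-compose up -d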
# Authenticate the Docker client against the registry. The name given here must match the
# /etc/docker/certs.d/<name> directory and a SAN in the server certificate; if nginx's 443
# was remapped to 5443 in docker-compose.yml, the target is 192.168.3.35:5443 instead.
# Prefer `--password-stdin` to typing the password on the command line (shell history, ps).
docker login 192.168.3.35
在客户端机器(如 192.168.3.34)上,把 ca.crt 复制到 /etc/docker/certs.d/192.168.3.35/ 目录下(目录名须与 docker login 使用的地址一致);客户端只需要 CA 证书,不要把服务端私钥 harbor.key 分发到客户端。
在192.168.3.34登录192.168.3.35的harbor:
在192.168.3.34push镜像到192.168.3.35的harbor私服:
浏览器访问https://192.168.3.35
使用 admin/Harbor12345 登录成功并查看从 192.168.3.34 push 的镜像(Harbor12345 是公开的默认密码,首次登录后应立即修改)。
参考&踩坑足迹:
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
http://www.youdzone.com/signature.html
https://www.jianshu.com/p/0046add931df
https://www.jianshu.com/p/44a3efae1d84
https://www.jianshu.com/p/f9b8a3e62af1
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
http://www.apetec.com/support/GenerateSAN-CSR.htm
http://blog.zencoffee.org/2013/04/creating-and-signing-an-ssl-cert-with-alternative-names/
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
https://zhuanlan.zhihu.com/p/26646377
https://blog.csdn.net/u013066244/article/details/78725842/