Docker
1) Install dependency packages:
yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
2) Install with the official one-click script
curl -fsSL get.docker.com -o get-docker.sh
sh get-docker.sh --mirror Aliyun
3) Add kernel parameters
tee -a /etc/sysctl.conf <<-EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
Set net.ipv4.ip_forward to 1:
sysctl -w net.ipv4.ip_forward=1
To make the setting permanent, edit /etc/sysctl.conf and change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1, then reload the kernel parameters:
sysctl -p
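The `tee -a` above appends its two lines again on every re-run, and the ip_forward change is a manual edit. As an added example that is not from the original page, the shell helper below sets a sysctl key idempotently: an existing line for the key, even a commented-out one, is rewritten in place, and a line is appended only when the key is absent. Function names and the file used while testing are this example's own.

```shell
# Idempotent replacement for `tee -a` / hand-editing: set KEY = VALUE in a
# sysctl-style file. Re-running it never appends a duplicate line; an
# existing line for the key (even a commented-out one) is rewritten in place.
# Usage: ensure_sysctl /etc/sysctl.conf net.ipv4.ip_forward 1
ensure_sysctl() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    # Escape the dots so they match literally in the regex.
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[#[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -E "s|^[#[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Number of active (uncommented) lines defining KEY in FILE: exactly 1 after
# ensure_sysctl, however many times it was run.
count_key() {
    grep -Ec "^${1}[[:space:]]*=" "$2" || true
}

# The three settings from the steps above, applied to the real file
# (needs root; afterwards run `sysctl -p` as in the text):
#   for k in net.bridge.bridge-nf-call-ip6tables \
#            net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward; do
#       ensure_sysctl /etc/sysctl.conf "$k" 1
#   done
```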
4) Start Docker
systemctl enable docker && systemctl start docker
Compose
Compose is a command-line tool from Docker for defining and running applications made up of multiple containers. With Compose, each service of an application is declared in a YAML file, and a single command creates and starts the whole application.
Because of domestic network policy, downloads from overseas sites can be slow; it is recommended to download the file locally and then upload it to the server.
1) Download docker-compose and make it executable
# curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
NFS
Server side
1) Install the required RPM packages
yum -y install nfs-utils rpcbind
2) Create the NFS shared directory
mkdir -p /data/harbor_data
chown nobody:nobody /data/harbor_data/
3) Edit the NFS server configuration file
echo "/data/harbor_data 192.168.166.0/24(rw,sync,no_root_squash)" >> /etc/exports
4) Start the NFS server
systemctl enable rpcbind && systemctl restart rpcbind
systemctl enable nfs && systemctl restart nfs
Client side
1) Install nfs-utils
yum -y install nfs-utils
2) Check NFS connectivity from the NFS client
# showmount -e 192.168.166.122
Export list for 192.168.166.122:
/data/harbor_data 192.168.166.0/24
Timeouts:
Add the following settings to /etc/sysconfig/nfs:
RQUOTAD_PORT=30001
LOCKD_TCPPORT=30002
LOCKD_UDPPORT=30002
MOUNTD_PORT=30003
STATD_PORT=30004
Restart the rpcbind and nfs services:
systemctl restart rpcbind.service
systemctl restart nfs.service
Add the following to /etc/modprobe.d/lockd.conf:
options lockd nlm_tcpport=30002
options lockd nlm_udpport=30002
Reload the NFS configuration and services:
systemctl restart nfs-config
systemctl restart nfs-idmap
systemctl restart nfs-lock
systemctl restart nfs-server
Open the new ports in the firewall:
# 111 2049 30001 30002 30003 30004 tcp/udp
firewall-cmd --add-port=111/tcp --permanent
firewall-cmd --add-port=111/udp --permanent
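The firewall step above lists six ports in its comment but shows the rule only for 111. As an added example, not from the original page, the shell helper below reads the two files edited in this section, checks that the lockd ports in /etc/sysconfig/nfs and /etc/modprobe.d/lockd.conf agree, and prints the full port list plus the matching firewall-cmd lines for review. Function names are this example's own.

```shell
# Cross-check the fixed-port NFS settings from the two files edited above.
# The tutorial pins lockd's port in both /etc/sysconfig/nfs (LOCKD_*PORT)
# and /etc/modprobe.d/lockd.conf (nlm_*port); a firewall rule taken from
# one file is useless if lockd actually binds the port from the other,
# so the two values must agree.

# Value of NAME=1234 in a sysconfig-style file (last occurrence wins).
nfs_cfg_value() { sed -n "s/^$1=\([0-9]*\).*/\1/p" "$2" | tail -n 1; }
# Value of an "options lockd name=1234" entry in a modprobe file.
lockd_opt_value() { sed -n "s/^options lockd.*$1=\([0-9]*\).*/\1/p" "$2" | tail -n 1; }

# Print the complete port list on one line: 111 (rpcbind), 2049 (nfsd)
# and the pinned helper ports. Returns 1 on a lockd port mismatch.
# Usage: nfs_port_list /etc/sysconfig/nfs /etc/modprobe.d/lockd.conf
nfs_port_list() {
    sysconf="$1"; lockdconf="$2"
    lockd_tcp=$(nfs_cfg_value LOCKD_TCPPORT "$sysconf")
    lockd_udp=$(nfs_cfg_value LOCKD_UDPPORT "$sysconf")
    nlm_tcp=$(lockd_opt_value nlm_tcpport "$lockdconf")
    nlm_udp=$(lockd_opt_value nlm_udpport "$lockdconf")
    if [ "$lockd_tcp" != "$nlm_tcp" ] || [ "$lockd_udp" != "$nlm_udp" ]; then
        echo "lockd port mismatch: sysconfig $lockd_tcp/$lockd_udp," \
             "modprobe $nlm_tcp/$nlm_udp" >&2
        return 1
    fi
    {
        echo 111; echo 2049
        for v in RQUOTAD_PORT LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT; do
            nfs_cfg_value "$v" "$sysconf"
        done
    } | grep -E '^[0-9]+$' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Emit the firewall-cmd lines for every port, tcp and udp, for review
# before applying them (pipe the output into sh to apply).
nfs_firewall_cmds() {
    for p in $(nfs_port_list "$1" "$2"); do
        for proto in tcp udp; do
            echo "firewall-cmd --add-port=${p}/${proto} --permanent"
        done
    done
    echo "firewall-cmd --reload"
}
```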
3) Mount the NFS share
Create the mount point
mkdir /data
Add the following line to /etc/fstab:
192.168.166.122:/data/harbor_data /data nfs defaults 0 0
Mount it:
mount -a
Redis: install the service
$ wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
$ yum -y install redis
4.2 Edit the configuration
$ vim /etc/redis.conf
#bind 127.0.0.1    # comment out the bind line to allow connections from any host;
daemonize yes      # change no to yes so redis runs as a daemon (with a source install this lets systemctl manage it);
requirepass redis  # password for redis connections (if it contains a # character the later Harbor connection fails unless it is escaped; for simplicity avoid special characters)
4.3 Start the service
$ systemctl start redis && systemctl enable redis && systemctl status redis
4.4 Verify the service
1. Check the port
$ ss -ntulp | grep 6379
tcp LISTEN 0 128 *:6379 *:* users:(("redis-server",pid=21133,fd=5))
tcp LISTEN 0 128 [::]:6379 [::]:* users:(("redis-server",pid=21133,fd=4))
2. Test a client connection to Redis
## Copying only the redis-cli binary over did not connect; once redis was installed on the clients the test went through
# find the redis-cli binary and copy it to the clients
$ which redis-cli
/usr/local/bin/redis-cli
$ scp /usr/local/bin/redis-cli 172.16.215.135:/usr/local/bin/
$ scp /usr/local/bin/redis-cli 172.16.215.136:/usr/local/bin/
[root@harbor-2 harbor]# redis-cli -h 172.16.215.137 -a redis
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
172.16.215.137:6379> ping
PONG
Deploy the PostgreSQL service
$ useradd postgres
$ id postgres
uid=1000(postgres) gid=1000(postgres) 组=1000(postgres)
Install dependency packages
$ yum -y install readline-devel zlib-devel gcc zlib
Download and extract the source
$ wget https://ftp.postgresql.org/pub/source/v13.5/postgresql-13.5.tar.gz --no-check-certificate
$ tar zxvf postgresql-13.5.tar.gz -C /app/
Compile and install
$ cd /app/postgresql-13.5/
$ ./configure --prefix=/usr/local/postgresql
$ make && make install
5.5 Create the data directory
$ mkdir -p /data/postgresql/data
$ chown -R postgres:postgres /usr/local/postgresql/
$ chown -R postgres:postgres /data/postgresql/data/
5.6 Set environment variables
[root@harbor-store postgresql-13.5]# su - postgres
[postgres@harbor-store ~]$ vim .bash_profile
PGHOME=/usr/local/postgresql   # PostgreSQL install directory
export PGHOME
PGDATA=/data/postgresql/data   # database data directory
export PGDATA
PATH=$PATH:$HOME/bin:$HOME/.local/bin:$PGHOME/bin
export PATH
[postgres@harbor-store ~]$ source ./.bash_profile
[postgres@harbor-store ~]$ which psql
/usr/local/postgresql/bin/psql
[postgres@harbor-store ~]$ psql -V
psql (PostgreSQL) 13.5
5.7 Initialize the database
[postgres@harbor-store ~]$ initdb
......
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
pg_ctl -D /data/postgresql/data -l logfile start
# this means initialization succeeded
5.8 Start PostgreSQL
[postgres@harbor-store ~]$ pg_ctl -D /data/postgresql/data -l logfile start
waiting for server to start.... done
server started
5.9 Set the PostgreSQL password
By default a local PostgreSQL login needs no password, because the local entry in pg_hba.conf is set to trust. For security, set a password.
If the password is ever forgotten, the trust setting can be used to log in and then change it.
[postgres@harbor-store ~]$ psql
psql (13.5)
Type "help" for help.
postgres=# \password
Enter new password:   # type the new password
Enter it again:       # type it again to confirm
postgres=# \q         # quit
5.10 Allow remote logins to PostgreSQL
[postgres@harbor-store ~]$ vim /data/postgresql/data/postgresql.conf
listen_addresses = '*'   # listen on all addresses
port = 5432
[postgres@harbor-store ~]$ vi /data/postgresql/data/pg_hba.conf
# IPv4 local connections: add the server IPs
host all all x.x.x.x/32 trust
host all all x.x.x.x/32 trust
host all all x.x.x.x/32 trust
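The pg_hba.conf lines above use trust for the remote hosts, so any client on those addresses connects as any role, postgres included, with no password at all; the password set in 5.9 and the one placed in harbor.yml later are never checked for them. As an added example, not from the page, the shell helper below audits a pg_hba.conf for such entries and prints a hardened copy that uses scram-sha-256 for network entries; function names are this example's own and the file path is an argument.

```shell
# Audit pg_hba.conf for network entries (host, hostssl, hostnossl) whose
# method is "trust": any client matching such a line logs in as any role,
# postgres included, without a password. Prints the offending lines and
# returns 1 if there are any, 0 otherwise.
# Usage: pg_hba_trust_lines /data/postgresql/data/pg_hba.conf
pg_hba_trust_lines() {
    awk '
        { line = $0; sub(/#.*/, "") }      # ignore whole-line and trailing comments
        NF == 0 { next }
        $1 ~ /^host(ssl|nossl)?$/ && $NF == "trust" { found = 1; print line }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Print a hardened copy (to stdout, not in place) in which "trust" on
# network entries becomes scram-sha-256; comments and other lines are
# kept as they are, trailing comments on rewritten lines are dropped.
# PostgreSQL 13 stores passwords as md5 by default, and scram-sha-256
# authentication only works for passwords stored as SCRAM, so set
# password_encryption = scram-sha-256 in postgresql.conf and re-run
# \password (5.9) before switching, or use md5 here instead.
pg_hba_harden() {
    awk '
        {
            line = $0; sub(/#.*/, "")
            if ($1 ~ /^host(ssl|nossl)?$/ && $NF == "trust") {
                $NF = "scram-sha-256"; print; next
            }
            print line
        }
    ' "$1"
}
```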
5.11 Restart PostgreSQL
$ pg_ctl -D /data/postgresql/data -l /data/postgresql/data/postgres.log restart
waiting for server to shut down.... done
server stopped
waiting for server to start.... done
server started
5.12 Create the databases
Harbor currently supports only PostgreSQL. The three databases registry, notary_signer and notary_servers must be created manually on the external PostgreSQL; Harbor creates the tables inside them automatically on startup. It is advisable to create a non-superuser account and grant it access to these three databases.
[postgres@harbor-store ~]$ psql
Password for user postgres:   # enter the password
postgres=# create database registry;
CREATE DATABASE
postgres=# create database notary_signer;
CREATE DATABASE
postgres=# create database notary_servers;
CREATE DATABASE
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
----------------+----------+----------+-------------+-------------+-----------------------
notary_servers | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
notary_signer | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
registry | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
(6 rows)
5.13 Create a user
postgres=# create user test with password 'test';
CREATE ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------------------+-----------
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
test | | {}
7. Deploy the Harbor instance
7.1 Download and extract the offline installer
$ mkdir /app   # create the install directory
$ wget https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz
$ tar zxvf harbor-offline-installer-v2.3.5.tgz -C /app/
7.2 Edit the configuration file
$ cd /app/harbor
$ cp harbor.yml.tmpl harbor.yml
$ vi harbor.yml
hostname: XXXXX
http:
  port: 8090
# disable HTTPS access:
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
external_database:
  harbor:
    host: XXXXX
    port: 5432
    db_name: registry
    username: postgres
    password: postgres
    ssl_mode: disable
    max_idle_conns: 2
    max_open_conns: 0
  notary_signer:
    host: XXXX
    port: 5432
    db_name: notary_signer
    username: postgres
    password: postgres
    ssl_mode: disable
  notary_server:
    host: XXXXX
    port: 5432
    db_name: notary_server
    username: postgres
    password: postgres
    ssl_mode: disable
external_redis:
  host: XXXX:6379
  password: redis
  registry_db_index: 1
  jobservice_db_index: 2
  chartmuseum_db_index: 3
  trivy_db_index: 5
  idle_timeout_seconds: 30
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
metric:
  enabled: true
  port: 9090
  path: /metrics
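Before running ./prepare, confirm that every db_name under external_database exists on the PostgreSQL server; with the values shown on this page the check below reports notary_server missing, because the database created in 5.12 is named notary_servers and the two names must match for Harbor to connect. The shell helper is an added example, not from the page or from Harbor: it reads harbor.yml plus a one-name-per-line list of existing databases, and its function names and sample inputs are this example's own.

```shell
# Pre-flight check before ./prepare: every db_name under external_database
# in harbor.yml must already exist on the PostgreSQL server.
# Usage: harbor_missing_dbs /app/harbor/harbor.yml dblist
# where dblist holds one database name per line, e.g. generated on the
# database host with:  psql -Atc "select datname from pg_database" > dblist

# Print the db_name values inside the external_database section only
# (the section ends at the next unindented key, e.g. external_redis:).
harbor_db_names() {
    awk '
        /^external_database:/ { in_db = 1; next }
        in_db && /^[^[:space:]#]/ { in_db = 0 }
        in_db && $1 == "db_name:" { gsub(/"/, "", $2); print $2 }
    ' "$1"
}

# Report each configured database that is absent from the list;
# returns 1 if any is missing, 0 when the configuration is consistent.
harbor_missing_dbs() {
    yml="$1"; dblist="$2"; missing=0
    for db in $(harbor_db_names "$yml"); do
        if ! grep -qx "$db" "$dblist"; then
            echo "missing database: $db"
            missing=1
        fi
    done
    return $missing
}
```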
7.3 Inject the configuration into the components and install
$ ./prepare
$ ./install.sh