Harbor series, part 3: Installing a Harbor registry in a Docker environment (HTTPS deployment)

Harbor is an open-source, cloud-native image registry: an enterprise-grade Registry server for storing and distributing container images. It extends the open-source Docker Distribution with features enterprises need, such as security, identity and management. As an enterprise-grade private Registry server, Harbor offers better performance and security.

This article records installing and deploying a Harbor registry in a Docker environment, using HTTPS with a self-signed certificate.

The deployment in this article uses Harbor v2.11.0 with the offline installer package. For the latest official installation steps see: https://goharbor.io/docs/latest/install-config/

1. Preparation

  1. Download the Harbor offline installer

Download the offline installer from the Harbor GitHub releases page, for example harbor-offline-installer-v2.11.0.tgz.

  2. Install Docker and Docker Compose

Make sure Docker and Docker Compose are installed on the target machine.

On a Linux host: Docker 20.10.10-ce or later and Docker Compose 1.18.0 or later are required.

  3. Certificates

Generate the certificate authority (CA) certificate and private key:

# Set the hostname
root@ubuntu-svr:~# hostnamectl set-hostname harbor

root@harbor:~# mkdir -p /data/harbor/certs
root@harbor:~# cd /data/harbor/certs/
root@harbor:/data/harbor/certs# openssl genrsa -out ca.key 4096

root@harbor:/data/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/C=CN/ST=Beijing/L=Beijing/O=matrix/OU=test/CN=harbor.test.com"  -key ca.key  -out ca.crt
root@harbor:/data/harbor/certs# ls
ca.crt  ca.key

Generate the server private key and certificate signing request (CSR):

root@harbor:/data/harbor/certs# openssl genrsa -out harbor.test.com.key 4096
# Generate the certificate signing request
root@harbor:/data/harbor/certs# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=matrix/OU=test/CN=harbor.test.com" -key harbor.test.com.key  -out harbor.test.com.csr
root@harbor:/data/harbor/certs# ls
ca.crt  ca.key  harbor.test.com.csr  harbor.test.com.key

Generate the x509 v3 extension file:

root@harbor:/data/harbor/certs# cat v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.test.com
DNS.2=test.com
DNS.3=harbor

Use the v3.ext file to generate the certificate for the Harbor server:

root@harbor:/data/harbor/certs# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.test.com.csr -out harbor.test.com.crt
Certificate request self-signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = matrix, OU = test, CN = harbor.test.com

Convert harbor.test.com.crt to harbor.test.com.cert for Docker to use. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates:

root@harbor:/data/harbor/certs# openssl x509 -inform PEM -in harbor.test.com.crt -out harbor.test.com.cert
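The certificate steps above, collected into one script as an added example (this is not the post's or Harbor's own code). It assumes openssl is on PATH and that the hostname and IP address passed in are placeholders for your own values. It goes one step beyond the post: the extension file also carries an IP SAN, so a client that addresses the registry by IP is not rejected with "doesn't contain any IP SANs", and a verify step confirms that the leaf certificate chains to the CA and carries both SANs before the files are handed to Harbor and Docker.

```shell
#!/bin/sh
# Added example (not from the original post): generate a CA and a SAN-bearing
# server certificate in one go, then verify the result before deploying it.
# Assumptions: openssl is on PATH; <fqdn> and <ip> are placeholders.
set -eu

# issue_certs <out_dir> <fqdn> <ip>
# Writes ca.key, ca.crt, <fqdn>.key, <fqdn>.csr, <fqdn>.crt and <fqdn>.cert
issue_certs() {
  dir="$1"; fqdn="$2"; ip="$3"
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (same subject layout as the post)
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=matrix/OU=test/CN=$fqdn" \
    -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR
  openssl genrsa -out "$dir/$fqdn.key" 4096 2>/dev/null
  openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=matrix/OU=test/CN=$fqdn" \
    -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
  # v3 extension file: the post's entries plus an IP SAN, so that a client
  # using the IP address does not fail with "doesn't contain any IP SANs".
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$fqdn
DNS.2=${fqdn#*.}
DNS.3=${fqdn%%.*}
IP.1=$ip
EOF
  # Sign the CSR with the CA; ca.srl is created next to ca.crt
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt" 2>/dev/null
  # Docker reads the server certificate from certs.d with the .cert suffix
  openssl x509 -inform PEM -in "$dir/$fqdn.crt" -out "$dir/$fqdn.cert"
}

# verify_certs <out_dir> <fqdn> <ip>: the leaf must validate against the CA
# and carry the expected DNS and IP SANs. Prints "ok" and returns 0 on success.
verify_certs() {
  dir="$1"; fqdn="$2"; ip="$3"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt" >/dev/null
  sans=$(openssl x509 -noout -ext subjectAltName -in "$dir/$fqdn.crt")
  case "$sans" in *"DNS:$fqdn"*) ;; *) echo "missing DNS SAN" >&2; return 1;; esac
  case "$sans" in *"IP Address:$ip"*) ;; *) echo "missing IP SAN" >&2; return 1;; esac
  echo ok
}

# Usage: sh gen-certs.sh /data/harbor/certs harbor.test.com 192.168.0.159
if [ $# -eq 3 ]; then
  issue_certs "$@" && verify_certs "$@"
fi
```

The script name gen-certs.sh is hypothetical. The verify_certs check is the one to rerun after any certificate renewal: a certificate that validates locally against ca.crt but lacks the SAN a client connects with will still be rejected by that client.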

2. Installation and deployment

Upload harbor-offline-installer-v2.11.0.tgz to the machine to be deployed and extract it:

root@harbor:~# tar xf harbor-offline-installer-v2.11.0.tgz
root@harbor:~# cd harbor/
root@harbor:~/harbor# ls
common.sh  harbor.v2.11.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare

Configure Harbor:

root@harbor:~/harbor# cp harbor.yml.tmpl harbor.yml
root@harbor:~/harbor# vi harbor.yml

Edit the harbor.yml file and configure it according to your needs:

hostname: harbor.test.com   # use a domain name
...
http:
  port: 80  # http port
...
harbor_admin_password: Harbor12345  # admin password for the web UI
...
database:
  password: root123 # root password of the backend database
...
data_volume: /data/harbor  # data storage path

...
https:
  # https port for harbor, default is 443
  port: 443     # https port
  # The path of cert and key files for nginx
  certificate: /data/harbor/certs/harbor.test.com.cert
  private_key: /data/harbor/certs/harbor.test.com.key
  # enable strong ssl ciphers (default: false)
  # strong_ssl_ciphers: false

...

Load the images and start Harbor:

# Run the installer
root@harbor:~/harbor# bash install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 26.1.3

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.27.0

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v2.11.0
Loaded image: goharbor/harbor-db:v2.11.0
Loaded image: goharbor/nginx-photon:v2.11.0
Loaded image: goharbor/trivy-adapter-photon:v2.11.0
Loaded image: goharbor/redis-photon:v2.11.0
Loaded image: goharbor/registry-photon:v2.11.0
Loaded image: goharbor/prepare:v2.11.0
Loaded image: goharbor/harbor-portal:v2.11.0
Loaded image: goharbor/harbor-log:v2.11.0
Loaded image: goharbor/harbor-jobservice:v2.11.0
Loaded image: goharbor/harbor-registryctl:v2.11.0
Loaded image: goharbor/harbor-exporter:v2.11.0


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir


Note: stopping existing Harbor instance ...
WARN[0000] /root/harbor/docker-compose.yml: `version` is obsolete
[+] Running 10/10
 ✔ Container registryctl        Removed     0.3s
 ✔ Container harbor-jobservice  Removed     0.4s
 ✔ Container nginx              Removed     0.0s
 ✔ Container harbor-portal      Removed     0.3s
 ✔ Container harbor-core        Removed     3.1s
 ✔ Container registry           Removed     0.2s
 ✔ Container redis              Removed     0.3s
 ✔ Container harbor-db          Removed     0.2s
 ✔ Container harbor-log         Removed    10.2s
 ✔ Network harbor_harbor        Removed     0.2s


[Step 5]: starting Harbor ...
WARN[0000] /root/harbor/docker-compose.yml: `version` is obsolete
[+] Running 10/10
 ✔ Network harbor_harbor        Created     0.1s
 ✔ Container harbor-log         Started     0.3s
 ✔ Container harbor-db          Started     1.0s
 ✔ Container redis              Started     0.9s
 ✔ Container harbor-portal      Started     0.9s
 ✔ Container registry           Started     1.0s
 ✔ Container registryctl        Started     1.3s
 ✔ Container harbor-core        Started     1.4s
 ✔ Container nginx              Started     2.0s
 ✔ Container harbor-jobservice  Started     1.9s
✔ ----Harbor has been installed and started successfully.----

Notes:

  1. If containers with the same names already exist on the machine (for example redis or nginx), the Harbor deployment will also fail; stop any potentially conflicting containers before deploying.
  2. Watch for port conflicts: if a web server such as nginx or httpd is already running locally, change the ports.
  3. To install the Trivy scanner: ./install.sh --with-trivy

3. Checking the deployment

  1. Check the Harbor service status

[root@harbor harbor]# docker ps
CONTAINER ID   IMAGE                                               COMMAND                  CREATED          STATUS                   PORTS                                   NAMES
cb5c79df4e4c   goharbor/harbor-jobservice:v2.11.0                  "/harbor/entrypoint.…"   3 minutes ago    Up 3 minutes (healthy)                                           harbor-jobservice
39486ae87f17   goharbor/nginx-photon:v2.11.0                       "nginx -g 'daemon of…"   3 minutes ago    Up 3 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
09098205ec51   goharbor/harbor-core:v2.11.0                        "/harbor/entrypoint.…"   3 minutes ago    Up 3 minutes (healthy)                                           harbor-core
0e968a41d58c   goharbor/redis-photon:v2.11.0                       "redis-server /etc/r…"   3 minutes ago    Up 3 minutes (healthy)                                           redis
8552f9919837   goharbor/harbor-db:v2.11.0                          "/docker-entrypoint.…"   3 minutes ago    Up 3 minutes (healthy)                                           harbor-db
4985901e00f5   goharbor/harbor-portal:v2.11.0                      "nginx -g 'daemon of…"   3 minutes ago    Up 3 minutes (healthy)                                           harbor-portal
9c297f67dd64   goharbor/harbor-registryctl:v2.11.0                 "/home/harbor/start.…"   3 minutes ago    Up 3 minutes (healthy)                                           registryctl
e0d91f7bfd29   goharbor/registry-photon:v2.11.0                    "/home/harbor/entryp…"   3 minutes ago    Up 3 minutes (healthy)                                           registry
3c06f80eb9f0   goharbor/harbor-log:v2.11.0                         "/bin/sh -c /usr/loc…"   3 minutes ago    Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp               harbor-log

  2. Access the Harbor web UI

Open a browser and go to https://harbor.test.com (or https://<ip>), then log in with the administrator username (admin by default) and the password set in the configuration file.

  3. Test pushing an image

Configure the Docker client:

root@harbor:~# mkdir -p /etc/docker/certs.d/harbor.test.com
root@harbor:~# cp /data/harbor/certs/harbor.test.com.cert /etc/docker/certs.d/harbor.test.com/

Edit Docker's daemon.json so that it trusts the harbor.test.com registry:

[root@k8s ~]# cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": [
        "https://registry.docker-cn.com",
        "https://registry-1.docker.io",
        "https://registry.hub.docker.com",
        "https://mirror.baidubce.com",
        "https://ccr.ccs.tencentyun.com",
        "https://wnsrsn9i.mirror.aliyuncs.com"
    ],
   "insecure-registries": ["192.168.0.159", "harbor.test.com"]
}

After editing, restart the Docker service for the change to take effect.

Test the login:

[root@k8s ~]# docker login -u admin -p Harbor12345 harbor.test.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Test pushing an image:

[root@k8s ~]# docker tag 192.168.0.159/library/nginx:1.27.0 harbor.test.com/library/nginx:1.27.0
[root@k8s ~]# docker push harbor.test.com/library/nginx:1.27.0
The push refers to repository [harbor.test.com/library/nginx]
3cf30c944fca: Pushed
16d40ad06803: Pushed
cf1614267117: Pushed
e5ec4dd3995c: Pushed
e8186e892c11: Pushed
a9a1ca1cae25: Pushed
1387079e86ad: Pushed
1.27.0: digest: sha256:9d1cac272a1ff8c4f4d6607940f179c9716b28c956231e61ae40a63990400c15 size: 1778

Note:

library is the project that Harbor ships with by default; create custom projects to hold your container images as needed.

4. Troubleshooting common problems

  1. Make sure the firewall allows Harbor's ports

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

  2. Check the Docker and Docker Compose versions

Make sure the installed Docker and Docker Compose versions meet Harbor's minimum requirements.

  3. x509: cannot validate certificate

[root@k8s ~]# docker login -u admin -p Harbor12345 192.168.0.157
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://192.168.0.157/v2/: x509: cannot validate certificate for 192.168.0.157 because it doesn't contain any IP SANs

Fix: log in using the domain name instead.

  4. 502 Bad Gateway

[root@k8s ~]# docker login -u admin -p Harbor12345 harbor.test.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: login attempt to https://harbor.test.com/v2/ failed with status: 502 Bad Gateway

Fix:

Restart the Docker service on the machine where Harbor is deployed, then log in again:

[root@k8s ~]# docker login -u admin -p Harbor12345 harbor.test.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

  5. Testing the login with docker on the Harbor host itself reports the following error:

root@harbor:~# docker login -u admin -p Harbor12345 harbor.test.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "http://harbor.test.com/v2/": EOF

This error usually means Docker cannot connect to the specified Harbor instance. Since this was a local test there was no network connectivity problem; further investigation showed that a proxy configured for Docker was the cause, and after removing the proxy the test passed.

  6. A pod deployed on k8s fails to pull from Harbor with "x509: certificate signed by unknown authority"

The locally deployed Harbor uses HTTPS with a self-signed certificate, which is not trusted by default. Docker, containerd or CRI-O (depending on the container runtime k8s uses) must be configured to trust the Harbor registry.
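One way to make a client node trust the self-signed CA, added here as an example that is not from the original post. It covers both the Docker client configuration in section 3 and the containerd case from this last troubleshooting item (CRI-O is not covered). It assumes Docker's certs.d layout and containerd's per-registry hosts.toml layout, which requires `config_path = "/etc/containerd/certs.d"` in /etc/containerd/config.toml; the `<root>` argument is a hypothetical prefix so the functions can be exercised against a scratch directory. Note the difference from the daemon.json in section 3: placing ca.crt under certs.d lets the daemon verify Harbor's certificate, whereas listing the host under insecure-registries tells the daemon to skip that verification, so the check function flags that setting.

```shell
#!/bin/sh
# Added example (not from the original post): distribute the self-signed CA to
# the container runtimes on a client node so they validate Harbor's certificate
# instead of skipping validation via "insecure-registries".
# Assumptions: Docker certs.d layout; containerd hosts.toml layout with
# config_path = "/etc/containerd/certs.d" in config.toml; <root> is a prefix
# ("/" on a real node, a scratch directory when testing).
set -eu

# trust_harbor_ca <root> <registry_host> <ca_crt>
trust_harbor_ca() {
  root="$1"; host="$2"; ca="$3"
  # Docker: /etc/docker/certs.d/<host>/ca.crt is used to verify the server cert
  mkdir -p "$root/etc/docker/certs.d/$host"
  cp "$ca" "$root/etc/docker/certs.d/$host/ca.crt"
  # containerd (used by kubelet on most k8s nodes): one hosts.toml per registry
  mkdir -p "$root/etc/containerd/certs.d/$host"
  cp "$ca" "$root/etc/containerd/certs.d/$host/ca.crt"
  cat > "$root/etc/containerd/certs.d/$host/hosts.toml" <<EOF
server = "https://$host"

[host."https://$host"]
  capabilities = ["pull", "resolve", "push"]
  ca = "/etc/containerd/certs.d/$host/ca.crt"
EOF
}

# check_trust <root> <registry_host>: prints "ok" and returns 0 when the CA is
# in place for both runtimes AND the host is not listed under
# insecure-registries in daemon.json (which would disable verification).
check_trust() {
  root="$1"; host="$2"
  [ -s "$root/etc/docker/certs.d/$host/ca.crt" ] \
    || { echo "docker ca.crt missing for $host"; return 1; }
  [ -s "$root/etc/containerd/certs.d/$host/hosts.toml" ] \
    || { echo "containerd hosts.toml missing for $host"; return 1; }
  dj="$root/etc/docker/daemon.json"
  # Strip whitespace so the array can be matched with a single grep
  if [ -f "$dj" ] && tr -d ' \t\n' < "$dj" \
       | grep -q "\"insecure-registries\":\[[^]]*\"$host\""; then
    echo "$host is listed as insecure; remove it so TLS is verified"
    return 1
  fi
  echo ok
}

# Usage: sh trust-ca.sh / harbor.test.com /data/harbor/certs/ca.crt
# then restart docker and containerd so they pick up the new files.
if [ $# -eq 3 ]; then
  trust_harbor_ca "$@" && check_trust "$1" "$2"
fi
```

The script name trust-ca.sh is hypothetical. The CA certificate is the only file a client needs; the server's private key never leaves the Harbor host.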
