作者从毕业开始一直从事游戏开发,提供大量游戏实战模块代码及案例供大家学习与交流,希望以下知识可以带来一些帮助,如有任何疑问,请加群641792143交流与学习. 或关注微信公众号 程序员干货区
闻道有先后,术业有专攻,希望大家不吝赐教
Harbor安装
下载安装包/解压:
[root@localhost harbor]# ll
总用量 551220
drwxr-xr-x 3 root root 20 7月 12 15:22 common
-rw-r----- 1 root root 5401 7月 12 15:30 docker-compose.yml
-rw-r--r-- 1 root root 564403568 6月 17 11:30 harbor.v1.8.1.tar.gz
-rw-r--r-- 1 root root 4510 7月 12 15:30 harbor.yml
-rwxr-xr-x 1 root root 5088 6月 17 11:29 install.sh
-rw-r--r-- 1 root root 11347 6月 17 11:29 LICENSE
-rwxr-xr-x 1 root root 1654 6月 17 11:29 prepare
配置HTTPS所需证书
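# Working directory for the CA and the registry's key material. harbor.yml below
# points nginx at /root/data for the server certificate and key. /data is created
# as in the original walkthrough (presumably Harbor's data directory — confirm
# against harbor.yml's data_volume setting).
mkdir /data
mkdir /root/data
# Without the guard a failed cd would leave the keys in whatever the current
# directory happens to be.
cd /root/data || exit 1
# Self-signed CA certificate valid for 10 years. -nodes writes ca.key
# unencrypted; the directory listing later in this guide shows it created
# world-readable (-rw-r--r--), so tighten it right away. Only ca.crt needs to
# be distributed (to /etc/docker/certs.d/<registry>/ on clients); ca.key only
# has to be present for the signing step and should otherwise stay restricted.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
chmod 600 ca.key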
#------------------------------------------------------------
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Harbin
Locality Name (eg, city) []:Harbin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ydgw
Organizational Unit Name (eg, section) []:ydgw
Common Name (e.g. server FQDN or YOUR name) []:192.168.0.59
Email Address []:liuyajun@ydgw.cn
#------------------------------------------------------------
# Certificate signing request plus private key for the registry host.
# -nodes leaves the server key unencrypted so nginx can load it without a
# passphrase prompt; keep it in the same restricted directory as the CA key.
host=192.168.0.59
openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout "${host}.key" \
  -out "${host}.csr"
#------------------------------------------------------------
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Harbin
Locality Name (eg, city) []:Harbin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ydgw
Organizational Unit Name (eg, section) []:ydgw
Common Name (e.g. server FQDN or YOUR name) []:192.168.0.59
Email Address []:liuyajun@ydgw.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #密码留空即可
An optional company name []:
#------------------------------------------------------------
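# openssl ca keeps an issuance database (index.txt) and the next serial number
# (serial) under the directory named by [ CA_default ] dir in openssl.cnf. On the
# system used for this transcript (/usr/lib/ssl/openssl.cnf) that appears to be
# ./demoCA; on CentOS it is /etc/pki/CA — see "错误1" below.
# Paths are written out explicitly instead of cd demoCA / cd .. so that a failed
# cd cannot make the trailing cd .. climb out of /root/data.
mkdir -p demoCA || exit 1
touch demoCA/index.txt
# Serial must be an even number of hex digits.
echo '01' > demoCA/serial
ll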
#------------------------------------------------------------
total 28
drwxr-xr-x 3 root root 4096 Jan 30 22:11 ./
drwx------ 5 root root 4096 Jan 30 22:09 ../
-rw-r--r-- 1 root root 1740 Jan 31 01:38 192.168.0.59.csr
-rw-r--r-- 1 root root 3272 Jan 31 01:38 192.168.0.59.key
-rw-r--r-- 1 root root 2098 Jan 31 01:37 ca.crt
-rw-r--r-- 1 root root 3272 Jan 31 01:37 ca.key
drwxr-xr-x 2 root root 4096 Jan 31 01:39 demoCA/
#------------------------------------------------------------
# Sign the registry's CSR with the CA. The SAN extension matters: Go-based clients
# such as Docker validate the IP/hostname against subjectAltName, not the CN.
printf 'subjectAltName = IP:192.168.0.59\n' > extfile.cnf
# The CA database location comes from openssl.cnf ([ CA_default ] dir), not from
# the current directory — hence the demoCA setup above and "错误1" below.
# -days 3650 requests a 10-year certificate, yet the transcript that follows
# reports a 365-day validity; check the issued dates with
# `openssl x509 -in 192.168.0.59.crt -noout -dates` before relying on them.
openssl ca -in 192.168.0.59.csr -out 192.168.0.59.crt \
  -cert ca.crt -keyfile ca.key \
  -extfile extfile.cnf -days 3650 -outdir .
#------------------------------------------------------------
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 31 06:39:39 2018 GMT
Not After : Jan 31 06:39:39 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Harbin
organizationName = ydgw
organizationalUnitName = ydgw
commonName = 192.168.0.59
emailAddress =
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.0.59
Certificate is to be certified until Jan 31 06:39:39 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#------------------------------------------------------------
ll
#------------------------------------------------------------
total 48
drwxr-xr-x 3 root root 4096 Jan 30 22:20 ./
drwx------ 5 root root 4096 Jan 30 22:09 ../
-rw-r--r-- 1 root root 6873 Jan 31 01:39 01.pem
-rw-r--r-- 1 root root 6873 Jan 31 01:39 192.168.0.59.crt
-rw-r--r-- 1 root root 1740 Jan 31 01:38 192.168.0.59.csr
-rw-r--r-- 1 root root 3272 Jan 31 01:38 192.168.0.59.key
-rw-r--r-- 1 root root 2098 Jan 31 01:37 ca.crt
-rw-r--r-- 1 root root 3272 Jan 31 01:37 ca.key
drwxr-xr-x 2 root root 4096 Jan 31 01:39 demoCA/
-rw-r--r-- 1 root root 33 Jan 31 01:39 extfile.cnf
#------------------------------------------------------------
修改配置文件:
[root@localhost harbor]# cat harbor.yml
hostname: 192.168.0.59
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8080
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/data/192.168.0.59.crt
  private_key: /root/data/192.168.0.59.key
客户端使用仓库前，需要将 ca.crt 复制到以下目录下(子目录名与仓库地址一致)：
[root@localhost harbor]# tree /etc/docker/certs.d/
/etc/docker/certs.d/
└── 192.168.0.59
└── ca.crt
运行
# Run from the unpacked harbor directory (see the listing at the top). prepare is
# expected to pick up the harbor.yml edited above (including the cert/key paths);
# install.sh only runs if prepare succeeded.
./prepare && ./install.sh
测试
# Logs in over HTTPS. This succeeds only once the Docker daemon on the client
# trusts the self-signed CA, i.e. ca.crt has been placed at
# /etc/docker/certs.d/192.168.0.59/ca.crt as shown above; otherwise it fails with
# "x509: certificate signed by unknown authority" (see "错误3" below).
docker login 192.168.0.59
下载镜像并上传仓库
# Push a test image through the new registry. The tag has to be prefixed with the
# registry address so that docker push goes to Harbor rather than Docker Hub.
registry=192.168.0.59
docker pull nginx
docker tag nginx "${registry}/good/nginx"
docker push "${registry}/good/nginx"
错误1
openssl ca -in 192.168.0.59.csr -out 192.168.0.59.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -days 3650 -outdir .
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140154698893200:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140154698893200:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
解决:
# On this host the stock /etc/pki/tls/openssl.cnf points the CA database at
# /etc/pki/CA, so the index and serial files must exist there before openssl ca
# will run. The redirect creates serial, so no separate touch is needed.
ca_dir=/etc/pki/CA
touch "${ca_dir}/index.txt"
printf '00\n' > "${ca_dir}/serial"
错误2
[root@localhost data]# openssl ca -in 192.168.0.59.csr -out 192.168.0.59.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -days 3650 -outdir .
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The mandatory stateOrProvinceName field was missing
解决(注意: 这是修改系统全局的 openssl.cnf, 会放宽该主机上所有 openssl ca 签发时的策略检查; 范围更小的做法是在 openssl ca 命令上加 -policy policy_anything, 或用 -config 指定一份单独的配置文件):
vim /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
错误3
[root@k8s-master ~]# docker login 192.168.0.59
Username: admin
Password:
Error response from daemon: Get https://192.168.0.59/v2/: x509: certificate signed by unknown authority
解决:
将生成的 ca.crt 复制到客户端的 /etc/docker/certs.d/192.168.0.59/ 目录下(以仓库地址命名的子目录), 这样 Docker 守护进程才会信任该自签名 CA:
[root@k8s-master certs.d]# tree 192.168.0.59
192.168.0.59
└── ca.crt
0 directories, 1 file