Setting up your own container security environment
This article is the ultimate patchwork. I'm not very skilled and kept running into problems, so I went through many tutorials to solve them; some of them are listed below:
Harbor image registry (with Clair image scanning) - complete deployment notes
Harbor installation and configuration, the full process
Harbor installation procedure
Setting up harbor-scanner
Preparation
Prepare one VM in advance (my machine: 192.168.122.147)
Components to install
1. docker-compose
2. harbor-scanner
The deployment process is as follows:
I. Basic deployment
1. Enable SSH
systemctl enable sshd
2. Disable SELinux
vi /etc/sysconfig/selinux
Change the marked line below
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled **## change to disabled**
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
3. Install rz
yum -y install lrzsz
When uploading files afterwards, always use the -be options (-b is --binary, upload in binary mode; -e is --escape, force-escape all control characters); otherwise the uploaded file will be incomplete
rz -be
4. Install wget
yum -y install wget
5. Switch the yum repository to speed up yum
(1) Back up the current repo file
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
(2) Download the new CentOS-Base.repo into /etc/yum.repos.d/
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
Clear the cache
yum clean all
Rebuild the cache
yum makecache
6. Turn off the firewall
systemctl stop firewalld
systemctl disable firewalld
II. Component deployment
1. Python installation (CentOS 7 ships with Python 2 by default)
2. Docker installation (do not take the shortcut of yum install docker -y; it does not install the latest version)
(1) Remove old Docker packages and install the required packages yum-utils, device-mapper-persistent-data and lvm2
yum remove docker-latest-logrotate docker-logrotate docker-selinux docker docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
Possible problem: a message that the repository provided by the Docker website cannot be reached
Solution: use the Aliyun mirror node for testing
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg
yum makecache fast
yum -y install docker-ce
Start Docker and check that it is running
systemctl start docker
systemctl status docker
Add Docker to the startup services
systemctl enable docker
Check the Docker version
docker --version
3. Install pip and setuptools
(1) Offline installation
Download the latest offline packages from the official project pages (setuptools: https://pypi.org/project/setuptools/; pip from its PyPI page)
Upload the packages to the server
-rw-r--r--. 1 root root 2141309 8月 20 11:21 setuptools-57.4.0.tar.gz
-rw-r--r--. 1 root root 1564487 8月 20 11:30 pip-21.2.4.tar.gz
Unpack the files and install
tar -zxvf setuptools-57.4.0.tar.gz
tar -zxvf pip-21.2.4.tar.gz
cd setuptools-57.4.0
python setup.py install
cd pip-21.2.4
python setup.py install
(2) Point pip at a domestic mirror
vim ~/.pip/pip.conf
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
(3) Online installation
Possible problem: yum install reports an error
Solution: clear the yum cache
yum clean all
yum makecache
Install pip and setuptools
yum install python-pip
yum -y install epel-release python-pip
yum -y install python-pip
pip install --upgrade pip --user
pip install --upgrade pip ## upgrade to the latest version
yum install python-setuptools
yum install ntsysv
yum install iptables
yum install system-config-securitylevel-tui
yum install system-config-network-tui
4. Install docker-compose
Official guide
(1) Run this command to download the current stable release of Docker Compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
(2) Apply executable permissions to the binary:
sudo chmod +x /usr/local/bin/docker-compose
(3) Test the installation
docker-compose --version
(4) Upgrade
docker-compose migrate-to-labels
It can also be installed with pip:
pip install docker-compose
5. Install Harbor
Download and unpack the installer package
wget -c https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.2-rc1.tgz
tar -zxvf harbor-offline-installer-v1.8.2-rc1.tgz
cd harbor
Edit the configuration file
vim harbor.yml
Adjust as needed: hostname = IP address or domain name, harbor_admin_password = password of the admin user for the web UI
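As an added check that is not part of the original post: a small shell lint for harbor.yml, run before ./prepare, that flags the two settings above when they are still at the Harbor 1.8 template defaults (assumed to be hostname reg.mydomain.com and password Harbor12345) and notes when the https block is still commented out, in which case the registry is served over plain HTTP. The two sample files it writes are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the original post: lint harbor.yml before ./prepare.
# Assumes the Harbor 1.8 template, whose stock values are hostname
# "reg.mydomain.com" and harbor_admin_password "Harbor12345".
DEFAULT_HOSTNAME="reg.mydomain.com"
DEFAULT_ADMIN_PW="Harbor12345"

# yml_top FILE KEY: value of the top-level "KEY: value" line, comments stripped
yml_top() {
    sed -n "s/^$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_harbor_yml FILE: prints one line per finding, nothing when clean
check_harbor_yml() {
    host=$(yml_top "$1" hostname)
    pw=$(yml_top "$1" harbor_admin_password)
    if [ -z "$host" ] || [ "$host" = "$DEFAULT_HOSTNAME" ]; then
        echo "hostname: unset or still the template default"
    fi
    if [ -z "$pw" ] || [ "$pw" = "$DEFAULT_ADMIN_PW" ]; then
        echo "harbor_admin_password: unset or still the template default"
    fi
    # the template ships the https block commented out; without it the
    # registry speaks plain HTTP and docker clients must list it as insecure
    if ! grep -q '^https:' "$1"; then
        echo "https: block not enabled, Harbor will serve plain HTTP"
    fi
}

# count_findings FILE: number of findings as a plain integer (0 = ready)
count_findings() {
    check_harbor_yml "$1" | wc -l | tr -d ' '
}

# write_samples DIR: constructed stock.yml / fixed.yml for a dry run
write_samples() {
    cat > "$1/stock.yml" <<'EOF'
hostname: reg.mydomain.com
# https:
harbor_admin_password: Harbor12345
EOF
    cat > "$1/fixed.yml" <<'EOF'
hostname: 192.168.122.147   # the post's VM address
https:
  port: 443
  certificate: /data/cert/harbor.crt
  private_key: /data/cert/harbor.key
harbor_admin_password: CHANGE-ME-placeholder1
EOF
}
```

Run `write_samples` into a temporary directory and `check_harbor_yml` on each file to see the stock template produce three findings and the edited one none.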
Install Harbor:
./prepare
./install.sh --with-clair
........
........
✔ ----Harbor has been installed and started successfully.----
Check the startup status:
docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------------------------
clair ./docker-entrypoint.sh Up (healthy) 6060/tcp, 6061/tcp
clair-adapter /home/clair-adapter/entryp ... Up (healthy) 8080/tcp
harbor-core /harbor/entrypoint.sh Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/entrypoint.sh Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
Once every service's state is Up, Harbor can be accessed through the web UI:
e.g. for using the web UI, pulling images and other operations, see the first tutorial link.
6. Deploying harbor-scanner
See the fourth tutorial link.
(1) Download the Harbor-Scanner offline package and unpack it
wget https://github.com/dosec-cn/harbor-scanner/releases/download/v1.2/dosec-scanner.tgz
# unpack
tar zxf dosec-scanner.tgz
# enter the project directory
cd dosec-scanner
(2) Run the Install script
./Install.sh