一、安装docker
[root@localhost home]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@localhost home]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost home]# yum makecache fast
#指定一个路径作为docker的根目录,以免系统目录被占满
[root@localhost home]# mkdir /home/dockerData
[root@localhost home]# ln -s /home/dockerData /var/lib/docker
[root@localhost home]# yum -y install docker-ce-19.03.6
[root@localhost home]# systemctl start docker
[root@localhost home]# systemctl enable docker
[root@localhost home]# docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
scan: Docker Scan (Docker Inc., v0.8.0)
Server:
Containers: 13
Running: 13
Paused: 0
Stopped: 0
Images: 27
Server Version: 19.03.6
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
二、安装dockercompose
[root@localhost home]# curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@localhost home]# chmod +x /usr/local/bin/docker-compose
[root@localhost home]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
#或者
[root@localhost home]# yum -y install epel-release
[root@localhost home]# yum -y install docker-compose
[root@localhost home]# docker-compose --version
docker-compose version 1.25.4, build 8d51620a
三、安装harbor及使用
安装:
[root@localhost home]# wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
[root@localhost home]# tar -zxvf ./harbor-offline-installer-v1.10.1.tgz
[root@localhost home]# cd /home/harbor
#修改配置文件,端口、ip等
[root@localhost home/harbor]# vi harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.56.12
#skip_update:true
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 7655
# https related config
#https:
# https port for harbor, default is 443
#port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
#安装 — 每次修改 harbor.yml 之后都需要重新执行下面的 ./prepare 和 ./install.sh
[root@localhost home/harbor]# ./prepare
[root@localhost home/harbor]# ./install.sh --with-clair --with-chartmuseum
#启动
[root@localhost home/harbor]# docker-compose up -d
#关闭
[root@localhost home/harbor]# docker-compose down
#接下来在防火墙中放行 7655 端口(或关闭防火墙)后,就可以访问 7655 端口了
#配置 docker 信任该 http 仓库(insecure-registries),否则 docker login 会失败;这里的 ip 需改成 harbor 主机的 ip。注意下面的命令会覆盖已有的 /etc/docker/daemon.json
[root@localhost home/harbor]# echo '{ "insecure-registries":["ip:7655"] }' > /etc/docker/daemon.json
[root@localhost home/harbor]# systemctl restart docker
[root@localhost home/harbor]# docker-compose up -d
#本机使用 docker 客户端登录到仓库,以便在本机制作镜像后推送到 harbor(-p 会把密码留在 shell 历史和进程列表中,建议改用 --password-stdin 从标准输入读取)
[root@localhost home/harbor]# docker login 192.168.56.13:7655 -u harbor用户 -p 密码
#浏览器访问(若无法访问请留意防火墙端口策略配置)
http://192.168.56.12:7655
harbor-api
由于 swagger 插件似乎无法下载,只能将就着记录下以下接口信息:
Harbor镜像仓库地址:172.168.1.249
# 获取项目信息
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/projects/2"
# 获取所有项目信息
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/projects?"
# 搜索镜像
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/search?q=asset"
# 删除项目
curl -u "admin:Harbor12345" -X DELETE -H "Content-Type: application/json" "http://172.168.1.249/api/projects/3"
# 创建项目
curl -u "admin:Harbor12345" -X POST -H "Content-Type: application/json" "http://172.168.1.249/api/projects" -d @createproject.json
createproject.json 为请求体文件名,文件内容参考如下:
# public 为 0 表示私有项目
{
"project_name": "项目名",
"public": 0
}
# 创建用户
curl -u "admin:Harbor12345" -X POST -H "Content-Type: application/json" "http://172.168.1.249/api/users" -d @user.json
user.json 文件内容参考如下:
{
"user_id": 5,
"username": "test",
"email": "test@qq.com",
"password": "Harbor12345",
"realname": "test",
"role_id": 0
}
# 获取用户列表(不包含 admin)
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/users"
# 查看当前用户信息
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/users/current"
# 删除用户,路径末尾的数字是该用户的 user_id(示例中为 34)
curl -u "admin:Harbor12345" -X DELETE -H "Content-Type: application/json" "http://172.168.1.249/api/users/34"
# 修改用户密码
curl -u "admin:Harbor12345" -X PUT -H "Content-Type: application/json" "http://172.168.1.249/api/users/4/password" -d @uppwd.json
# 查看项目相关角色
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/projects/2/members/"
# 项目添加角色
curl -u "jaymarco:Harbor123456" -X POST -H "Content-Type: application/json" "http://172.168.1.249/api/projects/2/members/" -d @role.json
# 查看镜像
curl -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/repositories?project_id=2&q=镜像名"
# 删除镜像
curl -u "admin:Harbor12345" -X DELETE -H "Content-Type: application/json" "http://172.168.1.249/api/repositories/marktrace%2Fasset/tags/latest"
# 获取镜像标签
curl -s -u "admin:Harbor12345" -X GET -H "Content-Type: application/json" "http://172.168.1.249/api/repositories/marktrace%2Fasset/tags/" |grep "digest" -C 2 |grep ""name""
#列出所有项目
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/projects?"
#列出指定项目的所有镜像
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/repositories?project_id=37"
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/repositories/marktrace%2Fasset/tags/" |grep "digest" -C 2 |grep ""name""
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/repositories/test_lab/easyview-api-uj/tags/"
curl -u "xxxxxxx:xxxxxxx" -X GET -H "Content-Type: application/jsn" "https://xxxxx/api/search?q=asset"
进入harbor数据库方法
1、进入[harbor-db]容器内部
docker exec -it harbor-db /bin/bash
2、进入postgresql命令行
psql -h postgresql -d postgres -U postgres #这要输入默认密码:root123 。
psql -U postgres -d postgres -h 127.0.0.1 -p 5432 #或者用这个可以不输入密码。
3、切换到harbor所在的数据库
\c registry
4、查看harbor_user表
select * from harbor_user;
5、例如把 admin 的密码重置为初始密码 Harbor12345(下面 SQL 中的 password 和 salt 即该密码对应的值),改好之后再从 Web UI 修改一次。
update harbor_user set password='a71a7d0df981a61cbb53a97ed8d78f3e',salt='ah3fdh5b7yxepalg9z45bu8zb36sszmr' where username='admin';
6、退出:\q 退出 postgresql,exit 退出容器。
\q
exit
完成后就可以在 Web UI 用 admin / Harbor12345 登录了;这是默认密码,登录后务必立即修改,避免安全问题。
四、安装trivy
#可用版本见 https://github.com/aquasecurity/harbor-scanner-trivy
[root@localhost home/harbor]# docker pull aquasec/harbor-scanner-trivy:0.19.0
#重新构建该镜像,改用 root 账号运行,否则会有权限报错(通常是挂载目录的属主与镜像内用户不一致;以 root 运行会扩大风险面,生产环境更建议修正挂载目录的属主)
Dockerfile内容:
# Rebuild of the upstream harbor-scanner-trivy image that switches the runtime user to root.
ARG TRIVY_VERSION=0.19.0
FROM aquasec/harbor-scanner-trivy:${TRIVY_VERSION}
# Run as root: presumably the upstream image runs as an unprivileged user and cannot
# write to the host directory that the notes bind-mount as the trivy DB cache.
# NOTE(review): running the scanner as root widens the impact of a scanner compromise;
# chown'ing the host cache directory to the upstream image's user would avoid this
# -- TODO confirm that user/uid against the upstream image.
USER root
# Entrypoint of the scanner binary, re-declared here (presumably matches upstream).
ENTRYPOINT ["/home/scanner/bin/scanner-trivy"]
#构建镜像
[root@localhost home/harbor]# docker build -f /home/dockerWorkSpace/trivy/Dockerfile -t aquasec/harbor-scanner-trivy-ys:Release.0.19.0 /home/dockerWorkSpace/trivy
#创建离线扫描数据目录并上传数据文件(可在 github 下载)
[root@localhost home/harbor]# mkdir -p /data/trivy-adapter/trivy
[root@localhost home/harbor]# ls /data/trivy-adapter/trivy
metadata.json
trivy.db
#启动 trivy,指定端口 8181 和容器名 trivy-adapter(harbor 连接扫描器时会用到该名称),另外要确保 redis 容器已启动
[root@localhost home/harbor]# docker run -d -p 8181:8181 --name trivy-adapter -v /data/trivy-adapter/trivy:/home/scanner/.cache/trivy/db \
-e "SCANNER_LOG_LEVEL=trace" \
-e "SCANNER_TRIVY_DEBUG_MODE=true" \
-e "TRIVY_NON_SSL=true" \
-e "SCANNER_API_SERVER_ADDR=:8181" \
-e "SCANNER_REDIS_URL=redis://redis:6379" \
-e "SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue" \
--network harbor_harbor \
aquasec/harbor-scanner-trivy-ys:Release.0.19.0
五、harbor添加trivy
六、添加https(该步骤在安装harbor前后均可进行)
# 创建证书目录,并赋予权限(777 会让目录对所有用户可写,存放私钥的目录在生产环境应收紧为仅 root 可访问)
[root@localhost home]# mkdir -p /data/cert && chmod -R 777 /data/cert && cd /data/cert
# 生成私钥,需要设置密码 2021lt007
[root@localhost cert]# openssl genrsa -des3 -out harbor.key 2048
# 生成证书申请文件(xxx.csr),需要输入私钥密码
# C 国家名,ST 省份名,O 组织名,OU 组织单位名,CN 域名,L 城市位置
[root@localhost cert]# openssl req -sha512 -new \
  -subj "/C=CN/ST=GD/L=SZ/O=lt/OU=ltdev/CN=thhub.ltdev.com" \
  -key harbor.key \
  -out harbor.csr
# 备份私钥
[root@localhost cert]# cp harbor.key harbor.key.org
# 去掉私钥密码,以便 docker 访问(也可以参考官方文档进行双向认证)
[root@localhost cert]# openssl rsa -in harbor.key.org -out harbor.key
# 用私钥对证书申请文件自签名,生成证书(xxx.crt),供 nginx 及 docker 客户端使用
[root@localhost cert]# openssl x509 -req -days 365 -in harbor.csr -signkey harbor.key -out harbor.crt
#配置域名
[root@localhost home/harbor]# vi /etc/hosts
192.168.56.12 thhub.ltdev.com
#修改 harbor 配置文件并重新安装 harbor
#修改配置文件,端口、域名等
[root@localhost home/harbor]# vi harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: thhub.ltdev.com
#skip_update:true
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 7655
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/harbor.crt
private_key: /data/cert/harbor.key
#准备配置 nginx,开启 https
[root@localhost home/harbor]# ./prepare
#安装 harbor
[root@localhost home/harbor]# ./install.sh --with-clair --with-chartmuseum
#启动
[root@localhost home/harbor]# docker-compose up -d
#浏览器访问(若无法访问请留意防火墙端口策略配置)
https://192.168.56.12
## 报错问题1:
#docker-client 登录 harbor 报错
#docker 登录 harbor
[root@thhub cert]# docker login thhub.ltdev.com -u 用户名 -p 密码
Error response from daemon: Get https://192.168.56.12:443/v2/: x509: cannot validate certificate for 192.168.56.13 because it doesn't contain any IP SANs
#编辑如下配置文件,在 v3_ca 下添加 subjectAltName = IP:域名|IP地址(改完后需按上面的步骤重新生成 csr 和 crt,已签发的证书不会自动更新)
/etc/pki/tls/openssl.cnf, subjectAltName = IP:192.168.56.12
#将证书 xxx.crt(docker-daemon 使用)转换成 docker 客户端使用的证书文件 xxx.cert
[root@localhost cert]# openssl x509 -inform PEM -in harbor.crt -out harbor.cert
#将证书、密钥拷贝到 docker 的 certs.d 目录(校验服务端证书只需 harbor.crt;harbor.key 是服务端私钥,一般不需要放到客户端目录)
[root@localhost cert]# cp harbor.cert /etc/docker/certs.d/thhub.ltdev.com/
[root@localhost cert]# cp harbor.key /etc/docker/certs.d/thhub.ltdev.com/
[root@localhost cert]# cp harbor.crt /etc/docker/certs.d/thhub.ltdev.com/
#将生成的证书追加到系统(docker-client 所在系统)的证书管理文件中
#[root@localhost home/harbor]# cat /data/cert/harbor.crt >> /etc/pki/tls/certs/ca-bundle.crt
#将证书加入系统信任
[root@localhost cert]# cp harbor.crt /etc/pki/ca-trust/source/anchors/harbor.crt
[root@localhost cert]# update-ca-trust
#重启 docker
[root@localhost home/harbor]# systemctl restart docker
#docker 登录 harbor --- 注意,必须使用域名登录才会使用 https 证书!!
[root@thhub cert]# docker login thhub.ltdev.com -u 用户名 -p 密码
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded