龙芯mips平台Harbor仓库配置https访问并制作上传多架构镜像指导

https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html

echo “10.130.0.175 www.harbor.mobi” >> /etc/hosts

修改harbor.yml

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#hostname: reg.mydomain.com
hostname: www.harbor.mobi
#hostname: 10.130.0.175

# http related config
#http:
# # port for http, default is 80. If https enabled, this port will redirect to https port
# port: 80

# https related config
https:
\ # https port for harbor, default is 443
port: 443
\ # The path of cert and key files for nginx
certificate: /data/cert/www.harbor.mobi.crt
private_key: /data/cert/www.harbor.mobi.key

生成配置https所需要的证书

(可参考：https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html)
mkdir -p /data/cert
cd /data/cert
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj “/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi” -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj “/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi” -key www.harbor.mobi.key -out www.harbor.mobi.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt

openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert

为harbor增加证书并更新

mkdir -p /etc/pki/ca-trust/source/anchors/
cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt
update-ca-trust

mkdir -p /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.key /etc/docker/certs.d/www.harbor.mobi/
cp ca.crt /etc/docker/certs.d/www.harbor.mobi/
./prepare --with-notary --with-clair --with-chartmuseum
docker-compose up -d

systemctl daemon-reload;systemctl restart docker

./prepare --with-notary --with-clair --with-chartmuseum
docker-compose up -d

验证：

在x86和mips下分别获取debian:unstable-slim
x86下：
docker pull debian:unstable-slim
docker tag debian:unstable-slim 10.130.0.175/library/debian-mips64le:unstable-slim
mips下:
docker pull debian:unstable-slim
docker tag debian:unstable-slim 10.130.0.175/library/debian-x86:unstable-slim
docker manifest create 10.130.0.175/library/debian:unstable-slim 10.130.0.175/library/debian-mips64le:unstable-slim 10.130.0.175/library/debian-x86:unstable-slim --insecure
docker manifest push 10.130.0.175/library/debian:unstable-slim --insecure
然后网页查看是否存在10.130.0.175/library/debian:unstable-slim并将该镜像分别拉取到x86和mips下
mips下：
[root@node001 ~]# arch
mips64
[root@node001 ~]# docker run -it www.harbor.mobi/library/debian:unstable-slim
root@6abb5bb5639d:/# arch
mips64

x86下：
[root@node-145 ~]# arch
x86_64
[root@node-145 ~]# docker run -it www.harbor.mobi/library/debian:unstable-slim
root@d51224cdd3e3:/# arch
x86_64

附录

docker login 10.130.0.175
报错Error response from daemon: Get https://10.130.0.175/v2/: x509: cannot validate certificate for 10.130.0.175 because it doesn’t contain any IP SANs
docker login www.harbor.mobi
报错Error response from daemon: Get https://www.harbor.mobi/v2/: x509: certificate signed by unknown authority
解决方案：
将10.130.0.175和www.harbor.mobi分别加入/etc/docker/daemon.json然后执行如下命令使之生效

systemctl daemon-reload
systemctl restart docker