Harbor Installation and Configuration

Requirements

Hardware

| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 CPU | 4 CPU |
| Mem | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |

Software

| Software | Version | Description |
|---|---|---|
| Docker engine | Version 20.10.10-ce+ or higher | For installation instructions, see Docker Engine documentation |
| Docker Compose | docker-compose (v1.18.0+) or docker compose v2 (docker-compose-plugin) | For installation instructions, see Docker Compose documentation |
| Openssl | Latest is preferred | Used to generate certificate and keys for Harbor |

Network ports

| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file. |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor. Only required if Notary is enabled. You can change this port in the configuration file. |
| 80 | HTTP | Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file. |

Local environment

Operating system

PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble

Kernel version

Linux ubuntu2404 6.8.0-39-generic #39-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 21:49:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Docker version

Server: Docker Engine - Community
 Engine:
  Version:          27.1.1
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.12
  Git commit:       cc13f95
  Built:            Tue Jul 23 19:57:14 2024

Compose version

Docker Compose version v2.29.1

Installation steps

Download the installer package

https://github.com/goharbor/harbor/releases/download/v2.10.3/harbor-offline-installer-v2.10.3.tgz
https://github.com/goharbor/harbor/releases/download/v2.10.3/harbor-offline-installer-v2.10.3.tgz.asc

Verify the file signature

  • Import the signing public key
gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C

Output

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 644FF454C0B4115C: public key "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
  • Verify the file (offline installer package)
gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-v2.10.3.tgz.asc

Output

gpg: enabled compatibility flags:
gpg: assuming signed data in 'harbor-offline-installer-v2.10.3.tgz'
gpg: Signature made Tue Jul  2 15:44:11 2024 CST
gpg:                using RSA key 7722D168DAEC457806C96FF9644FF454C0B4115C
gpg: using pgp trust model
gpg: Good signature from "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7722 D168 DAEC 4578 06C9  6FF9 644F F454 C0B4 115C
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
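
The key was fetched by its 64-bit key ID and gpg reports it as not certified, so the meaningful check is that the signature was made by the expected full fingerprint. The script below is an added example, not part of the original post: it pins the primary key fingerprint printed in the output above and evaluates gpg's `--status-fd` records. The function names are hypothetical and the sample status records are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post.
# Pin: the "Primary key fingerprint" shown in the gpg output above. Compare it
# with a copy obtained from a source other than the keyserver before relying on it.
PINNED_FPR="7722D168DAEC457806C96FF9644FF454C0B4115C"

# status_matches_pin <fpr>: read `gpg --status-fd` records on stdin and succeed
# only if there is a GOODSIG, a VALIDSIG whose primary-key fingerprint (last
# field) equals <fpr>, and no bad/expired/revoked signature record.
status_matches_pin() {
  awk -v pin="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    $2 == "VALIDSIG" && $NF == pin { pinned = 1 }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    END { exit !(good && pinned && !bad) }'
}

# verify_installer <file.asc> <file>: verify with gpg, then apply the pin.
verify_installer() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    status_matches_pin "$PINNED_FPR"
}

# Constructed status records (not captured from a real run) for an offline check.
SAMPLE_GOOD="[GNUPG:] GOODSIG 644FF454C0B4115C Harbor-sign
[GNUPG:] VALIDSIG $PINNED_FPR 2024-07-02 1719906251 0 4 0 1 10 00 $PINNED_FPR"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-07-02 1719906251 0 4 0 1 10 00 0000000000000000000000000000000000000000"

if [ "$#" -eq 2 ]; then   # arguments: <file.asc> <file>
  if verify_installer "$1" "$2"; then
    echo "OK: signed by $PINNED_FPR"
  else
    echo "FAIL: no valid signature from the pinned key" >&2
    exit 1
  fi
else
  printf '%s\n' "$SAMPLE_GOOD" | status_matches_pin "$PINNED_FPR" && echo "sample: accepted"
  printf '%s\n' "$SAMPLE_OTHER_KEY" | status_matches_pin "$PINNED_FPR" || echo "other key: rejected"
fi
```

Run it with the `.asc` file and the `.tgz` file as arguments after importing the key; a non-zero exit means the installer should not be extracted.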

Extract the installation files

tar -xzvf harbor-offline-installer-v2.10.3.tgz
cd /root/harbor

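Issue certificates

Create the CA certificate

  • Create the private key for a simulated CA
openssl genrsa -out ca.key 4096
  • Create the certificate (public key) for the simulated CA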
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=harbor/OU=Personal/CN=harbor.xiangqian.com" \
 -key ca.key \
 -out ca.crt

Create the server certificate

  • Create the private key
openssl genrsa -out harbor.xiangqian.com.key 4096
  • Generate the certificate signing request
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=harbor/OU=Personal/CN=harbor.xiangqian.com" \
    -key harbor.xiangqian.com.key \
    -out harbor.xiangqian.com.csr
  • Generate an x509 v3 extension file

Regardless of whether you’re using either an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain.

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.xiangqian.com
DNS.2=xiangqian.com
DNS.3=node02
EOF
  • Use the v3.ext file to generate a certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.xiangqian.com.csr \
    -out harbor.xiangqian.com.crt
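
Before the files are copied into place, it is worth confirming that the issued certificate chains to ca.crt, matches its private key, and lists the registry hostname in its SAN. The script below is an added example, not part of the original post; the function names are hypothetical, and when run without arguments it exercises the checks on a throwaway CA with constructed host names.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: checks for the files produced
# by the openssl steps above. Host names below are constructed placeholders.

# san_dns_names <cert>: print each DNS entry of the subjectAltName extension.
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_covers <cert> <host>: exact match against the SAN list (no wildcards).
san_covers() { san_dns_names "$1" | grep -Fxq -- "$2"; }

# chain_ok <ca.crt> <cert>: cert verifies against the CA as a TLS server cert.
chain_ok() { openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches <cert> <key>: the private key belongs to the certificate.
key_matches() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# issue_test_chain <dir> <host> [san-host]: throwaway CA and server cert
# (2048-bit keys, 1-day validity) so the checks can be exercised offline.
issue_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 1 \
    -subj "/O=example/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha512 -subj "/O=example/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  { echo "basicConstraints=CA:FALSE"; echo "extendedKeyUsage=serverAuth"
    [ -z "${3:-}" ] || echo "subjectAltName=DNS:$3"; } > "$1/v3.ext"
  openssl x509 -req -sha512 -days 1 -extfile "$1/v3.ext" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
}

# With arguments: check real files. Without: self-check on a throwaway chain.
if [ "$#" -eq 4 ]; then   # arguments: ca.crt server.crt server.key hostname
  chain_ok "$1" "$2"    || { echo "FAIL: chain does not verify" >&2; exit 1; }
  key_matches "$2" "$3" || { echo "FAIL: key does not match cert" >&2; exit 1; }
  san_covers "$2" "$4"  || { echo "FAIL: $4 not in SAN" >&2; exit 1; }
  echo "OK"
elif command -v openssl >/dev/null 2>&1; then
  d="$(mktemp -d)"
  issue_test_chain "$d" harbor.example.test harbor.example.test &&
    chain_ok "$d/ca.crt" "$d/server.crt" &&
    key_matches "$d/server.crt" "$d/server.key" &&
    san_covers "$d/server.crt" harbor.example.test && echo "self-check OK"
  rm -rf "$d"
fi
```

For the files created above, the arguments would be ca.crt, harbor.xiangqian.com.crt, harbor.xiangqian.com.key and harbor.xiangqian.com.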

Configure the certificates

  • Copy the server certificate and key to the Harbor data directory (create the directory first)
mkdir -p /data/cert
cp harbor.xiangqian.com.crt /data/cert/
cp harbor.xiangqian.com.key /data/cert/
  • Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker
openssl x509 -inform PEM -in harbor.xiangqian.com.crt -out harbor.xiangqian.com.cert
  • Configure Docker to read the certificates (create the directory first)

Note: If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.

mkdir -p /etc/docker/certs.d/harbor.xiangqian.com/
cp harbor.xiangqian.com.cert /etc/docker/certs.d/harbor.xiangqian.com/
cp harbor.xiangqian.com.key /etc/docker/certs.d/harbor.xiangqian.com/
cp ca.crt /etc/docker/certs.d/harbor.xiangqian.com/
  • Restart Docker
systemctl restart docker
  • Check the certificates
ls -l /etc/docker/certs.d/harbor.xiangqian.com/

Result

-rw-r--r-- 1 root root 2065 Aug  7 13:55 ca.crt
-rw-r--r-- 1 root root 2183 Aug  7 13:55 harbor.xiangqian.com.cert
-rw------- 1 root root 3272 Aug  7 13:55 harbor.xiangqian.com.key

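Edit the Harbor configuration file

# Go to the directory where Harbor was extracted
cd ~/harbor
# Copy the configuration template
cp harbor.yml.tmpl harbor.yml
# Edit the configuration parameters
vim harbor.yml

Contents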

hostname: harbor.xiangqian.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/docker/certs.d/harbor.xiangqian.com/harbor.xiangqian.com.cert
  private_key: /etc/docker/certs.d/harbor.xiangqian.com/harbor.xiangqian.com.key

Configure the operating system to trust the certificate (optional)

https://goharbor.io/docs/1.10/install-config/troubleshoot-installation/#https

Start the service

The --with-chartmuseum and --with-notary options are obsolete; --with-trivy enables image vulnerability scanning.

./install.sh --with-trivy

Startup log

  • A possible error (a container named nginx already exists locally; renaming the existing container resolves it)

    Error response from daemon: Conflict. The container name "/nginx" is already in use by container "9e90d1957e7eef255efeb1b3a9a4ae8dd4a7e5dc170c53dea250dabf7cc3ce12". You have to remove (or rename) that container to be able to reuse that name.
    
  • A normal startup log looks like this

    root@ubuntu2404:~/harbor# ./install.sh --with-trivy
    
    [Step 0]: checking if docker is installed ...
    
    Note: docker version: 27.1.1
    
    [Step 1]: checking docker-compose is installed ...
    
    Note: Docker Compose version v2.29.1
    
    [Step 2]: loading Harbor images ...
    Loaded image: goharbor/redis-photon:v2.10.3
    Loaded image: goharbor/nginx-photon:v2.10.3
    Loaded image: goharbor/trivy-adapter-photon:v2.10.3
    Loaded image: goharbor/prepare:v2.10.3
    Loaded image: goharbor/harbor-core:v2.10.3
    Loaded image: goharbor/harbor-jobservice:v2.10.3
    Loaded image: goharbor/harbor-registryctl:v2.10.3
    Loaded image: goharbor/harbor-exporter:v2.10.3
    Loaded image: goharbor/harbor-portal:v2.10.3
    Loaded image: goharbor/harbor-log:v2.10.3
    Loaded image: goharbor/harbor-db:v2.10.3
    Loaded image: goharbor/registry-photon:v2.10.3
    
    
    [Step 3]: preparing environment ...
    
    [Step 4]: preparing harbor configs ...
    prepare base dir is set to /root/harbor
    Clearing the configuration file: /config/portal/nginx.conf
    Clearing the configuration file: /config/nginx/nginx.conf
    Clearing the configuration file: /config/jobservice/config.yml
    Clearing the configuration file: /config/jobservice/env
    Clearing the configuration file: /config/log/rsyslog_docker.conf
    Clearing the configuration file: /config/log/logrotate.conf
    Clearing the configuration file: /config/trivy-adapter/env
    Clearing the configuration file: /config/db/env
    Clearing the configuration file: /config/registryctl/config.yml
    Clearing the configuration file: /config/registryctl/env
    Clearing the configuration file: /config/core/app.conf
    Clearing the configuration file: /config/core/env
    Clearing the configuration file: /config/registry/config.yml
    Clearing the configuration file: /config/registry/passwd
    Generated configuration file: /config/portal/nginx.conf
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/registryctl/config.yml
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    loaded secret from file: /data/secret/keys/secretkey
    Generated configuration file: /config/trivy-adapter/env
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir
    
    
    Note: stopping existing Harbor instance ...
    WARN[0000] /root/harbor/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion 
    [+] Running 10/10
     ✔ Container registryctl        Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container harbor-jobservice  Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container trivy-adapter      Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container harbor-portal      Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container harbor-core        Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container harbor-db          Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container registry           Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container redis              Removed                                                                                                                                                                                                                                0.0s 
     ✔ Container harbor-log         Removed                                                                                                                                                                                                                                0.0s 
     ✔ Network harbor_harbor        Removed                                                                                                                                                                                                                                0.1s 
    
    
    [Step 5]: starting Harbor ...
    WARN[0000] /root/harbor/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion 
    [+] Running 11/11
     ✔ Network harbor_harbor        Created                                                                                                                                                                                                                                0.1s 
     ✔ Container harbor-log         Started                                                                                                                                                                                                                                0.8s 
     ✔ Container registryctl        Started                                                                                                                                                                                                                                4.5s 
     ✔ Container harbor-portal      Started                                                                                                                                                                                                                                3.1s 
     ✔ Container registry           Started                                                                                                                                                                                                                                3.1s 
     ✔ Container redis              Started                                                                                                                                                                                                                                3.4s 
     ✔ Container harbor-db          Started                                                                                                                                                                                                                                4.5s 
     ✔ Container trivy-adapter      Started                                                                                                                                                                                                                                5.9s 
     ✔ Container harbor-core        Started                                                                                                                                                                                                                                5.8s 
     ✔ Container nginx              Started                                                                                                                                                                                                                                8.8s 
     ✔ Container harbor-jobservice  Started                                                                                                                                                                                                                                7.5s 
    ✔ ----Harbor has been installed and started successfully.----
    

Startup errors

  • Related issue

    https://github.com/goharbor/harbor/issues/13465

  • Permission-related error message

./install.sh: line 91: ./prepare: Permission denied
  • Fix
chmod a+x prepare

Check the service status

docker compose ps

Output

NAME                IMAGE                                   COMMAND                  SERVICE         CREATED         STATUS                   PORTS
harbor-core         goharbor/harbor-core:v2.10.3            "/harbor/entrypoint.…"   core            2 minutes ago   Up 2 minutes (healthy)   
harbor-db           goharbor/harbor-db:v2.10.3              "/docker-entrypoint.…"   postgresql      2 minutes ago   Up 2 minutes (healthy)   
harbor-jobservice   goharbor/harbor-jobservice:v2.10.3      "/harbor/entrypoint.…"   jobservice      2 minutes ago   Up 2 minutes (healthy)   
harbor-log          goharbor/harbor-log:v2.10.3             "/bin/sh -c /usr/loc…"   log             2 minutes ago   Up 2 minutes (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       goharbor/harbor-portal:v2.10.3          "nginx -g 'daemon of…"   portal          2 minutes ago   Up 2 minutes (healthy)   
nginx               goharbor/nginx-photon:v2.10.3           "nginx -g 'daemon of…"   proxy           2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp
redis               goharbor/redis-photon:v2.10.3           "redis-server /etc/r…"   redis           2 minutes ago   Up 2 minutes (healthy)   
registry            goharbor/registry-photon:v2.10.3        "/home/harbor/entryp…"   registry        2 minutes ago   Up 2 minutes (healthy)   
registryctl         goharbor/harbor-registryctl:v2.10.3     "/home/harbor/start.…"   registryctl     2 minutes ago   Up 2 minutes (healthy)   
trivy-adapter       goharbor/trivy-adapter-photon:v2.10.3   "/home/scanner/entry…"   trivy-adapter   2 minutes ago   Up 2 minutes (healthy)  

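Access the web page

First, on the local Windows machine, add the custom domain name to the hosts file under C:\Windows\System32\drivers\etc so that the remote Harbor server can be reached, for example 192.168.1.189 harbor.xiangqian.com.

Second, the default account is admin. The password can be set to a custom value with the harbor_admin_password parameter in the harbor.yml configuration file; otherwise the default password is Harbor12345.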

https://harbor.xiangqian.com/


Log in from the command line

root@ubuntu2404:~/harbor# docker login harbor.xiangqian.com -u admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

Login Succeeded

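Pushing a local image

  • Create a project

    If you do not create a project, images can only be pushed to the default library project.

  • Tag the image

    docker tag redis:7.4.0 harbor.xiangqian.com/xiangqian/redis:7.4.0

  • Push the image to Harbor

    docker push harbor.xiangqian.com/xiangqian/redis:7.4.0

  • After a successful push, view the image in the web UI

  • Pull the image locally

    # First remove the existing local image
    docker rmi harbor.xiangqian.com/xiangqian/redis:7.4.0
    # Pull the image from the Harbor server
    docker pull harbor.xiangqian.com/xiangqian/redis:7.4.0

  • Pull log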

    7.4.0: Pulling from xiangqian/redis
    Digest: sha256:1805cbcbf3f5da4c7f8b676e947547059347e3195257e0ad516a319f1782afc6
    Status: Downloaded newer image for harbor.xiangqian.com/xiangqian/redis:7.4.0
    harbor.xiangqian.com/xiangqian/redis:7.4.0
    

If the registry is accessed over HTTP, Docker must be configured

If you chose HTTPS access earlier, this step is not needed.

  • If your installation of Harbor uses HTTPS, you must provide the Harbor certificates to the Docker client. For information, see Configure HTTPS Access to Harbor.
  • If your installation of Harbor uses HTTP, you must add the option --insecure-registry to your client’s Docker daemon and restart the Docker service. For more information, see Connecting to Harbor via HTTP below.
vim /etc/docker/daemon.json

Contents

{
	"insecure-registries" : ["harbor.xiangqian.com:5000", "0.0.0.0"]
}

Restart Docker

systemctl daemon-reload
systemctl restart docker

Harbor lifecycle management

https://goharbor.io/docs/2.11.0/install-config/reconfigure-manage-lifecycle/

Troubleshooting

https://goharbor.io/docs/2.11.0/install-config/troubleshoot-installation/