Deploying Harbor v2.4.1 with Docker

Harbor

Harbor website: https://goharbor.io/

Install docker-ce and docker-compose

[root@docker ~]# yum -y install docker-ce* docker-compose

Download the offline package

Harbor offers three installation methods:

  • Online installer: pulls the Harbor images from Docker Hub, so the installer package is very small

  • Offline installer: the package bundles the images needed for deployment, so it is considerably larger

  • OVA installer: for users with a vCenter environment; Harbor starts after the OVA is deployed

[root@docker ~]# wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz

# Extract the archive
[root@docker ~]# tar -zxf harbor-offline-installer-v2.4.1.tgz -C /opt

Generate the HTTPS certificate

You can use a certificate signed by a trusted third-party CA or a self-signed one. This article shows how to create a CA with OpenSSL and how to use that CA to sign the server and client certificates. The fields of a certificate signing request are as follows:

Field   Meaning                                   Example
-----   ---------------------------------------   ------------------
C       Country                                   CN
ST      State or Province
L       Location or City                          Beijing
O       Organization (company or organization)    example
OU      Organization Unit (department)            Personal
CN      Common Name (domain name or IP)           yourdomain.com

# Install openssl
[root@docker ~]# yum -y install openssl openssl-devel

# Set up local name resolution
[root@docker ssl]# cat /etc/hosts
192.168.0.50 harbor.registry.com
................................


# Generate the CA private key with openssl; it is used later to issue the self-signed certificates
[root@docker ~]# mkdir -p /opt/harbor/ssl && cd /opt/harbor/ssl
[root@docker ssl]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................++
..............................................................++
e is 65537 (0x10001)

# Generate the CA certificate
[root@docker ~]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Hunan/L=Changsha/O=example/OU=example/CN=harbor.registry.com" -key ca.key -out ca.crt

Note: the CN must be your hostname, a DNS name that resolves to the host's IP, or the actual IP address. Do not use values such as localhost or 127.0.0.1.

# The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key

# Generate the server private key
[root@docker ssl]# openssl genrsa -out harbor.registry.com.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................++
...........................................................................................................................................................................................++
e is 65537 (0x10001)


# Generate the server certificate signing request (the file name must be <domain>.csr). Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect to your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR file names.
[root@docker ssl]# openssl req -sha512 -new -subj "/C=CN/ST=Hunan/L=Changsha/O=example/OU=example/CN=harbor.registry.com" -key harbor.registry.com.key -out harbor.registry.com.csr

# Generate an x509 v3 extension file. Whether you use an FQDN or an IP address to connect to the Harbor host, this file is required so that a certificate meeting the Subject Alternative Name (SAN) and x509 v3 extension requirements can be issued for your Harbor host. Replace the DNS entries to reflect your domain.
[root@docker ssl]# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.registry.com
DNS.2=harbor.registry
DNS.3=docker
EOF


# Generate the server certificate
[root@docker ssl]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.registry.com.csr -out harbor.registry.com.crt
Signature ok
subject=/C=CN/ST=Hunan/L=Changsha/O=example/OU=example/CN=harbor.registry.com
Getting CA Private Key

Configure the certificates

Because the HTTPS connection is established between the Docker client and the Harbor server, the certificate files must also be made available to Docker, and in some cases to the operating system's trust store as well.

Harbor is deployed as containers and persists its data in volumes; by default it mounts the host path /data into the containers, and the certificate files are handled the same way. To let the Harbor processes inside the containers load the certificates easily, we create a directory under that default path to hold them.

[root@docker ssl]# mkdir -p /data/certs
[root@docker ssl]# cp harbor.registry.com.{crt,key} /data/certs/

# The Docker daemon treats .crt files as CA certificates and .cert files as client certificates, so the .crt must be converted to .cert for the Docker client
[root@docker ssl]# openssl x509 -inform PEM -in harbor.registry.com.crt -out harbor.registry.com.cert


# Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. If the path does not exist, create the folder first.
[root@docker ssl]# mkdir -p /etc/docker/certs.d/harbor.registry.com
[root@docker ssl]# cp ca.crt harbor.registry.com.{cert,key} /etc/docker/certs.d/harbor.registry.com

If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port

# Restart docker
systemctl restart docker

Configure Harbor

The harbor directory extracted from the installation package contains a configuration template, harbor.yml.tmpl, pre-populated with default settings. Copy it to harbor.yml and make the changes in that copy.

[root@docker harbor]# cp harbor.yml.tmpl harbor.yml

# The configuration file is as follows:
[root@docker harbor]# cat harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.registry.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/harbor/ssl/harbor.registry.com.crt
  private_key: /opt/harbor/ssl/harbor.registry.com.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: root123

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.4.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agetn mode uncomment agent_host and agent_port
# trace:
#   enabled: true
#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
#   sample_rate: 1
#   # # namespace used to differenciate different harbor services
#   # namespace:
#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
#   # attributes:
#   #   application: harbor
#   # # jaeger should be 1.26 or newer.
#   # jaeger:
#   #   endpoint: http://hostname:14268/api/traces
#   #   username:
#   #   password:
#   #   agent_host: hostname
#   #   # export trace data by jaeger.thrift in compact mode
#   #   agent_port: 6831
#   # otel:
#   #   endpoint: hostname:4318
#   #   url_path: /v1/traces
#   #   compression: false
#   #   insecure: true
#   #   timeout: 10s
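As an added example (not part of the original post or of Harbor itself), a pre-flight script that checks a harbor.yml against the rules the template comments and this page state before install.sh is run: hostname must not be localhost or 127.0.0.1, https.certificate and https.private_key must exist and belong together, and harbor_admin_password must not be left at the template default. It assumes the flat top-level layout shown above; Harbor12345 (the password shipped in the upstream template) and the sample file are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not Harbor's code: lint harbor.yml for the settings this page
# says must be changed. Assumes the simple key layout of harbor.yml shown above.

yaml_get() {                 # $1 file, $2 top-level key  -> value
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n1
}
yaml_get_nested() {          # $1 file, $2 parent key, $3 child key -> value
    awk -v p="$2" -v c="$3" '
        /^[^[:space:]#]/        { inblock = ($0 ~ ("^" p ":")) }
        inblock && $1 == (c ":") { sub(/^[[:space:]]*[^:]+:[[:space:]]*/, ""); print; exit }
    ' "$1"
}

check_harbor_yml() {         # $1 = harbor.yml; prints findings, returns their count
    f=$1; bad=0
    host=$(yaml_get "$f" hostname)
    case "$host" in
        ""|localhost|127.0.0.1)
            echo "hostname '$host' cannot be reached by external Docker clients"; bad=$((bad+1)) ;;
    esac
    cert=$(yaml_get_nested "$f" https certificate)
    key=$(yaml_get_nested "$f" https private_key)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "https.certificate / https.private_key not set"; bad=$((bad+1))
    elif [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "certificate or key not readable: $cert, $key"; bad=$((bad+1))
    elif [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "certificate and private key do not match"; bad=$((bad+1))
    fi
    pw=$(yaml_get "$f" harbor_admin_password)
    # Harbor12345 is the password shipped in the upstream harbor.yml.tmpl (assumption, not from this page)
    if [ -z "$pw" ] || [ "$pw" = "Harbor12345" ]; then
        echo "harbor_admin_password is unset or still the template default"; bad=$((bad+1))
    fi
    return $bad
}

# Constructed sample in which every check fails, to show the findings
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
hostname: localhost
https:
  certificate: /nonexistent/harbor.crt
  private_key: /nonexistent/harbor.key
harbor_admin_password: Harbor12345
EOF
check_harbor_yml "$SAMPLE" || echo "$? finding(s) in $SAMPLE"
```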

Run the installation script

A default Harbor installation does not include the Trivy, Notary or ChartMuseum services. The installation script can, however, install and configure them alongside Harbor.

To add Trivy, Notary or ChartMuseum support, pass the corresponding --with option when running the script. For example, to enable Trivy:

./install.sh --with-trivy

To install Notary and ChartMuseum as well, specify all the options in a single command:

./install.sh --with-notary --with-trivy --with-chartmuseum
# Run the installation script
[root@docker harbor]# ./install.sh --with-notary --with-trivy --with-chartmuseum

# Check Harbor status
[root@docker harbor]# docker-compose ps
      Name                     Command               State            Ports                                         
------------------------------------------------------------------------------------------------------
chartmuseum         ./docker-entrypoint.sh           Up                                                                                             
harbor-core         /harbor/entrypoint.sh            Up                                                                                             
harbor-db           /docker-entrypoint.sh 96 13      Up                                                                                             
harbor-jobservice   /harbor/entrypoint.sh            Up                                                                                             
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp                                                              
harbor-portal       nginx -g daemon off;             Up                                                                                             
nginx               nginx -g daemon off;             Up      0.0.0.0:4443->4443/tcp,:::4443->4443/tcp, 0.0.0.0:80->8080/tcp,:::80->8080/tcp,        
                                                             0.0.0.0:443->8443/tcp,:::443->8443/tcp                                                 
notary-server       /bin/sh -c migrate-patch - ...   Up                                                                                             
notary-signer       /bin/sh -c migrate-patch - ...   Up                                                                                             
redis               redis-server /etc/redis.conf     Up                                                                                             
registry            /home/harbor/entrypoint.sh       Up                                                                                             
registryctl         /home/harbor/start.sh            Up                                                                                             
trivy-adapter       /home/scanner/entrypoint.sh      Up 

# Start Harbor
[root@docker harbor]# docker-compose -f docker-compose.yml up -d

# Shut Harbor down
[root@docker harbor]# docker-compose -f docker-compose.yml down

Log in to Harbor
