Harbor installation
I. Offline installation packages
docker package downloads: https://download.docker.com/linux/static/stable/x86_64/
docker-compose package downloads: https://github.com/docker/compose/releases
harbor package downloads: https://github.com/goharbor/harbor/releases
Versions used
docker-ce: v23.06
docker-compose: v2.18.1
harbor: v2.8.2
Node IPs
harbor: 192.168.40.15
master: 192.168.40.10
node1: 192.168.40.11
node2: 192.168.40.12
Hostname resolution is configured on all nodes.
II. Installation steps
1. Install Docker
Docker is installed here from the RPM packages.
Enable docker at boot and start it now
systemctl enable docker.service --now
Check the docker status and version
systemctl status docker.service
docker version
Client: Docker Engine - Community
 Version:           24.0.2
 API version:       1.42 (downgraded from 1.43)
 Go version:        go1.20.4
 Git commit:        cb74dfc
 Built:             Thu May 25 21:55:21 2023
 OS/Arch:           linux/amd64
 Context:           default
Server: Docker Engine - Community
 Engine:
  Version:          23.0.6
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.9
  Git commit:       9dbdbd4
  Built:            Fri May 5 21:20:38 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
2. Install docker-compose
# online download
wget https://github.com/docker/compose/releases/download/v2.18.1/docker-compose-linux-x86_64
Move the downloaded binary to /usr/local/bin and rename it
mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
Make it executable
chmod +x /usr/local/bin/docker-compose
Check the version
docker-compose -v
Docker Compose version v2.18.1
3. Install Harbor
# the offline installer is needed: the docker load step below uses the harbor.v2.8.2.tar.gz it bundles
wget https://github.com/vmware/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz
Extract the package
tar -xzvf harbor-offline-installer-v2.8.2.tgz -C /usr/local
Create the config file from the template
cp /usr/local/harbor/harbor.yml.tmpl /usr/local/harbor/harbor.yml
vi /usr/local/harbor/harbor.yml
Edit harbor.yml: set hostname to the IP address or domain name, and comment out the ssl (https) settings so that Harbor is accessed over plain HTTP.
(To use HTTPS instead, see the SSL certificate configuration below.)
Load the bundled images
docker load -i /usr/local/harbor/harbor.v2.8.2.tar.gz
Run the preparation script
sh /usr/local/harbor/prepare
Run the installer
sh /usr/local/harbor/install.sh
[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 1.2s
✔ Container harbor-db Started 2.7s
✔ Container redis Started 2.8s
✔ Container registryctl Started 2.4s
✔ Container registry Started 2.7s
✔ Container harbor-portal Started 2.6s
✔ Container harbor-core Started 3.5s
✔ Container nginx Started 4.6s
✔ Container harbor-jobservice Started 4.7s
✔ ----Harbor has been installed and started successfully.----
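The manual vi edit of harbor.yml above (set hostname, comment out the https block) can be scripted so the result is checked before prepare and install.sh are run. The following is an added example, not part of the original notes and not Harbor's own tooling; it assumes the stock template layout (a top-level hostname: line and an https: block whose members are indented by two spaces) and uses a constructed excerpt of harbor.yml.tmpl as input.

```shell
#!/bin/sh
# Added example: render an HTTP-only harbor.yml from harbor.yml.tmpl and verify it.

# harbor_http_config TEMPLATE OUTPUT HOSTNAME
# Copies TEMPLATE to OUTPUT, sets the hostname and comments out the https block.
harbor_http_config() {
    tmpl=$1; out=$2; host=$3
    sed -e "s|^hostname: .*|hostname: $host|" \
        -e 's|^https:|#https:|' \
        -e 's|^  port: 443|#  port: 443|' \
        -e 's|^  certificate:|#  certificate:|' \
        -e 's|^  private_key:|#  private_key:|' \
        "$tmpl" > "$out"
}

# harbor_config_hostname FILE -> prints the configured hostname
harbor_config_hostname() {
    sed -n 's/^hostname: *//p' "$1"
}

# harbor_https_enabled FILE -> exit 0 if an uncommented https block is still present
harbor_https_enabled() {
    grep -q '^https:' "$1"
}

# Constructed excerpt of harbor.yml.tmpl used as sample input (not the real file).
SAMPLE_TMPL=$(mktemp)
cat > "$SAMPLE_TMPL" <<'EOF'
hostname: reg.mydomain.com
http:
  port: 80
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
EOF

# Render the HTTP-only config for the harbor node IP used in these notes.
SAMPLE_OUT=$(mktemp)
harbor_http_config "$SAMPLE_TMPL" "$SAMPLE_OUT" 192.168.40.15
if harbor_https_enabled "$SAMPLE_OUT"; then
    echo "https block still active in $SAMPLE_OUT"
else
    echo "rendered HTTP-only config for $(harbor_config_hostname "$SAMPLE_OUT") in $SAMPLE_OUT"
fi
```

On the real host the call would be `harbor_http_config /usr/local/harbor/harbor.yml.tmpl /usr/local/harbor/harbor.yml 192.168.40.15`, followed by the prepare and install.sh steps as above.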
Check the docker-compose status
docker-compose ps
Stop and start
docker-compose down -v   # stop
docker-compose up -d     # start (run from the harbor directory)
Open the web UI by IP; the default account and password (changeable in the config file) are
admin Harbor12345
Log in to Harbor from the k8s nodes
Run on each of the other worker nodes:
docker login 192.168.40.50
IV. Login errors
Logging in to a Harbor that uses HTTP fails with:
Error response from daemon: Get https://192.168.40.50/v1/users/: dial
tcp 192.168.40.50:443: connect: connection refused
Add an "insecure-registries" entry to /etc/docker/daemon.json and restart the docker daemon so the change takes effect. (If that still does not work, try changing the address added below from "192.168.40.50" to "http://192.168.40.50:80".)
# vim /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.40.50"]
}
(Extension) SSL certificate configuration
The setup above uses HTTP, but docker pulls images over HTTPS by default, so the Harbor registry needs to be served over TLS.
Generating the certificates
mkdir /usr/local/harbor/sslkey && cd /usr/local/harbor/sslkey
Generate the CA private key
openssl genrsa -out ca.key 2048
Generate the CA certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Harbor/OU=Harbor/CN=server.harbor.com"
Generate the server private key
openssl genrsa -out harbor.key 2048
Generate the server certificate signing request
openssl req -sha256 -new -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Harbor/OU=Harbor/CN=server.harbor.com" -key harbor.key -out harbor.csr
Create the v3 extension file (server certificate with the hostname in subjectAltName)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=server.harbor.com
DNS.2=server
EOF
Sign the server certificate with the CA
openssl x509 -req -sha256 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
Convert the crt file to the .cert format docker expects
openssl x509 -inform PEM -in harbor.crt -out harbor.cert
Point harbor.yml at the certificate and key
vi /usr/local/harbor/harbor.yml
hostname: server.harbor.com   # the domain name you chose
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /usr/local/harbor/sslkey/harbor.cert
  private_key: /usr/local/harbor/sslkey/harbor.key
Remember to re-run the installation:
Run the preparation script
sh /usr/local/harbor/prepare
Run the installer
sh /usr/local/harbor/install.sh
# create the certificate directory on the docker client
mkdir -p /etc/docker/certs.d/server.harbor.com
# copy the server certificate
cp harbor.cert /etc/docker/certs.d/server.harbor.com/
# copy the server private key
cp harbor.key /etc/docker/certs.d/server.harbor.com/
# copy the self-signed CA certificate
cp ca.crt /etc/docker/certs.d/server.harbor.com/
# or all three in one command
cp harbor.cert harbor.key ca.crt /etc/docker/certs.d/server.harbor.com/
# vim /etc/docker/daemon.json
{
  "insecure-registries": ["https://server.harbor.com"]
}
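The certificate steps above can be wrapped in two functions: one that produces the same files (ca.key, ca.crt, harbor.key, harbor.csr, v3.ext, harbor.crt, harbor.cert), and one that checks them before they go into harbor.yml and /etc/docker/certs.d. This is an added example, not part of the original notes or of Harbor; it differs from the steps above in one deliberate way, giving the CA its own CN ("Harbor Root CA") so that issuer and server subject are distinct. The check confirms that the server certificate chains to ca.crt, that its subjectAltName covers the hostname, and that harbor.key matches harbor.crt. Only ca.crt is needed on a docker client to trust the registry; the server private key can stay on the Harbor host.

```shell
#!/bin/sh
# Added example: generate and verify the Harbor CA and server certificate.

# gen_harbor_certs DIR HOSTNAME [SHORTNAME]
# Writes the CA and server key/cert files into DIR for HOSTNAME (SAN also lists SHORTNAME,
# which defaults to the first label of HOSTNAME, matching DNS.2=server above).
gen_harbor_certs() {
    dir=$1; cn=$2; short=${3:-${2%%.*}}
    ca_subj="/C=CN/ST=Guangdong/L=Guangzhou/O=Harbor/OU=Harbor/CN=Harbor Root CA"
    srv_subj="/C=CN/ST=Guangdong/L=Guangzhou/O=Harbor/OU=Harbor/CN=$cn"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 \
        -out "$dir/ca.crt" -subj "$ca_subj" 2>/dev/null
    # server key and certificate signing request
    openssl genrsa -out "$dir/harbor.key" 2048 2>/dev/null
    openssl req -sha256 -new -subj "$srv_subj" -key "$dir/harbor.key" \
        -out "$dir/harbor.csr" 2>/dev/null
    # v3 extensions: a non-CA server certificate whose SAN carries the hostname
    printf '%s\n' \
        'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = @alt_names' \
        '[alt_names]' \
        "DNS.1=$cn" \
        "DNS.2=$short" > "$dir/v3.ext"
    # sign the CSR with the CA
    openssl x509 -req -sha256 -days 3650 -extfile "$dir/v3.ext" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/harbor.csr" \
        -out "$dir/harbor.crt" 2>/dev/null
    # docker looks for a .cert file under /etc/docker/certs.d/<host>/
    openssl x509 -inform PEM -in "$dir/harbor.crt" -out "$dir/harbor.cert"
    # private keys should not be world-readable
    chmod 600 "$dir/ca.key" "$dir/harbor.key"
}

# check_harbor_certs DIR HOSTNAME -> 0 if the chain verifies, the SAN covers HOSTNAME
# and harbor.key belongs to harbor.crt; 1 otherwise
check_harbor_certs() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/harbor.crt" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$dir/harbor.crt" -noout -text | grep -q "DNS:$cn" || return 1
    [ "$(openssl x509 -in "$dir/harbor.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/harbor.key" -pubout)" ]
}

# Demo run in a temporary directory; on the Harbor host DIR would be /usr/local/harbor/sslkey.
DEMO_DIR=$(mktemp -d)
gen_harbor_certs "$DEMO_DIR" server.harbor.com
if check_harbor_certs "$DEMO_DIR" server.harbor.com; then
    echo "certificates in $DEMO_DIR verify for server.harbor.com"
else
    echo "certificate check failed in $DEMO_DIR"
fi
```

Running check_harbor_certs after prepare and install.sh, and after every renewal, catches the usual causes of "x509: certificate signed by unknown authority" or hostname mismatch errors on the docker clients before they appear.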
Resetting the Harbor password
# docker exec -it a6b2ea24ff49 /bin/bash   # the Harbor database container (see docker-compose ps)
postgres [ / ]$ psql -h postgresql -d postgres -U postgres
# default password root123
postgres=# \c registry
registry=# select * from harbor_user;
registry=# update harbor_user set salt='',password='' where user_id = 1;
registry=# \q   # leave psql
postgres [ / ]$ exit   # leave the container
Restart (Harbor then re-initialises the admin password from harbor_admin_password in harbor.yml)
docker-compose down -v   # stop
docker-compose up -d     # start (run from the harbor directory)
Pushing images to Harbor
Log in first, then tag the images and push them
# tag every local image as server.harbor.com/base/<name>:<tag>, skipping untagged (<none>) images
for i in $(docker images | awk 'NR!=1 && $2!="<none>" {print $1":"$2}'); do
    docker tag "$i" server.harbor.com/base/$(echo "$i" | awk -F "/" '{print $NF}')
done
# push everything that now carries the server.harbor.com prefix
docker images | awk 'NR!=1 && $1~/^server.harbor.com/ {print $1":"$2}' | xargs -I {} docker push {}
Using the Harbor registry from K8S
First run docker login against Harbor on any node
# view the stored credentials
# cat /root/.docker/config.json
{
  "auths": {
    "server.harbor.com": {
      "auth": "YmFzZTpCYXNlQDEyMzQ1"
    }
  }
}
# base64-encode the file (this is encoding, not encryption)
# cat /root/.docker/config.json | base64 -w 0
ewoJImF1dGhzIjogewoJCSJzZXJ2ZXIuaGFyYm9yLmNvbSI6IHsKCQkJImF1dGgiOiAiWW1GelpUcENZWE5sUURFeU16UTEiCgkJfQoJfQp9
Create a secret for Harbor
# vim harbor-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: harbor-pull
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJzZXJ2ZXIuaGFyYm9yLmNvbSI6IHsKCQkJImF1dGgiOiAiWW1GelpUcENZWE5sUURFeU16UTEiCgkJfQoJfQp9
Then create the secret
kubectl apply -f harbor-secret.yaml
kubectl get secrets
Remember to reference it in any resource created later that pulls images
# example (pod spec; for a Deployment this sits under spec.template.spec):
spec:
  imagePullSecrets:
  - name: harbor-pull
  containers:
  - name: mytomcat
    image: server.harbor.com/base/tomcat:9.0.78-jre8
    ports:
    - containerPort: 8080
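The secret above is built from the config.json that docker login leaves in /root/.docker, which means the registry credentials are written to disk on that node first. The functions below build the same kubernetes.io/dockerconfigjson Secret directly from an account name and password. This is an added example, not part of the original notes, Harbor or kubectl; the account name and password are parameters, and the test values are the pair that decodes from the "auth" string shown above.

```shell
#!/bin/sh
# Added example: build a dockerconfigjson pull secret for Harbor without docker login.

# docker_auth USER PASSWORD -> the base64 "auth" value docker stores in config.json
docker_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# docker_config_json REGISTRY USER PASSWORD -> a minimal config.json document (one line)
docker_config_json() {
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(docker_auth "$2" "$3")"
}

# pull_secret_yaml NAME REGISTRY USER PASSWORD -> Secret manifest on stdout
pull_secret_yaml() {
    data=$(docker_config_json "$2" "$3" "$4" | base64 | tr -d '\n')
    printf '%s\n' \
        'apiVersion: v1' \
        'kind: Secret' \
        'metadata:' \
        "  name: $1" \
        'type: kubernetes.io/dockerconfigjson' \
        'data:' \
        "  .dockerconfigjson: $data"
}

# secret_decoded_config MANIFEST_FILE -> the config.json stored in the manifest (for checking)
secret_decoded_config() {
    sed -n 's/^  \.dockerconfigjson: //p' "$1" | base64 -d
}

# Demo: write the manifest for the harbor-pull secret to a temporary file and show the
# decoded payload. "robot$pull" / "ReplaceMe" are constructed placeholder credentials.
DEMO_SECRET=$(mktemp)
pull_secret_yaml harbor-pull server.harbor.com 'robot$pull' 'ReplaceMe' > "$DEMO_SECRET"
echo "manifest written to $DEMO_SECRET; it stores: $(secret_decoded_config "$DEMO_SECRET")"
```

Apply it with `kubectl apply -f "$DEMO_SECRET"`. The same manifest can also be produced by `kubectl create secret docker-registry harbor-pull --docker-server=server.harbor.com --docker-username=... --docker-password=... --dry-run=client -o yaml`. Whichever way it is built, the account placed in the secret should be a Harbor robot account limited to pulling from the project rather than the admin login, since the secret is readable by anyone who can read Secrets in that namespace.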
Setting the IP subnet for the Harbor network
Docker allocates its networks from the 172.x range starting at 172.17, and the server's own IP is also in a 172 range, so to avoid a conflict the subnet can be set in the docker-compose file.
# vim /usr/local/harbor/docker-compose.yml
Find the network definition at the bottom and change it:
networks:
  harbor:
    driver: bridge
    ipam:
      config:
      - subnet: 172.100.0.0/16
        gateway: 172.100.0.1
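Whether a candidate subnet actually clears the host address and docker's default bridge range (172.17.0.0/16) can be checked with plain shell arithmetic before editing docker-compose.yml. This is an added example, not part of the original notes or of Harbor; it uses the 172.100.0.0/16 subnet chosen above together with a constructed host address of 172.17.3.9 as sample input, and it only knows about the default bridge range, not any custom default-address-pools configured on the daemon.

```shell
#!/bin/sh
# Added example: CIDR overlap checks for choosing the harbor compose network subnet.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask PREFIXLEN -> the network mask as an integer
netmask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_overlap CIDR1 CIDR2 -> 0 if the two ranges share at least one address
cidr_overlap() {
    n1=${1%/*}; p1=${1#*/}
    n2=${2%/*}; p2=${2#*/}
    # two ranges overlap exactly when they agree on the shorter of the two prefixes
    p=$p1
    if [ "$p2" -lt "$p1" ]; then p=$p2; fi
    m=$(netmask "$p")
    [ $(( $(ip2int "$n1") & m )) -eq $(( $(ip2int "$n2") & m )) ]
}

# ip_in_cidr A.B.C.D CIDR -> 0 if the address lies inside the range
ip_in_cidr() {
    cidr_overlap "$1/32" "$2"
}

# pick_harbor_subnet HOST_IP CANDIDATE... -> prints the first candidate that contains
# neither the host address nor any part of docker's default bridge range
pick_harbor_subnet() {
    host=$1; shift
    for cand in "$@"; do
        if ! ip_in_cidr "$host" "$cand" && ! cidr_overlap "$cand" 172.17.0.0/16; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Demo with a constructed host address; 172.100.0.0/16 is the subnet used in these notes.
CHOSEN=$(pick_harbor_subnet 172.17.3.9 172.17.0.0/16 172.100.0.0/16) \
    && echo "use subnet $CHOSEN for the harbor network" \
    || echo "none of the candidate subnets is free"
```

The selected value is what goes into the `subnet:` line of the networks block, with `gateway:` set to its first host address.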