Deploying a local private registry (Harbor) on CentOS 7.9
Host environment
pw: 4 cores, 8 GB RAM, one 600 GB system disk; management NIC ens33 192.168.1.15; floating-IP network on ens33 via DHCP
-
OS version
CentOS-7-x86_64-Minimal-2009.iso -
Installation choices
Minimal install -> English -> standard installation -
Partitioning
/boot 1000M, everything else on / -
Set the hostname
hostnamectl set-hostname pw -
Install common packages
yum install vim wget net-tools yum-utils -y -
Disable the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
firewall-cmd --state -
Disable SELinux
sed -i '/^SELINUX=.*/c SELINUX=disabled' /etc/selinux/config
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=disabled/g' /etc/selinux/config   # ignored while SELINUX=disabled
grep --color=auto '^SELINUX' /etc/selinux/config
setenforce 0 -
Hosts entry (the name and IP used here must match the hostname set in harbor.yml and the name in the certificate, because that is the name clients will log in with):
echo "192.168.50.50 www.hao.com" >> /etc/hosts -
Configure SSH
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 60/g' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 60/g' /etc/ssh/sshd_config
sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
systemctl restart sshd && systemctl status sshd -
Configure yum mirror repositories
yum-config-manager --add-repo http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -
Install EPEL
yum install epel-release -y
yum clean all && yum makecache fast -
Install base packages
yum install device-mapper-persistent-data lvm2 -y -
Install Docker
yum list docker-ce --showduplicates | sort -r   # list the available docker-ce versions
yum install docker-ce-19.03.8 -y                # install a specific version -
Configure a registry mirror (pull accelerator)
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://hub-mirror.c.163.com/"]
}
EOF
-
Start the Docker service
systemctl daemon-reload && systemctl enable docker && systemctl restart docker && systemctl status docker -
Install docker-compose
# Download a specific release; either URL works, and both fetch the binary matching this host's OS and CPU architecture
sudo curl -L "https://get.daocloud.io/docker/compose/releases/download/1.25.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-
The downloaded file is now in /usr/local/bin; add execute permission
chmod +x /usr/local/bin/docker-compose -
Check the version
docker-compose --version -
Download the Harbor package
wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz -
Extract into the target directory
tar xvf harbor-offline-installer-v2.4.1.tgz -C /home   # creates /home/harbor, the install directory used in the steps below -
Edit the harbor.yml configuration file
cd /home/harbor
mv harbor.yml.tmpl harbor.yml   # rename the template
# review the settings that need changing
cat harbor.yml
...
...
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: pw.zixuanyun.com          ########## set the registry's domain name; it must match the certificate and the name clients log in with
########### disable HTTP access
#http:                               ########## comment this line out
  # port for http, default is 80. If https enabled, this port will redirect to https port
  #port: 80                          ########## comment this line out
########### enable HTTPS access
# https related config
https:                               ######### uncomment
  # https port for harbor, default is 443
  port: 443                          ######### uncomment
  # The path of cert and key files for nginx
  certificate: /home/harbor/certs/harbor.crt    ######### uncomment and fill in the real path
  private_key: /home/harbor/certs/harbor.key    ######### uncomment and fill in the real path
...
...
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345  ######### admin login password
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123                 ######### database password
# The default data volume
data_volume: /home/harbor/data      ######### create this directory yourself; adjust to your setup
As shown below:
-
Create the data directory and the certificate directory (the paths must match data_volume and certificate/private_key in harbor.yml)
mkdir -p /home/harbor/data
mkdir -p /home/harbor/certs -
Use openssl to create a self-signed certificate and its private key, saved under /home/harbor/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /home/harbor/certs/harbor.key -x509 -out /home/harbor/certs/harbor.crt -subj /C=CN/ST=BJ/L=BJ/O=DEVOPS/CN=www.hao.com -days 3650
Meaning of the options
req        certificate request command
-newkey    generate a new private key
rsa:4096   key size in bits
-nodes     leave the private key unencrypted
-sha256    use the SHA-2 hash algorithm
-keyout    file to write the newly created private key to
-x509      issue a self-signed X.509 certificate instead of a request; X.509 is the most widely used certificate format
-out       output file name
-subj      subject (owner) information
-days      validity period (3650 = ten years)
Note that this certificate identifies the server only through the Common Name; it carries no Subject Alternative Name, which is why newer Docker clients reject it with the "x509: certificate relies on legacy Common Name field" error handled at the end of this post.
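The following script is an added example and is not part of the original post. It builds the same kind of self-signed certificate as the command above but adds DNS and IP Subject Alternative Names, using an OpenSSL config file so that it works with the OpenSSL 1.0.2 shipped on CentOS 7 as well as newer releases. The host name www.hao.com and IP 192.168.50.50 are taken from the hosts entry earlier in the post; the output directory is a parameter, and cert_has_san and cert_subject are helper functions written for this example.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed Harbor certificate
# that carries Subject Alternative Names, so docker login does not fail with
# "x509: certificate relies on legacy Common Name field".
# Assumed values: host www.hao.com and IP 192.168.50.50 (the hosts entry in
# the post); the output directory is supplied by the caller.
set -eu

# make_harbor_cert HOST IP OUTDIR -> writes OUTDIR/harbor.key and OUTDIR/harbor.crt
make_harbor_cert() {
    host="$1"; ip="$2"; dir="$3"
    mkdir -p "$dir"
    cfg="$dir/openssl.cnf"
    # Same subject as the post's -subj, plus a v3 extension block with SANs.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
C  = CN
ST = BJ
L  = BJ
O  = DEVOPS
CN = $host

[v3_req]
subjectAltName = DNS:$host,IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$dir/harbor.key" -x509 -days 3650 \
        -config "$cfg" -extensions v3_req \
        -out "$dir/harbor.crt" 2>/dev/null
}

# cert_has_san CERT HOST -> exit status 0 if HOST appears as a DNS SAN in CERT.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_subject CERT -> prints the subject line, e.g. to confirm the CN.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone usage, writing to the directory harbor.yml points at:
# make_harbor_cert www.hao.com 192.168.50.50 /home/harbor/certs
# cert_has_san /home/harbor/certs/harbor.crt www.hao.com && echo "SAN present"
```

After generating the files this way, the rest of the procedure is unchanged: harbor.yml keeps pointing at /home/harbor/certs/harbor.crt and harbor.key. The IP SAN lets clients that reach the registry by address (https://192.168.50.50) verify the certificate too, instead of having to disable verification.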
-
Check the certificate files
ls /home/harbor/certs
Output:
harbor.crt harbor.key -
Start the Harbor service
./install.sh   # run the install/start script from /home/harbor -
Add a local name-resolution entry on the client   # on Windows, open C:\Windows\System32\drivers\etc\hosts in Notepad and add the record 192.168.1.15 pw.zixuanyun.com
-
Open https://www.hao.com or https://192.168.50.50 in a browser; username admin, password Harbor12345
-
Create a user
-
Create a project named kolla
-
Add a member with the guest role
-
Add the registry address to the Docker daemon configuration
vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://hub-mirror.c.163.com/"],
  "insecure-registries": ["https://www.hao.com"]
}
Whatever is written here is what you must use to log in: a domain name here means logging in by domain name, a server IP here means logging in by IP. Note that an entry under insecure-registries makes the daemon accept that registry's certificate without verification (and fall back to plain HTTP), and that Docker strips the "https://" prefix itself with a warning, so the plain host name www.hao.com is the expected form. -
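The script below is an added example, not part of the original post. It shows the alternative Docker documents for a self-signed registry certificate: placing the certificate at /etc/docker/certs.d/<host>/ca.crt, so that the daemon trusts it while still verifying TLS, instead of listing the host under insecure-registries. It also writes a daemon.json with ASCII quotes for the cases where an insecure entry is still wanted, stripping the "https://" scheme that Docker only tolerates with a warning. The registry host name and mirror URL are the post's values; the Docker configuration root is a parameter (default /etc/docker) so the helpers can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original post): trust a self-signed Harbor
# certificate on a Docker client without disabling TLS verification.
# Assumptions: the registry host name is www.hao.com and its certificate is
# the harbor.crt generated on the server; ROOT defaults to /etc/docker and can
# be overridden so the helpers can be exercised in a scratch directory.
set -eu

# install_registry_ca HOST CERT [ROOT]
# Installs CERT as ROOT/certs.d/HOST/ca.crt. dockerd looks up this directory
# by the registry name used in image references (append :PORT to HOST when
# the registry runs on a non-default port, e.g. certs.d/www.hao.com:5000).
install_registry_ca() {
    host="$1"; cert="$2"; root="${3:-/etc/docker}"
    mkdir -p "$root/certs.d/$host"
    cp "$cert" "$root/certs.d/$host/ca.crt"
    chmod 644 "$root/certs.d/$host/ca.crt"
}

# strip_scheme URL -> host[:port]. daemon.json expects bare hosts or CIDRs;
# dockerd removes a leading "https://" or "http://" itself but logs a
# warning on every start.
strip_scheme() {
    printf '%s\n' "$1" | sed -e 's#^https://##' -e 's#^http://##'
}

# write_daemon_json OUT MIRROR [INSECURE_REGISTRY...]
# Writes a minimal daemon.json with ASCII quotes; the curly quotes that
# copy-paste often introduces are invalid JSON and keep dockerd from starting.
write_daemon_json() {
    out="$1"; mirror="$2"; shift 2
    list=""
    for r in "$@"; do
        r=$(strip_scheme "$r")
        list="${list:+$list, }\"$r\""
    done
    {
        printf '{\n  "registry-mirrors": ["%s"]' "$mirror"
        if [ -n "$list" ]; then
            printf ',\n  "insecure-registries": [%s]' "$list"
        fi
        printf '\n}\n'
    } > "$out"
}

# Stand-alone usage on a client machine (paths assumed):
# install_registry_ca www.hao.com /path/to/harbor.crt
# write_daemon_json /etc/docker/daemon.json https://hub-mirror.c.163.com/
# systemctl restart docker
```

With the certificate installed under certs.d, the registry stays out of insecure-registries and `docker login https://www.hao.com` verifies the server certificate like any public one; the insecure list then only needs entries for registries that genuinely serve plain HTTP.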
Restart the Docker service
systemctl daemon-reload && systemctl restart docker && systemctl status docker
Log in to the registry from another server; default admin username: admin, password: Harbor12345
Login address
Full login syntax: docker login -u <user> -p <password> <server IP>:<port>
docker login https://www.hao.com
Output:
(default admin username: admin, password: Harbor12345)
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
- Restart the Harbor service
cd /home/harbor/
docker-compose stop
systemctl stop docker
systemctl daemon-reload
systemctl start docker
docker-compose start
# Method 1:
Pull the image locally
docker pull kolla/centos-source-almanach-api:train
Tag the image for the private registry (the registry name in the tag must be the one you log in with)
docker tag kolla/centos-source-almanach-api:train www.hao.com/kolla/centos-source-almanach-api:train
Push the image into the kolla project on Harbor
docker login https://www.hao.com -u admin -p Harbor12345
docker push www.hao.com/kolla/centos-source-almanach-api:train
It is best to pull with an explicit version tag; otherwise the downloaded image may end up with a tag of none.
Handling the docker login error "x509: certificate relies on legacy Common Name field"
- Symptom
Logging in to the Harbor registry server:
docker login https://reg.rundba.com
fails with an error like:
Error response from daemon: Get "https://reg.rundba.com/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
- Resolution
The cause is a certificate without Subject Alternative Names, which recent Docker builds no longer match on the Common Name alone; reissuing the certificate with a SAN fixes the root cause, and the steps below are the workaround of telling the daemon not to verify that registry.
1) Stop Harbor
docker-compose stop
2) Edit the configuration
Add the registry to /etc/docker/daemon.json as an insecure registry:
"insecure-registries": ["https://www.hao.com"]
Full configuration for reference:
[root@reg docker]# cat daemon.json
{
  "registry-mirrors": ["https://ul2pzi84.mirror.aliyuncs.com"],
  "insecure-registries": ["https://www.hao.com"]
}
See the end of this post for configuring multiple registries.
3) Reload the configuration and restart Docker
systemctl daemon-reload && systemctl restart docker
4) Start Harbor [optional]
docker-compose start
- Logging in works again
Logging in over https also works, e.g.
[root@reg docker]# docker login https://www.hao.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
- Configuring multiple registries
You can allow every registry:
"insecure-registries": ["0.0.0.0/0"]   # reaches any registry without verification, but is insecure
e.g.:
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://du3ia00u.mirror.aliyuncs.com"],
  "live-restore": true,
  "log-driver": "json-file",
  "log-opts": {"max-size": "500m", "max-file": "3"},
  "storage-driver": "overlay2",
  "insecure-registries": ["0.0.0.0/0"]
}
The safer approach is to list only the specific registries, e.g.:
"insecure-registries": ["https://reg.rundba.com", "http://registry.aliyuncs.com"]
- End -