Moved to CNBLOG; I prefer CNBLOG's blog service: http://www.cnblogs.com/bytefish/p/8452190.html
Document version: 20180216
I recently installed Harbor successfully on Ubuntu Linux 14.04 and CentOS Linux 7.4. The procedure is written up below for reference:
Create the docker group:
sudo groupadd docker
Add the current user to the docker group (membership in the docker group is equivalent to root on the host, so grant it only to accounts that should have that):
sudo gpasswd -a ${USER} docker
Restart the docker service (the command below is for CentOS 7):
sudo systemctl restart docker
Log the current user out and back in.
I. Download the Harbor installation files:
1. Harbor project home page: https://github.com/vmware/harbor/
2. See README.md; the installation instructions are in the "Installation & Configuration Guide" it references:
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
3. README.md states that master is the development branch and may be unstable, so download an official release:
https://github.com/vmware/harbor/releases
To simplify installation, choose the binary package. The domestic (China) mirror currently only carries the binary offline installer, about 800 MB; I downloaded the latest version, 1.4.0:
harbor-offline-installer-v1.4.0.tgz
MD5: 6161843c84c9944a08765c129ba44617
4. After extracting harbor-offline-installer-v1.4.0.tgz, it turns out to contain harbor.v1.4.0.tar.gz, a compressed bundle of all the images at nearly 800 MB. To make it easier to upload to the server, I deleted harbor.v1.4.0.tar.gz and repacked the rest as harbor.bytefish.online-installer-v1.4.0.tgz, about 32 KB.
5. Upload harbor.bytefish.online-installer-v1.4.0.tgz to the server and extract it; a harbor directory is created in the current directory.
$ scp -i .ssh/id_rsa harbor.bytefish.online-installer-v1.4.0.tgz 用户名@docker.MySite.com:/路径/harbor.bytefish.online-installer-v1.4.0.tgz
$ ssh 用户名@docker.MySite.com -i .ssh/id_rsa
$ tar -zxf harbor.bytefish.online-installer-v1.4.0.tgz && cd harbor
II. Confirm server resources:
1. The official minimum and recommended server resources:
- Hardware:
  - CPU: minimum 2 CPUs, 4 CPUs preferred
  - Memory: minimum 4 GB, 8 GB preferred
  - Disk: minimum 40 GB, 160 GB preferred
- Software:
  - Python: version 2.7 or higher. Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default.
  - Docker engine: version 1.10 or higher. For installation instructions, please refer to: https://docs.docker.com/engine/installation/
  - Docker Compose: version 1.6.0 or higher. For installation instructions, please refer to: https://docs.docker.com/compose/install/
  - OpenSSL: latest preferred. Used to generate certificates and keys for Harbor.
- Network ports:
  - 443 HTTPS: Harbor UI and API accept HTTPS requests on this port
  - 4443 HTTPS: connections to the Docker Content Trust (Notary) service for Harbor; only needed when Notary is enabled
  - 80 HTTP: Harbor UI and API accept HTTP requests on this port
2. Confirm the server's docker version:
$ docker version
3. Confirm the docker-compose, Python and OpenSSL versions:
$ docker-compose version
4. Confirm the hardware:
$ cat /proc/cpuinfo
$ free
5. Confirm whether the network ports are already in use:
$ ss -tna
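The checks in steps 1 to 5 as one script, added here as an example and not part of the original post. It uses the thresholds from the table above; version_ge and busy_ports work on plain text (tried here against a constructed `ss -tna` sample), and check_host runs the real commands when the script is called with --run.

```shell
#!/bin/sh
# Added example (not from the original post): checks the Harbor 1.4 host prerequisites
# above: Docker >= 1.10, docker-compose >= 1.6.0, Python >= 2.7, >= 2 CPUs, >= 4 GB RAM,
# and ports 80/443/4443 not already in use.

# version_ge A B: true when dotted version A >= B, compared field by field,
# so 1.10 >= 1.9 holds (a plain string compare would get it wrong).
version_ge() {
    a=${1%%-*}; b=${2%%-*}                 # drop suffixes such as "17.12.0-ce"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}; x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# busy_ports SS_OUTPUT: given the text of `ss -tna`, print those of the Harbor
# ports (80, 443, 4443) that already have a LISTEN socket; empty = all free.
busy_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, f, ":"); p = f[n] + 0      # port is the last ":"-field
        if (p == 80 || p == 443 || p == 4443) print p }' | sort -un
}

# Constructed sample of `ss -tna` output: sshd plus listeners on :80 and :443.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      128    *:80                *:*
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51234
LISTEN 0      128    [::]:443            [::]:*'

# check_host: run the real checks on this machine and print PASS/FAIL lines.
check_host() {
    dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    cv=$(docker-compose version --short 2>/dev/null)
    pv=$(python -c 'import sys; print("%d.%d" % sys.version_info[:2])' 2>/dev/null)
    mem=$(awk '/^MemTotal/ { printf "%d", $2 / 1048576 + 0.5 }' /proc/meminfo)
    version_ge "${dv:-0}" 1.10  && echo "PASS docker $dv"  || echo "FAIL docker '$dv' (need >= 1.10)"
    version_ge "${cv:-0}" 1.6.0 && echo "PASS compose $cv" || echo "FAIL docker-compose '$cv' (need >= 1.6.0)"
    version_ge "${pv:-0}" 2.7   && echo "PASS python $pv"  || echo "FAIL python '$pv' (need >= 2.7)"
    [ "$(nproc)" -ge 2 ] && echo "PASS cpus $(nproc)" || echo "FAIL cpus $(nproc) (need >= 2)"
    [ "$mem" -ge 4 ] && echo "PASS mem ${mem}G" || echo "FAIL mem ${mem}G (need >= 4G)"
    busy=$(busy_ports "$(ss -tna)")
    [ -z "$busy" ] && echo "PASS ports 80/443/4443 free" || echo "FAIL ports in use: $(echo $busy)"
}

if [ "${1:-}" = --run ]; then check_host; fi    # e.g. sh harbor_precheck.sh --run
```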
III. Edit the configuration file and install:
1. Edit the harbor.cfg file in the harbor directory, changing the following:
- hostname = docker.MySite.com
- # The email service parameters can also be configured from the web UI after installation:
- email_identity =
- email_server = smtp.mailserver.com
- # mailserver port
- email_server_port = 25
- email_username = username@mailserver.com
- email_password = 邮件服务密码
- email_from = admin
- email_ssl = true
- email_insecure = false
- harbor_admin_password = 设置一个管理员密码
- db_password = 设置一个mysql的密码
- # self_registration defaults to on; it applies to database authentication, where visitors can register themselves. Self-registration is not possible with LDAP authentication:
- self_registration = off
2. Run install.sh as root (the script creates the /data directory and related files at the root of the filesystem). It downloads the required docker images automatically and completes the installation:
~/harbor$ sudo ./install.sh
3. The containers start automatically. You can now open http://docker.MySite.com in a browser and log in with the administrator account admin.
IV. Configure LDAP:
1. Log in to http://docker.MySite.com as admin, click "Administration" then "Configuration", set "Auth Mode" to LDAP and fill in the parameters:
- LDAP URL : ldap://MySite.com
- LDAP Search DN : cn=admin,dc=MySite,dc=com
- LDAP Search Password : password
- LDAP Base DN : dc=MySite,dc=com
- LDAP Filter : (|(objectclass=inetOrgPerson))
- LDAP UID attribute : uid
- LDAP Scope : Subtree
- LDAP Verify Cert : (testing found that LDAP login works whether or not "LDAP Verify Cert" is checked; to be verified again. Note that the URL above is plain ldap:// rather than ldaps://, so no TLS is used, there is no server certificate for the option to check, and the search and user passwords cross the network unencrypted.)
2. Click the "Test LDAP Server" button; on success the browser shows a message at the top that the connection to the LDAP server is OK.
3. LDAP accounts can now log in to the web UI, but docker login still fails; the site's HTTPS certificate must be configured first.
V. Configure the HTTPS certificate:
1. Installation guide:
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
2. In the /home/ubuntu/harbor directory run docker-compose down to stop and remove the containers:
$ docker-compose down
3. I originally intended to install the certificate with Let's Encrypt's official certbot script (certbot.eff.org), but the script did not run successfully, presumably because nginx runs inside a container; it did, however, install some packages automatically. I then tried fetching letsencrypt via git and installing from there:
$ git clone https://github.com/letsencrypt/letsencrypt
4. Enter the letsencrypt directory and generate the certificate:
$ cd letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone --email username@mailserver.com -d docker.MySite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker.MySite.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/docker.MySite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/docker.MySite.com/privkey.pem
   Your cert will expire on 2018-05-15. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
5. The certificate expires on 2018-05-15. The generated certificate files are in the /etc/letsencrypt/live/docker.MySite.com/ directory (as symlinks):
$ sudo ls /etc/letsencrypt/live/docker.MySite.com/ -l
lrwxrwxrwx 1 root root 40 Feb 14 23:30 cert.pem -> ../../archive/docker.MySite.com/cert1.pem
lrwxrwxrwx 1 root root 41 Feb 14 23:30 chain.pem -> ../../archive/docker.MySite.com/chain1.pem
lrwxrwxrwx 1 root root 45 Feb 14 23:30 fullchain.pem -> ../../archive/docker.MySite.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 Feb 14 23:30 privkey.pem -> ../../archive/docker.MySite.com/privkey1.pem
-rw-r--r-- 1 root root 543 Feb 14 23:30 README
chain.pem - all the certificates the browser needs except the server certificate itself, e.g. the root and intermediate certificates
fullchain.pem - the contents of cert.pem plus chain.pem
privkey.pem - the certificate's private key
6. Create a letsencrypt directory and copy the certificate files into it:
$ mkdir /home/ubuntu/harbor/letsencrypt/ && cd /home/ubuntu/harbor/letsencrypt/
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/fullchain1.pem docker.MySite.com.crt
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/privkey1.pem docker.MySite.com.key
7. Edit the /home/ubuntu/harbor/harbor.cfg configuration file:
- # set ui_url_protocol to https
- ui_url_protocol = https
- # set the certificate files
- ssl_cert = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.crt
- ssl_cert_key = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.key
8. Run the prepare script once as root, then bring the containers back up with docker-compose so they are recreated:
$ sudo /home/ubuntu/harbor/prepare
$ docker-compose up -d
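A renewal helper for the files set up in steps 5 to 8, added here as an example and not part of the original post or of Harbor. The copies in step 6 are taken from the numbered archive/...1.pem files, which are no longer the current ones after the first renewal (certbot writes fullchain2.pem, privkey2.pem, and so on); this script copies through the live/ symlinks with cp -L instead, then repeats steps 8. DOMAIN, HARBOR_DIR, LIVE_DIR and LE_AUTO are assumed paths for this host.

```shell
#!/bin/sh
# Added example (not from the original post): refresh Harbor's TLS files after
# a Let's Encrypt renewal and recreate the containers. Assumed paths, taken
# from section V above; adjust for your host.
DOMAIN=${DOMAIN:-docker.MySite.com}
HARBOR_DIR=${HARBOR_DIR:-/home/ubuntu/harbor}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}
LE_AUTO=${LE_AUTO:-$HOME/letsencrypt/letsencrypt-auto}

# install_cert LIVE DEST NAME: copy fullchain.pem and privkey.pem from LIVE
# into DEST as NAME.crt / NAME.key. cp -L dereferences the live/ symlinks, so
# the copy always follows the newest archive/...N.pem instead of a fixed
# cert1.pem. Returns 1 and copies nothing if either source is missing.
install_cert() {
    live=$1; dest=$2; name=$3
    [ -f "$live/fullchain.pem" ] && [ -f "$live/privkey.pem" ] || return 1
    mkdir -p "$dest" || return 1
    cp -L "$live/fullchain.pem" "$dest/$name.crt" || return 1
    cp -L "$live/privkey.pem" "$dest/$name.key" || return 1
    chmod 644 "$dest/$name.crt"
    chmod 600 "$dest/$name.key"       # the private key must not be world-readable
}

# cert_matches_key CRT KEY: true when the certificate's public key is the one
# belonging to KEY, so a cert and key from different renewals are never paired.
# Skipped (returns 0) when openssl is not installed.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 0
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# refresh_harbor: stop Harbor (frees port 80 for the standalone http-01
# challenge recorded by the certonly run in step 4), renew, install the new
# files, regenerate the configs and restart. Needs root, like steps 4 and 8.
refresh_harbor() {
    cd "$HARBOR_DIR" || return 1
    docker-compose down || return 1
    "$LE_AUTO" renew || return 1
    install_cert "$LIVE_DIR" "$HARBOR_DIR/letsencrypt" "$DOMAIN" || return 1
    cert_matches_key "$HARBOR_DIR/letsencrypt/$DOMAIN.crt" \
                     "$HARBOR_DIR/letsencrypt/$DOMAIN.key" || return 1
    ./prepare || return 1             # rewrites the nginx config from the ssl_cert paths
    docker-compose up -d
}

if [ "${1:-}" = --run ]; then refresh_harbor; fi    # e.g. sudo sh harbor_renew.sh --run
```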
VI. Push an image:
1. Open http://docker.MySite.com in a browser, log in with an ordinary user account and create a new project "test".
2. Log in to docker.MySite.com from the client:
$ docker login docker.MySite.com
Username: bytefish
Password: 密码
Login Succeeded
3. Tag the image on the client, then push it to docker.MySite.com:
Format:
docker tag SOURCE_IMAGE[:TAG] docker.MySite.com/项目名称/IMAGE[:TAG]
docker push docker.MySite.com/项目名称/IMAGE[:TAG]
Example:
$ docker tag hello-world:latest docker.MySite.com/test/hello-world:test
$ docker push docker.MySite.com/test/hello-world:test
The push refers to a repository [docker.MySite.com/test/hello-world]
f999ae22f308: Mounted from library/hello-world
test: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524