Harbor 安装包下载
https://github.com/goharbor/harbor/releases
docker-compose工具下载安装
https://github.com/docker/compose/releases/
chmod +x /usr/local/bin/docker-compose
修改yml文件
hostname: 192.168.8.181
#https:
# # https port for harbor, default is 443
# port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
完整配置（其中 harbor_admin_password 和 database.password 为示例值，部署前应改为自己的密码）
[root@abc138cc harbor]# egrep -v "#|^$" harbor.yml
hostname: 192.168.8.181
http:
port: 80
harbor_admin_password: Harbor12345
database:
password: root123
max_idle_conns: 50
max_open_conns: 1000
data_volume: /data
clair:
updaters_interval: 12
trivy:
ignore_unfixed: false
skip_update: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.0.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- clair
- trivy
启动
#加载harbor配置
./prepare
#安装harbor
./install.sh
docker-compose up -d 启动
docker-compose stop 停止
docker-compose restart 重新启动
客户端需要配置（注意：/etc/docker/daemon.json 是严格 JSON，下面行尾的 # 注释只是说明，写入文件时必须去掉，否则 Docker 无法解析）
[root@docker178 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://0k0953tv.mirror.aliyuncs.com"], #加速器
"insecure-registries": ["192.168.8.181:80"] #私有仓储地址
}
客户端登录Harbor仓库
[root@JBJB harbor]# docker login 192.168.8.181:80
Username: jbjb
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
开启clair自动扫描
重新加载配置
[root@abc138cc harbor]# ./prepare --with-clair
重启生效
[root@abc138cc harbor]# docker-compose down && docker-compose up -d
1. 手动生成 SSL 证书（HTTPS 443 端口）
1 生成CA证书私钥
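# Generate the CA private key. Older OpenSSL releases (1.0.x) write this file
# world-readable, so restrict it: anyone holding ca.key can issue certificates
# that every client trusting ca.crt will accept.
openssl genrsa -out ca.key 4096
chmod 600 ca.key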
2.生成CA证书
# Self-signed CA certificate, valid 10 years, SHA-512 signature, signed with
# ca.key; -nodes means the key is used without a passphrase.
openssl req -new -x509 -nodes -sha512 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com"
3. 生成服务器证书,证书通常包含一个.crt文件和一个.key文件,例如yourdomain.com.crt和yourdomain.com.key
4. 生成私钥
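# Server (Harbor host) private key. Restrict permissions for the same reason
# as ca.key: OpenSSL 1.0.x creates the file world-readable.
openssl genrsa -out yourdomain.com.key 4096
chmod 600 yourdomain.com.key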
5.生成证书签名请求(CSR)
# Certificate signing request for the server key. yourdomain.com is a
# placeholder for the real Harbor host name (see the note above).
openssl req -new -sha512 -key yourdomain.com.key -out yourdomain.com.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com"
6. 生成一个x509 v3扩展文件
# x509 v3 extension file for the server certificate. The quoted delimiter
# keeps the content literal (no shell expansion); '-' still strips leading
# tabs as before. DNS.2/DNS.3 are placeholders for the host's other names.
cat > v3.ext <<-'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
7.使用该v3.ext文件为您的Harbor主机生成证书
# Sign the CSR with the CA, applying the v3 extensions from v3.ext (SAN etc.).
# -CAcreateserial creates the serial-number file on first use.
openssl x509 -req -sha512 -days 3650 -in yourdomain.com.csr -out yourdomain.com.crt \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile v3.ext
7. 将服务器证书和密钥复制到 Harbor 主机上的 certificates 文件夹中
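# Copy the server certificate and key to the directory that the https:
# certificate/private_key entries in harbor.yml are assumed to point at
# (/data/cert). Create it first; the original step assumed it already existed.
mkdir -p -- /data/cert
cp -- yourdomain.com.crt /data/cert/
cp -- yourdomain.com.key /data/cert/
# Only the key needs to be protected; the certificate is public.
chmod 600 /data/cert/yourdomain.com.key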
8. 转换yourdomain.com.crt为yourdomain.com.cert,供Docker使用
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
9. 将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。您必须首先创建适当的文件夹
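# Docker reads per-registry trust material from /etc/docker/certs.d/<registry>/.
# The directory is not created automatically (the text above says it must be
# created first), so create it before copying.
mkdir -p -- /etc/docker/certs.d/yourdomain.com
cp -- yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp -- yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp -- ca.crt /etc/docker/certs.d/yourdomain.com/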
如果将默认nginx端口443映射到其他端口,请创建文件夹/etc/docker/certs.d/yourdomain.com:port或/etc/docker/certs.d/harbor_IP:port
10. 重新启动Docker Engine
systemctl restart docker
开启ssl证书个人觉得harbor还不够成熟,就证书就要生成半天,希望官网尽早解决这个问题
官网参考链接
https://goharbor.io/docs/2.1.0/install-config/configure-https/#generate-a-certificate-authority-certificate
上面的手动生成我也觉得非常麻烦，推荐使用官网提供的自动生成证书镜像（goharbor/prepare:v2.1.2）
2. 使用 Harbor 官网提供的镜像自动生成 SSL 证书
官网链接
https://goharbor.io/docs/2.1.0/install-config/configure-internal-tls/
docker run --rm -v /etc/cert:/hostfs goharbor/prepare:v2.1.2 gencert -p /path/to/internal/tls/cert
只需要 harbor_internal_ca.crt 和 harbor_internal_ca.key 这两个文件即可
重新加载配置
./prepare
重启生效
docker-compose down && docker-compose up -d
客户端配置（注意：insecure-registries 会让 Docker 跳过对该仓库的证书校验；如果已经把 ca.crt 放到 /etc/docker/certs.d/ 下，就不需要再把仓库加入该列表）
#cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://0k0953tv.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.8.181"]
}
尝试登录
用一个 demo 镜像测试
[root@gitlab179 ~]# docker tag minio/minio:edge 192.168.8.181/kjbs/test:ea
[root@gitlab179 ~]# docker push 192.168.8.181/kjbs/test:ea
The push refers to repository [192.168.8.181/kjbs/test]
1dd1982f46a2: Pushed
4b5aaffec37c: Pushed
c0b95ab58f73: Pushed
636749e96b85: Pushed
6c81fc6c8bcb: Pushed
00af10937683: Pushed
3aa55ff7bca1: Pushed
ea: digest: sha256:41cbbed28e254e654d4f831b1536a475d5f8321ac2b16b3d84eb1690077d2dfa size: 1786
由于是自己生成的证书，出现警告是正常的