Building an SSL-enabled Harbor image registry

Software environment

Item              Description        Notes
Operating system  CentOS 7.6 1908    2 CPU cores, 4 GB RAM
Docker            20.10.6
Docker-compose    1.29.2
Harbor            2.2.2

Reference: the official Harbor "Installation Prerequisites" page.

Setting up the base environment

Install the operating system

After the OS installation, apply the following configuration:
Disable SELinux

  • Without rebooting:
    [root@localhost ~]# setenforce 0   # takes effect immediately, but is lost after a reboot
  • Edit the config file (requires a reboot):
    [root@localhost ~]# vim /etc/selinux/config
    change SELINUX=enforcing to SELINUX=disabled; this is permanent

Disable the firewall

systemctl disable firewalld
systemctl stop firewalld

If docker and docker-compose are already installed, restart docker after stopping firewalld (stopping firewalld flushes the iptables chains docker created); otherwise the Harbor installation fails with the following error:

ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-d9421562407e -j RETURN: iptables: No chain/target/match by that name.

Install docker

Install the yum-utils package

yum install -y yum-utils

Configure the Docker repository (using the Alibaba Cloud mirror)

yum-config-manager \
    --add-repo \
    http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

Refresh the yum package index

yum makecache fast

Install the latest Docker release

yum install docker-ce docker-ce-cli containerd.io

Start docker and enable it at boot

systemctl start docker
systemctl enable docker

Check the docker version

[root@harbor harbor]# docker version
Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:45:33 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:43:57 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Install docker-compose

Download
Download: docker-compose 1.29.2 for Linux

Move it into the PATH
Move the downloaded docker-compose binary into an executable path and make it executable:

mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Check the version

[root@harbor harbor]# docker-compose version
docker-compose version 1.29.2, build 5becea4c
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

Install and configure Harbor

Prepare a self-signed certificate

Official documentation: Configure HTTPS Access to Harbor
We create a script file named ssl.sh:

#!/bin/bash
# 1. Private CA: 4096-bit RSA key and a self-signed root certificate valid for 10 years
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Shanghai/L=Huangpu/O=VMware/OU=SE/CN=harbor.corp.tanzu" -key ca.key -out ca.crt
# 2. Server key and certificate signing request for the Harbor host
openssl genrsa -out harbor.corp.tanzu.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Shanghai/L=Huangpu/O=VMware/OU=SE/CN=harbor.corp.tanzu" \
-key harbor.corp.tanzu.key \
-out harbor.corp.tanzu.csr
# 3. x509 v3 extensions: the SAN list must contain every name clients will use,
#    because Docker validates the registry name against the SAN entries, not the CN
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.corp.tanzu
DNS.2=corp.tanzu
DNS.3=harbor
EOF
# 4. Sign the CSR with the CA, applying the extensions above
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.corp.tanzu.csr \
-out harbor.corp.tanzu.crt
# 5. Copy of the server certificate with the .cert extension, which is what harbor.yml references
openssl x509 -inform PEM -in harbor.corp.tanzu.crt -out harbor.corp.tanzu.cert

Running it produces the self-signed files; the comments after # in the listing below describe each one.


[root@harbor harbor]# ./ssl.sh
Generating RSA private key, 4096 bit long modulus
..................................................................++
............++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
..............................................++
.............................................................++
e is 65537 (0x10001)
Signature ok
subject=/C=CN/ST=Shanghai/L=Huangpu/O=VMware/OU=SE/CN=harbor.corp.tanzu
Getting CA Private Key
[root@harbor harbor]# ll
total 36
-rw-r--r--. 1 root root 2025 May 30 16:54 ca.crt  # self-signed root CA certificate; distribute to the clients that need it
-rw-r--r--. 1 root root 3247 May 30 16:54 ca.key  # CA private key
-rw-r--r--. 1 root root   17 May 30 16:54 ca.srl  # serial number file written by the CA
-rw-r--r--. 1 root root 2098 May 30 16:54 harbor.corp.tanzu.cert  # server certificate, referenced from harbor.yml
-rw-r--r--. 1 root root 2098 May 30 16:54 harbor.corp.tanzu.crt   # server certificate, same content as .cert
-rw-r--r--. 1 root root 1704 May 30 16:54 harbor.corp.tanzu.csr   # certificate signing request
-rw-r--r--. 1 root root 3243 May 30 16:54 harbor.corp.tanzu.key   # server private key, referenced from harbor.yml
-rwxr-xr-x. 1 root root  923 May 30 16:54 ssl.sh
-rw-r--r--. 1 root root  265 May 30 16:54 v3.ext  # extension configuration file

When Harbor starts it mounts a local directory for its configuration and image data, so we create a directory to hold the Harbor data.

mkdir /var/lib/harbor
mkdir /var/lib/harbor/cert

Copy the server certificate and key generated above into the cert directory (the file names must match the ones ssl.sh produced):

cp harbor.corp.tanzu.cert /var/lib/harbor/cert
cp harbor.corp.tanzu.key /var/lib/harbor/cert

Install Harbor

Download the offline installer from the Harbor release page and unpack it:
https://github.com/goharbor/harbor/releases/download/v2.2.2/harbor-offline-installer-v2.2.2.tgz

Unpack the installer into /opt:

tar zxvf harbor-offline-installer-v2.2.2.tgz -C /opt

Edit the configuration file
Enter /opt/harbor and make a copy of the configuration template:

cp harbor.yml.tmpl harbor.yml

Change the following lines in harbor.yml:

hostname: harbor.corp.tanzu   # must be one of the SAN names in the server certificate (the original post had harbor.vmlab.local here, which the certificate generated above does not cover)
certificate: /var/lib/harbor/cert/harbor.corp.tanzu.cert
private_key: /var/lib/harbor/cert/harbor.corp.tanzu.key
harbor_admin_password: VMware1!
data_volume: /var/lib/harbor
password: VMware1!   # database password, under the database: section
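The script below is an added example, written for this post; it is not part of the original post or of the Harbor project. It ties the two preceding steps together: it reads hostname, certificate and private_key from harbor.yml and checks that the certificate ssl.sh produced chains to ca.crt, that the key belongs to that certificate, that the hostname appears in the certificate's SAN list and that the certificate is usable for TLS servers. It assumes openssl and awk are installed and that harbor.yml keeps the layout shown above (a top-level hostname:, with certificate: and private_key: under https:). The function names (yaml_value, verify_harbor_cert, check_harbor_yml, gen_test_pki, demo_check), the host.crt/host.key file names and the harbor.yml contents in demo_check are all constructed for the example; demo_check builds a throwaway CA and server certificate the same way ssl.sh does, with 2048-bit keys to keep it fast.

```bash
#!/bin/bash
# Added example (not from the original post or the Harbor project):
# check that harbor.yml, the server certificate and its key agree before
# running install.sh. Assumes openssl and awk are installed and that
# harbor.yml keeps the layout shown above: a top-level "hostname:" and
# "certificate:" / "private_key:" under "https:".

# yaml_value FILE KEY -> prints the first "KEY: value" in FILE (indentation ignored)
yaml_value() {
    awk -v k="$2" '$1 == (k ":") { print $2; exit }' "$1"
}

# verify_harbor_cert CA_CRT HOST_CRT HOST_KEY HOSTNAME
# Succeeds only if HOST_CRT chains to CA_CRT, HOST_KEY is its private key,
# the subjectAltName lists HOSTNAME and extendedKeyUsage includes serverAuth.
verify_harbor_cert() {
    ca="$1"; crt="$2"; key="$3"; host="$4"

    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca"; return 1; }

    # compare the public key inside the certificate with the one derived from the key
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: $key is not the private key of $crt"; return 1; }

    # Docker matches the registry name against the SAN list, not the CN
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${host}(,|[[:space:]]|$)" \
        || { echo "FAIL: SAN of $crt does not list $host"; return 1; }
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: $crt lacks extendedKeyUsage serverAuth"; return 1; }
    return 0
}

# check_harbor_yml HARBOR_YML CA_CRT -> verify the files harbor.yml points at, for its hostname
check_harbor_yml() {
    host=$(yaml_value "$1" hostname)
    crt=$(yaml_value "$1" certificate)
    key=$(yaml_value "$1" private_key)
    [ -n "$host" ] && [ -n "$crt" ] && [ -n "$key" ] \
        || { echo "FAIL: hostname, certificate or private_key missing in $1"; return 1; }
    verify_harbor_cert "$2" "$crt" "$key" "$host"
}

# gen_test_pki HOSTNAME: constructed throwaway CA + server cert in the current
# directory, built the same way as ssl.sh above (2048-bit keys to keep it fast).
gen_test_pki() {
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -sha256 -days 365 -subj "/CN=Constructed Test CA" \
        -key ca.key -out ca.crt
    openssl genrsa -out host.key 2048
    openssl req -new -sha256 -subj "/CN=$1" -key host.key -out host.csr
    cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1, DNS:harbor
EOF
    openssl x509 -req -sha256 -days 365 -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial -in host.csr -out host.crt
}

# demo_check: a harbor.yml whose hostname matches the certificate must pass;
# one whose hostname is not in the SAN list (the harbor.vmlab.local /
# harbor.corp.tanzu mix-up) must be rejected.
demo_check() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && gen_test_pki harbor.corp.tanzu ) >/dev/null 2>&1 \
        || { echo "FAIL: could not build the test PKI"; rm -rf "$dir"; return 1; }
    cat > "$dir/good.yml" <<EOF
hostname: harbor.corp.tanzu
https:
  port: 443
  certificate: $dir/host.crt
  private_key: $dir/host.key
EOF
    sed 's/^hostname: .*/hostname: harbor.vmlab.local/' "$dir/good.yml" > "$dir/bad.yml"
    rc=0
    check_harbor_yml "$dir/good.yml" "$dir/ca.crt" || rc=1
    if check_harbor_yml "$dir/bad.yml" "$dir/ca.crt" >/dev/null; then
        echo "FAIL: mismatched hostname was accepted"; rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# usage: ./harbor-cert-check.sh --self-test
#    or: . ./harbor-cert-check.sh; check_harbor_yml /opt/harbor/harbor.yml ca.crt
if [ "${1:-}" = "--self-test" ]; then
    demo_check && echo "self-test passed"
fi
```

Run check_harbor_yml /opt/harbor/harbor.yml ca.crt from the directory holding ca.crt before starting ./install.sh; a hostname that is absent from the SAN list is reported here instead of surfacing later as a certificate error on docker push. On a client, verify_harbor_cert can be pointed at the ca.crt copied under /etc/docker/certs.d/ to confirm that the CA the client trusts is the one that actually issued the server certificate.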

Run the Harbor installer
Run the installer from the unpacked directory:

./install.sh --with-trivy

--with-trivy installs the Trivy vulnerability scanner

After installation the Harbor services start automatically. They can be stopped and started with the following commands (run in /opt/harbor):

docker-compose down   (stop the services)
docker-compose up -d  (start the services)
[root@harbor harbor]# ./install.sh --with-trivy

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.6

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.29.2

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-jobservice:v2.2.2
Loaded image: goharbor/harbor-exporter:v2.2.2
Loaded image: goharbor/nginx-photon:v2.2.2
Loaded image: goharbor/trivy-adapter-photon:v2.2.2
Loaded image: goharbor/prepare:v2.2.2
Loaded image: goharbor/harbor-db:v2.2.2
Loaded image: goharbor/harbor-registryctl:v2.2.2
Loaded image: goharbor/notary-server-photon:v2.2.2
Loaded image: goharbor/notary-signer-photon:v2.2.2
Loaded image: goharbor/redis-photon:v2.2.2
Loaded image: goharbor/registry-photon:v2.2.2
Loaded image: goharbor/chartmuseum-photon:v2.2.2
Loaded image: goharbor/harbor-portal:v2.2.2
Loaded image: goharbor/harbor-core:v2.2.2
Loaded image: goharbor/harbor-log:v2.2.2


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /opt/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/trivy-adapter/env
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir


Note: stopping existing Harbor instance ...
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping trivy-adapter     ... done
Stopping harbor-portal     ... done
Stopping redis             ... done
Stopping harbor-db         ... done
Stopping registry          ... done
Stopping registryctl       ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing trivy-adapter     ... done
Removing harbor-portal     ... done
Removing redis             ... done
Removing harbor-db         ... done
Removing registry          ... done
Removing registryctl       ... done
Removing harbor-log        ... done
Removing network harbor_harbor


[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl   ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating registry      ... done
Creating redis         ... done
Creating trivy-adapter     ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

Open the URL in a browser
(screenshot of the Harbor web UI omitted)

Pushing an image from a client

Official reference: Pulling and Pushing Images in the Docker Client
We use a CentOS client.
Install the CA certificate for the registry host (the directory name must be the registry host name used in docker push):

[root@localhost tanzu]# vim /etc/docker/certs.d/harbor.corp.tanzu/ca.crt

Its content is the ca.crt we generated earlier:

[root@harbor harbor]# cat ca.crt
-----BEGIN CERTIFICATE-----
...(certificate body omitted)...
-----END CERTIFICATE-----

After that, images can be pushed:

[root@localhost tanzu]# docker images
REPOSITORY                        TAG          IMAGE ID       CREATED       SIZE
wordpress                         4.8-apache   fcf3e41b8864   3 years ago   408MB
[root@localhost tanzu]# docker tag wordpress:4.8-apache harbor.corp.tanzu/library/wordpress:4.8-apache
[root@localhost tanzu]# docker push harbor.corp.tanzu/library/wordpress:4.8-apache
The push refers to repository [harbor.corp.tanzu/library/wordpress]
2ff5b2ab6416: Pushed
4f2aeb865fa0: Pushed
24605e7ca88b: Pushed
6594bf4ea5b9: Pushed
749e8aaa7dd4: Pushed
493137409f3e: Pushed
8933dc910eee: Pushed
61a961ab5d2b: Pushed
fa7f9311a060: Pushed
a9aa8861270e: Pushed
dcdbe9fe2ca1: Pushed
2f6273a5f133: Pushed
4c0354ed71f4: Pushed
2c3aa4e96952: Pushed
5cd2e0cfe892: Pushed
c3d26400d3ff: Pushed
37412c153883: Pushed
c01c63c6823d: Pushed
4.8-apache: digest: sha256:b40c224a95cd51d5af4d23a87bd2971805b858a35e03a24797f75b25b473d0a7 size: 4078

Check the result in Harbor
(screenshot of the repository in the Harbor web UI omitted)
The upload succeeded.
