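Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It provides access control and operations on top of Docker Registry. Harbor can integrate with Docker Registry and Clair to provide sophisticated image maintenance and security scanning features.
Deployment plan
10.142.70.143 | harbor | 18080 | Docker-compose |
The detailed Harbor deployment steps are as follows:
·Install docker
curl -fsSL https://get.docker.com | bash -s -- --mirror Aliyun
systemctl enable --now docker
·Deploy harbor with docker-compose
Install docker-compose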
sudo curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
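Harbor official website
https://goharbor.io/docs/2.4.0/
Download the harbor-offline-installer-v2.4.2.tgz package and extract it
https://github.com/goharbor/harbor/releases
Extraction creates a harbor directory in the current directory; copy harbor.yml from the template in that directory and then edit it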
cp harbor.yml.tmpl harbor.yml
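·Configure HTTPS for harbor (official method; optional on an internal network)
# Note: all domain names are mapped to IPs through hosts entries
1. Edit the hosts file (replace 192.168.8.8 with the IP of your own Harbor host; replace reg.bdyxzcxt.local with the domain name you want to configure)
echo "10.139.102.56 reg.bdyxzcxt.local" >> /etc/hosts
2. Change to the harbor directory to make the following steps easier.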
cd /opt/harbor
3. Generate the CA private key
openssl genrsa -out ca.key 4096
4. Generate the CA certificate (change the domain name to the one you chose above)
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.bdyxzcxt.local" \
  -key ca.key \
  -out ca.crt
5. Generate a server private key (change the domain name to the one you chose above)
openssl genrsa -out reg.bdyxzcxt.local.key 4096
6. Generate the certificate signing request (change the domain name to the one you chose above)
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.bdyxzcxt.local" -key reg.bdyxzcxt.local.key -out reg.bdyxzcxt.local.csr
7. Generate the x509 v3 extension file (change the domain name to the one you chose above)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=reg.bdyxzcxt.local
DNS.2=reg.bdyxzcxt.local
DNS.3=hostname
EOF
8. Use the v3.ext file to generate the certificate for your Harbor host (change the domain name to the one you chose above)
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in reg.bdyxzcxt.local.csr \
  -out reg.bdyxzcxt.local.crt
8. Create the /data/cert directory for harbor.yml to use
mkdir -p /data/cert
9. Copy the certificate and key to /data/cert (change the domain name to the one you chose above)
cp reg.bdyxzcxt.local.crt /data/cert/
cp reg.bdyxzcxt.local.key /data/cert/
10. Convert the certificate to the .cert form that docker uses (change the domain name to the one you chose above)
openssl x509 -inform PEM -in reg.bdyxzcxt.local.crt -out reg.bdyxzcxt.local.cert
11. Create the matching directory on the machine that runs docker (change the domain name to the one you chose above)
mkdir -p /etc/docker/certs.d/reg.bdyxzcxt.local/
12. Copy the certificates into that directory
cp reg.bdyxzcxt.local.cert /etc/docker/certs.d/reg.bdyxzcxt.local/
cp reg.bdyxzcxt.local.key /etc/docker/certs.d/reg.bdyxzcxt.local/
cp ca.crt /etc/docker/certs.d/reg.bdyxzcxt.local/
13. Configure harbor.yml (edit as shown below, using your own certificate)
hostname: reg.bdyxzcxt.local

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/reg.bdyxzcxt.local.crt
  private_key: /data/cert/reg.bdyxzcxt.local.key
14. Restart docker
systemctl restart docker
15. In the harbor directory, run the prepare script again
./prepare
16. Stop harbor
docker-compose down -v
17. Start harbor again
docker-compose up -d
18. Docker configuration
cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://1do67ezy.mirror.aliyuncs.com"],
  "experimental": true,
  "insecure-registries": ["https://reg.bdyxzcxt.local"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
19. Restart docker
systemctl restart docker
20. Log in to harbor with docker
docker login reg.bdyxzcxt.local
Seeing the success message means the login worked.
Enter 10.142.70.143:18080 in a browser to reach the Harbor web page.
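The certificate files produced in steps 3 to 8 can be checked before Docker and Harbor are restarted. The script below is an added example, not part of the original procedure or of Harbor: it checks that the server certificate chains to the CA, that the private key belongs to it, and that the registry name is in subjectAltName. The function names, the demo file names (server.key, server.crt) and the demo CA subject are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the files from steps 3-8.
# Current Go releases, which Docker is built with, ignore the CN and match the
# registry name against subjectAltName only, so the SAN entry from v3.ext matters.

# cert_chains_to_ca CA_CERT SERVER_CERT: succeeds if SERVER_CERT verifies against CA_CERT.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds if the private key belongs to the certificate.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_has_san CERT NAME: succeeds if NAME is an exact DNS entry in subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tr ',' '\n' | tr -d ' ' |
    grep -qxF "DNS:$2"
}

# check_harbor_cert CA_CERT SERVER_CERT SERVER_KEY NAME
# Prints one line per failed check; the exit status is the number of failures.
check_harbor_cert() {
  failures=0
  cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; failures=$((failures + 1)); }
  key_matches_cert "$3" "$2" || { echo "FAIL: $3 is not the key for $2"; failures=$((failures + 1)); }
  cert_has_san "$2" "$4" || { echo "FAIL: $4 is not in subjectAltName of $2"; failures=$((failures + 1)); }
  return "$failures"
}

# make_demo_pki DIR NAME: constructed sample input. Repeats steps 3-8 in DIR with
# 2048-bit keys, a 1-day lifetime and hypothetical file names, for a quick dry run.
make_demo_pki() {
  ( cd "$1" &&
    openssl genrsa -out ca.key 2048 &&
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=demo-ca" -key ca.key -out ca.crt &&
    openssl genrsa -out server.key 2048 &&
    openssl req -sha512 -new -subj "/CN=$2" -key server.key -out server.csr &&
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > v3.ext &&
    openssl x509 -req -sha512 -days 1 -extfile v3.ext -CA ca.crt -CAkey ca.key \
      -CAcreateserial -in server.csr -out server.crt
  ) >/dev/null 2>&1
}

# Usage: sh check.sh ca.crt reg.bdyxzcxt.local.crt reg.bdyxzcxt.local.key reg.bdyxzcxt.local
if [ "$#" -eq 4 ]; then check_harbor_cert "$@"; fi
```

When all three checks pass and ca.crt is in /etc/docker/certs.d/reg.bdyxzcxt.local/, Docker can verify the registry certificate. An insecure-registries entry like the one in step 18 instead tells Docker to accept an unverifiable certificate or fall back to HTTP for that registry, so it is not needed once the checks pass.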