Installing the Harbor image registry

Official installation guide: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md

Hardware and software requirements

Hardware

| Resource | Capacity | Description |
| --- | --- | --- |
| CPU | minimal 2 CPU | 4 CPU is preferred |
| Mem | minimal 4GB | 8GB is preferred |
| Disk | minimal 40GB | 160GB is preferred |

Software

| Software | Version | Description |
| --- | --- | --- |
| Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine | version 1.10 or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |

Network ports

| Port | Protocol | Description |
| --- | --- | --- |
| 443 | HTTPS | Harbor UI and API will accept requests on this port for https protocol |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
| 80 | HTTP | Harbor UI and API will accept requests on this port for http protocol |

Download the installer

Download the installer from https://github.com/vmware/harbor/releases; it comes in offline and online versions. Download it on the server with wget.

Online installer:

    $ tar xvf harbor-online-installer-<version>.tgz

Offline installer:

    $ tar xvf harbor-offline-installer-<version>.tgz

Edit harbor.cfg

Set the hostname

hostname = 192.168.11.237

If port 80 has been changed, for example to 8880, this must be changed to:

hostname = 192.168.11.237:8880

If HTTPS is used, change it as follows (8843 is the HTTPS port, which has already been changed):

hostname = 192.168.11.237:8843

Edit the DB settings (optional)

Harbor DB configuration section
#The address of the Harbor database. Only need to change when using external db.
db_host = 192.168.11.237
#The password for the root user of Harbor DB. Change this before any production use.
db_password = root

To change parameters again later, run the following:

sudo docker-compose down -v
vim harbor.cfg
sudo ./prepare
sudo docker-compose up -d

If Harbor only has HTTP enabled, the following configuration is needed, because Docker communicates over HTTPS by default:

/etc/docker/daemon.json
{
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-driver": "json-file",
    "insecure-registries": ["192.168.11.237:8880"],
    "log-opts": {
      "max-size": "10m"
    }
}

Restart Docker

systemctl daemon-reload
systemctl restart docker.service

Run the installation

To use HTTPS, configure HTTPS first, before running the installer:

./install.sh

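Enable HTTPS

Official documentation: https://github.com/vmware/harbor/blob/master/docs/configure_https.md

Create the directories

# working directory for the CA files; the name matches the /root/harbor_https path used in the copy step
mkdir -p /root/harbor_https
mkdir -p /root/cert/
cd /root/harbor_https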

Generate the CA certificate

  openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
    -x509 -days 365 -out ca.crt

Generate a certificate signing request

  openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key \
    -out yourdomain.com.csr

This example uses:

openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout bjy.key \
    -out bjy.csr

Generate the certificate for your host

If you use a domain name, run this directly:

  openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yourdomain.com.crt

If you only use IP + port, the following is additionally required:

  echo subjectAltName = IP:192.168.11.237 > extfile.cnf

  openssl x509 -req -days 365 -in bjy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out bjy.crt

Put the certificate and key in the /root/cert directory

  cp bjy.crt /root/cert/
  cp bjy.key /root/cert/ 

Edit harbor.cfg

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /root/cert/bjy.crt
ssl_cert_key = /root/cert/bjy.key

Copy the CA certificate to the Docker certificate directory

  mkdir -p /etc/docker/certs.d/192.168.11.237:8843

  cp /root/harbor_https/ca.crt /etc/docker/certs.d/192.168.11.237:8843/ca.crt
  
  On other hosts, it can be done as follows:
  rsync -a --rsync-path="mkdir -p /etc/docker/certs.d/192.168.11.237:8843/ && rsync" /root/harbor_https/ca.crt root@192.168.12.98:/etc/docker/certs.d/192.168.11.237:8843/ca.crt

Restart

docker-compose down  
./prepare
docker-compose up -d

Change the ports

The official documentation covers this in detail: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md

HTTP

  1. Change port 80 to 8888
proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 8888:80
      - 443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
  2. Edit harbor.cfg
hostname = 192.168.0.2:8888

HTTPS

  1. Change the port to 8888
proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 80:80
      - 8888:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:  
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
  2. Edit harbor.cfg
hostname = 192.168.0.2:8888
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
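
The following added example, which is not from the original post or the Harbor project, checks a harbor.cfg and a Docker daemon.json for the settings this guide touches: the default db_password, ui_url_protocol, the ssl_cert paths and insecure-registries. The function name audit and the sample inputs are constructed for illustration.

```python
import configparser
import json

def audit(harbor_cfg_text, daemon_json_text):
    """Return findings for a harbor.cfg / Docker daemon.json pair."""
    # harbor.cfg has no [section] header; add a dummy one so configparser accepts it.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string("[harbor]\n" + harbor_cfg_text)
    cfg = cp["harbor"]
    hostname = cfg.get("hostname", "").strip()
    findings = []
    if cfg.get("db_password", "").strip() == "root":
        findings.append("db_password is still the default 'root'")
    # The harbor.cfg comment quoted above says the protocol defaults to http.
    if cfg.get("ui_url_protocol", "http").strip().lower() != "https":
        findings.append("ui_url_protocol is not https")
    elif not (cfg.get("ssl_cert", "").strip() and cfg.get("ssl_cert_key", "").strip()):
        findings.append("https is set but ssl_cert / ssl_cert_key is missing")
    for reg in json.loads(daemon_json_text).get("insecure-registries", []):
        own = " (this Harbor host)" if reg == hostname else ""
        findings.append(f"insecure-registries entry {reg}{own}: TLS is not enforced")
    return findings

# Constructed sample inputs, modelled on the HTTP-only and HTTPS setups above.
HTTP_CFG = """
hostname = 192.168.11.237:8880
#The password for the root user of Harbor DB. Change this before any production use.
db_password = root
"""
HTTP_DAEMON = '{"log-driver": "json-file", "insecure-registries": ["192.168.11.237:8880"]}'

HTTPS_CFG = """
hostname = 192.168.11.237:8843
ui_url_protocol = https
ssl_cert = /root/cert/bjy.crt
ssl_cert_key = /root/cert/bjy.key
db_password = <constructed-placeholder>
"""
HTTPS_DAEMON = '{"log-driver": "json-file"}'

if __name__ == "__main__":
    for name, cfg, daemon in [("http-only", HTTP_CFG, HTTP_DAEMON),
                              ("https", HTTPS_CFG, HTTPS_DAEMON)]:
        print(name, audit(cfg, daemon) or "no findings")
```

The HTTP-only pair yields three findings, and the HTTPS pair yields none once the database password is changed and the insecure-registries entry is dropped.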

Harbor logs

tail -f  /var/log/harbor/adminserver.log