Installing the Harbor image registry
Official installation guide: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
Hardware and software requirements
Hardware
Resource | Capacity | Description |
---|---|---|
CPU | minimal 2 CPU | 4 CPU is preferred |
Mem | minimal 4GB | 8GB is preferred |
Disk | minimal 40GB | 160GB is preferred |
Software
Software | Version | Description |
---|---|---|
Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
Docker engine | version 1.10 or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
Docker Compose | version 1.6.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
OpenSSL | latest is preferred | Generate certificate and keys for Harbor |
Network ports
Port | Protocol | Description |
---|---|---|
443 | HTTPS | Harbor UI and API will accept requests on this port for https protocol |
4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
80 | HTTP | Harbor UI and API will accept requests on this port for http protocol |
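Download the installer
Download the installer from https://github.com/vmware/harbor/releases; offline and online packages are available. Use wget on the server to download it.
Online installer: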
$ tar xvf harbor-online-installer-<version>.tgz
Offline installer:
$ tar xvf harbor-offline-installer-<version>.tgz
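Edit harbor.cfg
Set the host
hostname = 192.168.11.237
If port 80 has been changed, for example to 8880, change it to:
hostname = 192.168.11.237:8880
If HTTPS is used, change it as follows (8843 is the HTTPS port, which has already been changed):
hostname = 192.168.11.237:8843
Edit the DB settings (optional; they can be left unchanged)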
Harbor DB configuration section
#The address of the Harbor database. Only need to change when using external db.
db_host = 192.168.11.237
#The password for the root user of Harbor DB. Change this before any production use.
db_password = root
To change parameters again later, run the following:
sudo docker-compose down -v
vim harbor.cfg
sudo ./prepare
sudo docker-compose up -d
If Harbor only has HTTP enabled, the following configuration is needed, because Docker communicates with registries over HTTPS by default:
/etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "insecure-registries": ["192.168.11.237:8880"],
  "log-opts": {
    "max-size": "10m"
  }
}
Restart Docker
systemctl daemon-reload
systemctl restart docker.service
Run the installation
To use HTTPS, enable HTTPS first.
./install.sh
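Enable HTTPS
Official documentation: https://github.com/vmware/harbor/blob/master/docs/configure_https.md
Create the directories
mkdir -p /root/harbor_https && cd /root/harbor_https
mkdir -p /root/cert/
Generate the CA certificate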
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ca.key \
-x509 -days 365 -out ca.crt
Generate the certificate signing request
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key \
-out yourdomain.com.csr
This example uses:
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout bjy.key \
-out bjy.csr
Generate the certificate for your own host
If you use a domain name, run directly:
openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yourdomain.com.crt
If the host is only reached by IP and port, add the following:
echo subjectAltName = IP:192.168.11.237 > extfile.cnf
openssl x509 -req -days 365 -in bjy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out bjy.crt
Put the certificate in the /root/cert directory
cp bjy.crt /root/cert/
cp bjy.key /root/cert/
Edit harbor.cfg
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /root/cert/bjy.crt
ssl_cert_key = /root/cert/bjy.key
Copy the certificate to the Docker directory
mkdir -p /etc/docker/certs.d/192.168.11.237:8843
cp /root/harbor_https/ca.crt /etc/docker/certs.d/192.168.11.237:8843/ca.crt
For other hosts, it can be done as follows:
rsync -a --rsync-path="mkdir -p /etc/docker/certs.d/192.168.11.237:8843/ && rsync" /root/harbor_https/ca.crt root@192.168.12.98:/etc/docker/certs.d/192.168.11.237:8843/ca.crt
Restart
docker-compose down
./prepare
docker-compose up -d
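The script below is an added example, not part of the original notes: it repeats the certificate steps above non-interactively in a temporary directory and shows why the subjectAltName extfile is needed for IP-based access. A certificate carrying only CN=192.168.11.237 chains to the CA but does not match the IP. The `-subj` values, the 2048-bit key size and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Everything is created in a throwaway temp directory.
IP=192.168.11.237   # registry address used on this page
BITS=2048           # demo only, to keep key generation quick; the page uses 4096

# make_ca DIR: self-signed CA, like the ca.key/ca.crt step.
make_ca() {
  openssl req -newkey "rsa:$BITS" -nodes -sha256 -keyout "$1/ca.key" \
    -x509 -days 365 -subj "/CN=demo-harbor-ca" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME [SAN]: CSR with CN=$IP, signed by the CA in DIR.
# A third argument is written to an extfile and passed with -extfile.
issue_cert() {
  dir=$1 name=$2 san=$3
  openssl req -newkey "rsa:$BITS" -nodes -sha256 -keyout "$dir/$name.key" \
    -subj "/CN=$IP" -out "$dir/$name.csr" 2>/dev/null || return 1
  [ -z "$san" ] || echo "subjectAltName = $san" > "$dir/$name.cnf"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    ${san:+-extfile} ${san:+"$dir/$name.cnf"} -out "$dir/$name.crt" 2>/dev/null
}

# chains_to_ca DIR NAME: succeeds if the certificate verifies against the CA.
chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# covers_ip CRT: succeeds only if an IP SAN equals $IP (the CN is not consulted).
covers_ip() {
  openssl x509 -noout -checkip "$IP" -in "$1" 2>&1 | grep -q 'does match'
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && issue_cert "$d" nosan && issue_cert "$d" withsan "IP:$IP" || return 1
  for n in nosan withsan; do
    chains_to_ca "$d" "$n" && c=yes || c=no
    covers_ip "$d/$n.crt" && s=yes || s=no
    echo "$n: chains_to_ca=$c ip_san_match=$s"
  done
  rm -rf "$d"
}
demo
```

The same `openssl verify -CAfile ca.crt bjy.crt` and `openssl x509 -noout -checkip 192.168.11.237 -in bjy.crt` checks can be run on the real files before they are copied to /root/cert.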
Changing the ports
The official guide is very detailed: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
HTTP
- Change 80 to 8888
  proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 8888:80
      - 443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
- Edit harbor.cfg
hostname = 192.168.0.2:8888
HTTPS
- Change the port to 8888
  proxy:
    image: library/nginx:1.11.5
    restart: always
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 80:80
      - 8888:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
- Edit harbor.cfg
hostname = 192.168.0.2:8888
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
Harbor logs
tail -f /var/log/harbor/adminserver.log