目录
1.环境
h132,h133,h134,h135,h136
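#######################################
# Download the cfssl R1.2 tool set into /usr/bin.
# Each binary is fetched to a temp file and its sha256 compared with the
# value published for the release before it is installed, instead of
# writing an unverified download straight into /usr/bin.  Set
# CFSSL_SHA256, CFSSLJSON_SHA256 and CFSSL_CERTINFO_SHA256 from the
# upstream checksum list first (placeholders: the script stops if unset).
# Arguments: $1 - upstream file name, $2 - install path, $3 - expected sha256
# Returns:   0 on success, 1 on download / checksum / install failure
#######################################
install_cfssl_binary() {
  local name=$1 dest=$2 expected=$3
  local tmp
  tmp=$(mktemp) || return 1
  if ! wget -q "https://pkg.cfssl.org/R1.2/${name}" -O "$tmp" \
      || ! printf '%s  %s\n' "$expected" "$tmp" | sha256sum -c --quiet -; then
    printf 'failed to fetch or verify %s\n' "$name" >&2
    rm -f -- "$tmp"
    return 1
  fi
  # install(1) sets the mode in one step, replacing the separate chmod +x.
  install -m 0755 -- "$tmp" "$dest" && rm -f -- "$tmp"
}

install_cfssl_binary cfssl_linux-amd64 /usr/bin/cfssl \
  "${CFSSL_SHA256:?placeholder - sha256 of cfssl_linux-amd64 from the R1.2 release}"
install_cfssl_binary cfssljson_linux-amd64 /usr/bin/cfssl-json \
  "${CFSSLJSON_SHA256:?placeholder - sha256 of cfssljson_linux-amd64 from the R1.2 release}"
install_cfssl_binary cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo \
  "${CFSSL_CERTINFO_SHA256:?placeholder - sha256 of cfssl-certinfo_linux-amd64 from the R1.2 release}"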
2.签发证书
目标主机:h136
步骤1:
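# Create the working directory for the PKI material.  It will hold the
# root CA private key (ca-key.pem), so it is created owner-only (0700);
# -p makes the step re-runnable, and the cd is checked so that later
# commands cannot silently run in the wrong directory.
mkdir -p -m 0700 /opt/certs
cd /opt/certs || exit 1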
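# Create the root CA certificate signing request.
# Written with a quoted heredoc so the step is reproducible and scriptable
# instead of relying on an interactive editor; the content is the same CSR.
cat > ca-csr.json <<'EOF'
{
  "CN": "OldboyEdu",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "od",
      "OU": "ops"
    }
  ],
  "ca": {
    "expiry": "175200h"
  }
}
EOF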
###CN-域名,非常重要,浏览器使用该字段验证网站是否合法
###C-国家 ST-省 L-地区、城市 O-组织or公司名称 OU-组织单位名称or公司部门
步骤2,生成证书及私钥:
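# Generate the root CA certificate and private key from ca-csr.json.
# cfssl emits the key material as JSON; cfssl-json turns it into files.
# The pipeline runs with pipefail in a subshell so a cfssl failure is not
# masked by cfssl-json's exit status (and the option does not leak out).
cd /opt/certs || exit 1
(set -o pipefail; cfssl gencert -initca ca-csr.json | cfssl-json -bare ca) || exit 1
# Outputs: ca.csr, ca-key.pem (root CA private key), ca.pem (root certificate).
# Make sure the private key is readable by its owner only, whatever the
# tool's own default permissions are.
chmod 0600 ca-key.pem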
###最后生成的文件为ca.csr ca-key.pem(根证书私钥) ca.pem(根证书)
3.部署docker
目标主机:h134,h135,h136
docker-ce安装
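# Install docker-ce with Docker's convenience script, using the Aliyun mirror.
# The script is saved to a temp file first so it can be inspected before it
# runs with root privileges, rather than piped straight from the network
# into bash.  -L follows redirects; the original "-l" is curl's FTP
# list-only flag and was a typo.
get_docker=$(mktemp) || exit 1
curl -fsSL https://get.docker.com -o "$get_docker" || exit 1
# Review "$get_docker" here if desired, then run it with the same arguments
# the original "bash -s docker --mirror Aliyun" passed.
bash "$get_docker" docker --mirror Aliyun
rm -f -- "$get_docker"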
/etc/docker/daemon.json
###注意bip的ip在3台机子上各不相同:172.7.134.1/24、172.7.135.1/24、172.7.136.1/24
###insecure-registries会关闭对所列仓库的TLS校验:harbor.od.com列入是因为它只通过http提供服务;公网仓库(registry.access.redhat.com、quay.io)本身提供有效的TLS证书,无需列入
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.135.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
4.部署harbor
4.1安装
目标主机:h136
Tags · goharbor/harbor · GitHub
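# Fetch and unpack the Harbor offline installer.  The tree is kept under a
# versioned directory with /opt/harbor as a symlink, so a later upgrade only
# has to move the link.  The version is a single variable so the step can be
# reused for other releases.
harbor_ver=2.2.0
mkdir -p /opt/src
cd /opt/src || exit 1
wget "https://github.com/goharbor/harbor/releases/download/v${harbor_ver}/harbor-offline-installer-v${harbor_ver}.tgz" || exit 1
# NOTE(review): the release page also publishes a detached signature for this
# archive; verifying it before unpacking is recommended - TODO confirm the
# signing key fingerprint against the Harbor project documentation.
tar -zxf "harbor-offline-installer-v${harbor_ver}.tgz" -C /opt/ || exit 1
mv /opt/harbor "/opt/harbor-${harbor_ver}"
# -sfn replaces an existing /opt/harbor link instead of creating the new
# link inside the directory it points to.
ln -sfn "/opt/harbor-${harbor_ver}/" /opt/harbor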
cd /opt/harbor 后编辑 harbor.yml,以下参数必须修改:
hostname、port、harbor_admin_password,data_volume,location
hostname: harbor.od.com
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 280
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
# NOTE(review): the two paths below point at the root CA's own certificate and private key
# (ca.pem / ca-key.pem from step 2). That reuses the CA signing key as a TLS server key, and with
# the empty "hosts" list in ca-csr.json the certificate carries no name for harbor.od.com.
# Issue a separate server certificate signed by that CA and reference it here instead.
certificate: /opt/certs/ca.pem
private_key: /opt/certs/ca-key.pem
harbor_admin_password: Harbor12345
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 50
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 1000
data_volume: /data/harbor
trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# insecure The flag to skip verifying registry certificate
# NOTE(review): true turns off TLS verification when Trivy talks to the registry; presumably set
# here because the registry is reached over plain http / an untrusted certificate - switch it back
# to false once a trusted server certificate is in place.
insecure: true
# github_token The GitHub access token to download Trivy DB
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
#
# github_token: xxx
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 10
chart:
# Change the value of absolute_url to enabled can enable absolute url in chart
absolute_url: disabled
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /data/harbor/logs
# Uncomment following lines to enable external syslog endpoint.
# external_endpoint:
# # protocol used to transmit log to external endpoint, options is tcp or udp
# protocol: tcp
# # The host of external endpoint
# host: localhost
# # Port of external endpoint
# port: 5140
_version: 2.2.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
安装docker-compose(harbor的必要依赖)
# docker-compose is required by Harbor's installer; -y answers the prompts.
yum -y install docker-compose
接下来可以继续安装harbor
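# Run the Harbor installer from its own directory.  The cd is checked so a
# failed change of directory cannot end up executing some other ./install.sh.
cd /opt/harbor || exit 1
./install.sh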
harbor安装完毕,检查容器是否正常
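# List the Harbor containers.  docker-compose resolves its compose file from
# the current directory, so the check is run inside /opt/harbor explicitly
# (in a subshell, so the caller's directory is untouched) rather than
# depending on where the previous step left the shell.
(cd /opt/harbor && docker-compose ps)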
4.2 安装nginx
目标主机:h136
这里安装nginx是为了对harbor的180端口进行代理,以方便用http://harbor.od.com即可对harbor进行访问(注意:nginx中proxy_pass的端口必须与harbor.yml里http.port的值保持一致)(PS:需要在h133的/var/named/od.com.zone下添加harbor的A记录,还需注意修改这个文件需要对serial序号进行手动+1操作,这里不做展示)
# Install nginx, which fronts Harbor on port 80; -y answers the prompts.
yum -y install nginx
编辑/etc/nginx/conf.d/harbor.od.com.conf
server {
listen 80;
server_name harbor.od.com;
client_max_body_size 1000m;
location / {
proxy_pass http://127.0.0.1:180;
}
}
检查nginx配置文件
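# Validate the configuration, then enable and (re)start nginx.  The original
# only tested the config and never started the service, so the curl check
# that follows could not succeed on a fresh install.  restart works whether
# or not nginx is already running.
nginx -t || exit 1
systemctl enable nginx
systemctl restart nginx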
测试
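# Smoke-test the proxy: print only the HTTP status code of the front page
# instead of dumping the whole HTML body to the terminal.
curl -sS -o /dev/null -w '%{http_code}\n' http://harbor.od.com/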
4.3 操作harbor
1.登录harbor.od.com页面
2.在h136上拉取nginx
# Pull the public nginx image that will be re-tagged into the private registry.
docker image pull nginx:1.7.9
3.将拉取的公网nginx image打上一个tag
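# Tag the pulled image for the private registry.  Tagging by name:tag
# instead of by image id keeps the step copy-pastable without first looking
# the id up in `docker images`.  The "public" path segment is the project of
# the same name in the self-hosted Harbor.
docker tag nginx:1.7.9 harbor.od.com/public/nginx:v1.7.9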
4.修改docker登录的用户名及密码
5.将nginx image推送到自建harbor
# Push the re-tagged image to the self-hosted Harbor "public" project.
docker image push harbor.od.com/public/nginx:v1.7.9
6.推送后在harbor.od.com页面中,可看到nginx