Overview
We use Harbor as our Docker image registry.
There are several reasons:
- Harbor is brought up and maintained with Docker Compose, which is simple and convenient.
- Nginx is the entry gateway, so the relevant configuration options are familiar.
- Configuring HTTPS certificates on Nginx is straightforward.
- Harbor supports online garbage collection of deleted image layers, which matters a lot.
...
In one sentence: simple enough and convenient enough.
Environment Preparation
Host List
IP Address | Hosts | Disk | Comment |
---|---|---|---|
192.168.0.21 | harbor | 1TB | Docker Image Registry |
OS
We use CentOS as the host operating system; upgrade it to the latest stable 7.x release (CentOS 7 is sufficient, but 7.6 was the current stable release at the time of writing).
For the upgrade procedure, see my other article: http://www.reibang.com/p/3e3bc1f51332
Also upgrade the kernel to the latest stable version, 4.20:
[root@localhost ~]# uname -sr
Linux 4.20.0-1.el7.elrepo.x86_64
[root@localhost ~]#
Installation Steps
Download the Harbor installer
Harbor offers two installation methods, online and offline. Because the GitHub servers are abroad and many servers in China sit on internal networks (and even those with internet access download slowly), the recommended approach is to download the package externally and upload it to the intranet. Whichever way it arrives, verify the archive against the checksum or signature published with the release before extracting it: the offline package contains every container image Harbor will run.
My server's bandwidth was acceptable, so I downloaded it directly on the server and extracted it:
[root@localhost harbor]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
--2019-01-07 15:16:27-- https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.160.112, 2404:6800:4012:1::2010
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.160.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 597857483 (570M) [application/x-tar]
Saving to: ‘harbor-offline-installer-v1.7.1.tgz.1’
100%[====================================================================>] 597,857,483 4.64MB/s in 5m 23s
2019-01-07 15:21:51 (1.77 MB/s) - ‘harbor-offline-installer-v1.7.1.tgz.1’ saved [597857483/597857483]
[root@localhost harbor]#
[root@localhost harbor]# tar -zxvf harbor-offline-installer-v1.7.1.tgz
Prepare the SSL certificate
Following Docker's security recommendations, the registry is served over HTTPS and clients verify its TLS certificate. The alternative, a plain-HTTP registry, requires every Docker daemon to list it under insecure-registries, which turns that verification off.
Prepare the certificate directory
[root@localhost harbor]# mkdir -p data/cert
[root@localhost harbor]# cd data/cert
[root@localhost cert]# pwd
/home/harbor/data/cert
Generate the certificates
Generate the root CA
Generate the CA private key. This key signs everything clients will trust, so it must stay private: the listing below shows it created as 0644, so tighten it with chmod 600, and keep it off the registry host once the server certificate has been signed.
[root@localhost cert]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
......................++
..................................++
e is 65537 (0x10001)
[root@localhost cert]#
Generate the self-signed CA certificate from that key (valid for ten years here).
[root@localhost cert]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=hub.twikle.net" \
> -key ca.key \
> -out ca.crt
[root@localhost cert]#
[root@localhost cert]# ls -al
total 8
drwxr-xr-x 2 root root 44 Jan 7 15:35 .
drwxr-xr-x 3 root root 17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
[root@localhost cert]#
Generate the server certificate
Generate the server's private key.
[root@localhost cert]# openssl genrsa -out hub.twikle.net.key 4096
Generating RSA private key, 4096 bit long modulus
............................................++
................................................++
e is 65537 (0x10001)
[root@localhost cert]# ls -al
total 12
drwxr-xr-x 2 root root 73 Jan 7 15:40 .
drwxr-xr-x 3 root root 17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
[root@localhost cert]#
Generate the certificate signing request (CSR). The CN is the registry host name, but modern clients match the subjectAltName extension added in the next step, not the CN.
[root@localhost cert]# openssl req -sha512 -new \
> -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=hub.twikle.net" \
> -key hub.twikle.net.key \
> -out hub.twikle.net.csr
[root@localhost cert]#
[root@localhost cert]# ls -al
total 16
drwxr-xr-x 2 root root 102 Jan 7 15:43 .
drwxr-xr-x 3 root root 17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root 1712 Jan 7 15:43 hub.twikle.net.csr
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
[root@localhost cert]#
Issue the server certificate. The v3.ext file supplies the extensions: the certificate is a leaf (CA:FALSE), is valid for server authentication, and lists every name and address clients will connect to in subjectAltName. Host names go in DNS.n entries; an IP address must go in an IP.n entry, because the Docker client (like Go's x509 library generally) matches a bare IP only against IP SANs and rejects a DNS entry that merely looks like an address.
[root@localhost cert]# cat > v3.ext <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=hub.twikle.net
> DNS.2=hub.twikle
> IP.1=xxx.xxx.xxx.xxx # replace with your registry host's IP address
> EOF
[root@localhost cert]#
[root@localhost cert]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in hub.twikle.net.csr \
> -out hub.twikle.net.crt
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=hub.twikle.net
Getting CA Private Key
[root@localhost cert]# ls -al
total 32
drwxr-xr-x 2 root root 4096 Jan 7 15:49 .
drwxr-xr-x 3 root root 17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root 17 Jan 7 15:49 ca.srl
-rw-r--r-- 1 root root 2114 Jan 7 15:49 hub.twikle.net.crt
-rw-r--r-- 1 root root 1712 Jan 7 15:43 hub.twikle.net.csr
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
-rw-r--r-- 1 root root 270 Jan 7 15:47 v3.ext
[root@localhost cert]#
Copy the certificate to a .cert file for the Docker client. The conversion is PEM to PEM, so the content is identical (both files are 2114 bytes in the listing); only the extension differs, because the Docker daemon treats .crt files under /etc/docker/certs.d/ as CA certificates and .cert files as client certificates. What the daemon actually needs in order to trust this registry is ca.crt copied to /etc/docker/certs.d/hub.twikle.net:8443/ca.crt on every client host (one directory per host:port).
[root@localhost cert]# openssl x509 -inform PEM -in hub.twikle.net.crt -out hub.twikle.net.cert
[root@localhost cert]# ls -al
total 36
drwxr-xr-x 2 root root 4096 Jan 7 15:51 .
drwxr-xr-x 3 root root 17 Jan 7 15:26 ..
-rw-r--r-- 1 root root 2041 Jan 7 15:35 ca.crt
-rw-r--r-- 1 root root 3247 Jan 7 15:33 ca.key
-rw-r--r-- 1 root root 17 Jan 7 15:49 ca.srl
-rw-r--r-- 1 root root 2114 Jan 7 15:51 hub.twikle.net.cert
-rw-r--r-- 1 root root 2114 Jan 7 15:49 hub.twikle.net.crt
-rw-r--r-- 1 root root 1712 Jan 7 15:43 hub.twikle.net.csr
-rw-r--r-- 1 root root 3243 Jan 7 15:40 hub.twikle.net.key
-rw-r--r-- 1 root root 270 Jan 7 15:47 v3.ext
[root@localhost cert]#
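The certificate procedure above, collected into one script as an added example (not code from the page or from the Harbor project). It departs from the page in three places a registry operator should care about: the IP address goes in an IP.n subjectAltName entry, the CA's own extensions are stated explicitly rather than inherited from the system openssl.cnf, and private keys are created 0600 and checked. It also covers the client-side step that the docker login check at the end of the page relies on: copying ca.crt into the Docker daemon's certs.d directory. The host name, IP address and directories are placeholders, and install_docker_ca takes the certs.d root as a parameter so the demonstration runs without root.

```shell
#!/bin/sh
# Added example (not from the page or the Harbor project): CA + server certificate
# for a Harbor registry, with an IP SAN, explicit CA extensions, 0600 keys, and a
# verification pass before nginx ever loads the result. Names are placeholders.

gen_registry_certs() (   # gen_registry_certs DIR HOST IP  (subshell: cd and umask stay local)
  dir=$1 host=$2 ip=$3
  mkdir -p "$dir" && cd "$dir" || exit 1
  umask 077                                  # every key file is born 0600, not 0644

  # --- root CA: key, CSR, self-signed cert with CA:TRUE stated explicitly ---
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -new -sha512 -subj "/O=example/OU=Personal/CN=Harbor Registry CA" \
    -key ca.key -out ca.csr
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' > ca.ext
  openssl x509 -req -sha512 -days 3650 -extfile ca.ext \
    -signkey ca.key -in ca.csr -out ca.crt 2>/dev/null

  # --- server key and CSR (clients match SANs, not the subject CN) ---
  openssl genrsa -out "$host.key" 4096 2>/dev/null
  openssl req -new -sha512 -subj "/O=example/OU=Personal/CN=$host" \
    -key "$host.key" -out "$host.csr"

  # --- leaf extensions: not a CA, serverAuth, SAN for the name AND the IP ---
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=$host
IP.1=$ip
EOF
  openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in "$host.csr" -out "$host.crt" 2>/dev/null

  cp "$host.crt" "$host.cert"                # .cert = the client-cert extension for certs.d
  chmod 644 ca.crt "$host.crt" "$host.cert"  # public material may be world-readable
)

verify_registry_cert() {  # verify_registry_cert DIR HOST IP -> 0 only if chain, EKU, SANs and key modes are right
  dir=$1 host=$2 ip=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 \
    || { echo "chain does not verify against ca.crt"; return 1; }
  text=$(openssl x509 -in "$dir/$host.crt" -noout -text)
  case $text in *"TLS Web Server Authentication"*) ;; *) echo "missing serverAuth EKU"; return 1 ;; esac
  sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
  case $sans in *"DNS:$host"*) ;; *) echo "missing DNS SAN for $host"; return 1 ;; esac
  case $sans in *"IP Address:$ip"*) ;; *) echo "missing IP SAN for $ip (a DNS entry is not matched by Docker)"; return 1 ;; esac
  for k in ca.key "$host.key"; do            # any group/other read bit on a key is a finding
    [ -f "$dir/$k" ] || { echo "$k missing"; return 1; }
    [ -z "$(find "$dir/$k" \( -perm -040 -o -perm -004 \))" ] \
      || { echo "$k is readable by non-owners"; return 1; }
  done
}

install_docker_ca() {     # install_docker_ca DIR HOST PORT [CERTS_D]  (what dockerd needs to trust the registry)
  dest=${4:-/etc/docker/certs.d}/$2:$3       # one directory per host:port, e.g. hub.twikle.net:8443
  mkdir -p "$dest" && cp "$1/ca.crt" "$dest/ca.crt"
}

# Stand-alone demonstration in a scratch directory (constructed names, no root needed).
work=$(mktemp -d)
gen_registry_certs "$work/cert" hub.twikle.net 192.168.0.21
verify_registry_cert "$work/cert" hub.twikle.net 192.168.0.21 && echo "certificate OK"
install_docker_ca "$work/cert" hub.twikle.net 8443 "$work/certs.d" && ls "$work/certs.d"
```

For a real deployment call gen_registry_certs with the Harbor data/cert directory, point ssl_cert and ssl_cert_key in harbor.cfg at the .crt and .key it produces, and run install_docker_ca without the fourth argument on every host that will docker login, using the same host:port the clients type (for a login by IP address, that directory is named after the IP).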
Configure the Harbor installation parameters
Edit the relevant parameters in harbor.cfg, found in the directory extracted in the first step. The file holds the initial admin password and the database password in clear text, so keep it readable by root only and change the admin password in the UI after the first login.
[root@localhost harbor]# vi harbor.cfg
......
#set hostname
hostname = hub.twikle.net:8443
#set ui_url_protocol
ui_url_protocol = https
......
#The path of the cert and key files for nginx; they apply only when ui_url_protocol is https. Use your own paths here.
ssl_cert = /home/harbor/data/cert/hub.twikle.net.crt
ssl_cert_key = /home/harbor/data/cert/hub.twikle.net.key
......
#Change the admin password from UI after launching Harbor.
harbor_admin_password = xxxxx
......
#Turn on or off the self-registration feature
self_registration = off
......
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = adminonly
......
#######Harbor DB configuration section#######
#The address of the Harbor database. Only need to change when using external db.
db_host = ***.***.***.***
#The password for the root user of Harbor DB. Change this before any production use.
db_password = xxxxxx
#The port of Harbor database host
db_port = 5432
#The user name of Harbor database
db_user = harbor
......
Note: do not change the following setting. It is a known Harbor pitfall: docker-compose.yml bind-mounts the secretkey file from a fixed host path, so if secretkey_path points anywhere else, ./prepare writes the key in one place, Docker finds nothing at the mount source and creates an empty directory there, and adminserver fails to start every time.
#The path of secretkey storage
secretkey_path = /data
The error reported:
adminserver[14789]: 2017-05-04T03:09:55Z [FATAL] [main.go:46]: failed to initialize the system: read /etc/adminserver/key: is a directory
修改默認(rèn)啟動(dòng)端口
修改docker-compose的腳本侨歉,進(jìn)入harbor的解壓目錄屋摇,找到docker-compose.yml揩魂,修改nginx相關(guān)的映射端口幽邓。
......
ports:
- 8080:80
- 8443:443
......
修改存儲(chǔ)路徑
依舊是修改docker-compose.yml文件,替換所有的/data目錄為自己的目錄火脉。
......
volumes:
- /home/harbor/harbor/data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
networks:
......
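A pre-flight check for the edits just made to harbor.cfg and docker-compose.yml, as an added example (not from the page or from Harbor): it confirms that the protocol is https, that the port in hostname is the one published for nginx's 443, and that secretkey_path names the directory whose secretkey file is bind-mounted as /etc/adminserver/key, which is the mismatch behind the "is a directory" failure above. It assumes the Harbor 1.x compose layout for those two lines; the sample files written by make_samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or the Harbor project): check that harbor.cfg and
# docker-compose.yml agree before running ./prepare. Assumes the compose file has
# "<dir>/secretkey:/etc/adminserver/key" under adminserver and "<port>:443" under nginx.

cfg_value() {            # cfg_value FILE KEY -> value of "KEY = value" (last definition wins)
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_harbor_config() {  # check_harbor_config harbor.cfg docker-compose.yml -> 0 ok, 1 problems (printed)
  cfg=$1 compose=$2 rc=0

  # 1. https must be the UI/registry protocol when a certificate is configured
  proto=$(cfg_value "$cfg" ui_url_protocol)
  [ "$proto" = "https" ] || { echo "ui_url_protocol is '$proto', expected https"; rc=1; }

  # 2. the port in "hostname = host:port" is what clients and Harbor's own URLs use;
  #    it must be the host port the compose file publishes for nginx's 443
  hn=$(cfg_value "$cfg" hostname)
  case $hn in *:*) cfg_port=${hn##*:} ;; *) cfg_port=443 ;; esac
  pub_port=$(sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9][0-9]*\):443.*/\1/p' "$compose" | head -n 1)
  [ "$cfg_port" = "$pub_port" ] \
    || { echo "hostname port $cfg_port does not match published nginx port '${pub_port:-none}'"; rc=1; }

  # 3. secretkey_path must be the host directory whose secretkey file is mounted as
  #    /etc/adminserver/key; if they differ, ./prepare writes the key in one place and
  #    Docker creates an empty directory at the other ("read /etc/adminserver/key: is a directory")
  key_path=$(cfg_value "$cfg" secretkey_path)
  mount_src=$(sed -n 's#^[[:space:]]*-[[:space:]]*\(.*\)/secretkey:/etc/adminserver/key.*#\1#p' "$compose" | head -n 1)
  if [ -z "$mount_src" ]; then
    echo "no secretkey bind-mount found in $compose"; rc=1
  elif [ "${key_path%/}" != "${mount_src%/}" ]; then
    echo "secretkey_path '$key_path' differs from the mount source '$mount_src'"; rc=1
  fi
  return $rc
}

make_samples() {         # make_samples DIR: constructed harbor.cfg variants and a compose fragment
  cat > "$1/docker-compose.yml" <<'EOF'
services:
  adminserver:
    volumes:
      - /home/harbor/data/secretkey:/etc/adminserver/key:z
  nginx:
    ports:
      - 8080:80
      - 8443:443
EOF
  cat > "$1/good.cfg" <<'EOF'
hostname = hub.twikle.net:8443
ui_url_protocol = https
secretkey_path = /home/harbor/data
EOF
  cat > "$1/bad.cfg" <<'EOF'
hostname = hub.twikle.net
ui_url_protocol = https
secretkey_path = /data
EOF
}

# Stand-alone demonstration: good.cfg passes, bad.cfg reports both mismatches.
work=$(mktemp -d)
make_samples "$work"
for f in good bad; do
  if check_harbor_config "$work/$f.cfg" "$work/docker-compose.yml"; then
    echo "$f.cfg: consistent"
  else
    echo "$f.cfg: fix the above before ./prepare"
  fi
done
```

Run it as check_harbor_config harbor.cfg docker-compose.yml from the extraction directory; a non-zero exit means ./prepare will produce a deployment whose URLs or secretkey mount do not line up.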
Run the environment preparation script
Enter the Harbor extraction directory.
[root@localhost harbor]# cd harbor/
[root@localhost harbor]# ls -al
total 590240
drwxr-xr-x 3 root root 4096 Jan 8 09:55 .
drwxr-xr-x 4 root root 88 Jan 7 15:26 ..
drwxr-xr-x 3 root root 30 Jan 7 15:23 common
-rw-r--r-- 1 root root 939 Jan 4 19:23 docker-compose.chartmuseum.yml
-rw-r--r-- 1 root root 975 Jan 4 19:23 docker-compose.clair.yml
-rw-r--r-- 1 root root 1434 Jan 4 19:23 docker-compose.notary.yml
-rw-r--r-- 1 root root 5608 Jan 4 19:23 docker-compose.yml
-rw-r--r-- 1 root root 8088 Jan 9 10:53 harbor.cfg
-rw-r--r-- 1 root root 603562385 Jan 4 19:24 harbor.v1.7.1.tar.gz
-rwxr-xr-x 1 root root 5739 Jan 4 19:23 install.sh
-rw-r--r-- 1 root root 11347 Jan 4 19:23 LICENSE
-rw-r--r-- 1 root root 748160 Jan 4 19:23 open_source_license
-rwxr-xr-x 1 root root 36337 Jan 4 19:23 prepare
[root@localhost harbor]# ./prepare
Generated and saved secret to file: /home/harbor/data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@localhost harbor]#
啟動(dòng)Harbor
[root@localhost harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-adminserver ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal ... done
Creating nginx ... done
[root@localhost harbor]#
Open the port on the host firewall. Only 8443 is opened; the 8080 plain-HTTP mapping is not exposed through the firewall.
[root@localhost harbor]# firewall-cmd --zone=public --add-port=8443/tcp --permanent
success
[root@localhost harbor]# firewall-cmd --reload
success
[root@localhost harbor]#
Check the installation result. Log in with the Docker client, here by IP address; this requires the IP to be present in the certificate's subjectAltName as an IP entry and the client to trust ca.crt (for the Docker daemon: /etc/docker/certs.d/<host-or-ip>:8443/ca.crt). Without that trust, docker login fails with an x509 "certificate signed by unknown authority" error. The warning printed below is worth acting on: configure a credential helper, or at least run docker logout on shared hosts.
[root@localhost ~]# docker login xxx.xxx.xxx:8443
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost ~]#