Harbor is an enterprise-class registry server for storing and distributing Docker images; it can be used to build a company-internal Docker image repository.
Harbor extends the plain docker registry with enterprise features, which is why it has found much wider use. The added features include:
- a management web UI
- role-based access control
- AD/LDAP integration
- audit logging, and more
Compared with the native docker registry it makes managing containers at enterprise scale much easier, and transfers over an intranet deployment are very fast.
Prerequisites
- Python 2.7 or higher
- Docker Engine 1.10 or higher
- Docker Compose 1.6.0 or higher
Install Docker Compose
Official install guide: https://docs.docker.com/compose/install/
Download the latest release to /usr/local/bin/docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Make it executable
sudo chmod +x /usr/local/bin/docker-compose
Create a symlink
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
Verify the installation
docker-compose --version
docker-compose version 1.26.2, build eefe0d31
Download Harbor
Official download page: https://github.com/vmware/harbor/releases
- Choose the latest release: v1.10.4
- Download the offline installer (600+ MB; it makes the later installation easier): harbor-offline-installer-v1.10.4.tgz
wget https://github.com/goharbor/harbor/releases/download/v1.10.4/harbor-offline-installer-v1.10.4.tgz
Extract it into a directory of your choice, here /usr/local
tar xvf harbor-offline-installer-v1.10.4.tgz -C /usr/local/
# Rename the directory and create a symlink (recommended; a common way to keep later upgrades manageable)
cd /usr/local/
(root@mastar01:/usr/local)# mv harbor/ harbor-v1.10.4
(root@mastar01:/usr/local)# ln -s /usr/local/harbor-v1.10.4/ /usr/local/harbor
(root@mastar01:/usr/local)# cd harbor
(root@mastar01:/usr/local/harbor)# ls
common.sh harbor.v1.10.4.tar.gz harbor.yml install.sh LICENSE prepare
Edit the installation config file harbor.yml
# vim harbor.yml
# 1. Set the hostname. It can be an IP or a domain name and is used to reach the management UI and the registry service.
# Here I just use an arbitrary domain name and add an entry to the hosts file on my local Windows 10 PC mapping that domain name to the Alibaba Cloud public IP (for the UI)
# The hosts file acts like a DNS: when the domain name is typed into the browser it is resolved to the corresponding IP address
hostname: 域名地址
# 2. Harbor can be reached over http or https. Older versions defaulted to http; current versions default to https.
# http: as the official comment below says, if https is available, requests to the http port are redirected to the https port
# Change the default port 80 to 8002 (any custom port). Port 80 is changed because it is usually reserved for Nginx; check first that the port is free: netstat -anp | grep 8002
# http related config
http:
port: 8002 # port for http, default is 80. If https enabled, this port will redirect to https port
# https: if you do not want https, comment out the block below. I tried both; the inconvenient part of https is that you have to create a certificate
# Once the certificate exists, configure its paths below; the steps to create an https certificate are described later
# https related config
# https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /data/cert/server.crt
# private_key: /data/cert/server.key
# 3. (Optional) password of the admin user for the Harbor management UI
harbor_admin_password: your_password
# 4. (Optional) change the data volume directory and the log directory
data_volume: /data/harbor
location: /data/harbor/logs
Create an https certificate (optional)
Create the key: generate an RSA private key with openssl
(root@mastar01:~)# openssl genrsa -des3 -out server.key 2048
# enter a passphrase of your choice twice
Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
...........................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
(root@mastar01:~)# ls
server.key
Generate a CSR (certificate signing request). The values entered can be anything, since this is only a dummy certificate; for a real certificate the CSR is sent to a certificate authority (CA), which verifies the requester's identity and issues a signed certificate, for a fee.
(root@mastar01:~)# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:alex.gcx.com
Email Address []:111@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(root@mastar01:~)# ls
server.csr server.key
Remove the passphrase from the key. If it is kept, the service prompts for the passphrase when loading the key, which gets in the way of automated deployment.
# back up the key
(root@mastar01:~)# cp server.key server.key.back
# remove the passphrase
(root@mastar01:~)# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Generate a self-signed certificate
(root@mastar01:~)# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = SH, L = SH, O = Default Company Ltd, CN = alex, emailAddress = 111@163.com
Getting Private key
Generate a PEM-format certificate (optional); some services can only load certificates in PEM format, which the following command produces:
openssl x509 -in server.crt -out server.pem -outform PEM
Create the certificate directory
# create the directory
(root@mastar01:~)# mkdir -p /data/cert
# move the certificate files into the directory
(root@mastar01:~)# mv server.* /data/cert/
(root@mastar01:~)# cd /data/cert/
(root@mastar01:/data/cert)# ls
server.crt server.csr server.key server.key.back
# permissions
chmod -R 777 /data/cert
Update the certificate paths in harbor.yml
# vim /usr/local/harbor-v1.10.4/harbor.yml
# http related config
#http:
# port for http, default is 80. If https enabled, this port will redirect to https port
#port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/server.crt
private_key: /data/cert/server.key
Generate the configuration
./prepare
Common management commands
Stop services: docker-compose stop
Start services: docker-compose start
Restart services: docker-compose restart
Stop services and remove containers: docker-compose down
Start services and run containers: docker-compose up
Run the script to install Harbor
(root@mastar01:~)# sh /usr/local/harbor/install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.26.2
[Step 2]: loading Harbor images ...
...
[Step 5]: starting Harbor ...
Creating network "harbor-v1104_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-portal ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
Open the Harbor management page in a browser
http://域名地址:8002
Log in to Harbor from the terminal
(root@mastar01:/usr/local/harbor)# docker login alex.gcx.com
Username: admin
Password:
Error response from daemon: Get https://alex.gcx.com/v2/: x509: certificate signed by unknown authority
The login fails. The reason is the same as above: the request is redirected to the https address, which requires certificate verification, but our certificate is a dummy one, so the docker client considers it untrusted and reports an error. To get past this we edit the docker config file /etc/docker/daemon.json
vim /etc/docker/daemon.json
# add the following line (the double quotes may not be shown when displayed)
# this tells the docker client that this domain may be accessed
"insecure-registries":["https://harbor地址","harborIP:端口"],
# restart docker
systemctl daemon-reload && systemctl restart docker
# logging in again now succeeds
(root@mastar01:/usr/local)# docker login alex.gcx.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Changes needed on other servers that access Harbor
# 1. add a hosts entry
echo "172.19.67.12 alex.gcx.com" >> /etc/hosts
# 2. add to /etc/docker/daemon.json
"insecure-registries":["https://harbor地址","harborIP:端口"],
# 3. restart docker
systemctl daemon-reload && systemctl restart docker
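As an added example (not code from the original post), the shell functions below cover the certificate steps above and the client-side trust step in one pass, with two changes a defender would want: the private key stays 0600 instead of chmod -R 777, and the client trusts the certificate explicitly under /etc/docker/certs.d/<host>/ca.crt, the location Docker reads for per-registry CA certificates, so insecure-registries is not needed. The certificate also carries a subjectAltName, because Docker clients built with recent Go versions reject certificates that only have a Common Name. The host name and directories are placeholders passed as arguments; the certs.d base directory is a parameter so the functions can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example, not code from the original post. Replaces the manual
# genrsa/req/x509 steps and the chmod -R 777 with one function, and the
# client-side "insecure-registries" workaround with an explicit trust anchor.
set -eu

# make_harbor_cert <outdir> <hostname>: self-signed key + certificate, no
# passphrase, with a subjectAltName (clients built on recent Go reject
# certificates that carry only a Common Name). Key is created 0600 via umask.
make_harbor_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/openssl.cnf" >/dev/null 2>&1)
    chmod 0644 "$dir/server.crt"   # the certificate is public, the key is not
}

# check_cert_perms <dir>: certificate readable, private key exactly 0600
check_cert_perms() {
    [ -r "$1/server.crt" ] || return 1
    [ -n "$(find "$1/server.key" -perm 600)" ]   # find prints only on match
}

# cert_has_san <crt> <hostname>: true when the SAN list names the host
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# install_client_ca <crt> <hostname> [certs_dir]: Docker trusts
# <certs_dir>/<hostname>/ca.crt for that registry host (default base
# /etc/docker/certs.d), so the client verifies TLS instead of skipping it.
install_client_ca() {
    base=${3:-/etc/docker/certs.d}
    mkdir -p "$base/$2"
    cp "$1" "$base/$2/ca.crt"
    chmod 0644 "$base/$2/ca.crt"
}
```

After installing the certificate on a client with install_client_ca, `docker login <hostname>` verifies the registry's certificate against that file, and the daemon.json insecure-registries entry for that host can be dropped.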
Operations: stopping and starting Harbor
To change the Harbor configuration, for example to enable https as done here, the steps are:
# enter the harbor directory
(root@mastar01:~)# cd /usr/local/harbor
(root@mastar01:/usr/local/harbor)# ls
common common.sh docker-compose.yml harbor.v1.10.4.tar.gz harbor.yml install.sh LICENSE prepare
# stop the harbor services (docker-compose)
(root@mastar01:/usr/local/harbor)# docker-compose down -v
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-core ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing harbor-portal ... done
Removing harbor-db ... done
Removing redis ... done
Removing registryctl ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor-v1104_harbor
# edit harbor.yml and change the https settings
(root@mastar01:/usr/local/harbor)# vim harbor.yml
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/server.crt
private_key: /data/cert/server.key
# run the pre-start preparation
(root@mastar01:/usr/local/harbor)# ./prepare
prepare base dir is set to /usr/local/harbor-v1.10.4
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
# start docker-compose
(root@mastar01:/usr/local/harbor)# docker-compose up -d
Creating network "harbor-v1104_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating registry ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
Opening the http URL http://域名地址:8002 in the browser again, it now redirects to the https URL