Centos7安装harbor+ssl登录测试(亲测可用)
1、安装依赖
yum install ebtables ethtool iproute iptables socat util-linux wget openssl-devel -y
2、安装docker
yum install docker-ce
3、安装 docker-compose
yum install epel-release -y
yum install python-pip -y
pip install --upgrade pip
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
chmod a+x /usr/local/bin/docker-compose
docker-compose --version
4、证书存放目录mkdir -p /mnt/hgfs/data/harbor/cert
cd /mnt/hgfs/data/harbor/cert
5、创建证书
参考官方文档:https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
生成CA证书
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"
或者:
openssl req -newkey rsa:4096 -nodes -sha512 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"
生成证书签名请求
openssl genrsa -out harbor.key 4096
openssl req -sha512 -new -key harbor.key -out harbor.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"
或者:
openssl req -newkey rsa:4096 -nodes -sha512 -keyout harbor.key -out harbor.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"
生成服务端证书
新建v3.ext文件内容:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
subjectAltName = @alt_names
[alt_names]
DNS.1 = harbor
IP.1 = 192.168.3.35
# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
# openssl x509 -inform PEM -in harbor.crt -out harbor.cert
# cp harbor.cert /etc/docker/certs.d/192.168.3.35/
# cp harbor.key /etc/docker/certs.d/192.168.3.35/
# cp ca.crt /etc/docker/certs.d/192.168.3.35/
上述IP地址92.168.3.35和v3.ext里面的ip地址保持一致
先让本机信任证书,将证书复制到信任证书的目录里
# cp harbor.crt /etc/pki/ca-trust/source/anchors/
然后让它立即生效
# update-ca-trust enable
# update-ca-trust extract
# systemctl restart docker
8、上传/解压harbor离线包
# cd /opt
# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz
# tar -zxf harbor-offline-installer-v1.7.5.tgz
# cd harbor
9、修改配置文件
$ vi harbor.cfg
hostname = 192.168.3.35
ui_url_protocol = https
ssl_cert = /mnt/hgfs/data/harbor/cert/harbor.crt
ssl_cert_key = /mnt/hgfs/data/harbor/cert/harbor.key
secretkey_path = /mnt/hgfs/data/harbor
或者通过sed行编辑命令修改
## 修改配置文件harbor.cfg参数
sed -i "s#hostname = reg.mydomain.com#hostname = 192.168.3.35#g" harbor.cfg
## 可以是主机IP,或者是以后要用的域名
sed -i "s#ui_url_protocol = http#ui_url_protocol = https#g" harbor.cfg
## 使用的协议,此处用的是https,后面安装的时候,再添加漏洞检查的时候需要https的支持
sed -i "s#ssl_cert = /data/cert/server.crt#ssl_cert = /mnt/hgfs/data/harbor/cert/harbor.crt#g" harbor.cfg
## 证书的路径必须先创建好,并把秘钥放入配置文件
sed -i "s#ssl_cert_key = /data/cert/server.key#ssl_cert_key = /mnt/hgfs/data/harbor/cert/harbor.key#g" harbor.cfg
sed -i "s#secretkey_path = /data#secretkey_path = /mnt/hgfs/data/harbor#g" harbor.cfg
## 可以使用默认的路径
## 修改配置文件docker-compose.yml
## 由于指定安装路径需求,需要修改一下所有部署相关文件的指定路径()
sed -i "s#/data/registry#/mnt/hgfs/data/harbor/registry#g" docker-compose.yml
sed -i "s#/data/ca_download#/mnt/hgfs/data/harbor/ca_download#g" docker-compose.yml
sed -i "s#/data/config#/mnt/hgfs/data/harbor/config#g" docker-compose.yml
##postgresql用到了符号链接,不能使用windows共享目录
sed -i "s#/data/database#/data/harbor/database#g" docker-compose.yml
sed -i "s#/data/job_logs#/mnt/hgfs/data/harbor/job_logs#g" docker-compose.yml
sed -i "s#/data/psc#/mnt/hgfs/data/harbor/psc#g" docker-compose.yml
sed -i "s#/data/redis#/mnt/hgfs/data/harbor/redis#g" docker-compose.yml
sed -i "s#/data/registry#/mnt/hgfs/data/harbor/registry#g" docker-compose.yml
sed -i "s#/data/secretkey#/mnt/hgfs/data/harbor/secretkey#g" docker-compose.yml
sed -i "s#/data/clair-db#/mnt/hgfs/data/harbor/clair-db#g" docker-compose.clair.yml
sed -i "s#/data/notary-db#/mnt/hgfs/data/harbor/notary-db#g" docker-compose.yml
sed -i "s#/data/:/data/:z#/mnt/hgfs/data/harbor/:/data/:z#g" docker-compose.yml
sed -i "s#/data/chart_storage#/mnt/hgfs/data/harbor/chart_storage#g" docker-compose.chartmuseum.yml
## 修改配置文件prepare
sed -i "s#"/data"#/mnt/hgfs/data/harbor#" prepare
10、安装harbor
./install.sh --with-notary --with-clair --with-chartmuseum
# --with-notary启用镜像签名,--with-clair启用漏洞扫描如果需要在Harbor中启用Notary,请设置--with-notary,并在harbor.cfg中设置ui_url_protocol/ssl_cert/ssl_cert_key,因为公证必须在https下运行。
# 如果需要启用Clair in Harbour,请设置--with-clair
# 如果需要在Harbor启用Chartmuseum,请设置--with-chartmuseum
docker-compose常用命令
docker-compose start ## 启动 Harbor
docker-compose stop ## 停止 Harbor
docker-compose restart ## 重启 Harbor
docker-compose ps ## 列出容器
docker-compose create ## 创建服务
docker-compose down ## 停止并删除容器、network、images和volumes
docker-compose log ## 容器的视图输出
docker-compose up ## 创建和启动容器
重启容器
docker-compose down -v
vi harbor.cfg ## 修改要更新的配置
vi docker-compose.yml ## 修改要更新的配置
- ./prepare
docker-compose up -d
docker login 192.168.3.35
复制ca.crt文件到的/etc/docker/certs.d/192.168.3.35目录下
在192.168.3.34登录192.168.3.35的harbor:
在192.168.3.34push镜像到192.168.3.35的harbor私服:
浏览器访问https://192.168.3.35
使用admin/Harbor12345登录成功并查看从192.168.3.34 push的镜像
参考&踩坑足迹:
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
http://www.youdzone.com/signature.html
https://www.jianshu.com/p/0046add931df
https://www.jianshu.com/p/44a3efae1d84
https://www.jianshu.com/p/f9b8a3e62af1
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
http://www.apetec.com/support/GenerateSAN-CSR.htm
http://blog.zencoffee.org/2013/04/creating-and-signing-an-ssl-cert-with-alternative-names/
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
https://zhuanlan.zhihu.com/p/26646377
https://blog.csdn.net/u013066244/article/details/78725842/