Installing Harbor v1.10.1 on CentOS 7 and integrating it with docker 19.03.6, so that docker can log in to, push to and pull from the Harbor registry.
Harbor is an open-source, trusted cloud-native registry project that stores, signs and scans content. Harbor extends the open-source Docker Distribution by adding the functionality users usually need, such as security, identity and management.
Harbor is widely used by companies as a private Docker registry.
Harbor's official site is here: https://github.com/goharbor/harbor
This article walks through the complete procedure for installing Harbor v1.10.1 on CentOS 7 and integrating it with docker 19.03.6.
Operating system, application and version information:
Harbor's components run as containers that are orchestrated with docker-compose.
Installing docker-compose on the Harbor host is therefore the mandatory first step. The binary below is fetched straight from GitHub; compare it against the checksum file published with that release before making it executable.
$ curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose
$ ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
$ docker-compose --version
docker-compose version 1.25.4, build 8d51620a
If you have no real domain name, make one up and map it to the Harbor host's IP by adding an entry to /etc/hosts on both the Harbor host and every Docker client host. The made-up name used in this article is harbor.cn; the entry looks like this:
[root@dev110 ~]# more /etc/hosts
...
#### harbor server ############
192.168.100.110 harbor.cn
...
Docker talks to Harbor over HTTPS by default. It can be switched to plain HTTP, but that requires many configuration changes and is insecure, so this article keeps HTTPS.
With a hostname in place, the next thing needed is a CA and a server certificate issued for that name.
mkdir -p /home/k8s/cert_harbor
cd /home/k8s/cert_harbor
Step 1 - generate the root CA private key (unencrypted):
openssl genrsa -out ca.key 4096
Step 2 - generate the self-signed root certificate ca.crt from the existing private key ca.key:
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=192.168.100.110" \
-key ca.key \
-out ca.crt
The -subj argument supplies the subject up front and skips the interactive prompts. The CN of the root certificate is only a label (here the Harbor host's IP); it is never matched against a hostname.
Step 3 - generate the server's private key for its own domain name:
openssl genrsa -out harbor.cn.key 4096
Step 4 - generate the server's certificate signing request (CSR). Docker validates the name against the subjectAltName extension added in Step 5, not against the CN, but keep the CN consistent with the hostname anyway:
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=harbor.cn" \
-key harbor.cn.key \
-out harbor.cn.csr
Step 5 - create an extension file, externalfile.ext, for the openssl command.
The file can have any name, but remember it, because a later command needs it.
Its most important entry is subjectAltName:
for an IP address, write IP.1=192.168.xxx.xxx
for a domain name, write DNS.1=xxx.xxx.com
[root@dev110 ~]# cat > externalfile.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.cn
EOF
Step 6 - sign the CSR with the CA, using the extension file, to produce the server certificate (-CAcreateserial creates ca.srl, the CA's serial-number file, on first use):
openssl x509 -req -sha512 -days 3650 -extfile externalfile.ext \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-in harbor.cn.csr \
-out harbor.cn.crt
Step 7 - make a copy of the server certificate with the .cert extension:
openssl x509 -inform PEM -in harbor.cn.crt -out harbor.cn.cert
This is a plain copy of the same PEM data, not a conversion. The name matters only to Docker's /etc/docker/certs.d directory, which treats .crt files as CA certificates and .cert/.key pairs as client certificates for mutual TLS; Harbor does not request client certificates, so the .cert file is not actually needed by the clients in this article.
All certificate files now exist. Note that both private keys are listed as world-readable (-rw-r--r--); restrict them to the owner (mode 0600) before continuing:
[root@dev cert_harbor]# ll
total 32
-rw-r--r-- 1 root root 2017 Feb 23 13:44 ca.crt
-rw-r--r-- 1 root root 3243 Feb 23 13:42 ca.key
-rw-r--r-- 1 root root 17 Feb 23 13:53 ca.srl
-rw-r--r-- 1 root root 232 Feb 23 13:52 externalfile.ext
-rw-r--r-- 1 root root 2049 Feb 23 13:54 harbor.cn.cert
-rw-r--r-- 1 root root 2049 Feb 23 13:53 harbor.cn.crt
-rw-r--r-- 1 root root 1700 Feb 23 13:49 harbor.cn.csr
-rw-r--r-- 1 root root 3247 Feb 23 13:47 harbor.cn.key
A Docker client verifies the registry's certificate against the CAs it trusts. For a private CA, the CA certificate is placed in /etc/docker/certs.d/<registry-host>/ on each Docker client host, where Docker treats every .crt file as a trusted CA certificate. Only ca.crt is copied: the server's private key harbor.cn.key stays on the Harbor host (copying it to every client would hand the registry's identity to anyone who can read that directory), and the .cert/.key pair from Step 7 is not needed because Harbor does not ask clients for a certificate.
The following uses the Docker client host 192.168.100.111 as the example.
Step 1 - on the Docker host, run:
mkdir -p /etc/docker/certs.d/harbor.cn/
Step 2 - on the Harbor host, run:
scp ./ca.crt [email protected]:/etc/docker/certs.d/harbor.cn/ca.crt
Step 3 - on the Docker host, do NOT add harbor.cn to "insecure-registries" in /etc/docker/daemon.json. That setting makes Docker ignore certificate errors for the registry and fall back to plain HTTP if HTTPS fails, which is exactly what the CA is meant to prevent; a setup that only works with it present means the CA is not being trusted at all. If an earlier attempt left an entry like the one below, remove it:
[root@dev111 ~]# vim /etc/docker/daemon.json
{
...
"insecure-registries":["http://harbor.cn"],
...
}
Step 4 - restart Docker if daemon.json was changed (certs.d is read on each connection, so installing the CA file alone needs no restart):
systemctl daemon-reload
systemctl restart docker
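The certificate procedure (Steps 1-7) and the client-side trust setup above, as one added shell example that is not part of the original post or of Harbor. It reproduces the procedure as functions, then applies the checks Docker applies (the leaf chains to the CA and its SAN covers the hostname), lays out the certs.d directory with only the CA, and flags a daemon.json that still lists the registry as insecure. Assumed: openssl is installed; the function names, the harbor-root-ca CN, the scratch-directory parameters and the constructed inputs are this example's own, and 2048-bit keys are used for speed where the post uses 4096.

```shell
#!/bin/sh
# Added example, not from the original post: CA + server certificate generation
# as functions, the verification a Docker client performs, and the certs.d layout.
# Assumptions: openssl on PATH; all paths are parameters so this runs in a scratch dir.
set -eu

# make_ca DIR: private CA key + self-signed root certificate (Steps 1-2 above).
make_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  chmod 600 "$1/ca.key"
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=harbor-root-ca" \
    -key "$1/ca.key" -out "$1/ca.crt"
}

# make_server_cert DIR HOST: key, CSR and CA-signed leaf with SAN DNS:HOST (Steps 3-7).
make_server_cert() {
  d="$1"; h="$2"
  openssl genrsa -out "$d/$h.key" 2048 2>/dev/null
  chmod 600 "$d/$h.key"
  openssl req -sha512 -new -subj "/C=CN/O=ccx/CN=$h" -key "$d/$h.key" -out "$d/$h.csr"
  cat > "$d/$h.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$h
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$d/$h.ext" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -in "$d/$h.csr" -out "$d/$h.crt" 2>/dev/null
  cp "$d/$h.crt" "$d/$h.cert"   # same PEM; Docker's certs.d reads a .cert as a client cert
}

# verify_chain CA LEAF HOST: succeeds only if LEAF chains to CA and its SAN covers HOST.
# This mirrors what Docker (Go's TLS stack) checks; the CN is not consulted.
verify_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# install_client_trust CA HOST ROOT: put the CA where Docker looks for it
# (ROOT is /etc/docker/certs.d on a real client). Only the CA goes here; the
# registry's private key never leaves the Harbor host.
install_client_trust() {
  mkdir -p "$3/$2"
  cp "$1" "$3/$2/ca.crt"
  chmod 644 "$3/$2/ca.crt"
}

# insecure_registry_listed DAEMON_JSON HOST: true if HOST appears under
# "insecure-registries", the setting that disables certificate checks and must be
# absent once the CA is installed. Whitespace-stripped text match; use jq if present.
insecure_registry_listed() {
  tr -d ' \n\t' < "$1" \
    | sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' \
    | grep -q "$2"
}

# Usage when run as `sh this.sh demo`: everything happens in a temporary directory.
if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d)
  make_ca "$w"
  make_server_cert "$w" harbor.cn
  verify_chain "$w/ca.crt" "$w/harbor.cn.crt" harbor.cn && echo "harbor.cn.crt verifies for harbor.cn"
  install_client_trust "$w/ca.crt" harbor.cn "$w/certs.d"
  ls -R "$w/certs.d"
fi
```

verify_chain is the test to run on the Docker host before touching daemon.json: if it fails for ca.crt and the server certificate, the client will fail too, and adding the registry to insecure-registries would only hide the error.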
With the groundwork done, we finally get to the main event.
Download and extract (the release page also publishes a detached GPG signature, .asc, for the archive; verify it before unpacking):
wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
mkdir -p /home/k8s
tar -zxvf ./harbor-offline-installer-v1.10.1.tgz -C /home/k8s/
The archive contains a top-level harbor/ directory, so the files land in /home/k8s/harbor/. Look at the extracted files:
[root@dev110 ~]# ll /home/k8s/harbor/
total 662120
-rw-r--r-- 1 root root 3398 Feb 10 14:18 common.sh
-rw-r--r-- 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz
-rw-r--r-- 1 root root 5882 Feb 10 14:18 harbor.yml
-rwxr-xr-x 1 root root 2284 Feb 10 14:18 install.sh
-rw-r--r-- 1 root root 11347 Feb 10 14:18 LICENSE
-rwxr-xr-x 1 root root 1749 Feb 10 14:18 prepare
Edit the configuration file harbor.yml. Both passwords below are stored in plain text, so keep the file readable only by root:
[root@dev110 ~]# vim /home/k8s/harbor/harbor.yml
hostname: harbor.cn                       # the name clients will use; must be covered by a SAN in the certificate
http:
  port: 80                                # with https configured, Harbor's nginx redirects HTTP to HTTPS
https:
  port: 443
  certificate: /home/k8s/cert_harbor/harbor.cn.crt   # server certificate (PEM)
  private_key: /home/k8s/cert_harbor/harbor.cn.key   # server private key; keep it mode 0600
harbor_admin_password: Ccxharbor123       # initial password of the Web UI admin user; the default is Harbor12345
database:
  password: Ccxharbor123                  # password of the root user of Harbor's built-in database; the default is root123
data_volume: /data                        # host directory holding registry data and the database
log:
  level: info
  location: /var/log/harbor               # Harbor log directory
First render the configuration: prepare reads harbor.yml and generates the docker-compose file and the per-component configs:
[root@dev110 ~]# cd /home/k8s/harbor
[root@dev110 harbor]# ./prepare
Then run the installer:
[root@dev110 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.6
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.25.4
[Step 2]: loading Harbor images ...
...
This step takes a while: the offline installer loads all of Harbor's component images from harbor.v1.10.1.tar.gz with docker load
...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /home/k8s/harbor
Generated configuration file: /config/log/logrotate.conf
...
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
WARNING: The Docker Engine you're using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use `docker stack deploy`.
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
When you see "Harbor has been installed and started successfully", congratulations, the installation worked.
In a browser, the Harbor web UI is reachable either as https://<domain> or as https://<ip>:<port>.
Because the certificate was issued by your own CA, the browser will warn. Rather than clicking through the warning each time, import ca.crt into the browser's (or the operating system's) trusted root store; the warning then disappears for every certificate that CA issues.
You will then see the Harbor login page:
Username: admin
Password: the value of harbor_admin_password in harbor.yml. The default is Harbor12345; change it on first login if you left the default in place.
To push an image to Harbor you first have to create a project in Harbor; alternatively, use the built-in project, library.
The following shows what it takes to push the nginx image into Harbor.
Step 1 - pull an image with docker and re-tag it for the registry:
docker pull nginx
docker tag nginx:latest harbor.cn/library/nginx:latest
Step 2 - log in to Harbor with docker login:
# harbor_user_name - Harbor user name
# harbor_password - that Harbor user's password
# harbor_domain - Harbor's domain name
docker login -u <harbor_user_name> -p <harbor_password> <harbor_domain>
Passing the password with -p exposes it in the process list and the shell history; Docker itself warns about this and recommends --password-stdin (see the output below). Command and output:
[root@dev ~]# docker login -uadmin -pHarbor12345 harbor.cn
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
"Login Succeeded" confirms the login.
The login information docker saved can be inspected as follows. The "auth" value is only base64("username:password"), not encryption, which is why docker warns that the password is stored unencrypted; restrict the file to its owner, or configure a credential helper (for example docker-credential-pass) so the secret goes to a keyring instead:
[root@dev ~]# cat ~/.docker/config.json
{
"auths": {
"harbor.cn": {
"auth": "Y2N4LWRldjpDY3hkZXYxMjM="
}
},
...
}
Step 3 - push the image to Harbor:
# harbor_domain - Harbor's domain name
# project_name - project name in Harbor
# image_name - image name
# image_tag - image tag
docker push <harbor_domain>/<project_name>/<image_name>:<image_tag>
Command and output:
[root@dev ~]# docker push harbor.cn/library/nginx:latest
The push refers to repository [harbor.cn/library/nginx]
22439467ad99: Pushed
b4a29beac87c: Pushed
488dfecc21b1: Pushed
latest: digest: sha256:62f787b94e5faddb79f96c84ac0877aaf28fb325bfc3601b9c0934d4c107ba94 size: 948
To pull the image from Harbor, docker only needs:
docker pull harbor.cn/library/nginx:latest
The digest printed at the end of the push output identifies this exact manifest; pulling by <harbor_domain>/<project_name>/<image_name>@sha256:<digest> instead of by tag pins that content, whereas a tag can be re-pointed at any time.
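The login and push/pull steps above, as one added shell example (not the post's or Harbor's own code): login via --password-stdin from an owner-only file, a look at what docker login leaves in config.json, and capture of the manifest digest from docker push output so the image can be pulled by digest. Assumed: the docker CLI is on PATH for the two functions that call it; the function names and the constructed sample inputs are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: credential handling for docker login
# and digest capture for docker push. Assumptions: docker on PATH for harbor_login
# and harbor_push; the parsing helpers run without it.
set -eu

# file_is_private FILE: true when group and others have no permission bits at all
# (characters 5-10 of the ls -l mode field are "------"), i.e. mode 0600 or tighter.
file_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# harbor_login HOST USER PASSFILE: log in without putting the password on the
# command line, where `ps` and the shell history would expose it.
harbor_login() {
  file_is_private "$3" || { echo "refusing to use group/world-readable $3" >&2; return 1; }
  docker login -u "$2" --password-stdin "$1" < "$3"
}

# stored_credentials CONFIG HOST: show what docker login left behind for HOST.
# The "auth" value is only base64("user:password"); anyone who can read the file
# has the password, which is what the "stored unencrypted" warning means.
# Whitespace-stripped text match on the JSON; use jq if present.
stored_credentials() {
  tr -d ' \n\t' < "$1" \
    | sed -n "s/.*\"$2\":{\"auth\":\"\([^\"]*\)\".*/\1/p" \
    | base64 -d
}

# digest_from_push_output: read `docker push` output on stdin and print the
# manifest digest it reports (the "latest: digest: sha256:... size: ..." line).
digest_from_push_output() {
  sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# ref_without_tag REF: strip the trailing :TAG (REF must carry a tag).
ref_without_tag() {
  printf '%s\n' "${1%:*}"
}

# harbor_push REF: push REF and print the immutable reference NAME@DIGEST that
# deployments should use instead of the mutable :tag.
harbor_push() {
  d=$(docker push "$1" | digest_from_push_output)
  [ -n "$d" ] || { echo "no digest in push output" >&2; return 1; }
  printf '%s@%s\n' "$(ref_without_tag "$1")" "$d"
}

# Usage when run as `sh this.sh demo`, assuming the login and tag steps above:
if [ "${1:-}" = "demo" ]; then
  harbor_login harbor.cn admin "$HOME/.harbor-pass"   # file created beforehand with mode 0600
  harbor_push harbor.cn/library/nginx:latest           # prints harbor.cn/library/nginx@sha256:...
fi
```

stored_credentials exists to make the warning concrete: run it against ~/.docker/config.json after a login and the username and password come straight back, so treat that file like a key file or move to a credential helper.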
Check Harbor's state:
[root@dev110 ~]# cd /home/k8s/harbor
[root@dev110 harbor]# docker-compose ps
      Name                     Command                  State                           Ports
-----------------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp
harbor-jobservice   /harbor/harbor_jobservice ...    Up (healthy)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp
registryctl         /home/harbor/start.sh            Up (healthy)
Stop and start:
docker-compose stop
docker-compose start
To change Harbor's configuration:
docker-compose down -v
vim harbor.yml
./prepare
docker-compose up -d
To remove Harbor's containers while keeping the image data and the database on disk (everything under data_volume, /data, is a bind mount and is not touched by down -v):
docker-compose down -v
To also remove the database and the image data, which amounts to a reinstall, delete the corresponding directories under /data afterwards:
docker-compose down -v
rm -r /data/database
rm -r /data/registry
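The docker-compose ps check above, turned into an added readiness probe (example code, not Harbor's): parse the State column and wait until every component reports healthy after a start, restart or reconfigure. Assumed: it runs from Harbor's install directory with docker-compose on PATH; the function names and the constructed sample output are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: wait for all Harbor components to be
# healthy. Assumptions: run from the directory holding Harbor's docker-compose.yml
# with docker-compose on PATH (the parser itself needs neither).
set -eu

# unhealthy_services: read `docker-compose ps` output on stdin, skip the two header
# lines, and print the Name of every row whose State is not "Up (healthy)".
unhealthy_services() {
  tail -n +3 | grep -v 'Up (healthy)' | awk 'NF { print $1 }'
}

# harbor_wait_healthy [TIMEOUT_SECONDS]: poll docker-compose ps until nothing is
# unhealthy; return 1 and list the stragglers once TIMEOUT (default 120s) is reached.
harbor_wait_healthy() {
  limit="${1:-120}"; waited=0
  while :; do
    bad=$(docker-compose ps | unhealthy_services)
    [ -z "$bad" ] && return 0
    if [ "$waited" -ge "$limit" ]; then
      echo "components not healthy after ${limit}s:" >&2
      echo "$bad" >&2
      return 1
    fi
    sleep 5; waited=$((waited + 5))
  done
}

# Usage when run as `sh this.sh demo`: block until Harbor is ready, e.g. right
# after `docker-compose up -d`, before running the docker login / push steps.
if [ "${1:-}" = "demo" ]; then
  harbor_wait_healthy 180 && echo "Harbor is healthy"
fi
```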
More commands are listed in docker-compose's help:
[root@dev110 harbor]# docker-compose --help
Define and run multi-container applications with Docker.
Usage:
docker-compose [-f ...] [options] [COMMAND] [ARGS...]
docker-compose -h|--help
Options:
-f, --file FILE Specify an alternate compose file
(default: docker-compose.yml)
-p, --project-name NAME Specify an alternate project name
(default: directory name)
--verbose Show more output
--log-level LEVEL Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
--no-ansi Do not print ANSI control characters
-v, --version Print version and exit
-H, --host HOST Daemon socket to connect to
--tls Use TLS; implied by --tlsverify
--tlscacert CA_PATH Trust certs signed only by this CA
--tlscert CLIENT_CERT_PATH Path to TLS certificate file
--tlskey TLS_KEY_PATH Path to TLS key file
--tlsverify Use TLS and verify the remote
--skip-hostname-check Don't check the daemon's hostname against the
name specified in the client certificate
--project-directory PATH Specify an alternate working directory
(default: the path of the Compose file)
--compatibility If set, Compose will attempt to convert keys
in v3 files to their non-Swarm equivalent
--env-file PATH Specify an alternate environment file
Commands:
build Build or rebuild services
config Validate and view the Compose file
create Create services
down Stop and remove containers, networks, images, and volumes
events Receive real time events from containers
exec Execute a command in a running container
help Get help on a command
images List images
kill Kill containers
logs View output from containers
pause Pause services
port Print the public port for a port binding
ps List containers
pull Pull service images
push Push service images
restart Restart services
rm Remove stopped containers
run Run a one-off command
scale Set number of containers for a service
start Start services
stop Stop services
top Display the running processes
unpause Unpause services
up Create and start containers
version Show the Docker-Compose version information