Setting up Harbor 1.10.2 on CentOS 7 with a self-signed certificate

The registry tool Docker itself ships is rather bare-bones; it is fine for testing, but it falls short for use inside an enterprise!
Today's topic is Harbor, the private Docker registry most enterprises use.

Harbor introduction:

Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. As a CNCF Incubating project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.

Installation, configuration and startup

The official release page lists every version; pick the one you need!
I chose the latest at the time, v1.10.2, roughly 600 MB. v1.10.2 download link

[Figure 1: V1.10.2]

There is also an online installer, which is smaller, but it downloads the images over the network during installation!

Installation

  • Required software

docker
docker-compose (available from the EPEL repository)

  • Extract the package
[root@rainy src]# ls
harbor-offline-installer-v1.10.2.tgz  ossimport-2.3.4
jdk-7u79-linux-x64.tar.gz             ossimport-2.3.4.zip

[root@rainy src]# tar zxvf harbor-offline-installer-v1.10.2.tgz -C ../
harbor/harbor.v1.10.2.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml
  • Edit the Harbor configuration
    Normally you only need to change two things in the file: the hostname property and the https section (the certificate and private_key paths).
    If you are only testing, change hostname and delete the https section entirely, then run the commands that follow, skipping the self-signed certificate part. Keep that for lab use only: without https the Docker daemon refuses to talk to the registry unless it is listed under insecure-registries, and credentials and image layers then travel in cleartext.
[root@rainy harbor]# ls
common     docker-compose.yml     harbor.yml  LICENSE
common.sh  harbor.v1.10.2.tar.gz  install.sh  prepare

[root@rainy harbor]# vim harbor.yml             # the configuration file

If you are not using https, delete the https section of harbor.yml

[Figure 2: harbor.yml]

Configuring a self-signed certificate
The author's CentOS hostname is wang.com; substitute your own hostname wherever it appears below.

# Generate the certificate authority
# Generate the CA private key.
openssl genrsa -out ca.key 4096

# Generate the CA certificate.
# (This follows the Harbor docs in giving the CA the same subject as the server certificate below;
#  a distinct CN such as CN=wang.com CA makes the two easier to tell apart when debugging a chain.)
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=wang.com" \
 -key ca.key \
 -out ca.crt

## Generate the server certificate
# Generate the private key.
openssl genrsa -out wang.com.key 4096

# Generate the certificate signing request (CSR)
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=wang.com" \
    -key wang.com.key \
    -out wang.com.csr

# Generate an x509 v3 extension file. The SAN list must contain every name clients will use to
# reach the registry: current Docker and browsers match on the SAN, not the CN.
# DNS.3=hostname is a literal placeholder copied from the Harbor docs: replace it with a real
# name or remove it, and add IP.1=<address> if anyone will pull by IP address.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=wang.com
DNS.2=wang
DNS.3=hostname
EOF

# Use the v3.ext file to generate a certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in wang.com.csr \
    -out wang.com.crt


# Provide the certificates to Harbor and Docker
# Copy the server certificate and key into the certificates folder on the Harbor host
# (the https certificate and private_key entries in harbor.yml should point at these two paths).
mkdir -p /data/cert/
cp wang.com.crt /data/cert/
cp wang.com.key /data/cert/


# Convert wang.com.crt to wang.com.cert for Docker's use.
# (Docker reads *.crt files under certs.d as CA certificates and *.cert files as client certificates.)
openssl x509 -inform PEM -in wang.com.crt -out wang.com.cert

# Copy the server certificate, key and CA file into Docker's certificate folder on the Harbor host.
# You must create the folder first.
# Only ca.crt is needed for the Docker daemon to trust the registry; the .cert/.key pair would be a
# client certificate for mutual TLS, which Harbor is not configured to require here. On other Docker
# client machines copy ca.crt alone and keep wang.com.key on the Harbor host.
mkdir -p /etc/docker/certs.d/wang.com/
cp wang.com.cert /etc/docker/certs.d/wang.com/
cp wang.com.key /etc/docker/certs.d/wang.com/
cp ca.crt /etc/docker/certs.d/wang.com/
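The whole certificate procedure above, wrapped into a script that also runs the checks you want to see pass before harbor.yml or /etc/docker/certs.d ever point at the files: the leaf chains to the CA, its SAN names the hostname, the leaf is not itself a CA, and the private key belongs to the certificate. This is an added example, not code from the original post or from the Harbor project; it goes one step beyond the text by taking the hostname and an optional IP as arguments and building the SAN list from them instead of the literal DNS.3=hostname placeholder. It assumes openssl is on PATH; wang.com, 192.0.2.10 and the ./certs output directory are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the Harbor project.
# Generates the same CA + SAN-bearing server certificate as the steps above and
# then runs the checks you want to see pass before harbor.yml or
# /etc/docker/certs.d ever point at the files. Assumes openssl is on PATH;
# wang.com, 192.0.2.10 and ./certs in the usage line are placeholders.
set -eu

# gen_harbor_certs DIR FQDN [IP]
#   Writes ca.key, ca.crt, FQDN.key, FQDN.crt and FQDN.cert (Docker's name for
#   a client cert) into DIR. The SAN list is built from the arguments instead
#   of a literal DNS.3=hostname placeholder.
gen_harbor_certs() {
  local dir="$1" fqdn="$2" ip="${3:-}" short
  short=${fqdn%%.*}                      # wang.com -> wang
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA with a CN distinct from the server's, so chains are easy to read.
    openssl genrsa -out ca.key 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
      -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=${fqdn} CA" \
      -key ca.key -out ca.crt 2>/dev/null
    # Server key and CSR.
    openssl genrsa -out "${fqdn}.key" 4096 2>/dev/null
    openssl req -sha512 -new \
      -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=${fqdn}" \
      -key "${fqdn}.key" -out "${fqdn}.csr" 2>/dev/null
    # v3 extensions: Docker and browsers match the SAN, not the CN, so every
    # name or address a client will type must appear here.
    {
      echo 'authorityKeyIdentifier=keyid,issuer'
      echo 'basicConstraints=CA:FALSE'
      echo 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment'
      echo 'extendedKeyUsage = serverAuth'
      echo 'subjectAltName = @alt_names'
      echo '[alt_names]'
      echo "DNS.1=${fqdn}"
      echo "DNS.2=${short}"
      if [ -n "$ip" ]; then echo "IP.1=${ip}"; fi   # only when pulls happen by IP
    } > v3.ext
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -in "${fqdn}.csr" -out "${fqdn}.crt" 2>/dev/null
    openssl x509 -inform PEM -in "${fqdn}.crt" -out "${fqdn}.cert"
    chmod 600 ca.key "${fqdn}.key"     # private keys stay owner-readable only
  )
}

# verify_harbor_certs DIR FQDN [HOST]
#   Succeeds only if FQDN.crt chains to ca.crt, names HOST (default FQDN) in
#   its SAN, is not itself a CA, and matches FQDN.key. Uses -text plus grep
#   rather than -verify_hostname so it also runs on CentOS 7's OpenSSL 1.0.2.
verify_harbor_certs() {
  local dir="$1" fqdn="$2" host="${3:-$2}"
  local crt="$dir/${fqdn}.crt" key="$dir/${fqdn}.key" ca="$dir/ca.crt" text
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text)
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:${host}"'(,|$)' \
    || { echo "FAIL: SAN of $crt does not name ${host}"; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:FALSE' \
    || { echo "FAIL: $crt is marked as a CA"; return 1; }
  [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl x509 -in "$crt" -pubkey -noout)" ] \
    || { echo "FAIL: $key does not belong to $crt"; return 1; }
  echo "OK: $crt is valid for https://${host}/ under $ca"
}

# Usage on the Harbor host (placeholders):  ./harbor-certs.sh wang.com 192.0.2.10
if [ -n "${1:-}" ]; then
  gen_harbor_certs ./certs "$1" "${2:-}"
  verify_harbor_certs ./certs "$1"
  echo "Next: $1.crt and $1.key -> /data/cert/ (https certificate / private_key in harbor.yml);"
  echo "      ca.crt alone -> /etc/docker/certs.d/$1/ on each Docker client"
fi
```

Run it once on the Harbor host and keep the OK line in your notes; if a client later fails with an x509 hostname error, re-run verify_harbor_certs with the exact name the client typed as the third argument, which tells you immediately whether the SAN or the client's trust store is at fault.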
  • Install
    Run ./prepare (as I recall, version 1.4 did not have this executable)
[root@wang harbor]# ./prepare
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Run ./install.sh

[root@wang harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.8
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-db:v1.10.2
Loaded image: goharbor/notary-server-photon:v1.10.2
Loaded image: goharbor/clair-photon:v1.10.2
Loaded image: goharbor/harbor-portal:v1.10.2
Loaded image: goharbor/harbor-core:v1.10.2
Loaded image: goharbor/harbor-jobservice:v1.10.2
Loaded image: goharbor/harbor-registryctl:v1.10.2
Loaded image: goharbor/redis-photon:v1.10.2
Loaded image: goharbor/nginx-photon:v1.10.2
Loaded image: goharbor/chartmuseum-photon:v1.10.2
Loaded image: goharbor/harbor-log:v1.10.2
Loaded image: goharbor/registry-photon:v1.10.2
Loaded image: goharbor/notary-signer-photon:v1.10.2
Loaded image: goharbor/harbor-migrator:v1.10.2
Loaded image: goharbor/prepare:v1.10.2
Loaded image: goharbor/clair-adapter-photon:v1.10.2
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Creating nginx ... done
Creating harbor-log ... done
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Creating harbor-db ... done
Creating harbor-core ... done
[Step 5]: starting Harbor ...
Creating registryctl ...
Creating registry ...
Creating redis ...
Creating harbor-db ...
Creating harbor-portal ...
Creating harbor-core ...
Creating harbor-jobservice ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----

Check that the service started
If you removed the https section from the config, port 443 will not be listening. Harbor's nginx front end accounts for 80 and 443, and 127.0.0.1:1514 is its log collector, bound to loopback only as it should be. Unrelated to Harbor, but worth noticing in a listing like the one below: this host also has 23 and 2375 listening on all interfaces, conventionally telnet and Docker's unencrypted remote API, and neither should be reachable from an untrusted network.

[root@wang harbor]# ss -tnl
State       Recv-Q Send-Q                                      Local Address:Port                                                     Peer Address:Port
LISTEN      0      128                                             127.0.0.1:1514                                                                *:*
LISTEN      0      128                                                     *:22                                                                  *:*
LISTEN      0      100                                             127.0.0.1:25                                                                  *:*
LISTEN      0      128                                                  [::]:2375                                                             [::]:*
LISTEN      0      128                                                  [::]:80                                                               [::]:*
LISTEN      0      128                                                  [::]:22                                                               [::]:*
LISTEN      0      128                                                  [::]:23                                                               [::]:*
LISTEN      0      100                                                 [::1]:25                                                               [::]:*
LISTEN      0      128                                                  [::]:443                                                              [::]:*
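An added check for this step, not from the original post: it reads ss -tnl output, keeps only sockets bound to every interface, and subtracts the ports you meant to expose, so that anything else stands out. The sample listing is constructed from the output above, and the expected-port list (22, 80, 443) is an assumption for this host.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reads `ss -tnl` output and reports
# which ports are bound to every interface, then subtracts the ports you meant
# to expose so anything else stands out. The sample listing is constructed from
# the output above; the expected ports are an assumption for this host.

# wildcard_listeners: stdin is `ss -tnl` output; prints the port of each LISTEN
# socket bound to *, 0.0.0.0 or [::]. Loopback-only sockets, like Harbor's
# 127.0.0.1:1514 log collector, are deliberately skipped.
wildcard_listeners() {
  awk '$1 == "LISTEN" {
         addr = $4; port = $4
         sub(/.*:/, "", port)          # text after the last colon
         sub(/:[^:]*$/, "", addr)      # everything before it
         if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") print port
       }' | sort -un
}

# unexpected_listeners PORT...: wildcard listeners minus the ports you intend to expose.
unexpected_listeners() {
  local expected=" $* " port
  wildcard_listeners | while read -r port; do
    case "$expected" in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# Constructed sample, abridged from the ss -tnl listing in this post (not live data).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1514     *:*
LISTEN 0      128    *:22               *:*
LISTEN 0      100    127.0.0.1:25       *:*
LISTEN 0      128    [::]:2375          [::]:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      128    [::]:23            [::]:*
LISTEN 0      100    [::1]:25           [::]:*
LISTEN 0      128    [::]:443           [::]:*'

# Live use on the Harbor host:  ss -tnl | unexpected_listeners 22 80 443
# Against the sample this prints 23 and 2375: conventionally telnet and the
# unauthenticated Docker remote API, neither of which Harbor needs.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners 22 80 443
```

Run it after every install or upgrade; an empty result is what you want, and any port it prints is either something to firewall off or something to add to the expected list on purpose.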
  • Access Harbor
    Point a browser at https:// or http:// followed by the hostname you set in harbor.yml (wang.com in this walkthrough)
    http uses port 80 and https port 443 by default, so the port number can be omitted


    [Figure 3: Harbor home page]

    Default account: admin
    Default password: Harbor12345, unless you changed harbor_admin_password in harbor.yml before installing. Change it at first login in any case: the default is public knowledge and this account administers the whole registry.


    [Figure 4: login succeeded]
  • Managing Harbor

Change to the install directory and manage the
services with docker-compose

Pause access

[root@rainy harbor]# docker-compose pause
Pausing harbor-log        ... done
Pausing harbor-db         ... done
Pausing redis             ... done
Pausing registryctl       ... done
Pausing harbor-portal     ... done
Pausing registry          ... done
Pausing harbor-core       ... done
Pausing harbor-jobservice ... done
Pausing nginx             ... done

Resume access

[root@rainy harbor]# docker-compose unpause
Unpausing nginx             ... done
Unpausing harbor-jobservice ... done
Unpausing harbor-core       ... done
Unpausing registry          ... done
Unpausing harbor-portal     ... done
Unpausing registryctl       ... done
Unpausing redis             ... done
Unpausing harbor-db         ... done
Unpausing harbor-log        ... done

More management commands:

Commands:
  build              Build or rebuild services
  bundle             Generate a Docker bundle from the Compose file
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove containers, networks, images, and volumes
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show the Docker-Compose version information
