1) Install docker-compose
yum install -y docker-compose
or: curl -L https://github.com/docker/compose/releases/download/1.8.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
2) Download the package and change the registry mirror
1. Download harbor-offline-installer-vxxx.tgz
2. Upload it to a directory and extract it
3. Edit the harbor.cfg file
hostname = <host IP>
harbor_admin_password = 123456
4. Edit /etc/docker/daemon.json on every node
cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["192.168.121.192"],
  "live-restore": true
}
5. Restart docker
systemctl restart docker
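The "insecure-registries" entry above tells every daemon to accept the registry over plain HTTP (or over HTTPS with an untrusted certificate), which is only needed until the HTTPS steps below are done. The following script is an added example, not part of the original notes: it builds two constructed daemon.json files, the one used during HTTP testing and the one to keep once HTTPS works, and checks with POSIX tools only (no jq, so it runs on a bare CentOS host) whether a given registry is still listed as insecure. The file names and the 192.168.121.x addresses are test values.

```shell
#!/bin/sh
# Added example: report whether a registry host is still trusted without
# TLS via "insecure-registries" in a daemon.json. Paths are scratch files.

WORK=$(mktemp -d)

# Constructed: the configuration as it looks during initial HTTP testing.
cat > "$WORK/daemon.http.json" <<'EOF'
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["192.168.121.192"],
  "live-restore": true
}
EOF

# Constructed: the configuration after HTTPS is enabled. The registry is no
# longer listed, so the daemon requires TLS and a CA it trusts for it.
cat > "$WORK/daemon.https.json" <<'EOF'
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "live-restore": true
}
EOF

# registry_is_insecure FILE HOST -> exit 0 if HOST appears in the
# insecure-registries array of FILE, 1 otherwise. The file is flattened to
# one line, the bracketed array after the key is extracted, and each quoted
# entry is compared exactly against HOST.
registry_is_insecure() {
  file=$1; host=$2
  tr -d '\n' < "$file" \
    | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
    | tr ',' '\n' | tr -d ' "' | grep -qx "$host"
}

# report FILE HOST: human-readable verdict for one file.
report() {
  if registry_is_insecure "$1" "$2"; then
    echo "$1: $2 is in insecure-registries (pulled without TLS verification); remove it once HTTPS works"
  else
    echo "$1: $2 is not in insecure-registries; the daemon will require a trusted certificate"
  fi
}

report "$WORK/daemon.http.json" 192.168.121.192
report "$WORK/daemon.https.json" 192.168.121.192
```

Run it on a real host by pointing registry_is_insecure at /etc/docker/daemon.json; after step 4) below has been completed, the registry IP should no longer be matched.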
3) Configure HTTPS:
Note: all 192.x addresses below come from key files generated during testing; in production replace them with a domain name or the local IP.
1. Generate the CA private key.
openssl genrsa -out ca.key 4096
2. Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.121.192" \
-key ca.key \
-out ca.crt
Generate the server certificate
1. Generate the private key
openssl genrsa -out 192.168.121.192.key 4096
2. Generate a certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.121.192" \
-key 192.168.121.192.key \
-out 192.168.121.192.csr
3. Generate an x509 v3 extension file
Option 1: domain name
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=192.168.121.190
DNS.2=yourdomain
DNS.3=hostname
EOF
############################################### choose one of the two options depending on your situation ##############################################
Option 2: IP
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.121.192
EOF
4. Use the v3.ext file to generate the certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in 192.168.121.192.csr \
-out 192.168.121.192.crt
4) Provide the certificates to Harbor and Docker
1. Copy the server certificate and key into the certificates folder on the Harbor host
mkdir -p /data/cert/ ## the directory can be changed to suit your needs
cp 192.168.121.192.crt /data/cert/
cp 192.168.121.192.key /data/cert/
2. Convert 192.168.121.190.crt to 192.168.121.190.cert for Docker to use
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in 192.168.121.192.crt -out 192.168.121.192.cert
3. Copy the server certificate, key and CA file into the Docker certificate folder on the Harbor host. You must create the folder first
mkdir -p /etc/docker/certs.d/192.168.121.192/
cp 192.168.121.192.cert /etc/docker/certs.d/192.168.121.192/
cp 192.168.121.192.key /etc/docker/certs.d/192.168.121.192/
cp ca.crt /etc/docker/certs.d/192.168.121.192/
4. Edit the harbor.yml file
Uncomment the following lines in harbor.yml and set them to your own certificate directory
https:
  port: 443
  certificate: /data/cert/192.168.121.192.crt
  private_key: /data/cert/192.168.121.192.key
5. Run the prepare script to enable HTTPS
./prepare
6. Run the install.sh script to start Harbor
./install.sh
7. If Harbor is already running, stop and remove the existing instance
docker-compose down -v
8. Restart
docker-compose up -d
9. Restart Docker Engine
systemctl restart docker
10. Download the "ca.crt" certificate to your local machine and install it; after that the site can be accessed normally
11. Log in to Harbor from the Docker client
docker login 192.168.121.192
# If the nginx 443 port has been mapped to another port, add that port to the login command
docker login 192.168.121.192:xxxx
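Before restarting Docker and running docker login, it is worth checking the files that ended up under certs.d the way a client would, because each of the three common failures (cert not signed by the CA in ca.crt, key copied from the wrong pair, address missing from the SAN) produces a confusing error at login time. The script below is an added example and not part of the original notes: it carries out the CA, server certificate and certs.d steps from sections 3) and 4) in a scratch directory and then runs three checks. The IP address, the DNS name harbor.example.test, the subject fields and the scratch paths are assumed test values; nothing is written to /etc/docker or /data. The CA is given its own CN so its subject differs from the server certificate's, and the SAN carries both an IP and a DNS entry, so the certificate is valid however clients reach the registry.

```shell
#!/bin/sh
# Added example: generate CA + server certificate, lay the files out as Docker
# expects under certs.d, and verify chain, key/cert match and SAN contents.

HOST=192.168.121.192                        # address clients will dial (assumed)
WORK=$(mktemp -d)
CERTSD="$WORK/certs.d/$HOST"                # stand-in for /etc/docker/certs.d/$HOST
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal"

# make_certs: CA key + cert, server key + CSR, v3 extension file, signed
# server cert, the .crt -> .cert copy Docker wants, and the certs.d layout.
make_certs() {
  openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null || return 1
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "$SUBJ/CN=harbor-test-ca" \
    -key "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
  openssl genrsa -out "$WORK/$HOST.key" 4096 2>/dev/null || return 1
  openssl req -sha512 -new -subj "$SUBJ/CN=$HOST" \
    -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null || return 1
  # SAN lists the IP and a DNS name (assumed) so either form of access matches.
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$HOST, DNS:harbor.example.test
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$WORK/v3.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/$HOST.csr" -out "$WORK/$HOST.crt" 2>/dev/null || return 1
  # Docker treats <name>.crt as a CA and <name>.cert as a client cert, which
  # is why the server certificate is re-emitted under the .cert suffix.
  openssl x509 -inform PEM -in "$WORK/$HOST.crt" -out "$WORK/$HOST.cert" || return 1
  mkdir -p "$CERTSD" &&
    cp "$WORK/$HOST.cert" "$WORK/$HOST.key" "$WORK/ca.crt" "$CERTSD/"
}

# chain_ok: the server cert must validate against ca.crt; this is the check
# behind "certificate signed by unknown authority" when the CA is missing.
chain_ok() {
  openssl verify -CAfile "$CERTSD/ca.crt" "$CERTSD/$HOST.cert" >/dev/null 2>&1
}

# key_matches: the key copied beside the cert must belong to it; compare the
# public key derived from each side.
key_matches() {
  c=$(openssl x509 -in "$CERTSD/$HOST.cert" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$CERTSD/$HOST.key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# san_has_host: hostname verification uses the SAN, not the CN, so the
# address clients dial must appear there as an IP entry (a DNS: entry that
# merely contains an IP does not satisfy an IP lookup).
san_has_host() {
  openssl x509 -in "$CERTSD/$HOST.cert" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q "IP Address:$HOST"
}

make_certs || { echo "certificate generation failed"; exit 1; }
for check in chain_ok key_matches san_has_host; do
  if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```

To apply the same checks to a real host, set CERTSD to /etc/docker/certs.d/<registry address> and skip make_certs; all three checks should pass before docker login is attempted.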