Harbor deployment: LDAP and enabling HTTPS

Introduction

Today my manager asked me to set up a private Harbor registry, so I'm recording the installation process here.
Versions:

Module           Version
docker           17.09.1-ce
docker-compose   1.18.0
harbor           v1.8.0

Preparation

  • A CentOS 7 virtual machine
  • Install Docker
  • Miscellaneous prep work such as turning off the firewall
  • Download docker-compose
  • Download harbor-offline-installer
docker-compose:
curl -L https://github.com/docker/compose/releases/download/1.25.0-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

harbor-offline-installer:
https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0.tgz

Installation

Put docker-compose in a directory on PATH:

cp docker-compose /usr/local/bin/
chmod +x /usr/local/bin/docker-compose

Extract Harbor and run the install script:

tar zxvf harbor-offline-installer-v1.8.0.tgz
cd harbor
# Edit the config file:
vim harbor.cfg
# hostname 192.168.1.24

# Run the install script
./install.sh

Error:

[root@localhost harbor]# ./install.sh 

[Step 0]: checking installation environment ...
✖ Need to upgrade docker package to 17.06.0+. 

It complains that the Docker version is too old. A yum install usually gives 1.13.1, which is really annoying; next we'll write a post on how to install a specific Docker version.

[root@localhost ~]# docker version
Client:
 Version:      17.09.1-ce
 API version:  1.32
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:23:40 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.09.1-ce
 API version:  1.32 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:25:03 2017
 OS/Arch:      linux/amd64
 Experimental: false

After upgrading Docker, run install.sh again.

Harbor LDAP configuration

Edit harbor.yml:

auth_mode: ldap_auth
ldap_url: ldap://172.18.143.190
ldap_basedn: ou=users,dc=devel,dc=cluster
ldap_searchdn: cn=ldapadm,dc=devel,dc=cluster
ldap_search_pwd: 123456
ldap_uid: cn
ldap_scope: 3
ldap_timeout: 50

Restart:

./prepare 
docker-compose down -v
docker-compose rm -f
docker-compose up -d

No effect? Why? Don't know...
Not sure why, but this works: open the Harbor UI (dashboard), log in as admin, go to Administration - Configuration, enter the settings by hand, and click Save.

[Screenshot: ldap.png]

Success!

Enabling HTTPS for Harbor

Generate the certificates:

mkdir -p /data/cert
cd /data/cert
# Generate the CA key
openssl genrsa -out ca.key 4096
# Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=chinatelecom/OU=ecloudcaas/CN=172.18.141.128" \
    -key ca.key \
    -out ca.crt
# Generate the key for our own hostname
openssl genrsa -out 172.18.141.128.key 4096
# Generate the CSR for our own hostname
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=chinatelecom/OU=ecloudcaas/CN=172.18.141.128" \
    -key 172.18.141.128.key \
    -out 172.18.141.128.csr

# Write the extension file the openssl command needs.
# The important part is subjectAltName: IP.1=yourip here, or DNS.1=yourdomainname
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1=172.18.141.128
EOF

# Generate the crt from the v3.ext and csr prepared above
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 172.18.141.128.csr \
    -out 172.18.141.128.crt
# Convert the server crt into the .cert file used by the Docker client
openssl x509 -inform PEM -in 172.18.141.128.crt -out 172.18.141.128.cert
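Added example, not from the original post: it builds a CA-signed server certificate the same way as above, then verifies it the way the Docker client will, so a missing or mismatched subjectAltName is caught before the `docker login` test. The CA name, temporary file layout and the wrong-name SAN are constructed for the demo; only the 172.18.141.128 address comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build a CA-signed server cert
# with a subjectAltName as in the post, then check it the way the Docker
# client will: it must chain to ca.crt AND its SAN must cover the address
# used in `docker login` (the CN alone is not enough for Docker's Go TLS).
# The CA name, file names and the wrong-name SAN below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ADDR=172.18.141.128   # registry address the client connects to (from the post)

# Same shape as the post's openssl steps; 2048-bit keys to keep it fast.
# $2 is the subjectAltName value, e.g. "IP:172.18.141.128".
gen_certs() {
    dir=$1; san=$2
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=demo-ca" \
        -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/CN=$ADDR" -key "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$san" > "$dir/v3.ext"
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}

# Exit 0 only if server.crt chains to ca.crt and its SAN matches $ADDR.
check_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$ADDR" "$1/server.crt" >/dev/null 2>&1
}

mkdir -p "$WORK/good" "$WORK/bad"
gen_certs "$WORK/good" "IP:$ADDR"                 # what the post's v3.ext yields
gen_certs "$WORK/bad"  "DNS:harbor.example.test"  # SAN present, but the wrong name
check_server_cert "$WORK/good" && echo "good: chains to CA, SAN covers $ADDR"
check_server_cert "$WORK/bad"  || echo "bad: rejected, SAN does not cover $ADDR"
```

The same `openssl verify -CAfile ca.crt -verify_ip <addr>` check can be run against the real /data/cert/ files before restarting Harbor.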

Edit the configuration:

# https related config
https:
  port: 443
  certificate: /data/cert/harbor.ctyun.cn.crt
  private_key: /data/cert/harbor.ctyun.cn.key

Restart Harbor.
Now test from the Docker client side:

# Copy the hostname's cert, key and ca.crt to the Docker client host under
# /etc/docker/certs.d/yourdomain/
# On CentOS 7, add the certificate to the system trust store manually
cp 172.18.141.128.cert /etc/pki/ca-trust/source/anchors/172.18.141.128.cert
update-ca-trust

# Login test
docker login 172.18.141.128
Username (admin): 
Password: 
Login Succeeded

# Image push test
docker tag ef46e0caa533 172.18.141.128/test111/busybox:latest
docker push 172.18.141.128/test111/busybox:latest

That's all.
