Docker Harbor private image registry installation

  • Docker Harbor private image registry installation

    • goharbor/harbor

      • Reference: https://www.cnblogs.com/wuvikr/p/14688079.html
    • # Stop Harbor

      • systemctl stop harbor.service
    • Re-run the prepare script to regenerate the container configuration from harbor.yml

      • [root@harbor harbor]# ./prepare
      • prepare only renders the configuration under common/ and docker-compose.yml from harbor.yml; after a short wait Harbor starts up again
      • Check: the nginx container should now be listening on 443
      • [root@harbor harbor]# docker-compose ps
      • # If it did not come up, start Harbor with systemctl instead
      • [root@harbor harbor]# systemctl enable --now harbor.service
    • HTTPS

      • Create a directory for the certificates and work inside it (the openssl commands below write to the current directory, and harbor.yml will later point at this path)

        • mkdir -p /usr/local/harbor/certs && cd /usr/local/harbor/certs
      • Generate the CA certificate (self-signed, valid for 10 years)

        • openssl req -newkey rsa:2048 -nodes -x509 -subj "/C=CN/ST=Beijing/L=Beijing/O=david/OU=IT/CN=ca.david.com/emailAddress=ca.david.com" -set_serial 01 -keyout ca.key -days 3650 -out ca.crt
      • Generate Harbor's private key and certificate signing request (-set_serial only applies to self-signed -x509 output, so it is left out here; the CA assigns the serial number when it signs)

        • openssl req -newkey rsa:2048 -nodes -subj "/C=CN/ST=Beijing/L=Beijing/O=david/OU=devops/CN=harbor.david.com" -keyout harbor.key -out harbor.csr
      • Issue the certificate for Harbor

        • Reference: OpenSSL SAN certificate (CSDN blog)
        • The certificate must carry the SAN (Subject Alternative Name) extension. The docker client is a Go program, and Go's x509 verifier matches the hostname against the SANs only and ignores the Common Name, so a certificate signed without the extension fails at login with:
        • [root@bogon config]# docker login harbor.david.com
          • Username: admin
          • Password:
          • Error response from daemon: Get "https://harbor.david.com/v2/": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
        • Create the v3.ext extension file. DNS.1=*.david.com covers every single-label subdomain of david.com, so harbor.david.com and reg.david.com both match, but david.com itself and deeper names such as a.b.david.com do not (add those as DNS.2, DNS.3, ... if you need them)

          • Reference: https://www.cnblogs.com/punchlinux/p/16499966.html
            • cat > v3.ext <<'EOF'
            • authorityKeyIdentifier=keyid,issuer
            • basicConstraints=CA:FALSE
            • keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
            • extendedKeyUsage = serverAuth
            • subjectAltName = @alt_names
            • [alt_names]
            • DNS.1=*.david.com
            • EOF
          • Issue the certificate with the SAN extension (-extfile v3.ext). openssl x509 -req defaults to only 30 days of validity when -days is omitted, so pass it explicitly (one year here; match it to your rotation schedule):

            • openssl x509 -req -in harbor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out harbor.crt -extfile v3.ext
          • Inspect the certificate; the SAN extension should list DNS:*.david.com

            • openssl x509 -text -noout -in harbor.crt
              X509v3 extensions:
                  X509v3 Authority Key Identifier:
                      keyid:B8:44:82:67:B2:E3:2C:70:B3:A9:04:66:BE:D4:C6:95:FD:2F:95:0F
                  X509v3 Basic Constraints:
                      CA:FALSE
                  X509v3 Key Usage:
                      Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                  X509v3 Extended Key Usage:
                      TLS Web Server Authentication
                  X509v3 Subject Alternative Name:
                      DNS:*.david.com
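The reason the Common Name is not enough is that the docker client is written in Go and hands certificate checking to Go's crypto/x509, which matches the hostname only against the SAN extension. The Go program below is an added example (not part of the original post, nor Harbor's or Docker's own code) that rebuilds the page's certificate chain in memory and runs the same verification that the docker login above performed: once for a CN-only certificate, once for the *.david.com certificate, and once for a client that never installed ca.crt. It uses ECDSA P-256 keys instead of the page's RSA-2048 purely to keep the run fast; the names, validity periods and extensions follow the page, and the hostnames david.com and a.b.david.com are added only to show where the wildcard stops matching.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ECDSA P-256 stands in for the page's RSA-2048 only to keep the run fast (my choice, not the page's).
func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign encodes tmpl, signs it with signer (the parent's key) and parses the result back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// makeCA mirrors `openssl req -x509 -days 3650 ... -out ca.crt`: a self-signed CA.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // -set_serial 01
		Subject:               pkix.Name{CommonName: "ca.david.com", Organization: []string{"david"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueServerCert mirrors `openssl x509 -req -CA ca.crt -CAkey ca.key -extfile v3.ext`.
// sans == nil reproduces the page's first, failing certificate, which carries only a Common Name.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"david"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, days), // openssl x509 -req defaults to 30 days
		BasicConstraintsValid: true,                            // basicConstraints=CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // extendedKeyUsage=serverAuth
		DNSNames:              sans,                                           // subjectAltName=DNS:...
	}
	return sign(tmpl, ca, &mustKey().PublicKey, caKey)
}

// verifyForHost is what the docker client does for https://<host>/v2/: build a chain to a trusted
// root, then match host against the SANs. ca == nil models a client with no ca.crt under
// /etc/docker/certs.d/<host>/ (the empty pool is deliberate; a nil pool would mean the system roots).
func verifyForHost(leaf, ca *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	if ca != nil {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return err.Error()
	}
	return "ok"
}

// Scenario issues the two certificates the page contrasts and verifies them for several hostnames.
// Keys are "<cert>|<host>"; values are "ok" or the error text the docker client would print.
func Scenario() map[string]string {
	ca, caKey := makeCA()
	cnOnly := issueServerCert(ca, caKey, "harbor.david.com", nil, 365)
	wildcard := issueServerCert(ca, caKey, "harbor.david.com", []string{"*.david.com"}, 365)
	out := map[string]string{}
	for _, host := range []string{"harbor.david.com", "reg.david.com", "david.com", "a.b.david.com"} {
		out["cn-only|"+host] = verifyForHost(cnOnly, ca, host)
		out["wildcard|"+host] = verifyForHost(wildcard, ca, host)
	}
	out["wildcard-untrusted|harbor.david.com"] = verifyForHost(wildcard, nil, "harbor.david.com")
	return out
}

func main() {
	for key, result := range Scenario() {
		fmt.Printf("%-40s %s\n", key, result)
	}
}
```

Running it prints one line per case: the wildcard certificate verifies for harbor.david.com and reg.david.com but not for david.com or a.b.david.com, which is why every registry name in the hosts file on this page is a single-label subdomain of david.com; the CN-only certificate fails with the exact "relies on legacy Common Name field" message shown above; and the untrusted case fails with "certificate signed by unknown authority", the error you get when /etc/docker/certs.d/<host>/ca.crt is missing on a client.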
  • Edit harbor.yml

    • Uncomment the https block that was commented out earlier and point certificate and private_key at the files just created.
    • The file names are harbor.crt and harbor.key (lowercase h, not Harbor.crt / Harbor.key), and they live under /usr/local/harbor/certs, so a harbor.yml that still reads
    • certificate: /root/harbor/certs/Harbor.crt
    • private_key: /root/harbor/certs/Harbor.key
    • must be corrected to the real path and names. ls -l /usr/local/harbor/certs shows what was generated (the private keys stay mode 0600):
    • -rw-r--r-- 1 root root 1391 Oct 26 15:18 ca.crt
    • -rw------- 1 root root 1708 Oct 26 15:18 ca.key
    • -rw-r--r-- 1 root root 41 Oct 26 15:20 ca.srl
    • -rw-r--r-- 1 root root 1261 Oct 26 15:20 harbor.crt
    • -rw-r--r-- 1 root root 1013 Oct 26 15:19 harbor.csr
    • -rw------- 1 root root 1704 Oct 26 15:19 harbor.key
    • certificate: /usr/local/harbor/certs/harbor.crt
    • private_key: /usr/local/harbor/certs/harbor.key
    • After saving, repeat the stop / ./prepare / start sequence from the top of the page so nginx picks up the new certificate.
  • Install the CA certificate into the Docker client's trust store: one directory per registry name under /etc/docker/certs.d/, named exactly as the host (host:port when the port is not 443) appears in image references. I push using the reg.david.com name, so both names get a copy of ca.crt

    • mkdir -pv /etc/docker/certs.d/reg.david.com
    • cp ca.crt /etc/docker/certs.d/reg.david.com/
    • mkdir -pv /etc/docker/certs.d/harbor.david.com
    • cp ca.crt /etc/docker/certs.d/harbor.david.com/
  • Log in to Harbor

    • docker login harbor.david.com
  • Log out of Harbor

    • docker logout harbor.david.com
  • Add harbor.david.com / ca.david.com / reg.david.com to the local hosts file on each client that pushes or pulls (the registry names must be ones the certificate's SAN covers)

    • [root@bogon config]# cat /etc/hosts
    • 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    • ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    • 192.168.221.129 reg.david.com
    • 192.168.221.129 harbor.david.com
    • 192.168.221.129 ca.david.com
  • docker push fails with unauthorized: unauthorized to access repository: library/xx

    • # The first thing tried was adding insecure-registries to daemon.json. That does not mean "uploads are not restricted by IP": insecure-registries tells the daemon to accept a TLS certificate it cannot verify and to fall back to plain HTTP for any registry whose address matches an entry, and 0.0.0.0/0 matches every IPv4 address, so every registry this host talks to could be impersonated by a man-in-the-middle. It is also unrelated to this error: "unauthorized to access repository" is Harbor's authorization check, meaning the logged-in user has no push permission on that project or the project does not exist (Harbor does not create projects on push; library exists by default). Since ca.crt is already trusted through /etc/docker/certs.d, the insecure-registries entry should be removed rather than added. The daemon.json as it was tried:
      • cat /etc/docker/daemon.json
      • {
        • "insecure-registries": ["0.0.0.0/0"],
        • "registry-mirrors": ["https://wbdhknhl.mirror.aliyuncs.com"]
      • }
    • Restart the Docker daemon after any change to daemon.json

      • systemctl daemon-reload && systemctl restart docker.service
      • This may not have been the cause at all; from what I saw, pushing straight into the library project works fine
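To see what the 0.0.0.0/0 entry actually does, here is an added Go example (my own code, not Docker's or Harbor's) that parses the page's daemon.json and applies the daemon's insecure-registry rule to a few registry addresses: an entry that parses as a CIDR matches any registry whose IP falls inside it, and any other entry must equal the registry name exactly as written in image references. The registry IPs are passed in directly instead of being resolved, so the check runs offline; the two Harbor names and their address come from the page's /etc/hosts, while other.example.com:5000 is a made-up third registry, and the rule is a simplified model of the daemon's logic (the real daemon resolves hostnames itself and always treats docker.io as secure).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// DaemonConfig models the two /etc/docker/daemon.json keys used on this page.
type DaemonConfig struct {
	InsecureRegistries []string `json:"insecure-registries"`
	RegistryMirrors    []string `json:"registry-mirrors"`
}

// Constructed inputs: the daemon.json from the page, and the same file with the blanket entry removed.
const weakDaemonJSON = `{
  "insecure-registries": ["0.0.0.0/0"],
  "registry-mirrors": ["https://wbdhknhl.mirror.aliyuncs.com"]
}`

const fixedDaemonJSON = `{
  "registry-mirrors": ["https://wbdhknhl.mirror.aliyuncs.com"]
}`

// SampleRegistries maps registry names (as written in image references) to the IPs they resolve to.
// The Harbor entries come from the page's /etc/hosts; the third is a made-up registry somewhere else.
func SampleRegistries() map[string]net.IP {
	return map[string]net.IP{
		"harbor.david.com":       net.ParseIP("192.168.221.129"),
		"reg.david.com":          net.ParseIP("192.168.221.129"),
		"other.example.com:5000": net.ParseIP("203.0.113.10"),
	}
}

// IsInsecure reports whether the daemon would treat registry `name` (reached at `ip`) as insecure,
// i.e. accept a certificate it cannot verify and fall back to plain HTTP.
// Simplified model of Docker's rule: a CIDR entry matches by IP, any other entry matches the name literally.
func IsInsecure(cfg DaemonConfig, name string, ip net.IP) bool {
	for _, entry := range cfg.InsecureRegistries {
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(ip) {
				return true
			}
			continue
		}
		if entry == name {
			return true
		}
	}
	return false
}

// Audit parses a daemon.json and reports, per sample registry, whether TLS verification is effectively off.
func Audit(daemonJSON string, registries map[string]net.IP) (map[string]bool, error) {
	var cfg DaemonConfig
	if err := json.Unmarshal([]byte(daemonJSON), &cfg); err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(registries))
	for name, ip := range registries {
		out[name] = IsInsecure(cfg, name, ip)
	}
	return out, nil
}

func main() {
	for label, cfg := range map[string]string{"as tried on the page": weakDaemonJSON, "corrected": fixedDaemonJSON} {
		res, err := Audit(cfg, SampleRegistries())
		if err != nil {
			panic(err)
		}
		fmt.Println(label + ":")
		for name, insecure := range res {
			fmt.Printf("  %-24s insecure=%v\n", name, insecure)
		}
	}
}
```

With the page's file, all three registries, including the unrelated one at 203.0.113.10, come out insecure; with the corrected file none do, and the Harbor certificate is verified against the ca.crt installed under /etc/docker/certs.d. If a plain-HTTP registry ever has to be allowed, list that one name (for example other.example.com:5000) rather than a CIDR that covers the whole address space.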
  • Tag the image

    • docker tag seatunnel:2.3.3 reg.david.com/library/seatunnel:2.3.3
  • Push the image to the registry

    • docker push reg.david.com/library/seatunnel:2.3.3
