- Harbor overview
- Harbor architecture
- Harbor deployment
  - Basic deployment
  - HTTPS configuration
    - CA (certificate authority) certificate
    - Creating the server certificate
    - Using the certificates with Harbor and Docker
- Using Harbor
  - Docker command-line operations
Harbor, the enterprise-class registry project open-sourced by VMware, builds on the registry open-sourced by Docker Inc. and adds the features enterprise users need: a management UI, role-based access control (RBAC), AD/LDAP integration and audit logging. It also ships with native Chinese-language support. Its main features:
- Role-based access control: users and Docker image repositories are organised through "projects"; a user can hold different permissions on several image repositories within the same namespace (project).
- Image replication: images can be replicated (synchronised) across multiple Registry instances, which suits load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
- Graphical user interface: users can browse and search the Docker image repository and manage projects and namespaces from a browser.
- AD/LDAP support: Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorisation.
- Audit management: every operation against the image repository can be recorded and traced for auditing.
- Internationalisation: localised versions exist in English, Chinese, German, Japanese and Russian, with more languages to come.
- RESTful API: the RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
- Simple deployment: online and offline installers are provided, and Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).
The containers are named nginx, harbor-jobservice, harbor-ui, harbor-db, harbor-adminserver, registry and harbor-log. Each is described below:
- Proxy: Harbor's registry, UI, token service and other components all sit behind a reverse proxy, which forwards requests from browsers and Docker clients to the backend services.
- Registry: stores Docker images and handles Docker push/pull requests. Because Harbor enforces access control on images, on every push/pull request the Registry requires the client to present a valid token obtained from the token service.
- Core services: Harbor's core functionality, consisting mainly of three services:
  - UI: acts as the Registry webhook receiver and helps users manage images through a graphical interface.
  - Webhook: a mechanism configured in the registry; when an image in the registry changes, Harbor's webhook endpoint is notified. Harbor uses webhooks to update logs, kick off replication jobs and so on.
  - Token service: issues a token for each docker push/pull command according to the user's permissions. A request the Docker client sends to the Registry without a token is redirected here; after obtaining a token the client retries the request against the Registry.
- Database: provides database services for the core services, storing user permissions, audit logs, Docker image grouping information and other data.
- Job services: mainly used for image replication; local images can be synchronised to a remote Harbor instance.
- Log collector: collects the logs of the other components and stores them elsewhere.
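The Registry-to-token-service handshake described above is visible to a client as the `Www-Authenticate` challenge the Registry returns to an unauthenticated request. The Python below is an added example, not Harbor's own code: it parses such a challenge, derives the token-service URL the Docker client calls next, and splits the scope into the repository and actions that Harbor's RBAC check authorises before a token is issued. The header value and the service name `harbor-registry` are constructed sample data for this example.

```python
import re
from urllib.parse import urlencode

# Constructed sample: the challenge a Docker client receives from the Registry
# when it requests a manifest of library/htmlgenerator without a token.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://registry.zhong.com/service/token",'
    'service="harbor-registry",'
    'scope="repository:library/htmlgenerator:pull,push"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a 'Bearer k="v",k2="v2"' Www-Authenticate value into a dict.
    Quoted values may themselves contain commas (the scope does), so a naive
    split on ',' is wrong; the regex consumes each quoted value whole."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    fields = dict(_PARAM_RE.findall(params))
    if "realm" not in fields:
        raise ValueError("challenge has no realm")
    return fields


def realm_is_tls(challenge):
    """A token is a bearer credential; if the realm is plain http:// the token
    (and the basic-auth login used to obtain it) travel in clear text."""
    return challenge["realm"].lower().startswith("https://")


def token_request_url(challenge):
    """URL the client calls on the token service (the redirect step in the
    architecture notes). service and scope are sent as query parameters, so
    ':' '/' and ',' inside the scope must be percent-encoded."""
    query = {}
    for key in ("service", "scope"):
        if key in challenge:
            query[key] = challenge[key]
    return challenge["realm"] + "?" + urlencode(query)


def parse_scope(scope):
    """'repository:library/htmlgenerator:pull,push' ->
    ('repository', 'library/htmlgenerator', ['pull', 'push'])."""
    resource_type, name, actions = scope.split(":")
    return resource_type, name, actions.split(",")


def project_of(repository_name):
    """Harbor namespaces repositories by project: 'library/htmlgenerator' -> 'library'.
    The project is what the user's role is checked against for the requested actions."""
    return repository_name.split("/", 1)[0]


if __name__ == "__main__":
    ch = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print("token endpoint:", token_request_url(ch))
    print("realm over TLS:", realm_is_tls(ch))
    print("scope:", parse_scope(ch["scope"]), "project:", project_of(parse_scope(ch["scope"])[1]))
```

The same parsing applies to the challenge any OCI registry emits; what is Harbor-specific is that the realm points at Harbor's own `/service/token` endpoint, which is where the project role lookup happens.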
# Download the Aliyun EPEL repo file
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# Install and upgrade python3-pip
yum install python3-pip -y
pip3 install --upgrade pip
# Install docker-compose
pip3 install docker-compose
# Check the docker-compose version
docker-compose -v
# Download the Harbor package from the releases page:
https://github.com/goharbor/harbor/releases
# Extract Harbor
tar zxvf harbor-online-installer-v2.5.0.tgz
---
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
---
# Edit the Harbor configuration
cp harbor.yml.tmpl harbor.yml
# Create the data persistence directory
mkdir -p /opt/application/harbor
vi harbor.yml
---
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: registry.zhong.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  # port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor1234

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root1234
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume
# data persistence path
data_volume: /opt/application/harbor

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  # It would work if all the dependencies are in local.
  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  offline_scan: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.5.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agent mode uncomment agent_host and agent_port
# trace:
#   enabled: true
#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
#   sample_rate: 1
#   # # namespace used to differentiate different harbor services
#   # namespace:
#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
#   # attributes:
#   #   application: harbor
#   # # jaeger should be 1.26 or newer.
#   # jaeger:
#   #   endpoint: http://hostname:14268/api/traces
#   #   username:
#   #   password:
#   #   agent_host: hostname
#   #   # export trace data by jaeger.thrift in compact mode
#   #   agent_port: 6831
#   # otel:
#   #   endpoint: hostname:4318
#   #   url_path: /v1/traces
#   #   compression: false
#   #   insecure: true
#   #   timeout: 10s

# enable purge _upload directories
upload_purging:
  enabled: true
  # remove files in _upload directories which exist for a period of time, default is one week.
  age: 168h
  # the interval of the purge operations
  interval: 24h
  dryrun: false
---
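Several settings in the harbor.yml above decide the security posture of the instance before the first container starts: whether `https:` is uncommented with a certificate and key, the initial `harbor_admin_password`, the `database.password`, and `trivy.insecure`. The Python below is an added example, not anything shipped with Harbor: it reads the subset of YAML that harbor.yml uses and flags the weak values. It runs over two constructed configs, one mirroring the template defaults (`Harbor12345` and `root123` are the values the upstream harbor.yml.tmpl ships with) and one hardened the way the HTTPS section of this page ends up. The minimal indentation-based parser is an assumption of this example and is not a general YAML implementation.

```python
# Constructed sample: what a fresh harbor.yml looks like before any hardening.
WEAK_HARBOR_YML = """\
hostname: registry.zhong.com
http:
  port: 80
# https:
#   port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
trivy:
  ignore_unfixed: false
  insecure: true
"""

# Constructed sample: the same file after the HTTPS section of this page
# (passwords are made-up example values, not real credentials).
HARDENED_HARBOR_YML = """\
hostname: registry.zhong.com
http:
  port: 80
https:
  port: 443
  certificate: /opt/application/harbor/cert/registry.zhong.com.crt
  private_key: /opt/application/harbor/cert/registry.zhong.com.key
harbor_admin_password: uG7kQ2pL9xVb
database:
  password: Zr4mN8wTq1eH
trivy:
  insecure: false
"""

DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # value shipped in harbor.yml.tmpl
DEFAULT_DB_PASSWORD = "root123"         # value shipped in harbor.yml.tmpl


def parse_yaml_subset(text):
    """Indentation-aware reader for the harbor.yml subset: nested mappings of
    scalar values. Returns {'dotted.path': 'value'}. Full-line comments, blank
    lines and '- item' list entries are skipped; there is no support for flow
    style, anchors or multi-line scalars (none appear in harbor.yml)."""
    values = {}
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("- "):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        while stack and stack[-1][0] >= indent:   # close deeper/sibling mappings
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:
            values[".".join(k for _, k in stack)] = value
    return values


def audit_harbor_yml(text):
    """Return (setting, problem) pairs for the security-relevant keys."""
    cfg = parse_yaml_subset(text)
    findings = []
    if "https.certificate" not in cfg or "https.private_key" not in cfg:
        findings.append(("https", "HTTPS not configured: logins, tokens and image layers travel in clear text"))
    if cfg.get("harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append(("harbor_admin_password", "admin password is the template default"))
    if cfg.get("database.password") == DEFAULT_DB_PASSWORD:
        findings.append(("database.password", "database password is the template default"))
    if cfg.get("trivy.insecure", "false").lower() == "true":
        findings.append(("trivy.insecure", "scanner skips registry certificate verification"))
    if cfg.get("hostname") in ("localhost", "127.0.0.1"):
        findings.append(("hostname", "hostname must be reachable by external clients, not localhost"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HARBOR_YML), ("hardened", HARDENED_HARBOR_YML)):
        print(label, audit_harbor_yml(text) or "no findings")
```

Run it against the real file with `audit_harbor_yml(open("harbor.yml").read())` before `./install.sh`; note that `harbor_admin_password` only takes effect on the first install, so a default left in place persists until changed in the UI.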
# Install Harbor (the script extracted above is install.sh)
./install.sh
---
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.14
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.29.2
[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Unable to find image 'goharbor/prepare:v2.5.0' locally
v2.5.0: Pulling from goharbor/prepare
a2bff079975e: Pull complete
139dd386c677: Pull complete
1d33a65536a5: Pull complete
503709a21f15: Pull complete
91a43f8fca25: Pull complete
290cb7bdf647: Pull complete
990ae4cb9535: Pull complete
5d7d5f7fd522: Pull complete
Digest: sha256:903df65251aa518779b5df3ec1d03fc636cc3baef729128c481021093dfc1922
Status: Downloaded newer image for goharbor/prepare:v2.5.0
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Pulling log (goharbor/harbor-log:v2.5.0)...
v2.5.0: Pulling from goharbor/harbor-log
a2bff079975e: Already exists
23b79b2df83d: Pull complete
d58b33c03d2b: Pull complete
2152d223cef6: Pull complete
b20d0828aadf: Pull complete
16117ae1dbf8: Pull complete
7f2dbd648242: Pull complete
6b9af7aea815: Pull complete
Digest: sha256:4997f54045e0527c2b535641eec0888af1403ba2b4be699154e1d37465ca377e
Status: Downloaded newer image for goharbor/harbor-log:v2.5.0
Pulling registry (goharbor/registry-photon:v2.5.0)...
v2.5.0: Pulling from goharbor/registry-photon
a2bff079975e: Already exists
4ecff0a6d921: Pull complete
73759bf0b0fc: Pull complete
f6f6b25b8371: Pull complete
728c9b45ea35: Pull complete
6c85a61309e1: Pull complete
Digest: sha256:8b4cb416381370ed07e56c73cb1c5905cd0376ec64bde4b6c29b8307fd07cf79
Status: Downloaded newer image for goharbor/registry-photon:v2.5.0
Pulling registryctl (goharbor/harbor-registryctl:v2.5.0)...
v2.5.0: Pulling from goharbor/harbor-registryctl
a2bff079975e: Already exists
ae73c3d3dba6: Pull complete
e78db2e772c3: Pull complete
99a420b43333: Pull complete
19f4da61475c: Pull complete
30354e35d04d: Pull complete
7363e96f7ed9: Pull complete
Digest: sha256:f299c4281edeb9555771024def6e669602fb61f3f70b3627c2c385bb20426c31
Status: Downloaded newer image for goharbor/harbor-registryctl:v2.5.0
Pulling postgresql (goharbor/harbor-db:v2.5.0)...
v2.5.0: Pulling from goharbor/harbor-db
a2bff079975e: Already exists
bca4e54ad502: Pull complete
55235e0033f1: Pull complete
6ea705300931: Pull complete
05eedee1c50c: Pull complete
57fb929a890d: Pull complete
36604d53f838: Pull complete
8e5c9ea4731e: Pull complete
96822eb642e4: Pull complete
0326f0323899: Pull complete
2382c2e3e12e: Pull complete
79b1ba60608a: Pull complete
7bd65d99cd16: Pull complete
Digest: sha256:e5df42f4f0ed02e3832e5e6848b97bb736c9dcf31502e9d4a239b0122d594ff6
Status: Downloaded newer image for goharbor/harbor-db:v2.5.0
Pulling portal (goharbor/harbor-portal:v2.5.0)...
v2.5.0: Pulling from goharbor/harbor-portal
a2bff079975e: Already exists
604ff7f711f0: Pull complete
f04a2825bd7b: Pull complete
384e4bcbc1c4: Pull complete
Digest: sha256:f3f86271689caa73ef719e94b7c69522ad2e12d87c4d9462a452a8568bfab062
Status: Downloaded newer image for goharbor/harbor-portal:v2.5.0
Pulling redis (goharbor/redis-photon:v2.5.0)...
v2.5.0: Pulling from goharbor/redis-photon
a2bff079975e: Already exists
e31992ef9cd0: Pull complete
8737d8fb58bb: Pull complete
d1b4854b2210: Pull complete
4be180c0f02a: Pull complete
Digest: sha256:d32cc3bfb539523b00636959fae03aa86ee2890702862d3e0f75060f204f6ea0
Status: Downloaded newer image for goharbor/redis-photon:v2.5.0
Pulling core (goharbor/harbor-core:v2.5.0)...
v2.5.0: Pulling from goharbor/harbor-core
a2bff079975e: Already exists
fa0fe3f819ef: Pull complete
f0622d586766: Pull complete
f4b47546ba07: Pull complete
2591682be7d7: Pull complete
682c6556f485: Pull complete
fac99a0ce654: Pull complete
09b7a3e4a168: Pull complete
5a6aa7cd6ddd: Pull complete
0d84b2e0e14a: Pull complete
Digest: sha256:aa4602ab17ae6a0f9f096ceb5a3d5cbc17745b394162a04c61b46960d8b89842
Status: Downloaded newer image for goharbor/harbor-core:v2.5.0
Pulling jobservice (goharbor/harbor-jobservice:v2.5.0)...
v2.5.0: Pulling from goharbor/harbor-jobservice
a2bff079975e: Already exists
54e0c9740942: Pull complete
86f60f9282f9: Pull complete
ddb7a10d15ea: Pull complete
c6037774295c: Pull complete
ce0078ddb757: Pull complete
Digest: sha256:32769757d5d8e6028196eb54c0f290824163318de476b25c8fb86e05c499a9aa
Status: Downloaded newer image for goharbor/harbor-jobservice:v2.5.0
Pulling proxy (goharbor/nginx-photon:v2.5.0)...
v2.5.0: Pulling from goharbor/nginx-photon
a2bff079975e: Already exists
1c0346237ace: Pull complete
Digest: sha256:a577c0251b0630a6172254bb5f199eb5c9bd8ef863515b7109027eb86df948f9
Status: Downloaded newer image for goharbor/nginx-photon:v2.5.0
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registry ... done
Creating redis ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
---
# Check Harbor status
docker images
---
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/redis-photon v2.5.0 1e00fcc9ae63 2 weeks ago 156MB
goharbor/harbor-registryctl v2.5.0 90ef6b10ab31 2 weeks ago 136MB
goharbor/registry-photon v2.5.0 30e130148067 2 weeks ago 77.5MB
goharbor/nginx-photon v2.5.0 5041274b8b8a 2 weeks ago 44MB
goharbor/harbor-log v2.5.0 89fd73f9714d 2 weeks ago 160MB
goharbor/harbor-jobservice v2.5.0 1d097e877be4 2 weeks ago 226MB
goharbor/harbor-core v2.5.0 42a54bc05b02 2 weeks ago 202MB
goharbor/harbor-portal v2.5.0 c206e936f4f9 2 weeks ago 52.3MB
goharbor/harbor-db v2.5.0 d40a1ae87646 2 weeks ago 223MB
goharbor/prepare v2.5.0 36539574668f 2 weeks ago 268MB
---
docker-compose ps
---
harbor-core /harbor/entrypoint.sh Up (healthy)
harbor-db /docker-entrypoint.sh 96 13 Up (healthy)
harbor-jobservice /harbor/entrypoint.sh Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,:::80->8080/tcp, 0.0.0.0:443->8443/tcp,:::443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy)
registry /home/harbor/entrypoint.sh Up (healthy)
registryctl /home/harbor/start.sh Up (healthy)
---
# Access Harbor
http://192.168.0.81
# Start automatically at boot
cat > /usr/lib/systemd/system/harbor.service << 'EOF'
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
# Parent of the extracted harbor/ directory; this page extracted the package to /root/harbor
Environment=harbor_install_path=/root
ExecStart=/usr/local/bin/docker-compose -f ${harbor_install_path}/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f ${harbor_install_path}/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now harbor
systemctl restart harbor
# Stop and start Harbor
cd /root/harbor/
docker-compose stop
docker-compose start
HTTPS configuration
By default Harbor ships without certificates. Harbor can be deployed without security so that you connect to it over HTTP, but HTTP is acceptable only in test or development environments with no external network connectivity. Using HTTP on a host exposed to an external network leaves you open to man-in-the-middle attacks. In production, always use HTTPS. If you enable Content Trust with Notary so that all images are properly signed, you must use HTTPS.
To configure HTTPS you must create SSL certificates. You can use a certificate signed by a trusted third-party CA or a self-signed certificate. This section describes how to create a CA with OpenSSL and how to use that CA to sign a server certificate and a client certificate. You can use another CA provider, such as Let's Encrypt.
The procedure below assumes that your Harbor registry's hostname is zhong.com and that its DNS record points to the host on which you run Harbor.
The above is the official description; this walkthrough uses the domain registry.zhong.com. You can also configure HTTPS with an IP address instead of a domain name, but two settings differ slightly when generating the certificate.
Official documentation: https://goharbor.io/docs/2.0.0/install-config/configure-https/
CA (certificate authority) certificate
In production you should obtain a certificate from a CA. In a test or development environment you can generate your own CA.
# Create the CA private key
mkdir -p /root/harbor/cert
cd /root/harbor/cert
openssl genrsa -out ca.key 4096
# Create the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.zhong.com" \
  -key ca.key -out ca.crt
Creating the server certificate
A certificate usually consists of a .crt file and a .key file, for example yourdomain.com.crt and yourdomain.com.key.
# Create the private key
openssl genrsa -out registry.zhong.com.key 4096
# Create the certificate signing request (CSR)
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.zhong.com" \
  -key registry.zhong.com.key \
  -out registry.zhong.com.csr
# Create the x509 v3 extension file
> Whether you use an FQDN or an IP address to connect to your Harbor host, you must create this file so that a certificate meeting the Subject Alternative Name (SAN) and x509 v3 extension requirements can be generated for your Harbor host. Replace the DNS entries to reflect your domain.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=registry.zhong.com
DNS.2=registry.zhong
DNS.3=zhong
EOF
# Generate the Harbor certificate with the x509 v3 extensions
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in registry.zhong.com.csr \
  -out registry.zhong.com.crt
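The page notes that an IP address can be used in place of the domain and that two settings then differ, and the quoted note above makes the SAN file mandatory either way. The Python below is an added example, not Harbor's tooling or the official script: it builds the `-subj` value and the v3.ext contents for either kind of host, putting a name into `DNS.n` entries and an address into an `IP.n` entry (the CN and the SAN list are the two spots this example treats as the ones that differ), refuses localhost and loopback hosts that external Docker clients could never reach, and returns the three openssl invocations from this page as argv lists so that no line-continuation mistakes are possible. Putting the short hostname in `DNS.2` is this example's choice, and the sample hosts are the ones used on this page.

```python
import ipaddress

# Constructed sample hosts matching the ones used on this page
FQDN_HOST = "registry.zhong.com"
IP_HOST = "192.168.0.81"

SUBJECT_PREFIX = "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal"


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_host(host):
    """Reject what the harbor.yml comments forbid: external Docker clients
    cannot reach 'localhost' or a loopback address, so such a cert is useless."""
    if host == "localhost" or (is_ip_literal(host) and ipaddress.ip_address(host).is_loopback):
        raise ValueError("Harbor hostname must be reachable by external clients, not %r" % host)
    return host


def subject_for(host):
    """-subj value for the CSR; the CN is the first place that changes for an IP host."""
    return SUBJECT_PREFIX + "/CN=" + check_host(host)


def alt_names_for(host):
    """SAN entries, the second place that changes: DNS.n for a name, IP.n for an
    address. Docker is a Go client and matches the SAN, not the CN, so an IP
    written into a DNS entry (or only into the CN) does not verify."""
    check_host(host)
    if is_ip_literal(host):
        return ["IP.1=" + host]
    names = ["DNS.1=" + host]
    short = host.split(".", 1)[0]
    if short != host:
        names.append("DNS.2=" + short)   # short hostname, this example's choice
    return names


def v3_ext_for(host):
    """Contents of v3.ext: the fixed extensions from this page plus the host-specific SAN list."""
    lines = [
        "authorityKeyIdentifier=keyid,issuer",
        "basicConstraints=CA:FALSE",
        "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment",
        "extendedKeyUsage = serverAuth",
        "subjectAltName = @alt_names",
        "[alt_names]",
    ] + alt_names_for(host)
    return "\n".join(lines) + "\n"


def sign_commands(host):
    """argv lists for the three openssl steps on this page (key, CSR, CA-signed
    cert); run each with subprocess.run(cmd, check=True) in the cert directory
    after writing v3_ext_for(host) to v3.ext."""
    key, csr, crt = host + ".key", host + ".csr", host + ".crt"
    return [
        ["openssl", "genrsa", "-out", key, "4096"],
        ["openssl", "req", "-sha512", "-new", "-subj", subject_for(host), "-key", key, "-out", csr],
        ["openssl", "x509", "-req", "-sha512", "-days", "3650", "-extfile", "v3.ext",
         "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial", "-in", csr, "-out", crt],
    ]


if __name__ == "__main__":
    for host in (FQDN_HOST, IP_HOST):
        print("# v3.ext for", host)
        print(v3_ext_for(host))
        for cmd in sign_commands(host):
            print(" ".join(cmd))
```

After signing, `openssl x509 -in registry.zhong.com.crt -noout -text` should list the `X509v3 Subject Alternative Name` with exactly these entries; a certificate whose only identity is the CN will be rejected by the Docker daemon when it connects.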
Using the certificates with Harbor and Docker
After generating ca.crt, yourdomain.com.crt and yourdomain.com.key, you must provide them to Harbor and Docker and reconfigure Harbor to use them.
# Copy the server certificate and key into the certificates folder on the Harbor host
mkdir -p /opt/application/harbor/cert
cp registry.zhong.com.crt /opt/application/harbor/cert/
cp registry.zhong.com.key /opt/application/harbor/cert/
# Convert the .crt certificate to .cert for Docker
> The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in registry.zhong.com.crt -out registry.zhong.com.cert
# Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host
mkdir -p /etc/docker/certs.d/registry.zhong.com/
cp registry.zhong.com.cert /etc/docker/certs.d/registry.zhong.com/
cp registry.zhong.com.key /etc/docker/certs.d/registry.zhong.com/
cp ca.crt /etc/docker/certs.d/registry.zhong.com/
---
/etc/docker/certs.d/
└── yourdomain.com:port
    ├── yourdomain.com.cert <-- server certificate signed by the CA
    ├── yourdomain.com.key <-- server key signed by the CA
    └── ca.crt <-- the certificate authority that signed the registry certificate
---
# Restart the Docker engine
systemctl restart docker
# Add the HTTPS settings to harbor.yml
vi harbor.yml
---
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/application/harbor/cert/registry.zhong.com.crt
  private_key: /opt/application/harbor/cert/registry.zhong.com.key
---
# Switch the deployment from HTTP to HTTPS
> Harbor uses an nginx instance as the reverse proxy for all services. You can use the prepare script to configure nginx to use HTTPS.
cd /root/harbor
# Clair is no longer part of Harbor 2.x, so prepare does not accept a --with-clair flag
./prepare --with-notary --with-chartmuseum
---
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
---
# Remove Harbor
docker-compose down -v
---
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping harbor-portal ... done
Stopping harbor-db ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing harbor-portal ... done
Removing harbor-db ... done
Removing registryctl ... done
Removing redis ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
---
# Recreate Harbor
docker-compose up -d
---
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating registry ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
---
Using Harbor
Docker command-line operations
Some browsers may show a warning that the certificate authority (CA) is unknown. This happens when you use a self-signed CA rather than one from a trusted third-party CA. You can import the CA into the browser to remove the warning. Download the CA and import it into the browser; Chrome is used as the example below:
- CA certificate path: /root/harbor/cert/ca.crt
- Chrome settings: chrome://settings/security > Manage certificates > Trusted Root Certification Authorities > restart the browser
# Log in to Harbor
docker login registry.zhong.com
---
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
---
# List images
docker images
---
REPOSITORY TAG IMAGE ID CREATED SIZE
local/htmlgenerator 1.0 92bd14848c9b 2 weeks ago 354MB
---
# Tag the image
docker tag local/htmlgenerator:1.0 registry.zhong.com/library/htmlgenerator:1.0
# Push the image
docker push registry.zhong.com/library/htmlgenerator:1.0
---
The push refers to repository [registry.zhong.com/library/htmlgenerator]
e79b739c07df: Pushed
2378d797ad25: Pushed
174f56854903: Pushed
1.0: digest: sha256:b8c310157e59b2fca92a1171b81f1766d2465445c2f919b112ae6565583c7a5a size: 948
---
# Pull the image
docker rmi registry.zhong.com/library/htmlgenerator:1.0
docker pull registry.zhong.com/library/htmlgenerator:1.0
# List images
docker images
---
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.zhong.com/library/htmlgenerator 1.0 92bd14848c9b 2 weeks ago 354MB
---