一、部署仓库
1、http部署harbor
#部署harbor
wget -c https://github.com/goharbor/harbor/releases/download/v2.3.1/harbor-offline-installer-v2.3.1.tgz
tar -xf harbor-offline-installer-v2.3.1.tgz -C /usr/local/
cp /usr/local/harbor/harbor.yml.tmpl /usr/local/harbor/harbor.yml
#修改域名
$ vim /usr/local/harbor/harbor.yml
hostname: 192.168.4.119
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
#启动
sh /usr/local/harbor/install.sh
访问:http://192.168.4.119
账号:admin
密码:Harbor12345
#创建mall私有仓库目录
项目-新建项目——项目名称:mall(私有)——创建
#镜像下载完毕后我们要开启远程API。注意:2375 端口不带任何认证,-H tcp://0.0.0.0:2375 会把 dockerd(等同于主机 root 权限)暴露给所有能访问该主机的网络,只能在可信内网中使用;对外暴露请按下文 https 方式使用带 TLS 双向认证的 2376 端口。
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
#修改前
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
#修改后
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
#让Docker支持http上传镜像
echo '{ "insecure-registries":["192.168.4.119"] }' >/etc/docker/daemon.json
#修改配置后需要使用如下命令使配置生效
systemctl daemon-reload
#重新启动Docker服务
systemctl restart docker
#开启防火墙的Docker构建端口
firewall-cmd --zone=public --add-port=2375/tcp --permanent
firewall-cmd --reload
#登录harbor(-p 会把密码留在 shell 历史和 ps 输出中,建议改用 --password-stdin 从标准输入读取;首次登录后应修改默认密码)
docker login -uadmin -pHarbor12345 192.168.4.119
#测试上传
docker tag mall/镜像名:版本号 192.168.4.119/mall/镜像名:版本号
docker push 192.168.4.119/mall/镜像名:版本号
注意:本节只适用于 http 模式的 harbor;如果 harbor 配置为 https 模式,后续上传会因证书不被识别而报错(https 部署见下一节)。
2、https部署harbor
- 【可参考配置】https://blog.csdn.net/qq_40387355/article/details/123012142
2-1生成证书
#创建 Docker TLS 证书
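#!/bin/bash
# Generate a self-signed CA, a server certificate (used by dockerd and, later,
# by Harbor's nginx) and a client certificate under /etc/docker, then switch
# dockerd to mutual TLS (--tlsverify) on tcp://0.0.0.0:2376.
# Must run as root. Re-running regenerates the certificates but leaves an
# already TLS-enabled docker.service untouched.
set -euo pipefail

printf '\033[32m 输入IP地址和复杂密码!\033[0m\n'
read -r -p "输入主机IP:" HOST_IP
# -s: the CA passphrase must not be echoed to the terminal or scrollback.
read -r -s -p "输入主机密码:" HOST_PASSWORD
printf '\n'
if [[ -z "$HOST_IP" || -z "$HOST_PASSWORD" ]]; then
  printf 'IP 和密码不能为空\n' >&2
  exit 1
fi

# Certificate subject fields.
SERVER="$HOST_IP"
# Exported so openssl can read the passphrase via env: instead of argv, where
# `ps` on the same host would show it.
PASSWORD="$HOST_PASSWORD"
export PASSWORD
COUNTRY="CN"
STATE="四川省"
CITY="成都市"
ORGANIZATION="美女公司"
ORGANIZATIONAL_UNIT="帅哥单位"
EMAIL="[email protected]"
readonly CERT_DIR=/etc/docker
readonly DOCKER_UNIT=/usr/lib/systemd/system/docker.service

### certificate generation ###
printf '\033[41;36m 开始生成证书 \033[0m\n'
cd "$CERT_DIR" || exit 1
# New key files must never be world-readable, even transiently before the
# explicit chmod below.
umask 077

# CA private key (AES-256 encrypted with the passphrase) and CA certificate.
openssl genrsa -aes256 -passout env:PASSWORD -out ca-key.pem 2048
openssl req -new -x509 -passin env:PASSWORD -days 3650 -key ca-key.pem -sha256 -out ca.pem \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"

# Server key, CSR and CA-signed certificate (SAN carries the host IP).
openssl genrsa -out server-key.pem 2048
openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server.csr
# '>' rather than '>>': a leftover extfile.cnf from an aborted run must not be
# appended to, or the server certificate would get stale extensions.
printf 'subjectAltName=IP:%s,IP:0.0.0.0\nextendedKeyUsage=serverAuth\n' "$SERVER" > extfile.cnf
openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin env:PASSWORD \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

# Client key, CSR and CA-signed certificate. Whoever holds cert.pem/key.pem
# can drive dockerd on port 2376 as root, so distribute them accordingly.
openssl genrsa -out key.pem 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
printf 'extendedKeyUsage=clientAuth\n' > extfile.cnf
openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin env:PASSWORD \
  -CAcreateserial -out cert.pem -extfile extfile.cnf

# Private keys: owner read-only. Certificates: world-readable.
chmod 0400 ca-key.pem key.pem server-key.pem
chmod 0444 ca.pem server-cert.pem cert.pem
# Drop intermediate files.
rm -f -- client.csr server.csr extfile.cnf ca.srl
printf '\033[41;36m 生成文件完成 \033[0m\n'
### end of certificate generation ###

# Point dockerd at the new certificates. The unit file is backed up first.
cp -p -- "$DOCKER_UNIT" "${DOCKER_UNIT}.$(date +%Y-%m-%d-%T)"
if grep -q -- '--tlsverify' "$DOCKER_UNIT"; then
  printf 'ExecStart already uses --tlsverify, leaving %s unchanged\n' "$DOCKER_UNIT" >&2
else
  # Comment out the existing ExecStart= and add the TLS one directly after it,
  # wherever it sits. Inserting at fixed line numbers (the previous approach)
  # silently corrupts any unit file whose ExecStart is not on line 10.
  tls_exec="ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=$CERT_DIR/ca.pem --tlscert=$CERT_DIR/server-cert.pem --tlskey=$CERT_DIR/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock"
  sed -i 's/^ExecStart=/#ExecStart=/' "$DOCKER_UNIT"
  sed -i "/^#ExecStart=/a $tls_exec" "$DOCKER_UNIT"
fi
printf '\033[41;36m docker配置文件修改成功\033[0m\n'
# Show the result for review.
cat "$DOCKER_UNIT"

# Register the registry host.
# NOTE(review): this overwrites any existing daemon.json (e.g. registry-mirrors);
# merge by hand if one exists. insecure-registries expects host[:port]; dockerd
# tolerates the "https://" prefix but it is not needed. Listing the registry here
# disables TLS verification for it entirely — the tighter alternative is to
# install ca.pem as /etc/docker/certs.d/<host>/ca.crt and leave this out.
cat >"$CERT_DIR/daemon.json" <<EOF
{"insecure-registries":["https://$SERVER"]}
EOF

# Reload and restart dockerd with the new ExecStart.
systemctl daemon-reload
systemctl restart docker.service
systemctl status --no-pager docker.service
printf '\033[41;36m docker重启完毕\033[0m\n'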
#使用的证书详解
[root@localhost ~]# ll /etc/docker/
总用量 32
-r-------- 1 root root 1766 5月 12 23:08 ca-key.pem #CA私钥(勿分发)
-r--r--r-- 1 root root 1594 5月 12 23:08 ca.pem #CA证书
-r--r--r-- 1 root root 1261 5月 12 23:08 cert.pem #客户端证书
-r-------- 1 root root 1679 5月 12 23:08 key.pem #客户端密钥
-r--r--r-- 1 root root 1302 5月 12 23:08 server-cert.pem #服务端证书
-r-------- 1 root root 1675 5月 12 23:08 server-key.pem #服务端密钥
#测试证书
[root@localhost ~]# docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=192.168.4.120:2376 version
Client:
Version: 18.06.3-ce
API version: 1.38
Go version: go1.10.3
Git commit: d7080c1
Built: Wed Feb 20 02:26:51 2019
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.06.3-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: d7080c1
Built: Wed Feb 20 02:28:17 2019
OS/Arch: linux/amd64
Experimental: false
2-2配置harbor
#下载
wget -c https://github.com/goharbor/harbor/releases/download/v2.3.1/harbor-offline-installer-v2.3.1.tgz
tar -xf harbor-offline-installer-v2.3.1.tgz -C /usr/local/
cp /usr/local/harbor/harbor.yml.tmpl /usr/local/harbor/harbor.yml
#修改配置
[root@localhost ~]# vim /usr/local/harbor/harbor.yml
hostname: 192.168.4.120
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /etc/docker/server-cert.pem
private_key: /etc/docker/server-key.pem
#更新配置部署
/usr/local/harbor/prepare
sh /usr/local/harbor/install.sh
2-3配置harbor配置启动
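# Install a systemd unit that brings Harbor's compose stack up and down.
# If Harbor was unpacked somewhere other than /usr/local/, edit the
# Environment= line below. The note about that used to sit on the same line
# as a trailing '#' comment; systemd does not support trailing comments in
# unit files, so it would have been parsed as part of the Environment= value
# (and at best ignored with a warning).
cat > /usr/lib/systemd/system/harbor.service << 'EOF'
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
Environment=harbor_install_path=/usr/local/
ExecStart=/usr/local/bin/docker-compose -f ${harbor_install_path}/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f ${harbor_install_path}/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF
# Make systemd pick up the new unit before it is started.
systemctl daemon-reload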
#开启harbor
systemctl start harbor
#停止harbor
systemctl stop harbor
2-4 harbor-db不能启动
#注意harbor重启可能导致harbor的数据库不能启动,需要删除数据目录重新部署。
systemctl stop harbor
#查看数据目录
[root@localhost harbor]# vim docker-compose.yml
postgresql:
image: goharbor/harbor-db:v2.3.1
container_name: harbor-db
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes:
- /data/database:/var/lib/postgresql/data:z
#删除数据,谨慎操作(仓库数据会随之丢失,请先备份)
mv /data/database /tmp
#注意需要执行配置证书脚本成功启动才能登录仓库
/usr/local/harbor/prepare
sh /usr/local/harbor/install.sh
二、配置harbor认证
- 上传镜像前需要配置 harbor 认证
1、http配置登录harbor
#让Docker支持http上传镜像
echo '{ "insecure-registries":["192.168.4.119"] }' >/etc/docker/daemon.json
#修改配置后需要使用如下命令使配置生效
systemctl daemon-reload
#重新启动Docker服务
systemctl restart docker
#开启防火墙的Docker构建端口
firewall-cmd --zone=public --add-port=2375/tcp --permanent
firewall-cmd --reload
#登录harbor
docker login -uadmin -pHarbor12345 192.168.4.119
2、https配置登录harbor
#scp /etc/docker/*pem username@HOST:/etc/docker
#拷贝证书(客户端只需要 ca.pem、cert.pem、key.pem;ca-key.pem 和 server-key.pem 是 CA/服务端私钥,不应复制到客户端,用 *pem 通配会把它们一并拷走)
scp /etc/docker/*pem [email protected]:/etc/docker
scp /etc/docker/*pem [email protected]:/etc/docker
scp /etc/docker/*pem [email protected]:/etc/docker
scp /etc/docker/*pem [email protected]:/etc/docker
#给docker增加仓库地址
echo '{ "insecure-registries":["https://192.168.4.120"] }' >/etc/docker/daemon.json
#重启登录
service docker restart
docker login -uadmin -pHarbor12345 192.168.4.120
3、多个仓库地址
- 注意不能使用>>符号,如果需要设置多个则手动输入如下格式
{
"insecure-registries":["10.10.8.1xx"],
"registry-mirrors": [
"https://registry.docker-cn.com",
"http://192.168.4.114",
"https://docker.mirrors.ustc.edu.cn"
]
}