Bootstrap

docker到k8s系列之 —— harbor的安装及配置

标题docker到k8s系列之 —— harbor的安装及配置

前言:

harbor是什么

    harbor是docker镜像的私服仓库工具,我们可以通过harbor搭建个人或者公司私有镜像仓库

harbor相比其他Docker Registry 优势

   提供了企业级的Docker Registry 仓库服务,图形化的ui,提供restapi供外部系统集成。

harbor 傻瓜式安装步骤

安装 apt 依赖包

apt-get install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common

添加 Docker 的官方 GPG 密钥

curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -

使用以下指令设置稳定版仓库

add-apt-repository \
"deb [arch=amd64] https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/ \
$(lsb_release -cs) \
stable"

安装最新版本的 Docker Engine-Community 和 containerd

apt-get update
apt-get install docker-ce docker-ce-cli containerd.io
安装docker compose
root@linux01:~# wget https://ghproxy.com/https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-linux-x86_64
root@linux01:~# mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
root@linux01:~# chmod +x /usr/local/bin/docker-compose
root@linux01:~# docker-compose --version
Docker Compose version v2.12.2
root@linux01:~#

创建CA证书

创建ca证书目录

root@linux01:/usr/local/harbor# mkdir ca
root@linux01:/usr/local/harbor# cd ca/
root@linux01:/usr/local/harbor/ca#

生成CA证书私钥

root@linux01:/usr/local/harbor/ca# openssl genrsa -out ca.key 4096

生成CA证书

root@linux01:/usr/local/harbor/ca# openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=hb.linux01.cn" \
 -key ca.key \
 -out ca.crt

生成服务器证书 生成私钥

root@linux01:/usr/local/harbor/ca# openssl genrsa -out hb.linux01.cn.key 4096

生成证书签名请求(CSR)

root@linux01:/usr/local/harbor/ca# openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=hb.linux01.cn" \
    -key hb.linux01.cn.key \
    -out hb.linux01.cn.csr

生成一个x509 v3扩展文件

root@linux01:/usr/local/harbor/ca# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=linux01.cn
DNS.2=hb.linux01.cn
DNS.3=www.linux01.cn
EOF

使用该v3.ext文件为您的Harbor主机生成证书

root@linux01:/usr/local/harbor/ca# openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in hb.linux01.cn.csr \
    -out hb.linux01.cn.crt

配置docker证书

转换crt为cert,供Docker使用,Docker守护程序将.crt文件解释为CA证书,并将.cert文件解释为客户端证书

root@linux01:/usr/local/harbor/ca# openssl x509 -inform PEM -in hb.linux01.cn.crt -out hb.linux01.cn.cert

将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。您必须首先创建适当的文件夹

root@linux01:/usr/local/harbor/ca# mkdir -p /etc/docker/certs.d/hb.linux01.cn/
root@linux01:/usr/local/harbor/ca# cp hb.linux01.cn.cert /etc/docker/certs.d/hb.linux01.cn/
root@linux01:/usr/local/harbor/ca# cp hb.linux01.cn.key /etc/docker/certs.d/hb.linux01.cn/
root@linux01:/usr/local/harbor/ca# cp ca.crt /etc/docker/certs.d/hb.linux01.cn/

重新启动Docker Engine

root@linux01:/usr/local/harbor/ca# systemctl restart docker

检查文件是否和下图一致

查看目录下证书文件

root@linux01:/usr/local/harbor/ca# ll
total 36
drwxr-xr-x 2 root root 4096 Nov 16 06:23 ./
drwxr-xr-x 5 root root 4096 Nov 16 06:16 ../
-rw-r--r-- 1 root root 2041 Nov 16 06:20 ca.crt
-rw------- 1 root root 3272 Nov 16 06:16 ca.key
-rw-r--r-- 1 root root 2143 Nov 16 06:23 hb.linux01.cn.cert
-rw-r--r-- 1 root root 2143 Nov 16 06:22 hb.linux01.cn.crt
-rw-r--r-- 1 root root 1704 Nov 16 06:22 hb.linux01.cn.csr
-rw------- 1 root root 3268 Nov 16 06:22 hb.linux01.cn.key
-rw-r--r-- 1 root root  261 Nov 16 06:22 v3.ext
root@linux01:/usr/local/harbor/ca#

修改harbor.yml 配置文件

配置harbor文件

root@linux01:/usr/local/harbor# cp harbor.yml.tmpl harbor.yml
root@linux01:/usr/local/harbor# vim harbor.yml 
root@linux01:/usr/local/harbor# cat harbor.yml | grep -v '^#' | grep -v '^$' | grep -v '  #'
hostname: hb.linux01.cn
http:
  port: 80
https:
  port: 443
  certificate: /usr/local/harbor/ca/hb.linux01.cn.crt 
  private_key: /usr/local/harbor/ca/hb.linux01.cn.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.6.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
cache:
  enabled: false
  expire_hours: 24
root@linux01:/usr/local/harbor#

安装harbor

进行安装

root@linux01:/usr/local/harbor# ./install.sh
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.21

[Step 1]: checking docker-compose is installed ...

....................

[Step 5]: starting Harbor ...
..................
✔ ----Harbor has been installed and started successfully.----
root@linux01:/usr/local/harbor# 
root@linux01:/usr/local/harbor# 
root@linux01:/usr/local/harbor#

配置解析和docker

hosts解析

cat > /etc/hosts <<EOF
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.88.101 hb.linux01.cn
EOF

docker的配置客户端免证书登录

[root@linux01 ~]# cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://x39u468p.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries": ["hb.linux01.cn"]
}
EOF

测试harbor

重新启动docker

[root@linux01 ~]# systemctl restart docker && systemctl status docker -l

登陆

[root@linux01 ~]# docker login hb.linux01.cn                                                                                        
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@linux01 ~]#

测试使用

[root@linux01 ~]# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0
[root@linux01 ~]# docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0 
[root@linux01 ~]# docker push hb.linux01.cn/library/dashboard:v2.7.0
[root@linux01 ~]# docker pull hb.linux01.cn/library/dashboard:v2.7.0

测试web UI

浏览器输入 https://hb.linux01.cn/  登录密码是 harbor.yml 中 harbor_admin_password 配置项值

在这里插入图片描述在这里插入图片描述

悦读

道可道,非常道;名可名,非常名。 无名,天地之始,有名,万物之母。 故常无欲,以观其妙,常有欲,以观其徼。 此两者,同出而异名,同谓之玄,玄之又玄,众妙之门。

最新收录
MySQL主从复制原理与操作
【vue】npm install -g @vue/cli出现错误
jmeter beanshell 中签名的用法
javascript之setTimeout(function(){},0)
java计算机毕业设计高校大学生互助学习平台(附源码+springboot+开题+论文+部署)
Python教程:input接受输入
ES6新特性之Proxy(有助于理解Vue3的响应式原理)
前端实现小说分页功能(pc、h5)
MongoDB Shell 基本命令(一)
【PCL】教程 stick_segmentation点云的滤波、降采样、颜色阈值过滤、欧式聚类提取以及线段分割等过程...
;