Installing Harbor with SSL on CentOS 7, with a login test (verified working)

1. Install dependencies

yum install ebtables ethtool iproute iptables socat util-linux wget openssl-devel -y

2. Install Docker

yum install docker-ce

docker-ce is not in the stock CentOS 7 repositories, so Docker's own yum repository (download.docker.com/linux/centos) has to be added first; enable and start the docker service after the install.

3. Install docker-compose

yum install epel-release -y
yum install python-pip -y
pip install --upgrade pip
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

chmod a+x /usr/local/bin/docker-compose

ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

docker-compose --version

The curl line fetches a static release binary; the epel/pip steps are only needed if you prefer to install docker-compose through pip instead.

4. Certificate directory
mkdir -p /mnt/hgfs/data/harbor/cert

cd /mnt/hgfs/data/harbor/cert

(/mnt/hgfs is a VMware shared folder on this machine; any local directory works just as well.)

5. Create the certificates

Reference: the official guide https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

Generate the CA certificate
  openssl genrsa -out ca.key 4096
  openssl req -x509 -new -nodes -sha512 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"
or, in one step:
  openssl req -newkey rsa:4096 -nodes -sha512 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"

Generate the certificate signing request
  openssl genrsa -out harbor.key 4096
  openssl req -sha512 -new -key harbor.key -out harbor.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"
or, in one step:
  openssl req -newkey rsa:4096 -nodes -sha512 -keyout harbor.key -out harbor.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=harbor/[email protected]"

Generate the server certificate

Create a file v3.ext with the following content (exactly one subjectAltName line; a duplicated extension makes openssl reject the file):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = harbor
IP.1 = 192.168.3.35

#  openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
#  openssl x509 -inform PEM -in harbor.crt -out harbor.cert
#  cp harbor.cert /etc/docker/certs.d/192.168.3.35/
#  cp harbor.key /etc/docker/certs.d/192.168.3.35/
#  cp ca.crt /etc/docker/certs.d/192.168.3.35/

Create the /etc/docker/certs.d/192.168.3.35/ directory before copying. The IP address 192.168.3.35 in that directory name must match the IP.1 entry in v3.ext (and the hostname set in harbor.cfg below). The Docker client reads *.crt files in certs.d as trusted CAs and a .cert/.key pair as a client certificate, so ca.crt is the file that actually makes Docker trust the registry; harbor.cert and harbor.key are not needed for that, and the server's private key should not be copied to other client machines.

First make the host itself trust the certificate by copying it into the trust-anchor directory (copying ca.crt instead trusts every certificate this CA issues):
# cp harbor.crt /etc/pki/ca-trust/source/anchors/
Then activate the new trust store and restart Docker so the daemon picks it up:
# update-ca-trust enable
# update-ca-trust extract
# systemctl restart docker
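The certificate steps above as one script, added here as an example; it is not code from the original page or from the Harbor project. It runs the same openssl invocations as the page (no -addext, so it also works on CentOS 7's OpenSSL 1.0.2), then verifies the chain and the SAN before anything is copied, and installs only ca.crt into a Docker certs.d directory. Assumptions: the CA subject "Harbor Local CA" (chosen so the CA and the leaf never share a subject), subjects without an emailAddress, and the optional staging-root argument of install_docker_trust for dry runs. 192.168.3.35 and harbor are the page's own values.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Harbor project.
# Builds the same CA + SAN server certificate as the page, then checks the
# result before it is copied to Harbor or to any Docker client.
# Assumptions: the CA subject "Harbor Local CA" (so CA and leaf never share
# a subject), no emailAddress in the subjects, and the staging root used by
# install_docker_trust for dry runs. 192.168.3.35 / harbor are the page's values.
set -eu

# make_harbor_certs DIR IP NAME: writes ca.key, ca.crt, harbor.key, harbor.csr,
# v3.ext, harbor.crt and harbor.cert into DIR.
make_harbor_certs() {
    dir="$1"; host_ip="$2"; host_name="$3"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (10 years), same flags as the page
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 -key "$dir/ca.key" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=Harbor Local CA" \
        -out "$dir/ca.crt"
    # server key and CSR; the CN is informational, the SAN below is what clients match
    openssl genrsa -out "$dir/harbor.key" 4096 2>/dev/null
    openssl req -sha512 -new -key "$dir/harbor.key" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=shary/OU=product/CN=$host_name" \
        -out "$dir/harbor.csr"
    # v3 extensions for a server-only leaf: exactly one subjectAltName line
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host_name
IP.1 = $host_ip
EOF
    # sign the CSR with the CA; -CAcreateserial writes ca.srl next to ca.crt
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/harbor.csr" -out "$dir/harbor.crt" 2>/dev/null
    # Docker's certs.d expects the .cert suffix for the same PEM data
    cp "$dir/harbor.crt" "$dir/harbor.cert"
}

# verify_harbor_cert DIR IP NAME: returns 0 only if harbor.crt chains to ca.crt,
# is not itself a CA, and names IP and NAME in its subjectAltName.
verify_harbor_cert() {
    dir="$1"; host_ip="$2"; host_name="$3"
    openssl verify -CAfile "$dir/ca.crt" "$dir/harbor.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/harbor.crt" -noout -text)
    echo "$text" | grep -qF "CA:FALSE" || return 1
    echo "$text" | grep -qF "IP Address:$host_ip" || return 1
    echo "$text" | grep -qF "DNS:$host_name" || return 1
}

# install_docker_trust DIR REGISTRY [ROOT]: copies only ca.crt into
# ROOT/etc/docker/certs.d/REGISTRY (REGISTRY is host or host:port) and prints
# the installed path. The server's harbor.key never leaves DIR.
install_docker_trust() {
    dir="$1"; registry="$2"; root="${3:-}"
    target="$root/etc/docker/certs.d/$registry"
    mkdir -p "$target"
    cp "$dir/ca.crt" "$target/ca.crt"
    echo "$target/ca.crt"
}

# Stand-alone run: the page's IP and name, written under ./harbor-cert-demo
make_harbor_certs ./harbor-cert-demo 192.168.3.35 harbor
verify_harbor_cert ./harbor-cert-demo 192.168.3.35 harbor
echo "harbor.crt verified: chain OK, SAN contains 192.168.3.35 and harbor"
```

Run it on the Harbor host, then point ssl_cert/ssl_cert_key at harbor-cert-demo/harbor.crt and harbor.key; on each Docker client run install_docker_trust with the registry address exactly as clients will type it (host, or host:port if the proxy ports are remapped), because Docker looks the directory up by that string.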

6. Upload and unpack the Harbor offline installer

# cd /opt

# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.5.tgz

(for 1.8: wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.6.tgz; note that 1.8 replaced harbor.cfg with harbor.yml, so the configuration steps below apply to 1.7.x)

(release page: https://github.com/goharbor/harbor/releases)

# tar -zxf harbor-offline-installer-v1.7.5.tgz
# cd harbor
7. Edit the configuration files

$ vi harbor.cfg
hostname = 192.168.3.35
ui_url_protocol = https
ssl_cert = /mnt/hgfs/data/harbor/cert/harbor.crt
ssl_cert_key = /mnt/hgfs/data/harbor/cert/harbor.key
secretkey_path = /mnt/hgfs/data/harbor

Or make the same changes with sed (these patterns match the shipped defaults, so they silently do nothing if a value has already been changed):
## harbor.cfg parameters
sed -i "s#hostname = reg.mydomain.com#hostname = 192.168.3.35#g"  harbor.cfg
## the host IP, or the domain name clients will use later
sed -i "s#ui_url_protocol = http#ui_url_protocol = https#g"  harbor.cfg
## https is used here; it is a hard requirement for Notary (image signing), which only runs over https
sed -i "s#ssl_cert = /data/cert/server.crt#ssl_cert = /mnt/hgfs/data/harbor/cert/harbor.crt#g"  harbor.cfg
## the certificate directory must already exist; the key path goes into the config the same way
sed -i "s#ssl_cert_key = /data/cert/server.key#ssl_cert_key = /mnt/hgfs/data/harbor/cert/harbor.key#g"  harbor.cfg
sed -i "s#secretkey_path = /data#secretkey_path = /mnt/hgfs/data/harbor#g"  harbor.cfg
## the default path could also be kept
## docker-compose.yml
## because a custom install path is wanted, every deployment file that hard-codes /data has to be adjusted
sed -i "s#/data/registry#/mnt/hgfs/data/harbor/registry#g" docker-compose.yml
sed -i "s#/data/ca_download#/mnt/hgfs/data/harbor/ca_download#g" docker-compose.yml
sed -i "s#/data/config#/mnt/hgfs/data/harbor/config#g" docker-compose.yml
## postgresql uses symlinks, which a Windows (hgfs) shared folder cannot hold, so the database stays on local disk
sed -i "s#/data/database#/data/harbor/database#g" docker-compose.yml
sed -i "s#/data/job_logs#/mnt/hgfs/data/harbor/job_logs#g" docker-compose.yml
sed -i "s#/data/psc#/mnt/hgfs/data/harbor/psc#g" docker-compose.yml
sed -i "s#/data/redis#/mnt/hgfs/data/harbor/redis#g" docker-compose.yml
sed -i "s#/data/secretkey#/mnt/hgfs/data/harbor/secretkey#g" docker-compose.yml
sed -i "s#/data/clair-db#/mnt/hgfs/data/harbor/clair-db#g" docker-compose.clair.yml
## the notary database volume may live in docker-compose.notary.yml instead; grep the compose files for /data/ to be sure each pattern hits
sed -i "s#/data/notary-db#/mnt/hgfs/data/harbor/notary-db#g" docker-compose.yml
sed -i "s#/data/:/data/:z#/mnt/hgfs/data/harbor/:/data/:z#g" docker-compose.yml
sed -i "s#/data/chart_storage#/mnt/hgfs/data/harbor/chart_storage#g" docker-compose.chartmuseum.yml
## prepare: replace the /data default there as well (first match on each line)
sed -i 's#/data#/mnt/hgfs/data/harbor#' prepare

Parameter notes:

hostname: the host name; must not be 127.0.0.1 or localhost; an IP address or a domain name

ui_url_protocol: whether HTTP or HTTPS is used

Email settings: mail settings, optional; only read on first start, can be changed in the UI afterwards

harbor_admin_password: the administrator's initial password, only used for the first login

auth_mode: user authentication mode, db_auth by default; ldap_auth is also available

db_password: password for the database connection when db_auth is used

self_registration: whether users may register themselves, on by default (off disables it); newer versions let you change this in the UI

max_job_workers: maximum number of job workers, 10 by default

customize_crt: whether to generate the certificate used for tokens, on by default

ssl_cert: path to the nginx certificate file; only meaningful with https

ssl_cert_key: path to the nginx key file; only meaningful with https

secretkey_path: the path where the secret key is stored

admiral_url: Admiral's URL; comment this attribute out, or set it to NA, when Harbor is standalone

clair_db_password: even when the Clair service is not enabled, ./prepare in the unpacked directory reads this option, so it must not be commented out; otherwise the pre-flight check fails with "ConfigParser.NoOptionError: No option u'clair_db_password' in section: u'configuration'". The check could be commented out in ./prepare instead, but that file has too many interdependencies, so editing harbor.cfg is the recommended fix

ldap_url: LDAP settings; even when LDAP authentication is not used, ./prepare reads these options, so they must not be commented out; otherwise the check fails with "ConfigParser.NoOptionError: No option u'ldap_timeout' in section: u'configuration'". Same advice as above: fix it in harbor.cfg rather than in ./prepare

ldap_scope: LDAP search scope (0 = base, 1 = one level, 2 = subtree)

token_expiration: token lifetime, 30 minutes by default

project_creation_restriction: who may create projects, "everyone" by default, or "adminonly" for administrators only

verify_remote_cert: whether to verify the TLS certificate of a remote registry when replicating

Everything else keeps its default value
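The configuration edits and the parameter notes above, as an added example that is not from the original page or from Harbor: a small shell helper that changes harbor.cfg keys by name (so a second run still works once a value is no longer the shipped default, which the sed patterns above require), plus a pre-flight check for the failure modes the notes describe: a hostname of localhost/127.0.0.1, https with missing certificate files, and options that ./prepare reads unconditionally but that have been commented out (clair_db_password, ldap_timeout). The sample harbor.cfg is constructed for the example, and the list of required keys is an illustrative assumption to be extended from your own prepare script.

```shell
#!/bin/sh
# Added example, not code from the original page or from Harbor.
# Edits harbor.cfg keys by name and runs a pre-flight check for the problems
# the parameter notes describe. The sample harbor.cfg written by
# make_sample_cfg is constructed for this example; the list of options that
# ./prepare reads unconditionally is illustrative (an assumption) and should be
# extended from your own prepare script.
set -eu

# set_cfg_value FILE KEY VALUE: rewrite "KEY = ..." wherever it is, or append
# the key if no uncommented line defines it. Works on a second run too,
# unlike patterns that only match the shipped default value.
set_cfg_value() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key[[:space:]]*=" "$file"; then
        sed -i "s|^$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_value FILE KEY: print the current value; empty if missing or commented out
get_cfg_value() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# check_harbor_cfg FILE: print each problem found; return 1 if there was any
check_harbor_cfg() {
    file="$1"; rc=0
    host=$(get_cfg_value "$file" hostname)
    case "$host" in
        ""|localhost|127.0.0.1)
            echo "hostname must be the host's IP or domain name, not '$host'"; rc=1 ;;
    esac
    if [ "$(get_cfg_value "$file" ui_url_protocol)" = "https" ]; then
        for k in ssl_cert ssl_cert_key; do
            p=$(get_cfg_value "$file" "$k")
            [ -n "$p" ] && [ -f "$p" ] || { echo "$k: file not found: '$p'"; rc=1; }
        done
    fi
    # ./prepare reads these whether or not the feature is used; a commented
    # line raises ConfigParser.NoOptionError during the pre-flight check
    for k in db_password secretkey_path clair_db_password ldap_url ldap_timeout; do
        grep -q "^$k[[:space:]]*=" "$file" || { echo "$k is missing or commented out"; rc=1; }
    done
    return $rc
}

# make_sample_cfg FILE: constructed 1.7-style harbor.cfg with the shipped defaults
make_sample_cfg() {
    cat > "$1" <<'EOF'
## Configuration file of Harbor (constructed sample for this example)
hostname = reg.mydomain.com
ui_url_protocol = http
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
db_password = root123
#clair_db_password = root123
ldap_url = ldaps://ldap.mydomain.com
ldap_timeout = 5
EOF
}

# Stand-alone run: apply the page's edits to the sample and check the result.
# The empty cert files only satisfy the existence check here.
demo=./harbor-cfg-demo
mkdir -p "$demo/cert"
make_sample_cfg "$demo/harbor.cfg"
set_cfg_value "$demo/harbor.cfg" hostname 192.168.3.35
set_cfg_value "$demo/harbor.cfg" ui_url_protocol https
set_cfg_value "$demo/harbor.cfg" ssl_cert "$demo/cert/harbor.crt"
set_cfg_value "$demo/harbor.cfg" ssl_cert_key "$demo/cert/harbor.key"
set_cfg_value "$demo/harbor.cfg" clair_db_password root123
touch "$demo/cert/harbor.crt" "$demo/cert/harbor.key"
check_harbor_cfg "$demo/harbor.cfg"
echo "harbor.cfg is consistent; run ./prepare"
```

Against a real unpacked installer, call set_cfg_value on ./harbor.cfg and run check_harbor_cfg before ./prepare; a non-zero exit with the printed reasons is cheaper than reading a NoOptionError traceback.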

Edit docker-compose.yml to avoid port conflicts (here the proxy is moved from 80/443 to 5080/5443):

  proxy:
    image: goharbor/nginx-photon:v1.7.5
    container_name: nginx
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    dns_search: .
    ports:
      - 5080:80
      - 5443:443
      - 4443:4443

Edit common/templates/registry/config.yml

auth:
  token:
    issuer: harbor-token-issuer
    realm: $public_url:5443/service/token
    rootcertbundle: /mnt/hgfs/data/harbor/cert/harbor.crt

Two caveats once the ports are remapped. First, the registry is then reached as 192.168.3.35:5443, so docker login, image tags and the Docker trust directory (/etc/docker/certs.d/192.168.3.35:5443/) must all carry the port; the later steps on this page use the plain 192.168.3.35 form, which matches the default 443 mapping. Second, rootcertbundle in the registry config is not the TLS certificate: it is the certificate the registry uses to verify the bearer tokens that Harbor's token service signs (the root.crt that ./prepare generates when customize_crt = on). Pointing it at harbor.crt only works if the token service signs with the matching harbor.key, and the path must exist inside the registry container; otherwise every docker login fails with an unauthorized error.

Once everything checks out, run ./install.sh to start the installation.

8. Install Harbor

./install.sh --with-notary --with-clair --with-chartmuseum
# --with-notary enables image signing. Notary only runs over https, so ui_url_protocol, ssl_cert and ssl_cert_key must be set in harbor.cfg first.
# --with-clair enables vulnerability scanning (Clair).
# --with-chartmuseum enables Chartmuseum (Helm chart storage).

Common docker-compose commands

docker-compose start    ## start Harbor
docker-compose stop     ## stop Harbor
docker-compose restart  ## restart Harbor
docker-compose ps       ## list containers
docker-compose create   ## create services
docker-compose down     ## stop and remove containers and networks (add -v to remove volumes, --rmi to remove images)
docker-compose logs     ## show container output
docker-compose up       ## create and start containers

With Notary, Clair and Chartmuseum installed, each of these must be given every compose file that install.sh used (-f docker-compose.yml -f docker-compose.notary.yml -f docker-compose.clair.yml -f docker-compose.chartmuseum.yml); otherwise only the core containers are affected.

Restarting after a configuration change

docker-compose down -v
vi harbor.cfg                 ## change what needs updating
vi docker-compose.yml         ## change what needs updating
./prepare
docker-compose up -d

(When Notary, Clair and Chartmuseum were installed, run ./prepare --with-notary --with-clair --with-chartmuseum and pass all four compose files to down and up, as noted above.)

Client-side test

On the client (192.168.3.34), copy ca.crt into /etc/docker/certs.d/192.168.3.35/ (name the directory 192.168.3.35:5443 if the proxy ports were remapped), then log in:

docker login 192.168.3.35

From 192.168.3.34, log in to the Harbor on 192.168.3.35 and push an image to it; the image must be tagged with 192.168.3.35 and the project name as its prefix.

Open https://192.168.3.35 in a browser.

Log in as admin / Harbor12345 (the default harbor_admin_password) and check that the image pushed from 192.168.3.34 is listed.

References and pitfalls encountered:

https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
http://www.youdzone.com/signature.html
https://www.jianshu.com/p/0046add931df
https://www.jianshu.com/p/44a3efae1d84
https://www.jianshu.com/p/f9b8a3e62af1
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
http://www.apetec.com/support/GenerateSAN-CSR.htm
http://blog.zencoffee.org/2013/04/creating-and-signing-an-ssl-cert-with-alternative-names/
https://zhuanlan.zhihu.com/p/26646377
https://blog.csdn.net/u013066244/article/details/78725842/