CentOS安装Harbor1.10.1并与docker集成

李志强容器与虚拟化相关Leave a comment

CentOS7安装Harbor-v1.10.1并与docker-19.03.6集成,使docker能够登录、推送、拉取Harbor中的镜像。

文章目录
CentOS安装Harbor-v1.10.1并与docker集成
一、安装docker-compose
二、Harbor的域名
三、生成自签证书
四、为各个docker客户端分发证书
五、安装Harbor
六、使用Harbor
6.1、访问Harbor WebUI
6.2、push镜像:docker ==> harbor
6.3、pull镜像: docker <== harbor
七、维护时常用命令
Harbor是一个开源的可信云本地注册表项目,用于存储、签名和扫描内容。Harbor扩展了开源Docker发行版,增加了用户通常需要的功能,比如安全性、身份和管理。
Harbor经常作为Docker私有云端仓库被企业使用。
Harbor的官方网址是这里:https://github.com/goharbor/harbor

本文介绍CentOS7安装Harbor-v1.10.1并与docker-19.03.6集成的操作全过程。

操作系统、应用及版本信息:

Linux:CentOS 7.6
Docker : 19.03.6
docker-compose version:1.25.4
Harbor:v1.10.1
服务器规划示意图:

一、安装docker-compose
Harbor是通过docker-compose来管理镜像的。
所以在Harbor主机安装docker-compose是必须的首要的一步。

$ curl -L “https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)” -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose
$ ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
$ docker-compose –version
docker-compose version 1.25.4, build 8d51620a
1
2
3
4
5
二、Harbor的域名
如果没有域名的话,可以自己定义一个域名,并在Harbor主机和Docker主机通过向/etc/hosts文件添加条目完成自定义域名与Harbor主机IP的映射关系。本文中自定义的域名是harbor.cn,配置如下:

[root@dev110 ~]

# more /etc/hosts

harbor server

192.168.100.110 harbor.cn

1
2
3
4
5
三、生成自签证书
Docker默认通过HTTPS与Harbor通信的,虽然可以改为HTTP方式,但需要修改的配置项会很多,而且也不安全。

有了域名了,配套的CA证书自然是少不了的。

mkdir -p /home/k8s/cert_harbor
cd /home/k8s/cert_harbor
1
2
Step1 – 生成根证书私钥(无加密):

openssl genrsa -out ca.key 4096
1
Step2 – 生成自签名证书(使用已有私钥ca.key自行签发根证书)生成ca.crt:

openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj “/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=192.168.100.110” \
-key ca.key \
-out ca.crt
1
2
3
4
添加-subj参数可以免去交互过程。

Step1 – 生成服务器端自己域名的key:

openssl genrsa -out harbor.cn.key 4096
1
Step4 – 生成服务器端自己域名的CSR签名请求:

openssl req -sha512 -new \
-subj “/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=192.168.100.242” \
-key harbor.cn.key \
-out harbor.cn.csr
1
2
3
4
Step5 – 生成一个 openssl 命令需要的外部配置文件 externalfile.ext。
这个文件可以随意命名,但是要记住,后面对的命令还要用到。、
文件内容中主要是subjectAltName这一项
如果配IP就写IP.1=192.168.xxx.xxx
如果配域名就写 DNS.1=xxx.xxx.com

[root@dev110 ~]

# cat > vim externalfile.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]

DNS.1=harbor.cn
EOF
1
2
3
4
5
6
7
8
9
Step6 – 通过外部配置文件 externalfile.ext和 csr 生成 crt:

openssl x509 -req -sha512 -days 3650 -extfile externalfile.ext \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-in harbor.cn.csr \
-out harbor.cn.crt
1
2
3
4
5
6
Step7 – 将服务端的 crt 转换成客户端用的 cert:

openssl x509 -inform PEM -in harbor.cn.crt -out harbor.cn.cert
1
至此,所有证书文件就创建好了:

[root@dev cert_harbor]

# ll
total 32
-rw-r–r– 1 root root 2017 Feb 23 13:44 ca.crt
-rw-r–r– 1 root root 3243 Feb 23 13:42 ca.key
-rw-r–r– 1 root root 17 Feb 23 13:53 ca.srl
-rw-r–r– 1 root root 232 Feb 23 13:52 externalfile.ext
-rw-r–r– 1 root root 2049 Feb 23 13:54 harbor.cn.cert
-rw-r–r– 1 root root 2049 Feb 23 13:53 harbor.cn.crt
-rw-r–r– 1 root root 1700 Feb 23 13:49 harbor.cn.csr
-rw-r–r– 1 root root 3247 Feb 23 13:47 harbor.cn.key
1
2
3
4
5
6
7
8
9
10
四、为各个docker客户端分发证书
将Harbor主机上带域名的.cert和.key证书文件拷贝到docker客户端所在主机的/etc/docker/certs.d/xxx.xxx.com/目录下。
下面以192.168.100.111这台docker客户端主机上的操作为例进行介绍。

Step1 – 在Docker主机上执行:

mkdir -p /etc/docker/certs.d/harbor.cn/
1
Step2、在Harbor主机,执行:

scp ./harbor.cn.cert ./harbor.cn.key root@192.168.100.111:/etc/docker/certs.d/harbor.cn/
1
Step3、在Docker主机修改 /etc/docker/daemon.json,主要是增加”insecure-registries”:[“http://harbor.cn”] :

[root@dev111 ~]

# vim /etc/docker/daemon.json
{

“insecure-registries”:[“http://harbor.cn”],

}
1
2
3
4
5
6
Step4、重启Docker:

systemctl daemon-reload
systemctl restart docker
1
2
五、安装Harbor
前面准备工作做了那么多,现在终于可以进入正题了。
下载&解压:

wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
mkdir -p /home/k8s/harbor
tar -zxvf ./harbor-offline-installer-v1.10.1.tgz /home/k8s/harbor/
1
2
3
查看解压后文件:

[root@dev110 ~]

# ll /home/k8s/harbor/
total 662120
-rw-r–r– 1 root root 3398 Feb 10 14:18 common.sh
-rw-r–r– 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz
-rw-r–r– 1 root root 5882 Feb 10 14:18 harbor.yml
-rwxr-xr-x 1 root root 2284 Feb 10 14:18 install.sh
-rw-r–r– 1 root root 11347 Feb 10 14:18 LICENSE
-rwxr-xr-x 1 root root 1749 Feb 10 14:18 prepare
1
2
3
4
5
6
7
8
修改配置文件harbor.yml:

[root@dev110 ~]

vim /home/k8s/harbor/harbor.yml
hostname: #IP地址或域名
http:
port: 80
https:
port: 443
certificate: /home/k8s/cert_harbor/harbor.cn.crt # 这里是证书信息
private_key: /home/k8s/cert_harbor/harbor.cn.key # 这里是证书信息
harbor_admin_password: Ccxharbor123 # 根据需要修改Web端admin用户的密码,默认为Harbor12345
database:
password: Ccxharbor123 # 为harbor内置数据库root用户的密码,默认为root123
data_volumn: /data
log:
level: info
location: /var/log/harbor # harbor日志存放路径
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
先更新参数:

[root@dev110 ~]

# cd /home/k8s/harbor

[root@dev110 harbor]

# ./prepare
1
2
再进行安装:

[root@dev110 harbor]

# ./install.sh
[Step 0]: checking if docker is installed …
Note: docker version: 19.03.6
[Step 1]: checking docker-compose is installed …
Note: docker-compose version: 1.25.4
[Step 2]: loading Harbor images …

这里会很慢,因为要拉取很多镜像

[Step 3]: preparing environment …
[Step 4]: preparing harbor configs …
prepare base dir is set to /home/k8s/harbor
Generated configuration file: /config/log/logrotate.conf

Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor …
WARNING: The Docker Engine you’re using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use docker stack deploy.
Creating network “harbor_harbor” with the default driver
Creating harbor-log … done
Creating registry … done
Creating harbor-portal … done
Creating harbor-db … done
Creating redis … done
Creating registryctl … done
Creating harbor-core … done
Creating nginx … done
Creating harbor-jobservice … done
✔ —-Harbor has been installed and started successfully.—-
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
当你看到Harbor has been installed and started successfully时,我要恭喜你安装成功了。

六、使用Harbor
6.1、访问Harbor WebUI
使用浏览器,通过https://域名或https://ip:port两种方式都可以访问Harbor的WebUI。
因为是自签CA证书,浏览器会拦截,需要添加信任即可。
之后就会看到Harbor的登录界面了:
用户名:admin
密码:即harbor.yml文件中harbor_admin_password参数的值。默认是:Harbor12345

6.2、push镜像:docker ==> harbor
要想将镜像push到Harbor仓库中,必须先要在Harbor中创建自己的项目,即project,当然也可以使用Harbor自带的项目:library
下面看看如何做才能吧nginx镜像推送到Harbor镜像中去。

Step1、docker拉取一个镜像并修改tag:

docker pull nginx
docker tag nginx:latest harbor.cn/library/nginx:latest
1
2
Step2、docker login 登录Harbor:

harbor_user_name – Harbor用户名

harbor_password – 该Harbor用户的密码

harbor_domain – Harbor的域名

docker login -u -p
1
2
3
4
执行命令,及输出:

[root@dev ~]

# docker login -uadmin -pHarbor12345 harbor.cn
WARNING! Using –password via the CLI is insecure. Use –password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
1
2
3
4
5
6
7
当看到Login Succeeded时,就说明登陆成功了。

下面可以查看docker中保存的登录信息:

[root@dev ~]

# cat ~/.docker/config.json
{
“auths”: {
“harbor.cn”: {
“auth”: “Y2N4LWRldjpDY3hkZXYxMjM=”
}
},

}
1
2
3
4
5
6
7
8
9
Step3、docker推送镜像到Harbor:

harbor_domain – Harbor的域名

project_name – Harbor中的项目名称

image_name – 镜像名称

image_tag – 镜像tag

docker push //:
1
2
3
4
5
执行命令,及输出:

[root@dev ~]

# docker push harbor.cn/library/nginx:latest
The push refers to repository [harbor.cn/library/nginx]
22439467ad99: Pushed
b4a29beac87c: Pushed
488dfecc21b1: Pushed
latest: digest: sha256:62f787b94e5faddb79f96c84ac0877aaf28fb325bfc3601b9c0934d4c107ba94 size: 948
1
2
3
4
5
6
Step4、登录Harbor查看镜像

6.3、pull镜像: docker <== harbor
Docker想从Harbor拉取镜像,只需要:

docker login 登录harbor
docker pull时,在镜像名称前加上Harbor的域名,就像这样:
docker pull harbor.cn/library/nginx:latest
1
七、维护时常用命令
查看harbor:

[root@dev110 ~]

# cd /home/k8s/harbor

[root@dev110 harbor]

# docker-compose ps

Name Command State Ports

harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice … Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ … Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
1
2
3
4
5
6
7
8
9
10
11
12
13
停止&开启命令:

docker-compose stop
docker-compose start
1
2
想要修改harbor配置时:

docker-compose down -v
vim harbor.yml
./prepare
docker-compose up -d
1
2
3
4
删除harbors的镜像保留数据库和镜像数据:

docker-compose down -v
1
删除harbor的数据库和数据,相当于重装:

docker-compose down -v
1
更多命令可以参考docker-compose命令的帮助:

[root@的dev110 harbor]

# docker-compose –help
Define and run multi-container applications with Docker.

Usage:
docker-compose [-f …] [options] [COMMAND] [ARGS…]
docker-compose -h|–help

Options:
-f, –file FILE Specify an alternate compose file
(default: docker-compose.yml)
-p, –project-name NAME Specify an alternate project name
(default: directory name)
–verbose Show more output
–log-level LEVEL Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
–no-ansi Do not print ANSI control characters
-v, –version Print version and exit
-H, –host HOST Daemon socket to connect to

–tls Use TLS; implied by –tlsverify
–tlscacert CA_PATH Trust certs signed only by this CA
–tlscert CLIENT_CERT_PATH Path to TLS certificate file
–tlskey TLS_KEY_PATH Path to TLS key file
–tlsverify Use TLS and verify the remote
–skip-hostname-check Don’t check the daemon’s hostname against the
name specified in the client certificate
–project-directory PATH Specify an alternate working directory
(default: the path of the Compose file)
–compatibility If set, Compose will attempt to convert keys
in v3 files to their non-Swarm equivalent
–env-file PATH Specify an alternate environment file

Commands:
build Build or rebuild services
config Validate and view the Compose file
create Create services
down Stop and remove containers, networks, images, and volumes
events Receive real time events from containers
exec Execute a command in a running container
help Get help on a command
images List images
kill Kill containers
logs View output from containers
pause Pause services
port Print the public port for a port binding
ps List containers
pull Pull service images
push Push service images
restart Restart services
rm Remove stopped containers
run Run a one-off command
scale Set number of containers for a service
start Start services
stop Stop services
top Display the running processes
unpause Unpause services
up Create and start containers
version Show the Docker-Compose version information

[root@dp-dev-242 harbor]

#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

————————————————
版权声明:本文为CSDN博主「jason9211」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/jason9211/article/details/104464342/

Leave a Reply