您好,欢迎访问代理记账网站
  • 价格透明
  • 信息保密
  • 进度掌控
  • 售后无忧

docker harbor部署及使用

配置企业级docker注册服务器

1. 部署docker、docker-compose环境

# 略

2. 下载Harboe离线安装包

# 地址:https://github.com/goharbor/harbor/releases
	harbor-offline-installer-v2.1.2.tgz

# 使用rz或者xftp传入虚拟机
$ yum install lrzsz -y

# 解压压缩包
$ tar zxf harbor-offline-installer-v2.1.2.tgz

# 进入目录及导入镜像
$ cd harbor/
$ docker load -i harbor.v2.1.2.tar.gz

3. 配置Harbor的HTTPS访问

# 安装证书所要用的命令
$ yum install openssl -y

3.1 产生CA证书

3.1.1 产生CA证书私钥
$ openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................++
.....................................................................................................................................................................++
e is 65537 (0x10001)
3.1.2 产生CA证书
$ openssl req -x509 -new -nodes -sha512 -days 3650 \
$               -subj "/C=CN/ST=Hebei/L=Handan/O=bzx/OU=Student/CN=www.bzx.com" \
$               -key ca.key \
$               -out ca.crt

4. 产生服务器证书

4.1 产生一个私钥

$ openssl genrsa -out www.bzx.com.key 4096
Generating RSA private key, 4096 bit long modulus
............................++
................................................................................................++
e is 65537 (0x10001)

4.2 生成证书签名请求

$ openssl req -sha512 -new \
$                -subj "/C=CN/ST=Hebei/L=Handan/O=bzx/OU=Student/CN=www.bzx.com" \
$                -key www.bzx.com.key \
$                -out www.bzx.com.csr

4.3 生成x509 v3扩展文件

$ cat v3.ext 
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=www.bzx.com
DNS.2=bzx.com
DNS.3=www

4.4 使用v3.ext文件为你的Harbor服务器生成服务器证书:

$ openssl x509 -req -sha512 -days 3650 \
$                -extfile v3.ext \
$                -CA ca.crt -CAkey ca.key -CAcreateserial \
$                -in www.bzx.com.csr \
$                -out www.bzx.com.crt
Signature ok
subject=/C=CN/ST=Hebei/L=Handan/O=bzx/OU=Student/CN=www.bzx.com
Getting CA Private Key

5. 提供证书给Harbor和Docker

5.1 在Harbor主机上创建证书目录,并将服务器证书及私钥文件复制过来

$ mkdir /data/cert -p
$ cp www.bzx.com.crt www.bzx.com.key ca.crt /data/cert/

5.2 转换证书 www.change.tm.crt 为 www.change.tm.cert

# Docker Daemon将 .crt 作为CA证书,将 .cert 作为客户端证书
$ cd /data/cert/
$ openssl x509 -inform PEM -in www.bzx.com.crt -out www.bzx.com.cert
$ ll
total 16K
-rw-r--r--. 1 root root 2.0K Jan  8 04:15 ca.crt
-rw-r--r--. 1 root root 2.1K Jan  8 04:18 www.bzx.com.cert
-rw-r--r--. 1 root root 2.1K Jan  8 04:15 www.bzx.com.crt
-rw-r--r--. 1 root root 3.2K Jan  8 04:15 www.bzx.com.key

5.3 复制服务器证书、服务器私钥和CA证书到Harbor主机上的Docker证书目录中,这个目录需要先被 创建出来。

$ mkdir /etc/docker/certs.d/www.bzx.com -p
$ cp www.bzx.com.cert www.bzx.com.key ca.crt /etc/docker/certs.d/www.bzx.com/

5.4 重启docker引擎

$ systemctl restart docker

6. 配置harbor.yml文件

$ cd /root/harbor
$ cp harbor.yml.tmpl harbor.yml
$ vim harbor.yml
	hostname: www.bzx.com
	certificate: /data/cert/www.bzx.com.cert
	private_key: /data/cert/www.bzx.com.key

7. 安装Harbor

$ ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

$ ./install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.1

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.27.4

[Step 2]: loading Harbor images ...
Loaded image: goharbor/chartmuseum-photon:v2.1.2
Loaded image: goharbor/prepare:v2.1.2
Loaded image: goharbor/harbor-log:v2.1.2
Loaded image: goharbor/harbor-registryctl:v2.1.2
Loaded image: goharbor/clair-adapter-photon:v2.1.2
Loaded image: goharbor/harbor-db:v2.1.2
Loaded image: goharbor/harbor-jobservice:v2.1.2
Loaded image: goharbor/clair-photon:v2.1.2
Loaded image: goharbor/notary-signer-photon:v2.1.2
Loaded image: goharbor/harbor-portal:v2.1.2
Loaded image: goharbor/redis-photon:v2.1.2
Loaded image: goharbor/nginx-photon:v2.1.2
Loaded image: goharbor/trivy-adapter-photon:v2.1.2
Loaded image: goharbor/harbor-core:v2.1.2
Loaded image: goharbor/registry-photon:v2.1.2
Loaded image: goharbor/notary-server-photon:v2.1.2

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
✔ ----Harbor has been installed and started successfully.----

8. 测试

# 编辑hosts文件,添加地址解析
$ vim /etc/hosts
	192.168.119.128 www.bzx.com
	
# 登录
$ docker login www.bzx.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# 上传镜像
$ docker tag centos:latest www.bzx.com/library/centos:v10
$ docker push www.bzx.com/library/centos:v10

9. 使用客户端访问

# ca.crt文件需要导出,然后添加到浏览器的受信任的根证书颁发机构中。
$ sz ca.crt 

# 防火墙放行
$ firewall-cmd --add-port=80/tcp --permanent
$ firewall-cmd --add-port=443/tcp --permanent
$ firewall-cmd --add-port=4443/tcp --permanent 
$ firewall-cmd --reload

# 设置客户端hosts文件,添加地址解析
	192.168.119.128 www.bzx.com

$ ping www.bzx.com

正在 Ping www.bzx.com [192.168.119.128] 具有 32 字节的数据:
来自 192.168.119.128 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.119.128 的回复: 字节=32 时间<1ms TTL=64

192.168.119.128 的 Ping 统计信息:
    数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms,最长 = 0ms,平均 = 0ms

10. 访问web网页

10.1 创建用户

10.2 创建项目

10.3 上传镜像到仓库并查看

# 退出admin用户登录
$ docker logout admin

# 登录自己创建的账户
$ docker login www.bzx.com -ubzx -pCom.123456
$ docker pull centos
$ docker push www.bzx.com/centos/centos:v10

总结:

openssl工具生成自签名证书过程

# 安装
$ yum install openssl -y

# 产生CA证书私钥
# 产生CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=HeBei/L=Baoding/O=bzx/OU=Teacher/CN=www.change.tm" \
> -key ca.key \
> -out ca.crt
## -nodes 如果创建的私钥是没有被加密的,需要指定这个选项
## C(Country Name 国家名称)
## ST(State or Province Name 州、邦或者省名称)
## L(Locality Name 城市名称)
## O(Organization Name 机构名称或者公司名称)
## OU(Organization Unit Name 组织单位名称、部门名称)
## CN(Common Name 通用名称或者server FQDN)

# 产生一个服务器证书
## 产生一个私钥
## 生成证书签名请求
## 生成x509 v3扩展文件
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=www.change.tm
> DNS.2=change.tm
> DNS.3=www
##authorityKeyIdentifier:keyid表示从ParentCA拷贝key identifier,本参数优先。issuer表示拷贝发布人证书中的issuer和serial number
##basicConstraints:CA证书必须包含这项且值为TRUE,终端用户证书必须设置为FALSE或者nothing。
##keyUsage:key用于数字签名,不可否认性,key加密,数据加密
##extendedKeyUsage:扩展Key也用于服务器认证
##subjectAltName:这个参数很重要,现在被很多地方用来签署多域名证书,但它除了DNS,还可指定email, IP,DN等

# 使用v3.ext文件为你的Harbor服务器生成服务器证书

# Docker Daemon将 .crt 作为CA证书,将 .cert 作为客户端证书
## 转换命令
$ openssl x509 -inform PEM -in www.change.tm.crt -outwww.change.tm.cert

分享:

低价透明

统一报价,无隐形消费

金牌服务

一对一专属顾问7*24小时金牌服务

信息保密

个人信息安全有保障

售后无忧

服务出问题客服经理全程跟进