Harbor is an enterprise-class registry server for storing and distributing Docker images.
For the deployment guide, see the official documentation: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Hardware requirements:
Resource    Capacity    Description
CPU         2CPU        4CPU is preferred
Mem         4GB         8GB is preferred
Disk        40GB        160GB is preferred
Software requirements:
Software          Version
Python            version 2.7 or higher (preinstalled)
Docker engine     version 1.10 or higher
Docker Compose    version 1.6.0 or higher
Openssl           latest (preinstalled)
1. Install Docker and Docker Compose
To install Docker, see my other article (https://blog.51cto.com/9406836/2314122)
Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
2. Download the Harbor offline installer
mkdir /harbor
cd /harbor
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.4.tgz
tar xvf harbor-offline-installer-v1.5.4.tgz
cd harbor
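3. Generate the keys and certificates with openssl
3.1 Generate a self-signed certificate and its private key. (This step partly overlaps with the next one, because I sign the certificate again in the role of the CA.)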
mkdir /pri
cd /pri
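openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 -out ca.crt \
-subj "/C=CN/ST=GUANGDONG/L=SZ/O=example/OU=Personal/CN=yourdomain.com"
# -newkey: generate a new private key; -nodes: leave the private key unencrypted; -keyout: file the private key is written to; -x509: output a self-signed certificate instead of a request; -out: file the certificate is written to; -days: validity period in days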
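3.2 Edit the certificate extension file v3.ext (its main purpose is to add multiple domain names to the certificate through subjectAltName; for example, a certificate for google.com can also cover other names such as youku.com)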
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# The key point is here: the entries below can be your hostname, for example my host redhat.example.com
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
3.3 Issue a certificate for the Harbor server (redhat.example.com is used as the example; remember to update your hosts file).
Generate the server private key
openssl genrsa -out redhat.example.com.key 2048
Generate the certificate signing request (reportedly, the CN must match the server hostname)
openssl req -sha512 -new \
-subj "/C=CN/ST=GUANGDONG/L=SZ/O=XXX/OU=XXX/CN=redhat.example.com" \
-key redhat.example.com.key \
-out redhat.example.com.csr
3.4 Sign the request on the CA server (in my case it is the same machine)
cd /pri
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in redhat.example.com.csr \
-out redhat.example.com.crt
3.5 Install the certificate and key (the location where Harbor stores its certificates)
mkdir -p /data/cert
cp redhat.example.com.key /data/cert/
cp redhat.example.com.crt /data/cert/
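3.6 Install the certificate for the Docker daemon. Docker requires the certificate to be a file ending in .cert (it treats .crt files as CA certificates)
openssl x509 -inform PEM -in redhat.example.com.crt -out redhat.example.com.cert
mkdir -p /etc/docker/certs.d/redhat.example.com
cp redhat.example.com.cert /etc/docker/certs.d/redhat.example.com/
cp redhat.example.com.key /etc/docker/certs.d/redhat.example.com/
cp ca.crt /etc/docker/certs.d/redhat.example.com/
The layout after deployment is as follows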
/etc/docker/certs.d/
└── yourdomain.com:port
    ├── yourdomain.com.cert  <-- Server certificate signed by CA
    ├── yourdomain.com.key   <-- Server key signed by CA
    └── ca.crt               <-- Certificate authority that signed the registry certificate
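An added check, not part of the original article: before running ./prepare, confirm that the server certificate from steps 3.1-3.4 chains to ca.crt, covers the Harbor hostname through the names in v3.ext, and matches the private key copied to /data/cert. The function names and the throwaway CA built by make_demo_pki are constructed for illustration.

```bash
#!/usr/bin/env bash
# Pre-flight check for the files produced in steps 3.1-3.6 (added example).
# Usage: check_harbor_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
check_harbor_cert() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. The server certificate must chain to the CA that clients are told to trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt is not signed by $ca"; return 1; }
    # 2. The registry hostname must be covered by the names in the certificate
    #    (the subjectAltName list from v3.ext).
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match' ||
        { echo "FAIL: $host is not among the certificate's names"; return 2; }
    # 3. The private key must belong to the certificate; this also catches a
    #    .csr or an unrelated key copied into /data/cert by mistake.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt"; return 3; }
    echo "OK: $crt is valid for $host and matches $key"
}

# Constructed sample input: a throwaway CA and a server certificate for
# redhat.example.com, written to directory $1 (mirrors steps 3.1-3.4).
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
        '[dn]' 'CN=Demo CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'subjectKeyIdentifier=hash' > "$d/ca.cnf"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:redhat.example.com' > "$d/v3.ext"
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -sha512 -config "$d/ca.cnf" -key "$d/server.key" \
        -subj "/CN=redhat.example.com" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -sha512 -days 1 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -in "$d/server.csr" \
        -out "$d/server.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then   # run the check on the constructed PKI
    tmp=$(mktemp -d) && make_demo_pki "$tmp" &&
        check_harbor_cert "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key" redhat.example.com
fi
```

On the Harbor host the call would be check_harbor_cert /pri/ca.crt /data/cert/redhat.example.com.crt /data/cert/redhat.example.com.key redhat.example.com.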
4. Deploy Harbor
4.1 Edit the configuration file
cd /harbor/harbor
vim harbor.cfg
#set hostname
hostname = redhat.example.com
#set ui_url_protocol
ui_url_protocol = https
......
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/redhat.example.com.crt
ssl_cert_key = /data/cert/redhat.example.com.key
4.2 Run the prepare script to generate the configuration files
./prepare
4.3 Install Harbor
./install.sh
4.4 Start Harbor
docker-compose start
4.5 Stop Harbor
docker-compose stop
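5. Access Harbor in a browser and register
5.1 Login page
https://redhat.example.com (remember to add the hosts entry and to trust the certificate)
5.2 Register an account
Username: xxx Password: xxx
6. Pull images from a client
6.1 First add the self-signed certificate to the trust list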
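cp ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
# /etc/pki/ca-trust is the RHEL/CentOS trust store and is refreshed with update-ca-trust (update-ca-certificates is the Debian/Ubuntu tool)
update-ca-trust extract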
6.2 Restart Docker
systemctl restart docker
6.3 Log in to Harbor
docker login redhat.example.com
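Username: xxx Password: xxx
That is all for now. I would actually like to write up many of the details as I understand them, but I am afraid of misleading people, so please look them up yourselves.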