Harbor Installation and Configuration

2018/04/24 Linux

I will not say much about Harbor itself here; the official site has a detailed introduction. Harbor website: https://vmware.github.io/harbor/cn/

1. Harbor runtime environment

OS version        Docker version   Compose version   Harbor version
CentOS 7.4.1708   17.12.0-ce       1.18.0            v1.3.0

2. Download docker-compose

Downloading from GitHub is slow from inside China, so downloading from the DaoCloud mirror is recommended.

# curl -L https://get.daocloud.io/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose

# chmod +x /usr/local/bin/docker-compose
# docker-compose --version
docker-compose version 1.18.0, build 8dd22a9

3. Download Harbor

# wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.3.0-rc1.tgz

I downloaded the offline package, which makes the subsequent deployment and installation faster.

4. Extract and configure Harbor

root@wangenzhi-test-bjqw:/usr/local/src # tar xf harbor-offline-installer-v1.3.0-rc1.tgz 
root@wangenzhi-test-bjqw:/usr/local/src # cd harbor
root@wangenzhi-test-bjqw:/usr/local/src/harbor # vim harbor.cfg

## Configuration file of Harbor

# hostname is the address used to reach Harbor; an IP or a domain name is allowed, 127.0.0.1 and localhost are not
hostname = 10.100.4.197

# Access protocol; the default is http, https is also possible. If https is set, ssl must be enabled in nginx
ui_url_protocol = http

# Default password of the MySQL root user is root123; change it for real use
db_password = root123

max_job_workers = 3 
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA

# Mail settings, used when sending password-reset mails
email_identity = 
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

# Password for the admin UI login once Harbor is started; the default is Harbor12345
harbor_admin_password = Harbor12345

# Authentication mode. Several modes are supported, such as LDAP, local storage and database. The default is db_auth, MySQL database authentication
auth_mode = db_auth

# Settings for LDAP authentication
#ldap_url = ldaps://ldap.mydomain.com
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password
#ldap_basedn = ou=people,dc=mydomain,dc=com
#ldap_filter = (objectClass=person)
#ldap_uid = uid 
#ldap_scope = 3 
#ldap_timeout = 5

# Whether self-registration is enabled
self_registration = on

# Token validity period, default 30 minutes
token_expiration = 30

# Controls which users may create projects; the default is everyone, it can also be set to adminonly (administrators only)
project_creation_restriction = everyone

verify_remote_cert = on

The only thing I changed here was the IP address after hostname.
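As an added example (not part of the original post), here is a small POSIX shell audit that reads a harbor.cfg and reports which of the settings shown above are still at the values the file ships with: a hostname of localhost/127.0.0.1, http instead of https, the two default passwords, open self-registration and unrestricted project creation. The key names are exactly the ones in the file above; the function names, the messages and the choice of checks are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project).
# Assumes a harbor.cfg in the "key = value" form shown in the post.

# cfg_get FILE KEY  -> prints the value of "KEY = value", skipping comment lines
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_harbor_cfg FILE  -> prints one finding per line; exit 0 only when there are none
audit_harbor_cfg() {
    f=$1; n=0
    case "$(cfg_get "$f" hostname)" in
        ""|localhost|127.0.0.1)
            echo "hostname: must be a reachable IP or FQDN, not empty/localhost/127.0.0.1"; n=$((n+1)) ;;
    esac
    [ "$(cfg_get "$f" ui_url_protocol)" = https ] ||
        { echo "ui_url_protocol: http sends admin and docker login credentials in clear text"; n=$((n+1)); }
    [ "$(cfg_get "$f" harbor_admin_password)" != Harbor12345 ] ||
        { echo "harbor_admin_password: still the documented default"; n=$((n+1)); }
    [ "$(cfg_get "$f" db_password)" != root123 ] ||
        { echo "db_password: still the documented default"; n=$((n+1)); }
    [ "$(cfg_get "$f" self_registration)" != on ] ||
        { echo "self_registration: anyone who can reach the portal can create an account"; n=$((n+1)); }
    [ "$(cfg_get "$f" project_creation_restriction)" = adminonly ] ||
        { echo "project_creation_restriction: every user can create projects (push targets)"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}
```

Run it as `audit_harbor_cfg /usr/local/src/harbor/harbor.cfg` before ./install.sh or ./prepare; it exits non-zero while any finding remains, so a deployment script can use it as a gate.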

5. Configure docker

Docker connects over https by default while Harbor defaults to http, so the docker configuration has to mark the registry host as an insecure registry. Harbor can of course also be set up for https; that procedure is covered later on.

# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry=10.100.4.197
# Only the --insecure-registry parameter needs to be added.

# Restart docker:
# systemctl daemon-reload
# systemctl restart docker.service

6. Run the Harbor install script

# This pulls several images and checks the environment:

# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 17.12.0

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...

[Step 2]: preparing environment ...
....

[Step 3]: checking existing instance of Harbor ...

Creating registry ... done
Creating harbor-ui ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating harbor-adminserver ... 
Creating harbor-db ... 
Creating registry ... 
Creating harbor-ui ... 
Creating harbor-jobservice ... 
Creating nginx ... 

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://10.100.4.197 . 
For more details, please visit https://github.com/vmware/harbor .

That completes the Harbor installation. Once it is finished, 7 containers have been created, as follows:

7. Starting and stopping the Harbor containers

Enter the Harbor directory and run:

docker-compose start/stop

Once started, Harbor can be reached from a browser: I enter 10.100.4.197 to reach the Harbor admin home page. Harbor listens on port 80 of the host by default. Turn off the firewall, or open port 80 in it.

The default username is admin and the password is the default from harbor.cfg. After logging in you see the following interface.

8. Configure Harbor for https access

1. Stop Harbor

# cd /usr/local/src/harbor/
# docker-compose down -v
Stopping nginx              ... done
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping registry           ... done
Stopping harbor-db          ... done
Stopping harbor-adminserver ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing registry           ... done
Removing harbor-db          ... done
Removing harbor-adminserver ... done
Removing harbor-log         ... done
Removing network harbor_harbor

2. Edit the Harbor configuration file

# vim harbor.cfg
# Change the previous IP address to the domain name you want to configure
hostname = harbor.bd-yg.com 
# Change the default http to https
ui_url_protocol = https

ssl_cert = /usr/local/src/harbor/cert/harbor.bd-yg.com.crt
ssl_cert_key = /usr/local/src/harbor/cert/harbor.bd-yg.com.key

Change hostname to your domain (xxxxxx.com), ui_url_protocol to https, and the ssl_cert and ssl_cert_key file names to the names of the certificate you are going to generate.

3. Generate the certificates

Generate the certificates following the official Harbor documentation.

(1) Generate the CA certificate

# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
..............................................++
............................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing   
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:bdyg
Organizational Unit Name (eg, section) []:bdyg
Common Name (eg, your name or your server's hostname) []:harbor.bd-yg.com
Email Address []:wangenzhi0312@gmail.com

(2) Generate the certificate signing request

openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.bd-yg.com.key -out harbor.bd-yg.com.csr

Generating a 4096 bit RSA private key
................................................................................................................................................................................................................................................................................................................................................++
..........................++
writing new private key to 'harbor.bd-yg.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing     
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:bdyg
Organizational Unit Name (eg, section) []:bdyg
Common Name (eg, your name or your server's hostname) []:harbor.bd-yg.com
Email Address []:wangenzhi0312@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(3) Generate the registry host's certificate

openssl x509 -req -days 365 -in harbor.bd-yg.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.bd-yg.com.crt
# The following output appears
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=bdyg/OU=bdyg/CN=harbor.bd-yg.com/emailAddress=wangenzhi0312@gmail.com
Getting CA Private Key

Replace harbor.bd-yg.com above with the FQDN you are going to use; it must match the hostname and ssl_cert settings in Harbor.

4. Configure and install the certificate

Once you have the harbor.bd-yg.com.crt and harbor.bd-yg.com.key files, you can put them in a directory such as /root/cert/ (I put them in /usr/local/src/harbor/cert/, which is the location specified in harbor.cfg):

(1) Copy the certificate files

# mkdir /usr/local/src/harbor/cert
# cp harbor.bd-yg.com.crt harbor.bd-yg.com.key cert/
# ls cert/
harbor.bd-yg.com.crt  harbor.bd-yg.com.key

(2) Generate Harbor's configuration files

# cd /usr/local/src/harbor
# ls
ca.crt  common                     harbor_1_1_0_template  harbor.cfg                -newkey  -x509
ca.key  docker-compose.clair.yml   harbor.bd-yg.com.crt   harbor.v1.3.0-rc1.tar.gz  NOTICE   yourdomain.com.key
ca.srl  docker-compose.notary.yml  harbor.bd-yg.com.csr   install.sh                prepare
cert    docker-compose.yml         harbor.bd-yg.com.key   LICENSE                   upgrade
# ./prepare

(4) Stop docker from treating the registry as insecure

# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry=10.100.4.197
# Remove --insecure-registry=10.100.4.197
Save and exit
# Restart the docker service
# systemctl daemon-reload
# systemctl restart docker.service
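The three openssl commands in step 3 and the removal of --insecure-registry just above belong together: once the daemon stops treating the host as insecure, it must be able to validate the registry's certificate. The following shell script is an added example, not code from the post or the Harbor project. It repeats the CA and host-certificate generation non-interactively (-subj instead of the prompts, with the leading dash on -x509 that the post's command lacks), adds a subjectAltName, which newer Docker builds require because Go's TLS client (1.15 and later) no longer falls back to the Common Name, verifies the chain, and then stages the CA under /etc/docker/certs.d/<registry-host>/ca.crt, the per-registry trust directory the Docker daemon reads. The function names, the harbor-test-ca name and the optional certs-root parameter are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project).
# Assumes: openssl on PATH; output directory and FQDN are passed as arguments.

# gen_harbor_certs DIR FQDN
# Writes ca.key/ca.crt and FQDN.key/FQDN.csr/FQDN.crt into DIR. Returns 0 only
# if the host certificate verifies against the CA and carries a DNS SAN for FQDN.
gen_harbor_certs() {
    dir=$1; fqdn=$2
    mkdir -p "$dir" || return 1

    # (1) CA certificate; note -x509 with its leading dash.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bdyg/CN=harbor-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # (2) Host key and CSR; the CN is the Harbor hostname from harbor.cfg.
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bdyg/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null || return 1

    # (3) Sign the CSR with the CA, adding the extensions a TLS server cert needs:
    # a DNS subjectAltName (Go clients ignore the CN) and the serverAuth EKU.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$dir/v3.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/v3.ext" -out "$dir/$fqdn.crt" 2>/dev/null || return 1

    # Checks: the chain validates against the CA and the SAN is present.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -Fq "DNS:$fqdn"
}

# trust_registry_ca FQDN CA_CRT [CERTS_ROOT]
# Installs CA_CRT as CERTS_ROOT/FQDN/ca.crt (default root /etc/docker/certs.d),
# the file the Docker daemon uses as trust anchor for that registry host; this
# is what makes --insecure-registry unnecessary. Refuses a non-CA certificate,
# so a host certificate cannot be installed as a trust anchor by mistake.
trust_registry_ca() {
    fqdn=$1; ca=$2; root=${3:-/etc/docker/certs.d}
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || return 1
    mkdir -p "$root/$fqdn" && cp "$ca" "$root/$fqdn/ca.crt" && chmod 644 "$root/$fqdn/ca.crt"
}
```

On the Harbor host this would be `gen_harbor_certs /usr/local/src/harbor/cert harbor.bd-yg.com`, which produces the file names harbor.cfg expects, followed by `trust_registry_ca harbor.bd-yg.com /usr/local/src/harbor/cert/ca.crt` as root on every docker client that should push to the registry; the CA key itself stays on the signing machine only.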

(5) Start Harbor

# cd /usr/local/src/harbor
# docker-compose up -d

# Check whether the Harbor containers have started
# docker ps
CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                             PORTS                                                              NAMES
123650ae78ce        vmware/harbor-jobservice:v1.3.0-rc1    "/harbor/start.sh"       8 seconds ago       Up 3 seconds (health: starting)                                                                       harbor-jobservice
ef3d83765f23        vmware/nginx-photon:1.11.13            "nginx -g 'daemon of…"   8 seconds ago       Up 3 seconds                       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
33a446fde703        vmware/harbor-ui:v1.3.0-rc1            "/harbor/start.sh"       10 seconds ago      Up 7 seconds (health: starting)                                                                       harbor-ui
72d043d5ec68        vmware/harbor-adminserver:v1.3.0-rc1   "/harbor/start.sh"       14 seconds ago      Up 9 seconds (health: starting)                                                                       harbor-adminserver
b301602dfce9        vmware/registry:2.6.2-photon           "/entrypoint.sh serv…"   14 seconds ago      Up 9 seconds (health: starting)    5000/tcp                                                           registry
c2504ae31ff3        vmware/harbor-db:v1.3.0-rc1            "/usr/local/bin/dock…"   14 seconds ago      Up 10 seconds (health: starting)   3306/tcp                                                           harbor-db
43a522c61b91        vmware/harbor-log:v1.3.0-rc1           "/bin/sh -c /usr/loc…"   16 seconds ago      Up 13 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log

(6) Access test: enter https://harbor.bd-yg.com in the browser. I have not set up DNS resolution; I tested by editing the local /etc/hosts file.

Entering the username and password logs in normally.

(7) Test pushing an image

root@wangenzhi-test-bjqw:~ # docker login -u admin harbor.bd-yg.com
Password: 
Login Succeeded

# Re-tag the busybox image downloaded from the official registry; the name must be prefixed with the Harbor registry's domain and the busybox project created in Harbor.
root@wangenzhi-test-bjqw:~ # docker tag busybox harbor.bd-yg.com/busybox/busybox:latest

root@wangenzhi-test-bjqw:~ # docker push harbor.bd-yg.com/busybox/busybox:latest
The push refers to repository [harbor.bd-yg.com/busybox/busybox]
0271b8eebde3: Pushed 
latest: digest: sha256:91ef6c1c52b166be02645b8efee30d1ee65362024f7da41c404681561734c465 size: 527

After the push succeeds, you can see in Harbor that the busybox project now contains the image, listed under the busybox repository.
