
利用Harbor搭建私有镜像仓库

七公子706 2024-01-10 阅读 13

harbor - 开源的容器镜像仓库

暂不支持ARM架构

安装docker-compose:

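# Install the standalone docker-compose v2 binary (amd64/x86_64 host; pick the matching
# release asset name for other architectures). The original text downloaded the
# x86_64 asset but then copied a non-existent aarch64 file, so the install failed.
COMPOSE_VERSION="v2.19.1"
COMPOSE_ASSET="docker-compose-linux-x86_64"
COMPOSE_URL="https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}"

cd /tmp || exit 1
wget "${COMPOSE_URL}/${COMPOSE_ASSET}"           # the binary
wget "${COMPOSE_URL}/${COMPOSE_ASSET}.sha256"    # checksum published with the same release

# Supply-chain check: refuse to install a binary whose digest does not match the value
# published with the release. This binary runs as root with full Docker privileges, so a
# truncated or tampered download must never reach /usr/local/bin.
sha256sum -c "${COMPOSE_ASSET}.sha256" || exit 1

# install(1) copies, renames and sets mode 0755 in one step (replaces cp + chmod).
install -m 0755 "${COMPOSE_ASSET}" /usr/local/bin/docker-compose
# Symlink for tools (and the systemd unit below) that expect /usr/bin/docker-compose.
ln -sf /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose version                           # confirm the install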

安装harbor:

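# Fetch and unpack the Harbor offline installer into /opt/harbor.
HARBOR_VERSION="v2.8.2"
HARBOR_TGZ="harbor-offline-installer-${HARBOR_VERSION}.tgz"
HARBOR_URL="https://github.com/goharbor/harbor/releases/download/${HARBOR_VERSION}"

# Data volume and log directory referenced later from harbor.yml.
mkdir -p /data/harbor /var/log/harbor

wget -P /opt/ "${HARBOR_URL}/${HARBOR_TGZ}"        # installer tarball (bundles the images)
wget -P /opt/ "${HARBOR_URL}/${HARBOR_TGZ}.asc"    # detached signature published with the release

# Supply-chain check: verify the release signature before unpacking. The Harbor release
# signing key must already be in the local gpg keyring — import it from the Harbor
# project's documentation and compare the fingerprint there before trusting it.
gpg --verify "/opt/${HARBOR_TGZ}.asc" "/opt/${HARBOR_TGZ}" || exit 1

# -C pins the extraction to /opt so the working directory is /opt/harbor regardless of
# the current directory (the original command extracted into wherever the shell was).
tar -zxvf "/opt/${HARBOR_TGZ}" -C /opt
cd /opt/harbor || exit 1

# Pre-load the bundled images (the offline install.sh also does this itself).
docker load -i "harbor.${HARBOR_VERSION}.tar.gz"

# The shipped template is the starting point for harbor.yml; it is edited next.
cp harbor.yml.tmpl harbor.yml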

按需修改harbor.yaml相关参数: 

[root@k8s-master01 harbor]# vim /opt/harbor/harbor.yml  ##注意是绝对路径/opt/harbor/harbor.yml(原文的opt/harbor/harbor.yml是相对路径,只有在/目录下才能打开)。主要参数有hostname、http(s)、port、证书/私钥存放路径、数据存放路径、WebUI登陆所需的账户名/密码等;其中hostname必须与后文签发证书的CN/SAN一致,harbor_admin_password和database.password务必不要沿用模板里的默认值(Harbor12345/root123是公开的默认口令):

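# The IP address or hostname used to reach the admin UI and the registry service.
# DO NOT use localhost or 127.0.0.1: Harbor must be reachable by external clients.
# This value must match the CN/SAN of the TLS certificate configured under https
# below (harbor.cisco.com here; use the IP, e.g. 192.168.146.133, only if the
# certificate carries a matching IP SAN).
hostname: harbor.cisco.com

# http related config
http:
  # Port for http, default 80. When https is enabled this port only redirects to https.
  port: 80

# https related config
https:
  # https port for Harbor, default 443
  port: 443
  # Host paths of the server certificate and private key used by the nginx proxy
  # (generated in the certificate section below and copied to /data/cert).
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key

# # Uncommenting the internal_tls section of the template enables TLS between Harbor's own components.

# Initial password of the Harbor admin account.
# Only applied on the first install; change it again from the UI after launch.
# Never keep the well-known template default (Harbor12345): it is the first value
# anyone scanning for exposed registries will try.
harbor_admin_password: "<replace-with-a-strong-unique-password>"

# Harbor DB configuration
database:
  # Password for the root user of the Harbor DB. Change this before any production use;
  # the template default (root123) is public knowledge.
  password: "<replace-with-a-strong-unique-db-password>"

# The default data volume (must exist; created earlier with mkdir -p /data/harbor)
data_volume: /data/harbor

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated rotate_count times before being removed. If 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only once they exceed rotate_size bytes. A k/M/G suffix selects
    # kilobytes/megabytes/gigabytes, so 100, 100k, 100M and 100G are all valid.
    rotate_size: 200M
    # Host directory that stores the logs
    location: /var/log/harbor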

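cd /opt/harbor || exit 1

# prepare renders the nginx and docker-compose configuration from harbor.yml. Harbor
# fronts every service with this nginx reverse proxy; for https it is prepare that
# wires in the certificate paths set above.
./prepare

# install.sh ships with the installer and lives in /opt/harbor (the original pointed
# at /root/harbor, which nothing on this page creates). --with-trivy deploys the
# bundled vulnerability scanner so pushed images can be scanned before they are used.
./install.sh --with-trivy

# The UI is then reachable on the http port from harbor.yml (80 by default, i.e.
# http://192.168.146.133/ — the ":5000" in the original text does not match the
# harbor.yml above). Log in as admin with the harbor_admin_password you set, and
# change it on first login.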

采用https方式还需要生成相关证书:

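# Generate the private CA and the Harbor server key/CSR.
# Private keys are kept in a root-only directory under /data/cert. The docker client
# certificate directory (/etc/docker/certs.d/<registry>) only ever needs the CA
# certificate, so nothing private is generated there.
HARBOR_HOST="harbor.cisco.com"   # must equal hostname in harbor.yml
CERT_DIR="/data/cert"

# If the nginx https port is remapped (e.g. 5000), the certs.d directory name must
# include it: /etc/docker/certs.d/${HARBOR_HOST}:5000, or 192.168.146.133:5000 when
# clients address the registry by IP. The name must match what docker login/pull use.
mkdir -p "${CERT_DIR}" "/etc/docker/certs.d/${HARBOR_HOST}"
chmod 700 "${CERT_DIR}"
cd "${CERT_DIR}" || exit 1

# Private CA. Whoever holds ca.key can mint certificates every client will trust, so it
# stays on this host with mode 600 (better: move it offline once signing is done).
openssl genrsa -out ca.key 4096
chmod 600 ca.key
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=${HARBOR_HOST}" \
  -key ca.key -out ca.crt

# Harbor server key and CSR. The original req command had no -out, so server.csr
# was never actually written and the signing step below would have failed.
openssl genrsa -out server.key 4096
chmod 600 server.key
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=${HARBOR_HOST}" \
  -key server.key -out server.csr

# Next, create v3.ext in this directory with one of the two extension sets shown below;
# it supplies the SAN that docker/containerd require when validating the server cert.
vim v3.ext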

① 域名方式访问:

# x509v3 extensions applied when the CA signs server.csr (openssl x509 -extfile v3.ext).
authorityKeyIdentifier=keyid,issuer

# Leaf certificate: must not be able to act as a CA itself.
basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

# TLS server certificate only (not usable as a client cert).
extendedKeyUsage = serverAuth

# docker, containerd and browsers match the registry name against the SAN list,
# not the CN, so every name clients will use must appear here.
subjectAltName = @alt_names

[alt_names]

# Must equal hostname in harbor.yml and the name used in docker login/pull.
DNS.1=harbor.cisco.com

# Extra short names only help if clients actually resolve them; drop any you do not use.
DNS.2=harbor.cisco

DNS.3=cisco

② IP方式访问:

# Same extensions as the domain variant, but the SAN is an IP address for clients
# that address the registry by IP (docker login 192.168.x.x[:port]).
authorityKeyIdentifier=keyid,issuer

# Leaf certificate: must not be able to act as a CA itself.
basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

# TLS server certificate only.
extendedKeyUsage = serverAuth

# The IP must be the one clients actually connect to. NOTE(review): this page uses
# both 192.168.1.18 and 192.168.146.133 for the Harbor host — confirm which one applies.
# Both forms can be combined, e.g. subjectAltName = DNS:harbor.cisco.com,IP:192.168.1.18
subjectAltName = IP:192.168.1.18

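# Sign the server CSR with the private CA and place the results where they are needed.
# Run from the directory holding ca.crt, ca.key, server.csr and v3.ext.
HARBOR_HOST="harbor.cisco.com"   # use host:port (e.g. harbor.cisco.com:5000) if the https port is remapped

# v3.ext supplies the SAN; without it modern docker/containerd reject the certificate.
openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
chmod 600 server.key

# harbor.yml points at /data/cert/server.{crt,key}. Skip the copy when the material was
# generated in /data/cert already (cp refuses to copy a file onto itself).
if [ "$(pwd -P)" != "/data/cert" ]; then
  cp server.crt server.key /data/cert/
  chmod 600 /data/cert/server.key
fi

# Docker only needs the CA certificate under certs.d to trust the registry's TLS cert.
# The Harbor docs additionally drop server.cert/server.key there, but *.cert/*.key in
# that directory are docker's *client* certificate slot (mTLS, which Harbor does not
# require); copying the server's private key there only widens its exposure, and the
# PEM-to-.cert conversion from the original is therefore not needed at all.
install -D -m 0644 ca.crt "/etc/docker/certs.d/${HARBOR_HOST}/ca.crt"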

/etc/docker/certs.d/

    └── harbor.cisco.com     <-- 目录名必须与docker login/pull使用的registry地址(含端口)完全一致

       ├── ca.crt       <-- Certificate authority that signed the registry certificate(docker信任私有仓库的TLS证书只需要这一个文件)

       ├── server.cert  <-- Server certificate(可选:docker把此目录下的*.cert/*.key当作客户端证书用于mTLS,Harbor默认不校验客户端证书,可以不放)

       ├── server.key   <-- Server private key(是私钥,不是"签发"产物;放在这里只会扩大私钥暴露面,非必需,任何时候都不要分发到客户端)

       └── server.crt   <-- docker不会读取此文件,可省略

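cd /opt/harbor || exit 1

# Re-run prepare after editing harbor.yml for https: it regenerates the nginx config
# with the certificate/private_key paths from harbor.yml (/data/cert/server.*).
./prepare

# install.sh lives in /opt/harbor (not /root/harbor). --with-trivy deploys the bundled
# vulnerability scanner so images can be scanned on push.
./install.sh --with-trivy

# The UI is then reachable on the https port from harbor.yml (443 by default, i.e.
# https://harbor.cisco.com/ — use the name in the certificate SAN; the ":5000" in the
# original text only applies if you remapped the https port). Log in as admin with the
# harbor_admin_password you set and change it on first login.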

添加harbor开机自启动服务,需要新建harbor.service服务:

[root@k8s-master01 harbor]# vim /etc/systemd/system/harbor.service   

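[Unit]
Description=Harbor Container Registry
# Harbor is a set of docker-compose services, so the unit must start only once the
# Docker daemon is up and must stop with it; network.target alone gives no such
# guarantee and compose would fail at boot.
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target

[Service]
Type=simple
# Run compose in the foreground so systemd tracks the process. The compose file is
# generated by ./prepare in /opt/harbor.
ExecStart=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml down
WorkingDirectory=/opt/harbor
Restart=always
# Avoid a tight restart loop if docker is briefly unavailable.
RestartSec=5

[Install]
# Start in the normal system run level (be explicit rather than relying on default.target).
WantedBy=multi-user.target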

采用http方式使用harbor,需要修改harbor客户端的docker或K8s有关镜像仓库的配置:

修改docker的daemon.json配置:

[root@k8s-master01 harbor]# vim /etc/docker/daemon.json  ##所有安装了docker的节点都需要添加insecure-registries配置,避免docker login的时候报https错误。注意:insecure-registries会让docker对该地址放弃TLS校验并允许明文HTTP,docker login的账号密码和拉取的镜像内容都以明文经过网络,处于同一网段的攻击者可以截获凭据或篡改镜像;只应在隔离的实验环境使用,生产环境请按下文https方式配置。另外这里的端口(5000)必须与harbor.yml里http.port一致(上文模板为80),否则docker仍然会连不上。

{

  "insecure-registries": ["192.168.146.133:5000"],

  "live-restore": true

}

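# daemon.json is read when dockerd starts; daemon-reload is only needed when a unit
# file changed but is harmless here.
systemctl daemon-reload
systemctl restart docker

# Bring the Harbor stack back up after the daemon restart. Point compose at the
# generated file so this works from any directory (the original depended on the cwd).
docker-compose -f /opt/harbor/docker-compose.yml restart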

[root@k8s-master01 harbor]# vim /usr/lib/systemd/system/docker.service  ##另一种方式:在dockerd启动参数里加--insecure-registry,使其对该仓库使用HTTP,避免docker login的时候报https错误。注意它与上面的daemon.json是二选一:同一个选项既写在daemon.json又写在命令行时,dockerd会报"directives are specified both as a flag and in the configuration file"并拒绝启动;推荐只改daemon.json。

--13行--修改(只在原ExecStart后追加参数,不要删掉-H fd://和--containerd=…):

ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.146.133:5000 --containerd=/run/containerd/containerd.sock  (推荐)或

ExecStart=/usr/bin/dockerd --insecure-registry 192.168.146.133:5000  (不推荐:去掉了-H fd://和--containerd,会使docker.socket激活和containerd连接失效)

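# The unit file changed, so systemd must re-read it before the restart.
systemctl daemon-reload
systemctl restart docker

# Bring the Harbor stack back up after the daemon restart. Point compose at the
# generated file so this works from any directory (the original depended on the cwd).
docker-compose -f /opt/harbor/docker-compose.yml restart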

修改k8s的config.toml配置:

[root@k8s-master01 harbor]# vim /etc/containerd/config.toml

# CRI registry mirror for the plain-http Harbor endpoint. The host:port key must be
# exactly the registry name used in image references (192.168.146.133:5000), and the
# port must be the http port configured in harbor.yml.
# NOTE(review): registry.mirrors is deprecated in newer containerd releases in favour
# of registry.config_path + hosts.toml — confirm against the installed containerd version.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.146.133:5000"]

    # http:// means no TLS: pulls and credentials cross the network in clear text. Lab use only.
    endpoint = ["http://192.168.146.133:5000"]

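systemctl restart containerd

# Test pull. Two differences from the original command:
#  * The admin password is no longer on the command line (it would be recorded in shell
#    history and visible in `ps` to every user on the node). With only the user name
#    given, ctr prompts for the password. Prefer a Harbor robot account with pull-only
#    permission on the project over the admin account for node pulls.
#  * The image reference includes the registry port (192.168.146.133:5000), matching the
#    mirror key above; the original omitted it.
# Note that ctr does not read the CRI plugin's registry.mirrors config — it talks to
# the registry directly (hence --plain-http). To exercise the path kubelet actually
# uses, run `crictl pull 192.168.146.133:5000/kubernetes/harbor-exporter:v2.3.2`.
ctr -n k8s.io image pull --plain-http --user admin 192.168.146.133:5000/kubernetes/harbor-exporter:v2.3.2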

采用https方式使用harbor,需要修改harbor客户端的docker或K8s有关镜像仓库的配置:

修改docker的daemon.json配置:

[root@k8s-master01 ~]# ssh root@客户机ip "mkdir -p /etc/docker/certs.d/harbor.cisco.com" && scp /etc/docker/certs.d/harbor.cisco.com/ca.crt root@客户机ip:/etc/docker/certs.d/harbor.cisco.com/   ##从harbor服务端把CA证书拷贝到harbor客户端。客户端目录要先创建,否则scp会把ca.crt存成一个名为harbor.cisco.com的普通文件;只需要分发ca.crt,ca.key/server.key任何时候都不要复制到客户端;目录名必须与docker login/pull使用的registry地址(含端口)完全一致。

[root@k8s-master01 ~]# vim /etc/docker/daemon.json   ##注意:要让docker信任私有仓库的证书,把ca.crt放进/etc/docker/certs.d/<仓库地址>/已经足够,下面这段daemon.json不是必需的,而且有几处容易误导:registry-mirrors只是Docker Hub的加速镜像列表(且应写成带https://的完整URL),并不表示"信任某个私有仓库";tls/tlscacert/tlscert/tlskey配置的是dockerd自身远程API(-H tcp://)的TLS,与访问registry无关,其中引用的client.cert/client.key本文从未生成,文件缺失可能导致dockerd无法启动;debug:true会显著增加日志量。如不需要远程API,建议只保留live-restore。

{

  "registry-mirrors": ["your-harbor-domain.com"],

  "debug": true,

  "experimental": false,

  "tls": true,

  "tlscacert": "/etc/docker/certs.d/your-harbor-domain.com/ca.crt",

  "tlscert": "/etc/docker/certs.d/your-harbor-domain.com/client.cert",

  "tlskey": "/etc/docker/certs.d/your-harbor-domain.com/client.key",

  "live-restore": true

}

[root@k8s-master01 ~]# systemctl restart docker.service

修改K8s的config.toml配置:

[root@k8s-master01 ~]# ssh root@客户机ip "mkdir -p /etc/docker/certs.d/harbor.cisco.com" && scp /etc/docker/certs.d/harbor.cisco.com/ca.crt root@客户机ip:/etc/docker/certs.d/harbor.cisco.com/   ##从harbor服务端把CA证书拷贝到K8s节点(目录需先存在)。只分发ca.crt,不要复制任何私钥;下面config.toml里ca_file的路径必须指向这里实际存放ca.crt的位置。

[root@k8s-master01 harbor]# vim /etc/containerd/config.toml

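# CRI registry config for the TLS Harbor endpoint. The key and endpoint use the hostname
# that appears in the certificate SAN and in image references (append :port if remapped).
# NOTE(review): registry.mirrors/registry.configs are deprecated in newer containerd
# releases in favour of registry.config_path + hosts.toml — confirm against the installed version.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."your-harbor-domain.com"]
    endpoint = ["https://your-harbor-domain.com"]

# TLS settings belong under registry.configs.<host>.tls, not under the mirrors entry
# (the original put ca_file/cert_file/key_file in the mirrors table, where containerd
# ignores them, so the private CA was never trusted).
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."your-harbor-domain.com".tls]
    # CA certificate copied from the Harbor host; must be the path the scp above wrote to
    # (the original referenced /root/certs.d, which nothing on this page creates).
    ca_file = "/etc/docker/certs.d/your-harbor-domain.com/ca.crt"
    # cert_file/key_file are only for client-certificate (mTLS) auth, which Harbor does
    # not use. The client.cert/client.key the original referenced were never generated,
    # and a missing file here fails every pull from this registry, so they are omitted.
    # Never set insecure_skip_verify here: it disables the check this CA file provides.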

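systemctl restart containerd

# Test over TLS through the CRI path that kubelet uses: crictl honours the
# registry.configs tls settings above (assuming /etc/crictl.yaml points at containerd),
# whereas plain ctr ignores them and relies on the OS trust store. Do not pass
# --plain-http against an https endpoint as the original did — it downgrades the
# connection and bypasses the CA check you just configured. The registry name must be
# the hostname in the certificate SAN, not the bare IP.
crictl pull your-harbor-domain.com/kubernetes/harbor-exporter:v2.3.2

# If the project is private, crictl needs credentials. `--creds user:password` puts the
# secret in shell history and `ps` output, so use a pull-only robot account rather than
# admin, and run it from a root-only shell.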

在harbor客户端验证是否能够登陆harbor客户端:

[root@k8s-master01 ~]# docker login harbor.cisco.com 或 docker login harbor.cisco.com:port  ##在harbor客户端验证是否能登录harbor。登录地址必须与证书SAN以及/etc/docker/certs.d/下的目录名一致(原文的harbor.chengonglei.com与前文的harbor.cisco.com不一致)。注意docker login默认把账号密码以base64明文保存在~/.docker/config.json中,如未配置credential helper请限制该文件权限;日常推送/拉取建议使用项目级普通账号或robot账号,不要用admin。

[root@k8s-master01 ~]# vim /etc/hosts  ##没有DNS时在每个客户端加hosts解析进行测试。IP必须是Harbor实际监听的地址,并且与证书里的IP SAN(如果按IP方式签发)一致——本文先后出现了192.168.146.133和192.168.1.18两个地址,请统一成实际使用的那个

192.168.1.18 harbor.cisco.com

Harbor维护命令:

docker-compose -f /opt/harbor/docker-compose.yml down -v  ##关停harbor。-v会删除compose文件中声明的匿名/命名卷;Harbor的持久数据(数据库、镜像层)绑定挂载在data_volume(/data/harbor)下,所以不会被删除,但如果自行给compose加过命名卷就不要带-v。命令要在/opt/harbor下执行或用-f指定compose文件;如已配置上面的harbor.service,请改用systemctl stop/start harbor,避免systemd与手工操作互相冲突。

docker-compose -f /opt/harbor/docker-compose.yml up -d  ##重新启动harbor

FAQ:

cat intermediate-certificate.pem >> yourdomain.com.crt   ##如果使用证书签发机构的中间证书,请把中间证书追加到服务器证书之后形成证书链(顺序必须是服务器证书在前、中间证书在后),否则客户端无法构建信任链。

cp ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt  ##在某些系统上Docker守护进程(以及containerd/ctr)使用的是操作系统信任库,需要在系统层面信任签发证书的CA:加入anchors的应是CA证书ca.crt(自签发场景)或机构根证书,而不是服务器证书本身。此命令适用于RHEL/CentOS系;Debian/Ubuntu请把CA证书放到/usr/local/share/ca-certificates/并执行update-ca-certificates。

update-ca-trust
