harbor - 开源的容器镜像仓库
暂不支持ARM架构
安装docker-compose:
[root@k8s-master01 harbor]# wget https://github.com/docker/compose/releases/download/v2.19.1/docker-compose-linux-x86_64 ##下载Amd64架构安装包
[root@k8s-master01 harbor]# cp docker-compose-linux-aarch64 /usr/local/bin/docker-compose ##拷贝到/usr/local/bin下并重命名为docker-compose
[root@k8s-master01 harbor]# chmod +x /usr/local/bin/docker-compose ##赋予可执行权限
[root@k8s-master01 harbor]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose ##新建软链
[root@k8s-master01 harbor]# docker-compose version ##安装完成后,查看版本
安装harbor:
[root@k8s-master01 harbor]# mkdir -p /data/harbor /var/log/harbor ##新建目录
[root@k8s-master01 harbor]# wget -P /opt/ https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz ##将下载文件放到/opt/目录下
[root@k8s-master01 harbor]# tar -zxvf /opt/harbor-offline-installer-v2.8.2.tgz ##解压完成后,会生成一个harbor目录,也就是harbor的工作目录
[root@k8s-master01 harbor]# cd /opt/harbor
[root@k8s-master01 harbor]# docker load -i harbor.v2.8.2.tar.gz
[root@k8s-master01 harbor]# cp harbor.yml.tmpl harbor.yml ##改文件名为.yml格式
按需修改harbor.yaml相关参数:
[root@k8s-master01 harbor]# vim opt/harbor/harbor.yml ##主要参数有hostname、http(s)、port、证书/私钥存放路径、数据存放路径、WebUI登陆所需的账户名/密码等:
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.cisco.com或192.168.146.133
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/server.crt
private_key: /data/cert/server.key
# # Uncomment following will enable tls communication between all harbor components
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The default data volume
data_volume: /data/harbor
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor
[root@k8s-master01 harbor]# ./prepare ##Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用https
[root@k8s-master01 harbor]# sh /root/harbor/install.sh ##初始化服务后,访问http://192.168.146.133:5000(默认密码:admin/Harbor12345)
采用https方式还需要生成相关证书:
[root@k8s-master01 harbor]# mkdir -p /data/cert /etc/docker/certs.d/harbor.cisco.com 或
mkdir -p /data/cert /etc/docker/certs.d/192.168.146.133:5000 或
mkdir -p /data/cert /etc/docker/certs.d/harbor.cisco.com:5000 ##把默认的nginx端口443映射到一个不同的端口
[root@k8s-master01 harbor]# cd /etc/docker/certs.d/harbor.cisco.com 或
cd /etc/docker/certs.d/192.168.146.133:5000 或
cd /etc/docker/certs.d/harbor.cisco.com:5000
[root@k8s-master01 harbor.cisco.com]# openssl genrsa -out ca.key 4096 ##生成ca证书私钥
[root@k8s-master01 harbor.cisco.com]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.cisco.com" -key ca.key -out ca.crt ##生成ca证书
[root@k8s-master01 harbor.cisco.com]# openssl genrsa -out server.key 4096 ##生成harbor服务器证书私钥
[root@k8s-master01 harbor.cisco.com]# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.cisco.com" -key server.key server.csr ##生成harbor服务器证书签发请求文件
[root@k8s-master01 harbor.cisco.com]# vim v3.ext ##新创建v3.ext文件,用于协助签发harbor服务器证书
① 域名方式访问:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.cisco.com
DNS.2=harbor.cisco
DNS.3=cisco
② IP方式访问:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.1.18
[root@k8s-master01 harbor.cisco.com]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt ##生成harbor服务器证书
[root@k8s-master01 harbor.cisco.com]# cp server.crt server.key /data/cert/ ##把server.crt和server.key拷贝到/data/cert/,供harbor.yml指定证书路径使用
[root@k8s-master01 harbor.cisco.com]# openssl x509 -inform PEM -in server.crt -out server.cert ##把.crt转换为.cert供doker的配置文件daemon.json使用
[root@k8s-master01 harbor.cisco.com]# cp server.cert server.key ca.crt /etc/docker/certs.d/harbor.cisco.com ##把这三个文件拷贝到docker的证书目录下
/etc/docker/certs.d/
└── harbor.cisco.com
├── server.cert <-- Server certificate signed by CA
├── server.key <-- Server key signed by CA
├── server.crt <-- Server certificate signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
[root@k8s-master01 harbor]# ./prepare #Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用https
[root@k8s-master01 harbor]# sh /root/harbor/install.sh #初始化服务后,访问https://192.168.146.133:5000(默认密码:admin/Harbor12345)
添加harbor开机自启动服务,需要新建harbor.service服务:
[root@k8s-master01 harbor]# vim /etc/systemd/system/harbor.service
[Unit]
Description=Harbor Container Registry
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml down
WorkingDirectory=/opt/harbor
Restart=always
[Install]
WantedBy=default.target
采用http方式使用harbor,需要修改harbor客户端的docker或K8s有关镜像仓库的配置:
修改docker的daemon.json配置:
[root@k8s-master01 harbor]# vim /etc/docker/daemon.json ##所有安装了docker的节点都需要添加insecure-registries配置,避免docker login的时候报https错误
{
"insecure-registries": ["192.168.146.133:5000"],
"live-restore": true
}
[root@k8s-master01 harbor]# systemctl daemon-reload
[root@k8s-master01 harbor]# systemctl restart docker
[root@k8s-master01 harbor]# docker-compose restart
或
[root@k8s-master01 harbor]# vim /usr/lib/systemd/system/docker.service ##在Docker server启动的时候,增加启动参数,使其默认使用HTTP访问,避免docker login的时候报https错误
--13行--修改
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 192.168.146.133:5000 --containerd=/run/containerd/containerd.sock 或
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.146.133:5000
[root@k8s-master01 harbor]# systemctl daemon-reload
[root@k8s-master01 harbor]# systemctl restart docker
[root@k8s-master01 harbor]# docker-compose restart
修改k8s的config.toml配置:
[root@k8s-master01 harbor]# vim /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.146.133:5000"]
endpoint = ["http://192.168.146.133:5000"]
[root@k8s-master01 harbor]# systemctl restart containerd
[root@k8s-master01 harbor]# ctr -n k8s.io image pull 192.168.146.133/kubernetes/harbor-exporter:v2.3.2 --plain-http --user admin:Harbor12345
采用https方式使用harbor,需要修改harbor客户端的docker或K8s有关镜像仓库的配置:
修改docker的daemon.json配置:
[root@k8s-master01 ~]# scp -r /etc/docker/certs.d/harbor.cisco.com/ca.crt root@客户机ip:/etc/docker/certs.d/harbor.cisco.com/ ##从harbor服务端,把相关证书文件拷贝到harbor客户端
[root@k8s-master01 ~]# vim /etc/docker/daemon.json ##修改registry-mirrors
{
"registry-mirrors": ["your-harbor-domain.com"],
"debug": true,
"experimental": false,
"tls": true,
"tlscacert": "/etc/docker/certs.d/your-harbor-domain.com/ca.crt",
"tlscert": "/etc/docker/certs.d/your-harbor-domain.com/client.cert",
"tlskey": "/etc/docker/certs.d/your-harbor-domain.com/client.key",
"live-restore": true
}
[root@k8s-master01 ~]# systemctl restart docker.service
修改K8s的config.toml配置:
[root@k8s-master01 ~]# scp -r /etc/docker/certs.d/harbor.cisco.com/ca.crt root@客户机ip:/etc/docker/certs.d/harbor.cisco.com/ ##从harbor服务端,把相关证书文件拷贝到harbor客户端
[root@k8s-master01 harbor]# vim /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."your-harbor-domain.com"]
endpoint = ["https://your-harbor-domain.com"]
ca_file = "/root/certs.d/your-harbor-domain.com/ca.crt"
cert_file = "/root/certs.d/your-harbor-domain.com/client.cert"
key_file = "/root/certs.d/your-harbor-domain.com/client.key"
[root@k8s-master01 ~]# systemctl restart containerd
[root@k8s-master01 harbor]# ctr -n k8s.io image pull 192.168.146.133/kubernetes/harbor-exporter:v2.3.2 --plain-http --user admin:Harbor12345 ##测试
在harbor客户端验证是否能够登陆harbor客户端:
[root@k8s-master01 ~]# docker login harbor.chengonglei.com 或 docker login harbor.chengonglei.com:port ##harbor客户端可以采用这种方式进行验证
[root@k8s-master01 ~]# vim /etc/hosts ##进行测试
192.168.1.18 harbor.cisco.com
Harbor维护命令:
docker-compose down -v ##关停harbor(数据不会被删除)
docker-compose up -d ##重启harbor
FAQ:
cat intermediate-certificate.pem >> yourdomain.com.crt ##如果使用证书签发机构的中间证书,请将中间证书与自己的证书合并,创建证书捆绑包。
cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt ##当Docker守护进程在某些操作系统上运行时,你可能需要在操作系统层面信任证书。
update-ca-trust
