Introduction
Today my boss asked me to set up a private Harbor registry, so here are my notes on the installation.
Versions:
| Component | Version |
|---|---|
| docker | 17.09.1-ce |
| docker-compose | 1.18.0 |
| harbor | v1.8.0 |
Preparation
- a CentOS 7 virtual machine
- install docker
- turn off the firewall and the other odds and ends of prep work
- download docker-compose
- download harbor-offline-installer

docker-compose:
```sh
curl -L https://github.com/docker/compose/releases/download/1.25.0-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```
harbor-offline-installer:
https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0.tgz
Installation
Put docker-compose into a directory on the PATH:
```sh
cp docker-compose /usr/local/bin/
chmod +x /usr/local/bin/docker-compose
```
Unpack harbor and run the install script:
```sh
tar zxvf harbor-offline-installer-v1.8.0.tgz
cd harbor
# edit the configuration file:
vim harbor.cfg
# hostname 192.168.1.24
# install script
./install.sh
```
Error:
```
[root@localhost harbor]# ./install.sh
[Step 0]: checking installation environment ...
✖ Need to upgrade docker package to 17.06.0+.
```
It complains that the docker version is too low; a plain yum install usually gives you 1.13.1, which is really annoying. Next I will write a post on how to install a specific docker version.
```
[root@localhost ~]# docker version
Client:
Version: 17.09.1-ce
API version: 1.32
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:23:40 2017
OS/Arch: linux/amd64
Server:
Version: 17.09.1-ce
API version: 1.32 (minimum version 1.12)
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:25:03 2017
OS/Arch: linux/amd64
Experimental: false
```
After upgrading, run install.sh.
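The install.sh "[Step 0]" failure above is a version gate that is cheap to reproduce before running the installer. The following shell script is an added example, not part of the original post or of Harbor's own install.sh: it parses the docker version string, compares it numerically against the 17.06.0 minimum quoted in the error, and exits non-zero with the same message when the daemon is too old.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce Harbor's "[Step 0]" docker
# version gate locally so the failure shows up before install.sh is run.
# The 17.06.0 minimum is the one quoted in the install.sh error above.

# version_ge A B -- returns 0 if dotted version A >= B.
# Components are compared numerically, so "09" equals "9" and "17.6" equals "17.06".
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# docker_version_number "17.09.1-ce" -> "17.09.1": drops a leading "v" and any
# suffix such as "-ce" so only the dotted number remains.
docker_version_number() {
  printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*$//'
}

# check_docker_for_harbor VERSION [MIN] -- returns 0 if VERSION satisfies the gate.
# MIN defaults to the 17.06.0 that Harbor 1.8's install.sh demands.
check_docker_for_harbor() {
  ver="$1"; min="${2:-17.06.0}"
  num=$(docker_version_number "$ver")
  if [ -z "$num" ]; then
    echo "cannot parse docker version '$ver'" >&2
    return 1
  fi
  if version_ge "$num" "$min"; then
    echo "docker $ver satisfies Harbor's requirement ($min+)"
    return 0
  fi
  echo "Need to upgrade docker package to $min+ (found $ver)" >&2
  return 1
}

# Usage on the Harbor host, before ./install.sh:
#   check_docker_for_harbor "$(docker version --format '{{.Server.Version}}')"
```

The check reads the server (daemon) version rather than the client version, because that is the one install.sh cares about; on the 1.13.1 that yum ships by default the function returns 1, on the 17.09.1-ce shown above it returns 0.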
Harbor LDAP configuration
Edit harbor.yml:
```yaml
auth_mode: ldap_auth
ldap_url: ldap://172.18.143.190
ldap_basedn: ou=users,dc=devel,dc=cluster
ldap_searchdn: cn=ldapadm,dc=devel,dc=cluster
ldap_search_pwd: 123456
ldap_uid: cn
ldap_scope: 3
ldap_timeout: 50
```
Restart:
```sh
./prepare
docker-compose down -v
docker-compose rm -f
docker-compose up -d
```
No effect? Why? Don't know...
Not sure why, but open the Harbor UI dashboard, log in as admin, then click: Administration - Configuration, enter the settings by hand, and click Save.
(screenshot: ldap.png)
Success!
Enabling HTTPS on Harbor
Generate the certificates:
```sh
mkdir -p /data/cert
cd /data/cert
# generate the CA key
openssl genrsa -out ca.key 4096
# generate the CA crt
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=chinatelecom/OU=ecloudcaas/CN=172.18.141.128" \
-key ca.key \
-out ca.crt
# generate the key for your own domain
openssl genrsa -out 172.18.141.128.key 4096
# generate the csr for your own domain
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=chinatelecom/OU=ecloudcaas/CN=172.18.141.128" \
-key 172.18.141.128.key \
-out 172.18.141.128.csr
# write the external config file that the openssl command needs
# the important part is subjectAltName; this uses IP.1=yourip, you can also write DNS.1=yourdomainname
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP=172.18.141.128
EOF
# generate the crt from the v3.ext and csr prepared above
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in 172.18.141.128.csr \
-out 172.18.141.128.crt
# convert the server crt into the cert used by the client
openssl x509 -inform PEM -in 172.18.141.128.crt -out 172.18.141.128.cert
```
Edit the configuration:
```yaml
# https related config
https:
  port: 443
  certificate: /data/cert/harbor.ctyun.cn.crt
  private_key: /data/cert/harbor.ctyun.cn.key
```
Restart
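The certificate steps above are easy to get subtly wrong: a missing subjectAltName, a certificate that does not chain to the CA handed to clients, or a harbor.yml that points at file names other than the ones generated. The script below is an added example, not code from the original post or from the Harbor project. It wraps the same openssl commands into a function that takes the output directory and the registry address as parameters (an IP as in the post, or a DNS name), then verifies the result and prints a harbor.yml https block that references the files actually produced. The O/OU values in the -subj strings are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): generate the CA and Harbor server
# certificate as the post does, verify them, and emit a matching harbor.yml block.
# "example"/"harbor" in the -subj strings are placeholder organisation names.

# make_harbor_certs DIR HOST -- HOST is an IP (as in the post) or a DNS name.
make_harbor_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"

  # CA key and self-signed CA certificate (this is what docker clients must trust).
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=harbor/CN=harbor-ca" \
    -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Server key and CSR. The CN carries the address, but clients do not match on it.
  openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null
  openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=harbor/CN=$host" \
    -key "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null

  # subjectAltName is mandatory: Go-based clients such as docker only match the
  # address against the SAN. Use IP.1 or DNS.1 depending on what HOST looks like.
  case "$host" in
    *[!0-9.]*) san="DNS.1 = $host" ;;
    *)         san="IP.1 = $host" ;;
  esac
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
$san
EOF

  # Sign the CSR with the CA, attaching the extensions above.
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null

  # The .cert copy is the one that goes into /etc/docker/certs.d/<host>/ on clients.
  openssl x509 -inform PEM -in "$dir/$host.crt" -out "$dir/$host.cert"
}

# verify_harbor_cert DIR HOST -- returns 0 only if the cert is usable for HOST.
verify_harbor_cert() {
  dir="$1"; host="$2"
  crt="$dir/$host.crt"; key="$dir/$host.key"
  [ -f "$crt" ] && [ -f "$key" ] || return 1
  # 1. The server cert must chain to the CA that clients will be given.
  openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  # 2. The SAN must name the address clients will dial.
  openssl x509 -in "$crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qF "$host" || return 1
  # 3. Certificate and private key must carry the same public key.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  return 0
}

# print_harbor_https_config DIR HOST -- harbor.yml https block pointing at the files
# generated above, so the config and the generated names cannot drift apart.
print_harbor_https_config() {
  dir="$1"; host="$2"
  printf 'https:\n  port: 443\n  certificate: %s/%s.crt\n  private_key: %s/%s.key\n' \
    "$dir" "$host" "$dir" "$host"
}

# Usage on the Harbor host (as root), before ./prepare and the restart:
#   make_harbor_certs /data/cert 172.18.141.128
#   verify_harbor_cert /data/cert 172.18.141.128 && print_harbor_https_config /data/cert 172.18.141.128
```

Running verify_harbor_cert before the restart catches the three failures that otherwise only surface as an opaque "x509" error from docker login: a server certificate signed by a different CA than the one copied to clients, a certificate without the address in its SAN, and a key that does not belong to the certificate.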
Now test from the docker client side
```sh
# copy the domain's cert, key and ca.crt into the
# /etc/docker/certs.d/yourdomain/ directory on the docker client host
# on centos7, trust the certificate manually
cp 172.18.141.128.cert /etc/pki/ca-trust/source/anchors/172.18.141.128.cert
update-ca-trust
# login test
docker login 172.18.141.128
Username (admin):
Password:
Login Succeeded
# push test
docker tag ef46e0caa533 172.18.141.128/test111/busybox:latest
docker push 172.18.141.128/test111/busybox:latest
```
That's all ↑