Harbor Service Deployment
Introduction
This service is used for internal network testing.
Test environment
| Hostname | OS | IP | Public access | Notes |
|---|---|---|---|---|
| harbor | CentOS 7.9 | 172.17.80.82 | Yes (bridged) | VM on a personal office PC |

| Account | Password |
|---|---|
| root | root@123 |
Configure the NTP service
Install ntpdate
yum -y install ntpdate
Configure crontab and automatic time sync at boot
crontab -e
0 */2 * * * /usr/sbin/ntpdate 114.118.7.161
# Add the command to /etc/rc.d/rc.local so it runs automatically after boot
vim /etc/rc.d/rc.local
.
.
/usr/sbin/ntpdate 114.118.7.161
.
.
Install docker and docker-compose
Install docker-ce
docker-ce is the community edition of Docker; see the reference link for the installation steps.
Reference: docker-ce | Mirror usage help | Tsinghua University Open Source Software Mirror | Tsinghua Open Source Mirror
Install docker-compose
Installed from the binary release.
Download: Releases · docker/compose · GitHub
mkdir -p /opt/docker-compose
cd /opt/docker-compose
mv /tmp/docker-compose-linux-x86_64 ./
chmod +x docker-compose-linux-x86_64
ln -s /opt/docker-compose/docker-compose-linux-x86_64 /usr/local/bin/docker-compose
[root@harbor ~]# docker-compose --version
Docker Compose version v2.18.1
Note: this is a personal test environment with no dedicated data disk, so the Docker storage path was not changed.
Configure the SSL certificate
An SSL certificate is used to secure access to Harbor, so a self-signed certificate is created first; if you already have a certificate you can use it directly.
Reference: Harbor docs | Configure HTTPS Access to Harbor (goharbor.io)
Create the directories
mkdir -p /opt/Harbor/certs
cd /opt/Harbor/certs
Create the self-signed CA private key
openssl genrsa -out ca.key 4096
[root@harbor certs]# ls
ca.key
Generate the CA certificate
The subject attributes must be set according to your environment.
[root@harbor certs]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=LiaoNing/L=ShenYang/O=lnsz/OU=om/CN=test.harbor.guofei" \
> -key ca.key \
> -out ca.crt
[root@harbor certs]# ls
ca.crt ca.key
Generate the server certificate
The subject attributes must be set according to your environment.
[root@harbor certs]# openssl genrsa -out test.harbor.guofei.key 4096
Generating RSA private key, 4096 bit long modulus
.................................................................++
............................................................................................++
e is 65537 (0x10001)
[root@harbor certs]# ls
ca.crt ca.key test.harbor.guofei.key
Generate the certificate signing request
The subject attributes must be set according to your environment.
[root@harbor certs]# openssl req -sha512 -new \
> -subj "/C=CN/ST=LiaoNing/L=ShenYang/O=lnsz/OU=om/CN=test.harbor.guofei" \
> -key test.harbor.guofei.key \
> -out test.harbor.guofei.csr
[root@harbor certs]# ls
ca.crt ca.key test.harbor.guofei.csr test.harbor.guofei.key
Generate the x509 v3 extension file
The alt_names section must list the domain name(s) or IP(s) the SSL certificate is bound to; multiple entries can be given.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=test.harbor.guofei
DNS.2=172.17.80.82
DNS.3=harbor
EOF
Use this file to generate the certificate for the Harbor host
The subject attributes must be set according to your environment.
[root@harbor certs]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in test.harbor.guofei.csr \
> -out test.harbor.guofei.crt
Signature ok
subject=/C=CN/ST=LiaoNing/L=ShenYang/O=lnsz/OU=om/CN=test.harbor.guofei
Getting CA Private Key
[root@harbor certs]# ls
ca.crt ca.key ca.srl test.harbor.guofei.crt test.harbor.guofei.csr test.harbor.guofei.key v3.ext
This completes the self-signed certificate process.
Convert the certificate format and configure it for Docker
Because this deployment uses Docker, the existing .crt and .key files must be converted into the .cert and .key layout Docker expects (Docker treats .crt files under certs.d as CA certificates and .cert files as client certificates).
[root@harbor certs]# openssl x509 -inform PEM -in test.harbor.guofei.crt -out test.harbor.guofei.cert
[root@harbor certs]# ls
ca.crt ca.key ca.srl test.harbor.guofei.cert test.harbor.guofei.crt test.harbor.guofei.csr test.harbor.guofei.key v3.ext
[root@harbor test.harbor.guofei]# cp /opt/Harbor/certs/test.harbor.guofei.cert /etc/docker/certs.d/test.harbor.guofei/
[root@harbor test.harbor.guofei]# cp /opt/Harbor/certs/test.harbor.guofei.key /etc/docker/certs.d/test.harbor.guofei/
[root@harbor test.harbor.guofei]# cp /opt/Harbor/certs/ca.crt /etc/docker/certs.d/test.harbor.guofei/
[root@harbor test.harbor.guofei]# cd /etc/docker/certs.d/test.harbor.guofei/
[root@harbor test.harbor.guofei]# ls
ca.crt test.harbor.guofei.cert test.harbor.guofei.key
Restart Docker
systemctl restart docker
Deploy the Harbor service
Deployed with Docker.
Download: Releases · goharbor/harbor (github.com)
Create the directories
mkdir -p /opt/Harbor
cd /opt/Harbor
[root@harbor Harbor]# tar -xvf harbor-offline-installer-v2.8.1.tgz
harbor/harbor.v2.8.1.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
[root@harbor Harbor]# ls
certs harbor harbor-offline-installer-v2.8.1.tgz
Edit the Harbor configuration file
cd /opt/Harbor/harbor
cp ./harbor.yml.tmpl ./harbor.yml
vim /opt/Harbor/harbor/harbor.yml
.
.
hostname: test.harbor.guofei
.
https:
  # https port for harbor, default is 443
  port: 14433
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
  certificate: /etc/docker/certs.d/test.harbor.guofei/test.harbor.guofei.cert
  private_key: /etc/docker/certs.d/test.harbor.guofei/test.harbor.guofei.key
.
.
Run the install script to deploy the service
cd /opt/Harbor/harbor
./install.sh --with-trivy
The following output indicates the service was installed successfully:
.
.
[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)
[+] Running 11/11
✔ Network harbor_harbor Created 0.8s
✔ Container harbor-log Started 1.0s
✔ Container registry Started 2.8s
✔ Container registryctl Started 2.2s
✔ Container harbor-db Started 2.7s
✔ Container harbor-portal Started 2.5s
✔ Container redis Started 2.4s
✔ Container harbor-core Started 3.4s
✔ Container trivy-adapter Started 3.2s
✔ Container nginx Started 5.1s
✔ Container harbor-jobservice Started 4.5s
✔ ----Harbor has been installed and started successfully.----
Harbor access test
Web test
URL: https://test.harbor.guofei:14433/harbor/projects
Depending on your environment you may need to configure hosts entries.
Client connection test
Because the test certificate is self-signed it is treated as untrusted, so before the access test add --insecure-registry=<registry address> to /lib/systemd/system/docker.service so that access is not refused because of the untrusted certificate. Note: the Docker service must be restarted after the change.
Example:
vim /lib/systemd/system/docker.service
.
.
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=test.harbor.guofei:14433
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always
.
.
systemctl daemon-reload
systemctl restart docker
Copy the SSL certificate to the client:
scp -P 2200 ./test.harbor.guofei.crt test@192.168.1.20:/tmp # copy the certificate (public key) file to the target host
The certificate must be stored on the client under a specific path:
mkdir -p /etc/docker/certs.d/test.harbor.guofei/ # create the directory for the certificate
mv /tmp/test.harbor.guofei.crt /etc/docker/certs.d/test.harbor.guofei/ # note: the certs.d directory name must be spelled exactly
chown root:root /etc/docker/certs.d/test.harbor.guofei/test.harbor.guofei.crt
vim /etc/hosts # configure name resolution on the client
Test logging in with docker:
docker login test.harbor.guofei:14433 # the default port was changed, so the port number must be included
Username:
Password:
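Added check, not part of the original page, covering the self-signed certificate section above and the client trust setup: check_harbor_cert uses openssl to verify what dockerd (a Go client, which ignores the CN and matches only subjectAltName) checks when it loads a CA from /etc/docker/certs.d. It assumes the openssl CLI is in PATH; the CA and server certificate that make_sample builds are constructed throwaways, not the page's files.

```shell
#!/bin/sh
# Added example, not from the original page. check_harbor_cert verifies what
# dockerd (a Go client) checks when it loads a CA from /etc/docker/certs.d:
# the chain to ca.crt and a subjectAltName entry for the login name (Go
# ignores the CN). Assumes the openssl CLI is in PATH.
check_harbor_cert() {
  ca=$1; crt=$2; name=$3
  # 1. chain: the server certificate must be issued by the CA in ca.crt
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL chain: $crt is not signed by $ca"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text) || return 1
  # 2. SAN: the name given to `docker login` must be a DNS: or IP Address: entry
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
    | grep -qE "(DNS|IP Address):$name(,|\$)" \
    || { echo "FAIL san: $name is not in subjectAltName"; return 1; }
  # 3. EKU: the page's v3.ext sets extendedKeyUsage = serverAuth
  printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL eku: serverAuth is missing"; return 1; }
  echo "OK: $crt is trusted for $name"
}

# Constructed throwaway CA and server certificate (2048-bit for speed) in a
# temp dir whose path is printed. The IP goes in as IP:, not DNS:, because Go
# matches an IP-based login only against IP Address entries.
make_sample() {
  d=$(mktemp -d)
  openssl req -new -nodes -newkey rsa:2048 -subj /CN=sample-ca \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\n' \
    "$1" "$2" > "$d/v3.ext"
  openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/v3.ext" -out "$d/srv.crt" 2>/dev/null
  echo "$d"
}

# Stand-alone demo: the first check passes, the second fails on the SAN
sample=$(make_sample harbor.example 10.0.0.5)
check_harbor_cert "$sample/ca.crt" "$sample/srv.crt" harbor.example
check_harbor_cert "$sample/ca.crt" "$sample/srv.crt" wrong.example || true
```

On the Harbor host the equivalent check is `check_harbor_cert ca.crt test.harbor.guofei.crt test.harbor.guofei`. When Harbor listens on a port other than 443, Docker reads the CA from /etc/docker/certs.d/test.harbor.guofei:14433/ca.crt (host:port directory), and with that file in place --insecure-registry, which disables certificate verification, is not needed.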
Management commands
Because the service runs as Docker images, managing the service really means managing the Docker containers. The containers are created from docker-compose.yml, so the management commands are as follows:
Stop
cd /opt/Harbor/harbor/
[root@harbor harbor]# docker-compose down
[+] Running 11/11
✔ Container harbor-jobservice Removed 0.4s
✔ Container registryctl Removed 10.4s
✔ Container trivy-adapter Removed 0.4s
✔ Container nginx Removed 0.6s
✔ Container harbor-portal Removed 0.2s
✔ Container harbor-core Removed 3.2s
✔ Container redis Removed 0.5s
✔ Container harbor-db Removed 0.4s
✔ Container registry Removed 0.4s
✔ Container harbor-log Removed 10.3s
✔ Network harbor_harbor Removed
Start
cd /opt/Harbor/harbor/
[root@harbor harbor]# docker-compose up -d
[+] Building 0.0s (0/0)
[+] Running 11/11
✔ Network harbor_harbor Created 0.6s
✔ Container harbor-log Started 1.0s
✔ Container harbor-db Started 4.6s
✔ Container harbor-portal Started 4.2s
✔ Container registry Started 4.7s
✔ Container registryctl Started 4.3s
✔ Container redis Started 4.4s
✔ Container trivy-adapter Started 5.4s
✔ Container harbor-core Started 5.6s
✔ Container harbor-jobservice Started 6.9s
✔ Container nginx Started