zoukankan      html  css  js  c++  java
  • 单点镜像仓库安装

    # tar zxvf harbor-offline-installer-v2.0.0.tgz
    #cd harbor
    #ls
        common.sh  harbor.v2.0.0.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
    # mv harbor.yml.tmpl harbor.yml
    证书:
    
    # mkdir -p /data/cert && cd /data/cert
    # openssl genrsa -out ca.key 2048 
    # openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=Harbor-ca"
    # openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr
    #一直回车
    #harbor的主机ip以及vip 都写上 可以以写多个 格式:IP:10.20.3.7,IP:10.20.3.7
    # echo subjectAltName = IP:10.20.3.7  > extfile.cnf 
    # openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 10000 -extfile extfile.cnf -out server.crt

    修改配置  线上使用https

    vi harbor.yml
    # cat harbor.yml 
    # Configuration file of Harbor
    
    # The IP address or hostname to access admin UI and registry service.
    # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    hostname: 10.207.23.73
    #线上建议使用https 
    # http related config
    # http:
      # port for http, default is 80. If https enabled, this port will redirect to https # # port
      # port: 8100
    
    # https related config
    https:
      # https port for harbor, default is 443
      port: 8400
      # The path of cert and key files for nginx 证书位置
    certificate:
    /data/cert/server.crt private_key: /data/cert/server.key # # Uncomment following will enable tls communication between all harbor components # internal_tls: # # set enabled to true means internal tls is enabled # enabled: true # # put your cert and key files on dir # dir: /etc/harbor/tls/internal # Uncomment external_url if you want to enable external proxy # And when it enabled the hostname will no longer used # external_url: https://reg.mydomain.com:8433 # The initial password of Harbor admin # It only works in first time to install harbor # Remember Change the admin password from UI after launching Harbor. harbor_admin_password: Harbor12345 # Harbor DB configuration database: # The password for the root user of Harbor DB. Change this before any production use. password: root123 # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. max_idle_conns: 50 # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. # Note: the default number of connections is 100 for postgres. max_open_conns: 100 # The default data volume data_volume: /data # Harbor Storage settings by default is using /data dir on local filesystem # Uncomment storage_service setting If you want to using external storage # storage_service: # # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore # # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate. # ca_bundle: # # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss # # for more info about this configuration please refer https://docs.docker.com/registry/configuration/ # filesystem: # maxthreads: 100 # # set disable to true when you want to disable registry redirect # redirect: # disabled: false # Clair configuration clair: # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters. updaters_interval: 12 # Trivy configuration trivy: # ignoreUnfixed The flag to display only fixed vulnerabilities ignore_unfixed: false # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub # # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. # If the flag is enabled you have to manually download the `trivy.db` file and mount it in the # /home/scanner/.cache/trivy/db/trivy.db path. skip_update: false # # insecure The flag to skip verifying registry certificate insecure: false # github_token The GitHub access token to download Trivy DB # # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached # in the local file system (/home/scanner/.cache/trivy/db/trivy.db). In addition, the database contains the update # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. # Currently, the database is updated every 12 hours and published as a new release to GitHub. # # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult # https://developer.github.com/v3/#rate-limiting # # You can create a GitHub token by following the instuctions in # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line # # github_token: xxx jobservice: # Maximum number of job workers in job service max_job_workers: 10 notification: # Maximum retry count for webhook job webhook_job_max_retry: 10 chart: # Change the value of absolute_url to enabled can enable absolute url in chart absolute_url: disabled # Log configurations log: # options are debug, info, warning, error, fatal level: info # configs for logs in local storage local: # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. rotate_count: 50 # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G # are all valid. rotate_size: 200M # The directory on your host that store log location: /var/log/harbor # Uncomment following lines to enable external syslog endpoint. # external_endpoint: # # protocol used to transmit log to external endpoint, options is tcp or udp # protocol: tcp # # The host of external endpoint # host: localhost # # Port of external endpoint # port: 5140 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! _version: 2.0.0 # Uncomment external_database if using external database. # external_database: # harbor: # host: harbor_db_host # port: harbor_db_port # db_name: harbor_db_name # username: harbor_db_username # password: harbor_db_password # ssl_mode: disable # max_idle_conns: 2 # max_open_conns: 0 # clair: # host: clair_db_host # port: clair_db_port # db_name: clair_db_name # username: clair_db_username # password: clair_db_password # ssl_mode: disable # notary_signer: # host: notary_signer_db_host # port: notary_signer_db_port # db_name: notary_signer_db_name # username: notary_signer_db_username # password: notary_signer_db_password # ssl_mode: disable # notary_server: # host: notary_server_db_host # port: notary_server_db_port # db_name: notary_server_db_name # username: notary_server_db_username # password: notary_server_db_password # ssl_mode: disable # Uncomment external_redis if using external Redis server # external_redis: # host: redis # port: 6379 # password: # # db_index 0 is for core, it's unchangeable # registry_db_index: 1 # jobservice_db_index: 2 # chartmuseum_db_index: 3 # clair_db_index: 4 # trivy_db_index: 5 # idle_timeout_seconds: 30 # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert. # uaa: # ca_file: /path/to/ca # Global proxy # Config http proxy for components, e.g. http://my.proxy.com:3128 # Components doesn't need to connect to each others via http proxy. # Remove component from `components` array if want disable proxy # for it. If you want use proxy for replication, MUST enable proxy # for core and jobservice, and set `http_proxy` and `https_proxy`. # Add domain to the `no_proxy` field, when you want disable proxy # for some special registry. proxy: http_proxy: https_proxy: no_proxy: components: - core - jobservice - clair - trivy

    浏览器https方式访问

    设置 docker 证书
     # mkdir -p /etc/docker/certs.d/10.207.23.73 && cd /data/cert/
     # cp server.crt /etc/docker/certs.d/
     # cp ca.crt  /etc/docker/certs.d/
     
     其他服务器要docker login 只需要将/etc/docker/certs.d/10.207.23.73复制到同样的目录即可
    配置docker仓库
    # vi /etc/docker/daemon.json { "insecure-registries": ["10.207.23.73:8400"] } # systemctl daemon-reload # 重启 docker systemctl restart docker # 启动Harbor ./install.sh # docker login -u admin -p Harbor12345 10.207.23.73:8400# docker login -u admin -p Harbor12345 10.207.23.73:8400

    harbor使用中的问题:

    使用yaml下载镜像失败
    # Failed to pull image "10.20.3.7:8400/projectdemo/itmp:v2.01": rpc error: code = Unknown desc = Error response from daemon: unauthorized: unauthorized to access repository: projectdemo/itmp, action: pull: unauthorized to access repository: projectdemo/itmp, action: pull
    
    # kubectl create secret docker-registry regsecret --docker-server=10.20.3.7:8400 --docker-username=admin --docker-password=Harbor12345
    
    regsecret: 指定密钥的键名称, 可自行定义
    --docker-server: 指定docker仓库地址
    --docker-username: 指定docker仓库账号
    --docker-password: 指定docker仓库密码
    --docker-email: 指定邮件地址
    -n : 命名空间,在那个命名空间创建,就只能在那个命名空间使用这个secret


    # cat itmp2.01.yaml 
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      creationTimestamp: null
      labels:
        app: itmp
      name: itmp
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: itmp
      strategy: 
        type: RollingUpdate 
        rollingUpdate:
           maxSurge: 1
           maxUnavailable: 1
      minReadySeconds: 5
      revisionHistoryLimit: 5
      template:
        metadata:
          creationTimestamp: null
          labels:
            app: itmp
        spec:
          containers:
          - image:  10.20.3.7:8400/images
            name: itmp
            ports:
            -  containerPort: 8020
               name: itmp
            resources:
              requests:
                cpu: 90m
                memory: 90Mi
          imagePullSecrets:
            - name: regsecret
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: itmp
    spec:
      selector:
        app: itmp
      ports:
        - protocol: TCP
          port: 8039
          targetPort: 8020
  • 相关阅读:
    [C++再学习系列] 深入new/delete:Operator new的全局重载
    [C++再学习系列] 函数模板和类模板
    [C++再学习系列] 模板函数的自定义点
    [C++再学习系列] STL容器删除操作总结
    How to create a sizelimited filesystem
    CodeSmith 破解和注册
    LINQ to SQL学习的几个问题
    SQLSERVER2005 分区表
    google工具栏和搜狗拼音叠加问题
    C#中构成函数重载有哪些条件和特征?
  • 原文地址:https://www.cnblogs.com/Hale-wang/p/12965491.html
Copyright © 2011-2022 走看看