Harbor镜像仓库
|
作者 |
刘畅 |
|
时间 |
2020-7-11 |
|
微信 |
|
目录
1、下载离线安装包
环境说明:
|
主机名 |
IP |
用途 |
|
controlnode |
172.16.1.70 |
用于连接docker仓库 |
|
slavenode1 |
172.16.1.71 |
docker仓库 |
Harbor 是 Vmware 公司开源的企业级 Docker Registry 项目。
项目地址:https://github.com/goharbor/harbor
安装说明:https://github.com/goharbor/harbor/blob/master/docs/install-config/_index.md
下载地址:
https://github.com/goharbor/harbor/releases/download/v2.0.1/harbor-offline-installer-v2.0.1.tgz
2、安装docker
# 安装依赖包
[root@slavenode1 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
# 添加Docker软件包源
[root@slavenode1 ~]# yum-config-manager
--add-repo
https://download.docker.com/linux/centos/docker-ce.repo
# 更新为阿里云的源
[root@slavenode1 ~]# wget -O /etc/yum.repos.d/docker-ce.repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 清理源缓存
[root@slavenode1 ~]# yum clean all
# 安装Docker CE
[root@slavenode1 ~]# yum install -y docker-ce
# 启动Docker服务并设置开机启动
[root@slavenode1 ~]# systemctl start docker
[root@slavenode1 ~]# systemctl enable docker
# 查看docker版本
[root@slavenode1 ~]# docker -v
Docker version 19.03.12, build 48a66213fe
# 添加阿里云的镜像仓库
[root@slavenode1 ~]# mkdir -p /etc/docker
[root@slavenode1 ~]# tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://b1cx9cn7.mirror.aliyuncs.com"]
}
EOF
# 重启docker
[root@slavenode1 ~]# systemctl daemon-reload
[root@slavenode1 ~]# systemctl restart docker
3、安装docker-compose
# 官方参考文档
https://docs.docker.com/compose/install/
# 下载docker-compose
[root@slavenode1 ~]# curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# 为docker-compose赋予可执行权限
[root@slavenode1 ~]# chmod +x /usr/local/bin/docker-compose
# 查看docker-compose的版本
[root@slavenode1 ~]# docker-compose -v
docker-compose version 1.26.2, build eefe0d31
4、自签TLS证书
# 参考文档
https://github.com/goharbor/harbor/blob/master/docs/install-config/configure-https.md
4.1、创建自己的CA证书
[root@slavenode1 ~]# mkdir -p /root/ssl/
[root@slavenode1 ~]# cd /roo/ssl/
[root@slavenode1 ssl]# openssl req
-newkey rsa:4096 -nodes -sha256 -keyout ca.key
-x509 -days 36500 -out ca.crt
Generating a 4096 bit RSA private key
........................................................................++
.++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:LiuChang
Email Address []:
[root@slavenode1 ssl]# ls
ca.crt ca.key
4.2、生成证书签名请求
[root@slavenode1 ssl]# openssl req
-newkey rsa:4096 -nodes -sha256 -keyout reg.liuchang.com.key
-out reg.liuchang.com.csr
Generating a 4096 bit RSA private key
..............................................................................................................................................................................................
......................................++............................................................................................................................................................++
writing new private key to 'reg.liuchang.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:reg.liuchang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@slavenode1 ssl]# ls
ca.crt ca.key reg.liuchang.com.csr reg.liuchang.com.key
4.3、生成注册表主机的证书
[root@slavenode1 ssl]# openssl x509 -req -days 36500
-in reg.liuchang.com.csr
-CA ca.crt -CAkey ca.key -CAcreateserial
-out reg.liuchang.com.crt
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd/CN=reg.liuchang.com
Getting CA Private Key
[root@slavenode1 ssl]# ls
ca.crt ca.key ca.srl reg.liuchang.com.crt reg.liuchang.com.csr reg.liuchang.com.key
说明:reg.liuchang.com.crt 和 reg.liuchang.com.key 这两个证书是harbor所需要的。
5、Harbor安装与配置
# 解压harbor安装包
[root@slavenode1 ssl]# mkdir -p /tools/
[root@slavenode1 ssl]# cd /tools/
[root@slavenode1 tools]# tar -xzf harbor-offline-installer-v2.0.1.tgz -C /usr/local/
# 将上面生成的证书拷贝到harbor目录下
[root@slavenode1 tools]# cd /usr/local/harbor/
[root@slavenode1 harbor]# mkdir -p ssl/
[root@slavenode1 harbor]# cp -a /root/ssl/reg.liuchang.com.crt ssl/
[root@slavenode1 harbor]# cp -a /root/ssl/reg.liuchang.com.key ssl/
[root@slavenode1 harbor]# ls ssl/
reg.liuchang.com.crt reg.liuchang.com.key
# 配置harbor
[root@slavenode1 harbor]# cp -a harbor.yml.tmpl harbor.yml
[root@slavenode1 harbor]# vim harbor.yml # 需要修改的内容如下
hostname: reg.liuchang.com # 被访问的域名或ip地址
certificate: /usr/local/harbor/ssl/reg.liuchang.com.crt # 证书地址
private_key: /usr/local/harbor/ssl/reg.liuchang.com.key
harbor_admin_password: Harbor12345 # 访问harbor的密码,默认用户是admin
说明:默认 harbor的80和443 端口都对外开放,如果配置了ssl 证书后,访问harbor的
80 端口也会被重定向到443 端口的访问。
# 初始化、安装harbor
[root@slavenode1 harbor]# ./prepare
[root@slavenode1 harbor]# ./install.sh
# 通过docker-compose查看安装的harbor镜像
[root@slavenode1 harbor]# docker-compose images
# 通过docker-compose查看所有harbor容器的运行状态
[root@slavenode1 harbor]# docker-compose ps -a
6、Docker主机访问Harbor
6.1、通过浏览器访问harbor
# 修改本地主机的hosts 文件
C:WindowsSystem32driversetchosts
172.16.1.71 reg.liuchang.com # 添加这条域名解析记录
# 访问 reg.liuchang.com
# 查看证书
# 登录
# 主页面
6.2、新建用户
6.3、新建项目
项目访问级别说明:
公开:用户不需要登录到docker镜像仓库,就可以拉取项目中的镜像,但不能上传镜像,默认的libray项目就是公开的。
不公开:用户需要登录到docker镜像仓库后才能从项目中拉取镜像或上传镜像到项目中。
6.4、在test项目中添加用户
6.5、linux主机访问docker仓库
1、将镜像仓库上的reg.liuchang.com.crt 文件拉到本地
因为镜像仓库设置了ssl证书,浏览器访问时可以自动将docker仓库上的证书拉下来,然后对数据进行加密和解密的交互,而使用linux主机访问时无法做到。
[root@controlnode ~]# mkdir /etc/docker/certs.d/reg.liuchang.com -p
[root@controlnode ~]# scp -rp root@172.16.1.71:/usr/local/harbor/ssl/reg.liuchang.com.crt /etc/docker/certs.d/reg.liuchang.com
[root@controlnode ~]# ls /etc/docker/certs.d/
reg.liuchang.com
2、修改本地hosts域名解析文件,添加如下内容
[root@controlnode ~]# echo "172.16.1.71 reg.liuchang.com" >>/etc/hosts
3、登录到镜像仓库
[root@controlnode ~]# docker login -uliuchang -pLiuChang@2020 reg.liuchang.com
4、上传镜像
# 可以参考项目中的推送命令
# 打标签
[root@controlnode ~]# docker image list
docker tag SOURCE_IMAGE[:TAG] reg.liuchang.com/test/REPOSITORY[:TAG]
[root@controlnode ~]# docker tag tomcat:v1 reg.liuchang.com/test/tomcat:v1
说明:tomcat:v1 表示需要打标签的源镜像名称:标签名称。
reg.liuchang.com/test/tomcat:v1 表示打标签后的镜像名称:标签名称;
reg.liuchang.com 表示镜像仓库的地址;
test 表示项目名称;tomcat:v1 表示镜像名称:标签。
[root@controlnode ~]# docker image list
# 上传镜像
docker push reg.liuchang.com/test/REPOSITORY[:TAG]
[root@controlnode ~]# docker push reg.liuchang.com/test/tomcat:v1
# 在镜像仓库中查看
5、拉取镜像
[root@controlnode ~]# docker pull reg.liuchang.com/test/tomcat:v1
7、补充:
7.1、harbor服务器重启后有些容器无法启动的解决办法
[root@slavenode1 harbor]# docker container start $(docker container list -a -q)