概述
搭建一个私有仓库
harbor介绍
harbor是一个开源的docker容器仓库,由下面几个组件组成
+ proxy:用来接收docker客户端和浏览器端的请求,并且把请求转发给后端的服务
+ registry:就是仓库,用来存储镜像的,
+ 核心服务:提供web ui,数据库,token认证,webhook等功能
+ 日志服务
- database:用来存储核心服务的一些数据
vmware出品,支持下面几种部署方式
- 在线安装
- 离线安装
- ova安装,这个直接在vcenter上导入就可以了
官方最小配置
- 2个cpu
- 4g内存
- 40g硬盘,因为是存储镜像的所以推荐硬盘大点
官方安装帮助
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Software
| Software | Version | Description |
|---|---|---|
| Python | version 2.7 or higher | Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default |
| Docker engine | version 17.03.0-ce+ or higher | For installation instructions, please refer to: https://docs.docker.com/engine/installation/ |
| Docker Compose | version 1.18.0 or higher | For installation instructions, please refer to: https://docs.docker.com/compose/install/ |
| Openssl | latest is preferred | Generate certificate and keys for Harbor |
Network ports
| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor portal and core API will accept requests on this port for https protocol |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled |
| 80 | HTTP | Harbor portal and core API will accept requests on this port for http protocol |
安装docker:
https://docs.docker.com/install/linux/docker-ce/centos/
可选安装docker方式1: curl -fsSL get.docker.com -o get-docker.sh
- 移除旧版
sudo yum remove docker
docker-client
docker-client-latest
docker-common
docker-latest
docker-latest-logrotate
docker-logrotate
docker-engine
安装依赖包
```
sudo yum install -y yum-utils
device-mapper-persistent-data
lvm2
```
添加源
```
sudo yum-config-manager
--add-repo
https://download.docker.com/linux/centos/docker-ce.repo
```
安装和启动
sudo yum-config-manager --enable docker-ce-nightly
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
docker-compose安装:
- 安装和测试docker-compose
官网文档 https://docs.docker.com/compose/install/
下载docker-compose可执行文件
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
设可执行权限
sudo chmod +x /usr/local/bin/docker-compose
软连接到/usr/bin
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
查看安装是否成功
docker-compose --version
安装步骤:
-
Download the installer:
下载离线安装包:
https://github.com/goharbor/harbor/releasesOnline installer:
$ tar xvf harbor-online-installer-<version>.tgzOffline installer:
$ tar xvf harbor-offline-installer-<version>.tgz -
Configure harbor.cfg/harbor.yml(新版已经改成harbor.yml);
- 修改配置,协议,证书,管理员密码
hostname = reg.lvusyy.com
ui_url_protocol = https
ssl_cert = ./ssl/reg.lvusyy.com.crt
ssl_cert_key = ./ssl/reg.lvusyy.com.key
harbor_admin_password = harbor12345 - 生成配置文件
-
证书可以从 letsencrypt 生成免费的证书..(默认浏览器和工具都不会提示不安全警告的.)
详情参考:https://github.com/Neilpang/acme.sh/wiki/说明
关于配置:
-
生成https证书(手动自签发的证书,没有根证书信任)
参考 https://github.com/goharbor/harbor/blob/master/docs/configure_https.md#生成key `openssl genrsa -out ca.key 4096`#根据key生成ca.crt
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Hangzhou/L=Hangzhou/O=example/OU=Personal/CN=lvusyy.com" -key ca.key -out ca.crt-
Create your own Private Key:
openssl genrsa -out reg.lvusyy.com.key 4096 -
Generate a Certificate Signing Request:
openssl req -sha512 -new
-subj "/C=CN/ST=Hangzhou/L=Hangzhou/O=example/OU=Personal/CN=reg.lvusyy.com"
-key reg.lvusyy.com.key
-out reg.lvusyy.com.csrcat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=reg.lvusyy.com DNS.2=lvusyy DNS.3=harbor EOFopenssl x509 -req -sha512 -days 3650
-extfile v3.ext
-CA ca.crt -CAkey ca.key -CAcreateserial
-in reg.lvusyy.com.csr
-out reg.lvusyy.com.crt
-
-
导入docker镜像
sudo docker load < harbor.v1.8.0.tar.gz -
生成配置
-
./prepare
-
- 修改配置,协议,证书,管理员密码
-
Run install.sh to install and start Harbor;
-
开始安装
- #注意网络问题哦
./install
到此 harbor 已经安装完成了。
- #注意网络问题哦
192.168.1.xx reg.lvusyy.com
你可以导入你的根证书让浏览器或wget 不报ssl警告
mkdir /usr/share/ca-certificates/harbor/
cp /media/makeit/Document/harborCa/ca.crt /usr/share/ca-certificates/harbor/
sudo update-ca-certificates
这样就ok了。
wget -q -O - https://reg.lvusyy.com
如果 curl 访问呢?
* Rebuilt URL to: https://reg.lvusyy.com/
* Trying 10.1.1.53...
* TCP_NODELAY set
* Connected to reg.lvusyy.com (10.1.1.53) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /home/makeit/anaconda3/ssl/cacert.pem
CApath: none
它使用 /home/makeit/anaconda3/ssl/cacert.pem ,我们把我们ca重定向进去就可以了呗。
转换格式 .cer 到 .pem
openssl x509 -inform der -in lvusyy.cer -out lvusyy.pem
追加到信任列表
cat lvusyy.pem >> /home/makeit/anaconda3/ssl/cacert.pem
妥了!
chrome呢,firefox,oprea呢
自己设置窗口导入即可。
enjoy!