
    Harbor installation and deployment

    1. Install Docker and Docker Compose on the Harbor server

    1.1 Install Docker

    1.1.1 Install the Docker dependency packages
    [root@harbor ~]#  yum install -y yum-utils device-mapper-persistent-data   lvm2
    
    1.1.2 Add the Docker package repository
    [root@harbor ~]#   yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    
    1.1.3 Install Docker
    [root@harbor ~]#  yum install -y docker-ce
    
    1.1.4 Start Docker and enable it at boot
    [root@harbor ~]#  /bin/systemctl start docker
    [root@harbor ~]#  /bin/systemctl enable docker      # enable at boot
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
    
    1.1.5 Install tab completion for Docker
    1.1.5.1 Install the completion package
    [root@harbor ~]#  yum install -y bash-completion
    [root@harbor ~]#  sh /usr/share/bash-completion/bash_completion
    This script is clearly meant for bash autocompletion, but unfortunately, after sourcing it directly, pressing Tab after the docker command produces the following errors:
    docker -bash: _get_comp_words_by_ref: command not found 
    -bash: [: 1: unary operator expected 
    -bash: [: 1: unary operator expected 
    -bash: [: -eq: unary operator expected 
    -bash: _get_comp_words_by_ref: command not found 
    -bash: [: 1: unary operator expected 
    -bash: [: 1: unary operator expected 
    -bash: [: -eq: unary operator expected
    Could Docker's bash completion really be broken?
    
    • Solution:
      • Although bash-completion is installed here, one of its files, /usr/share/bash-completion/bash_completion, which defines the missing functions, was never loaded into the current shell (running it with sh in a subshell does not do that). Source that file and open a new shell terminal, and the problem is solved.

    1.2 Install Docker Compose

    1.2.1 Download and install Docker Compose
    [root@harbor ~]# sudo curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    
    1.2.2 Make docker-compose executable
    [root@harbor ~]# chmod +x /usr/local/bin/docker-compose 
    

    1.3 Configure a third-party registry mirror

    You can configure Alibaba Cloud or another domestic registry mirror; the Alibaba Cloud mirror is configured here.

    sudo mkdir -p /etc/docker
    sudo tee /etc/docker/daemon.json <<-'EOF'
    {
      "registry-mirrors": ["https://sv1txjq6.mirror.aliyuncs.com"]
    }
    EOF
    

    1.4 Restart Docker to apply the configuration

    [root@docker ~]# systemctl daemon-reload
    [root@docker ~]# systemctl restart docker
    

    2. Install Harbor

    2.1 Download Harbor

    [root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v2.1.0/harbor-offline-installer-v2.1.0.tgz
    [root@harbor ~]# ll
    total 543100
    -rw-------. 1 root root      1363 Jul 25  2019 anaconda-ks.cfg
    -rw-r--r--  1 root root 556130191 Oct 18 02:11 harbor-offline-installer-v2.1.0.tgz
    
    • Note:

      Downloading directly with wget may be slow because of network conditions; you can download the archive with Thunder (Xunlei) instead and upload it to the server afterwards.

    2.2 Extract the Harbor archive

    [root@harbor ~]# tar zxvf harbor-offline-installer-v2.1.0.tgz 
    harbor/harbor.v2.1.0.tar.gz
    harbor/prepare
    harbor/LICENSE
    harbor/install.sh
    harbor/common.sh
    harbor/harbor.yml.tmpl
    

    2.3 Copy the configuration template

    [root@harbor ~]# cd harbor/
    [root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
    

    2.4 Edit harbor.yml

    • Settings to change

      hostname: <this host's IP address>          # address clients connect to; a domain name or an IP
      harbor_admin_password: 123456               # admin password
      
    • Edit the configuration file

      [root@harbor harbor]# vim harbor.yml
      [root@harbor harbor]# cat harbor.yml
      # Configuration file of Harbor
      
      # The IP address or hostname to access admin UI and registry service.
      # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
      hostname: harbor.scajy.cn
      
      # http related config
      http:
        # port for http, default is 80. If https enabled, this port will redirect to https port
        port: 80
      
      # https related config
      #https:
        # https port for harbor, default is 443
        #port: 443
        # The path of cert and key files for nginx
        #certificate: /your/certificate/path
        #private_key: /your/private/key/path
      
      # # Uncomment following will enable tls communication between all harbor components
      # internal_tls:
      #   # set enabled to true means internal tls is enabled
      #   enabled: true
      #   # put your cert and key files on dir
      #   dir: /etc/harbor/tls/internal
      
      # Uncomment external_url if you want to enable external proxy
      # And when it enabled the hostname will no longer used
      # external_url: https://reg.mydomain.com:8433
      
      # The initial password of Harbor admin
      # It only works in first time to install harbor
      # Remember Change the admin password from UI after launching Harbor.
      harbor_admin_password: Aa123456
      
      # Harbor DB configuration
      database:
        # The password for the root user of Harbor DB. Change this before any production use.
        password: root123
        # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
        max_idle_conns: 50
        # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
        # Note: the default number of connections is 1024 for postgres of harbor.
        max_open_conns: 1000
      
      # The default data volume
      data_volume: /data
      
      # Harbor Storage settings by default is using /data dir on local filesystem
      # Uncomment storage_service setting If you want to using external storage
      # storage_service:
      #   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
      #   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
      #   ca_bundle:
      
      #   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
      #   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
      #   filesystem:
      #     maxthreads: 100
      #   # set disable to true when you want to disable registry redirect
      #   redirect:
      #     disabled: false
      
      # Clair configuration
      clair:
        # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
        updaters_interval: 12
      
      # Trivy configuration
      #
      # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
      # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
      # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
      # should download a newer version from the Internet or use the cached one. Currently, the database is updated every
      # 12 hours and published as a new release to GitHub.
      trivy:
        # ignoreUnfixed The flag to display only fixed vulnerabilities
        ignore_unfixed: false
        # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
        #
        # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
        # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
        # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
        skip_update: false
        #
        # insecure The flag to skip verifying registry certificate
        insecure: false
        # github_token The GitHub access token to download Trivy DB
        #
        # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
        # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
        # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
        # https://developer.github.com/v3/#rate-limiting
        #
        # You can create a GitHub token by following the instructions in
        # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
        #
        # github_token: xxx
      
      jobservice:
        # Maximum number of job workers in job service
        max_job_workers: 10
      
      notification:
        # Maximum retry count for webhook job
        webhook_job_max_retry: 10
      
      chart:
        # Change the value of absolute_url to enabled can enable absolute url in chart
        absolute_url: disabled
      
      # Log configurations
      log:
        # options are debug, info, warning, error, fatal
        level: info
        # configs for logs in local storage
        local:
          # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
          rotate_count: 50
          # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
          # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
          # are all valid.
          rotate_size: 200M
          # The directory on your host that store log
          location: /var/log/harbor
      
        # Uncomment following lines to enable external syslog endpoint.
        # external_endpoint:
        #   # protocol used to transmit log to external endpoint, options is tcp or udp
        #   protocol: tcp
        #   # The host of external endpoint
        #   host: localhost
        #   # Port of external endpoint
        #   port: 5140
      
      #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
      _version: 2.0.0
      
      # Uncomment external_database if using external database.
      # external_database:
      #   harbor:
      #     host: harbor_db_host
      #     port: harbor_db_port
      #     db_name: harbor_db_name
      #     username: harbor_db_username
      #     password: harbor_db_password
      #     ssl_mode: disable
      #     max_idle_conns: 2
      #     max_open_conns: 0
      #   clair:
      #     host: clair_db_host
      #     port: clair_db_port
      #     db_name: clair_db_name
      #     username: clair_db_username
      #     password: clair_db_password
      #     ssl_mode: disable
      #   notary_signer:
      #     host: notary_signer_db_host
      #     port: notary_signer_db_port
      #     db_name: notary_signer_db_name
      #     username: notary_signer_db_username
      #     password: notary_signer_db_password
      #     ssl_mode: disable
      #   notary_server:
      #     host: notary_server_db_host
      #     port: notary_server_db_port
      #     db_name: notary_server_db_name
      #     username: notary_server_db_username
      #     password: notary_server_db_password
      #     ssl_mode: disable
      
      # Uncomment external_redis if using external Redis server
      # external_redis:
      #   # support redis, redis+sentinel
      #   # host for redis: <host_redis>:<port_redis>
      #   # host for redis+sentinel:
      #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
      #   host: redis:6379
      #   password:
      #   # sentinel_master_set must be set to support redis+sentinel
      #   #sentinel_master_set:
      #   # db_index 0 is for core, it's unchangeable
      #   registry_db_index: 1
      #   jobservice_db_index: 2
      #   chartmuseum_db_index: 3
      #   clair_db_index: 4
      #   trivy_db_index: 5
      #   idle_timeout_seconds: 30
      
      # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
      # uaa:
      #   ca_file: /path/to/ca
      
      # Global proxy
      # Config http proxy for components, e.g. http://my.proxy.com:3128
      # Components doesn't need to connect to each others via http proxy.
      # Remove component from `components` array if want disable proxy
      # for it. If you want use proxy for replication, MUST enable proxy
      # for core and jobservice, and set `http_proxy` and `https_proxy`.
      # Add domain to the `no_proxy` field, when you want disable proxy
      # for some special registry.
      proxy:
        http_proxy:
        https_proxy:
        no_proxy:
        components:
          - core
          - jobservice
          - clair
          - trivy
      

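The comments in the file above warn about several settings (a hostname of localhost, the default database password, the placeholder certificate paths), and the prepare step warns that plain HTTP is insecure. The following lint script is an added example written for this walkthrough, not part of Harbor: it reads the key/value blocks of harbor.yml with a small hand-written parser (no PyYAML) and flags those settings, run here on two constructed samples, the http-only file from this section and the https variant from section 3.2. The password values in the samples are placeholders; the weak-password list holds this page's sample values plus Harbor's template default.

```python
# Added lint for harbor.yml (v2.1.0 layout); not part of Harbor. Plain Python,
# no PyYAML: an indentation-based reader covers the "key: value" blocks used here.

# Constructed sample: the section 2.4 file, reduced to the keys checked below.
HTTP_ONLY_YML = """\
hostname: harbor.scajy.cn

http:
  port: 80

#https:
  #port: 443
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

harbor_admin_password: Aa123456

database:
  password: root123
"""

# Constructed sample: the same file after section 3.2 enables https; the
# passwords are placeholders, not real secrets.
HTTPS_YML = """\
hostname: harbor.scajy.org

https:
  port: 443
  certificate: /root/harbor/ssl/harbor.scajy.org.pem
  private_key: /root/harbor/ssl/harbor.scajy.org.key

harbor_admin_password: CHANGE-ME-long-random-admin-secret

database:
  password: CHANGE-ME-db-secret
"""


def parse_yaml_subset(text):
    """Read block-style 'key: value' YAML into nested dicts: comment and blank
    lines are skipped, nesting follows indentation, a key with no value opens a
    mapping; lists and quoting are not needed for the keys checked here."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping); the root sentinel never pops
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue  # comment, blank line or list item
        key, sep, value = stripped.partition(":")
        if not sep:
            continue  # not a key: value line
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:
            stack.pop()  # a dedent closes the deeper mappings
        parent = stack[-1][1]
        value = value.split(" #", 1)[0].strip()  # drop a trailing comment
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


# Sample passwords used in this walkthrough plus Harbor's template default.
WEAK_ADMIN_PASSWORDS = {"123456", "Aa123456", "Harbor12345"}


def lint_harbor_yml(text):
    """Return (code, message) findings for settings the template comments warn about."""
    cfg = parse_yaml_subset(text)
    findings = []
    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append(("bad-hostname", "hostname must be reachable by external clients"))
    https = cfg.get("https")
    if not isinstance(https, dict):
        findings.append(("http-only", "https is commented out; prepare warns that HTTP is insecure"))
    else:
        for k in ("certificate", "private_key"):
            v = https.get(k)
            if not isinstance(v, str) or v.startswith("/your/"):
                findings.append(("placeholder-cert", f"https.{k} is missing or still the template placeholder"))
    pw = cfg.get("harbor_admin_password", "")
    if pw in WEAK_ADMIN_PASSWORDS or len(pw) < 12:
        findings.append(("weak-admin-password", "harbor_admin_password is a sample or short value"))
    db = cfg.get("database", {})
    if isinstance(db, dict) and db.get("password") == "root123":
        findings.append(("default-db-password", "database.password is the template default root123"))
    return findings


if __name__ == "__main__":
    for name, yml in (("section 2.4 (http only)", HTTP_ONLY_YML), ("section 3.2 (https)", HTTPS_YML)):
        print(name, [code for code, _ in lint_harbor_yml(yml)] or "no findings")
```

Run it against the real file with lint_harbor_yml(open("harbor.yml").read()) before ./prepare; an empty list means none of the checked settings is still at a sample or placeholder value.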
    2.5 Run prepare

    [root@harbor harbor]# ./prepare 
    prepare base dir is set to /root/harbor
    Unable to find image 'goharbor/prepare:v2.1.0' locally
    v2.1.0: Pulling from goharbor/prepare
    b2823a5a3d08: Pull complete 
    5c184afe259b: Pull complete 
    7c2b2b800448: Pull complete 
    3c2d8c5c2665: Pull complete 
    ad2d8ed3252c: Pull complete 
    62b95a750685: Pull complete 
    bfe926f9ce0a: Pull complete 
    43e4c40467d4: Pull complete 
    Digest: sha256:12198af4fa3f08485507e1ec902ca38986607fe1777ff2a32db5d50c98f53bd0
    Status: Downloaded newer image for goharbor/prepare:v2.1.0
    WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
    Generated configuration file: /config/portal/nginx.conf
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/registryctl/config.yml
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    loaded secret from file: /data/secret/keys/secretkey
    Successfully called func: create_root_cert
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir
    

    2.6 Run the install.sh installer script

    [root@harbor harbor]# ./install.sh 
    
    [Step 0]: checking if docker is installed ...
    
    Note: docker version: 19.03.5
    
    [Step 1]: checking docker-compose is installed ...
    
    Note: docker-compose version: 1.23.1
    
    [Step 2]: loading Harbor images ...
    643af1ea9877: Loading layer [==================================================>]   4.78MB/4.78MB
    2f2eb198019d: Loading layer [==================================================>]  4.096kB/4.096kB
    013d878b1cd3: Loading layer [==================================================>]  3.072kB/3.072kB
    0cea77165dab: Loading layer [==================================================>]  9.427MB/9.427MB
    d5eb36d8c949: Loading layer [==================================================>]  10.25MB/10.25MB
    Loaded image: goharbor/clair-adapter-photon:v2.1.0
    4d60d24f7344: Loading layer [==================================================>]  6.084MB/6.084MB
    cd89d31b48cc: Loading layer [==================================================>]  4.096kB/4.096kB
    c5c8574d9a20: Loading layer [==================================================>]  3.072kB/3.072kB
    ab21861f74f0: Loading layer [==================================================>]  23.51MB/23.51MB
    d4a0523ddf42: Loading layer [==================================================>]  9.432MB/9.432MB
    cde298220c1c: Loading layer [==================================================>]  33.76MB/33.76MB
    Loaded image: goharbor/trivy-adapter-photon:v2.1.0
    bf8bca7d4ea5: Loading layer [==================================================>]   4.78MB/4.78MB
    d5c4f23a1da8: Loading layer [==================================================>]  4.096kB/4.096kB
    b873e48b04b8: Loading layer [==================================================>]  20.51MB/20.51MB
    426ecd50af9d: Loading layer [==================================================>]  3.072kB/3.072kB
    1a72b8257121: Loading layer [==================================================>]  25.91MB/25.91MB
    7ef3788af1ea: Loading layer [==================================================>]  47.24MB/47.24MB
    Loaded image: goharbor/harbor-registryctl:v2.1.0
    f6e400ca078e: Loading layer [==================================================>]  49.87MB/49.87MB
    df854457d3a9: Loading layer [==================================================>]  3.584kB/3.584kB
    105dc1999347: Loading layer [==================================================>]  3.072kB/3.072kB
    928960fba9b5: Loading layer [==================================================>]   2.56kB/2.56kB
    ea3614f8d633: Loading layer [==================================================>]  3.072kB/3.072kB
    fc748ef412bb: Loading layer [==================================================>]  3.584kB/3.584kB
    4eab81909717: Loading layer [==================================================>]  12.29kB/12.29kB
    08046ff8e937: Loading layer [==================================================>]  5.632kB/5.632kB
    Loaded image: goharbor/harbor-log:v2.1.0
    85ddf803217c: Loading layer [==================================================>]  6.626MB/6.626MB
    dfdbced0fe07: Loading layer [==================================================>]  8.986MB/8.986MB
    22835afce7a9: Loading layer [==================================================>]  173.6kB/173.6kB
    4fafff94ba19: Loading layer [==================================================>]  152.6kB/152.6kB
    c3fa5501b4b1: Loading layer [==================================================>]  67.07kB/67.07kB
    3910acc63022: Loading layer [==================================================>]  17.41kB/17.41kB
    07b3501d422c: Loading layer [==================================================>]  15.36kB/15.36kB
    Loaded image: goharbor/harbor-portal:v2.1.0
    6e61f5a6fb17: Loading layer [==================================================>]  63.56MB/63.56MB
    1e49f9ddcbd1: Loading layer [==================================================>]   70.1MB/70.1MB
    6fc7af60e218: Loading layer [==================================================>]  6.144kB/6.144kB
    dc2cb9a2d506: Loading layer [==================================================>]   2.56kB/2.56kB
    2347633d86f3: Loading layer [==================================================>]   2.56kB/2.56kB
    3e9929a5df23: Loading layer [==================================================>]   2.56kB/2.56kB
    48aa8c8ab242: Loading layer [==================================================>]   2.56kB/2.56kB
    bcef191e1035: Loading layer [==================================================>]  11.26kB/11.26kB
    Loaded image: goharbor/harbor-db:v2.1.0
    c5d7c2b3932e: Loading layer [==================================================>]  6.626MB/6.626MB
    Loaded image: goharbor/nginx-photon:v2.1.0
    Loaded image: goharbor/prepare:v2.1.0
    9c1567ed7ed1: Loading layer [==================================================>]   7.91MB/7.91MB
    9e1ebe27879a: Loading layer [==================================================>]  3.584kB/3.584kB
    bcfec06da51b: Loading layer [==================================================>]   2.56kB/2.56kB
    870a2e037ab6: Loading layer [==================================================>]  62.25MB/62.25MB
    75e9875fb71e: Loading layer [==================================================>]  63.08MB/63.08MB
    Loaded image: goharbor/harbor-jobservice:v2.1.0
    cb8cf329a832: Loading layer [==================================================>]  35.76MB/35.76MB
    7c5cf5cf3651: Loading layer [==================================================>]  3.072kB/3.072kB
    2c9036c54b00: Loading layer [==================================================>]   59.9kB/59.9kB
    40d96394d784: Loading layer [==================================================>]  61.95kB/61.95kB
    Loaded image: goharbor/redis-photon:v2.1.0
    8365a8a7ac38: Loading layer [==================================================>]   4.78MB/4.78MB
    7b422c5f97ac: Loading layer [==================================================>]  4.096kB/4.096kB
    0fc42ab55cdb: Loading layer [==================================================>]  3.072kB/3.072kB
    2e4c2c42935f: Loading layer [==================================================>]  20.51MB/20.51MB
    193871b7201c: Loading layer [==================================================>]  21.33MB/21.33MB
    Loaded image: goharbor/registry-photon:v2.1.0
    9a8e0a77f5b5: Loading layer [==================================================>]  4.775MB/4.775MB
    2e7f7cf4d5e2: Loading layer [==================================================>]  6.343MB/6.343MB
    dd4979ca316f: Loading layer [==================================================>]  15.84MB/15.84MB
    cae7d03d5007: Loading layer [==================================================>]  27.97MB/27.97MB
    780f529d0e40: Loading layer [==================================================>]  22.02kB/22.02kB
    8958df1396a5: Loading layer [==================================================>]  50.15MB/50.15MB
    Loaded image: goharbor/notary-server-photon:v2.1.0
    2a4281a0753e: Loading layer [==================================================>]  4.775MB/4.775MB
    2f49be32c4c6: Loading layer [==================================================>]  6.343MB/6.343MB
    4e99e16fc4e0: Loading layer [==================================================>]  14.43MB/14.43MB
    a06aef5aea58: Loading layer [==================================================>]  27.97MB/27.97MB
    2dfb5a4c74e4: Loading layer [==================================================>]  22.02kB/22.02kB
    338c6cc2212b: Loading layer [==================================================>]  48.74MB/48.74MB
    Loaded image: goharbor/notary-signer-photon:v2.1.0
    43c2e61fcc4a: Loading layer [==================================================>]  111.6MB/111.6MB
    6e2edd0822ab: Loading layer [==================================================>]  12.12MB/12.12MB
    354c6d016a81: Loading layer [==================================================>]  3.072kB/3.072kB
    16bfd1aa6381: Loading layer [==================================================>]  49.15kB/49.15kB
    b89217883992: Loading layer [==================================================>]  4.096kB/4.096kB
    812e837ca0d9: Loading layer [==================================================>]  12.99MB/12.99MB
    Loaded image: goharbor/clair-photon:v2.1.0
    0c840e0ec04a: Loading layer [==================================================>]   4.78MB/4.78MB
    226b8455f485: Loading layer [==================================================>]  66.44MB/66.44MB
    f928061673fd: Loading layer [==================================================>]  3.072kB/3.072kB
    0308faaa73d1: Loading layer [==================================================>]  4.096kB/4.096kB
    4efce89af607: Loading layer [==================================================>]  67.27MB/67.27MB
    Loaded image: goharbor/chartmuseum-photon:v2.1.0
    c22a4e901e13: Loading layer [==================================================>]   7.91MB/7.91MB
    8214586a2eae: Loading layer [==================================================>]  3.584kB/3.584kB
    f698b27e2016: Loading layer [==================================================>]   2.56kB/2.56kB
    3a34732979ca: Loading layer [==================================================>]  53.04MB/53.04MB
    9e8bf761483a: Loading layer [==================================================>]  5.632kB/5.632kB
    1b300c7f7b2a: Loading layer [==================================================>]  60.42kB/60.42kB
    cfe2a4718791: Loading layer [==================================================>]  11.78kB/11.78kB
    bde4e186d586: Loading layer [==================================================>]  53.87MB/53.87MB
    b63404705663: Loading layer [==================================================>]   2.56kB/2.56kB
    Loaded image: goharbor/harbor-core:v2.1.0
    
    
    [Step 3]: preparing environment ...
    
    [Step 4]: preparing harbor configs ...
    prepare base dir is set to /root/harbor
    WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
    Clearing the configuration file: /config/portal/nginx.conf
    Clearing the configuration file: /config/log/logrotate.conf
    Clearing the configuration file: /config/log/rsyslog_docker.conf
    Clearing the configuration file: /config/nginx/nginx.conf
    Clearing the configuration file: /config/core/env
    Clearing the configuration file: /config/core/app.conf
    Clearing the configuration file: /config/registry/passwd
    Clearing the configuration file: /config/registry/config.yml
    Clearing the configuration file: /config/registryctl/env
    Clearing the configuration file: /config/registryctl/config.yml
    Clearing the configuration file: /config/db/env
    Clearing the configuration file: /config/jobservice/env
    Clearing the configuration file: /config/jobservice/config.yml
    Generated configuration file: /config/portal/nginx.conf
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/registryctl/config.yml
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    loaded secret from file: /data/secret/keys/secretkey
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir
    
    
    
    [Step 5]: starting Harbor ...
    Creating harbor-log ... done
    Creating registry      ... done
    Creating harbor-db     ... done
    Creating registryctl   ... done
    Creating harbor-portal ... done
    Creating redis         ... done
    Creating harbor-core   ... done
    Creating harbor-jobservice ... done
    Creating nginx             ... done
    ✔ ----Harbor has been installed and started successfully.----
    
    

    2.7 Test access in a browser

    • Note:

      The domain harbor.scajy.cn used here has no DNS record, so it must be mapped in the hosts file for access to work.

    • Browser access
      [screenshot]
      User: admin
      Password: Aa123456
      [screenshot]

    3. Configure an HTTPS deployment of Harbor

    3.1 Generate the SSL certificate for Harbor

    [screenshot]

    3.2 Edit the Harbor configuration file to enable HTTPS

    • Create the certificate directory (the listing below shows the key file with mode 0644; a private key should be readable only by its owner, e.g. chmod 600)

      [root@harbor harbor]# mkdir -p /root/harbor/ssl/
      [root@harbor harbor]# ll -a /root/harbor/ssl/
      total 8
      drwxr-xr-x 2 root root   62 Oct 18 03:55 .
      drwxr-xr-x 4 root root  191 Oct 18 03:56 ..
      -rw-r--r-- 1 root root 1732 Oct 18 03:55 harbor.scajy.org.key
      -rw-r--r-- 1 root root 3755 Oct 18 03:55 harbor.scajy.org.pem
      
      
    • Settings to enable

      https:
        # https port for harbor, default is 443
        port: 443
        # The path of cert and key files for nginx
        certificate: /root/harbor/ssl/harbor.scajy.org.pem
        private_key: /root/harbor/ssl/harbor.scajy.org.key
      
    • Edit the harbor.yml configuration file

      [root@harbor harbor]# vim harbor.yml
      [root@harbor harbor]# cat harbor.yml
      # Configuration file of Harbor
      
      # The IP address or hostname to access admin UI and registry service.
      # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
      hostname: harbor.scajy.org
      
      # http related config
      http:
        # port for http, default is 80. If https enabled, this port will redirect to https port
        port: 80
      
      # https related config
      https:
        # https port for harbor, default is 443
        port: 443
        # The path of cert and key files for nginx
        certificate: /root/harbor/ssl/harbor.scajy.org.pem
        private_key: /root/harbor/ssl/harbor.scajy.org.key
      
      # # Uncomment following will enable tls communication between all harbor components
      # internal_tls:
      #   # set enabled to true means internal tls is enabled
      #   enabled: true
      #   # put your cert and key files on dir
      #   dir: /etc/harbor/tls/internal
      
      # Uncomment external_url if you want to enable external proxy
      # And when it enabled the hostname will no longer used
      # external_url: https://reg.mydomain.com:8433
      
      # The initial password of Harbor admin
      # It only works in first time to install harbor
      # Remember Change the admin password from UI after launching Harbor.
      harbor_admin_password: Aa123456
      
      # Harbor DB configuration
      database:
        # The password for the root user of Harbor DB. Change this before any production use.
        password: root123
        # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
        max_idle_conns: 50
        # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
        # Note: the default number of connections is 1024 for postgres of harbor.
        max_open_conns: 1000
      
      # The default data volume
      data_volume: /data
      
      # Harbor Storage settings by default is using /data dir on local filesystem
      # Uncomment storage_service setting If you want to using external storage
      # storage_service:
      #   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
      #   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
      #   ca_bundle:
      
      #   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
      #   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
      #   filesystem:
      #     maxthreads: 100
      #   # set disable to true when you want to disable registry redirect
      #   redirect:
      #     disabled: false
      
      # Clair configuration
      clair:
        # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
        updaters_interval: 12
      
      # Trivy configuration
      #
      # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
      # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
      # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
      # should download a newer version from the Internet or use the cached one. Currently, the database is updated every
      # 12 hours and published as a new release to GitHub.
      trivy:
        # ignoreUnfixed The flag to display only fixed vulnerabilities
        ignore_unfixed: false
        # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
        #
        # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
        # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
        # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
        skip_update: false
        #
        # insecure The flag to skip verifying registry certificate
        insecure: false
        # github_token The GitHub access token to download Trivy DB
        #
        # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
        # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
        # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
        # https://developer.github.com/v3/#rate-limiting
        #
        # You can create a GitHub token by following the instructions in
        # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
        #
        # github_token: xxx
      
      jobservice:
        # Maximum number of job workers in job service
        max_job_workers: 10
      
      notification:
        # Maximum retry count for webhook job
        webhook_job_max_retry: 10
      
      chart:
        # Change the value of absolute_url to enabled can enable absolute url in chart
        absolute_url: disabled
      
      # Log configurations
      log:
        # options are debug, info, warning, error, fatal
        level: info
        # configs for logs in local storage
        local:
          # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
          rotate_count: 50
          # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
          # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
          # are all valid.
          rotate_size: 200M
          # The directory on your host that store log
          location: /var/log/harbor
      
        # Uncomment following lines to enable external syslog endpoint.
        # external_endpoint:
        #   # protocol used to transmit log to external endpoint, options is tcp or udp
        #   protocol: tcp
        #   # The host of external endpoint
        #   host: localhost
        #   # Port of external endpoint
        #   port: 5140
      
      #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
      _version: 2.0.0
      
      # Uncomment external_database if using external database.
      # external_database:
      #   harbor:
      #     host: harbor_db_host
      #     port: harbor_db_port
      #     db_name: harbor_db_name
      #     username: harbor_db_username
      #     password: harbor_db_password
      #     ssl_mode: disable
      #     max_idle_conns: 2
      #     max_open_conns: 0
      #   clair:
      #     host: clair_db_host
      #     port: clair_db_port
      #     db_name: clair_db_name
      #     username: clair_db_username
      #     password: clair_db_password
      #     ssl_mode: disable
      #   notary_signer:
      #     host: notary_signer_db_host
      #     port: notary_signer_db_port
      #     db_name: notary_signer_db_name
      #     username: notary_signer_db_username
      #     password: notary_signer_db_password
      #     ssl_mode: disable
      #   notary_server:
      #     host: notary_server_db_host
      #     port: notary_server_db_port
      #     db_name: notary_server_db_name
      #     username: notary_server_db_username
      #     password: notary_server_db_password
      #     ssl_mode: disable
      
      # Uncomment external_redis if using external Redis server
      # external_redis:
      #   # support redis, redis+sentinel
      #   # host for redis: <host_redis>:<port_redis>
      #   # host for redis+sentinel:
      #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
      #   host: redis:6379
      #   password:
      #   # sentinel_master_set must be set to support redis+sentinel
      #   #sentinel_master_set:
      #   # db_index 0 is for core, it's unchangeable
      #   registry_db_index: 1
      #   jobservice_db_index: 2
      #   chartmuseum_db_index: 3
      #   clair_db_index: 4
      #   trivy_db_index: 5
      #   idle_timeout_seconds: 30
      
      # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
      # uaa:
      #   ca_file: /path/to/ca
      
      # Global proxy
      # Config http proxy for components, e.g. http://my.proxy.com:3128
      # Components doesn't need to connect to each others via http proxy.
      # Remove component from `components` array if want disable proxy
      # for it. If you want use proxy for replication, MUST enable proxy
      # for core and jobservice, and set `http_proxy` and `https_proxy`.
      # Add domain to the `no_proxy` field, when you want disable proxy
      # for some special registry.
      proxy:
        http_proxy:
        https_proxy:
        no_proxy:
        components:
          - core
          - jobservice
          - clair
          - trivy
      
      

    3.3 Regenerate the configuration

    After editing harbor.yml, run ./prepare in the install directory. It re-renders the per-component files under common/config/ (nginx, core, registry, registryctl, jobservice, log) and the docker-compose.yml from harbor.yml; the existing secret key in /data/secret/keys/secretkey is reused rather than regenerated, as the "loaded secret from file" line shows.

    [root@harbor harbor]# ./prepare 
    prepare base dir is set to /root/harbor
    Clearing the configuration file: /config/portal/nginx.conf
    Clearing the configuration file: /config/log/logrotate.conf
    Clearing the configuration file: /config/log/rsyslog_docker.conf
    Clearing the configuration file: /config/nginx/nginx.conf
    Clearing the configuration file: /config/core/env
    Clearing the configuration file: /config/core/app.conf
    Clearing the configuration file: /config/registry/passwd
    Clearing the configuration file: /config/registry/config.yml
    Clearing the configuration file: /config/registryctl/env
    Clearing the configuration file: /config/registryctl/config.yml
    Clearing the configuration file: /config/db/env
    Clearing the configuration file: /config/jobservice/env
    Clearing the configuration file: /config/jobservice/config.yml
    Generated configuration file: /config/portal/nginx.conf
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/registryctl/config.yml
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    loaded secret from file: /data/secret/keys/secretkey
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir
    

    3.4 Restart the Harbor service

    Settings from common/config/ are applied when the containers are created, so the stack is taken down and brought up again rather than restarted. The "Network harbor_harbor not found" warning only means no compose project was running at that moment. Without -d, docker-compose up stays in the foreground and streams the container logs; use docker-compose up -d to return to the shell.

    [root@harbor harbor]# docker-compose  down
    Removing network harbor_harbor
    WARNING: Network harbor_harbor not found.
    [root@harbor harbor]# docker-compose up
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log ... done
    Creating harbor-db     ... done
    Creating redis         ... done
    Creating harbor-portal ... done
    Creating registryctl   ... done
    Creating registry      ... done
    Creating harbor-core   ... done
    Creating nginx             ... done
    Creating harbor-jobservice ... done
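The reload in 3.3 and 3.4 as one script, added here as an example that is not part of the original post or of the Harbor project. Before touching the running stack it audits the active (uncommented) settings in harbor.yml for choices that weaken the deployment: the template default admin password Harbor12345, ssl_mode: disable on an external database, trivy.insecure: true, trivy.skip_update: true, an empty password under external_redis, and debug logging. Only a clean audit proceeds to ./prepare, docker-compose down and docker-compose up -d. The install directory /root/harbor, the function names and the sample fragment are assumptions; the sample harbor.yml is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or the Harbor project): audit harbor.yml,
# then re-render the configs and recreate the containers (sections 3.3/3.4).

# Print a WARN line for each weak setting that is *active* in harbor.yml.
# Returns 0 when clean, 1 when at least one finding was printed.
harbor_yml_audit() {
  file="$1"
  # Drop full-line comments, trailing comments and blank lines first, so the
  # commented-out defaults shipped in the template never count as findings.
  active=$(sed -e 's/^[[:space:]]*#.*$//' -e 's/[[:space:]]#.*$//' \
               -e '/^[[:space:]]*$/d' "$file")
  findings=0
  # Rule table: extended regex | message. Keys are matched at any indentation,
  # so an empty "password:" under external_redis is caught as well.
  while IFS='|' read -r pattern message; do
    if printf '%s\n' "$active" | grep -Eq "$pattern"; then
      echo "WARN: $message"
      findings=$((findings + 1))
    fi
  done <<'RULES'
^[[:space:]]*harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$|harbor_admin_password is still the template default Harbor12345
^[[:space:]]*ssl_mode:[[:space:]]*disable[[:space:]]*$|an external database is used with ssl_mode: disable (credentials cross the network in clear)
^[[:space:]]*insecure:[[:space:]]*true[[:space:]]*$|trivy.insecure: true skips registry certificate verification
^[[:space:]]*skip_update:[[:space:]]*true[[:space:]]*$|trivy.skip_update: true, the vulnerability DB will not refresh unless you mount it yourself
^[[:space:]]*password:[[:space:]]*$|a password: key has no value (an external Redis reachable without a password)
^[[:space:]]*level:[[:space:]]*debug[[:space:]]*$|log.level: debug, request details end up in the logs
RULES
  [ "$findings" -eq 0 ]
}

# Re-render common/config/* and docker-compose.yml from harbor.yml and
# recreate the containers. The env files are read when a container is
# created, so a plain "docker-compose restart" would keep the old settings.
harbor_reload() {
  dir="${1:-/root/harbor}"   # assumed install directory, as used on this page
  if ! harbor_yml_audit "$dir/harbor.yml"; then
    echo "refusing to reload $dir: fix the findings above first" >&2
    return 1
  fi
  ( cd "$dir" && ./prepare && docker-compose down && docker-compose up -d )
}

# Constructed sample with two weak settings, to show the audit offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname: harbor.example.com
harbor_admin_password: Harbor12345
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: true          # trailing comment is ignored by the audit
# external_redis:
#   password:             # commented out: does not count
log:
  level: info
EOF
harbor_yml_audit "$sample" || echo "audit flagged weak settings in $sample"
rm -f "$sample"
```

If Harbor is managed by the systemd unit from section 4, replace the down/up pair in harbor_reload with systemctl restart harbor so that systemd does not fight the manual compose run.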
    

    3.5 Verify

    (screenshot not reproduced in this copy)

    4. Configure Harbor to start at boot

    • Write the systemd service unit (docker-compose up is deliberately run in the foreground: with Type=simple the unit stays active as long as compose does, and ExecStop runs docker-compose down)

      [root@harbor harbor]# vi /usr/lib/systemd/system/harbor.service
      [Unit]
      Description=Harbor
      After=docker.service systemd-networkd.service systemd-resolved.service
      Requires=docker.service
      Documentation=http://github.com/vmware/harbor
      [Service]
      Type=simple
      Restart=on-failure
      RestartSec=5
      ExecStart=/usr/local/bin/docker-compose -f /root/harbor/docker-compose.yml up
      ExecStop=/usr/local/bin/docker-compose -f /root/harbor/docker-compose.yml down
      [Install]
      WantedBy=multi-user.target
      
    • Start it as a system service

      [root@harbor harbor]# /bin/systemctl start harbor
      
    • Check that it is running (the docker-proxy entries on 0.0.0.0:80 and :443 are the ports published by the nginx container; 127.0.0.1:1514 is the harbor-log syslog receiver and is bound to loopback only)

      [root@harbor harbor]# netstat -lntup
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
      tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      31337/docker-proxy  
      tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1225/sshd           
      tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1384/master         
      tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      31308/docker-proxy  
      tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      30631/docker-proxy  
      tcp6       0      0 :::80                   :::*                    LISTEN      31343/docker-proxy  
      tcp6       0      0 :::22                   :::*                    LISTEN      1225/sshd           
      tcp6       0      0 ::1:25                  :::*                    LISTEN      1384/master         
      tcp6       0      0 :::443                  :::*                    LISTEN      31316/docker-proxy  
      udp        0      0 127.0.0.1:323           0.0.0.0:*                           929/chronyd         
      udp6       0      0 ::1:323                 :::*                                929/chronyd         
      [root@harbor harbor]# /bin/systemctl status harbor
      ● harbor.service - Harbor
         Loaded: loaded (/usr/lib/systemd/system/harbor.service; disabled; vendor preset: disabled)
         Active: active (running) since Fri 2021-11-12 10:37:05 CST; 11s ago
           Docs: http://github.com/vmware/harbor
       Main PID: 30558 (docker-compose)
          Tasks: 12
         Memory: 46.7M
         CGroup: /system.slice/harbor.service
                 ├─30558 /usr/local/bin/docker-compose -f /root/harbor/docker-compose.yml up
                 └─30559 /usr/local/bin/docker-compose -f /root/harbor/docker-compose.yml up
      
      Nov 12 10:37:07 harbor docker-compose[30558]: Creating harbor-jobservice ...
      Nov 12 10:37:08 harbor docker-compose[30558]: [216B blob data]
      Nov 12 10:37:08 harbor docker-compose[30558]: registry       | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: harbor-portal  | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: redis          | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: harbor-db      | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: registryctl    | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: harbor-core    | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: harbor-jobservice | WARNING: no logs are available with the 'syslog' log driver
      Nov 12 10:37:08 harbor docker-compose[30558]: nginx          | WARNING: no logs are available with the 'syslog' log driver
      
    • Enable it at boot

      [root@harbor harbor]# /bin/systemctl enable harbor
      Created symlink from /etc/systemd/system/multi-user.target.wants/harbor.service to /usr/lib/systemd/system/harbor.service.
      
    • Stop the Harbor service

      [root@harbor harbor]# /bin/systemctl stop harbor
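The netstat check above only proves that docker-proxy has published ports 80 and 443; nginx answering on 443 does not mean core, the database or Redis are up. Harbor 2.0 exposes an unauthenticated health endpoint, GET /api/v2.0/health, that returns the overall status and one entry per component. The following is an added example, not code from the post or from the Harbor project: it polls that endpoint after systemctl start harbor and lists the components reported unhealthy. The function names, the HARBOR_URL and HARBOR_CA variables and the sample response are assumptions; the sample JSON is constructed, in the compact form and field order (name, status, error) the API emits.

```shell
#!/bin/sh
# Added example (not from the post or the Harbor project): verify a started
# Harbor through GET /api/v2.0/health instead of only looking at netstat.

# Overall "status" field of a health response body ("healthy"/"unhealthy").
harbor_health_status() {
  printf '%s' "$1" | sed -n 's/^{"status":"\([a-z]*\)".*/\1/p'
}

# One line per component whose own status is "unhealthy". Each component is
# {"name":...,"status":...,"error":...}; splitting on "{" yields one object
# per line, and the top-level object carries no "name", so sed skips it.
harbor_unhealthy_components() {
  printf '%s' "$1" | tr '{' '\n' | grep '"unhealthy"' \
    | sed -n 's/.*"name":"\([^"]*\)".*/\1/p'
}

# Poll the endpoint until it reports healthy or $2 seconds have passed.
# $3 is an optional CA bundle for a self-signed Harbor certificate: pass the
# CA instead of using "curl -k", which would also accept an impostor.
harbor_wait_healthy() {
  url="$1"; remaining="${2:-60}"; cafile="${3:-}"
  body=''
  while [ "$remaining" -gt 0 ]; do
    # -f turns nginx's 502 (core still starting) into a failure, not a body.
    if [ -n "$cafile" ]; then
      body=$(curl -fsS --cacert "$cafile" "$url/api/v2.0/health" 2>/dev/null) || body=''
    else
      body=$(curl -fsS "$url/api/v2.0/health" 2>/dev/null) || body=''
    fi
    if [ "$(harbor_health_status "$body")" = "healthy" ]; then
      echo "harbor at $url is healthy"
      return 0
    fi
    sleep 5
    remaining=$((remaining - 5))
  done
  echo "harbor at $url not healthy; components reported unhealthy:" >&2
  harbor_unhealthy_components "$body" >&2
  return 1
}

# Constructed sample of the response when Redis is down; parsed offline.
SAMPLE_HEALTH='{"status":"unhealthy","components":[{"name":"core","status":"healthy"},{"name":"database","status":"healthy"},{"name":"redis","status":"unhealthy","error":"dial tcp 127.0.0.1:6379: connect: connection refused"}]}'
echo "sample status: $(harbor_health_status "$SAMPLE_HEALTH")"
echo "sample unhealthy components: $(harbor_unhealthy_components "$SAMPLE_HEALTH" | tr '\n' ' ')"

# Live use after "systemctl start harbor", e.g. HARBOR_URL=https://harbor.example.com
if [ -n "${HARBOR_URL:-}" ]; then
  harbor_wait_healthy "$HARBOR_URL" 120 "${HARBOR_CA:-}"
fi
```

Run it with HARBOR_URL set (and HARBOR_CA pointing at the CA that signed the Harbor certificate when you use your own CA) right after the systemctl start; a non-zero exit with the component list is a better signal for a deployment pipeline than a green netstat.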
      
  • Original article: https://www.cnblogs.com/scajy/p/15671928.html