zoukankan      html  css  js  c++  java

  • 十三、搭建SSL的私有harbor仓库

    一、实验环境

      
    System OS: CentOS Linux release 7.6.1810 (Core)
docker version: Docker version 20.10.1

node1 192.168.32.211 docker+harbor
node2 192.168.32.212 docker

harbor软件版本:
harbor-offline-installer-v2.1.2

    二、部署ssl的私有harbor仓库

    1、安装docker

    #下载docker-ce的yum源
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
#把docker-ce源的地址修改为清华源的地址
sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
#更新docker-ce.repo
yum makecache fast
#安装docker-ce
yum install -y docker-ce

    2、安装Docker Compose

    方法一:
https://github.com/docker/compose/releases
方法二:
yum install -y docker-compose

[root@node1 ~]# docker-compose -v
docker-compose version 1.18.0, build 8dd22a9

    3、部署Harbor HTTP 

    #上传harbor-offline-installer-v2.1.2.tgz
cd /app
tar harbor-offline-installer-v2.1.2.tgz
cd harbor 
cp harbor.yml.tmpl harbor.yml 

########################################harbor.yml配置文件######################################
vim harbor.yml 
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.32.211

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
#  port: 443
  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: 123456
......
####################################end###################################################


./prepare 

./install.sh
    [root@node1 harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                   PORTS                       NAMES
4289e237bf1e   goharbor/harbor-jobservice:v2.1.2    "/harbor/entrypoint.…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-jobservice
775f3d56527f   goharbor/nginx-photon:v2.1.2         "nginx -g 'daemon of…"   3 minutes ago   Up 3 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
3fa161a8dd62   goharbor/harbor-core:v2.1.2          "/harbor/entrypoint.…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-core
518b19e39709   goharbor/harbor-registryctl:v2.1.2   "/home/harbor/start.…"   3 minutes ago   Up 3 minutes (healthy)                               registryctl
decebb8bffd5   goharbor/harbor-db:v2.1.2            "/docker-entrypoint.…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-db
0393da381782   goharbor/redis-photon:v2.1.2         "redis-server /etc/r…"   3 minutes ago   Up 3 minutes (healthy)                               redis
8aac2bb9c083   goharbor/registry-photon:v2.1.2      "/home/harbor/entryp…"   3 minutes ago   Up 3 minutes (healthy)                               registry
48b17d48e306   goharbor/harbor-portal:v2.1.2        "nginx -g 'daemon of…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-portal
25e5d96537ca   goharbor/harbor-log:v2.1.2           "/bin/sh -c /usr/loc…"   3 minutes ago   Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

    4、生成SSL证书

    4.1搭建CA服务器

    CA服务器上操作,本操作为node1

      
    #安装openssl
yum -y install openssl 
#openssl配置文件信息
#####################################################
 vim /etc/pki/tls/openssl.cnf 
[CA_default]
dir  :ca的工作目录变量。被下方参数引用(注意:centos5上,此参数要改成绝对路径,不能用相对路径);
certs    :证书存放位置;
crl_dir     :吊销证书的存放位置;
database    :索引文件数据库。签署的所有证书索引文件。自动生成;
new_certs_dir    :刚签署的证书存放位置;
certificate       :ca自己的证书位置;
serial        :下一个证书的编号;
crlnumber         :已吊销证书的证书编号;
crl        :当前正在使用的证书吊销列表文件;
private_key        :ca自己的私钥,安全性很高(可以加密私钥位置文件,让别人拿到也看不了。但是每次使用都得
解密);
##################################end###############################


#进入CA的工作目录
mkdir /harbor_CA
cd /harbor_CA
#创建自己的CA证书(不使用第三方权威机构的CA来认证,自己充当CA的角色)
(umask 077; openssl genrsa -out ca.key 2048) 
生成自签名证书(使用已有私钥cakey.pem自行签发根证书)
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt 

###########################需要填写的信息#############################
Country Name (2 letter code) [XX]:CN          #国家代码
State or Province Name (full name) []:SC      #所在省份
Locality Name (eg, city) [Default City]:CD    #所在城市 
Organization Name (eg, company) [Default Company Ltd]:test    #机构名称
Organizational Unit Name (eg, section) []:test   #部门名称
Common Name (eg, your name or your server's hostname) []:www.ywx.com  #主机名称(重要)
Email Address []:test@163.com    #邮箱地址
#########################end############################################

cd /harbor_CA 
#创建索引文件
touch index.txt 
#证书编号位置
touch serial 
#自定义开始证书编号
echo 01 > serial 
#已吊销证书编号文件
touch crlnumber

    4.2为harbor生成证书请求文件

    本操作为node1

    #创建证书目录并进入
mkdir /root/harbor_ssl
cd /root/harbor_ssl
#生成harbor私钥
(umask 077; openssl genrsa -out harbor.key 1024) 
#根据私钥,创建证书申请文件
 openssl req -new -nodes -key /root/harbor_ssl/harbor.key -out /root/harbor_ssl/harbor.csr  -days 365 
 
 ###########################填写信息############################
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     #国家代码
State or Province Name (full name) []:SC   #所在省份
Locality Name (eg, city) [Default City]:SC  #所在城市 
Organization Name (eg, company) [Default Company Ltd]:TEST  #机构名称
Organizational Unit Name (eg, section) []:TEST  #部门名称
Common Name (eg, your name or your server's hostname) []:www.ywx.com   #主机名称(重要)
Email Address []:test@163.com   #邮箱地址

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    #空
An optional company name []:   #空
[root@node1 harbor_ssl]# 
#############################end###################################

    4.3 将harbor证书申请文件复制到CA服务器上,有CA进行数字签名

    本操作在node1

    生成注册表主机的证书

    1) 如果您使用的是像reg.yourdomain.com这样的FQDN 来连接您的注册表主机,请运行以下命令以生成注册表主机的证书:

    openssl x509 -req -days 365 -in yourdomain.com.csr -CA /harbor_CA/ca.crt -CAkey /harbor_CA/ca.key -CAcreateserial -out yourdomain.com.crt

    2) 如果你使用IP,比如192.168.32.211来连接你的注册表主机,你可以运行下面的命令:

    echo subjectAltName = IP:192.168.32.211 > extfile.cnf
openssl x509 -req -in /root/harbor_ssl/harbor.csr -CA /harbor_CA/ca.crt -CAkey /harbor_CA/ca.key -CAcreateserial -extfile /root/harbor_ssl/extfile.cnf -days 365 -out /root/harbor_ssl/harbor.crt

    拷贝回harbor主机

    4.4修改harbar的配置文件并重新安装部署

    本操作在node1

      
    #配置文件修改
 cd /app/harbor/
 vim harbor.yaml
 ##############################配置文件修改##################
 # Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.32.211

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/harbor_ssl/harbor.crt
  private_key: /root/harbor_ssl/harbor.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: 123456
。。。。
###########################################end###################################

#重新部署https的harbor
./prepare 
./install.sh
#重启harbor的容器
docker-compose  down 
docker-compose  up -d

    5、访问测试

    6、把harbor.crt证书拷贝到docker主机

    本操作在node2

    在具有Docker守护进程的机器上,确保选项“-insecure-registry”不存在,并且您必须将上述步骤中生成的harbor.crt复制到/etc/docker/certs.d/reg.yourdomain.com(或您的注册表主机IP),如果该目录不存在,请创建它。如果您将nginx端口443映射到另一个端口,则应改为创建/etc/docker/certs.d/reg.yourdomain.com:port(或您的注册表主机IP:端口)目录。然后运行任何docker命令来验证设置。

    #创建证书目录
[root@node2 docker]# mkdir -p /etc/docker/certs.d/192.168.32.211
#从192.168.32.211上拉取harbor.crt证书
[root@node2 docker]# cd /etc/docker/certs.d/192.168.32.211
[root@node2 192.168.32.211]# scp -r 192.168.32.211:/root/harbor_ssl/harbor.crt ./
[root@node2 192.168.32.211]# ls
harbor.crt

#重启docker
[root@node2 192.168.32.211]# systemctl restart docker

    7、上传/下载镜像测试

    本操作在node2

    上传镜像文件

      
    [root@node2 ~]# docker login https://192.168.32.211
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded


[root@node2 ~]# docker tag busybox:latest 192.168.32.211/library/busybox:latest
[root@node2 ~]# docker push 192.168.32.211/library/busybox:latest
The push refers to repository [192.168.32.211/library/busybox]
de168d3b8ec4: Pushed 
latest: digest: sha256:31a54a0cf86d7354788a8265f60ae6acb4b348a67efbcf7c1007dd3cf7af05ab size: 527

    下载镜像文件

    [root@node2 ~]# docker rmi 192.168.32.211/busybox
Untagged: 192.168.32.211/busybox:latest
[root@node2 ~]# docker rmi 192.168.32.211/library/busybox
Untagged: 192.168.32.211/library/busybox:latest
Untagged: 192.168.32.211/library/busybox@sha256:31a54a0cf86d7354788a8265f60ae6acb4b348a67efbcf7c1007dd3cf7af05ab
[root@node2 ~]# docker images
REPOSITORY             TAG       IMAGE ID       CREATED       SIZE
192.168.32.211/nginx   latest    ae2feff98a0c   9 days ago    133MB
nginx                  latest    ae2feff98a0c   9 days ago    133MB
busybox                latest    219ee5171f80   3 weeks ago   1.23MB

下载镜像文件
[root@node2 ~]# docker pull 192.168.32.211/library/busybox:latest
latest: Pulling from library/busybox
Digest: sha256:31a54a0cf86d7354788a8265f60ae6acb4b348a67efbcf7c1007dd3cf7af05ab
Status: Downloaded newer image for 192.168.32.211/library/busybox:latest
192.168.32.211/library/busybox:latest
[root@node2 ~]# docker images
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
192.168.32.211/nginx             latest    ae2feff98a0c   9 days ago    133MB
nginx                            latest    ae2feff98a0c   9 days ago    133MB
192.168.32.211/library/busybox   latest    219ee5171f80   3 weeks ago   1.23MB
busybox                          latest    219ee5171f80   3 weeks ago   1.23MB
  • 相关阅读:
    网络测量中基于Sketch方法的简单介绍
    Reading SBAR SDN flow-Based monitoring and Application Recognition
    Reading Meticulous Measurement of Control Packets in SDN
    Reading SketchVisor Robust Network Measurement for Sofeware Packet Processing
    ovs加dpdk在日志中查看更多运行细节的方法
    后缀数组
    (转载)LCA问题的Tarjan算法
    Codeforces Intel Code Challenge Final Round (Div. 1 + Div. 2, Combined) A. Checking the Calendar(水题)
    Vijos 1816统计数字(计数排序)
    卡特兰数
  • 原文地址:https://www.cnblogs.com/yaokaka/p/14188993.html
Copyright © 2011-2022 走看看