zoukankan      html  css  js  c++  java

  • Harbor私有镜像仓库(上)

    Harbor私有镜像仓库(上)

    链接:https://pan.baidu.com/s/1MAb0dllUwmoOk7TeVCZOVQ
    提取码:ldt5
    复制这段内容后打开百度网盘手机App,操作更方便哦

    1. Harbor简介

    • VMware的开源项目https://github.com/vmware/harbor
    • Harbor可帮助用户迅速搭建企业级的注册服务。它提供了管理图形界面,基于角色的访问控制(Role Based Access Control),镜像远程复制(同步),AD/LDAP集成,以及审计日志等企业用户需求的功能,同时还原生支持中文,深受中国用户的喜爱。
    • 该项目自推出以来,在GitHub获得了超过3300多个star和900多个forks。

    1.1 基于角色的访问控制

    用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。

    1.2 图形化用户界面

    用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间

    1.3 审计管理

    所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。

    1.4 国际化

    基于英文与中文语言进行了本地化。可以增加更多的语言支持。

    1.5 RESTful API:

    提供给管理员对于Harbor更多的操控,使得与其他管理软件集成变得更容易。

    1.6 LDAP认证

    1.7 镜像复制

    基于策略的Docker镜像复制功能,可在不同的数据中心,不同的运行环境之间同步镜像,并提供友好的管理界面,大大简化了实际运维中的镜像管理工作。

    1.8 与Clair集成

    与Clair集成,添加漏洞扫描功能。Clair是coreos开源的容器漏洞扫描工具,在容器逐渐普及的今天,容器镜像安全问题日益严重。Clair是目前少数的开源安全扫描工具。

    1.9 Notary签名工具

    Notary是Docker镜像的签名工具,用来保证镜像在pull,push和传输工程中的一致性和完整性,避免中间人攻击,避免非法的镜像更新和运行。

    2. 为Harbor签发域名证书

    openssl是目前最流行的SSL密码库工具,提供了一个通用,功能完备的工具套件,用以支持SSL/TLS协议的实现。
    官网:https://www.openssl.org/source/

    环境准备

    主机名 IP 用途 最小资源配比 最佳资源配比
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB 
    [root@Harbor-master ~]# hostname -I
192.168.200.16 
[root@Harbor-master ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@Harbor-master ~]# uname -r
3.10.0-957.12.1.el7.x86_64

    官方文档:https://github.com/vmware/harbor/blob/master/docs/configure_https.md

    #创建自己的CA证书
[root@Harbor-master ~]# mkdir -p /data/ssl
[root@Harbor-master ~]# cd /data/ssl/
[root@Harbor-master ssl]# which openssl
/usr/bin/openssl

[root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
......++
.....................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:

    #生成证书签名请求
[root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
Generating a 4096 bit RSA private key
...........................................................................................................................................................................................++
............++
writing new private key to 'www.yunjisuan.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

    #生成注册表主机的证书
[root@Harbor-master ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
Getting CA Private Key

#查看证书情况
[root@Harbor-master ssl]# ll
总用量 24
-rw-r--r-- 1 root root 2049 7月  24 14:43 ca.crt
-rw-r--r-- 1 root root 3272 7月  24 14:43 ca.key
-rw-r--r-- 1 root root   17 7月  24 14:45 ca.srl
-rw-r--r-- 1 root root 1931 7月  24 14:45 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 1716 7月  24 14:45 www.yunjisuan.com.csr
-rw-r--r-- 1 root root 3272 7月  24 14:45 www.yunjisuan.com.key

    3. 信任自签发的域名证书

    由于CA证书是我们自己签发的Linux操作系统是不信任的,因此我们需要把证书加入到系统的信任证书里

    #将自签ca证书添加到系统信任
[root@Harbor-master ssl]# pwd
/data/ssl
[root@Harbor-master ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
[root@Harbor-master ssl]# ll /etc/pki/ca-trust/source/anchors/
总用量 4
-rw-r--r-- 1 root root 1931 7月  24 14:49 www.yunjisuan.com.crt

#让系统ca信任设置立刻生效
[root@Harbor-master ssl]# update-ca-trust enable
[root@Harbor-master ssl]# update-ca-trust extract

    4.Harbor 1.4 版本配置与安装

    4.1 安装docker-ce社区版

    [root@Harbor-master ssl]# sestatus
SELinux status:                 disabled
[root@Harbor-master ssl]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@Harbor-master ssl]# rpm -qa yum-utils device-mapper-persistent-data lvm2
yum-utils-1.1.31-50.el7.noarch
device-mapper-persistent-data-0.7.3-3.el7.x86_64
lvm2-2.02.180-10.el7_6.8.x86_64

    [root@Harbor-master ssl]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2424  100  2424    0     0    112      0  0:00:21  0:00:21 --:--:--   686

[root@Harbor-master ssl]# yum -y install docker-ce
[root@Harbor-master ssl]# systemctl start docker
[root@Harbor-master ssl]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

    [root@Harbor-master ssl]# docker version
Client: Docker Engine - Community
 Version:           19.03.0
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        aeac9490dc
 Built:             Wed Jul 17 18:15:40 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.0
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       aeac9490dc
  Built:            Wed Jul 17 18:14:16 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

    4.2 下载并安装harbor私有仓库

    #创建harbor的证书目录,并复制
[root@Harbor-master ssl]# mkdir -p /etc/ssl/harbor
[root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
[root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
[root@Harbor-master ssl]# ll /etc/ssl/harbor/
总用量 8
-rw-r--r-- 1 root root 1931 7月  24 15:43 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 3272 7月  24 15:43 www.yunjisuan.com.key

    #创建harbor下载目录并下载harbor-offline-installer-v1.5.0.tgz
[root@Harbor-master ~]# mkdir -p /data/install
[root@Harbor-master ~]# cd /data/install/
[root@Harbor-master install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# ls
harbor-offline-installer-v1.5.0.tgz

    [root@Harbor install]# tar xf harbor-offline-installer-v1.5.0.tgz 
[root@Harbor install]# ls
harbor  harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# cd harbor
[root@Harbor harbor]# ll
总用量 854960
drwxr-xr-x 3 root root        23 7月  16 22:29 common        #模板目录
-rw-r--r-- 1 root root      1185 5月   2 23:34 docker-compose.clair.yml
-rw-r--r-- 1 root root      1725 5月   2 23:34 docker-compose.notary.yml
-rw-r--r-- 1 root root      3596 5月   2 23:34 docker-compose.yml
drwxr-xr-x 3 root root       156 5月   2 23:34 ha            #harbor高可用配置
-rw-r--r-- 1 root root      6687 5月   2 23:34 harbor.cfg    #harbor配置文件
-rw-r--r-- 1 root root 875401338 5月   2 23:36 harbor.v1.5.0.tar.gz
-rwxr-xr-x 1 root root      5773 5月   2 23:34 install.sh
-rw-r--r-- 1 root root     10771 5月   2 23:34 LICENSE
-rw-r--r-- 1 root root       482 5月   2 23:34 NOTICE
-rwxr-xr-x 1 root root     27379 5月   2 23:34 prepare

    [root@Harbor harbor]# cp harbor.cfg{,.bak}
#修改harbor.cfg配置文件
[root@Harbor harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p'
     7  hostname = reg.mydomain.com             #要修改成我们证书的域名
    11  ui_url_protocol = http                  #启用加密传输协议https
    23  ssl_cert = /data/cert/server.crt        #证书的位置
    24  ssl_cert_key = /data/cert/server.key    #证书密钥位置
    68  harbor_admin_password = Harbor12345     #默认管理员及密码


#修改成如下配置
[root@Harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
     7  hostname = www.yunjisuan.com
    11  ui_url_protocol = https
    23  ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
    24  ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
    68  harbor_admin_password = Harbor12345

    #安装命令docker-compose(需要1.21版本)
[root@Harbor-master harbor]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   617    0   617    0     0    519      0 --:--:--  0:00:01 --:--:--   519
100 10.3M  100 10.3M    0     0   354k      0  0:00:29  0:00:29 --:--:--  494k

[root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
-rw-r--r-- 1 root root 10858808 7月  24 17:30 /usr/local/bin/docker-compose
[root@Harbor-master harbor]# chmod +x /usr/local/bin/docker-compose
[root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
-rwxr-xr-x 1 root root 10858808 7月  24 17:30 /usr/local/bin/docker-compose
[root@Harbor-master harbor]# which docker-compose
/usr/local/bin/docker-compose

[root@Harbor-master harbor]# docker-compose --version
docker-compose version 1.21.2, build a133471

    #安装harbor私有镜像仓库
[root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
#--with-notary启用镜像签名;--with-clair启用漏洞扫描
 
#查看harbor启动的镜像
[root@Harbor-master harbor]# docker ps -a
CONTAINER ID        IMAGE                                       COMMAND                  CREATED             STATUS                             PORTS                                                              NAMES
3b0f60eb2260        vmware/harbor-jobservice:v1.5.0             "/harbor/start.sh"       23 seconds ago      Up 15 seconds                                                                                         harbor-jobservice
005954f3ec5c        vmware/nginx-photon:v1.5.0                  "nginx -g 'daemon of…"   23 seconds ago      Up 21 seconds (health: starting)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
e5a4e4d0cf56        vmware/notary-server-photon:v0.5.1-v1.5.0   "/bin/server-start.sh"   23 seconds ago      Up 21 seconds                                                                                         notary-server
0ece0afef7a6        vmware/notary-signer-photon:v0.5.1-v1.5.0   "/bin/signer-start.sh"   24 seconds ago      Up 22 seconds                                                                                         notary-signer
b7549c31328b        vmware/clair-photon:v2.0.1-v1.5.0           "/docker-entrypoint.…"   24 seconds ago      Up 18 seconds (health: starting)   6060-6061/tcp                                                      clair
1e6d6bb0bbdf        vmware/harbor-ui:v1.5.0                     "/harbor/start.sh"       24 seconds ago      Up 22 seconds (health: starting)                                                                      harbor-ui
e0fe40b6804a        vmware/mariadb-photon:v1.5.0                "/usr/local/bin/dock…"   25 seconds ago      Up 23 seconds                      3306/tcp                                                           notary-db
30331b6c8918        vmware/postgresql-photon:v1.5.0             "/entrypoint.sh post…"   25 seconds ago      Up 23 seconds (health: starting)   5432/tcp                                                           clair-db
24e4856ac9a3        vmware/harbor-adminserver:v1.5.0            "/harbor/start.sh"       25 seconds ago      Up 23 seconds (health: starting)                                                                      harbor-adminserver
0901a7fa027c        vmware/harbor-db:v1.5.0                     "/usr/local/bin/dock…"   25 seconds ago      Up 23 seconds (health: starting)   3306/tcp                                                           harbor-db
1cea792c4656        vmware/redis-photon:v1.5.0                  "docker-entrypoint.s…"   25 seconds ago      Up 24 seconds                      6379/tcp                                                           redis
7ea870371dcc        vmware/registry-photon:v2.6.2-v1.5.0        "/entrypoint.sh serv…"   25 seconds ago      Up 23 seconds (health: starting)   5000/tcp                                                           registry
cceb28b45a0d        vmware/harbor-log:v1.5.0                    "/bin/sh -c /usr/loc…"   25 seconds ago      Up 24 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log

    通过浏览器进行访问测试https://192.168.200.16

    image.png-285.3kB

    image.png-154.6kB

    项目创建:设定为仅管理员(企业中不会让注册用户随便创建) 不允许自动注册

    5.镜像管理与安全:漏洞扫描和镜像签名

    5.1 添加docker国内公有镜像源

    [root@Harbor-master harbor]# cat /etc/docker/daemon.json
{
  "registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@Harbor-master harbor]# systemctl daemon-reload
[root@Harbor-master harbor]# systemctl restart docker

    5.2 重新启动Harbor私有镜像仓库

    #让harbor修改过的配置立刻生效
[root@Harbor-master harbor]# ./prepare 
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
##以下省略若干。。。

    #清理所有harbor容器进程
[root@Harbor-master harbor]# docker-compose down
Stopping harbor-jobservice  ... done
Stopping nginx              ... done
Stopping harbor-ui          ... done
Stopping harbor-adminserver ... done
Stopping harbor-db          ... done
Stopping redis              ... done
Stopping registry           ... done
Stopping harbor-log         ... done
WARNING: Found orphan containers (notary-server, notary-signer, clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Removing harbor-jobservice  ... done
Removing nginx              ... done
Removing harbor-ui          ... done
Removing harbor-adminserver ... done
Removing harbor-db          ... done
Removing redis              ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor

#后台启动所有harbor容器进程
[root@Harbor-master harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
WARNING: Found orphan containers (clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Creating harbor-log ... done
Creating redis              ... done
Creating registry           ... done
Creating harbor-db          ... done
Creating harbor-adminserver ... done
Creating harbor-ui          ... done
Creating nginx              ... done
Creating harbor-jobservice  ... done

    5.3 下载一个公有镜像并上传到harbor

    #harbor本地下载一个公有仓库镜像centos:7
[root@Harbor-master install]# docker pull centos:7

#本地映射私有仓库域名
[root@Harbor-master harbor]# tail -1 /etc/hosts
192.168.200.16 www.yunjisuan.com

#将centos:7镜像改名并上传私有镜像仓库
[root@Harbor-master install]# docker tag centos:7 www.yunjisuan.com/library/centos:7
[root@Harbor-master install]# docker images | grep centos
centos                             7                   9f38484d220f        4 months ago        202MB
www.yunjisuan.com/library/centos   7                   9f38484d220f        4 months ago        202MB

    #登陆验证harbor私有仓库,并上传镜像
[root@Harbor-master install]# docker login www.yunjisuan.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@Harbor-master install]# docker push www.yunjisuan.com/library/centos:7
The push refers to repository [www.yunjisuan.com/library/centos]
d69483a6face: Pushed 
7: digest: sha256:ca58fe458b8d94bc6e3072f1cfbd334855858e05e1fd633aa07cf7f82b048e66 size: 529

    #重新启用漏洞扫描
[root@Harbor-master install]# cd /data/install/harbor
[root@Harbor-master harbor]# ./install.sh --with-notary --with-clair

    5.4 登陆浏览器查看镜像上传结果,并扫描漏洞

    image.png-210.6kB

    image.png-209.8kB

    image.png-213.9kB

    image.png-245.9kB

    5.5 设置镜像仓库安全等级

    image.png-208kB

    image.png-306kB

    5.6 为docker客户端下发域名证书

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB 
    #映射harbor私有仓库域名
[root@Docker-client ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@Docker-client ~]# uname -r
3.10.0-957.12.1.el7.x86_64
[root@Docker-client ~]# hostname -I
192.168.200.17 
[root@Docker-client ~]# tail -1 /etc/hosts
192.168.200.16 www.yunjisuan.com

    #安装docker-ce社区版
[root@Docker-client ~]# sestatus
SELinux status:                 disabled
[root@Docker-client ~]# systemctl stop firewalld
[root@Docker-client ~]# systemctl disable firewalld
[root@Docker-client ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@Docker-client ~]# rpm -qa yum-utils device-mapper-persistent-data lvm2
yum-utils-1.1.31-50.el7.noarch
device-mapper-persistent-data-0.7.3-3.el7.x86_64
lvm2-2.02.180-10.el7_6.8.x86_64

    [root@Docker-client ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2424  100  2424    0     0   3925      0 --:--:-- --:--:-- --:--:--  3922


[root@Docker-client ~]# yum -y install docker-ce
[root@Docker-client ~]# systemctl start docker
[root@Docker-client ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

[root@Docker-client ~]# docker version
Client: Docker Engine - Community
 Version:           19.03.0
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        aeac9490dc
 Built:             Wed Jul 17 18:15:40 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.0
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       aeac9490dc
  Built:            Wed Jul 17 18:14:16 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

    #配置国内公有镜像源
[root@Docker-client ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@Docker-client ~]# systemctl daemon-reload
[root@Docker-client ~]# systemctl restart docker

    #下载mongo公有镜像
[root@Docker-client ~]# docker pull mongo
Using default tag: latest
latest: Pulling from library/mongo
f7277927d38a: Pull complete 
8d3eac894db4: Pull complete 
edf72af6d627: Pull complete 
3e4f86211d23: Pull complete 
5747135f14d2: Pull complete 
f56f2c3793f6: Pull complete 
f8b941527f3a: Pull complete 
4000e5ef59f4: Pull complete 
ad518e2379cf: Pull complete 
919225fc3685: Pull complete 
45ff8d51e53a: Pull complete 
4d3342ddfd7b: Pull complete 
26002f176fca: Pull complete 
Digest: sha256:7df93c5e2d140beabc39ef225da618df28cc916a5f5f295a41858accc0f46a0b
Status: Downloaded newer image for mongo:latest
docker.io/library/mongo:latest

[root@Docker-client ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
mongo               latest              9c02a5a12c52        18 hours ago        413MB

    #为docker客户端下发域名(在harbor本地执行操作)
#将harbor上自签发的域名证书www.yunjisuan.com.crt复制到docker客户端对应目录下
[root@Harbor-master install]# cd /data/ssl/
[root@Harbor-master ssl]# scp www.yunjisuan.com.crt 192.168.200.17:/etc/pki/ca-trust/source/anchors/
root@192.168.200.17's password: 
www.yunjisuan.com.crt                                                      100% 1931     1.6MB/s   00:00 

    #在docker客户端上执行操作,让证书立刻生效
[root@Docker-client ~]# update-ca-trust enable
[root@Docker-client ~]# update-ca-trust extract

#下发证书后必须重启动docker-client的docker服务
[root@Docker-client ~]# systemctl restart docker

    #docker-client登陆harbor仓库进行登陆验证
[root@Docker-client ~]# cd /etc/pki/ca-trust/source/anchors/
[root@Docker-client anchors]# ll
总用量 4
-rw-r--r-- 1 root root 1931 7月  24 19:56 www.yunjisuan.com.crt

[root@Docker-client anchors]# docker login www.yunjisuan.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

    #修改镜像的名字并上传harbor私有仓库
[root@Docker-client anchors]# docker tag mongo:latest www.yunjisuan.com/library/mongo
[root@Docker-client anchors]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
mongo                             latest              9c02a5a12c52        18 hours ago        413MB
www.yunjisuan.com/library/mongo   latest              9c02a5a12c52        18 hours ago        413MB

[root@Docker-client anchors]# docker push www.yunjisuan.com/library/mongo
The push refers to repository [www.yunjisuan.com/library/mongo]
3ea1af4d89d2: Pushed 
d1badfd80c45: Pushed 
be68547708c3: Pushed 
26c9058be51d: Pushed 
689158adef1e: Pushed 
2ee7e1a20686: Pushed 
6a272ecc48d7: Pushed 
4ad102c46894: Pushed 
b03801a3ccd1: Pushed 
e79142719515: Pushed 
aeda103e78c9: Pushed 
2558e637fbff: Pushed 
f749b9b0fb21: Pushed 
latest: digest: sha256:7328ced1dd646dd65a20dbf3ae430835ce75ad6cdbfe59c83185ddb719dd5913 size: 3030

    浏览器登陆harbor进行查看:https://192.168.200.16

    image.png-222.7kB

    出现漏洞的镜像截图:
    image.png-259.2kB

    5.7 FAQ:问题解答

    windows10最新版本默认拒绝非认证的域名证书

    如果启动harbor采用的https加密证书的方式,最新版本windows10浏览器访问的话,默认会直接说“站点不安全,拒绝连接”。 那么我们可以采用非https的方式启动harbor

    [root@harbor-master ~]# sed -n '11p' /data/install/harbor/harbor.cfg
ui_url_protocol = http

    但是我们要是采用非https加密方式启动harbor的话。最新版本的docker是登陆不了的。这是因为新版本docker默认是以https方式登陆harbor

    [root@Harbor-Slave docker]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://www.yunjisuan.com/v2/: dial tcp 192.168.200.74:443: connect: connection refused

    为了解决登陆问题,我们需要在/etc/docker/下创建一个daemon.json名字的文件,加入http方式登陆的harbor域名

    [root@Harbor-Slave docker]# cat /etc/docker/daemon.json 
{
    "insecure-registries":[ "www.yunjisuan.com" ]
}
[root@Harbor-Slave docker]# systemctl restart docker    #需要重启


#然后我们再次登陆harbor
[root@harbor-slave harbor]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded    #登陆成功

    6. Harbor镜像的复制与同步

    harbor私有仓库的主从复制,类似于MySQL,属于1对多的复制

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    Harbor-slave 192.168.200.18 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB

    6.1 部署Habor-Slave

    再安装一个harbor私有仓库作为harbor的从库,域名为www2.yunjisuan.com

    image.png-414.6kB

    在Harbor-Master和Harbor-Slave上做域名映射

#主Harbor
[root@Harbor-master ~]# tail -2 /etc/hosts
192.168.200.16 www.yunjisuan.com
192.168.200.18 www2.yunjisuan.com

#从Harbor
[root@Harbor-slave ~]# tail -2 /etc/hosts
192.168.200.16 www.yunjisuan.com
192.168.200.18 www2.yunjisuan.com

    特别提示:离线方式安装的Habor容器默认会从LDNS处获取对应的域名的IP解析,并不找本地的hosts文件
    由于我们是自己是自己设定的域名,因此,需要搭建用于内网解析的LDNS域名解析服务器

    6.2 搭建LDNS域名解析服务器

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    Harbor-slave 192.168.200.18 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    LDNS 192.168.200.19 本地DNS 
    [root@LDNS ~]# yum -y install bind bind-chroot bind-utils
[root@LDNS ~]# rpm -qa bind bind-chroot bind-utils
bind-chroot-9.9.4-74.el7_6.1.x86_64
bind-9.9.4-74.el7_6.1.x86_64
bind-utils-9.9.4-74.el7_6.1.x86_64

    [root@LDNS ~]# cd /etc/
[root@LDNS etc]# cp named.conf{,.bak}

#配置文件修改成如下所示:
[root@LDNS etc]# cat named.conf
options {
    listen-on port 53 { 192.168.200.19; };
//  listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
        forwarders  { 192.168.200.2; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "yunjisuan.com" IN {
    type master;
    file "yunjisuan.com.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

#检查配置文件是否有错
[root@LDNS etc]# named-checkconf /etc/named.conf

    #创建正向解析文件
[root@LDNS etc]# cd /var/named
[root@LDNS named]# ls
chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@LDNS named]# cp -p named.empty yunjisuan.com.zone

[root@LDNS named]# vim yunjisuan.com.zone 
[root@LDNS named]# cat yunjisuan.com.zone 
$TTL 1D
@   IN SOA  yunjisuan.com. root.ns1.yunjisuan.com. (
                    20190725    ; serial
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum
     NS  ns1.yunjisuan.com.
ns1  A   192.168.200.19
www  A   192.168.200.16
www2 A   192.168.200.18

#测试正向解析文件是否有错
[root@LDNS named]# named-checkzone yunjisuan.com yunjisuan.com.zone
zone yunjisuan.com/IN: loaded serial 20190725
OK

    #启动域名解析服务
[root@LDNS named]# systemctl start named
[root@LDNS named]# ss -antup | grep named
udp    UNCONN     0      0      192.168.200.19:53                    *:*                   users:(("named",pid=7085,fd=512))
tcp    LISTEN     0      10     192.168.200.19:53                    *:*                   users:(("named",pid=7085,fd=21))
tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=7085,fd=22))
tcp    LISTEN     0      128     ::1:953                  :::*                   users:(("named",pid=7085,fd=23))

    #将本地DNS改成自己,进行解析测试
[root@LDNS named]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 192.168.200.19

[root@LDNS named]# nslookup www.baidu.com
Server:		192.168.200.19
Address:	192.168.200.19#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 61.135.169.125
Name:	www.a.shifen.com
Address: 61.135.169.121

[root@LDNS named]# nslookup www.yunjisuan.com
Server:		192.168.200.19
Address:	192.168.200.19#53

Name:	www.yunjisuan.com
Address: 192.168.200.16

[root@LDNS named]# nslookup www2.yunjisuan.com
Server:		192.168.200.19
Address:	192.168.200.19#53

Name:	www2.yunjisuan.com
Address: 192.168.200.18

    6.3 构建Harbor主从同步

    提示:如果Harbor不是已经绑定的公网域名,那么必须构建自己的本地LDNS

    #修改Harbor-master上的域名解析DNS服务器为本地构建的LDNS
[root@Harbor-master harbor]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 192.168.200.19

[root@Harbor-master harbor]# nslookup www2.yunjisuan.com
Server:		192.168.200.19
Address:	192.168.200.19#53

Name:	www2.yunjisuan.com
Address: 192.168.200.18

    image.png-180.2kB

    image.png-100.8kB

    image.png-183.4kB

    image.png-181.5kB

    image.png-139.1kB

    image.png-181.6kB

    至此,Harbor仓库主从复制已经构建完毕。
    备注:如果勾选了阻止潜在漏洞的选项会影响harbor主从复制

    image.png-280.9kB

    特别提示:如果是harbor经历过vmware虚拟机的暂停和恢复。那么很可能之前能够访问的harbor仓库,恢复后却不行了。此时,需要重启dorker进程并重新harbor容器进程。
  • 相关阅读:
    软件测试课堂练习1
    安卓增删改查
    安卓数据库表
    安卓注册登录
    安卓购物清单
    安卓计算器
    第四周安卓作业
    第七周作业
    jsp第六周
    第四次jsp作业
  • 原文地址:https://www.cnblogs.com/ywb123/p/11245765.html
Copyright © 2011-2022 走看看