zoukankan      html  css  js  c++  java
  • Harbor私有镜像仓库(上)

    Harbor私有镜像仓库(上)

    链接:https://pan.baidu.com/s/1MAb0dllUwmoOk7TeVCZOVQ
    提取码:ldt5
    复制这段内容后打开百度网盘手机App,操作更方便哦

    1. Harbor简介

    • VMware的开源项目https://github.com/vmware/harbor
    • Harbor可帮助用户迅速搭建企业级的注册服务。它提供了管理图形界面,基于角色的访问控制(Role Based Access Control),镜像远程复制(同步),AD/LDAP集成,以及审计日志等企业用户需求的功能,同时还原生支持中文,深受中国用户的喜爱。
    • 该项目自推出以来,在GitHub获得了超过3300多个star和900多个forks。

    1.1 基于角色的访问控制

    用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。

    1.2 图形化用户界面

    用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间

    1.3 审计管理

    所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。

    1.4 国际化

    基于英文与中文语言进行了本地化。可以增加更多的语言支持。

    1.5 RESTful API:

    提供给管理员对于Harbor更多的操控,使得与其他管理软件集成变得更容易。

    1.6 LDAP认证

    1.7 镜像复制

    基于策略的Docker镜像复制功能,可在不同的数据中心,不同的运行环境之间同步镜像,并提供友好的管理界面,大大简化了实际运维中的镜像管理工作。

    1.8 与Clair集成

    与Clair集成,添加漏洞扫描功能。Clair是coreos开源的容器漏洞扫描工具,在容器逐渐普及的今天,容器镜像安全问题日益严重。Clair是目前少数的开源安全扫描工具。

    1.9 Notary签名工具

    Notary是Docker镜像的签名工具,用来保证镜像在pull,push和传输工程中的一致性和完整性,避免中间人攻击,避免非法的镜像更新和运行。

    2. 为Harbor签发域名证书

    openssl是目前最流行的SSL密码库工具,提供了一个通用,功能完备的工具套件,用以支持SSL/TLS协议的实现。
    官网:https://www.openssl.org/source/

    环境准备

    主机名 IP 用途 最小资源配比 最佳资源配比
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    [root@Harbor-master ~]# hostname -I
    192.168.200.16 
    [root@Harbor-master ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core) 
    [root@Harbor-master ~]# uname -r
    3.10.0-957.12.1.el7.x86_64
    

    官方文档:https://github.com/vmware/harbor/blob/master/docs/configure_https.md

    #创建自己的CA证书
    [root@Harbor-master ~]# mkdir -p /data/ssl
    [root@Harbor-master ~]# cd /data/ssl/
    [root@Harbor-master ssl]# which openssl
    /usr/bin/openssl
    
    [root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
    Generating a 4096 bit RSA private key
    ......++
    .....................................++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:yunjisuan
    Organizational Unit Name (eg, section) []:yunjisuan
    Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
    Email Address []:
    
    #生成证书签名请求
    [root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
    Generating a 4096 bit RSA private key
    ...........................................................................................................................................................................................++
    ............++
    writing new private key to 'www.yunjisuan.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:yunjisuan
    Organizational Unit Name (eg, section) []:yunjisuan
    Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    #生成注册表主机的证书
    [root@Harbor-master ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
    Signature ok
    subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
    Getting CA Private Key
    
    #查看证书情况
    [root@Harbor-master ssl]# ll
    总用量 24
    -rw-r--r-- 1 root root 2049 7月  24 14:43 ca.crt
    -rw-r--r-- 1 root root 3272 7月  24 14:43 ca.key
    -rw-r--r-- 1 root root   17 7月  24 14:45 ca.srl
    -rw-r--r-- 1 root root 1931 7月  24 14:45 www.yunjisuan.com.crt
    -rw-r--r-- 1 root root 1716 7月  24 14:45 www.yunjisuan.com.csr
    -rw-r--r-- 1 root root 3272 7月  24 14:45 www.yunjisuan.com.key
    

    3. 信任自签发的域名证书

    由于CA证书是我们自己签发的Linux操作系统是不信任的,因此我们需要把证书加入到系统的信任证书里

    #将自签ca证书添加到系统信任
    [root@Harbor-master ssl]# pwd
    /data/ssl
    [root@Harbor-master ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
    [root@Harbor-master ssl]# ll /etc/pki/ca-trust/source/anchors/
    总用量 4
    -rw-r--r-- 1 root root 1931 7月  24 14:49 www.yunjisuan.com.crt
    
    #让系统ca信任设置立刻生效
    [root@Harbor-master ssl]# update-ca-trust enable
    [root@Harbor-master ssl]# update-ca-trust extract
    

    4.Harbor 1.4 版本配置与安装

    4.1 安装docker-ce社区版

    [root@Harbor-master ssl]# sestatus
    SELinux status:                 disabled
    [root@Harbor-master ssl]# yum -y install yum-utils device-mapper-persistent-data lvm2
    [root@Harbor-master ssl]# rpm -qa yum-utils device-mapper-persistent-data lvm2
    yum-utils-1.1.31-50.el7.noarch
    device-mapper-persistent-data-0.7.3-3.el7.x86_64
    lvm2-2.02.180-10.el7_6.8.x86_64
    
    [root@Harbor-master ssl]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2424  100  2424    0     0    112      0  0:00:21  0:00:21 --:--:--   686
    
    [root@Harbor-master ssl]# yum -y install docker-ce
    [root@Harbor-master ssl]# systemctl start docker
    [root@Harbor-master ssl]# systemctl enable docker
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
    
    [root@Harbor-master ssl]# docker version
    Client: Docker Engine - Community
     Version:           19.03.0
     API version:       1.40
     Go version:        go1.12.5
     Git commit:        aeac9490dc
     Built:             Wed Jul 17 18:15:40 2019
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server: Docker Engine - Community
     Engine:
      Version:          19.03.0
      API version:      1.40 (minimum version 1.12)
      Go version:       go1.12.5
      Git commit:       aeac9490dc
      Built:            Wed Jul 17 18:14:16 2019
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.2.6
      GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
     runc:
      Version:          1.0.0-rc8
      GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
     docker-init:
      Version:          0.18.0
      GitCommit:        fec3683
    

    4.2 下载并安装harbor私有仓库

    #创建harbor的证书目录,并复制
    [root@Harbor-master ssl]# mkdir -p /etc/ssl/harbor
    [root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
    [root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
    [root@Harbor-master ssl]# ll /etc/ssl/harbor/
    总用量 8
    -rw-r--r-- 1 root root 1931 7月  24 15:43 www.yunjisuan.com.crt
    -rw-r--r-- 1 root root 3272 7月  24 15:43 www.yunjisuan.com.key
    
    #创建harbor下载目录并下载harbor-offline-installer-v1.5.0.tgz
    [root@Harbor-master ~]# mkdir -p /data/install
    [root@Harbor-master ~]# cd /data/install/
    [root@Harbor-master install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
    [root@Harbor install]# ls
    harbor-offline-installer-v1.5.0.tgz
    
    [root@Harbor install]# tar xf harbor-offline-installer-v1.5.0.tgz 
    [root@Harbor install]# ls
    harbor  harbor-offline-installer-v1.5.0.tgz
    [root@Harbor install]# cd harbor
    [root@Harbor harbor]# ll
    总用量 854960
    drwxr-xr-x 3 root root        23 7月  16 22:29 common        #模板目录
    -rw-r--r-- 1 root root      1185 5月   2 23:34 docker-compose.clair.yml
    -rw-r--r-- 1 root root      1725 5月   2 23:34 docker-compose.notary.yml
    -rw-r--r-- 1 root root      3596 5月   2 23:34 docker-compose.yml
    drwxr-xr-x 3 root root       156 5月   2 23:34 ha            #harbor高可用配置
    -rw-r--r-- 1 root root      6687 5月   2 23:34 harbor.cfg    #harbor配置文件
    -rw-r--r-- 1 root root 875401338 5月   2 23:36 harbor.v1.5.0.tar.gz
    -rwxr-xr-x 1 root root      5773 5月   2 23:34 install.sh
    -rw-r--r-- 1 root root     10771 5月   2 23:34 LICENSE
    -rw-r--r-- 1 root root       482 5月   2 23:34 NOTICE
    -rwxr-xr-x 1 root root     27379 5月   2 23:34 prepare
    
    [root@Harbor harbor]# cp harbor.cfg{,.bak}
    #修改harbor.cfg配置文件
    [root@Harbor harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p'
         7  hostname = reg.mydomain.com             #要修改成我们证书的域名
        11  ui_url_protocol = http                  #启用加密传输协议https
        23  ssl_cert = /data/cert/server.crt        #证书的位置
        24  ssl_cert_key = /data/cert/server.key    #证书密钥位置
        68  harbor_admin_password = Harbor12345     #默认管理员及密码
    
    
    #修改成如下配置
    [root@Harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
         7  hostname = www.yunjisuan.com
        11  ui_url_protocol = https
        23  ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
        24  ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
        68  harbor_admin_password = Harbor12345
    
    #安装命令docker-compose(需要1.21版本)
    [root@Harbor-master harbor]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   617    0   617    0     0    519      0 --:--:--  0:00:01 --:--:--   519
    100 10.3M  100 10.3M    0     0   354k      0  0:00:29  0:00:29 --:--:--  494k
    
    [root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
    -rw-r--r-- 1 root root 10858808 7月  24 17:30 /usr/local/bin/docker-compose
    [root@Harbor-master harbor]# chmod +x /usr/local/bin/docker-compose
    [root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
    -rwxr-xr-x 1 root root 10858808 7月  24 17:30 /usr/local/bin/docker-compose
    [root@Harbor-master harbor]# which docker-compose
    /usr/local/bin/docker-compose
    
    [root@Harbor-master harbor]# docker-compose --version
    docker-compose version 1.21.2, build a133471
    
    #安装harbor私有镜像仓库
    [root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
    #--with-notary启用镜像签名;--with-clair启用漏洞扫描
     
    #查看harbor启动的镜像
    [root@Harbor-master harbor]# docker ps -a
    CONTAINER ID        IMAGE                                       COMMAND                  CREATED             STATUS                             PORTS                                                              NAMES
    3b0f60eb2260        vmware/harbor-jobservice:v1.5.0             "/harbor/start.sh"       23 seconds ago      Up 15 seconds                                                                                         harbor-jobservice
    005954f3ec5c        vmware/nginx-photon:v1.5.0                  "nginx -g 'daemon of…"   23 seconds ago      Up 21 seconds (health: starting)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
    e5a4e4d0cf56        vmware/notary-server-photon:v0.5.1-v1.5.0   "/bin/server-start.sh"   23 seconds ago      Up 21 seconds                                                                                         notary-server
    0ece0afef7a6        vmware/notary-signer-photon:v0.5.1-v1.5.0   "/bin/signer-start.sh"   24 seconds ago      Up 22 seconds                                                                                         notary-signer
    b7549c31328b        vmware/clair-photon:v2.0.1-v1.5.0           "/docker-entrypoint.…"   24 seconds ago      Up 18 seconds (health: starting)   6060-6061/tcp                                                      clair
    1e6d6bb0bbdf        vmware/harbor-ui:v1.5.0                     "/harbor/start.sh"       24 seconds ago      Up 22 seconds (health: starting)                                                                      harbor-ui
    e0fe40b6804a        vmware/mariadb-photon:v1.5.0                "/usr/local/bin/dock…"   25 seconds ago      Up 23 seconds                      3306/tcp                                                           notary-db
    30331b6c8918        vmware/postgresql-photon:v1.5.0             "/entrypoint.sh post…"   25 seconds ago      Up 23 seconds (health: starting)   5432/tcp                                                           clair-db
    24e4856ac9a3        vmware/harbor-adminserver:v1.5.0            "/harbor/start.sh"       25 seconds ago      Up 23 seconds (health: starting)                                                                      harbor-adminserver
    0901a7fa027c        vmware/harbor-db:v1.5.0                     "/usr/local/bin/dock…"   25 seconds ago      Up 23 seconds (health: starting)   3306/tcp                                                           harbor-db
    1cea792c4656        vmware/redis-photon:v1.5.0                  "docker-entrypoint.s…"   25 seconds ago      Up 24 seconds                      6379/tcp                                                           redis
    7ea870371dcc        vmware/registry-photon:v2.6.2-v1.5.0        "/entrypoint.sh serv…"   25 seconds ago      Up 23 seconds (health: starting)   5000/tcp                                                           registry
    cceb28b45a0d        vmware/harbor-log:v1.5.0                    "/bin/sh -c /usr/loc…"   25 seconds ago      Up 24 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log
    

    通过浏览器进行访问测试https://192.168.200.16

    image.png-285.3kB

    image.png-154.6kB

    项目创建:设定为仅管理员(企业中不会让注册用户随便创建) 不允许自动注册

    5.镜像管理与安全:漏洞扫描和镜像签名

    5.1 添加docker国内公有镜像源

    [root@Harbor-master harbor]# cat /etc/docker/daemon.json
    {
      "registry-mirrors":[ "https://registry.docker-cn.com" ]
    }
    [root@Harbor-master harbor]# systemctl daemon-reload
    [root@Harbor-master harbor]# systemctl restart docker
    

    5.2 重新启动Harbor私有镜像仓库

    #让harbor修改过的配置立刻生效
    [root@Harbor-master harbor]# ./prepare 
    Clearing the configuration file: ./common/config/adminserver/env
    Clearing the configuration file: ./common/config/ui/env
    Clearing the configuration file: ./common/config/ui/app.conf
    Clearing the configuration file: ./common/config/ui/private_key.pem
    ##以下省略若干。。。
    
    #清理所有harbor容器进程
    [root@Harbor-master harbor]# docker-compose down
    Stopping harbor-jobservice  ... done
    Stopping nginx              ... done
    Stopping harbor-ui          ... done
    Stopping harbor-adminserver ... done
    Stopping harbor-db          ... done
    Stopping redis              ... done
    Stopping registry           ... done
    Stopping harbor-log         ... done
    WARNING: Found orphan containers (notary-server, notary-signer, clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
    Removing harbor-jobservice  ... done
    Removing nginx              ... done
    Removing harbor-ui          ... done
    Removing harbor-adminserver ... done
    Removing harbor-db          ... done
    Removing redis              ... done
    Removing registry           ... done
    Removing harbor-log         ... done
    Removing network harbor_harbor
    
    #后台启动所有harbor容器进程
    [root@Harbor-master harbor]# docker-compose up -d
    Creating network "harbor_harbor" with the default driver
    WARNING: Found orphan containers (clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
    Creating harbor-log ... done
    Creating redis              ... done
    Creating registry           ... done
    Creating harbor-db          ... done
    Creating harbor-adminserver ... done
    Creating harbor-ui          ... done
    Creating nginx              ... done
    Creating harbor-jobservice  ... done
    

    5.3 下载一个公有镜像并上传到harbor

    #harbor本地下载一个公有仓库镜像centos:7
    [root@Harbor-master install]# docker pull centos:7
    
    #本地映射私有仓库域名
    [root@Harbor-master harbor]# tail -1 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    
    #将centos:7镜像改名并上传私有镜像仓库
    [root@Harbor-master install]# docker tag centos:7 www.yunjisuan.com/library/centos:7
    [root@Harbor-master install]# docker images | grep centos
    centos                             7                   9f38484d220f        4 months ago        202MB
    www.yunjisuan.com/library/centos   7                   9f38484d220f        4 months ago        202MB
    
    #登陆验证harbor私有仓库,并上传镜像
    [root@Harbor-master install]# docker login www.yunjisuan.com
    Username: admin
    Password: Harbor12345
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    
    [root@Harbor-master install]# docker push www.yunjisuan.com/library/centos:7
    The push refers to repository [www.yunjisuan.com/library/centos]
    d69483a6face: Pushed 
    7: digest: sha256:ca58fe458b8d94bc6e3072f1cfbd334855858e05e1fd633aa07cf7f82b048e66 size: 529
    
    #重新启用漏洞扫描
    [root@Harbor-master install]# cd /data/install/harbor
    [root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
    

    5.4 登陆浏览器查看镜像上传结果,并扫描漏洞

    image.png-210.6kB

    image.png-209.8kB

    image.png-213.9kB

    image.png-245.9kB

    5.5 设置镜像仓库安全等级

    image.png-208kB

    image.png-306kB

    5.6 为docker客户端下发域名证书

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    #映射harbor私有仓库域名
    [root@Docker-client ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core) 
    [root@Docker-client ~]# uname -r
    3.10.0-957.12.1.el7.x86_64
    [root@Docker-client ~]# hostname -I
    192.168.200.17 
    [root@Docker-client ~]# tail -1 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    
    #安装docker-ce社区版
    [root@Docker-client ~]# sestatus
    SELinux status:                 disabled
    [root@Docker-client ~]# systemctl stop firewalld
    [root@Docker-client ~]# systemctl disable firewalld
    [root@Docker-client ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
    [root@Docker-client ~]# rpm -qa yum-utils device-mapper-persistent-data lvm2
    yum-utils-1.1.31-50.el7.noarch
    device-mapper-persistent-data-0.7.3-3.el7.x86_64
    lvm2-2.02.180-10.el7_6.8.x86_64
    
    [root@Docker-client ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2424  100  2424    0     0   3925      0 --:--:-- --:--:-- --:--:--  3922
    
    
    [root@Docker-client ~]# yum -y install docker-ce
    [root@Docker-client ~]# systemctl start docker
    [root@Docker-client ~]# systemctl enable docker
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
    
    [root@Docker-client ~]# docker version
    Client: Docker Engine - Community
     Version:           19.03.0
     API version:       1.40
     Go version:        go1.12.5
     Git commit:        aeac9490dc
     Built:             Wed Jul 17 18:15:40 2019
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server: Docker Engine - Community
     Engine:
      Version:          19.03.0
      API version:      1.40 (minimum version 1.12)
      Go version:       go1.12.5
      Git commit:       aeac9490dc
      Built:            Wed Jul 17 18:14:16 2019
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.2.6
      GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
     runc:
      Version:          1.0.0-rc8
      GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
     docker-init:
      Version:          0.18.0
      GitCommit:        fec3683
    
    #配置国内公有镜像源
    [root@Docker-client ~]# cat /etc/docker/daemon.json 
    {
      "registry-mirrors":[ "https://registry.docker-cn.com" ]
    }
    [root@Docker-client ~]# systemctl daemon-reload
    [root@Docker-client ~]# systemctl restart docker
    
    #下载mongo公有镜像
    [root@Docker-client ~]# docker pull mongo
    Using default tag: latest
    latest: Pulling from library/mongo
    f7277927d38a: Pull complete 
    8d3eac894db4: Pull complete 
    edf72af6d627: Pull complete 
    3e4f86211d23: Pull complete 
    5747135f14d2: Pull complete 
    f56f2c3793f6: Pull complete 
    f8b941527f3a: Pull complete 
    4000e5ef59f4: Pull complete 
    ad518e2379cf: Pull complete 
    919225fc3685: Pull complete 
    45ff8d51e53a: Pull complete 
    4d3342ddfd7b: Pull complete 
    26002f176fca: Pull complete 
    Digest: sha256:7df93c5e2d140beabc39ef225da618df28cc916a5f5f295a41858accc0f46a0b
    Status: Downloaded newer image for mongo:latest
    docker.io/library/mongo:latest
    
    [root@Docker-client ~]# docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    mongo               latest              9c02a5a12c52        18 hours ago        413MB
    
    #为docker客户端下发域名(在harbor本地执行操作)
    #将harbor上自签发的域名证书www.yunjisuan.com.crt复制到docker客户端对应目录下
    [root@Harbor-master install]# cd /data/ssl/
    [root@Harbor-master ssl]# scp www.yunjisuan.com.crt 192.168.200.17:/etc/pki/ca-trust/source/anchors/
    root@192.168.200.17's password: 
    www.yunjisuan.com.crt                                                      100% 1931     1.6MB/s   00:00 
    
    #在docker客户端上执行操作,让证书立刻生效
    [root@Docker-client ~]# update-ca-trust enable
    [root@Docker-client ~]# update-ca-trust extract
    
    #下发证书后必须重启动docker-client的docker服务
    [root@Docker-client ~]# systemctl restart docker
    
    #docker-client登陆harbor仓库进行登陆验证
    [root@Docker-client ~]# cd /etc/pki/ca-trust/source/anchors/
    [root@Docker-client anchors]# ll
    总用量 4
    -rw-r--r-- 1 root root 1931 7月  24 19:56 www.yunjisuan.com.crt
    
    [root@Docker-client anchors]# docker login www.yunjisuan.com
    Username: admin
    Password: Harbor12345
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    
    #修改镜像的名字并上传harbor私有仓库
    [root@Docker-client anchors]# docker tag mongo:latest www.yunjisuan.com/library/mongo
    [root@Docker-client anchors]# docker images
    REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
    mongo                             latest              9c02a5a12c52        18 hours ago        413MB
    www.yunjisuan.com/library/mongo   latest              9c02a5a12c52        18 hours ago        413MB
    
    [root@Docker-client anchors]# docker push www.yunjisuan.com/library/mongo
    The push refers to repository [www.yunjisuan.com/library/mongo]
    3ea1af4d89d2: Pushed 
    d1badfd80c45: Pushed 
    be68547708c3: Pushed 
    26c9058be51d: Pushed 
    689158adef1e: Pushed 
    2ee7e1a20686: Pushed 
    6a272ecc48d7: Pushed 
    4ad102c46894: Pushed 
    b03801a3ccd1: Pushed 
    e79142719515: Pushed 
    aeda103e78c9: Pushed 
    2558e637fbff: Pushed 
    f749b9b0fb21: Pushed 
    latest: digest: sha256:7328ced1dd646dd65a20dbf3ae430835ce75ad6cdbfe59c83185ddb719dd5913 size: 3030
    

    浏览器登陆harbor进行查看:https://192.168.200.16

    image.png-222.7kB

    出现漏洞的镜像截图:
    image.png-259.2kB

    5.7 FAQ:问题解答

    windows10最新版本默认拒绝非认证的域名证书

    如果启动harbor采用的https加密证书的方式,最新版本windows10浏览器访问的话,默认会直接说“站点不安全,拒绝连接”。 那么我们可以采用非https的方式启动harbor

    [root@harbor-master ~]# sed -n '11p' /data/install/harbor/harbor.cfg
    ui_url_protocol = http
    

    但是我们要是采用非https加密方式启动harbor的话。最新版本的docker是登陆不了的。这是因为新版本docker默认是以https方式登陆harbor

    [root@Harbor-Slave docker]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    Error response from daemon: Get https://www.yunjisuan.com/v2/: dial tcp 192.168.200.74:443: connect: connection refused
    

    为了解决登陆问题,我们需要在/etc/docker/下创建一个daemon.json名字的文件,加入http方式登陆的harbor域名

    [root@Harbor-Slave docker]# cat /etc/docker/daemon.json 
    {
        "insecure-registries":[ "www.yunjisuan.com" ]
    }
    [root@Harbor-Slave docker]# systemctl restart docker    #需要重启
    
    
    #然后我们再次登陆harbor
    [root@harbor-slave harbor]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded    #登陆成功
    

    6. Harbor镜像的复制与同步

    harbor私有仓库的主从复制,类似于MySQL,属于1对多的复制

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    Harbor-slave 192.168.200.18 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB

    6.1 部署Habor-Slave

    再安装一个harbor私有仓库作为harbor的从库,域名为www2.yunjisuan.com

    image.png-414.6kB

    在Harbor-Master和Harbor-Slave上做域名映射
    
    #主Harbor
    [root@Harbor-master ~]# tail -2 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    192.168.200.18 www2.yunjisuan.com
    
    #从Harbor
    [root@Harbor-slave ~]# tail -2 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    192.168.200.18 www2.yunjisuan.com
    

    特别提示:离线方式安装的Habor容器默认会从LDNS处获取对应的域名的IP解析,并不找本地的hosts文件
    由于我们是自己是自己设定的域名,因此,需要搭建用于内网解析的LDNS域名解析服务器

    6.2 搭建LDNS域名解析服务器

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    Harbor-slave 192.168.200.18 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    LDNS 192.168.200.19 本地DNS
    [root@LDNS ~]# yum -y install bind bind-chroot bind-utils
    [root@LDNS ~]# rpm -qa bind bind-chroot bind-utils
    bind-chroot-9.9.4-74.el7_6.1.x86_64
    bind-9.9.4-74.el7_6.1.x86_64
    bind-utils-9.9.4-74.el7_6.1.x86_64
    
    [root@LDNS ~]# cd /etc/
    [root@LDNS etc]# cp named.conf{,.bak}
    
    #配置文件修改成如下所示:
    [root@LDNS etc]# cat named.conf
    options {
        listen-on port 53 { 192.168.200.19; };
    //  listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
            forwarders  { 192.168.200.2; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "yunjisuan.com" IN {
        type master;
        file "yunjisuan.com.zone";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    #检查配置文件是否有错
    [root@LDNS etc]# named-checkconf /etc/named.conf
    
    #创建正向解析文件
    [root@LDNS etc]# cd /var/named
    [root@LDNS named]# ls
    chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@LDNS named]# cp -p named.empty yunjisuan.com.zone
    
    [root@LDNS named]# vim yunjisuan.com.zone 
    [root@LDNS named]# cat yunjisuan.com.zone 
    $TTL 1D
    @   IN SOA  yunjisuan.com. root.ns1.yunjisuan.com. (
                        20190725    ; serial
                        1D  ; refresh
                        1H  ; retry
                        1W  ; expire
                        3H )    ; minimum
         NS  ns1.yunjisuan.com.
    ns1  A   192.168.200.19
    www  A   192.168.200.16
    www2 A   192.168.200.18
    
    #测试正向解析文件是否有错
    [root@LDNS named]# named-checkzone yunjisuan.com yunjisuan.com.zone
    zone yunjisuan.com/IN: loaded serial 20190725
    OK
    
    #启动域名解析服务
    [root@LDNS named]# systemctl start named
    [root@LDNS named]# ss -antup | grep named
    udp    UNCONN     0      0      192.168.200.19:53                    *:*                   users:(("named",pid=7085,fd=512))
    tcp    LISTEN     0      10     192.168.200.19:53                    *:*                   users:(("named",pid=7085,fd=21))
    tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=7085,fd=22))
    tcp    LISTEN     0      128     ::1:953                  :::*                   users:(("named",pid=7085,fd=23))
    
    #将本地DNS改成自己,进行解析测试
    [root@LDNS named]# cat /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search localdomain
    nameserver 192.168.200.19
    
    [root@LDNS named]# nslookup www.baidu.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Non-authoritative answer:
    www.baidu.com	canonical name = www.a.shifen.com.
    Name:	www.a.shifen.com
    Address: 61.135.169.125
    Name:	www.a.shifen.com
    Address: 61.135.169.121
    
    [root@LDNS named]# nslookup www.yunjisuan.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Name:	www.yunjisuan.com
    Address: 192.168.200.16
    
    [root@LDNS named]# nslookup www2.yunjisuan.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Name:	www2.yunjisuan.com
    Address: 192.168.200.18
    

    6.3 构建Harbor主从同步

    提示:如果Harbor不是已经绑定的公网域名,那么必须构建自己的本地LDNS

    #修改Harbor-master上的域名解析DNS服务器为本地构建的LDNS
    [root@Harbor-master harbor]# cat /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search localdomain
    nameserver 192.168.200.19
    
    [root@Harbor-master harbor]# nslookup www2.yunjisuan.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Name:	www2.yunjisuan.com
    Address: 192.168.200.18
    
    

    image.png-180.2kB

    image.png-100.8kB

    image.png-183.4kB

    image.png-181.5kB

    image.png-139.1kB

    image.png-181.6kB

    至此,Harbor仓库主从复制已经构建完毕。
    备注:如果勾选了阻止潜在漏洞的选项会影响harbor主从复制

    image.png-280.9kB

    特别提示:如果是harbor经历过vmware虚拟机的暂停和恢复。那么很可能之前能够访问的harbor仓库,恢复后却不行了。此时,需要重启dorker进程并重新harbor容器进程。

  • 相关阅读:
    BestCoder6 1002 Goffi and Squary Partition(hdu 4982) 解题报告
    codeforces 31C Schedule 解题报告
    codeforces 462C Appleman and Toastman 解题报告
    codeforces 460C. Present 解题报告
    BestCoder3 1002 BestCoder Sequence(hdu 4908) 解题报告
    BestCoder3 1001 Task schedule(hdu 4907) 解题报告
    poj 1195 Mobile phones 解题报告
    二维树状数组 探索进行中
    codeforces 460B Little Dima and Equation 解题报告
    通过Sql语句控制SQLite数据库增删改查
  • 原文地址:https://www.cnblogs.com/ywb123/p/11245765.html
Copyright © 2011-2022 走看看