zoukankan      html  css  js  c++  java
  • Harbor私有镜像仓库(上)

    Harbor私有镜像仓库(上)

    链接:https://pan.baidu.com/s/1MAb0dllUwmoOk7TeVCZOVQ
    提取码:ldt5
    复制这段内容后打开百度网盘手机App,操作更方便哦

    1. Harbor简介

    • VMware的开源项目https://github.com/vmware/harbor
    • Harbor可帮助用户迅速搭建企业级的注册服务。它提供了管理图形界面,基于角色的访问控制(Role Based Access Control),镜像远程复制(同步),AD/LDAP集成,以及审计日志等企业用户需求的功能,同时还原生支持中文,深受中国用户的喜爱。
    • 该项目自推出以来,在GitHub获得了超过3300多个star和900多个forks。

    1.1 基于角色的访问控制

    用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。

    1.2 图形化用户界面

    用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间

    1.3 审计管理

    所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。

    1.4 国际化

    基于英文与中文语言进行了本地化。可以增加更多的语言支持。

    1.5 RESTful API:

    提供给管理员对于Harbor更多的操控,使得与其他管理软件集成变得更容易。

    1.6 LDAP认证

    1.7 镜像复制

    基于策略的Docker镜像复制功能,可在不同的数据中心,不同的运行环境之间同步镜像,并提供友好的管理界面,大大简化了实际运维中的镜像管理工作。

    1.8 与Clair集成

    与Clair集成,添加漏洞扫描功能。Clair是coreos开源的容器漏洞扫描工具,在容器逐渐普及的今天,容器镜像安全问题日益严重。Clair是目前少数的开源安全扫描工具。

    1.9 Notary签名工具

    Notary是Docker镜像的签名工具,用来保证镜像在pull,push和传输工程中的一致性和完整性,避免中间人攻击,避免非法的镜像更新和运行。

    2. 为Harbor签发域名证书

    openssl是目前最流行的SSL密码库工具,提供了一个通用,功能完备的工具套件,用以支持SSL/TLS协议的实现。
    官网:https://www.openssl.org/source/

    环境准备

    主机名 IP 用途 最小资源配比 最佳资源配比
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    [root@Harbor-master ~]# hostname -I
    192.168.200.16 
    [root@Harbor-master ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core) 
    [root@Harbor-master ~]# uname -r
    3.10.0-957.12.1.el7.x86_64
    

    官方文档:https://github.com/vmware/harbor/blob/master/docs/configure_https.md

    #创建自己的CA证书
    [root@Harbor-master ~]# mkdir -p /data/ssl
    [root@Harbor-master ~]# cd /data/ssl/
    [root@Harbor-master ssl]# which openssl
    /usr/bin/openssl
    
    [root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
    Generating a 4096 bit RSA private key
    ......++
    .....................................++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:yunjisuan
    Organizational Unit Name (eg, section) []:yunjisuan
    Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
    Email Address []:
    
    #生成证书签名请求
    [root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
    Generating a 4096 bit RSA private key
    ...........................................................................................................................................................................................++
    ............++
    writing new private key to 'www.yunjisuan.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:yunjisuan
    Organizational Unit Name (eg, section) []:yunjisuan
    Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    #生成注册表主机的证书
    [root@Harbor-master ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
    Signature ok
    subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
    Getting CA Private Key
    
    #查看证书情况
    [root@Harbor-master ssl]# ll
    总用量 24
    -rw-r--r-- 1 root root 2049 7月  24 14:43 ca.crt
    -rw-r--r-- 1 root root 3272 7月  24 14:43 ca.key
    -rw-r--r-- 1 root root   17 7月  24 14:45 ca.srl
    -rw-r--r-- 1 root root 1931 7月  24 14:45 www.yunjisuan.com.crt
    -rw-r--r-- 1 root root 1716 7月  24 14:45 www.yunjisuan.com.csr
    -rw-r--r-- 1 root root 3272 7月  24 14:45 www.yunjisuan.com.key
    

    3. 信任自签发的域名证书

    由于CA证书是我们自己签发的Linux操作系统是不信任的,因此我们需要把证书加入到系统的信任证书里

    #将自签ca证书添加到系统信任
    [root@Harbor-master ssl]# pwd
    /data/ssl
    [root@Harbor-master ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
    [root@Harbor-master ssl]# ll /etc/pki/ca-trust/source/anchors/
    总用量 4
    -rw-r--r-- 1 root root 1931 7月  24 14:49 www.yunjisuan.com.crt
    
    #让系统ca信任设置立刻生效
    [root@Harbor-master ssl]# update-ca-trust enable
    [root@Harbor-master ssl]# update-ca-trust extract
    

    4.Harbor 1.4 版本配置与安装

    4.1 安装docker-ce社区版

    [root@Harbor-master ssl]# sestatus
    SELinux status:                 disabled
    [root@Harbor-master ssl]# yum -y install yum-utils device-mapper-persistent-data lvm2
    [root@Harbor-master ssl]# rpm -qa yum-utils device-mapper-persistent-data lvm2
    yum-utils-1.1.31-50.el7.noarch
    device-mapper-persistent-data-0.7.3-3.el7.x86_64
    lvm2-2.02.180-10.el7_6.8.x86_64
    
    [root@Harbor-master ssl]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2424  100  2424    0     0    112      0  0:00:21  0:00:21 --:--:--   686
    
    [root@Harbor-master ssl]# yum -y install docker-ce
    [root@Harbor-master ssl]# systemctl start docker
    [root@Harbor-master ssl]# systemctl enable docker
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
    
    [root@Harbor-master ssl]# docker version
    Client: Docker Engine - Community
     Version:           19.03.0
     API version:       1.40
     Go version:        go1.12.5
     Git commit:        aeac9490dc
     Built:             Wed Jul 17 18:15:40 2019
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server: Docker Engine - Community
     Engine:
      Version:          19.03.0
      API version:      1.40 (minimum version 1.12)
      Go version:       go1.12.5
      Git commit:       aeac9490dc
      Built:            Wed Jul 17 18:14:16 2019
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.2.6
      GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
     runc:
      Version:          1.0.0-rc8
      GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
     docker-init:
      Version:          0.18.0
      GitCommit:        fec3683
    

    4.2 下载并安装harbor私有仓库

    #创建harbor的证书目录,并复制
    [root@Harbor-master ssl]# mkdir -p /etc/ssl/harbor
    [root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
    [root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
    [root@Harbor-master ssl]# ll /etc/ssl/harbor/
    总用量 8
    -rw-r--r-- 1 root root 1931 7月  24 15:43 www.yunjisuan.com.crt
    -rw-r--r-- 1 root root 3272 7月  24 15:43 www.yunjisuan.com.key
    
    #创建harbor下载目录并下载harbor-offline-installer-v1.5.0.tgz
    [root@Harbor-master ~]# mkdir -p /data/install
    [root@Harbor-master ~]# cd /data/install/
    [root@Harbor-master install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
    [root@Harbor install]# ls
    harbor-offline-installer-v1.5.0.tgz
    
    [root@Harbor install]# tar xf harbor-offline-installer-v1.5.0.tgz 
    [root@Harbor install]# ls
    harbor  harbor-offline-installer-v1.5.0.tgz
    [root@Harbor install]# cd harbor
    [root@Harbor harbor]# ll
    总用量 854960
    drwxr-xr-x 3 root root        23 7月  16 22:29 common        #模板目录
    -rw-r--r-- 1 root root      1185 5月   2 23:34 docker-compose.clair.yml
    -rw-r--r-- 1 root root      1725 5月   2 23:34 docker-compose.notary.yml
    -rw-r--r-- 1 root root      3596 5月   2 23:34 docker-compose.yml
    drwxr-xr-x 3 root root       156 5月   2 23:34 ha            #harbor高可用配置
    -rw-r--r-- 1 root root      6687 5月   2 23:34 harbor.cfg    #harbor配置文件
    -rw-r--r-- 1 root root 875401338 5月   2 23:36 harbor.v1.5.0.tar.gz
    -rwxr-xr-x 1 root root      5773 5月   2 23:34 install.sh
    -rw-r--r-- 1 root root     10771 5月   2 23:34 LICENSE
    -rw-r--r-- 1 root root       482 5月   2 23:34 NOTICE
    -rwxr-xr-x 1 root root     27379 5月   2 23:34 prepare
    
    [root@Harbor harbor]# cp harbor.cfg{,.bak}
    #修改harbor.cfg配置文件
    [root@Harbor harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p'
         7  hostname = reg.mydomain.com             #要修改成我们证书的域名
        11  ui_url_protocol = http                  #启用加密传输协议https
        23  ssl_cert = /data/cert/server.crt        #证书的位置
        24  ssl_cert_key = /data/cert/server.key    #证书密钥位置
        68  harbor_admin_password = Harbor12345     #默认管理员及密码
    
    
    #修改成如下配置
    [root@Harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
         7  hostname = www.yunjisuan.com
        11  ui_url_protocol = https
        23  ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
        24  ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
        68  harbor_admin_password = Harbor12345
    
    #安装命令docker-compose(需要1.21版本)
    [root@Harbor-master harbor]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   617    0   617    0     0    519      0 --:--:--  0:00:01 --:--:--   519
    100 10.3M  100 10.3M    0     0   354k      0  0:00:29  0:00:29 --:--:--  494k
    
    [root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
    -rw-r--r-- 1 root root 10858808 7月  24 17:30 /usr/local/bin/docker-compose
    [root@Harbor-master harbor]# chmod +x /usr/local/bin/docker-compose
    [root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
    -rwxr-xr-x 1 root root 10858808 7月  24 17:30 /usr/local/bin/docker-compose
    [root@Harbor-master harbor]# which docker-compose
    /usr/local/bin/docker-compose
    
    [root@Harbor-master harbor]# docker-compose --version
    docker-compose version 1.21.2, build a133471
    
    #安装harbor私有镜像仓库
    [root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
    #--with-notary启用镜像签名;--with-clair启用漏洞扫描
     
    #查看harbor启动的镜像
    [root@Harbor-master harbor]# docker ps -a
    CONTAINER ID        IMAGE                                       COMMAND                  CREATED             STATUS                             PORTS                                                              NAMES
    3b0f60eb2260        vmware/harbor-jobservice:v1.5.0             "/harbor/start.sh"       23 seconds ago      Up 15 seconds                                                                                         harbor-jobservice
    005954f3ec5c        vmware/nginx-photon:v1.5.0                  "nginx -g 'daemon of…"   23 seconds ago      Up 21 seconds (health: starting)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
    e5a4e4d0cf56        vmware/notary-server-photon:v0.5.1-v1.5.0   "/bin/server-start.sh"   23 seconds ago      Up 21 seconds                                                                                         notary-server
    0ece0afef7a6        vmware/notary-signer-photon:v0.5.1-v1.5.0   "/bin/signer-start.sh"   24 seconds ago      Up 22 seconds                                                                                         notary-signer
    b7549c31328b        vmware/clair-photon:v2.0.1-v1.5.0           "/docker-entrypoint.…"   24 seconds ago      Up 18 seconds (health: starting)   6060-6061/tcp                                                      clair
    1e6d6bb0bbdf        vmware/harbor-ui:v1.5.0                     "/harbor/start.sh"       24 seconds ago      Up 22 seconds (health: starting)                                                                      harbor-ui
    e0fe40b6804a        vmware/mariadb-photon:v1.5.0                "/usr/local/bin/dock…"   25 seconds ago      Up 23 seconds                      3306/tcp                                                           notary-db
    30331b6c8918        vmware/postgresql-photon:v1.5.0             "/entrypoint.sh post…"   25 seconds ago      Up 23 seconds (health: starting)   5432/tcp                                                           clair-db
    24e4856ac9a3        vmware/harbor-adminserver:v1.5.0            "/harbor/start.sh"       25 seconds ago      Up 23 seconds (health: starting)                                                                      harbor-adminserver
    0901a7fa027c        vmware/harbor-db:v1.5.0                     "/usr/local/bin/dock…"   25 seconds ago      Up 23 seconds (health: starting)   3306/tcp                                                           harbor-db
    1cea792c4656        vmware/redis-photon:v1.5.0                  "docker-entrypoint.s…"   25 seconds ago      Up 24 seconds                      6379/tcp                                                           redis
    7ea870371dcc        vmware/registry-photon:v2.6.2-v1.5.0        "/entrypoint.sh serv…"   25 seconds ago      Up 23 seconds (health: starting)   5000/tcp                                                           registry
    cceb28b45a0d        vmware/harbor-log:v1.5.0                    "/bin/sh -c /usr/loc…"   25 seconds ago      Up 24 seconds (health: starting)   127.0.0.1:1514->10514/tcp                                          harbor-log
    

    通过浏览器进行访问测试https://192.168.200.16

    image.png-285.3kB

    image.png-154.6kB

    项目创建:设定为仅管理员(企业中不会让注册用户随便创建) 不允许自动注册

    5.镜像管理与安全:漏洞扫描和镜像签名

    5.1 添加docker国内公有镜像源

    [root@Harbor-master harbor]# cat /etc/docker/daemon.json
    {
      "registry-mirrors":[ "https://registry.docker-cn.com" ]
    }
    [root@Harbor-master harbor]# systemctl daemon-reload
    [root@Harbor-master harbor]# systemctl restart docker
    

    5.2 重新启动Harbor私有镜像仓库

    #让harbor修改过的配置立刻生效
    [root@Harbor-master harbor]# ./prepare 
    Clearing the configuration file: ./common/config/adminserver/env
    Clearing the configuration file: ./common/config/ui/env
    Clearing the configuration file: ./common/config/ui/app.conf
    Clearing the configuration file: ./common/config/ui/private_key.pem
    ##以下省略若干。。。
    
    #清理所有harbor容器进程
    [root@Harbor-master harbor]# docker-compose down
    Stopping harbor-jobservice  ... done
    Stopping nginx              ... done
    Stopping harbor-ui          ... done
    Stopping harbor-adminserver ... done
    Stopping harbor-db          ... done
    Stopping redis              ... done
    Stopping registry           ... done
    Stopping harbor-log         ... done
    WARNING: Found orphan containers (notary-server, notary-signer, clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
    Removing harbor-jobservice  ... done
    Removing nginx              ... done
    Removing harbor-ui          ... done
    Removing harbor-adminserver ... done
    Removing harbor-db          ... done
    Removing redis              ... done
    Removing registry           ... done
    Removing harbor-log         ... done
    Removing network harbor_harbor
    
    #后台启动所有harbor容器进程
    [root@Harbor-master harbor]# docker-compose up -d
    Creating network "harbor_harbor" with the default driver
    WARNING: Found orphan containers (clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
    Creating harbor-log ... done
    Creating redis              ... done
    Creating registry           ... done
    Creating harbor-db          ... done
    Creating harbor-adminserver ... done
    Creating harbor-ui          ... done
    Creating nginx              ... done
    Creating harbor-jobservice  ... done
    

    5.3 下载一个公有镜像并上传到harbor

    #harbor本地下载一个公有仓库镜像centos:7
    [root@Harbor-master install]# docker pull centos:7
    
    #本地映射私有仓库域名
    [root@Harbor-master harbor]# tail -1 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    
    #将centos:7镜像改名并上传私有镜像仓库
    [root@Harbor-master install]# docker tag centos:7 www.yunjisuan.com/library/centos:7
    [root@Harbor-master install]# docker images | grep centos
    centos                             7                   9f38484d220f        4 months ago        202MB
    www.yunjisuan.com/library/centos   7                   9f38484d220f        4 months ago        202MB
    
    #登陆验证harbor私有仓库,并上传镜像
    [root@Harbor-master install]# docker login www.yunjisuan.com
    Username: admin
    Password: Harbor12345
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    
    [root@Harbor-master install]# docker push www.yunjisuan.com/library/centos:7
    The push refers to repository [www.yunjisuan.com/library/centos]
    d69483a6face: Pushed 
    7: digest: sha256:ca58fe458b8d94bc6e3072f1cfbd334855858e05e1fd633aa07cf7f82b048e66 size: 529
    
    #重新启用漏洞扫描
    [root@Harbor-master install]# cd /data/install/harbor
    [root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
    

    5.4 登陆浏览器查看镜像上传结果,并扫描漏洞

    image.png-210.6kB

    image.png-209.8kB

    image.png-213.9kB

    image.png-245.9kB

    5.5 设置镜像仓库安全等级

    image.png-208kB

    image.png-306kB

    5.6 为docker客户端下发域名证书

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    #映射harbor私有仓库域名
    [root@Docker-client ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core) 
    [root@Docker-client ~]# uname -r
    3.10.0-957.12.1.el7.x86_64
    [root@Docker-client ~]# hostname -I
    192.168.200.17 
    [root@Docker-client ~]# tail -1 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    
    #安装docker-ce社区版
    [root@Docker-client ~]# sestatus
    SELinux status:                 disabled
    [root@Docker-client ~]# systemctl stop firewalld
    [root@Docker-client ~]# systemctl disable firewalld
    [root@Docker-client ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
    [root@Docker-client ~]# rpm -qa yum-utils device-mapper-persistent-data lvm2
    yum-utils-1.1.31-50.el7.noarch
    device-mapper-persistent-data-0.7.3-3.el7.x86_64
    lvm2-2.02.180-10.el7_6.8.x86_64
    
    [root@Docker-client ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2424  100  2424    0     0   3925      0 --:--:-- --:--:-- --:--:--  3922
    
    
    [root@Docker-client ~]# yum -y install docker-ce
    [root@Docker-client ~]# systemctl start docker
    [root@Docker-client ~]# systemctl enable docker
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
    
    [root@Docker-client ~]# docker version
    Client: Docker Engine - Community
     Version:           19.03.0
     API version:       1.40
     Go version:        go1.12.5
     Git commit:        aeac9490dc
     Built:             Wed Jul 17 18:15:40 2019
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server: Docker Engine - Community
     Engine:
      Version:          19.03.0
      API version:      1.40 (minimum version 1.12)
      Go version:       go1.12.5
      Git commit:       aeac9490dc
      Built:            Wed Jul 17 18:14:16 2019
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.2.6
      GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
     runc:
      Version:          1.0.0-rc8
      GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
     docker-init:
      Version:          0.18.0
      GitCommit:        fec3683
    
    #配置国内公有镜像源
    [root@Docker-client ~]# cat /etc/docker/daemon.json 
    {
      "registry-mirrors":[ "https://registry.docker-cn.com" ]
    }
    [root@Docker-client ~]# systemctl daemon-reload
    [root@Docker-client ~]# systemctl restart docker
    
    #下载mongo公有镜像
    [root@Docker-client ~]# docker pull mongo
    Using default tag: latest
    latest: Pulling from library/mongo
    f7277927d38a: Pull complete 
    8d3eac894db4: Pull complete 
    edf72af6d627: Pull complete 
    3e4f86211d23: Pull complete 
    5747135f14d2: Pull complete 
    f56f2c3793f6: Pull complete 
    f8b941527f3a: Pull complete 
    4000e5ef59f4: Pull complete 
    ad518e2379cf: Pull complete 
    919225fc3685: Pull complete 
    45ff8d51e53a: Pull complete 
    4d3342ddfd7b: Pull complete 
    26002f176fca: Pull complete 
    Digest: sha256:7df93c5e2d140beabc39ef225da618df28cc916a5f5f295a41858accc0f46a0b
    Status: Downloaded newer image for mongo:latest
    docker.io/library/mongo:latest
    
    [root@Docker-client ~]# docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    mongo               latest              9c02a5a12c52        18 hours ago        413MB
    
    #为docker客户端下发域名(在harbor本地执行操作)
    #将harbor上自签发的域名证书www.yunjisuan.com.crt复制到docker客户端对应目录下
    [root@Harbor-master install]# cd /data/ssl/
    [root@Harbor-master ssl]# scp www.yunjisuan.com.crt 192.168.200.17:/etc/pki/ca-trust/source/anchors/
    root@192.168.200.17's password: 
    www.yunjisuan.com.crt                                                      100% 1931     1.6MB/s   00:00 
    
    #在docker客户端上执行操作,让证书立刻生效
    [root@Docker-client ~]# update-ca-trust enable
    [root@Docker-client ~]# update-ca-trust extract
    
    #下发证书后必须重启动docker-client的docker服务
    [root@Docker-client ~]# systemctl restart docker
    
    #docker-client登陆harbor仓库进行登陆验证
    [root@Docker-client ~]# cd /etc/pki/ca-trust/source/anchors/
    [root@Docker-client anchors]# ll
    总用量 4
    -rw-r--r-- 1 root root 1931 7月  24 19:56 www.yunjisuan.com.crt
    
    [root@Docker-client anchors]# docker login www.yunjisuan.com
    Username: admin
    Password: Harbor12345
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    
    #修改镜像的名字并上传harbor私有仓库
    [root@Docker-client anchors]# docker tag mongo:latest www.yunjisuan.com/library/mongo
    [root@Docker-client anchors]# docker images
    REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
    mongo                             latest              9c02a5a12c52        18 hours ago        413MB
    www.yunjisuan.com/library/mongo   latest              9c02a5a12c52        18 hours ago        413MB
    
    [root@Docker-client anchors]# docker push www.yunjisuan.com/library/mongo
    The push refers to repository [www.yunjisuan.com/library/mongo]
    3ea1af4d89d2: Pushed 
    d1badfd80c45: Pushed 
    be68547708c3: Pushed 
    26c9058be51d: Pushed 
    689158adef1e: Pushed 
    2ee7e1a20686: Pushed 
    6a272ecc48d7: Pushed 
    4ad102c46894: Pushed 
    b03801a3ccd1: Pushed 
    e79142719515: Pushed 
    aeda103e78c9: Pushed 
    2558e637fbff: Pushed 
    f749b9b0fb21: Pushed 
    latest: digest: sha256:7328ced1dd646dd65a20dbf3ae430835ce75ad6cdbfe59c83185ddb719dd5913 size: 3030
    

    浏览器登陆harbor进行查看:https://192.168.200.16

    image.png-222.7kB

    出现漏洞的镜像截图:
    image.png-259.2kB

    5.7 FAQ:问题解答

    windows10最新版本默认拒绝非认证的域名证书

    如果启动harbor采用的https加密证书的方式,最新版本windows10浏览器访问的话,默认会直接说“站点不安全,拒绝连接”。 那么我们可以采用非https的方式启动harbor

    [root@harbor-master ~]# sed -n '11p' /data/install/harbor/harbor.cfg
    ui_url_protocol = http
    

    但是我们要是采用非https加密方式启动harbor的话。最新版本的docker是登陆不了的。这是因为新版本docker默认是以https方式登陆harbor

    [root@Harbor-Slave docker]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    Error response from daemon: Get https://www.yunjisuan.com/v2/: dial tcp 192.168.200.74:443: connect: connection refused
    

    为了解决登陆问题,我们需要在/etc/docker/下创建一个daemon.json名字的文件,加入http方式登陆的harbor域名

    [root@Harbor-Slave docker]# cat /etc/docker/daemon.json 
    {
        "insecure-registries":[ "www.yunjisuan.com" ]
    }
    [root@Harbor-Slave docker]# systemctl restart docker    #需要重启
    
    
    #然后我们再次登陆harbor
    [root@harbor-slave harbor]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded    #登陆成功
    

    6. Harbor镜像的复制与同步

    harbor私有仓库的主从复制,类似于MySQL,属于1对多的复制

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    Harbor-slave 192.168.200.18 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB

    6.1 部署Habor-Slave

    再安装一个harbor私有仓库作为harbor的从库,域名为www2.yunjisuan.com

    image.png-414.6kB

    在Harbor-Master和Harbor-Slave上做域名映射
    
    #主Harbor
    [root@Harbor-master ~]# tail -2 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    192.168.200.18 www2.yunjisuan.com
    
    #从Harbor
    [root@Harbor-slave ~]# tail -2 /etc/hosts
    192.168.200.16 www.yunjisuan.com
    192.168.200.18 www2.yunjisuan.com
    

    特别提示:离线方式安装的Habor容器默认会从LDNS处获取对应的域名的IP解析,并不找本地的hosts文件
    由于我们是自己是自己设定的域名,因此,需要搭建用于内网解析的LDNS域名解析服务器

    6.2 搭建LDNS域名解析服务器

    主机名 IP 用途 最小资源配比 最佳资源配比
    Docker-client 192.168.200.17 docker客户端
    Harbor-master 192.168.200.16 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    Harbor-slave 192.168.200.18 harbor私有镜像仓库 2CPU 4CPU
    4GBMEM 8GB
    LDNS 192.168.200.19 本地DNS
    [root@LDNS ~]# yum -y install bind bind-chroot bind-utils
    [root@LDNS ~]# rpm -qa bind bind-chroot bind-utils
    bind-chroot-9.9.4-74.el7_6.1.x86_64
    bind-9.9.4-74.el7_6.1.x86_64
    bind-utils-9.9.4-74.el7_6.1.x86_64
    
    [root@LDNS ~]# cd /etc/
    [root@LDNS etc]# cp named.conf{,.bak}
    
    #配置文件修改成如下所示:
    [root@LDNS etc]# cat named.conf
    options {
        listen-on port 53 { 192.168.200.19; };
    //  listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
            forwarders  { 192.168.200.2; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "yunjisuan.com" IN {
        type master;
        file "yunjisuan.com.zone";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    #检查配置文件是否有错
    [root@LDNS etc]# named-checkconf /etc/named.conf
    
    #创建正向解析文件
    [root@LDNS etc]# cd /var/named
    [root@LDNS named]# ls
    chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@LDNS named]# cp -p named.empty yunjisuan.com.zone
    
    [root@LDNS named]# vim yunjisuan.com.zone 
    [root@LDNS named]# cat yunjisuan.com.zone 
    $TTL 1D
    @   IN SOA  yunjisuan.com. root.ns1.yunjisuan.com. (
                        20190725    ; serial
                        1D  ; refresh
                        1H  ; retry
                        1W  ; expire
                        3H )    ; minimum
         NS  ns1.yunjisuan.com.
    ns1  A   192.168.200.19
    www  A   192.168.200.16
    www2 A   192.168.200.18
    
    #测试正向解析文件是否有错
    [root@LDNS named]# named-checkzone yunjisuan.com yunjisuan.com.zone
    zone yunjisuan.com/IN: loaded serial 20190725
    OK
    
    #启动域名解析服务
    [root@LDNS named]# systemctl start named
    [root@LDNS named]# ss -antup | grep named
    udp    UNCONN     0      0      192.168.200.19:53                    *:*                   users:(("named",pid=7085,fd=512))
    tcp    LISTEN     0      10     192.168.200.19:53                    *:*                   users:(("named",pid=7085,fd=21))
    tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=7085,fd=22))
    tcp    LISTEN     0      128     ::1:953                  :::*                   users:(("named",pid=7085,fd=23))
    
    #将本地DNS改成自己,进行解析测试
    [root@LDNS named]# cat /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search localdomain
    nameserver 192.168.200.19
    
    [root@LDNS named]# nslookup www.baidu.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Non-authoritative answer:
    www.baidu.com	canonical name = www.a.shifen.com.
    Name:	www.a.shifen.com
    Address: 61.135.169.125
    Name:	www.a.shifen.com
    Address: 61.135.169.121
    
    [root@LDNS named]# nslookup www.yunjisuan.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Name:	www.yunjisuan.com
    Address: 192.168.200.16
    
    [root@LDNS named]# nslookup www2.yunjisuan.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Name:	www2.yunjisuan.com
    Address: 192.168.200.18
    

    6.3 构建Harbor主从同步

    提示:如果Harbor不是已经绑定的公网域名,那么必须构建自己的本地LDNS

    #修改Harbor-master上的域名解析DNS服务器为本地构建的LDNS
    [root@Harbor-master harbor]# cat /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search localdomain
    nameserver 192.168.200.19
    
    [root@Harbor-master harbor]# nslookup www2.yunjisuan.com
    Server:		192.168.200.19
    Address:	192.168.200.19#53
    
    Name:	www2.yunjisuan.com
    Address: 192.168.200.18
    
    

    image.png-180.2kB

    image.png-100.8kB

    image.png-183.4kB

    image.png-181.5kB

    image.png-139.1kB

    image.png-181.6kB

    至此,Harbor仓库主从复制已经构建完毕。
    备注:如果勾选了阻止潜在漏洞的选项会影响harbor主从复制

    image.png-280.9kB

    特别提示:如果是harbor经历过vmware虚拟机的暂停和恢复。那么很可能之前能够访问的harbor仓库,恢复后却不行了。此时,需要重启dorker进程并重新harbor容器进程。

  • 相关阅读:
    oracle 主键自动地址实现
    解构赋值
    那些朋友那些话系列
    那些朋友那些话
    白鹭记事
    该如何存在
    上海秋季HCC小记
    For the person you never see again
    寻城记
    2013年的国庆
  • 原文地址:https://www.cnblogs.com/ywb123/p/11245765.html
Copyright © 2011-2022 走看看