harbor

lzjasd / 2023-05-03 / 原文

# Point the CentOS 7 base and EPEL repo definitions at the Aliyun mirror.
# Each entry is "<repo file to overwrite>=<mirror URL>".
for repo_pair in \
  '/etc/yum.repos.d/CentOS-Base.repo=https://mirrors.aliyun.com/repo/Centos-7.repo' \
  '/etc/yum.repos.d/epel.repo=https://mirrors.aliyun.com/repo/epel-7.repo'; do
  wget -O "${repo_pair%%=*}" "${repo_pair#*=}"
done


# Install the Docker engine and docker-compose, one package per yum run,
# in the same order as before.
for pkg in docker-ce docker-compose; do
  yum -y install "$pkg"
done
# Print the compose version to confirm it meets the installer's requirement.
docker-compose --version




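# Fetch the Harbor v2.4.1 offline installer and unpack it under /data.
# `mkdir -p` makes the step idempotent: a plain `mkdir /data` fails when the
# directory already exists and, under `set -e`, would stop a script here.
# Harbor releases also publish a detached `.asc` signature next to the
# tarball; verify it before unpacking when the download path is not trusted.
harbor_tgz=harbor-offline-installer-v2.4.1.tgz
wget "https://github.com/goharbor/harbor/releases/download/v2.4.1/${harbor_tgz}"
mkdir -p /data
tar xf "${harbor_tgz}" -C /data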
加载镜像文件
# Pre-load the Harbor images bundled in the offline installer archive.
cd /data/harbor
docker load --input harbor.v2.4.1.tar.gz



生成CA证书私钥
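# Generate the CA private key under /etc/pki.
# openssl does not tighten the output file's mode by itself (it follows the
# umask), and this key can sign certificates that Docker clients will trust,
# so restrict it to the owner immediately.
cd /etc/pki
openssl genrsa -out ca.key 4096
chmod 600 ca.key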

创建 CA 证书
# Self-signed CA certificate from ca.key: SHA-512 signature, 10-year validity.
openssl req -new -x509 \
  -key ca.key \
  -days 3650 -sha512 -nodes \
  -subj "/C=CN/ST=GD/L=ShenZhen/O=example/OU=Personal/CN=hzde.com" \
  -out ca.crt
 
 创建 Harbor 证书
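 # Server key and CSR for Harbor. The CN must equal the registry host name
 # used by `docker login` (see the note below). As with ca.key, openssl leaves
 # the key at the umask default mode, so restrict it to the owner.
 openssl genrsa -out harbor.key 4096
 chmod 600 harbor.key
 openssl req -new -sha512 \
   -key harbor.key \
   -subj "/C=CN/ST=GD/L=ShenZhen/O=example/OU=Personal/CN=harbor.hzde.com" \
   -out harbor.csr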
    
CN要跟你的域名保持一致,不然docker login登录不上

创建v3扩展插件
# x509 v3 extensions for the server certificate: a leaf (CA:FALSE), server
# authentication only, and SANs for the FQDN, the short host name and the IP
# so clients connecting by any of them can validate the certificate.
# The delimiter is quoted: nothing in the body is expanded by the shell.
cat <<'EOF' > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.hzde.com
DNS.2=harbor
IP.1=192.168.14.132
EOF


创建 harbor 证书
# Sign the CSR with the CA, applying the v3 extensions (SANs etc.) from v3.ext.
# -CAcreateserial writes the serial file (ca.srl) on first use.
openssl x509 -req \
  -in harbor.csr -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha512 -days 3650 \
  -out harbor.crt
    
    
Signature ok
subject=/C=CN/ST=GD/L=ShenZhen/O=example/OU=Personal/CN=harbor.hzde.com
Getting CA Private Key


将harbor证书拷贝到/etc/harbor 
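# Stage the server certificate and key where harbor.yml points to them.
# cp does not tighten the mode of the copy, so with a default umask the key
# copy ends up world-readable unless the source already was restricted;
# set it explicitly.
mkdir -p /etc/harbor/ssl
cp harbor.crt harbor.key /etc/harbor/ssl/
chmod 600 /etc/harbor/ssl/harbor.key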

修改 harbor 配置文件
# Start the Harbor configuration from the shipped template, then edit it.
cd /data/harbor
cp -- harbor.yml.tmpl harbor.yml
vim harbor.yml
...
hostname: harbor.hzde.com  # must match the certificate CN / SAN DNS.1, or docker login fails
...
https:
  port: 443
  # The server certificate and key staged under /etc/harbor/ssl above
  # (harbor.crt is the leaf signed by ca.crt, not the CA certificate).
  certificate: /etc/harbor/ssl/harbor.crt
  private_key: /etc/harbor/ssl/harbor.key
...
harbor_admin_password: 1234 # Harbor admin login password; change it to a strong value of your own (1234 is only this walkthrough's example)
默认是Harbor12345

启动服务
--with-notary:可保证镜像的真实性
--with-trivy:漏洞扫描工具,之前是--with-clair
--with-chartmuseum:启用chart仓库


[root@master harbor]# ./install.sh --with-notary --with-trivy --with-chartmuseum

[Step 0]: checking if docker is installed ...


检查服务运行状态
# List every Harbor container, including any that exited, to check the deployment.
docker container ls --all

docker 登录验证
# Resolve the registry host name locally so it matches the certificate CN/SAN.
printf '%s\n' '192.168.14.132 harbor.hzde.com' >> /etc/hosts

登录 harbor 有 2 种方式

1.为 docker 添加私有证书

# Trust the registry certificate for this host only: the daemon reads
# /etc/docker/certs.d/<registry>/ca.crt as a trust anchor, so TLS
# verification stays enabled (unlike the insecure-registries option below).
certs_dir=/etc/docker/certs.d/harbor.hzde.com
mkdir -p -- "$certs_dir"
cp /etc/harbor/ssl/harbor.crt "$certs_dir/ca.crt"

2.将 harbor 添加到 insecure-registries 中

# insecure-registries disables TLS verification for the listed host (the
# daemon accepts untrusted certificates and falls back to plain HTTP), so it
# gives up the protection the certificate above provides; prefer option 1.
vim /etc/docker/daemon.json
...
  "insecure-registries": ["harbor.hzde.com"]
...

登录 harbor

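# Log in as admin with the password set in harbor.yml (1234 in this walkthrough).
# -p is omitted so docker prompts for the password: it then never appears in
# argv, `ps` output or shell history, which is what the CLI's "--password via
# the CLI is insecure" warning is about. For non-interactive use, pipe the
# password into `--password-stdin` from a mode-0600 file rather than a literal.
docker login harbor.hzde.com -u admin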
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Harbor 控制台登录
先修改 hosts,增加一条192.168.14.132 harbor.hzde.com,然后通过浏览器访问:https://harbor.hzde.com,默认用户名:admin,默认密码:Harbor12345,密码可以在harbor.yml中修改。
自定义设置为1234 密码



# Fetch a test image from the public registry.
docker image pull nginx:1.20.2-alpine

打 tag
# Re-tag the image under the Harbor host name and the default "library" project.
docker image tag nginx:1.20.2-alpine harbor.hzde.com/library/nginx:1.20.2-alpine


推送镜像到仓库
# Push the re-tagged image to the private registry (requires the login above).
docker image push harbor.hzde.com/library/nginx:1.20.2-alpine