Docker(二):Docker镜像仓库Harbor搭建

安装docker-compose

因为docker-compose下载容易失败, 所以选择从github下载方式安装。

image-20200419071229209

[root@harbor ~]# mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
[root@harbor ~]# chmod a+x /usr/local/bin/docker-compose
[root@harbor ~]# docker-compose --version
docker-compose version 1.25.5, build 8a1c60f6

Harbor安装和配置

GitHub下载安装包

地址:https://github.com/goharbor/harbor/releases

image-20200419071415204

[root@harbor ~]# tar -zxvf harbor-offline-installer-v1.10.1.tgz 
[root@harbor ~]# mv harbor /usr/local/
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# cp harbor.yml harbor.yml.bak

修改配置文件

[root@harbor harbor]# vim harbor.yml
hostname: chinda.com
https:
  port: 443
  certificate: /data/cert/chinda.com.crt
  private_key: /data/cert/chinda.com.key
# harbor管理页面admin用户的密码
harbor_admin_password: admin

修改宿主机hosts

192.168.0.250		chinda.com

配置对Harbor的HTTPS访问

生成机构颁发的证书

  1. 生成CA证书私钥

    openssl genrsa -out ca.key 4096
    
  2. 生成CA证书

    openssl req -x509 -new -nodes -sha512 -days 3650 \
     -subj "/C=CN/ST=Beijing/L=Beijing/O=chinda/OU=chinda/CN=chinda.com" \
     -key ca.key \
     -out ca.crt
    

生成服务器证书

证书通常包含一个.crt文件和一个.key文件。

  1. 生成私钥

    openssl genrsa -out chinda.com.key 4096
    
  2. 生成证书签名(CSR)

    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=chinda/OU=chinda/CN=chinda.com" \
        -key chinda.com.key \
        -out chinda.com.csr
    
  3. 生成x509 v3扩展文件

    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1=chinda.com
    DNS.2=chinda
    DNS.3=harbor
    EOF
    
  4. 使用v3.ext文件为Harbor主机生成证书

    将chinda.com`CRS和CRT文件名中的替换为Harbor主机名。

    openssl x509 -req -sha512 -days 3650 \
        -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in chinda.com.csr \
        -out chinda.com.crt
    

提供证书给Harbor和Docker

生成ca.crtchinda.com.crtchinda.com.key文件后,必须将它们提供给Harbor和Docker和重新配置使用它们的Harbor。首先创建存放他们的文件夹。

  1. 将服务器证书和密钥复制到Harbor主机的cert文件夹中。

    cp chinda.com.crt /data/cert/
    cp chinda.com.key /data/cert/
    chmod a+x  /data/cert/
    
  2. 转换chinda.com.crtchinda.com.cert,供Docker使用。

    Docker守护程序将.crt文件解释为CA证书,并将.cert文件解释为客户端证书。

    openssl x509 -inform PEM -in chinda.com.crt -out chinda.com.cert
    
  3. 将服务器证书,密钥和CA文件复制到Harbor主机上的Docker 证书文件夹中。首先创建适当的文件夹。

    cp chinda.com.cert /etc/docker/certs.d/chinda.com/
    cp chinda.com.key /etc/docker/certs.d/chinda.com/
    cp ca.crt /etc/docker/certs.d/chinda.com/
    
  4. 重启Docker引擎

    systemctl restart docker
    

运行脚本安装

[root@harbor cert]# cd /usr/local/harbor/
[root@harbor harbor]# ./install.sh 

验证

image-20200419225824263

[root@harbor harbor]# docker login https://chinda.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

操作

# 查看执行状态。注意,要在项目下执行此命令,不然会抛出异常
docker-compose ps
# 停止/移除存在的实例
docker-compose down -v
# 重启harbor
docker-compose up -d

推送镜像的Docker命令

# 在项目中标记镜像:
docker tag SOURCE_IMAGE[:TAG] chinda.com/library/IMAGE[:TAG]
# 推送镜像到当前项目:
docker push chinda.com/library/IMAGE[:TAG]

鉴权失败401 Unauthorized

[root@harbor harbor]# docker login https://chinda.com
Authenticating with existing credentials...
Login did not succeed, error: Error response from daemon: login attempt to https://chinda.com/v2/ failed with status: 401 Unauthorized
Username (admin): admin
Password: 
Error response from daemon: login attempt to https://chinda.com/v2/ failed with status: 401 Unauthorized

解决方案

docker-compose down -v
docker-compose up -d
posted @ 2020-04-26 07:33  Chinda  阅读(455)  评论(0)    收藏  举报