harbor镜像仓库自建

1.部署harbor服务端环境

环境准备:Ubuntu系统

1.1 软件包地址

wget https://github.com/goharbor/harbor/releases/download/v2.7.4/harbor-offline-installer-v2.7.4.tgz

注意:解压前先校验安装包完整性。Harbor 的 release 页面一般同时提供安装包的 GPG 分离签名(`harbor-offline-installer-v2.7.4.tgz.asc`),下载后导入 Harbor 的发布公钥并执行 `gpg --verify harbor-offline-installer-v2.7.4.tgz.asc harbor-offline-installer-v2.7.4.tgz` 验证(若该版本提供)。离线包内置了仓库所有组件镜像,一旦被篡改会直接影响整个镜像仓库,不要使用未经验证的安装包。

1.2 安装docker和docker-compose环境

docker 环境这里使用一键安装脚本快速安装【没有脚本就手动安装】。注意该脚本会以 root 身份在仓库服务器上运行,使用前应确认脚本来源可信并审阅其内容;更稳妥的做法是通过发行版或 Docker 官方 apt 源安装 docker-ce 与 docker-compose-plugin,避免执行来源不明的安装脚本。

[root@harbor ~]# tar xf  autoinstall-docker-docker-compose.tar.gz 
[root@harbor ~]# ./install-docker.sh i
[root@harbor ~]# docker --version
Docker version 20.10.24, build 297e128
[root@harbor ~]# 
[root@harbor ~]# docker-compose --version
Docker Compose version v2.23.0
[root@harbor ~]# 

1.3 解压harbor软件包

[root@harbor ~]# tar xf harbor-offline-installer-v2.7.4.tgz -C /Project/softwares/

1.4 创建工作目录

[root@harbor ~]# mkdir -pv /Project/softwares/harbor/certs/{ca,harbor-server,docker-client}
mkdir: created directory '/Project/softwares/harbor/certs'
mkdir: created directory '/Project/softwares/harbor/certs/ca'
mkdir: created directory '/Project/softwares/harbor/certs/harbor-server'
mkdir: created directory '/Project/softwares/harbor/certs/docker-client'
[root@harbor ~]# 

2.配置harbor相关证书

2.1 进入到harbor证书存放目录

[root@harbor ~]# cd /Project/softwares/harbor/certs/
[root@harbor certs]# 
[root@harbor certs]# ll
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 harbor-server/
[root@harbor certs]# 

2.2 创建CA的私钥

说明:下面生成的 ca.key 是整个信任链的根,持有它就能签发出所有 docker 客户端都会信任的任意域名证书。该命令生成的私钥未加口令(如需口令保护可加 `-aes256`,但后续签发命令会交互式要求输入口令);务必保持文件权限为 0600(下方 `ll` 输出中的 `-rw-------`),不要把 ca.key 复制到客户端或随 harbor 目录一起打包分发,条件允许时把 CA 私钥保存在离线或独立的主机上,只分发 ca.crt。

[root@harbor certs]# openssl genrsa -out ca/ca.key 4096
[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 harbor-server/

./ca:
total 12
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../

./harbor-server:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
[root@harbor certs]# 

2.3 基于自建的CA私钥创建CA证书(注意:`-nodes` 表示不对私钥加口令;CA 证书里的 CN 只是一个名称,并不限制该 CA 能为哪些域名签发证书,若要真正限制签发范围需要在 CA 证书中加入 nameConstraints 扩展)

[root@harbor certs]# openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=nolenlinux.cn" \
 -key ca/ca.key \
 -out ca/ca.crt
 
[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 harbor-server/

./ca:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:17 ca.crt
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../

./harbor-server:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
[root@harbor certs]# 

2.4 查看自建证书信息

[root@harbor certs]# openssl  x509 -in ca/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            58:5a:1e:23:84:70:d6:d8:5a:f9:6c:3b:d2:e6:9f:56:83:95:84:45
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = nolenlinux.cn
        Validity
            Not Before: Sep 10 09:17:11 2024 GMT
            Not After : Sep  8 09:17:11 2034 GMT
        Subject: C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = nolenlinux.cn
...

2.5 配置harbor证书

1) 生成harbor服务器的私钥

[root@harbor certs]# openssl genrsa -out harbor-server/harbor.nolenlinux.cn.key 4096
[root@harbor certs]# 
[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:18 harbor-server/

./ca:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:17 ca.crt
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../

./harbor-server:
total 12
drwxr-xr-x 2 root root 4096 Sep 10 17:18 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw------- 1 root root 3272 Sep 10 17:18 harbor.nolenlinux.cn.key
[root@harbor certs]# 

2) harbor服务器基于私钥签发证书认证请求(csr文件),让自建CA认证

[root@harbor certs]# openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.nolenlinux.cn" \
    -key harbor-server/harbor.nolenlinux.cn.key \
    -out harbor-server/harbor.nolenlinux.cn.csr

[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:18 harbor-server/

./ca:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:17 ca.crt
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../

./harbor-server:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:18 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 1716 Sep 10 17:18 harbor.nolenlinux.cn.csr
-rw------- 1 root root 3272 Sep 10 17:18 harbor.nolenlinux.cn.key
[root@harbor certs]#

3) 生成 x509 v3 的扩展文件用于认证

[root@harbor certs]# cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.nolenlinux.cn
EOF

[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:19 harbor-server/

./ca:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:17 ca.crt
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../

./harbor-server:
total 20
drwxr-xr-x 2 root root 4096 Sep 10 17:19 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 1716 Sep 10 17:18 harbor.nolenlinux.cn.csr
-rw------- 1 root root 3272 Sep 10 17:18 harbor.nolenlinux.cn.key
-rw-r--r-- 1 root root  239 Sep 10 17:19 v3.ext
[root@harbor certs]# 

4) 基于 x509 v3 的扩展文件认证签发harbor server证书

说明:签发后建议立即用 CA 证书校验并检查 SAN 是否正确:`openssl verify -CAfile ca/ca.crt harbor-server/harbor.nolenlinux.cn.crt` 以及 `openssl x509 -in harbor-server/harbor.nolenlinux.cn.crt -noout -ext subjectAltName`。另外这里服务端证书有效期设为 3650 天,与 CA 相同;服务端私钥常驻在线主机、泄露风险远高于 CA,建议缩短有效期(例如一年)并规划定期轮换。

[root@harbor certs]# openssl x509 -req -sha512 -days 3650 \
    -extfile harbor-server/v3.ext \
    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
    -in harbor-server/harbor.nolenlinux.cn.csr \
    -out harbor-server/harbor.nolenlinux.cn.crt
...
Certificate request self-signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = harbor.nolenlinux.cn
[root@harbor certs]#
[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 3 root root 4096 Sep 10 17:16 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:16 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:19 harbor-server/

./ca:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:17 ca.crt
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 8
drwxr-xr-x 2 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../

./harbor-server:
total 24
drwxr-xr-x 2 root root 4096 Sep 10 17:19 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2147 Sep 10 17:19 harbor.nolenlinux.cn.crt
-rw-r--r-- 1 root root 1716 Sep 10 17:18 harbor.nolenlinux.cn.csr
-rw------- 1 root root 3272 Sep 10 17:18 harbor.nolenlinux.cn.key
-rw-r--r-- 1 root root  239 Sep 10 17:19 v3.ext
[root@harbor certs]# 

5) 修改harbor的配置文件使用自建证书

[root@harbor certs]# cp ../harbor.yml.tmpl ../harbor.yml
[root@harbor certs]# vim ../harbor.yml
...
hostname: harbor.nolenlinux.cn
https:
  ...
  certificate: /Project/softwares/harbor/certs/harbor-server/harbor.nolenlinux.cn.crt
  private_key: /Project/softwares/harbor/certs/harbor-server/harbor.nolenlinux.cn.key
...
harbor_admin_password: 1   # 仅为演示用的弱口令;生产环境必须改为强口令。该值只在 Harbor 首次启动初始化时生效,之后要在 WebUI 中修改
# 模板中的其它默认口令(如内部数据库的 database.password)也应在安装前一并修改
...
data_volume: /Project/data/harbor  
...
[root@harbor certs]#

6) 安装harbor

说明:`--with-chartmuseum` 启用的 ChartMuseum 组件自 v2.6.0 起已被标记为废弃(下方安装输出中也有提示),并会在 v2.8.0 之后移除;除非确实需要,建议不带该参数安装以减少暴露面,Helm chart 可改用 OCI 方式直接推送到 Harbor。

[root@harbor certs]# ../install.sh --with-chartmuseum

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.24

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.23.0

[Step 2]: loading Harbor images ...
...

[Step 5]: starting Harbor ...
➜ 
    Chartmusuem will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/15057
[+] Building 0.0s (0/0)                                                                                                 docker:default
[+] Running 12/12
 ✔ Network harbor_harbor-chartmuseum  Created                                                                                     0.2s 
 ✔ Network harbor_harbor              Created                                                                                     0.1s 
 ✔ Container harbor-log               Started                                                                                     0.1s 
 ✔ Container registry                 Started                                                                                     0.1s 
 ✔ Container harbor-portal            Started                                                                                     0.2s 
 ✔ Container chartmuseum              Started                                                                                     0.1s 
 ✔ Container redis                    Started                                                                                     0.1s 
 ✔ Container harbor-db                Started                                                                                     0.1s 
 ✔ Container registryctl              Started                                                                                     0.1s 
 ✔ Container harbor-core              Started                                                                                     0.1s 
 ✔ Container nginx                    Started                                                                                     0.1s 
 ✔ Container harbor-jobservice        Started                                                                                     0.1s 
✔ ----Harbor has been installed and started successfully.----
[root@harbor certs]# 

安装成功之后通过域名访问 harbor WebUI。注意:上面签发的证书 SAN 里只有 `DNS.1=harbor.nolenlinux.cn`,用 IP 访问时浏览器会提示证书与地址不匹配,docker 客户端也会校验失败;若确实需要用 IP 访问,应在 v3.ext 的 `[alt_names]` 中加上 `IP.1=<服务器IP>` 后重新签发证书,而不是让客户端忽略证书校验。

3.配置docker客户端证书

如果不配置,docker 客户端访问仓库时会因为不信任自建 CA 而失败(典型报错为 `x509: certificate signed by unknown authority`)。正确做法是把 CA 证书放到客户端的信任目录(见下文 3.3/3.4),而不是把仓库加入 daemon.json 的 `insecure-registries` 跳过校验——后者会让客户端对该仓库完全放弃 TLS 身份验证。

3.1 生成docker客户端证书

说明:这一步实际只是把服务端证书换成 `.cert` 后缀(docker 要求客户端证书文件以 `.cert` 结尾),并没有生成新的"客户端证书",下方 md5sum 一致也说明两者内容完全相同。只有在仓库前端开启了客户端证书校验(mTLS)时 docker 才需要 `.cert`/`.key` 文件;本文的 harbor 配置并未启用 mTLS,因此客户端实际只需要 ca.crt。

[root@harbor certs]# openssl x509 -inform PEM -in harbor-server/harbor.nolenlinux.cn.crt -out docker-client/harbor.nolenlinux.cn.cert
[root@harbor certs]#
[root@harbor certs]# 
[root@harbor certs]# 
[root@harbor certs]# pwd
/Project/softwares/harbor/certs
[root@harbor certs]#
[root@harbor certs]# md5sum docker-client/harbor.nolenlinux.cn.cert harbor-server/harbor.nolenlinux.cn.crt 
c7a004c0dc90c857f8fac59d73141515  docker-client/harbor.nolenlinux.cn.cert
c7a004c0dc90c857f8fac59d73141515  harbor-server/harbor.nolenlinux.cn.crt
[root@harbor certs]# 

3.2 拷贝docker client证书文件

安全提醒:下面第一条命令把 harbor 服务端的私钥 `harbor.nolenlinux.cn.key` 复制进了 docker-client 目录,后续还会被分发到每个 docker 客户端节点。服务端私钥一旦出现在任意客户端上,拿到该节点的人就能伪造 harbor 仓库(配合 DNS 或流量劫持即可投递恶意镜像)。对于没有启用 mTLS 的 harbor,客户端只需要 `ca.crt`;建议跳过拷贝 `.key`(和 `.cert`),仅分发 ca.crt。

[root@harbor certs]# cp harbor-server/harbor.nolenlinux.cn.key docker-client/
[root@harbor certs]# 
[root@harbor certs]# cp ca/ca.crt docker-client/
[root@harbor certs]# 
[root@harbor certs]# ll -R
.:
total 20
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ./
drwxr-xr-x 4 root root 4096 Sep 10 17:30 ../
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ca/
drwxr-xr-x 2 root root 4096 Sep 10 17:37 docker-client/
drwxr-xr-x 2 root root 4096 Sep 10 17:19 harbor-server/

./ca:
total 16
drwxr-xr-x 2 root root 4096 Sep 10 17:17 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:17 ca.crt
-rw------- 1 root root 3272 Sep 10 17:16 ca.key

./docker-client:
total 20
drwxr-xr-x 2 root root 4096 Sep 10 17:37 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2049 Sep 10 17:37 ca.crt
-rw-r--r-- 1 root root 2147 Sep 10 17:36 harbor.nolenlinux.cn.cert
-rw------- 1 root root 3272 Sep 10 17:36 harbor.nolenlinux.cn.key

./harbor-server:
total 24
drwxr-xr-x 2 root root 4096 Sep 10 17:19 ./
drwxr-xr-x 5 root root 4096 Sep 10 17:16 ../
-rw-r--r-- 1 root root 2147 Sep 10 17:19 harbor.nolenlinux.cn.crt
-rw-r--r-- 1 root root 1716 Sep 10 17:18 harbor.nolenlinux.cn.csr
-rw------- 1 root root 3272 Sep 10 17:18 harbor.nolenlinux.cn.key
-rw-r--r-- 1 root root  239 Sep 10 17:19 v3.ext
[root@harbor certs]# 

3.3 docker客户端创建自建证书的目录结构(注意:目录名必须与访问仓库时使用的主机名完全一致;如果仓库使用非 443 端口,目录名要写成 `主机名:端口`)

这里我选择了一个 K8S 集群中以 docker 为运行时的节点作为 docker 客户端。注意 `/etc/docker/certs.d` 只对 docker 守护进程生效;如果节点的容器运行时是 containerd,需要在 containerd 自己的 registry 配置中指定 CA 证书,否则 kubelet 拉取镜像时仍然不会信任自建 CA。

[root@worker211 ~]# mkdir -pv /etc/docker/certs.d/harbor.nolenlinux.cn/
mkdir: created directory '/etc/docker/certs.d'
mkdir: created directory '/etc/docker/certs.d/harbor.nolenlinux.cn/'
[root@worker211 ~]# 

3.4 将客户端证书文件进行拷贝

建议只拷贝 CA 证书:`scp harbor.nolenlinux.cn:/Project/softwares/harbor/certs/ca/ca.crt /etc/docker/certs.d/harbor.nolenlinux.cn/ca.crt`,这已足够让 docker 信任自建证书,而不必把服务端私钥带到工作节点上。另外下面的 scp 使用 root 口令登录并在首次连接时直接接受了主机指纹(TOFU),批量分发时应改用 SSH 密钥认证并预先核对 harbor 主机的 host key。

[root@worker211 ~]# scp harbor.nolenlinux.cn:/Project/softwares/harbor/certs/docker-client/* /etc/docker/certs.d/harbor.nolenlinux.cn/
...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes    
Warning: Permanently added 'harbor.nolenlinux.cn' (ED25519) to the list of known hosts.
root@harbor.nolenlinux.cn’s password: 
ca.crt                                                                                               100% 2049     1.1MB/s   00:00    
harbor.nolenlinux.cn.cert                                                                            100% 2147   801.7KB/s   00:00    
harbor.nolenlinux.cn.key                                                                             100% 3272     1.4MB/s   00:00    
[root@worker211 ~]# 

3.5 docker客户端验证

说明:下面用 `-p` 在命令行传入口令,口令会留在 shell 历史和进程列表中,docker 本身也给出了警告;应改为 `echo "$PASS" | docker login -u admin --password-stdin harbor.nolenlinux.cn` 或交互式输入。另外不建议在工作节点上用 admin 账号登录:应为每个项目创建只授予 pull(必要时 push)权限的机器人账号(Robot Account),K8S 拉取镜像则通过 imagePullSecrets 使用该账号;登录凭据会明文存放在 /root/.docker/config.json 中,应配置 credential helper,或至少确保该文件仅 root 可读。

[root@worker211 ~]# docker login -u admin -p 1 harbor.nolenlinux.cn
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

4.测试镜像推送

创建harbor的项目后进行镜像推送测试

4.1 打镜像

[root@worker211 ~]# docker tag wordpress:v6.2.2 harbor.nolenlinux.cn/wordpress/wordpress:v6.2.2

4.2 推送镜像

说明:推送时要显式带上 tag。不带 tag 执行 `docker push harbor.nolenlinux.cn/wordpress/wordpress` 时 docker 会默认推送 `latest`,而上面只打了 `v6.2.2` 这一个标签,并不存在 `latest`,推送会失败;因此命令应写成下面的形式。

[root@worker211 ~]# docker push harbor.nolenlinux.cn/wordpress/wordpress:v6.2.2
The push refers to repository [harbor.nolenlinux.cn/wordpress/wordpress]
c7ae1aefcc69: Pushed 
8f1b90d2be40: Pushed 
98b68a843574: Pushed 
f0287c40b0d6: Pushed 
a4e2d002482e: Pushed 
4793c0a2ad02: Pushed 
0d79fe9ffe74: Pushed 
d390f2d56bd8: Pushed 
10dfb82106c4: Pushed 
7446d340e7f8: Pushed 
55d40777afe6: Pushed 
56543a169be6: Pushed 
b299cffd87cb: Pushed 
23946094ff3f: Pushed 
6c39776a30a0: Pushed 
564928686313: Pushed 
6e4300c6b758: Pushed 
ee0ca96d307e: Pushed 
0fdfbbf7aebd: Pushed 
2a3138346faa: Pushed 
2edcec3590a4: Pushed 
v6.2.2: digest: sha256:fc71e6a3a9214ed4bd29a268ade5fbec77589a50e00a59fa3c82641f6b58b1a9 size: 4710
[root@worker211 ~]# 

5 浏览器访问WebUI验证镜像是否传输成功
