起始目录/root,root 登陆后,直接在该目录进行下面的命令
下载harbor 预编译包 0.4.5
准备通过域名 reg.server.com 来访问镜像库所以需要在/etc/hosts 文件中加入 192.168.10.90 reg.server.com,IP 镜像服务器的地址。
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.',the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg,city) []:beijing
Organization Name (eg,company) [Internet Widgits Pty Ltd]:reg.server.com
Organizational Unit Name (eg,section) []:reg.server.com
Common Name (e.g. server FQDN or YOUR name) []:reg.server.com # 这里最重要,一定要填写你准备使用的域名
Email Address []:admin@reg.server.com
openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.server.com.key -out reg.server.com.csr
输入的内容如下
writing new private key to 'reg.server.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,section) []:reg.server.com
Common Name (e.g. server FQDN or YOUR name) []:reg.server.com # 必须和域名一致
Email Address []:admin@reg.server.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #密码留空即可
An optional company name []:
命令完成后生成
reg.server.com.csrreg.server.com.key 和
可以查看/etc/ssl/openssl.cnf 配置文件中 ssl 默认的文件夹名称是什么,一般来说,没被改动过的话是demoCA.
mkdir demoCA cd demoCA touch index.txt echo '01' > serial cd ..3.2 签名证书
因为我们生成签名的时候使用的是FQDN 所以需要如下命令
echo subjectAltName = IP:192.168.10.90 > extfile.cnf
openssl ca -in reg.server.com.csr -out reg.server.com.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -outdir .
3.3 讲生成的证书加入本机信任
运行3.2 的命令之后,会生成一个01.pem 和 reg.server.com.crt的证书。
cat 01.pem >> reg.server.com.crt
cp ca.crt reg.server.com.crt/usr/local/share/ca-certificates/
update-ca-certificates
4 安装docker(如果在导入信任证书前安装了docker, 需要重启docker,命令为 service docker restart
安装方法参见
https://docs.docker.com/engine/installation/linux/ubuntulinux/
5 安装docker compose
安装方法参见
https://docs.docker.com/compose/install/
如果遇到伟大的长城问题。
可以直接爬墙把docker-compose-Linux-x64 文件下载下来。然后chmod +x 就可以了,然后在把这个文件改名为docker-compose 复制到/usr/local/bin 下,就算安装完成。
6 配置harbor
解压安装包
tar -zxvf harbor-offline-installer-0.4.5.tgz
## Configuration file of Harbor #The IP address or hostname to access admin UI and registry service. #DO NOT use localhost or 127.0.0.1,because Harbor needs to be accessed by external clients. hostname = reg.server.com #必须和签名时的域名一致 #The protocol for accessing the UI and token/notification service,by default it is http. #It can be set to https if ssl is enabled on Nginx. ui_url_protocol = https #Email account settings for sending out password resetting emails. email_server = smtp.mydomain.com email_server_port = 25 email_username = sample_admin@mydomain.com email_password = abc email_from = admin <sample_admin@mydomain.com> email_ssl = false ##The initial password of Harbor admin,only works for the first time when Harbor starts. #It has no effect after the first launch of Harbor. #Change the admin password from UI after launching Harbor. harbor_admin_password = Harbor12345 #密码可以随便改 ##By default the auth mode is db_auth,i.e. the credentials are stored in a local database. #Set it to ldap_auth if you want to verify a user's credentials against an LDAP server. auth_mode = db_auth #The url for an ldap endpoint. ldap_url = ldaps://ldap.mydomain.com #A user's DN who has the permission to search the LDAP/AD server. #If your LDAP/AD server does not support anonymous search,you should configure this DN and ldap_search_pwd. #ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com #the password of the ldap_searchdn #ldap_search_pwd = password #The base DN from which to look up a user in LDAP/AD ldap_basedn = ou=people,dc=com #Search filter for LDAP/AD,make sure the Syntax of the filter is correct. #ldap_filter = (objectClass=person) # The attribute used in a search to match a user,it could be uid,cn,email,sAMAccountName or other attributes depending on your LDAP/AD ldap_uid = uid #the scope to search for users,1-LDAP_SCOPE_BASE,2-LDAP_SCOPE_ONELEVEL,3-LDAP_SCOPE_SUBTREE ldap_scope = 3 #The password for the root user of MysqL db,change this before any production use. db_password = root123 #Turn on or off the self-registration feature self_registration = on #Determine whether the UI should use compressed js files. #For production,set it to on. For development,set it to off. use_compressed_js = on #Maximum number of job workers in job service max_job_workers = 3 #The expiration time (in minute) of token created by token service,default is 30 minutes token_expiration = 30 #Determine whether the job service should verify the ssl cert when it connects to a remote registry. #Set this flag to off when the remote registry uses a self-signed or untrusted certificate. verify_remote_cert = on #Determine whether or not to generate certificate for the registry's token. #If the value is on,the prepare script creates new root cert and private key #for generating token to access the registry. If the value is off,a key/certificate must #be supplied for token generation. customize_crt = on #Information of your organization for certificate crt_country = CN crt_state = State crt_location = CN crt_organization = organization crt_organizationalunit = organizational unit crt_commonname = example.com crt_email = example@example.com #The path of cert and key files for Nginx,they are applied only the protocol is set to https ssl_cert = /etc/Nginx/cert/reg.server.com.crt #文件位置不能变,必须是这个位置 ssl_cert_key = /etc/Nginx/cert/reg.server.com.key #文件位置不能变,必须是这个位置
修改prepare 源码(此步骤 仅仅在 ubuntu 16 中才需要执行)
vim /root/harbor/prepare 在第46 行不兼容python 3.5, ubuntu 16 默认时使用的python 3.5
将原来的 os.makedirs(path,mode=0600) 改为os.makedirs(path,mode=0o600) 不然会报错。
mv /root/harbor/common/config/Nginx/Nginx.conf /root/harbor/common/config/Nginx/Nginx.conf.bak
拷贝 https 的配置文件到/root/harbor/common/config/Nginx/
cp /root/harbor/common/templates/Nginx/Nginx.https.conf /root/harbor/common/config/Nginx/Nginx.conf
拷贝证书
cp reg.server.com.crt reg.server.com.key/etc/Nginx/cert/ (如果文件夹不存在,手动创建)
cp reg.server.com.crt reg.server.com.key/root/harbor/common/config/Nginx/cert/
vim /root/harbor/docker-compose.yml
在registry 中添加ports 项,以开放端口给外网
registry:
image: library/registry:2.5.0
container_name: registry
restart: always
volumes:
- /data/registry:/storage
- ./common/config/registry/:/etc/registry/
ports:
- 5000:5000 #添加端口开放给外网
environment:
- GODEBUG=netdns=cgo
command:
["serve","/etc/registry/config.yml"]
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
安装harbore
cd /root/harbor
./install.sh
安装完成后运行
docker ps 查看启动的容器,一共有6个
docker login reg.server.com (输入用户名密码,如果能成功登陆就成功 了)
过程中遇到的问题
x509: certificate signed by unknown authority
如果遇到这个问题,就是ca.crt 没有导入到本机信任列表中,运行下面命令解决
cp ca.crt/usr/local/share/ca-certificates/
update-ca-certificates
在windows平台下,需要使用docker toolBox 进行研发,docker toolBox 使用boot2docker linux。
在boot2docker linux 中,使用如下领命安装证书
1 启动 Docker Quickstart Terminal
启动之后所在的当前路径是应该是windows下的用户名文件夹c:\users\xxx
2 将ca.crt 放到c:\users\xxx文件夹中通过下面的领命将ca.crt 上传到boot2docker linux 中
docker-machine scp ca.crt default:~
3 使用用户名docker 密码tcuser 登录,然后使用sudo su 切换到root 用户
4 使用如下命令安装证书
cat ca.crt >> /etc/ssl/certs/ca-certificates.crt
5 重启docker
/etc/init.d/docker restart
然后再docker login 就可以登陆了
参考文档
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
https://mritd.me/2016/09/15/Harbor-%E4%BC%81%E4%B8%9A%E7%BA%A7-Docker-Registry-%E7%AC%AC%E4%BA%8C%E5%BC%B9/
原文链接:https://www.f2er.com/ubuntu/356154.html