Building and using a Harbor private image registry

Harbor private image registry.
There are two kinds of private registry: Harbor, and the small plain registry. Harbor itself has two modes: master/slave and high-availability.
Project requirements: two servers, both with Docker installed.
Unified permission management through LDAP.
Harbor supports role-based access control.
Harbor has a graphical user interface: from a browser, users can browse the current Docker image repository and manage projects and namespaces.
Harbor supports audit management: every operation against the image registry is recorded and can be traced back for auditing.
Localized in English and Chinese; more languages can be added.
Harbor can automatically launch Clair vulnerability scanning.
Harbor minimum configuration: 3 CPUs, 4 GB memory.
Operating system: 7.5.
First we need to deal with the CA certificate.
This is done with openssl; if it is not installed, install it with yum.
Steps:
mkdir -p /data/ssl
cd /data/ssl
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
The following prompts will appear:
[root@bogon ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
..............................................................................
...........................++
..............................................................................
............................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (country name; enter CN)
State or Province Name (full name) []:Beijing (enter the city)
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan (company name)
Organizational Unit Name (eg, section) []:yunjisuan (company name)
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com (domain name, the address to bind)
Email Address []: (email can be left blank)
With the above done, the CA certificate has been created.
Next, generate the domain certificate (private key and signing request):
openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr

Generating a 4096 bit RSA private key
......++
..................................................................++
writing new private key to 'www.yunjisuan.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (country)
State or Province Name (full name) []:Beijing (region)
Locality Name (eg, city) [Default City]:Beijing (city)
Organization Name (eg, company) [Default Company Ltd]:yunjisuan (company name)
Organizational Unit Name (eg, section) []:yunjisuan (company name)
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com (domain name)
Email Address []: (email)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (a login password; can be left blank)
An optional company name []:

With the above done, the domain certificate request is complete.

[root@bogon ssl]# ls
ca.crt ca.key www.yunjisuan.com.csr www.yunjisuan.com.key

Then generate the domain's crt certificate by signing the request with the CA:
openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
The output looks like this:
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
Getting CA Private Key
[root@bogon ssl]# ls
ca.crt ca.key ca.srl www.yunjisuan.com.crt www.yunjisuan.com.csr www.yunjisuan.com.key
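The three openssl commands above are interactive and produce a certificate that carries only a CN. As an added example (not from the original post), the script below redoes the same three steps non-interactively with the same parameters, adds a subjectAltName because the Docker client (like other Go-based clients) matches the registry hostname against the SAN rather than the CN, and then runs three checks worth doing before copying anything into /etc/ssl/harbor: the chain verifies against the CA, the key belongs to the certificate, and the SAN names the registry host. The function names and the san.ext file name are this example's own.

```shell
# Added example: non-interactive re-creation of the post's CA and server
# certificate (same parameters: RSA 4096, SHA-256, 365 days), plus a SAN.
# Function names and the san.ext file name are this example's own.
set -eu

make_harbor_certs() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Self-signed CA, as in the post's first openssl command
    openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=harbor-ca" \
        >/dev/null 2>&1
    # Server key and CSR for the registry hostname (second openssl command)
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=$domain" \
        >/dev/null 2>&1
    # docker (a Go client) matches the hostname against subjectAltName, not CN,
    # so the leaf certificate must carry a SAN for the registry host.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$domain" \
        > "$outdir/san.ext"
    # Sign the CSR with the CA (third openssl command), now with the extensions
    openssl x509 -req -days 365 -sha256 -in "$outdir/$domain.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/san.ext" -out "$outdir/$domain.crt" >/dev/null 2>&1
}

# Checks to run before copying anything to /etc/ssl/harbor.
# 1. The server certificate chains to our CA.
verify_chain() {
    openssl verify -CAfile "$2/ca.crt" "$2/$1.crt" >/dev/null 2>&1
}
# 2. The private key belongs to the certificate (compare the public keys).
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$2/$1.crt" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$2/$1.key" 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}
# 3. The SAN names the registry host (a CN-only cert fails this check).
san_has_domain() {
    openssl x509 -noout -text -in "$2/$1.crt" | grep -q "DNS:$1"
}

if [ "$#" -eq 2 ]; then   # usage: sh this-script.sh www.yunjisuan.com /data/ssl
    make_harbor_certs "$1" "$2"
    verify_chain "$1" "$2" && key_matches_cert "$1" "$2" && san_has_domain "$1" "$2"
fi
```

Because -CAcreateserial is used, the script also leaves the ca.srl file that appears in the post's ls output.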
That completes signing all the certificates; now we distribute them.
First make the local machine trust the certificate by copying it into the trust directory:
[root@bogon ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
Then make it take effect immediately:
[root@bogon ssl]# update-ca-trust enable
[root@bogon ssl]# update-ca-trust extract
Then check whether SELinux is off:
sestatus
Commands to disable the firewall and SELinux:
[root@bogon ssl]# setenforce 0
[root@bogon ssl]# systemctl stop firewalld
Restart Docker:
[root@bogon ssl]# systemctl restart docker
Next, download and install Harbor.
First create a directory for Harbor; the software will be pointed at it shortly:
[root@bogon ssl]# mkdir -p /etc/ssl/harbor
Copy the certificate and key over:
[root@bogon ssl]# cp www.yunjisuan.com.crt www.yunjisuan.com.key /etc/ssl/harbor/
Create the installation directory:
[root@bogon ~]# mkdir -p /data/install
[root@bogon ~]# cd /data/install/
Download the installation package:
wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
If you already have it, just extract it into place:
[root@bogon ~]# tar xf harbor-offline-installer-v1.5.0.tgz -C /data/install/
After extracting, take a look:
[root@bogon install]# ll harbor/
total 854960
drwxr-xr-x. 3 root root        23 Dec 11 17:26 common                      (template directory)
-rw-r--r--. 1 root root      1185 May  2  2018 docker-compose.clair.yml    (vulnerability scanning)
-rw-r--r--. 1 root root      1725 May  2  2018 docker-compose.notary.yml   (image signing)
-rw-r--r--. 1 root root      3596 May  2  2018 docker-compose.yml          (main compose file)
drwxr-xr-x. 3 root root       156 May  2  2018 ha                          (high-availability mode)
-rw-r--r--. 1 root root      6687 May  2  2018 harbor.cfg                  (Harbor configuration file)
-rw-r--r--. 1 root root 875401338 May  2  2018 harbor.v1.5.0.tar.gz
-rwxr-xr-x. 1 root root      5773 May  2  2018 install.sh                  (install script)
-rw-r--r--. 1 root root     10771 May  2  2018 LICENSE
-rw-r--r--. 1 root root       482 May  2  2018 NOTICE
-rwxr-xr-x. 1 root root     27379 May  2  2018 prepare
Then back up the configuration file before editing it:
[root@bogon harbor]# pwd
/data/install/harbor
[root@bogon harbor]# cp harbor.cfg{,.bak}
Now edit the configuration file:
(line 7)  hostname = www.yunjisuan.com                          (the domain registered earlier)
(line 11) ui_url_protocol = https                              (change to https)
(line 23) ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt      (where the certificate was copied earlier)
(line 24) ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key  (where the key was copied earlier)
The rest does not need to be changed.
Next, download and install docker-compose.
If you already have it, just give it execute permission and move it to /usr/bin:
[root@bogon ~]# chmod +x docker-compose
[root@bogon ~]# ls
anaconda-ks.cfg docker-compose harbor-offline-installer-v1.5.0.tgz
[root@bogon ~]# mv docker-compose /usr/bin/
[root@bogon ~]# which docker-compose
/usr/bin/docker-compose
[root@bogon ~]# docker-compose --version
docker-compose version 1.21.2, build a133471
Now Harbor can be installed offline:
[root@bogon ~]# cd /data/install/harbor/
[root@bogon harbor]# ls
common docker-compose.notary.yml ha
harbor.cfg.bak install.sh NOTICE
docker-compose.clair.yml docker-compose.yml harbor.cfg
harbor.v1.5.0.tar.gz LICENSE prepare
Then run the install script:
[root@bogon harbor]# ./install.sh --with-notary --with-clair
(--with-notary enables image signing, --with-clair enables vulnerability scanning)
When the install finishes it looks like this:

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://www.yunjisuan.com.
For more details, please visit https://github.com/vmware/harbor .

[root@bogon harbor]# echo $?
0
[root@bogon harbor]# docker images
REPOSITORY                    TAG             IMAGE ID       CREATED        SIZE
centos                        7               1e1148e4cc2c   5 days ago     202MB
vmware/redis-photon           v1.5.0          7c03076402d9   7 months ago   207MB
vmware/clair-photon           v2.0.1-v1.5.0   7ae4e0670a3f   7 months ago   301MB
vmware/notary-server-photon   v0.5.1-v1.5.0   0b2b23300552   7 months ago   211MB
vmware/notary-signer-photon   v0.5.1-v1.5.0   67c41b4a1283   7 months ago   209MB
vmware/registry-photon        v2.6.2-v1.5.0   3059f44f4b9a   7 months ago   198MB
vmware/nginx-photon           v1.5.0          e100456182fc   7 months ago   135MB
vmware/harbor-log             v1.5.0          62bb6b8350d9   7 months ago   200MB
vmware/harbor-jobservice      v1.5.0          aca9fd2e867f   7 months ago   194MB
vmware/harbor-ui              v1.5.0          1055166068d0   7 months ago   212MB
vmware/harbor-adminserver     v1.5.0          019bc4544829   7 months ago   183MB
vmware/harbor-db              v1.5.0          82354dcf564f   7 months ago   526MB
vmware/mariadb-photon         v1.5.0          403e7e656499   7 months ago   526MB
vmware/postgresql-photon      v1.5.0          35c891dea9cf   7 months ago   221MB
vmware/harbor-migrator        v1.5.0          466c57ab0dc3   7 months ago   1.16GB
vmware/photon                 1.0             4b481ecbef2a   7 months ago   130MB

After the build succeeds, log in with a browser; the only browser that works is Firefox.

Click "Add Exception" and confirm, and you are in.


Reposted from www.cnblogs.com/cash-su/p/10103885.html